Restricting inbound SMTP connections

To prevent your mail system from accepting unwanted mail, Domino® provides a set of controls that let you restrict incoming SMTP connections. The Inbound Connection controls let you specify whether Domino checks the names of connecting hosts in DNS or, if by host name or IP address, the remote hosts from which the server allows and denies connections.

About this task

To determine whether a connection attempt is allowed or denied, the Domino SMTP task first checks the remote host's IP address, which the server's TCP/IP stack reads from the incoming IP packet headers. If the IP address does not match any entry in the Inbound Connection control fields, the SMTP task performs a second check, querying DNS to obtain the host name for the given address. If the query is successful, Domino compares the name obtained against the host names in Allow and Deny fields.

If you create a separate Configuration Settings document for your internal SMTP servers, you can use the inbound connection controls to ensure that these internal servers accept SMTP connections from specific SMTP hosts only. For example, configure servers to allow SMTP connections only from servers that receive mail from the Internet. Restricting connections in this way prevents users with POP3 or IMAP clients from sending mail through the server, helps you define valid outbound routing paths, and limits the load on the server.

Note: SMTP can resolve names for group types of Mail-only or Multi-purpose. When you create or modify the SMTP and Router settings in the Configuration Settings document, be sure to enter group names that have a group type of Mail-only or Multi-purpose. These groups must be in the primary directory. This applies to settings on the Restrictions tab, the SMTP Inbound Controls tab, and the SMTP Outbound Controls tab.

In addition to these inbound connection controls, Domino provides two other means for blocking connections:

  • DNS blacklist filters

    DNS blacklist filters enable a server to check a host against one or more blacklists during the SMTP conversation. If a connecting host matches an entry in a blacklist, you can configure the server to reject the connection, tag any received messages, or record the transaction in the Notes® Log.

  • Access to the SMTP Listener through Domino Extension Manager (EM) services.

    Extension Manager (EM) services allow developers to access some functions of the SMTP Listener task. The Extension Manager (EM) allows an executable program library, such as a dynamic link library or shared object library, to register a callback routine that will be called before, after, or before and after Domino performs selected internal operations. Using EM hooks in the SMTP Listener can extend current functionality by providing:

    • Additional anti-spam controls
    • Custom address translation
    • Custom SMTP responses
    • Interception of messages

    The Domino C API header file EXTMGR.H, included in the Software Development Kit, defines symbols for the supported Extension Manager notification events and types.

    For additional information on the Extension Manager and registering callback routines, see the Lotus® C API Toolkit for Notes/Domino, listed in the Additional documentation resources topic linked from the related references at the end of this topic.

To restrict inbound SMTP connection

Procedure

  1. Make sure you already have a Configuration Settings document for the server(s) to be configured.
  2. From the Domino Administrator, click the Configuration tab and expand the Messaging section.
  3. Click Configurations.
  4. Select the Configuration Settings document for the mail server or servers you want to restrict mail on, and click Edit Configuration.
  5. Click the Router/SMTP > Restrictions and Controls > SMTP Inbound Controls tab.
  6. Complete these fields in the Inbound Connection Controls section and then click Save & Close.
    Table 1. Inbound Connection Controls

    Field

    Enter

    Verify connecting host name in DNS

    Choose one:

    • Enabled - Domino verifies the name of the connecting host by performing a reverse DNS lookup. Domino checks DNS for a PTR record that matches the IP address of the connecting host to a host name. If Domino cannot determine the name of the remote host because DNS is not available or no PTR record exists, it does not allow the host to transfer mail. Although Domino accepts the initial connection, later in the SMTP transaction it returns an error to the connecting host in response to the MAIL FROM command. Internet SMTP hosts are not required to have PTR entries in DNS. As a result, when this field is enabled, the SMTP task may reject connections from valid SMTP hosts.
    • Disabled - (default) Domino does not check DNS to verify the name of the connecting host.

    Allow connections only from the following SMTP Internet host names/IP addresses

    The host names, group names, and/or IP addresses allowed to connect to the SMTP service on this server. If you enter host names and/or IP addresses in this field, only servers matching these entries can connect to the SMTP listener; connection requests from all other servers are denied.

    Enter IP addresses in brackets -- for example, [192.168.10.17].

    Host name entries may be complete, as in the fully qualified host name of a particular server, or partial and imply the existence of a wildcard. That is, if you enter:

    abc.com

    Domino extends accepts only connections from mail hosts in the domains represented by *abc.com, that is, all host names ending in abc.com, including smtp.abc.com and mailhost.abc.com. Domino rejects all other connection requests.

    If you specify host name entries, each time a host connects, Domino checks DNS for a PTR record for the connecting host. If Domino cannot resolve the IP address to a host name because DNS is unavailable or no PTR record exists, no mail is accepted from the connection.

    Deny connections from the following SMTP Internet host names/IP addresses

    The host names, group name, and/or IP addresses that are not allowed to connect to the SMTP service on this server. If you enter host names and/or IP addresses in this field, all servers except those matching entries in this field can connect to the SMTP listener; connection requests are denied only for servers matching the entries in this field.

    Enter IP addresses in brackets -- for example, [192.168.10.17].

    Host name entries may be complete, as in the fully qualified host name of a particular server, or partial and use an implied wildcard. That is, if you enter:

    abc.com

    Domino implicitly extends the restriction to all mail hosts within the denied domain, denying connections from *abc.com, that is, all hosts in the abc.com domain, including smtp.abc.com and mailhost.abc.com.

    The entry abc.com does not prevent connections from xyzabc.com.

    Do not use a leading dot (.) in an entry; for example, .abc.com. Because Domino does not match the leading dot, the entry .abc.com does not prevent connections originating from the domain abc.com.
    Error limit before connection is terminated Specify the maximum number of protocol errors allowed before a session connection is terminated.
  7. Reload the SMTP task or update the SMTP configuration to put changes into effect.

Restricting the total number of inbound SMTP sessions

About this task

By default, the SMTP service supports an unlimited number of inbound sessions; that is, as many connections as the server's resources physically permit. To restrict the number of concurrent SMTP sessions that a server accepts, set the variable SMTPMaxSessions in the server's NOTES.INI file, where xxx is the maximum number of sessions allowed without any buffering. When the specified number of inbound SMTP connections is reached, the server refuses additional connections and returns the following error:

421 Server.domain.com SMTP service not available, closing transmission channel