Specifying enforcement of inbound relay controls
When you create a Configuration Settings document for a server, the SMTP inbound relay controls (anti-relay settings) by default apply to external hosts only, that is, to hosts that are not in the local Internet domain. After you set inbound relay controls, you can customize how Domino® applies them by selecting inbound relay enforcement options.
About this task
The available options allow you to specify how strictly to enforce the relay controls by letting you exempt certain hosts from enforcement. You can exempt hosts from relay enforcement based on:
- Domain location - By default, Domino enforces relay controls for hosts outside the local Internet domain only. You can enforce stricter control by applying them to all connecting hosts or relax enforcement entirely so Domino does not perform any relay checks (not recommended).
- Authentication status - By default, Domino applies relay controls to authenticated SMTP sessions. You can relax enforcement by exempting all authenticated users from relay checks.
- Host name or IP address - By default, all external hosts are subject to relay controls. You can specify a list of hosts (by IP address or host name) to exempt from relay checks.
Applying relay restrictions to internal hosts
About this task
By default, Domino enforces anti-relay settings for external hosts only. Internal hosts are exempt from anti-relay checks, so Domino does not treat an internal host as a possible relay even if that host is explicitly listed in the Inbound relay controls field Deny messages from the following Internet hosts to be sent to external Internet domains.
Depending on your environment, you may want to extend the scope of enforcement by applying relay restrictions to both internal and external hosts. This is equivalent to setting the variable SMTPAllHostsExternal=1 in the NOTES.INI file.
Applying relay enforcement to internal hosts gives you tighter control over which hosts can route mail to the Internet. For example, you can configure your Domino SMTP server so that only other Domino mail servers are allowed to relay. By doing so you prevent internal users who run other mail clients (for example, POP or IMAP clients), as well as servers in other internal mail systems, from using the Domino SMTP server to send mail to the Internet.
You might also enable relay enforcement for internal hosts if you have a Domino SMTP server that receives mail from a dual-interface firewall server. For security purposes, some organizations may not connect their Domino SMTP servers directly to the Internet, choosing instead to set up an internal SMTP relay host or firewall to receive Internet mail destined for the organization's Internet domain. The relay or firewall then routes the mail to a Domino SMTP server, which, in turn, transfers it to the organization's internal mail servers.
A host in the local Internet domain can always relay to external Internet domains unless it is explicitly denied by an entry in the field Deny messages from the following internet hosts to be sent to external internet domains.
If the internal relay or the firewall does not implement its own relay controls, the Domino SMTP server may receive mail that is not destined for a local user. If the Domino server performs anti-relay enforcement on external hosts only, mail received from the internal relay or firewall is not subject to the Inbound relay controls, because the sending system (the relay or the firewall) belongs to the local Internet domain. When the Router then determines that the Internet address in the RCPT TO command has no match in the $Users view in the Domino Directory, it routes the message back out to the Internet. In effect, any Internet host that can deliver to the firewall can use the Domino server as an open relay, which is why enforcement should be extended to internal hosts in this topology.
Allowing relays from authenticated users connecting from outside the local domain
About this task
By default, if you deny relaying for a domain or set of domains (for example, all external domains), all hosts in the denied domains are subject to the relay controls. This level of restriction prevents remote IMAP or POP3 clients that connect to Domino by way of Internet service providers (ISPs) in external domains from sending outbound Internet mail because Domino does not recognize the source of the message as a valid relay origin.
To ensure that Domino allows POP3 or IMAP users to send outbound Internet mail, you can customize relay enforcement to allow all authenticated users to relay. After the Domino SMTP listener determines that a connecting host has been authenticated, it treats the connection as though it originated from a local user and exempts it from the Inbound relay controls.
Specifying enforcement exceptions based on host name or IP address
About this task
By default, after you deny relaying for a domain, all hosts in that domain are subject to the relay controls. You can customize relay enforcement to allow specific clients or servers in a domain to relay by entering host names or IP addresses in the field Exclude these connecting hosts from anti-relay checks. For each specified exception, Domino does not enforce the inbound relay controls. Use exceptions to allow hosts outside the local Internet domain to use the Domino SMTP server as a relay to send and receive their mail from the Internet, while still preventing Domino from being used as an open relay by unauthorized Internet hosts.
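The following model, added here as an example and not HCL Domino code, walks through the relay decisions described above: the default exemption of internal hosts (and the resulting firewall relay hole), extending enforcement to all hosts with SMTPAllHostsExternal=1, exempting authenticated sessions for roaming POP3/IMAP users, and the per-host exclusion list. The data structures, the entry syntax accepted in the deny and exclude lists (host name, IP or CIDR, a leading-dot domain suffix, or "*"), and the sample hosts are assumptions made for illustration; only the enforcement order follows the text on this page.

```python
"""Model of Domino SMTP inbound relay enforcement (added example, not HCL code).

Assumptions: the local Internet domain is example.com; list entries may be a
host name, an IP address or CIDR block, a domain suffix written ".isp.example",
or "*" for every host.  apply_to_all_hosts corresponds to SMTPAllHostsExternal=1.
"""
from __future__ import annotations
from dataclasses import dataclass, field
import ipaddress

LOCAL_INTERNET_DOMAINS = {"example.com"}  # assumed local Internet domain


@dataclass
class RelayControls:
    # "Deny messages from the following Internet hosts to be sent to external
    # Internet domains" (assumed default of "*": deny every checked host).
    deny_hosts: set = field(default_factory=lambda: {"*"})
    # "Exclude these connecting hosts from anti-relay checks".
    exclude_hosts: set = field(default_factory=set)
    apply_to_all_hosts: bool = False     # enforce on internal hosts too
    exempt_authenticated: bool = False   # allow authenticated users to relay


@dataclass
class Session:
    host_name: str      # connecting host as resolved by the SMTP listener
    host_ip: str
    authenticated: bool
    rcpt_domain: str    # domain part of the RCPT TO address


def _in_domain(host_name: str, domains: set) -> bool:
    h = host_name.lower()
    return any(h == d or h.endswith("." + d) for d in domains)


def _matches(entry: str, s: Session) -> bool:
    """Assumed matching rules for one deny/exclude entry."""
    if entry == "*":
        return True
    if entry.startswith("."):
        return s.host_name.lower().endswith(entry.lower())
    try:
        return ipaddress.ip_address(s.host_ip) in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return entry.lower() == s.host_name.lower()


def relay_decision(s: Session, ctl: RelayControls) -> tuple[bool, str]:
    """Return (accepted, reason) for a RCPT TO in the given session."""
    # Mail for the local Internet domain is delivery, not relay: no checks.
    if s.rcpt_domain.lower() in LOCAL_INTERNET_DOMAINS:
        return True, "local recipient; relay controls not consulted"
    # Default scope: hosts in the local Internet domain are exempt even if listed
    # in the deny field.  An unfiltered internal firewall becomes an open relay.
    if _in_domain(s.host_name, LOCAL_INTERNET_DOMAINS) and not ctl.apply_to_all_hosts:
        return True, "internal host exempt (SMTPAllHostsExternal not set)"
    if ctl.exempt_authenticated and s.authenticated:
        return True, "authenticated session treated as a local user"
    if any(_matches(e, s) for e in ctl.exclude_hosts):
        return True, "host excluded from anti-relay checks"
    if any(_matches(e, s) for e in ctl.deny_hosts):
        return False, "relay denied by the Deny hosts field"
    return True, "no deny entry matched"


def scenarios() -> dict[str, bool]:
    """Constructed sessions for the cases discussed on this page (sample data)."""
    ext = "partner.example.net"
    internet_host = Session("spam.isp.example", "198.51.100.7", False, ext)
    firewall = Session("fw.example.com", "192.0.2.1", False, ext)
    roaming_pop3 = Session("dsl-42.isp.example", "203.0.113.42", True, ext)
    domino_server = Session("mail2.example.com", "192.0.2.20", False, ext)
    imap_client_pc = Session("pc17.example.com", "192.0.2.117", False, ext)
    default = RelayControls()
    all_hosts = RelayControls(apply_to_all_hosts=True)
    auth_ok = RelayControls(exempt_authenticated=True)
    servers_only = RelayControls(apply_to_all_hosts=True, exclude_hosts={"192.0.2.20"})
    return {
        "internet host, defaults": relay_decision(internet_host, default)[0],
        "firewall, defaults": relay_decision(firewall, default)[0],
        "firewall, all hosts external": relay_decision(firewall, all_hosts)[0],
        "pop3 user, defaults": relay_decision(roaming_pop3, default)[0],
        "pop3 user, authenticated exempt": relay_decision(roaming_pop3, auth_ok)[0],
        "domino server, servers-only relay": relay_decision(domino_server, servers_only)[0],
        "imap client pc, servers-only relay": relay_decision(imap_client_pc, servers_only)[0],
    }


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name:40s} {'RELAY' if accepted else 'DENY'}")
```

The second scenario is the one to watch: with default enforcement the firewall's submission is accepted although "*" sits in the deny field, and the message leaves for the Internet. Setting apply_to_all_hosts (SMTPAllHostsExternal=1) closes that path, and the last two scenarios show the "only Domino servers may relay" configuration from the text, where an internal IMAP client submitting directly is refused while the listed server is not.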