Working with DNS whitelists for SMTP connections

Use DNS whitelist filters as a means to help identify legitimate email. When DNS whitelist filters are enabled, the SMTP listener task determines whether a connecting host is a member of a DNS whitelist by relying on the results of a DNS query of a DNS blacklist-style host name. If the query returns an IP address, the host is added to the whitelist and the remaining DNS whitelists are not searched. If the host is not found in the DNS whitelist , processing continues with DNS blacklist filters. If the query returns an error indicating that the host name is not valid, the host is not added to the whitelist and may be subject to blacklist filtering if that is enabled.

Before you begin

Make sure you have a Configuration Settings document for the server on which you are enabling DNS whitelist filters.

About this task

DNS whitelists can be used independently of blacklists but private blacklists override DNS whitelists.

Procedure

  1. From the Domino® Administrator, click the Configuration tab and expand the Messaging section.
  2. Click Configurations.
  3. Select the Configuration Settings document for the server on which you are enabling DNS whitelist filters.
  4. Click Router / SMTP > Restrictions and Controls > SMTP Inbound Controls.
  5. Complete these fields in the DNS Whitelist Filters section and then click Save and Close.
    Table 1. DNS Whitelist Filters

    Field

    Action

    DNS Whitelist Filters

    Note: DNS whitelist filtering applies only to hosts subject to inbound relay enforcement.

    Choose Enabled to allow the SMTP listener task to perform DNS queries against whitelist sites that you enter in the DNS Whitelist filters field.

    By default this setting is disabled.

    DNS Whitelist sites

    Specify the DNS whitelist sites against which the SMTP listener task will perform DNS queries. The queries are performed when Domino receives an SMTP connection request.

    Desired action when a connecting host is found in a DNS whitelist

    When the connecting host is found in a DNS Whitelist, choose one of the options here:

    • Silently skip blacklist filters -- All whitelist actions skip blacklist filters. Performs no logging.
    • Log only -- Records the host name and IP address of the connecting server, as well as the name of the site where the server was listed.
    • Log and tag message -- Adds the Note item, $DNSWLSite, to messages accepted from whitelisted hosts. Records the host name and IP address of the connecting server, as well as the name of the site where the server was listed.

Viewing DNS whitelist statistics

About this task

The SMTP listener task maintains a statistic to keep a cumulative count of the number of connections accepted from DNS whitelisted hosts. The statistic, SMTP.DNSWL.TotalHits, can be viewed using the Domino Administrator client, or by issuing this command from the server console:

show stat SMTP

To determine the number of times a particular IP address is listed in one of the configured DNS whitelists, expand the SMTP.DNSWL.<WhitelistSite>.IP address.Hits statistic.

To collect the expanded information, set the NOTES.INI variable SMTPExpandDNSWLStats =1.