securing lotus domino for the web - email relay

Securing Lotus Domino for the Web: Preventing Unwanted Mail Relaying

John Lawren James, Wildunknown.com


Post on 10-Jun-2015


Page 1: Securing Lotus Domino for the Web - Email Relay


Without taking special precautions, Lotus Domino will act as an open mail relay on the Internet. An open mail relay means that anyone, anywhere that can connect to your Domino server, can use it to send email, without needing to be authenticated to your server. Not exactly what we're looking for.

Let's configure the anti-relay settings starting with the Global Domain document. You need a Global Domain document for each domain/sub-domain that you wish to allow to send mail through your Domino server. We find the Global Domain document by opening the 'Configuration' tab in the Domino Administrator client and selecting 'Messaging' and 'Domains'. (fig 1)


Fig 1. Domains view in the Configuration tab of the Domino Administrator client.

You will want to set the Domain type to 'Global Domain'. Although it may look as if you are supposed to enter your Internet (or DNS) domain name here (such as server.wildunknown.com), you actually want to enter your Domino Domain name. Mine is Wild. Set the domain role field to 'R5/R6/R7/R8 Internet Domain'. (fig 2)


Fig 2. The Basics tab of the Global Domain Document.

On the 'Restrictions' tab of the Global Domain document, enter the Internet (or DNS) domain name of your server. (fig 3)

Fig 3. The Restrictions tab of the Global Domain document.


On the 'Conversions' tab of the Global Domain document, enter the same value in the ‘Local Primary Internet domain’ field as the value you entered in the ‘Domino domains and aliases’ field on the 'Restrictions' tab. (fig 4) Change the value of the 'Internet Address lookup' field to Enabled. For Internet mail, the 'Local part' is formed from the 'Short Name' field on the Person document in the Domino Directory, the Domino Domain position is to the 'Right of @', and the Domino Domain separator is a period ('.').


Fig 4. Conversions tab of the Global Domain document.

Save and close the Global Domain document, then open the Server Configuration document for your server. (fig 5)


Fig 5. The Server Configuration view in the Domino Administrator Client.

In the Server Configuration document, open the ‘Router/SMTP’ tab. Change the ‘Address lookup’ field value to 'Fullname only'. This will disallow partial matches on names when delivering email. (fig 6) If someone sends spam to [email protected], we don't want it delivered to [email protected].


Fig 6. The Router/SMTP tab of the Server Configuration document.

To limit where our Domino server is willing to receive mail from, open the ‘Restrictions and Controls’ tab, and then the ‘SMTP Inbound Controls’ tab. To prevent mail relaying, you want to put a * in both of the ‘Deny’ fields. If you have more than one Domino server, or any other servers that you do want to allow to relay email through this one, enter their IP addresses in the second ‘Allow’ field. Remember to surround the IP addresses with square brackets. (fig 7)


The logic may not look correct when you read it. However, keep in mind that these are 'Inbound' controls. Setting these fields to Deny all traffic only applies to 'Outside' servers trying to send through your server.

Fig 7. SMTP Inbound Controls

Under the ‘Inbound Relay Enforcement’ section, set ‘Perform Anti-Relay enforcement for these connecting hosts’ to 'All connecting hosts', but exclude our list of servers from that check. Remember to put square brackets around your IP addresses. (fig. 8)

Figure 8. Inbound Relay Enforcement section of the ‘SMTP Inbound Controls’ tab.

Under the ‘DNS Blacklist Filters’ section, you can enable DNS blacklist filters. If you’re using Domino to receive email, you might want to use them as additional controls. If you are only setting up the server to prevent it from being an open mail relay, you can ignore this. See Figure 9 for a sample setup.

Figure 9. Sample setup DNS Blacklist Filters


Under the ‘Inbound Connection Controls’ section, we can set up the server to verify the connecting hostname using DNS. That means that the server will do a reverse DNS lookup to ensure that the IP address the connecting host is using matches the IP address of the domain it is connecting from. (Fig. 10)

Figure 10. Verify connecting hostname in DNS

Under the ‘Inbound Intended Recipients Controls’ section, there are a few changes we’ll want to make. First of all, we want to set ‘Verify that local domain recipients exist in the Domino Directory’ to ‘Enabled’. That means that we won’t accept email for people who don’t have an account on the server. Second, we’re going to set ‘Reject ambiguous names’ to ‘Enabled’. That means that we won’t accept email unless we know exactly who it is for.


Third, we’re going to set ‘Deny mail to groups’ to ‘For all connecting hosts’. This will stop email from outside sources from being sent to any of our groups. (Figure 11) (Personal Story: This happened once at a company I worked at. A disgruntled former employee sent a virus to the ‘AllEmployees’ group while masquerading as the CEO. Caused all sorts of problems.)

Figure 11. Inbound Intended Recipients Controls section
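To confirm that the anti-relay settings above took effect, this added example (not part of the original slides) asks a server to accept mail from one outside address to another and reports the reply to RCPT TO, stopping before DATA so no message is ever sent. The stub server, the `wild.example` domain and all addresses are constructed so the check runs offline; point `probe_relay` at your own Domino server to test it.

```python
import smtplib
import socketserver
import threading

def probe_relay(host, port, sender, recipient, timeout=10):
    """Offer one envelope to the server and classify its answer; never sends DATA."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.helo("relay-check.example")
        code, _ = smtp.mail(sender)
        if code < 400:                      # envelope sender accepted
            code, _ = smtp.rcpt(recipient)  # the relay decision is made here
            smtp.rset()                     # abandon the transaction
    if code < 300:
        return "accepted"   # for an outside-to-outside pair this means open relay
    return "rejected" if code >= 500 else "inconclusive"

class StubSMTP(socketserver.StreamRequestHandler):
    """Constructed stand-in for a mail server, so the check runs offline."""
    local_domain = "wild.example"           # hypothetical local Internet domain
    relay_open = False

    def handle(self):
        self.wfile.write(b"220 stub ESMTP\r\n")
        for raw in self.rfile:
            line = raw.decode("ascii", "replace").strip()
            verb = line.upper()
            if verb.startswith("RCPT TO:"):
                local = line.lower().rstrip(">").endswith("@" + self.local_domain)
                ok = local or self.relay_open
                reply = b"250 ok\r\n" if ok else b"554 relay access denied\r\n"
            elif verb.startswith("QUIT"):
                self.wfile.write(b"221 bye\r\n")
                return
            else:
                reply = b"250 ok\r\n"
            self.wfile.write(reply)

def run_stub(relay_open):
    """Start the stub on a free localhost port and return (server, port)."""
    handler = type("Handler", (StubSMTP,), {"relay_open": relay_open})
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]

if __name__ == "__main__":
    for is_open in (True, False):
        server, port = run_stub(is_open)
        result = probe_relay("127.0.0.1", port, "a@outside.example", "b@elsewhere.example")
        print("stub relay_open=%s -> %s" % (is_open, result))
        server.shutdown()
```

Run the probe from a host that is not in the server's ‘Allow’ or exclusion lists, otherwise the anti-relay check is skipped for it and the result says nothing about outside senders.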


Securing Lotus Domino for the Web: Preventing Unwanted Mail Relaying was written by John Lawren James of Wildunknown.com. John Lawren James is a Lotus Domino Developer and Administrator from Ottawa, Ontario, Canada. He writes articles and shares information on topics related to:

- Lotus Domino
- Lotus Notes
- Security Administration
- Security Policies