9:22 AM
MISDUONG
Technote (troubleshooting)
Problem
Introduction
The Restrictions and Controls section of the Server Configuration document is an important part of the Domino SMTP/mail server. This is where mail restrictions are configured to help prevent spam. Spam mail is also referred to as Unsolicited Commercial Email (UCE) or Unsolicited Bulk Email (UBE) and can cause many problems for Domino Administrators. This section of the Configuration document can also be used to control users, servers, domains, and Notes organizations from sending or receiving mail.
Purpose
The purpose of this Technical Paper is to assist you in configuring the Restrictions and Control section of the Server Configuration document. In describing Restrictions, SMTP inbound controls, SMTP outbound controls, Delivery controls, Transfer controls and Rules, this document not only addresses the restrictions for unwanted Internet mail, but it also describes the process for configuring threads and other router restrictions. Examples are provided of the restrictions and the error messages displayed when the restriction is applied by the server.
Assumptions
This document assumes that:
- You have a working SMTP Domino R8.x server with a registered Internet domain and the corresponding settings in Domain Name System (DNS).
- You have working knowledge of the SMTP conversation for mail transmission. For more information on the SMTP commands, refer to the Request for Comments number 821, also known as RFC821.
The error messages herein are the default error messages for each field; it is assumed that no error messages have been modified in the Failure Message section under Router/SMTP, Advanced, Controls.
Furthermore, this document uses the terms "local Internet domain" and "external Internet domain" throughout. Here, the local Internet domain refers to the Global Domain document's "Local Primary Internet Domain" and "Alternate Internet Domain aliases." All entries in these two fields are considered the local Internet domain, and all Internet domains not listed are considered the external Internet domains.
Resolving the problem
Restrictions
Allow mail only from domains:
This field is used to specify the Notes domains that can send mail to this domain. If a domain is added to this field, mail will be accepted only from this domain; mail from other Notes domains will be rejected. This restriction does not affect mail routing within the local Notes domain.
The following error message displays on the server console, is written to the log, and is sent back to the originator when the user's domain is not listed in this field:
"02:21:04 PM Router: Policy Reason: Your Domain does not have access to route messages to the specified domain."
Field-Level Help: Domains that will be allowed to send mail to this domain..
Deny mail from domains:
This field is used to specify the Notes domains that cannot send mail to this domain. Adding a domain to this field denies mail from this domain only; Domino will continue receiving mail from all other Notes domains. This restriction, like the "Allow mail from domains" field, does not affect mail routing in the local Notes domain.
The error message is the same as that for the "Allow mail from domains" field, except it is displayed when the domain is entered in this field.
Note: If a single Notes domain is entered in both the allow and deny fields, then the deny field would takes precedence over the allow, this is done because of security issues.
Field-Level Help: Domains that will be restricted from sending mail to this domain.
Allow mail only from the following organizations and organizational units: (*/Acme, */Sales/Corp)
This field is similar to the "Allow mail from domains" field; however, this restriction uses organizational units and/or organizations to allow mail instead of the Notes domains. An entry in this field allows mail only from this organization or organizational unit to send mail to this domain. For example, suppose you enter */acme in this field. This entry allows only users from the acme organization to send mail to the local domain. However, organizations can be split into multiple domains, so this restriction could be done with the "Allow mail from domains" field, but it would require multiple entries.
Error message when the organization is not listed in the allow field:
"02:44:01 PM Router: Policy Reason: Router: CN=First Last/O=ACME@ACME is restricted from sending mail through server SERVER/R80."
Field-Level Help: Organizations and organizational units which are allowed to send mail to this
domain. This restriction applies only if the sender's address is a Notes distinguished name.
Deny mail only from the following organizations and organizational units: (*/Acme, */Sales/Corp)
This field is very similar to "Deny mail from domains" field; however, this restriction uses the organizational units and/or organizations to restrict Notes mail routing. An entry in this field denies mail only from this organizational unit and/or organization. The Domino server will allow the server to route mail from all other organizations. For example, if you enter */north/acme in this field, it will deny all mail from this organizational unit, but it would allow mail from */south/acme to be delivered.
NOTE: If a single Notes organization is entered in both the Allow and Deny fields, the Deny takes the precedence over the Allow because of security reasons.
Error Message received on the Domino console when the sending organization is listed in this field:
"02:49:38 PM Router: Policy Reason: Router: CN=First Last/O=ACME@ACME is restricted from sending mail through server SERVER/R80"
Field-Level Help:Organizations and organizational units which are restricted from sending mail to this domain. This restriction applies only if the sender's address is a Notes distinguished name.
Maximum message size: 0 KB (default)
This is the maximum message size in KB (Kilobytes) the server will accept for routing both Internet mail and Notes mail. This restriction is used for both transfer and local delivery. The default setting 0 K, which will allow the router to deliver any message size.
There are two error messages associated with this field when the message exceeds the maximum size:
"02:53:13 PM Router: Policy Reason: Router: Unable to dispatch message. Size exceeds 1 Kbytes"
"552 Message size exceeds fixed maximum message size set by administrator"
The first is written to the Log and sent back to the registered Notes user in the form of a deliver failure report. The second error message is displayed on delivery failure reports for Internet users.
Field-Level Help: Messages larger than this size will not be transferred or delivered. A non delivery message will be returned to the sender reporting the reason for the failure.
Send all messages as low priority if message size is between: Disabled
This field works with the maximum message size; when the field is enabled, it displays another field. This hidden field allows the to set a size range in KB. If a message falls within this range, the message status would be set to low, and it would routed as low priority. For more details on setting low-priority message delivery, see "Low Priority mail routing time range" in the Transfer Controls tab.
This option can be used if network bandwidth is an issue and you want a certain-sized messages to be received but not transferred during busy production hours. This option works only if the message is being transferred; it does not work for local delivery.
No error messages given or displayed on the server. You can issue a "tell router show" on the server console to see the queue status.
Field-Level Help: Messages in this size range will have their priority permanently changed to low causing them to be sent only during off peak hours. Note that a range of 0 to 0 means never change priority.
---------------------------------------------------------------------------------------------------------------------------------------------------------
SMTP Inbound Controls
Inbound Relay Controls
An IP range can be used to represent more than one host. If the asterisk is placed in one or more units of an IP address, the variant range(s) takes effect.
For example:
This syntax does not work ----> [9.9.*]
Some syntaxes that work ------> [9.9.9.*], [9.9.*.*], [9.*.*.*]
Allow messages to be sent only to the following external Internet domains:
This field configures the Domino R8 mail server as a relay for the specified Internet domains. For example, if you enter acme.com, Domino will relay messages for recipients only in this external Internet domain. This entry will also allow the server to route mail for user@server.acme.com. If @acme.com is entered in this field, a message addressed to user@server.acme.com will be rejected by the Domino server. Any message an SMTP server attempts to relay to this server will be rejected, unless they belong to the acme.com Internet domain.
It is important to note that this setting is used only when the connecting server is not a member of the local Internet domain and it is attempting to relay a message for a recipient in the acme.com domain. This field is a text field that will accept multiple entries, but these entries must be separated by a comma.
Error Message when the Internet domain is not listed in this field:
"12:59:11 PM SMTP Server [026A:0005-0125] Attempt to relay mail to anyone@domain1.com rejected for policy reasons. Relays to recipient's domain denied in your configuration."
Field Level Help: The external Internet domains to which messages will be relayed (or the Domino domains to which messages will be relayed if the item starts with a percent sign). Recipients in all other domains will be rejected. Items need only match the end of the domain name (acme.com will match jsmith@serv1.acme.com, @acme.com will match jsmith@acme.com but will not match pbrown@serv1.acme.com ).
Deny messages from external Internet domains to be sent to the following Internet domains:
Entries in this field restrict the Domino server from relaying messages from external hosts to the domain specified in this field. If the message is addressed to recipients in this domain, the Domino server rejects the message. This field, like the Allow field, will also accept multiple entries, but these entries must be separated by a comma.
For example, if you enter "acme.com" in this field, when a external server connects to send mail to user@acme.com, the message would be rejected. If you enter "@acme.com" in this field, the Domino server would only reject message from users that belong to this Internet domain; messages addressed to user@server.acme.com would be allowed.
NOTE: If you specify the same entry in the Allow field and the Deny fields, Domino will always take the Deny field as precedence over the Allowed field. Because of security concerns, Deny must take precedence. You can also use an asterisk (*) as a wildcard to indicate all domains are denied.
Error Message displayed when the domain is entered the deny field:
"01:04:18 PM SMTP Server [0101:0004-0148] Attempt to relay mail to user@acme.com rejected for policy reasons. Relays to recipient's domain denied in your configuration."
Field Level Help: The external Internet domains to which we will never relay messages(or the Notes domains to which messages will never be relayed if the item starts with a percent sign). * would reject message relays to all recipients. Items need only match the end of the domain name (acme.com will match jsmith@serv1.acme.com, @acme.com will match jsmith@acme.com but will not match pbrown@serv1.acme.com ).
Allow messages only from the following external Internet hosts to be sent to external Internet domains:
The entries in this field identify the external hosts and/or IP addresses allowed to relay messages through this Domino server. The message destination must be an Internet domain for which the intended recipient is another Internet domain. These host names and/or IP address will be able to relay messages through the Domino R5 server.
For Example, if you enter acme.com in this field, Domino will only accept mail from servers that match this entry, so server.acme.com would match. More information on this can be found in the Field Level help.
Error Message received in the form of Delivery failure reports when the domain is not listed in the Allow field:
"554 Relay rejected for policy reasons"
Field Level Help: The fully qualified host names or IP addresses of connecting hosts for which we will relay messages. Items need only match the end of host names (acme.com will match serv1.acme.com). IP addresses are always enclosed in square brackets and may include * as a wildcard for subnet addresses.
Deny messages from the following external Internet hosts to be sent to external Internet domains:
The entries in this field identify the external hosts and/or IP address restricted from relaying messages through this Domino server. A message intended for recipients outside the local Internet domain would be rejected.
For Example, if you enter Domain1.com in this field, Domino will reject the ability to relay mail from servers that belong to this Internet domain.
NOTE: If you specify the same entry in the Allow field and the Deny fields, Domino will always take the Deny field as precedence over the Allowed field. Because of security concerns, Deny must take precedence. You can also use an asterisk (*) as a wildcard to indicate all domains that are denied from relaying.
Error Message received in the form of Delivery failure reports when the domain is listed Deny:
"554 Relay rejected for policy reasons"
Field Level Help: The fully qualified host names or IP addresses of connecting hosts for which we will never relay messages. * means all hosts. Items need only match the end of host names (acme.com will match serv1.acme.com). IP addresses are always enclosed in square brackets and may include * as a wildcard for subnet addresses.
Field Level Help: Specifies whether inbound relay controls apply to internal as well as external host. Choose one.
"External host" (default) The server enforces inbound relay controls only for host outside the local internet domain. Internal host can always relay.
"All connecting host" Provides a stricter relay enforcement by applying inbound relay controls to internal as well as external host.
"None" - Disables inbound relay controls.
Exclude these connecting hosts from anti-relay checks
Field Level Help: Enter the IP address or host names to specify host exempt from enforcement of inbound relay controls. Enter an IP address in square brackets: for example [127.0.0.1]. You can wild cards to represent an entire subnet address, but not to represent values in a range.
For example, [127.*.0.1] is valid. 123.123.12.*.123] is not.
Exceptions for authenticated users:
Field Level Help: Specifies whether authenticated user are exempt from enforcement of the inbound relay controls.
Perform anti-relay checks for authenticated users - The server does not allow exceptions for authenticated users. Authenticated users are subject to the same enforcement as non-authenticated users.
Allow all authenticated users to relay - User who logs in with a valid name and password are exempt from the applicable inbound relay controls. Use this to enable relaying by POP3 or IMAP users who connect to the network from ISP accounts outside the local Internet domain.
Note: When setting your configuration settings document to 'Allow all authenticated users to relay' the
administrator will need to change the server document: Mail tab Name & password to Yes under Mail SMTP Inbound
DNS Blacklist Filters:
Field Help: If enabled the smtp listener task will perform dns queries against the blacklist sites configured below for all host that are subject to inbound relay control enforcement.
Enabled - When Domino receives an SMTP connection request, it checks whether the connecting host is listed in the blacklist at the specified sites.
Disabled - Domino does not check whether a connecting host is on the blacklist.
Allow connections only from the following SMTP internet hostnames/IP addresses:
Field Help: Allow messages only from these host. Items need only match the end of host names (acme.com will match server1.acme.com) IP address must be enclosed in square brackets and may include an * as a wild card or subnet address.
Deny connections from the following SMTP internet hostnames/IP addresses:
Field Help: Refuse messages from these hosts. Items need only match the end of host names (acme.com will match server1.acme.com) IP address must be enclosed in square brackets and may include an * as a wild card or subnet address.
Error limit before connection is terminated:
Field Help: Terminates the connection when the number of protocol errors returned for the session exceeds this value. For example, possible errors are blacklist rejections, or RCPT to rejections. The error returned is – 421 smtp service is not available.. Closing transmission channel.
DNS Whitelist Filters:
When enabled the SMTP listener task performs DNS queries against whitelist sites your you define in the "DNS Whitelist filters".
Field Help: If enabled the smtp listener task will perform dns queries against the whitelist sites configured below for all host that are subject to inbound relay control enforcement.
DNS Whitelist Sites:
Defines a list of DNS whitelist sites in which the SMTP listener task will perform DNS queries.
Field Help: Specifies the dns whitelist sites to check when domino receives an smtp connection request.
Desired action when a connecting host is found in a dns whitelist:
Specifies actions to be taken when a host is found in DNS whitelist,
Field Help:
Silently skip blacklist filters – Performs no logging>
Log only – Records the host name and IP address of the connecting server found in the private whitelist.
Log and tag – Adds the Note item, $DNSWLSITES, to messages accepted from whitelisted hosts.
Private Blacklist Filter:
Field Help: If enabled, the smtp listener task will determine if the connecting host has been blacklisted by the Administrator. Note: Applies only to host subject to inbound relay enforcement.
Blacklist the following hosts:
Field Help: Enter the ip addresses or host names of the systems to black list. Enclose IP addresses with square brackets: For example [127.0.0.1]. IP ranges and masks are supported. Wild cards can be used except within ranges.
Desired action when a connecting host is found in the private blacklist:
Field Help: Log only - Records the host name and IP address of the connecting server and the name of the site where the server was listed.
Log and tag messages - Adds the Note item, $DNSBLSites to the messages accepted from blakclisted host.
Log and reject message - Rejects the connection and returns a configurable error message to a blacklisted host.
All actions skip blacklist filters, if enabled.
Custom SMTP error response for rejected messages:
Field Help: Text included in the error response when rejecting messages from blacklisted hosts. The format specifier '%s' can be used to insert the ip address of the connecting host. For example, if you enter the following text Your host %s was blacklisted, when domino rejects a message from the blacklisted host 127.0.0.1, it will return the following error message. Your host 127.0.0.1 was black listed.
Private Whitelist filters
Field Help: If enabled, the SMTP listener task will perform DNS queries against the whitelist sites configured below for all host that are subject to inbound relay control enforcement.
DNS Whitelist Sites:
Field Help: Enter IP address or host names of the system to whitelist. Enclose IP adresses with square brackets: for example: [127.0.0.1]. IP ranges and masks are supported. Wildcards can be used except within ranges.
Desired action when a connecting host is found in a DNS whitelist:
Field Help: Silently skip blacklist filters - Performs no logging. Log only - Records the host name and IP address of the connection server, and the name of the site where the server was listed. Log and tage message - Adds the note item $DNSWLSites, to messages accepted from whitelisted hosts. All actions skip blacklist filters, if enabled.
Outbound Sender Controls Allow messages only from the following Internet addresses to be sent to the Internet:
Field Help: The sender may send messages outside of the local internet domain only if their address is included in this list. This restriction only applies if the sender's address is an internet address.
Specifies the RFC 821 Internet addresses of users in the local Internet domain from whom IBM® Lotus® Domino® accepts mail destined for Internet addresses outside the local Internet domain. If this field contains entries, Domino accepts outbound Internet mail from the specified Internet addresses only and rejects outbound Internet mail sent from other addresses. Rejected mail is returned to the sender.
Enter Internet addresses in the form user@domain.com, or enter the name of an IBM® Lotus® Notes® group containing a list of Internet addresses allowed to send mail to the Internet.
Wildcards (for example, *acme.com) and isolated Internet domain suffixes (for example, acme.com) are not acceptable values in this field.
Group entries cannot contain a domain part or dot ('.'). For example, the group with the name DenyMail is valid, but the groups named Deny.iris.com or Denymail@iris are not.
Deny messages from the following Internet addresses to be sent to the Internet:
Field Help: The sender may not send messages outside of the local internet domain if their address is included in this list. 8 means deny all. This restriction only applies if the sender's address is an Internet address.
Specifies the RFC 821 Internet addresses of users in the local Internet domain from which Domino does not accept mail destined for external Internet addresses. If this field contains entries, Domino rejects outbound Internet mail sent from the specified Internet addresses and returns it to the sender. All other users can send Internet mail.
Enter Internet addresses in the form user@domain.com, or enter the name of a Notes group listing the Internet addresses from which to deny outbound Internet mail.
Wildcards (for example, *acme.com) and isolated Internet domain suffixes (for example, acme.com) are not acceptable values in this field.
Group entries cannot contain a domain part or dot ('.'). For example, the group with the name DenyMail is valid, but the groups named Deny.iris.com or Denymail@iris are not.
Allow messages only from the following Notes addresses to be sent to the Internet:
Field Help: The sender may send messages outside of the local internet domain only if their address is included in this list. This restriction only applies if the sender's address is a Notes address. Groups are allowed as entries, however, ACL type groups are not supported.
Specifies the Notes user names from which Domino accepts mail destined for external Internet addresses. If this field contains entries, Domino accepts outbound Internet mail from the specified entries only and rejects outbound Internet mail sent from all other Notes addresses. Rejected mail is returned to the sender.Enter fully-qualified Notes addresses in the form User/Organizational_unit/Organization, or enter the name of a Notes group whose members you want to prevent from sending Internet mail. Group entries cannot contain a domain part or dot ('.'). For example, the group with the name DenyMail is valid, but the groups named Deny.iris.com or Denymail@iris are not.
Deny messages from the following Notes addresses to be sent to the Internet:
Field Help: The sender may not send messages outside of the local internet domain if their address is included in this list. * means all. This restriction only applies if the sender is a Notes address. Groups are allowed as entries., however ACL type groups are not supported.
Specifies the Notes user names from which Domino does not accept mail destined for external Internet addresses. If this field contains entries, Domino rejects outbound Internet mail sent from the specified entries and returns it to the sender. Domino accepts outbound Internet mail from all other Notes addresses.
Enter fully-qualified Notes addresses in the form User/Organizational_unit/Organization or the name of a Notes group whose members you want to prevent from sending Internet mail.
Group entries cannot contain a domain part or dot ('.'). For example, the group with the name DenyMail is valid, but the groups named Deny.iris.com or Denymail@iris are not.
Outbound Recipient Controls
Allow messages only to recipients in the following Internet domains or host names
Field Help: Messages will be allowed if the recipient's domain name is in the list. Messages will also be allowed if one of the possible mail exchange (mx) hostnames for the intended recipient's domain matches an entry in this list. Messages to other domains or hostnames are denied. Entries only need to match the end of names (acme.com allows server1.acme.com).
Specifies the Internet domains, such as acme.com, and Internet host names, such as mailhost.acme.com, to which Domino can send mail. If there are entries in this field, users can only send Internet mail to the specified entities. Domino denies mail to all other domains or host names.
If you specify an Internet domain, users can send mail to any host or sub-domain in that domain. Domino matches entries against the last part of domain names or host names, so entering host.acme.com allows mail to mail.host.acme.com as well inbound.host.acme.com.
Group entries cannot contain a domain part or dot ('.'). For example, the group with the name AllowMail is valid, but the groups named Allow.iris.com or Allowmail@iris are not.
Deny messages to recipients in the following Internet domains or host names
Field Help: Messages to recipients in domains specified in this list are denied. Messages are also denied if a hostname in this list matches one of the possible mail exchange (mx) hostnames of intended recipient's domain. Entries only need to match the end of names (acme.com denies server1.acme.com)
Specifies the Internet domains, such as acme.com, and Internet host names, such as mailhost.acme.com, to which Domino cannot send mail. Domino allows mail to all other domains or host names. Domino matches entries against the last part of domain names or host names, so entering host.acme.com denies mail to smtp.host.acme.com as well as inbound.host.acme.com.
Group entries cannot contain a domain part or dot ('.'). For example, the group with the name DenyMail is valid, but the groups named Deny.iris.com or Denymail@iris are not.
|
Transfer Controls
Maximum transfer threads:
Field Help: The maximum number of threads Domino creates to transfer messages to all other servers. The value applies to both Notes routing and SMTP. The Router sets a default maximum number of transfer threads based on server memory. Letting the Router select the maximum number is usually best . If you set the maximum number manually, set the maximum to between 1 and 25 threads, depending on server load.
The maximum number of server threads Domino creates to transfer messages to all other servers. The value applies to both Notes routing and SMTP. The Router sets a default maximum number of transfer threads based on server memory. Letting the Router select the maximum number is usually best. If you set the maximum number manually, set the maximum to between 1 and 25 threads, depending on server load. Maximum concurrent transfer threads:
Field Help: The maximum number of server threads the Domino Router uses to transfer messages to a single destination. The value applies to both Notes routing and SMTP. If no value is specified, the default value is equal to one-half of the maximum transfer threads, rounded down to the nearest integer. By default, domino does not use multiple concurrent threads when transferring messages over Notes routing from one Domino domain to another.
Maximum hop count:
Field Help: The maximum number of times a message can be transferred between servers before delivery fails and domino sends a non-delivery messages.
Low-priority mail routing time range:
Field Help: The time range when domino routes messages marked as low priority. The default is between 12 AM and 6AM.
Low priority delay notification:
Field Help: If you configure the Router to hold low-priority messages until a given time period, message originators may not be aware of the reason for the delay. The Router can generated delay notifications for every low-priority message held., or for specific messages only. Choose on:
Disable -The Router does not notify senders when messages are delayed for priority reasons.
Only if priority changed for policy reasons - The Router notifies senders of priority-related delays only for messages that were designated low-priority as the result of a configured mail rule or size restriction.
Only if user requested low-priority- The Router notifies senders of priority-related delays only for messages which the sender designated as low-priority.
All low-priority messages - The Router notifies senders of priority-related delays for all low-priority messages.
Initial transfer retry interval:
Field Help: The time (in minutes) that the Router waits after a message transfer failure before retrying the transfer.
The default interval is 15 minutes. Lower values increase the retry attempts per hour and could possibly increase the success rate of routing the messages. Higher values decrease the retry attempts per hour, resulting in longer routing times.
The Router continues attempts to transfer a pending message until the age of the message reaches the configured time-out value (by default, 24 hours). After a message times out, the Router generates a delivery failure report to the sender.
Expired message purge interval:
Field Help: Specifies, in minutes, how often the router checks the MAIL.BOX for expired messages to purge. The default is 15 minutes.
Transfer and delivery delay notifications:
Field Help: Choose whether to send a delay notification to the author of a pending message that was not transferred or delivered within a specified amount of time. For each priority level, define the period of time in the Delay notification intervals fields. This notification differs from the low priority time range delay notifications in that the transfer and deliver settings applies to all messages priorities, and indicates the message is being retried after a failed transfer or delivery attempt. Low priority time range delay notifications are a one-time notification indicating that no attempt is made to transfer a message until the low priority time range.
Choose one:
- Enabled -- To allow the transfer and delivery of Delay notifications.
- Disable -- To prevent the transfer or delivery of Delay notifications.
Specify the amount of time that a high, normal, and low priority message should reside in the message queue before the router sends a Delay report to the author of the message. The default for each priority is four (4) hours.
Specify the amount of time in hours or minutes for High priority mail, Normal priority mail, and Low priority mail.
|
Posted in: 
Tip: 
Note: 
