Anti-Relay Issues - Some Answers But More Questions

We have had ongoing hassles with the Anti-Relay settings and function, and it is clear there is a lot of undocumented behaviour going on. Searching the forum you can see people repeatedly having difficulties for years that aren’t resolved because no one seems to know the double secret settings.

Here’s a big non-documented answer for everyone who has trouble with anti-relay settings: What the doc doesn’t say is that IF YOU USE ‘Connecting Hosts’ EXCEPTIONS THEN THE ‘Allow Authenticated Users to Relay’ SETTING WILL NOT WORK!!! Apparently any entry in that field causes the user authentication process to get ignored. This has been true for a long time, and took us years to finally stumble over. You need to either use ALL host based exceptions (i.e. your users can’t expect to use SMTP from hotels), or use ALL user authentication exceptions. Not both.

Just as we figured this out last month, and thought we could get Domino to work as it should, here’s another mystery: Clients configured as IMAP can SMTP authenticate fine. Nice ‘SMTP Authentication’ message on the console. Clients configured for POP get timed out and never are able to SMTP authenticate. Maybe this is a client (Outlook) issue, but given how horrible the doc and general knowledge is around Relay enforcement, my guess is that it’s on the Domino side until proven otherwise.

Any suggestions from the field? Hope the first issue clears up things for some people - there are tons of questions from people struggling with that dating back to 2004 and no clear answer I could find by searching the forums…

Subject: Anti-Relay Issues - Some Answers But More Questions

As a follow-up regarding this issue, I am replying to your post along with a few other similar ones, as there are quite a few people asking the same question with no replies.

It does seem the configuration “Exceptions for authenticated users” does not operate as expected. However, even if it worked as expected, using the same server to provide authenticated relaying AND exchange SMTP mail (MX server) is bad practice.

You need to refer to this from Chris Linfoot:

http://chris-linfoot.net/d6plinks/CWLT-6YNEGQ

Basically, to support your users sending email, you should provide a separate SMTP server where the SMTP port is 587 and the port is configured to allow authenticated users only. This would be the MSA server (as per Chris’s article in the link).

This MSA server would be configured to allow authenticated users to relay and not restrict connecting hosts to a specific range/pool of IP numbers.

The SMTP MSA server would be a separate server from your SMTP MX server (which listens on port 25, does not enforce authentication and has anti-relay controls configured).

Having two SMTP servers will allow roaming users using clients such as Outlook, Thunderbird, iPhone, etc. to send SMTP mail by configuring them to send via the MSA server on port 587 (not via your MX server on port 25).

These users would receive email from whichever server you are happy to provide DMZ access and to run IMAP on. I guess this could be the MSA server if it has the disk space to hold replicas of their mail files.

HTH

Greg
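A simplified Python model of the MSA/MX split Greg describes, alongside the single-listener setup the original post reports. This is an added example, not code from the thread or from Domino; the listener definitions, the address ranges and the rule that any connecting-host entry silences the authenticated-user exception are assumptions modelled on the behaviour reported above, not documented Domino logic.

```python
import ipaddress
from dataclasses import dataclass, field

LOCAL_DOMAINS = {"example.com"}  # constructed: domains this site accepts inbound mail for


@dataclass
class Listener:
    name: str
    port: int
    require_auth: bool        # MSA style: refuse any unauthenticated session
    allow_auth_relay: bool    # "Allow authenticated users to relay"
    host_exceptions: list = field(default_factory=list)  # "Connecting hosts" CIDRs
    # Assumption modelled on the original post: any host exception entry makes
    # the authenticated-user exception inert on the same listener.
    host_exceptions_override_auth: bool = True


def relay_decision(listener, client_ip, authenticated, rcpt_domain):
    """Decide one RCPT TO on a listener; returns (accepted, reason)."""
    if listener.require_auth and not authenticated:
        return False, "auth required on this port"
    if rcpt_domain.lower() in LOCAL_DOMAINS:
        return True, "local delivery"  # inbound mail is not relaying
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(c) for c in listener.host_exceptions):
        return True, "connecting host exception"
    auth_exception_active = listener.allow_auth_relay and not (
        listener.host_exceptions and listener.host_exceptions_override_auth
    )
    if authenticated and auth_exception_active:
        return True, "authenticated relay"
    return False, "relay denied"


# Constructed listeners: the recommended split and the combined setup that fails.
MX = Listener("mx", 25, False, False, host_exceptions=["192.0.2.0/24"])
MSA = Listener("msa", 587, True, True)
COMBINED = Listener("combined", 25, False, True, host_exceptions=["192.0.2.0/24"])

if __name__ == "__main__":
    # A roaming user (203.0.113.5, constructed) authenticating from a hotel network.
    for lst in (COMBINED, MX, MSA):
        print(lst.name, relay_decision(lst, "203.0.113.5", True, "partner.example"))
```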