I am trying to set up SMTP mail routing into Domino from outside. The Domino server is already configured to send outbound mail via SMTP, but not to accept inbound.
The server has SMTP task running and listening on port 25. It has no mx record yet for routing mail to it, so I am trying as a first test to send mail to its IP address. “rav-dev” is defined as a mailin database. I have not yet (knowingly) set any restrictions on inbound mail.
After 24 hours I get a bounce with the following information:
************************************************************************
Delivery has failed to these recipients or groups:
rav-dev@160.69.33.237 (rav-dev@160.69.33.237)
Your message wasn’t delivered. Despite repeated attempts to deliver your message, the recipient’s email system refused to accept a connection from your email system.
Contact the recipient by some other means (by phone, for example) and ask them to tell their email admin that it appears that their email system is refusing connections from your email server. Give them the error details shown below. It’s likely that the recipient’s email admin is the only one who can fix this problem.
For Email Admins
No connection could be made because the target computer actively refused it. This usually results from trying to connect to a service that is inactive on the remote host - that is, one with no server application running. For more information and tips to fix this issue see this article: https://go.microsoft.com/fwlink/?LinkId=389361
Network rejection: can be caused by a firewall (external or Windows firewall) not allowing Port 25 communication (you need a port forwarding of port 25 on an external IP address to your Domino server)
Rejection because of configuration in Domino server configuration document (Router/SMTP - Restrictions and Controls - SMTP Inbound Controls)
Rejection because of disallowed general connection
–> Inbound Connection Controls –> Allow connections only from the following SMTP internet hostnames/IP addresses
Rejection because of relay settings
–> Inbound Relay Enforcement –> Exclude these connecting hosts from anti-relay checks
Rejection because of recipient check
–> Inbound Intended Recipients Controls –> Verify that local domain recipients exist in the Domino Directory
and others
Check all of these.
To make sure that in general the server is ok just install “telnet client” on your Domino server and type the following lines:
telnet localhost 25
helo itsme
mail from: sender@somewhere.com
rcpt to: <smtp-address-of-your-mailin>
data
Subject: This is the subject of the mail
This is the body
.
That should help to start identifying the problem.
One last warning: Nowadays you should not expose Domino SMTP directly to the internet…. you will be spammed to death immediately and probably used as an open relay if you do not configure this carefully. Use something “before” the Domino server to filter all that and let only this machine contact your Domino server…
There are many things to do, in order to prep Domino to receive mail. Some things to check in the Domino directory to configure inbound SMTP. There are many ways to do this but here are steps I prefer. This is not all inclusive:
in the Server doc: “Load Internet Configurations from Sever\Internet Sites” set to Enabled.
on the Server doc: “SMTP Listener task” should be “Enabled”. On the Ports > Internet Ports tab, you must have the SMTP Inbound port enabled. Port 25. no need to enable TLS port status in here.
Now you can create you inbound SMTP Document. In the view “Configuration > Web > Internet Sites”, if you don’t hae one, create a SMTP Inbound Site. For the “host names or addresses mapped to this site” enter the IP address of the server (it’s local address).
If you do not have a “server Configuration” document for this server, create one for this Domino server. Many important controls exist on this doc such as only accepting email from specific IP’s or domains.
Do you have a firewall in front of your server? It needs to accept smtp traffic from the source to your Domino server.
I did not mention the firewall, but there is one, and it does allow port 25 traffic. Also, the rejection message, as you see, shows the IP address of the final destination server, so even before checking that I was confident that the message is getting through the firewall.
I mentioned that there are no inbound connection controls or anti-relay checks in place. There will be later, but the first step is to get the server to accept mail at all.
I mentioned, too, that the destination address has been defined as a mail-in database. If that were the problem, the failure message would be different.
The message, it appears, is getting to the server via an SMTP connection request (which is refused) but is then not getting through that layer to the Notes router that would deliver it to the destination database.
I have not used Telnet, although that may be worth trying, but perhaps it is worth my saying that I can send mail by SMTP out from the server, but replying to such a mail results in a delivery error as reported.
in the Server doc: “Load Internet Configurations from Sever\Internet Sites” set to Enabled.
I do not have this enabled, nor an inbound SMTP site document created, but in that case the server just uses the settings in the server document itself, doesn’t it? This gives less fine-grained control, admittedly, but should at least accept a connection. No?
on the Server doc: “SMTP Listener task” should be “Enabled”. On the Ports > Internet Ports tab, you must have the SMTP Inbound port enabled. Port 25. no need to enable TLS port status in here. It is enabled, and the console shows the taks as listening on :25
Now you can create you inbound SMTP Document. In the view “Configuration > Web > Internet Sites”, if you don’t hae one, create a SMTP Inbound Site. For the “host names or addresses mapped to this site” enter the IP address of the server (it’s local address).
If you do not have a “server Configuration” document for this server, create one for this Domino server. Many important controls exist on this doc such as only accepting email from specific IP’s or domains. Again, both of the above will give me better control, but neither is necesary, is it, to receive mail? I don’t want to introduce unnecessary complications until I have the fundamentals working.
Do you have a firewall in front of your server? It needs to accept smtp traffic from the source to your Domino server. The fact that the refusal message comes from the destination Domino server indicates that the firewall is passing the traffic.
If all configurations are correct but external connections are still being refused, the following debug parameters can help you narrow down the potential causes:
SMTPDebug=3
SMTPDebugIO=3
These parameters capture verbose logs for inbound SMTP connections. They will allow you to identify which port the source server is attempting to connect to and at what point the Domino SMTP server returns an error.
It is also helpful to see if other external domains can connect, as this will help isolate whether the issue is specific to outlook.com.
You can enable these parameters using the following console commands:
Set Config SMTPDebug=3
Set Config SMTPDebugIO=3
Tell SMTP Update Config
Note: Please ensure you disable these parameters once you have captured the necessary data to avoid unnecessary log growth.
Set Config SMTPDebug=
Set Config SMTPDebugIO=
Tell SMTP Update Config
Sample output:
Set Config SMTPDebug=3
Set Config SMTPDebugIO=3
Tell SMTP Update Config
[1664:0002-15FC] SMTP Server: Updating values in configuration
[1664:0002-15FC] SMTP Server: Configuration updated
[1664:0006-1AE0] 2026/05/15 16:56:14.94 SMTP CIServ Listen> Connection Accepted on Port 25 for Session 14610B65
[1664:0008-1D4C] 2026/05/15 16:56:14.97 SMTP CITask StateMachine> Sent 103 bytes to 169.254.1.22
[1664:0008-1D4C] [1664:0008-1D4C] S: 220 v12.hcl.com ESMTP Service (HCL Domino Release 12.0.2FP4) ready at Fri, 15 May 2026 16:56:14 +0900
[1664:0008-1D4C] 2026/05/15 16:56:15 SMTP Server [1664:0008-1D4C] State change from Greeting to Greeting
[1664:0008-1D4C] 2026/05/15 16:56:15 SMTP Server [1664:0008-1D4C] Processing in Greeting state
[1664:0008-1D4C] 2026/05/15 16:56:15 SMTP Server [1664:0008-1D4C] State change from Greeting to Connected
[1664:0008-1D4C] 2026/05/15 16:56:15 SMTP Server: 169.254.1.22 connected
In the Domino directory in the view “Configuration > Messaging > Domains”.
You need a global domain document. But sure to specify your Domino domain on the restrictions tab. You can find your Domino domain on the server doc on the Basics tab.
On the “Conversions” tab, put 160.69.33.237 in the Local Primary Internet domain.
If I understand correctly, you’re attempting to send an email from MS365 to an address of rav-dev@160.69.33.237. This may work but it seems a little problematic to me. I feel like I’ve had issues trying to send emails to an IP like that.
For what it’s worth, I’d probably create a mail flow rule and tell Exchange to send to domino. Like this. Assuming your valid email domain in MS365 is “mydomain.com”, it’d make a mail flow rule that states to send anything sent to the domain “mydomino-domino.com” to the IP 160.69.33.237. The domain mydomino-domino.com does not need any DNS records. it does not need to be registered anywhere. But you should make sure it’s unique. In the global domain doc as I mentioned about make sure “mydomino-domino.com” is your primary or is an Alternate Internet domain alias. To test, send to rav-dev@mydomino-domino.com.
When you send the message, even before you make any of these changes. Monitor a live domino console and see what happens when the message is received. If you don’t monitor it like, check log.nsf after the message is rejected and see what Domino is reporting. The Domino server may show “Rejected for Policy Reasons”, which means the message is getting to it, but your configuration is now allowing emails from that IP or form that email address.
I agree with @tchildy . While sending an email with an ip address [in brackets] for the domain part of the email address may be technically permitted in the RFC’s, I’d be surprised if it worked in practice, especially with something like M365.
Better to get back to basics and test using telnet or netcat. Since you haven’t set up any smtp inbound restrictions yet, your test connections won’t be rejected for the usual reasons: no PTR record, failed SPF, etc.
First telnet (or netcat) from the domino server to itself (localhost) while watching the domino console in another window. Then try the same from the same subnet but a different host to the domino server’s internal/RFC1918 IP address. Finally from the outside world to the domino server’s external public IP address. You need to narrow down the problem first before you can apply a solution.
@tchildy That is helpful - thank you. If I understand you correctly the pseudo-domain “mydomino-domino.com” would be created within Exchange configuration, along with its associated IP address. Is that right? Hence no need for external DNS? If so I will need to engage the help of the Exchange admins on the other side of the world . I guessed I would have to at some point, but I was hoping to be on surer ground before I do.
In sending the test messages I have been monitoring the console and checking logs. Nothing is showing up there - not on the console and therefore not in Miscellaneous Events, nor in Mail Routing Events. That is what is making me think that the message is not getting as far as the router, but that the server is rejecting the connection at the first contact from Exchange.
I do have a global domain document, with domain restrictions set. Is an inbound SMTP site document actually required? (I get that it is desirable by the time we get to production deployment). I have now filled the primary internet domain field with the server’s IP address. So far, though, I don’t think the message is getting far enough for that to be relevant.
@trustedcomputer That Exchange is returning a refusal from the Domino server’s IP address makes me think that Exchange is not rejecting the message based on its being directed to an explicit IP address, since it is at least making an attempt to deliver it.
I have confirmed connectivity (port 25) using powershell from my workstation to the server. Connection from the outside world is not required.
. I guessed I would have to at some point, but I was hoping to be on surer ground before I do.