Hi,
I am trying to take advantage of the anti-spam facilities in Domino 6 which has the added feature of stopping many servers delivering mail!!! In some ways this does reduce my workload, but this is ridiculous! My setup is :
Perform Anti-Relay enforcement for these connecting hosts: External hosts
Exceptions for authenticated users: Allow all authenticated users to relay
The hosts (not DNS blacklisted, by the way) connect and disconnect without delivering a message …
Does anyone have any ideas?
Thanks,
Michael
Subject: Inbound Relay Enforcement problems
“The hosts (not DNS blacklisted, by the way) connect and disconnect without delivering a message …”
Which hosts? All or just some?
If just some, it is not unusual to see hosts connecting and disconnecting without (apparently) doing anything. I know of two reasons for this (one of which does not apply in your case, I think). There are probably others.
Reason 1 (possible suspect for you) - some firewalls mess about with SMTP at the protocol level and/or do things based on timing. Our firewall (a Cisco PICS) has something called SMTP fixup protocol which restricts the inbound SMTP commands to a few very basic ones, so EHLO for example does not work. This appears to confuse some hosts and they disconnect after encountering a 500 response code in reply to EHLO.
Reason 2 - (if I read your config right, probably not a suspect here) - we have “verify sender’s domain in DNS” turned on. This is a safe precaution because it is reasonable to assume that any legitimate mail can be replied to. If the sender’s domain does not exist then no reply is possible. For completely bogus domains, Domino quickly generates a 554 permanent policy rejection.
A new spammers’ trick is to register a domain and define authoritative name servers for it, leaving at least one of these name servers uncontactable. No A records or MX are associated with these domains and they have a very short time to live, forcing DNS lookups to go back to the “authoritative” name servers.
When the “verify sender’s domain” function of Domino kicks in, it causes a series of DNS queries to try and find a matching A or MX record and these eventually time out because the DNS is not contactable (takes quite a long time). The Domino server then returns “451 Unable to complete command, DNS not available or timed out” (transient failure) and the message re-queues at the remote end and tries again a few minutes later.
Thus the log fills up with SMTP connect/disconnect activity and no messages are received.
Subject: RE: Inbound Relay Enforcement problems
Sorry Chris, I just checked the firewall and port 25 comes in totally unhindered. You are correct on reason 2 as well, I don’t verify the sender’s domain in the DNS so that shouldn’t be the problem …
Thanks for the thoughts,
Michael
Subject: RE: Inbound Relay Enforcement problems
You need to crank up the logging on SMTP (SMTPdebugio and all that) to see what these hosts that connect and disconnect are actually saying.
Subject: Inbound Relay Enforcement problems
“Verify connecting hostname in DNS” denies all hosts that do not have a dns entry to deliver mail. We had that problem in the past, so if you enabled this option, try to disable it.
cheers,
Tom
Subject: RE: Inbound Relay Enforcement problems
Hi Tom,
No sorry - that’s disabled … In fact my SMTP Inbound settings are (I’ll leave out the blanks):
Inbound Relay Controls
Deny messages to be sent to the following external internet domains: (* means all) *
Inbound Relay Enforcements
Perform Anti-Relay enforcement for these connecting hosts: External hosts
Exceptions for authenticated users: Allow all authenticated users to relay DNS
Blacklist Filters
DNS Blacklist filters: Enabled
DNS Blacklist sites: sbl.spamhaus.org; bl.spamcop.net
Desired action when a connecting host is found in a DNS Blacklist: Log and tag message
Inbound Connection Controls
Verify connecting hostname in DNS: Disabled
Inbound Sender Controls
Verify sender’s domain in DNS: Disabled
Inbound Intended Recipients Controls
Verify that local domain recipients exist in the Domino Directory: Disabled