Outlook users Connect to Domino via Public networks?

Hi,

I just configured two Domino 8.0.1 servers with different Domino Domains but the same Certifier. The 1st server is Mail (mail, iNotes & POP3) and the 2nd server is used for SMTP relay.

The Outlook users get email from the 1st MAIL server via POP3 and send outbound email through the 2nd Domino SMTP server.

But the problem is that some of our Outlook users use their laptops to connect to our servers remotely (internet cafe, at home, etc.). How do we prevent our SMTP server from becoming an open relay and not allow everyone to relay?

I put [*] in "Exclude these connecting hosts from anti-relay checks" so that our Outlook users can use our SMTP from anywhere in the world, but I'm not comfortable putting [*] in this field.

Is there a way to secure our SMTP Domino servers?

Below are our settings:

“Configuration Docs - Router/SMTP”

Inbound Relay Controls:

Allow messages to be sent only to the following external internet domains: @ABC.com, @XYZ.com

Deny messages to be sent to the following external internet domains: *

Allow messages only from the following internet hosts to be sent to external internet domains:

Deny messages from the following internet hosts to be sent to external internet domains: *

Inbound Relay Enforcement:

Perform Anti-Relay enforcement for these connecting hosts: External hosts

Exclude these connecting hosts from anti-relay checks: [*]

Exceptions for authenticated users: Allow all authenticated users to relay

“Server Config” / Authentication options:

Name & password: Mail (POP) = Yes, Mail (SMTP Inbound) = Yes

Anonymous: Mail (POP) = N/A, Mail (SMTP Inbound) = Yes

Please advise,

Thanks

Anthony

Subject: Outlook users Connect to Domino via Public networks?

Hi,

I think that the best option is to use authentication for SMTP. You can read all about it in the Domino help databases.

Good luck,

Oswald

Subject: RE: Outlook users Connect to Domino via Public networks?

This reply is misleading as there isn’t the documentation you require in the Domino Help.

It does seem that the configuration "Exceptions for authenticated users" does not operate as expected; however, even if it worked as expected, using the same server to provide authenticated relaying AND to exchange SMTP mail (MX server) is bad practice.

You need to refer to this from Chris Linfoot:

http://chris-linfoot.net/d6plinks/CWLT-6YNEGQ

Basically, to support your users sending email, you should provide a separate SMTP server where the SMTP port is 587 and the port is configured to allow authenticated users only. This would be the MSA server (as per Chris's article in the link).

This MSA server would be configured to allow authenticated users to relay and not restrict connecting hosts to a specific range/pool of IP numbers.

The SMTP MSA server would be a separate server from your SMTP MX server (which listens on port 25, does not enforce authentication and has anti-relay controls configured).

Having two SMTP servers will allow roaming users using clients such as Outlook, Thunderbird, iPhone, etc. to send SMTP mail by configuring them to send via the MSA server on port 587 (not via your MX server on port 25).

These users would receive email from whichever server you are happy to provide DMZ access to and run IMAP on. I guess this could be the MSA server if it has the disk space to hold replicas of their mail files.

HTH

Greg
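Added example, not part of the thread and not Domino's own code: a small Python model of the inbound-relay decision, used to compare Anthony's posted configuration (a single server with "Exclude these connecting hosts from anti-relay checks" set to [*]) against the split MX/MSA design Greg recommends. The evaluation order (excluded host, then authenticated exception, then deny), the local domains, the LAN range 192.0.2.0/24 used for the MX exclusion, and the client sessions are all constructed assumptions for the illustration; Domino's real field semantics may differ, so verify against the product, not this model.

```python
"""Model of an SMTP anti-relay policy: the poster's single server vs. an MX/MSA split.

Added example; not Domino's implementation. Evaluation order and field semantics
are assumptions chosen to illustrate why excluding [*] defeats anti-relay checks.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

# Constructed: the domains the servers accept local delivery for (mirrors the
# @ABC.com / @XYZ.com entries in the posted configuration).
LOCAL_DOMAINS = {"abc.com", "xyz.com"}


@dataclass
class RelayPolicy:
    name: str
    port: int
    exclude_hosts: List[str]      # "Exclude these connecting hosts from anti-relay checks"
    allow_auth_relay: bool        # "Allow all authenticated users to relay"
    require_auth: bool = False    # MSA-style: refuse any unauthenticated submission


@dataclass
class Session:
    client_ip: str
    authenticated: bool
    rcpt_to: str


def _host_excluded(policy: RelayPolicy, ip: str) -> bool:
    """True if the connecting host is exempt from anti-relay checks."""
    for entry in policy.exclude_hosts:
        if entry == "*":                      # [*] exempts every host on the internet
            return True
        if ip_address(ip) in ip_network(entry, strict=False):
            return True
    return False


def decide(policy: RelayPolicy, s: Session) -> str:
    """Return an SMTP-style verdict for one RCPT TO on this session."""
    rcpt_domain = s.rcpt_to.rsplit("@", 1)[-1].lower()
    if policy.require_auth and not s.authenticated:
        return "530 5.7.0 Authentication required"
    if rcpt_domain in LOCAL_DOMAINS:
        return "250 OK (local delivery)"       # inbound mail, never a relay
    if _host_excluded(policy, s.client_ip):
        return "250 OK (relayed: host excluded from anti-relay checks)"
    if policy.allow_auth_relay and s.authenticated:
        return "250 OK (relayed: authenticated user)"
    return "550 5.7.1 Relaying not allowed"


# The posted configuration: one server on port 25, [*] excluded from checks.
POSTERS_SERVER = RelayPolicy("mail+smtp", 25, exclude_hosts=["*"], allow_auth_relay=True)

# Greg's split. Assumption: the MX only relays for the internal LAN (192.0.2.0/24,
# a documentation range used here as a stand-in); the MSA on 587 requires AUTH.
MX_SERVER = RelayPolicy("mx", 25, exclude_hosts=["192.0.2.0/24"], allow_auth_relay=False)
MSA_SERVER = RelayPolicy("msa", 587, exclude_hosts=[], allow_auth_relay=True, require_auth=True)

# Constructed sessions (documentation IP ranges, fictitious addresses).
SPAMMER = Session("198.51.100.7", authenticated=False, rcpt_to="victim@example.net")
ROAMING = Session("203.0.113.42", authenticated=True, rcpt_to="partner@example.org")
LAN_HOST = Session("192.0.2.10", authenticated=False, rcpt_to="partner@example.org")
INBOUND = Session("198.51.100.7", authenticated=False, rcpt_to="anthony@abc.com")


def is_open_relay(policy: RelayPolicy) -> bool:
    """An anonymous external host relaying to an external domain means open relay."""
    return decide(policy, SPAMMER).startswith("250")


def compare() -> dict:
    """Verdicts for every (policy, session) pair, keyed by 'policy/session'."""
    sessions = {"spammer": SPAMMER, "roaming": ROAMING, "lan": LAN_HOST, "inbound": INBOUND}
    out = {}
    for policy in (POSTERS_SERVER, MX_SERVER, MSA_SERVER):
        for label, sess in sessions.items():
            out[f"{policy.name}/{label}"] = decide(policy, sess)
    return out


if __name__ == "__main__":
    for key, verdict in compare().items():
        print(f"{key:20s} {verdict}")
    for p in (POSTERS_SERVER, MX_SERVER, MSA_SERVER):
        print(f"{p.name}:{p.port} open relay? {is_open_relay(p)}")
```

Running it shows the point of the thread: with [*] excluded, the spammer session is relayed because no host is ever checked, regardless of the "authenticated users" exception. In the split design the MX refuses the spammer and the roaming laptop alike (roaming users are told to use 587), still accepts inbound mail for the local domains, and the MSA relays only once AUTH has succeeded. The model deliberately checks the exclusion list before the authentication exception; if Domino evaluates differently the conclusions about [*] still hold, since an exempt host is never subject to the checks at all.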