POP3 mail & security, how to do

As I’m running a small site with only one Domino server, I’m not really an admin genius …

So far, I only had to deal with Notes Clients, now there will be some POP3 clients too… I installed the POP3-clients and they work OK, but they’re not allowed to send e-mail out of our domain.

So my question is: what is the best (safest) way to allow my POP3 clients to send mail to the internet, without spammers taking control of my server?

Subject: POP3 mail & security, how to do …

Hi,

go to the Configuration-document for your server and find:

Router/SMTP - Restrictions and Controls - SMTP Inbound Controls - “Inbound relay enforcement”

There is a field called: “Exceptions for authenticated users”. Set its value to “Allow all authenticated users to relay”

(Look in the pop-up help or the help-db for detailed information)

That's all. You can then keep all of your anti-open-relay configurations.

Bye

Hynek

Subject: This parameter is set like you said, but outbound mail is still rejected …

Thank you very much for your hint!

The configuration is set like you suggested. Still I got messages that the messages are rejected for policy reasons. (I restarted the router) The parameter ‘Deny messages from the following internet hosts to be sent to external internet domains’ is set to ‘*’.

If I remove the * then everything works ok, but my server is an open relay then.

Would this be a correct (safe) solution? :

setting Deny messages from the following internet hosts to be sent to external internet domains:(* means all) to “” and setting Allow messages only from the following internet hosts to be sent to external internet domains: to MyDomainName

Subject: RE: This parameter is set like you said, but outbound mail is still rejected …

Hi,

I am not absolutely sure of the configuration you described (would have to go through the help db again).

However this is my configuration which works well for me:

It allows complete access for POP3 users and is not an open-relay. (… and does DNS-blacklists)

Maybe you could give it a try.

I have set it up some months ago so I can't tell you exactly what each field does, but with the help-db and a little testing you should be able to get it to work.

Bye

Hynek

Inbound Relay Controls

Allow messages to be sent only to the following external internet domains:

Deny messages to be sent to the following external internet domains: (* means all)

Allow messages only from the following internet hosts to be sent to external internet domains: [192.168..]

Deny messages from the following internet hosts to be sent to external internet domains: (* means all)

Inbound Relay Enforcement

Perform Anti-Relay enforcement for these connecting hosts: External hosts

Exclude these connecting hosts from anti-relay checks:

Exceptions for authenticated users: Allow all authenticated users to relay

DNS Blacklist Filters

DNS Blacklist filters: Enabled

DNS Blacklist sites: blackholes.mail-abuse.org; bl.spamcop.net; sbl.spamhaus.org; dialups.relays.osirusoft.com; relays.visi.com; list.dsbl.org; opm.blitzed.org; relays.ordb.org

Desired action when a connecting host is found in a DNS Blacklist: Log and reject message

Custom SMTP error response for rejected messages: Your host %s was found in the DNS blacklist at %s. We are sorry but we can not accept your e-mail because it could contain spam. Please contact the site where you are listed to be removed from their blacklist.

Inbound Connection Controls

Verify connecting hostname in DNS: Disabled

Allow connections only from the following SMTP internet hostnames/IP addresses:

Deny connections from the following SMTP internet hostnames/IP addresses:

Inbound Sender Controls

Verify sender’s domain in DNS: Disabled

Allow messages only from the following external internet addresses/domains:

Deny messages from the following internet addresses/domains:

Inbound Intended Recipients Controls

Verify that local domain recipients exist in the Domino Directory: Disabled

Allow messages intended only for the following internet addresses:

Deny messages intended for the following internet addresses:

Subject: Thanks for your help … Still some strange behaviour here …

My configuration is very similar to yours, except that I’m not using blacklisting. By filling in the local IP range in the field “Allow messages only from the following internet hosts to be sent to external internet domains:”, the POP3 clients can send mail when they’re connected to the LAN (as one would expect), but they’re still rejected when they connect through the internet.

But thanks anyway, now I know that it’s supposed to work and it’s not a bug or so.

I will check the whole configuration again, and try out some alternative settings …

Subject: You’re close - one more step

Maybe this is too late to do you any good, but…

In order to take advantage of the “Allow all authenticated users to relay” setting, you also need to set up the POP3 client, which is using SMTP to send mail to the server, with a userID and password for the SMTP session, so that it is allowed to relay as an “Authenticated User”.

If you don’t do this, the SMTP client will connect with an anonymous session, and the Notes server will not be able to tell that user’s session from the evil spammers running amok and creating havoc.

Configure the SMTP client with a user name based on the Notes user name (FN_LN, or whatever your format is) and a password which should match the user’s “Internet Password”. Then the SMTP client will log in as an Authenticated user, instead of anonymous, and it will be allowed to relay outside your domain.

Been there, made it work…

Subject: …and yet another step

and do not forget one more thing (I’ve lost several hours because of it today):

Go to the Server document/Ports/Internet Ports

and turn on “Name & Password Authentication” for “SMTP Inbound”
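A way to verify the result of the last two posts from the client side, as an added example that is not part of any post in this thread: it opens one anonymous and one authenticated SMTP session against your own server and compares the reply to RCPT TO for an external recipient. The host, port, addresses and credentials are supplied by you; the verdict strings are names chosen for this example.

```python
# Added example (not from the thread): relay check for an SMTP server you run.
import smtplib

OPEN_RELAY = "open relay: anonymous session may relay to external domains"
AUTH_NOT_OFFERED = "AUTH not advertised: SMTP Inbound name & password authentication is off"
AUTH_DENIED = "authenticated session is still refused relay"
OK = "ok: anonymous relay refused, authenticated relay accepted"


def rcpt_code(host, port, sender, rcpt, user=None, password=None):
    """Return the RCPT TO reply code for one session, or None when a login
    was requested but the server does not advertise AUTH.
    The session ends after RCPT TO (RSET, QUIT), so no message is sent."""
    with smtplib.SMTP(host, port, local_hostname="localhost", timeout=10) as s:
        s.ehlo()
        if s.has_extn("starttls"):  # keep the password off the wire in clear
            s.starttls()
            s.ehlo()
        if user is not None:
            if not s.has_extn("auth"):
                return None
            s.login(user, password)  # raises SMTPAuthenticationError on bad credentials
        s.mail(sender)
        code, _ = s.rcpt(rcpt)
        s.rset()
        return code


def check_relay(host, port, sender, external_rcpt, user, password):
    """Compare an anonymous and an authenticated session to an external recipient."""
    if rcpt_code(host, port, sender, external_rcpt) in (250, 251):
        return OPEN_RELAY
    code = rcpt_code(host, port, sender, external_rcpt, user, password)
    if code is None:
        return AUTH_NOT_OFFERED
    return OK if code in (250, 251) else AUTH_DENIED


if __name__ == "__main__":
    import getpass, sys
    # usage: relay_check.py HOST PORT SENDER EXTERNAL_RCPT USER
    host, port, sender, rcpt, user = sys.argv[1:6]
    print(check_relay(host, int(port), sender, rcpt, user, getpass.getpass()))
```

Run it from a machine outside the IP range listed under “Allow messages only from the following internet hosts …”; from inside that range the anonymous session is allowed by address, so the result says nothing about how external connections are treated.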