SMTP settings?

For the first time, I have to accommodate IMAP users, outside the office, so their IP addresses could be anything.

I want to allow authenticated, logged in IMAP users to be able to send (relay) email through SMTP, but I don’t want spammers to, obviously.

But while I’d love in the SMTP site doc to allow only name and password use, I can’t: I need to keep SMTP open to accept email that comes in from the spam filter service, always the same IP address, unauthenticated.

How to square the circle?

Subject: Can’t win?

Second server not an option.

In Configuration doc, I had:

"Exceptions for authenticated users: Allow all authenticated users to relay"

In SMTP site document, I had for TCP authentication:

Name and Password: Yes (to allow the authentication)

AND

Anonymous: Yes (to allow our incoming email server at our out of house spam service to deliver)

With anonymous turned off, no email is being delivered to us.

With anonymous turned on, you see this in the logs:

11/27/2015 06:50:45 AM [3240:0023-2A2C] SMTPClient: SMTP Authentication is not required by local server. Username: -blank-

And spammers are merrily relaying like crazy.

So you set this:

Deny messages from the following internet hosts to be sent to external internet domains: *

And the spammers are rendered helpless, but your IMAP and POP3 users are dead in the water, they can’t send.

It’s feeling like there isn’t a way to win on this one.

Subject: Relay Control

In the server's configuration under “Router/SMTP → Restrictions & Controls → SMTP Inbound Controls” you set:
“Exceptions for authenticated users: Allow all authenticated users to relay”

But be careful and set an event generator/handler to alert you in case of an unexpected number of routing events, so that you realize when the credentials have been compromised and you are converted to a spam relay.
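An added example, not part of the thread and not Domino's own event generator: a log-based stand-in for the alerting suggested above, counting the blank-username log message quoted in the first post inside a sliding window. The threshold, the window length and the sample lines are assumptions constructed for the example.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Layout of the log line quoted in the thread: "MM/DD/YYYY HH:MM:SS AM [pid:thread] message"
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M)\s+\[[0-9A-Fa-f:-]+\]\s+(.*)$")
# Message text as quoted in the thread; the last field is "-blank-" when no user name was sent.
NOAUTH_RE = re.compile(r"SMTP Authentication is not required by local server\. Username: (\S+)")

def parse_line(line):
    """Return (timestamp, username) for a matching log line, otherwise None."""
    m = LINE_RE.match(line.strip())
    hit = NOAUTH_RE.search(m.group(2)) if m else None
    if not hit:
        return None
    return datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p"), hit.group(1)

def find_bursts(lines, threshold=5, window=timedelta(minutes=1)):
    """Return (first, last, count) once per burst of blank-username events.

    threshold and window are assumed values; tune them to the server's normal volume.
    Lines are expected in chronological order, as a log file is written.
    """
    recent, alerts, alerting = deque(), [], False
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] != "-blank-":
            continue
        ts = parsed[0]
        recent.append(ts)
        while ts - recent[0] > window:   # drop events that fell out of the window
            recent.popleft()
        if len(recent) < threshold:
            alerting = False             # burst over, re-arm the alert
        elif not alerting:
            alerts.append((recent[0], ts, len(recent)))
            alerting = True
    return alerts

# Constructed sample input: the message text is the one quoted in the thread, timestamps are made up.
_MSG = "[3240:0023-2A2C] SMTPClient: SMTP Authentication is not required by local server. Username: "
SAMPLE_LOG = [f"11/27/2015 {t} {_MSG}{u}" for t, u in [
    ("06:50:45 AM", "-blank-"), ("06:50:50 AM", "-blank-"), ("06:50:55 AM", "-blank-"),
    ("06:51:05 AM", "jdoe"),    # constructed non-blank user name, must not be counted
    ("06:51:10 AM", "-blank-"), ("06:51:20 AM", "-blank-"), ("12:05:00 PM", "-blank-"),
]] + ["not a log line"]

if __name__ == "__main__":
    for first, last, count in find_bursts(SAMPLE_LOG):
        print(f"ALERT: {count} blank-username SMTP events between {first} and {last}")
```
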

Subject: Just to be clear -

The spammers aren’t authenticating - these are anonymous connections?

I have pretty much the same requirement - inbound cannot relay, we have a handful of internal trusted IP addresses, and I have a couple smtp connections that authenticate to relay mail outside.

I do not use either SMTPAllowConnectionsAnonymous=1 or SMTPVerifyAuthenticatedSender=1

However, I DO use:

SMTP_LEFT_DOT_NEVER_DOMAIN=1
SMTPALLHOSTSEXTERNAL=1
SMTPClientDebug=1
SMTPGreeting=%s
SMTPNoVersionInRcvdHdr=1

What do you have in the ‘Exclude these connecting hosts from anti-relay checks:’ field?

What do you have for ‘Allow messages to be sent only to the following external internet domains:’ ? (should be blank)

How many SMTP Internet site docs do you have? (How many internet site docs in total?)

Try adding ‘SMTPALLHOSTSEXTERNAL=1’ and see if that helps.

Review this technote: http://www-01.ibm.com/support/docview.wss?uid=swg21385199

Review this pdf: http://public.dhe.ibm.com/software/dw/lotus/SMTPAuthSpamFinal.pdf

Subject: Different smtp servers with different settings?

Subject: smtp settings

Thanks Mark, I will try your notes.ini settings.

Here is a screen cap of the configuration doc you were asking about: https://gyazo.com/d098f18d4ea6fb67c40fa8c6e113bb48

Just one smtp doc, here it is: https://gyazo.com/0796e252bd5c2597abe954af856bcd8f

Thanks for the resource links, they look all too familiar; I’ve stared at them several times in the past going “yep, done all that…” :{

Subject: smtp settings

@Mark, “Should work the way you have it set - what do you have for ‘Perform Anti-Relay enforcement for these connecting hosts:’ ?”

Hey Mark, I have “All connecting hosts”

@Barry, “Have you tried adding an smtp debug”

Yep, I got these going.

SMTPDebugIO=3
;DEBUG_THREADID=1
;debug_show_timeout=1
;debug_capture_timeout=1
SMTPClientDebug=1

Also added these based on what I found elsewhere.

SMTPAllowConnectionsAnonymous=1
SMTPVerifyAuthenticatedSender=1
SMTPErrorLimit=5

Problem as described still exists. If I allow authenticated IMAP users to send email, spammers have a field day relaying.

Subject: Should work…

Should work the way you have it set - what do you have for ‘Perform Anti-Relay enforcement for these connecting hosts:’ ?

Subject: Debug

Have you tried adding an smtp debug?

Debugging SMTP in Domino - Domino People http://dominopeople.ie/blog/?p=388

Subject: closed

Closing this and giving up; client migrating to Gmail now instead.