Prevent spammers from abusing your Domino systems (continued)
If you must allow relaying for some external hosts through your Domino server, place the IP addresses of the external hosts in the "Exclude these connecting hosts from anti-relay checks" field of the "Inbound Relay Enforcement" section.
If your external hosts use dynamic IP addresses, set the "Exceptions for authenticated users" field to the "Allow all authenticated users to relay" option and enable SMTP authentication in the Server Document -> Ports -> Internet Ports -> Mail tab. This will allow external users to set their SMTP clients to use their Notes Internet username and password to relay mail through your Domino server from anywhere on the Internet.
Here's a tip within a tip: Only enable authentication for SMTP over SSL to prevent your usernames and passwords from being sent over the Internet unencrypted.
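One way to check the tip above from outside the server, as an added example that is not part of the original article: it parses an EHLO reply seen on the unencrypted SMTP port and lists any AUTH mechanisms offered there. The sample replies, the host name mail.example.com and the function names are constructed for illustration.

```python
import smtplib

# Constructed sample EHLO replies (not captured from a real Domino server).
AUTH_ON_CLEARTEXT = ("250-mail.example.com Hello\r\n250-SIZE 10240000\r\n"
                     "250-AUTH LOGIN PLAIN\r\n250-AUTH=LOGIN\r\n250 PIPELINING\r\n")
AUTH_ONLY_OVER_SSL = ("250-mail.example.com Hello\r\n250-SIZE 10240000\r\n"
                      "250-STARTTLS\r\n250 PIPELINING\r\n")


def parse_ehlo(reply: str) -> dict:
    """Parse a multi-line 250 EHLO reply into {KEYWORD: [PARAMS]}."""
    caps = {}
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    for i, ln in enumerate(lines):
        if len(ln) < 4 or not ln.startswith("250") or ln[3] not in "- ":
            raise ValueError(f"not a 250 EHLO reply line: {ln!r}")
        if i == 0:
            continue  # first line is the server greeting, not a capability
        # Older servers also advertise the legacy "AUTH=LOGIN" form.
        words = ln[4:].replace("=", " ").upper().split()
        if words:
            caps.setdefault(words[0], []).extend(words[1:])
    return caps


def cleartext_auth_mechs(reply: str) -> list:
    """AUTH mechanisms offered in an EHLO reply seen before any TLS.

    An empty list means the port does not accept passwords unencrypted.
    PLAIN and LOGIN send the password merely base64-encoded.
    """
    return sorted(set(parse_ehlo(reply).get("AUTH", [])))


def probe(host: str, port: int = 25, timeout: float = 10.0) -> list:
    """Live version: EHLO on the cleartext port of a server you administer."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        # smtplib stores the AUTH parameters as one string, e.g. " LOGIN PLAIN"
        return sorted(set(smtp.esmtp_features.get("auth", "").upper().split()))


if __name__ == "__main__":
    for name, reply in (("auth on port 25", AUTH_ON_CLEARTEXT),
                        ("auth only over SSL", AUTH_ONLY_OVER_SSL)):
        mechs = cleartext_auth_mechs(reply)
        print(name, "->", "FAIL " + ",".join(mechs) if mechs else "OK")
```

Run `probe()` against your own server's plain SMTP port after changing the authentication settings; an empty result means usernames and passwords are only accepted on the SSL port.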
Preventing spam-related DoS
The SMTP server in versions of Domino prior to Release 6 had serious bugs that can sometimes be triggered by spam trying to find a way into your mail system, or by DNS blacklist servers testing your Domino server to see if it is a source of spam. When triggered, these bugs can cause your SMTP server to crash or enter an endless mail loop.
To patch these bugs, open your Server Configuration Document to the Router/SMTP tab -> Inbound Controls. Add the address "[127.0.0.1]" (without the quotes, but with the brackets) to the following fields:
Inbound Sender Controls -> "Deny Messages from the following internet address"
Inbound Intended Recipients Controls (on the same tab) -> "Deny messages intended for the following internet addresses"
Also in the Configuration Document -> Router/SMTP tab -> Outbound Controls section add the address to the Outbound Recipient Controls -> "Deny messages to recipients in the following internet domains or hostnames" field.
See IBM Technotes references 1090751 & 1100797 for more information on these Domino DoS (Denial of Service) vulnerabilities.
Ensuring that your Domino infrastructure is not vulnerable to the exploits listed above should be one of your top priorities when enabling SMTP on Domino systems. The above configurations will keep your Domino servers safe from intentional and accidental infrastructure disaster.
Daniel Koffler works as a Domino consultant for major organizations in North America and Europe, specializing in network design, security analysis and knowledge management. He is also the author of several open source projects. Daniel can be reached at dkoffler@users.sourceforge.net.