Prevent spammers from abusing your Domino systems (continued)

If you must allow relaying for some external hosts through your Domino server, place the IP addresses of the external hosts in the "Exclude these connecting hosts from anti-relay checks" field of the "Inbound Relay Enforcement" section.

If your external hosts use dynamic IP addresses, set the "Exceptions for authenticated users" field to the "Allow all authenticated users to relay" option and enable SMTP authentication in the Server Document -> Ports -> Internet Ports -> Mail tab. This will allow external users to set their SMTP clients to use their Notes Internet username and password to relay mail through your Domino server from anywhere on the Internet.

Here's a tip within a tip: Enable authentication only for SMTP over SSL, so that your usernames and passwords are never sent over the Internet unencrypted.
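To confirm both settings from the outside, the following added example (not code from the original article) checks one unauthenticated, cleartext SMTP session against your own server: whether AUTH is advertised before encryption and whether a recipient in an outside domain is accepted. The function names, the example.org/example.net addresses and the sample EHLO replies are constructed for illustration; run the probe from a host that is not in the anti-relay exclusion field.

```python
import smtplib

def assess(ehlo_text, rcpt_code):
    """Classify one unauthenticated, cleartext SMTP session."""
    # Extension keywords are the first word of each EHLO line after the greeting.
    # The legacy "AUTH=LOGIN" spelling is folded into "AUTH".
    keywords = {ln.split()[0].split("=")[0].upper()
                for ln in ehlo_text.splitlines()[1:] if ln.strip()}
    if 200 <= rcpt_code < 300:
        relay = "open"            # outside recipient accepted without authentication
    elif 500 <= rcpt_code < 600:
        relay = "denied"          # anti-relay enforcement rejected the recipient
    else:
        relay = "inconclusive"    # temporary failure or MAIL FROM refused
    return {
        "auth_in_cleartext": "AUTH" in keywords,
        "starttls_offered": "STARTTLS" in keywords,
        "relay": relay,
    }

def probe(host, port=25, sender="probe@example.org", outside="probe@example.net"):
    """Check your own server. The session is reset before DATA, so no mail is sent."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        _, ehlo = s.ehlo()
        mail_code, _ = s.mail(sender)
        # Only a RCPT that follows an accepted MAIL FROM says anything about relaying.
        rcpt_code = s.rcpt(outside)[0] if 200 <= mail_code < 300 else 0
        s.rset()
    return assess(ehlo.decode("ascii", "replace"), rcpt_code)

# Constructed EHLO replies (status codes already stripped, as smtplib returns them).
HARDENED = "mail.example.org Hello\nSIZE 10485760\nSTARTTLS\nPIPELINING"
WEAK = "mail.example.org Hello\nSIZE 10485760\nAUTH LOGIN PLAIN\nPIPELINING"

if __name__ == "__main__":
    print("hardened:", assess(HARDENED, 554))
    print("weak:    ", assess(WEAK, 250))
```

A result of "denied" with AUTH absent from the cleartext session matches the configuration described above; authenticated relaying then has to be tested separately over the SSL port.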

Preventing spam-related DoS
The SMTP server in versions of Domino prior to Release 6 has serious bugs that can sometimes be triggered by spam trying to find a way into your mail system, or by DNS blacklist servers testing your Domino server to see if it is a source of spam. When triggered, these bugs can cause your SMTP server to crash or enter an endless mail loop.

To patch these bugs, open your Server Configuration Document to the Router/SMTP tab -> Inbound Controls. Add the address "[127.0.0.1]" (without the quotes, but with the brackets) to the following fields:

Inbound Sender Controls -> "Deny Messages from the following internet address" and, on the same tab, Inbound Intended Recipients Controls -> "Deny messages intended for the following internet addresses".

Also, in the Configuration Document -> Router/SMTP tab -> Outbound Controls section, add the address to the Outbound Recipient Controls -> "Deny messages to recipients in the following internet domains or hostnames" field.

See IBM Technotes references 1090751 and 1100797 for more information on these Domino DoS (Denial of Service) vulnerabilities.

Ensuring that your Domino infrastructure is not vulnerable to the exploits listed above should be one of your top priorities when enabling SMTP on Domino systems. The above configurations will keep your Domino servers safe from intentional and accidental infrastructure disaster.

Daniel Koffler works as a Domino consultant for major organizations in North America and Europe, specializing in network design, security analysis and knowledge management. He is also the author of several open source projects. Daniel can be reached at dkoffler@users.sourceforge.net.

Copyright © 1998-2008, ZATZ Publishing. All rights reserved worldwide.