  • Status: Solved

Spam Relaying on a Domino SMTP Gateway

We currently have a problem with people using our Domino SMTP server to relay spam.

On our gateway we have our SMTP Inbound Relay Control fields and SMTP Outbound Control fields set as blank. However, when we place * in the "Deny messages from external internet domains" and "Deny messages from external internet hosts" fields we stop being used as a relay but cannot send email via the gateway from our Domino Email server with a 554 error message being returned to our users.

We have checked that our Domino SMTP server and Domino Email server are only using the TCP/IP Notes protocol to connect to each other, as the SMTP protocol is not running on our email server.

Our global domain name is set as Pierhouse, our notes domain is Pierhouse and our local primary internet domain name is pierhouse.co.uk. We have also 6 alternate internet domain aliases.

Both of our servers are running Domino 5.0.7.

This spam relaying has become a real issue to us and 500 points are available to whoever can help us solve it.



 
Asked by: Pierhouse

Sjef Bosman (Groupware Consultant) commented:
To check, use www.abuse.net/relay.html

Only fill in ONE of the fields, denying all would be best. So the field "Deny messages to be sent to the following external internet domains".

Sjef Bosman (Groupware Consultant) commented:
By the way, do you have multiple internal servers, and do you allow SMTP-mail between those servers? Then you need to remove the deny-setting and add in the allowed settings your domain only (pierhouse.co.uk)

Sjef Bosman (Groupware Consultant) commented:
Ignore last question... :-$

What could be set though is to allow only external mails to your domain.

Pierhouse (Author) commented:
We had tried putting a * just in the "Deny messages to be sent to the following external internet domains" field but we still could not send email from our email server.

Sjef Bosman (Groupware Consultant) commented:
By the way, did you verify that you're not blacklisted? Providers can block all mail to you if your server allows message relays. Did you also try to put only your domain in the allow (top-field), and leave the rest empty?

Sjef Bosman (Groupware Consultant) commented:
And what does your server's log database tell you, under miscellaneous? Rejected for policy reasons (554)?

Pierhouse (Author) commented:
Yes, we have tried putting our domain in the allow (top field) and we again got the 554 error "Attempt to relay mail to xxx@hotmail.com rejected for policy reasons. Relays to recipient's domain denied in your configuration" where the Hotmail address was a valid one.

With regards to blacklisting, carrying out checks yesterday, we are not blacklisted.

Sjef Bosman (Groupware Consultant) commented:
Just to check:

Configuration Settings for your server
 Router/SMTP tab
  Basics: SMTP outside=Enabled, SMTP local=Disabled, Reachable=Always
 Restrictions and Controls:
  Restrictions: empty
  SMTP Inbound Controls:
   Allow messages: pierhouse.co.uk, rest empty
  SMTP Outbound controls: empty

Is the name of your server mentioned in the log during the start of the router equal to the name used from the internet?

Pierhouse (Author) commented:
We have just double-checked our current settings and they are:

Router/SMTP tab
  Basics: SMTP outside=Enabled, SMTP local=All Messages, Reachable=Always
 Restrictions and Controls:
  Restrictions: empty
  SMTP Inbound Controls: empty
  SMTP Outbound controls: empty

Are you suggesting that we alter our configuration to that mentioned in your last comment, and if that is the case, should pierhouse.co.uk appear in both the "Allow messages from external internet domains...." and "Allow messages only from the following external internet hosts..." fields or just one of them, and if so, which one?

Sjef Bosman (Groupware Consultant) commented:
That would be my suggestion, yes, to allow only messages destined for your domain. Set only the first allow-field to your domain, stop and start the router, and test again. Restarting (or stopping and starting) the router is essential!

Either
    Tell Router Restart
or
    Tell Router Quit
    Load Router

I prefer the latter.

Pierhouse (Author) commented:
Thanks for the latest info. We will be trying the new settings on our server after 17:30 BST.

On our previous attempts to change the settings we have only stopped and restarted the smtp task, should we have stopped and re-started the router task as well?

Sjef Bosman (Groupware Consultant) commented:
Absolutely! SMTP task is only the listener, the Router sends mails.

Sjef Bosman (Groupware Consultant) commented:
Is that 18:30 MEST or FST? Strange abbreviation, MEST, in my language it means "manure".

qwaletee commented:
Do you use a single SMTP server for inbound/outbound?  Do you have a separate SMTP server in a DMZ?

My preferred setup involves separate internal and DMZ servers, with the DMZ server set up using SendMail, and all the inbound controls set up on the SendMail box.  If you use Domino for the DMZ, then set the inbound controls "only from following hosts to external" set to the IP address of the internal server(s), using bracket notation, e.g., [192.168.0.25]

If you have only a single Domino server, and don't use any SMTP clients (only Lotus Notes for user mail, and no processes sending to external), then using * in the DENY to external should work.

Pierhouse (Author) commented:
We have a single SMTP server for inbound/outbound which should then route the email via notes mail to our email server. (BST is British Summer Time by the way)

Sjef Bosman (Groupware Consultant) commented:
See www.greenwichmeantime.com :)

Tried restarting the Router?

Pierhouse (Author) commented:
Finally found the problem at last!!!!

On the initial setup of our mail server the "Relay host for messages leaving the local internet domain:" had our SMTP server host name listed, so of course when an email was to be sent from our mail server outside our local internet domain, it was being RELAYED to the SMTP server. So of course when we had put the * in the Deny fields on the SMTP box's configuration document, it was rejecting all mail bound for the internet from our mail server.

Thanks for all the help and time Sjef, it has been really appreciated
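
The behaviour reported in this thread, reproduced in a simplified model of the gateway's inbound relay controls (an added example, not part of the original thread and not Domino's own logic). It assumes that deny entries win over allow entries, that an empty allow list means no restriction, that the mail server at qwaletee's sample address hands outbound mail to the gateway over SMTP as described above, and that `203.0.113.7` is a constructed outside client.

```python
from dataclasses import dataclass, field

LOCAL_DOMAINS = {"pierhouse.co.uk"}   # primary internet domain from the thread
MAIL_SERVER = "192.168.0.25"          # assumed internal mail server (qwaletee's sample IP)
OUTSIDER = "203.0.113.7"              # constructed external client (documentation range)

@dataclass
class InboundRelayControls:
    """The four relay-control lists, modeled as plain pattern lists."""
    allow_domains: list = field(default_factory=list)  # allowed external destinations
    deny_domains: list = field(default_factory=list)   # denied external destinations
    allow_hosts: list = field(default_factory=list)    # hosts allowed to relay
    deny_hosts: list = field(default_factory=list)     # hosts denied from relaying

def _match(value, patterns):
    # Simplified matching: "*" matches anything, otherwise exact, case-insensitive.
    return any(p == "*" or p.lower() == value.lower() for p in patterns)

def _permitted(value, allow, deny):
    # Assumption: deny wins; an empty allow list means "no restriction".
    if _match(value, deny):
        return False
    return not allow or _match(value, allow)

def rcpt_reply(cfg, client_ip, rcpt):
    """SMTP reply code the modeled gateway gives to RCPT TO from client_ip."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return 250  # delivery to our own domain is not a relay
    ok = (_permitted(domain, cfg.allow_domains, cfg.deny_domains)
          and _permitted(f"[{client_ip}]", cfg.allow_hosts, cfg.deny_hosts))
    return 250 if ok else 554

CONFIGS = {
    "all fields blank": InboundRelayControls(),
    "deny * to external domains": InboundRelayControls(deny_domains=["*"]),
    "allow only pierhouse.co.uk": InboundRelayControls(allow_domains=["pierhouse.co.uk"]),
    "allow only host [mail server]": InboundRelayControls(allow_hosts=[f"[{MAIL_SERVER}]"]),
}

def outcomes(rcpt="xxx@hotmail.com"):
    """(reply to internal mail server, reply to outsider) per configuration."""
    return {name: (rcpt_reply(c, MAIL_SERVER, rcpt), rcpt_reply(c, OUTSIDER, rcpt))
            for name, c in CONFIGS.items()}

if __name__ == "__main__":
    for name, (inside, outside) in outcomes().items():
        print(f"{name:32} mail server={inside}  outsider={outside}")
```

Mail that reaches the gateway over Notes routing instead of SMTP never passes through these checks, which is why the `*` deny entry only breaks outbound mail while the mail server is configured to use the gateway as its SMTP relay host.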

Sjef Bosman (Groupware Consultant) commented:
Good for you! And I got so close with my just-to-check list, I forgot the (more or less) obvious after Reachable=Always: "the rest is empty/default". I'm sorry, it took far too long to solve this, I should have been more detailed.

You verified with abuse.net as well?

Pierhouse (Author) commented:
By verified with abuse.net do you mean submitted contact details with them?

Sjef Bosman (Groupware Consultant) commented:
No, I meant to use the test on abuse.net. I checked the relays of your server using
    http://www.abuse.net/relay.html
and some tests seemed to pass through, unfortunately (see Test 16). What you might do is block everything with the * in the Deny again, as was the plan originally.
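
A single relay probe of the kind discussed here, for running against your own gateway after each configuration change and router restart (an added example, not part of the original thread and not the abuse.net test itself). The probe addresses and the `relaycheck.invalid` HELO name are assumptions; the session stops after RCPT TO, so no message is sent.

```python
import smtplib

# Assumed probe addresses on reserved example domains. For a real test, use a
# recipient mailbox you control that is outside the gateway's own domains.
PROBE_SENDER = "relaytest@example.org"
PROBE_RCPT = "relaytest@example.net"

def check_relay(host, local_domains, rcpt=PROBE_RCPT, sender=PROBE_SENDER,
                port=25, smtp_factory=smtplib.SMTP):
    """Ask your own gateway whether it would relay sender -> rcpt.

    The session stops after RCPT TO and is reset, so no message is sent.
    smtp_factory exists so the check can be exercised without a network.
    """
    rcpt_domain = rcpt.rsplit("@", 1)[-1].lower()
    if rcpt_domain in {d.lower() for d in local_domains}:
        raise ValueError("recipient must be outside the gateway's own domains")
    with smtp_factory(host, port, local_hostname="relaycheck.invalid",
                      timeout=15) as smtp:
        smtp.ehlo()
        code, text = smtp.mail(sender)
        stage = "MAIL FROM"
        if code // 100 == 2:
            code, text = smtp.rcpt(rcpt)
            stage = "RCPT TO"
        try:
            smtp.rset()
        except smtplib.SMTPServerDisconnected:
            pass  # some servers drop the connection after a rejection
    if stage == "RCPT TO" and code // 100 == 2:
        verdict = "relay accepted"   # gateway would forward outsider-to-outsider mail
    elif code // 100 == 5:
        verdict = "relay denied"     # e.g. the 554 "rejected for policy reasons" reply
    else:
        verdict = "inconclusive"     # 4xx or unexpected reply: retry later
    return {"verdict": verdict, "stage": stage, "code": code,
            "text": text.decode("ascii", "replace")}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 2:  # usage: relaycheck.py <gateway-host> <local-domain>...
        print(check_relay(sys.argv[1], sys.argv[2:]))
```

A 250 at RCPT TO from an outside network means the gateway is still open for relaying; a single accepted or denied probe does not cover every address form a full relay test tries.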

Pierhouse (Author) commented:
Thanks a lot. I will register and try tests.

Sjef Bosman (Groupware Consultant) commented:
I didn't even register, I just filled in the name of your mailserver and clicked Test for Relay.

qwaletee commented:
What I hate about abuse.net is they cache your results and won't check it again.

What I really hate about it is if you lost the results of your test, it will tell you that it is in cache, but won't show you what it was!

Sjef Bosman (Groupware Consultant) commented:
Indeed. Thanks, Lunchy.

Pierhouse, as it happens, I posted the complete relay report, but since it contains a description of some holes, I asked for its removal immediately afterwards. If you want to have the relay report then send me a mail, I saved a copy I can mail you back. My address is in my EE-profile.

Pierhouse (Author) commented:
Thanks Sjef for all your help on this one. We have sorted out the problem now and also identified some IPs to block on our firewall.

Sjef Bosman (Groupware Consultant) commented:
You're welcome :)