Using Domino LDAP to filter mail at gateway

We are using Domino 5 servers (soon to be upgraded to 6.5) behind an IIS SMTP gateway. There are SPAM and virus filters on the gateway (GFI Software) and the spam and anti-virus are working well. What is causing the problems are the Directory Harvest and Dictionary attacks that make it past the SPAM filters.

Can the IIS SMTP be configured to use LDAP or another method to verify the destination address of incoming mail with the Domino server and drop any mail destinations not in our address book?

Could someone provide links to documentation of this if it's possible?
qwaletee Commented:
If you turn on the "Verify that Local Domain recipients exist" option, it should not affect your ability to do type-ahead addressing in the Notes client, or to do partial name lookups in Notes.  It should also allow you to continue to receive mail using any user alias that is unique.
HappyFunBall Commented:
In your server's Configuration document, go to Router/SMTP > Restrictions and Controls > SMTP Inbound Controls and go to the Inbound Intended Recipient Controls. The field called Verify that Local Domain recipients exist in Domino Directory should be set to enabled. Domino will then "not accept for policy reasons" any email that is addressed to a name not existing in the Domino Directory.
allsopp (Author) Commented:
This is not an option in version 5. I know it exists in 6 and up, but it will be a couple of months before we get the new servers in and running.

Is it possible to query the Domino LDAP from the IIS SMTP gateway and drop any non-existing name email there?

From what I can tell, there are some 3rd party solutions that do what you want, but nothing built into Notes.  Still, this setting in R5 may help:

Configuration > Router/SMTP > Basics > Address Lookup:Full name Only
allsopp (Author) Commented:
I'll check that setting out.

Third party solutions are OK. I would appreciate some links to where they could be found.

Specifically I was thinking of having the IIS SMTP do the checking, but so far I've only found support for Active Directory, not Domino's LDAP.
Hi allsopp,

This is really more of an issue with configuring your gateway SMTP server (IIS) to do a directory lookup before accepting. You already have the LDAP directory; the rest is up to the gateway server to make use of it correctly. There are many, many SMTP servers, including free SMTP servers, that can do this, not sure about MS.

If you want to let Domino handle it, then the easy way is only available in R6, as you surmise. However, if you do not have many users, it would be feasible to maintain a list of acceptable inbound internet addresses in a group. That group can be set to be the only allowable address list, though you would have to maintain it manually.

Go to Directory -> Server -> Configurations -> [Your server's config or the global config if no server config] -> Router/SMTP -> Restrictions and Controls -> SMTP Inbound Controls.

The last heading of that tab is "Inbound Intended Recipients Controls," and it contains a field, "Allow messages intended only for the following internet addresses."  If you put the group in there, then any address not in that group will be rejected.

Best regards,
- qwaletee

(But I have to question why you would even bother using IIS at all if you intend to let Domino do all the controls. You can always use a second Domino server if your concern is protecting the box. Of course, you would need to be licensed to do that. Hmm, technically, you might be able to use an Express license for free for this, since no users would be on the box.)
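The control qwaletee describes above, a directory lookup at the gateway before the message is accepted, in code. This is an added example, not from the thread, IIS or Domino: it validates each RCPT TO against a directory and answers 550 at the envelope stage, so nothing is queued and no NDR is ever generated for a spoofed sender, which is exactly what a directory-harvest or dictionary run feeds on. The directory lookup is abstracted; in a real gateway `directory_lookup` would be an LDAP search against Domino's LDAP service (the `(mail=<address>)` filter, the `example.com` domain and the threshold of 5 are assumptions). A constructed in-memory set stands in for the Domino Directory so the example runs offline.

```python
"""
Added example: envelope-stage recipient validation at an SMTP gateway.

Reject unknown local recipients at RCPT TO time (before DATA), so no bounce
is produced, and close the session once one client racks up too many
"User unknown" replies, the signature of a directory harvest attack.
"""
import re
from typing import Callable, Dict, List, Tuple

LOCAL_DOMAINS = {"example.com"}            # assumed local domain(s)
HARVEST_THRESHOLD = 5                      # assumed per-session tolerance

# Constructed sample directory; stands in for the Domino Directory over LDAP.
_SAMPLE_DIRECTORY = {
    "alice@example.com",
    "bob@example.com",
    "helpdesk@example.com",                # a shared alias / group address
}


def directory_lookup(address: str) -> bool:
    """Stand-in for an LDAP search such as (mail=<address>) on Domino LDAP."""
    return address.lower() in _SAMPLE_DIRECTORY


# Accepts "<user@domain>" or "user@domain"; deliberately simple.
_RCPT_RE = re.compile(r"^<?([^<>@\s]+)@([^<>@\s]+)>?$")


def check_rcpt(rcpt_arg: str,
               lookup: Callable[[str], bool] = directory_lookup) -> Tuple[int, str]:
    """Return the SMTP reply (code, text) for one RCPT TO argument."""
    m = _RCPT_RE.match(rcpt_arg.strip())
    if not m:
        return 501, "5.1.3 Bad recipient address syntax"
    local_part, domain = m.group(1), m.group(2).lower()
    if domain not in LOCAL_DOMAINS:
        # Not our domain: never relay, whatever the directory says.
        return 550, "5.7.1 Relaying denied"
    if not lookup(f"{local_part}@{domain}"):
        # Rejected at the envelope stage: nothing is queued, so no bounce
        # goes back to the (usually spoofed) sender.
        return 550, "5.1.1 User unknown"
    return 250, "2.1.5 Recipient OK"


class HarvestMonitor:
    """Counts 'User unknown' rejections per client within a session."""

    def __init__(self, threshold: int = HARVEST_THRESHOLD) -> None:
        self.threshold = threshold
        self.unknown: Dict[str, int] = {}

    def record(self, client_ip: str, code: int, text: str) -> bool:
        """Record one reply; return True once the client reaches the threshold."""
        if code == 550 and text.startswith("5.1.1"):
            self.unknown[client_ip] = self.unknown.get(client_ip, 0) + 1
        return self.unknown.get(client_ip, 0) >= self.threshold


def run_rcpt_phase(client_ip: str, recipients: List[str],
                   monitor: HarvestMonitor,
                   lookup: Callable[[str], bool] = directory_lookup
                   ) -> Tuple[List[Tuple[str, int]], bool]:
    """Process a session's RCPT TO commands in order.

    Returns ([(recipient, reply code), ...], dropped); dropped is True when
    the connection was closed for exceeding the harvest threshold.
    """
    replies: List[Tuple[str, int]] = []
    for rcpt in recipients:
        code, text = check_rcpt(rcpt, lookup)
        replies.append((rcpt, code))
        if monitor.record(client_ip, code, text):
            # 421: service closing transmission channel.
            replies.append(("<session>", 421))
            return replies, True
    return replies, False


if __name__ == "__main__":
    # Constructed dictionary-style session: common first names against one domain.
    guesses = ["aaron@example.com", "abby@example.com", "alice@example.com",
               "adam@example.com", "adrian@example.com", "alan@example.com",
               "albert@example.com", "bob@example.com"]
    result, dropped = run_rcpt_phase("203.0.113.7", guesses, HarvestMonitor())
    for rcpt, code in result:
        print(f"{code} {rcpt}")
    print("connection dropped:", dropped)
```

The point to notice is where the rejection happens: every 550 is issued in reply to RCPT TO, so the gateway never holds a message it later has to bounce, and the Domino server behind it never sees the bad addresses at all. The per-client counter is the detection side of the same control; a legitimate sender mistyping one address gets a clean 550 and carries on, while a harvester hits the threshold within a few guesses.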
allsopp (Author) Commented:
We are using IIS because we have some GFI software plugging in to it for Anti-virus and SPAM. This portion is working well. What is causing the headaches is the Dictionary and Directory Harvest attacks, which cause a lot of traffic on the Domino server, trying to deliver to bad addresses, and sending out NDRs to usually spoofed addresses. The only reason I was thinking of using Domino for the control is that the address book is in Domino.

We have 2500 users so I'd prefer not to maintain two lists of addresses.

The solution from HappyFunBall causes other problems when entering an address on a new mail message. With that setting on you need to enter the entire recipient's name, rather than just a portion of it and then selecting from the resulting drop-down list.

I'll try the solution from qwaletee and see what happens. If that doesn't work we'll just get by until the new version and servers arrive and are tested and installed.

