Using Domino LDAP to filter mail at gateway

Posted on 2004-09-22
Last Modified: 2013-11-16
We are using Domino 5 servers (soon to be upgraded to 6.5) behind an IIS SMTP gateway. There are SPAM and virus filters on the gateway (GFI Software) and the spam and anti-virus are working well. What is causing the problems are the Directory Harvest and Dictionary attacks that make it past the SPAM filters.

Can the IIS SMTP be configured to use LDAP or another method to verify the destination address of incoming mail with the Domino server and drop any mail destinations not in our address book?

Could someone provide links to documentation for this if it's possible?
Question by:allsopp

Assisted Solution

HappyFunBall earned 250 total points
ID: 12123828
In your server's Configuration document, go to Router/SMTP > Restrictions and Controls > SMTP Inbound Controls and go to the Inbound Intended Recipient Controls.  The field called "Verify that Local Domain recipients exist in Domino Directory" should be set to Enabled.  Domino will then "not accept for policy reasons" any email that is addressed to a name not existing in the Domino Directory.

Author Comment

ID: 12124310
This is not an option in version 5. I know it exists in 6 and up, but it will be a couple of months before we get the new servers in and running.

Is it possible to query the Domino LDAP from the IIS SMTP gateway and drop any non-existing name email there?

Expert Comment

ID: 12125715
From what I can tell, there are some 3rd party solutions that do what you want, but nothing built into Notes.  Still, this setting in R5 may help:

Configuration > Router/SMTP > Basics > Address Lookup:Full name Only

Author Comment

ID: 12125767
I'll check that setting out.

Third party solutions are OK. I would appreciate some links to where they could be found.

Specifically I was thinking of having the IIS SMTP do the checking, but so far I've only found support for Active Directory, not Domino's LDAP.

LVL 31

Expert Comment

ID: 12132769
Hi allsopp,

This is really more of an issue with configuring your gateway SMTP server (IIS) to do a directory lookup before accepting.  You already have the LDAP directory; the rest is up to the gateway server to make use of it correctly.  There are many, many SMTP servers, including free SMTP servers, that can do this, not sure about MS.

If you want to let Domino handle it, then the easy way is only available in R6, as you surmise.  However, if you do not have many users, it would be feasible to maintain a list of acceptable inbound internet addresses in a group.  That group can be set to be the only allowable address list, though you would have to maintain it manually.

Go to Directory -> Server -> Configurations -> [Your server's config or the global config if no server config] -> Router/SMTP -> Restrictions and Controls -> SMTP Inbound Controls.

The last heading of that tab is "Inbound Intended Recipients Controls," and it contains a field, "Allow messages intended only for the following internet addresses."  If you put the group in there, then any address not in that group will be rejected.

Best regards,
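What the gateway-side check described above looks like in practice, as an added example that is not code from this thread, from IIS SMTP, GFI or Domino: the gateway answers each RCPT TO by searching the directory for the address and refuses unknown users with a 550 before the message body is ever accepted, so no NDR is generated to a spoofed sender. The recipient string is attacker-controlled, so it is RFC 4515-escaped before it goes into the LDAP filter, and a session that keeps probing unknown names is disconnected, which is the directory-harvest pattern the question describes. Assumptions, labelled in the code: the local domain is example.com, the directory publishes each user's internet address in the LDAP `mail` attribute (as Domino LDAP does for Person documents), and the LDAP server itself is replaced by a constructed in-memory set.

```python
"""Recipient verification at RCPT TO time for an SMTP gateway.

Added example; not part of the original thread. The LDAP server is
replaced by a constructed in-memory directory (see SAMPLE_DIRECTORY).
"""
import re
from collections import defaultdict
from typing import Callable, List, Optional, Tuple

LOCAL_DOMAINS = {"example.com"}   # assumption: the one domain this gateway accepts for
HARVEST_THRESHOLD = 5             # unknown recipients tolerated per session before hanging up

# RFC 4515 filter escaping. Without this a RCPT TO of "*@example.com" or
# ")(mail=*" would change the meaning of the search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_ldap_filter(value: str) -> str:
    """Escape a user-supplied value for safe use inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def recipient_filter(address: str) -> str:
    """Filter the gateway would send to the directory for one recipient.

    Assumes the internet address lives in the `mail` attribute.
    """
    return f"(mail={escape_ldap_filter(address)})"


_ADDR_RE = re.compile(r"^<?([^<>@\s]+)@([^<>@\s]+)>?$")


def parse_rcpt(arg: str) -> Optional[Tuple[str, str]]:
    """Split the argument of `RCPT TO:` into (local part, domain), or None."""
    m = _ADDR_RE.match(arg.strip())
    if not m:
        return None
    return m.group(1), m.group(2).lower()


class RecipientPolicy:
    """Decides the SMTP reply to each RCPT TO for a given session."""

    def __init__(self, directory_has: Callable[[str], bool]):
        # directory_has(ldap_filter) -> True when the search returns an entry.
        self.directory_has = directory_has
        self.unknown_per_session = defaultdict(int)

    def rcpt_to(self, session_id: str, arg: str) -> Tuple[int, str]:
        parsed = parse_rcpt(arg)
        if parsed is None:
            return 501, "Syntax error in recipient address"
        local, domain = parsed
        if domain not in LOCAL_DOMAINS:
            # Not ours: never look it up, never relay it.
            return 554, "Relay access denied"
        if self.directory_has(recipient_filter(f"{local}@{domain}")):
            return 250, "OK"
        # Rejecting here (before DATA) means no bounce is ever sent, so a
        # forged MAIL FROM receives no backscatter.
        self.unknown_per_session[session_id] += 1
        if self.unknown_per_session[session_id] >= HARVEST_THRESHOLD:
            return 421, "Too many invalid recipients, closing connection"
        return 550, "No such user here"


# Constructed sample directory standing in for the LDAP server.
SAMPLE_DIRECTORY = {"alice@example.com", "bob@example.com"}


def sample_directory_has(ldap_filter: str) -> bool:
    """Stand-in for an LDAP search; matches the exact filter a known user yields."""
    return any(ldap_filter.lower() == recipient_filter(a).lower() for a in SAMPLE_DIRECTORY)


def run_session(policy: RecipientPolicy, session_id: str, rcpts: List[str]) -> List[int]:
    """Feed a list of RCPT TO arguments through the policy; stop once disconnected."""
    codes = []
    for r in rcpts:
        code, _ = policy.rcpt_to(session_id, r)
        codes.append(code)
        if code == 421:
            break
    return codes


if __name__ == "__main__":
    policy = RecipientPolicy(sample_directory_has)
    print(policy.rcpt_to("demo", "<alice@example.com>"))
    print(policy.rcpt_to("demo", "<nobody@example.com>"))
    print(run_session(policy, "harvest", [f"<user{i}@example.com>" for i in range(10)]))
```

In a real deployment `sample_directory_has` is replaced by a bound LDAP search over the directory using the filter from `recipient_filter`; the rest of the policy is unchanged. The threshold and 421 disconnect are the part that actually blunts a dictionary attack, since a harvester that gets a 550 per probe still learns which names exist from the ones that get 250.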
LVL 31

Expert Comment

ID: 12132785
(But I have to question why you would even bother using IIS at all if you intend to let Domino do all the controls.  You can always use a second Domino server if your concern is protecting the box.  Of course, you would need to be licensed to do that.  Hmm, technically, you might be able to use an Express license for free for this, since no users would be on the box.)

Author Comment

ID: 12133047
We are using IIS because we have some GFI software plugging in to it for anti-virus and SPAM. This portion is working well. What is causing the headaches is the Dictionary and Directory Harvest attacks, which cause a lot of traffic on the Domino server, trying to deliver to bad addresses and sending out NDRs to usually spoofed addresses. The only reason I was thinking of using Domino for the control is that the address book is in Domino.

We have 2500 users so I'd prefer not to maintain two lists of addresses.

The solution from HappyFunBall causes other problems when entering an address on a new mail message. With that setting on you need to enter the entire recipient's name, rather than just a portion of it and then selecting from the resulting drop-down list.

I'll try the solution from qwaletee and see what happens. If that doesn't work we'll just get by until the new version and servers arrive and are tested and installed.
LVL 31

Accepted Solution

qwaletee earned 250 total points
ID: 12172143

If you turn on the "Verify that Local Domain recipients exist" option, it should not affect your ability to do type-ahead addressing in the Notes client, or to do partial name lookups in Notes.  It should also allow you to continue to receive mail using any user alias that is unique.
LVL 31

Expert Comment

ID: 12467156


- qwaletee
