allsopp

Using Domino LDAP to filter mail at gateway

We are using Domino 5 servers (soon to be upgraded to 6.5) behind an IIS SMTP gateway. There are SPAM and virus filters on the gateway (GFI Software) and the spam and anti-virus are working well. What is causing the problems are the Directory Harvest and Dictionary attacks that make it past the SPAM filters.

Can the IIS SMTP be configured to use LDAP or another method to verify the destination address of incoming mail with the Domino server and drop any mail destinations not in our address book?

Could someone provide links to documentation of this if it's possible?
SOLUTION
HappyFunBall

allsopp

ASKER

This is not an option in version 5. I know it exists in 6 and up but it will be a couple of months before we get the new servers in and running.

Is it possible to query the Domino LDAP from the IIS SMTP gateway and drop any non-existing name email there?
From what I can tell, there are some 3rd party solutions that do what you want, but nothing built into Notes.  Still, this setting in R5 may help:

Configuration > Router/SMTP > Basics > Address Lookup:Full name Only
allsopp

ASKER

I'll check that setting out.

Third party solutions are OK. I would appreciate some links to where they could be found.

Specifically I was thinking of having the IIS SMTP do the checking, but so far I've only found support for Active Directory, not Domino's LDAP.
Hi allsopp,

This is really more of an issue with configuring your gateway SMTP server (IIS) to do a directory lookup before accepting. You already have the LDAP directory, the rest is up to the gateway server to make use of it correctly. There are many, many SMTP servers, including free SMTP servers, that can do this, not sure about MS.

If you want to let Domino handle it, then the easy way is only available in R6, as you surmise. However, if you do not have many users, it would be feasible to maintain a list of acceptable inbound internet addresses in a group. That group can be set to be the only allowable address list, though you would have to maintain it manually.

Go to Directory -> Server -> Configurations -> [Your server's config or the global config if no server config] -> Router/SMTP -> Restrictions and Controls -> SMTP Inbound Controls.

The last heading of that tab is "Inbound Intended Recipients Controls," and it contains a field, "Allow messages intended only for the following internet addresses."  If you put the group in there, then any address not in that group will be rejected.

Best regards,
qwaletee
(But I have to question why you would even bother using IIS at all if you intend to let Domino do all the controls.  You can always use a second Domino server if your concern is protecting the box.  Of course, you would need to be licensed to do that.  Hmm, technically, you might be able to use an Express license for free for this, since no users would be on the box.)
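The "directory lookup before accepting" described in the post above, as an added example (not code from any poster, nor from IIS, GFI or Domino): each RCPT TO is answered from an LDAP search, the address is escaped before it goes into the filter, and the connection stops getting answers after a few unknown recipients so a harvest run cannot enumerate the directory. `sample_lookup`, `RcptChecker`, `max_unknown`, the use of the `mail` attribute and the sample addresses are assumptions; a real gateway would send the filter to the directory's LDAP service instead of the in-memory stand-in.

```python
import re

# Constructed sample data: mail values an LDAP search of the directory would return.
SAMPLE_DIRECTORY = {"jane.doe@example.com", "ops@example.com"}

# RFC 4515 escapes for characters that are special inside a search filter.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
_TOKEN = re.compile(r"(\\[0-9a-f]{2}|\*)")


def recipient_filter(address):
    """Build the search filter for one RCPT TO address, escaping its value."""
    return "(mail=%s)" % "".join(_ESCAPES.get(c, c) for c in address.lower())


def sample_lookup(filter_string):
    """Hypothetical stand-in for the LDAP search; a bare '*' is a wildcard."""
    pattern = ""
    for tok in _TOKEN.split(filter_string[len("(mail="):-1]):
        if tok == "*":
            pattern += ".*"                              # unescaped wildcard
        elif _TOKEN.fullmatch(tok):
            pattern += re.escape(chr(int(tok[1:], 16)))  # \xx -> literal char
        else:
            pattern += re.escape(tok)
    return any(re.fullmatch(pattern, entry) for entry in SAMPLE_DIRECTORY)


class RcptChecker:
    """Recipient check for one SMTP connection, with a cap on unknown names."""

    def __init__(self, lookup=sample_lookup, max_unknown=3):
        self.lookup = lookup            # callable(filter_string) -> bool
        self.max_unknown = max_unknown  # assumed threshold, tune per site
        self.unknown = 0

    def rcpt_to(self, address):
        """Return the (code, text) reply the gateway gives to RCPT TO."""
        if self.unknown >= self.max_unknown:
            return (421, "Too many unknown recipients")
        if self.lookup(recipient_filter(address)):
            return (250, "OK")
        self.unknown += 1
        return (550, "No such user")
```

Rejecting at RCPT time means the gateway never accepts the message, so no NDR is generated toward a spoofed sender; the cap matters because a 550/250 split on its own tells a harvester which addresses exist.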
allsopp

ASKER

We are using IIS because we have some GFI software plugged in to it for Anti-virus and SPAM. This portion is working well. What is causing the headaches is the Dictionary and Directory Harvest attacks which cause a lot of traffic on the Domino server, trying to deliver to bad addresses, and sending out NDRs to usually spoofed addresses. The only reason I was thinking of using Domino for the control is that the address book is in Domino.

We have 2500 users so I'd prefer not to maintain two lists of addresses.

The solution from HappyFunBall causes other problems when entering an address on a new mail message. With that setting on you need to enter the entire recipient's name, rather than just a portion of it, then selecting from the resulting drop down list.

I'll try the solution from qwaletee and see what happens. If that doesn't work we'll just get by until the new version and servers arrive and are tested and installed.
allsopp,

Thanks!

- qwaletee