Domino Anti-SPAM



This is how to protect your servers from being used as a SPAM relay host, and how to reject some SPAM before it enters your network.

OK, I got into finally locking down each and every combination, and running each against a relay checker. For the most flexibility, here is what I have:

Internal network, 192.168.0.x, with multiple hosts, for which relaying SHOULD be allowed. Some hosts run Outlook, Outlook Express, Netscape, etc. This has been tested with all of them.

Create or edit the configuration document for your SMTP server. Under Router/SMTP, then Restrictions and Controls, then SMTP Inbound Controls, make the following changes.

RELAY PROTECTION: In the field "Allow messages only from the following external internet hosts to be sent to external internet domains:", enter the list of your internal network addresses. Each network should be placed within brackets [], with a * to represent a subnet, for example [12.34.*.*] or [12.34.56.*]. The systems in this list will be the only ones allowed to relay off of your server; any other system will be rejected. In my case, I list [192.168.0.*]. This has passed every relay test from every system I could find, except for the one test where Domino does not relay but just ignores the message, which generates a false positive.

SPAM REJECTION: It is also a good idea to turn on the "Verify connecting hostname in DNS" field. When a server attempts to send mail to your system, the connecting host is checked to make sure it actually exists in DNS. This will keep a lot of inbound SPAM from entering your system: unless the mail is coming from a valid computer found in DNS, it is rejected. Please note that many people (even major corporations) don't know what they're doing when they set up a mail server, and perfectly normal outbound mail servers will not have a reverse DNS lookup. Honestly, to me, they shouldn't be on the Internet (they probably don't have a valid postmaster account either...), but the problem is that valid mail will be rejected because their mail server is not configured correctly. Personally, I will monitor the attempts, and will send a message to the postmaster informing them of their mistake.

This is also why it is important not to be a relay, as described above. For example, suppose your system is open to relay. The SPAMmer uses your server to relay hundreds of thousands of email messages. Other systems that check that the connecting system is in DNS see your server as a valid system, and allow the SPAM to flow.

The "Verify sender's domain in DNS" field is even more important. It makes sure that the hostname part of the return address is valid. This way, even if the mail comes into your network from a server with a valid hostname, it will be rejected if its return address has a non-existent hostname. No valid email should ever have a domain that doesn't exist. The problem is that most Spammers will just use fake return addresses from aol.com or yahoo.com.

To ensure that you receive mail for any domain that you are supposed to, create a global domain document for each domain name. Here I have several global domain documents, one for bluestream.org and pirate-king.com, and several more.

For known spam sites, list the names of the domains in the field "Deny Messages from the Following Internet Addresses and Domains". You can never have enough domains listed here <grin>. Anytime SPAM slips through, just add the domain here. Oh, how I wish I could just make this list a @DBColumn that is constantly updated!!! (Should have more capabilities in RNext!)
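The following Python sketch is an added example, not part of the original page and not Domino's own logic: it models how the inbound controls described above combine for a single message envelope. The order of the checks, the DNS stand-in tables and the deny-list entry spam.example are assumptions constructed for illustration.

```python
# Model of the SMTP inbound controls described above (not Domino's own code).
# All tables below are constructed sample data so the example runs offline.
RELAY_ALLOWED = ["[192.168.0.*]"]                      # relay allow list from the page
LOCAL_DOMAINS = {"bluestream.org", "pirate-king.com"}  # global domain documents
DENY_DOMAINS = {"spam.example"}                        # hypothetical deny-list entry

# Stand-ins for DNS: reverse records for connecting hosts, and resolvable domains.
PTR = {"192.168.0.10": "pc10.bluestream.org", "203.0.113.5": "mx.partner.example"}
RESOLVABLE = {"bluestream.org", "pirate-king.com", "partner.example",
              "aol.com", "spam.example"}


def ip_matches(ip, patterns):
    """True if ip matches a bracketed wildcard pattern such as [12.34.*.*]."""
    octets = ip.split(".")
    for pattern in patterns:
        parts = pattern.strip("[]").split(".")
        if len(parts) == len(octets) == 4 and all(
                p in ("*", o) for p, o in zip(parts, octets)):
            return True
    return False


def inbound_decision(ip, mail_from, rcpt_to):
    """Return (accepted, reason) for one envelope; check order is assumed."""
    sender_domain = mail_from.rsplit("@", 1)[-1].lower()
    rcpt_domain = rcpt_to.rsplit("@", 1)[-1].lower()
    if ip not in PTR:
        return False, "connecting host not in DNS"
    if sender_domain not in RESOLVABLE:
        return False, "sender domain not in DNS"
    if sender_domain in DENY_DOMAINS:
        return False, "sender domain denied"
    if rcpt_domain in LOCAL_DOMAINS:
        return True, "local delivery"
    if ip_matches(ip, RELAY_ALLOWED):
        return True, "relay for internal host"
    return False, "relay denied"


if __name__ == "__main__":
    # A forged aol.com return address still passes the sender-domain check.
    print(inbound_decision("203.0.113.5", "fake@aol.com", "me@bluestream.org"))
    # An outside host asking to relay to an outside domain is refused.
    print(inbound_decision("203.0.113.5", "a@partner.example", "b@aol.com"))
```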

Prevent intelligence gathering: Install a firewall that blocks all unnecessary ports. My feeling is that you should never be able to tell what OS a server is running, and you should come as close as you can to that goal. For SMTP, when a session is opened you will get a line like:

220 mailserver.domain.com ESMTP Service (Lotus Domino Release 5.0.6a) ready at Sat, 2 Jun 2001 13:40:23 -0400

You should prevent information like this from being known. If an SMTP bug is known (there is a Denial of Service attack against certain versions of R5 SMTP), crackers could just scan the net and, when they locate a known release, attack it. Implement the following change in your notes.ini on the server:

SMTPGREETING = ESMTP Service at %s

This will change the session greeting to:

220 ESMTP Service at Sat, 2 Jun 2001 13:40:23 -0400

Now, no one can tell that you are running Lotus Domino, and they will have a much harder time attacking your system.
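To confirm the change took effect, the greeting can be checked with a short script. This Python sketch is an added example, not from the original page: it flags product names and version strings in a 220 greeting, and the word list and function names are assumptions to adapt to your own servers.

```python
import re
import socket

# Words that give away the product; an assumed list, extend it as needed.
DISCLOSURE_WORDS = ("lotus", "domino", "release")
# Dotted version numbers such as 5.0.6a.
VERSION_RE = re.compile(r"\b\d+\.\d+(\.\d+)?[a-z]?\b")


def audit_greeting(line):
    """Return a list of findings for one SMTP greeting line (empty = clean)."""
    match = re.match(r"^220[ -](.*)$", line.strip())
    if not match:
        return ["not a 220 greeting"]
    text = match.group(1)
    findings = []
    for word in DISCLOSURE_WORDS:
        if word in text.lower():
            findings.append("product word: " + word)
    version = VERSION_RE.search(text)
    if version:
        findings.append("version string: " + version.group(0))
    return findings


def fetch_greeting(host, port=25, timeout=10):
    """Read the first line sent on connect by a server you administer."""
    with socket.create_connection((host, port), timeout=timeout) as conn:
        reader = conn.makefile("r", encoding="ascii", errors="replace")
        return reader.readline().strip()


# The two greetings quoted on this page, before and after the notes.ini change.
BEFORE = ("220 mailserver.domain.com ESMTP Service (Lotus Domino Release 5.0.6a) "
          "ready at Sat, 2 Jun 2001 13:40:23 -0400")
AFTER = "220 ESMTP Service at Sat, 2 Jun 2001 13:40:23 -0400"

if __name__ == "__main__":
    for greeting in (BEFORE, AFTER):
        print(audit_greeting(greeting) or "no product or version disclosed")
```

Against a live server, pass the result of fetch_greeting("your.mail.host") to audit_greeting; the host name here is a placeholder.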

PLEASE CHECK YOUR SERVER!

TrusonTechnologies has a great Relay Scanner. Make sure you got it right!

---- Example settings for Anti Spam measures in Lotus Domino.

-- Configuration Document for the SMTP Server

-- Global Domain Documents, one for each domain name you will receive mail as.