Martijn de Jong (e-office)
Daniel Nashed (Nash!Com)
How to use Domino as a Mail Server in a Modern World
Or how to get your mails in your customer’s mailboxes and spam out of yours
Martijn de Jong
• Senior HCL Consultant @ e-office
• Studied electrical engineering, psychology and music
• Working with “Lotus” portfolio since 2000
• https://blog.martdj.nl
@martdj
Agenda
SMTP Basics
Outbound SMTP configuration in Domino
Inbound SMTP configuration in Domino
SMTP Basics
SMTP History
SMTP Protocol
PTR Record
Sender Policy Framework (SPF)
Domain Keys Identified Mail (DKIM)
Domain-based Message Authentication, Reporting & Conformance (DMARC)
SMTP submission vs SMTP relaying
SMTP: Accept vs Reject vs Greylisting
Secure transmission
SMTP History
1981: Simple Mail Transfer Protocol (SMTP) – RFC 788 - Jonathan B. (Jon) Postel
“by design, every SMTP server was an open mail relay”
1995: Extended Simple Mail Transfer Protocol (ESMTP) – RFC 1869
1998: Message submission – RFC 2476
1999: SMTP Service Extension for Authentication – RFC 2554
2001: Simple Mail Transfer Protocol – RFC 2821
2008: Simple Mail Transfer Protocol – RFC 5321
2011: DomainKeys Identified Mail (DKIM) Signatures – RFC 6376
2014: Sender Policy Framework (SPF) – RFC 7208
2015: Domain-based Message Authentication, Reporting, and Conformance (DMARC) – RFC 7489
2015: SMTP 521 and 556 Reply Codes – RFC 7504
2018: Cryptographic Algorithm and Key Usage Update to DomainKeys Identified Mail (DKIM) – RFC 8301
2018: Use of Transport Layer Security (TLS) for Email Submission and Access – RFC 8314
2018: A New Cryptographic Signature Method for DomainKeys Identified Mail (DKIM) – RFC 8463
2019: Email Authentication for Internationalized Mail – RFC 8616
2021: Deprecation of TLS 1.1 for Email Submission and Access – RFC 8997
SMTP Protocol example
S: 220 smtp.example.com ESMTP Postfix
C: HELO relay.example.org
S: 250 Hello relay.example.org, I am glad to meet you
C: MAIL FROM:<bob@example.org>
S: 250 Ok
C: RCPT TO:<alice@example.com>
S: 250 Ok
C: RCPT TO:<theboss@example.com>
S: 250 Ok
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: "Bob Example" <bob@example.org>
C: To: "Alice Example" <alice@example.com>
C: Cc: theboss@example.com
C: Date: Tue, 15 Jan 2008 16:02:43 -0500
C: Subject: Test message
C:
C: Hello Alice.
C: This is a test message with 5 header fields and 4 lines in the message body.
C: Your friend,
C: Bob
C: .
S: 250 Ok: queued as 12345
C: QUIT
S: 221 Bye
{The server closes the connection}
PTR record
Every mail starts with a connection:
SMTP Server: notes.nashcom.de (157.90.30.24) connected
Reverse DNS lookup – Does 157.90.30.24 belong to notes.nashcom.de?
Looks for a PTR record
PTR record lookup
dig 24.30.90.157.in-addr.arpa PTR
; <<>> DiG 9.16.23-RH <<>> 24.30.90.157.in-addr.arpa PTR
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32637
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: d39bb4213a56db7901000000668e58c4cde082e76f760d4c (good)
;; QUESTION SECTION:
;24.30.90.157.in-addr.arpa. IN PTR
;; ANSWER SECTION:
24.30.90.157.in-addr.arpa. 81732 IN PTR notes.nashcom.de.
PTR Record
PTR records can only be set by the owner of your IP address(es)
That’s usually your internet or hosting provider
Some provide an admin interface to set your PTR record
Some provide no PTR records
No PTR record or non-matching PTR record => huge hit on your reputational score!
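The reverse-lookup check described above, written out as an added example (not part of the presentation): a forward-confirmed reverse DNS check, the test a receiving server applies to the connecting address. The DNS data is a constructed in-memory table standing in for real queries; the notes.nashcom.de / 157.90.30.24 pair is the one shown on the slides, the other names and addresses are invented.

```python
import ipaddress

# Constructed DNS data standing in for real lookups so the example runs offline.
# Owner name -> list of (rrtype, rdata). The nashcom.de entries mirror the dig
# output on the slides; example.net is invented as a "broken" case.
DNS_RECORDS = {
    "24.30.90.157.in-addr.arpa.": [("PTR", "notes.nashcom.de.")],
    "notes.nashcom.de.": [("A", "157.90.30.24")],
    "1.2.0.192.in-addr.arpa.": [("PTR", "mail.example.net.")],
    "mail.example.net.": [("A", "192.0.2.99")],   # forward record does not point back
}


def lookup(name, rrtype):
    """Return the rdata strings of the given type for a name, or [] if none."""
    return [rdata for t, rdata in DNS_RECORDS.get(name, []) if t == rrtype]


def reverse_name(ip):
    """Build the in-addr.arpa / ip6.arpa owner name for an address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def fcrdns(ip, helo_name=None):
    """Forward-confirmed reverse DNS check for a connecting address.

    Returns (status, detail) with status one of:
      'none'          no PTR record for the address
      'mismatch'      a PTR exists but its A/AAAA records do not include the address
      'helo-mismatch' PTR confirms the address, but the EHLO/HELO name differs from it
      'pass'          the PTR name resolves back to the address (and matches HELO, if given)
    """
    ptr_names = lookup(reverse_name(ip), "PTR")
    if not ptr_names:
        return "none", "no PTR record"
    addr = ipaddress.ip_address(ip)
    rrtype = "AAAA" if addr.version == 6 else "A"
    for ptr in ptr_names:
        if str(addr) in lookup(ptr, rrtype):
            if helo_name and helo_name.rstrip(".").lower() != ptr.rstrip(".").lower():
                return "helo-mismatch", f"PTR is {ptr} but HELO said {helo_name}"
            return "pass", f"{ip} -> {ptr} -> {ip}"
    return "mismatch", f"PTR {ptr_names[0]} does not resolve back to {ip}"
```

The result is one input to a reputation score, not a verdict on its own: a missing or mismatching PTR is common on badly configured but legitimate senders, which is why the inbound section of this deck recommends not rejecting on it alone.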
Reputational Score
Anti-spam measures work with a reputational score
The score is calculated based on:
The sending server (PTR record, blacklists, SPF)
The domain of the sender (SPF, DKIM, DMARC)
The mail content
The higher the score, the better your chance your mail is delivered in the inbox of the intended recipient
SPF, DKIM & DMARC
SPF: Is the sending server allowed to send mail for this domain?
DKIM: Is this mail from this domain really sent from this domain?
DMARC: What to do with the result of the previous checks?
Sender Policy Framework
A sending server tries to deliver a mail to our server:
C: EHLO notes.nashcom.de
S: 250-poseidon.martdj.nl Hello notes.nashcom.de ([157.90.30.24]), pleased to meet you
C: MAIL FROM:<nsh@nashcom.de>
Check in DNS whether 157.90.30.24 is allowed to send mail for nashcom.de
SPF – DNS TXT Record
RFC 7208 - Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1
https://datatracker.ietf.org/doc/html/rfc7208
Defines which hosts are allowed to send mail for a domain
DNS TXT record for a domain or sub-domain with a flexible rule set
Example:
host -t txt nashcom.de -> nashcom.de descriptive text "v=spf1 mx ~all"
Only allows the hosts defined in the domain’s MX records to send mail
More complex example: dnug.de
v=spf1 mx a:domino.dnug.de ip4:87.230.23.16 include:spf.nl2go.com include:mail.zendesk.com include:spf.ce.cloud-y.com -all
SPF Syntax
http://www.open-spf.org/SPF_Record_Syntax
Mechanisms:
all
ip4
ip6
a
mx
ptr
exists
include
Sender Policy Framework
A sending server tries to deliver a mail to our server:
C: EHLO notes.nashcom.de
S: 250-poseidon.martdj.nl Hello notes.nashcom.de ([157.90.30.24]), pleased to meet you
C: MAIL FROM:<nsh@nashcom.de>
Check in DNS whether 157.90.30.24 is allowed to send mail for nashcom.de
SPF DNS TXT record of nashcom.de: v=spf1 mx ~all
MX lookup: does 157.90.30.24 belong to one of the MX hosts of nashcom.de?
SPF Pass
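The check above, carried through in code as an added example (not part of the presentation): an SPF evaluator for the mechanisms listed in the syntax slide (all, ip4, ip6, a, mx, include) with their qualifiers. DNS answers come from a constructed in-memory table: the nashcom.de record and the 157.90.30.24 address are the ones on the slides, notes.nashcom.de as its MX host is assumed, and example.org / provider.example are invented to exercise the other mechanisms.

```python
import ipaddress

# Constructed DNS data standing in for real lookups so the example runs offline.
# (name, rrtype) -> list of rdata strings.
DNS = {
    ("nashcom.de", "TXT"): ["v=spf1 mx ~all"],
    ("nashcom.de", "MX"): ["notes.nashcom.de"],          # assumed MX host
    ("notes.nashcom.de", "A"): ["157.90.30.24"],
    ("example.org", "TXT"): ["v=spf1 mx a:domino.example.org ip4:192.0.2.0/24 "
                             "include:_spf.provider.example -all"],
    ("example.org", "MX"): ["mx1.example.org"],
    ("mx1.example.org", "A"): ["198.51.100.10"],
    ("domino.example.org", "A"): ["198.51.100.20"],
    ("_spf.provider.example", "TXT"): ["v=spf1 ip4:203.0.113.0/24 -all"],
}

# Qualifier prefix of a mechanism -> SPF result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10   # RFC 7208 caps DNS-querying terms at 10 per check


def lookup(name, rrtype):
    return DNS.get((name.lower().rstrip("."), rrtype), [])


def host_has_addr(addr, host):
    """True if `host` has an A (or AAAA) record equal to `addr`."""
    rrtype = "AAAA" if addr.version == 6 else "A"
    return str(addr) in lookup(host, rrtype)


def check_spf(ip, domain, depth=0):
    """Evaluate the SPF policy of `domain` for the connecting address `ip`.

    Handles all, ip4, ip6, a, mx and include with their qualifiers. Not
    implemented here: ptr, exists, CIDR suffixes on a/mx, and the redirect=
    modifier (modifiers are skipped). Returns pass, fail, softfail, neutral,
    none or permerror.
    """
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    records = [r for r in lookup(domain, "TXT") if r.lower().split(" ", 1)[0] == "v=spf1"]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"          # RFC 7208 4.5: more than one record is an error
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        if "=" in term.split(":", 1)[0]:
            continue                # modifier such as redirect= or exp=, not evaluated here
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = host_has_addr(addr, arg or domain)
        elif mech == "mx":
            matched = any(host_has_addr(addr, mx) for mx in lookup(arg or domain, "MX"))
        elif mech == "include":
            # include matches only on a "pass" of the referenced domain's policy
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"      # unknown or unsupported mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"   # no term matched and the record has no "all"
```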
DomainKeys Identified Mail (DKIM)
Verifies that the content of a mail was not altered after it was sent
Used for reputation checking and spam prevention
https://www.youtube.com/watch?v=jy6YMzQZTz8&t=11s
DomainKeys Identified Mail (DKIM)
Verifies that the content of a mail was not altered after it was sent
Used for reputation checking and spam prevention
Non-repudiation – when a mail carries a DKIM signature, an organization can’t deny that it sent it
Depends on both a DNS TXT record and the sending mail server
Multiple DKIM DNS TXT records are allowed; each selector must be unique
CNAME forwarding is allowed
DMARC
Domain-based Message Authentication, Reporting and Conformance
https://dmarc.org
DMARC
Combines SPF and DKIM and lets you define policies for your domain
RFC 7489 - Domain-based Message Authentication, Reporting, and Conformance (DMARC)
https://datatracker.ietf.org/doc/html/rfc7489
Another DNS TXT record example
DMARC – Online Resources
What is DMARC?
https://www.mailjet.com/blog/news/some-words-about-dmarc
Google - Help prevent spoofing and spam with DMARC
https://support.google.com/a/answer/2466580
Build your DMARC Record
https://dmarcguide.globalcyberalliance.org
OpenSource DMARC Analyzer
https://domainaware.github.io/parsedmarc
DMARC Organization
https://dmarc.org
SMTP: Accept vs Reject vs Greylisting
Accept: Mail is accepted by the server and will be delivered to the recipient, moved to quarantine or moved to the trash
Reject: Mail won’t be accepted by the receiving mail server
Greylisted: Mail is temporarily not accepted (see next slide)
It’s better to reject mail than to accept mail and throw it in the trash bin
Uses no resources in your domain
As long as you don’t accept a message, you are not responsible for it
The sending host must deal with it
It should give the sender a Non-Delivery Report
In the case of a legitimate sender, they’ll know that they should contact you in another way
The same applies to a badly monitored quarantine
Greylisting
Greylisting is based on:
"the SMTP client retains responsibility for delivery of that message" (section 4.2.5)
and "mail that cannot be transmitted immediately MUST be queued and periodically retried by the sender." – RFC 5321
Proper mail servers will retry sending a mail; spammers usually won’t
Disadvantages:
Mail is delayed (by at least 30 minutes)
Retries might come from a different IP address
Uses more resources on sending servers
As a result, greylisting is controversial
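The greylisting behaviour described on this slide, as an added example (not Domino code and not part of the presentation): a decision function an SMTP listener would call per RCPT TO. It keys on the sender's /24 (or /64) rather than the exact address to soften the "retries from a different IP" problem, uses the slide's 30-minute delay, and forgets first attempts that are never retried. All timings and addresses in the test are constructed.

```python
import ipaddress
import time


class Greylist:
    """Minimal greylisting decision for an SMTP listener (constructed example).

    Keyed on the triplet (sender network, MAIL FROM, RCPT TO). A first delivery
    attempt gets a temporary 451 reply; a retry after `delay` seconds is
    accepted and the triplet is remembered so later mail passes immediately.
    """

    TEMP_FAIL = (451, "4.7.1 Greylisted, please retry later")
    ACCEPT = (250, "OK")

    def __init__(self, delay=30 * 60, ttl_pending=4 * 3600, ttl_known=36 * 24 * 3600):
        self.delay = delay              # minimum wait before a retry is accepted
        self.ttl_pending = ttl_pending  # forget first attempts never retried in time
        self.ttl_known = ttl_known      # how long a proven sender stays whitelisted
        self.pending = {}               # triplet -> time of first attempt
        self.known = {}                 # triplet -> time of last accepted mail

    @staticmethod
    def key(client_ip, mail_from, rcpt_to):
        # Key on the /24 (or /64) rather than the exact address: large senders
        # retry from other hosts in the same pool, which is the "retries might
        # come from a different IP address" problem on the slide.
        addr = ipaddress.ip_address(client_ip)
        prefix = 64 if addr.version == 6 else 24
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        return (str(net), mail_from.lower(), rcpt_to.lower())

    def expire(self, now):
        self.pending = {k: t for k, t in self.pending.items() if now - t < self.ttl_pending}
        self.known = {k: t for k, t in self.known.items() if now - t < self.ttl_known}

    def decide(self, client_ip, mail_from, rcpt_to, now=None):
        """Return the SMTP reply (code, text) for this RCPT TO."""
        now = time.time() if now is None else now
        self.expire(now)
        key = self.key(client_ip, mail_from, rcpt_to)
        if key in self.known:
            self.known[key] = now
            return self.ACCEPT
        first = self.pending.get(key)
        if first is None:
            self.pending[key] = now
            return self.TEMP_FAIL       # first attempt: ask the sender to retry
        if now - first < self.delay:
            return self.TEMP_FAIL       # retried too early, keep waiting
        del self.pending[key]
        self.known[key] = now           # proven retrier: whitelist the triplet
        return self.ACCEPT
```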
Submission vs Relaying
Mail client -> mail server: submission
Port 587, 465 or 25
Mail server -> mail server: relaying
Port 25
Secure transmission
Not to be confused with Secure mail (S/MIME)
Two methods:
STARTTLS (port 25 or 587)
Implicit TLS (port 465)
STARTTLS should be configured on every server
The session is established unencrypted on port 25 or port 587
The server signals that it supports TLS via the STARTTLS extension
The client issues the “STARTTLS” command
A new “EHLO” is used to restart the communication
The standard TLS handshake is used to negotiate the connection
Most servers don’t verify the certificates used for SMTP
Many servers still have default self-signed certs → lots of messages would be blocked
Most environments use “opportunistic” STARTTLS and do not enforce it
Client and server can decide whether they want to enforce it
Implicit TLS
SMTP over SSL on port 465 was established in 1997
Deprecated in 1998
Made a comeback in 2018 (RFC 8314)
Now the preferred method for email submission
TLS 1.2 and TLS 1.3 only (RFC 8997)
Domino Outbound SMTP Configuration
• DKIM
• StartTLS
• Implicit TLS
• Relay host
• Real-life examples
• Test your configuration
Outbound implementation for your domain
Method         DNS of your domain   Outbound mail server configuration
PTR Record     ✓                    -
SPF            ✓                    -
DKIM           ✓                    ✓
DMARC          ✓                    -
StartTLS       -                    ✓
Implicit TLS   -                    ✓
DKIM – Initial setup
HCL could have made this easy...
... but they didn’t. So here we go:
DKIM uses the OAuth Token Store
Also known as the Credential Store
The credential store is encrypted with a Notes Encryption Key
Which is stored in the server’s ID file
It must be shared among all servers that work with the credential store
The credential store can replicate inside a cluster
It can’t replicate outside a cluster
DKIM – Creating the credential store
• Check if you have a credential store
• Might have been created for “more secure internet passwords”
• Should be in the IBM_CredStore directory on the server
• If no file is found:
• From the Domino Console: (!)
• Keymgmt create nek credstorekey
Creates a Notes Encryption Key called “credstorekey”
• Keymgmt create credstore credstorekey
Creates the credential store / OAuth Token Store
DKIM – Creating DKIM Keys
• Two possible key types:
• RSA
Possible key lengths: 1024, 2048 or 4096 bits. 1024 bits is currently recommended for DKIM
• Ed25519
Newer and more efficient. Added in 2018. Not supported by all receiving mail servers. The key length is 256 bits and is implicit (not added in commands)
• keymgmt create DKIM <domain> <selector> <encryption type & strength>
domain: your domain (e.g. martdj.nl)
selector: alphanumeric string (e.g. rsa202407)
encryption type & strength: See above
• Examples:
RSA: keymgmt create DKIM martdj.nl rsa202407 rsa 1024
ED25519: keymgmt create DKIM martdj.nl ed20240705 Ed25519
server response: Created DKIM key Ed20240705._domainkey.martdj.nl
DKIM – Export DNS TXT Value
keymgmt export DKIM DNS martdj.nl ed20240705 martdj_nl_ed20240705.txt
Parse domain martdj.nl
Parse selector ed20240705
Parse filename martdj_nl_ed20240705.txt
Get DKIM key d=martdj.nl, s=ed20240705, No error
Get Key as PEM No error
Get Key as DNSKey v=DKIM1; k=ed25519; p=jUMDZCZSx8CaGYVlUbwNaGF5LXgEFwRhpXqSx4O8GvI=;, 68, No error
Exported DKIM key to DNS file /local/notesdata/martdj_nl_ed20240705.txt, No error
Contents of martdj_nl_ed20240705.txt
v=DKIM1; k=ed25519; p=jUMDZCZSx8CaGYVlUbwNaGF5LXgEFwRhpXqSx4O8GvI=;
Do the same for the RSA key
DKIM keys in OAuth Token Store
(screenshot of the OAuth Token Store)
DKIM – Add records to DNS
Add the DKIM key to DNS as a TXT record
Record name = selector + “._domainkey” (e.g. ed20240705._domainkey.martdj.nl)
Add both Ed25519 record and RSA record
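The DNS step above, as an added example (not part of the presentation and not Domino's keymgmt code): validate the exported TXT value, build the selector._domainkey record name, and render a zone-file line. The Ed25519 value is the one exported on the previous slides; the 255-octet splitting matters for RSA keys, whose p= value does not fit in one DNS character-string. The zone-file layout and TTL are assumptions.

```python
import base64


def parse_dkim_txt(value):
    """Parse the tag=value list of a DKIM DNS TXT record into a dict."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue            # trailing ';' as in the keymgmt export output
        k, sep, v = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[k.strip()] = "".join(v.split())   # RFC 6376 allows folding whitespace in values
    return tags


def validate_dkim_record(value):
    """Return (key_type, key_length_in_bytes) or raise ValueError.

    An empty p= is a revoked key (length 0). Ed25519 public keys must decode to
    exactly 32 bytes; RSA keys must be a DER SubjectPublicKeyInfo (starts with 0x30).
    """
    tags = parse_dkim_txt(value)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("unsupported DKIM version")
    if "p" not in tags:
        raise ValueError("missing p= tag")
    ktype = tags.get("k", "rsa")
    if tags["p"] == "":
        return ktype, 0
    key = base64.b64decode(tags["p"], validate=True)
    if ktype == "ed25519" and len(key) != 32:
        raise ValueError(f"ed25519 key must be 32 bytes, got {len(key)}")
    if ktype == "rsa" and key[:1] != b"\x30":
        raise ValueError("rsa key must be a DER SubjectPublicKeyInfo")
    return ktype, len(key)


def dns_record_name(selector, domain):
    """The owner name receivers query: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}"


def zone_file_line(selector, domain, value, ttl=3600):
    """Render a TXT record, splitting values longer than 255 octets into several
    quoted strings as the DNS wire format requires (needed for RSA 2048+ keys)."""
    validate_dkim_record(value)
    chunks = [value[i:i + 255] for i in range(0, len(value), 255)]
    quoted = " ".join(f'"{c}"' for c in chunks)
    return f"{dns_record_name(selector, domain)}. {ttl} IN TXT {quoted}"


# The value exported by keymgmt on the previous slides.
EXPORTED = "v=DKIM1; k=ed25519; p=jUMDZCZSx8CaGYVlUbwNaGF5LXgEFwRhpXqSx4O8GvI=;"

if __name__ == "__main__":
    print(zone_file_line("ed20240705", "martdj.nl", EXPORTED))
```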
DKIM – Add key to notes.ini
Enable DKIM on your server:
set config DKIM_KEY_martdj.nl=ed20240705,202206
set config RouterDKIMSigning=1
restart task router
(one selector per key type: Ed25519 and RSA)
DKIM
That didn’t seem too hard!
That was just the beginning...
DKIM in a cluster
If you didn’t have a credential store yet:
keymgmt export nek <nekname> <nekname>.key <password>
example: keymgmt export nek credstorekey credstorekey.key passw0rd
NEK > NEK credstorekey - Fingerprint A8C5 9018 C714 3F05 E574 93D9 5E70 005A 5371 4A71
NEK credstorekey exported successfully
Copy the file <nekname>.key to the cluster server(s)
keymgmt import nek overwrite <nekname>.key <password>
example: keymgmt import nek overwrite credstorekey.key passw0rd
NEK > NEK credstorekey - Fingerprint A8C5 9018 C714 3F05 E574 93D9 5E70 005A 5371 4A71
NEK credstorekey imported successfully
Create replicas of IBM_CredStore<credstorename>.nsf from the original server on the other servers in the cluster
DKIM in a cluster – notes.ini
Enable DKIM on every server
set config DKIM_KEY_<domain>=<selector1>,<selector2>
example: set config DKIM_KEY_martdj.nl=ed20240705,202206
set config RouterDKIMSigning=1
restart task router
Or add to the notes.ini section in the configuration document for a group of servers
DKIM outside a cluster
If you didn’t have a credential store yet:
See the previous section to export and import the Notes Encryption Key
Create a credstore (as documents in the credential store can only be decrypted inside a cluster)
Keymgmt create credstore credstorekey
DKIM outside a cluster – export DKIM keys
Export the DKIM keys to a temporary database
keymgmt export DKIM <dkimdb>.nsf <destination server>
example: keymgmt export DKIM dkimdb-pegasus.nsf Pegasus/SRV/Martinus
Credential Store Name : IBM_CredStorecredstore.nsf
Recovery Manager: Assigning new DBIID for /local/notesdata/IBM_CredStore/dkimdb-pegasus.nsf (need new backup for media recovery).
05-07-2024 11:46:12 Recovery Manager: Assigning new DBIID for /local/nif/IBM_CredStore/dkimdb-pegasus_nsf.ndx (need new backup for media recovery).
Exported DKIM keys No error
Copy or replicate temporary database to destination server
DKIM outside a cluster – Import DKIM keys
Import the DKIM keys into the credential store
keymgmt import <name of credential store> <name of temporary db.nsf>
example: keymgmt import credstore dkimdb-pegasus.nsf
Credential Store Name : IBM_CredStorecredstore.nsf
Credential Store imported successfully
Do this for every cluster or standalone server
Add the notes.ini parameters to each server that sends SMTP mail
set config DKIM_KEY_martdj.nl=ed20240705,202206
set config RouterDKIMSigning=1
restart task router
You can export / import multiple DKIM keys in one go
Enable Outbound STARTTLS
Set “Negotiated TLS” on SMTP Outbound
For servers that don’t support STARTTLS there’s a notes.ini setting to fall back to an unencrypted connection:
Notes.ini ROUTERFALLBACKNONTLS=1
SMTP over TLS
Implicit TLS
Uses port 465
Submitting vs Relaying
Port 587 has become the default port for submitting SMTP mail to a mail server
Port 25 is still the default port for relaying mail between mail servers
How to configure your SMTP outbound port depends on whether you use a relay host (to which your server is submitting mail) or whether your server is relaying mail directly to the recipient’s domain
Relay Host
Some reasons to use a relay host:
Your server can’t have a PTR record
Your server has no or limited access to the internet
The relay host is configured in the Configuration document
Required – will only make connections if authentication is supported
Enabled – will authenticate if supported, otherwise unauthenticated
IP address or FQDN. Can be multi-value
Relay Host – Protect your password
Name and password fields will be encrypted if the document is encrypted with a secret key
The secret key has to be imported into the IDs of all servers using this document and of all administrators
Otherwise:
Real-life scenarios
Sending mail
Scenario 1
Every server in the domain can send SMTP mail directly
(diagram: each Domino server relays mail directly to the destination domain’s SMTP server)
Scenario 1
Just make sure “SMTP used when sending messages outside of the local internet domain:” is enabled
Scenario 2
Servers are using a relay host to send mail to the internet
(diagram: the Domino servers submit mail to a relay host, which relays it to the destination domain’s SMTP server)
Scenario 2
Set the relay host in the configuration document
The Domino server now acts as a mail client
Depending on the relay host, you might have to change the port to 587 in your server document(s)
Scenario 3
Multiple servers, but only one can send mail to the internet
(diagram: the Domino servers route mail over NRPC to one Domino server, which relays it over SMTP to the destination domain)
Scenario 3 – Configuration document
(screenshots: settings for all servers vs. the server sending mail to the internet)
Scenario 3 – Foreign SMTP Domain document
Create a Foreign SMTP Domain document
All internet domains are routed to all_the_internet (custom label)
Scenario 3 – SMTP Connection document
Create an SMTP Connection document
Test your configuration
Send a mail to ping@tools.mxtoolbox.com
Check your mail or go to https://mxtoolbox.com/deliverability/EmailHeaders.aspx and enter your email address
Check the Email health of your domain
https://mxtoolbox.com/emailhealth
Domino Inbound SMTP Configuration
• Enable Inbound SMTP
• SMTP Inbound Site
• Inbound StartTLS
• Inbound Relay Control
• Inbound Recipient Check
• Sender’s domain
• Connecting Hostname
• Blacklists & Whitelists
• SPF & DKIM
• DMARC
• Spamgeek
Inbound SMTP implementation
Method         DNS of sender’s domain   Inbound mail server configuration
PTR Record     ✓                        ✓
SPF            ✓                        ✓
DKIM           ✓                        ✓
DMARC          ✓                        ✓
StartTLS       -                        ✓
Implicit TLS   -                        ✓
Enable Inbound SMTP
• Enable the SMTP listener task (server document – Basics)
• SMTP inbound port 25 enabled (server document – Ports – Mail)
(Port 465 only if Domino is accepting mail from other mail clients)
SMTP Inbound Site
If using Internet site documents, you must have an SMTP inbound internet site document
Enable inbound StartTLS
• Offers “negotiated TLS” over port 25
• Needs a TLS certificate
TLS credentials are taken from the CertStore based on the key file tag in the server document / internet site document
The key file tag must match a key file name (e.g. keyfile.kyr) assigned to your server
The key file tag can also be a FQDN
Inbound Relay Control
For external servers, ALWAYS ensure nobody can use your server as a “relay host”
A single “*” in the field means nobody can relay
Inbound Recipient Check
Setting in the same tab of the config document, further down in the form
Denies all recipients not found in the directory
Recommendation: Enabled
Sender’s domain
Verify sender’s domain in DNS
Checks whether mail from domain exists in DNS
Recommendation: Martijn – Enabled, Daniel – Disabled
Connecting hostname
Verify connecting hostname in DNS
Checks for a PTR record
Strong recommendation: Disabled
Blacklists & Whitelists
Blacklists / whitelists
Reasonably safe to log and reject
Log and tag, combined with a 3rd party tool / plugin would be better
But many 3rd party tools do the blacklist check themselves
SPF & DKIM
Inbound Sender Domain Authentication Controls
Too dangerous to log and reject
“Log and tag message” adds 2 fields to an incoming mail:
DKIM_Signature
Received_SPF
Can be used in mail rules
Or 3rd party plugins...
See SPF & DKIM results in the header
From an email: View – Show – Page Source
Authentication-Results: martdj.nl 1;
spf=pass smtp.mailfrom=n_i_bounces@insideapple.apple.com (sender IP 17.32.227.198);
dkim=pass header.s=insideapple0517 header.d=insideapple.apple.com
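What a DMARC check would do with these results, written out as an added example (not part of the presentation and not a Domino feature; this is the kind of logic a mail rule or 3rd-party plugin would need). It parses the Authentication-Results header shown above and applies a DMARC record's alignment modes and policy, covering both the DMARC slides earlier in the deck and this header. The DMARC record and the From: domains used in the checks are constructed; a real check fetches the record from _dmarc.<from-domain> in DNS and uses the Public Suffix List for the organizational domain.

```python
import re

# The header from the slide (constructed folding of the same content).
SAMPLE_HEADER = (
    "Authentication-Results: martdj.nl 1;\n"
    " spf=pass smtp.mailfrom=n_i_bounces@insideapple.apple.com (sender IP 17.32.227.198);\n"
    " dkim=pass header.s=insideapple0517 header.d=insideapple.apple.com"
)


def parse_tag_list(value):
    """Parse a 'tag=value; tag=value' list as used in DMARC (and DKIM) TXT records."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def organizational_domain(domain):
    """Approximation of the RFC 7489 organizational domain: the last two labels.
    Real implementations use the Public Suffix List (co.uk etc.); kept simple here."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' the same organizational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else organizational_domain(a) == organizational_domain(f)


def parse_authentication_results(header):
    """Return {method: (result, {property: value})} from an Authentication-Results
    header as Domino writes it (folded lines and parenthesised comments allowed)."""
    body = header.split(":", 1)[1] if header.lower().startswith("authentication-results:") else header
    body = re.sub(r"\([^)]*\)", " ", " ".join(body.split()))   # unfold, drop (comments)
    results = {}
    for clause in body.split(";")[1:]:          # clause 0 is the authserv-id (and version)
        parts = clause.split()
        if not parts:
            continue
        method, _, result = parts[0].partition("=")
        props = dict(p.partition("=")[::2] for p in parts[1:])
        results[method.lower()] = (result.lower(), props)
    return results


def dmarc_evaluate(auth_results_header, from_domain, dmarc_record):
    """Apply the DMARC record of the From: domain to the SPF/DKIM results.

    Returns (dmarc_result, disposition): disposition is the record's p= policy
    (none/quarantine/reject) on failure and 'none' on pass. Offline
    simplification: the record is passed in rather than fetched from DNS, and
    the pct= and sp= tags are ignored.
    """
    tags = parse_tag_list(dmarc_record)
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    results = parse_authentication_results(auth_results_header)
    spf_result, spf_props = results.get("spf", ("none", {}))
    spf_domain = spf_props.get("smtp.mailfrom", "").rpartition("@")[2]
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_result, dkim_props = results.get("dkim", ("none", {}))
    dkim_ok = dkim_result == "pass" and aligned(dkim_props.get("header.d", ""), from_domain,
                                                tags.get("adkim", "r"))
    if spf_ok or dkim_ok:        # DMARC passes if either aligned identifier passes
        return "pass", "none"
    return "fail", tags.get("p", "none")
```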
DMARC
We hope…
You can still vote: https://domino-ideas.hcltechsw.com/ideas/IDEAMLCT-I-6
All Domino checks are binary...
Modern anti-spam systems use a reputational score based on all these previous parameters
We currently can’t do that in Domino
Introducing SpamGeek
SMTP protocol extension manager created by Daniel Nashed
The tool and basic support are free; complex questions or scenarios are consulting
Adds flexible anti-spam features to Domino
Good for small environments and offers a lot of tracing
SMTP debug parameters
SMTPDebug
This parameter can be set to capture inbound SMTP protocol conversations. This covers all messages received by the SMTP listener from all clients and servers via the SMTP protocol.
1 - Enable minimal logging of the SMTP listener
2 - Enable information logging of data sent and received along with some additional debugging information. This setting shows the commands and responses being received/sent along with the number of bytes being transmitted. However, it does not include the text that is transmitted.
3 - Enable verbose logging of data sent and received. Along with the information recorded at setting 2, this level shows the actual text received/sent via SMTP. Note that this does not include the text body of messages.
4 - This is the most verbose setting.
SMTPDebugIO
Description: Enables the logging of all data received by the SMTP listener task:
0 - No logging
1 - Number of bytes sent and received during the SMTP conversation
3 - Logs all data received by the SMTP task
4 - RFC822 data (message data)
• Syntax: SMTPDebugIO=value
• Caution: Use SMTPDebugIO only when necessary and disable it again as soon as possible. It can cause the log file to grow very large, and it logs the contents of received messages.
• Applies to: SMTP servers
• Default: 0
• UI equivalent: None
Useful Resources
https://blog.martdj.nl
Martijn’s blog
https://blog.nashcom.de
Daniel’s blog
https://mxtoolbox.com
Check your configuration and whether your server is listed on blacklists
https://talosintelligence.com/
Daniel’s tip to check your reputational score
https://mailtrap.io/blog/smtp-commands-and-responses/
Useful site to understand return codes in an SMTP communication
Questions?

More Related Content

PPTX
OVN operationalization at scale at eBay
DOCX
Resume Owais
XLS
Salary slip
PPTX
MPLS Layer 3 VPN
PPTX
Basic BGP Configuration
PPTX
Présentation Exchange 2010
PPTX
.NET Conf 2022 - Networking in .NET 7
PPTX
LTM essentials
OVN operationalization at scale at eBay
Resume Owais
Salary slip
MPLS Layer 3 VPN
Basic BGP Configuration
Présentation Exchange 2010
.NET Conf 2022 - Networking in .NET 7
LTM essentials

What's hot (20)

ODP
VPC Implementation In OpenStack Heat
PPT
Masakari project onboarding
PDF
Implementing BGP Flowspec at IP transit network
PDF
金融 API 時代のセキュリティ: OpenID Financial API (FAPI) WG
PPT
Juniper mpls best practice part 2
PPTX
마이크로서비스 개요
PPTX
DoH, DoT and ESNI
PDF
Palo alto-review
PPT
Dhcp presentation
PPTX
Big ip f5 ltm load balancing methods
PPTX
GitLab for CI/CD process
PDF
webservice scaling for newbie
PDF
PDF
RNUG - Dirty Secrets of the Notes Client
DOC
Study Notes BGP Exam
PDF
4 palo alto licenses
PPTX
Igmp presentation
PDF
20150511 jun lee_openstack neutron 분석 (최종)
PDF
Iperf Tutorial
PPTX
Git Pull Requests
VPC Implementation In OpenStack Heat
Masakari project onboarding
Implementing BGP Flowspec at IP transit network
金融 API 時代のセキュリティ: OpenID Financial API (FAPI) WG
Juniper mpls best practice part 2
마이크로서비스 개요
DoH, DoT and ESNI
Palo alto-review
Dhcp presentation
Big ip f5 ltm load balancing methods
GitLab for CI/CD process
webservice scaling for newbie
RNUG - Dirty Secrets of the Notes Client
Study Notes BGP Exam
4 palo alto licenses
Igmp presentation
20150511 jun lee_openstack neutron 분석 (최종)
Iperf Tutorial
Git Pull Requests
Ad

Similar to How to use Domino as a Mail Server in a Modern World (20)

PDF
The not so simple mail transport protocol @dpcon 2018
PPT
Mail services
PDF
Join the fight against email spam! - SweetlakePHP
PDF
Join the fight against email spam! - EmmenPHP
PPT
how email works
PDF
Prism-Proof Cloud Email Services
PDF
TLS, SPF, DKIM, DMARC, authenticated email
PDF
An Introduction To The DMARC SMTP Validation Requirements
PPT
internet applications
PDF
smtp relay services.pdf
PPTX
Simple Mail Transfer Protocol
PPSX
SMTP(simple mail transfer protocol).ppsx
PPTX
Jipdec 20131216-english
PPTX
Simple Mail Transfer Protocol
PDF
Email - Electronic Mail
DOCX
Article on SMPT
PPTX
Simple Mail Transfer Protocol
PPT
12 - E-Mail.ppt
PPT
12 - E-Mail.ppt
PPTX
Technical Background Overview Ppt
The not so simple mail transport protocol @dpcon 2018
Mail services
Join the fight against email spam! - SweetlakePHP
Join the fight against email spam! - EmmenPHP
how email works
Prism-Proof Cloud Email Services
TLS, SPF, DKIM, DMARC, authenticated email
An Introduction To The DMARC SMTP Validation Requirements
internet applications
smtp relay services.pdf
Simple Mail Transfer Protocol
SMTP(simple mail transfer protocol).ppsx
Jipdec 20131216-english
Simple Mail Transfer Protocol
Email - Electronic Mail
Article on SMPT
Simple Mail Transfer Protocol
12 - E-Mail.ppt
12 - E-Mail.ppt
Technical Background Overview Ppt
Ad

More from Martijn de Jong (8)

PDF
2024: Domino Containers - The Next Step. News from the Domino Container commu...
PDF
AD11 Starting with Domino on Docker.pdf
PDF
Customising Your TDI Assemblyline
PDF
Stabilising a large ibm connections environment
PDF
Lessons Learned from a major IBM Collaboration Solutions Deployment
PDF
Domino policies deep dive
PDF
Lug2009 Email Management
ODP
BP101 - 10 Things to Consider when Developing & Deploying Applications in Lar...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
AD11 Starting with Domino on Docker.pdf
Customising Your TDI Assemblyline
Stabilising a large ibm connections environment
Lessons Learned from a major IBM Collaboration Solutions Deployment
Domino policies deep dive
Lug2009 Email Management
BP101 - 10 Things to Consider when Developing & Deploying Applications in Lar...

Recently uploaded (20)

PPT
Teaching material agriculture food technology
PDF
cuic standard and advanced reporting.pdf
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
PDF
Spectral efficient network and resource selection model in 5G networks
PDF
Empathic Computing: Creating Shared Understanding
PDF
NewMind AI Weekly Chronicles - August'25 Week I
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
PPTX
Programs and apps: productivity, graphics, security and other tools
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
PPTX
MYSQL Presentation for SQL database connectivity
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
PPTX
Cloud computing and distributed systems.
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
PPTX
Spectroscopy.pptx food analysis technology
PDF
Chapter 3 Spatial Domain Image Processing.pdf
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
PPTX
Understanding_Digital_Forensics_Presentation.pptx
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
PDF
Encapsulation theory and applications.pdf
Teaching material agriculture food technology
cuic standard and advanced reporting.pdf
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Spectral efficient network and resource selection model in 5G networks
Empathic Computing: Creating Shared Understanding
NewMind AI Weekly Chronicles - August'25 Week I
Building Integrated photovoltaic BIPV_UPV.pdf
Programs and apps: productivity, graphics, security and other tools
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
MYSQL Presentation for SQL database connectivity
Digital-Transformation-Roadmap-for-Companies.pptx
Cloud computing and distributed systems.
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
Spectroscopy.pptx food analysis technology
Chapter 3 Spatial Domain Image Processing.pdf
The Rise and Fall of 3GPP – Time for a Sabbatical?
Understanding_Digital_Forensics_Presentation.pptx
“AI and Expert System Decision Support & Business Intelligence Systems”
Mobile App Security Testing_ A Comprehensive Guide.pdf
Encapsulation theory and applications.pdf

How to use Domino as a Mail Server in a Modern World

  • 1. Martijn de Jong (e-office) Daniel Nashed (Nash!Com) How to use Domino as a Mail Server in a Modern World Or how to get your mails in your customer’s mailboxes and spam out of yours
  • 2. Martijn de Jong • Senior HCL Consultant @ e-office • Studied electrical engineering, psychology and music • Working with “Lotus” portfolio since 2000 • https://blog.martdj.nl @martdj
  • 3. Agenda SMTP Basics Outbound SMTP configuration in Domino Inbound SMTP configuration in Domino
  • 4. SMTP Basics SMTP History SMTP Protocol PTR Record Sender Policy Framework (SPF) Domain Keys Identified Mail (DKIM) Domain-based Message Authentication, Reporting & Conformance (DMARC) SMTP submission vs SMTP relaying SMTP: Accept vs Reject vs Greylisting Secure transmission
  • 5. SMTP History 1981: Simple Mail Transfer Protocol (SMTP) – RFC 788 - Jonathan B. (Jon) Postel “by design, every SMTP server was an open mail relay” 1995: Extended Simple Mail Transfer Protocol (ESMTP) – RFC 1869 1998: Message submission – RFC 2476 1999: SMTP Service Extension for Authentication – RFC 2554 2001: Simple Mail Transfer Protocol – RFC 2821 2008: Simple Mail Transfer Protocol – RFC 5321 2011: DomainKeys Identified Mail (DKIM) Signatures – RFC 6376 2014: Sender Policy Framework (SPF) – RFC 7208 2015: Domain-based Message Authentication, Reporting, and Conformance (DMARC) – RFC 7489 2015: SMTP 521 and 556 Reply Codes – RFC 7504 2018: Cryptographic Algorithm and Key Usage Update to DomainKeys Identified Mail (DKIM) – RFC 8301 2018: Use of Transport Layer Security (TLS) for Email Submission and Access – RFC 8314 2018: A New Cryptographic Signature Method for DomainKeys Identified Mail (DKIM) – RFC 8463 2019: Email Authentication for Internationalized Mail – RFC8616 2021: Deprecation of TLS 1.1 for Email Submission and Access – RFC 8997
  • 6. SMTP Protocol example S: 220 smtp.example.com ESMTP Postfix C: HELO relay.example.org S: 250 Hello relay.example.org, I am glad to meet you C: MAIL FROM:<bob@example.org> S: 250 Ok C: RCPT TO:<alice@example.com> S: 250 Ok C: RCPT TO:<theboss@example.com> S: 250 Ok C: DATA S: 354 End data with <CR><LF>.<CR><LF> C: From: "Bob Example" bob@example.org C: To: "Alice Example" <alice@example.com> C: Cc: theboss@example.com C: Date: Tue, 15 Jan 2008 16:02:43 -0500 C: Subject: Test message C: C: Hello Alice. C: This is a test message with 5 header fields and 4 lines in the message body. C: Your friend, C: Bob C: . S: 250 Ok: queued as 12345 C: QUIT S: 221 Bye {The server closes the connection}
  • 7. PTR record Every mail starts with a connection: SMTP Server: notes.nashcom.de (157.90.30.24) connected Reverse DNS lookup – Does 157.90.30.24 belong to notes.nashcom.de? Looks for a PTR record
  • 8. PTR record lookup dig 24.30.90.157.in-addr.arpa PTR ; <<>> DiG 9.16.23-RH <<>> 24.30.90.157.in-addr.arpa PTR ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32637 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ; COOKIE: d39bb4213a56db7901000000668e58c4cde082e76f760d4c (good) ;; QUESTION SECTION: ;24.30.90.157.in-addr.arpa. IN PTR ;; ANSWER SECTION: 24.30.90.157.in-addr.arpa. 81732 IN PTR notes.nashcom.de.
  • 9. PTR Record PTR records can only be set by the owner of your IP address(es) That’s usually your internet or hosting provider Some provide an admin interface to set your PTR record Some provide no PTR records No PTR record or non-matching PTR record => huge hit on your reputational score!
  • 10. Reputational Score Anti-spam measures work with a reputational score The score is calculated based on: The sending server (PTR record, blacklists, SPF) The domain of the sender (SPF, DKIM, DMARC) The mail content The higher the score, the better your chance your mail is delivered in the inbox of the intended recipient
  • 11. SPF, DKIM & DMARC SPF: Is the sending server allowed to send mail for this domain? DKIM: Is this mail from this domain really sent from this domain? DMARC: What to do with the result of the previous checks? SPF DKIM DMARC
  • 12. Sender Policy Framework Server tries to drop a mail at the server: C: EHLO notes.nashcom.de S: 250-poseidon.martdj.nl Hello notes.nashcom.de ([157.90.30.24]), pleased to meet you C: MAIL FROM:nsh@nashcom.de Check in DNS if 157.90.30.24 is allowed to send mail from nashcom.de
• 13. SPF – DNS TXT Record
  RFC 7208 - Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1
  https://datatracker.ietf.org/doc/html/rfc7208
  Defines which hosts are allowed to send mail for a domain
  DNS TXT record for a domain or sub-domain with a flexible rule set
  Example:
    host -t txt nashcom.de
    -> nashcom.de descriptive text "v=spf1 mx ~all"
    Only allows the hosts in the domain's MX records to send mail
  More complex example (dnug.de):
    v=spf1 mx a:domino.dnug.de ip4:87.230.23.16 include:spf.nl2go.com include:mail.zendesk.com include:spf.ce.cloud-y.com -all
• 15. Sender Policy Framework
  A server tries to deliver a mail to our server:
  C: EHLO notes.nashcom.de
  S: 250-poseidon.martdj.nl Hello notes.nashcom.de ([157.90.30.24]), pleased to meet you
  C: MAIL FROM:nsh@nashcom.de
  Check in DNS whether 157.90.30.24 is allowed to send mail for nashcom.de
  SPF DNS TXT record for nashcom.de: v=spf1 mx ~all
  MX lookup: the connecting IP matches the domain's MX host → SPF Pass
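An added example (not from the deck) of the check the receiving server performs on the two slides above: a small SPF evaluator for the mechanisms the records on slide 13 use (mx, a, a:host, ip4:, include:, ~all/-all). DNS answers are a constructed in-memory table so it runs offline; the include: target spf.example and the 203.0.113.x / 198.51.100.x addresses are placeholders, only nashcom.de, notes.nashcom.de, 157.90.30.24 and the dnug.de mechanisms come from the slides.

```python
import ipaddress

# Constructed DNS answers mirroring the deck's records. nashcom.de, notes.nashcom.de,
# 157.90.30.24 and the dnug.de mechanisms come from the slides; the include: target
# and the other addresses are placeholders (documentation ranges).
DNS = {
    "TXT": {
        "nashcom.de": "v=spf1 mx ~all",
        "dnug.de": "v=spf1 mx a:domino.dnug.de ip4:87.230.23.16 include:spf.example -all",
        "spf.example": "v=spf1 ip4:198.51.100.0/24 -all",
    },
    "MX": {"nashcom.de": ["notes.nashcom.de"], "dnug.de": ["mail.dnug.de"]},
    "A": {
        "notes.nashcom.de": ["157.90.30.24"],
        "mail.dnug.de": ["203.0.113.10"],
        "domino.dnug.de": ["203.0.113.20"],
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def host_has_ip(ip, hostname):
    """True if one of hostname's A records is the connecting IP."""
    return any(ip == ipaddress.ip_address(a) for a in DNS["A"].get(hostname, []))


def check_spf(client_ip, domain, depth=0):
    """Evaluate the SPF record of `domain` for the connecting `client_ip`.
    Returns pass / fail / softfail / neutral / none / permerror as in RFC 7208."""
    if depth > 10:                              # RFC 7208 caps include: recursion
        return "permerror"
    record = DNS["TXT"].get(domain)
    if not record or not record.lower().startswith("v=spf1"):
        return "none"                           # no SPF record published
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:             # mechanisms left to right, first match wins
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = host_has_ip(ip, arg or domain)
        elif mech == "mx":
            matched = any(host_has_ip(ip, mx) for mx in DNS["MX"].get(arg or domain, []))
        elif mech == "include":
            sub = check_spf(client_ip, arg, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"              # RFC 7208: including a missing record is an error
            matched = sub == "pass"
        else:
            return "permerror"                  # unsupported mechanism (ip6, exists, ...)
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                            # record ended without an "all" term
```

A real implementation also has to enforce the RFC's limit of 10 DNS-querying terms per evaluation, which this offline table does not model.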
• 16. DomainKeys Identified Mail (DKIM)
  Verifies that the content of a mail was not altered after it was sent
  Used for reputation checking and spam prevention
  https://www.youtube.com/watch?v=jy6YMzQZTz8&t=11s
• 17. DomainKeys Identified Mail (DKIM)
  Verifies that the content of a mail was not altered after it was sent
  Used for reputation checking and spam prevention
  Non-repudiability – when a mail is sent with a DKIM signature, an organization can't deny that it was sent by them
  Depends on both a DNS TXT record and the sending mail server
  Multiple DKIM DNS TXT records are allowed; the selector should be unique
  CNAME forwarding is allowed
• 18. DMARC
  Domain-based Message Authentication, Reporting and Conformance
  https://dmarc.org
• 19. DMARC
  Combines SPF and DKIM and allows you to define policies for your domain
  RFC 7489 - Domain-based Message Authentication, Reporting, and Conformance (DMARC)
  https://datatracker.ietf.org/doc/html/rfc7489
  Also published as a DNS TXT record (example on slide)
• 20. DMARC – Online Resources
  What is DMARC? https://www.mailjet.com/blog/news/some-words-about-dmarc
  Google - Help prevent spoofing and spam with DMARC https://support.google.com/a/answer/2466580
  Build your DMARC Record https://dmarcguide.globalcyberalliance.org
  Open source DMARC analyzer https://domainaware.github.io/parsedmarc
  DMARC Organization https://dmarc.org
• 21. SMTP: Accept vs Reject vs Greylisting
  Accept: Mail is accepted by the server and will be delivered to the recipient, moved to quarantine or moved to the trash
  Reject: Mail won't be accepted by the receiving mail server
  Greylisted: Mail is temporarily not accepted (see next slide)
  It's better to reject mail than to accept it and throw it in the trash bin:
    Uses no resources in your domain
    As long as you don't accept a message, you are not responsible for it
    The sending host must deal with it
      It should give the sender a Non Delivery Report
      A legitimate sender will then know that they should contact you another way
    The same applies to a badly monitored quarantine
• 22. Greylisting
  Greylisting is based on RFC 5321: "the SMTP client retains responsibility for delivery of that message" (section 4.2.5) and "mail that cannot be transmitted immediately MUST be queued and periodically retried by the sender."
  Proper mail servers will retry sending a mail. Spammers usually won't
  Disadvantages:
    Mail is delayed (by at least 30 minutes)
    Retries might come from a different IP address
    Uses more resources on sending servers
  As a result, greylisting is controversial
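An added example (not from the deck, and not a Domino feature) of the greylisting decision described above: a triplet store that temp-fails the first attempt and accepts a retry once a minimum delay has passed. The triplet is keyed on the sender's /24 network instead of the exact address so that a retry from a neighbouring outbound host, the "different IP address" problem noted on the slide, is still recognised; the delay and lifetime values are assumed policy defaults.

```python
import ipaddress


class Greylist:
    """Greylisting decision at RCPT TO time, keyed on (sender /24, MAIL FROM, RCPT TO).
    Delays and lifetimes are assumed policy values, not Domino settings."""

    TEMPFAIL = "451 4.7.1 Greylisted, please try again later"
    ACCEPT = "250 2.1.5 Ok"

    def __init__(self, min_delay=300, unknown_ttl=4 * 3600, known_ttl=36 * 24 * 3600):
        self.min_delay = min_delay        # seconds a first attempt must wait before a retry counts
        self.unknown_ttl = unknown_ttl    # forget triplets that never retry
        self.known_ttl = known_ttl        # keep proven senders this long after their last delivery
        self._pending = {}                # triplet -> time of first attempt
        self._known = {}                  # triplet -> time of last accepted delivery

    @staticmethod
    def triplet(client_ip, mail_from, rcpt_to):
        # /24 instead of the exact address: large senders retry from a pool of
        # outbound hosts (IPv4 assumed; an IPv6 sender would need a wider prefix).
        net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        return (str(net), mail_from.lower(), rcpt_to.lower())

    def decide(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply for this attempt; `now` is a Unix timestamp."""
        key = self.triplet(client_ip, mail_from, rcpt_to)
        last = self._known.get(key)
        if last is not None and now - last <= self.known_ttl:
            self._known[key] = now        # proven sender: accept without delay
            return self.ACCEPT
        first = self._pending.get(key)
        if first is None or now - first > self.unknown_ttl:
            self._pending[key] = now      # first sight: ask the client to queue and retry
            return self.TEMPFAIL
        if now - first < self.min_delay:
            return self.TEMPFAIL          # retried too fast, keep waiting
        del self._pending[key]            # a proper MTA retried: trust this triplet
        self._known[key] = now
        return self.ACCEPT
```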
• 23. Submission vs Relaying
  Mail client -> mail server: submission
    Port 587, 465 or port 25
  Mail server -> mail server: relaying
    Port 25
• 24. Secure transmission
  Not to be confused with secure mail (S/MIME)
  Two methods:
    STARTTLS (port 25 or 587)
    Implicit TLS (port 465)
• 25. STARTTLS
  Should be configured on every server
  Session is established unencrypted on port 25 or port 587
  Server signals it supports TLS via the STARTTLS extension
  Client issues the "STARTTLS" command
  A new "EHLO" is used to restart the communication
  Standard TLS handshake is used to negotiate the connection
  Most servers don't verify certificates used for SMTP
    Many servers still have default self-signed certs → verifying them would block lots of messages
  Most environments use "opportunistic" STARTTLS and do not enforce it
    Client and server can each decide whether they want to enforce it
• 26. Implicit TLS
  SMTP over SSL on port 465 was established in 1997
  Deprecated in 1998
  Made a comeback in 2018 (RFC 8314)
  Now the preferred method for email submission
  TLS 1.2 and TLS 1.3 only (RFC 8997)
• 27. Domino Outbound SMTP Configuration
  • DKIM
  • StartTLS
  • Implicit TLS
  • Relay host
  • Real-life examples
  • Test your configuration
• 28. Outbound implementation for your domain
  Method        DNS of your domain   Outbound mail server configuration
  PTR Record    ✓                    -
  SPF           ✓                    -
  DKIM          ✓                    ✓
  DMARC         ✓                    -
  StartTLS      -                    ✓
  Implicit TLS  -                    ✓
• 29. DKIM – Initial setup
  HCL could have made this easy... but they didn't. So here we go:
  DKIM uses the OAuth Token Store, also known as the Credential Store
  The credential store is encrypted with a Notes Encryption Key
    Which is stored in the server's ID file
    It must be shared among all servers that work with the credential store
  The credential store can replicate inside a cluster
    It can't replicate outside a cluster
• 30. DKIM – Creating the credential store
  • Check if you have a credential store
    • Might have been created for "more secure internet passwords"
    • Should be in the IBM_CredStore directory on the server
  • If no file is found, from the Domino Console (!):
    • keymgmt create nek credstorekey
      Creates a Notes Encryption Key called "credstorekey"
    • keymgmt create credstore credstorekey
      Creates the credential store / OAuth Token Store
• 31. DKIM – Creating DKIM Keys
  • 2 possible encryption types:
    • RSA – possible key length: 1024, 2048 or 4096 bits. 1024 bits currently recommended for DKIM
    • Ed25519 – newer & more efficient. Added in 2018. Not supported by all receiving mail servers. Key length is 256 bits and is implicit (not added in commands)
  • keymgmt create DKIM <domain> <selector> <encryption type & strength>
    domain: your domain (e.g. martdj.nl)
    selector: alphanumeric string (e.g. rsa202407)
    encryption type & strength: see above
  • Examples:
    RSA:     keymgmt create DKIM martdj.nl rsa202407 rsa 1024
    Ed25519: keymgmt create DKIM martdj.nl ed20240705 Ed25519
    Server response: Created DKIM key Ed20240705._domainkey.martdj.nl
• 32. DKIM – Export DNS TXT Value
  keymgmt export DKIM DNS martdj.nl ed20240705 martdj_nl_ed20240705.txt
    Parse domain martdj.nl
    Parse selector ed20240705
    Parse filename martdj_nl_ed20240705.txt
    Get DKIM key d=martdj.nl, s=ed20240705, No error
    Get Key as PEM No error
    Get Key as DNSKey v=DKIM1; k=ed25519; p=jUMDZCZSx8CaGYVlUbwNaGF5LXgEFwRhpXqSx4O8GvI=;, 68, No error
    Exported DKIM key to DNS file /local/notesdata/martdj_nl_ed20240705.txt, No error
  Contents of martdj_nl_ed20240705.txt:
    v=DKIM1; k=ed25519; p=jUMDZCZSx8CaGYVlUbwNaGF5LXgEFwRhpXqSx4O8GvI=;
  Do the same for the RSA key
• 33. DKIM keys in OAuth Token Store (screenshot of the OAuth Token Store)
• 34. DKIM – Add records to DNS
  Add the DKIM key to DNS as a TXT record
  Record name = selector + "._domainkey" (e.g. ed20240705._domainkey.martdj.nl)
  Add both the Ed25519 record and the RSA record
• 35. DKIM – Add key to notes.ini
  Enable DKIM on your server:
    set config DKIM_KEY_martdj.nl=ed20240705,202206
    set config RouterDKIMSigning=1
    restart task router
  (ed20240705 = Ed25519 selector, 202206 = RSA selector)
• 36. DKIM
  That didn't seem too hard!
  That was just the beginning...
• 37. DKIM in a cluster
  If you didn't have a credential store yet:
  keymgmt export nek <nekname> <nekname>.key <password>
  example: keymgmt export nek credstorekey credstorekey.key passw0rd
    NEK > NEK credstorekey - Fingerprint A8C5 9018 C714 3F05 E574 93D9 5E70 005A 5371 4A71
    NEK credstorekey exported successfully
  Copy file <nekname>.key to the cluster server(s)
  keymgmt import nek overwrite <nekname>.key <password>
  example: keymgmt import nek overwrite credstorekey.key passw0rd
    NEK > NEK credstorekey - Fingerprint A8C5 9018 C714 3F05 E574 93D9 5E70 005A 5371 4A71
    NEK credstorekey imported successfully
  Create replicas of IBM_CredStore<credstorename>.nsf from the original server on the other servers in the cluster
• 38. DKIM in a cluster – notes.ini
  Enable DKIM on every server:
    set config DKIM_KEY_<domain>=<selector1>,<selector2>
    example: set config DKIM_KEY_martdj.nl=ed20240705,202206
    set config RouterDKIMSigning=1
    restart task router
  Or add the settings to the notes.ini section in the configuration document for a group of servers
• 39. DKIM outside a cluster
  If you didn't have a credential store yet:
    See the previous section to export and import the Notes Encryption Key
    Create a credstore (as documents in the credential store can only be decrypted inside a cluster):
      keymgmt create credstore credstorekey
• 40. DKIM outside a cluster – export DKIM keys
  Export the DKIM keys to a temporary database:
  keymgmt export DKIM <dkimdb>.nsf <destination server>
  example: keymgmt export DKIM dkimdb-pegasus.nsf Pegasus/SRV/Martinus
    Credential Store Name : IBM_CredStorecredstore.nsf
    Recovery Manager: Assigning new DBIID for /local/notesdata/IBM_CredStore/dkimdb-pegasus.nsf (need new backup for media recovery).
    05-07-2024 11:46:12 Recovery Manager: Assigning new DBIID for /local/nif/IBM_CredStore/dkimdb-pegasus_nsf.ndx (need new backup for media recovery).
    Exported DKIM keys No error
  Copy or replicate the temporary database to the destination server
• 41. DKIM outside a cluster – Import DKIM keys
  Import the DKIM keys into the Credential Store:
  keymgmt import <name of credential store> <name of temporary db.nsf>
  example: keymgmt import credstore dkimdb-pegasus.nsf
    Credential Store Name : IBM_CredStorecredstore.nsf
    Credential Store imported successfully
  Do this for every cluster or server
  Add the notes.ini parameters to each server that sends SMTP mail:
    set config DKIM_KEY_martdj.nl=ed20240705,202206
    set config RouterDKIMSigning=1
    restart task router
  You can export / import multiple DKIM keys in one go
• 42. Enable Outbound STARTTLS
  Set "Negotiated TLS" on SMTP Outbound
  For servers that don't support StartTLS there's a notes.ini setting to fall back to an unencrypted connection:
    ROUTERFALLBACKNONTLS=1
• 43. SMTP over TLS
  Implicit TLS
  Uses port 465
• 44. Submitting vs Relaying
  Port 587 has become the default port for submitting SMTP mail to a mail server
  Port 25 is still the default port for relaying mail between mail servers
  How to configure your SMTP outbound port depends on whether you use a relay host (to which your server is submitting mail) or whether your server is relaying mail directly to the recipient's domain
• 45. Relay Host
  Some reasons to use a relay host:
    Your server can't have a PTR record
    Your server has no or limited access to the internet
  The relay host is configured in the Configuration document:
    IP address or FQDN; can be multi-value
    Required – will only make connections if authentication is supported
    Enabled – will authenticate if supported, otherwise connects unauthenticated
• 46. Relay Host – Protect your password
  Name and password fields will be encrypted if the document is encrypted with a secret key
  The secret key has to be imported into the IDs of all servers using this document and of all administrators
  Otherwise:
• 48. Scenario 1
  Every server in the domain can send SMTP mail directly
  (diagram: Domino servers → mail relay → SMTP server of the destination domain)
• 49. Scenario 1
  Just make sure "SMTP used when sending messages outside of the local internet domain:" is enabled
• 50. Scenario 2
  Servers are using a relay host to send mail to the internet
  (diagram: Domino servers → mail submission → relay host → mail relay → SMTP server of the destination domain)
• 51. Scenario 2
  Set the relay host in the configuration document
  The Domino server now acts as a mail client
  Depending on the relay host, you might have to change the port to 587 in your server document(s)
• 52. Scenario 3
  Multiple servers, but only one can send mail to the internet
  (diagram: Domino servers → NRPC mail → Domino server → SMTP mail relay → SMTP server of the destination domain)
• 53. Scenario 3 – Configuration document
  (screenshots: settings for all servers; settings for the server sending mail to the internet)
• 54. Scenario 3 – Foreign SMTP Domain document
  Create a Foreign SMTP Domain document
  All internet domains are routed to all_the_internet (custom label)
• 55. Scenario 3 – SMTP Connection document
  Create an SMTP Connection document
• 56. Test your configuration
  Send a mail to ping@tools.mxtoolbox.com
  Check your mail, or go to https://mxtoolbox.com/deliverability/EmailHeaders.aspx and enter your email address
  Check the email health of your domain: https://mxtoolbox.com/emailhealth
• 57. Domino Inbound SMTP Configuration
  • Enable Inbound SMTP
  • SMTP Inbound Site
  • Inbound StartTLS
  • Inbound Relay Control
  • Inbound Recipient Check
  • Sender's domain
  • Connecting Hostname
  • Blacklists & Whitelists
  • SPF & DKIM
  • DMARC
  • Spamgeek
• 58. Inbound SMTP implementation
  Method        DNS of sender's domain   Inbound mail server configuration
  PTR Record    ✓                        ✓
  SPF           ✓                        ✓
  DKIM          ✓                        ✓
  DMARC         ✓                        ✓
  StartTLS      -                        ✓
  Implicit TLS  -                        ✓
• 59. Enable Inbound SMTP
  • Enable the SMTP listener task: server document – Basics
  • SMTP Inbound port 25 enabled: server document – Ports – Mail
    (Port 465 only if Domino is accepting mail from other mail clients)
• 60. SMTP Inbound Site
  If using Internet Site documents, you must have an SMTP inbound internet site document
• 61. Enable inbound StartTLS
  • Offers "negotiated TLS" over port 25
  • Needs a TLS certificate
    TLS credentials are used from the CertStore based on the key file tag in the server document / internet site
    The key file tag must match a key file name (e.g. keyfile.kyr) assigned to your server
    The key file tag can also be a FQDN
• 62. Inbound Relay Control
  For an external server ALWAYS ensure nobody can use your server as a "Relay Host"
  The single "*" in the field means nobody can relay
• 63. Inbound Recipient Check
  Setting in the same tab of the configuration document, further down in the form
  Denies all recipients not found in the directory
  Recommendation: Enabled
• 64. Sender's domain
  Verify sender's domain in DNS
  Checks whether the MAIL FROM domain exists in DNS
  Recommendation: Martijn – Enabled, Daniel – Disabled
• 65. Connecting hostname
  Verify connecting hostname in DNS
  Checks for a PTR record
  Strong recommendation: Disabled
• 66. Blacklists & Whitelists
  Blacklists / whitelists
  Reasonably safe to "Log and reject"
  "Log and tag", combined with a 3rd party tool / plugin, would be better
  But many 3rd party tools do the blacklist check themselves
• 67. SPF & DKIM
  Inbound Sender Domain Authentication Controls
  Too dangerous to "Log and reject"
  "Log and tag message" adds 2 fields to an incoming mail:
    DKIM_Signature
    Received_SPF
  These can be used in mail rules
  Or by 3rd party plugins...
• 68. See SPF & DKIM results in the header
  From an email: View – Show – Page Source
  Authentication-Results: martdj.nl 1; spf=pass smtp.mailfrom=n_i_bounces@insideapple.apple.com (sender IP 17.32.227.198); dkim=pass header.s=insideapple0517 header.d=insideapple.apple.com
• 69. DMARC
  We hope…
  You can still vote: https://domino-ideas.hcltechsw.com/ideas/IDEAMLCT-I-6
• 70. All Domino checks are binary...
  Modern anti-spam systems use a reputational score based on all the previous parameters
  We currently can't do that in Domino
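An added example (not from the deck, and not something Domino does itself) of what slides 67 to 70 describe: parsing the Authentication-Results header shown on slide 68 and combining the binary SPF and DKIM results into one score, with a DMARC-style alignment check against the From: domain. The score weights and the simplified relaxed-alignment rule (suffix match instead of an organizational-domain lookup) are assumptions; the header value is the slide's own example.

```python
import re

# Constructed header modelled on the slide's example (same values).
HEADER = ("martdj.nl 1; spf=pass smtp.mailfrom=n_i_bounces@insideapple.apple.com "
          "(sender IP 17.32.227.198); dkim=pass header.s=insideapple0517 "
          "header.d=insideapple.apple.com")


def parse_auth_results(value):
    """Return (authserv-id, {method: {"result": ..., "prop.name": value}})."""
    value = re.sub(r"\([^)]*\)", "", value)            # strip (comments)
    parts = [p.strip() for p in value.split(";") if p.strip()]
    authserv = parts[0].split()[0]                     # "martdj.nl 1" -> "martdj.nl"
    methods = {}
    for part in parts[1:]:
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        info = {"result": result.lower()}
        for tok in tokens[1:]:                         # smtp.mailfrom=..., header.d=...
            key, _, val = tok.partition("=")
            info[key.lower()] = val
        methods[method.lower()] = info
    return authserv, methods


def aligned(domain, from_domain):
    """Relaxed alignment, simplified: equal, or one is a subdomain of the other.
    Assumption: real DMARC compares organizational domains (public suffix list)."""
    d, f = domain.lower(), from_domain.lower()
    return bool(d) and (d == f or d.endswith("." + f) or f.endswith("." + d))


def reputation_score(header, from_domain):
    """Combine the binary SPF/DKIM results into one score (weights are assumed):
    +1 per passing check, +2 more if that check aligns with the From: domain,
    -2 per failing check. Negative means the message fails authentication."""
    _, m = parse_auth_results(header)
    spf, dkim = m.get("spf", {}), m.get("dkim", {})
    s = 0
    if spf.get("result") == "pass":
        s += 1
        mail_from_domain = spf.get("smtp.mailfrom", "").rpartition("@")[2]
        if aligned(mail_from_domain, from_domain):
            s += 2
    elif spf.get("result") in ("fail", "softfail"):
        s -= 2
    if dkim.get("result") == "pass":
        s += 1
        if aligned(dkim.get("header.d", ""), from_domain):
            s += 2
    elif dkim.get("result") == "fail":
        s -= 2
    return s
```

In a Domino mail rule the same information is only available as the tagged DKIM_Signature and Received_SPF fields, so a rule can act on the pass/fail values but not on a combined score like this one.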
• 71. Introducing SpamGeek
  SMTP protocol Extension Manager created by Daniel Nashed
  Tool and basic support are free; complex questions or scenarios are consulting work
  Adds flexible anti-spam features to Domino
  Good for small environments and offers a lot of tracing
• 72. SMTP Debug parameters
  SMTPDebug
    This parameter can be set to capture inbound SMTP protocol conversations, i.e. all messages received by the SMTP listener from all clients and servers via the SMTP protocol.
    1 - Enable minimal logging of the SMTP listener
    2 - Enable information logging of data sent and received along with some additional debugging information. This setting shows commands and responses being received/sent along with the number of bytes being transmitted, but not the text that is transmitted.
    3 - Enable verbose logging of data sent and received. Along with the information recorded at setting 2, this level shows the actual text received/sent via SMTP. Note that this does not include the text body of messages.
    4 - The most verbose setting.
  SMTPDebugIO
    Description: Enables the logging of all data received by the SMTP listener task:
    0 - No logging
    1 - Number of bytes sent and received during the SMTP conversation
    3 - Logs all data received by the SMTP task
    4 - RFC822 data (message data)
    • Syntax: SMTPDebugIO=value
    • Caution: Use SMTPDebugIO only when necessary and disable it again as soon as possible. It can cause the log file to grow very large, and it logs the contents of received messages.
    • Applies to: SMTP servers
    • Default: 0
    • UI equivalent: None
• 73. Useful Resources
  https://blog.martdj.nl – Martijn's blog
  https://blog.nashcom.de – Daniel's blog
  https://mxtoolbox.com – Check your configuration and whether your server is listed on blacklists
  https://talosintelligence.com/ – Daniel's tip to check your reputational score
  https://mailtrap.io/blog/smtp-commands-and-responses/ – Useful site to understand return codes in an SMTP communication