E-Pro: Internet Messaging Do’s and Don’ts
Tags :Domino 7
All administrators read the stories. Internet
messaging (e-mail) is a critical application for every enterprise in today’s
world and needs caring administrators who have the right knowledge
to take care of it. As you walk to your desk you also hear the one
thing that makes the administrator shudder:”Can you do something about
that spam?!?!?”
DO’S
- Enforce anti-relay policies and test your settings. Domino 6 now sets a default in the configuration documents to stop some basic relaying on your server, but if you migrated from a previous version of Domino, your previous settings are maintained.
- To learn how to quickly test your settings, see my previous e-Pro Magazine article on Troubleshooting Internet Messaging in Domino at e-ProMag.com, article ID 1999.
- Authenticate all users for relay privileges. You can choose not to authenticate local domain users, but if someone is forging an address then you’re defeating the purpose of this ability introduced in Domino 6 (you could do this previously but only if you locked the whole SMTP server down) The ability to modify these setting can be found in the Configuration document under the Router/SMTP – Restrictions and Controls – SMTP Inbound Controls – Inbound Relay Enforcement.
- Use blacklists to reduce that spam. Now that Domino 6 natively supports blacklists by adding them into the Server Configuration document’s DNS Blacklists Filter section, take advantage of the numerous free blacklist services that can be found!
- Understand whitelists and their purpose for mail management. Whitelists allow the administrator (or user, on local spam products) to allow certain messages to be allowed through your spam filters based on sender or domain If an address is on both a whitelist and a blacklist, the whitelist will win, causing the message to be delivered. Whitelisting is not available natively in Domino, but there are third-party tools available.
- Investigate purchasing a third-party spam filtering tool when Domino SMTP/Router and blacklists rules are not enough to reduce spam in your environment.
- Create SMTP/Router rules in the Server Configuration document for better enterprise mail management . You can deny, sort, and route mail based on server-side rules of subject, sender, importance, and even recipient count! There are many others, investigate these options! Remember server based rules effect everyone, not similar to mailfile rules users maintain on their own.
- Change the setting in the Server Configuration document to not allow mail for local domain recipients not found in the Domino Directory (Domino 6 only). Enabling this setting reduces the amount of dictionary-attack spam clogging your mail.box on the server by not accepting mail that is destined for unknown names.
- Try to use named groups or wildcard Server Configuration documents to control multiple servers at one time. This gives you consistent control over numerous servers to ease administration and to make sure each server responds the same for troubleshooting. Keep in mind there may be instances when a server will need specific configurations based on user needs, such as a server that needs specific domains or users to be blocked while still aloowing other servers to receive the same mail.
- Increase the number of mail.box databases on your system if you currently have only the default one (1). This allows faster processing of mail and increases performance (up to a certain point). Busy SMTP servers benefit greatly from an additional mail.box. It can consume resources if you allow the server to have too many. Best practices for the number of mail.box databases relies on server usage and mail load. Remember, too many mail.box databases can have adverse effects!
- Enable a maximum message size for mail messages. A mistake many enterprises make is not establishing a balance between business need and convenience. Is it convenient to accept 100MB messages via email? Of course it is! But does your business need large graphic packages or CAD drawings? If not, you need to evaluate a business need for a size limit. A majority of enterprises we deal with are very comfortable in the 15-20MB limit. This also saves disk space and prevents someone from sending a large attachment to multiple users, possibly bringing your system to a halt.
DON’Ts
- Leave the default Configuration document settings that are created for each server. By default a new Configuration document does have an anti-relay setting, as I mention above, but everything else is left to the administrator to configure. There are great performance enhancements that can be found by understanding all the variables I am not able to fit here. I would suggest following the administration guide for a full description of each field and section.
- Simply enable the setting to check for connecting host names in DNS. Not all companies have correctly configured DNS, or their ISP does not allow reverse DNS entries for them. This will have your system denying their mail to you. While this is a very powerful feature at reducing spam, it immediately becomes noticeable that you will reject legitimate email.
- You can also very senders domain in DNS instead of the connecting host. By not checking the host in DNS (to protect false positives for ones that don’t allow reverse DNS), but instead checking the actual sender’s domain name, you can trim down unwanted emails that way also. A legitimate sender should have a DNS entry correct?
- Try to micro-manage who can and cannot receive Internet email. Maintaining that listing is a manual process that most administrators do not have time for. I have only seen a couple companies that had reasons to only allow mail to certain people or addresses.
blog comments powered by Disqus
On Sunday, May 2nd, 2004 by Chris Miller