
Run Domino Mail on Dynamic IP Without Being Blacklisted



The main problem with running a Domino Mail server from home is the dynamic IP address.  Using a service like DynDNS or No-IP.com (my choice) gets around the problem of inbound mail finding its way to you (just be sure that your updater runs often, and that you use some sort of backup service like No-IP.com's BackupMX for those occasional periods when your server is unreachable).  Unfortunately, since many dynamic IP address pools have been blacklisted as potential sources of spam, not all of your outbound mail gets where it's going.  There are several possible workarounds, including:
  • Getting a Static IP from your ISP, which can easily add $50/mo to your telecom bill.  Consider this option if you also want to host your website internally and are currently paying someone else for this, since Port 80 will no longer be blocked.
  • Hosting your mail externally, which can also get expensive, and you'll have to consider bandwidth and disk space limits.
  • Finding an SMTP relay host through which you can route outbound SMTP mail.  Unfortunately (or fortunately) few ISPs seem eager to provide this option.  And even if you find an SMTP host that will serve as a relay, chances are it's already on the spam blacklists for precisely that reason, so you gain nothing anyway.
  • Connecting to another Domino server that has SMTP enabled, has a static IP, and is not blacklisted anywhere.

The SMTP relay is probably the easiest method that doesn't cost anything, if you happen to have suitable servers to point to.  However, unless you own both boxes, the owner of the relay server may not be comfortable taking the risk that your mail server won't misbehave and cause his server to get blacklisted.
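Before choosing a workaround it is worth confirming that the dynamic address really is listed, and on which list. The following is an added example, not code from the original post: it queries DNS-based blocklists for an IPv4 address using the usual reversed-octet lookup. The zone names are assumptions you can change; the Spamhaus ZEN answer codes are taken from Spamhaus's published documentation, and the PBL entries are the "dynamic IP pool" listings the post describes.

```python
import socket

# Zones to query: assumed for illustration, not from the post. No answer
# (NXDOMAIN) means "not listed"; an A record in 127.0.0.0/8 means listed.
DNSBL_ZONES = ["zen.spamhaus.org", "bl.spamcop.net"]

# Spamhaus ZEN answer codes (per Spamhaus's published documentation).
# 127.0.0.10/11 are the PBL, the policy list of dynamic/end-user address
# space that produces exactly the rejections the post describes.
ZEN_CODES = {
    "127.0.0.2": "SBL (known spam source)",
    "127.0.0.3": "SBL CSS (snowshoe spam)",
    "127.0.0.4": "XBL (exploited host)",
    "127.0.0.10": "PBL (dynamic/end-user range)",
    "127.0.0.11": "PBL (dynamic/end-user range)",
}


def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the zone: 203.0.113.5 -> 5.113.0.203.<zone>."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone


def describe_listing(zone, answer):
    """Turn a DNSBL A-record answer into a reason string (zone-specific for ZEN)."""
    if zone == "zen.spamhaus.org":
        return ZEN_CODES.get(answer, "listed (code %s)" % answer)
    return "listed (code %s)" % answer


def check_ip(ip, zones=DNSBL_ZONES):
    """Query each zone; returns {zone: reason-or-None}. None means not listed."""
    results = {}
    for zone in zones:
        try:
            answer = socket.gethostbyname(dnsbl_query_name(ip, zone))
            results[zone] = describe_listing(zone, answer)
        except socket.gaierror:  # NXDOMAIN: the address is not on this list
            results[zone] = None
    return results


if __name__ == "__main__":
    import sys
    for zone, reason in check_ip(sys.argv[1]).items():
        print("%s: %s" % (zone, reason or "not listed"))
```

Run it with your server's current public address; a PBL hit tells you the problem is the address range itself, which no local configuration change will fix.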

So, I chose the last option, which meant cross-certifying my organization with DDN (who host this blog), and vice versa.  The trick was in getting the right combination of connection, configuration, and foreign SMTP domain settings.  The Administration Help seemed to suggest using an SMTP connection document in conjunction with a Foreign SMTP Domain document, where the "domain" that these two documents shared was some arbitrary, fictitious name.  I suppose this might have worked had the DDN server been part of the same Notes Domain as my mail server, but in any case, it didn't work.  In the end, I made the following changes to my existing mail server to get things working:

Step 1: SMTP Mail Routing on the server document can be either enabled or disabled in a single-server environment like mine; in a multi-server setup I'm not sure.  You may need to pick one or the other, perhaps even different settings on different servers depending on your topology.

[Screenshot: SMTP Mail Routing setting on the server document; with a single server either value is OK]

Step 2: Turn off outbound SMTP routing on your mail server's Configuration Doc - Router/SMTP - Basics Tab.



Step 3: Create Connection Document between your mail server and the outside Domino SMTP server.  Note that most values are bogus for confidentiality reasons, but the Destination Domain is "DDN", which matches the value used in Step 4.

VERY IMPORTANT: Make sure to enable the schedule here, or the connection won't work.


Step 4: Create a Foreign SMTP Domain Document, but put the *actual* domain name of the hosting provider, in this case "DDN".  Don't put a fictitious name here as the Help file suggests (and don't bother with the "SMTP Connection Document" that's supposed to accompany it).  The fictitious domain approach (e.g. TheInternet) applies when you are routing SMTP mail directly (thanks Paul!).


Step 5: Issue a "Tell Router Update Config" command from the server console to rebuild the routing tables, etc.


If you can suggest alternative ways to achieve this goal or see any potential pitfalls I may have overlooked, I'd love to hear from you.


Comments

1 - If Comcast is so open, how do they prevent spammers with Comcast as their ISP from having a field day? They must have some protections, or their relay would have been blacklisted long ago.

2 - I also think that they just monitor outgoing mail to see if there are big spikes or what not. My usage is just my wife and I, so not many emails go out from there...

3 - I formerly worked for Comcast via Convergys, and I know that when I worked there they DID NOT scan the from address; however, they do keep very accurate records of quantity sent. When they see someone who even seems like he could be spamming, Comcast blacklists them and shuts down their account until they show they aren't spamming.

4 - I have been using Comcast's SMTP to relay messages for quite some time and all of a sudden I receive the "ldap:ou=rbl,dc=comcast,dc=net -> 550 " error.

Any help would be appreciated.

5 - Verizon is just more strict I guess. Here's what I get if I try to use their relay server:

Router: Error transferring message 004E4331 via SMTP to OUTGOING.VERIZON.NET 550 5.7.1 Authentication Required

6 - Richard, you are fortunate. I tried outgoing.verizon.net with no success, and cursory research seems to indicate Verizon has had it this way for a while. They might let my outgoing stuff out if I hosted a website for that domain with them. This might be an option for me since my email domain is different than lotusguru.com, but my current arrangement seems to work fine and doesn't cost anything extra either.

7 - Um... they only allow people on their internal network to relay. Basically normal users on Comcast's network use the Comcast POP3 server to get their Comcast mail, and the Comcast SMTP server to send outgoing mail. They have never stopped me from sending out from within the Comcast network. Basically my Notes server just forwards all outgoing mail to the Comcast SMTP server... That's pretty much what every ISP I've ever used does...

8 - Yeah, I use Comcast and am able to use their SMTP relay to send mail out to the outside world no problem. So my Notes server just hands off the messages to the relay and all is good. So, lucky for me on that one I guess!

9 - I've been using my ISP's relay for this for years. They, like most ISPs, give out the relay address freely because users who are just using a regular client have to use it. They don't know whether I'm connecting with Outlook Express or with my server.

Some ISPs do filter outbound messages to make sure that the From address isn't forged. If my ISP did this, they'd block my messages since they don't know that rhs.com is my legitimate address. Fortunately, they don't -- and I don't think that many ISPs are doing this.

My ISP is Comcast, by the way.

-rich

10 - We now support SMTP AUTH to a relay in Domino Version 8.0. It's under Router/SMTP > Basics > "Use authentication when sending messages to the relay host": enable this or set it to required. Provide a user name and password and relay away. Please use IBM/Lotus support services. :)
1-800-426-7378 Options 2 , 1 , 1

11 - Oh, authentication. Domino does not support SMTP AUTH to the relay. Didn't know that Verizon requires it. I had heard that they checked the From field, but that was a while ago and I thought I had heard that they stopped doing it. Basically, you're going to need to find someone who is willing to relay for you from outside Verizon -- and if they've got port 25 blocked you may have to work with someone who can relay from another port.

As for how Comcast does it, they're not completely avoiding being blacklisted. I've seen one or two of their relays on blacklists every now and again, and I do get occasional spams that originate at Comcast addresses -- but they seem to be having reasonable success, because it's really only a small number. I presume that they're doing traffic analysis and maybe content analysis.

-rich
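The "550 5.7.1 Authentication Required" error in comment 5 and the Domino 8 relay-authentication setting in comment 10 both turn on whether the relay host offers SMTP AUTH. The following is an added example, not code from the post or its commenters: it reads the relay's EHLO reply (again after STARTTLS, since capabilities usually differ once TLS is up) and reports whether AUTH is advertised. The relay host is whatever you pass on the command line; the sample reply bytes are constructed.

```python
import smtplib


def parse_ehlo(ehlo_msg):
    """Parse an EHLO reply body (bytes, as smtplib returns it) into {EXT: [params]}.
    The first line is the server greeting, not an extension, so it is skipped.
    The obsolete "AUTH=PLAIN LOGIN" spelling is normalised to "AUTH PLAIN LOGIN"."""
    feats = {}
    for line in ehlo_msg.decode("ascii", "replace").splitlines()[1:]:
        parts = line.replace("AUTH=", "AUTH ", 1).split()
        if parts:
            feats[parts[0].upper()] = parts[1:]
    return feats


def auth_summary(feats):
    """Say what the relay expects from a Domino router, based on the parsed features."""
    mechs = feats.get("AUTH")
    if mechs is None:
        return "relay does not advertise AUTH; it must allow your IP or it will reject you"
    return ("relay accepts SMTP AUTH (%s); use the Domino 8 relay authentication setting"
            % " ".join(mechs))


def probe_relay(host, port=25, timeout=10.0):
    """Connect to the relay, EHLO, upgrade to TLS if offered, EHLO again, summarise."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        code, msg = s.ehlo()
        if code == 250 and s.has_extn("starttls"):
            s.starttls()
            code, msg = s.ehlo()  # the post-TLS feature list is the one that counts
        if code != 250:
            return "EHLO rejected with code %d" % code
        return auth_summary(parse_ehlo(msg))


# Constructed sample reply, shaped like smtplib's ehlo() message body.
CONSTRUCTED_REPLY = b"relay.example.net Hello\nSIZE 10240000\nSTARTTLS\nAUTH PLAIN LOGIN\n8BITMIME"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe_relay(sys.argv[1]))
    else:
        print(auth_summary(parse_ehlo(CONSTRUCTED_REPLY)))
```

If the relay advertises AUTH only after STARTTLS, a pre-8 Domino router that cannot authenticate will get the same 550 regardless of connection settings.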

© 2005-2017 Kevin Pettitt - all rights reserved as listed below.

Creative Commons License
Unless otherwise labeled by its originating author, the content found on this site is made available under the terms of an Attribution / NonCommercial / ShareAlike