> where domain.com is not local to the server in question, > the server attempts to bounce the message, and the bounce > goes into a loop, constantly being sent back to the same > server. There is "Solution v1.0pl1" for this. Open Domino Administrator and connect to your Domino server. Click on the "Configuration" tab, then on the left pane expand "Messaging" submenu, select "Configurations". On the right pane select your server to open it's configuration panel. Now, you'll be presented with new window named "Configuration for server/DOMAIN" There's a row of tabs on the top; select "Router/SMTP". You'll be presented with more tabs. Select "Restrictions and Controls" tab to get even more tabs. :-) What you need is "SMTP Inbound Controls". There's a field under the section "Inbound Sender Controls" named "Deny messages from the following internet address/domains". Put the IP in that address, enclosed in brackets - [127.0.0.1]. Note that you can put more than one IP address there (i.e. your localhost and your real IP), but each must be enclosed in it's own brackets. This is the slight change from my previous post (rejected anyway :-) - I made a mistake by selecting "Inbound Connection Controls" instead, which doesn't check for senders e-mail (what is really needed here, since From: field generates trouble, not the inbound connection; credit for the fix goes to pero.vukojevicat_private). We tested this, and it rejects inbound connection made from address user@[127.0.0.1] with the nice message in the log: > 22.08.2001 17:10:32 SMTP Server: 10.11.8.110 connected 22.08.2001 17:10:32 SMTP Server [0624:0004-0200] Mail from bounce@[127.0.0.1] rejected for policy reasons. Sender is denied in your configuration. This workaround can save you from DoS attacks (I've been told of at least one such attack recently on local Domino servers here), you can even use it in the middle of an attack to stop it. If you're already attacked and the message bounces around, you don't need to shut down entire server, just stop mail services, delete the message from the queue and start services again. Note: this workaround is tested just for the reported vulnerability. This shouldn't break anything, but be careful implementing this if your Domino server is not the main/only mail service at your location. If you encounter problem, you can fix it easily by removing the value from the field, but in any case Microsoft-like EULA is applied to this message. ;-)
This archive was generated by hypermail 2b30 : Thu Aug 23 2001 - 07:03:34 PDT