Domino mail redirection question

by Volker Weber

Here is a little question that I don't have an immediate answer for:

How can I redirect all incoming mail for domain foo.com to foo.postmaster@bar.com in Lotus Domino 7 ?

This is also known as a catch-all address. I don't care to which user of domain foo.com the mail is addressed, it should all be forwarded to one mailbox in domain bar.com.

Comments

Out of the box? Not really possible.

Catch all is pretty bad practice that I would discourage anyway but you can choose to hold instead of reject undeliverable emails.

Ben Rose, 2005-12-06

Pretty bad practice? It's a requirement. If it's not possible, we shall do it with a real SMTP server.

Volker Weber, 2005-12-06

It's bad practice as it's the best way of catching loads of spam sent to addresses that don't really need to be valid.

Personally I create valid addresses as required and reject all the others.

Ben Rose, 2005-12-06

This is possible - you can configure the mail-router not to reject mails, but rather keep undeliverable mails within the mail.box-database - and this can be processed either manually by somebody, or some nice scripting could be used to work automatically on this and forward appropriately. Mail me up for details if you need them.

BR, Christopher

Christopher Semturs, 2005-12-06

Christopher demonstrates the bad practice beautifully. Giving somebody access to mail.box will require them to have extra rights in the ACL. This will also allow them to view all other emails going through that system. Also if multiple mailboxes are in use, several places will need to be checked. Not good.

Writing some scripting to act on mail.box is also usually a very bad idea. Not only can it conflict with the router, but also the AV that is usually present. AV software usually puts emails into a 'dead' state in mail.box before it is scanned. If your agent picked it up at this point, your catch all email would be delivered without scanning. Very dangerous, especially in a catch all situation.

Catch all...yuck.

Ben Rose, 2005-12-06

Ben, if all you have is a hammer ...

This problem is so simple that it is a shame if Domino cannot handle it. All you have to do is tell the smtp router to do this:

if To: contains foo.com
add Envelope-To: with foo.postmaster@bar.com

No ACLs, nobody to sort through mails. Just a simple condition and a new header.

And again: This is a REQUIREMENT.

Volker Weber, 2005-12-06

Thankfully my domain registrant handles catch all at their end if I really need it. They don't charge for it either and it's a really easy workaround. Much more secure to have the email re-addressed externally.

It is a shame Domino doesn't support your requirement, but it's not supporting stuff like this that has kept Domino mail security so tight over the years whilst Exchange has been riddled with virus propagation. On recommendation, most Domino servers reject emails for invalid senders before even receiving the message.

I'd recommend looking at the domain registry solution. I use www.123reg.co.uk who handle all the catch-all options in with their standard pricing.

Ben Rose, 2005-12-06

I would
1. create a server mail rule that moves any mail to a special mail database.
2. create a forwarding rule inside the mailbox

Olaf Boerner, 2005-12-06

You could create a Server Mail Rule to do that. Go to Mail Rules in the Administrator Help Index.

Hassan Voyeau, 2005-12-06

Ben, no need to bash Exchange here. I don't know what this has to do with Exchange at all. As Christopher has demonstrated, Domino seems to lead you into unsafe practices just nicely.

Olaf, thanks. We thought of this solution as well. But then we would also have to delete messages from this mailbox. And rely on rules inside a mailbox, which may or may not fire, depending on the current phase of the moon.

Hassan, I don't think there is a Server Mail Rule which would accomplish what we need. If you can create one, then please document it (screenshot is fine) and send it by mail.

Volker Weber, 2005-12-06

Hassan calling in from Trinidad. That is way cool :-)

Volker Weber, 2005-12-06

Volker - Wasn't trying to bash Exchange, more rather compliment Domino for not accepting mail messages for non-existent users. That's a big thumbs up from a security perspective.

Where's Chris Linfoot when you need him?

Ben Rose, 2005-12-06

You are right, a Server Mail Rule by itself would not accomplish this. You would have to do as Olaf suggested and create an agent in the mailfile to forward the emails to the next domain.

Hassan Voyeau, 2005-12-06

Check out Damien's Trigger Happy. It's an elegant little server addin that gives far more control over triggering agents. In fact, it can trigger an agent in any database (in other words, this approach would still rely on agents, but you wouldn't have to muck with the mail.box design) before mail is received in mail.box, not after, so it doesn't interfere with AV scanning. Additionally, you can specify a formula selection criteria for each agent to act on, so the agent doesn't have to scan every message and include its own logic for deciding whether or not to forward each one. I installed this months ago, primarily to find out how quickly the overhead would crash my server, but it barely consumes any resources and has proven extremely useful, so I've kept it ever since.

Tim Tripcony, 2005-12-06

Ben, I am not with you.

Lotus has done so many foolish things with internet security (allow more name variations, unsalted passwords, server access), that I don't think this is a security feature. I think the inability to define a postmaster inbox is just a missing feature.

Tim, interesting hint.

Volker Weber, 2005-12-06

@Tim,

I do believe that Damien states to avoid using Trigger Happy on mail.box.

Bruce

Bruce Elgort, 2005-12-06

I am with Ben, I would also recommend a domain / dns config rather than a catch-all functionality under domino (if there is one). Why let poor Domino handle all the catchall and waste CPU rather than simply handling on a domain config level.

Moritz Schroeder, 2005-12-06

@Bruce,
Here are the warnings he provides in the Using document:
---
Performance Issues:
Trigger Happy can have significant impacts on server performance when firing the Trigger agents. When an agent runs there is lot of work that has to happen. On a busy server, lots of agent Triggers firings can bring response times to a halt. The worst offender is a global Document Open Trigger, I would not recommend using such a Trigger without careful testing.

Otherwise Trigger Happy is very light weight when it has no work to do. So that means that you can create many Triggers so long as the agents do not get called frequently.

Possible Deadlocks:
I think on some of the events it may be possible to deadlock a Domino server using Trigger Happy. To avoid deadlocks you can follow this simple rule: Don't let agents in database A access database B if B also has Trigger Happy agents that will access A.
---

In my experience, as long as the selection formula is "selective" enough, running one of these triggers against mail.box causes no performance problems. In this particular case, however, I imagine it would be a question of how frequently it will need to forward a message.

Tim Tripcony, 2005-12-06

Mail rules are definitely the way to go. Just set a rule to Move all of the incoming mail for a given domain to a specific database. From the Admin Help- Setting server mail rules document:

Move to database

The Router removes the message from MAIL.BOX and quarantines it in the database specified in the accompanying text field, for example, GRAVEYARD.NSF. The specified database must already exist. The message is not routed to its destination. Placing messages in a quarantine database lets you examine them more closely for viruses or other suspicious content.

Sounds pretty easy to me unless I am missing something. Of course, it will be one heck of a spam collection facility. Good thing you have searching to find the real emails.

Sean---

Sean Burgess, 2005-12-06

I don't think agents in mail.box will do the trick as the agent manager does not scan .box files for agents so the agent would never get scheduled to run.

The server mail rule might work if you have a rule of 'If internet domain = foo.com then move to database' but you will also have to set up the Domino SMTP to accept all inbound SMTP mails into mail.box before processing them; this means making sure that an email to a non-existent user will get into mail.box instead of getting rejected immediately.

Declan Lynch, 2005-12-06

I use an agent in combination with 'Hold undeliverable mail'. The agent runs every x-minutes in a small application. I can create a configuration document for every SMTP document I have, configure to what address the messages for a certain domain should be delivered and if the original recipient should be added to the subject of the message. Works just fine, but I do agree that this should be a feature in Domino.

Almar Diehl, 2005-12-06

My suggestion: create a Postmaster
- Set the administrator in the server document to e.g. "heinz.ketchup@foo.com"
-> Heinz Ketchup would receive every undeliverable e-mail
- Set in the person document of "Heinz Ketchup" a forwarding address like "foo.postmaster@bar.com"
-> Not Heinz Ketchup but foo.postmaster@bar.com receives the notification
- Configure Domino so that all e-mail for "some.user@foo.com" becomes dead mail (don't ask me how - it's late this evening)

If it works call me "dr. notes", if not forget my posting.....

Thomas Günter, 2005-12-06

@Volker: The "inability to define a postmaster mailbox"? Domino 6 and up deliver messages addressed to postmaster and abuse to the server administrators (Administration tab of the server doc), and Domino has always allowed you to set up an explicit postmaster account. If what you meant was the "inability to define a catch-all mailbox", Domino has mail journaling instead of that. If what you meant was the "inability to forward mail to a catch-all on another server"... well, you're right that it doesn't have a simple setting for that, so it's a missing feature, but Domino definitely can be set up to do it so I don't think it's a particularly serious deficiency.

Also: I don't understand your reluctance to rely on rules or agents that "may or may not fire depending on the current phase of the moon". You're going to have to rely on something, whether it's a configuration, a rule, an agent, a trained monkey... In all cases and with all systems from all vendors, whatever you are going to rely on may or may not work all the time. It always comes down to the fact that some code has to run to do the job, and I don't think it matters much whether it's a procmail script, a Domino agent, or compiled code built into the MTA.

Olaf's recommendation is the way I'd do it. Specifically...

First set the server so that it does not validate recipients before depositing in mail.box. The setting is in the configuration doc, Router/SMTP tab, Restrictions and Controls sub-tab, SMTP Inbound Controls sub tab, labeled "Verify that local domain recipients exist in the Domino Directory" -- which should be un-checked.

Then set up a mail rule to detect if any recipient contains @foo.com and deposit it in a database called "forFoo.nsf".

Create an agent in forFoo.nsf, triggered when documents are created or modified, to forward the message and then delete it from forFoo.nsf.

If you don't trust the triggered agent to fire every time, then it would be a good idea to also have a scheduled agent that runs once an hour, looks for any documents older than a few minutes, forwards and deletes them if it finds them, and then sends a message to an admin telling them that triggered agents are not working but corrective action has been taken. And if you don't trust the scheduled agent to be enough insurance, then you can also have the scheduled agent send a ping to a service that will report that it is down if pings don't arrive on schedule. I probably wouldn't bother with all that, because if messages stop flowing into foo.postmaster@bar.com, it will probably be noticed reasonably soon enough, and all the messages will be there in forFoo.nsf and you can manually trigger the agent.

-rich

Richard Schwartz, 2005-12-06

Rich, I am not talking about a postmaster account that receives mail directed to postmaster and abuse, but a postmaster account that can receive all undeliverable mail. I understand why Lotus chose to leave those messages in mail.box. The Notes client does not have a redirect feature. You can only forward messages, making yourself the sender of said message. So the postmaster is stuck with messages he cannot redeliver.

In this case however we are talking about a business user who wants to receive those messages. I understand Olaf perfectly, and I do trust mail rules for the router. What I don't trust is rules or agents inside a particular mailfile. You also have touched on another weak part in this solution: You have to tell the mail exchange for bar.com to accept all undeliverable mail for bar.com. This is not desirable in this scenario.

It's probably easier to do this with postfix. Three lines of code and you are done:

/etc/postfix/main.cf:
virtual_alias_domains = foo.com
virtual_alias_maps = hash:/etc/postfix/virtual

/etc/postfix/virtual
@foo.com foo.postmaster@bar.com

Then you can take it from there and tell the Domino server where to put incoming messages for foo.postmaster@bar.com.

Volker Weber, 2005-12-07
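
The resolution rules behind the three-line Postfix configuration in the comment above, as an added example that is not part of the original post and not Postfix code: a small Python model of virtual_alias_maps lookup order (exact address before the @domain catch-all), of the way a catch-all makes every foo.com recipient acceptable at RCPT TO (the spam concern raised earlier in the thread), and of the recursion limit that stops a map that points back at itself. The map text and the alice@foo.com entry are constructed for the example.

```python
# Added example, not from the original post: models how Postfix resolves an
# envelope recipient through virtual_alias_domains / virtual_alias_maps.
# VIRTUAL_MAP_TEXT is a constructed /etc/postfix/virtual; the alice@foo.com
# entry is added to show that an explicit entry wins over the @foo.com catch-all.

VIRTUAL_ALIAS_DOMAINS = {"foo.com"}      # main.cf: virtual_alias_domains = foo.com
VIRTUAL_ALIAS_RECURSION_LIMIT = 1000     # Postfix default for virtual_alias_recursion_limit

VIRTUAL_MAP_TEXT = """\
# constructed /etc/postfix/virtual; explicit entries are matched before @domain
alice@foo.com   alice@bar.com
@foo.com        foo.postmaster@bar.com
"""


def parse_virtual_map(text):
    """Parse postmap(1) text input: 'key  value[, value...]'; '#' starts a comment."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed virtual map line: {raw!r}")
        key, value = parts
        table[key.lower()] = [v.strip().lower() for v in value.split(",") if v.strip()]
    return table


def lookup(table, address):
    """Postfix tries the full 'user@domain' key first, then the '@domain' key.
    (The bare 'user' key is only tried for local domains, so it is left out here.)"""
    _, _, domain = address.rpartition("@")
    for key in (address, "@" + domain):
        if key in table:
            return table[key]
    return None


def rcpt_accepted(table, address):
    """RCPT TO check for a virtual alias domain (reject_unlisted_recipient): the
    recipient needs a matching map entry. With the @foo.com catch-all in place,
    every foo.com address passes, which is exactly what makes it a spam magnet."""
    _, _, domain = address.lower().rpartition("@")
    return domain in VIRTUAL_ALIAS_DOMAINS and lookup(table, address.lower()) is not None


def resolve(table, address):
    """Expand an address until no entry matches. Postfix re-applies the map to
    each result, so a map that points back at itself hits the recursion limit."""
    final = []
    stack = [(address.lower(), 0)]
    while stack:
        addr, depth = stack.pop()
        if depth > VIRTUAL_ALIAS_RECURSION_LIMIT:
            raise RuntimeError(f"virtual_alias_recursion_limit exceeded for {address}")
        targets = lookup(table, addr)
        if targets is None:
            final.append(addr)          # no further entry: this is a delivery address
            continue
        stack.extend((t, depth + 1) for t in reversed(targets))
    return final
```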

@Volker - Let's just leave it there. We're looking at this from completely different perspectives. You go ahead and do it on your "real SMTP server" but I'm not sure there's a 'catch-all' requirement in any RFCs for SMTP mail servers.

I only wish there wasn't a catch all on my snail-mail box too, I would get less junk then.

Ben Rose, 2005-12-07

@Vowe,

Do we have the makings of a new T-shirt here?

:-)

Bruce

Bruce Elgort, 2005-12-07

Hmm - seems that my posting for a solution-proposal has caused some discussion about being not reliable.
As stated in the posting, details are available on request. Basically, of course, the solution is more complex:
- configure domino-server to keep mail
- write an agent somewhere (not in mail.box, e.g. within some dedicated database) to go through all mail.box-mailboxes
- this agent acts only on documents which are "untouched for at least xyz minutes/hours, and which are in dead-state" - which gives enough time for virus-scanners and so on to act (in fact, the "dead"-state should be enough, but this is just the defensive approach).
- move (copy/delete) those mails to a specific other mailbox for processing by humans, let's say database "ABC"
- "ABC" is accessible by humans and has actions like forward, ...

as an alternative, instead of copying to "ABC", it could simply forward the mail to user "Franz Rüdiger", who works on the mails in his own mailbox.

Practically of course, this has some disadvantages - catching all random-SPAM and so on. But this is a non-technical discussion, I don't want to make it more intensive now. :-).

Christopher Semturs, 2005-12-07

@Vowe: re a "redirect" feature... presuming you mean what I remember as the 'bounce' feature in Elm (it's been a long time since I used a Unix mail program!), I certainly would like to see that in Notes. The agent setup I described could partially duplicate it -- preserving the original sender name, but probably losing most other headers.

It comes down to this: Domino is a fine MTA if what you want is an MTA that receives mail and delivers it. It isn't a general-purpose mail switching and processing engine in the tradition of Sendmail and all the various add-ons and alternatives that have sprung up over the years. A smart API programmer could put that sort of functionality into Domino, but I doubt anyone would bother doing it because I doubt there are more than a handful of customers who would entrust that type of job to Domino. They'd be much more likely to front-end Domino with something with a proven record.

Richard Schwartz, 2005-12-07

Rich, a redirect and/or bounce is available not only in Unix mail programs, but also in - gasp - Outlook. :-) See a comprehensive list in the SpamAssassin Wiki. The Mac OS X Mail application has both a bounce (to sender) and a redirect (to other recipient) function.

This particular Domino infrastructure is front-ended with an SMTP server, that I called a "real" SMTP server. Seems standard practice to me. I have yet to see a large infrastructure which receives mail through a Domino server on the internet. As this server is not under the control of the Domino administrators I was looking for a way to redirect all mails to a particular domain within the Domino infrastructure itself.

As Domino does not have this capability it would be foolish to bolt it on using agents while opening up the other domain for undeliverable mails at the same time. So, no go. Leave it to the SMTP server.

Volker Weber, 2005-12-07

Volker, SMTP support in Domino sucks, and we all know that ;-)
For those setups I'd use a real SMTP mailer.

Example for qmail (standard 'by the book' qmail setup):
# echo 'foo.com:alias-foo' >> /var/qmail/control/virtualdomains
# echo 'foo.com' >> /var/qmail/control/rcpthosts
# echo '&foo.postmaster@bar.com' > ~alias/.qmail-foo-default
# svc -h /service/qmail

Done. Have fun.
Cheers,
/k

Karsten W. Rohrbach, 2005-12-07

I solve the catch all problem with a simple domino feature, but you need to be in a full domino environment.
Define a Smart-host in the master mail hub and set a simple free smtp server on a small pc to receive the mail.
In this case all mail for undefined people in the domain is forwarded to the smart host, and an admin can have web or POP3 access to the small SMTP server.
Simple and working ..... if you don't need the smart host for another usage.

Philippe Koenig, 2005-12-07

My comments (as an alleged expert in this field and FWIW):

1. @Ben - Catch all is sometimes used badly but is not in and of itself bad practice.

2. It is not natively supported in Domino.

3. It can be implemented as Philippe has suggested, by using the smarthost feature - in fact I suspect this type of scenario is precisely what the developers had in mind when they created smarthost.

4. The downside is that you can have only one, so if you need smarthost for anything else then you can't use it for this too.

5. In that last case you have two options
- make the distinction at the DNS level by having different MX for foo.com and bar.com - foo.com's MX cannot be Domino, but bar.com's MX can be
- use the same MX for foo.com and bar.com - that MX would have to be non-Domino and would forward bar.com's mail to a Domino server

Chris Linfoot, 2005-12-07

If Lotus Domino can't do it, check out XWall at http://www.dataenter.co.at/products/xwall.htm, a SMTP-front-end for any SMTP-server (not just ExchangeServer):

"Forwards a whole domain to a single e-mail address"

Sander Jonkers, 2005-12-07

Philippe, excellent idea! This is a very clean solution. If, and only if, the smarthost isn't used to send outgoing mail.

Volker Weber, 2005-12-07

@Vowe: Smarthost is not a feature for outgoing mail. It is for incoming only. The relay host is for outgoing mail.

@Chris: Smarthost is an old Sendmail feature. I doubt IBM had catch-all in mind when they put it in. There are two major reasons it exists. One is that people want their MX to have a minimal Directory. It's "exposed" outside the firewall -- at least on port 25 -- so it's vulnerable, and they don't want to put all the keys to the kingdom on it. Smarthost allows it to receive mail for the domain and then forward messages. The other reason is to allow mixed mail environments to share a domain name even if they can't share Directories. I.e., mail to user@foo.com comes in, if the user exists in the Directory it is delivered by Domino, otherwise it is forwarded to an Exchange server.

Richard Schwartz, 2005-12-07

Rich, you are right. I mixed this up. Again. :-(

So, Exchange is the smart host in your scenario? SCNR. :-)

Volker Weber, 2005-12-07

There is my little raw idea:
Configure an SMTP connection document to the foo.com domain to point to a gateway domain (Don't recall the true name, the thing you set up for your fax gateways etc). Allow Domino to accept mail for foo.com. Looking into the routing table it should realize that there is a route to foo.com. It ultimately would point to the gateway database. Inside there you can have your agents.
Not sure if it would work, but sounds good at least.
:-) stw

Stephan H. Wissel, 2005-12-07

@Stephan

But please notice that Domino would store the mails as "Sent items" in the gateway database.

Markus Lachnit, 2005-12-07

@Rich - "The other reason is to allow mixed mail environments to share a domain name even if they can't share Directories."

That was almost my point. The only difference here is that there are two domains operating on the same Domino server. One of them behaves exactly as you have outlined = accepts mail even though there is no "directory".

Chris Linfoot, 2005-12-07

Has anyone considered Foreign Domains "@domain.com" goes to a mailbox on this server...

Truly not redirected, but certainly looks like a duck.

I'm also voting with Olaf above on the Mail rule. After all the router pretty much just puts the message in the correct mailbox. Get that done, and what's the difference?

Eric Parsons, 2005-12-08

@ Stephan I'm thinking we're on the same page. Are you also referring to Foreign Domains?

I did the testing. I'm thinking it works.

Eric Parsons, 2005-12-08
