We are using Lotus Domino 8.5.3.xxx series mail server which have many local groups along with associated members in it. Yesterday an valid external user sent annoying email to some of local groups like dept1@mydomain.com & the email got delivered to all members associated with this group despite there was no email/internet address defined for it. This happened for the first time & we were surprised as it was not in our knowledge before that external user can send email to local groups as well despite not having internet addresses created for it exclusively.
After doing some R&D and posting to lotus domino groups, it was revealed that under Server Document / Configuration Setting / Router/SMTP / Basics , there was a setting named ADDRESS LOOKUP set to FULLNAME THEN LOCAL PART , which was responsible for accepting email for the local group even though there was no internet address associated with it.
Some explanation :
FULLNAME THEN LOCAL PART (default):
The Router first searches the Domino Directory for a match for the full Internet address (localpart@domain.com). If no match is found, it searches the directory again, looking for a match for the local part of the address only.
After setting it to FULLNAME ONLY, [followed by tell router update / tell adminp p all / sh nlcache reset] the issue got resolved & now when external user sends email to DEPT1@mydomain.com , he gets ‘Recipient could not be found’ NDR report.
[0B60:000A-18F4] 02/28/2020 08:45:26 AM SMTP Server: Mail for dept1@mydomain.com rejected for policy reasons. Recipient could not be found in the Domino Directory.
NOTE: Full Name Only in conjunction with not having an Internet Address specified for the Group will work.
Other workarounds:
Initially we restricted flow email destined to local group by using two methods
1) MAIL RULES
Under Server Document / Configuration Setting / Router/SMTP / Restrictions & Control / Rules , add a new rule like following
dont forgot to Move this rule on TOP
I have also added my id in exception so that I can send email This is example for EXCEPTION.
2. Group based ACL
Second method is by putting ACL on each group so that only particular user can see the group , list members, or send email to that particular group. Use the reader attributes of the group being used to email to (open the document properties of the group and click on the tab with the key). Set who can read the group to a limited group of people who are authorized to send such broadcasts. Be sure to include localdomainservers as well as the names of the people who maintain the group. Now they can put it into the TO field without concern for someone replying to all since only someone who can see the group can use it. This works for external users as well because smtp messages are treated as anonymous. Unless you give anonymous access to the group, they can’t use it either.
