Controlling who can relay email through native SMTP server
From Support
When using our email API, it is necessary for the SMTP server we use to be able to relay the emails we send. This can be a concern when using the native iSeries SMTP server, or any SMTP server, for that matter, since a customer does not want to make it possible for spammers to use the iSeries to relay messages.
But without relaying, it is not possible to email from the Web client of WebDocs-iSeries Edition (the application formerly known as Image Server/400). Fortunately, it is possible to control who can relay email through the iSeries SMTP server. The method for doing this is different for V4Rx and V5Rx of OS/400.
NOTE: It seems that specifying 127.0.0.1 for allowed relaying works well for sending from the iSeries itself. The advantage is, this address is always the same for all systems.
Restricting Email Relay - V4Rx
The following information is based on the IBM Knowledge Base articles "Restricting Mail Relay - Examples" and "Stopping Mail from Coming to the iSeries".
To restrict email relay completely, create the data area that blocks all relaying:
CRTDTAARA DTAARA(QUSRSYS/QTMSNORLY) TYPE(*CHAR) LEN(1)
In Version 4.2, PTF SF52864 provides the capability to restrict mail acceptance/relay for the purpose of preventing spam mail. This pertains only to Release 4.2. Following that release, it is not necessary to install any PTFs. A portion of the PTF cover letter follows:
To restrict mail relay, do the following:
Create a Source Physical File QUSRSYS/QTMSADRLST with a record length of 92 (12 characters for line count and change information). On an IBM® OS/400® command line type the following:
CRTSRCPF FILE(QUSRSYS/QTMSADRLST) CCSID(500)
Note: The file must be CCSID 500.
Press the Enter key.
Create a Source Physical File member ACCEPTRLY. To create a member for a file that already exists (and go into edit), on the OS/400® command line type the following:
STRSEU SRCFILE(QUSRSYS/QTMSADRLST) SRCMBR(ACCEPTRLY)
Press the Enter key.
Add a record with the dotted decimal address of the allowed user. Only addresses in the list are allowed to relay. Put one address and mask per line (a mask is optional). For example, an entry could be:
1.2.3.4 255.255.0.0
In this example, the mask and the address are combined (ANDed) to allow all addresses starting with 1.2; for example, 1.2.5.6.
Another example:
7.8.9.3 255.255.255.255
This allows only one address, 7.8.9.3. It is the same as:
7.8.9.3
To restrict connections, do the following:
Create a Source Physical File QUSRSYS/QTMSADRLST with a record length of 92 (12 characters for line count and change information). On an OS/400 command line type the following:
CRTSRCPF FILE(QUSRSYS/QTMSADRLST) CCSID(500)
Note: The file must be CCSID 500.
Press the Enter key.
Create a Source Physical File member REJECTCNN. To create a member for a file that already exists (and go into edit), on an OS/400 command line type the following:
STRSEU SRCFILE(QUSRSYS/QTMSADRLST) SRCMBR(REJECTCNN)
Press the Enter key.
Add a record with the dotted decimal address of the rejected user. This blocks relay and mail delivery from this address. Put one address and mask per line (a mask is optional).
An example entry would be:
1.2.3.4 255.255.0.0
In this example, the mask and the address would be combined (ANDed) to reject all addresses starting with 1.2; for example, 1.2.5.6.
Another example:
7.8.9.3 255.255.255.255
This would reject only one address, 7.8.9.3. It is the same as:
7.8.9.3
Instructions for activating relay and connection lists:
End the SMTP server. From an OS/400 command line type the following:
ENDTCPSVR SERVER(*SMTP)
Press the Enter key.
If data area for blocking all relays exists, delete it. To see if the data area exists, type the following from an OS/400 command line:
DSPDTAARA DTAARA(QUSRSYS/QTMSNORLY)
Press the Enter key.
To delete the data area, type the following on an OS/400 command line:
DLTDTAARA DTAARA(QUSRSYS/QTMSNORLY)
Press the Enter key.
Start the SMTP server by typing the following on an OS/400 command line:
STRTCPSVR SERVER(*SMTP)
Press the Enter key.
Special Notes: If the data area for blocking relays is used (QUSRSYS/QTMSNORLY), all relays will be blocked. If the data area is not there, but QUSRSYS/QTMSADRLST.ACCEPTRLY exists and has at least one entry, then only addresses in the list will be allowed to relay. If the address is in QUSRSYS/QTMSADRLST.REJECTCNN it will not be allowed to connect. This blocks relay and mail delivery from this address. If QUSRSYS/QTMSADRLST.REJECTCNN does not exist or has no valid entries, all connections will be allowed (relay is then decided by the contents of the ACCEPTRLY member, if one exists; if it does not exist, all will be allowed to relay).
If you do not use Percent Routing, turn it off with the following command:
CHGSMTPA
Press F4 to prompt the command. At the bottom of the second screen, set Percent routing character to *NO.
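The following is an added example, not IBM code or part of the cover letter: it models the address-and-mask matching of the ACCEPTRLY and REJECTCNN lists and the decision order in the Special Notes above, so an administrator can check what a given list will do before activating it. The list contents and client addresses are constructed for illustration; the record-length prefix that SEU stores in the member is assumed to have been stripped.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Added example (not IBM's implementation): relay/connection decision for the
# V4Rx QTMSNORLY / QTMSADRLST.ACCEPTRLY / QTMSADRLST.REJECTCNN mechanism.

FULL_MASK = int(ipaddress.IPv4Address("255.255.255.255"))

def parse_list(lines: Iterable[str]) -> List[Tuple[int, int]]:
    """Parse 'address [mask]' records. A missing mask means the single host.
    Unparsable records are skipped, matching the 'no valid entries' wording."""
    entries = []
    for line in lines:
        fields = line.split()
        if not fields:
            continue
        try:
            addr = int(ipaddress.IPv4Address(fields[0]))
            mask = int(ipaddress.IPv4Address(fields[1])) if len(fields) > 1 else FULL_MASK
        except ValueError:          # covers AddressValueError as well
            continue
        entries.append((addr & mask, mask))   # address and mask are ANDed
    return entries

def matches(client: str, entries: List[Tuple[int, int]]) -> bool:
    c = int(ipaddress.IPv4Address(client))
    return any((c & mask) == net for net, mask in entries)

def smtp_decision(client: str, norly_exists: bool,
                  acceptrly_lines: Optional[Iterable[str]] = None,
                  rejectcnn_lines: Optional[Iterable[str]] = None) -> str:
    """Return 'reject-connection', 'deliver-only' (no relay) or 'relay'."""
    if rejectcnn_lines is not None and matches(client, parse_list(rejectcnn_lines)):
        return "reject-connection"          # REJECTCNN blocks connect, relay and delivery
    if norly_exists:
        return "deliver-only"               # QTMSNORLY data area blocks all relay
    accept = parse_list(acceptrly_lines) if acceptrly_lines is not None else []
    if accept and not matches(client, accept):
        return "deliver-only"               # ACCEPTRLY present: only listed addresses relay
    return "relay"                          # no list or empty list: everyone may relay

# Constructed sample members, mirroring the cover letter's example entries.
ACCEPTRLY = ["1.2.3.4 255.255.0.0", "7.8.9.3 255.255.255.255", "127.0.0.1"]
REJECTCNN = ["10.0.0.0 255.0.0.0"]

if __name__ == "__main__":
    for ip in ("1.2.5.6", "7.8.9.4", "127.0.0.1", "10.20.30.40"):
        print(ip, smtp_decision(ip, False, ACCEPTRLY, REJECTCNN))
```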
Restricting Email Relay - V5Rx
The following information is based on the V5R1 Information Center. There are also commands for managing email relay, including CHGSMTPA (ALWRLY parameter) and ADDSMTPLE. See the help for each command for more information.
Restricting relays
A common concern that you may face is protecting your server from people who try to use your e-mail server for spamming, or sending large amounts of bulk e-mail. To avoid these problems, use the relay restriction function to specify as closely as possible who can use your machine for relay. You have five options for allowing relay:
- Allow all relay messages
- Block all relay messages
- Accept relay messages from only the near domains list
- Accept relay messages from only the address relay list
- Accept relay messages from both the near domains and address relay lists
To specify users that can send e-mail to the Internet, follow these steps:
1. In Operations Navigator, expand your iSeries 400 server --> Network --> Servers --> TCP/IP.
2. Right-click SMTP, and select Properties.
3. Click the Relay Restrictions tab.
4. Select the appropriate relay restriction from the five options offered here.
Note: If you choose Accept relay messages from only the near domains list or Accept relay messages from both the near domains and address relay lists, then you will need to click the General tab to list the near domains from which you are accepting relay.
5. Click Help for more information.
6. Click OK.
See Restricting connections, as a preliminary step to preventing unsolicited mail, by not allowing known offenders to connect to your e-mail server.
Restricting connections
You can prevent the connection of users who may abuse your e-mail server. Unwanted users may connect to your server and send unsolicited mail. This unsolicited e-mail takes a great amount of central processing unit (CPU) cycles and space. Also, if your server allows others to relay unsolicited mail, other servers might block the mail that comes from your server.
You can specify IP addresses of known unwanted users, or you can connect to a host that contains a Realtime Blackhole List (RBL) server. These Realtime Blackhole Lists provide a listing of known IP addresses that send unsolicited mail. See the MAPS (Mail Abuse Prevention System LLC) website for an example of a host that contains a Realtime Blackhole List. To obtain a list of open relays, find a web site that lists hosts that offer open relays. An Internet search for "Open Relay" will provide several sites that offer this type of information.
To specify known IP addresses or a host with a Realtime Blackhole List, complete the following steps:
- In Operations Navigator, expand your iSeries server --> Network --> Servers --> TCP/IP.
- Right-click SMTP, and select Properties.
- Click the Connection Restrictions page.
- Click Add to add host names of servers with a Realtime Blackhole List that you would like to use.
- Click Add to add specific IP addresses to restrict attempted connections.
- Click Help, for more information.
- Click OK.
For more information on protecting your e-mail server, see the Mail security topic.
