Restricting Email Relaying through iSeries SMTP Server

RJS Software's email API requires the SMTP server to be able to relay emails. You need this relaying to send emails from the web client of WebDocs iSeries. However, you also do not want to make it possible for spammers to use the iSeries to relay messages. Fortunately, you can restrict who can relay email through the iSeries SMTP server. The method for doing this is different for V4Rx and V5Rx.
 
Note: Specifying 127.0.0.1 for allowed relaying works well for sending from the iSeries itself. The advantage of this is that this address is always the same for all systems.
 

Restricting Email Relaying in V4Rx

 
Note:
  • To restrict email relay completely, use: CRTDTAARA DTAARA(QUSRSYS/QTMSNORLY) TYPE(*CHAR) LEN(1)
  • In V4R2 only, you need to install PTF SF52864 to restrict mail relaying to prevent spam.
  • The following information is adapted from the IBM knowledge-base articles on Restricting Mail Relay - Examples and Stopping Mail from Coming to the iSeries.
 
To restrict email relaying and connections: 
  1. Create a source physical file QUSRSYS/QTMSADRLST with record length 92 (12 characters for line count and change information) and CCSID 500:

    CRTSRCPF FILE(QUSRSYS/QTMSADRLST) CCSID(500)

  2. Create a source physical file member ACCEPTRLY:

    STRSEU SRCFILE(QUSRSYS/QTMSADRLST) SRCMBR(ACCEPTRLY)

  3. Add one record per line of all allowed IP addresses and masks (optional). Only addresses in this list are allowed to relay.

    For example:

    • To combine the mask and address to allow all IP addresses starting with 1.2, such as 1.2.5.6, add the entry:

      1.2.3.4 255.255.0.0

    • To allow one IP address, 7.8.9.3, add the entry:

      7.8.9.3 255.255.255.255

  4. Create a source physical file member REJECTCNN:

    STRSEU SRCFILE(QUSRSYS/QTMSADRLST) SRCMBR(REJECTCNN) 

  5. Add one record per line of all rejected IP addresses and masks (optional). All addresses in this list are blocked from relaying and mail delivery.

    For example:

    • To combine the mask and address to reject all IP addresses starting with 1.2, such as 1.2.5.6, add the entry:

      1.2.3.4 255.255.0.0

    • To reject one IP address, 7.8.9.3, add the entry:

      7.8.9.3 255.255.255.255 

 
To activate relay and connection lists:
 
Note: When the data area for blocking relays exists (QUSRSYS/QTMSNORLY), all relays are blocked. When the data area does not exist, addresses that are in QUSRSYS/QTMSADRLST.ACCEPTRLY but not in QUSRSYS/QTMSADRLST.REJECTCNN can relay. If QUSRSYS/QTMSADRLST.ACCEPTRPLY and REJECTCNN do not exist or have no valid entries, all connections are allowed.
  1. End the SMTP server:

    ENDTCPSVR SERVER(*SMTP) 

  2. If the QTMSNORLY data area for blocking all relays exists, delete it:
    1. To see if the data area exists:

      DSPDTAARA DTAARA(QUSRSYS/QTMSNORLY) 

    2. To delete the data area:

      DLTDTAARA DTAARA(QUSRSYS/QTMSNORLY) 

  3. Start the SMTP server again:

    STRTCPSVR SERVER(*SMTP) 

  4. If you do not use Percent Routing, turn it off:
    1. Type CHGSMTPA and press F4.
    2. At the bottom of the second page, set Percent routing character to *NO.
 

Restricting Email Relaying in V5Rx

 
Note: The following information is adapted from the V5R1 Information Center. There are also commands for managing email relay, including CHGSMTPA (ALWRLY parameter) and ADDSMTPLE. See the help for each command for more information.
 
Unwanted users who send unsolicited mail can take a great amount of central processing unit (CPU) cycles and space. Also, if your server allows others to relay unsolicited mail, other servers might block the mail that comes from your server. To prevent spammers from using your email server, use the relay restriction function to specify as closely as possible who can use your machine for relaying.
 
You can specify IP addresses of known unwanted users, or you can connect to a host that contains a Realtime Blackhole List (RBL) server. These Realtime Blackhole Lists provide a list of known IP addresses that send unsolicted mail. See the MAPS (Mail Abuse Prevention System LLC) website for an example of a host that contains a Realtime Blackhole List. To obtain a list of open relays, search for "open relay" to find a website that lists hosts that offer open relays.
 
To restrict email relaying and connections: 
  1. In Operations Navigator, expand your iSeries server > Network > Servers > TCP/IP
  2. Right-click SMTP and choose Properties
  3. Click the Relay Restrictions tab.
  4. Choose one the five options to restrict email relaying:
    • Allow all relay messages.
    • Block all relay messages.
    • Accept relay messages from only the near domains list.

      Note: To use this option, you also need to click the General tab and list the near domains to accept.

    • Acccept relay messages from only the address relay list.
    • Accept relay messages from both the near domains and address relay lists.

      Note: To use this option, you also need to click the General tab and list the near domains to accept.

  5. Click the Connection Restrictions tab.
  6. Click Add to add host names of servers with a Realtime Blackhole List.
  7. Click Add to restrict attempted connections from specific IP addresses.
  8. Click OK
Still have questions? We can help. Submit a case to technical support

Last Modified On:
You don't have the appropriate permissions.
No, open a new Support Case
+1 800-328-1000
[email protected]
Infrastructure Protection & Data Security
Managed Security Services
Automation
IBM i

Copyright © 2023 Fortra