Kisco Systems

IBM i Security Tips

IBM i SMTP Relay Controls

By Rich Loeber

Updated March 4, 2021

Many IBM i shops keep the SMTP server active on their system to support host-based applications that format and send e-mail messages directly from their IBM i system. With the SMTP server active, you could leave your system open to spammers who could take over the SMTP server to relay their spam messages. This tip describes how to control SMTP relay on your system. You can check to see if SMTP is active on your system by running the following command:

WRKACTJOB SBS(QSYSWRK) JOB(QTSM*)

If there are any tasks displayed, then the SMTP server is active on your system.

Controlling SMTP mail relay involves two processes. First, you have to set the ALWRLY parameter in the SMTP Attributes on your SMTP server. This is updated using the CHGSMTPA (Change SMTP Attributes) command. Keep in mind that your user profile must have the *IOSYSCFG special authority to be able to use the CHGSMTPA command. When you first prompt the command, press the F9 key to show all of the parameters.

If you just want to deny all mail relays, set this value to *NONE and you're all set; you can stop reading now and move on with your life. However, if you are sending mail from your IBM i using the SNDDST command, the SNDSMTPEMM command or other program-controlled methods, you cannot leave this setting at *NONE, as it will block mail being sent from your system. Simply changing this setting to *ALL is not a good idea either, as this will allow anyone to relay mail through your system. The best choice is one of the following:

*LIST - only IP addresses that match an *ACCEPT SMTP list entry will be allowed or denied
*NEAR - only IP addresses that match a *NEAR SMTP list entry will be allowed
*BOTH - the system will look at both the *LIST and *NEAR entries

Once you have this part configured and have specified one of the three recommended settings, you will then have to update the SMTP list to indicate who can relay mail. This is done using the ADDSMTPLE (Add SMTP List Entry) command. There are a lot of options for this, but as a simple example let's set up an entry that will permit mail to be relayed from your IBM i. If your system has an IP address of 10.100.2.1, then you would add a relay accept transaction that looks like the following:

ADDSMTPLE TYPE(*ACCEPT) INTNETADR('10.100.2.1') SUBNETMASK('255.255.255.255')

This entry will accept all SMTP mail that is sent from the specific IP address indicated in the INTNETADR parameter. The subnet mask used here is coded so that only the specific IP address will be processed. You can also use this command to post a *REJECT or *NEAR entry to the SMTP list to indicate specific IP addresses to be rejected or to define a system to be considered as a *NEAR system. Varying the subnet mask lets you define ranges of IP addresses. If you need help on how to code these entries, feel free to contact me. Once entries have been added to the SMTP list, you can delete them using the RMVSMTPLE (Remove SMTP List Entry) command. It would be nice if IBM provided a WRKSMTPLE command too, but the test system I work on has no sign of this feature.
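To show how the subnet mask widens or narrows an *ACCEPT entry, here is an added Python example (not from the original article or from IBM) that turns an address range into ADDSMTPLE commands with the tightest masks and reports how many addresses a mask admits. It assumes an entry matches when the sender address and the entry address are equal after both are ANDed with the mask; the function names and sample addresses are constructed for illustration.

```python
import ipaddress

def accept_entries(first, last):
    """ADDSMTPLE *ACCEPT commands covering first..last and nothing more."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [f"ADDSMTPLE TYPE(*ACCEPT) INTNETADR('{n.network_address}') "
            f"SUBNETMASK('{n.netmask}')" for n in nets]

def hosts_covered(subnetmask):
    """How many addresses one list entry with this mask admits."""
    host_bits = ~int(ipaddress.IPv4Address(subnetmask)) & 0xFFFFFFFF
    if host_bits & (host_bits + 1):  # host bits must be one trailing run
        raise ValueError(f"non-contiguous subnet mask: {subnetmask}")
    return host_bits + 1

def entry_matches(intnetadr, subnetmask, sender):
    """Assumed matching rule: compare both addresses after ANDing with the mask."""
    mask = int(ipaddress.IPv4Address(subnetmask))
    return (int(ipaddress.IPv4Address(sender)) & mask ==
            int(ipaddress.IPv4Address(intnetadr)) & mask)

if __name__ == "__main__":
    # Constructed sample: six application hosts that send mail via the IBM i.
    for cmd in accept_entries("10.100.2.1", "10.100.2.6"):
        print(cmd)
    # A /24 mask is one entry but opens relay to 256 addresses, not six.
    print(hosts_covered("255.255.255.0"))
    print(entry_matches("10.100.2.0", "255.255.255.0", "10.100.2.77"))
```

A range that does not fall on a mask boundary needs several narrow entries; rounding it up to one wider mask also permits relay from every other address under that mask.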

If you have been using SMTP list entries for a while, you may need to know what entries are already established on your system, but IBM i provides no support for a review function. You can, however, review what is already set up by examining the various members in the file named QATMADRLST in library QUSRSYS. Each member, which you will find appropriately named, contains the list entries for that type. A simple query report can list the entries, and you can remove unwanted entries as needed.

If you have any questions about this topic, you can reach me at rich at kisco.com; I'll give it my best shot. All email messages will be answered.