Parameter:
Allow_Passthru_TargetsShort description: List of destination servers to which this server may route clients via pass-through. Corresponds to the "Destinations allowed" field in the server document. Default empty = all servers allowed.
Profile
Parameter | Allow_Passthru_Targets |
Category | Security / TLS (Pass-Through) |
Available since | At least 9.0.1 (HCL docs 9.0.1 – 14.5.1) |
GUI equivalent | Server document → Security tab / Passthru Use section → Destinations allowed field |
Possible values | Comma- or semicolon-separated list of destination server names |
Default | Empty = all destinations allowed (open) |
Description
According to the HCL product documentation (14.5.1, Controlling access to a pass-through server or pass-through destination):
Destinations allowed — Enter the names of destination servers to which this server may route clients. The default for this field is blank, which means that all servers may be routed to. This field corresponds to theAllow_Passthru_Targetssetting in the NOTES.INI file. If a conflict exists, the Destinations allowed field takes precedence.
Allow_Passthru_Targets defines the list of allowed destination servers for pass-through routing. When a Notes client wants to establish a connection to another server via this pass-through server, Domino checks whether that destination server is included in the list. If the list is empty (default), all destinations are allowed.Important: Empty = open — this is exactly the opposite of
Allow_Passthru_Callers, where empty means nothing allowed.Example configuration
Allow only specific destinations (whitelist):
Allow_Passthru_Targets=MailHub/Acme,DBHub/Acme
Allow all servers of an organization via certifier:
Allow_Passthru_Targets=*/Acme
Allow all destinations — corresponds to default, simply omit the parameter:
# Allow_Passthru_Targets=
Notes & pitfalls
- The server document field Destinations allowed takes precedence over notes.ini if both are populated.
- Default = empty = all destinations allowed — this is not a restrictive default in security terms. For hardening, an explicit whitelist should be configured.
- Applies only to HCL Notes clients and Domino servers — Internet/intranet clients cannot use pass-through.
- Works together with
Allow_Passthru_Callers(inbound list) as a two-tier pass-through access control.
Sources (HCL Product Documentation)
- HCL Domino 14.5.1 – Controlling access to a pass-through server or pass-through destination: help.hcl-software.com/domino/14.5.1/admin/conf_controllingaccesstoapassthruserverorpassthrudesti_t.html
- HCL Domino 11.0.1 – Controlling access to a pass-through server or pass-through destination: help.hcl-software.com/domino/11.0.1/admin/conf_controllingaccesstoapassthruserverorpassthrudesti_t.html
- HCL Domino 9.0.1 – Controlling access to a pass-through server or pass-through destination: help.hcl-software.com/domino/9.0.1/admin/admin/conf_controllingaccesstoapassthruserverorpassthrudesti_t.html