cryoserver configuring lotus notes

Cryoserver Archive Lotus Notes

Configuration

Forensic & Compliance Systems Ltd +44 (0)800 280 0525 [email protected] www.cryoserver.com

Version 1.0 December 2007

Cryoserver Archive Lotus Notes Configuration

2007 FCS. All rights reserved. of 24

Contents

INTRODUCTION ............................................................................................................................................... 3

SMTP ROUTING TO CRYOSERVER ..................................................................................................................... 4

BASIC LOTUS NOTES JOURNALING ................................................................................................................... 5

ENABLING JOURNALING ............................................................................................................................................ 5

SETTING THE RULE FOR JOURNALING ........................................................................................................................... 6

OTHER CONFIGURATION SETTINGS .................................................................................................................. 8

SERVER CONFIGURATION .......................................................................................................................................... 8

LDAP CONFIGURATION ............................................................................................................................................ 8

ENABLING THE LDAP SERVICE .................................................................................................................................... 9

CONFIGURING LDAP FOR CRYOSERVER ...................................................................................................................... 11

CRYOSERVER LDAP CONFIGURATION ........................................................................................................................ 12

LOTUS NOTES MIME CONFIGURATION .......................................................................................................... 16

USER CONFIGURATION ........................................................................................................................................... 20

SPECIFYING HOW DOMINO LOOKS UP THE RECIPIENTS OF INCOMING SMTP MESSAGES ....................................................... 21

KNOWN ISSUES .............................................................................................................................................. 24

NO JOURNAL WHEN BOTH INTERNAL AND INTERNET RECIPIENTS USED .............................................................................. 24

NO BCC GROUP INFORMATION ................................................................................................................................ 24

MULTIPLE SERVER JOURNALING ................................................................................................................................ 24



Introduction This document describes the basic method to route journal mail from Lotus Notes to

Cryoserver. Journaling is a standard feature of Lotus Notes 6.5 that, by default, will journal mail to a specified Lotus Notes server. The mail stored in this specified server will contain the mail in encrypted form, together with Lotus Notes metadata relating to each email.

Cryoserver is used to replace the Lotus Notes Server journaling end-point. The down side of this current approach is that Cryoserver mail does not include Bcc recipient information and other ‘final recipient’ details (known as the ‘envelope’). Where the Lotus Notes server

has integration with an LDAP service, distribution lists may be expanded by Cryoserver.

Lotus Notes has supported Journaling since version 6.5. However, we can only recommend the use of Lotus Notes version 6.5.4 fixpack 1 (i.e. 6.5.4.1) and later, as this resolves the initial journaling issues.



SMTP Routing to Cryoserver The email generated by the Lotus Notes Journaling feature must be sent directly to

Cryoserver using SMTP.

To do this:

1. Create an SMTP document for the complianceinternet.co.uk domain, and associate it with a Foreign SMTP Domain document that specifies the IP address for the domain:

Figure 1 - The Foreign SMTP Domain document.

2. Add a new Foreign SMTP Domain document and type in the IP address of your Cryoserver master server:

Figure 2 - The Cryoserver Foreign Domain, routing details

The complianceinternet.co.uk domain is not registered as a public email end-point – so any mail sent to this address on the public Internet will bounce.



Basic Lotus Notes Journaling You must specify:

• Enable Journaling for the local server or for all servers.

• A rule that filters the required emails to the Journal.

Basic journaling sends a copy of email directly to Cryoserver using Lotus Notes SMTP services. This has the advantage of being very simple to configure. The main disadvantage is that BCC recipient information is not included in the copy sent to Cryoserver.

Enabling Journaling

To enable jounaling, you will need to edit the local server configuration document, for

single server journaling, or the default global configuration document to enable journaling for all servers in a group.

If you do not have a local server configuration document, but you want to enable journaling on a single server only, then you must create a new local configuration document and copy the configuration from the default document to the local copy. Then follow the steps below.

In the Server Configuration document locate the Router/SMTP tab, or for the Messaging

configuration document, locate the Messaging Settings tab. From there, click the Advanced tab and the Journaling tab.

You can then enable Journaling, and send the journal to either a Mail-In database, or a local database.

For basic journaling, use a Mail-In database, and key in the standard Cryoserver mail recipient email address ([email protected]) as the destination. The

encryption exclusion list is ignored.



Figure 3 - Enabling journaling

Cryoserver/Lotus Notes currently only supports Basic Journaling – where a copy of every mail is sent via SMTP to the Cryoserver, using this mail-in database configuration.

Setting the Rule for Journaling

Normally, all email will be journaled, but a specific set of mail can be journaled if required. A rule must be created in order for any journaling to occur.

Figure 4 - Adding a rule for journaling



NOTE: If the rules tab is missing, then you have an upgraded Lotus Notes system (the Admin template is not fully updated during an upgrade). In this case you will need to access the Global configuration document, via the Server branch from the tree view on the left.

Figure 5 - The ‘Journal Everything’ rule

You need to ADD a condition, and ADD an action. The default condition and action will result in ALL mail being journaled.



Other Configuration Settings This chapter describes other configuration settings that may be required for Cryoserver to

work with Lotus Notes.

Server Configuration

In a multi-server set up, each server will need the Journaling Enabled (as appropriate). If all servers use just the default server document, but you want to enable journaling on just a single server, then you will need to create a new server configuration document and copy all configuration from the default document into the new document. Then you can adapt the parts of the server document pertaining to Journaling.

Figure 6 - Locating the All Servers document

If you cannot see the * - [All Servers] entry, then click on the server document and press the UP arrow on the keyboard. You need to the global document in order to access the LDAP settings.

LDAP Configuration

Cryoserver can use a single LDAP service in order to perform two functions:

Login Validation, where the user name and password that was entered into the Cryoserver Login web page is validated against LDAP using the following procedure:

• Access LDAP using a well-known user id, and perform a search to find the end users DN entry.

• Use the LDAP Bind feature to validate the Password, for the users DN.

• If the Bind succeeds, obtain the users internet email addresses.

Distribution List Expansion, using the following iterative procedure:

• Extract each email address used in the email.

• For each address, locate the entry in LDAP using a search from each BaseDN listed in the Super User configuration.



• If a search is successful, use the primary email address (if different to the email address used in the email – which assumes that email alias addresses are included in LDAP)

• If the search returns a distribution list, then read its list of members, and obtain the email address for each entry, or repeat if the entry is another distribution

group.

Cryoserver does not currently support a dual LDAP interface, where the Login is validated against one LDAP system (e.g. Active Directory) but the email address details are obtained from another LDAP system (e.g. Domino Lotus Notes).

Note: LOTUS NOTES LDAP will authenticate the User Login against the users’ internet

password. Lotus Notes does not require an internet password – so these may need to be manually entered into the Lotus Notes Admin console, for the users who need basic search

access to Cryoserver.

Enabling the LDAP service

1. The LDAP task runs automatically on the administration server for the primary Domino Directory. On other servers in the domain, either change the ServerTasks setting in LOTUS NOTES.INI, or manually start/stop the service:

• Start: Enter Load LDAP at the console

• Restart: Enter Restart Task LDAP at the console

• Stop: Enter Tell LDAP Quit at the console

2. If your organization uses more than one Global Domain document, specify the one that the LDAP service uses to return Internet addresses to LDAP clients. Open the Global Domain document. In the "Use as default Global Domain" field, choose Yes.

3. (Optional) Customize the default LDAP service configuration. In many cases, the LDAP service default settings are adequate.

4. To check whether you set up the LDAP service correctly, use an LDAP search utility

such as ldapsearch provided with Lotus Notes and Domino, to issue a query to the LDAP service.

LDAP is accessed using a TCP/IP port. To enable this port:



Figure 7 - Enabling the LDAP port

The default un-encrypted port is 389. It can be altered, as shown here, if it conflicts with another LDAP system that is already running on the server.

Figure 8 - Internet Sites should include an LDAP entry

Figure 9 - Creating a site against which the LDAP will run



Configuring LDAP for Cryoserver

To see the LDAP Configuration document, locate the All Servers document, and click on the LDAP tab.

You need to select the Lotus Notes objects and attributes that LDAP is to publish. Do this through the Global Configuration LDAP tab.

Figure 10 - The LDAP record in the Global Configuration document

Click Select Attribute Types to open a dialog box, where the User and Distribution Group attributes can be selected.

Figure 11 - LDAP Selecting the Distribution Group attributes

Make sure that you have selected at least ‘cn’. ‘member’ and ‘mail’ attributes for the dominoGroup and dominoUser objects. It will probably be best to click Add All.

After selecting the attributes, scroll down to display the general LDAP settings, as shown in Figure 12.



Figure 12 - LDAP Settings

Make sure that the DN Required on Bind is set to NO.

Cryoserver LDAP Configuration

The matching configuration in Cryoserver, as entered into the Super User web interface,

Company Edit page is detailed below.

Directory user cn=<user>… A user whose (internet) password should not expire should be made available for Cryoserver use. The FQDN (Fully Qualified Domain

Name) of this user should be entered here. Use an LDAP Browser if you are unsure of the FQDN. It is typically in the form:

cn=a user, ou=users, o=company

Directory password A password must be used

User DN #

with translate = Yes, or

cn=#,ou=Users,o=dom

The # is replaced by the Directory User value (above).

IF the ‘Translate Users’ is set to NO, then the users Login ID

replaces the # – and must create a full FQDN.



with translate = No

IF translate users is set to YES, then the user’s Login ID is Searched for.

Base DN Root

Or leave it blank

Or

o=<domain>

The LDAP system can append this base DN to the login and other DN strings to create a FQDN. Used ONLY if the “append base DN” is set to Yes.

For LOTUS NOTES, the base DN

should be blank (or the word ‘root’, which means the same thing in Cryoserver).

Search DN root

or a blank entry

In LOTUS NOTES, distribution groups appear to be directly listed

at the root level (though some LOTUS NOTES LDAP configuration may be different – use an LDAP Browser to confirm).

In this case, all directory searches must start at the root. In LOTUS NOTES the root level does not

have a name (unlike Exchange) – so the search MUST have a blank (or ‘root’) entry in order to find distribution groups.

Append Base DN No As the base is blank – no need to

append it!

Primary field name Mail Used for Address Expansion &

Login:

This contains the user’s internet email address.

By default, distribution groups do not have internet email addresses. If so, Cryoserver CANNOT expand those addresses.

LOTUS NOTES Administrator

should manually enter internet

addresses for Distribution Groups

Primary field pattern (.*) This says “take the whole value”. Cryoserver uses the full text from

the Primary Field as the users email address.

Secondary field name Cn Used for Address Expansion &

Login:

This is the user’s alias email

address list. Lotus Notes has no formal way of expressing alias email addresses.

The “cn” attribute in LOTUS NOTES contains the user’s common name



– but it can be extended to include a list of alternative names.

The LOTUS NOTES Administrator

can manually enter alternative

internet addresses for users in the

Name field on the Admin User

Configuration screen.

Secondary fld pattern (.*) This says ‘take the whole value’ of

each secondary address entry.

Secondary fld format (cn={0})

this is optional

Used for Address Expansion:

This allows Cryoserver to perform searches of an alias email address.

It places the email address from the email into the {0} part of the format, and then performs a search.

Member field name Member Used for Address Expansion:

The LDAP attribute that lists the members of a Distribution List.

In LOTUS NOTES the members are FQDN strings (cn=user,ou=users,dc=fred).

However, External email addresses are incorrectly prefixed with ‘cn=’. Cryoserver version 1.3.4p has a fix for this.

Translate Users Yes Used for login:

IF Yes, then Cryoserver logs in with the well-known user (the User DN, above). It then performs a Search using the users Login ID.

Translation Key cn Used for Login:

SSL No Not used

Cache size 300 to 1000 Address Expansion:

The number of LDAP entries to store in-memory, for the timeout period.

Cache timeout 500 Address Expansion:

The number of seconds to keep a

cached LDAP entry in-memory. After this timeout, that entry must be re-fetched from LDAP.

LDAP Type Custom Login and Address Expansion:

IF you use any other type,



Cryoserver overrides most of the LDAP settings with some hard-coded ones.

Login Failure Limit 9 Allow user to enter a reasonable number of incorrect passwords before locking an account.

Lock Time 1 Minute(s) – if bad passwords are

entered and the account becomes locked, how long before the user can attempt more password guesses.

Old Pwd Limit 1 NOT USED in version 1.3x

Password Expiry 99999 Do not expire cryoserver-local passwords

In version 1.4+ a grace login is allowed after the Expiry – but not in version 1.3.

Spool Mode RFC822 LOTUS NOTES only does basic (non-forensic) journaling. It does not include the message envelope [full list of recipients] in the journal copies.

Avg Message Interval 0 or 10 To test if the LOTUS NOTES system is sending mail to the Cryoserver.

If Cryoserver does not process any email within this time period, a

special alert email is raised by Cryoserver.

Cryoserver waits to see if it receives this email back again. If so all is OK. If not then there may be an issue – so an Engineer Alert message is sent.

Feedback email Blank

or

<email address>

If the message interval not 0, then a special alert is sent to this email address.

This email address MUST be on the

LOTUS NOTES server being journaled – because Cryoserver is waiting for the email to be returned via the LOTUS NOTES journal mechanism.



Lotus Notes MIME Configuration

MIME is the standard format of the content of any email sent over the internet. Some settings determine how Lotus Notes will convert Lotus Notes format emails into Internet

format emails. Other settings determine how Lotus Notes handles incoming Internet emails.

Incoming Internet Mail will generally be relayed, unchanged, directly to the Journal Recipient if the Mail-In journal option is selected. Internal Email will be translated into MIME when it is sent to the Mail-In journal recipient – and some options here determine how this translation from Internal to Internet format will occur.

Figure 13 - Outbound Internet Mail Format Control

Internal mail that is to be converted to Internet Mail must have its Lotus Notes Rich Text field converted to either plain text, HTML, or both. The preference is to use both, as shown here.



Figure 14 - Incoming Internet Mail Rules

BCC Recipients

For incoming internet mail, you can ensure that the BCC recipients are actually stored

within the Lotus Notes system for all Lotus Notes users. This may be seen as a privacy or compliance issue, and is often set to No.

IF Lotus Notes Journaling is sent to a Local Database, rather than a mail-in database, then the BCC information will be preserved in the Local Database’s copy – except for mail that was Bcc’d to a distribution group, when NO RECORD is kept of either the group or the group’s recipients in the Journal Copy.



Figure 15 - Outbound Message Options

The Outbound options determine some key aspects of internet mail formatting and content of Lotus Notes Internal Mail that is translated into an Internet format email.

RFC822 phrase handling determines the text for each recipients internet email

addresses ‘display name’. Internet email addresses (RFC822 addresses) can be formed as “Display Name” [email protected]

The display name can be one of the items selected on this configuration page. Lotus Notes Private Items are the meta-data items that exist in the Lotus Notes Mail document that are not usually included in an Internet email. Some example items are shown below.

X-Lotus Notes-Item: CN=Trinity/O=Cryoserver;

flags=44; name=$UpdatedBy

X-Lotus Notes-Item: 04-Jan-2006 16:08:24 GMT =?US-ASCII?Q?=2C_04-Jan-2006_16=3A08=3A25_GMT?=;

type=401; name=$Revisions

X-Lotus Notes-Item: 0;

name=$MsgTrackFlags

X-Lotus Notes-Item: forensiccompliance.com;

name=FromDomain


type=300; name=$Hops


name=$NoteHasNativeMIME



The Always Send Lotus Notes Items in Header, and the opposite Remove Items

From Header options determine if specific Lotus Notes items are to be included or removed from the generated Internet Mail. Simply enter the names of the Lotus Notes Items that you want to include, or exclude, separated with new-lines. There are two caveats with the Always Send option

• Only a single header will be generated for each item – even if that item is a list of values within Lotus Notes, only the first such value is output (unlike the Lotus Notes Private Items option above, that includes the whole set of values)

• Each value is truncated to 255 characters.

Figure 16 - SMTP Basics

The Address lookup field determines how rigorous the Lotus Notes system will be when matching an incoming email recipient address with an entry in the Domino Directory (LDAP). See Specifying how Domino looks up the recipients of incoming SMTP messages below for further information.

The Domain Configuration document determines the default formatting of internet email

addresses for the domain.



Figure 17 - Internet Addressing defaults for a domain

User Configuration

The user configuration should not affect the Journaling of email. However, the fidelity of original internet emails is preserved when using the Format preference of Keep in senders’

format.

Figure 18 - Person configuration details



Specifying how Domino looks up the recipients of incoming SMTP messages

When Domino receives a message over SMTP, the message recipient is identified by an Internet-style address, in the format [email protected], rather than a Lotus Notes-style address, such as Genevieve Martin/Acme. To determine the correct destination mail file, Domino must match the SMTP address to a Person document in the Domino Directory. To find a match, the router checks the $Users view of the directory. This view

displays all name entries in all Person documents in the directory, including Internet mail addresses, as well as all user name variations, first names, last names, common names (CN), distinguished names (DN), short names, and soundex names.

Note: To display the hidden $Users view: Open the directory, press CTRL-SHIFT and select View-Go To. In the Go To dialog box, select the view ($Users) and click OK.

Inbound recipient lookups are controlled by the Address lookup setting on the Router/SMTP - Basics tab of the Configuration Settings document. This setting determines

the criteria that the Router uses when attempting to match the SMTP address on an incoming message to an entry in the $Users view. The Router matches addresses based on:

• The full SMTP address only -- for example, [email protected]

• The local part of the SMTP address (that is, the part to the left of the @ sign) only -- for example, Genevieve_Martin

• The full SMTP address, and then if no match is found, the local part address

When using full name matching, the Router searches the Domino Directory for an exact match of the entire SMTP address (for example, [email protected]). If an exact match is not found, the Router performs a secondary search if the domain suffix of the incoming address is listed in the Global domain document as an Internet domain alias. For this secondary search, the Router replaces the given domain suffix with the domain suffix designated in the Global domain document as the Primary domain name.

To prevent the Router from using domain aliases when looking up addresses, do not include alternate Internet domain aliases in a Global domain document. Instead, create multiple Global Domain documents, each specifying a different primary Internet domain.

Restricting the Router to matching addresses on the full Internet address only ensures that each user's Internet address complies with a standard format. Users cannot receive inbound mail addressed to their short names, soundex names, or other name variations that exist in the $Users view. When configuring the Router to look up users' full Internet

addresses only, complete the Internet address field in all Person documents, and Mail-in database documents for mail-in databases that receive mail over SMTP.

To specify how addresses are looked up:

1. Make sure you already have a Configuration Settings document for the server(s) to be configured.

2. From the Domino Administrator, click the Configuration tab and then expand the Messaging section.

3. Choose Configurations.

4. Select the Configuration Settings document to be edited and then click Edit Configuration.

5. Click the Router/SMTP - Basics tab.

6. Complete these fields, and then save the document:



Field Type in

Address lookup Specifies how the Router searches the Domino Directory

to determine the Lotus Notes recipient of an inbound

Internet message. Choose one:

• Fullname then Local Part - (default) The Router

first searches the Domino Directory for a match

for the full Internet address

([email protected]). If no match is found,

it searches the directory again, looking for a

match for the local part of the address only.

• Fullname only - The Router searches the

Domino Directory for full Internet addresses

only. For example, it searches for

"[email protected]" but not for "user." If an

exact match is not found and the domain suffix

is equivalent to an Internet domain alias defined

in the Global domain document, a secondary

search is performed using the domain suffix of

the primary Internet domain.

Local Part only - The Router searches the Domino Directory for a match of the local part of the Internet

address, that is, the part before the @ symbol. Local part matching matches periods and underscores in the address with spaces in the directory.

Exhaustive lookup Choose one:

• Enabled - The Router searches all directories to

ensure that there are no duplicate recipient

names that might prevent the message from

getting to the right person. Performing

exhaustive lookups is time-consuming and

places a heavy load on the server.

• Disabled - (default) The Router limits its search

to the first directory that contains the address.

7. The change takes effect after the next Router configuration update. To put the new

setting into effect immediately, reload the routing configuration as below.

The Router on each server maintains a dynamic routing table, which specifies the best route to each possible destination server. The routing table builds on information contained in the server's LOTUS NOTES.INI file and in the Configuration Settings, Domain, Connection, and Server documents in the Domino Directory.

By default, at intervals of approximately 5 minutes, or after you restart the task, the

Router examines the Domino Directory for changes that would warrant rebuilding the routing table. In cases where you want new settings to take effect immediately, but do not want to interrupt the flow of mail by stopping and restarting the Router, you can use a TELL command to force an update.

To update the server's routing table

Type in the following command at the server console:

Tell router update config

The Router checks the Server, Server Configuration, Connection, Adjacent and Non-

Adjacent domain documents, and the LOTUS NOTES.INI file for changes that might effect



the routing topology. The Router then builds a new routing table that incorporates the changes. The Router reprocesses any messages currently in MAIL.BOX based on the new routing table.

The Router does not check the Global Domain document for changes in response to the update configuration command. The information contained in the Global Domain document

is loaded into memory only after server initialization. It is not refreshed when the routing tables reload.



Known Issues

No Journal when both Internal and Internet recipients used

This issue was noted in Lotus Notes version 6.5.4: No journal copy was made where an

email was sent to both a local Lotus Notes user and an external internet recipient.

This issue was fixed in Lotus Notes version 6.5.4 fixpack 1 (i.e. 6.5.4.1).

No BCC Group information

If an email is Bcc’d to a distribution group, then the Journal does not keep a record of either the Group address or the recipients in that group.

Multiple Server Journaling

If the organisation has multiple Lotus Notes servers and corresponding Cryoserver systems, then some ‘Loss of mail’ will be noticed on each Cryoserver. The reason is that Lotus Notes will journal an email only once within a group of Domino servers. This results

in an internal mail being sent from one Lotus Notes server to another, being journaled at the sending Lotus Notes server ONLY. Similarly, an external mail being delivered to recipients on multiple Lotus Notes servers will only be journaled at the Gateway Lotus Notes server. The receiving Lotus Notes server will identify the email as ‘has been journaled’ and will not journal again.

Where there is a central Cryoserver, regardless of the number of Lotus Notes servers, then this behaviour is ideal.

Where each Lotus Notes Server has a corresponding Cryoserver, then there will be apparent loss of mail. We can provide a ‘Global Search’ facility, which will span a search across remote Cryoservers – and thus recover the ‘missing’ sent items.

The Domino Lotus Notes system needs to be extended to log the ‘journal destination’. Where this destination is different on the remote servers, then Journaling should be repeated.

cryoserver configuring lotus notes

Software

lotus notes tocryoserver

lotus notes journaling

lotus notes metadata

lotus notes smtpservices

specified lotus notes

cryoserver mail

lotus notes mime configuration

use of lotus notes version