HND203 Mail Routing Mastery
Andrew Pollack
Northern Collaborative Technologies
Language Note
I realize that for some of you, English is not your primary language,
and for others, my accent is not the same as yours.
If you are having trouble understanding me during this talk, please
raise your hand and I will try to slow down and speak more clearly.
Thank you.
If it makes noise, shut it off!
Cell phones, pagers, PDA’s,
FRS Radios, PSP’s, Portable Audio Players
Portable Video Players, watch alarms,
Laptop sound settings!
Anything else you’ve carried around for the express purpose of
using in sessions.
You may leave on pacemaker low battery alarms.
The Copyright Screen!
We are required by the excessive use of lawyers to properly mark the first use of these terms in all presentations.
Here you go.
IBM ®, the IBM logo, Lotus ®, Lotus Notes ®, Notes, Domino ®, Sametime ®, WebSphere ®, Workplace ® and
Lotusphere ® are trademarks of International Business Machines Corporation in the United States, other
countries, or both.
Java® and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other
countries, or both.
Microsoft® and Windows® are trademarks of Microsoft Corporation in the United States, other countries, or
both.
Intel®, Intel Centrino®, Celeron®, Intel Xeon®, Intel SpeedStep®, Itanium®, and Pentium® are trademarks or
registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
UNIX® is a registered trademark of The Open Group in the United States and other countries.
Linux® is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Other company, product, or service names may be trademarks or service marks of others.
Agenda
Setting Expectations – What will we cover, and how deeply?
Native Notes Mail Routing
Cross Certification & Security
Named Networks & Connection Documents
Multiple Address Books
Outbound SMTP Mail Routing
DNS Requirements & SPF
Using a single SMTP router for your Domain
Inbound SMTP Mail Routing
Don’t be a relay server
Anti-spam choices & techniques
Client Side Choices
Alternate mail clients – IMAP and POP3
X.509 – signed and encrypted mail
Setting Expectations
Your time is valuable.
If these points do not match your needs for this session, please feel free to
move to another session. If you plan to do so, please do it early on so as not to
disturb the others.
Technical Level
Introductory & Intermediate – We’re going to go into detail about the
configurations and choices you have, but not focus too deeply on specific
problems or bugs. Save those for the IBM Developers’ lab.
Slides vs. Demo / Hands On
There are several points in this two hour session that we’ll walk through
together using the laptops, however not everyone has a laptop and the class is
designed to be useful to everyone.
As a courtesy, I try to put detail on the slides so that you can use them as
reference in the future.
Who am I to tell you these things?
Andrew Pollack, President of Northern Collaborative Technologies
Author of NCT Search, NCT Compliance Search, and NCT Simple
Signon, and now Second Signal
IBM Lotus Beacon Award Winner
Administrator & Developer since version 2.0
Firefighter – A Lieutenant on an Engine company
In firefighting, just like server administration, it's all in the planning
Native Lotus Notes Mail
Cross Certification & Security
An Introduction to Certifiers
Certificates are hierarchical – A certifier can be used to create sub-certifiers (called
organizational certifiers) or users
Any certificate can be validated by a server which has a higher level certificate in
common
These are all versions of the same name:
Common Name: Andrew Pollack
Abbreviated Name: Andrew Pollack/Users/TheNorth
Hierarchical Name: CN=Andrew Pollack/OU=Users/O=TheNorth
These are all versions of the same name:
Common Name: Igloo
Abbreviated Name: Igloo/Servers/TheNorth
Hierarchical Name: CN=Igloo/OU=Servers/O=TheNorth
Igloo and Andrew Pollack validate each other because:
Both have a common certificate called “TheNorth”
Both can verify that their certificate from “TheNorth” is identical
Both can verify that the common and organizational certificates of the other
were created using the common certifier “TheNorth”
Cross Certification
A Cross-Certificate creates commonality where it
otherwise does not exist
If these two need to connect:
Igloo/Servers/TheNorth
Wigwam/Servers/ThePlains
Igloo and Wigwam cannot validate each other because
they have no common certificate
“/Servers” is not a valid certificate in common because each was
created using a different root certificate – thus they are not the same
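The validation rule on the last few slides, worked through as an added example (not code from the presentation): names are parsed into their certifier chain, two names validate when they share a certifier path, and cross-certificates supply the missing commonality. The names Igloo, Andrew Pollack and Wigwam come from the slides; the cross-certificate pairs and the rule that both sides must hold one are assumptions of this model.

```python
from typing import List, Optional, Set, Tuple

def parse_hierarchical(name: str) -> List[Tuple[str, str]]:
    """Accept the hierarchical form 'CN=Igloo/OU=Servers/O=TheNorth' or the
    abbreviated form 'Igloo/Servers/TheNorth' (first part is the CN, last part
    the O, anything in between is an OU)."""
    comps = name.split("/")
    if all("=" in c for c in comps):
        return [tuple(c.split("=", 1)) for c in comps]
    types = (["CN"] + ["OU"] * (len(comps) - 2) + ["O"]) if len(comps) > 1 else ["CN"]
    return list(zip(types, comps))

def canonical(name: str) -> str:
    """Abbreviated or hierarchical name -> hierarchical form."""
    return "/".join(f"{k}={v}" for k, v in parse_hierarchical(name))

def certifier_chain(name: str) -> List[str]:
    """Certifiers above this entry, root first, each as its full path
    (e.g. ['/O=TheNorth', '/OU=Servers/O=TheNorth']). A certifier is identified
    by its whole path, so '/OU=Servers' under two different roots is not shared."""
    comps = parse_hierarchical(name)
    return ["/" + "/".join(f"{k}={v}" for k, v in comps[i:])
            for i in range(len(comps) - 1, 0, -1)]

def common_certifier(a: str, b: str) -> Optional[str]:
    """Deepest certifier both names were created under, or None."""
    shared = [c for c in certifier_chain(a) if c in certifier_chain(b)]
    return shared[-1] if shared else None

def can_validate(a: str, b: str, cross_certs: Set[Tuple[str, str]] = frozenset()) -> bool:
    """True when a and b share a certifier, or when each side's organization
    holds a cross-certificate for some certifier in the other side's chain.
    cross_certs entries are (holder_root_certifier, trusted_certifier_path);
    requiring both directions models a two-way server connection (assumption)."""
    if common_certifier(a, b):
        return True
    chain_a, chain_b = certifier_chain(a), certifier_chain(b)
    if not chain_a or not chain_b:
        return False  # a flat common name has no certifier to compare
    a_trusts_b = any((chain_a[0], c) in cross_certs for c in chain_b)
    b_trusts_a = any((chain_b[0], c) in cross_certs for c in chain_a)
    return a_trusts_b and b_trusts_a
```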
Native Lotus Notes Mail
Notes Named Networks & Connection Documents
The Notes Named Networks
Configured on the Server Document Itself
Servers on the same Notes Named Network do not require
connection documents for mail routing
Servers on the same Notes Named Network should be:
Always available to each other
On low-cost, high speed network connections with each other
Able to find each other using their network names
Notes Mail Routing
Servers on the same Notes Named Network
Should be able to find each other "by name" without connection documents –
with TCPIP, this would be DNS
Servers on the same "named" network route mail automatically; no connection
document is needed
This is a "least cost" indicator to Domino's routing cost matrix
Use this to your advantage
Set up your named networks to reflect your network's faster and slower links.
Put only servers that have excellent connectivity on the same "Named Network"
Connection Documents
Connection documents tell servers which are not on the same
"Notes Named Network" how to find each other
Routing Topologies
Avoid "Everyone Routes with Everyone"
Map Network Choke Points
[Diagram: network choke points. The Internet (Very Scary) sits behind a Border Router; Westford, Salt Lake and Tampa routers connect an Extranet Domino Server, a Domino Server and two Domino Clusters.]
Creating a Redundant Hub & Spoke
Two distinct local area networks or well
connected individual networks
One high bandwidth connection
between the two clustered hubs
Reduces traffic across the expensive
long haul network
Outbound SMTP Mail
Using a Single Internet Mail Gateway
Server Documents (all but the server that will route smtp):
Set "SMTP Listener" to Disabled
Set "Routing Tasks" to "Mail Routing" – but not "SMTP Mail Routing"
Create a "Foreign SMTP Domain" Domain Document
Route *.* to "OurFakeName"
Create a Connection Document
Type: SMTP
Source Server: The domino server with smtp
Destination Server: MAKE UP a name
Destination Domain: "OurFakeName"
Routing Task: SMTP Mail Routing
This method means you don’t even need TCPIP as a protocol on
your other Domino servers, because the routing all happens using
Notes RPC protocols to the one server with SMTP capability.
Single Internet Mail Gateway
What really happens?
All the servers where SMTP Mail Routing is not a task look for a route to send
the mail.
These servers see that *.* goes to the domain "OurFakeName"
That's the SMTP Domain Document's job
The router task on those servers sees that one Domino server has a connection to
the "OurFakeName" domain, so they route the messages to that server
That's the connection document's job
The server which has SMTP Mail Routing enabled receives the mail in its INBOX
and knows how to send SMTP mail directly, so it does.
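The lookup order just described, as an added example that is not part of the presentation: a simplified model of the router's decision on each server in the single-gateway design, which also shows why a server on a different Notes Named Network needs a connection document before it can reach the gateway. Server names, the named-network labels and the recipient addresses are constructed; Domino's real routing cost matrix is more involved than this.

```python
import fnmatch

LOCAL_DOMAIN = "TheNorth"
SERVERS = {  # the Server document fields that matter here (constructed)
    "Igloo/Servers/TheNorth": {"nnn": "TCPIP-Maine", "tasks": {"Mail Routing", "SMTP Mail Routing"}},
    "Yurt/Servers/TheNorth": {"nnn": "TCPIP-Maine", "tasks": {"Mail Routing"}},
    "Tent/Servers/TheNorth": {"nnn": "TCPIP-Tampa", "tasks": {"Mail Routing"}},
}
DOMAIN_DOCS = [  # Foreign SMTP Domain document: route *.* to OurFakeName
    {"type": "Foreign SMTP Domain", "internet_domain": "*.*", "domain": "OurFakeName"},
]
CONNECTION_DOCS = [  # SMTP connection from the gateway to the made-up destination
    {"type": "SMTP", "source": "Igloo/Servers/TheNorth", "destination_server": "FakeHost",
     "destination_domain": "OurFakeName", "task": "SMTP Mail Routing"},
]

def reachable(src, dst):
    """Same Notes Named Network, or a Notes connection document from src to dst."""
    if SERVERS[src]["nnn"] == SERVERS[dst]["nnn"]:
        return True
    return any(c["type"] == "Notes" and c["source"] == src and c["destination_server"] == dst
               for c in CONNECTION_DOCS)

def next_hop(server, recipient):
    """Where does `server` send a message addressed to `recipient`? -> (action, target)"""
    if "@" not in recipient:
        return ("local", LOCAL_DOMAIN)  # a Notes address; outside this model
    internet_domain = recipient.rpartition("@")[2].lower()
    if "SMTP Mail Routing" in SERVERS[server]["tasks"]:
        return ("smtp", internet_domain)  # the gateway speaks SMTP itself
    # 1. Domain document: which Notes domain is responsible for this address?
    notes_domain = next((d["domain"] for d in DOMAIN_DOCS
                         if d["type"] == "Foreign SMTP Domain"
                         and fnmatch.fnmatch(internet_domain, d["internet_domain"])), None)
    if notes_domain is None:
        return ("undeliverable", "no domain document matches " + internet_domain)
    # 2. Connection document: which server has a route to that domain?
    for conn in CONNECTION_DOCS:
        if conn["type"] == "SMTP" and conn["destination_domain"] == notes_domain:
            if reachable(server, conn["source"]):
                return ("notes", conn["source"])  # hand the message to the gateway
    return ("undeliverable", "no route to " + notes_domain)
```

Adding a Notes connection document from Tent to Igloo to CONNECTION_DOCS turns Tent's "undeliverable" result into a route to the gateway.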
Internet Mail Routing
Turning off SMTP inside the Network
If you turn off the SMTP Inbound Listener, local Windows clients which have
been infected with a virus, worm, Trojan horse, or spy-ware application cannot
send mail through your servers.
This also eliminates accidental or deliberate use of your internal servers for
spam routing.
Even if you require password access for SMTP mail sending, password
guessing is now quite common.
If you disable SMTP Outbound on your servers, it will force the mail to route
through your single gateway. In many cases this is a more secure method and
provides greater traffic control on your network.
DNS Requirements & SPF
MX Records & Your Server’s IP Address
Creating SPF Records
Validating DNS & SPF Configurations
Ports & Firewalls
SMTP Port 25!
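For the SPF and DNS validation points above, an added example that is not from the presentation: a simplified SPF evaluator run against a constructed DNS zone in which only the single SMTP gateway's MX host is authorized to send for the domain. Domain names, hostnames and addresses are made up; the evaluator covers the ip4, a, mx, include and all terms, while real SPF (RFC 7208) also has exists, ptr, redirect, macros and a DNS lookup limit.

```python
import ipaddress

DNS = {  # constructed zone data: (name, record type) -> values
    ("thenorth.example", "TXT"): ["v=spf1 mx -all"],          # only the MX host (the gateway) may send
    ("thenorth.example", "MX"): ["10 igloo.thenorth.example"],
    ("igloo.thenorth.example", "A"): ["203.0.113.25"],
    ("theplains.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 include:thenorth.example ~all"],
    ("theplains.example", "MX"): ["10 wigwam.theplains.example"],
    ("wigwam.theplains.example", "A"): ["198.51.100.7"],
}

def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])

def ip_matches(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def check_spf(domain, sender_ip, depth=0):
    """SPF result ('pass', 'fail', 'softfail', 'neutral', 'none', 'permerror')
    for sender_ip claiming to send mail from domain."""
    if depth > 10:
        return "permerror"  # runaway include chain
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1 ")]
    if len(records) != 1:
        return "none" if not records else "permerror"
    for term in records[0].split()[1:]:
        qualifier, mech = "+", term
        if term[0] in "+-~?":
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        if name == "ip4":
            matched = ip_matches(sender_ip, arg)
        elif name == "a":
            matched = any(ip_matches(sender_ip, a) for a in lookup(arg or domain, "A"))
        elif name == "mx":
            hosts = [mx.split()[1] for mx in lookup(arg or domain, "MX")]
            matched = any(ip_matches(sender_ip, a) for h in hosts for a in lookup(h, "A"))
        elif name == "include":
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            return "permerror"  # mechanism not supported by this simplified model
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"  # no term matched and no 'all' present
```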
Inbound SMTP Mail
Managing Unwanted Mail
Don't be a Relay
In the "Configuration" document for your server – not the Server document, on
the "Router/SMTP:Restrictions And Controls:SMTP Inbound Controls" Tab
Deny messages from the following internet hosts to be sent to external internet
domains:(* means all) – Set to "*"
This is the Default on all recent Domino versions
Hold Undeliverable Mail
Don't send bounce messages – Frequently, the mail never even originated on
your site and you're only adding to the problem
Don't Give Away Address Information
Verify that local domain recipients exist in the Domino Directory:
Pros:
Stops inbound SMTP messages sent with dictionary-style drops and name
guesses from clogging your router
Can make your site less attractive to spammers who get credit for
"delivered" messages – accepted by your server
Cons:
Makes it easy for spammers to test for valid names on your server
Consider using this if you have another tool that can detect multiple
failed attempts from the same source and ban those sources at the
firewall.
Other Message Filtering Considerations
Using Black Lists (aka Real-time Black Hole or RBL)
Many "black lists" exist that you can use
(e.g. bl.spamcop.net; sbl-xbl.spamhaus.org)
Not 100% accurate
Read the list’s website to understand their criteria for listing
Using White Lists (aka "Known Good" addresses)
Most mail you get is from people you've communicated with already
New to version 7 of Lotus Domino, but part of several 3rd party tools for some
time
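The inbound controls from the last few slides (deny relaying, verify local recipients, black and white lists) combined into one per-recipient decision, as an added example that is not from the presentation. Rejecting during the SMTP session means this site never generates a bounce, and the unknown-recipient counter per source addresses the "Cons" above by producing a ban list for the firewall. Local domains, directory entries, the RBL hit, the known-good sender, the ban threshold and the sample session are all constructed.

```python
from collections import Counter

LOCAL_DOMAINS = {"thenorth.example"}                   # from the Global Domain document
DIRECTORY = {"apollack@thenorth.example", "support@thenorth.example"}
RBL_LISTED = {"192.0.2.66"}                            # stand-in for a live RBL lookup
KNOWN_GOOD_SENDERS = {"friend@theplains.example"}      # white list of known-good addresses
BAN_THRESHOLD = 5  # unknown recipients from one source before it goes on the ban list (assumed)

class InboundPolicy:
    def __init__(self):
        self.failures = Counter()   # unknown-recipient attempts per source IP
        self.banned = set()         # sources to hand to the firewall

    def decide(self, source_ip, sender, recipient):
        """Return (verdict, reason) for one RCPT TO in a session from source_ip."""
        if source_ip in self.banned:
            return ("reject", "source banned after repeated unknown recipients")
        # MAIL FROM is easily forged, so the white list only overrides the RBL, not the ban.
        if source_ip in RBL_LISTED and sender.lower() not in KNOWN_GOOD_SENDERS:
            return ("reject", "source listed on RBL")
        domain = recipient.rpartition("@")[2].lower()
        if domain not in LOCAL_DOMAINS:
            # "Deny messages from the following internet hosts to be sent to
            # external internet domains" set to "*": we relay for nobody.
            return ("reject", "relay denied")
        if recipient.lower() not in DIRECTORY:
            self.failures[source_ip] += 1
            if self.failures[source_ip] >= BAN_THRESHOLD:
                self.banned.add(source_ip)
                return ("reject", "recipient unknown; source added to ban list")
            return ("reject", "recipient unknown")
        return ("accept", "local recipient verified")

def run_session(policy, source_ip, sender, recipients):
    """Evaluate every RCPT TO of a constructed session; returns the verdicts."""
    return [policy.decide(source_ip, sender, r)[0] for r in recipients]
```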
Mail Filtering Tools
Third Party Tools
User-Interactive Products like spamJam can be excellent because each user
decides individually what's wanted and what's not
Appliance Solutions can be inexpensive and effective, but less user-specific
Mail Filtering Services are an excellent choice – if privacy concerns are carefully
reviewed
My Recommendations
spamJam – because users really like being able to interact with it
Barracuda – for simplicity and price, this device works very well
POSTINI – A service based approach
Receiving mail for multiple internet domains
The Global Domain Document
Client Side Choices
Signed Mail
Signed mail to Notes users
Your Public Key
Use "Files-Security-User Security" to get it or copy it from your Domino
Directory person document
Signed Mail to Internet users
X.509 Certificates – The modern standard for authentication
Self Certifying
– If you create your own certificate authority, everyone will always have to
decide whether to accept it as trusted
– Excellent alternative for internal company use
Buying Certificates or Certification Rights
Free Certification Network
Importing Your X.509 Certificate
If you obtain a personal x.509 certificate, you can import it into
your person document in the Domino Directory
Open your Person Document
Select "Actions Import Internet Certificates"
Once this is done, you can "sign" mail to be sent to users with
Internet addresses
Verifying Signed Mail
From Notes Users
The Lotus Notes Public Key
You must have their public key in your address book
Verifying Signed Mail from Internet Users
Accepting a Cross Certificate
Do this the first time you get signed mail from a user
Call the user, make sure it's them sending the message
Adding a Sender's Public Key to Your Personal
Address Book
While viewing, use "Tools – Add sender to address book"
Advanced tab, check to add "x.509 certificate…"
Mail Encryption
The Recipient’s Public Key is required
The public key is used to encrypt the message so that it can only be read with the
private key – and only the user has the private key; it's in their Notes ID file (or
another file if they are not a Notes user)
Obtaining a Recipient's Public Key
Notes Mail users in your domain already have it in their "Person" document in
the Domino Directory.
Notes Mail users in other domains must send it to you. They can copy it from
their record in their Domino directory, or use the options in "Files – Security –
User Security" to get it.
Users can also simply send you a "Signed" document, and you can "Cross
Certify" them when you receive the mail. (You'll be prompted.)
Adding a Sender's Public Key to Your Personal
Address Book
While viewing, use "Tools – Add sender to address book"
Advanced tab, check to add "x.509 certificate…"
Accessing Mail with Alternate Clients
POP3 – Post Office Protocol
WIDELY used – cell phones, standard clients – it’s everywhere
Saving mail on the server or deleting it when you pull it down
Ports & Firewalls
IMAP – A bit of a step up from POP3
Supports folders
Gives a consistent feel when moving between a remote client and the Notes client
Less commonly available
We’re all Lotus professionals here, please ask your questions so others can
hear the answers. You may also contact me directly if you like.
Please fill out your evaluations
The latest copy of this presentation will also be available at my website:
http://www.thenorth.com
Questions & Answers!
For those playing the home game, direct questions &
comments to [email protected]
© 2007 All Rights Reserved.
The workshops, sessions and materials have been prepared by IBM or the
session speakers and reflect their own views. They are provided for
informational purposes only, and are neither intended to, nor shall have the
effect of being, legal or other guidance or advice to any participant. While
efforts were made to verify the completeness and accuracy of the
information contained in this presentation, it is provided AS IS without
warranty of any kind, express or implied. Neither IBM nor the speaker shall
be responsible for any damages arising out of the use of, or otherwise
related to, this presentation or any other materials. Nothing contained in
this presentation is intended to, nor shall have the effect of, creating any
warranties or representations from the speaker or from IBM or its suppliers
or licensors, or altering the terms and conditions of the applicable license
agreement governing the use of IBM software.
References in this presentation to IBM products, programs, or services do
not imply that they will be available in all countries in which IBM operates.
Product release dates and/or capabilities referenced in this presentation
may change at any time at IBM’s sole discretion based on market
opportunities or other factors, and are not intended to be a commitment to
future product or feature availability in any way. Nothing contained in
these materials is intended to, nor shall have the effect of, stating or
implying that any activities undertaken by you will result in any specific
sales, revenue growth or other results.