Published on February 4, 2008
HND203 Mail Routing Mastery
Andrew Pollack, Northern Collaborative Technologies

Language Note
I realize that for some of you, English is not your primary language, and for others, my accent is not the same as yours. If you are having trouble understanding me during this talk, please raise your hand and I will try to slow down and speak more clearly. Thank you.

If it makes noise, shut it off!
- Cell phones, pagers, PDAs, FRS radios, PSPs, portable audio players, portable video players, watch alarms, laptop sound settings!
- Anything else you've carried around for the express purpose of using in sessions.
- You may leave on pacemaker low-battery alarms.

The Copyright Screen!
We are required by the excessive use of lawyers to properly mark the first use of these terms in all presentations. Here you go.
IBM ®, the IBM logo, Lotus ®, Lotus Notes ®, Notes, Domino ®, Sametime ®, WebSphere ®, Workplace ® and Lotusphere ® are trademarks of International Business Machines Corporation in the United States, other countries, or both. Java® and all Java-based trademarks are trademarks of Sun Microsystems ®, Inc. in the United States ®, other countries, or both. Microsoft ® and Windows ® are trademarks of Microsoft Corporation ® in the United States ®, other countries ®, or both ®. Intel ®, Intel Centrino ®, Celeron ®, Intel Xeon ®, Intel SpeedStep ®, Itanium ®, and Pentium ® are trademarks or registered trademarks of Intel Corporation ® or its subsidiaries in the United States ® and other countries ®. UNIX ® is a registered trademark of The Open Group in the United States and other countries. Linux ® is a registered trademark of Linus Torvalds ® in the United States ®, other countries, or both. Other company ®, product ®, or service ® names may be trademarks ® or service marks ® of others. ®

Agenda
- Setting Expectations – What will we cover, and how deeply?
- Native Notes Mail Routing
  - Cross Certification & Security
  - Named Networks & Connection Documents
  - Multiple Address Books
- Outbound SMTP Mail Routing
  - DNS Requirements & SPF
  - Using a single SMTP router for your domain
- Inbound SMTP Mail Routing
  - Don't be a relay server
  - Anti-spam choices & techniques
- Client Side Choices
  - Alternate mail clients – IMAP and POP3
  - X.509 – signed and encrypted mail

Setting Expectations
Your time is valuable. If these points do not match your needs for this session, please feel free to move to another session. If you plan to do so, please do it early on so as not to disturb the others.
- Technical level: introductory & intermediate. We're going to go into detail about the configurations and choices you have, but not focus too deeply on specific problems or bugs. Save those for the IBM Developers' lab.
- Slides vs. demo / hands on: there are several points in this two-hour session that we'll walk through together using the laptops; however, not everyone has a laptop and the class is designed to be useful to everyone. As a courtesy, I try to put detail on the slides so that you can use them as reference in the future.

Who am I to tell you these things?
- Andrew Pollack, President of Northern Collaborative Technologies
- Author of NCT Search, NCT Compliance Search, and NCT Simple Signon, and now Second Signal
- IBM Lotus Beacon Award winner
- Administrator & developer since version 2.0
- Firefighter – a Lieutenant on an engine company. In firefighting, just like server administration, it's all in the planning.

Native Lotus Notes Mail: Cross Certification & Security

An Introduction to Certifiers
- Certificates are hierarchical – a certifier can be used to create sub-certifiers (organizational unit certifiers) or users.
- Any certificate can be validated by a server which has a higher-level certificate in common.
- These are all versions of the same name:
  - Common Name: Andrew Pollack
  - Abbreviated Name: Andrew Pollack/Users/TheNorth
  - Hierarchical (canonical) Name: CN=Andrew Pollack/OU=Users/O=TheNorth
- These are all versions of the same name:
  - Common Name: Igloo
  - Abbreviated Name: Igloo/Servers/TheNorth
  - Hierarchical (canonical) Name: CN=Igloo/OU=Servers/O=TheNorth
- Igloo and Andrew Pollack validate each other because:
  - Both have a common certificate called "TheNorth"
  - Both can verify that their certificate from "TheNorth" is identical
  - Both can verify that the common and organizational unit certificates of the other were created using the common certifier "TheNorth"

Cross Certification
- A cross-certificate creates commonality where it otherwise does not exist.
- If these two need to connect: Igloo/Servers/TheNorth and Wigwam/Servers/ThePlains
- Igloo and Wigwam cannot validate each other because they have no common certificate.
- "/Servers" is not a valid certificate in common because each was created using a different root certificate – thus they are not the same.

Native Lotus Notes Mail: Notes Named Networks & Connection Documents

The Notes Named Networks
- Configured on the Server document itself
- Servers on the same Notes Named Network do not require connection
documents for mail routing
- Servers on the same Notes Named Network should be:
  - Always available to each other
  - On low-cost, high-speed network connections with each other
  - Able to find each other using their network names

Notes Mail Routing
- Servers on the same Notes Named Network should be able to find each other "by name" without connection documents – with TCP/IP, this means DNS.
- Servers on the same named network route mail automatically; no connection document is needed.
- This is a "least cost" indicator in Domino's routing cost matrix. Use this to your advantage: set up your named networks to reflect your network's faster and slower links, and put only servers that have excellent connectivity on the same named network.

Connection Documents
- Connection documents tell servers which are not on the same Notes Named Network how to find each other.

Routing Topologies
- Avoid "everyone routes with everyone"
- Map network choke points

Creating a Redundant Hub & Spoke
- Two distinct local area networks or well-connected individual networks
- One high-bandwidth connection between the two clustered hubs
- Reduces traffic across the expensive long-haul network

Outbound SMTP Mail

Using a Single Internet Mail Gateway
- Server documents (all but the server that will route SMTP):
  - Set "SMTP Listener" to Disabled
  - Set "Routing Tasks" to "Mail Routing" – but not "SMTP Mail Routing"
- Create a "Foreign SMTP Domain" domain document:
  - Route *.* to "OurFakeName"
- Create a Connection document:
  - Type: SMTP
  - Source server: the Domino server with SMTP
  - Destination server: MAKE UP a name
  - Destination domain: "OurFakeName"
  - Routing task: SMTP Mail Routing
- This method means you don't even need TCP/IP as a protocol on your other Domino servers, because the routing all happens using Notes RPC protocols to the one server with SMTP capability.
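To make the routing rules on the slides above concrete, here is an added Python model of how a message finds its next hop. It is an illustration written for this page, not code from the presentation or from Domino: it encodes only the rules stated here (same Notes Named Network routes directly; otherwise follow a connection document; an Internet address matches the Foreign SMTP Domain document, which points at the one server holding an SMTP connection document to the made-up domain). The server names, the "OurFakeName" domain, the user home servers and the connection documents are all constructed for the example.

```python
"""Model of Domino next-hop selection for the single-gateway topology.

Added example, not Domino's code. Topology, names and documents are constructed.
"""
from collections import deque

# Constructed Server documents: Notes Named Network (NNN) and enabled routing tasks.
SERVERS = {
    "Igloo/Servers/TheNorth":   {"nnn": "Boston TCPIP", "tasks": {"Mail Routing"}},
    "Tundra/Servers/TheNorth":  {"nnn": "Boston TCPIP", "tasks": {"Mail Routing"}},
    "Yurt/Servers/TheNorth":    {"nnn": "London TCPIP", "tasks": {"Mail Routing"}},
    "Gateway/Servers/TheNorth": {"nnn": "DMZ TCPIP",    "tasks": {"Mail Routing", "SMTP Mail Routing"}},
}

# Constructed Connection documents. The last one is the SMTP document from the slide:
# a made-up destination server and the fake destination domain.
CONNECTIONS = [
    {"source": "Igloo/Servers/TheNorth",   "dest": "Yurt/Servers/TheNorth",    "domain": "TheNorth",    "type": "Notes"},
    {"source": "Yurt/Servers/TheNorth",    "dest": "Igloo/Servers/TheNorth",   "domain": "TheNorth",    "type": "Notes"},
    {"source": "Igloo/Servers/TheNorth",   "dest": "Gateway/Servers/TheNorth", "domain": "TheNorth",    "type": "Notes"},
    {"source": "Gateway/Servers/TheNorth", "dest": "Igloo/Servers/TheNorth",   "domain": "TheNorth",    "type": "Notes"},
    {"source": "Gateway/Servers/TheNorth", "dest": "InternetHop",              "domain": "OurFakeName", "type": "SMTP"},
]

# Foreign SMTP Domain document: every Internet domain (*.*) routes to the fake domain.
FOREIGN_SMTP_DOMAINS = {"*.*": "OurFakeName"}
NOTES_DOMAIN = "TheNorth"

# Constructed mail users and their home (mail) servers.
USERS = {
    "Andrew Pollack/Users/TheNorth": "Igloo/Servers/TheNorth",
    "Jane Doe/Users/TheNorth":       "Yurt/Servers/TheNorth",
}


def neighbours(server):
    """Servers this one reaches directly: same NNN, or a Notes connection document it owns."""
    nnn = SERVERS[server]["nnn"]
    direct = {s for s, doc in SERVERS.items() if s != server and doc["nnn"] == nnn}
    direct |= {c["dest"] for c in CONNECTIONS if c["source"] == server and c["type"] == "Notes"}
    return direct


def path_to(start, target):
    """Breadth-first search over the routing graph; returns the list of hops or None."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur == target:
            hops = []
            while cur is not None:
                hops.append(cur)
                cur = prev[cur]
            return hops[::-1]
        for nxt in neighbours(cur):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None


def smtp_gateway_for(internet_domain):
    """Foreign SMTP Domain document -> fake domain -> server owning the SMTP connection document."""
    for pattern, fake_domain in FOREIGN_SMTP_DOMAINS.items():
        if pattern == "*.*" or pattern.lower() == internet_domain.lower():
            for c in CONNECTIONS:
                if c["type"] == "SMTP" and c["domain"] == fake_domain:
                    return c["source"]
    return None


def route(start, recipient):
    """Hops a message takes from `start`; an Internet address ends in an 'SMTP:<domain>' hop."""
    if "@" in recipient and not recipient.endswith("@" + NOTES_DOMAIN):
        domain = recipient.split("@", 1)[1]
        if "SMTP Mail Routing" in SERVERS[start]["tasks"]:
            return [start, "SMTP:" + domain]          # the gateway sends directly
        gateway = smtp_gateway_for(domain)
        if gateway is None:
            return None                               # no Foreign SMTP Domain / connection document
        hops = path_to(start, gateway)
        return hops + ["SMTP:" + domain] if hops else None
    home = USERS.get(recipient.split("@", 1)[0])
    return path_to(start, home) if home else None


if __name__ == "__main__":
    print(route("Tundra/Servers/TheNorth", "someone@example.com"))
    print(route("Yurt/Servers/TheNorth", "Andrew Pollack/Users/TheNorth@TheNorth"))
```

Note the two things the model makes visible: Tundra has no SMTP task and no connection to the gateway, yet its Internet mail still gets out, because the same-NNN hop to Igloo and Igloo's connection document supply the path; and a server that does carry the SMTP Mail Routing task never consults the fake domain at all. If every server were left with SMTP Mail Routing enabled, the single-gateway design would silently stop applying.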
Single Internet Mail Gateway – What Really Happens?
- All the servers where SMTP Mail Routing is not a task look for a route to send the mail.
- These servers see that *.* goes to the domain "OurFakeName". That's the Foreign SMTP Domain document's job.
- The router task on those servers sees that one Domino server has a connection to the "OurFakeName" domain, so they route the messages to that server. That's the connection document's job.
- The server on which SMTP Mail Routing is enabled receives the mail in its MAIL.BOX and knows how to send SMTP mail directly, so it does.

Internet Mail Routing – Turning off SMTP inside the Network
- If you turn off the SMTP inbound listener, local Windows clients which have been infected with a virus, worm, Trojan horse, or spyware application cannot send mail through your servers. This also eliminates accidental or deliberate use of your internal servers for spam routing.
- Even if you require password authentication for SMTP mail sending, password guessing is now quite common.
- If you disable SMTP outbound on your servers, it will force the mail to route through your single gateway. In many cases this is a more secure method and provides greater traffic control on your network.

DNS Requirements & SPF
- MX records & your server's IP address
- Creating SPF records
- Validating DNS & SPF configurations
- Ports & firewalls: SMTP port 25!
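The single-gateway design is exactly what makes a tight SPF record possible: only one host ever sends your domain's mail, so the record can name it and fail everything else. The slide lists the DNS pieces without showing them, so here is an added Python example (not from the presentation) that puts a constructed zone for such a domain next to a small offline SPF evaluator and checks it. The zone, the domain names and the addresses (RFC 5737 documentation ranges) are all constructed; a real validator would query DNS instead of the dictionary, and only the mechanisms a simple gateway record uses (ip4, ip6, a, mx, include, all) are implemented.

```python
"""Offline SPF and MX check for a single-gateway domain. Added example; constructed zone."""
import ipaddress

# Constructed DNS answers, keyed by (owner name, record type).
ZONE = {
    ("thenorth.example", "MX"):     [(10, "mail.thenorth.example")],
    ("thenorth.example", "TXT"):    ["v=spf1 mx ip4:203.0.113.10 -all"],
    ("mail.thenorth.example", "A"): ["203.0.113.10"],
    # A partner domain that authorises our gateway to send on its behalf.
    ("partner.example", "TXT"):     ["v=spf1 include:thenorth.example ~all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query against the constructed zone."""
    return ZONE.get((name.lower(), rtype), [])


def spf_record(domain):
    """The domain's SPF TXT record, or None if it publishes none."""
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def mechanism_matches(mech, domain, ip, depth):
    """Does one mechanism (qualifier already stripped) match the connecting IP?"""
    name, _, arg = mech.partition(":")
    name = name.lower()
    if name == "all":
        return True
    if name in ("ip4", "ip6"):
        # A bare address such as ip4:203.0.113.10 becomes a /32; a v4 IP is never inside a v6 net.
        return ip in ipaddress.ip_network(arg, strict=False)
    if name == "a":
        return any(ip == ipaddress.ip_address(a) for a in lookup(arg or domain, "A"))
    if name == "mx":
        hosts = [host for _, host in lookup(arg or domain, "MX")]
        return any(ip == ipaddress.ip_address(a) for host in hosts for a in lookup(host, "A"))
    if name == "include":
        return check_spf(str(ip), arg, depth + 1) == "pass"
    raise ValueError("unsupported mechanism: " + mech)


def check_spf(sender_ip, domain, depth=0):
    """Evaluate SPF for the MAIL FROM domain: pass/fail/softfail/neutral/none/permerror."""
    if depth > 10:
        return "permerror"                 # RFC 7208 caps include recursion
    ip = ipaddress.ip_address(sender_ip)
    record = spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:        # skip the v=spf1 version tag
        if "=" in term:
            continue                       # modifiers (redirect=, exp=) are not handled here
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mechanism_matches(mech, domain, ip, depth):
            return QUALIFIERS[qualifier]
    return "neutral"                       # nothing matched and no 'all' term


def mx_targets(domain):
    """Where the world will deliver: each MX host and the addresses it resolves to.

    These are the hosts whose port 25 must be reachable through the firewall."""
    return {host: lookup(host, "A") for _, host in sorted(lookup(domain, "MX"))}


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7"):
        print(ip, check_spf(ip, "thenorth.example"), check_spf(ip, "partner.example"))
    print(mx_targets("thenorth.example"))
```

The gateway address passes, any other address (including an internal Domino server that still had SMTP enabled) fails hard, and the partner domain inherits the same authorisation through `include:`. The `mx_targets` function is the check to run alongside the SPF one: the MX host must resolve to the address you actually listen on, and that address is the one that needs port 25 opened.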
Inbound SMTP Mail

Managing Unwanted Mail – Don't be a Relay
- In the Configuration document for your server – not the Server document – on the "Router/SMTP: Restrictions and Controls: SMTP Inbound Controls" tab:
  - "Deny messages from the following internet hosts to be sent to external internet domains (* means all)" – set to "*". This is the default on all recent Domino versions.
- Hold undeliverable mail.
- Don't send bounce messages – frequently, the mail never even originated on your site and you're only adding to the problem (backscatter).

Don't Give Away Address Information
- "Verify that local domain recipients exist in the Domino Directory":
  - Pros: stops inbound SMTP messages sent with dictionary-style drops and name guesses from clogging your router. Can make your site less attractive to spammers, who get credit for "delivered" messages accepted by your server.
  - Cons: makes it easy for spammers to test for valid names on your server.
  - Consider using this if you have another tool that can detect multiple failed attempts from the same source and ban those sources at the firewall.

Other Message Filtering Considerations
- Using black lists (aka real-time black hole lists, RBL/DNSBL)
  - Many black lists exist that you can use (e.g.
bl.spamcop.net; sbl-xbl.spamhaus.org)
  - Not 100% accurate
  - Read the list's website to understand their criteria for listing
- Using white lists (aka "known good" addresses)
  - Most mail you get is from people you've communicated with already
  - New to version 7 of Lotus Domino, but part of several third-party tools for some time

Mail Filtering Tools
- Third-party tools:
  - User-interactive products like spamJam can be excellent because each user decides individually what's wanted and what's not
  - Appliance solutions can be inexpensive and effective, but less user-specific
  - Mail filtering services are an excellent choice – if privacy concerns are carefully reviewed
- My recommendations:
  - spamJam – because users really like being able to interact with it
  - Barracuda – for simplicity and price, this device works very well
  - POSTINI – a service-based approach

Receiving Mail for Multiple Internet Domains
- The Global Domain document

Client Side Choices

Signed Mail
- Signed mail to Notes users:
  - Your public key: use "File – Security – User Security" to get it, or copy it from your Person document in the Domino Directory
- Signed mail to Internet users:
  - X.509 certificates – the modern standard for authentication
  - Self-certifying – if you create your own certificate authority, everyone will always have to decide whether to accept it as trusted. An excellent alternative for internal company use.
  - Buying certificates or certification rights
  - Free certification network

Importing Your X.509 Certificate
- If you obtain a personal X.509 certificate, you can import it into your Person document in the Domino Directory
- Open your Person document
- Select "Actions – Import Internet Certificates"
- Once this is done, you can sign mail to be sent to users with Internet addresses

Verifying Signed Mail
- From Notes users: the Lotus Notes public key – you must have their public key in your address book
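Returning to the inbound controls on the "Managing Unwanted Mail", "Don't Give Away Address Information" and "Other Message Filtering Considerations" slides above: the four decisions they describe all happen at the same moment, when the remote server issues RCPT TO. The following added Python model (written for this page; not code from the presentation or from Domino) shows them in one place and in a defensible order: refuse to relay for foreign domains, let known-good senders bypass the black list, look the source up in a DNSBL by its reversed octets, then verify the recipient exists and ban a source that keeps guessing names, which is the tool the "Cons" bullet asks for. All addresses, the directory, the whitelist and the list data are constructed; "bl.example" stands in for a real list such as bl.spamcop.net.

```python
"""Inbound SMTP policy as a per-RCPT decision. Added example; all data constructed."""
import ipaddress
from collections import defaultdict

LOCAL_DOMAINS = {"thenorth.example"}                                   # domains we accept mail for
DIRECTORY = {"apollack@thenorth.example", "helpdesk@thenorth.example"}  # constructed Domino Directory
WHITELIST = {"friend@partner.example"}                                 # known-good correspondents
MAX_UNKNOWN_RCPTS = 3           # unknown recipients from one source before it is banned
DNSBL_ZONE = "bl.example"       # constructed list zone
DNSBL_LISTED = {"7.100.51.198.bl.example"}   # i.e. 198.51.100.7 is listed


def dnsbl_name(ip, zone):
    """Query name for an IPv4 DNSBL lookup: the octets reversed, under the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


class InboundPolicy:
    def __init__(self):
        self.unknown_rcpt_count = defaultdict(int)   # per-source count of bad recipients
        self.banned = set()                          # sources handed to the firewall

    def is_listed(self, ip):
        # Stand-in for a DNS A query; a real list answers 127.0.0.x for listed hosts.
        return dnsbl_name(ip, DNSBL_ZONE) in DNSBL_LISTED

    def rcpt_to(self, source_ip, mail_from, rcpt):
        """Decide one RCPT TO from `source_ip`. Returns (accepted, reason)."""
        if source_ip in self.banned:
            return False, "source banned after repeated unknown recipients"
        domain = rcpt.rpartition("@")[2].lower()
        # Don't be a relay: an outside host may only deliver to our own domains.
        if domain not in LOCAL_DOMAINS:
            return False, "relay denied"
        # Known-good senders bypass the black list; everyone else is checked against it.
        if mail_from.lower() not in WHITELIST and self.is_listed(source_ip):
            return False, "source listed in " + DNSBL_ZONE
        # Verify that local recipients exist, and count misses so name-guessers get banned.
        if rcpt.lower() not in DIRECTORY:
            self.unknown_rcpt_count[source_ip] += 1
            if self.unknown_rcpt_count[source_ip] >= MAX_UNKNOWN_RCPTS:
                self.banned.add(source_ip)
            return False, "no such recipient"
        return True, "accepted"


def run_session(policy, source_ip, mail_from, rcpts):
    """Apply the policy to every RCPT TO of one SMTP session, in order."""
    return [policy.rcpt_to(source_ip, mail_from, rcpt) for rcpt in rcpts]


if __name__ == "__main__":
    policy = InboundPolicy()
    guesses = ["aaron@thenorth.example", "abby@thenorth.example",
               "abe@thenorth.example", "apollack@thenorth.example"]
    for decision in run_session(policy, "192.0.2.9", "x@y.example", guesses):
        print(decision)
```

Two points are worth carrying back to the Domino configuration. Because every refusal happens before DATA, nothing is ever queued and there is nothing to bounce, which is why recipient verification and "don't send bounce messages" belong together. And the fourth recipient in the guessing session is a real user, yet the session is already banned: the ban costs you one legitimate delivery attempt from a hostile source, which is the trade the "Consider using this if..." bullet is asking you to make deliberately.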
Verifying Signed Mail from Internet Users
- Accepting a cross certificate: do this the first time you get signed mail from a user
- Call the user; make sure it's them sending the message

Adding a Sender's Public Key to Your Personal Address Book
- While viewing the message, use "Tools – Add Sender to Address Book"
- On the Advanced tab, check to add the "X.509 certificate…"

Mail Encryption
- The recipient's public key is required
- The public key is used to encrypt the message so that it can only be read with the matching private key – and only the user has the private key; it's in their Notes ID file (or another file, for a non-Notes user)

Obtaining a Recipient's Public Key
- Notes Mail users in your domain already have it in their Person document in the Domino Directory.
- Notes Mail users in other domains must send it to you. They can copy it from their record in their Domino Directory, or use the options in "File – Security – User Security" to get it.
- Users can also simply send you a signed document, and you can cross certify them when you receive the mail. (You'll be prompted.)

Adding a Sender's Public Key to Your Personal Address Book
- While viewing the message, use "Tools – Add Sender to Address Book"
- On the Advanced tab, check to add the "X.509 certificate…"

Accessing Mail with Alternate Clients
- POP3 – Post Office Protocol
  - WIDELY used – cell phones, standard clients – it's everywhere
  - Saving mail on the server, or deleting it when you pull it down
  - Ports & firewalls
- IMAP – a bit of a step up from POP3
  - Supports folders
  - Gives a consistent feel between the remote client and the Notes client
  - Less commonly available

Questions & Answers!
- For those playing the home game, direct questions & comments to [email protected]
- We're all Lotus professionals here; please ask your questions so others can hear the answers.
- You may also contact me directly if you like.
- Please fill out your evaluations.
- The latest copy of this presentation will also be available at my website: http://www.thenorth.com

© 2007 All Rights Reserved.
The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for informational purposes only, and are neither intended to, nor shall have the effect of being, legal or other guidance or advice to any participant. While efforts were made to verify the completeness and accuracy of the information contained in this presentation, it is provided AS IS without warranty of any kind, express or implied. Neither IBM nor the speaker shall be responsible for any damages arising out of the use of, or otherwise related to, this presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of, creating any warranties or representations from the speaker or from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.