Domino 8.5.2 Adding Email Aliases

People often need to receive email at several valid variations of their address. On most email systems these are called email aliases. IBM Domino has a slightly unusual way of letting system administrators define them:

  • Open the Domino Administrator Tool
  • On the People & Groups tab, select People
  • Edit the Person document of the person you would like to add an email alias to
  • Add the alternative email addresses to the Short name/UserID field, each on its own line below the existing short name, like this:

    UserID
    [email protected]
    [email protected]
  • Save and close the Person document
  • Navigate to the Server tab
  • Open the server console
  • To make the router pick up the change without a restart, enter the console command: TELL ROUTER UPDATE CONFIG

Domino 8.5 SSL Key Import Into Keyring File

Domino Server SSL Key Import

By default, the SSL certificate request process in the Domino Administrator assumes a single-domain certificate. When you have a multi-domain (UCC/SAN) or wildcard certificate, it therefore has to be loaded into the keyring (the .kyr file) outside of the Domino Administrator.

The basic overview of the process is this:

  • Create a kyr (keyring) file to hold the keys.
  • Create a p12 (PKCS#12) file with the certificate that needs to be added to the keyring.
  • Add the p12 (PKCS#12) file to the keyring.
  • Install the new keyring on the Domino servers (mail, Traveler, Sametime, Quickr)

Domino Server PKCS#12 key generation and import

Create PKCS#12 from SSL KEY and CRT files

For this step, use a Linux or AIX host with OpenSSL installed. Assuming that the private key, the CA-issued certificate and the CA chain are all in the same directory, run the following command to generate the p12 file. It prompts for an export passphrase; set one, because the .p12 contains the private key, and keep the file readable only by you until it has been imported:

openssl pkcs12 -export \
-in certificate-from-CA.crt \
-inkey certificate-key-file.key \
-certfile root-ca-bundle.crt \
-out certificate-in-pkcs12-format.p12
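As an added example (not part of the original page), the full round trip in shell: it creates throwaway test material standing in for the real key, certificate and chain, checks that the private key matches the certificate and that the SAN covers the wildcard name, exports the p12 with a passphrase and a private file mode, and counts what ended up in the bundle. The work directory, the passphrase, the *.example.com names and the throwaway CA are all assumptions; OpenSSL must be on the PATH.

```shell
#!/bin/sh
# Added example (not from the original page): build the PKCS#12 bundle for
# a wildcard certificate and check it before it goes near a Domino keyring.
# Assumptions: OpenSSL on PATH; all file names, the *.example.com names and
# the throwaway CA are constructed test material.
set -eu

WORK="${WORK:-$(mktemp -d)}"
P12_PASS="${P12_PASS:-changeit}"   # assumed passphrase; use a real one in production

# Constructed stand-ins for the real CA-issued certificate, its key and the
# CA chain: a throwaway root CA signs a wildcard server certificate.
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Test Root CA" \
        -keyout "$WORK/root-ca.key" -out "$WORK/root-ca-bundle.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=*.example.com" \
        -keyout "$WORK/certificate-key-file.key" -out "$WORK/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:*.example.com,DNS:example.com\n' > "$WORK/san.cnf"
    openssl x509 -req -in "$WORK/server.csr" -days 2 \
        -CA "$WORK/root-ca-bundle.crt" -CAkey "$WORK/root-ca.key" -CAcreateserial \
        -extfile "$WORK/san.cnf" -out "$WORK/certificate-from-CA.crt" 2>/dev/null
}

# Check 1: the private key really belongs to the certificate (a mismatch is
# the most common reason an imported keyring refuses to serve TLS).
# Compares the public half of the key with the public key in the cert.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    crt_pub=$(openssl x509 -in "$2" -pubkey -noout | openssl sha256)
    [ "$key_pub" = "$crt_pub" ]
}

# Check 2: the certificate actually lists the name you will serve
# (a wildcard or UCC certificate only helps if the SAN covers it).
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -qF -- "DNS:$2"
}

# The export step from the page, with the bundle passphrase supplied
# non-interactively and the file created mode 0600 (it holds the key).
export_p12() {
    umask 077
    openssl pkcs12 -export \
        -in "$WORK/certificate-from-CA.crt" \
        -inkey "$WORK/certificate-key-file.key" \
        -certfile "$WORK/root-ca-bundle.crt" \
        -passout "pass:$P12_PASS" \
        -out "$WORK/certificate-in-pkcs12-format.p12"
}

# Check 3: how many certificates the bundle carries (server cert + chain).
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

make_test_material
key_matches_cert "$WORK/certificate-key-file.key" "$WORK/certificate-from-CA.crt" \
    && echo "key matches certificate"
cert_has_san "$WORK/certificate-from-CA.crt" '*.example.com' \
    && echo "SAN covers *.example.com"
export_p12
echo "bundle holds $(p12_cert_count "$WORK/certificate-in-pkcs12-format.p12") certificates"
```

One caveat for the import step that follows: OpenSSL 3 encrypts the bundle with AES and PBKDF2 by default, while the old GSKit/IKEYMAN tools only understand the legacy RC2/3DES PKCS#12 encodings, so if the import refuses the file, re-run the export with -legacy (which needs the legacy provider loaded).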

Add PKCS#12 to Domino Server Kyr Keyring File

For this step, use the Sametime server under Linux or AIX. In theory this should work, but in practice I found that version 7 of the GSKit tools does not seem to be able to open kyr files, so you may need to skip ahead to the legacy Windows XP method unless you can find the gsk5bas package on one of your older install media.

rpm -Uvh ${SAMETIME_CD_PATH}/SametimeEntryServer/GSKit/Linux/gsk7bas-7.0-4.28.i386.rpm
vi /opt/ibm/lotus/notes/latest/linux/ibm-jre/jre/lib/security/java.security

Add the last provider (IBMCMSProvider) to the list:

security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.security.sasl.IBMSASL
security.provider.6=com.ibm.spi.IBMCMSProvider

Remove the conflicting jar file:

mv /opt/ibm/lotus/notes/latest/linux/ibm-jre/jre/lib/ext/gskikm.jar /opt/ibm/lotus/notes/latest/linux/ibm-jre/jre/lib/ext/gskikm.removedjar-

Set the environment:

JAVA_HOME=/opt/ibm/lotus/notes/latest/linux/ibm-jre/jre; export JAVA_HOME

Domino Server Required Utilities for SSL Key Import (legacy Windows XP method)

  • Download and install IKEYMAN.
  • Open the kyr file in gsk5.
  • Import the p12 cert.
  • Save the new kyr file.

Domino Server SSL Key Management References

  • http://www.redbooks.ibm.com/redpapers/pdfs/redp0046.pdf
  • http://www.turtleweb.com/turtleblog.nsf/dx/11022009232215GDAVGR.htm?opendocument&comments
  • http://www.deadspace.de/?p=294
  • ftp://ftp.software.ibm.com/software/webserver/appserv/library/v61/ihs/GSK7c_SSL_Ikm_Guide.pdf
  • https://support.quovadisglobal.com/KB/a93/how-do-i-install-my-digital-certificate-into-lotus-notes.aspx
  • http://replay.waybackmachine.org/20081121002554/http://www.justinclarke.com/archives/2005/08/sending_smime_e.html
  • http://www.eulerhermes.com/en/documents/secure-email/ehcica_howto_import_lotus_notes_en.pdf/ehcica_howto_import_lotus_notes_en.pdf
  • http://publib.boulder.ibm.com/infocenter/sametime/v8r0/index.jsp?topic=/com.ibm.help.sametime.802.doc/Entry/st_adm_security_ssl_ikey_lin_t.html



Advice in the Wake of Security Breaches

By Mark Nyquist ‐ Information Systems Director, Epicor HCM

In the wake of the recent security breaches (see links below), I'd like to take just a quick moment to remind everyone that extra vigilance and scrutiny are becoming vital for the security of work and home environments.

I'm sure that many of you have already received notices from retailers you might be associated with (Target, USBank, BestBuy, etc.) stating that their email database for marketing newsletters was breached. The fallout of this is still being explored, but rest assured that it will lead to very targeted 'spear phishing' attacks in the very near future. If your name and email address were disclosed in this breach, you'll most likely start to receive emails that look very much like the newsletters you are used to seeing, with proper logos, graphics, content, personalization to your name, etc., but with links that may go to scam sites. Be extremely cautious when emails ask you to 'change your password', 'update your credit card information', etc. When in doubt, look up the customer service number for the retailer and contact them directly, asking whether the email is legitimate or whether you might be able to perform the requested action over the phone.

In a very real example of the damage targeted attacks such as this can cause, look no further than the recent compromise of the RSA security company. Several users at RSA received a targeted email containing an Excel spreadsheet labeled '2011 Recruitment Plan'. Even though their junk filter caught the email, one user still pulled it out of junk and opened it. The spreadsheet had an embedded Flash object which executed a zero-day exploit (meaning their antivirus program did not yet have a defense for this). The trojan then installed remote control software and the rest was history. Here's where the story should hit home, though: the attackers were then able to leverage this foothold to steal the master encryption key for millions of two-factor security fobs. There are some government agencies that relied (note the past tense) on these for securing top secret data. The brand reputation of this company has now plummeted and security conscious customers are flocking to other solutions. The harm this one person caused will have major ramifications for the financial future of an entire company.

Takeaway

  • Only open email attachments from trusted people, and only when the content seems relevant. When in doubt, call the sender and ask for confirmation.
  • When possible, don't click on links in emails. Instead, use your own bookmarks to trusted places and navigate to the destination. If this is not possible, scrutinize links (right click, copy, paste into Notepad) to make sure they go to legitimate places.
  • Educate family and friends on the dangers that will certainly escalate in the near future.

Epsilon Breach

http://www.wsj.com/articles/SB10001424052748703806304576240992886577106


Alt Ten Selects NewPush to Host Its Ground Breaking Social Business Software

Social Business Software powered by NewPush

Alt Ten, a Littleton, Colorado based Social Business Software startup, has selected NewPush to run its groundbreaking software, TurboStack.

TurboStack aims at filling the gap between traditional Email, CRM, ERP and other productivity tools and the power of Social Media.

NewPush has the infrastructure and know-how to scale applications such as TurboStack while maintaining the reliability and security of user data.

By offering IBM Lotus Connections, and now TurboStack, NewPush is positioning itself as a strong player in Social Business Software for both the enterprise and small and medium-sized businesses.


How to find the full email headers (a.k.a. internet headers) in Outlook?

To report spam, viruses, or any other problem with email, the system administrators need the full email headers. In Netscape or Mozilla Thunderbird these are easy to find: view the raw message source, or select the full headers option in the View menu. In Outlook 2003 it is a little harder; follow these steps:

  • Click on the header of the email you need to work with
  • Right-click on the same header
  • Select Options...

You will then see the information you need under Internet Headers.


How to validate emails using PHP

A complete and thorough PHP email validation and verification class (Email Validation, by Manuel Lemos) can be found at PHPClasses.org. Its description:

<<This is a PHP class that attempts to validate a given e-mail address at three levels: matching the address against a RFC compliant regular expression, verifying the existence of the destination SMTP server by verifying the respective DNS MX record, and connecting to that server to see if the given address is accepted as a valid recipient. The class also features a debugging output option that lets you see the remote SMTP server connection and data exchange dialog to see the real cause why an apparently valid address may not be accepting messages>>

Keep in mind what the third level does: the web server opens an SMTP connection to whatever mail exchanger the submitted address resolves to, so rate-limit it and do not expose it to unauthenticated users, and treat the result as a hint rather than proof, since catch-all domains accept any recipient and many mail servers defer or refuse such probes. Here is the code for the class:

<?php
/*
 * email_validation.php
 *
 * @(#) $Header: /home/mlemos/cvsroot/emailvalidation/email_validation.php,v 1.24 2008/12/28 07:29:35 mlemos Exp $
 *
 */

class email_validation_class
{
    /* Regular expression an address must match before any network check. */
    var $email_regular_expression="^([-!#$%&'*+./0-9=?A-Z^_`a-z{|}~])+@([-!#$%&'*+/0-9=?A-Z^_`a-z{|}~]+\.)+[a-zA-Z]{2,6}$";
    /* Connection timeout in seconds (0 = system default). */
    var $timeout=0;
    /* Timeout for data exchanged with the server (0 = same as $timeout). */
    var $data_timeout=0;
    /* Host name and user announced in HELO and MAIL FROM. */
    var $localhost="";
    var $localuser="";
    /* Set to 1 to echo the SMTP dialog; html_debug formats it for a page. */
    var $debug=0;
    var $html_debug=0;
    /* Address a wildcard local DNS returns for unknown names (see the test script). */
    var $exclude_address="";
    /* Name of the MX lookup function, replaceable on platforms without getmxrr(). */
    var $getmxrr="GetMXRR";

    var $next_token="";
    var $preg;
    var $last_code="";

    /* Split $string at the first of the characters in $separator; a call
       with an empty $string continues from where the previous one stopped. */
    Function Tokenize($string,$separator="")
    {
        if(!strcmp($separator,""))
        {
            $separator=$string;
            $string=$this->next_token;
        }
        for($character=0;$character<strlen($separator);$character++)
        {
            if(GetType($position=strpos($string,$separator[$character]))=="integer")
                $found=(IsSet($found) ? min($found,$position) : $position);
        }
        if(IsSet($found))
        {
            $this->next_token=substr($string,$found+1);
            return(substr($string,0,$found));
        }
        else
        {
            $this->next_token="";
            return($string);
        }
    }

    Function OutputDebug($message)
    {
        $message.="\n";
        if($this->html_debug)
            $message=str_replace("\n","<br />\n",HtmlEntities($message));
        echo $message;
        flush();
    }

    /* Read one CRLF-terminated SMTP line; returns 0 at end of stream. */
    Function GetLine($connection)
    {
        for($line="";;)
        {
            if(@feof($connection))
                return(0);
            $line.=@fgets($connection,100);
            $length=strlen($line);
            if($length>=2
            && substr($line,$length-2,2)=="\r\n")
            {
                $line=substr($line,0,$length-2);
                if($this->debug)
                    $this->OutputDebug("S $line");
                return($line);
            }
        }
    }

    Function PutLine($connection,$line)
    {
        if($this->debug)
            $this->OutputDebug("C $line");
        return(@fputs($connection,"$line\r\n"));
    }

    /* Level 1: syntax check against the regular expression. */
    Function ValidateEmailAddress($email)
    {
        if(!IsSet($this->preg))
            $this->preg="/".str_replace("/","\\/",$this->email_regular_expression)."/";
        return(preg_match($this->preg,$email));
    }

    /* Level 2: resolve the MX hosts (or, failing that, the A record) of the domain. */
    Function ValidateEmailHost($email,&$hosts)
    {
        if(!$this->ValidateEmailAddress($email))
            return(0);
        $user=$this->Tokenize($email,"@");
        $domain=$this->Tokenize("");
        $hosts=$weights=array();
        $getmxrr=$this->getmxrr;
        if(function_exists($getmxrr)
        && $getmxrr($domain,$hosts,$weights))
        {
            /* Try the exchangers in order of preference; hosts that share
               a preference value are all kept. */
            array_multisort($weights,SORT_ASC,SORT_NUMERIC,$hosts);
        }
        else
        {
            if(strcmp($ip=@gethostbyname($domain),$domain)
            && (strlen($this->exclude_address)==0
            || strcmp(@gethostbyname($this->exclude_address),$ip)))
                $hosts[]=$domain;
        }
        return(count($hosts)!=0);
    }

    /* Read a (possibly multi-line) reply: 1 if its code is $code, 0 if it is
       another code, -1 if the connection dropped. */
    Function VerifyResultLines($connection,$code)
    {
        while(($line=$this->GetLine($connection)))
        {
            $this->last_code=$this->Tokenize($line," -");
            if(strcmp($this->last_code,$code))
                return(0);
            if(!strcmp(substr($line,strlen($this->last_code),1)," "))
                return(1);
        }
        return(-1);
    }

    /* Level 3: ask each mail exchanger whether it accepts the recipient.
       Returns 1 (accepted), 0 (rejected) or -1 (could not determine). */
    Function ValidateEmailBox($email)
    {
        if(!$this->ValidateEmailHost($email,$hosts))
            return(0);
        if(!strcmp($localhost=$this->localhost,"")
        && !strcmp($localhost=getenv("SERVER_NAME"),"")
        && !strcmp($localhost=getenv("HOST"),""))
            $localhost="localhost";
        if(!strcmp($localuser=$this->localuser,"")
        && !strcmp($localuser=getenv("USERNAME"),"")
        && !strcmp($localuser=getenv("USER"),""))
            $localuser="root";
        for($host=0;$host<count($hosts);$host++)
        {
            $domain=$hosts[$host];
            if(preg_match('/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/',$domain))
                $ip=$domain;
            else
            {
                if($this->debug)
                    $this->OutputDebug("Resolving host name \"".$hosts[$host]."\"...");
                if(!strcmp($ip=@gethostbyname($domain),$domain))
                {
                    if($this->debug)
                        $this->OutputDebug("Could not resolve host name \"".$hosts[$host]."\".");
                    continue;
                }
            }
            if(strlen($this->exclude_address)
            && !strcmp(@gethostbyname($this->exclude_address),$ip))
            {
                if($this->debug)
                    $this->OutputDebug("Host address of \"".$hosts[$host]."\" is the exclude address");
                continue;
            }
            if($this->debug)
                $this->OutputDebug("Connecting to host address \"".$ip."\"...");
            if(($connection=($this->timeout ? @fsockopen($ip,25,$errno,$error,$this->timeout) : @fsockopen($ip,25))))
            {
                $timeout=($this->data_timeout ? $this->data_timeout : $this->timeout);
                if($timeout)
                    stream_set_timeout($connection,$timeout,0);
                if($this->debug)
                    $this->OutputDebug("Connected.");
                if($this->VerifyResultLines($connection,"220")>0
                && $this->PutLine($connection,"HELO $localhost")
                && $this->VerifyResultLines($connection,"250")>0
                && $this->PutLine($connection,"MAIL FROM: <$localuser@$localhost>")
                && $this->VerifyResultLines($connection,"250")>0
                && $this->PutLine($connection,"RCPT TO: <$email>")
                && ($result=$this->VerifyResultLines($connection,"250"))>=0)
                {
                    if($result)
                    {
                        if($this->PutLine($connection,"DATA"))
                            $result=($this->VerifyResultLines($connection,"354")!=0);
                    }
                    else
                    {
                        /* A 4xx reply is a temporary refusal, not proof
                           that the mailbox does not exist. */
                        if(strlen($this->last_code)
                        && !strcmp($this->last_code[0],"4"))
                            $result=-1;
                    }
                    if($this->debug)
                        $this->OutputDebug("This host states that the address is ".($result ? ($result>0 ? "valid" : "undetermined") : "not valid").".");
                    @fclose($connection);
                    if($this->debug)
                        $this->OutputDebug("Disconnected.");
                    return($result);
                }
                if($this->debug)
                    $this->OutputDebug("Unable to validate the address with this host.");
                @fclose($connection);
                if($this->debug)
                    $this->OutputDebug("Disconnected.");
            }
            else
            {
                if($this->debug)
                    $this->OutputDebug("Failed.");
            }
        }
        return(-1);
    }
}

Here is the test script that exercises the class:

<?php
/*
 * test_email_validation.html
 *
 * @(#) $Header: /home/mlemos/cvsroot/emailvalidation/test_email_validation.php,v 1.11 2003/12/12 15:25:52 mlemos Exp $
 *
 */

?><HTML>
<HEAD>
<TITLE>Test for Manuel Lemos's PHP E-mail validation class</TITLE>
</HEAD>
<BODY>
<H1><CENTER>Test for Manuel Lemos's PHP E-mail validation class</CENTER></H1>
<HR>
<?php
require("email_validation.php");

$validator=new email_validation_class;

/*
 * If you are running under Windows or any other platform that does not
 * have the MX resolution function GetMXRR() enabled, you need to
 * include code that emulates that function so the class knows which
 * SMTP server it should connect to verify if the specified address is
 * valid.
 */
if(!function_exists("GetMXRR"))
{
    /*
     * If possible specify in this array the address of at least one local
     * DNS that may be queried from your network.
     */
    $_NAMESERVERS=array();
    include("getmxrr.php");
}
/*
 * If GetMXRR function is available but it is not functional, you may
 * use a replacement function.
 */
/*
else
{
    $_NAMESERVERS=array();
    if(count($_NAMESERVERS)==0)
        Unset($_NAMESERVERS);
    include("rrcompat.php");
    $validator->getmxrr="_getmxrr";
}
*/

/* how many seconds to wait for each attempt to connect to the
   destination e-mail server */
$validator->timeout=10;

/* how many seconds to wait for data exchanged with the server.
   set to a non zero value if the data timeout will be different
   than the connection timeout. */
$validator->data_timeout=0;

/* user part of the e-mail address of the sending user
   (info@phpclasses.org in this example) */
$validator->localuser="info";

/* domain part of the e-mail address of the sending user */
$validator->localhost="phpclasses.org";

/* Set to 1 if you want the output of the dialog with the
   destination mail server */
$validator->debug=1;

/* Set to 1 if you want the debug output to be formatted to be
   displayed properly in a HTML page. */
$validator->html_debug=1;

/* When it is not possible to resolve the e-mail address of the
   destination server (MX record), eventually because the domain is
   invalid, this class tries to resolve the domain address (A
   record). If it fails, usually the resolver library assumes that
   this could be because the specified domain is just the subdomain
   part. So, it appends the local default domain and tries to
   resolve the resulting domain. It may happen that the local DNS
   has an * for the A record, so any sub-domain is resolved to some
   local IP address. This prevents the class from figuring out if the
   specified e-mail address domain is valid. To avoid this problem,
   just specify in this variable the local address that the
   resolver library would return with the gethostbyname() function for
   invalid global domains that would be confused with valid local
   domains. Here it can be either the domain name or its IP address. */
$validator->exclude_address="";

if(IsSet($_GET["email"]))
    $email=$_GET["email"];
if(IsSet($email)
&& strcmp($email,""))
{
    /* The address comes straight from the query string: escape it before
       echoing it back, otherwise it is reflected into the page as HTML. */
    $email_html=HtmlSpecialChars($email,ENT_QUOTES);
    if(($result=$validator->ValidateEmailBox($email))<0)
        echo "<H2><CENTER>It was not possible to determine if <TT>$email_html</TT> is a valid deliverable e-mail box address.</CENTER></H2>\n";
    else
        echo "<H2><CENTER><TT>$email_html</TT> is ".($result ? "" : "not ")."a valid deliverable e-mail box address.</CENTER></H2>\n";
}
else
{
    $port=(strcmp($port=getenv("SERVER_PORT"),"") ? intval($port) : 80);
    $site="http://".(strcmp($site=getenv("SERVER_NAME"),"") ? $site : "localhost").($port==80 ? "" : ":".$port).GetEnv("REQUEST_URI");
    /* SERVER_NAME and REQUEST_URI are client-influenced too, so escape them as well.
       user@example.com is only a placeholder address. */
    $site_html=HtmlSpecialChars($site,ENT_QUOTES);
    echo "<H2>Access this page using a URL like: $site_html?email=<A HREF=\"$site_html?email=user@example.com\"><TT>user@example.com</TT></A></H2>\n";
}
?>
<HR>
</BODY>
</HTML>


Can your address book accommodate addressee groups?

There are multiple ways to have address books:

  • In your email program (e.g. Mozilla Thunderbird or Outlook Express) you can set up distribution lists.
  • In the email management tool, you can set up aliases with multiple recipients (there is virtually no limit to the number of recipients)
  • In the address book of webmail, you can set up distribution lists as well.
  • We can create mailing lists for you if you would like us to, and we can even create them with an autoresponder and other sales enhancing tools.

How do I change my secure webmail password?

Both the secure webmail and the secure POP3 or IMAP4 email are protected with the same password for each user. There are two ways to update a secure email user's password:


How do I increase the attachment size with Horde / Imp?

As Horde/IMP is PHP based, there are a few places that need to be adjusted, and the values must be consistent with each other:

  • /etc/php.ini: memory_limit = 64M ; needs to be 2-3 x the maximum upload/attachment size
  • /etc/php.ini: file_uploads = On
  • /etc/php.ini: upload_tmp_dir = /tmp ; changing that will confuse Horde
  • /etc/php.ini: post_max_size = 24M ; added here: must be at least upload_max_filesize, or uploads are silently dropped
  • /etc/php.ini: upload_max_filesize = 20M ; max individual attachment
  • /etc/httpd/conf.d/php.conf: LimitRequestBody 536870912 # max individual request body; must be at least post_max_size

Remember that IMP works better with safe_mode off (safe_mode itself was removed in PHP 5.4).
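An added shell check, not from the original page, for the relationships those directives must satisfy: post_max_size at least upload_max_filesize, memory_limit at least twice upload_max_filesize, and Apache's LimitRequestBody at least post_max_size. The two ini fragments are constructed for the example: the first has memory_limit and upload_max_filesize both at 20M and no post_max_size, the second is a consistent set. The sed-based parser and the 8M built-in default for post_max_size are the only other assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check the upload-related
# php.ini directives for Horde/IMP against each other and against Apache's
# LimitRequestBody. Both ini fragments below are constructed test input.
set -eu

# php.ini shorthand sizes (20M, 512K, 1G or plain bytes) to bytes, the way
# PHP reads them: only the trailing letter matters.
ini_bytes() {
    v=$1
    n=${v%[KkMmGg]}
    case $v in
        *[Gg]) echo $((n * 1073741824)) ;;
        *[Mm]) echo $((n * 1048576)) ;;
        *[Kk]) echo $((n * 1024)) ;;
        *)     echo "$n" ;;
    esac
}

# Value of directive $1 from ini text on stdin; trailing ';' comments and
# whitespace are dropped and the last assignment wins. Empty if absent.
ini_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([^;[:space:]]*\).*/\1/p" | tail -n 1
}

# $1: ini text, $2: Apache LimitRequestBody in bytes.
# Prints each violated relationship; returns 1 if any, 0 when consistent.
# Missing directives fall back to PHP's built-in defaults (assumed here).
check_upload_limits() {
    ini=$1
    body_limit=$2
    upload_raw=$(printf '%s\n' "$ini" | ini_get upload_max_filesize)
    post_raw=$(printf '%s\n' "$ini" | ini_get post_max_size)
    mem_raw=$(printf '%s\n' "$ini" | ini_get memory_limit)
    upload=$(ini_bytes "${upload_raw:-2M}")
    post=$(ini_bytes "${post_raw:-8M}")
    mem=$(ini_bytes "${mem_raw:-128M}")
    ok=0
    if [ "$post" -lt "$upload" ]; then
        echo "post_max_size ($post) < upload_max_filesize ($upload): uploads are dropped silently"
        ok=1
    fi
    if [ "$mem" -lt $((2 * upload)) ]; then
        echo "memory_limit ($mem) < 2 x upload_max_filesize ($upload): large attachments exhaust memory"
        ok=1
    fi
    if [ "$body_limit" -lt "$post" ]; then
        echo "LimitRequestBody ($body_limit) < post_max_size ($post): Apache rejects the request first"
        ok=1
    fi
    return $ok
}

# Constructed fragment: memory_limit equal to upload_max_filesize, no post_max_size.
PAGE_INI='memory_limit = 20M ; needs to be 2-3 x max upload/attach
file_uploads = On
upload_tmp_dir = /tmp
upload_max_filesize = 20M ; max individual attachment'

# Constructed fragment with the same intent, made consistent.
FIXED_INI='memory_limit = 64M
file_uploads = On
upload_tmp_dir = /tmp
post_max_size = 24M
upload_max_filesize = 20M'

check_upload_limits "$PAGE_INI" 536870912 || echo "first fragment: inconsistent"
check_upload_limits "$FIXED_INI" 536870912 && echo "second fragment: consistent"
```

Run it against a real server by replacing the fragments with the output of php -i and the LimitRequestBody from the Apache config; the same three relationships hold for any PHP upload form, not just Horde.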