
Coexistence Manager for Notes 3.8.1 - User Guide


Step 6: Reconfigure mail servers for CMN

IMPORTANT: These server reconfigurations should occur only after the CMN service is started. Reconfiguring the mail servers before starting CMN would at least briefly send mail to a nonexistent destination.

The CMN Mail Connector runs in conjunction with one or more Lotus Domino and Microsoft Exchange servers, or with a local Domino server and a hosted Exchange environment. As such, the Domino and Exchange environments must be configured to recognize and route messages via CMN.

6a: Configure Domino environment for CMN

For the Domino Server to work with CMN, it must direct Exchange-bound mail to CMN for processing. If you want to use CMN’s Mail Connector for active mail remediation, you must also configure Domino and Notes as described below.

If using subdomains: Set Forwarding Address to user@subdomain@notesdomain

A subdomain routing method may introduce a risk that the assigned subdomain names will escape your organization’s internal communications, which in turn can cause bounce-backs on replies to those addresses. To prevent this problem, set the Notes Forwarding Address attribute to user@subdomain@notesdomain, which causes Domino to set the reply address for external email to the user's primary SMTP address (internet address field value).

In the Domino Administrator, Configuration tab | Messaging section | Domains document | Foreign SMTP Domain: Change the destination server to the IP for CMN. Use MX priority designations for load balancing.

CMN’s active mail features require that the Domino server be configured as described here (beginning in the Domino Administrator):

1. Click the Configuration tab, then click Server, then Configurations.
3. Click the MIME tab.
4. Click the Conversion Options tab, and then the Outbound tab.
5. Set the Message content field to: Create multi-part alternative including conversion and encapsulation.

Some environments function correctly with only the Domino server configuration described above. But others, depending on the location of the message conversion and other environmental factors, may also require updating the Notes client configuration.

If Outlook recipients do not receive active mail attachments: Confirm the proper conversions within Notes (.OND attachments). Typically this occurs on the Domino server, but you can use this procedure to force the Notes client conversion as well. To configure Notes clients for active mail features, beginning in the Domino Administrator:

1. Click the Configuration tab.
2. In the Tools sidebar at right: Select Policies, and then Create.
3. In the Create New Policy dialog box: Click the Settings radio button, then select Desktop from the drop-down list box, click OK, and enter a name for the new policy on the Basics tab.
4. In the Desktop Settings screen: Click the Mail tab.
5. Under MIME Settings: In the drop-down list for Format for messages to internet addresses which cannot be found when message is sent, select Notes Rich Text format. Then click Save & Close.
6. Back in the Configuration tab, under Tools | Policies in the navigation sidebar at right: Select Create.
7. In the Create New Policy dialog box: Click the Settings radio button, then select Security from the drop-down list box, click OK, and name the new policy on the Basics tab.
8. In Security Settings: Click the Execution Control List tab.
9. Change the Update Frequency to your preference, either Once daily or When Admin ECL Changes. Then click Save and Close.
   b. In the navigation sidebar at right: Select Tools | Policies, and then Create.
   c. In the Create New Policy dialog box: Click the Policy radio button, click OK, and name the new policy on the Basics tab.
   d. Under Basics, set Policy type to your preference, either Organizational or Explicit Users. (Note: If using Explicit Users, the Policy must be assigned in the person document for each appropriate user.)
   e. In the Setting Type/Setting Name section, set the Desktop and Security fields to the Desktop and Security policy you've created.
   f. Click Save & Close.

If you want to use CMN’s active mail features (which require Rich Text outbound format), but want your outbound Internet mail to be sent in MIME format, you can route Notes' Internet-bound mail through CMN into Exchange and then let Exchange handle delivery to the internet. By this method, CMN will strip the extra attachments before relaying messages to Exchange, and then the Exchange MTA will handle delivery. This strategy works with either single-namespace or multi-domain mail routing (see Coexistence mail routing basics earlier in this chapter).

Another option is to designate a Domino server to be used for routing only, with no users assigned to it. This method, however, will work only with multi-domain mail routing. To configure a Domino server for MIME-format outbound Internet mail while CMN active mail features are enabled:

2. For this server: Create a Server Configuration document and enable Notes encapsulation on the Outbound MIME tab.
3. In the Domino Administrator: Click the Configuration tab and then expand the Messaging section.
4. Choose Domains, and then click Add Domain.
5. On the Basics tab, complete the Domain type field with the Foreign SMTP Domain.
6. Click the Routing tab, complete these fields, and click Save & Close:
   Messages Addressed to — Exchange SMTP Domain: The name of the Exchange SMTP domain to which this document applies. For example: exchange.company.com
   Should be Routed to — Domain name: A fictitious, logical domain name (for example, CMNDom) to which messages that match the pattern in the Internet Domain field will be routed. The name you specify serves as a placeholder only; Domino uses the name to pair the Foreign SMTP Domain document with the connection document you will create below.
7. In the Domino Administrator: Click the Configuration tab and then expand the Messaging section.
8. Choose Connections, and click Add Connection.
9. On the Basics tab, complete these fields, and then save the document:
   Source server: Name of the newly created Domino server where other Domino servers will route mail bound for Exchange via CMN.
   Connect via: Direct connection—for servers that communicate over LAN connections.
   Destination server: Unique fictitious placeholder name—for example, CMNServer. Domino does not use the value in this field, but the Connection document will not work if the field is empty. The name you specify must not match the name of any server on the network.
   Destination domain: Fictitious, logical domain name specified in the Internet Domain name field of the corresponding Foreign SMTP domain document (CMNDom in the earlier example).
   SMTP MTA relay host: IP address or DNS name of the CMN server, to which the source server transfers outbound mail.
10. On the Replication/Routing tab, complete these fields:
   Routing task: Choose Mail Routing. There is no need to specify SMTP routing, since the same routing task is responsible for transferring messages over NRPC and SMTP. The source server must have SMTP routing enabled in its Server document; otherwise, the Router discards the information in the SMTP Connection document.
   Route at once if: Number of pending messages that will force routing. The default is 5.
11. On the Schedule tab, specify the desired routing schedule.
12. Click Save & Close.

6b: Configure Exchange server for CMN

In the Organization Configuration | Hub Transport | Send Connector tab | Domino Send Connector Properties | Network tab: Add the IP or the FQDN for CMN as a "smart host" through which to route mail. You may use MX priority designations for load balancing.

If you have already verified the configuration of your Exchange distribution lists while setting up the CMN Directory Connector (in chapter 2), just skip ahead to the next step below. Otherwise:

Check the Message Delivery Restrictions settings for any Exchange group to which you want Notes users to be able to send messages. Any such Exchange group must be of the universal distribution type to be mail-enabled. To change the settings, beginning in the Exchange Management Console:

1. Select the group under Recipient Configuration | Distribution Group, then double-click the group you want to edit.
2. Click the Mail Flow Settings tab, and highlight Message Delivery Restrictions, then click Properties above.
3. De-select (unmark) the check box for Require that all senders are authenticated.
4. Save, and then restart the MS Exchange transport service.

Step 7 (optional): Configure TLS/SSL encryption

CMN's Mail Connector supports the TLS encryption protocol (SSL 3.1). TLS support requires a valid server certificate, which must be installed on the CMN server, and selected in CMN's Mail Connector Management Console. A new screen has been added to the MC Management Console for this purpose. The Notes and Exchange servers must also be configured for TLS/SSL support.

To enable and configure TLS/SSL encryption with CMN's Mail Connector:

a. In Domino Administrator: Open the Server Certificate Administration database on your server (typically certsrv.nsf), or create one from the template if none exists.
b. Choose the option to Create Key Ring with Self-Certified Certificate, and enter the appropriate field values:
   Key Ring File Name: Choose selfcert.kyr in the Domino root data directory.
   Common Name: The fully qualified host name of your Domino server—for example, domino.company.com.
   Organization: Should match the corresponding entry in your domain registration.
   State or Province: In the U.S. this is the two-letter postal abbreviation for your state. Elsewhere, enter the name of the region, province, etc.
   Country: The two-character country code.
c. Click the Create Key Ring with Self-Certified Certificate button.
d. Under Server Configuration: Choose the Current Server Document, and select the Ports tab.
e. On the Ports tab: Select the Internet Ports tab, and enter the appropriate field values:
   SSL Settings: Set the SSL key file name to selfcert.kyr in the Domino root data directory.
f. Under Web: Enable HTTPS and ensure it is set to 443. (With HTTPS enabled, your browser will be able to retrieve the public key and install it into the cert store.)
h. Test the certificate: On the CMN client computer, point IE to https://domino.company.com (IE should render the page without errors).
a. Click the Enable TLS radio button.
b. In the Certificate Store drop-down list, select the location in your network where the certificate resides. If the certificate location does not appear in the list, you must copy the certificate to one of the listed locations, using the Microsoft Certificates Management Console, into a LOCAL-SYSTEM account (not a personal account).
d. Remember to Save Configuration (on the File menu).
a. In the left-hand navigation tree, select Server|Configurations. Then select the server in the list (at the right), and click Edit Configuration.
b. In the Configuration Settings for the selected server, select the Router/SMTP tab, then the Advanced... tab, and then the Commands and Extensions tab.
c. Set the SSL negotiated over TCP/IP port field to either Enabled or Required. This is an important distinction:
   Required: Prevents Domino’s receipt of non-TLS messages. (The Required setting disallows non-TLS encrypted messages, which CMN might otherwise transmit if a configuration issue prevents CMN from sending a TLS-encrypted message, in which case it would attempt to send the message as plain text.)
   Enabled: Permits TLS-encrypted messages but does not prevent non-TLS messages.
   Even if your server uses Internet Site documents, you must go to the Basics tab and temporarily set Load Internet Configurations From Server\Internet Sites Documents to Disabled. You do not need to save the server document in this state, but disabling Internet Site Documents exposes a form on the Ports/Internet Ports tab.
d. Select the Ports/Internet Ports tab.
   Each type of Internet Site has individual settings for SSL on an Internet Site document, but outbound mail routing via SMTP does not. This is where you specify what keyring to use for outbound SMTP TLS. Enter the name of your new keyring file there, then go back to the Basics tab and re-enable Internet Sites if needed. When you go back to the Ports/Internet Ports tab, you will see that the SSL settings portion of the form has been hidden.
e. Set Mail (SMTP Inbound) and Mail (SMTP Outbound):

SMTP Inbound:

TCP/IP port number: 25
TCP/IP port status: Enabled
Enforce server access settings: No
SSL port number: 465
SSL port status: Enabled

SMTP Outbound:

TCP/IP port number: 25
TCP/IP port status: Negotiated SSL
Enforce server access settings: N/A
SSL port number: 465
SSL port status: Disabled

If you are not using Internet Site documents: Click Save and Close, and restart the Domino server. This step 3 procedure is now complete (skip substeps f and g, and resume at step 4).
If you are using Internet Site documents, continue with step f below.
f. Open the inbound SMTP Site document and configure the Security tab as follows.

TCP Authentication:

Anonymous: Yes
Name & password: No

SSL Authentication:

Anonymous: Yes
Name & password: No

SSL Options:

Key ring file name: keyfile.kyr
Protocol version: Negotiated
Accept SSL site certificates: No
Accept expired SSL certificates: Yes
Check for CRLs: No
Trust expired CRLs: Yes
Allow CRL search to fail: Yes

Make sure that the Key ring file name value is correct. If you plan to use authentication, enable the Name & Password options. Otherwise, leave them disabled.
g. Click Save and Close, and restart the Domino server.
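
The Required versus Enabled distinction in substep c can be checked from the CMN host once Domino has restarted. The following is an added example, not part of this guide or of CMN: the names `classify_tls_policy` and `probe`, the probe host name and the example.invalid sender are assumptions, the 530 refusal is the RFC 3207 reply rather than confirmed Domino wording, and the sample replies are constructed.

```python
import smtplib

def classify_tls_policy(ehlo_text, mail_code, mail_text=""):
    """Map a pre-TLS SMTP exchange onto the page's Required / Enabled settings.

    ehlo_text: EHLO reply as smtplib returns it (greeting line, then one
    extension per line). mail_code / mail_text: the reply to a MAIL FROM
    sent in plaintext, before any STARTTLS.
    """
    lines = [l.strip() for l in ehlo_text.splitlines()[1:] if l.strip()]
    extensions = {l.split()[0].upper() for l in lines}
    if "STARTTLS" not in extensions:
        return "no-tls"          # TLS is not offered at all on this port
    if mail_code == 530 and "tls" in mail_text.lower():
        return "required"        # RFC 3207 refusal: plaintext mail is rejected
    if 200 <= mail_code < 300:
        return "enabled"         # TLS offered, but plaintext fallback is accepted
    return "refused-other"       # rejected for another reason (auth, relay, ...)

def probe(host, port=25, timeout=10):
    """Run the plaintext exchange against a live listener and classify it."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        _, ehlo = smtp.ehlo("cmn-probe.example.invalid")   # assumed probe name
        code, text = smtp.docmd("MAIL", "FROM:<probe@example.invalid>")
    # Leaving the with-block sends QUIT, so no message is ever submitted.
    return classify_tls_policy(ehlo.decode("ascii", "replace"), code,
                               text.decode("ascii", "replace"))

# Constructed sample replies (not captured from a real Domino server).
SAMPLE_EHLO_TLS = "domino.company.com Hello\nSIZE 10485760\nPIPELINING\nSTARTTLS"
SAMPLE_EHLO_PLAIN = "domino.company.com Hello\nSIZE 10485760\nPIPELINING"

def sample_results():
    """Classify the three constructed cases, keyed by the expected label."""
    return {
        "required": classify_tls_policy(SAMPLE_EHLO_TLS, 530,
                                        "Must issue a STARTTLS command first"),
        "enabled": classify_tls_policy(SAMPLE_EHLO_TLS, 250, "Sender OK"),
        "no-tls": classify_tls_policy(SAMPLE_EHLO_PLAIN, 250, "Sender OK"),
    }

if __name__ == "__main__":
    for expected, got in sample_results().items():
        print(expected, "->", got)
```

Run `probe("domino.company.com")` from the CMN server; a result of `enabled` means a plaintext fallback from CMN would still be accepted by Domino.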
In Server Configuration | Hub Transport | Properties | Authentication: Mark the checkbox for Transport Layer Security (TLS), and also the checkbox for either Externally Secured (for the default receive connector) or Integrated Windows Authentication (for a client receive connector).
(To disable TLS encryption for the receive connector by PowerShell, enter the same command substituting $false for $true. To disable it in the Exchange Management Console, unmark the same checkboxes.)
To enable: get-sendconnector | set-sendconnector -requiretls $true
To disable: get-sendconnector | set-sendconnector -requiretls $false
b. If STARTTLS is not already enabled, enable it with this command: