Coexistence Manager for Notes 3.8.4

Step 6: Reconfigure mail servers for CMN


	IMPORTANT: These server reconfigurations should occur only after the CMN service is started. Reconfiguring the mail servers before starting CMN would at least briefly send mail to a nonexistent destination.

The CMN Mail Connector runs in conjunction with one or more Lotus Domino and Microsoft Exchange servers, or with a local Domino server and a hosted Exchange environment. As such, the Domino and Exchange environments must be configured to recognize and route messages via CMN.

6a: Configure Domino environment for CMN

For the Domino Server to work with CMN, it must direct Exchange-bound mail to CMN for processing. If you want to use CMN’s Mail Connector for active mail remediation, you must also configure Domino and Notes as described below.

If using subdomains: Set Forwarding Address to user@subdomain@notesdomain

A subdomain routing method may introduce a risk that the assigned subdomain names will escape your organization’s internal communications, which in turn can cause bounce-backs on replies to those addresses. To prevent this problem, set the Notes Forwarding Address attribute to user@subdomain@notesdomain, which causes Domino to set the reply address for external email to the user's primary SMTP address (internet address field value).

Send Exchange-bound mail to CMN

In the Domino Administrator, Configuration tab | Messaging section | Domains document | Foreign SMTP Domain: Change the destination server to the IP for CMN. Use MX priority designations for load balancing.

Configure Domino and Notes for active mail features

CMN’s active mail features require that the Domino server be configured as described here (beginning in the Domino Administrator):

Click the Configuration tab, then click Server, then Configurations.

Select the server from the list, and click Edit Configuration.

Click the MIME tab.

Click the Conversion Options tab, and then the Outbound tab.

Set the Message content field to: Create multi-part alternative including conversion and encapsulation.

Some environments function correctly with only the Domino server configuration described above. But others, depending on the location of the message conversion and other environmental factors, may also require updating the Notes client configuration.

If Outlook recipients do not receive active mail attachments: Confirm the proper conversions within Notes (.OND attachments). Typically this occurs on the Domino server, but you can use this procedure to force the Notes client conversion as well. To configure Notes clients for active mail features, beginning in the Domino Administrator:

Click the Configuration tab.

In the Tools sidebar at right: Select Policies, and then Create.

In the Create New Policy dialog box: Click the Settings radio button, then select Desktop from the drop-down list box, click OK, and enter a name for the new policy on the Basics tab.

In the Desktop Settings screen: Click the Mail tab.

Under MIME Settings: In the drop-down list for Format for messages to internet addresses which cannot be found when message is sent, select Notes Rich Text format. Then click Save & Close.

Back in the Configuration tab, under Tools | Policies in the navigation sidebar at right: Select Create.

In the Create New Policy dialog box: Click the Settings radio button, then select Security from the drop-down list box, click OK, and name the new policy on the Basics tab.

In Security Settings: Click the Execution Control List tab.

Change the Update Frequency to your preference, either Once daily or When Admin ECL Changes. Then click Save and Close.

Create a policy document that will push out the workstation updates:

In Domino Administrator: Click the Configuration tab.

In the navigation sidebar at right: Select Tools | Policies, and then Create.

In the Create New Policy dialog box: Click the Policy radio button, click OK, and name the new policy on the Basics tab.

Under Basics, set Policy type to your preference, either Organizational or Explicit Users. (Note: If using Explicit Users, the Policy must be assigned in the person document for each appropriate user.)

In the Setting Type/Setting Name section, set the Desktop and Security fields to the Desktop and Security policy you've created.

Click Save & Close.

Each Notes client must be restarted for these changes to take effect.

CMN active mail with MIME format for outbound Internet mail

If you want to use CMN’s active mail features (which require Rich Text outbound format), but want your outbound Internet mail to be sent in MIME format, you can route Notes' Internet-bound mail through CMN into Exchange and then let Exchange handle delivery to the internet. By this method, CMN will strip the extra attachments before relaying messages to Exchange, and then the Exchange MTA will handle delivery. This strategy works with either single- namespace or multi-domain mail routing (see Coexistence mail routing basics earlier in this chapter).

Another option is to designate a Domino server to be used for routing only, with no users assigned to it. This method, however, will work only with multi-domain mail routing. To configure a Domino server for MIME-format outbound Internet mail while CMN active mail features are enabled:

Identify or create the "routing-only" Domain server.

For this server: Create a Server Configuration document and enable Notes encapsulation on the Outbound MIME tab.

In the Domino Administrator: Click the Configuration tab and then expand the Messaging section.

Choose Domains, and then click Add Domain.

On the Basics tab, complete the Domain type field with the Foreign SMTP Domain.

Click the Routing tab, complete these fields, and click Save & Close:

•

Messages Addressed to — Exchange SMTP Domain: The name of the Exchange SMTP domain to which this document applies. For example: exchange.company.com

•

Should be Routed to — Domain name: A fictitious, logical domain name (for example, CMNDom) to which messages that match the pattern in the Internet Domain field will be routed. The name you specify serves as a placeholder only; Domino uses the name to pair the Foreign SMTP Domain document with the connection document you will create below.

In the Domino Administrator: Click the Configuration tab and then expand the Messaging section.

Choose Connections, and click Add Connection.

On the Basics tab, complete these fields, and then save the document:

•

Connection type: SMTP

•

Source server: Name of the newly created Domino server where other Domino servers will route mail bound for Exchange via CMN.

•

Connect via: Direct connection—for servers that communicate over LAN connections.

•

Destination server: Unique fictitious placeholder name—for example, CMNServer. Domino does not use the value in this field, but the Connection document will not work if the field is empty. The name you specify must not match the name of any server on the network.

•

Destination domain: Fictitious, logical domain name specified in the Internet Domain name field of the corresponding Foreign SMTP domain document (CMNDom in the earlier example).

•

SMTP MTA relay host: IP address or DNS name of the CMN server, to which the source server transfers outbound mail.

On the Replication/Routing tab, complete these fields:

•

Replication task: Disabled.

•

Routine task: Choose Mail Routing. There is no need to specify SMTP routing, since the same routing task is responsible for transferring messages over NRPC and SMTP. The source server must have SMTP routing enabled in its Server document; otherwise, the Router discards the information in the SMTP Connection document.

•

Route at once if: Number of pending messages that will force routing. The default is 5.

On the Schedule tab, specify the desired routing schedule.

Click Save & Close.

Replicate the Domino Directory to all servers in the Domino domain.

The change takes effect after the next Router configuration update. To put the new setting into effect immediately, recalculate the routing tables on all affected servers.

6b: Configure Exchange server for CMN

In the Organization Configuration | Hub Transport | Send Connector tab | Domino Send Connector Properties | Network tab: Add the IP or the FQDN for CMN as a "smart host" through which to route mail. You may use MX priority designations for load balancing.

If necessary: verify Exchange DL configuration

If you have already verified the configuration of your Exchange distribution lists while setting up the CMN Directory Connector (in chapter 2), just skip ahead to the next step below. Otherwise:

Check the Message Delivery Restrictions settings for any Exchange group to which you want Notes users to be able to send messages. Any such Exchange group must be of the universal distribution type to be mail-enabled. To change the settings, beginning in the Exchange Management Console:

Select the group under Recipient Configuration | Distribution Group, then double-click the group you want to edit.

Click the Mail Flow Settings tab, and highlight Message Delivery Restrictions, then click Properties above.

De-select (unmark) the check box for Require that all senders are authenticated.

Save, and then restart the MS Exchange transport service.

Step 7 (optional): Configure TLS/SSL encryption

CMN's Mail Connector supports the TLS encryption protocol (SSL 3.1). TLS support requires a valid server certificate, which must be installed on the CMN server, and selected in CMN's Mail Connector Management Console. A new screen has been added to the MC Management Console for this purpose. The Notes and Exchange servers must also be configured for TLS/SSL support.

To enable and configure TLS/SSL encryption with CMN's Mail Connector:

Obtain and install a Domino server security certificate.

If you already have a valid certificate for some other security function (for example, for CMN's Free/Busy Connector), you can use the same certificate to enable TLS in the Mail Connector (and skip ahead to step 2 below). Otherwise, you will need an SSL certificate on a keyring file. This keyring file is exactly the same as one used for other web security functions such as secure web access, and can be obtained the same way.

You can obtain a certificate from a reputable Certification Authority (CA), or you can generate your own self-signed certificate. Your Domino documentation describes both approaches. Here we simply summarize how to accomplish this with a self-signed certificate:

In Domino Administrator: Open the Server Certificate Administration database on your server (typically certsrv.nsf), or create one from the template if none exists.

Choose the option to Create Key Ring with Self-Certified Certificate, and enter the appropriate field values:

•

Key Ring File Name: Choose selfcert.kyr in the Domino root data directory.

•

Common Name: The fully qualified host name of your Domino server— for example, domino.company.com.

•

Organization: Should match the corresponding entry in your domain registration.

•

State or Province: In the U.S. this is the two-letter postal abbreviation for your state. Elsewhere, enter the name of the region, province, etc.

•

Country: The two-character country code.

Click the Create Key Ring with Self-Certified Certificate button.

Under Server Configuration: Choose the Current Server Document, and select the Ports tab.

On the Ports tab: Select the Internet Ports tab, and enter the appropriate field values:

•

SSL Settings: Set the SSL key file name to selfcert.kyr in the Domino root data directory.

•

SSL Protocol Version: Negotiated

•

Accept SSL site certificates: Yes

•

Accept expired SSL certificates: No

Under Web: Enable HTTPS and ensure it is set to 443. (With HTTPS enabled, your browser will be able to retrieve the public key and install it into the cert store.)

Restart Domino.

Test the certificate: On the CMN client computer, point IE to https://domino.company.com (IE should render the page without errors).

In CMN's Mail Connector Management Console, on the new TLS Settings screen:

Click the Enable TLS radio button.

In the Certificate Store drop-down list, select the location in your network where the certificate resides. If the certificate location does not appear in the list, you must copy the certificate to one of the listed locations, using the Microsoft Certificates Management Console, into a LOCAL-SYSTEM account (not a personal account).

The table on the bottom half of the screen then shows a list of all certificates found in the designated Certificate Store, with the Issuer, the Effective and Expiration Dates, and the certificate Thumbprint.

In the table, select the certificate you want to install.

Remember to Save Configuration (on the File menu).

Configure the Domino Server to enable TLS encryption. (Remember that Domino does not support TLS-level encryption. An attempt to enable TLS on a Domino server will not generate an error, but Domino will negotiate the encryption level down to SSL3.) In Domino Administrator:

In the left-hand navigation tree, select Server|Configurations. Then select the server in the list (at the right), and click Edit Configuration.

In the Configuration Settings for the selected server, select the Router/SMTP tab, then the Advanced... tab, and then the Commands and Extensions tab.

Set the SSL negotiated over TCP/IP port field to either Enabled or Required. This is an important distinction:

•

Required: Prevents Domino’s receipt of non-TLS messages. (The Required setting disallows non-TLS encrypted messages, which CMN might otherwise transmit if a configuration issue prevents CMN from sending a TLS-encrypted message, in which case it would attempt to send the message as plain text.)

•

Enabled: Permits TLS-encrypted messages but does not prevent non-TLS messages.

Even if your server uses Internet Site documents, you must go to the Basics tab and temporarily set Load Internet Configurations From Server\Internet Sites Documents to Disabled. You do not need to save the server document in this state, but disabling Internet Site Documents exposes a form on the Ports/Internet Ports tab.

Select the Ports/Internet Ports tab.

Each type of Internet Site has individual settings for SSL on an Internet Site document, but outbound mail routing via SMTP does not. This is where you specify what keyring to use for outbound SMTP TLS. Enter the name of your new keyring file there, then go back to the Basics tab and re-enable Internet Sites if needed. When you go back to the Ports/Internet Ports tab, you will see that the SSL settings portion of the form has been hidden.

Set Mail (SMTP Inbound) and Mail (SMTP Outbound):


SMTP Inbound: • TCP/IP port number: 25 • TCP/IP port status: Enabled • Enforce server access settings: No • SSL port number: 465 • SSL port status: Enabled	SMTP Outbound: • TCP/IP port number: 25 • TCP/IP port status: Negotiated SSL • Enforce server access settings: N/A • SSL port number: 465 • SSL port status: Disabled

If you are not using Internet Site documents: Click Save and Close, and restart the Domino server. This step 3 procedure is now complete (skip substeps f and g, and resume at step 4).

If you are using Internet Site documents, continue with step f below.

Open the inbound SMTP Site document and configure the Security tab as follows.


TCP Authentication: • Anonymous: Yes • Name & password: No SSL Authentication: • Anonymous: Yes • Name & password: No	SSL Options: • Key ring file name: keyfile.kyr • Protocol version: Negotiated • Accept SSL site certificates: No • Accept expired SSL certificates: Yes • Check for CRLs: No • Trust expired CRLs: Yes • Allow CRL search to fail: Yes

Make sure that the Key ring file name value is correct. If you plan to use authentication, enable the Name & Password options. Otherwise, leave them disabled.

Click Save and Close, and restart the Domino server.

Configure the Exchange server to require TLS encryption for the receive connector. You can do this either by PowerShell commands or by settings in the Exchange Management Console:

•

To enable TLS encryption for the Exchange receive connector by PowerShell:

get-receiveconnector | set-receiveconnector -requiretls $true

—OR—

•

To enable TLS encryption for the Exchange receive connector in the Exchange Management Console:

In Server Configuration | Hub Transport | Properties | Authentication: Mark the checkbox for Transport Layer Security (TLS), and also the checkbox for either Externally Secured (for the default receive connector) or Integrated Windows Authentication (for a client receive connector).

After either method: Restart the Exchange Transport Service.

(To disable TLS encryption for the receive connector by PowerShell, enter the same command substituting $false for $true. To disable it in the Exchange Management Console, unmark the same checkboxes.)

Configure the Exchange server to require TLS encryption for the send connector. You can enable/disable TLS encryption for the send connector by PowerShell commands only:

To enable: get-sendconnector | set-sendconnector -requiretls $true

To disable: get-sendconnector | set-sendconnector -requiretls $false

And then restart the Exchange Transport Service.

Verify that STARTTLS is enabled on the Exchange server (and enable it if necessary):

From the CMN client computer, telnet to the Exchange server on port 25, and send ‘EHLO’. If the Exchange reply includes 250-STARTTLS, then STARTTLS is already enabled (skip ahead to step 7).

If STARTTLS is not already enabled, enable it with this command:

Enable-ExchangeCertificate -thumprint <thumbprint of certificate> -services:SMTP

And then restart the Exchange server.

Check the CMN log to verify that TLS is enabled and working properly. In the detailed log entries you should see an entry like this: