R5 Security Question

[CharlieIT]

I have a Domino 5.08 Server.

Does anyone know what kind of security (if any) R5 uses for mail?

When my users send a message, is it clear-text? Can it be sniffed and opened easily? Is it encrypted? Can it be encrypted?

Is R6 any better in terms of security?

Thank You!

 

[Packet7]

You can encrypt the mail in both R5 and R6. Plenty of info in the Notes Help Files that will guide you through.

Rgds,

John

 

[CharlieIT]

Thanks for the response. Yes, I saw that I could use encryption. Before I research that though--how much at risk am I if I do not use encryption? Is username and password sent clear text? Are e-mails clear text? How secure is Lotus Notes right out of the box?

 

[Packet7]

Hello,

Well, if your data needs to be secured, I would use encryption. If not, I would leave it off. We opt not too. One of our offices use Exchange, and they have been hacked, DOS's, and exploited about 4 times. Nobody has never comprimised our Domino Servers.

If your using iNotes off the Internet, I would look into SSL. I see that being Domino's biggest vulnerability right out of the box. Hope this helps.

Rgds,

John

 

[CharlieIT]

Thanks. I'm not using Inotes or anything like that. My users are simply using a Notes Client to connect to a Domino 5.08 Server.

I know I can use encryption, I was just wondering if anyone knows what kind of security the Lotus Notes client uses right out of the box? How easy would it be for someone to sniff the line and read mail going to a from a Lotus Notes client without the extra encryption?

Does anyone know?

 

[Packet7]

Can you explain what you mean by "security" and "out of the box"?

Does R5 use encryption by default? No. Does R6, yes. In R5, simply go into the Admin Client, Server Tab, Status, Tools, Server, Setup Ports, Select the port and enable "Encrypt Network Data".

R5.08 is old, if you have the time and $$ to upgrade, I would move to R6.5.1. Just an opinion. Sorry if I gave you the run around. Maybe someone else will have more to add. Good luck.

Rgds,

John

 

[CharlieIT]

Thanks John--you have been helping me quite a bit, and I am very greatful. I guess what I am trying to figure out is how vulerable my company has been prior to making the changes you just suggested.

Assuming I do not follow your suggestion above to encrypt TCPIP traffic, how secure is mail when it is not encrypted? If it is not encrypted, is it clear text?

 

[Packet7]

Hey,
No worries. To my knowledge, the Notes client ID is encrypted in both R5 and R6. I tutilizes a Private Public key embedded in the file and is not sent to the Domino server in clear text.

When the Notes client sends a message, it uses port 1352 and is not encrypted. I have captured traffic before using a sniffer and the message is in clear text.

Most email systems out of the box, are not secure. Which is why they provide encryption. We don't secure our email and our users understand that the data sent is NOT secured. We have an electronic use policy that covers our a$$.

AT times, we do get requests to secure Data, so our R6 encryption is the approach. It's always internal though, and easy to setup. We have yet to get a request to a foregin email system, like Exchange. But it can be done.

I would concentrate on ACL, ID Mgt and server access more then securing the data stream. Just an idea.

Hope this helps. Thanks.

Rgds,

John

 

[CharlieIT]

So just to qualify then...Now that I have set the server to "Encrypt Network Data" (as you instructed above), the e-mails sent to and from the clients are no longer clear text? If someone in my organization is sending an e-mail to someone in another organization who has, say, Outlook--are the e-mails in clear text with the "Encrypt Network Data" option implemented? Or am I going to need to go an extra step for that and configure certificates?

 

[Packet7]

Hey,

I would sniff some traffic and check, but you should be good to go. Third-party encryption will reuire some work on your behalf and the client. They will need to exchange keys.

You should now run some tests and research additional encryption options with other mail systems.

Rgds,

John

 

[woonjas]

enabling network traffic encryption for the network ports on the server forces communication between clients and the server to be encrypted to prevent sniffing contents on the wire (but that's just for native notes traffic, including notes mail).

Users can configure their client to encrypt messages by default, which will also mean that messages in the message store (the user's mail database) are encrypted.

If you worry about messages outside of notes like internet recipients, you need to add x509 (ssl) certificates to the users' person documents & id files. This will allow the user to send encrypted messages to internet recipients using sMIME.

Obtaining certificates for the users can be done by setting up your own Certificate Authority, or by purchasing certificates from trusted third parties like verislime.

Instructions on how to do this can be found in the administration help database which is installed by default on every server.


Woonjas
IRC: #notes on EFNet