
R7 Security Redpaper
(by Dieter Stalder, STDI Consulting)

October 2005 and for once, I didn't answer the call of nature to enjoy the fall colors in Ontario. I answered the call for a Residency: the 'Security Considerations in Notes and Domino 7' Redpaper (http://www.redbooks.ibm.com/redpieces/abstracts/redp4104.html). The task: write about the new R7 security enhancements, which included:

  • Custom password policies
  • Support for larger keys in ND7
  • Smartcards
  • Customizing password/certificate expiration
  • Public key enhancements
  • SSO Name Mapping in ND7
  • Enhancement to spam control

The first problem was the fact that we had to produce a 200-page document covering security. A single topic by itself could fill 200 pages. The two topics I adopted were spam control and SSO. Spam control is one subject I know very well. Not because I receive over 7000 spams a day, which averages 3500 spams per user, but because I have been capturing and analyzing spam mail since March 2002. I shared the first spam session at Lotusphere 2003 with Richard Schwartz from RHS Consulting and Meredith Lovett from Lotus Development. The first time we met Meredith to prepare for the session, we asked for whitelist filters; now with R7 we got them: the private and the DNS Whitelist filters.

Having had excellent results with DNS Blacklist sites such as spamhaus.org, I was wondering what the options for DNS whitelist services are. And there I found BondedSender.org. Reading through the web site, I noticed that this is an initiative for Commercial Senders to allow their messages to pass blacklist filters. Now my curiosity demanded a test: what is the difference between a Commercial Sender and a Spammer?

First I looked for a Bonded Sender member and signed up for their e-mail promotion. Within 2 days, I was on the distribution list and got 2 messages a day. The big question: are two messages per day too much for a service I signed up for? If your answer is yes, just wait a few weeks. After about 2 months, I got over 10 messages a day as a result of my participation. No problem, they are a member of BondedSender.org and have to honor the remove instructions. But only 1 or 2 messages per day came from the original domain. I originally signed up with a unique e-mail address to be able to trace the results, and it was not my intention to find out if they honor remove instructions or not. At this point I disabled the e-mail domain - my curiosity was satisfied and bondedsender.org is now listed in the Blacklist DNS.

Is this the end of DNS Whitelist? Not at all. How about running your own DNS and adding all your customers to the DNS? That's exactly what I did in Boston for the Redpaper, setting up my own Whitelist DNS. I was prepared for long hours of setup and testing, but it turned out to be much simpler than I expected. The Redpaper documents how the Microsoft DNS can be used as a Whitelist DNS. And after returning to my office, I repeated the setup using the BIND DNS server software from ISC. It's all documented at my web site at http://www.stdi.com. BIND runs on non-Microsoft platforms as well as all Windows versions.

Now with Whitelist support in Domino, life is sweet. Well, until you have to implement Smartcards. But I leave this topic for you to read in the Redpaper.

Dieter Stalder, Mississauga, Ontario, Canada