Security in Domino and minimising the insights to your data

Tobias Fonsmark


Welcome to Let's Connect Nordics 2024

Who are we at Semaphor?

Established in 1992


Notes/Domino experts since 1994


Contributing to open source since 2010


Notes/Domino & Open source


We run all our platforms and applications ourselves

Mail, CRM, websites, filesharing, Office, Telephony, DNS etc.

We don't have any relationship with Microsoft, Google, Amazon, Apple or similar companies

The trend has been to move to the cloud...
but we see a counter reaction

Complex application stacks are a good reason for many customers to use cloud hosting

Mail, calendar and Office applications don't require the cloud

GDPR and an increased security and privacy focus in Europe make European companies reconsider their outsourcing strategies

This counter reaction will give HCL Notes/Domino a competitive advantage in the market

Cloud platforms from outside Europe are being watched

When hosting mail and applications outside the EU, you must expect your data to be analysed by vendors and shared with foreign intelligence services

If you don't have competitors and you don't store personal data in the cloud, this might not be a problem for you

Conflict

Must have surveillance

Must have privacy

The good news

With HCL Notes/Domino you get a modern backend and clients for mail, calendar and applications, while keeping your data safe

This is achievable by hosting the backend in your own datacenter or in a datacenter of a trusted partner

Recommendations

3 examples and a bit more...

Postfix in front (in- and outgoing SMTP)


nginx or similar reverse proxy in front of HTTP


An example of a vhost in nginx:

```
# HTTPS vhost: TLS terminates here, requests are proxied to the Domino HTTP task
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.example.dk;
    client_max_body_size "500M";
    ssl_certificate /etc/nginx/examplepath/example.crt;
    ssl_certificate_key /etc/nginx/examplepath/example.key;

    # more_set_headers comes from the headers-more module
    more_set_headers "Strict-Transport-Security: max-age=31536000";
    more_set_headers "Content-Security-Policy: upgrade-insecure-requests";
    more_set_headers "X-Frame-Options: SAMEORIGIN";
    include /etc/nginx/securityheaders.conf;

    # Static assets: cached for a day
    # (the my-cache zone must be declared with proxy_cache_path in the http block)
    location ~* \.(gif|jpe?g|png|webp|avif|svg|pdf|ico|ttf|woff2?)$ {
        proxy_pass http://example-upstream-server;
        proxy_cache my-cache;
        proxy_http_version 1.1;
        proxy_cache_valid 200 302 1d;
        proxy_cache_valid 404 10s;
    }

    # Stylesheets and scripts: same caching policy
    location ~* \.(css|js)$ {
        proxy_pass http://example-upstream-server;
        proxy_cache my-cache;
        proxy_http_version 1.1;
        proxy_cache_valid 200 302 1d;
        proxy_cache_valid 404 10s;
    }

    # Everything else (Domino applications): shorter cache, rewrite http:// redirects from Domino to https://
    location / {
        proxy_pass http://example-upstream-server;
        proxy_cache my-cache;
        proxy_redirect http:// https://;
        proxy_cache_valid 200 302 4h;
        proxy_cache_valid 404 25s;
        proxy_http_version 1.1;
    }
}

# Plain HTTP vhost: only redirects to HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name www.example.dk;
    more_set_headers "Content-Security-Policy: upgrade-insecure-requests";
    location / {
        return 301 https://$host$request_uri;
    }
}
```

nginx or similar reverse proxy in front of IMAP/SMTP


An example of a vhost in nginx in front of IMAP and SMTP:

```
mail {
    # Domino agent that answers nginx's auth_http requests (Auth-Status / Auth-Server / Auth-Port)
    auth_http <domino-ip>/database.nsf/mailauth?openagent;
    proxy_pass_error_message on;

    # TLS terminates in nginx; the backend connection to Domino is plain IMAP/SMTP
    ssl_certificate /etc/nginx/ssl/yourcert/yourcert.crt;
    ssl_certificate_key /etc/nginx/ssl/yourcert/yourcert.key;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    error_log /var/log/nginx/error.log info;

    # Delay the SMTP greeting; clients that talk before the banner are typically bots
    smtp_greeting_delay 3;

    # Submission over implicit TLS
    server {
        server_name smtp.example.dk;
        listen 465 ssl;
        xclient off;
        protocol smtp;
        smtp_auth login plain cram-md5;
        auth_http_header User-Agent "Nginx SMTP proxy";
    }

    # IMAP over implicit TLS
    server {
        server_name imap.example.dk;
        listen 993 ssl;
        protocol imap;
        proxy on;
        auth_http_header User-Agent "Nginx IMAP4 proxy";
    }
}
```
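The auth_http endpoint above is where nginx decides whether a mail login is allowed and which Domino server to proxy it to. The following is an added example (not Semaphor's Domino agent, and not code from the presentation) of what such an endpoint must answer, written as a small Python stand-in; the user directory, the backend address 10.0.0.5 and the port 8080 are constructed for the example.

```python
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote

# Constructed sample data for this example: in production the lookup would go to Domino.
USERS = {"alice@example.dk": {"password": "correct horse", "server": "10.0.0.5"}}
# Plain-text ports on the Domino side; TLS is terminated by nginx on 993/465.
BACKEND_PORTS = {"imap": 143, "smtp": 25}
FAIL_WAIT_SECONDS = "3"  # Auth-Wait: nginx delays the client before reporting failure


def authenticate(headers):
    """Build the Auth-* headers nginx expects for one auth_http request.

    nginx sends Auth-Method, Auth-Protocol, Auth-User and Auth-Pass; user and
    password are URI-escaped by nginx, so they are decoded before comparison.
    """
    failure = {"Auth-Status": "Invalid login or password", "Auth-Wait": FAIL_WAIT_SECONDS}
    protocol = headers.get("Auth-Protocol", "")
    # Only PLAIN/LOGIN (reported by nginx as "plain") carry the password itself;
    # CRAM-MD5 needs the Auth-Salt challenge flow, which this example does not implement.
    if protocol not in BACKEND_PORTS or headers.get("Auth-Method") != "plain":
        return failure
    user = unquote(headers.get("Auth-User", ""))
    password = unquote(headers.get("Auth-Pass", ""))
    entry = USERS.get(user)
    # Compare against a dummy value for unknown users so timing does not reveal valid logins.
    expected = entry["password"] if entry else "\0"
    if not hmac.compare_digest(expected.encode(), password.encode()) or entry is None:
        return failure
    return {"Auth-Status": "OK", "Auth-Server": entry["server"],
            "Auth-Port": str(BACKEND_PORTS[protocol])}


class AuthHandler(BaseHTTPRequestHandler):
    """Minimal HTTP endpoint for the auth_http directive (hypothetical stand-in for the Domino agent)."""

    def do_GET(self):
        self.send_response(200)
        for name, value in authenticate(self.headers).items():
            self.send_header(name, value)
        self.end_headers()


if __name__ == "__main__":
    # Loopback only; nginx would reach it with: auth_http 127.0.0.1:8080/auth;
    HTTPServer(("127.0.0.1", 8080), AuthHandler).serve_forever()
```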

Recommendations

  • Postfix in front (in- and outgoing SMTP)
  • nginx or similar reverse proxy in front of HTTP
  • nginx in front of IMAP/SMTP - including Fail2Ban
  • Keep OS and Domino updated
  • Run Domino on Linux
  • Use LDAPS instead of LDAP
  • Strengthen TLS ciphers

Questions

?

https://presentations.semaphor.dk/LCN-2024/


tobias.fonsmark@semaphor.dk


www.semaphor.dk


More specific recommendations

  • Run Domino 12.0.2 FP4 or 14.0 FP2 IF1
  • NRPC port encryption
  • HTTPS/TLS everywhere
  • Use Certificate Manager
  • Use DBMT
  • ID Vault
  • ID file encryption strength: 256-bit AES and SHA-512 - key strength: 2048 bits
  • Supported OS version!
  • DKIM & SPF enabled

Common misconceptions
