Forwarded message:
> From firewalls-owner @ GreatCircle . COM Tue Sep 10 02:03:27 1996
> From: Joseph . Cupano @ ey . com
> X400-Originator: Joseph . Cupano @ EY . COM
> X400-Recipients: firewalls @ greatcircle . com
> X400-Mts-Identifier: [/PRMD=ERNSTYOUNG/ADMD=ATTMAIL/C=US/;0014500005125969000002]
> X400-Content-Type: P2-1988 (22)
> Message-Id: <0014500005125969000002* @ MHS>
> To: " - (052)firewalls(a)greatcircle.com" <firewalls @ GreatCircle . COM>
> Subject: Lotus Notes Security
> Date: Mon, 9 Sep 1996 16:05:46 -0400
> Sender: firewalls-owner @ GreatCircle . COM
> Precedence: bulk
>
>
>
>
> >Hello all!
> >
> >While Notes access through firewalls is a FAQ (short answer: use your
> >favorite circuit-level relay to pass traffic on port 1352 to your
> >notes server), I was looking for a true application level proxy. By
> >this I mean a proxy that would UNDERSTAND the protocol Notes uses,
> >and allow me the functionality to:
>
>
> Efficient and effective Notes firewall design is best served by
> understanding the Notes environment. Notes is a complex application with
> granularity of access control from Server/Database/Document down to Field level.
>
[Stuff deleted]
I sincerely hope that Notes security beats their smtp gateway
implementation (on OS/2 to be precise, but I have the feeling that the same
problems are in other platforms).
Although this isn't strictly firewall related I'd like to mention some
problems that sites in Europe, and generally outside the English-speaking
nations, might have when using the smtp gateway from Notes to the Internet.
The situation is improving though.
The former version used OS/2 sendmail (came with OS/2) that is very basic and
supports almost nothing to leverage some of the problems we had with Notes.
I had to translate to and from ISO Latin-1 and CP-850 on a Unix machine
with 'real' sendmail.
That wasn't hard but showed that Notes had not thought about specific
smtp requirements for non-English-speaking nations.
Now they have their own (still buggy, but 'ok, it's new') smtp gateway and
smtp daemon (sendmail).
It is much better and now translates automatically between character sets.
The older version had a 'gateway' that used OS/2 sendmail.
But the main problem was (and still is) the following:
Notes likes to have your from address as firstname_lastname @ site . com or even
firstname_lastname @ notesdomainstuff/morenotesdomainstuff.site.com. (The
latter can be prevented).
I, like most other people, want to have a short email address. It is supposed
to work, by using a 'nickname' instead of the full name (previously it didn't,
meaning that the gateway only supported 7 bit names), and work *IF* your name
contains only letters from the lower half of the ASCII table (<128).
Otherwise it doesn't, I can't say why, it just doesn't. (Anyway, nobody should
use the upper-half 8 bit characters in their email addresses).
The from address is displayed with extra 7 bit characters instead of the 8 bit
characters. An example is Geir\gr\#\Pur_Sigur\Pard\"ttir @ shr . is
I happen to be one of the 'lucky' ones, as my name contains no characters from
above ASCII 127 (doesn't matter anyway, I personally don't use Notes for smtp
mail).
Others are forced to have their names on the Notes server written with seven
bit characters instead of the 8 bit ones, and have their real name as alias.
This is probably not firewall related enough, so please don't respond to the
list. But it makes you wonder how good the IP security is in Notes,
although the theory is sound.
Btw, we don't have an external notes server.