Skip to Main Content
HCL Domino Ideas Portal

Welcome to the #dominoforever Product Ideas Forum! The place where you can submit product ideas and enhancement request. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated by HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are and when they will be implemented.

For more information and upcoming events around #dominoforever, please visit our Destination Domino Page

Status No Plans to Implement
Workspace Domino
Categories Security
Created by Guest
Created on Feb 23, 2024

Need any setting or Notes.ini parameter to bypass ICAP server if ICAP server is unresponsive

When scanning is enabled, messages are held in mail.box until are processed by ICAP server.

In case the ICAP server is unreachable (no matter what is the reason) messages are held in mailbox.

Need a setting or notes.ini switch to inform Domino that if the ICAP server is unresponsive, available messages are routed further without scanning.

Some kind of bypass to avoid situations when routing for the whole company stops because of ICAP server malfunction.

  • Attach files
  • Guest
    Reply
    |
    Mar 20, 2024

    While silently failing and bypassing would indeed be a security risk, the decision to 'fail open' or 'fail closed' should be left with the customer.

    If a failure scenario is actioned, Domino should log it (i.e. ICAP unresponsive, bypassing ICAP as per configured policy). However, the decision of whether to hold the queue and wait for ICAP to return, or skip ICAP and continue processing needs to be configurable by the customer.

  • Guest
    Reply
    |
    Mar 5, 2024

    I think HCL should not decide what is secure and what is not. We simply need flexible solution. Without such notes.ini option or different similar solution (like simple checkbox in cscan.cfg config) domino administrators are exposed to security incidents based on mail routing failure.

    Which is more interesting a year ago when ICAP feature was implemented, I configured ICAP and faced such security incidents because of incomplete implementation on Domino side.

    I opened the case (CS0397905), the patch was given for tests and case was solved. After a year patch which I was testing is implemented in 12.0.2FP3(SPR: DANOCTMQ25). So domino admins at least for a year were exposed to security incidents related of icap feature malfunction.

    Unfortunately it is not the end. Recently I faced similar security incident and new case is created in HCL CS0474979. Who knows how long me and other Domino admins have to take into consideration potential security incidents related to ICAP feature malfunctions.

    To be honest I currently considering not using ICAP feature in Domino at all because for now this feature is simply unreliable.

    Taking into consideration that ICAP feature was implemented on 12.0.2 vast of customers implemented other mechanisms to scan their emails. ICAP is just one element of many. In most cases such role are on mail gateways and additional gateways in between domino and mx. So argument that is better to stop mailrouting than pass a message without icap scan is missed.

    There can be other situation not related to Domino like simple network issues or ICAP server failure which in result and current approach will cause mail routing failure.

    Other systems (strict security systems) which are able to use ICAP have similar option whis is called "guarantee enforcement". It is simple configuration setting. I think it is obvious what it means...

    If checked scanning is mandatory no matter of delays, failures. If cotent is not scanned then it is not delivered.

    If it is not checked then content may be delivered without scanning....

  • Admin
    Thomas Hampel
    Reply
    |
    Mar 4, 2024

    I dont think its a good idea to bypass the (configured) ICAP scanning, because it would bypass your security scanning completely.

    The better approach is to improve monitoring and alerting so that admins are made aware of an unresponsive ICAP server and can then (if they wanted to do so) disable the ICAP configuration.

    rejecting this idea for security reasons - if you think this should be done, please continue to vote on this idea.

  • Guest
    Reply
    |
    Feb 26, 2024

    Does this really need to be a notes.ini? This is a very special case.

    You can disable mailscan and re-enable it later. Would a step by step guide help?
    If just having a notes.ini parameter some admin could just set a parameter to disable it and nobody would notice.

    Did you know: CScan only looks into mail with attachments. It is designed to not stop messages without attachments.
    This would "only" stop mail with attachments.
    But yes there should be simple way to disable it temporary. But this should be rather a database setting than just a notes.ini from my point of view.

    The database setting exists. Maybe a documentation of the steps will help?


    -- Daniel