Need any setting or Notes.ini parameter to bypass ICAP server if ICAP server is unresponsive

While silently failing and bypassing would indeed be a security risk, the decision to 'fail open' or 'fail closed' should be left with the customer.

If a failure scenario is actioned, Domino should log it (i.e. ICAP unresponsive, bypassing ICAP as per configured policy). However, the decision of whether to hold the queue and wait for ICAP to return, or skip ICAP and continue processing needs to be configurable by the customer.

I think HCL should not decide what is secure and what is not. We simply need flexible solution. Without such notes.ini option or different similar solution (like simple checkbox in cscan.cfg config) domino administrators are exposed to security incidents based on mail routing failure.

Which is more interesting a year ago when ICAP feature was implemented, I configured ICAP and faced such security incidents because of incomplete implementation on Domino side.

I opened the case (CS0397905), the patch was given for tests and case was solved. After a year patch which I was testing is implemented in 12.0.2FP3(SPR: DANOCTMQ25). So domino admins at least for a year were exposed to security incidents related of icap feature malfunction.

Unfortunately it is not the end. Recently I faced similar security incident and new case is created in HCL CS0474979. Who knows how long me and other Domino admins have to take into consideration potential security incidents related to ICAP feature malfunctions.

To be honest I currently considering not using ICAP feature in Domino at all because for now this feature is simply unreliable.

Taking into consideration that ICAP feature was implemented on 12.0.2 vast of customers implemented other mechanisms to scan their emails. ICAP is just one element of many. In most cases such role are on mail gateways and additional gateways in between domino and mx. So argument that is better to stop mailrouting than pass a message without icap scan is missed.

There can be other situation not related to Domino like simple network issues or ICAP server failure which in result and current approach will cause mail routing failure.

Other systems (strict security systems) which are able to use ICAP have similar option whis is called "guarantee enforcement". It is simple configuration setting. I think it is obvious what it means...

If checked scanning is mandatory no matter of delays, failures. If cotent is not scanned then it is not delivered.

If it is not checked then content may be delivered without scanning....

I dont think its a good idea to bypass the (configured) ICAP scanning, because it would bypass your security scanning completely.

The better approach is to improve monitoring and alerting so that admins are made aware of an unresponsive ICAP server and can then (if they wanted to do so) disable the ICAP configuration.

rejecting this idea for security reasons - if you think this should be done, please continue to vote on this idea.

Does this really need to be a notes.ini? This is a very special case.

You can disable mailscan and re-enable it later. Would a step by step guide help?
If just having a notes.ini parameter some admin could just set a parameter to disable it and nobody would notice.

Did you know: CScan only looks into mail with attachments. It is designed to not stop messages without attachments.
This would "only" stop mail with attachments.
But yes there should be simple way to disable it temporary. But this should be rather a database setting than just a notes.ini from my point of view.

The database setting exists. Maybe a documentation of the steps will help?

-- Daniel