Monday, 8 April 2013

Mail encryption using IBM Traveler in a multi-domain environment

Lots of members of the Notes blogging community share stuff all the time. I'm not one of them, I know that, but I thought I'd share this with you.

I remember Paul Mooney, in his presentations at IBM Connect (I think it was the AdminBlast), strongly advocating keeping your Traveler server(s) in a separate Domino domain from your production mail environment.

This is because Traveler is constantly being updated to support the latest devices and features, so administrators should keep the Traveler server on the latest versions and patches of both Domino and Traveler, regardless of whether the rest of the environment is running 8.* or 9.*.

Similarly, best practice suggests that administrators should keep Sametime servers in their own domain too. Let's face it, Sametime is a very delicate little flower; it needs a lot of love, care and attention when patching, so you might not want a Domino 8.5.3 Domino Directory running on your Domino 8.5.2 server running Sametime 8.5.1. Actually, that combination probably works, but you get the idea! :)

Anyway, here's the issue...  

By default, Traveler will tell your users that mail encryption will work, but under the conditions below it actually won't.
I assume the following:

1. You're running ID Vault on your mail servers.
2. Your users have not uploaded their Notes IDs to their mailboxes to access encrypted content via Domino Web Access.

Here's the evidence for the prosecution:
  • My Traveler server is in a separate domain to my mail servers.
  • The following information is displayed when dumping a user's Traveler profile to text:

    "Notes ID: Mail File does not contain the Notes ID."

    "Encrypting, decrypting and signing messages are enabled because the Notes ID is in the mail file or the ID vault."
  • When the user tries to open an encrypted email, it fails, and the failure looks different depending on the device. In my testing:

    - iOS: Error: "There is no Notes id for your user on Traveler"

    - Android: There's no error message. When the user clicks the Download button in the message, he is prompted for his Notes password. The device hourglasses for a moment and then the email is not displayed.

Simply put, ID Vault does not authenticate users across domains. There is an IBM SPR about this (SPR #YDEN8FFERA) against which you can log a feature request.
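The practical check here is to find out, before users start complaining, which of them will hit this error. The two dump lines above are contradictory on their own: "Mail File does not contain the Notes ID" plus "enabled because the Notes ID is in the mail file or the ID vault" can only mean the vault, and the vault half does not hold across domains. The script below is an added example (my own, not code from the original post or from IBM): it takes the text of each user's Traveler profile dump, matches the two lines quoted above, and reports who will fail. The positive wording "Mail File contains the Notes ID", the sample dump texts and the user names are constructed for illustration and are not taken from a real Traveler server.

```python
"""Triage IBM Traveler profile dumps for the cross-domain ID Vault trap.

Added example, not code from the original post. It assumes the Traveler
profile dumps have already been captured as text, one per user. The
negative and "enabled" lines are the wording quoted in the post; the
positive "Mail File contains the Notes ID" wording is an assumption and
should be adjusted to match what your own dumps say.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Wording quoted in the post, matched case-insensitively.
NO_ID_IN_MAILFILE = re.compile(r"Mail File does not contain the Notes ID", re.I)
ENCRYPTION_ENABLED = re.compile(
    r"Encrypting, decrypting and signing messages are enabled", re.I)
# Assumed wording for the positive case; not quoted in the post.
ID_IN_MAILFILE = re.compile(r"Mail File contains the Notes ID", re.I)


@dataclass
class Verdict:
    user: str
    id_in_mailfile: Optional[bool]   # None: the dump did not say either way
    encryption_reported: bool        # what Traveler told the user
    status: str                      # see assess_dump


def assess_dump(user: str, dump_text: str,
                traveler_in_separate_domain: bool) -> Verdict:
    """Classify one user's dump.

    Traveler reports encryption as enabled when the Notes ID is either in
    the mail file or in the ID Vault. When the Traveler server is in a
    different Domino domain from the mail servers, the vault branch does
    not work, so "enabled" with no ID in the mail file means the user
    will fail to open encrypted mail on the device.
    """
    if NO_ID_IN_MAILFILE.search(dump_text):
        id_in_mf: Optional[bool] = False
    elif ID_IN_MAILFILE.search(dump_text):
        id_in_mf = True
    else:
        id_in_mf = None
    enabled = bool(ENCRYPTION_ENABLED.search(dump_text))

    if not enabled:
        status = "encryption_disabled"      # nothing promised, nothing to fix
    elif id_in_mf is True:
        status = "ok"                       # ID in mail file works in any domain
    elif id_in_mf is None:
        status = "unknown"                  # dump lacked the Notes ID line
    elif traveler_in_separate_domain:
        status = "will_fail_cross_domain"   # the contradiction from the post
    else:
        status = "ok_via_vault"             # same domain: vault lookup works
    return Verdict(user, id_in_mf, enabled, status)


def users_to_notify(dumps: Dict[str, str],
                    traveler_in_separate_domain: bool) -> List[str]:
    """Users who should upload their Notes ID to their mail file."""
    return sorted(
        user for user, text in dumps.items()
        if assess_dump(user, text, traveler_in_separate_domain).status
        == "will_fail_cross_domain")


# Constructed sample dumps: only the two relevant lines are modelled.
SAMPLE_DUMPS = {
    "alice": (
        "Notes ID: Mail File does not contain the Notes ID.\n"
        "Encrypting, decrypting and signing messages are enabled because "
        "the Notes ID is in the mail file or the ID vault.\n"),
    "bob": (
        "Notes ID: Mail File contains the Notes ID.\n"          # assumed wording
        "Encrypting, decrypting and signing messages are enabled because "
        "the Notes ID is in the mail file or the ID vault.\n"),
    "carol": (
        "Notes ID: Mail File does not contain the Notes ID.\n"
        "Encrypting, decrypting and signing messages are disabled.\n"),  # constructed
}

if __name__ == "__main__":
    for name, text in SAMPLE_DUMPS.items():
        v = assess_dump(name, text, traveler_in_separate_domain=True)
        print(f"{v.user:8} id_in_mailfile={v.id_in_mailfile!s:5} "
              f"reported_enabled={v.encryption_reported!s:5} -> {v.status}")
    print("notify:", users_to_notify(SAMPLE_DUMPS, True))
```

Run it with `traveler_in_separate_domain=False` against the same dumps and alice drops out of the notify list, which is exactly the behaviour the post describes: the dump text is identical, only the domain layout decides whether the vault promise is kept.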

My frustration here is that Traveler says that access to encrypted emails this way will work, but in fact it doesn't.

The easiest way to fix this is to advise users who want to access encrypted emails through their devices to upload their Notes ID to their mailboxes. This can be done from your Traveler server's website. All they need to do is:
  1. Log into the Traveler server's website.
  2. Click "Manage the Notes id".
  3. Click "Upload the Notes id".
  4. Browse to the Notes ID file, and enter the password for the ID as shown.

Another workaround to this issue would be to automate the addition of Notes IDs from ID Vault into the user's mail database. A third-party tool is available to do this (I've not tried it, but I'd be interested to know if you have!) provided by Helpsoft*.

Another workaround might be to move your Traveler server into the same Domino domain as your mail servers. If you're happy keeping your mail servers at the latest-ish release of Domino, then you'll probably be ok. Just be careful with those Sametime or Quickr boxes though.

* I am in no way affiliated with Helpsoft, but I have been a very satisfied user of some of their products for some time.