Using CIDR Notation In IBM Domino Configuration

There are multiple resources that suggest CIDR notation may be used in an IBM Domino server's configuration, for instance "IP address filter for SMTP inbound connection controls" and "CIDR address not working on AS400". However, in ALL of my testing, I've NEVER seen it work.

The ugly work-around is to convert the CIDR block into a format that IS accepted. One shortcut is this excellent tool, which converts a CIDR block into a first-last IP range: CIDR TO IP RANGES CONVERTER.

Once you have the range, you’ll still need to “manually” format it.

For instance, the entries below (the IBM column of the original table) show the shape Domino accepts: octets fully covered by the prefix stay as numbers, the one partially covered octet is written as a low-high range, and octets outside the prefix become *:

  23.103.160-175.*
  23.103.224-255.*
  40.96-103.*.*
  40.104-105.*.*
  111.221.112-119.*
  132.245.*.*
  134.170.68-69.*
  157.56.232-239.*
  157.56.240-255.*
  191.232.96-127.*
  191.234.140-143.*
  191.234.224-227.*
  206.191.224-255.*
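Doing the conversion by hand is error-prone, so here is an added example (my own script, not from the original post or from IBM) that turns CIDR blocks into the per-octet range syntax shown above. It assumes Domino takes exactly the low-high octet form the table uses; the CIDR inputs in the main block are ones I constructed to reproduce entries from that table, and whether every connection-control field accepts the range form is something to confirm on your own server.

```python
"""Convert CIDR blocks into the per-octet range syntax Domino accepts.

Domino's connection-control fields do not understand "a.b.c.d/n", but they
do take one entry per octet: a fixed number, a low-high range, or * for any
value. A CIDR prefix splits the address at a bit boundary, so at most one
octet is partially covered and every CIDR block maps to exactly one entry.
"""
import ipaddress


def cidr_to_ip_range(cidr: str) -> tuple[str, str]:
    """First and last address of the block (what the online converter prints)."""
    net = ipaddress.IPv4Network(cidr, strict=False)  # strict=False: tolerate host bits
    return str(net.network_address), str(net.broadcast_address)


def cidr_to_domino(cidr: str) -> str:
    """Return the Domino entry, e.g. 23.103.160.0/20 -> '23.103.160-175.*'."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    parts = []
    for index, octet in enumerate(net.network_address.packed):
        # How many of this octet's 8 bits the prefix pins down (0..8).
        fixed_bits = max(0, min(8, net.prefixlen - 8 * index))
        if fixed_bits == 8:
            parts.append(str(octet))            # fully fixed octet
        elif fixed_bits == 0:
            parts.append("*")                   # fully variable octet
        else:
            span = (1 << (8 - fixed_bits)) - 1  # host bits inside this octet
            parts.append(f"{octet}-{octet | span}")
    return ".".join(parts)


def cidrs_to_domino(cidrs):
    """Convert a list of blocks to Domino entries, one per list element."""
    return [cidr_to_domino(c) for c in cidrs]


if __name__ == "__main__":
    # Constructed inputs (assumption): chosen to reproduce table entries above,
    # plus a /32, and a block given with host bits set to show normalisation.
    for block in ("23.103.160.0/20", "40.96.0.0/13", "132.245.0.0/16",
                  "191.234.140.0/22", "192.0.2.7/32", "23.103.170.5/20"):
        first, last = cidr_to_ip_range(block)
        print(f"{block:>18}  {first}-{last:<16}  {cidr_to_domino(block)}")
```

Because the partial octet is unique, the output is always a single Domino entry; a hand-typed range that crosses an octet boundary (such as 160.0-175.255) is a sign the conversion was done wrong.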

DCT Idiosyncrasies

While tinkering with Domino Configuration Tuner today, I noticed that it recommends adding Debug_Logger_Buf_Full_No_Wait=1. However, rerunning DCT after adding the entry yields a different recommendation:

One or more settings were found in NOTES.INI that usually should not be set: 

Looks like something squeaked by QA.

Another finding worth mentioning is the recommendation to use CREATE_R85_LOG=1. I don’t necessarily have a problem with that recommendation, but the suggested implementation method is atrocious:

Bring down the server. Back up existing transaction logs, then delete them. Set Create_R85_Log=1 in the server NOTES.INI and restart the Domino server to have new logs created using the updated format. The new logs will have properly aligned I/O blocks. There is no need to verify the current block size. Domino will correctly format the log even if the block size is 512.

Um, don't do it that way, please. If you want to use CREATE_R85_LOG=1:

  1. Set it in the ini (or via the config doc).
  2. Disable transaction logging for the server via the server doc.
  3. Restart the server.
  4. Verify via a “show server” console command that transaction logging is, in fact, disabled.
  5. Via the OS, delete the transaction log files (including the nlogctrl.lfh file).
  6. Enable transaction logging for the server via the server doc.
  7. Restart the server.

Running Domino Commands in PowerShell

To avoid "Unable to open log file" and "log.nsf: File does not exist" errors, remember to always start PowerShell in "Run as Administrator" mode.

In newer versions such as Microsoft Windows Server 2012 R2, navigate to the Domino binary directory and then prepend ".\" (without the quotes and with no spaces) to the traditional nwhatever.exe, because PowerShell does not run executables from the current directory unless the path is given explicitly.

For example, when binaries are at c:\lotus\domino and you want to run a copy-style compact on the entire data directory…

Start PowerShell in "Run as Administrator" mode and your command line will look like this:

PS C:\lotus\domino> .\ncompact.exe -c

TLS For Domino SMTP

If you already use, or are considering enabling, secure SMTP sessions via STARTTLS on Domino, you should either disable it and wait for now (until SPR# MKENA4SQ7R is resolved in an Interim Fix or 9.0.1 FP6), obtain the hotfix(es) directly from IBM, or accept that TLS delivery/receipt will fail with (at least) some addresses.

For those using (or planning to use) TLS, you should also look at adding the SSL_SESSION_SIZE notes.ini setting. When the setting is absent, the value defaults to 5000, which is too low to avoid errors like:

02/25/2016 12:23:52 PM New SSL session data length of 5121 bytes is larger than the current size of 5000 bytes.
02/25/2016 12:23:52 PM You may want to set the Notes.ini variable SSL_SESSION_SIZE to at least 5121 bytes.

Note that the server suggested the 5121 value in this example (presumably based upon the handshake with the external server) and I’ve been unable, as yet, to find any other scientific method for determining what other value might be better.
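Since the server reports the size it needed each time a session fails to fit, the practical approach is to take the largest value seen over a whole console log rather than the first one you notice. The following is an added example (my own script, not from the original post or from IBM) that does that; the console lines in it are constructed to match the two-line warning above, with a second peer added, and the default of 5000 is taken from the text above.

```python
"""Scan Domino console output for the SSL_SESSION_SIZE warning and report
the smallest notes.ini value that would have satisfied every session seen.

Each peer that overflows the buffer produces its own warning with its own
size, so the value to configure is the maximum over the log, not the
number printed by any single warning.
"""
import re

# First line of the warning pair Domino prints (quoted in the text above).
SESSION_TOO_SMALL = re.compile(
    r"New SSL session data length of (?P<needed>\d+) bytes is larger than "
    r"the current size of (?P<current>\d+) bytes"
)

DEFAULT_SSL_SESSION_SIZE = 5000  # Domino's default when the setting is absent

# Constructed sample (assumption): the page's two lines plus a later peer
# that needed more, and one unrelated line to show it is ignored.
CONSOLE_LOG = [
    "02/25/2016 12:23:52 PM New SSL session data length of 5121 bytes is larger than the current size of 5000 bytes.",
    "02/25/2016 12:23:52 PM You may want to set the Notes.ini variable SSL_SESSION_SIZE to at least 5121 bytes.",
    "02/25/2016 02:41:07 PM New SSL session data length of 6010 bytes is larger than the current size of 5000 bytes.",
    "02/25/2016 02:41:07 PM You may want to set the Notes.ini variable SSL_SESSION_SIZE to at least 6010 bytes.",
    "02/25/2016 03:00:00 PM SMTP Server: Started",
]


def scan_ssl_session_warnings(lines):
    """Return (current_size, max_needed, count).

    current_size is the buffer size Domino reported (None if no warning was
    seen), max_needed the largest session that failed to fit (None if none),
    count the number of warnings found.
    """
    current, needed, count = None, 0, 0
    for line in lines:
        m = SESSION_TOO_SMALL.search(line)
        if not m:
            continue
        count += 1
        current = int(m.group("current"))
        needed = max(needed, int(m.group("needed")))
    return current, (needed or None), count


def recommended_ssl_session_size(lines):
    """notes.ini line to set, or None when no session overflowed the buffer."""
    _current, needed, count = scan_ssl_session_warnings(lines)
    if count == 0:
        return None
    return f"SSL_SESSION_SIZE={needed}"


if __name__ == "__main__":
    current, needed, count = scan_ssl_session_warnings(CONSOLE_LOG)
    print(f"{count} warning(s); buffer is {current or DEFAULT_SSL_SESSION_SIZE}, "
          f"largest session needed {needed}")
    print(recommended_ssl_session_size(CONSOLE_LOG))
```

Re-run the scan after the change and after a few days of traffic: a new peer with a larger session will produce the same warning against the new size, and the script will then report that larger value.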

Disable SMTP-AUTH To Stop Relay Hackers In Their Tracks

Sometimes allowing password authentication makes a system less secure: an SMTP AUTH prompt on an internet-facing listener turns every guessable Domino password into a relay ticket.

Ever notice activity like this on your SMTP-enabled Domino server?

SMTP Server: Authentication failed for user guest ; connecting host
SMTP Server: Authentication failed for user backup ; connecting host

Guess what…  In this case, I am not happy that (Amazon Web Services, Ireland) thinks they need to relay SMTP through my Domino server.

If this hacker manages to guess a valid user name and password combination, they can relay whatever they want through the server.
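Before (or after) changing the configuration, it helps to know how many hosts are guessing and how many different accounts they are trying, because one host cycling through many user names looks nothing like a legitimate user mistyping a password. The following is an added example (my own script, not from the original post) that tallies the console lines above per connecting host. The sample log is constructed: the page's lines end at "connecting host" with the address removed, so the host token format after it, and the documentation-range addresses, are assumptions.

```python
"""Tally SMTP AUTH failures per connecting host in Domino console output.

Repeated failures from one host across many user names are the signature
of a relay-credential guessing campaign; the tally tells you which hosts to
block and how much noise would disappear if SMTP AUTH were switched off on
the internet-facing listener.
"""
import re
from collections import Counter, defaultdict

# Assumed shape: the page's message followed by the connecting address.
AUTH_FAILED = re.compile(
    r"SMTP Server: Authentication failed for user (?P<user>\S+)\s*;\s*"
    r"connecting host (?P<host>\S+)"
)

# Constructed sample (assumption): one host walking a list of common account
# names, one user who fat-fingered a password once, one unrelated line.
CONSOLE_LOG = [
    "02/25/2016 12:23:52 PM SMTP Server: Authentication failed for user guest ; connecting host 198.51.100.23",
    "02/25/2016 12:23:53 PM SMTP Server: Authentication failed for user backup ; connecting host 198.51.100.23",
    "02/25/2016 12:23:54 PM SMTP Server: Authentication failed for user admin ; connecting host 198.51.100.23",
    "02/25/2016 12:23:55 PM SMTP Server: Authentication failed for user test ; connecting host 198.51.100.23",
    "02/25/2016 12:23:56 PM SMTP Server: Authentication failed for user info ; connecting host 198.51.100.23",
    "02/25/2016 12:23:57 PM SMTP Server: Authentication failed for user sales ; connecting host 198.51.100.23",
    "02/25/2016 12:30:01 PM SMTP Server: Authentication failed for user jsmith ; connecting host 192.0.2.10",
    "02/25/2016 12:30:05 PM SMTP Server: Message 0045A1B2 received",
]


def auth_failures(lines):
    """Return {host: Counter(user -> failures)} for every failed AUTH attempt."""
    by_host = defaultdict(Counter)
    for line in lines:
        m = AUTH_FAILED.search(line)
        if m:
            by_host[m.group("host")][m.group("user")] += 1
    return by_host


def guessing_hosts(lines, min_attempts=5, min_users=3):
    """Hosts over both thresholds as (host, attempts, sorted users), busiest first.

    Requiring several distinct user names keeps a single legitimate user
    who retries a wrong password from being flagged.
    """
    suspects = []
    for host, users in auth_failures(lines).items():
        attempts = sum(users.values())
        if attempts >= min_attempts and len(users) >= min_users:
            suspects.append((host, attempts, sorted(users)))
    return sorted(suspects, key=lambda s: s[1], reverse=True)


if __name__ == "__main__":
    for host, attempts, users in guessing_hosts(CONSOLE_LOG):
        print(f"{host}: {attempts} failed AUTH attempts across {len(users)} users: {', '.join(users)}")
```

Feed it the real console.log (or the output of "show tasks"-style log dumps) and the flagged hosts are the ones worth blocking at the firewall; the per-user view also shows whether any attempted name is a real account that needs a password review.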

There is a quick fix that prevents these attempts from ever succeeding at circumventing SMTP relay restrictions, provided no legitimate clients depend on authenticated submission through this listener:

If you are NOT using Internet Site documents, set the following field(s) to “No” in the corresponding server’s Server Document:


If you ARE using Internet Site documents, just change the following field(s) to “No”:


Want more info? Read more here.

Happy hacker snubbing!


Circumventing the DCT Loop

Domino Configuration Tuner is one of many often-overlooked Domino administration and assessment tools. Another obstacle to its use is the annoying message "Lotus Notes has automatically updated some required files for this application. Before you can use the DCT you need to restart your Notes Client." The problem is that restarting the Notes Client does not improve the situation. You may also notice the following on the status bar: "Unable to deploy 1 updated file (probably locked and in use)".

One way to resolve the issue:

  1. Shut down all Notes programs running on your workstation.
  2. Delete your local dct.nsf and dct.ntf
  3. Download the “latest” dct.ntf version:
  4. Put dct.ntf in your Notes data directory.
  5. Restart Windows in Safe Mode (press F8 while restarting)
  6. Launch Notes and start Domino Configuration Tuner
  7. If prompted to restart Notes, restart Notes and try launching DCT again.

Agent Disabled During Design Update

I encountered the following fun when deploying Brian Green’s Domino TeamMailbox recently. The concept applies to any design, not just the TeamMailbox.

Designer: Agent ‘New Mail Reminder’ in ‘mailin\xyz.nsf’ disabled during Design Update from template ‘teambox3.ntf’. Agent signer ‘Server1/servers/abc’.: Enabled status can be preserved only on the server where the agent is scheduled to run or, for mail agents, on the home mail server. Enabled status cannot be preserved if ‘-Any server-‘ is specified for the agent.

I found the following in IBM Lotus Domino Administrator Help 8.x:

Updating the design of an enabled agent
In pre-8.0 releases of IBM Lotus Domino, when a design update for enabled agents occurred, the agents were disabled and stopped running. This occurred because there was no mechanism to update the agent's design and retain the original signature of the agent. In Domino 8, design update can update many enabled agents without disabling the agents.

In Domino 8, design update preserves the identity of the agent owner in the “On Behalf” field and re-signs the agent with the server ID. The agent’s enabled status is preserved only if the original agent owner has the rights to run agents and if the agent is scheduled to run on the server on which the design update is performed. The server has explicit rights to run agents only on itself. If the agent’s enabled status cannot be preserved, the design update is performed and a warning message is generated and sent to the server console as well as to the Domino Domain Manager.

You may see the warning messages shown in the examples below depending on who signs the agent.

In this example, the agent was signed by the server, ServerA/DomainA, which did not have rights to run agents on the server Test/Acme. Design update updated the agent design and left the agent disabled.

Warning generated on server TEST/ACME:
Designer: Agent 'OutOfOffice' in 'mail\rooks.nsf' disabled during Design Update from template 'mail8.ntf'. Agent signer 'ServerA/DomainA'.: Users without rights to sign 'On Behalf' agents can only run agents on their own behalf.
In this example, the agent was specified to run on -any server-; therefore, its enabled state could not be preserved because it could not be signed with the server ID Test/DomainB ID. If the agent was signed with Test/DomainB ID, the agent would not run on any server other than Test/DomainB, which was not the intention of the agent designer. Design update updated the design of the agent and left it disabled.

Warning message generated on server Test/DomainB:
Designer: Agent ‘LotusInboxCleanup’ in ‘AdminSurvey2007.nsf’ disabled during Design Update from template ‘mail8.ntf’. Agent signer ‘Lotus Notes Template Development/Lotus Notes’.: Enabled status can be preserved only on the server where the agent is scheduled to run or, for mail agents, on the home mail server. Enabled status cannot be preserved if ‘-Any server-‘ is specified for the agent.

Presumed Solution
So the solution would seem to be editing (signing) the agent with an ID that has rights to run agents on the target server AND scheduling the agent on a specific server (for mail agents, the home mail server). Using '-Any server-' is a no-no.