Task:
Know the Notes/Domino ports and set-up typical security precautions for HCL Domino (previously Lotus/IBM) for commonly used web ports.
We will review:
- Domino TCP / SSL Ports
- Firewall Settings
- Server document - Ports set-up
- Internet Site - IP and Security (SSL/TLS) settings.
Default Domino TCP / SSL Ports:
Protocol | TCP Port | SSL Port |
Notes RPC | 1352 | N/A |
HTTP/HTTPS | 80 | 443 |
LDAP | 389 | 636 |
NNTP | 119 | 563 |
IMAP | 143 | 993 |
POP3 | 110 | 995 |
SMTP in/out | 25 | 465 |
IIOP | 63148 | 63149 |
Domino Controller | 2050 | |
Use the following FirewallD commands to open the needed ports on Red Hat / CentOS:
# firewall-cmd --zone=public --add-port=1352/tcp --permanent
# firewall-cmd --zone=public --add-port=80/tcp --permanent
# firewall-cmd --zone=public --add-port=443/tcp --permanent
# firewall-cmd --zone=public --add-port=993/tcp --permanent
In this example we restrict the Domino Controller port, SSH and SMTP (e-mail) to internal networks only. Note the quoting: the rich rule is wrapped in single quotes so the double quotes inside it reach firewalld intact.
# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.199.0/16" port port="2050" protocol="tcp" accept'
# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.199.0/16" port port="22" protocol="tcp" accept'
# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.211.0/28" port port="25" protocol="tcp" accept'
# firewall-cmd --reload
Confirm loaded and running:
# firewall-cmd --state
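After the reload it is worth checking that the zone really matches the intent above: the public Domino ports open to everyone, the Controller, SSH and SMTP ports reachable only through source-restricted rich rules, and no zone service quietly re-opening one of them (the public zone ships with the ssh service enabled, and a rich rule does not remove it). The script below is an added example, not part of the original page or of HCL's tooling; it parses the text that `firewall-cmd --zone=public --list-all` prints and reports any mismatch. The listing embedded in it is constructed for the example.

```python
"""Audit a firewalld zone listing against the Domino port plan on this page.

Added example (not from the original page). Feed it the output of
`firewall-cmd --zone=public --list-all`; the sample below is constructed.
"""
import re

# Ports the page opens to all sources with --add-port.
PUBLIC_PORTS = {1352, 80, 443, 993}
# Ports the page restricts to internal networks with rich rules.
INTERNAL_ONLY_PORTS = {2050, 22, 25}
# Zone services whose presence would re-open a restricted port to everyone.
SERVICE_PORTS = {"ssh": 22, "smtp": 25, "http": 80, "https": 443, "imaps": 993}

# Constructed sample: what the page's commands produce on a stock public zone,
# which still carries the default 'ssh' service.
SAMPLE_LIST_ALL = """\
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports: 1352/tcp 80/tcp 443/tcp 993/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
\trule family="ipv4" source address="192.168.199.0/16" port port="2050" protocol="tcp" accept
\trule family="ipv4" source address="192.168.199.0/16" port port="22" protocol="tcp" accept
\trule family="ipv4" source address="192.168.211.0/28" port port="25" protocol="tcp" accept
"""

# Matches the single-port rich rules this page uses (source address optional).
RICH_RE = re.compile(
    r'rule family="(?P<family>ipv[46])"'
    r'(?:\s+source address="(?P<source>[^"]+)")?'
    r'\s+port port="(?P<port>\d+)" protocol="(?P<proto>tcp|udp)"'
    r'\s+(?P<action>accept|drop|reject)'
)


def parse_list_all(text):
    """Extract services, unconditionally opened TCP ports and rich rules."""
    zone = {"services": set(), "ports": set(), "rich": []}
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("services:"):
            zone["services"] = set(stripped[len("services:"):].split())
        elif stripped.startswith("ports:"):
            for item in stripped[len("ports:"):].split():
                port, proto = item.split("/")
                if proto == "tcp":
                    zone["ports"].add(int(port))
        elif stripped.startswith("rule "):
            match = RICH_RE.match(stripped)
            if match:
                zone["rich"].append(match.groupdict())
    return zone


def audit(zone):
    """Return findings as strings; an empty list means the zone matches the plan."""
    findings = []
    for port in sorted(PUBLIC_PORTS - zone["ports"]):
        findings.append(f"port {port}/tcp is not open in the zone")
    for port in sorted(INTERNAL_ONLY_PORTS & zone["ports"]):
        findings.append(f"port {port}/tcp is open to all sources via --add-port")
    for svc, port in SERVICE_PORTS.items():
        if svc in zone["services"] and port in INTERNAL_ONLY_PORTS:
            findings.append(
                f"service '{svc}' opens port {port}/tcp to all sources; "
                f"drop it with --remove-service={svc}"
            )
    for port in sorted(INTERNAL_ONLY_PORTS):
        accepts = [r for r in zone["rich"]
                   if int(r["port"]) == port and r["action"] == "accept"]
        if not accepts:
            findings.append(f"no rich rule admits port {port}/tcp from internal networks")
        for rule in accepts:
            if rule["source"] is None:
                findings.append(f"rich rule for port {port}/tcp has no source restriction")
    return findings


def audit_text(text):
    """Convenience wrapper: listing text in, findings out."""
    return audit(parse_list_all(text))


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_LIST_ALL) or ["zone matches the Domino port plan"]:
        print(finding)
```

Run against a live server with `firewall-cmd --zone=public --list-all | python3 audit_zone.py` after changing the `__main__` block to read `sys.stdin`; on the constructed sample it reports exactly one finding, the default ssh service that makes the port-22 rich rule moot until the service is removed.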
SERVER DOCUMENT:
Assuming you have a TLS (SSL) certificate set up, redirect the non-secure ports of the non-HTTP protocols to their secure ports. Below is an example for the IMAP settings on the Ports tab of the Server document.
- Redirect to SSL (TLS): use the redirect wherever possible and wherever TLS should be forced. We redirect for IMAP, but not globally for Web, so that we can still support non-HTTPS (SSL/TLS) web sites.
- Enforce server access settings: Yes (this enables the Security tab).
Web (HTTP/HTTPS) | |
TCP/IP port number: | 80 |
TCP/IP port status: | Enabled |
Enforce server access settings: | Yes |
SSL port number: | 443 |
SSL port status: | Enabled |
Mail (IMAP) | |
TCP/IP port number: | 143 |
TCP/IP port status: | Redirect to SSL |
Enforce server access settings: | Yes |
SSL port number: | 993 |
SSL port status: | Enabled |
INTERNET SITE DOCUMENT:
Below is an example of our IMAP configuration.
On the Basics tab:
Site Information | |
Descriptive name for this site: | MW Net IMAP |
Organization: | MWNet |
Host names or addresses mapped to this site: | mydomain.com, mydomain.net, 10.1.12.117, 10.1.12.217 |
Domino servers that host this site: | * |
On the Security tab:
- We use name & password authentication, and every name/e-mail with a password is entered only with TLS active.
- Keyring (.kyr and .sth) files must be set up. For the SSL/TLS and Domino keyring set-up, use the instructions in the Domino kyrtool or OpenSSL set-up document in this app.
- When HCL releases Domino updates, new choices are added to the SSL cipher list. After applying patches, click the Modify button and deselect any ciphers that have come to be considered weak since the last review.
TCP Authentication | |
Name & password: | |
SSL Authentication | |
Name & password: | |
Client certificate: | |
SSL Options | |
Key file name: | mw2048-2.kyr |
Protocol version: | V3.0 only |
SSL Security | |
SSL ciphers: | ECDHE_RSA_WITH_AES_256_GCM_SHA384, DHE_RSA_WITH_AES_256_GCM_SHA384, ECDHE_RSA_WITH_AES_128_GCM_SHA256, DHE_RSA_WITH_AES_128_GCM_SHA256, ECDHE_RSA_WITH_AES_256_CBC_SHA384, DHE_RSA_WITH_AES_256_CBC_SHA256, ECDHE_RSA_WITH_AES_128_CBC_SHA256, DHE_RSA_WITH_AES_128_CBC_SHA256, RSA_WITH_AES_256_GCM_SHA384, RSA_WITH_AES_128_GCM_SHA256, RSA_WITH_AES_256_CBC_SHA256, RSA_WITH_AES_128_CBC_SHA256, RSA_WITH_AES_128_CBC_SHA |
Note: Version 9.x Domino servers will ignore this selection. They use the server INI setting SSLCipherSpec instead.
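The cipher review after each patch is easier with a fixed rule set than by eye. The script below is an added example, not part of the original page or of HCL's tooling: it takes cipher names exactly as the Internet Site document lists them and flags the three properties an administrator normally deselects on (RSA key exchange, which gives no forward secrecy; CBC mode; a SHA-1 MAC). Those review rules are the example's own. It also maps the surviving names to their IANA TLS cipher suite codes and concatenates them into an SSLCipherSpec value for 9.x servers; that the notes.ini setting takes the codes concatenated in this way is an assumption to confirm against the HCL notes.ini documentation before use.

```python
"""Review the Domino Internet Site 'SSL ciphers' selection.

Added example (not from the original page). Review rules are the example's
own; the SSLCipherSpec format (4-hex-digit IANA codes run together) is an
assumption to verify against the HCL documentation.
"""

# The selection shown in the Internet Site document on this page.
SELECTED_CIPHERS = [
    "ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "DHE_RSA_WITH_AES_256_GCM_SHA384",
    "ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "DHE_RSA_WITH_AES_128_GCM_SHA256",
    "ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "DHE_RSA_WITH_AES_256_CBC_SHA256",
    "ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "DHE_RSA_WITH_AES_128_CBC_SHA256",
    "RSA_WITH_AES_256_GCM_SHA384",
    "RSA_WITH_AES_128_GCM_SHA256",
    "RSA_WITH_AES_256_CBC_SHA256",
    "RSA_WITH_AES_128_CBC_SHA256",
    "RSA_WITH_AES_128_CBC_SHA",
]

# IANA TLS Cipher Suites registry codes (TLS_ prefix dropped to match Domino's names).
IANA_CODES = {
    "ECDHE_RSA_WITH_AES_256_GCM_SHA384": "C030",
    "DHE_RSA_WITH_AES_256_GCM_SHA384": "009F",
    "ECDHE_RSA_WITH_AES_128_GCM_SHA256": "C02F",
    "DHE_RSA_WITH_AES_128_GCM_SHA256": "009E",
    "ECDHE_RSA_WITH_AES_256_CBC_SHA384": "C028",
    "DHE_RSA_WITH_AES_256_CBC_SHA256": "006B",
    "ECDHE_RSA_WITH_AES_128_CBC_SHA256": "C027",
    "DHE_RSA_WITH_AES_128_CBC_SHA256": "0067",
    "RSA_WITH_AES_256_GCM_SHA384": "009D",
    "RSA_WITH_AES_128_GCM_SHA256": "009C",
    "RSA_WITH_AES_256_CBC_SHA256": "003D",
    "RSA_WITH_AES_128_CBC_SHA256": "003C",
    "RSA_WITH_AES_128_CBC_SHA": "002F",
}


def classify(cipher):
    """Return the reasons (possibly none) to deselect a cipher, in a fixed order."""
    key_exchange = cipher.split("_WITH_")[0]      # e.g. ECDHE_RSA, DHE_RSA, RSA
    reasons = []
    if key_exchange == "RSA":                      # static RSA: no forward secrecy
        reasons.append("no forward secrecy (RSA key exchange)")
    if "_CBC_" in cipher:                          # CBC record layer
        reasons.append("CBC mode")
    if cipher.endswith("_SHA"):                    # bare SHA means HMAC-SHA1
        reasons.append("SHA-1 HMAC")
    return reasons


def review(ciphers):
    """Map every cipher to its list of reasons; empty list means keep."""
    return {c: classify(c) for c in ciphers}


def keep(ciphers):
    """The ciphers that pass every rule, in the order given."""
    return [c for c in ciphers if not classify(c)]


def sslcipherspec(ciphers):
    """Assumed SSLCipherSpec form for 9.x: IANA codes concatenated, preferred first."""
    return "".join(IANA_CODES[c] for c in ciphers)


if __name__ == "__main__":
    for cipher, reasons in review(SELECTED_CIPHERS).items():
        print(f"{'keep    ' if not reasons else 'deselect'} {cipher}  {'; '.join(reasons)}")
    print("SSLCipherSpec=" + sslcipherspec(keep(SELECTED_CIPHERS)))
```

On the page's list this keeps the four ECDHE/DHE GCM suites and marks the rest, from a single reason (CBC) on the ECDHE/DHE CBC suites up to three on RSA_WITH_AES_128_CBC_SHA. Tighten or relax `classify` to match your own review policy; the ordering of the kept list is what the server will prefer.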