Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

alt

Daniel Nashed

Daniel Nashed's Blog

DE-Mail Mail-Template with Command Line DNS Lookup

Daniel Nashed – 8 June 2016 05:43:38
We ran into a limitation with the DE-Mail Template that T-System implemented in their Notes Mail Template.

It turned out that they are invoking a cmd.exe because this is the only way to return data directly from nslookup to the application with a redirect on Windows.
The function is used to check if the recipient's domain is a DE-Mail domain and queries SRV records defined in RFC RFC 2782 (check https://en.wikipedia.org/wiki/SRV_record for details).

SRV Records can not be queried with  simple DNS lookup but need a more complex syntax as shown in the example below.

Here is the actual code in the DE-Mail Template:

'Call executeAndWait("CMD.EXE /C nslookup -type=SRV _ldaps._tcp."+domain+ipPart+" 2> "+tmpFilePath)

Example nslookup:

nslookup -type=SRV _ldaps._tcp.web.de-mail.de

Non-authoritative answer:
_lDAPS._tCP.wEb.de-mAIl.de      SRV service location:
          priority       = 0
          weight         = 5
          port           = 636
          svr hostname   = oevd.sec.de-mail.de


We have asked T-Systems to enhance the code a quite while ago because usually cmd.exe is not allowed in Citrix environments and it will also not work on Linux and Mac.
It does not look like we are going to get a solution soon., so we implemented your own work-around.

Luckily there is a Java class that implements functionality to query SRV records. Here is the first version of the code I wrote.
I have added a Java agent and a function to invoke the Java agent to replace the current implementation of the lookup.
The agent is invoked with the document in context from Lotus Script without the need to save the document first.

Feel free to use this code, modify/enhance it and send feedback.

-- Daniel



-- Script Lib "DeMailFunctions" --

- New Function CheckRecipient

Function CheckRecipient (Doc As Notesdocument, Domain As String) As Integer
       
       Dim theAgent As NotesAgent
       Dim AgentString As String
       Dim NoteID As String
       Dim ret As Integer
       Dim demail_recipient As Integer
       Dim db As NotesDatabase
       '1 = no DE-Mail recipient
       '0 = valid DE-Mail domain
       demail_recipient = 1
       
       On Error Goto end_function
       
       Set db = doc.ParentDatabase
       
       doc.nslookup_domain = domain
       Set theAgent = db.GetAgent("nslookup_srv")
       If Not(theAgent Is Nothing) Then
               ret = theAgent.RunWithDocumentContext(doc, "")
               
               If (ret = 0) Then
                       If (doc.nslookup_result(0) <> "") Then
                               ' Print "nslookup.srv result -> " + doc.nslookup_result(0)
                               demail_recipient = 0
                       End If
               End If
       Else
       End If
       
end_function:
       Call doc.RemoveItem ("nslookup_domain")
        Call doc.RemoveItem ("nslookup_result")
        CheckRecipient = demail_recipient        
       Exit Function
       
End Function


-- Change Function "checkRecipients" --

Comment out the following two red lines and add the green line

'Call executeAndWait("CMD.EXE /C nslookup -type=SRV _ldaps._tcp."+domain+ipPart+" 2> "+tmpFilePath)
'If Not checkLookUpResult(tmpFilePath) Then                
       
If (CheckRecipient (doc, domain)) Then        


-- New Agent "(nslookup_srv)" --

Add the following Java Agent code

' Written by Daniel Nashed (nsh@nashcom.de)
import lotus.domino.*;
import java.util.Hashtable;
import java.util.ArrayList;  
import java.util.List;
import javax.naming.*;
import javax.naming.directory.*;

public class JavaAgent extends AgentBase {

   public void NotesMain() {

     try {
         Session session = getSession();
         AgentContext agentContext = session.getAgentContext();
         Document doc = agentContext.getDocumentContext();
         
         if (doc != null)
         {
                 doc.replaceItemValue("nslookup_result", "");
                 String nslookup_domain = doc.getItemValueString("nslookup_domain");
                 String nslookup_dnsserver = doc.getItemValueString("ServerIP");
                 System.out.println("nslookup_domain -->" + nslookup_domain + "< ServerIP --> " + nslookup_dnsserver + "<");
         
                 Hashtable env = new Hashtable();
                 env.put("java.naming.factory.initial", "com.sun.jndi.dns.DnsContextFactory");
                 
                 if (nslookup_dnsserver == "")
                         env.put("java.naming.provider.url", "dns:");
                 else
                         env.put("java.naming.provider.url", "dns://" + nslookup_dnsserver);
                         
                 DirContext ctx = new InitialDirContext(env);
                 
                 try {
                         Attributes attrs = ctx.getAttributes("_ldaps._tcp." + nslookup_domain, new String[] { "SRV" });
                         if(attrs != null && attrs.size() > 0)
                         {
                                 // System.out.println ("---found something---");
                         
                                 NamingEnumeration e = attrs.getAll();  
                                 String lookup_result e.next().toString();
                                 doc.replaceItemValue("nslookup_result", lookup_result);
                         }
                         else
                         {
                                 // System.out.println ("nothing returned");
                         }
                     } catch (NamingException e) {
                             System.out.println ("--- Namelookup Result Catch ---");
                             e.printStackTrace();
                     }

                 doc.recycle();
         }
     } catch(Exception e) {
         System.out.println ("--- Namelookup - General Catch ---");
         e.printStackTrace();
      }
   }
}
...
Comments

1Matthias  08.06.2016 6:43:53  DE-Mail Mail-Template with Command Line DNS Lookup

Nice Daniel,

but are dns lookups towards external domains allowed within the local network from local clients? No security concerns?

2Daniel Nashed  09.06.2016 4:47:26  DE-Mail Mail-Template with Command Line DNS Lookup

@Matthias, the lookup is performed against your local DNS server which forwards the request to an external DNS server.

In addition in the configuration database you can configure a different DNS server which would be used instead of the client configured DNS server.

That is already in the original implementation but they use cmd.exe and nslookup directly for that.

My implementation does the same just wth Java code.

3Matthias  10.06.2016 8:10:46  DE-Mail Mail-Template with Command Line DNS Lookup

Yes I see. I was just wondering if DNS forwarding was or is now a common thing, which companies do. In my opinion it is a security weak spot especially for generic malware. So I thought it is a good point to configure only dnslookups for the local network?!?

4Daniel Nashed  10.06.2016 11:46:15  DE-Mail Mail-Template with Command Line DNS Lookup

@Mathias, not sure I understand what you mean in this case.

The mailfile has to check if a recipient is a DE-Mail recipient and needs to do a DNS lookup.

All clients usually ask a local DNS server. This is how clients work.

In the case of the DE-Mail functionality you could even specify a different DNS server than what the user has configured.

But the concept asking a local DNS server is a general concept. The company DNS server forwards the query to the authorative DNS server.

Not sure how you want to improve that in this case or also in other cases.

Yes there is a general risk. But that risk is not specify here.

-- Daniel

Recent Entries

Feeds

Links

    Archives

    • [HCL Domino]
    • [Domino on Linux]
    • [Nash!Com]
    • [Daniel Nashed]