DE-Mail Mail-Template with Command Line DNS Lookup
Daniel Nashed – 8 June 2016 05:43:38
We ran into a limitation with the DE-Mail template that T-Systems implemented in their Notes mail template. It turned out that they invoke cmd.exe, because on Windows redirecting nslookup's output into a file and reading that file back is the only way to get data from nslookup into the application.
The function is used to check whether the recipient's domain is a DE-Mail domain. It does so by querying the SRV records defined in RFC 2782 (see https://en.wikipedia.org/wiki/SRV_record for details).
SRV records cannot be queried with a plain host-name lookup, which only returns address records; the query has to ask explicitly for record type SRV on the service name _ldaps._tcp.<domain>, as the example below shows.
Here is the actual code in the DE-Mail Template:
Call executeAndWait("CMD.EXE /C nslookup -type=SRV _ldaps._tcp."+domain+ipPart+" 2> "+tmpFilePath)
Example nslookup:
nslookup -type=SRV _ldaps._tcp.web.de-mail.de
Non-authoritative answer:
_lDAPS._tCP.wEb.de-mAIl.de SRV service location:
priority = 0
weight = 5
port = 636
svr hostname = oevd.sec.de-mail.de
We asked T-Systems quite a while ago to change this, because cmd.exe is usually not permitted in Citrix environments and the approach does not work at all on Linux and Mac. It also means that text taken from the recipient's address is spliced unquoted into a shell command line, which a direct DNS API call avoids.
It does not look like we will get a solution soon, so we implemented our own workaround.
Luckily the JDK's JNDI DNS provider (com.sun.jndi.dns.DnsContextFactory) can query SRV records directly. Here is the first version of the code I wrote.
I added a Java agent and a LotusScript function that invokes it, replacing the current implementation of the lookup.
The agent runs with the document in context, passed from LotusScript via RunWithDocumentContext, so the document does not need to be saved first.
Feel free to use this code, modify/enhance it and send feedback.
-- Daniel
-- Script Lib "DeMailFunctions" --
- New Function CheckRecipient
' Returns 0 if an SRV record _ldaps._tcp.<domain> exists (valid DE-Mail domain), 1 otherwise.
' The lookup itself is delegated to the Java agent "nslookup_srv", which reads the domain
' from the item nslookup_domain and writes its answer to the item nslookup_result.
' Both items are temporary and are removed again before the function returns.
Function CheckRecipient (doc As NotesDocument, domain As String) As Integer
    Dim db As NotesDatabase
    Dim theAgent As NotesAgent
    Dim ret As Integer
    Dim demail_recipient As Integer

    '1 = no DE-Mail recipient
    '0 = valid DE-Mail domain
    demail_recipient = 1
    On Error Goto end_function

    Set db = doc.ParentDatabase
    doc.nslookup_domain = domain

    Set theAgent = db.GetAgent("nslookup_srv")
    If Not (theAgent Is Nothing) Then
        ' Runs the agent with doc as its document context; 0 means the run succeeded
        ret = theAgent.RunWithDocumentContext(doc, "")
        If (ret = 0) Then
            If (doc.nslookup_result(0) <> "") Then
                ' Print "nslookup.srv result -> " + doc.nslookup_result(0)
                demail_recipient = 0
            End If
        End If
    End If

end_function:
    ' Clean up the temporary items regardless of the outcome
    Call doc.RemoveItem("nslookup_domain")
    Call doc.RemoveItem("nslookup_result")
    CheckRecipient = demail_recipient
    Exit Function
End Function
-- Change Function "checkRecipients" --
Comment out the following two lines (the cmd.exe call and the check of the redirected output file) and replace them with the call to CheckRecipient. The branch logic stays the same: CheckRecipient returns 1 (True) exactly when no SRV record was found, which is the case the old "If Not checkLookUpResult" handled.
'Call executeAndWait("CMD.EXE /C nslookup -type=SRV _ldaps._tcp."+domain+ipPart+" 2> "+tmpFilePath)
'If Not checkLookUpResult(tmpFilePath) Then
If (CheckRecipient (doc, domain)) Then
-- New Agent "(nslookup_srv)" --
Add the following Java Agent code
// Written by Daniel Nashed (nsh@nashcom.de)
// Agent "(nslookup_srv)": reads the domain to check from the item nslookup_domain
// of the document in context, queries the SRV record _ldaps._tcp.<domain> through
// the JDK's JNDI DNS provider and stores the first answer in the item nslookup_result
// (empty string if nothing was found). If the item ServerIP holds a DNS server
// address, that server is queried instead of the resolver configured on the client.
import lotus.domino.*;
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;

public class JavaAgent extends AgentBase {
    public void NotesMain() {
        try {
            Session session = getSession();
            AgentContext agentContext = session.getAgentContext();
            Document doc = agentContext.getDocumentContext();
            if (doc != null) {
                doc.replaceItemValue("nslookup_result", "");
                String nslookup_domain = doc.getItemValueString("nslookup_domain");
                String nslookup_dnsserver = doc.getItemValueString("ServerIP");
                System.out.println("nslookup_domain -->" + nslookup_domain + "< ServerIP --> " + nslookup_dnsserver + "<");

                Hashtable<String, String> env = new Hashtable<String, String>();
                env.put("java.naming.factory.initial", "com.sun.jndi.dns.DnsContextFactory");
                // "dns:" without a host uses the resolver configured on the machine.
                // Compare with isEmpty()/equals(), not ==, which only compares references.
                if (nslookup_dnsserver.isEmpty())
                    env.put("java.naming.provider.url", "dns:");
                else
                    env.put("java.naming.provider.url", "dns://" + nslookup_dnsserver);

                DirContext ctx = new InitialDirContext(env);
                try {
                    Attributes attrs = ctx.getAttributes("_ldaps._tcp." + nslookup_domain, new String[] { "SRV" });
                    if (attrs != null && attrs.size() > 0) {
                        // One Attribute per requested record type; its toString() carries the
                        // record id and value(s), e.g. "SRV: 0 5 636 oevd.sec.de-mail.de."
                        NamingEnumeration<? extends Attribute> values = attrs.getAll();
                        String lookup_result = values.next().toString();
                        doc.replaceItemValue("nslookup_result", lookup_result);
                    }
                } catch (NamingException e) {
                    // A NameNotFoundException here means no such SRV record exists,
                    // i.e. the domain is not a DE-Mail domain; nslookup_result stays empty.
                    System.out.println("--- Namelookup Result Catch ---");
                    e.printStackTrace();
                } finally {
                    ctx.close();
                }
                doc.recycle();
            }
        } catch (Exception e) {
            System.out.println("--- Namelookup - General Catch ---");
            e.printStackTrace();
        }
    }
}
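What nslookup -type=SRV and the JNDI call in the agent actually do on the wire, as an added example that is not part of the original post or the DE-Mail template: build the SRV query for _ldaps._tcp.<domain>, parse the answer section (including compression pointers), and choose a target the way RFC 2782 prescribes rather than taking the first record as the agent does. The response bytes are constructed for this example to mirror the nslookup output shown above (0 5 636 oevd.sec.de-mail.de) plus an invented lower-preference record; the host-name check in front of the query builder is my addition and is not something the template does.

```python
"""SRV lookup on the DNS wire format (RFC 1035 names, RFC 2782 records).
Added example, not code from the blog post or the DE-Mail template. It does by hand
what nslookup -type=SRV and the JNDI DnsContextFactory do underneath, and adds the
RFC 2782 target selection that the agent skips by taking the first record."""
import random
import re
import struct

QTYPE_SRV = 33
_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_hostname(domain):
    """True for a plain host name (RFC 1035 labels only). The template takes the
    domain from the recipient address, so validate it before it reaches any
    command line or query builder (this check is an addition of this example)."""
    labels = domain.rstrip(".").split(".")
    return 0 < len(domain) <= 253 and all(_LABEL.match(x) for x in labels)


def encode_name(name):
    """Wire-format name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_srv_query(domain, txid=0x1234):
    """Header (id, flags=RD, qdcount=1) + question _ldaps._tcp.<domain> SRV IN."""
    if not is_hostname(domain):
        raise ValueError("refusing to look up %r" % domain)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name("_ldaps._tcp." + domain) + struct.pack(">HH", QTYPE_SRV, 1)


def decode_name(msg, off):
    """Decode a name that may use compression pointers; return (name, next offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # 11xxxxxx: pointer into the message
            if end is None:
                end = off + 2              # the name ends after the first pointer
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_srv_answers(msg):
    """Return [(priority, weight, port, target), ...] from the answer section."""
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F:                     # RCODE != 0, e.g. NXDOMAIN: no records
        return []
    off = 12
    for _ in range(qdcount):               # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4
    records = []
    for _ in range(ancount):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_SRV:
            prio, weight, port = struct.unpack(">HHH", msg[off:off + 6])
            target, _ = decode_name(msg, off + 6)
            records.append((prio, weight, port, target))
        off += rdlen                       # other record types are skipped, not resolved
    return records


def select_target(records, rng=random):
    """RFC 2782: lowest priority wins; among equals, pick at random by weight."""
    if not records:
        return None
    best = min(r[0] for r in records)
    pool = sorted((r for r in records if r[0] == best), key=lambda r: r[1])
    total = sum(r[1] for r in pool)
    pick = rng.randint(0, total) if total else 0
    for r in pool:
        pick -= r[1]
        if pick <= 0:
            return r
    return pool[-1]


def sample_response():
    """Constructed reply for _ldaps._tcp.web.de-mail.de: the record nslookup shows on
    the page (0 5 636 oevd.sec.de-mail.de) plus an invented backup at priority 10."""
    question = encode_name("_ldaps._tcp.web.de-mail.de") + struct.pack(">HH", QTYPE_SRV, 1)

    def rr(prio, weight, port, target):   # answer RR whose name points back to the question
        rdata = struct.pack(">HHH", prio, weight, port) + encode_name(target)
        return b"\xC0\x0C" + struct.pack(">HHIH", QTYPE_SRV, 1, 300, len(rdata)) + rdata

    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    return header + question + rr(0, 5, 636, "oevd.sec.de-mail.de") + rr(10, 0, 636, "backup.example.invalid")
```

To run this against a real resolver, send build_srv_query(domain) over UDP to port 53 of the DNS server (the client's configured resolver or the one from the ServerIP item), check that the first two bytes of the reply match the query's transaction id, and hand the reply to parse_srv_answers. For a domain that is not a DE-Mail domain the resolver answers NXDOMAIN or with an empty answer section; both parse to an empty list, which corresponds to the agent leaving nslookup_result empty.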
...
- Comments [4]
1. Matthias, 08.06.2016 6:43:53
Nice Daniel,
but are dns lookups towards external domains allowed within the local network from local clients? No security concerns?
2. Daniel Nashed, 09.06.2016 4:47:26
@Matthias, the lookup is performed against your local DNS server which forwards the request to an external DNS server.
In addition in the configuration database you can configure a different DNS server which would be used instead of the client configured DNS server.
That is already in the original implementation but they use cmd.exe and nslookup directly for that.
My implementation does the same, just with Java code.
3. Matthias, 10.06.2016 8:10:46
Yes, I see. I was just wondering if DNS forwarding was or is now a common thing which companies do. In my opinion it is a security weak spot, especially for generic malware. So I thought it is a good point to configure DNS lookups only for the local network?!?
4. Daniel Nashed, 10.06.2016 11:46:15
@Matthias, not sure I understand what you mean in this case.
The mailfile has to check if a recipient is a DE-Mail recipient and needs to do a DNS lookup.
All clients usually ask a local DNS server. This is how clients work.
In the case of the DE-Mail functionality you could even specify a different DNS server than what the user has configured.
But the concept of asking a local DNS server is a general concept. The company DNS server forwards the query to the authoritative DNS server.
Not sure how you want to improve that in this case or also in other cases.
Yes, there is a general risk. But that risk is not specific here.
-- Daniel