Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...


Daniel Nashed


    DE-Mail Mail-Template with Command Line DNS Lookup

    Daniel Nashed  8 June 2016 07:43:38
    We ran into a limitation with the DE-Mail Template that T-Systems implemented in their Notes Mail Template.

    It turned out that they are invoking cmd.exe because this is the only way to return data directly from nslookup to the application with a redirect on Windows.
    The function checks whether the recipient's domain is a DE-Mail domain by querying SRV records, which are defined in RFC 2782 (check it for details).

    SRV records cannot be queried with a simple DNS lookup but need a more complex syntax, as shown in the example below.

    Here is the actual code in the DE-Mail Template:

    'Call executeAndWait("CMD.EXE /C nslookup -type=SRV _ldaps._tcp."+domain+ipPart+" 2> "+tmpFilePath)

    Example nslookup:

    nslookup -type=SRV

    Non-authoritative answer:      SRV service location:
              priority       = 0
              weight         = 5
              port           = 636
              svr hostname   =

    We asked T-Systems to enhance the code quite a while ago, because cmd.exe is usually not allowed in Citrix environments and it also will not work on Linux and Mac.
    It does not look like we are going to get a solution soon, so we implemented our own workaround.

    Luckily there is a Java class that implements functionality to query SRV records. Here is the first version of the code I wrote.
    I have added a Java agent and a function to invoke the Java agent to replace the current implementation of the lookup.
    The agent is invoked from LotusScript with the document in context, without the need to save the document first.

    Feel free to use this code, modify/enhance it and send feedback.

    -- Daniel

    -- Script Lib "DeMailFunctions" --

    - New Function CheckRecipient

    Function CheckRecipient (Doc As NotesDocument, Domain As String) As Integer
        Dim theAgent As NotesAgent
        Dim AgentString As String
        Dim NoteID As String
        Dim ret As Integer
        Dim demail_recipient As Integer
        Dim db As NotesDatabase

        ' 1 = no DE-Mail recipient
        ' 0 = valid DE-Mail domain
        demail_recipient = 1

        On Error Goto end_function

        Set db = doc.ParentDatabase
        ' Hand the domain to the Java agent through a temporary item on the in-memory document
        doc.nslookup_domain = domain
        Set theAgent = db.GetAgent("nslookup_srv")

        If Not(theAgent Is Nothing) Then
            ret = theAgent.RunWithDocumentContext(doc, "")
            If (ret = 0) Then
                ' The agent leaves nslookup_result empty when no SRV record was returned
                If (doc.nslookup_result(0) <> "") Then
                    ' Print "nslookup.srv result -> " + doc.nslookup_result(0)
                    demail_recipient = 0
                End If
            End If
        End If

    end_function:
        ' Remove the temporary items so they are not saved with the document
        Call doc.RemoveItem ("nslookup_domain")
        Call doc.RemoveItem ("nslookup_result")
        CheckRecipient = demail_recipient
        Exit Function
    End Function

    -- Change Function "checkRecipients" --

    Comment out the first two lines below (red) and add the third line (green):

    'Call executeAndWait("CMD.EXE /C nslookup -type=SRV _ldaps._tcp."+domain+ipPart+" 2> "+tmpFilePath)

    'If Not checkLookUpResult(tmpFilePath) Then                


    If (CheckRecipient (doc, domain)) Then        

    -- New Agent "(nslookup_srv)" --

    Add the following Java Agent code

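    // Written by Daniel Nashed
    import lotus.domino.*;
    import java.util.Hashtable;
    import javax.naming.NamingEnumeration;
    import javax.naming.NamingException;
    import javax.naming.directory.Attributes;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InitialDirContext;

    public class JavaAgent extends AgentBase {

        public void NotesMain() {
            try {
                Session session = getSession();
                AgentContext agentContext = session.getAgentContext();
                Document doc = agentContext.getDocumentContext();
                if (doc != null) {
                    // Start with an empty result; CheckRecipient treats empty as "no DE-Mail domain"
                    doc.replaceItemValue("nslookup_result", "");
                    String nslookup_domain = doc.getItemValueString("nslookup_domain");
                    // Item name assumed from the variable name; CheckRecipient above does not set it
                    String nslookup_dnsserver = doc.getItemValueString("nslookup_dnsserver");
                    System.out.println("nslookup_domain -->" + nslookup_domain + "< ServerIP --> " + nslookup_dnsserver + "<");
                    Hashtable env = new Hashtable();
                    env.put("java.naming.factory.initial", "com.sun.jndi.dns.DnsContextFactory");
                    // Compare string content, not references; no server means the system resolver is used
                    if (nslookup_dnsserver == null || nslookup_dnsserver.length() == 0)
                        env.put("java.naming.provider.url", "dns:");
                    else
                        env.put("java.naming.provider.url", "dns://" + nslookup_dnsserver);
                    DirContext ctx = new InitialDirContext(env);
                    try {
                        Attributes attrs = ctx.getAttributes("_ldaps._tcp." + nslookup_domain, new String[] { "SRV" });
                        if (attrs != null && attrs.size() > 0) {
                            // System.out.println ("---found something---");
                            NamingEnumeration e = attrs.getAll();
                            // Assumption: the first returned attribute is stored as text;
                            // any non-empty value marks the domain as a DE-Mail domain
                            String lookup_result = e.next().toString();
                            doc.replaceItemValue("nslookup_result", lookup_result);
                        } else {
                            // System.out.println ("nothing returned");
                        }
                    } catch (NamingException e) {
                        System.out.println("--- Namelookup Result Catch ---");
                    } finally {
                        ctx.close();
                    }
                }
            } catch (Exception e) {
                System.out.println("--- Namelookup - General Catch ---");
            }
        }
    }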
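
    The same `_ldaps._tcp.` SRV check as a stand-alone Java program, added here as an example (it is not the agent's or the DE-Mail template's code). It goes a little further than the agent: the recipient domain is validated as a plain host name before it goes into the query name, each SRV value is parsed into the priority, weight, port and target fields that nslookup prints, and a missing record is kept apart from a lookup failure. The class and method names and the 2-second timeout are assumptions of this example.

```java
import java.util.*;
import java.util.regex.Pattern;
import javax.naming.*;
import javax.naming.directory.*;

// Added example: class and method names are this example's own, not the template's.
public class SrvLookupExample {
    // One DNS label: letters, digits, inner hyphens, at most 63 characters.
    static final Pattern LABEL = Pattern.compile("[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?");
    static boolean isValidDomain(String d) {
        if (d == null || d.length() == 0 || d.length() > 253) return false;
        for (String label : d.split("\\.", -1))
            if (!LABEL.matcher(label).matches()) return false;
        return true;
    }

    // JNDI returns each SRV value as "priority weight port target" (RFC 2782).
    static final class Srv {
        final int priority, weight, port;
        final String target;
        Srv(String value) {
            String[] f = value.trim().split("\\s+");
            if (f.length != 4) throw new IllegalArgumentException("not an SRV value: " + value);
            priority = Integer.parseInt(f[0]); weight = Integer.parseInt(f[1]);
            port = Integer.parseInt(f[2]); target = f[3];
        }
    }
    // Empty list: the name has no SRV record. Timeouts and server errors still throw.
    static List<Srv> lookup(String domain, String dnsServer) throws NamingException {
        if (!isValidDomain(domain)) throw new IllegalArgumentException("invalid domain");
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put("java.naming.factory.initial", "com.sun.jndi.dns.DnsContextFactory");
        env.put("java.naming.provider.url",
                dnsServer == null || dnsServer.length() == 0 ? "dns:" : "dns://" + dnsServer);
        env.put("com.sun.jndi.dns.timeout.initial", "2000"); // milliseconds (assumed value)
        List<Srv> found = new ArrayList<Srv>();
        DirContext ctx = new InitialDirContext(env);
        try {
            Attribute a = ctx.getAttributes("_ldaps._tcp." + domain, new String[] { "SRV" }).get("SRV");
            NamingEnumeration<?> e = (a == null) ? null : a.getAll();
            while (e != null && e.hasMore()) found.add(new Srv(e.next().toString()));
        } catch (NameNotFoundException notFound) { // name does not exist: not a DE-Mail domain
        } finally { ctx.close(); }
        return found;
    }
    public static void main(String[] args) throws Exception {
        Srv s = new Srv("0 5 636 ldap.example.test."); // constructed SRV value
        System.out.println(s.port + " " + s.target + " "
                + isValidDomain("example.test") + " " + isValidDomain("example .test"));
        if (args.length > 0) System.out.println(lookup(args[0], "").size() + " SRV record(s)");
    }
}
```

    Run without arguments it only exercises the parser and the validator on the constructed values; pass a domain as the first argument to perform a real lookup through the system resolver.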






    1  Matthias  08.06.2016 8:43:53  DE-Mail Mail-Template with Command Line DNS Lookup

    Nice Daniel,

    but are dns lookups towards external domains allowed within the local network from local clients? No security concerns?

    2  Daniel Nashed  09.06.2016 6:47:26  DE-Mail Mail-Template with Command Line DNS Lookup

    @Matthias, the lookup is performed against your local DNS server which forwards the request to an external DNS server.

    In addition in the configuration database you can configure a different DNS server which would be used instead of the client configured DNS server.

    That is already in the original implementation but they use cmd.exe and nslookup directly for that.

    My implementation does the same just with Java code.

    3  Matthias  10.06.2016 10:10:46  DE-Mail Mail-Template with Command Line DNS Lookup

    Yes I see. I was just wondering if DNS forwarding was or is now a common thing, which companies do. In my opinion it is a security weak spot especially for generic malware. So I thought it is a good point to configure only dnslookups for the local network?!?

    4  Daniel Nashed  10.06.2016 13:46:15  DE-Mail Mail-Template with Command Line DNS Lookup

    @Matthias, not sure I understand what you mean in this case.

    The mailfile has to check if a recipient is a DE-Mail recipient and needs to do a DNS lookup.

    All clients usually ask a local DNS server. This is how clients work.

    In the case of the DE-Mail functionality you could even specify a different DNS server than what the user has configured.

    But the concept of asking a local DNS server is a general concept. The company DNS server forwards the query to the authoritative DNS server.

    Not sure how you want to improve that in this case or also in other cases.

    Yes there is a general risk. But that risk is not specific here.

    -- Daniel


