
Archive for July, 2005

Domino and Sametime through Outlook

July 28th, 2005 2 comments

Domino Access for Microsoft Outlook (DAMO)

DAMO has basically been designed for people who want (or have to use) a Domino server but do not want to use the Lotus Notes client to access their emails.

DAMO is a plug-in for Outlook and installs with ease from the setup executable; there is no server-side code. Outlook doesn’t actually communicate with the Domino server. The architecture can be seen in the diagram below.

This drawing has been re-drawn directly from the IBM Redbook (see further reading at bottom)

The client uses a local replica of the address book and a local replica of the mail database in nsf format. The local mail.nsf file replicates documents to and from the server, but after replication it replaces the full document with a truncated document, thus allowing DAMO to keep track of documents using their unique ID. By using truncated documents the size of mail.nsf is minimal. (Note the file is not called mail.nsf and normally defaults to shortname.nsf.) The data, DLLs and other code are all stored in Program Files\DominoForOutlook.

Digging into the DAMO Layer

The extension manager allows DLL calls and other tasks to be triggered by specific Domino events. The real aim of the extension manager is to allow DAMO to be changed easily as more functionality is made available in future Domino releases.

The replication layer uses nwrdeamn.exe to create the replicas initially and then maintain synchronisation between the .PST and Domino server .nsf. The local .nsf files are referred to by IBM as the cache. The sequence for first replication is:

• Create mail.nsf

• Create names.nsf

• Pull data into mail.nsf (documents and folders only)

• Create folders in .PST

• Push documents into .PST (see mapping module below)

• Truncate documents in cache (local nsf)

The mapping module works in tandem with the replication layer. This comes into play when messages are moved, created or received. Let’s look at what happens when a document is delivered to the user:

• New mail arrives in mail.nsf on the server.

• DAMO polls the server (at a defined interval) for new mail.

• Replication Layer pulls changes to the local cache.

• Mapping Module then creates, or modifies, documents in the .PST.

• The Mapping Module also provides the necessary mapping between Outlook and Domino to allow for calendars, meeting invitations, reminders and free-time lookups to work correctly from within the Outlook client.

Outbound mail is a similar flow:

• New mail stored in Outbox within .PST

• Outlook informs DAMO of pending message.

• DAMO then uses MAPI to create a message in the local mail.box.

• Replication Layer then pushes mail over NRPC to the Domino server mail.box where server routing processes look after onward delivery.

The user’s Lotus Notes ID file is used to secure access and allows features such as encrypted emails to be created and read from within the DAMO client. The look and feel is the same as Outlook with no real changes to the front end.

Domino Access for Microsoft Outlook look and feel:

At the back end shows where the plug-in has modified the menu options in Outlook:

Usability

I like Outlook as a client for email and use it personally at home for pop3. Being familiar with Outlook already made the transition to DAMO a no issue switch. So if you are considering switching your back end from Exchange to Domino and want to retain the look and feel then DAMO is for you. I’m not going to review Outlook usability here.

Applications will be a different kettle of fish, in that unless the application has been written to be browser accessible then the Lotus Notes client will be needed on the desktop and DAMO becomes redundant.

One problem I experienced was that Outlook with DAMO did not recognise http:// as a URL and hence hyperlinks were not available within messages. Messages transmitted as html messages with <a href…/a> tags were fine but it appears that NRPC messages are transmitted locally as rich text and the HTTP links are not recognised as such.

Domino Clustering and DAMO

It works! Enough said! Now you can have Outlook clients with an application level failover solution which has a proven track record and does work.

DAMO Server Load

The redbook from IBM claims that 1 DAMO user = 1.2 Lotus Notes client users. I assume by this they mean Online Notes compared to DAMO. In our accounts we have observed that a DAMO client compared to an offline Notes client can consume as much as 100 times the resources of a correctly configured offline user.

DAMO and Directory Catalogs

Using directory catalogs (a cut-down, lightweight version of the address book) is a popular way of taking address books offline. Unfortunately, if your directory catalog server is different to your mail server, it does not appear to be possible to set a different address book server (though I’m sure I remember seeing an Address Book Server dialog somewhere). Hence you end up with the full directory (although the replica is very small in comparison). So the design of your dircat topology needs to reflect this (i.e. host dircat on the mail servers).

Presence Awareness

MSN Messenger presence awareness works as with Outlook connected to an Exchange server! (And hence I assume, but haven’t tested, Office Communicator 2005 with Live Communication Server; one for future testing I think!) Perhaps someone with MS experience will be able to comment and let me know what the Outlook roadmap includes. For example, I’m not sure whether the Office Communicator plug-in would be configurable to provide presence awareness with the necessary Active Directory tweaks (i.e. mapping email addresses).

Presence awareness with TeamMessenger, an Outlook plug-in which connects to Sametime, also works with DAMO (and interestingly also works concurrently with MSN Messenger). The functionality is a compromise whereby presence and chat is enabled through a separate window which hovers over the screen (see below).

Wherever you place the window it obscures some part of the screen which you will need to use at some point. You can run without the window but you have to click the “whos online” button to see who from a message distribution is online.

Here is the TeamMessenger window:

Presence awareness in the email you are reading is shown in the item tab.

The buddy list shows your buddy list as stored on the Sametime server.

A nice feature of TeamMessenger is a link with the Outlook Calendar which changes a user’s presence status to away when the user is in a meeting (this can be turned off).

In my view this functionality does not meet the in-message in-folder presence awareness available in the Notes client (incidentally this is soon to be extended to the Domino directories in release 7!).

Further Reading

http://www.redbooks.ibm.com/redbooks.nsf/0/3ffdf52c5e37973085256fb500562032?OpenDocument

Categories: Collaboration Tags:

Career Direction and the Impact on End Users

July 21st, 2005 No comments
Which way?

In every organisation promotion and career progression generally involves moving up from the “shop floor” and moving away from end customers. The relationships you enter into tend to be strongest between yourself and customers at the same level. So for example a desktop IT engineer will have much closer relationships with end users than the CIO.

What I see from my position as a Lotus collaboration specialist is the way enterprise support, design and engineering teams are structured. Everyone clamours for technical progression up the career ladder and to get away from 1st and 2nd line helpdesk calls (“I’ve forgotten my password”, “I’ve deleted all my emails” etc.)

But what I also see is that once up that technical career ladder there is then little attention paid to the end user tools but much attention paid to the back end server performance and functionality.

This has started to worry me somewhat, as the main impact we have with our users is through the software on their desktop; they don’t care what the server is at the back end as long as it delivers what they want. I’m not putting the argument that back end engineering is trivial and unnecessary, but I am saying that more attention needs to be paid to the user.

How many companies have got large lab environments for testing new releases of server software? How many have also got user labs and large scale beta programs which involve the customer? I’d argue that the software vendors do this but IT suppliers and departments pay too little attention to end user activity, end user productivity and the functionality that software delivers.

In fact some decisions on the architecture of back end servers have an impact on product usability. A classic example was when a colleague complained that he couldn’t launch electronic meetings from within his instant messaging client. I explained that our instant messaging team had separated the chat and meeting servers for performance reasons. Yet that one change has a huge impact on the ease of use and productivity of many thousands of staff who want to launch electronic meetings. Instead of select and click from the IM client there is an onerous trawl through a browser interface completing this field and that field. What should take 10 seconds now takes 5 minutes.

So my plea to all….remember the user. Remember that the desktop is king. Re-align your teams so that technical advancement isn’t just back end engineering. Remember the desktop and have experts in that area, as this is your key interface between IT and the user community. Get it right and the rewards are there in terms of finances, reputation and customer satisfaction.

Categories: Collaboration Tags:

Domino and Dealing with SMTP Email

July 19th, 2005 No comments

This article will be of interest to the following people:
1. You have a Domino SMTP MTA which is pre-release 6 (or Release 6 but you haven’t configured it properly!)
2. You do not use a mail relay which checks the addresses for validity before accepting the messages

Again as per the last post this problem is several years old but I still see it in enterprise environments today.

What is the problem?
Well, here is what should happen. If I am an email server and I have an email for companyb.com, I contact companyb.com and tell their gateway in a handshake who I have messages for. They reply with one message for any addresses that are invalid. It is all handled at a protocol level without the message even entering companyb.com’s domain.

So how did/does Domino work by default? Well, it accepts the message and then does an address lookup, generating a non-delivery report for each incorrect address.

So What?
Well, let’s say I spoofed the sender address to be managingdirector@companyc.com. Company C use Domino but don’t run the proper name resolution at SMTP protocol level. I then send a message from managingdirector@companyc.com with a 10 MB attachment. I send it to wrongaddress1@companyc.com through wrongaddress1000@companyc.com. I do this 100 times because the managing director has just sacked me and I’m upset.

What will happen…..well Domino will try and generate 100,000 emails with a 10MB attachment and try and send them internally to managingdirector@companyc.com because it thinks he has sent 100,000 incorrectly addressed messages.

How do I fix it?
Well, take IBM’s advice: article 1 and article 2.
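
The difference between the two behaviours, as an added example that is not from the original post or from IBM: a toy receiver that either checks recipients at RCPT TO time or accepts everything and bounces later, run against the post's numbers. The directory contents, reply texts and function names are constructed for illustration, and each NDR is assumed to carry the attachment, as the post describes.

```python
# Added example (not from the original post): a toy SMTP receiver, constructed
# to compare accept-then-bounce with recipient checks at RCPT TO time.
DIRECTORY = {"managingdirector@companyc.com"}  # constructed directory


def receive(commands, directory, verify_at_rcpt):
    """Process one SMTP transaction; return (replies, ndrs)."""
    replies, accepted, sender = [], [], None
    for line in commands:
        verb, _, arg = line.partition(":")
        addr = arg.strip(" <>").lower()
        if verb.upper() == "MAIL FROM":
            sender = addr  # the envelope sender is never authenticated
            replies.append("250 OK")
        elif verb.upper() == "RCPT TO":
            if verify_at_rcpt and addr not in directory:
                replies.append("550 5.1.1 User unknown")  # refused in-protocol
            else:
                accepted.append(addr)
                replies.append("250 OK")
        elif verb.upper() == "DATA":
            # With no accepted recipient the body is never transferred.
            replies.append("354 Send data" if accepted else "554 No valid recipients")
    # Post-acceptance lookup: each unknown recipient becomes an NDR addressed
    # to whatever envelope sender the client claimed.
    ndrs = [(sender, rcpt) for rcpt in accepted if rcpt not in directory]
    return replies, ndrs


def backscatter(messages, bad_rcpts, attachment_mb, verify_at_rcpt):
    """Return (ndr_count, ndr_megabytes) for the scenario in the post."""
    session = ["MAIL FROM:<managingdirector@companyc.com>"]
    session += [f"RCPT TO:<wrongaddress{i}@companyc.com>" for i in range(1, bad_rcpts + 1)]
    session.append("DATA")
    _, ndrs = receive(session, DIRECTORY, verify_at_rcpt)
    count = len(ndrs) * messages
    # Assumption (as the post describes): each NDR carries the attachment.
    return count, count * attachment_mb


if __name__ == "__main__":
    print("accept-then-bounce:", backscatter(100, 1000, 10, False))
    print("verify at RCPT TO: ", backscatter(100, 1000, 10, True))
```

With verification at RCPT TO every bad address is refused during the handshake, so no NDR is generated and the attachment is never accepted.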

Categories: Collaboration Tags:

Domino HTTP Password Hash

July 19th, 2005 2 comments

About 5 years ago, yes 5 years ago, this vulnerability was posted at Defcon 8. The basic issue is that a person’s Domino Internet Password Hash can be stolen and decrypted.
Basically your hash for the internet password is stored in a field in the person document.

The problem is I still see this vulnerability in environments today.

The hash you see there is the hash for “1234test”. Then some simple Lotus Formula using the @Password command for “1234test” hashes to the same string. This is true of any Domino server (including Domino 7.0) with out of the box configuration.

The main problem here is that with a brute force or dictionary attack you have a very simple way of identifying a user’s password. So you have someone with access to your Domino directory and they steal a hash; what is the problem?

Well, if the password is that of one of your administrators and you allow administration of Domino using a browser OR you have browser enabled email and they get the password of your managing director, then you have a big problem. Not to mention the drive to synchronise passwords for multiple systems!!

So what is the technically difficult solution that prevents this problem by salting the password?

Select the users in the address book, select Actions – Update to a more secure internet password.

Really that is it. So I am dumbfounded by the lack of action for the large company I have informed……..please check your environments if this is the first time you have read about this issue.
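
Why salting closes this gap, as an added example that is not from the original post: an unsalted store gives every user with the same password the same value, while a per-user salt makes each stored value unique. SHA-256 and PBKDF2 are stand-ins chosen for illustration and are not Domino's password algorithms; the user names and function names are constructed.

```python
# Added example (not from the original post). SHA-256 and PBKDF2 are stand-ins
# chosen for illustration; they are NOT Domino's password algorithms.
import hashlib
import hmac
import os
from collections import defaultdict


def unsalted(password):
    """Same password always gives the same stored value, for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_store(password, salt=None):
    """Store a random per-user salt alongside a slow, salted digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def salted_verify(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _, _ = stored.partition("$")
    candidate = salted_store(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def shared_values(directory):
    """Audit helper: groups of users whose stored value is identical."""
    groups = defaultdict(list)
    for user, stored in directory.items():
        groups[stored].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


# Constructed directory: two users happen to pick the post's sample password.
PASSWORDS = {"alice": "1234test", "bob": "1234test", "carol": "S0mething-else"}
UNSALTED_DIR = {u: unsalted(p) for u, p in PASSWORDS.items()}
SALTED_DIR = {u: salted_store(p) for u, p in PASSWORDS.items()}

if __name__ == "__main__":
    print("unsalted duplicates:", shared_values(UNSALTED_DIR))
    print("salted duplicates:  ", shared_values(SALTED_DIR))
    print("bob verifies:", salted_verify("1234test", SALTED_DIR["bob"]))
```

In the unsalted directory one recomputed value matches every user who chose that password; in the salted one a value has to be recomputed per user with that user's salt.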

Categories: Collaboration Tags:

Volunteer response to the London bombings

July 13th, 2005 No comments

I’d like to use my blog to highlight the role volunteers played in supporting the statutory services in London. From reading the information on the St. John Ambulance and British Red Cross websites you can see that:

There were 37 St. John and 25 Red Cross Ambulances, 20 mobile treatment centres from St. John, emergency response vehicles from the Red Cross and more than 200 volunteers working to help during the incident.

St. John are still providing 24×7 first aid cover, staffed by volunteers for the search and recovery operation.

There will be many other organisations I haven’t mentioned (WRVS, Salvation Army etc) and I think we should all remember when they are collecting for money in the street the usefulness of that donation.

Categories: Collaboration Tags: