Has the Domino Passthru server been a big security hole all these years?


The idea of the Domino Passthru server

The idea of a Domino server acting as a passthru server is a bit like a reverse proxy.



If you have 5 Domino servers on your internal network, and only one external IP address, it can be difficult to get access to more than one Domino server from the internet.

To remedy this, you can set up the one Domino server you can access from the internet to be a Passthru server.

This server can then redirect the incoming traffic to the relevant Domino server. Pretty smart and very simple to set up.

However....


Real life ... broken security
We were all trusting IBM, and then HCL, that security was in good hands. In general it is...

HCL has done a lot of catching up in recent years to get "up to par" with the security and standards generally used in other products.

But somehow Passthru seems to have fallen between the cracks.

In the old days you could not see on the console whether a connection was secure and encrypted; you had to trust IBM/HCL that things were working.

But nowadays you can set these settings in notes.ini to get valuable information:

log_authentication=1

DEBUG_PORT_ENC_ADV=1


The server will then show details about the connections to the server.

Example:

T:AES:128 E:1: P:t:e S:AES-GCM:256 A:2:1 L:N:N:N FS:DHE-2048+X25519

The E:1 in the connection details shows that the connection is encrypted.

(Read more here: https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0040530)

But if you have a Notes client trying to use the Domino server as a Passthru server, you will see this too:

T:AES:128 E:0: P:p:e S:RC2:0 A:2:1 L:N:N:N FS:

As you can see, the connection is now no longer encrypted!

All Domino servers here have a port set up to force an encrypted connection in their port settings. The Notes client here is also set up to use encryption.

And yet, if we look at the connection details when the server is accessed as a Passthru server, there is no encryption at some point.

This is bad... it is actually really bad.

Mostly because I had been using Passthru for years... that scares me a bit,

but also because I have been thinking I have been in good hands with IBM/HCL all these years... but maybe I have not.

There may be a good explanation and calming words from HCL... but I doubt it.

The next step would of course be to use a network sniffer to monitor what is actually happening.

From the console it seems that it is the connection used to authenticate at the Passthru server that is not encrypted, and that the connection to the destination server does get encrypted.


Am I hit?
If Passthru is enabled on the Domino server, you are out of luck.

"But I do not use a Passthru connection from my Notes client!"... if your Notes client is trying to reach any unreachable server, it will try to use Passthru in the end and connect unencrypted.

This will most likely happen, since you will not have access to all of your servers at any given time.

Something like a scheduled replication may even trigger it.

Even trying to access a fake server name will start a Passthru connection.


It is easy to test your Domino setup yourself
Enable Passthru on the server.

Do a trace and see what it writes on the console.
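To make the "see what it writes on the console" step less error-prone, here is a small added example (my own code, not part of the original post or of any HCL tooling) that reads a saved console log, picks out the DEBUG_PORT_ENC_ADV detail lines in the KEY:value format quoted above, and reports every connection whose E flag is not 1. The only field meaning taken from the post and the linked HCL KB article is E:1 = encrypted; reading S: as the negotiated cipher and FS: as the forward-secrecy key exchange is an assumption based on the values in the two example lines. The sample log text is constructed: the two detail lines are the ones quoted in the post, the timestamps and the other two lines are made up.

```python
import re

# Constructed sample of a Domino console log with log_authentication=1 and
# DEBUG_PORT_ENC_ADV=1 set. The two T:/E: detail lines are the ones quoted in
# the post; the timestamps and the other two lines are made up for illustration.
SAMPLE_CONSOLE = """\
05/24/2022 03:10:01 PM  Opened session for CN=Alice/O=Acme (Release 12.0.1)
05/24/2022 03:10:01 PM  T:AES:128 E:1: P:t:e S:AES-GCM:256 A:2:1 L:N:N:N FS:DHE-2048+X25519
05/24/2022 03:12:45 PM  T:AES:128 E:0: P:p:e S:RC2:0 A:2:1 L:N:N:N FS:
05/24/2022 03:13:02 PM  Database Replicator started
"""

# One KEY:value token, e.g. "E:1:", "S:AES-GCM:256" or "FS:" (empty value).
TOKEN_RE = re.compile(r"^([A-Z]+):(.*)$")


def parse_port_enc_line(line):
    """Split one console line into its KEY:value tokens.

    Returns a dict such as {"T": "AES:128", "E": "1", ...}, or None when the
    line is not a port-encryption detail line (it must carry both a T: and an
    E: token). Trailing colons are stripped, so "E:1:" becomes "1".
    """
    fields = {}
    for token in line.split():
        m = TOKEN_RE.match(token)
        if m:
            fields[m.group(1)] = m.group(2).rstrip(":")
    if "T" not in fields or "E" not in fields:
        return None
    return fields


def is_encrypted(fields):
    """E:1 means the connection is encrypted (per the HCL KB article the post
    links); any other value is treated as not encrypted."""
    return fields.get("E") == "1"


def find_unencrypted_sessions(console_text):
    """Return (line_number, fields) for every detail line whose E flag is not 1."""
    hits = []
    for number, line in enumerate(console_text.splitlines(), start=1):
        fields = parse_port_enc_line(line)
        if fields is not None and not is_encrypted(fields):
            hits.append((number, fields))
    return hits


def describe(fields):
    """Short summary of one detail line. Treating S: as the cipher and FS: as
    the forward-secrecy exchange is an assumption drawn from the example values,
    not from documentation."""
    return "E=%s cipher=%s fs=%s" % (
        fields["E"], fields.get("S", "?"), fields.get("FS") or "none")


if __name__ == "__main__":
    # Replace SAMPLE_CONSOLE with the contents of your own console log file.
    for number, fields in find_unencrypted_sessions(SAMPLE_CONSOLE):
        print("line %d: UNENCRYPTED connection (%s)" % (number, describe(fields)))
```

Run it against a console log captured while a client is forced through Passthru (for example by addressing a server name that does not exist, as the post describes); any reported line is a connection that was not encrypted, even though the port settings on both sides demand encryption.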


Hopefully HCL will explain what is going on and fix the issue with Passthru servers in a release soon.


Advice - how to disable Passthru

Server:
In the Server document, make sure to remove ALL data in the "Route through" field. Anything in there and the server is a Passthru server.


Client:
In the local address book, remove any connection documents that use Passthru as the way of connecting to a server.

This is what a trace should say if server and client are correctly set up:


Posted on 05/24/2022 03:18:54 PM CEDT