Lotus Domino 8.5.1 Mail Administration
Version 1.0
Copyright Information
©2010 wareSource.com
Part #DSMA851-1.0, updated for Notes and Domino 8.5.1 Fix Pack 3
Under the copyright laws, this book may not be photocopied, reproduced,
translated, or reduced to any electronic medium or machine-readable form, in
whole or in part, without the prior written consent of wareSource.com.
While every reasonable precaution has been taken in the preparation of this book,
the author assumes no responsibility for errors or omissions, nor for the uses made
of the material contained herein and the decisions based upon such use. No
warranties are made, express or implied, with regard to either the contents of this
work, its merchantability, or fitness for a particular purpose. The author shall not
be liable for direct, indirect, special, incidental, or consequential damages arising
out of the use or inability to use the contents of this book.
In no event shall the author be liable for any damages whatsoever (including
without limitation, damages for loss of business profits, business interruption, loss
of business information, or any other loss) arising out of the use of or inability to use
this material, even if the author has been advised of the possibility of such
damages.
Lotus, Domino, Domino Designer, ScreenCam, LotusScript, Notes/FX, Lotus
Notes, Notes, DataLens, Notes Minder, and Sametime are trademarks or
registered trademarks of Lotus Development Corporation and/or IBM
Corporation. IBM, OS/2, AS/400, S/390, AIX, DB2, and WebSphere are
registered trademarks of International Business Machines, Incorporated.
Microsoft is a registered trademark and Windows, ActiveX, and Visual Basic are
trademarks of Microsoft Corporation. Netscape and Netscape Navigator are
trademarks of Netscape Communications Corporation. Java and JavaScript are
trademarks of Sun Microsystems, Inc.
All other marks are the property of their respective owners.
Table of Contents
Topic 1: Mail Overview
Topic 2: NRPC Message Transfer and Delivery
Topic 3: Notes Configuration
Topic 4: Inter-Domino Named Network NRPC Routing
Topic 5: Inter-Named Network Routing Topologies
Topic 6: NRPC Controls
Topic 7: Domino Directory and Message Addressing
Topic 8: Directory Assistance
Topic 9: Directory Catalogs
Topic 10: Mail Database Design
Topic 11: User Mail Database Administration
Topic 12: Notes Mail Security
Topic 13: Calendar and Scheduling
Topic 14: Domino Attachment and Object Service
Topic 15: SMTP Mail Transfer
Topic 16: SMTP Inbound Controls
Topic 17: Blacklists and Whitelists
Topic 18: Rules
Topic 19: SMTP Outbound Controls
Topic 20: Internet Message Disclaimers
Topic 21: POP/IMAP Clients
Topic 22: LDAP Directory Service
Topic 23: Internet Certificate Authority
Topic 24: Issue Internet Client Certificates
Topic 25: Sign and Encrypt Internet Mail
Topic 26: Lotus iNotes
Topic 27: Security for Lotus iNotes
Topic 28: Domino Access for Microsoft Outlook
Topic 29: Mail Monitoring Tools
Topic 30: Message Tracking and Reporting
Topic 31: Message Archiving and Journaling
Topic 32: Troubleshooting and Performance
Index
Description
During this course you will configure traditional Notes Mail as well as standards-
based SMTP mail transfer and delivery. You will set up several mail clients,
including Notes, Internet mail (POP/Outlook Express), Domino Access for
Microsoft Outlook, and iNotes.
This course stresses the role of directories, including the Domino Directory,
Directory Catalog, Mobile Directory Catalog, and Extended Directory Catalog,
and how to make them available via Directory Assistance. It also covers the
configuration of Domino to support LDAP requests.
This course also covers mail security for both Notes and Internet mail clients,
including how to configure SSL on Domino and to issue Internet Certificates to
users for digital signing and encryption.
Course goals
In this course, you will learn how to:
• configure intranet and Internet mail routing using the NRPC and SMTP
protocols
• set up Notes to send and receive mail, set up an Internet mail client to send
mail via SMTP and retrieve mail via POP3 or IMAP4 protocols, use a
browser to access mail via iNotes, and configure Domino Access for
Microsoft Outlook
• utilize the various directory types for mail addressing as well as for mail
transfer and delivery
• configure the Domino Server to support address lookups by Internet mail
clients using LDAP
• configure the NRPC and SMTP Router controls and restrictions to improve
routing performance and reduce unsolicited email
• utilize Notes Mail security features and serve as your own Internet Certificate
Authority, create server and client Internet Certificates, enable SSL, and
digitally sign and encrypt mail sent to Internet mail clients
• support Notes Calendar and scheduling, including inter-domain resource
reservations
• configure Domino Attachment and Object Service to reduce disk space and
network traffic due to message transfer, delivery, and storage
• reduce Mail database size using design and document compression among
other methods
• manage Notes Mail files using Domino Administrator with the assistance of
the Administration Process
• utilize mail monitoring, tracking, and journaling features
• retain messages using archiving and journaling
• monitor and troubleshoot mail transfer and delivery.
Audience
This course is part of a series of Domino administration training courses. Follow
these paths to master all aspects of administering the Domino Server, Lotus
Notes, and other clients:
[Diagram: course paths in the Domino administration series. Boxes shown: Lotus Domino Administration Basics (3 days); Lotus Notes Administration (3 days); Lotus Domino Mail Administration (4 days); Notes Experience; Lotus Notes Support (3 days); Lotus Notes User Essentials (1 day); Lotus Domino Monitoring and Maintenance (2 days); Lotus Notes User Essentials PLUS Pack.]
Courses later in the series assume that you have mastered the content of earlier
courses.
This course is designed for LAN administrators who are responsible for
supporting mail on Lotus Domino Servers, Notes, and Internet mail clients and
who:
• are proficient Notes mail users
• have installed and configured a Domino Server
• understand basic DNS and SMTP principles
• have taken the Lotus Domino Administration Basics and Lotus Notes
Administration courses or have the equivalent knowledge and experience
• ideally have taken the Lotus Domino Monitoring and Maintenance course or
have the equivalent knowledge and experience.
Course design
This is an intensely practical course, combining thorough conceptual training with
significant hands-on experience with Domino and Domino Administrator as well
as the various mail clients Domino supports. As you learn about various aspects
of the Domino Server and Domino Administrator as they relate to messaging, you
will immediately apply the concepts and techniques you learn.
Please consult the Set Up document for this course to make sure the correct
environment is in place before starting the course.
Font conventions
This course follows these font conventions:
• Italic - database, view, page, form, document, macro, and field names, object
event types, and new terms introduced in the text
• Bold - Notes menu options, command button names (whether Notes or
developer defined), field labels, and accelerator keys
• Courier - user input, sample values, code examples
• Helvetica - URLs
• Lucida Console - HTML, XML, CSS, and programming code examples.
Topic 1: Mail Overview
Key points
Notes Mail has always used—and continues to use—the Notes Remote Procedure
Call (NRPC) protocol to transfer messages, and proprietary directories, like the
Domino Directory, to store information needed for message addressing, routing,
and delivery.
With NRPC, sending messages to other systems or devices (if even possible)
involved complicated gateways that would convert messages (and even network
protocols) and recipient addresses.
With the advent of standards-based Internet mail and directory protocols and mail
clients, Web browsers, and handheld devices (mobile phones, PDAs, pagers), the
Lotus Domino Server has been adapted to also support standards-based Internet
messaging and directory protocols. Knowledge of how both Notes and Internet
messaging protocols operate and are configured is required when building a mail
infrastructure using Domino.
This Topic shows the similarities and differences between routing messages using
the proprietary NRPC routing protocol and the standards-based Simple Mail
Transfer Protocol (SMTP).
Mail terminology
There are a few terms pertaining to mail that must be defined before looking
specifically at NRPC or SMTP message routing. This diagram shows the
relationship between these terms:
[Diagram: relationship between the User Agent (UA), Message Transfer Agent (MTA), Message Delivery Agent (MDA), Message Queue (MQ), Message Store (MS), Local Message Store (LMS), and Directory, connected across the Internet by the Mail Transport Protocol, Mail Delivery Protocol, and Mail Access Protocol.]
• User Agent (UA). This is the software that users use to send and read email.
This could be Notes, any of the Internet mail packages (Mozilla Thunderbird,
Outlook/Outlook Express, or Eudora), a Web browser, or a phone or PDA. In
fact, depending on users’ changing locations, they could access their email at
work, home, and while traveling using any of the clients. Most of what users
think about when they think of their “email” is the responsibility of the UA.
• Message Transfer Agent (MTA). The mail server process responsible for
accepting messages transferred either by UAs or other MTAs and either
transferring them to other MTAs or delivering them to users with accounts
and message stores on that server. The MTA could be a Domino Server or
Microsoft Exchange, or any one of hundreds of commercial and open source
SMTP mail servers.
• Message Transfer. The routing of a message from the UA to the MTA and
between MTAs.
• Message Store (MS). The MS is used by the MTA to store messages that are
addressed to users who have an account on that server. In the case of
Domino, each user is assigned an MS database (their Mail database).
• Message Delivery Agent (MDA). A server process responsible for
delivering the message to a UA’s MS. Often running on the same server as
the MTA. For Internet mail servers, this server responds to either the POP3
(Post Office Protocol, version 3) or IMAP4 (Internet Message Access
Protocol, version 4) employed by the UA. The Domino Mail Router acts as
both the MTA and MDA.
• Message Delivery. The delivery of a message by the MDA to the UA’s MS.
• Local Message Store (LMS). The UA may have a local message store for
messages downloaded from the MS. For a POP3 client, messages are
downloaded (and removed from) the server to a local store. For a mobile
Notes user, messages are replicated to a local replica copy of the user’s Mail
database.
• Message Queue (MQ). A database used by the MTA that temporarily stores
incoming and outgoing messages. Incoming messages may be transferred
from UAs or other MTAs. Outgoing messages may be transferred to other
MTAs or delivered to the MS. Mobile Notes users have a local Mail Box
database (MAIL.BOX) that holds “sent” messages until reconnected to
Domino, at which time the messages are transferred to the server’s Mail Box
database.
• Directory. Used by the MTA to determine where to transfer or deliver
messages in the MQ. Also used to determine the user MS if the message is to
be delivered to that server. Domino uses its own Domino Directory database
for both routing and delivery. Two directories are used for Internet mail:
• the Internet’s global Domain Name Service (DNS), a distributed database
of name-to-IP address mappings (MX records) to find MTAs in other
Internet domains
• a directory used to find users in the domain, often accessible via the
LDAP protocol (Lightweight Directory Access Protocol).
• Mail Transfer Protocol. The syntax and commands exchanged between the
UA and MTAs and between MTAs. Relies on underlying network protocols,
such as TCP/IP, to transport the higher-level protocol and message content.
For Internet mail, the protocol to transfer messages from the UA to the MTA
and from MTA to MTA is SMTP. For Notes Mail, the protocols are
generically referred to as Notes Remote Procedure Call (NRPC).
• Mail Delivery Protocol. The protocol used by the MDA to deliver the
message to the user’s MS. There are no standards for this protocol, as it
depends on the type of MS being used—it can be anything from a text file to
a high-end RDBMS. For Domino, delivery is via NRPC to a Domino database
assigned to each user.
• Mail Access Protocol. The protocol used to read and/or download messages
from the MS on the MDA. The download protocol for UAs to download
messages for reading is either POP3 or IMAP4, and NRPC for Notes.
• Recipient Address. The basis for any message transfer and delivery system
is the recipient address. Addresses are protocol-dependent, for example:
• For NRPC routing within a Domino Domain, the address is any value
found in the Person document FullName (User name) or ShortName
fields.
• For NRPC routing to another Domino Domain, the person name plus
@domainname is specified, for example, Joe Smith@GlobalUS. If there
are intermediary Domino Domains through which the message must be
routed to reach the recipient domain, those domains can be appended, for
example, Mary Jones@GlobalUS@GlobalInt. The address is read from
right to left by the Router as the message is transferred to the next
Domino Domain found in the recipient address until it arrives at the
user’s own Domino Domain. You’ll see below what happens next.
• For SMTP routing, the address is the user name (no spaces) plus the
domain name and domain class, for example, jsmith@globalus.com. If
there are IP subdomains, they can also be included, for example,
mjones@globalus.globalint.com. Unlike NRPC routing, subdomains
are not intermediary domains through which the message must route. All
messages transfer directly to that subdomain. If routing to a Notes user
who has not been assigned an Internet address, any spaces in the name
can be substituted with underscores, for example,
joe_smith@globalus.com.
Because address accuracy is absolutely essential, the directory is often made
available to users to help select addresses of users within the domain rather
than having to type them from memory. Notes goes one step further and
prevents users from sending a message to an unknown user within the
domain. All UA software also provides a personal directory so users can
store their own list of valid recipient addresses.
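The two address styles described above behave differently when a router decides the next hop. The following is an added example, not code from the course or from Domino: the function names, the origin domain `GlobalCA`, and the rule that a router strips its own domain from the end of the address are assumptions used to model the right-to-left reading the text describes.

```python
def parse_nrpc_address(address):
    """Split 'Name@DomainA@DomainB' into (name, [DomainA, DomainB])."""
    name, *domains = (part.strip() for part in address.split("@"))
    if not name or any(not d for d in domains):
        raise ValueError(f"malformed NRPC address: {address!r}")
    return name, domains


def nrpc_next_hop(address, local_domain):
    """Decide what a Router in local_domain does with the address.

    Returns (action, target_domain, address_to_carry_forward).
    The rightmost domain is always the next one to route to; a trailing
    domain equal to the Router's own domain is dropped (modeling assumption).
    """
    name, domains = parse_nrpc_address(address)
    while domains and domains[-1].lower() == local_domain.lower():
        domains.pop()
    if not domains:
        # Nothing left but the name: look it up in the local directory.
        return ("deliver", local_domain, name)
    return ("transfer", domains[-1], "@".join([name, *domains]))


def nrpc_path(address, origin_domain):
    """List every Domino Domain the message passes through, in order."""
    path, current = [origin_domain], origin_domain
    while True:
        action, target, address = nrpc_next_hop(address, current)
        if action == "deliver":
            return path
        path.append(target)
        current = target


def smtp_destination(address):
    """Return the single domain an SMTP sender looks up for this address.

    Subdomains are part of one destination name, not a chain of hops,
    so the whole right-hand side is returned unchanged (lowercased).
    """
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain or "@" in local or " " in address:
        raise ValueError(f"not a valid SMTP address: {address!r}")
    return domain.lower()


def notes_name_to_smtp(name, internet_domain):
    """Build an SMTP address for a Notes user with no Internet address.

    Spaces become underscores, as the text describes; lowercasing only
    mirrors the example shown in the text.
    """
    return "_".join(name.split()).lower() + "@" + internet_domain


if __name__ == "__main__":
    # Addresses below are the sample values used in the text.
    print(nrpc_path("Mary Jones@GlobalUS@GlobalInt", "GlobalCA"))
    print(smtp_destination("mjones@globalus.globalint.com"))
    print(notes_name_to_smtp("Joe Smith", "globalus.com"))
```
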
NRPC message flow
This diagram shows the message flow using NRPC with the Notes UA and the
Domino MTA:
[Diagram: NRPC message flow between Notes clients and Domino Routers over the LAN, WAN, or Internet, showing MAIL.BOX, the Domino Directory, the user Mail.NSF, and a replica Mail.NSF; server-to-server links are labeled NRPC and/or SMTP.]
This table describes the steps of the message flow using NRPC with the Notes UA
and the Domino MTA:
Step Action
1 The UA is Notes, which is used to create the message and transfer
the message to the MTA, which is the Domino Server.
This example starts with a message originating from a LAN-
connected client.
2 The message is transferred via NRPC to the Domino Server (MTA).
Note: While NRPC is most typically transported by TCP/IP, it can
also be carried by any of the other network protocols supported by
Domino/Notes as well.
3 The message is written to the MQ, which is the Mail Box database
on the server.
Note: This database ACL -Default- access is set to Depositor so
users can “deposit” messages but cannot read any of the messages
waiting for delivery.
4 By default (can be changed under user preferences or on a per-
message basis), the message is also saved in the sender’s Mail
database (MS) on the user’s Home/Mail server for later reference.
The per-user database architecture of Notes Mail is considered one
of the most reliable in the industry, being far more fail-proof than
using a single MS database for all users.
5 The Router server task uses the Domino Directory to determine
where to transfer the message. If the destination Domino Domain is:
• the same as the server’s, the Router looks up the recipient’s
Person document in the Domino Directory to find the recipient’s
Home/Mail server name
• in another Domino Domain, the Router looks up the Connection
document to a Domino Server in that other Domain.
6-9 If the message is destined for a user on the same Home/Mail Server
as the sender, the Router delivers it immediately. Otherwise, the
Router copies the message out of the local Mail Box and writes it to
the remote Mail Box database on the target Domino Server using the
NRPC protocol.
If successful, the Router then deletes the message from the local
Mail Box database.
10 The Router server task uses the Domino Directory to determine
where to transfer or deliver the message. If the recipient Mail
database is on:
• the same server, the Router looks up the recipient’s Person
document to find the Mail database file name
• another server in the same Domino Named Network, the Router
immediately transfers the message to that server via NRPC
• another server in a different Domino Named Network, the Router
looks up the Connection document to a Domino Server in that
other Domino Named Network and transfers the message via
NRPC when the connection conditions are met (number of
messages or scheduled).
Whether for message transfer or delivery, the Router stamps its
name and the current date/time that it handled the message.
11 The Router checks any user mail rules that may delete or modify the
message. If not, the Router copies the message out of its local Mail
Box and writes it to the user’s Mail database (MS) using the NRPC
protocol.
The Router deletes the message from its local Mail Box database.
12 The Notes UA is used to read the message from the server copy of
the Mail database. This is just like reading any other Domino
database.
The message is retained in the user’s Mail database (MS) on the
server until explicitly deleted by the user (or archived to another
database via an agent running in the Mail database).
13 A mobile Notes user may also have a replica copy of the Mail
database on the local hard drive, in which case incoming messages
are added to the local LMS (for offline reading) via replication (and
NOT via message transfer).
Note: The model used by Lotus iNotes access is almost identical to that used by
Notes. The differences are in:
• Step 1, where the message is created using an HTML form run in the
browser and when submitted is handed from the Domino Web server task to
the Mail Box database for delivery or transfer.
• Step 12, where users read their messages rendered in HTML by the Domino
Web Server task from the Mail databases using a browser.
SMTP message flow
This diagram shows the message flow using the SMTP protocol with an Internet
UA and MTAs:
[Diagram: SMTP message flow between UAs, MTAs, and the MDA across the Internet, showing the MQ, MS, LMS, DNS, and Directory; transfers are labeled SMTP and retrieval is labeled POP or IMAP.]
This table describes the steps of the message flow using Internet mail protocols
with an Internet UA and MTAs:
Step Action
1 The UA is used to create the message and includes the software to
initiate the lookup of the MTA IP address in the DNS and transfer
the message to the MTA.
2 The message is transferred to the MTA via SMTP.
Whether for message transfer or delivery, the MTA stamps its name
and the current date/time that it handled the message to the email
header.
3 The message is written to the MQ, which could be a text file or a
relational database.
4 By default, the message is also saved to a local message store
(LMS) on the UA.
5 The sending MTA looks at the recipient address to find the
destination domain.
The sending MTA sends the domain name to the Domain Name
Service (DNS), the DNS finds an MX Record (Mail Exchange) for
an MTA in the destination domain, and the DNS returns the IP
address of the highest preference recipient MTA to the sending
MTA.
The sending MTA initiates a TCP/IP connection to the IP address of
the recipient MTA.
6 - 7 An SMTP connection request is made to the receiving MTA.
8 The receiving MTA responds to the connection request and the
sending MTA sends the message header to the receiving MTA.
9 If the message is accepted by the receiving MTA, the sending MTA
transfers the message contents (using the DATA command).
When the transfer is complete, the receiving MTA acknowledges
receipt and waits for another message transfer or disconnect.
10 The MTA then uses its local directory (not DNS) to determine
where to transfer or deliver the message inside the domain. If the
recipient Mail database is on:
• the same server, look up the recipient’s mail account name to
find the user’s Message Store (MS) database file name
• another server in the same domain, transfer the message to that
server via SMTP.
11 Copy the message out of the local MQ to the user’s Mail database
(MS) using an internal database procedure call.
Delete the message from the MQ.
12-13 If the UA is using POP3, it contacts its MDA (in this case a POP
mail server). The MDA uses an internal database procedure call to
retrieve the message from the MS and allows the UA to move the
message to its LMS.
If the UA is using IMAP4, the user has the choice of downloading
the message to the LMS or reading (and leaving) the message on the
server.
Note: Some UAs using POP3 also allow you to leave the messages
on the server, but with limitations solved by IMAP4. The
distinctions between these two protocols will be described in a later
Topic.
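Step 2 notes that each MTA stamps its name and the date/time into the email header; reading those stamps back is how an administrator reconstructs the path a message took. The following is an added example, not part of the course: it assumes the stamps are the standard Internet mail Received header lines, and the sample message, host names, IDs, and times are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message. Each MTA adds its stamp above the existing
# headers, so the newest stamp is the first Received line.
SAMPLE_MESSAGE = """\
Received: from mta1.globalus.example (mta1.globalus.example [192.0.2.10])
\tby mail.globalint.example with ESMTP id C3;
\tMon, 01 Mar 2010 10:00:09 -0500
Received: from relay.globalus.example (relay.globalus.example [192.0.2.5])
\tby mta1.globalus.example with ESMTP id B2;
\tMon, 01 Mar 2010 10:00:04 -0500
Received: from [198.51.100.23] (helo=laptop)
\tby relay.globalus.example with ESMTP id A1;
\tMon, 01 Mar 2010 15:00:01 +0000
From: jsmith@globalus.example
To: mjones@globalint.example
Subject: Quarterly numbers

Body text.
"""


def parse_hops(raw_message):
    """Return the Received stamps in the order the MTAs handled the message."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())            # unfold continuation lines
        stamp, _, date_text = value.rpartition(";")
        sent_by = re.search(r"\bfrom\s+(\S+)", stamp)
        handled_by = re.search(r"\bby\s+(\S+)", stamp)
        try:
            when = parsedate_to_datetime(date_text.strip())
        except (TypeError, ValueError):
            when = None                            # stamp without a usable date
        hops.append({
            "from": sent_by.group(1) if sent_by else None,
            "by": handled_by.group(1) if handled_by else None,
            "time": when,
        })
    return hops


def trace(raw_message):
    """Summarize each hop: who handled it, the delay, and chain continuity.

    'linked' is False when a hop claims to have received the message from a
    host other than the one that stamped the previous hop. Stamps added
    before the first MTA you control are supplied by the sender's side and
    cannot be verified, so a break in the chain is worth a closer look.
    """
    hops = parse_hops(raw_message)
    report = []
    for i, hop in enumerate(hops):
        prev = hops[i - 1] if i else None
        delay = None
        if prev and prev["time"] and hop["time"]:
            delay = (hop["time"] - prev["time"]).total_seconds()
        linked = prev is None or hop["from"] == prev["by"]
        report.append({"by": hop["by"], "delay_seconds": delay, "linked": linked})
    return report


if __name__ == "__main__":
    for entry in trace(SAMPLE_MESSAGE):
        print(entry)
```
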
Domino mail clients
Once a message has been routed to the user’s Home/Mail server and delivered to
the user’s Mail database, it is now up to the UA to access the message for reading.
There are four types of UAs (covered in this course) that can access a Mail
database on a Domino Server:
[Diagram: clients accessing Mail.NSF on the Domino Server: Notes Client (NRPC), Internet Mail Client (POP or IMAP, SMTP), Web Browser with iNotes (HTTP), and Outlook Client (NRPC).]
Domino supports these UA clients (and associated mail access protocols):
• Notes. Notes users can, of course, use native NRPC to access their Mail
databases on the Domino Server.
• Internet mail clients. Clients that support POP3 or IMAP4 can also access
the same Mail databases on a Domino Server, though via different protocols.
There are a wide variety of mail clients that support POP3 and IMAP4, such
as Mozilla Thunderbird, Qualcomm Eudora, Microsoft Outlook/Outlook
Express, and David Harris’ Pegasus Mail. Lotus Notes itself supports POP3
and IMAP4, but these should not be used in preference to the NRPC protocol,
which is far superior with respect to features, security, and reliability.
• Web Browser. Because the Domino Server is also an HTTP server, users can also
access Mail databases using Lotus iNotes from a browser (which has both
Full and Lite modes) and certain handheld devices (Ultralite mode). iNotes is
covered in Topic 26.
• Microsoft Outlook. Domino Access for Microsoft Outlook (DAMO) is a
client-side add-in that provides transparent access to Domino-based Mail
using NRPC calls. DAMO is covered in Topic 28.
A user can access the same Mail database (message store) using any of these
clients. While in the office, for example, the user has Notes to read messages, but
while at a client site accesses mail via a browser using Lotus iNotes (assuming, of
course, that the user’s Mail database—or a replica copy of it—is on a Domino
Server accessible over the Internet).
Note: The fact that Domino supports multiple mail clients does not mean that
all clients consume the same amount of server resources. While user disk space
is the same regardless of client/access protocol, compared to NRPC and POP3,
access to messages via HTTP (such as with iNotes) consumes significantly
more server CPU cycles because of all the conversion work to HTML. This
translates to a server supporting far fewer browser-based than other types of
users. See the still-relevant article at
ftp://ftp.lotus.com/pub/lotusweb/product/domino/Domino_7_Performance_Paper.pdf.
Note: This course does not explicitly cover Domino-hosted mail for hand-held
or wireless devices such as phones, pagers, or PDAs, including the current
IBM/Lotus products to support these devices
(http://www-306.ibm.com/software/lotus/category/mobile-wireless/), Lotus Notes Traveler
(http://www-306.ibm.com/software/lotus/products/notes/traveler.html), or the
many third party products available to support these devices. What you will
learn in this course, however, is pivotal to the operation of Domino in support of
these devices, as they rely on one of the other methods of accessing messages
(POP, HTTP, or even NRPC).
License implications
Just a quick note about licensing. Lotus charges a Client Access License (CAL)
fee for users who are listed in the Domino Directory for mail access, regardless of
protocol or mail client used. There is also an enterprise CAL, which includes both
general database access as well as mail access to the server.
Note: For the latest license information see
http://www-01.ibm.com/software/lotus/notesanddomino/clientpackaging.html.
Choosing a mail protocol
While the users’ location and connectivity capabilities usually determine the most
appropriate mail client, there are a few protocol-dependent issues that determine
which client can be used.
Which should you use? Consider these points when making a decision:
• You cannot use NRPC to transfer messages to Internet mail servers expecting
SMTP. You MUST enable SMTP to send/receive messages from Internet
mail servers.
• You can use the Internet as a Virtual Private Network (VPN) using NRPC to
transfer messages to other Domino Servers in your Domino Domain or to
other Domino Domains, either directly or via a third-party mail intermediary
that routes NRPC, such as Lotus Support
(http://www-306.ibm.com/software/lotus/support/lnn/), 4T Domino
(http://www.4tdomino.com/), or NaviSite
(http://messaging.navisite.com/ManagedLotusDomino.shtml). You can
encrypt packets between Domino Servers using an encryption key created as
a by-product of authentication to ensure secure transmission (this is on top of
any encryption and digital signing that Notes may use).
• Even if transferring messages destined for Internet addresses using SMTP,
there are advantages to using NRPC for server-to-server transfers inside your
Domino Domain (or to other Domino Domains). NRPC is a guaranteed
messaging system built on an internally managed, replicated directory.
Domino Administrator includes a number of tools to troubleshoot failures
and bottlenecks, including message trace, load balancing, statistics and event
handlers, and Domino Domain Management probes.
• When using the Internet mail and directory protocols, you are relying on the
DNS servers on the Internet (or Internal DNS for internal message routing) to
find an MX record for the destination Internet domain. When using NRPC
(whether over the Internet or not), you are instead relying on the
configuration in your own Domino Directory (and possibly though not
necessarily using the DNS for the destination server’s IP address). Who do
you trust more to guarantee service?
Network design
The diagrams shown in this course are functional diagrams that show the flow of
messages through various systems.
They don’t tell you much about how to design your network or how to connect
your network to your corporate WAN or to the Internet. Network design that
balances the sometimes-contradictory goals of throughput, resilience, and security
is as much science as magic.
Though beyond the scope of this course, we do have a few comments and
recommendations about network design:
• Domino (as a mail server) can be used in any network design from the very
simple single server connected directly to the Internet to the most complex
multi-tier, global network.
For more information about how to place Domino in large networks, the best
resource is the two-part article, Using Notes/Domino SMTP with a DMZ
available at www.ibm.com/developerworks/lotus/library/smtp-dmz1 and
http://www.ibm.com/developerworks/lotus/library/smtp-dmz2/.
• Notes and Domino are extremely well equipped with respect to messaging
security at all points, such as public/private key authentication of users and
servers, network packet encryption, message encryption/digital signatures
using both proprietary and standards-based technologies, server and database
access lists, Notes Execution Control Lists, etc. All these security
mechanisms are integrated and easily managed with Domino Administrator
and the Administration Process task. You will see many of these mechanisms
described in this course.
• With respect to message transport security, Domino includes an array of
mechanisms to help prevent everything from denial of service attacks to
spoofed addresses to spam. You will see how to configure these mechanisms
in this course.
• The most important thing we can stress is that in spite of Domino’s strengths
with respect to messaging security, there are far better products that you
should use as your front-line defenses against network attacks, mailed
viruses, spam, phishing, zombie relays, employees leaking company secrets,
employees deleting messages that must be kept for legal purposes, and a host
of other perils and challenges related to messaging. It is critical that you
employ a multi-layered approach to messaging security, with Domino as the
last defense and not the first or only defense.
Topic 2: NRPC Message Transfer and Delivery
Key points
This Topic builds on the basic concepts of NRPC as the message transport and
delivery protocol you learned in the previous Topic.
Key to NRPC message routing is the grouping of servers and users into a Domino
Domain. All nodes—servers and users—are defined in the Domino Directory for
that particular Domino Domain.
This Topic also looks at the internal fields of a message routed via NRPC.
Protocol independence
NRPC message routing was designed to operate on any network protocol.
Depending on the computing platform, NRPC was originally created to run over
NetBEUI/NetBIOS, NetBIOS over IP, NetBIOS over IPX, SPX, SPX II,
AppleTalk, TCP/IP, and TCP/IP IPv6, and over any network type (LAN, Internet,
WAN, MAN, etc.). This network protocol and type independence has allowed mail to
work even if the network is made up of a mixture of protocols with minimal or no
dependence on external directories, such as DNS, in order to work properly. All
that is necessary is a Domino Server that is connected to the network and
configured to use one or more network protocols.
In practice, however, most operating systems and networks today run only
TCP/IP, so most new Domino/Notes installations only run TCP/IP (and TCP/IP is
the only protocol supported between Domino Servers in a Domino Cluster).
Note: Starting with Domino/Notes 8.5, the proprietary X.PC used by Notes
Direct Dialup is no longer supported and the modems directory is not installed.
So if you rely on X.PC you cannot upgrade to 8.5.
Think Domino
When configuring mail to run on Domino Servers using NRPC, you need to focus
your thoughts on the Domino-think world, for example:
• “domain” means the Domino Domain defined in the Domino Directory—
NOT the IP domain or a Windows domain
• “directory” is the Domino Directory database and associated services—NOT
DNS or LDAP—which means that you have total end-to-end control over the
entire system without having to rely on outside parties or other servers
• “network” is a Domino Named Network—NOT the underlying physical
network or network protocols
• “connection” is a Connection document defined in the Domino Directory—
NOT any record you will find in the DNS.
Domino Domain
If a group of servers and users are all defined in the same Domino Directory, they
are in the same Domino Domain. The domain name is used:
• for Notes Mail message routing between Domino Domains
• to uniquely identify the Notes installation at a particular company.
As it is replicated to all servers, the Domino Directory is what servers use to make
decisions regarding message transfer and delivery, identifying how to find:
• other Domino Domains or Internet domains to transfer messages not
addressed to users within the domain
• the Home/Mail server of a recipient
• the Mail database name of a recipient.
The server finds its Domino Domain name when it starts from the Domain=
variable in the NOTES.INI. This was defined during Server Setup.
The Domino Domain is also required in the Server document so that it can locate
other configuration documents:
Note: Search Lotus Domino Administrator Help for “Ensuring DNS resolves in
NRPC -- Best practices” to see why the Server’s common name (e.g. HUB)
should be the same as the server’s name in DNS (e.g. hub.teamapps.com) and
have an A record linking the entry to a numeric IP address, and how the NET
Address field in the Server document should match as well (e.g.
hub.teamapps.com). But remember again that the IP domain name, while it may
be the same as the Domino Domain name, serves a different function.
The Domino Domain name must also be used on any Connection documents
between servers in two different Domino Domains (or between two servers in two
different Domino Named Networks in the same Domino Domain):
Later in the course you will create Connection documents for mail routing and
will also review inter-Organization authentication using Cross Certificates and
server security that was covered in the Lotus Domino Administration Basics
course.
Domino Named Networks
Servers in the same virtual location (having the ability to communicate
continuously on the same LAN/WAN) using the same protocol can be defined in
the same Domino Named Network. Being in the same Domino Named Network
means that the server can connect to any other server in the Domino Named
Network using a common network protocol without having to establish a dial-up
connection.
This diagram shows a Domino Domain with a single Domino Named Network:
[Diagram labels: Domain=TeamApps; TCPIP HQ]
Servers in the same Domino Named Network can:
• all be seen by Notes users whose Home/Mail server is also in the Domino
Named Network in the Open Database dialog box
• exchange messages automatically and immediately without further
configuration.
To see the networks, open the Domino Directory to the Networks view or expand
Networks in Domino Administrator:
This Navigation Pane shows several Domino Named Networks, including TCPIP
HQ, which is expanded to show several servers HUB, Magic, Mirage, etc. The
key on the icon for Magic means it is the Administration Server for the Domino
Directory.
The Domino Named Network name for a server is defined in its Server document
on the Ports – Domino Named Network Ports tab (under “Notes Network,” the
legacy name for “Domino Named Networks”):
Unlike Domino Domain names, which should be unique between companies,
Domino Named Network names are only used internally by the servers to develop
routing tables between servers in the same Domino Domain.
Since users never see Domino Named Network names, they do not have to be
user-friendly. You should code the name to include any administrator-helpful
information, such as a physical location and/or protocol.
Note: The Net Address field contains the protocol-specific address that other
servers and Notes clients use to locate the server on the network. In a TCP/IP
network, this is the fully qualified Internet host name (e.g.,
hub.teamapps.com). Though they serve different purposes, in a TCP/IP
network this address is typically the same as the one specified in the Fully
qualified Internet host name field on the Basics tab, for example:
Note: The first server you set up in your Domain will automatically be defined
as having the Domino Named Network name, Portname + “Network,” for
example, TCPIP Network. For additional servers, however, you must manually
enter the name in the Server document after registration but before setting up
the additional server. If the additional server is in the same Domino Named
Network, specify the exact same name when you set it up.
Multiple Domino Named Networks
If you have a network that uses different protocols or in which servers are
connected only via modem, you must create multiple Domino Named Networks.
This diagram shows three Domino Named Networks within the TeamApps
domain:
[Diagram labels: Domain=TeamApps; TCPIP HQ; TCPIP NY; TCPIP LA]
Two servers belong to TCPIP HQ because they both support TCPIP and
communicate on the same LAN. When users at the home office use the Open
Application dialog box, they see both servers.
The other servers belong to their own Domino Named Networks. Users only see
one server at those locations when they use the Open Application dialog box.
Keeping the servers in separate Domino Named Networks encourages users to use
their local server, which frees up bandwidth on slow leased lines for intra-server
communication (message routing and replication).
If users know the name of a server in another Domino Named Network, they can
still enter its name into the Server field in the Open Database dialog box. Once a
Bookmark is created or database icon is added to the workspace, of course, the
user no longer needs to remember the server name. (This assumes, of course, that
the Server Access List allows users from other Domino Named Networks to open
a server.)
Multiprotocol servers
Servers supporting multiple protocols are members of multiple Domino Named
Networks. This diagram shows a multiprotocol Domino Server that belongs to
two Domino Named Networks:
[Diagram labels: Domain=TeamApps; NetBIOS HQ; TCPIP NY; TCPIP HQ]
The multiprotocol server, running both NetBIOS and TCP/IP, is responsible for
replication and message routing between the Domino Named Networks.
Because the two Domino Named Networks intersect at one server, Notes Mail
delivery between the two Domino Named Networks through the multiprotocol
server is automatic and does not require further configuration (no Connection
documents are required). A Connection document is required, however, for
message routing between the server in the TCPIP NY Domino Named Network
and a server in TCPIP HQ. In this example, because the servers in NetBIOS HQ
and TCPIP NY do not have a protocol in common, they must route messages and
replicate indirectly via a server in TCPIP HQ (or you could configure a server in
TCPIP HQ as a Passthru Server).
NRPC routing
The placement of Domino Servers into Domino Named Networks and Domino
Domains affects message routing.
This diagram shows the major components and message flow of the Notes Mail
system architecture (assuming a LAN-based Notes user and NRPC routing):
[Diagram labels:
Client Mailer sends/saves memo;
Memo saved to User Mail File;
Router polls MAIL.BOX;
Memo deposited in MAIL.BOX of Home/Mail Server;
Instant delivery if on same server;
Instant transfer to another server's MAIL.BOX if in the same Domino Named Network;
Scheduled/Triggered transfer to another server's MAIL.BOX if in another Domino Named Network or Domino Domain]
Using Server and Connection documents, each Router independently builds a
routing table of least hop-count paths to all servers in its own Domino Named
Network and to those in other Domino Named Networks and Domino Domains
that require more information to successfully transfer messages (via Connection
documents).
When a message is found in MAIL.BOX, the dispatch thread:
• immediately delivers the message if on the local server (uses Person
document information to look up the user’s Home/Mail server name and
Mail database file name)
• immediately transfers the message if the other server is in the same Domino
Named Network
• waits for the Connection document schedule/threshold to come true and
hands the message over to the appropriate transfer thread for transfer out of a
specified port to another Domino Named Network or Domino Domain.
The process repeats at each server hop until the terminal destination Home/Mail
server delivers the message to the user’s Mail database.
If the message calls for a Delivery Confirmation or Return Receipt, the process is
reversed and the sender is sent the confirmation or receipt. The specific path of
servers may or may not be the same.
Note: If you are routing messages to another Domino Domain, be aware that
you can only configure the routing of messages to a point server in the other
domain. It is up to the administrators in the other Domino Domain to configure
routing within the domain and to configure routing back to a point server in
your domain. You will configure inter-domain routing in a later Topic.
Router task
NRPC message routing (transfer and delivery) is handled by the Router server
task. This multi-threaded task is started when the server starts as a result of being
listed in the ServerTasks= variable in the NOTES.INI, for example:
ServerTasks=Replica,Router,Update,Stats,AMgr,Adminp, <etc.>
The Router task should also be enabled in the Routing task field in the Server
document:
In a single server environment, or if all servers are in the same Domino Named
Network (and have the Router task running as shown above by selecting Mail
Routing), there really isn’t much else you need to do to establish basic NRPC
email within your domain.
The Router makes its decisions about where to transfer or deliver a message based
on information found in the:
• incoming or outgoing message SendTo field (and possibly CopyTo and
BlindCopyTo fields)
• Domino Directory hidden views (primarily $Users, which selects Person,
Group, Mail-in Database, and Certifier documents):
The first step in processing a message is to parse the address following “@” to find
the domain name (Domino or Internet). The Domino Domain is specified in the
Server document (as well as in the NOTES.INI), so this is easy to find.
Assuming that the message is addressed to this domain, look up the address in the
$Users view. If a match is found, use the MailServer and MailFile values to move
the message from the MAIL.BOX to the user’s Mail database (the database location
is specified in each user’s Person document) for delivery or to another server’s
MAIL.BOX for transfer.
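The routing decisions described above (parsing the domain after "@", the $Users lookup, and least hop-count paths across Domino Named Networks and Connection documents) can be modelled as follows. This is an added Python sketch, not Domino's own code; the servers Legacy and NYC, HUB's membership in NetBIOS HQ, the two users, and the mail file names are assumptions made for the example.

```python
from collections import deque

LOCAL_DOMAIN = "TeamApps"

# Server documents: server -> Domino Named Networks it belongs to.
# HUB acting as the multiprotocol server, Legacy and NYC are assumed names.
NAMED_NETWORKS = {
    "Magic": {"TCPIP HQ"},
    "HUB": {"TCPIP HQ", "NetBIOS HQ"},
    "Legacy": {"NetBIOS HQ"},
    "NYC": {"TCPIP NY"},
}

# Connection documents as (source, destination); each covers one direction.
CONNECTIONS = {("HUB", "NYC"), ("NYC", "HUB")}

# Stand-in for the $Users view: name -> (MailServer, MailFile). Constructed.
USERS = {
    "peter smith": ("Magic", "mail/psmith.nsf"),
    "nina york": ("NYC", "mail/nyork.nsf"),
}


def links(server):
    """Servers reachable in one hop, with how the transfer is triggered."""
    out = []
    for other in sorted(NAMED_NETWORKS):
        if other != server and NAMED_NETWORKS[other] & NAMED_NETWORKS[server]:
            out.append((other, "immediate"))   # shared Domino Named Network
    reachable = {name for name, _ in out}
    for src, dst in sorted(CONNECTIONS):
        if src == server and dst not in reachable:
            out.append((dst, "scheduled"))     # needs a Connection document
    return out


def route(src, dst):
    """Least hop-count path from src to dst as [(server, link_type), ...]."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        here = queue.popleft()
        if here == dst:
            path = []
            while prev[here] is not None:
                came_from, kind = prev[here]
                path.append((here, kind))
                here = came_from
            return path[::-1]
        for nxt, kind in links(here):
            if nxt not in prev:
                prev[nxt] = (here, kind)
                queue.append(nxt)
    return None


def dispatch(local_server, address):
    """Decide what the Router on local_server does with one recipient."""
    name, sep, domain = address.rpartition("@")
    if not sep:                       # no "@": a name in the local domain
        name, domain = address, ""
    if "." in domain:                 # a period marks an Internet domain
        return ("internet", domain)
    if domain and domain.lower() != LOCAL_DOMAIN.lower():
        return ("other-domain", domain)   # needs routing to that domain
    entry = USERS.get(name.strip().lower())
    if entry is None:
        return ("failure", "no match in $Users")
    mail_server, mail_file = entry
    if mail_server == local_server:
        return ("deliver", mail_file)
    path = route(local_server, mail_server)
    if not path:
        return ("failure", "no route to " + mail_server)
    next_server, kind = path[0]
    return ("transfer-" + kind, next_server)


if __name__ == "__main__":
    for addr in ("Peter Smith", "Nina York@TeamApps", "Fake User",
                 "Fake User@FakeDomain", "FakeUser@fakedomain.com"):
        print(addr, "->", dispatch("Legacy", addr))
```

Removing either entry from CONNECTIONS shows why a Connection document is needed in each direction: the path to or from NYC disappears and dispatch reports a failure instead of a next hop.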
Router task functions
With no additional configuration the Router task performs these functions:
• transfers messages simultaneously out multiple LAN ports
• employs multiple transfer threads to the same target server so large messages
don’t impede smaller messages destined for the same server
• determines when to deliver messages based on message delivery priority and
queues large messages to be transferred or delivered off-hours
• sends delivery failure messages and return receipts back to senders
• marks undeliverable messages as “dead” if there is no connection or route
found back to sender to return a delivery failure and stores them in MAIL.BOX
for administrative action
• logs its actions and maintains a full complement of performance statistics.
With very little additional configuration, the Router also performs these functions:
• determines the next server hop in a computed “shortest path” when there are
a number of Connection documents in the same Domino Directory
• has a limited ability to route around unsuccessful connections and recover to
the normal/preferred route when the connection is restored
• generates events that can be handled by the Event task and responds to
Domino Domain Monitoring messaging probes
• monitors Mail database size using quotas and optionally restricts additional
messages from being created until the size is reduced.
As the course progresses, you will learn how to configure these and other Router
task functions.
Exercise: Test message delivery
Follow these steps to test the delivery of messages on a single server (which is by
default in a single Domino Domain and single Domino Named Network):
Step Action
1 Make sure your Domino Server is running and the Server Console is
showing.
2 Work in Notes.
3 Press Ctrl+M to create a new message.
4 Because there is only one Notes user (you) in your Domino Domain
and you do not yet have Connection documents to other Domains,
address the new message to yourself.
5 When you send the message, watch the Server Console messages on
the server.
6 Press F9 to refresh your Inbox view to find the message you
received.
7 As an experiment, try sending a message to this user:
Fake User
What happens at the client? At the server?
8 Try sending a message to this user:
Fake User@FakeDomain
This is a Notes user’s address in another Domino Domain name.
What happens at the client? At the server?
9 Try sending a message to this user:
FakeUser@fakedomain.com
Notes interprets this as an Internet address because the domain name
(anything after the “@”) has a period in it. What happens at the
client? At the server?
10 Open the Notes Log database on the Domino Server. Switch to the
Mail Routing Events view.
Open up the Log document(s) for today and find the events related
to your mail activity.
11 Working at the Server Console (or in the Remote Server Console),
enter these commands one at a time:
>tell router delivery stats
>tell router show queues
12 Or, from the list of Server Tasks in Domino Administrator, right-
click the Router task and choose Tell Task to select the same
commands:
The output displays delivery statistics and information about
messages held in the transfer and local delivery queues.
Message document internals
Open your Inbox and right-click a message you have received. Choose Document
Properties and click the Fields tab to expose the internals of the message
document:
Most of the fields have been added by the Notes Mailer user (such as SendTo,
Subject, and Body), but some are added by Notes as part of the form design, and
others by the Router as it processes the message document.
The standard fields (for both Notes and Internet mail) that make up a message
document are the SendTo, Subject, and Body fields (if the message is long, there
will be more than one Body item listed—all of the items are put together when
reading the message). Additional addresses are stored in CopyTo and
BlindCopyTo (if used).
The From and FromDomain (if from a different Domino Domain) fields tell you
who sent the message.
The PostedDate field indicates when the user sent the message, while the
DeliveredDate is when the Router wrote the document to the user Mail database.
RouteServers and RouteTimes are multi-value fields that collect all of the Router
names that handle a message. Since you have only seen delivery on a single
server, you will only see one server name and a single timestamp pairing. When
you route a message between Domino Servers, you will see all of the names here.
To see the internals of a message document a bit more clearly, open the message
you received and click the More action button and choose Delivery Information.
The Delivery Information dialog box opens:
The Delivery and Routing Information field shows the PostedDate and
DeliveredDate fields; scroll down to see the RouteServers and RouteTimes
information.
As you may suspect, the Delivery Options and Importance fields are also stored
in various fields in the message document.
The time and date stamps can be seen on the Document Info tab in Document
properties.
Since the server wrote the document to your Mail database, it is listed as the last
modifier.
The first two lines on the last tab show the Universal Note ID (UNID) of the
message document that was sent; the UNID uniquely identifies a document:
When the Router logs its transfer and delivery actions in the Domino Server Log
(LOG.NSF) database, it records only the last eight characters of the UNID:
When written to the recipient’s Mail database, the UNID will typically stay the
same (unless there happens to be a duplicate, in which case a new, unique UNID
is assigned), so you can, if necessary, track the message down in the logs of
servers listed in the RouteServers field and also compare the message in the
sender’s and recipient’s Mail databases. (You will do this later in the course.)
The “DB” identifier will always change in the recipient copy of the message
document to match the Replica ID of the recipient’s Mail database.
Note: For more information about document identifiers, read the Lotus Support
document, What Are the Components of a Note ID? found at
http://www.ibm.com/support/docview.wss?rs=899&uid=swg27002668.
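The message-tracing procedure described above, as an added Python sketch that is not part of the course material: it derives the eight-character log key from a UNID, then checks each server named in RouteServers for matching Router events. The log line wording, timestamp layout, UNID value, and the NYC/TeamApps server are constructed for the example, and the UNID is assumed to be written as one 32-hex-digit string.

```python
import re
from datetime import datetime

# Constructed sample data: the line wording and timestamp layout are
# illustrative only, not copied from a real LOG.NSF.
SAMPLE_LOGS = {
    "Magic/TeamApps": [
        "2010-03-02 09:14:07 Router: Message 0051A3F2 transferred to HUB/TeamApps",
        "2010-03-02 09:14:09 Router: Message 7C2290BE delivered to Peter Smith/TeamApps",
    ],
    "HUB/TeamApps": [
        "2010-03-02 09:14:08 Router: Message 0051A3F2 transferred to NYC/TeamApps",
    ],
    "NYC/TeamApps": [
        "2010-03-02 09:20:31 Router: Message 0051A3F2 delivered to Nina York/TeamApps",
    ],
    "Mirage/TeamApps": [   # not on the route, but the same eight characters
        "2010-02-11 17:02:55 Router: Message 0051A3F2 delivered to Ann Lee/TeamApps",
    ],
}
SAMPLE_UNID = "852576D9004A1B2C852576D90051A3F2"            # constructed
SAMPLE_ROUTE_SERVERS = ["Magic/TeamApps", "HUB/TeamApps", "NYC/TeamApps"]
SAMPLE_ROUTE_TIMES = ["2010-03-02 09:14:07", "2010-03-02 09:14:08",
                      "2010-03-02 09:20:31"]

EVENT = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) Router: Message ([0-9A-F]{8}) "
    r"(transferred|delivered) to (.+)$")
STAMP = "%Y-%m-%d %H:%M:%S"


def log_key(unid):
    """Last eight characters of the UNID, the part the Router logs."""
    unid = unid.strip().upper()
    if not re.fullmatch(r"[0-9A-F]{32}", unid):
        raise ValueError("expected the UNID as 32 hex digits")
    return unid[-8:]


def trace(unid, route_servers, route_times, logs):
    """Match Router log events to the hops recorded in the message itself."""
    if len(route_servers) != len(route_times):
        raise ValueError("RouteServers and RouteTimes must pair up")
    key = log_key(unid)

    def events_on(server):
        found = []
        for line in logs.get(server, []):
            m = EVENT.match(line)
            if m and m.group(2) == key:
                found.append((m.group(1), m.group(3), m.group(4)))
        return found

    hops, previous = [], None
    for server, stamp in zip(route_servers, route_times):
        when = datetime.strptime(stamp, STAMP)
        delay = None if previous is None else (when - previous).total_seconds()
        hops.append({"server": server,
                     "seconds_since_previous_hop": delay,
                     "events": events_on(server)})
        previous = when
    # Hops the message claims but the logs do not confirm.
    missing = [h["server"] for h in hops if not h["events"]]
    # Same key on a server outside RouteServers: a different message.
    unrelated = sorted(s for s in logs
                       if s not in route_servers and events_on(s))
    return {"key": key, "hops": hops, "missing": missing,
            "unrelated": unrelated}


if __name__ == "__main__":
    report = trace(SAMPLE_UNID, SAMPLE_ROUTE_SERVERS, SAMPLE_ROUTE_TIMES,
                   SAMPLE_LOGS)
    for hop in report["hops"]:
        print(hop)
    print("missing:", report["missing"], "unrelated:", report["unrelated"])
```

Because the log key is only the tail of the UNID, a match is meaningful only on servers listed in RouteServers; a listed server with no matching event, or a long gap between hops, is where to look next.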
Topic 3: Notes Configuration
Key points
There are a number of options with respect to how Notes sends and receives
messages, but there are really only a few basic settings that control how Notes
interacts with the Domino Server with respect to email. The settings answer these
questions:
• What is required for the user to create a new message from anywhere in
Notes?
• How is the message content formatted for the recipient (Notes Rich Text or
MIME)?
• What is required to send the message?
• What is required for the Router to deliver messages to a user’s Mail
database?
• What is required for users to read their messages?
Beyond these basic questions, all of the other configuration options are related to
the usability and add-on features of the UA itself.
Another fundamental question is how users address their messages. This is
covered in a later Topic when we discuss directories.
Note: We can assume in this Topic that:
• Notes is connected to the Domino Server on a local area network
• the user’s Notes ID has been certified or cross-certified by a Certifier ID in
the server’s Organization so authentication is possible (User ID is not locked
out due to incorrect password)
• the user is allowed to access the server (is represented in the Server Access
List in Server document, is not in any “Deny Access” group, and is in no
other way blocked from accessing the server)
• the -Default- access of MAIL.BOX on the Domino Server is Depositor (this
prevents users from reading or tampering with other users’ messages)
• the user has at least Editor access to his/her Mail database.
Create message
What is required for a user to create a new message anywhere in Notes?
Before answering this question, it is important to remember that Notes knows
who the current user is, and the user’s current Location name from the Notes User
ID file name specified in the NOTES.INI variables Keyfilename= and Location=.
With these two pieces of information Notes learns from the current Location in
the local Contacts that the user’s Mail database is on a Domino Server (Location
documents are used by both the Notes Basic and Standard configurations; the
second image is from Preferences in Notes Standard configuration which is just a
different UI but with the same settings):
The Mail database name and Domino Domain name are specified; the user has
his/her own database (the .NSF extension is optional), which exists on the
Home/Mail server.
The Home/Mail server on which the user’s Mail database resides is specified on
the Servers tab in the Location document using the fully distinguished name, for
example:
When the user creates a new memo (presses Ctrl+M, clicks the New button on
the Mail bar on the Basics Home Page, opens Mail and clicks the New action
button, or chooses Create – Mail – Message anywhere outside of Mail), the
Memo form from the specified database (mailpsmith.nsf) on the specified
server (Magic/TeamApps) is opened.
If the:
• Mail file field does not specify a valid path and file name on the Home/Mail
server (or on the local hard drive if configured for Local mail), the Create -
Mail menu will display (None Available).
• Mail file location field is set to Local, then the Mail database must exist on
the local hard drive (ideally in the same subdirectory structure as on the
server).
Otherwise because the user has Editor+ access to the database and can create new
documents in it (both ACL settings), the new message opens.
Note: Location documents can be keyed to the User ID on the Advanced –
Basics tab, so that the Home/Mail server, Mail database file name, and other
settings all switch based on the User ID currently active. This allows a single
copy of Notes to be shared by multiple users by merely switching to another
location. For a more robust multi-user client, though, you should set up Notes to
run specifically as a multi-user client. The Lotus Notes Support course describes
how to do this.
Message format
Most modern email software (including Notes) allows you to send messages that
include formatted text and attachments. How the message content (the Body field)
is formatted for a particular recipient depends on the recipient UA. If the recipient
UA is:
• Notes, the message is formatted using the proprietary CD (Composite
Document) rich text structure, which offers the greatest fidelity and retains
special Notes features such as sections and Document Links
• an Internet email client, the message is converted (as best as possible) from
the CD format to MIME (Multipurpose Internet Mail Extensions), using
plain text, HTML, or both in the same message.
It is ultimately up to the Notes user to determine the message format, but Notes
can be configured to help in this effort. How does Notes know which format to
use, especially if sending the message to multiple recipients, some who use Notes
and others who use an Internet email client?
The first thing Notes does is check the Domino Directory for the recipient; if
found, the recipient’s Person document specifies the preferred message format:
Thus, for recipient UAs that can interpret MIME (for all Internet mail picked up
by POP and IMAP users), the Notes Mailer creates a version of the message that
uses MIME.
For recipients that can read only Notes Rich Text (Notes 4.x and prior), the Mailer
creates a version that uses the CD format.
If the setting is Keep in senders’ format, the message is sent using the field
definition in the mail template (which by default is the Notes Rich Text format). It
is then up to the recipient’s UA to convert the Body field format.
The recommended settings are:
• Keep in senders’ format if the UA is Notes R5 or higher.
• Prefers MIME if the UA is POP3 or IMAP.
• Prefers Notes Rich Text if the UA is Notes pre-R5.
If the recipient domain name has a period (meaning it is an Internet address), the
recipient’s format preference won’t be found in the Domino Directory. Instead,
the Notes Mailer looks to the current Location document for instructions on how
to format messages bound for the Internet (the last field):
With the MIME Format preference set, all recipients outside the user’s Domino
Domain with Internet addresses will receive messages in the MIME format.
But wait, there’s more! The User Preferences (File – Preferences – User
Preferences – Mail – Internet in Notes Basic configuration) determine whether
the MIME is sent as HTML, reduced to text, or both (if the recipient mail client
supports HTML it will use the attachment; otherwise the text is used):
In Notes Standard configuration, choose File – Preferences to open User
Preferences. Then expand Mail – Internet to find the Internet mail format setting.
If set to Prompt when sending, the user is prompted when the message is
actually sent to select the format of the MIME encoded content:
It is up to the user to know the message format capabilities of the recipient UA.
Note: All the MIME recipients in a message’s Address fields will be converted
to the same format. If you want to send a particular format to a particular
person, you will have to create another message. If some recipients are also
Notes users, the result is that you will possibly see two messages being
deposited in MAIL.BOX—one for Notes Rich Text format, and one for MIME.
Submit message to recipient
What is required to enable Notes to send a message?
The fact that a particular message is saved to a user’s Mail database is a function
of that user:
• having the rights in the ACL to author documents in that database
• choosing to save the message when it was sent:
Note: User Preferences (Mail – Sending and Receiving) also determines if the
default button performs a Send & Save or Send Only:
If the user opts to send the message, the message document is deposited in the
MAIL.BOX database on the Home/Mail server specified in the current Location
document stored in the local Contacts.
Once the document is deposited to the MAIL.BOX database on the server, it is up to
the Router task to poll that database for messages to transfer or deliver.
If the user Mail database file location is set to Local (for mobile users), the
message document is saved to the local MAIL.BOX database. When the user
schedules or forces a message transfer, the documents in the local MAIL.BOX
database are moved to the MAIL.BOX database on the Home/Mail server.
Deliver message to user
What is required for the Router to deliver messages to a user’s Mail database?
If a message originates from a Domino Server other than the user’s Home/Mail
server, the message is transferred by the server to the next hop on the way to the
user’s Home/Mail server using the same process of depositing the message into
the next server’s MAIL.BOX database, and if successful, deleting it from its own
MAIL.BOX.
When the message arrives at the recipient’s Home/Mail server, the Router
performs a lookup of the user’s name from a view of Person documents to find
the Home/Mail Server field to match. It then looks for the Mail database file name
and deposits the message into that database. If successful, the Router deletes the
document from its MAIL.BOX database.
Again, how the message is stored depends on the recipient’s Person document,
which specifies the preferred message format.
Read messages
What is required for a user to read messages using the Notes UA?
When the user clicks the Mail icon on the Home Page or clicks in Notes
Standard configuration and chooses Mail (or any other ways to open Mail), again,
the Location document is used to determine which database to open on the
specified Home/Mail server (or the Local drive).
User registration
Most of the Person document (in the Domino Directory) and Location document
(in the local Contacts) information for Notes Mail delivery is created as part of
user registration and/or Notes setup; you do not generally have to create this
information manually.
User registration is covered fully in the Lotus Notes Administration course, but
let’s review the mail-related aspects of registering a new user.
The Mail page in the Register Person dialog box (with the Advanced check box
selected) is where you set the Home/Mail server, mail system type, Mail database
design template and file name, and the ACL setting for the user:
This table describes the fields on the Mail tab:
Field Function
Mail system:
Choose from Lotus Notes, POP, IMAP, or iNotes, which
all use a Notes database to store user mail.
If set to Other Internet or Other, a new field appears where
you can enter the user’s forwarding Internet or other mail
address (a Mail database will NOT be created for the user)
so other users can address memos and send them via an
MTA or gateway.
Choose None if the user doesn’t need mail or you want to
configure it later.
Mail Server button:
The fully distinguished name of the Home/Mail server, for
example:
Mail Magic/TeamApps
The Home/Mail server performs several functions:
• stores the user’s Mail database
• is responsible for running the Administration Process to
make any changes to the Mail database
• using the list of servers in the same Domino Named
Network, presents the user with a list of servers in the
Open Database dialog box
• serves as a network name resolver to help Notes find
other Domino Servers if:
  • the server name cannot be resolved using protocol-
  level methods or a numeric IP address is required
  • the server name is different from the protocol-specific
  name (such as the computer host name)
  • the server uses different common names in the Server
  document Net Address field; the Home/Mail server
  picks the correct name given the Notes protocol.
Mail file
name
The path and database file name for the user. By default the
file name is created using the first letter of the user’s first
name and first seven characters of the last name.
If the directory does not exist, it will be added automatically
under the DATA directory. You cannot, however, specify a
linked directory name here.
Note: For easier administration, you should always create
all Mail database files in a separate mail directory (or
directories) under the data directory. The default is MAIL.
Mail file
template
Unlike previous versions of Domino that had multiple mail
templates, there is now just the single Mail (R8.5) (MAIL85.NTF)
design template for all Mail UA types (Lotus Notes,
POP/IMAP, iNotes, and Domino Access for Microsoft
Outlook/DAMO).
If your company has created a custom template, you can
specify that template name instead of the default. You may,
for example, provide additional views and custom forms
(employee reviews, travel authorization, timesheets, etc.), or
reduce the functionality to shrink the user Mail database file
footprint, such as by removing the code for browser access if
the user will never access Mail with a browser.
Note: You will learn later in the course how to use a
central design and/or compress design elements to save
space.
Mail File
Replicas
button
Allows you to create a replica of the user Mail database on
more than one server; typically when using Domino
Clustering, Mail databases are stored on at least two servers
in the cluster.
Mail file
owner access
The setting the user has in the ACL. If set to:
• Editor, users can delegate their Mail and enable the Out
of Office agent. This is the recommended setting.
• Designer, users also can change the design (and block
design updates) and create a full text index (if you don’t
create it now). Generally not recommended.
• Manager, users have complete control over their Mail
databases, including the ability to change the ACL and
delete the database. NOT recommended!
Note: If you give Editor or Designer access, you (the
person registering the user) will be given Manager access
in the database ACL. Remember that Full Access
administrators can still control the ACL of any database.
Note: For users to delegate Mail database access, they must
also have Author access in the Administration Requests
database (this may be accomplished by setting –Default– to
Author or, more likely, by giving the Organization, e.g.,
*/TeamApps, Author access).
Mail file
manager
Adds an entry to the ACL with Manager access if the user
isn’t set as Manager.
The idea is to have at least one person or group listed as
Manager, and if not the user, then ideally a group name of
trusted administrators responsible for managing user Mail
databases.
If the user is set to be Editor or Designer in the previous
field, the person doing the registration will be set as
Manager in the ACL unless this field contains a user or
group name, in which case that name will be set as Manager
to the ACL.
Create file in
background
If you create the Mail database(s) now (option is not
selected):
• registration will take much more time
• you must have physical connectivity to the Home/Mail
server(s).
If you let the Administration Process create the database(s)
in the background (option is selected):
• registration will go much faster
• you don’t need to have physical connectivity to the
Home/Mail server if it is at a remote location
• the Create Mail File Administration Request placed in the
Administration Process Requests database must replicate
to the Home/Mail server and be processed before you can
set up the user.
Whether created now or in the background, you must have
the right to create databases on the Home/Mail server(s).
If you migrate users from other mail directories, you must
create the Mail databases now.
Create full
text index
Allows users to quickly search their mail for words and
phrases. Keep in mind that full text indexes can be as large
as 75% of the database size.
We recommend that you create the index later using the
Database - Full Text Index tool in the Files function tab in
Domino Administrator. This is actually a better way to
create the index, as you can also set various options that
affect the search capability and index size.
Note: If you had set the user access level to Editor earlier,
the user will not have sufficient access to create the full text
index him/herself.
Set database
quota/
warning
threshold
Specify the maximum file size of the user’s Mail database. If
users exceed the quota, by default they can still receive mail
but cannot save mail until they delete existing messages.
Specify the warning level at which users are notified that
they are about to exceed their quota.
Note: You will learn how to set/reset quotas and how they
are enforced later in the course.
The Address tab (also appears when you check the Advanced check box) lets
you add the user’s Internet email address and Internet domain to allow the user to
receive mail from the Internet addressed to them:
This table describes the fields on the Address tab:
Field Function
Internet
address
This is the email address of the user that is used when the
Mail Router routes mail from the Internet.
Tip: The Internet address will be created for you if you
leave this field blank, enter the Internet Domain on the right,
and have selected an Address name format option and
Separator. You will see the address being built as you type
in the Internet Domain name. If you type an address in the
Internet Address field, however, your entry will override the
auto-generated address.
Internet
Domain
The registered Internet domain name used to send mail from
the Internet into your company. This name corresponds to one
or more MX records in the public DNS.
Address
name
format/
Separator
Determines how a user’s name should be concatenated to
automatically create the Internet address.
Note: Once you decide on a particular format, you should
stick with it for all users, especially if they have advertised
their address. If you want to change the Internet Address
format later, you can do so using the Set Internet Address
tool in the People & Groups function tab.
Tip: The default values for user registration fields can be set with an explicit or
Organizational Policy document that is paired to Registration and Setup
Settings. Then repeat the settings in the Desktop Settings policy so you can
dynamically reconfigure the user settings. The Lotus Notes 8 Administration
course describes how to do this.
Note: Domino Administrator also includes migration tools to move users from
cc:Mail, Exchange, Netscape Mail, Windows directory, or an LDIF file (the
result of an export from an LDAP directory). There are also third-party
migration tools that you can use to port email accounts and files to other clients
(e.g., http://www.binarytree.com/). Migrating from Exchange? See the
still-relevant IBM Redbook “Migrating from Microsoft Exchange 2000/2003 to
Lotus Notes and Domino 7” at
http://www.redbooks.ibm.com/redpieces/abstracts/sg247777.html?Open.
Exercise: Test message delivery
Follow these steps to show how settings in your Person document in the Domino
Directory and your Location document in your local Contacts affect your ability
to create, send, and read messages:
Step Action
1 Make sure your Domino Server is running and the Server Console is
showing.
2 Work in Notes.
3 Open the Domino Directory on your server.
Open the Messaging - Mail Users view and determine your
Home/Mail server, Mail Address, and Mail File names.
This view (also available in Domino Administrator) gives you an
overview of users who have a Mail database file name listed by
Home/Mail server.
This view is also helpful to ensure unique address and file names, as
well as to distinguish users who have been registered in the Domino
Directory but who are not set up for mail.
4 Open your Person document in Read mode.
Click the Basics tab to see the information the server uses to deliver
messages to your Mail database.
Close the document.
5 Open the Messaging - Networks view and locate the Domino Named
Network that your Home/Mail server belongs to.
There is probably only one server in the Domino Named Network. If
there were more servers, messages would be instantly transferred to
those servers for delivery to users with Mail databases on those
servers.
6 Choose File – Preferences - Location Preferences to open your
current Location document.
Click the Servers tab. What is the name of your Home/Mail server?
This should match what your Person document said.
Click the Mail tab. Where is your Mail database located? This
should match what your Person document said.
7 Press Ctrl+M to create a new message.
Which Mail database is opened? (Use Database properties to
verify.)
What controls which database opens?
8 Address the new message to yourself.
9 Send the message.
Which Home/Mail server is used when sending the message? What
controls which server is used?
10 Close your Mail database.
11 Click the Mail bookmark.
Which Mail database is opened? (Use Database properties to
verify.)
What controls which database opens?
Topic 4: Inter-Domino Named Network NRPC Routing
Key points
As you know, you do not have to configure message transfer between two
Domino Servers in the same Domino Named Network; the messages are
transferred and delivered immediately regardless of any delivery priority set by
the user. This Topic looks at message transfer using NRPC between two:
• Domino Named Networks in the same Domino Domain
• different Domino Domains.
The basic mechanism to enable inter-Named Network message routing is a
Connection document in the Domino Directory on both ends (and any nodes
between), so that messages can route both ways.
When you need Connection documents
If you only have a single Domino Named Network or never want to route
messages via NRPC to another Domino Domain, you do not have to create any
Connection documents for message routing. We’ll look at an example of several
Domino Named Networks that are not connected. The Messaging - Mail function
tab in Domino Administrator shows the Mail Routing Topology by Domino
Named Networks:
In this Domino Domain there are several Domino Named Networks. Within each
network, message routing to/from any server is automatic and immediate without
requiring any Connection documents that specify message routing (you will still
need Connection documents to schedule replication).
There will not, however, be any message routing (or replication) between the
Domino Named Networks without Connection documents defined.
Note: The topology map is rebuilt at 2 AM by the Maps Extractor server task.
After adding new Connection documents, you won’t see the new topology
maps. There is no way to force it to update immediately. You can try starting
the Maps task manually using this Server Console command (use the live
console):
>load maps
Then restart Domino Administrator. But in most cases, you won’t see new
drawings until tomorrow.
You can change the number of hours after the Map task starts that the maps are
rebuilt using the NOTES.INI variable Topology_WorkInterval=#hours. The
maps will then be rebuilt every #hours afterwards. Search Domino 7
Administrator Help for details.
If you have a large multi-network or multi-domain enterprise, however, then you
will undoubtedly create and maintain many Connection documents (typically
through one or more centralized Domino Servers acting as mail hubs).
The topology map, by the way, shows routing in the same Domino Named
Network (the legend for the topology diagram labels it “Default Mail Routing”) as
a solid blue line between two servers.
Though none are shown in the topology above, explicit connections would be
drawn with a dashed red line. In this other example, Sea and Rock are in the same
Domino Named Network, whereas Rock and Hub are not but do have a
Connection document defined:
There are several other examples of message routing that may or may not require
Connection documents. If you route messages via:
• SMTP to the Internet, you do NOT need Connection documents unless you
route messages first to a mail hub (such as outside the firewall) that is
responsible for routing messages to the Internet
• NRPC over the Internet, then you DO need Connection documents (there are
no MX records in the DNS that can be used for NRPC routing).
Two Connection documents are needed
Two Connection documents are necessary to send and receive messages from
another server in another Domino Named Network.
If you want to route messages:
• between Domino Named Networks within your own domain, you must
compose both Connection documents in your domain’s Domino Directory.
• to other domains, you must create a Connection document from one
server in your domain (through your Domino Named Networks) to one point
server in the other domain; the other domain’s Notes administrator is
responsible for creating a Connection back to your domain.
Caution: Never create a Server document in your Domino Directory for any
Domino Servers outside of your Domino Domain. This will totally confuse the
Router.
Create Connection document
Connection documents provide the Router with instructions on how and when to
transfer messages to another Domino Server outside its own Domino Named
Network or Domino Domain.
Follow these steps to create a Connection document relevant to message routing:
Step Action
1 Open the Configuration function tab in Domino Administrator.
Expand the Messaging item in the Context Pane and click
Connections to open the Connections view in the Domino
Directory.
2 Click the Add Connection action button.
A new Connection document opens:
Connection documents are used to schedule message routing and/or
replication. In this course, we are only interested in routing, but you
would typically work on the schedule for both tasks in the same
Connection document.
Note: Remember that because the Domino Directory is replicated
to all servers in your Domino Domain, you can define the routing
topology and schedule for all servers in the Domino Directory on
one server and the Connection documents will eventually replicate
to all the other servers.
3 Enter the field values (relevant to message routing) using the
following table.
Field Function
Connection
type
Specify the type of connection, the default type being Local
Area Network, in which the destination server is always
available over a network connection.
Network Dialup can also be used for message transfer, which
uses a RAS dialer to connect to a SLIP or PPP dial-up server.
There are several other specialty connection types you can
choose from, most of which are now obsolete.
The type of connection you select reveals additional fields or
an added tab to the Connection document.
Source server
and domain
The distinguished server name (e.g., Hub/TeamApps) and the
Domino Domain name of the server initiating the exchange.
Use the
port(s)
The name of the port through which the destination server
can be reached.
If the other server is available via multiple ports, you can
optionally put an * to let the server determine a port to use,
starting at the top of the enabled port list.
Note: Ports are named using the Server - Setup Ports tool in
the Server function tab in Domino Administrator. If a LAN
port, the port name is also entered in the Ports - Domino
Named Network Ports tab in the Server document.
Usage priority Affects how the source server finds the destination server,
which occurs in this sequence:
• determine a path to the destination server using
Connection documents with a Usage priority set to Normal
• if not found, probe all enabled ports for the destination
address (the method varies by protocol)
• use Connection documents with a Usage priority set to Low
• attempt to use a default Passthru Server to connect.
Note: If two ports are enabled in the same Domino Named
Network, you can force which port a server uses to connect
to the other server by setting the Usage priority of one to
Normal and the other to Low.
Destination
server and
domain
The distinguished server name (e.g., Spoke1/TeamApps) and
(Domino) domain name of the destination server (NOT the
Internet domain, as we are routing via NRPC here).
You can also enter a group name as the destination. The
Group document, in turn, contains a list of Domino Servers
in the Members field.
This reduces the number of Connection documents you need
to manage if messages are to route out to multiple servers in
the destination Domino Named Network or Domino Domain.
Note: Message transfer is sensitive to the destination
domain of the message.
If there are no messages bound for the destination domain,
no connection will be attempted.
If, on the other hand, a user sends a message to a user in
another domain to which there is no connection, the
message is returned to the user as undeliverable.
Optional
network
address
Specifies a network address if the common name of the
server is not a resolvable network address (such as when
using TCP/IP without a HOSTS file or a DNS).
Note: Lotus highly recommends using a TCP/IP host name
as opposed to a numeric IP address. If your server has
trouble contacting a DNS, enter the IP address instead.
Step Action
4 Click the Replication/Routing tab to define the parameters for
routing:
Enter the field values (relevant to routing) using the following table.
Field Function
Routing task Select Mail Routing for NRPC routing.
The other routing tasks listed are virtual connections that
allow messages using other protocols to travel via NRPC to a
server that has been enabled to route messages to the external
mail system.
Route at once
if
In addition to scheduled connections, the Router can initiate
an unscheduled connection if this threshold of messages to
the same destination server is reached.
At the extreme values, if you set it to 1, one Normal priority
message will cause the Router to make the connection. If you
set it to 999, the messages will queue until the next scheduled
transfer.
If all of your mail connections internal to your company are
over a high-speed WAN and you have bandwidth to spare (or
you use the Internet to route Notes Mail), there is really no
overall traffic savings by preventing instant delivery of
messages. Set the transfer threshold to 1 and allow messages
to travel freely.
For connections across slower lines, and especially via dial-
up modem, you should increase the threshold to a high
number so the connection is made only on a scheduled basis.
(You can disable high priority messages from routing
immediately on a server-by-server basis.) If the call is long
distance, you can schedule the call off-hours.
Note: It is more efficient to make a dial-up call and transfer
10 messages than to connect 10 times and transfer one
message each time. Over the LAN (or a fast WAN),
however, there is no overall performance advantage in
waiting to deliver messages all at once versus one at a time.
Besides, users won’t be happy if messages aren’t delivered
as soon as they send them.
Routing cost Generally set to 1 for LAN connections and 5 for Dialup
Modem connections. Used by each Router when it builds a
routing table that computes the least-costly (in number of
hops) route to any other server.
Caution: You can set the value from 1 to 10 to decrease the
likelihood that a particular path is chosen, but be careful, or
you may create a routing loop (message becomes dead after
25 hops). Lotus recommends that you leave this field alone!
The routing table is rebuilt after replication of the Domino
Directory, any change to Server or Connection documents,
and/or when you optionally specify it to be rebuilt in the
Dynamic cost reset interval field in the
Router/SMTP - Advanced - Controls tab in the
Configuration Settings document.
The number of hops a message may take before being
considered undeliverable is set in the Maximum hop count
field in the Router/SMTP - Restrictions and Controls -
Transfer Controls tab in the Configuration Settings
document.
Note: The routing cost does NOT directly affect which port
a Router selects to connect to a particular server; it only
affects which server is thought to be next in the least-cost
path to the final destination server. Do NOT attempt to
specify two connections between two servers at the same
time using different ports (and different routing costs)
thinking that one can be used as a backup—it won’t work!
Router type The default, Push Only, is used in all cases over a
LAN/WAN, and in most cases when dial-up connections are
made. This means that two Connection documents (one each
way) are needed.
There are three other types of connections that can be made:
• Push Wait. Source server waits to transfer messages until
it gets a connection from the destination server. When the
destination server connects, it issues a “pull request,”
which tells the source server to push the messages.
Requires that the destination server have a Pull Push or
Pull Only connection.
• Pull Push. Source server connects to the destination server
and pushes its messages; it also sends a pull request, at
which point the destination pushes messages to the source.
This requires that the destination server have a Push Wait
connection to the other server.
• Pull Only. Source server connects to the destination server
and sends a pull request but does NOT push its own
messages to the destination. Requires that the destination
server have a Push Wait connection.
These last three options allow bi-directional message transfer
between seldom-connected servers in which one server is
responsible for making the connection. These are most often
used for a central server connecting to multiple remote site
servers or when multiple servers connect to an ISP to pick up
messages.
Pull Push/Pull
Only options
Other options appear if the Router type field is set to Pull
Push or Pull Only:
• route via NRPC or SMTP
• pull messages that are also related to the source server’s
domain (listed in the Global Domain document), which
could be other specific servers, domains, or hosts on
whose behalf the pull request is made.
Step Action
5 Click the Schedule tab to define when messages can be transferred:
Enter the field values using the following table.
Field Function
Schedule Allows you to enable or disable the entire Connection
document.
Connect at
times
Allows two types of settings, or a mixture of the two:
• list of individual time(s), for example:
10:00 PM; 4:00 PM; 9:00 PM
This allows precise connection schedules for more
controlled resource utilization.
• range of times, for example:
8:00 AM – 10:00 PM
This makes for easier scheduling and increased
opportunity for connection success.
Note: The connection is only active during the times you
schedule. If there are no messages pending to the
destination server, no connection is made (unless
Replication is also specified as a task).
Repeat
interval of
Means two different things, depending on which type of
connection schedule you select:
• For specific times, it indicates the length of time that the
Router will attempt to make the connection (such as if the
line is busy).
• For a range of times, it indicates how long after the end of
a successful connection the Router should wait before initiating
the next connection. (Zero indicates to attempt a
connection only once.)
Note: To reduce resource load, attempts to transfer a
message are made at exponentially longer delays. You can,
however, specify the initial delay using the Initial transfer
retry interval field in the Configuration Settings document
under the Router/SMTP - Restrictions and Controls -
Transfer Controls tab.
Days of week Controls which days the connections are made.
Step Action
6 Save and close the document.
7 To dynamically update the routing tables using Configuration
Settings document information, enter this Server Console command:
>tell router update config
If you don’t use this command, the Router will pick up any changes
in five minutes anyway.
8 If the source server is the server you are currently administering,
open the Messaging function tab.
Click Mail Routing Topology - By Connections to see the
graphical layout of the routing connections, for example:
Double-click a server name to reorient the diagram to put that server
at the center; double-click a dashed line to open the underlying
Connection document.
Click Mail Routing Topology – By Named Networks to see which
servers will instantly receive messages by virtue of being in the
same Domino Named Network.
Replicate the Domino Directory
If any document that affects the $Servers, $Connections, or $Domains views
(including Connection documents) is added to or updated in the Domino
Directory, the routing table is rebuilt on each server. But because of the changes,
the routing tables of other servers may be temporarily inaccurate until the changes
replicate to the other servers involved in message routing. (Each server builds its
own routing table.)
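As an added illustration (not code from the course or from Domino), this Python sketch models how a least-cost routing table could be derived from Domino Named Network membership and Connection documents, and lists Connection documents that lack a return document. The cost of 1 for same-network links, the tie-break on transfers, and the server and network names are assumptions.

```python
import heapq
from collections import defaultdict

DNN_COST = 1    # assumption: implicit link inside a Domino Named Network
MAX_HOPS = 25   # hop limit quoted in the text


def build_links(networks, connections):
    """Directed links {source: {dest: cost}}.

    networks:    {named_network: [server, ...]}, routing inside is automatic
    connections: [(source, dest, routing_cost)], one per Connection document
    """
    links = defaultdict(dict)
    for members in networks.values():
        for a in members:
            for b in members:
                if a != b:
                    links[a][b] = DNN_COST
    for src, dst, cost in connections:
        # If several documents name the same pair, only the cheapest counts
        # in this model; a second document is not a backup path.
        links[src][dst] = min(cost, links[src].get(dst, cost))
    return links


def routing_table(source, links):
    """Least-cost routes from source: {dest: (cost, transfers, next_hop)}.

    Ties on cost are broken by fewer transfers. The text counts delivery as
    a hop too, so a route is kept only if transfers + 1 <= MAX_HOPS.
    """
    best = {source: (0, 0, None)}
    heap = [(0, 0, source, None)]
    while heap:
        cost, hops, node, first = heapq.heappop(heap)
        if (cost, hops) > best[node][:2]:
            continue  # stale queue entry, a better route was found already
        for nxt, link_cost in links.get(node, {}).items():
            cand = (cost + link_cost, hops + 1)
            if nxt not in best or cand < best[nxt][:2]:
                next_hop = nxt if first is None else first
                best[nxt] = (cand[0], cand[1], next_hop)
                heapq.heappush(heap, (cand[0], cand[1], nxt, next_hop))
    return {dest: route for dest, route in best.items()
            if dest != source and route[1] + 1 <= MAX_HOPS}


def one_way_connections(networks, connections):
    """Connection documents that have no document in the reverse direction."""
    network_of = {s: n for n, members in networks.items() for s in members}
    pairs = {(src, dst) for src, dst, _ in connections}
    return sorted(
        (src, dst) for src, dst in pairs
        if (dst, src) not in pairs
        and network_of.get(src, src) != network_of.get(dst, dst)
    )


# Constructed topology: Sea and Rock share a named network; Hub and Spoke1
# are each alone in theirs. Server and network names are placeholders.
NETWORKS = {"East": ["Sea", "Rock"], "Core": ["Hub"], "West": ["Spoke1"]}
CONNECTIONS = [
    ("Rock", "Hub", 1), ("Hub", "Rock", 1),        # LAN, both directions
    ("Rock", "Spoke1", 5), ("Spoke1", "Rock", 5),  # dial-up, both directions
    ("Hub", "Spoke1", 1),                          # LAN, no return document
]

if __name__ == "__main__":
    links = build_links(NETWORKS, CONNECTIONS)
    for server in ("Sea", "Rock", "Spoke1"):
        print(server, routing_table(server, links))
    print("one-way:", one_way_connections(NETWORKS, CONNECTIONS))
```

In this constructed topology Rock reaches Spoke1 through Hub rather than over its own dial-up connection, while Spoke1 can only answer over the costlier dial-up route because the Hub to Spoke1 document has no counterpart.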
Explicit inter-domain addressing
When addressing Notes Mail, users must include the Domino Domain name of
mail recipients if:
• they are defined in another domain’s Domino Directory
• the message must travel through any type of mail gateway or firewall
Domino Named Network.
Users can mail documents to users in other domains by specifying the domain
name of the recipient in the address, for example:
John Smith@MasterStudios
The message will route if you have created a Connection document to the Master
Studios domain and if there are no other domains between the sender and John
Smith.
If you do not have a direct connection to the Master Studios domain, but another
domain to which you are connected does, users could address the message
including the intermediary domain:
John Smith@MasterStudios@VideoLand
In this example, VideoLand is a non-adjacent domain, and MasterStudios is the
domain where John Smith exists.
Note: Any transfer or delivery event counts as a hop. So although a message
can travel 25 hops, this may account for far fewer actual domains because the
message may pass through two or more servers within a domain to reach the
eventual connection out to another domain.
Error messages
Even though you have Connection documents specifying replication and/or
message routing, there are potentially three security mechanisms that prevent you
from routing messages between servers in different Domino Domains and/or
Organizations:
• inability of your Domino Server to authenticate with the Domino Server in
the other Domino Domain or Organization (“Your Address Book does not
contain any cross certificates capable of authenticating the server”)
• lack of server access (“Access to server denied”), though you won’t see this
until your server can authenticate
• lack of database access (“Access to database denied”), though you won’t see
this until your server can access the destination server.
These mechanisms and corresponding error messages follow the serial nature of
the Domino security model.
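The serial order of these checks, as an added Python sketch that is not part of the course material or Domino's own code: it returns the first of the three error messages a source server would hit, and shows how the level at which a cross certificate is issued (Organization versus a single server) changes who can authenticate. The data structures, the `MasterStudios` organization, the `Mail1` server, and the access lists are constructed assumptions.

```python
ERR_AUTH = ("Your Address Book does not contain any cross certificates "
            "capable of authenticating the server")
ERR_SERVER = "Access to server denied"
ERR_DATABASE = "Access to database denied"


def ancestors(name):
    """'Spoke1/Sales/TeamApps' -> [itself, '/sales/teamapps', '/teamapps']."""
    parts = name.lower().split("/")
    return ["/".join(parts)] + ["/" + "/".join(parts[i:])
                                for i in range(1, len(parts))]


def organization(name):
    """Last component of a hierarchical name, lower-cased."""
    return name.lower().split("/")[-1]


def trusts(truster, other, cross_certs):
    """True if the truster's directory holds a cross certificate for `other`.

    cross_certs: [(issued_by, issued_to)]. The issuer must be the truster or
    one of its certifiers; the subject must be the other server or one of
    its certifiers (Organization or Organizational Unit).
    """
    mine, theirs = set(ancestors(truster)), set(ancestors(other))
    return any(by.lower() in mine and to.lower() in theirs
               for by, to in cross_certs)


def listed(name, entries):
    """Match exact names and wildcards of the form */TeamApps."""
    for entry in entries:
        entry = entry.lower()
        if entry.startswith("*/"):
            if entry[1:] in ancestors(name)[1:]:
                return True
        elif entry == name.lower():
            return True
    return False


def first_failure(source, dest, directories, server_access, database_access):
    """Return the first error the source server would hit, or None.

    directories:     {organization: [(issued_by, issued_to), ...]}
    server_access:   {dest_server: [names allowed to access the server]}
    database_access: {dest_server: [names allowed in the target database]}
    """
    if organization(source) != organization(dest):
        both_ways = (
            trusts(source, dest, directories.get(organization(source), []))
            and trusts(dest, source, directories.get(organization(dest), []))
        )
        if not both_ways:
            return ERR_AUTH
    if not listed(source, server_access.get(dest, [])):
        return ERR_SERVER
    if not listed(source, database_access.get(dest, [])):
        return ERR_DATABASE
    return None


# Constructed sample data. ORG_LEVEL cross-certifies whole Organizations in
# both directions; SERVER_LEVEL has MasterStudios trust only Hub/TeamApps.
ORG_LEVEL = {
    "teamapps": [("/TeamApps", "/MasterStudios")],
    "masterstudios": [("/MasterStudios", "/TeamApps")],
}
SERVER_LEVEL = {
    "teamapps": [("/TeamApps", "/MasterStudios")],
    "masterstudios": [("/MasterStudios", "Hub/TeamApps")],
}
SERVER_ACCESS = {"Mail1/MasterStudios": ["*/MasterStudios", "*/TeamApps"]}
DATABASE_ACCESS = {"Mail1/MasterStudios": ["*/MasterStudios", "Hub/TeamApps"]}

if __name__ == "__main__":
    for who in ("Hub/TeamApps", "Spoke1/TeamApps"):
        for label, certs in (("org", ORG_LEVEL), ("server", SERVER_LEVEL)):
            print(who, label, first_failure(who, "Mail1/MasterStudios", certs,
                                            SERVER_ACCESS, DATABASE_ACCESS))
```

With the Organization-level certificates, Spoke1/TeamApps authenticates and passes server access, and is stopped only at the database; with the server-level certificate it never gets past authentication.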
Exercise: Connection document and Cross Certification
In this exercise, you will work with your colleagues in another Domino Domain
to create two Connection documents (one in each Domino Directory) so that
messages will transfer back and forth.
Follow these steps to create a Connection document to another Domino Domain
for NRPC message routing:
Step Action
1 Work in Domino Administrator in the Configuration function tab.
Expand the Messaging item in the context pane.
Click the Connections entry to open the view of Connection
documents in the Domino Directory.
2 Create a LAN Connection document from your server to the other
domain’s server using these criteria:
• disable replication
• specify Push Only routing
• schedule the connection between 8:00 AM and 6:00 PM, every 60
minutes (for testing purposes only!), every day
• route if there is 1 message pending.
Your colleague in the other domain will create a Connection
document in the opposite direction.
3 Save and close the Connection document.
4 At the view, press Ctrl+Shift+F9. This will refresh all of the views
(including the hidden ones) and speed the rebuilding of the routing
table.
Note: Normally you would not attempt this in large databases
(including the Domino Directory), as it will take a great deal of
time. Better to make your changes and let the indexes rebuild in
their own time! But since we have a small directory here, go ahead
and rebuild all the view indexes.
5 Test the connection by creating a new message and addressing it to
your colleague in the other Domino Domain using this syntax:
Joe Smith@TeamApps
Where “TeamApps” is the other domain name.
Watch the Server Console for the message to be transferred.
6 What happened?
Most likely the transfer failed because the two Server IDs were
created by different Organization Certifiers. You will see the error
message at the Server Console.
You will need to cross-certify the other Organization. (While you
should normally cross-certify at the server-to-server level to add a
degree of security and bandwidth conservation, you will certify
organizations since you will also be accessing the other server with
Notes.)
If you remember how to cross-certify two Organizations, do so now
and then skip to Step 18. Otherwise, continue with Step 7.
7 There are several ways to cross-certify another Organization, but
you are going to use “On demand cross certification.” This is the
easiest way to cross-certify Organizations. Administrators from both
Organizations (who have their own Organization or Organizational
Unit Certifier ID) will use Notes or Domino Administrator to open
the other Organization’s server.
8 From Notes, choose File – Application – Open and again attempt to
open a session with your colleague’s server.
9 The Create Cross Certificate dialog box opens:
Do NOT click Yes.
10 Instead, click the Advanced button.
The Issue Cross Certificate dialog box opens, showing your user
name and ID as the Certifier:
11 Click the Certifier button and select the Certifier ID of the highest
(necessary) level in your Organization hierarchy. In this exercise,
choose your Organization Certifier ID file (cert.id copied from
your server’s DATA folder). When prompted, enter the Certifier ID
password.
Your name will be replaced by the Certifier name you select.
Select the highest level of the other Organization in the Subject
name field. You may have several choices:
• The name of the Organization of the other server, which will
create a Cross Certification document that will trust any server in
the other Organization. Choose this option.
• Up to four levels of Organizational Units.
• The name of the other server, which means you will allow
authentication only by that specific server.
By choosing your Organization Certifier and the Organization
Certifier from the other Organization, you are adding a Cross
Certificate that implies you will trust users and servers from
anywhere in the other Organization.
12 Click the Server button and select the Registration Server (your
server) so that the Cross Certification document is created in the
public Domino Directory.
13 Optionally change the date the cross certificate will expire.
14 To review, the Issue Cross Certificate dialog box now shows at
which level in your Organization you will need to issue the cross
certificate (in this example your Organization’s certifier), the name
of your Registration Server where the Cross Certificate document
will be created, and the level of the other Organization at which you
will allow authentication:
Click the Cross certify button.
A Cross Certificate document FROM your Certifier TO the subject
name is created in the Registration Server’s Domino Directory.
15 The assumption here is that your colleague has performed the same
actions and has created a Cross Certificate document going the other
way to accept the certificate from your Organization.
16 Now attempt to open the other server from Domino Administrator.
If you are rebuffed with this error message:
this means that either:
• The previous cross certification process (from both sides) was
unsuccessful.
• You need to wait a few minutes for the results of the bi-
directional cross certification to take effect. Hidden views in the
Domino Directory need to be refreshed and the server takes some
time to incorporate the new certificate.
After a few minutes, click Access server.
If you click Create Cross Certificate, this will create a Cross
Certificate document in your local Contacts, which defeats the
purpose of high-level Organization cross certification stored in the
Domino Directory. But the duplication won’t hurt anything.
If you had other Notes clients running, they too would be able to
open the server in the other Organization because of the existence of
the Organization-to-Organization Cross Certificate document in
both servers’ public Domino Directories.
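The trust scope chosen in Steps 11 to 15 can be modelled in a few lines. This is an added example, not code from the course or from Domino: a simplified model in which a cross certificate applies to every name at or below its issuer, accepts every name at or below its subject, and authentication needs an unexpired one in each direction. The names O=OrgA, O=OrgB, Hub1, Mail1, Admin and Bob and all dates are constructed.

```python
from dataclasses import dataclass
from datetime import date


def components(name):
    """'CN=Mail1/OU=East/O=OrgB' -> ['cn=mail1', 'ou=east', 'o=orgb']."""
    return [part.strip().lower() for part in name.split("/") if part.strip()]


def covers(scope, name):
    """True if `name` is `scope` itself or sits beneath it in the hierarchy."""
    s, n = components(scope), components(name)
    return 0 < len(s) <= len(n) and n[-len(s):] == s


@dataclass(frozen=True)
class CrossCert:
    issued_by: str  # certifier (or user ID) that issued the cross certificate
    subject: str    # level of the other Organization that is accepted
    expires: date   # expiry date (Step 13)


def trusts(directory, own_name, other_name, today):
    """One direction: do the cross certificates available to `own_name`
    let it accept `other_name`? (Simplified model, see lead-in.)"""
    return any(
        covers(c.issued_by, own_name)
        and covers(c.subject, other_name)
        and today <= c.expires
        for c in directory
    )


def can_authenticate(a_name, a_dir, b_name, b_dir, today):
    """Both sides must hold a matching cross certificate (Step 15)."""
    return (trusts(a_dir, a_name, b_name, today)
            and trusts(b_dir, b_name, a_name, today))


# Constructed sample data.
TODAY = date(2010, 6, 1)
EXPIRY = date(2020, 1, 1)

# OrgA cross-certified at Organization level, as in the exercise.
DIR_A = [CrossCert("O=OrgA", "O=OrgB", EXPIRY)]
# OrgB chose the narrowest subject: one specific server in OrgA.
DIR_B_SERVER_ONLY = [CrossCert("O=OrgB", "CN=Hub1/O=OrgA", EXPIRY)]
# OrgB chose the Organization as subject: anyone in OrgA is accepted.
DIR_B_ORG_WIDE = [CrossCert("O=OrgB", "O=OrgA", EXPIRY)]
# Issued by a user ID and kept in that user's local Contacts:
# it applies to that user only.
LOCAL_CONTACTS_ADMIN = [CrossCert("CN=Admin/O=OrgA", "O=OrgB", EXPIRY)]

if __name__ == "__main__":
    mail1 = "CN=Mail1/OU=East/O=OrgB"
    for who in ("CN=Hub1/O=OrgA", "CN=Admin/O=OrgA"):
        for label, b_dir in (("server-only", DIR_B_SERVER_ONLY),
                             ("org-wide", DIR_B_ORG_WIDE)):
            ok = can_authenticate(who, DIR_A, mail1, b_dir, TODAY)
            print(f"{who} <-> {mail1} ({label} subject on OrgB side): {ok}")
```

The server-only subject keeps the other Organization's users out while still letting the two servers authenticate, which is the narrower trust the course mentions when it recommends server-to-server cross certification.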
Freelancer domino administrator

  • 3. Table of Contents
      Topic 1: Mail Overview
      Topic 2: NRPC Message Transfer and Delivery
      Topic 3: Notes Configuration
      Topic 4: Inter-Domino Named Network NRPC Routing
      Topic 5: Inter-Named Network Routing Topologies
      Topic 6: NRPC Controls
      Topic 7: Domino Directory and Message Addressing
      Topic 8: Directory Assistance
      Topic 9: Directory Catalogs
      Topic 10: Mail Database Design
      Topic 11: User Mail Database Administration
      Topic 12: Notes Mail Security
      Topic 13: Calendar and Scheduling
      Topic 14: Domino Attachment and Object Service
      Topic 15: SMTP Mail Transfer
      Topic 16: SMTP Inbound Controls
      Topic 17: Blacklists and Whitelists
      Topic 18: Rules
      Topic 19: SMTP Outbound Controls
      Topic 20: Internet Message Disclaimers
      Topic 21: POP/IMAP Clients
      Topic 22: LDAP Directory Service
      Topic 23: Internet Certificate Authority
      Topic 24: Issue Internet Client Certificates
      Topic 25: Sign and Encrypt Internet Mail
      Topic 26: Lotus iNotes
      Topic 27: Security for Lotus iNotes
      Topic 28: Domino Access for Microsoft Outlook
      Topic 29: Mail Monitoring Tools
      Topic 30: Message Tracking and Reporting
      Topic 31: Message Archiving and Journaling
      Topic 32: Troubleshooting and Performance
      Index
  • 4. Description
      During this course you will configure traditional Notes Mail as well as standards-based SMTP mail transfer and delivery. You will set up several mail clients, including Notes, Internet mail (POP/Outlook Express), Domino Access for Microsoft Outlook, and iNotes.
      This course stresses the role of directories, including the Domino Directory, Directory Catalog, Mobile Directory Catalog, and Extended Directory Catalog, and how to make them available via Directory Assistance. It also covers the configuration of Domino to support LDAP requests.
      This course also covers mail security for both Notes and Internet mail clients, including how to configure SSL on Domino and to issue Internet Certificates to users for digital signing and encryption.
      Course goals
      In this course, you will learn how to:
      • configure intranet and Internet mail routing using the NRPC and SMTP protocols
      • set up Notes to send and receive mail, set up an Internet mail client to send mail via SMTP and retrieve mail via POP3 or IMAP4 protocols, use a browser to access mail via iNotes, and configure Domino Access for Microsoft Outlook
      • utilize the various directory types for mail addressing as well as for mail transfer and delivery
      • configure the Domino Server to support address lookups by Internet mail clients using LDAP
      • configure the NRPC and SMTP Router controls and restrictions to improve routing performance and reduce unsolicited email
      • utilize Notes Mail security features and serve as your own Internet Certificate Authority, create server and client Internet Certificates, enable SSL, and digitally sign and encrypt mail sent to Internet mail clients
      • support Notes Calendar and scheduling, including inter-domain resource reservations
      • configure Domino Attachment and Object Service to reduce disk space and network traffic due to message transfer, delivery, and storage
  • 5.
      • reduce Mail database size using design and document compression among other methods
      • manage Notes Mail files using Domino Administrator with the assistance of the Administration Process
      • utilize mail monitoring, tracking, and journaling features
      • retain messages using archiving and journaling
      • monitor and troubleshoot mail transfer and delivery.
      Audience
      This course is part of a series of Domino administration training courses. Follow these paths to master all aspects of administering the Domino Server, Lotus Notes, and other clients:
      [Course path diagram: Lotus Domino Administration Basics (3 days); Lotus Notes Administration (3 days); Lotus Domino Mail Administration (4 days); Notes Experience; Lotus Notes Support (3 days); Lotus Notes User Essentials (1 day); Lotus Domino Monitoring and Maintenance (2 days); Lotus Notes User Essentials PLUS Pack]
      Courses later in the series assume that you have mastered the content of earlier courses.
      This course is designed for LAN administrators who are responsible for supporting mail on Lotus Domino Servers, Notes, and Internet mail clients and who:
      • are proficient Notes mail users
      • have installed and configured a Domino Server
      • understand basic DNS and SMTP principles
      • have taken the Lotus Domino Administration Basics and Lotus Notes Administration courses or have the equivalent knowledge and experience
      • ideally have taken the Lotus Domino Monitoring and Maintenance course or have the equivalent knowledge and experience.
  • 6. Course design
      This is an intensely practical course, combining thorough conceptual training with significant hands-on experience with Domino and Domino Administrator as well as the various mail clients Domino supports. As you learn about various aspects of the Domino Server and Domino Administrator as they relate to messaging, you will immediately apply the concepts and techniques you learn.
      Please consult the Set Up document for this course to make sure the correct environment is in place before starting the course.
      Font conventions
      This course follows these font conventions:
      • Italic - database, view, page, form, document, macro, and field names, object event types, and new terms introduced in the text
      • Bold - Notes menu options, command button names (whether Notes or developer defined), field labels, and accelerator keys
      • Courier - user input, sample values, code examples
      • Helvetica - URLs
      • Lucida Console - HTML, XML, CSS, and programming code examples.
  • 7. Topic 1: Mail Overview
      Key points
      Notes Mail has always used—and continues to use—the Notes Remote Procedure Call (NRPC) protocol to transfer messages, and proprietary directories, like the Domino Directory, to store information needed for message addressing, routing, and delivery.
      With NRPC, sending messages to other systems or devices—if even possible—involved complicated gateways that would convert messages (and even network protocols) and recipient addresses.
      With the advent of standards-based Internet mail and directory protocols and mail clients, Web browsers, and handheld devices (mobile phones, PDAs, pagers), the Lotus Domino Server has been adapted to also support standards-based Internet messaging and directory protocols.
      Knowledge of how both Notes and Internet messaging protocols operate and are configured is required when building a mail infrastructure using Domino.
      This Topic shows the similarities and differences between routing messages using the proprietary NRPC routing protocol and the standards-based Simple Mail Transfer Protocol (SMTP).
      Mail terminology
      There are a few terms pertaining to mail that must be defined before looking specifically at NRPC or SMTP message routing. This diagram shows the relationship between these terms:
      [Diagram: User Agents (UA) with Local Message Stores (LMS) connected across the Internet through Message Transfer Agents (MTA), a Message Delivery Agent (MDA), Message Queues (MQ), Message Stores (MS) and Directories, linked by the Mail Transport, Mail Delivery and Mail Access Protocols]
  • 8. • User Agent (UA). This is the software that users use to send and read email. This could be Notes, any of the Internet mail packages (Mozilla Thunderbird, Outlook/Outlook Express, or Eudora), a Web browser, or a phone or PDA. In fact, depending on users’ changing locations, they could access their email at work, home, and while traveling using any of the clients. Most of what users think about when they think of their “email” is the responsibility of the UA. • Message Transfer Agent (MTA). The mail server process responsible for accepting messages transferred either by UAs or other MTAs and either transferring them to other MTAs or delivering them to users with accounts and message stores on that server. The MTA could be a Domino Server or Microsoft Exchange, or any one of hundreds of commercial and open source SMTP mail servers. • Message Transfer. The routing of a message from the UA to the MTA and between MTAs. • Message Store (MS). The MS is used by the MTA to store messages that are addressed to users who have an account on that server. In the case of Domino, each user is assigned an MS database (their Mail database). • Message Delivery Agent (MDA). A server process responsible for delivering the message to a UA’s MS. Often running on the same server as the MTA. For Internet mail servers, this server responds to either the POP3 (Post Office Protocol, version 3) or IMAP4 (Internet Message Access Protocol, version 4) employed by the UA. The Domino Mail Router acts as both the MTA and MDA. • Message Delivery. The delivery of a message by the MDA to the UA’s MS. • Local Message Store (LMS). The UA may have a local message store for messages downloaded from the MS. For a POP3 client, messages are downloaded (and removed from) the server to a local store. For a mobile Notes user, messages are replicated to a local replica copy of the user’s Mail database. • Message Queue (MQ). A database used by the MTA that temporarily stores incoming and outgoing messages. 
Incoming messages may be transferred from UAs or other MTAs. Outgoing messages may be transferred to other MTAs or delivered to the MS. Mobile Notes users have a local Mail Box database (MAIL.BOX) that holds “sent” messages until reconnected to Domino, at which time the messages are transferred to the server’s Mail Box database.
  • 9.
• Directory. Used by the MTA to determine where to transfer or deliver messages in the MQ. Also used to determine the user MS if the message is to be delivered to that server. Domino uses its own Domino Directory database for both routing and delivery. Two directories are used for Internet mail:
    • the Internet’s global Domain Name Service (DNS), a distributed database of name-to-IP address mappings (MX records) to find MTAs in other Internet domains
    • a directory used to find users in the domain, often accessible via the LDAP protocol (Lightweight Directory Access Protocol).
• Mail Transfer Protocol. The syntax and commands exchanged between the UA and MTAs and between MTAs. Relies on underlying network protocols, such as TCP/IP, to transport the higher-level protocol and message content. For Internet mail, the protocol to transfer messages from the UA to the MTA and from MTA to MTA is SMTP. For Notes Mail, the protocols are generically referred to as Notes Remote Procedure Call (NRPC).
• Mail Delivery Protocol. The protocol used by the MDA to deliver the message to the user’s MS. There are no standards for this protocol, as it depends on the type of MS being used—it can be anything from a text file to a high-end RDBMS. For Domino, delivery is via NRPC to a Domino database assigned to each user.
• Mail Access Protocol. The protocol used to read and/or download messages from the MS on the MDA. Internet UAs download messages for reading using either POP3 or IMAP4; Notes uses NRPC.
  • 10.
• Recipient Address. The basis for any message transfer and delivery system is the recipient address. Addresses are protocol-dependent, for example:
    • For NRPC routing within a Domino Domain, the address is any value found in the Person document FullName (User name) or ShortName fields.
    • For NRPC routing to another Domino Domain, the person name plus @domainname is specified, for example, Joe Smith@GlobalUS. If there are intermediary Domino Domains through which the message must be routed to reach the recipient domain, those domains can be appended, for example, Mary Jones@GlobalUS@GlobalInt. The address is read from right to left by the Router as the message is transferred to the next Domino Domain found in the recipient address until it arrives at the user’s own Domino Domain. You’ll see below what happens next.
    • For SMTP routing, the address is the user name (no spaces) plus the domain name and domain class, for example, jsmith@globalus.com. If there are IP subdomains, they can also be included, for example, mjones@globalus.globalint.com. Unlike NRPC routing, subdomains are not intermediary domains through which the message must route. All messages transfer directly to that subdomain. If routing to a Notes user who has not been assigned an Internet address, any spaces in the name can be substituted with underscores, for example, joe_smith@globalus.com.
Because address accuracy is absolutely essential, the directory is often made available to users to help select addresses of users within the domain rather than having to type them from memory. Notes goes one step further and prevents users from sending a message to an unknown user within the domain. All UA software also provides a personal directory so users can store their own list of valid recipient addresses.
  • 11.
NRPC message flow
This diagram shows the message flow using NRPC with the Notes UA and the Domino MTA:
[Diagram labels: Notes, Domino Router, NRPC and/or SMTP, LAN, WAN, Internet, NRPC, MAIL.BOX, User Mail.NSF, Replica Mail.NSF, Domino Directory]
This table describes the steps of the message flow using NRPC with the Notes UA and the Domino MTA:
Step 1. The UA is Notes, which is used to create the message and transfer the message to the MTA, which is the Domino Server. This example starts with a message originating from a LAN-connected client.
Step 2. The message is transferred via NRPC to the Domino Server (MTA). Note: While NRPC is most typically transported by TCP/IP, it can also be carried by any of the other network protocols supported by Domino/Notes as well.
Step 3. The message is written to the MQ, which is the Mail Box database on the server. Note: This database ACL -Default- access is set to Depositor so users can “deposit” messages but cannot read any of the messages waiting for delivery.
  • 12.
Step 4. By default (can be changed under user preferences or on a per-message basis), the message is also saved in the sender’s Mail database (MS) on the user’s Home/Mail server for later reference. The per-user database architecture of Notes Mail is considered one of the most reliable in the industry, being far more fail-proof than using a single MS database for all users.
Step 5. The Router server task uses the Domino Directory to determine where to transfer the message. If the destination Domino Domain is:
    • the same as the server’s, the Router looks up the recipient’s Person document in the Domino Directory to find the recipient’s Home/Mail server name
    • in another Domino Domain, the Router looks up the Connection document to a Domino Server in that other Domain.
Steps 6-9. If the message is destined for a user on the same Home/Mail Server as the sender, the Router delivers it immediately. Otherwise, the Router copies the message out of the local Mail Box and writes it to the remote Mail Box database on the target Domino Server using the NRPC protocol. If successful, the Router then deletes the message from the local Mail Box database.
Step 10. The Router server task uses the Domino Directory to determine where to transfer or deliver the message. If the recipient Mail database is on:
    • the same server, the Router looks up the recipient’s Person document to find the Mail database file name
    • another server in the same Domino Named Network, the Router immediately transfers the message to that server via NRPC
    • another server in a different Domino Named Network, the Router looks up the Connection document to a Domino Server in that other Domino Named Network and transfers the message via NRPC when the connection conditions come true (number of messages or scheduled).
Whether for message transfer or delivery, the Router stamps its name and the current date/time that it handled the message.
  • 13.
Step 11. The Router checks any user mail rules that may delete or modify the message. If not, the Router copies the message out of its local Mail Box and writes it to the user’s Mail database (MS) using the NRPC protocol. The Router deletes the message from its local Mail Box database.
Step 12. The Notes UA is used to read the message from the server copy of the Mail database. This is just like reading any other Domino database. The message is retained in the user’s Mail database (MS) on the server until explicitly deleted by the user (or archived to another database via an agent running in the Mail database).
Step 13. A mobile Notes user may also have a replica copy of the Mail database on the local hard drive, in which case incoming messages are added to the local LMS (for offline reading) via replication (and NOT via message transfer).
Note: The model used by Lotus iNotes access is almost identical to that used by Notes. The differences are in:
    • Step 1, where the message is created using an HTML form run in the browser and when submitted is handed from the Domino Web server task to the Mail Box database for delivery or transfer.
    • Step 12, where users read their messages rendered in HTML by the Domino Web Server task from the Mail databases using a browser.
  • 14.
SMTP message flow
This diagram shows the message flow using the SMTP protocol with an Internet UA and MTAs:
[Diagram labels: UA, MTA, MDA, SMTP, POP or IMAP, Internet, MQ, MS, LMS, DNS, Directory]
This table describes the steps of the message flow using Internet mail protocols with an Internet UA and MTAs:
Step 1. The UA is used to create the message and includes the software to initiate the lookup of the MTA IP address in the DNS and transfer the message to the MTA.
Step 2. The message is transferred to the MTA via SMTP. Whether for message transfer or delivery, the MTA stamps its name and the current date/time that it handled the message to the email header.
Step 3. The message is written to the MQ, which could be a text file or a relational database.
Step 4. By default, the message is also saved to a local message store (LMS) on the UA.
  • 15.
Step 5. The sending MTA looks at the recipient address to find the destination domain. The sending MTA sends the domain name to the Domain Name Service (DNS), the DNS finds an MX Record (Mail Exchange) for an MTA in the destination domain, and the DNS returns the IP address of the highest preference recipient MTA to the sending MTA. The sending MTA initiates a TCP/IP connection to the IP address of the recipient MTA.
Steps 6-7. An SMTP connection request is made to the receiving MTA.
Step 8. The receiving MTA responds to the connection request and the sending MTA sends the message header to the receiving MTA.
Step 9. If the message is accepted by the receiving MTA, the sending MTA transfers the message contents (using the DATA command). When the transfer is complete, the receiving MTA acknowledges receipt and waits for another message transfer or disconnect.
Step 10. The MTA then uses its local directory (not DNS) to determine where to transfer or deliver the message inside the domain. If the recipient Mail database is on:
    • the same server, look up the recipient’s mail account name to find the user’s Message Store (MS) database file name
    • another server in the same domain, transfer the message to that server via SMTP.
Step 11. Copy the message out of the local MQ to the user’s Mail database (MS) using an internal database procedure call. Delete the message from the MQ.
  • 16.
Steps 12-13. If the UA is using POP3, it contacts its MDA (in this case a POP mail server). The MDA uses an internal database procedure call to retrieve the message from the MS and allows the UA to move the message to its LMS. If the UA is using IMAP4, the user has the choice of downloading the message to the LMS or reading (and leaving) the message on the server. Note: Some UAs using POP3 also allow you to leave the messages on the server, but with limitations solved by IMAP4. The distinctions between these two protocols will be described in a later Topic.
Domino mail clients
Once a message has been routed to the user’s Home/Mail server and delivered to the user’s Mail database, it is now up to the UA to access the message for reading. There are four types of UAs (covered in this course) that can access a Mail database on a Domino Server:
[Diagram labels: Mail.NSF, Domino Server, Notes Client, Internet Mail Client, Web Browser, iNotes, Outlook Client, NRPC, POP or IMAP, HTTP, SMTP]
Domino supports these UA clients (and associated mail access protocols):
• Notes. Notes users can, of course, use native NRPC to access their Mail databases on the Domino Server.
  • 17.
• Internet mail clients. Clients that support POP3 or IMAP4 can also access the same Mail databases on a Domino Server, though via different protocols. There are a wide variety of mail clients that support POP3 and IMAP4, such as Mozilla Thunderbird, Qualcomm Eudora, Microsoft Outlook/Outlook Express, and David Harris’ Pegasus Mail. Lotus Notes itself supports POP3 and IMAP4, but these should not be used in place of the NRPC protocol, which is far superior with respect to features, security, and reliability.
• Web Browser. Because the Domino Server is also an HTTP server, users can also access Mail databases using Lotus iNotes from a browser (which has both Full and Lite modes) and certain handheld devices (Ultralite mode). iNotes is covered in Topic 26.
• Microsoft Outlook. Domino Access for Microsoft Outlook (DAMO) is a client-side add-in that provides transparent access to Domino-based Mail using NRPC calls. DAMO is covered in Topic 28.
A user can access the same Mail database (message store) using any of these clients. While in the office, for example, the user has Notes to read messages, but while at a client site accesses mail via a browser using Lotus iNotes (assuming, of course, that the user’s Mail database—or a replica copy of it—is on a Domino Server accessible over the Internet).
Note: The fact that Domino supports multiple mail clients does not mean that all clients consume the same amount of server resources. While user disk space is the same regardless of client/access protocol, compared to NRPC and POP3, access to messages via HTTP (such as with iNotes) consumes significantly more server CPU cycles because of all the conversion work to HTML. This translates to a server supporting far fewer browser-based than other types of users. See the still-relevant article at ftp://ftp.lotus.com/pub/lotusweb/product/domino/Domino_7_Performance_Paper.pdf.
Note: This course does not explicitly cover Domino-hosted mail for hand-held or wireless devices such as phones, pagers, or PDAs, including the current IBM/Lotus products to support these devices (http://www-306.ibm.com/software/lotus/category/mobile-wireless/), Lotus Notes Traveler (http://www-306.ibm.com/software/lotus/products/notes/traveler.html), or the many third party products available to support these devices. What you will learn in this course, however, is pivotal to the operation of Domino in support of these devices, as they rely on one of the other methods of accessing messages (POP, HTTP, or even NRPC).
  • 18.
License implications
Just a quick note about licensing. Lotus charges a Client Access License (CAL) fee for users who are listed in the Domino Directory for mail access, regardless of protocol or mail client used. There is also an enterprise CAL, which includes both general database access as well as mail access to the server.
Note: For the latest license information see http://www-01.ibm.com/software/lotus/notesanddomino/clientpackaging.html.
Choosing a mail protocol
While the users’ location and connectivity capabilities usually determine the most appropriate mail client, there are a few protocol-dependent issues that determine which client can be used. Which should you use? Consider these points when making a decision:
• You cannot use NRPC to transfer messages to Internet mail servers expecting SMTP. You MUST enable SMTP to send/receive messages from Internet mail servers.
• You can use the Internet as a Virtual Private Network (VPN) using NRPC to transfer messages to other Domino Servers in your Domino Domain or to other Domino Domains, either directly or via a third-party mail intermediary that routes NRPC, such as Lotus Support (http://www-306.ibm.com/software/lotus/support/lnn/), 4T Domino (http://www.4tdomino.com/), or NaviSite (http://messaging.navisite.com/ManagedLotusDomino.shtml). You can encrypt packets between Domino Servers using an encryption key created as a by-product of authentication to ensure secure transmission (this is on top of any encryption and digital signing that Notes may use).
• Even if transferring messages destined for Internet addresses using SMTP, there are advantages to using NRPC for server-to-server transfers inside your Domino Domain (or to other Domino Domains). NRPC is a guaranteed messaging system built on an internally managed, replicated directory.
Domino Administrator includes a number of tools to troubleshoot failures and bottlenecks, including message trace, load balancing, statistics and event handlers, and Domino Domain Management probes.
  • 19.
• When using the Internet mail and directory protocols, you are relying on the DNS servers on the Internet (or Internal DNS for internal message routing) to find an MX record for the destination Internet domain. When using NRPC (whether over the Internet or not), you are instead relying on the configuration in your own Domino Directory (and possibly though not necessarily using the DNS for the destination server’s IP address). Who do you trust more to guarantee service?
Network design
The diagrams shown in this course are functional diagrams that show the flow of messages through various systems. They don’t tell you much about how to design your network or how to connect your network to your corporate WAN or to the Internet. Network design that balances the sometimes-contradictory goals of throughput, resilience, and security is as much science as magic. Though beyond the scope of this course, we do have a few comments and recommendations about network design:
• Domino (as a mail server) can be used in any network design from the very simple single server connected directly to the Internet to the most complex multi-tier, global network. For more information about how to place Domino in large networks, the best resource is the two-part article, Using Notes/Domino SMTP with a DMZ available at www.ibm.com/developerworks/lotus/library/smtp-dmz1 and http://www.ibm.com/developerworks/lotus/library/smtp-dmz2/.
• Notes and Domino are extremely well equipped with respect to messaging security at all points, such as public/private key authentication of users and servers, network packet encryption, message encryption/digital signatures using both proprietary and standards-based technologies, server and database access lists, Notes Execution Control Lists, etc. All these security mechanisms are integrated and easily managed with Domino Administrator and the Administration Process task. You will see many of these mechanisms described in this course.
• With respect to message transport security, Domino includes an array of mechanisms to help prevent everything from denial of service attacks to spoofed addresses to spam. You will see how to configure these mechanisms in this course.
  • 20.
• The most important thing we can stress is that in spite of Domino’s strengths with respect to messaging security, there are far better products that you should use as your front-line defenses against network attacks, mailed viruses, spam, phishing, zombie relays, employees leaking company secrets, employees deleting messages that must be kept for legal purposes, and a host of other perils and challenges related to messaging. It is critical that you employ a multi-layered approach to messaging security, with Domino as the last defense and not the first or only defense.
  • 21.
Topic 2: NRPC Message Transfer and Delivery
Key points
This Topic builds on the basic concepts of NRPC as the message transport and delivery protocol you learned in the previous Topic. Key to NRPC message routing is the grouping of servers and users into a Domino Domain. All nodes—servers and users—are defined in the Domino Directory for that particular Domino Domain. This Topic also looks at the internal fields of a message routed via NRPC.
Protocol independence
NRPC message routing was designed to operate on any network protocol. Depending on the computing platform, NRPC was originally created to run over NetBEUI/NetBIOS, NetBIOS over IP, NetBIOS over IPX, SPX, SPX II, AppleTalk, TCP/IP, and TCP/IP IPv6, and over any network type (LAN, Internet, WAN, MAN, etc.). This network protocol and type independence has allowed mail to work even if the network is made up of a mixture of protocols with minimal or no dependence on external directories, such as DNS, in order to work properly. All that is necessary is a Domino Server that is connected to the network and configured to use one or more network protocols. In practice, however, most operating systems and networks today run only TCP/IP, so most new Domino/Notes installations only run TCP/IP (and TCP/IP is the only protocol supported between Domino Servers in a Domino Cluster).
Note: Starting with Domino/Notes 8.5, the proprietary X.PC used by Notes Direct Dialup is no longer supported and the modems directory is not installed. So if you rely on X.PC you cannot upgrade to 8.5.
Think Domino
When configuring mail to run on Domino Servers using NRPC, you need to focus your thoughts on the Domino-think world, for example:
• “domain” means the Domino Domain defined in the Domino Directory—NOT the IP domain or a Windows domain
• “directory” is the Domino Directory database and associated services—NOT DNS or LDAP—which means that you have total end-to-end control over the entire system without having to rely on outside parties or other servers
  • 22.
• “network” is a Domino Named Network—NOT the underlying physical network or network protocols
• “connection” is a Connection document defined in the Domino Directory—NOT any record you will find in the DNS.
Domino Domain
If a group of servers and users are all defined in the same Domino Directory, they are in the same Domino Domain. The domain name is used:
• for Notes Mail message routing between Domino Domains
• to uniquely identify the Notes installation at a particular company.
As it is replicated to all servers, the Domino Directory is what servers use to make decisions regarding message transfer and delivery, identifying how to find:
• other Domino Domains or Internet domains to transfer messages not addressed to users within the domain
• the Home/Mail server of a recipient
• the Mail database name of a recipient.
The server finds its Domino Domain name when it starts from the Domain= variable in the NOTES.INI. This was defined during Server Setup. The Domino Domain is also required in the Server document so that it can locate other configuration documents:
Note: Search Lotus Domino Administrator Help for “Ensuring DNS resolves in NRPC -- Best practices” to see why the Server’s common name (e.g. HUB) should be the same as the server’s name in DNS (e.g. hub.teamapps.com) and have an A record linking the entry to a numeric IP address, and how the NET Address field in the Server document should match as well (e.g. hub.teamapps.com). But remember again that the IP domain name, while it may be the same as the Domino Domain name, serves a different function.
  • 23.
The Domino Domain name must also be used on any Connection documents between servers in two different Domino Domains (or between two servers in two different Domino Named Networks in the same Domino Domain):
Later in the course you will create Connection documents for mail routing and will also review inter-Organization authentication using Cross Certificates and server security that was covered in the Lotus Domino Administration Basics course.
Domino Named Networks
Servers in the same virtual location (having the ability to communicate continuously on the same LAN/WAN) using the same protocol can be defined in the same Domino Named Network. Being in the same Domino Named Network means that the server can connect to any other server in the Domino Named Network using a common network protocol without having to establish a dial-up connection. This diagram shows a Domino Domain with a single Domino Named Network:
[Diagram labels: Domain=TeamApps, TCPIP HQ]
Servers in the same Domino Named Network can:
• all be seen by Notes users whose Home/Mail server is also in the Domino Named Network in the Open Database dialog box
  • 24.
• exchange messages automatically and immediately without further configuration.
To see the networks, open the Domino Directory to the Networks view or expand Networks in Domino Administrator:
This Navigation Pane shows several Domino Named Networks, including TCPIP HQ, which is expanded to show several servers HUB, Magic, Mirage, etc. The key on the icon for Magic means it is the Administration Server for the Domino Directory.
The Domino Named Network name for a server is defined in its Server document on the Ports – Domino Named Network Ports tab (under “Notes Network,” the legacy name for “Domino Named Networks”):
Unlike Domino Domain names, which should be unique between companies, Domino Named Network names are only used internally by the servers to develop routing tables between servers in the same Domino Domain.
  • 25.
Since users never see Domino Named Network names, they do not have to be user-friendly. You should code the name to include any administrator-helpful information, such as a physical location and/or protocol.
Note: The Net Address field contains the protocol-specific address that other servers and Notes clients use to locate the server on the network. In a TCP/IP network, this is the fully qualified Internet host name (e.g., hub.teamapps.com). Though they serve different purposes, in a TCP/IP network this address is typically the same as the one specified in the Fully qualified Internet host name field on the Basics tab, for example:
Note: The first server you set up in your Domain will automatically be defined as having the Domino Named Network name, Portname + “Network,” for example, TCPIP Network. For additional servers, however, you must manually enter the name in the Server document after registration but before setting up the additional server. If the additional server is in the same Domino Named Network, specify the exact same name when you set it up.
Multiple Domino Named Networks
If you have a network that uses different protocols or in which servers are connected only via modem, you must create multiple Domino Named Networks. This diagram shows three Domino Named Networks within the TeamApps domain:
[Diagram labels: Domain=TeamApps, TCPIP HQ, TCPIP NY, TCPIP LA]
  • 26.
Two servers belong to TCPIP HQ because they both support TCPIP and communicate on the same LAN. When users at the home office use the Open Application dialog box, they see both servers. The other servers belong to their own Domino Named Networks. Users only see one server at those locations when they use the Open Application dialog box. Keeping the servers in separate Domino Named Networks encourages users to use their local server, which frees up bandwidth on slow leased lines for intra-server communication (message routing and replication).
If users know the name of a server in another Domino Named Network, they can still enter its name into the Server field in the Open Database dialog box. Once a Bookmark is created or database icon is added to the workspace, of course, the user no longer needs to remember the server name. (This assumes, of course, that the Server Access List allows users from other Domino Named Networks to open a server.)
Multiprotocol servers
Servers supporting multiple protocols are members of multiple Domino Named Networks. This diagram shows a multiprotocol Domino Server that belongs to two Domino Named Networks:
[Diagram labels: Domain=TeamApps, NetBIOS HQ, TCPIP NY, TCPIP HQ]
The multiprotocol server, running both NetBIOS and TCP/IP, is responsible for replication and message routing between the Domino Named Networks. Because the two Domino Named Networks intersect at one server, Notes Mail delivery between the two Domino Named Networks through the multiprotocol server is automatic and does not require further configuration (no Connection documents are required). A Connection document is required, however, for message routing between the server in the TCPIP NY Domino Named Network and a server in TCPIP HQ.
In this example, because the servers in NetBIOS HQ and TCPIP NY do not have a protocol in common, they must route messages and replicate indirectly via a server in TCPIP HQ (or you could configure a server in TCPIP HQ as a Passthru Server).
  • 27.
NRPC routing
The placement of Domino Servers into Domino Named Networks and Domino Domains affects message routing. This diagram shows the major components and message flow of the Notes Mail system architecture (assuming a LAN-based Notes user and NRPC routing):
[Diagram labels: Client Mailer sends/saves memo; Memo saved to User Mail File; Memo deposited in MAIL.BOX of Home/Mail Server; Router polls MAIL.BOX; Instant delivery if on same server; Instant transfer to another server's MAIL.BOX if in the same Domino Named Network; Scheduled/Triggered transfer to another server's MAIL.BOX if in another Domino Named Network or Domino Domain]
Using Server and Connection documents, each Router independently builds a routing table of least hop-count paths to all servers in its own Domino Named Network and to those in other Domino Named Networks and Domino Domains that require more information to successfully transfer messages (via Connection documents). When a message is found in MAIL.BOX, the dispatch thread:
• immediately delivers the message if on the local server (uses Person document information to look up the user’s Home/Mail server name and Mail database file name)
• immediately transfers the message if the other server is in the same Domino Named Network
• waits for the Connection document schedule/threshold to come true and hands the message over to the appropriate transfer thread for transfer out of a specified port to another Domino Named Network or Domino Domain.
The process repeats at each server hop until the terminal destination Home/Mail server delivers the message to the user’s Mail database. If the message calls for a Delivery Confirmation or Return Receipt, the process is reversed and the sender is sent the confirmation or receipt. The specific path of servers may or may not be the same.
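The dispatch decision described above can be modelled in a few lines. This is an added example, not Domino's Router code or anything from the course: it uses breadth-first search for the least hop-count path, the server names are hypothetical, and the topology is constructed from the Domino Named Network names in the course's diagrams.

```python
from collections import deque

# Constructed topology. Server names are hypothetical; the Domino Named
# Network (DNN) names come from the course's diagrams.
SERVERS = {
    "HQ-NB1": {"NetBIOS HQ"},
    "HQ-GW": {"NetBIOS HQ", "TCPIP HQ"},   # multiprotocol server in two DNNs
    "HQ-IP1": {"TCPIP HQ"},
    "NY-IP1": {"TCPIP NY"},
    "LA-IP1": {"TCPIP LA"},                # no Connection document reaches it
}

# Connection documents as (source server, destination server). They are only
# needed between servers that do not share a DNN.
CONNECTIONS = [("HQ-IP1", "NY-IP1"), ("NY-IP1", "HQ-IP1")]


def neighbors(server):
    """Servers one hop away, with the kind of transfer used to reach each."""
    hops = {}
    for other, networks in SERVERS.items():
        if other != server and networks & SERVERS[server]:
            hops[other] = "immediate"      # shared DNN: no Connection document
    for source, destination in CONNECTIONS:
        if source == server and destination not in hops:
            hops[destination] = "scheduled"  # waits for schedule/threshold
    return sorted(hops.items())


def route(source, destination):
    """Least hop-count path as [(server, transfer_kind), ...], or None."""
    queue = deque([(source, [])])
    seen = {source}
    while queue:
        server, path = queue.popleft()
        if server == destination:
            return path
        for nxt, kind in neighbors(server):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(nxt, kind)]))
    return None


def dispatch(current, home_server):
    """What the Router on `current` does with a message for `home_server`."""
    if home_server not in SERVERS:
        return ("delivery-failure", None)
    if current == home_server:
        return ("deliver", current)        # write to the user's Mail database
    path = route(current, home_server)
    if path is None:
        return ("delivery-failure", None)  # no route: report back to sender
    next_server, kind = path[0]
    return ("transfer-" + kind, next_server)


if __name__ == "__main__":
    for start, home in [("HQ-NB1", "NY-IP1"), ("HQ-IP1", "NY-IP1"),
                        ("NY-IP1", "NY-IP1"), ("HQ-IP1", "LA-IP1")]:
        print(start, "->", home, dispatch(start, home))
```

Each server repeats the same decision on the message it receives, which is why only the first hop of the computed path matters to the Router that currently holds it.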
  • 28.
Note: If you are routing messages to another Domino Domain, be aware that you can only configure the routing of messages to a point server in the other domain. It is up to the administrators in the other Domino Domain to configure routing within the domain and to configure routing back to a point server in your domain. You will configure inter-domain routing in a later Topic.
Router task
NRPC message routing (transfer and delivery) is handled by the Router server task. This multi-threaded task is started when the server starts as a result of being listed in the ServerTasks= variable in the NOTES.INI, for example:
ServerTasks=Replica,Router,Update,Stats,AMgr,Adminp, <etc.>
The Router task should also be enabled in the Routing task field in the Server document:
In a single server environment, or if all servers are in the same Domino Named Network (and have the Router task running as shown above by selecting Mail Routing), there really isn’t much else you need to do to establish basic NRPC email within your domain.
The Router makes its decisions about where to transfer or deliver a message based on information found in the:
• incoming or outgoing message SendTo field (and possibly CopyTo and BlindCopyTo fields)
  • 29.
• Domino Directory hidden views (primarily $Users, which selects Person, Group, Mail-in Database, and Certifier documents):
The first step in processing a message is to parse the address following “@” to find the domain name (Domino or Internet). The Domino Domain is specified in the Server document (as well as in the NOTES.INI), so this is easy to find. Assuming that the message is addressed to this domain, look up the address in the $Users view. If a match is found, use the MailServer and MailFile values to move the message from the MAIL.BOX to the user’s Mail database (the database location is specified in each user’s Person document) for delivery or to another server’s MAIL.BOX for transfer.
Router task functions
With no additional configuration the Router task performs these functions:
• transfers messages simultaneously out multiple LAN ports
• employs multiple transfer threads to the same target server so large messages don’t impede smaller messages destined for the same server
• determines when to deliver messages based on message delivery priority and queues large messages to be transferred or delivered off-hours
• sends delivery failure messages and return receipts back to senders
• marks undeliverable messages as “dead” if there is no connection or route found back to sender to return a delivery failure and stores them in MAIL.BOX for administrative action
• logs its actions and maintains a full complement of performance statistics.
  • 30. With very little additional configuration, the Router also performs these functions:
• determines the next server hop in a computed “shortest path” when there are a number of Connection documents in the same Domino Directory
• has a limited ability to route around unsuccessful connections and recover to the normal/preferred route when the connection is restored
• generates events that can be handled by the Event task and responds to Domino Domain Monitoring messaging probes
• monitors Mail database size using quotas and optionally restricts additional messages from being created until the size is reduced.

As the course progresses, you will learn how to configure these and other Router task functions.

Exercise: Test message delivery

Follow these steps to test the delivery of messages on a single server (which is by default in a single Domino Domain and single Domino Named Network):

Step Action
1 Make sure your Domino Server is running and the Server Console is showing.
2 Work in Notes.
3 Press Ctrl+M to create a new message.
4 Because there is only one Notes user (you) in your Domino Domain and you do not yet have Connection documents to other Domains, address the new message to yourself.
5 When you send the message, watch the Server Console messages on the server.
6 Press F9 to refresh your Inbox view to find the message you received.
7 As an experiment, try sending a message to this user:
Fake User
What happens at the client? At the server?
  • 31. Step Action
8 Try sending a message to this user:
Fake User@FakeDomain
This is a Notes user’s address in another Domino Domain name. What happens at the client? At the server?
9 Try sending a message to this user:
FakeUser@fakedomain.com
Notes interprets this as an Internet address because the domain name (anything after the “@”) has a period in it. What happens at the client? At the server?
10 Open the Notes Log database on the Domino Server. Switch to the Mail Routing Events view. Open up the Log document(s) for today and find the events related to your mail activity.
11 Working at the Server Console (or in the Remote Server Console), enter these commands one at a time:
>tell router delivery stats
>tell router show queues
12 Or, from the list of Server Tasks in Domino Administrator, right-click the Router task and choose Tell Task to select the same commands:
The output displays delivery statistics and information about messages held in the transfer and local delivery queues.
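The address handling described in this Topic (take the domain after the “@”, treat a period in it as an Internet address, otherwise look the name up in $Users and use MailServer and MailFile) can be followed with a small model. This is an added example, not code from the course or from Domino; the function names, result labels, the user names, and the sample directory entries are constructed for illustration, and the real Router does considerably more.

```python
"""Simplified model of the Router's first routing decision (illustration only)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DirectoryEntry:
    """The two Person document values the text says the Router uses."""
    mail_server: str
    mail_file: str


# Constructed sample data: a tiny stand-in for the $Users hidden view.
THIS_SERVER = "Magic/TeamApps"
LOCAL_DOMAIN = "TeamApps"          # assumed Domino Domain name
CONNECTED_DOMAINS = {"Partner"}    # hypothetical domain with a Connection document
USERS_VIEW = {
    "pat smith": DirectoryEntry("Magic/TeamApps", "mail\\psmith.nsf"),
    "pat smith/teamapps": DirectoryEntry("Magic/TeamApps", "mail\\psmith.nsf"),
    "lee wong": DirectoryEntry("Rock/TeamApps", "mail\\lwong.nsf"),
}


def split_address(address):
    """Return (name, domain); domain is '' when the address has no '@'."""
    # Assumption: if an address holds more than one '@', the rightmost
    # part is treated as the domain.
    name, sep, domain = address.strip().rpartition("@")
    if not sep:
        return address.strip(), ""
    return name.strip(), domain.strip()


def is_internet_domain(domain):
    """A period anywhere after the '@' marks an Internet address."""
    return "." in domain


def route(address, this_server, local_domain, users_view, connected_domains):
    """Return a (decision, detail) pair for one recipient address."""
    name, domain = split_address(address)

    # Case 1: Internet address, handled outside the Domino Directory lookup.
    if is_internet_domain(domain):
        return ("internet", domain)

    # Case 2: another Domino Domain; needs a Connection document to it.
    if domain and domain.lower() != local_domain.lower():
        if domain.lower() in {d.lower() for d in connected_domains}:
            return ("transfer-to-domain", domain)
        return ("undeliverable", "no connection to domain " + domain)

    # Case 3: this domain; look the name up in the $Users stand-in.
    entry = users_view.get(name.lower())
    if entry is None:
        return ("no-directory-match", name)
    if entry.mail_server.lower() == this_server.lower():
        # Recipient's Mail database is on this server: deliver from MAIL.BOX.
        return ("deliver", entry.mail_file)
    # Recipient lives elsewhere: hand off to that server's MAIL.BOX.
    return ("transfer", entry.mail_server)


if __name__ == "__main__":
    for addr in ("Fake User", "Fake User@FakeDomain", "FakeUser@fakedomain.com",
                 "Pat Smith/TeamApps@TeamApps", "Lee Wong"):
        print(addr, "->", route(addr, THIS_SERVER, LOCAL_DOMAIN,
                                USERS_VIEW, CONNECTED_DOMAINS))
```

The three test addresses from steps 7 to 9 fall into three different branches, which is why the client and the server react differently to each.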
  • 32. Message document internals

Open your Inbox and right-click a message you have received. Choose Document Properties and click the Fields tab to expose the internals of the message document:

Most of the fields have been added by the Notes Mailer user (such as SendTo, Subject, and Body), but some are added by Notes as part of the form design, and others by the Router as it processes the message document.

The standard fields (for both Notes and Internet mail) that make up a message document are the SendTo, Subject, and Body fields (if the message is long, there will be more than one Body item listed; all of the items are put together when reading the message). Additional addresses are stored in CopyTo and BlindCopyTo (if used).

The From and FromDomain (if from a different Domino Domain) fields tell you who sent the message. The PostedDate field indicates when the user sent the message, while the DeliveredDate is when the Router wrote the document to the user Mail database.

RouteServers and RouteTimes are multi-value fields that collect all of the Router names that handle a message. Since you have only seen delivery on a single server, you will only see one server name and a single timestamp pairing. When you route a message between Domino Servers, you will see all of the names here.
  • 33. To see the internals of a message document a bit more clearly, open the message you received and click the More action button and choose Delivery Information. The Delivery Information dialog box opens:

The Delivery and Routing Information field shows the PostedDate and DeliveredDate fields; scroll down to see the RouteServers and RouteTimes information. As you may suspect, the Delivery Options and Importance fields are also stored in various fields in the message document.

The time and date stamps can be seen on the Document Info tab in Document properties. Since the server wrote the document to your Mail database, it is listed as the last modifier.
  • 34. The first two lines on the last tab show the Universal Note ID (UNID) of the message document that was sent; the UNID uniquely identifies a document:

When the Router logs its transfer and delivery actions in the Domino Server Log (LOG.NSF) database, it records only the last eight characters of the UNID:

When written to the recipient’s Mail database, the UNID will typically stay the same (unless there happens to be a duplicate, in which case a new, unique UNID is assigned), so you can, if necessary, track the message down in the logs of servers listed in the RouteServers field and also compare the message in the sender’s and recipient’s Mail databases. (You will do this later in the course.)

The “DB” identifier will always change in the recipient copy of the message document to match the Replica ID of the recipient’s Mail database.

Note: For more information about document identifiers, read the Lotus Support document, What Are the Components of a Note ID? found at http://www.ibm.com/support/docview.wss?rs=899&uid=swg27002668.
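Tracking a message through the logs of the servers named in RouteServers, using the last eight characters of the UNID, can be scripted once the Mail Routing Events text has been exported. The following is an added example, not part of the course material: the log line layout, the UNID, the timestamps, and the user names are constructed, and the function names are hypothetical. Because eight characters are not unique over time, the sketch also narrows matches to the window between PostedDate and DeliveredDate.

```python
"""Trace one message across exported Router log text by its UNID suffix."""
import re
from datetime import datetime, timedelta

# Assumed layout of an exported log line (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M)\s+Router: Message "
    r"(?P<id>[0-9A-F]{8}) (?P<action>delivered|transferred) to (?P<target>.+)$"
)
TS_FORMAT = "%m/%d/%Y %I:%M:%S %p"

# Constructed sample input: a UNID and two servers' log excerpts.
SAMPLE_UNID = "4A1F09C2852576800051C3A70067A2B1"
SAMPLE_ROUTE_SERVERS = ["Hub/TeamApps", "Magic/TeamApps"]
SAMPLE_LOGS = {
    "Hub/TeamApps": [
        "02/15/2010 09:14:03 AM  Router: Message 0067A2B1 transferred to "
        "Magic/TeamApps for Pat Smith/TeamApps@TeamApps via Notes",
        "02/15/2010 09:14:05 AM  Router: Message 00331F0E delivered to Lee Wong/TeamApps",
        # Same eight characters, unrelated message from weeks earlier.
        "01/04/2010 03:30:11 PM  Router: Message 0067A2B1 delivered to Lee Wong/TeamApps",
    ],
    "Magic/TeamApps": [
        "02/15/2010 09:14:09 AM  Router: Message 0067A2B1 delivered to Pat Smith/TeamApps",
    ],
}
SAMPLE_POSTED = datetime(2010, 2, 15, 9, 14, 0)
SAMPLE_DELIVERED = datetime(2010, 2, 15, 9, 14, 9)


def unid_suffix(unid):
    """Return the last eight characters of a 32-hex-character UNID."""
    value = unid.strip().upper()
    if not re.fullmatch(r"[0-9A-F]{32}", value):
        raise ValueError("expected the UNID as 32 hexadecimal characters")
    return value[-8:]


def trace_message(unid, route_servers, logs, posted, delivered, slack_minutes=5):
    """Return time-ordered (timestamp, server, action, target) log hits.

    Only servers listed in RouteServers are searched, and only events
    between PostedDate and DeliveredDate (plus slack for clock skew)
    are accepted, so an old message with the same suffix is ignored.
    """
    suffix = unid_suffix(unid)
    start = posted - timedelta(minutes=slack_minutes)
    end = delivered + timedelta(minutes=slack_minutes)
    hits = []
    for server in route_servers:
        for line in logs.get(server, []):
            match = LINE_RE.match(line.strip())
            if not match or match["id"] != suffix:
                continue
            stamp = datetime.strptime(match["ts"], TS_FORMAT)
            if start <= stamp <= end:
                hits.append((stamp, server, match["action"], match["target"]))
    return sorted(hits)


if __name__ == "__main__":
    for hit in trace_message(SAMPLE_UNID, SAMPLE_ROUTE_SERVERS, SAMPLE_LOGS,
                             SAMPLE_POSTED, SAMPLE_DELIVERED):
        print(hit)
```

A server that appears in RouteServers but produces no hit in the window is the place to look first when a message went missing or was altered in transit.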
  • 35. Topic 3: Notes Configuration

Key points

There are a number of options with respect to how Notes sends and receives messages, but there are really only a few basic settings that control how Notes interacts with the Domino Server with respect to email. The settings answer these questions:
• What is required for the user to create a new message from anywhere in Notes?
• How is the message content formatted for the recipient (Notes Rich Text or MIME)?
• What is required to send the message?
• What is required for the Router to deliver messages to a user’s Mail database?
• What is required for users to read their messages?

Beyond these basic questions, all of the other configuration options are related to the usability and add-on features of the UA itself. Another fundamental question is how users address their messages. This is covered in a later Topic when we discuss directories.

Note: We can assume in this Topic that:
• Notes is connected to the Domino Server on a local area network
• the user’s Notes ID has been certified or cross-certified by a Certifier ID in the server’s Organization so authentication is possible (User ID is not locked out due to incorrect password)
• the user is allowed to access the server (is represented in the Server Access List in Server document, is not in any “Deny Access” group, and is in no other way blocked from accessing the server)
• the -Default- access of MAIL.BOX on the Domino Server is Depositor (this prevents users from reading or tampering with other users’ messages)
• the user has at least Editor access to his/her Mail database.
  • 36. Create message

What is required for a user to create a new message anywhere in Notes? Before answering this question, it is important to remember that Notes knows who the current user is, and the user’s current Location name from the Notes User ID file name specified in the NOTES.INI variables Keyfilename= and Location=.

With these two pieces of information Notes learns from the current Location in the local Contacts that the user’s Mail database is on a Domino Server (Location documents are used by both the Notes Basic and Standard configurations; the second image is from Preferences in Notes Standard configuration which is just a different UI but with the same settings):

The Mail database name and Domino Domain name are specified; the user has his/her own database (the .NSF extension is optional), which exists on the Home/Mail server. The Home/Mail server on which the user’s Mail database resides is specified on the Servers tab in the Location document using the fully distinguished name, for example:

When the user creates a new memo (presses Ctrl+M, clicks the New button on the Mail bar on the Basics Home Page, opens Mail and clicks the New action button, or chooses Create – Mail – Message anywhere outside of Mail), the Memo form from the specified database (mail\psmith.nsf) on the specified server (Magic/TeamApps) is opened.
  • 37. If the:
• Mail file field does not specify a valid path and file name on the Home/Mail server (or on the local hard drive if configured for Local mail), the Create - Mail menu will display (None Available).
• Mail file location field is set to Local, then the Mail database must exist on the local hard drive (ideally in the same subdirectory structure as on the server).

Otherwise because the user has Editor+ access to the database and can create new documents in it (both ACL settings), the new message opens.

Note: Location documents can be keyed to the User ID on the Advanced – Basics tab, so that the Home/Mail server, Mail database file name, and other settings all switch based on the User ID currently active. This allows a single copy of Notes to be shared by multiple users by merely switching to another location. For a more robust multi-user client, though, you should set up Notes to run specifically as a multi-user client. The Lotus Notes Support course describes how to do this.

Message format

Most modern email software (including Notes) allows you to send messages that include formatted text and attachments. How the message content (the Body field) is formatted for a particular recipient depends on the recipient UA. If the recipient UA is:
• Notes, the message is formatted using the proprietary CD (Composite Document) rich text structure, which offers the greatest fidelity and retains special Notes features such as sections and Document Links
• an Internet email client, the message is converted (as best as possible) from the CD format to MIME (Multipurpose Internet Mail Extensions), using plain text, HTML, or both in the same message.

It is ultimately up to the Notes user to determine the message format, but Notes can be configured to help in this effort. How does Notes know which format to use, especially if sending the message to multiple recipients, some who use Notes and others who use an Internet email client?
  • 38. The first thing Notes does is check the Domino Directory for the recipient; if found, the recipient’s Person document specifies the preferred message format:

Thus, for recipient UAs that can interpret MIME (for all Internet mail picked up by POP and IMAP users), the Notes Mailer creates a version of the message that uses MIME. For recipients that can read only Notes Rich Text (Notes 4.x and prior), the Mailer creates a version that uses the CD format.

If the setting is Keep in senders’ format, the message is sent using the field definition in the mail template (which by default is the Notes Rich Text format). It is then up to the recipient’s UA to convert the Body field format.

The recommended settings are:
• Keep in senders’ format if the UA is Notes R5 or higher.
• Prefers MIME if the UA is POP3 or IMAP.
• Prefers Notes Rich Text if the UA is Notes pre-R5.
  • 39. If the recipient domain name has a period (meaning it is an Internet address), the recipient’s format preference won’t be found in the Domino Directory. Instead, the Notes Mailer looks to the current Location document for instructions on how to format messages bound for the Internet (the last field):

With the MIME Format preference set, all recipients outside the user’s Domino Domain with Internet addresses will receive messages in the MIME format.

But wait, there’s more! The User Preferences (File – Preferences – User Preferences – Mail – Internet in Notes Basic configuration) determine whether the MIME is sent as HTML, reduced to text, or both (if the recipient mail client supports HTML it will use the attachment; otherwise the text is used):
  • 40. In Notes Standard configuration, choose File – Preferences to open User Preferences. Then expand Mail\Internet to find the Internet mail format setting.

If set to Prompt when sending, the user is prompted when the message is actually sent to select the format of the MIME encoded content:

It is up to the user to know the message format capabilities of the recipient UA.

Note: All the MIME recipients in a message’s Address fields will be converted to the same format. If you want to send a particular format to a particular person, you will have to create another message. If some recipients are also Notes users, the result is that you will possibly see two messages being deposited in MAIL.BOX: one for Notes Rich Text format, and one for MIME.

Submit message to recipient

What is required to enable Notes to send a message? The fact that a particular message is saved to a user’s Mail database is a function of that user:
• having the rights in the ACL to author documents in that database
• choosing to save the message when it was sent:
  • 41. Note: User Preferences (Mail\Sending and Receiving) also determines if the default button performs a Send & Save or Send Only:

If the user opts to send the message, the message document is deposited in the MAIL.BOX database on the Home/Mail server specified in the current Location document stored in the local Contacts. Once the document is deposited to the MAIL.BOX database on the server, it is up to the Router task to poll that database for messages to transfer or deliver.

If the user Mail database file location is set to Local (for mobile users), the message document is saved to the local MAIL.BOX database. When the user schedules or forces a message transfer, the documents in the local MAIL.BOX database are moved to the MAIL.BOX database on the Home/Mail server.

Deliver message to user

What is required for the Router to deliver messages to a user’s Mail database? If a message originates from a Domino Server other than the user’s Home/Mail server, the message is transferred by the server to the next hop on the way to the user’s Home/Mail server using the same process of depositing the message into the next server’s MAIL.BOX database, and if successful, deleting it from its own MAIL.BOX.

When the message arrives at the recipient’s Home/Mail server, the Router performs a lookup of the user’s name from a view of Person documents to find the Home/Mail Server field to match. It then looks for the Mail database file name and deposits the message into that database. If successful, the Router deletes the document from its MAIL.BOX database.

Again, how the message is stored depends on the recipient’s Person document, which specifies the preferred message format.
  • 42. Read messages

What is required for a user to read messages using the Notes UA? When the user clicks the Mail icon on the Home Page or clicks in Notes Standard configuration and chooses Mail (or any other ways to open Mail), again, the Location document is used to determine which database to open on the specified Home/Mail server (or the Local drive).

User registration

Most of the Person document (in the Domino Directory) and Location document (in the local Contacts) information for Notes Mail delivery is created as part of user registration and/or Notes setup; you do not generally have to create this information manually. User registration is covered fully in the Lotus Notes Administration course, but let’s review the mail-related aspects of registering a new user.

The Mail page in the Register Person dialog box (with the Advanced check box selected) is where you set the Home/Mail server, mail system type, Mail database design template and file name, and the ACL setting for the user:
  • 43. This table describes the fields on the Mail tab:

Field: Mail system
Function: Choose from Lotus Notes, POP, IMAP, or iNotes, which all use a Notes database to store user mail. If set to Other Internet or Other, a new field appears where you can enter the user’s forwarding Internet or other mail address (a Mail database will NOT be created for the user) so other users can address memos and send them via an MTA or gateway. Choose None if the user doesn’t need mail or you want to configure it later.

Field: Mail Server button
Function: The fully distinguished name of the Home/Mail server, for example:
Mail Magic/TeamApps
The Home/Mail server performs several functions:
• stores the user’s Mail database
• is responsible for running the Administration Process to make any changes to the Mail database
• using the list of servers in the same Domino Named Network, presents the user with a list of servers in the Open Database dialog box
• serves as a network name resolver to help Notes find other Domino Servers if:
    • the server name cannot be resolved using protocol-level methods or a numeric IP address is required
    • the server name is different from the protocol-specific name (such as the computer host name)
    • the server uses different common names in the Server document Net Address field; the Home/Mail server picks the correct name given the Notes protocol.
  • 44. Field: Mail file name
Function: The path and database file name for the user. By default the file name is created using the first letter of the user’s first name and first seven characters of the last name. If the directory does not exist, it will be added automatically under the DATA directory. You cannot, however, specify a linked directory name here.
Note: For easier administration, you should always create all Mail database files in a separate mail directory (or directories) under the data directory. The default is MAIL.

Field: Mail file template
Function: Unlike previous versions of Domino that had multiple mail templates, there is now just the single Mail (R8.5) (MAIL85.NTF) design template for all Mail UA types (Lotus Notes, POP/IMAP, iNotes, and Domino Access for Microsoft Outlook/DAMO). If your company has created a custom template, you can specify that template name instead of the default. You may, for example, provide additional views and custom forms (employee reviews, travel authorization, timesheets, etc.), or reduce the functionality to shrink the user Mail database file footprint, such as removing the code if the user will never access Mail with a browser.
Note: You will learn later in the course how to use a central design and/or compress design elements to save space.

Field: Mail File Replicas button
Function: Allows you to create a replica of the user Mail database on more than one server; typically when using Domino Clustering, Mail databases are stored on at least two servers in the cluster.
  • 45. Field: Mail file owner access
Function: The setting the user has in the ACL. If set to:
• Editor, users can delegate their Mail and enable the Out of Office agent. This is the recommended setting.
• Designer, users also can change the design (and block design updates) and create a full text index (if you don’t create it now). Generally not recommended.
• Manager, users have complete control over their Mail databases, including the ability to change the ACL and delete the database. NOT recommended!
Note: If you give Editor or Designer access, you (the person registering the user) will be given Manager access in the database ACL. Remember that Full Access administrators can still control the ACL of any database.
Note: For users to delegate Mail database access, they must also be listed as Author in the Administration Requests database (this may be accomplished with –Default– set to Author or more likely the Organization, e.g., */TeamApps) and given Author access.

Field: Mail file manager
Function: Adds an entry to the ACL with Manager access if the user isn’t set as Manager. The idea is to have at least one person or group listed as Manager, and if not the user, then ideally a group name of trusted administrators responsible for managing user Mail databases. If the user is set to be Editor or Designer in the previous field, the person doing the registration will be set as Manager in the ACL unless this field contains a user or group name, in which case that name will be set as Manager to the ACL.
  • 46. Field: Create file in background
Function: If you create the Mail database(s) now (option is not selected):
• registration will take much more time
• you must have physical connectivity to the Home/Mail server(s).
If you let the Administration Process create the database(s) in the background (option is selected):
• registration will go much faster
• you don’t need to have physical connectivity to the Home/Mail server if it is at a remote location
• the Create Mail File Administration Request placed in the Administration Process Requests database must replicate to the Home/Mail server and be processed before you can set up the user.
Whether created now or in the background, you must have the right to create databases on the Home/Mail server(s). If you migrate users from other mail directories, you must create the Mail databases now.

Field: Create full text index
Function: Allows users to quickly search their mail for words and phrases. Keep in mind that full text indexes can be as large as 75% of the database size. We recommend that you create the index later using the Database - Full Text Index tool in the Files function tab in Domino Administrator. This is actually a better way to create the index, as you can also set various options that affect the search capability and index size.
Note: If you had set the user access level to Editor earlier, the user will not have sufficient access to create the full text index him/herself.
  • 47. Field: Set database quota/warning threshold
Function: Specify the maximum file size of the user’s Mail database. If users exceed the quota, by default they can still receive mail but cannot save mail until they delete existing messages. Specify the warning level at which users are notified that they are about to exceed their quota.
Note: You will learn how to set/reset quotas and how they are enforced later in the course.

The Address tab (also appears when you check the Advanced check box) lets you add the user’s Internet email address and Internet domain to allow the user to receive mail from the Internet addressed to them:

This table describes the fields on the Address tab:

Field: Internet address
Function: This is the email address of the user that is used when the Mail Router routes mail from the Internet.
Tip: The Internet address will be created for you if you leave this field blank, enter the Internet Domain on the right, and have selected an Address name format option and Separator. You will see the address being built as you type in the Internet Domain name. If you type an address in the Internet Address field, however, your entry will override the auto-generated address.
  • 48. Field: Internet Domain
Function: The registered Internet domain name used to send mail from the Internet into your company. This name corresponds to one or more MX records in the public DNS.

Field: Address name format/Separator
Function: Determines how a user’s name should be concatenated to automatically create the Internet address.
Note: Once you decide on a particular format, you should stick with it for all users, especially if they have advertised their address. If you want to change the Internet Address format later, you can do so using the Set Internet Address tool in the People & Groups function tab.

Tip: The default values for user registration fields can be set with an explicit or Organizational Policy document that is paired to Registration and Setup Settings. Then repeat the settings in the Desktop Settings policy so you can dynamically reconfigure the user settings. The Lotus Notes 8 Administration course describes how to do this.

Note: Domino Administrator also includes migration tools to move users from cc:Mail, Exchange, Netscape Mail, Windows directory, or an LDIF file (the result of an export from an LDAP directory). There are also third-party migration tools that you can use to port email accounts and files to other clients (e.g., http://www.binarytree.com/). Migrating from Exchange? See the still-relevant IBM Redbook “Migrating from Microsoft Exchange 2000/2003 to Lotus Notes and Domino 7” at http://www.redbooks.ibm.com/redpieces/abstracts/sg247777.html?Open.

Exercise: Test message delivery

Follow these steps to show how settings in your Person document in the Domino Directory and your Location document in your local Contacts affect your ability to create, send, and read messages:

Step Action
1 Make sure your Domino Server is running and the Server Console is showing.
2 Work in Notes.
  • 49. Step Action
3 Open the Domino Directory on your server. Open the Messaging\Mail Users view and determine your Home/Mail server, Mail Address, and Mail File names. This view (also available in Domino Administrator) gives you an overview of users who have a Mail database file name listed by Home/Mail server. This view is also helpful to ensure unique address and file names, as well as to distinguish users who have been registered in the Domino Directory but who are not set up for mail.
4 Open your Person document in Read mode. Click the Basics tab to see the information the server uses to deliver messages to your Mail database. Close the document.
5 Open the Messaging\Networks view and locate the Domino Named Network that your Home/Mail server belongs to. There is probably only one server in the Domino Named Network. If there were more servers, messages would be instantly transferred to those servers for delivery to users with Mail databases on those servers.
6 Choose File – Preferences - Location Preferences to open your current Location document. Click the Servers tab. What is the name of your Home/Mail server? This should match what your Person document said. Click the Mail tab. Where is your Mail database located? This should match what your Person document said.
7 Press Ctrl+M to create a new message. Which Mail database is opened? (Use Database properties to verify.) What controls which database opens?
8 Address the new message to yourself.
  • 50. Step Action
9 Send the message. Which Home/Mail server is used when sending the message? What controls which server is used?
10 Close your Mail database.
11 Click the Mail bookmark. Which Mail database is opened? (Use Database properties to verify.) What controls which database opens?
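The access assumptions listed at the start of this Topic (MAIL.BOX -Default- set to Depositor, the user at least Editor in the Mail database) and the Mail file owner access and Mail file manager recommendations from the registration table can be checked mechanically once ACL entries have been exported. This is an added example and not part of the course: the export structure, the finding codes, the user names, and the group name MailAdmins are hypothetical, and the sample entries are constructed.

```python
"""Check exported ACL entries against the recommendations in this Topic."""

# Domino ACL access levels, lowest to highest.
LEVELS = ("No Access", "Depositor", "Reader", "Author",
          "Editor", "Designer", "Manager")


def rank(level):
    """Position of an access level in the ordering above."""
    return LEVELS.index(level)


def audit_mail_box(acl):
    """MAIL.BOX: -Default- should be Depositor so users cannot read
    or tamper with other users' messages."""
    default = acl.get("-Default-", "No Access")
    if default == "Depositor":
        return []
    if rank(default) > rank("Depositor"):
        return [("mailbox-default-too-high",
                 "-Default- is %s; messages in MAIL.BOX are exposed" % default)]
    return [("mailbox-default-too-low",
             "-Default- is %s; users cannot deposit mail" % default)]


def audit_mail_file(owner, acl):
    """Mail database: owner should be Editor, and a Manager entry
    other than the owner should exist."""
    findings = []
    level = acl.get(owner, "No Access")
    if rank(level) < rank("Editor"):
        findings.append(("owner-below-editor",
                         "%s has %s; at least Editor is required" % (owner, level)))
    elif level == "Designer":
        findings.append(("owner-designer",
                         "%s can change the design; generally not recommended" % owner))
    elif level == "Manager":
        findings.append(("owner-manager",
                         "%s can change the ACL and delete the database; "
                         "not recommended" % owner))
    other_managers = [name for name, lvl in acl.items()
                      if lvl == "Manager" and name != owner]
    if not other_managers:
        findings.append(("no-separate-manager",
                         "no administrator or group holds Manager access"))
    return findings


def audit_server(mail_box_acl, mail_files):
    """Return {database: findings} for every database with a finding."""
    report = {"mail.box": audit_mail_box(mail_box_acl)}
    for path, (owner, acl) in sorted(mail_files.items()):
        report[path] = audit_mail_file(owner, acl)
    return {db: found for db, found in report.items() if found}


# Constructed sample export.
SAMPLE_MAIL_BOX_ACL = {"-Default-": "Author", "LocalDomainServers": "Manager"}
SAMPLE_MAIL_FILES = {
    "mail\\psmith.nsf": ("Pat Smith/TeamApps",
                         {"Pat Smith/TeamApps": "Editor", "MailAdmins": "Manager"}),
    "mail\\lwong.nsf": ("Lee Wong/TeamApps",
                        {"Lee Wong/TeamApps": "Manager"}),
    "mail\\jdoe.nsf": ("Jo Doe/TeamApps",
                       {"Jo Doe/TeamApps": "Reader", "MailAdmins": "Manager"}),
}

if __name__ == "__main__":
    for db, found in audit_server(SAMPLE_MAIL_BOX_ACL, SAMPLE_MAIL_FILES).items():
        for code, message in found:
            print(db, code, message)
```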
  • 51. Topic 4: Inter-Domino Named Network NRPC Routing

Key points

As you know, you do not have to configure message transfer between two Domino Servers in the same Domino Named Network; the messages are transferred and delivered immediately regardless of any delivery priority set by the user. This Topic looks at message transfer using NRPC between two:
• Domino Named Networks in the same Domino Domain
• different Domino Domains.

The basic mechanism to enable inter-Named Network message routing is a Connection document in the Domino Directory on both ends (and any nodes between), so that messages can route both ways.

When you need Connection documents

If you only have a single Domino Named Network or never want to route messages via NRPC to another Domino Domain, you do not have to create any Connection documents for message routing. We’ll look at an example of several Domino Named Networks that are not connected. The Messaging\Mail function tab in Domino Administrator shows the Mail Routing Topology by Domino Named Networks:
  • 52. In this Domino Domain there are several Domino Named Networks. Within each network, message routing to/from any server is automatic and immediate without requiring any Connection documents that specify message routing (you will still need Connection documents to schedule replication). There will not, however, be any message routing (or replication) between the Domino Named Networks without Connection documents defined.

Note: The topology map is rebuilt at 2 AM by the Maps Extractor server task. After adding new Connection documents, you won’t see the new topology maps. There is no way to force it to update immediately. You can try starting the Maps task manually using this Server Console command (use the live console):

>load maps

Then restart Domino Administrator. But in most cases, you won’t see new drawings until tomorrow. You can change the number of hours after the Map task starts that the maps are rebuilt using the NOTES.INI variable Topology_WorkInterval=#hours. The maps will then be rebuilt every #hours afterwards. Search Domino 7 Administrator Help for details.

If you have a large multi-network or multi-domain enterprise, however, then you will undoubtedly create and maintain many Connection documents (typically through one or more centralized Domino Servers acting as mail hubs).

The topology map, by the way, shows routing in the same Domino Named Network (the legend for the topology diagram labels it “Default Mail Routing”) as a solid blue line between two servers. Though none are shown in the topology above, explicit connections would be drawn with a dashed red line. In this other example, Sea and Rock are in the same Domino Named Network, whereas Rock and Hub are not but do have a Connection document defined:
  • 53. There are several other examples of message routing that may or may not require Connection documents. If you route messages via:
• SMTP to the Internet, you do NOT need Connection documents unless you route messages first to a mail hub (such as outside the firewall) that is responsible for routing messages to the Internet
• NRPC over the Internet, then you DO need Connection documents (there are no MX records in the DNS that can be used for NRPC routing).

Two Connection documents are needed

Two Connection documents are necessary to send and receive messages from another server in another Domino Named Network. If you want to route messages:
• between Domino Named Networks within your own domain, you must compose both Connection documents in your domain’s Domino Directory.
• to other domains, you must create a Connection document between one server in your domain (through your Domino Named Networks) to one point server in the other domain; the other domain’s Notes administrator is responsible for creating a Connection back to your domain.

Caution: Never create a Server document in your Domino Directory for any Domino Servers outside of your Domino Domain. This will totally confuse the Router.

Create Connection document

Connection documents provide the Router with instructions on how and when to transfer messages to another Domino Server outside its own Domino Named Network or Domino Domain. Follow these steps to create a Connection document relevant to message routing:

Step Action
1 Open the Configuration function tab in Domino Administrator. Expand the Messaging item in the Context Pane and click Connections to open the Connections view in the Domino Directory.
  • 54. Step Action
2 Click the Add Connection action button. A new Connection document opens:
Connection documents are used to schedule message routing and/or replication. In this course, we are only interested in routing, but you would typically work on the schedule for both tasks in the same Connection document.
Note: Remember that because the Domino Directory is replicated to all servers in your Domino Domain, you can define the routing topology and schedule for all servers in the Domino Directory on one server and the Connection documents will eventually replicate to all the other servers.
3 Enter the field values (relevant to message routing) using the following table.
  • 55. Field and function:
    Connection type: Specify the type of connection, the default type being Local Area Network, in which the destination server is always available over a network connection. Network Dialup can also be used for message transfer, which uses a RAS dialer to connect to a SLIP or PPP dial-up server. There are several other specialty connection types you can choose from, most of which are now obsolete. The type of connection you select reveals additional fields or an added tab to the Connection document.
    Source server and domain: The distinguished server name (e.g., Hub/TeamApps) and the Domino Domain name of the server initiating the exchange.
    Use the port(s): The name of the port out from which the destination server can be found. If the other server is available via multiple ports, you can optionally put an * to let the server determine a port to use, starting at the top of the enabled port list.
      Note: Ports are named using the Server - Setup Ports tool in the Server function tab in Domino Administrator. If a LAN port, the port name is also entered in the Ports - Domino Named Network Ports tab in the Server document.
    Usage priority: Affects how the source server finds the destination server, which occurs in this sequence:
      • determine a path to the destination server using Connection documents with a Usage priority set to Normal
      • if not found, probe all enabled ports for the destination address (the method varies by protocol)
      • use Connection documents with a Usage priority set to Low
      • attempt to use a default Passthru Server to connect.
      Note: If two ports are enabled in the same Domino Named Network, you can force which port a server uses to connect to the other server by setting one to a Usage priority of Normal, and the other to Low.
  • 56. Field and function (continued):
    Destination server and domain: The distinguished server name (e.g., Spoke1/TeamApps) and (Domino) domain name of the destination server (NOT the Internet domain, as we are routing via NRPC here). You can also enter a group name as the destination. The Group document, in turn, contains a list of Domino Servers in the Members field. This reduces the number of Connection documents you need to manage if messages are to route out to multiple servers in the destination Domino Named Network or Domino Domain.
      Note: Message transfer is sensitive to the destination domain of the message. If there are no messages bound for the destination domain, no connection will be attempted. If, on the other hand, a user sends a message to a user in another domain to which there is no connection, the message is returned to the user as undeliverable.
    Optional network address: Specifies a network address if the common name of the server is not a resolvable network address (such as when using TCP/IP without a HOSTS file or a DNS).
      Note: Lotus highly recommends using a TCP/IP host name as opposed to a numeric IP address. If your server has trouble contacting a DNS, enter the IP address instead.
    Step 4: Click the Replication/Routing tab to define the parameters for routing:
    Enter the field values (relevant to routing) using the following table.
  • 57. Field and function:
    Routing task: Select Mail Routing for NRPC routing. The other routing tasks listed are virtual connections that allow messages using other protocols to travel via NRPC to a server that has been enabled to route messages to the external mail system.
    Route at once if: In addition to scheduled connections, the Router can initiate an unscheduled connection if this threshold of messages to the same destination server is reached. At the extreme values, if you set it to 1, one Normal priority message will cause the Router to make the connection. If you set it to 999, the messages will queue until the next scheduled transfer.
      If all of your mail connections internal to your company are over a high-speed WAN and you have bandwidth to spare (or you use the Internet to route Notes Mail), there is really no overall traffic savings by preventing instant delivery of messages. Set the transfer threshold to 1 and allow messages to travel freely.
      For connections across slower lines, and especially via dial-up modem, you should increase the threshold to a high number so the connection is made only on a scheduled basis. (You can disable high priority messages from routing immediately on a server-by-server basis.) If the call is long distance, you can schedule the call off-hours.
      Note: It is more efficient to make a dial-up call and transfer 10 messages than to connect 10 times and transfer one message each time. Over the LAN (or a fast WAN), however, there is no overall performance advantage in waiting to deliver messages all at once versus one at a time. Besides, users won’t be happy if messages aren’t delivered as soon as they send them.
  • 58. Field and function (continued):
    Routing cost: Generally set to 1 for LAN connections and 5 for Dialup Modem connections. Used by each Router when it builds a routing table that computes the least-costly (in number of hops) route to any other server.
      Caution: You can set the value from 1 to 10 to decrease the likelihood that a particular path is chosen, but be careful, or you may create a routing loop (message becomes dead after 25 hops). Lotus recommends that you leave this field alone!
      The routing table is rebuilt after replication of the Domino Directory, any change to Server or Connection documents, and/or when you optionally specify it to be rebuilt in the Dynamic cost reset interval field in the Router/SMTP - Advanced - Controls tab in the Configuration Settings document.
      The number of hops a message may take before being considered undeliverable is set in the Maximum hop count field in the Router/SMTP - Restrictions and Controls - Transfer Controls tab in the Configuration Settings document.
      Note: The routing cost does NOT directly affect which port a Router selects to connect to a particular server; it only affects which server is thought to be next in the least-cost path to the final destination server. Do NOT attempt to specify two connections between two servers at the same time using different ports (and different routing costs) thinking that one can be used as a backup. It won’t work!
  • 59. Field and function (continued):
    Router type: The default, Push Only, is used in all cases over a LAN/WAN, and in most cases when dial-up connections are made. This means that two Connection documents (one each way) are needed. There are three other types of connections that can be made:
      • Push Wait. Source server waits to transfer messages until it gets a connection from the destination server. When the destination server connects, it issues a “pull request,” which tells the source server to push the messages. Requires that the destination server have a Pull Push or Pull Only connection.
      • Pull Push. Source server connects to the destination server and pushes its messages; it also sends a pull request, at which point the destination pushes messages to the source. This requires that the destination server have a Push Wait connection to the other server.
      • Pull Only. Source server connects to the destination server and sends a pull request but does NOT push its own messages to the destination. Requires that the destination server have a Push Wait connection.
      These last three options allow bi-directional message transfer between seldom-connected servers in which one server is responsible for making the connection. These are most often used for a central server connecting to multiple remote site servers or when multiple servers connect to an ISP to pick up messages.
    Pull Push/Pull Only options: Other options appear if the Router type field is set to Pull Push or Pull Only:
      • route via NRPC or SMTP
      • pull messages that are also related to the source server’s domain (listed in the Global Domain document), which could be other specific servers, domains, or hosts on whose behalf the pull request is made.
  • 60. Step 5: Click the Schedule tab to define when messages can be transferred:
    Enter the field values using the following table.
    Field and function:
    Schedule: Allows you to enable or disable the entire Connection document.
    Connect at times: Allows two types of settings, or a mixture of the two:
      • list of individual time(s), for example: 10:00 PM; 4:00 PM; 9:00 PM
        This allows precise connection schedules for more controlled resource utilization.
      • range of times, for example: 8:00 AM – 10:00 PM
        This makes for easier scheduling and increased opportunity for connection success.
      Note: The connection is only active during the times you schedule. If there are no messages pending to the destination server, no connection is made (unless Replication is also specified as a task).
  • 61. Field and function (continued):
    Repeat interval of: Means two different things, depending on which type of connection schedule you select:
      • For specific times, it indicates the length of time that the Router will attempt to make the connection (such as if the line is busy).
      • For a range of times, it indicates how long after the end of a successful connection the Router should wait to initiate the next connection. (Zero indicates to attempt a connection only once.)
      Note: To reduce resource load, attempts to transfer a message are made at exponentially longer delays. You can, however, specify the initial delay using the Initial transfer retry interval field in the Configuration Settings document under the Router/SMTP - Restrictions and Controls - Transfer Controls tab.
    Days of week: Controls which days the connections are made.
    Step 6: Save and close the document.
    Step 7: To dynamically update the routing tables using Configuration Settings document information, enter this Server Console command:
      >tell router update config
      If you don’t use this command, the Router will pick up any changes in five minutes anyway.
  • 62. Step 8: If the source server is the server you are currently administering, open the Messaging function tab. Click Mail Routing Topology - By Connections to see the graphical layout of the routing connections, for example:
      Double-click a server name to reorient the diagram to put that server at the center; double-click a dashed line to open the underlying Connection document.
      Click Mail Routing Topology – By Named Networks to see which servers will instantly receive messages by virtue of being in the same Domino Named Network.
    Replicate the Domino Directory
    If any document that affects the $Servers, $Connections, or $Domains views (including Connection documents) is added to or updated in the Domino Directory, the routing table is rebuilt on each server. But because of the changes, the routing tables of other servers may be temporarily inaccurate until the changes replicate to the other servers involved in message routing. (Each server builds its own routing table.)
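    The Router type pairings and the warning against duplicate "backup" connections from the field tables above can be checked mechanically before the documents replicate. The following Python audit is an added example, not part of the original course material or any Domino tool; the ConnDoc record, the audit function and the Spoke2 to Spoke4 and Remote server names are assumptions, and the sample documents are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Router type -> types the opposite-direction document must use (None = any),
# taken from the Router type field description above.
REQUIRED_PEER = {
    "Push Only": None,
    "Push Wait": {"Pull Push", "Pull Only"},
    "Pull Push": {"Push Wait"},
    "Pull Only": {"Push Wait"},
}

@dataclass(frozen=True)
class ConnDoc:
    """Hypothetical flat record of the routing fields of one Connection document."""
    source: str
    destination: str
    router_type: str = "Push Only"
    port: str = "TCPIP"
    routing_cost: int = 1

def audit(docs):
    """Return sorted (source, destination, finding) tuples for a set of documents."""
    by_pair = defaultdict(list)
    for d in docs:
        by_pair[(d.source, d.destination)].append(d)
    findings = set()
    for (src, dst), group in by_pair.items():
        if len(group) > 1:
            # Two documents for the same pair do not act as a backup path.
            findings.add((src, dst, "duplicate documents for one server pair"))
        back = by_pair.get((dst, src), [])
        for d in group:
            if d.router_type not in REQUIRED_PEER:
                findings.add((src, dst, f"unknown router type {d.router_type!r}"))
                continue
            allowed = REQUIRED_PEER[d.router_type]
            if not back:
                findings.add((src, dst, "no return Connection document"))
            elif allowed and not any(b.router_type in allowed for b in back):
                need = " or ".join(sorted(allowed))
                findings.add((src, dst,
                              f"{d.router_type} requires a return document of type {need}"))
    return sorted(findings)

# Constructed sample: documents from both directories merged into one list.
SAMPLE = [
    ConnDoc("Hub/TeamApps", "Spoke1/TeamApps"),
    ConnDoc("Spoke1/TeamApps", "Hub/TeamApps"),
    ConnDoc("Hub/TeamApps", "Spoke2/TeamApps", "Pull Push"),
    ConnDoc("Spoke2/TeamApps", "Hub/TeamApps", "Push Only"),
    ConnDoc("Hub/TeamApps", "Spoke3/TeamApps"),
    ConnDoc("Hub/TeamApps", "Spoke4/TeamApps", port="TCPIP", routing_cost=1),
    ConnDoc("Hub/TeamApps", "Spoke4/TeamApps", port="COM1", routing_cost=5),
    ConnDoc("Spoke4/TeamApps", "Hub/TeamApps"),
    ConnDoc("Hub/TeamApps", "Remote/TeamApps", "Pull Only"),
    ConnDoc("Remote/TeamApps", "Hub/TeamApps", "Push Wait"),
]

if __name__ == "__main__":
    for src, dst, finding in audit(SAMPLE):
        print(f"{src} -> {dst}: {finding}")
```

    For inter-domain routing the return document lives in the other domain’s Domino Directory, so a run over one directory alone reports it as missing until the other administrator’s document is added to the input.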
  • 63. Explicit inter-domain addressing
    When addressing Notes Mail, users must include the Domino Domain name of mail recipients if:
      • they are defined in another domain’s Domino Directory
      • the message must travel through any type of mail gateway or firewall Domino Named Network.
    Users can mail documents to users in other domains by specifying the domain name of the recipient in the address, for example:
      John Smith@MasterStudios
    The message will route if you have created a Connection document to the Master Studios domain and if there are no other domains between the sender and John Smith.
    If you do not have a direct connection to the Master Studios domain, but another domain to which you are connected does, users could address the message including the intermediary domain:
      John Smith@MasterStudios@VideoLand
    In this example, VideoLand is a non-adjacent domain, and MasterStudios is the domain where John Smith exists.
    Note: Any transfer or delivery event counts as a hop. So although a message can travel 25 hops, this may account for far fewer actual domains because the message may pass through two or more servers within a domain to reach the eventual connection out to another domain.
    Error messages
    Even though you have Connection documents specifying replication and/or message routing, there are potentially three security mechanisms that prevent you from routing messages between servers in different Domino Domains and/or Organizations:
      • inability of your Domino Server to authenticate with the Domino Server in the other Domino Domain or Organization (“Your Address Book does not contain any cross certificates capable of authenticating the server”)
      • lack of server access (“Access to server denied”), though you won’t see this until your server can authenticate
  • 64.   • lack of database access (“Access to database denied”), though you won’t see this until your server can access the destination server.
    These mechanisms and corresponding error messages follow the serial nature of the Domino security model.
    Exercise: Connection document and Cross Certification
    In this exercise, you will work with your colleagues in another Domino Domain to create two Connection documents (one in each Domino Directory) so that messages will transfer back and forth.
    Follow these steps to create a Connection document to another Domino Domain for NRPC message routing:
    Step 1: Work in Domino Administrator in the Configuration function tab. Expand the Messaging item in the context pane. Click the Connections entry to open the view of Connection documents in the Domino Directory.
    Step 2: Create a LAN Connection document from your server to the other domain’s server using these criteria:
      • disable replication
      • specify Push Only routing
      • schedule the connection between 8:00 AM and 6:00 PM, every 60 minutes (for testing purposes only!), every day
      • route if there is 1 message pending.
      Your colleague in the other domain will create a Connection document in the opposite direction.
    Step 3: Save and close the Connection document.
  • 65. Step 4: At the view, press Ctrl+Shift+F9. This will refresh all of the views (including the hidden ones) and speed the rebuilding of the routing table.
      Note: Normally you would not attempt this in large databases (including the Domino Directory), as it will take a great deal of time. Better to make your changes and let the indexes rebuild in their own time! But since we have a small directory here, go ahead and rebuild all the view indexes.
    Step 5: Test the connection by creating a new message and addressing it to your colleague in the other Domino Domain using this syntax:
      Joe Smith@TeamApps
      Where “TeamApps” is the other domain name. Watch the Server Console for the message to be transferred.
    Step 6: What happened? Most likely the transfer failed because the two Server IDs were created by different Organization Certifiers. You will see the error message at the Server Console.
      You will need to cross-certify the other Organization. (While you should normally cross-certify at the server-to-server level to add a degree of security and bandwidth conservation, you will certify organizations since you will also be accessing the other server with Notes.)
      If you remember how to cross-certify two Organizations, do so now and then skip to Step 18. Otherwise, continue with Step 7.
    Step 7: There are several ways to cross-certify another Organization, but you are going to use “On demand cross certification.” This is the easiest way to cross-certify Organizations. Administrators from both Organizations (who have their own Organization or Organizational Unit Certifier ID) will use Notes or Domino Administrator to open the other Organization’s server.
    Step 8: From Notes, choose File – Application – Open and again attempt to open a session with your colleague’s server.
  • 66. Step 9: The Create Cross Certificate dialog box opens:
      Do NOT click Yes.
    Step 10: Instead, click the Advanced button. The Issue Cross Certificate dialog box opens, showing your user name and ID as the Certifier:
  • 67. Step 11: Click the Certifier button and select the Certifier ID of the highest (necessary) level in your Organization hierarchy. In this exercise, choose your Organization Certifier ID file (cert.id copied from your server’s DATA folder). When prompted, enter the Certifier ID password. Your name will be replaced by the Certifier name you select.
      Select the highest level of the other Organization in the Subject name field. You may have several choices:
      • The name of the Organization of the other server, which will create a Cross Certification document that will trust any server in the other Organization. Choose this option.
      • Up to four levels of Organizational Units.
      • The name of the other server, which means you will allow authentication only by that specific server.
      By choosing your Organization Certifier and the Organization Certifier from the other Organization, you are adding a Cross Certificate that implies you will trust users and servers from anywhere in the other Organization.
    Step 12: Click the Server button and select the Registration Server (your server) so that the Cross Certification document is created in the public Domino Directory.
    Step 13: Optionally change the date the cross certificate will expire.
  • 68. Step 14: To review, the Issue Cross Certificate dialog box now shows at which level in your Organization you will need to issue the cross certificate (in this example your Organization’s certifier), the name of your Registration Server where the Cross Certificate document will be created, and the level of the other Organization at which you will allow authentication:
      Click the Cross certify button. A Cross Certificate document FROM your Certifier TO the subject name is created in the Registration Server’s Domino Directory.
    Step 15: The assumption here is that your colleague has performed the same actions and has created a Cross Certificate document going the other way to accept the certificate from your Organization.
  • 69. Step 16: Now attempt to open the other server from Domino Administrator. If you are rebuffed with this error message:
      this means that either:
      • The previous cross certification process (from both sides) was unsuccessful.
      • You need to wait a few minutes for the results of the bi-directional cross certification to take effect. Hidden views in the Domino Directory need to be refreshed and the server takes some time to incorporate the new certificate. After a few minutes, click Access server.
      If you click Create Cross Certificate, this will create a Cross Certificate document in your local Contacts, which defeats the purpose of high-level Organization cross certification stored in the Domino Directory. But the duplication won’t hurt anything.
      If you had other Notes clients running, they too would be able to open the server in the other Organization because of the existence of the Organization-to-Organization Cross Certificate document in both servers’ public Domino Directories.
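    The serial order of the three checks in the Error messages section, and the difference between an Organization-level and a server-level subject in step 11, can be seen in a small model. This Python sketch is an added example, not from the original course material and not Domino code; the Side class, the covers and transfer functions, the leading-slash notation for certifier scopes and the Mail1/Acme name are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Error strings as quoted in the "Error messages" section above.
ERR_AUTH = ("Your Address Book does not contain any cross certificates "
            "capable of authenticating the server")
ERR_SERVER = "Access to server denied"
ERR_DB = "Access to database denied"

def covers(scope, name):
    """True if `scope` covers `name`. A scope starting with '/' stands for a
    certifier (Organization or Organizational Unit); anything else is one exact name."""
    scope, name = scope.lower(), name.lower()
    if not scope.startswith("/"):
        return scope == name
    return name.endswith(scope) and len(name) > len(scope)

@dataclass
class Side:
    """Simplified model of one server and the directory it reads (assumption)."""
    server: str
    xcerts: list = field(default_factory=list)         # (issuer, subject) pairs
    access_server: list = field(default_factory=list)  # scopes allowed to connect
    db_acl: list = field(default_factory=list)         # scopes allowed in the database

    def trusts(self, other_name):
        # A cross certificate applies if its issuer covers this server and
        # its subject covers the other party.
        return any(covers(issuer, self.server) and covers(subject, other_name)
                   for issuer, subject in self.xcerts)

def transfer(src, dst):
    """Return 'OK' or the first error, applying the checks in serial order."""
    if not (src.trusts(dst.server) and dst.trusts(src.server)):
        return ERR_AUTH
    if not any(covers(s, src.server) for s in dst.access_server):
        return ERR_SERVER
    if not any(covers(s, src.server) for s in dst.db_acl):
        return ERR_DB
    return "OK"

if __name__ == "__main__":
    # Constructed names: Mail1/Acme is local; Hub and Spoke1 are in /TeamApps.
    acme = Side("Mail1/Acme", xcerts=[("/Acme", "/TeamApps")])
    hub = Side("Hub/TeamApps")
    print(transfer(acme, hub))            # only one side has cross-certified
    hub.xcerts.append(("/TeamApps", "/Acme"))
    print(transfer(acme, hub))            # authenticated, no server access yet
    hub.access_server.append("/Acme")
    print(transfer(acme, hub))            # server access, no database access yet
    hub.db_acl.append("Mail1/Acme")
    print(transfer(acme, hub))            # all three checks pass
    # Server-level subject: only Hub is trusted, not every /TeamApps server.
    acme.xcerts = [("/Acme", "Hub/TeamApps")]
    spoke = Side("Spoke1/TeamApps", [("/TeamApps", "/Acme")], ["/Acme"], ["/Acme"])
    print(transfer(acme, hub), "|", transfer(acme, spoke))
```

    Each error only becomes visible once the previous check passes, and narrowing the subject from the Organization to one server limits which remote servers can authenticate at all.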