DENIED Notes users are still able to access mails through IBM Notes Traveler


This post is about a case study regarding “Denied access Notes users are still able to access mails through IBM Notes Traveler”.

We are using IBM Lotus Domino servers as follows:

  • Lotus Domino – Primary Mail Server [For Lotus Notes/Webmail]
  • Lotus Domino – Traveler Role [For Mobile Devices like Android/iPhone]

 

Case Study:

Today, it was brought to our knowledge that one of the company’s employees (who resigned on 28th June 2019) had sent emails to the HR Dept on the next day. His account was under the DENY group, but he was still able to send emails. We tried the settings from the IBM document “Denied access Notes users are still able to access mails through IBM Notes Traveler” at https://www-01.ibm.com/support/docview.wss?uid=swg21634205, but still no luck. Traveler users who were under the NO ACCESS GROUP on the primary Lotus server were still able to sync emails.

Our Blocking Practice:
As per our practice, when any user resigns from the company, we add him to the DENY GROUP on the Lotus Domino server for a few days, which blocks Notes/Webmail access for that particular user. Later, if the user withdraws his resignation, we just remove his name from this list; otherwise we remove his profiles and save his email in the archive forever.

Findings:
If the user has IBM Verse installed on their mobile device, he can still access the email, because his access is blocked primarily on the Lotus email server. Mobile devices do not communicate with the primary server directly; instead they access it via the separate Traveler server (by proxying through the Lotus Traveler server), and communication between the primary server and the Lotus Traveler server is done on a server-to-server basis, so they could still access the emails.

Solution:

[Screenshot: no access group.jpg]
Adding the NO ACCESS list to the Traveler server document under Security DID THE TRICK!

[13FC:000A-1574] 07/01/2019 12:45:02 PM XXXXX Web Server: Access Denied Exception [/traveler?action=sync&orig=sp&deviceId=Android_a41df4vf3fe46a8e3a] CN=MY USER/O=MYCOMP

This list is updated from the primary Lotus server every 10 minutes (using a replication connection), and it acts as an additional level of permission filtering. Now, if any user is added to the DENY GROUP on the Lotus mail server, the list is propagated to the Lotus Traveler server as well, which denies the user's request if his name is in the DENY GROUP.
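One way to confirm from the Traveler server's console log that the deny list is taking effect for offboarded users, as an added example that is not part of the original post: it parses lines in the format shown above and reports, per user, how many sync requests were refused and from which devices. The function names, the second device ID and the second user name are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Matches the console line format shown in this post. The word before
# "Web Server:" is redacted on the page, so any text is accepted there.
DENIED = re.compile(
    r"^\[[0-9A-Fa-f:\-]+\]\s+"
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M)\s+"
    r".*?Web Server: Access Denied Exception\s+"
    r"\[(?P<url>/traveler[^\]]*)\]\s+(?P<user>CN=.+?)\s*$"
)

# Constructed sample input: the first line is the one from the post; the
# second device ID and the last line are made up for this example.
SAMPLE_LOG = [
    "[13FC:000A-1574] 07/01/2019 12:45:02 PM XXXXX Web Server: Access Denied Exception "
    "[/traveler?action=sync&orig=sp&deviceId=Android_a41df4vf3fe46a8e3a] CN=MY USER/O=MYCOMP",
    "[13FC:000A-1574] 07/01/2019 12:55:09 PM XXXXX Web Server: Access Denied Exception "
    "[/traveler?action=sync&orig=sp&deviceId=Apple_CONSTRUCTED01] CN=MY USER/O=MYCOMP",
    "[13FC:000A-1574] 07/01/2019 12:56:00 PM constructed unrelated console line",
]

def parse_denied(line):
    """Return (timestamp, user, device_id) for a refused Traveler request, else None."""
    m = DENIED.match(line.strip())
    if not m:
        return None
    query = parse_qs(urlsplit(m.group("url")).query)
    return m.group("ts"), m.group("user"), query.get("deviceId", ["unknown"])[0]

def verify_block(log_lines, offboarded):
    """Per offboarded user: refused request count and the devices involved.
    Names are compared case-insensitively (an assumption of this example)."""
    wanted = {u.lower(): u for u in offboarded}
    seen = defaultdict(list)
    for line in log_lines:
        hit = parse_denied(line)
        if hit and hit[1].lower() in wanted:
            seen[wanted[hit[1].lower()]].append(hit[2])
    return {u: {"denied": len(seen[u]), "devices": sorted(set(seen[u]))}
            for u in offboarded}

if __name__ == "__main__":
    users = ["CN=My User/O=MYCOMP", "CN=Other User/O=MYCOMP"]  # constructed names
    for user, entry in verify_block(SAMPLE_LOG, users).items():
        # Zero refusals means the device has not tried to sync in this log,
        # or the deny list has not reached the Traveler server yet.
        status = "refused at Traveler" if entry["denied"] else "no refusal seen, check manually"
        print(f"{user}: {status} {entry['devices']}")
```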

Thanks to FB group “IBM Lotus Domino Administrators” for pointing in the right direction.
