Personal Blog of Thomas Hampel - Creative Mythbusting in Development and Collaboration

Who am I?


Query results for : Security

Is HCL Notes / Domino affected by SMTP smuggling?- 3 January 2024 - (0) Comments

Thomas Hampel
 3 January 2024

In short : No

The long(er) version:


SMTP Smuggling is a newly discovered attack to a number of mail server products and mail hosting providers.
All mail transfer  are based on the SMTP protocol that exists for years where server and client, or two servers talk to each other as defined in an internet standard (
RFC 5321)
Even with perfect antispam checking, SPF, DKIM, DMARC, etc in place, the vulnerability would allow sending spoofed emails, which can result in a huge problem.

The Problem

Key problem is that some SMTP mail server implementations do not follow the RFC precisely.
As defined in chapter 4.2.5 of the RFC, the DATA part of a message is ending with . , note the small dot in between.

Image:Is HCL Notes / Domino affected by SMTP smuggling?

is a carriage return

is a  LineFeed, meaing to move the paper or the cursor to the next line.

another RFC (
RFC 5322 ) defines
Image:Is HCL Notes / Domino affected by SMTP smuggling?

Servers often transfer more than just one message at the time in one session.
For servers that don't perfectly follow the RFC it is possible to send the header of the second mail as the body of the first mail so that only the first header is checked.

In the post processing of that mail the server will split apart the messages again and will route two mails where the only the first one was formally checked against SPF, DKIM, etc. definitions.

This will allow to sneak a new mail header with fake sender names into some mail environments (but not to Domino).

More technical details are described in this publication:

The disclosure also caused the German BIS to publish this security warning:

All the above is explained in great details in this wonderful talk.

What about Domino?

HCL's Domino development team was made aware of the problem and started formally testing if Domino is affected.

As indicated above, the Domino SMTP server is not vulnerable to SMTP Smuggling; it only accepts CRLF.CRLF as the end of data sequence.

Domino is perfectly following the RFC's.


Based on a
recent post in our support forum, there seems to be a need for further clarification.
While it is possible to squeeze two mails into one using the technique described above, Domino will still handle each mail standalone and will run antispam checks against each of them.
Details are investigated as part of SPR MDLSD2XL45

If you want to test yourself,
Daniel Nashed published nshmail, a Simple SMTP mail send tool that can be very helpful to test SMTP connections.


Domino Forum Question by Florian Bühler
- SEC Consult publication :
SMTP Smuggling - Spoofing E-Mails Worldwide
- CCC 37c3 Talk :
SMTP Smuggling to spoof e-mails worldwide
nshmail -- Simple SMTP mail send tool

False Alarm: New Domino Backdoor- 20 April 2023 - (0) Comments

Thomas Hampel
 20 April 2023

IBM XForce is well known for the quality of their research - however this time I'm wondering about the publication.
discovered and analyzed a new type of malware (so far so good) and they named it ... "Domino"

Don't Panic!

HCL already published
this technote to clarify that this is unrelated to the HCL Domino product and has requested IBM Security X-Force to correct this unfortunate use of HCLSoftware’s registered and licensed product name.

IBM updated their article and have renamed the malware - it is now called "Minodo"

In short:

1. There is no backdoor in HCL Domino

2. The new malware which IBM has discovered has NOTHING to do with HCL Domino.

3. This malware does NOT affect HCL Domino


Import & Export Internet Certificates Programatically- 18 June 2015 - (0) Comments

Thomas Hampel
 18 June 2015

We all know that Admins are lazy. Being lazy can be helpful when having development skills, especially to reduce the amount of helpdesk calls by automating boring work.
How to import X509 certificates into a Notes ID when the certificate itself is stored in the Windows certificate store?

S/MIME Import / Export Automation

If needed, users can then export or import Internet Certificates directly from the Notes Client, but who wants to do that manually?
Even exporting the certificate from the Notes ID is too complicated for most users...
Image:Import & Export Internet Certificates Programatically

Looking for an automated way to export Internet Certificates, the pubnames.ntf provides there are some undocumented @Formulas that can be found for working with X509 certificates
  • @X509Certificates([Subject];UserCertificate;"");
    Returns the list of subjects of the internet certificates stored in the person document field named "UserCertificate"
  • @Command([PKCS12ExportCertsFromNAB];UserCertificate;Certificate;Number;"0")
    Where "Number" is the element in the list returned by @X509Certificates

In my opinion those @Functions still show too many dialog boxes, so lets try to make it more simple.
The C-API documentation provides the functions required namely PKCS12_ExportIDFileToFile and PKCS12_ImportFileToIDFile.

Wrapping both into a small script is easy...

Function PKCS12_ExportIDFileToFile Lib "nnotes" Alias "PKCS12_ExportIDFileToFile" (_
           ByVal pIdFilename As String,_
           ByVal pIdFilepassword As String,_
           ByVal pPKCS12Filename As String,_
           ByVal pPKCS12Filepassword As String,_
           ByVal ExportFlags As Long,_
           ByVal ReservedFlags As Long,_                
           Preserved As Any) As Integer

Function PKCS12_ImportFileToIDFile Lib "nnotes" Alias "PKCS12_ImportFileToIDFile" (_
           ByVal pPKCS12Filename As String,_
           ByVal pPKCS12Filepassword As String,_
           ByVal pIdFilename As String,_
           ByVal pIdFilepassword As String,_
           ByVal ImportFlags As Long,_
           ByVal ReservedFlags As Long,_                
           Preserved As Any) As Integer


Calling those API's would be able to import a certificate from a file, but often the certificate has already been deployed to (e.g.) the Windows certificate store.
It would have been easy to use a Windows API call to export a certificate into a file and then import it again back into the Notes ID using the Notes API calls above.
Unfortunately M$ discontinued support for CAPICOM after Windows XP... so we have to use old school methods like using command line tools like Certutil

still with the resulting functions you can Import and Export X509 certificates from the Windows certificate store to the NotesID and back.



As usual mind YMMV and feel free to further optimize the code to fit your needs-
Please use at your own risk and report back any suggestions or improvements!

Special Thanks to Marcus Floeser for providing the screenshot.

IDVault - ID file upload fails with Error 03:11- 16 August 2013 - (1) Comments

Thomas Hampel
 16 August 2013

A Notes ID is not uploaded to an IDVault although the configuration of the Client itself as well as the IDVault incl. its trust certificates seem to be correct.


The administrator wanted to force the Notes client to upload his ID file to the server, since there already was an (old) IDfile stored in the vault, it has been deleted manually.
However, the client still doesnt upload its local userID.

Looking at the servers log file / Security Events....

Image:IDVault - ID file upload fails with Error 03:11
provided a few hints about the problem:

> Unable to find ID for 'dummy username/OU/O' in vault 'O=IDVault'.  Error: 03:11
> ID failed to authenticate in vault 'O=IDVault'.  'dummy username/OU/O' (IP address made request.  Error: 03:11

and further down other user names:

> Error: Entry not found in index

Indicating a view isnt updated...


1.) Update the view index for the hidden view $IDFile in the IDVault database by using the following command
load updall -R IBM_ID_VAULT\IDvault.nsf

2.) Remove the pending name change as described in my previous blog post id-vault-error-0311.htm

Hint: Although this has fixed the problem in my case, there's more to know.

IDVault does not honor view updates made directly in the database, maybe for performance reasons.
There is a DEBUG parameter for the IDVault which can override this behaviour so that VIEWUPDATES are being reflected/enabled.

Recover your Domino SSL Keystore password- 27 February 2013 - (2) Comments

Thomas Hampel
 27 February 2013

In a situation where an you need to verify the contents of a Domino SSL Key ring file (*.kyr) its very useful to know the password to that key ring.
Unfortunately thats not always the case, e.g. when inheriting a server for which no documentation exists, or in simple terms when you forgot the password.

In order to recover the password in clear text, just enable the debug parameter SSL_TRACE_KEYFILEREAD=1 in the Notes.ini
To avoid any impact to production, you might want to do this in an isolated environment like a fresh installed Domino server or a test server you already have.

So this is what you have to do:
  1. Install a new isolated Domino server (or use a test server of your choice)
  2. Copy the *.kyr + *.sth file from the production server to the new server
  3. Configure the HTTP task to make use of this key ring file, by updating the server document/internet ports, or by updating the internet site / security configuration.
  4. Enable the Notes.ini parameter by typing this command at the server's console
    set config SSL_TRACE_KEYFILEREAD=1
  5. Restart the HTTP task
    tell http restart
  6. Watch the console to obtain the password in plain text:

ReadKeyfile> Recovering password from stash file
ReadKeyfile> Password is ABCDEFGH
ReadKeyfile> Reading keyfile /opt/IBM/notesdata/keyfile.kyr
ReadKeyfile> Looking for trusted roots
ReadKeyfile> Found trusted roots
ReadKeyfile> Exit status = 0
ReadKeyfile> Recovering password from stash file
ReadKeyfile> Password is ABCDEFGH
ReadKeyfile> Reading keyfile /opt/IBM/notesdata/keyfile.kyr
ReadKeyfile> Looking for cert chain
ReadKeyfile> Got cert chain
ReadKeyfile> Exit status = 0
ReadKeyfile> Recovering password from stash file
ReadKeyfile> Password is ABCDEFGH
ReadKeyfile> Reading keyfile /opt/IBM/notesdata/keyfile.kyr
ReadKeyfile> Looking for private key
ReadKeyfile> Decoding keys
ReadKeyfile> Keys decoded
ReadKeyfile> Exit status = 0
HTTP Server: Using Internet Site Configuration View

Now you can use the Domino Server Certificate Authority application to take a closer look into the *.kyr file.
Thomas Hampel, All rights reserved.