Task:
Know the Notes/Domino ports and set-up typical security precautions for HCL Domino (previously Lotus/IBM) for commonly used web ports.
We will review:
- Domino TCP / SSL Ports
- Firewall Settings
- Server document - Ports set-up
- Internet Site - IP and Security (SSL/TLS) settings.
Default Domino TCP / SSL Ports:
Protocol | TCP Port | SSL Port |
Notes RPC | 1352 | N/A |
HTTP/HTTPS | 80 | 443 |
LDAP | 389 | 636 |
NNTP | 119 | 563 |
IMAP | 143 | 993 |
POP3 | 110 | 995 |
SMTP in/out | 25 | 465 |
IIOP | 63148 | 63149 |
Domino Controller | 2050 | N/A |
Use the following FirewallD commands to open the needed ports on Red Hat / CentOS:
Notes:
In this example we restrict the Domino management port 2050, SSH and e-mail to internal networks only.
In addition, port 2050 (Domino Controller) is typically no longer used with Linux and containers.
The rich rules are wrapped in single quotes so the shell passes the inner double quotes through to firewall-cmd unchanged.
# firewall-cmd --zone=public --add-port=1352/tcp --permanent
# firewall-cmd --zone=public --add-port=80/tcp --permanent
# firewall-cmd --zone=public --add-port=443/tcp --permanent
# firewall-cmd --zone=public --add-port=993/tcp --permanent
# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.199.0/16" port protocol="tcp" port="2050" accept'
# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.199.0/16" port protocol="tcp" port="22" accept'
# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.211.0/28" port protocol="tcp" port="25" accept'
# firewall-cmd --reload
Confirm loaded and running:
# firewall-cmd --state
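As an added example (not part of this article or of HCL's tooling), the script below audits a zone listing against the port policy above: it parses the output of `firewall-cmd --zone=public --list-all` and reports internal-only ports that are reachable from any source, public ports that are missing, and ports open that the policy does not name. The sample listing is constructed; the service-to-port table covers only the services this check needs.

```python
import re

# Policy from the firewall section above: ports open to any source, and ports
# that must only be reachable from the internal networks via rich rules.
PUBLIC_PORTS = {"1352/tcp", "80/tcp", "443/tcp", "993/tcp"}
INTERNAL_ONLY = {"2050/tcp", "22/tcp", "25/tcp"}
# Subset of firewalld service names translated to ports (assumption: enough for this audit).
SERVICE_PORTS = {"ssh": "22/tcp", "http": "80/tcp", "https": "443/tcp", "smtp": "25/tcp", "imaps": "993/tcp"}
RICH_PORT = re.compile(r'port port="(\d+)" protocol="(\w+)"')

# Constructed sample of `firewall-cmd --zone=public --list-all`: the commands above
# were run, but the zone's default ssh service stayed and plaintext IMAP 143 was opened.
SAMPLE_LIST_ALL = """public (active)
  interfaces: eth0
  services: dhcpv6-client ssh
  ports: 1352/tcp 80/tcp 443/tcp 993/tcp 143/tcp
  rich rules:
  rule family="ipv4" source address="192.168.199.0/16" port port="2050" protocol="tcp" accept
  rule family="ipv4" source address="192.168.211.0/28" port port="25" protocol="tcp" accept
"""


def parse_zone(text):
    """Return (open_to_all, source_restricted) port sets from --list-all output."""
    open_all, restricted = set(), set()
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("services:"):
            for svc in s.split(":", 1)[1].split():
                if svc in SERVICE_PORTS:
                    open_all.add(SERVICE_PORTS[svc])
        elif s.startswith("ports:"):
            open_all.update(s.split(":", 1)[1].split())
        elif s.startswith("rule "):
            m = RICH_PORT.search(s)
            if m and "accept" in s:
                port = f"{m.group(1)}/{m.group(2)}"
                # A rule without a source address accepts from anywhere.
                (restricted if "source address=" in s else open_all).add(port)
    return open_all, restricted


def audit(text):
    """Compare a zone listing with the policy; all lists empty means compliant."""
    open_all, restricted = parse_zone(text)
    return {
        "exposed_internal": sorted(INTERNAL_ONLY & open_all),
        "missing_public": sorted(PUBLIC_PORTS - open_all),
        "missing_internal": sorted(INTERNAL_ONLY - restricted - open_all),
        "unexpected": sorted(open_all - PUBLIC_PORTS - INTERNAL_ONLY),
    }
```

On a live host, pass the real `firewall-cmd --zone=public --list-all` output to audit(); the sample shows that the port 22 rich rule only takes effect once the zone's default ssh service is removed (`firewall-cmd --zone=public --remove-service=ssh --permanent`).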
SERVER DOCUMENT:
Assuming you have a TLS (SSL) certificate set up, you should redirect the non-secure ports to the secure ports for the non-HTTP protocols. Below is an example of IMAP settings on the Ports tab of the Server document.
- Redirect to SSL (TLS): redirect where possible and where you want it forced. So we redirect for IMAP, but not globally for Web, so that we can still support non-HTTPS (SSL/TLS) web sites.
- Enforce server access settings: Yes (enables the Security tab)
Web (HTTP/HTTPS) |  |
TCP/IP port number: | 80 |
TCP/IP port status: | Enabled |
Enforce server access settings: | Yes |
SSL port number: | 443 |
SSL port status: | Enabled |
Mail (IMAP) |  |
TCP/IP port number: | 143 |
TCP/IP port status: | Redirect to SSL |
Enforce server access settings: | Yes |
SSL port number: | 993 |
SSL port status: | Enabled |
INTERNET SITE DOCUMENT:
Below is an example of our IMAP configuration.
On the Basics tab:
Site Information |  |
Descriptive name for this site: | MW Net IMAP |
Organization: | MWNet |
Host names or addresses mapped to this site: | mydomain.com, mydomain.net, 10.1.12.117, 10.1.12.217 |
Domino servers that host this site: | * |
On the Security tab:
- We use name & password authentication, and all names/e-mails with passwords are entered with TLS active.
- 2022: Keyring files (kyr/sth) are still supported, but it is highly recommended to use the Certificate Authority (CA server task) and Certificate Store (CertStore.nsf application) for configuration in Domino R10 and higher. Various set-up documents on this support application site are available. When using the Certificate Store, the Key file name in the Web Site document must match the key file name of the TLS domain record; the name does not need to end in .kyr. We typically use the domain name as the file name, since no .kyr/.sth files are used with the CA task.
- 2023/2025: The TLS Authentication section has been updated with a Passkey (WebAuthn) option in Domino 14.0.x and higher, and TCP / TLS Authentication can include TOTP (Yes with TOTP) in Domino 12.0.x and higher.
- When HCL releases Domino updates, the SSL cipher list will have new choices added. After applying patches, click the Modify button and deselect any ciphers that have come to be considered weak since the last review.
- 2025: The TLS ciphers have been updated to the 4 ciphers considered strong at this time.
TCP Authentication |  |
Anonymous: | Yes |
Name & password: | Yes |
Redirect TCP to TLS: | Yes |
TLS Authentication |  |
Anonymous: | Yes |
Name & password: | Yes ( or Yes with TOTP ) |
Client certificate: | No |
Bearer token (JWT): | No |
Passkey (WebAuthn): | No |
TLS Options |  |
Key file name: | mwnet |
Accept TLS site certificates: | No |
Accept expired TLS certificates: | Yes |
Check for CRLs: | No |
Trust expired CRLs: | Yes |
Allow CRL search to fail: | Yes |
TLS Security |  |
TLS ciphers: | ECDHE_RSA_WITH_AES_256_GCM_SHA384 [C030]; DHE_RSA_WITH_AES_256_GCM_SHA384 [9F]; ECDHE_RSA_WITH_AES_128_GCM_SHA256 [C02F]; DHE_RSA_WITH_AES_128_GCM_SHA256 [9E] |
Note: Version 9.x Domino servers will ignore this selection. They use the server INI setting SSLCipherSpec instead.