Playing With Dominos
by Dr. Clue (dr.clue@grond.demon.co.uk)
Lotus Notes/Domino is a groupware system, essentially allowing easy sharing of information between people.
It's a client/server system, composed of the Domino server and the Notes client. It's big, it's complex, and it's got an awful lot of things that don't quite make sense when compared to other environments. This makes it a challenge to learn, but also means there's a lot of confused Notes admins out there!
There's no way I can cover everything here, but I'll try and concentrate on some of the main ways to have fun with Domino.
Notes was developed by a subsidiary of Lotus, called Iris Associates. They have a help site called notes.net, where you can download upgrades, trial versions, and moderately useful documentation.
Basic Concepts
Notes works with documents.
Within a database, you have forms which documents are created from. They define the fields, layout, and any scripts that are executed. Once documents are created from forms, they are viewed and organized by views. You can also create folders, which function like views but contain copies of the document. So a document can be seen in more than one view, but it is the same document - delete it from one view, you delete it from the database. A document in a folder is a copy that exists within the folder - delete it from there, and it will still be in a view somewhere within the database. O.K.? Let's carry on, then.
Poking Around with the SMTP MTA
Let's start by looking at Notes mail.
The Domino server has a Public Name and Address Block (PNAB) which contains all the users for the Notes domain, plus all the groups. Additionally, people may have defined extra groups in their local NABs, but these are obviously only accessible to them within their own Notes client. The Notes domain is essentially defined by the PNAB.
When sending email within Notes, all you're doing is just replicating a document between servers - it's not a mail system in the "real" sense of the word. This has some interesting side effects for us - firstly with the SMTP MTA. This is an add-in task running on the Domino server which converts the Notes proprietary mails into SMTP, and vice versa.
With Domino 4.6 and earlier, most of the anti-spam and anti-relaying features were added as statements to the main NOTES.INI file. These statements are cryptic, and many lazy admins haven't bothered with them.
As SMTP isn't native to Domino, it must convert incoming email from SMTP before it can apply any restrictions. This gives us our first DoS. If you send multiple emails into a Domino server, it must accept them and then convert them fully. Once converted, Domino checks its NOTES.INI file to see if it should bounce those emails. If it should, it either converts the emails to SMTP again and bounces them, or else forms a Notes Non-Delivery Report (NDR), converts that to SMTP, and sends that back.
As you can see, the Domino server is doing a ton of extra work here - just flooding it with emails that it must reject will bring the server to its knees. However, that's a bit lame, so what else can we do?
Well, Notes uses an X.500-like hierarchy of certified IDs - like Joe User/Development/ACME. This gets converted and spat out of the SMTP MTA, depending on its config. Using the above example, the Notes internal mail address would be:
Joe User/Development/ACME@ACME
and the most common SMTP equivalent would be:
joe_user/development/acme.acme@smtpmta.domain.tld
Often the SMTP MTA is reconfigured to show:
joe_user/acme@smtpmta.domain.tld
Using this addressing scheme, and with a little trial and error, you can bounce messages through the MTA to internal Notes groups. Bounce messages and SMTP errors are logged into the standard Notes log on the Domino server. This is crowded and difficult to read.
An enterprising Domino admin will create special views within his log to view certain MTA events. However, because the MTA is essentially an add-in, your options here as an admin are limited. This means there's quite a high chance your poking around will go unnoticed. Certainly, it can be followed through that if an admin hasn't secured his MTA against relaying, he's unlikely to have gone to the effort of creating special views to check on the MTA's activity.
Via the Web
Domino servers also have an add-in HTTP task.
When Notes 4.5 came out, this add-in was called Domino. Version 1 and 1.5 were launched, before the market-droids confused the whole scene by changing the name of the Notes server to Domino. From 4.6 onwards, HTTP has been bundled as an add-in, as well as other interesting things like NNTP and the SMTP MTA.
One of the first things any competent Notes admin will have done is disabled database browsing. If they haven't, when you connect to the Domino server, you'll see a nice listing of all the databases on the server, with their directory structure. Nice. Accessing a Notes database via a web browser is easy.
By default, the HTTP task will add a ?Open to the end of a URL. So, for accessing the Notes logs, we would use:
http://domino.domain.tld/log.nsf/?Open
There's a host of ? commands that can be used. ?EditDocument is always handy. ?OpenForm is also nice. Have a dig around and see what else you can come up with.
A Word About Access-Control Lists (ACL)
Access to the Notes database is configured by ACLs - the two most important entries being Default and Anonymous.
Default is on the ACL by, well, default - it defines the highest level of access a user is given. This is overridden by either specifically mentioning the user in the ACL, or by using a Group with them as a member.
Anonymous is not on the ACL by default - this defines the highest level of access available to a non-authenticated user. There is also a switch defined in a separate area of the ACL called Maximum Internet Browser Access.
By default, this is set to Editor, which means you can create documents, and edit and delete other people's documents.
Lotus doesn't, by default, ship very secure ACLs for the standard databases. This is getting better with Notes R5, but the admin still has to go through his databases manually and configure secure ACLs. This tends to mean that some databases slip through, with Default access giving more than it should.
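For an admin working through those databases, the check can be scripted over an inventory of ACL settings. The following is an added example, not part of the original article: it computes what an unauthenticated browser user ends up with per database and reports anything above a chosen ceiling. The CSV layout, the sample rows and the `allowed` ceiling are constructed for the example; it assumes that a database with no Anonymous entry falls back to Default and that Maximum Internet Browser Access caps the result.

```python
import csv
import io

# Notes ACL levels, lowest to highest.
LEVELS = ["No Access", "Depositor", "Reader", "Author",
          "Editor", "Designer", "Manager"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed inventory; the column names are this example's own,
# not a Domino export format. An empty cell means "no such ACL entry".
SAMPLE = """database,default,anonymous,max_internet
names.nsf,Reader,No Access,Reader
log.nsf,Reader,,Editor
catalog.nsf,Author,,Editor
webforum.nsf,No Access,Author,Editor
"""

def effective_anonymous(row):
    """Access level an unauthenticated browser user ends up with."""
    # Assumption: with no Anonymous entry the user falls through to Default.
    entry = row["anonymous"] or row["default"]
    # Assumption: the Maximum Internet setting caps whatever the entry grants.
    return LEVELS[min(RANK[entry], RANK[row["max_internet"]])]

def audit(text, allowed="No Access"):
    """Return (database, effective level, reasons) for each database
    whose anonymous web access is above the `allowed` ceiling."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        eff = effective_anonymous(row)
        if RANK[eff] <= RANK[allowed]:
            continue
        reasons = []
        if not row["anonymous"]:
            reasons.append("no Anonymous entry, Default applies")
        if row["max_internet"] == "Editor":
            reasons.append("Maximum Internet access left at Editor")
        findings.append((row["database"], eff, reasons))
    return findings

if __name__ == "__main__":
    for db, eff, reasons in audit(SAMPLE):
        print(f"{db}: anonymous web users get {eff} ({'; '.join(reasons)})")
```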
Domino Logging
The Domino log database is called, quite originally: LOG.NSF
This is where things get stuffed and where an alert admin will look to see who's been playing around on his servers. Access violations (and other errors like "File Not Found") will also appear on the Domino server's console.
The HTTP task can be configured to either log to the Notes log or else to text files living in the data directory. Domino will log separate files, making it a pain to use standard log analysis tools (which expect one file in CLF format).
The main ones are access_log, error_log, and referrer_log. Databases themselves track user accesses, and what you do. You can only delete this from a Notes client and if you have Manager access to the database.
However, if you haven't authenticated, then you will appear as Anonymous on the list. So to track you down, the admin has to search and synchronize entries in the database's user activity list, the Notes log, and the HTTP access and referrer logs. Bit of a pain, eh?
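From the admin's side, the first pass of that search can be automated against the HTTP access_log. The following is an added example, not part of the original article: it reads CLF lines and groups, per client host, the unauthenticated requests that succeeded against log.nsf or that used the ?EditDocument and ?OpenForm commands mentioned earlier. The log lines are constructed, and the watch lists and the function names are this example's own choices.

```python
import re
from collections import defaultdict

# Common Log Format: host ident user [timestamp] "request" status bytes
CLF = re.compile(r'(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                 r'"\S+ (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+')

WATCH_COMMANDS = {"editdocument", "openform"}  # URL commands named in the article
WATCH_DATABASES = {"log.nsf"}                  # databases that should not be web-readable

# Constructed access_log lines for illustration.
SAMPLE = [
    '192.0.2.10 - - [12/Mar/1999:10:01:07 +0000] "GET /log.nsf/?Open HTTP/1.0" 200 5120',
    '192.0.2.10 - - [12/Mar/1999:10:01:40 +0000] "GET /help.nsf/Topics/0A1B?EditDocument HTTP/1.0" 200 2210',
    '192.0.2.25 - jsmith [12/Mar/1999:10:02:02 +0000] "GET /help.nsf/Topics/0A1B?EditDocument HTTP/1.0" 200 2210',
    '198.51.100.7 - - [12/Mar/1999:10:03:15 +0000] "GET /help.nsf/Feedback?OpenForm HTTP/1.0" 401 310',
    '198.51.100.7 - - [12/Mar/1999:10:03:20 +0000] "GET /home.nsf/?Open HTTP/1.0" 200 900',
]

def classify(url):
    """Return the reasons a request URL is worth a second look."""
    path, _, query = url.partition("?")
    command = query.split("&", 1)[0].lower()
    db = re.search(r'([^/]+\.nsf)', path, re.I)
    reasons = []
    if command in WATCH_COMMANDS:
        reasons.append("?" + command)
    if db and db.group(1).lower() in WATCH_DATABASES:
        reasons.append(db.group(1).lower())
    return reasons

def scan(lines):
    """Group successful anonymous hits on watched items by client host."""
    hits = defaultdict(list)
    for line in lines:
        m = CLF.match(line)
        # Lines that do not parse are skipped; user names containing
        # spaces are not handled by this pattern (example limitation).
        if not m or m["user"] != "-" or not m["status"].startswith("2"):
            continue
        reasons = classify(m["url"])
        if reasons:
            hits[m["host"]].append((m["ts"], m["url"], reasons))
    return dict(hits)

if __name__ == "__main__":
    for host, events in scan(SAMPLE).items():
        for ts, url, reasons in events:
            print(host, ts, url, ",".join(reasons))
```

The timestamps and hosts it returns are the keys to carry over to the Notes log and the database's user activity list.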
I hope this has given you a bit of an insight into Domino, and has whetted your appetite for more. Have fun and explore, but don't be destructive!