[mahoward]

Has anybody seen the following behavior in 4.1 SP6 MR3 for Domino:

1) Receive an email from internal Notes users that has signed but not encrypted it

2) Email icon on Blackberry appears as a message with a padlock on top

3) Try to scroll down after first few lines of email and get prompted with a popup, on the Blackberry, for your Notes ID file password.

4) Enter ID file password and view rest of email

This is very strange because we have not seen this before, and have not imported ID files into the mailfiles in order to support S/MIME or other encryption.

Anyone have any info on why this might be happening?

[skyman84]

Padlock is a sign that the email is encrypted, if it were only signed, then the icon would show a key as opposed to the pad lock icon.

[mahoward]

Thanks skyman84, but in 4.1 SP6 MR3 just a signed message will cause the icon to be a padlock. This looks like a bug.

My manager is not allowing me to apply MR3 (which fixes 2 crash bugs we have experienced) because he doesn't want everyone who receives an internal Notes signed message to get a Notes ID password popup.

We generally don't use digital signatures or encryption, but some bozos think they are adding a signature at the bottom of the message body by clicking the "Sign" box in Notes.

Can anyone else who has Domino and applied MR3 do a sanity check on this for me? Just send a signed internal mail to someone, and have them read it on their BB. Does the lock show up? Is there any text in blue? Does it do a popup for the Notes ID file password?

[m4ilm4n]

Just tested it and it came thru without asking for pw or showing an icon on the BB.

Domino/Notes 8.0.2 with BES4.1.6 MR3

[mahoward]

Thanks m4ilm4n, that is strange you dont see the key or lock on your unread email icon. Have you disabled native notes encryption on your BES server via the SECMSGSupported reghack?

[DarthBBerry]

Don't have MR3 applied here yet. Sorry M.

[m4ilm4n]

Quote:

Originally Posted by mahoward

Have you disabled native notes encryption on your BES server via the SECMSGSupported reghack?

Nope. Running plain vanilla setup so far (except having turned off the PDF Distiller for now).

[Jadey]

No MR3 here, soz

[hzgjlv]

I am receiving exactly the same issue. Im speaking to RIM now and will post what i find.


With previous BES versions a user could receive a signed mail with no issue. The mail would appear in the inbox as a standard message and could be opened and forwarded no problem.

Since upgarding to SP6 MR3, signed messages appear with a key on the message icon (just like encrypted mail). When the user opens the mail and tries to forward it they receive a prompt

"Warning - This message will be sent without Lotus Notes encryption. Continue?" If the users selects yes they are then promted for the user id password (if stored in the mailfile)

[m4ilm4n]

My bad - I never applied MR3, so it sounds specific to that maint release.

[hzgjlv]

More info

In BES 4.1.5 you could only read encrypted mails if your mailfile was based on a webmail template and you had attached your id file to your mailfile.
In version 4.1.6 MR3 any user who is setup for roaming and has the id file attached to their address book can read encrypted mails, a definite improvement. The downside of this is that signed messages also require you to enter the id pwd when trying to forward.

[dalewest]

mahoward and hzgjlv, I'm seeing the exact same thing as you, and I'm on BES 4.1.6 MR3, Interim Security Update 2 (the ISU 2 is highly recommended, BTW, as it fixes a nasty PDF vulerability), running on Domino 7.0.3FP1.

Since m4ilm4n is running Domino 8.x, me wonders if it's a Domino 7.0.3 <-> BES 4.1.6 MR3 issue? I've been on 7.0.3 since 12/26, but only MR3 since 01/16, and my users only started reporting this issue this week (starting Monday 01/19).

hzgjlv, have you heard anything from RIM?

[mahoward]

m4ilm4n just stated he is not running MR3, so he hasn't seen this issue.

It is simply the MR3 update causing this, as I had one server up to MR3 but *without* the Interim Security update when we noticed this behavior.

In order to upgrade to MR3, as part of the process we are now disabling native notes encryption on the BES servers via the SECMSGSupported = 0 reghack.

This seems to work, no more key icons, no more prompts.

We needed to apply MR3 to fix 2 issues which caused crashes in our environment. One of these was related to particular S/MIME messages, but not sure how that relates to native notes encryption.

Looks like they slipped in some new code along with their fixes perchance?

In any case not good. Don't like getting bitten with this stuff.

[dalewest]

Good to know that you worked around it via the SECMSGSupported reghack. BTW... is that a live hack, or is a restart of one or more services/processes needed? RIM's technote says nada about it.

BTW... were you directed to the reghack by RIM, or did you have a hunch?

OT comment: Google is scary... it already indexed your reply to me. I found it when I googled "SECMSGSupported".

[mahoward]

You would need to restart the BES task to enable the hack. I searched for notes native encryption on the BB T-Support KB and it pointed me to the article on how to disable.

[Jagga]

@mahoward , nice find!

I definately think that you Domino/BES Admins are on the cutting EDGE of the UC industry. Always learning new things but still confused, hehe.

[hzgjlv]

Answer from RIM. This is a known issue and is being investigated under SDR285197.
Currently there is no workaround and no estimated time to fix (as this issue occurred in 4.1.6 MR3 and has only just been reported).

[dalewest]

@mahoward, by "restart the BES task", do you mean just the DBES server task as it appears in Domino? Just trying to gauge the duration of the outage.

Thanks for sharing, btw.

[mahoward]

Yeah since the reghack exists in the Agents subkey then I suspect the only thing that needs to be restarted is the DBES server task. Or "tell BES quit" & "load bes"

[x14]

View Document