Sunday, February 7, 2016

The Curious Case Of The Configuration Document

Wow, had to blow the dust off of the old blog here so that I could share something I learned over the weekend.  And it was a bitter lesson, indeed.

Here's the scenario:
Had to stand up a new Domino server in my domain that would allow for SMTP traffic between us and our cloud-based anti-spam/malware service.  A requirement of this mail flow topology is that the connectivity between my on-prem and cloud solution must have TLS connectivity.  Okay, not a big deal, right?  Well, it didn't work out that smoothly.

First, I followed Gab's steps on how to create a secure SSL certificate with Domino.  Yes, Gab is awesome for writing these steps up.  Then, I went through and followed the standards that IBM has had set for years on setting your configuration document up to allow for TLS to work.  Okay, no worries, right?  Well, just like in life, things don't always work the way you want them to.  When we started testing the mail flow, we were getting repeated messages from the vendor in the cloud that the Domino server was not allowing for a STARTTLS session.  So I opened a ticket with IBM, I opened a ticket with the vendor, I had people at work much more knowledgeable than me try to hack into the server's connection and they were able to get a STARTTLS, but nothing I did with anyone, vendor or consultant, worked.

And that's when it hit me.

I deleted the configuration document for that particular Domino server, replicated that delete around, then went back in and recreated it from scratch.  Brand new document.  Made sure all my settings were set correctly (based on the IBM doc and a server that is already doing this in my environment), and then walked away from it for a while.  After a bit, I started seeing STARTTLS (we had logging on) start flashing across my server console.  Yes, Virginia, there is a STARTTLS Santa Claus!

So, why did that work?  The simple answer is, I don't know.  It's Domino.  Domino, while it's a powerful server platform, does fall prey at times to corruption in documents.  My thought was that creating a brand new server config document from the ground up may help.  In this case it did.

My word to the wise: when all else fails, go back to the basics and start over.  In this case, it paid off and we are securely communicating.