Secure mail for iNotes

To allow HCL iNotes® users to encrypt and digitally sign email messages, you must enable both the Encrypted mail support and the Name Resolution and Validation fields on the iNotes tab of the server's configuration settings document.

If an SSL connection is required for either the client or both the client and server, iNotes users cannot read or send encrypted messages when connected via HTTP. If the user is connected via HTTP, they must switch to HTTPS when accessing the encrypted message on the server. This switch occurs automatically when sending encrypted mail. The user is prompted to switch when reading encrypted mail.

Note: If you allow encrypted email to be sent over nonsecure connections, you are also allowing the transmission of user credentials over nonsecure connections.

S/MIME is supported in iNotes. Users can verify an S/MIME signature on a received message. Users who have an X.509 certificate in their mail file-based HCL Notes® ID can decrypt received S/MIME messages as well as S/MIME sign messages they send. Outgoing messages can be S/MIME encrypted for recipients who have an X.509 certificate in the HCL Domino® directory or in iNotes contacts. To allow an X.509 certificate to be used by iNotes, an Internet cross-certificate must be issued from the user's organizational certifier to the certificate authority that issued the X.509 certificate. This Internet cross-certificate must be present in the Domino directory.

When both Notes and S/MIME sign and encryption are possible, iNotes uses S/MIME sign and encryption by default. This could cause problems in a mixed environment that includes pre-Domino 7 servers. Pre-Domino 7 servers do not support S/MIME, so messages sent S/MIME signed and encrypted could not be verified or decrypted. Use the notes.ini file setting iNotes_wa_SecMailPreferNotes to turn on Notes sign and encryption when both S/MIME and Notes sign and encryption are possible. This setting is not supported offline.

Deployment differences between Notes and iNotes

  • Recovery authority -- iNotes does not support recovery authority unless it is already in the ID mailed to the user.
  • Imported Notes IDs -- Notes IDs cannot be Smartcard enabled.
  • Certificates -- iNotes looks for certificates first in the Domino directory and then in the contacts.
  • Cross certificates -- iNotes looks for cross certificates only in the Domino directory. If you are using iNotes, you must create any required cross certificates in the Domino directory.
  • Multiple domains -- If you are administering multiple domains, use directory assistance for an extended directory catalog on the server. Do not use a condensed directory catalog on the server.
  • Offline -- If you are using a directory catalog, you must enable it for encrypted mail.