Iq.Suite 23.1 Administration

Documentation

Administration iQ.Suite 23.1

Document Version 1.0  EDITOR´S NOTE

Editor´s Note

No part of this publication may be reproduced without written permission from GBS Europa GmbH.

All hardware and software names used are registered names and/or trademarks of their respective manufacturer/proprietor.

Edition: October 2020

1Preface...... 1 1.1 Hotline...... 1 1.2 Copyright ...... 1 1.3 Warranty ...... 2 1.4 License Terms ...... 2 1.5 Third-Party Copyright Notes ...... 2 1.6 Details on the Manuals ...... 3

2 Getting Started...... 4 2.1 System Requirements ...... 4 2.1.1 Installation Requirements ...... 4 2.1.2 Web Browsers...... 4 2.2 Starting the iQ.Suite ...... 5 2.2.1 Starting on the Domino Server...... 5 2.2.2 Starting on the Notes Client ...... 6 2.2.3 Starting Using the Web Browser...... 6 2.3 Closing the iQ.Suite ...... 7 2.3.1 Closing on the Domino Server ...... 7 2.3.2 Closing on the Notes Client ...... 7 2.4 Technical Description of the Main Components ...... 8 2.4.1 te_hook ...... 8 2.4.2 notes.ini File...... 8 2.4.3 Router ...... 8 2.4.4 iQ.Suiter Grabber...... 8 2.4.4.1 Email Processing by MailGrabber...... 9 2.4.4.2 Email Processing by DatabaseGrabber...... 10 2.4.4.3 Notes on MailGrabbers and DatabaseGrabbers...... 11 2.4.5 iQ.Suite User Groups...... 12 2.5 iQ.Clustering / Monitored Server Operation ...... 13 2.6 iQ.Mastering ...... 13

3 iQ.Suite Administration Console...... 14 3.1 User Interface Description ...... 14 3.2 Display Area ...... 15 3.3 The Function Bar / Tool Bar...... 15 3.3.1 Help...... 15 3.3.2 About...... 15

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE I CONTENT 

3.3.3 Print...... 15 3.3.4 Language ...... 16 3.3.5 Server ...... 16 3.3.6 Request License ...... 16 3.3.7 Export/Import ...... 17 3.3.8 Deactivate the iQ.Suite ...... 18 3.4 The Navigation Area ...... 19

4 Common Functions for All Modules...... 21 4.1 ’Global’ Configuration Area...... 21 4.1.1 Mail Jobs and Database Jobs ...... 21 4.1.2 Error Handling in Jobs ...... 23 4.1.3 Mail Rules and Database Rules...... 24 4.1.4 Database Definitions ...... 25 4.1.5 Access User Portal ...... 28 4.1.6 Licenses (User-Based) ...... 28 4.1.7 Synchronization of the Licenses ...... 29 4.1.8 License Logs...... 30 4.1.9 Global Parameters ...... 31 4.1.9.1 General Parameter Document ...... 31 4.1.9.2 Special Parameter Document ...... 33 4.1.9.3 Description of the Global Parameters (except Job Results) ...... 33 4.1.9.4 Description of the Global Parameters for Job Results ...... 33 4.1.9.5 Description of the Global Parameters (Client) ...... 36 4.1.10 Notification Templates ...... 37 4.1.11 Proxy Server ...... 38 4.2 Standard Tabs for Jobs ...... 39 4.2.1 Basics Tab - Mail Job...... 39 4.2.2 Basics Tab - Database Job...... 43 4.2.3 Selection Tab (only in particular jobs)...... 46 4.2.4 Actions ...... 47 4.2.5 Misc Tab ...... 49 4.2.6 Comments Tab ...... 51 4.3 Actions in iQ.Suite Jobs...... 51 4.3.1 Standard Actions...... 52 4.3.2 Additional Actions ...... 52 4.3.3 Special Option: Send notification just once ...... 54 4.3.3.1 Mail Status Database...... 55 4.3.3.2 Settings in the Job ...... 57 4.4 Configuration Documents ...... 58 4.4.1 Program Calls in iQ.Suite...... 58

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE II CONTENT 

4.4.2 Placeholders ...... 59 4.4.2.1 Placeholders in iQ.Suite Clerk ...... 59 4.4.2.2 Placeholders in Wall Content und Watchdog Pro ...... 62 4.4.2.3 Other Placeholders ...... 63 4.4.3 Variables and Placeholders for Specific iQ.Suite Modules ...... 74 4.5 Priorities ...... 82 4.5.1 Job Priorities ...... 82 4.5.2 Assigning Priorities (Job Chain)...... 82 4.6 Rules ...... 84 4.6.1 Rule Mechanism ...... 84 4.6.2 Execution Mode for Rules...... 85 4.6.3 Rule Types...... 87 4.6.3.1 Address Rules...... 87 4.6.3.2 Blacklist/Whitelist Rules ...... 87 4.6.3.3 Formula Rules...... 88 4.6.3.4 Field Type Rules ...... 88 4.6.3.5 Notes Encryption Rule ...... 89 4.6.3.6 Signature Rules ...... 89 4.6.3.7 Text Rules...... 89 4.6.4 Remove Rule from Selected Jobs ...... 89 4.7 Logging ...... 91 4.7.1 Global Configuration ...... 92 4.7.1.1 Defining the log databases ...... 92 4.7.1.2 Global Log Level for MailGrabber and DatabaseGrabber ...... 92 4.7.2 Separate Configuration ...... 93 4.7.2.1 Log Level for Rules ...... 93 4.7.2.2 Log Level for Jobs...... 93 4.7.2.3 Email specific Log Level ...... 93 4.8 iQ.Suite Split ...... 94 4.9 Exporting and Importing Configuration Files ...... 96 4.9.1 Export Configuration To File ...... 97 4.9.2 Import Standard Configuration...... 100 4.9.3 Import Configuration From File ...... 104 4.10 Quarantine Configuration Area ...... 105 4.10.1 Reports ...... 105 4.10.2 Originals...... 106 4.10.3 Statistics...... 107 4.10.4 Quarantine Access for Deputies ...... 107 4.10.5 Quarantine Configuration...... 107 4.10.6 Next Quarantine or Select Quarantine...... 109 4.11 Password Management ...... 110

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE III CONTENT 

4.11.1 The Configuration Document ‘Password Management’...... 111 4.11.2 Password Database...... 114 4.11.3 Manual Creation of User Passwords ...... 117 4.11.3.1 User Password Database: Roles and Rights...... 118 4.11.3.2 Creation of User Passwords ...... 119 4.11.3.3 Managing User Passwords ...... 121 4.12 Standard Area ’Logs and Statistics’ ...... 122 4.12.1 iQ.Suite Log ...... 122 4.12.2 Next iQ.Suite Log or Select iQ.Suite Log...... 122 4.12.3 Database Job Log...... 122 4.12.4 Configuration Change Log ...... 122 4.12.5 Statistics...... 123 4.13 Logging in the Windows Event Viewer ...... 124 4.14 Standard Area ‘Support’ ...... 125

5 iQ.Suite User Portal ...... 126 5.1 Opening the iQ.Suite User Portal ...... 128 5.1.1 Access from the Notes Client...... 128 5.1.2 Access Via Web Browser...... 129 5.2 Functions in the iQ.Suite User Portal...... 129 5.2.1 Table: Functions for Users...... 129 5.2.2 Table: Additional Functions for Administrators ...... 135 5.3 Rights/Roles Concept in iQ.Suite User Portal ...... 136 5.3.1 Available Databases ...... 137 5.3.2 iQ.Suite Groups ...... 138 5.3.3 iQ.Suite Roles ...... 139 5.3.3.1 [Admin] Role ...... 139 5.3.3.2 Table: Assigning an iQ.Suite Group to iQ.Suite Roles...... 140 5.4 Setting up the iQ.Suite User Portal for Users ...... 143 5.4.1 Making Functions Available in the iQ.Suite User Portal...... 143 5.4.2 Special Configurations for the iQ.Suite User Portal ...... 147 5.4.2.1 User-specific Quarantine Access Configuration ...... 147 5.4.2.2 Configuring the Summary Notification Job...... 149 5.4.2.3 Configuring Jobs for Quarantine Access through Mailbox...... 149 5.4.2.4 Whitelist Job Configuration for Automatic Whitelists...... 149 5.4.2.5 Including Blacklists and Whitelists in a Job ...... 150

6 iQ.Suite Action...... 152 6.1 Action Jobs ...... 153 6.1.1 Settings in the ‚Operations‘ Tab...... 153 6.1.2 Action Mail Jobs...... 159

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE IV CONTENT 

6.1.2.1 Replacing German Umlauts...... 159 6.1.2.2 Extending Emails with an additional field...... 160 6.1.3 Action Database Jobs ...... 160 6.1.3.1 ‘Advanced’ Tab ...... 160 6.1.3.2 Sample Job: Send Notification on Database Changes ...... 160 6.1.3.3 Sample Jobs: Display quarantined emails in the mailbox...... 161

7 iQ.Suite Watchdog ...... 164 7.1 iQ.Suite Watchdog Overview ...... 166 7.1.1 Notes about Virus Scanners ...... 166 7.1.2 Note for unpackers in replicated environments...... 167 7.1.3 Unpackers for Archives and PDFs...... 168 7.1.4 File Restrictions ...... 169 7.1.4.1 General ...... 169 7.1.4.2 Fingerprints ...... 169 7.1.5 Processing Description - Virus Check...... 171 7.1.5.1 Virus Scanning on the Mail Server...... 171 7.1.5.2 Virus Scanning in Databases...... 172 7.1.6 Configuration Process for Virus Check ...... 172 7.1.6.1 Notes for a New Installation ...... 172 7.1.6.2 Notes for an Update Installation...... 173 7.1.6.3 Notes for a Replicated Installation ...... 174 7.2 Virus Scanning...... 175 7.2.1 Creating an Engine Document...... 175 7.2.1.1 All Virus Scanner Engines ...... 175 7.2.1.2 Specialty: Avira Protection Cloud...... 180 7.2.1.3 Specialty: Kaspersky Cloud Protection ...... 183 7.2.1.4 Specialty: Kaspersky Anti-Phishing URL Detection ...... 185 7.2.1.5 Specialty: Sophos Live Protection/Sandboxing Protection ...... 186 7.2.1.6 Engine For Command Line Scanner...... 187 7.2.2 Creating a Virus Scanner Document ...... 188 7.2.2.1 All Virus Scanners...... 188 7.2.2.2 Avira: Specialty for the Avira Protection Cloud ...... 190 7.2.2.3 Specialty: Sophos Live Protection/Sandboxing Protection ...... 193 7.2.3 Sample Job: Virus Scanning on the Mail Server...... 196 7.2.3.1 Configuration of the ‚Virus Scanning Mail Job Pro‘...... 197 7.2.3.2 ,Basics‘ Tab ...... 197 7.2.3.3 ,Operations' -> ‚Options‘ Tab ...... 198 7.2.3.4 ,Operations‘ -> ‚No Alert‘ Tab...... 199 7.2.3.5 ,Operations‘ -> ‚Virus‘ Tab ...... 200 7.2.3.6 ,Operations‘ -> ‚Denied Attachments‘ Tab ...... 201 7.2.3.7 ,Operations‘ -> ‚Password Protection‘ Tab...... 202

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE V CONTENT 

7.2.3.8 ,Operations‘ -> ‚Error‘ Tab...... 203 7.2.3.9 ,Misc‘ Tab...... 204 7.2.4 Sample Job: Virus Scanning in Databases...... 204 7.3 URL Scanning ...... 210 7.3.1 Engine Configuration ...... 210 7.3.2 URL Scanner Configuration ...... 210 7.3.3 Sample Job: Scan Email Bodies for Suspicious URLs ...... 210 7.4 PDF Protection: Checking PDFs for Undesirable Elements ...... 214 7.4.1 Important Definitions ...... 214 7.4.2 Selection Tab ...... 215 7.4.3 Options Tab ...... 217 7.4.4 Actions: Restricted / Malformed PDF / Error...... 220 7.5 File Restrictions ...... 222 7.5.1 Configuration Document for File Restrictions ...... 222 7.5.2 Sample Job: File and Size Restrictions on the Mail Server ...... 224 7.5.2.1 Configuration of the Attachment Filtering Mail Job Pro...... 225 7.5.2.2 ,Basics‘ Tab ...... 225 7.5.2.3 ,Operations -> ‚Options‘ Tab...... 226 7.5.2.4 ,Operations‘ -> ‚No Alert‘ Tab...... 227 7.5.2.5 ,Operations‘ -> ‚Denied Attachments‘ Tab ...... 227 7.5.2.6 ,Operations‘ -> ‚Password Protection‘ Tab...... 228 7.5.2.7 ,Operations‘ -> ‚Error‘ Tab...... 229 7.5.2.8 ,Misc‘ Tab...... 230 7.5.3 Sample Job: File and Size Restrictions in Databases ...... 231

8 iQ.Suite Wall ...... 232 8.1 Spam Protection Overview ...... 234 8.1.1 Filtering Methods ...... 234 8.1.1.1 Address Analysis (Blacklists/Whitelists)...... 234 8.1.1.2 Spam Pattern Analysis...... 234 8.1.1.3 Text Analysis...... 235 8.1.2 Multi-stage Job Processing...... 235 8.1.3 Spam Analysis Sequence ...... 236 8.1.4 Note for replicated environments ...... 236 8.2 Address Analysis ...... 238 8.2.1 Using Blacklists and Whitelists ...... 238 8.2.1.1 Sample Job: Add trustworthy Addresses to a Whitelist ...... 240 8.2.1.2 Sample Job: Add undesirable Addresses to a Blacklist...... 243 8.2.2 Sample Job: Deny Spam Domains ...... 246 8.2.3 Sample Job: Restrictions for Internal Recipients ...... 248 8.2.4 Sample Job: Restrictions for Internal Senders...... 250

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE VI CONTENT 

8.3 Spam Analysis using Spam Analyzers ...... 253 8.3.1 Analyzer Document: Spam Analysis using a Spam Analyzer...... 254 8.3.1.1 Spam Analyzer with SASI as an Example ...... 254 8.3.1.2 Particularities of the Kaspersky Anti-Spam Analyzer...... 256 8.3.1.3 Parameters for the Engine Update ...... 258 8.3.2 Sample Job: Spam Analysis using a Spam Analyzer ...... 259 8.4 Quarantine Summary Notifications ...... 264 8.4.1 Sample Job: Configure Summary Notification ...... 265 8.4.2 Sample Job: Configure Summary Notification for Mobile End Devices ... 272 8.5 Text Analysis ...... 274 8.5.1 Overview ...... 274 8.5.1.1 Configuration Document for Converter ...... 275 8.5.1.2 Configuration Document for Text Analyzer ...... 276 8.5.1.3 General Parameters for the Sandbox ...... 280 8.5.1.4 Configuration Document for Dictionaries ...... 280 8.5.2 Text Analysis using Dictionaries ...... 282 8.5.2.1 Notes on Dictionaries...... 283 8.5.2.2 Sample Job: Text Analysis using Dictionaries ...... 283 8.5.2.3 Sample Job: Unicode Text Analysis using Dictionaries ...... 288 8.5.3 Text Analysis using CORE...... 291 8.5.3.1 Configuration Steps for CORE...... 292 8.5.3.2 Sample Job: Text Analysis using CORE...... 293 8.5.4 Text Analysis for Credit Card Numbers ...... 296 8.5.4.1 Sample Job: Text Analyses for Credit Card Numbers ...... 296 8.5.4.2 Credit Card Analyzer Description...... 299 8.5.5 Text Analysis with Wall Content Mail Jobs ...... 301 8.5.5.1 Jobs der Standardkonfiguration ...... 301 8.5.5.2 Configuration of Wall Content Mail Jobs...... 303 8.5.6 Wall Action: Text Analysis by using Regular Expressions ...... 306 8.6 Preventing Denial-of-Service Attacks ...... 310 8.6.1 Mail-flooding the Server ...... 310 8.6.1.1 Sample Job: Preventing Mail-flooding the Server...... 310 8.6.2 Mail-flooding the Recipients...... 313 8.6.2.1 Sample Job: Restrict the Number of Recipients ...... 313 8.7 Email Cleaning: Deleting HTML Bodies...... 315

9 iQ.Suite Crypt...... 317 9.1 Engines ...... 319 9.1.1 Overview ...... 319 9.1.2 Available Engines ...... 319 9.1.3 Configuration Document for the Crypt Engine ...... 321

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE VII CONTENT 

9.1.4 Configuration Document for the ‚S/MIME + KeyManager Engine‘ ...... 322 9.1.5 Configuration Document for the ‚GnuPG + KeyManager Engine‘...... 324 9.2 Encryption/Decryption with PGP and GnuPG ...... 326 9.2.1 Overview ...... 326 9.2.2 Procedures for Outgoing and Incoming Emails ...... 326 9.2.2.1 Encryption of Outgoing Emails...... 326 9.2.2.2 Decryption of Incoming Emails ...... 327 9.2.3 Sample Job: Encryption ...... 328 9.2.3.1 Installation and Initial Configuration ...... 328 9.2.3.2 Requirements...... 328 9.2.3.3 Detailed Description...... 329 9.2.4 Sample Job: Decryption...... 335 9.2.4.1 Requirements...... 335 9.2.4.2 Detailed Description...... 335 9.2.5 Sample Job: Automatic Key Import...... 339 9.2.5.1 Requirements...... 339 9.2.5.2 Sequence of iQ.Suite Crypt Operations...... 340 9.2.5.3 Detailed Description...... 340 9.3 Encryption with Notes ...... 344 9.4 S/MIME Application Fields ...... 346 9.4.1 General ...... 346 9.4.2 Requirements for Using S/MIME ...... 347 9.5 Encryption/Decryption with S/MIME ...... 348 9.5.1 Sample Job: Encryption ...... 348 9.5.1.1 Requirements and Processing Principle ...... 348 9.5.1.2 Detailed Description...... 348 9.5.2 Sample Job: Decryption...... 351 9.6 Digital Signatures with S/MIME ...... 354 9.6.1 Sample Job: Signing with S/MIME...... 355 9.6.1.1 Requirements and Processing principle ...... 355 9.6.1.2 Detailed Description...... 355 9.6.2 Signature Verification with S/MIME...... 358 9.7 Encrypting Emails with WebCrypt Pro ...... 359 9.8 Importing S/MIME and PGP Keys to iQ.Suite KeyManager ...... 362 9.9 Using iQ.Suite KeyManager ...... 365 9.9.1 Using S/MIME Certificates ...... 365 9.9.1.1 Overview and Configuration...... 365 9.9.1.2 Sample Configuration: KeyManager Connection...... 366 9.9.2 Using PGP Keys ...... 369 9.9.2.1 Sample Configuration: KeyManager Connection...... 370 9.9.2.2 Sample Configuration: KeyManager Job (PGP) ...... 370

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE VIII CONTENT 

9.9.2.3 Synchronization ...... 371 9.10 Using the Windows Certificate Store ...... 373 9.10.1 Creating a User for the Certificate Store...... 374 9.10.2 Configuration of the Certificate Store...... 375

10 iQ.Suite PDFCrypt ...... 377 10.1 Password Management ...... 378 10.1.1 Configuration of a Password Management...... 378 10.1.2 Password Database...... 378 10.1.3 Manual Creation of User Passwords ...... 378 10.1.4 Methods of Password Transmission ...... 378 10.1.5 Password in Clear Text in the PDFCrypt Mail...... 379 10.1.6 Password Request via mailto Link ...... 380 10.1.7 Password Request without mailto Link ...... 381 10.2 PDFCrypt Engine ...... 382 10.3 Converting Emails to (Encrypted/Signed) PDFs ...... 383 10.3.1 PDFCrypt Utilities...... 383 10.3.1.1 Importing PDFCrypt Images ...... 384 10.3.1.2 PDFCrypt Templates: PDFCrypt Mail and PDF Header ...... 385 10.3.1.3 Integrating PDFCrypt Images into a PDFCrypt Template...... 387 10.3.2 PDFCrypt Mail Encryption Job...... 390 10.3.2.1 Constraints for File Attachments...... 391 10.3.2.2 Options for Encrypting and Signing PDFs ...... 393 10.3.2.3 Settings for Creating the PDF Files ...... 396 10.3.2.4 Success/Error Actions...... 398 10.3.2.5 Example of a Use Case ...... 399 10.4 Verifying Signatures of PDF Files ...... 404 10.5 Signing and/or Encrypting PDF Attachments ...... 406 10.6 iQ.Suite User Request Job ...... 409

11 iQ.Suite DLP ...... 411 11.1 DLP Review ...... 412 11.1.1 Background Information...... 412 11.1.1.1 DLP Review Databases ...... 412 11.1.1.2 DLP Review Mail Job...... 413 11.1.1.3 Review Background Tasks ...... 413 11.1.1.4 Review Status and Notifications ...... 414 11.1.2 Rights/Role Concept to access the Review Database...... 416 11.1.3 Create a DLP Review Database ...... 418 11.1.4 Sample Job: Move Emails from Credit Department to Review Database. 419 11.1.5 Review Options...... 421

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE IX CONTENT 

11.1.6 The DLP Review Database...... 425 11.1.6.1 Acccessibility...... 425 11.1.6.2 Review View of the Review Database in HCL Notes...... 425 11.1.6.3 Review Protocols ...... 426 11.2 DLP Anomaly Detection ...... 428 11.2.1 Important Definitions ...... 428 11.2.2 Viewing DLP Data in iQ.Suite WebClient...... 430 11.2.2.1 Settings in ACL Manager ...... 430 11.2.2.2 Settings in Database Definition...... 431 11.2.3 Creating a DLP Configuration ...... 431 11.2.3.1 General Settings ...... 432 11.2.3.2 Defining the Data to be collected ...... 433 11.2.3.3 Calculation of the Baseline Data...... 435 11.2.3.4 Database Maintenance ...... 436 11.2.4 Defining Analysis Criteria...... 438 11.2.5 Job for Data Collection and Baseline Calculation ...... 445 11.2.6 Job for Live Data Collection and Email Analysis...... 446 11.2.6.1 Selecting DLP Configuration and Analysis Criteria...... 446 11.2.6.2 Actions in Case no Data exists / in Case Limits are exceeded... 447 11.2.7 Combining DLP Anomaly Detection and DLP Review...... 449

12 iQ.Suite Trailer...... 451 12.1 Overview...... 451 12.1.1 iQ.Suite Trailer vs. iQ.Suite Trailer Advanced ...... 452 12.1.2 Procedure for Trailer Configuration...... 453 12.2 iQ.Suite Trailer ...... 454 12.2.1 Configuring a Trailer Document ...... 454 12.2.1.1 Trailer Document for a Legal Disclaimer...... 454 12.2.1.2 Trailer Document for a Personalized Trailer ...... 455 12.2.1.3 Adding Language-dependent Trailers 459 12.2.2 Configuring a Trailer Job...... 460 12.2.3 Scenario: Adding a Legal Disclaimer ...... 462 12.2.4 Scenario: Adding a Department Disclaimer ...... 463 12.2.5 Scenario: Adding a Personalized Signature ...... 464 12.3 iQ.Suite Trailer Advanced ...... 465 12.3.1 Using iQ.Suite WebClient for Trailer Utilities ...... 465 12.3.2 Configuring Trailer Utilities (Optional) ...... 467 12.3.2.1 Conventional and Personalized Trailer Images ...... 467 12.3.2.2 Notes Data Sources...... 470 12.3.2.3 Search Patterns ...... 473 12.3.2.4 Trailer Attachments...... 475 12.3.2.5 ‘Copy To Sent Items’ Options ...... 480

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE X CONTENT 

12.3.3 Configuring a Trailer Advanced Document ...... 482 12.3.3.1 HTML Trailer and Plain-Text Trailer...... 483 12.3.3.2 Variables for Notes Email Fields...... 484 12.3.3.3 [COND] Condition ...... 485 12.3.3.4 Text List Fields with Several Entries ...... 486 12.3.3.5 Inserting Image to the Trailer Advanced Document...... 487 12.3.4 Configuring a Trailer Advanced Job...... 490 12.3.5 Scenario: Company Logo ...... 495 12.3.6 Scenario: Individual Signature and Personalized Image ...... 497 12.3.7 Scenario: vCard Data as QR Code Image...... 500 12.3.8 Scenario: Attaching Binary Attachments such as PDF ...... 503 12.3.9 Scenario: Appending a Personalized Attachment...... 505 12.3.10 Scenario: Update Sent Email in the Sender Mailbox ...... 506

13 iQ.Suite Clerk ...... 511 13.1 iQ.Suite Clerk Overview ...... 513 13.1.1 Clerk in the Admin Portal and the User Portal ...... 513 13.1.2 Forwarding vs. Redirection ...... 514 13.1.2.1 Regular Forwarding ...... 514 13.1.2.2 Periodic Forwarding ...... 514 13.1.2.3 Retroactive Forwarding...... 514 13.1.2.4 Redirection...... 516 13.1.3 Information on Absence Documents...... 516 13.1.3.1 Priorities of Forwarding Documents...... 516 13.1.4 Databases...... 518 13.1.4.1 Clerk Database ...... 518 13.1.4.2 Clerk Protocol Database ...... 518 13.1.4.3 Clerk Archival Database ...... 518 13.1.4.4 Clerk Log Database ...... 519 13.1.4.5 Clerk Notifications Database...... 519 13.2 Server-based Settings (by Admin only) ...... 520 13.2.1 Absence Templates ...... 520 13.2.1.1 Notes on Absence Templates...... 520 13.2.1.2 Creation of Absence Templates...... 521 13.2.2 Job Configuration...... 530 13.2.2.1 Hints on the Configuration ...... 530 13.2.2.2 Sample Job: Forwarding or Redirection...... 530 13.2.2.3 Creating Calendar Entries automatically...... 537 13.2.2.4 Notification Options for Internal and External Senders ...... 539 13.2.3 Job Configuration for the Info Emails...... 540 13.2.3.1 Important Definitions and Application Example ...... 540 13.2.3.2 Important Information prior to the Job Configuration ...... 541

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE XI CONTENT 

13.2.3.3 Configuration in the Clerk Job...... 542 13.3 Individual Settings (by Users also) ...... 547 13.3.1 Configuration Document: Forwarding ...... 548 13.3.2 Configuration Document: Periodic Forwarding ...... 555 13.3.3 Configuration Document: Redirection ...... 559 13.3.4 Configuration of Exceptions ...... 561 13.3.4.1 No Forwarding of Newsletters, no Notification of the Senders ... 561 13.3.4.2 No Forwarding of Private Emails, Notification of the Senders 563 13.3.4.3 Forwarding Emails with Special Content to a different Deputy ... 564 13.3.4.4 Retroactive Email Forwarding with a Redirection Document...... 565 13.3.4.5 Redirecting Emails from Special Senders to Another Deputy..... 566 13.3.4.6 No Redirecting of Emails from Special Senders ...... 567 13.4 Quarantine Access for Deputies ...... 568

14 iQ.Suite Connect ...... 570 14.1 Overview...... 570 14.2 Connect Engines ...... 571 14.3 Connecting iQ.Suite to Microsoft SharePoint ...... 571 14.3.1 Configuring a SharePoint Engine...... 571 14.3.2 SAMPLE Job: Storing File Attachments in Microsoft SharePoint ...... 574 14.4 Connecting iQ.Suite to HCL Connections ...... 582 14.4.1 Configuring Connections Engine ...... 582 14.4.2 SAMPLE Job: Storing File Attachments in HCL Connections ...... 584 14.5 Workflow: Connecting iQ.Suite to GBS Workflow Manager ...... 588 14.5.1 Configuring a Workflow Engine...... 588 14.5.2 Configuring Connect Workflow Job...... 590 14.5.2.1 Operations -> Options Tab...... 591 14.5.2.2 Selection Tab ...... 592 14.5.2.3 Mappings Tab ...... 592 14.5.2.4 Success Actions/Error Actions Tab...... 594

15 iQ.Suite Convert ...... 595 15.1 Overview...... 595 15.2 Sample Job: Compressing File Attachments...... 596 15.2.1 Selection Tab ...... 596 15.2.2 Options Tab ...... 598 15.3 Sample Jobs: Extracting File Attachments from Archives/PDFs (Decompression) .... 603 15.3.1 Selection Tab ...... 603 15.3.2 Options Tab ...... 604

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE XII CONTENT 

15.4 Sample Job: Converting Attachments to PDF ...... 607 15.5 Sample Job: Converting Attachments via Command Line ...... 612 15.5.1 Selecting Attachments ...... 612 15.5.2 Conversion Options ...... 613 15.5.3 Actions In Case Of Success / Error ...... 617

16 iQ.Suite Smart...... 618 16.1 Delayed Sending of Emails ...... 619 16.1.1 User-Controlled Scheduling ...... 619 16.1.2 Sample Job: Sending Emails with User-defined Delay...... 620 16.1.3 Server-controlled Scheduling...... 624 16.1.4 Sample Job: Delay Emails with Excessive Size ...... 624 16.2 Resolving Document Links ...... 627 16.2.1 Sample Job: Resolving Document Links ...... 627 16.3 Dual Control Check with Parking Database...... 629

17 iQ.Suite Safe ...... 630 17.1 Functioning ...... 631 17.2 Archiving Emails in Databases ...... 632 17.3 Log Databases ...... 635

18 iQ.Suite Bridge...... 636

19 iQ.Suite Budget...... 637 19.1 The Cost of an Email ...... 637 19.1.1 Basic Cost ...... 638 19.1.2 Volume Cost ...... 638 19.1.3 Per Server/Per Recipient Cost...... 639 19.1.4 Calculation Example ...... 640 19.2 Evaluation Logs ...... 641 19.2.1 Summary Log View by Account ...... 643 19.2.2 Summary Log View by Week and Month...... 644 19.3 Statistics ...... 645 19.4 Defining Connection Cost ...... 646 19.5 Setting Up Accounts and Specifying Limits ...... 648 19.5.1 Account Types ...... 648 19.5.2 Hierarchical User Names in Budget...... 650 19.5.3 Setting up a Sender Account ...... 652 19.5.4 Setting Up a Recipient Account ...... 655 19.5.5 Activating a Budget Job ...... 658

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE XIII CONTENT 

20 iQ.Suite MailFlow Check...... 661

21 Appendix: Global Parameters (except Job Results) ...... 664 21.1 Installation...... 664 21.1.1 DBG_Setup...... 664 21.1.2 iQ.Clustering / iQ.Mastering...... 665 21.1.3 iQ.Suite Directories ...... 665 21.2 General Parameters ...... 666 21.2.1 Notifications ...... 666 21.2.2 Job Errors ...... 667 21.2.2.1 Critical Jobs ...... 667 21.2.2.2 Other JobError Parameters...... 668 21.2.3 Logging ...... 669 21.2.4 MailGrabber/DatabaseGrabber...... 673 21.2.4.1 Housekeeping (MailGrabber)...... 673 21.2.4.2 Grabber Threads...... 673 21.2.5 Removing Quarantine Fields from Resent Emails ...... 674 21.2.6 Sandboxes ...... 675 21.2.7 Update of the Unpacker License Key ...... 675 21.3 iQ.Suite Clerk...... 676 21.3.1 Parameter Values for Name Formats ...... 676 21.3.2 Info Emails ...... 677 21.3.3 Name Formats (except Info Emails) ...... 679 21.3.4 Database Templates...... 680 21.3.5 SpaceCheck...... 680 21.3.6 Other Clerk Parameters ...... 681 21.4 iQ.Suite Crypt / Crypt Pro (KeyManager) ...... 684 21.5 iQ.Suite DLP ...... 686 21.6 iQ.Suite Trailer...... 687 21.7 iQ.Suite Trailer Advanced...... 688 21.8 iQ.Suite Wall ...... 689 21.9 iQ.Suite Watchdog...... 689 21.10 iQ.Suite WebClient ...... 692 21.11 Other Global Parameters...... 693

22 Appendix: Job Results ...... 705 22.1 Meta Results...... 705 22.2 General Results ...... 706 22.3 Results of the Action Mail Jobs ...... 707 22.4 Results of the Convert Decompression Jobs ...... 710

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE XIV CONTENT 

22.5 Results of the Crypt Mail Jobs ...... 715 22.6 Results of the Crypt Pro Import Jobs ...... 720 22.7 Results of the DLP Data Analyze Jobs ...... 725 22.8 Results of the PDFCrypt Mail Encryption Jobs ...... 727 22.9 Results of the PDFCrypt File Signing/Encryption Jobs ...... 730 22.10 Results of the PDFCrypt Signature Verification Jobs ...... 733 22.11 Results of the Trailer Advanced Mail Jobs ...... 736 22.12 Results of the Wall Mail Jobs ...... 738 22.13 Results of the Wall Cleaning Mail Jobs ...... 741 22.14 Results of the Watchdog Mail Jobs ...... 743 22.15 Results of the Watchdog PDF Protection Jobs ...... 748 22.16 Examples with a Crypt Mail Job ...... 752

23 Appendix: Color Values for ToolKit_Logo Parameter...... 753 23.1 The Notes Colors...... 753 23.2 Colors Sorted by Notes Color Value ...... 754 23.3 Colors Sorted by RGB Value (Ascending) ...... 765

Glossary...... 775

Index ...... 790

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE XV PREFACE - HOTLINE   1Preface 1.1 Hotline

To give you the best possible support, we need the following information from you in the event of a fault:  Product version  License number  Domino server version including any service pack  Operating system and version including any service pack  Configuration files  Log files  TECHNICAL_SUPPORT folder (in the installation folder)

The GBS Support Team is available from 8:30 AM to 6:00 PM (time zone: EST).  Europe, Asia, other  Tel.: +49 (0)1806 49 01 11  Email: [email protected]  USA & Canada:  Tel.: +1 877-228-6178  Email: [email protected]

1.2 Copyright

GBS Europa GmbH, hereafter referred to as GBS, is the owner of the full commercial copyright of this documentation protected by law. All rights not explicitly granted remain the property of GBS.

IQ.SUITE FOR DOMINO – ADMINISTRATION  PAGE 1 PREFACE - WARRANTY 

1.3 Warranty

GBS assumes no liability, express or implied, for the documentation. This includes quality, design, adherence to commercial standards, or suitability for a specific purpose.

The product descriptions are general and descriptive in nature. They can be interpreted neither as a promise of specific properties nor as a declaration of guarantee or warranty. The specifications and design of our products can be changed at any times without prior notice, especially to keep pace with technical develop- ments. For up-to-date information, please contact the GBS Sales Department.

1.4 License Terms

The GBS license terms are available on the product CD and the GBS website. Any license agreements from third-party software manufacturers are included with the software product as a PDF file.

1.5 Third-Party Copyright Notes

The package includes third-party products listed in the "Third Party License Agreements" document. This document is available in the

IBM and AIX are trademarks of International Business Machines (IBM) Corpora- tion. Notes and Domino are trademarks of HTC Technologies Ltd.

Microsoft, MS, Windows and the Windows Logo are registered trademarks of Microsoft Corporation in the Unites States of America and/or other countries.

Avira is a registered trademark of Avira GmbH. McAfee is a registered trademark of Networks Associates, Inc. Any other products mentioned in this document are subject to the copyright provisions of their respective manufacturers.Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

IQ.SUITE FOR DOMINO – ADMINISTRATION  PAGE 2 PREFACE - DETAILS ON THE MANUALS 

1.6 Details on the Manuals

Personal Designations

Our Manuals are addressed equally to both genders. Therefore, we make every effort to use gender-neutral language. Since it is not entirely possible to avoid personal designations, we use the word forms he/she, his/hers or him/her in these cases.

Symbols

Warning.  Refers to critical situations. Please carefully read these messages to minimize the risk of data loss, damage to your system, etc.

Information.  Refers to important but noncritical situations.

Tip.  Provides assistance for a specific issue or describes special workarounds and features.

Freely accessible documentation is available on www.gbs.com.

If you have any suggestions on how we can make further improvements, we would be happy to get your feedback. Send an email to: [email protected]

IQ.SUITE FOR DOMINO – ADMINISTRATION  PAGE 3 GETTING STARTED - SYSTEM REQUIREMENTS   2 Getting Started 2.1 System Requirements

2.1.1 Installation Requirements

Please observe the system requirements and other notes on installation  mentioned in the iQ.Suite Installation Manual.

2.1.2 Web Browsers

Unless otherwise is specified in this manual, we support the following web browsers in their latest version at the time when this manual was issued:

 Google Chrome  Mozilla Firefox  Internet Explorer 11 / Microsoft Edge

The iQ.Suite User Portal, the HTTP links in Quarantine summary notifications and iQ.Suite WebClient require one of the web browser mentioned above.

The TinyMCE editor in iQ.Suite configuration documents, e.g. in Trailer Advanced documents and in PDFCrypt (PDFCrypt Mail and PDF Header), requires Internet Explorer 11 is required.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 4 GETTING STARTED - STARTING THE IQ.SUITE 

2.2 Starting the iQ.Suite

2.2.1 Starting on the Domino Server

To automatically start the iQ.Suite on the server, the notes.ini must contain two additional entries in the servertasks line: tm_grab and td_grab. With these entries, the iQ.Suite Grabbers are automatically started when the Domino server is booted. If required, add these entries manually at the end of the line.

To manually start the iQ.Suite on the server, enter the following commands on the server console:  load tm_grab to start the MailGrabber1  load td_grab to start the DatabaseGrabber

Any virus scanners equipped with an integrated on-access scanner and used outside of the iQ.Suite must not scan for viruses in the iQ.Suite working directory. Otherwise, the iQ.Suite functionality may be affected. Check your virus scanner and, if required, exclude the working directory from scanning. Use the ToolKit_ExclusiveTempDir parameter to set the working directory.

The te tm_grab ? command returns a list of possible Domino commands includ-  ing a short explanation. Be sure to enter the blank preceding the question mark.

1. Refer to “Technical Description of the Main Components” on page 8.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 5 GETTING STARTED - STARTING THE IQ.SUITE 

2.2.2 Starting on the Notes Client

To start the iQ.Suite on the Notes client, proceed as follows:

1. Start your Notes client.

2. Click on: FILE -> DATABASE ->OPEN.

3. Select the server running the iQ.Suite.

4. Locate and open the iQ.Suite data directory.

5. Locate and open the database Entry iQ.Suite .

To be able to configure the iQ.Suite, you need to log on as administrator.

2.2.3 Starting Using the Web Browser

To start the iQ.Suite using the web browser, proceed as follows:

1. Start your web browser.

2. Enter the following URL: http://nav.nsf.

3. Enter your authentication data for web access to the server (user name and password). This opens the navigation for the iQ.Suite.

To configure the products, you need to log in as administrator.

To start the iQ.Suite User Portal using the web browser, enter the following URL: http://g_user.nsf.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 6 GETTING STARTED - CLOSING THE IQ.SUITE 

2.3 Closing the iQ.Suite

2.3.1 Closing on the Domino Server

The iQ.Suite is automatically closed when the Domino server is shut down. To terminate the iQ.Suite manually, enter the commands tell tm_grab q (MailGrabber) or tell td_grab q (DatabaseGrabber) on the server console2.

2.3.2 Closing on the Notes Client

Close the database with ESC or close the window with X (web browser).

For further Information on using the Domino server and the Notes client, please refer to the HCL documentations.

2. Refer to “Technical Description of the Main Components” on page 8.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 7 GETTING STARTED - TECHNICAL DESCRIPTION OF THE MAIN COMPONENTS 

2.4 Technical Description of the Main Components

The technical foundation of the iQ.Suite for HCL Domino is made up of the following components:

2.4.1 te_hook

Special iQ.Suite mechanism that "hooks on" to the transport flow and monitors the email traffic. It intercepts the emails from the server Mail.box and provides them to the iQ.Suite for processing. This applies to internal emails sent between mailboxes on the same server as well as to incoming or outgoing emails.

2.4.2 notes.ini File

The notes.ini3 contains essential elements of the iQ.Suite functionality. Most of the entries in this file are added during the iQ.Suite installation process and should be checked once installation is complete (refer to the iQ.Suite Installation Manual). Most of the configuration settings entered using the iQ.Suite console are stored in the notes.ini as Global Parameters (ToolKit parameters). For a list of all global parameters, please refer to “Description of the Global Parameters (except Job Results)” on page 33.

2.4.3 Router

Once the emails have ben processed by the jobs of the different iQ.Suite modules, the router takes care of delivering the emails to the intended recipients.

2.4.4 iQ.Suiter Grabber

The two iQ.Suite Grabbers MailGrabber and DatabaseGrabber are components designed to check the emails for specific properties. Whenever an email meets one of the specified criteria, the iQ.Suite Grabbers make sure the email is processed by the iQ.Suite.

3. For further Information on the notes.ini, please refer to the HCL Domino documentation.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 8 GETTING STARTED - TECHNICAL DESCRIPTION OF THE MAIN COMPONENTS 

While the iQ.Suite Grabbers provide mechanism to decide when a specific operation needs to be executed, the iQ.Suite modules actually execute these operations. Thus, the iQ.Suite Grabber can be seen as a platform for running the iQ.Suite modules.

Technically, the iQ.Suite Grabbers are implemented as Domino server tasks that dynamically load DLLs as required. With this modular concept, different function blocks can be implemented with just one server process, thus saving server resources.

The following figure illustrates the main technical components of the iQ.Suite4:

2.4.4.1 Email Processing by MailGrabber

The MailGrabber is started on an event-controlled basis, i.e. whenever emails arrive in the server Mail.box. It takes the emails from the Mail.box and includes them in the configured job chain. At the same time, it evaluates ALL mail rules for the entire job chain, thus making sure the emails are processed by the mail

4. In graph: GROUP Policy Engine = email or database rules. GROUP Enterprise Message Handler = combination of te_hook and the iQ.Suite Grabbers.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 9 GETTING STARTED - TECHNICAL DESCRIPTION OF THE MAIN COMPONENTS 

jobs. The actions actually performed depend on the iQ.Suite job itself and the configured mail rules. Once the email has run through the job chain, it is released and delivered by the router.

The MailGrabber database is tm_grab.nsf.

1. An email arrives in the server Mail.box. This "event" causes the te_hook to intercept the email at the mail server and set its status to HOLD.

2. The MailGrabber retrieves the document from the server Mail.box and checks it for specific properties. Whenever an email meets one of the specified criteria, the MailGrabber evaluates the configured mail rules and decides which jobs are to be executed for the email.

3. The jobs are run according to their priority. The job with the highest priority is run first, the email is processed as set in the configuration. Refer to “Mail Jobs and Database Jobs” on page 21.

4. Once processed by the iQ.Suite, the MailGrabber releases the processed document, i.e. the HOLD status is removed.

5. The email is returned to the transport flow then delivered to the recipient by the router.

2.4.4.2 Email Processing by DatabaseGrabber

The DatabaseGrabber processes documents stored in Domino databases. The time at which the Database-Grabber is started depends on the time set in the database job. The policy governing the processing of emails in the databases is configured through database rules. When the start time for a job is reached, the DatabaseGrabber starts the corresponding iQ.Suite module. Scheduled jobs are started either once or periodically (at specific intervals).

The DatabaseGrabber database is td_grab.nsf.

1. In scheduled mode, the DatabaseGrabber is started at a specific time; in event-controlled mode, a special mechanism (te_hook) notifies the Databas- eGrabber that the database to be processed has been modified.

2. The DatabaseGrabber starts the job.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 10 GETTING STARTED - TECHNICAL DESCRIPTION OF THE MAIN COMPONENTS 

3. The first database specified is opened.

4. The first document is processed and the rules for this document are evaluated. If the rules apply, the DatabaseGrabber starts the corresponding job.

This sequence is repeated for all documents in all databases for all jobs.

An event-controlled start, for example when a monitored database is modified, is  possible, but this should only be done with very few databases since it places a great burden on the server. You should think carefully about which databases require event-controlled processing and keep their number to a strict minimum.

2.4.4.3 Notes on MailGrabbers and DatabaseGrabbers

Each email to be processed requires a separate thread, which ensures that the email will be processed by each configured job. The maximum number of threads is set under Global Parameters:  DatabaseGrabber: Number of Threads Databasegrabber  MailGrabber: Number of Threads Mailgrabber

As an alternative, you can set the following parameters in the notes.ini:  DatabaseGrabber: ToolKit_dgrabthreads  MailGrabber: ToolKit_mgrabthreads

As a general rule, it is possible to start up to 5 000 threads, so as to process 5 000 emails simultaneously. However, please note that a large number of threads will affect the server performance; the maximum value also depends on the hardware resources available. We recommend to increase the number of threads in steps and monitor the server performance.

The processing of the iQ.Suite Grabbers can be logged. Refer to “Logging” on page 91.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 11 GETTING STARTED - TECHNICAL DESCRIPTION OF THE MAIN COMPONENTS 

2.4.5 iQ.Suite User Groups

User groups which have been created in the Domino Directory can be selected In some iQ.Suite configuration documents such as rules and licence configurations. Please note that iQ.Suite can only use user groups which have the type ‘Mail only’ or ‘Multi-purpose’:

ACL groups (type ‘Access Control List only’) can only be used in database definitions and in the configuration of quarantine accesses for substitutes.

For further information on the group types, please refer to the HCL documentation.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 12 GETTING STARTED - IQ.CLUSTERING / MONITORED SERVER OPERATION 

2.5 iQ.Clustering / Monitored Server Operation

iQ.Clustering supports a cluster made up of several Domino servers (reasonable limit: 4 to 6) with the iQ.Suite installed. iQ.Clustering is an application clustering. It does not replace the functionalities of a Domino cluster, but complements them with useful functions.

For further Information on the installation and configuration of iQ.Clustering, please refer to the iQ.Suite Installation Manual. Download under www.gbs.com.

2.6 iQ.Mastering

With iQ.Mastering, it is possible to run third-party products together with the iQ.Suite, e.g. for spam or virus protection using existing solutions from other manufacturers.

For further Information on the installation and configuration of iQ.Mastering, please refer to the iQ.Suite Installation Manual. Download under www.gbs.com.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 13 IQ.SUITE ADMINISTRATION CONSOLE - USER INTERFACE DESCRIPTION   3 iQ.Suite Administration Console 3.1 User Interface Description

After having opened the database, the iQ.Suite displays the main menu. The iQ.Suite user interface is divided into three areas, which will be described in the subsequent sections:

Function bar:

Configuration area for global functions, e.g. importing/exporting files. Display area: Area used to display iQ.Suite content. Navigation pane:

iQ.Suite navigation area (between and within modules).

To return to the start screen click on the logo in the upper left corner.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 14 IQ.SUITE ADMINISTRATION CONSOLE - DISPLAY AREA 

3.2 Display Area

The display area presents the actual content. It is the area where the iQ.Suite is configured.

3.3 The Function Bar / Tool Bar

The function bar is used to set global iQ.Suite functions that apply to all modules, e.g. language, licensing, etc. Therefore, the individual functional areas are visible on the iQ.Suite start screen only::

Though always visible (i.e. regardless of the module or menu selected), the function bar only displays the functions available for the module/submenu currently selected in the navigation panel by the user.

3.3.1 Help

Further Information on all menus, tabs and fields is provided in the context-sensitive online help. To display help text for the element currently selected, click on

HELP. The online help includes comprehensive descriptions as well as proven configuration examples or application scenarios.

3.3.2 About

To show the backend version of the installed iQ.Suite, click on ABOUT.

3.3.3 Print

To open a print selection window, click on PRINT.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 15 IQ.SUITE ADMINISTRATION CONSOLE - THE FUNCTION BAR / TOOL BAR 

3.3.4 Language

To select your preferred language, click on LANGUAGE. The key screen elements are displayed in the selected language. For platform-specific reasons, it is not possible to assign text in several languages to every single screen element. Therefore, some elements are always shown in English. Where supported by Notes, we have enabled multiple languages for as many elements as possible.

3.3.5 Server

Click on SERVER for a list of all servers listed in your address book (names.nsf). You can only open the iQ.Suite configuration database if it is located in the same directory on the selected server. If the directory is not the same, the correct directory can be specified in the displayed dialog.

3.3.6 Request License

Click on REQUEST LICENSE to open a license request form. The required information can be selected from lists or is automatically read from the server document,

e.g. the current operating system and the Domino version. Click on SEND to send the form via email to the person responsible for licensing.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 16 IQ.SUITE ADMINISTRATION CONSOLE - THE FUNCTION BAR / TOOL BAR 

This button is also available on GLOBAL -> LICENSES and GLOBAL -> LICENSE  LOGS.

3.3.7 Export/Import

Click on EXPORT/IMPORT to exchange iQ.Suite configuration data outside Notes databases. You can update configuration databases without having to perform a complete update. Also, you can export an existing configuration as a backup to restore it later if required.

For further Information, please refer to “Exporting and Importing Configuration Files” auf Seite 96.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 17 IQ.SUITE ADMINISTRATION CONSOLE - THE FUNCTION BAR / TOOL BAR 

3.3.8 Deactivate the iQ.Suite

In certain events it might be reasonable to deactivate the iQ.Suite temporary e.g. in cases emails can‘t be processed due to an erroneous iQ.Suite configuration. Once the iQ.Suite is deactivated all emails are delivered without having been checked.

The screen displays red warning symbols if the iQ.Suite has been disabled:

To enable the iQ.Suite again click on .

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 18 IQ.SUITE ADMINISTRATION CONSOLE - THE NAVIGATION AREA 

3.4 The Navigation Area

The navigation pane is used to navigate between and within individual iQ.Suite modules. Click on the plus sign of a main menu item to display the corresponding submenus of the selected product (). The submenus provide various options to configure the iQ.Suite according to your requirements.

The module area is divided into two main groups:  Individual modules (Watchdog, Wall, etc.), and  Cross-module elements (Global, Quarantine, etc.).

The individual modules can be configured independently of each other. Most of the modules may include more than one Notes database, for instance the blacklist and whitelist databases in the iQ.Suite Wall module. Once you have defined your additional databases in the database definitions1, the databases are displayed in the portal views (Admin Portal and User Portal) where they can also be managed.

Within the Admin Portal, you can switch databases by clicking on NEXT ... DATA-

BASE. As of four databases, an additional SELECT ... DATABASE becomes available. This option opens a selection list with all of the module databases that are available on the same server2.

1. Refer to “Database Definitions” auf Seite 25

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 19 IQ.SUITE ADMINISTRATION CONSOLE - THE NAVIGATION AREA 

The cross-module elements are included in the standard iQ.Suite package and complement the iQ.Suite configuration:  Global This menu provides various submenus related to cross-module functions such as mail and database , mail and database , database definitions, global parameters, etc.

 Quarantine A quarantine is also a Notes database. It is the area where all blocked (intercepted) emails/documents and attachments as well as the corresponding reports are stored. The iQ.Suite User Portal provides the users with access to the quarantined documents they are authorized to view.

 Logs and Statistics This menu covers the logs as well as the statistical reports and charts related to the mail jobs and database jobs of all individual modules. Changes in iQ.Suite configuration such as deleting, changing or creating a new Notes document can be logged.

 Support This menu points to the GBS Support Team.

For a detailed description of the global elements and their configuration options, please refer to “Common Functions for All Modules” auf Seite 21.

2. For further Information on individual modules, please refer to the corresponding chapters in this manual.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 20 COMMON FUNCTIONS FOR ALL MODULES - ’GLOBAL’ CONFIGURATION AREA   4 Common Functions for All Modules The iQ.Suite is based on modules each of which is used for a specific topic related to handling emails. While these topics cover a wide range tasks, some of the configuration options can be defined for all of them globally.

The descriptions below refer to the iQ.Suite in general, regardless of the modules used. In subsequent chapters, the topics covered here will be assumed to be known and will therefore not be explicitly referred to.

4.1 ’Global’ Configuration Area

This configuration area includes most of the iQ.Suite functions that apply to all modules:

4.1.1 Mail Jobs and Database Jobs

To configure modules, jobs are created to execute the desired actions. We distinguish primarily between mail jobs and database jobs.

Mail jobs check emails immediately after they are received by the mail server. This makes it possible to check emails before they are sent to the recipients, for example, by using a Watchdog mail job to check for viruses. If a virus is found, the email is prevented from being sent to the recipients.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 21 COMMON FUNCTIONS FOR ALL MODULES - ’GLOBAL’ CONFIGURATION AREA 

In contrast, database jobs run on databases and check the emails stored there at regular intervals. The start time and time interval can be specified for this in the job. Alternatively, starting database jobs can be event-controlled, for example, after modifying a document in the database. A scan is made either of all documents or of all documents that have changed since the last job run that match the selection rules. Event-controlled scans are useful, for example, for service databases in which external persons place executable files. Mail and database jobs run separately1.

You can use the option ‚Check all documents since the last run‘ to check only the  documents in the database that have been added or changed since the last time the job was started. This approach significantly reduces the server load.

All jobs configured in the iQ.Suite are listed in the GLOBAL configuration area and can be processed from there. For reasons of clarity, the module-specific jobs are also listed below the respective module. For example, all Watchdog mail jobs and

Watchdog database jobs can also be configured in the WATCHDOG configuration area.

Jobs can be enabled (Active) and disabled (Not active). A disabled job is present but not executable. Setting the status to Not active lets you temporarily disable a job without actually having to delete it.

An essential element of the job configuration is the assembly of a job chain. For instance, first an email has to be decrypted (Crypt job) before it can be checked for viruses (Watchdog job). This starting order for jobs is defined by assigning a priority to each job. For further Information on assigning priorities and the job chain, please refer to “Priorities” on page 82. It is strongly recommended to read this section as it contains key information for using the iQ.Suite.

1. Also refer to “Error Handling in Jobs” on page 23.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 22 COMMON FUNCTIONS FOR ALL MODULES - ’GLOBAL’ CONFIGURATION AREA 

In each module, you can create new jobs by clicking the NEW button and entering the desired job configuration settings. To simplify the job configuration, the iQ.Suite standard configuration contains a number of example jobs:

DEFAULT jobs are pre-configured completely and can be enabled merely. Under normal circumstances, it will not be necessary to change the configuration. However, the jobs can be easily adapted to your requirements.

SAMPLE jobs represent example configurations that are also pre-configured but they cannot be enabled as is. To be used in a sensible way, those jobs normally need to be individually adjusted.

Note that sample jobs are system-dependent, i.e. they only run on the operating  system set in the column OS of the display area. Also at jobs created newly it must be defined for which operating systems the job shall be valid (MISC TAB ->

RUNS ON OS).

A job is configured with a configuration document. Every configuration document consists of tabs with numerous options to be adjusted. With this the iQ.Suite provides extensive possibilities for configuration to influence job operations to your individual needs. How to configure the standard tabs is described under “Stan- dard Tabs for Jobs” on page 39.

4.1.2 Error Handling in Jobs

If errors occur at the job processing, it has to be determined how the iQ.Suite shall reprocess the emails.

In case of errors at non-critical jobs, it might be sensible to ignore this job and to pass the email on to the next job in the job chain. Trailer mail jobs are categorized as non-critical, in general. If an error occurs and no Trailer document can be attached the email is delivered without a disclaimer.

In case of errors at critical jobs, it is sensible to remain the emails in the mail.box of the mail server, due to security purposes. In such a case the administrator will be notified to initiate suitable measures. In general, Watchdog mail jobs that check emails for viruses are categorized as critical.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 23 COMMON FUNCTIONS FOR ALL MODULES - ’GLOBAL’ CONFIGURATION AREA 

Define the categorization in the Misc tab in the Job is critical field of the job:

 ‚No‘: The job is not critical. In case of an initialization error, the job is simply ignored. In case of repeated runtime errors, the job is disabled.  ‚On error in initialization‘: The job is critical if an error occurs during initialization. In this case the system is restarted.  ‚On error in initialization and runtime‘: The job is critical if an error occurs during initialization and/or at runtime. Again, the system is restarted. If the job can be executed after a restart, the remaining emails (not processed yet) or those that have arrived in the meantime are processed now. Emails that were being processed when the error occurred are not checked again and remain in the mail.box. These emails can be manually included in the process.

Use global parameters (IQ.SUITE -> GLOBAL PARAMETERS) to configure the delay  until the MailGrabber is restarted and set if and how disabled jobs are to be enabled again.

4.1.3 Mail Rules and Database Rules

Defined rules are used to set to which emails a job applies, e.g. only for incoming internet emails or emails addressed to specific recipients. For the Wall spam mail job, it is, for instance, possible to exclude specific email addresses from being checked.

When the software determines whether or not a job applies to a given email, the (positive or negated) rules are used to check the email‘s properties. A rule either returns "True" or "False".

Mail rules are used for mail jobs and database rules for database jobs. These rules can also be combined, in which case they are combined according to a Boolean operator (logical AND or logical OR). The iQ.Suite standard configuration contains a number of pre-configured cross-module rules, which can be used for each job in each module as well as in combination. Each rule defines different conditions under which a job is to be run. You can also configure your own rules. Each rule contains different conditions under which a job is run. For further Infor- mation on using rules, please refer to “Rules” on page 84.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 24 COMMON FUNCTIONS FOR ALL MODULES - ’GLOBAL’ CONFIGURATION AREA 

The icons in the Controls for rule field are used to select and edit rules from  within the job. The Select, Deselect all, Edit and New icons are available to this end. Rules shown in green font are from previous versions (some of the icons may not appear in the document). In this case, click on Select and then OK in this selection dialog to update the rule, after which the remaining icons will also be available.

4.1.4 Database Definitions

Database definitions are used to create new databases based on iQ.Suite database templates and to change the definitions of existing databases. The data-

bases created and managed under GLOBAL -> DATABASE DEFINITIONS are required to retrieve specific values within a job, e.g. names for a user database.

A view of database definitions is available in the Admin Portal and the iQ.Suite User Portal. By default, the iQ.Suite User Portal only provides access to the databases listed under the User Portal category, e.g. the quarantine database g_arch.nsf or the delegation database g_del.nsf of iQ.Suite Clerk. All other data-

bases are displayed in the Admin Portal only. Select NEW -> DATABASE DEFINITION to define a new database. First select the database type for your new database. The corresponding template is then applied to the new database. Depending on

the database type, the new database will be included under the USER PORTAL cat-

egory or the ADMIN PORTAL category.

Select CHECK DEFINITION to test whether or not the database paths are correct and the database specified is found. This test is particularly important in replicated environments.

Select a database and then ACCESS MANAGEMENT to access the ACL Manager, from where you can release this database and set the access rights for the iQ.Suite User Portal using the rights/roles concept.

Set in at least one mail or database job the User-specific quarantine access field to ‚Yes‘. Otherwise no documents will be displayed in the iQ.Suite User Por- tal, neither to users nor to administrators. Select a quarantine database and click

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 25 COMMON FUNCTIONS FOR ALL MODULES - ’GLOBAL’ CONFIGURATION AREA  on the USER-SPECIFIC QUARANTINE ACCESS button. With this, all mail or database jobs are displayed for which you have activated the User-specific quarantine access field.

When a database already exists, proceed as follows:

1. Fill in the Database type.

2. Select in the field Server the servers on which the database definition applies. An asterisk (*) signifies that the database definition applies to all servers. If required, select in the Server exceptions field those servers on which the database definition does not apply.

3. Click on the Select database icon and select the desired database on the server. The Database path and Database title fields are automatically set to the filename and title of the database.

4. Activate the option Enable for ‘Data Service’ applications if the database defined in this document is to be used also by 'Data Service' applications. If you want iQ.Suite WebClient or iQ.Suite Apps such as iQ.Suite Clerk App to access data contained in the respective database, enable this option.

5. Only for Quarantines: Use Quarantine index In database definitions with the database type ‘Quarantine’, the Use Quaran- tine index option is available. With this option, determine whether access to the Quarantine database for originals is to happen in iQ.Suite User Portal via a Quarantine index database.

Direct access to large Quarantines via iQ.Suite User Portal can be very time- consuming and affect the performance, particularly in case of a large number of quarantined documents. Indexing of these documents in the Quarantine index database enables an indirect access to the quarantined documents of the Quarantine database: The smaller documents of the index database contain respectively a link to the quarantined document. The faster Quarantine view update in the User Portal provides a faster Quarantine access.

If you enable this option, select the database definition of the desired Qua- rantine index database (default: g_arch_index.nsf). Only the database definitions with the Database type ‘Quarantine Index‘ can be selected.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 26 COMMON FUNCTIONS FOR ALL MODULES - ’GLOBAL’ CONFIGURATION AREA 

The Quarantine index database can be set up in the Quarantine Configura- tion2.

6. Under Database description, you can describe the purpose of the database. This description will be displayed in the Description column of the overview

of all databases (GLOBAL -> DATABASE DEFINITIONS).

7. The Reader field is used to control the user access rights to a database. The users listed in this field are allowed to view the defined database in their individual view of the User Portal. For all other persons, the database is not visible.

8. Click on SAVE.

The new database definition document is now displayed in your overview of data-

base definitions. The status of a database definition is shown under GLOBAL ->

DATABASE DEFINITIONS. Enabled documents are displayed with a green checkmark, disabled ones with a red X. Any documents not explicitly changed or documents from previous iQ.Suite versions are identified through the missing icon and treated in the same way as enabled documents.

The databases become visible in the menu under the corresponding modules

(e.g. BLACKLIST/WHITELIST DATABASE under WALL) in the iQ.Suite portals (Admin Portal and User Portal). The Admin Portal allows to manage all of the databases used and to keep an overview of the databases used in the jobs. Also, it is possible to set which databases are to be made available in the User Portal to which users. The databases that can be made available in the User Portal are listed under “Available Databases” on page 137.

All database types can be configured to enable access through the Admin Portal.

2. Refer to “Quarantine Configuration” on page 107.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 27 COMMON FUNCTIONS FOR ALL MODULES - ’GLOBAL’ CONFIGURATION AREA 

Persons with reading rights do not automatically have access to the defined  database. Access rights to the database have to be assigned through the ACL (refer to “Rights/Roles Concept in iQ.Suite User Portal” on page 136). Please note that the users need access rights to the Clerk database (g_del.nsf) in order to be able to access the database definition documents stored there. Simply enabling the Reader field in the database definition document is not sufficient. For further Information on individual database definition fields, please refer to the online help.

4.1.5 Access User Portal

With GLOBAL -> ACCESS USER PORTAL the access management function (ACL Manager) for the iQ.Suite User Portal (g_user.nsf) is opened. The User Portal allows users to access shared iQ.Suite databases. Depending on their applicable rights and roles they can perform specific actions and are allowed to manage their own user-related settings. Thus reduces the workload of the administrator, e.g. by moving quarantined emails to the users‘ mailboxes.

Certain databases can be made available to the users so that they can perform specific actions from the iQ.Suite User Portal (refer to “Available Databases” on page 137). These actions can be set differently for specific persons and groups3.

4.1.6 Licenses (User-Based)

Click on GLOBAL -> LICENSES to enter the users to be licensed for a specific module. It is thus possible to license individual modules for a limited number of users. Such a limitation is possible for mail jobs only.

Before a job is run, the iQ.Suite checks the sender/recipient list against the list of licensed users. If successful, the module’s job is executed – if not successful, the job is skipped. In the input form, specify the server, check the desired module and select the individual users or the group from the Domino Directory. Then save your entries. The new user license is now available in the overview.

3. For further Information on how to set up the User Portal, please refer to “iQ.Suite User Portal” on page 126.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 28 COMMON FUNCTIONS FOR ALL MODULES - ’GLOBAL’ CONFIGURATION AREA 

Click on REQUEST LICENSE to request a license by filling in a form. Proceed as  described under “Request License” on page 16. For further Information on license document fields, please refer to the online help.

4.1.7 Synchronization of the Licenses

The license database g_lisync.nsf can be used to minimize the manual effort for the administration of iQ.Suite licenses, especially in multi-server environments.

Path to the license database: ...\\data\iQSuite

Under GLOBAL -> LICENSES (SYNCHRONIZATION), you can import your license files (default: toolkit.lic or demo.lic) into the license database mentioned above by

using the IMPORT LICENSE button (at the top left), provided that these files are on your file system. The imported licenses are then automatically distributed by replication to all other iQ.Suite servers for which they are valid.

For each imported license file, a license document is generated. Example:

The license data is copied from the license file to the license document:

 Name: The document name is initially created as follows: License --- This name can be edited.

 Status: Use this setting to decide on whether to use or read in the license.

The following license data cannot be edited:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 29 COMMON FUNCTIONS FOR ALL MODULES - ’GLOBAL’ CONFIGURATION AREA 

 Customer: Licensee

 Domains or Servers: This shows the domains or servers for which the license can be used.

 Expiration: Date on which the license expires.

 Demo expiration, if nec. days since install.: Date until which the license is valid for unrestricted use of iQ.Suite (demo). If a number of days () is specified, the demo period will end days after iQ.Suite installation. After- wards and until the license expiration date, only the modules/components of iQ.Suite which are mentioned in the license file can be used.

The following setting options are available:

 Limit start time / Limit end time: If required, specify a start time and/or end time within the validity period of the license. Times which are ouside of this validity period will be ignored. In the latest case, the information contained in the license file will apply.

 Define servers / Define domains: You can restrict the servers / domains on which the license will be read in. For this, respectively use the arrow button to select entries from the license file. You can furthermore select other servers from the Domino Directory. Your selection will take effect as long as it is consistent with the information contained in the license file.

The license file is read in when iQ.Suite is started.

To display the license documents, the following views are available:  All by restricted servers / domains  All by restricted validity  All by serial number

4.1.8 License Logs

A license entry is generated for each user licensed for a specific module under

GLOBAL -> LICENSES. The LICENSE LOGS menu provides an overview of license entries sorted by modules.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 30 COMMON FUNCTIONS FOR ALL MODULES - ’GLOBAL’ CONFIGURATION AREA 

Click on REQUEST LICENSE to request a license by filling in a form. Proceed as  described under “Request License” on page 16.

4.1.9 Global Parameters

Under GLOBAL -> GLOBAL PARAMETERS you get access to cross-module parameter documents. With these documents you can set ToolKit parameters to change the general behavior of the iQ.Suite. The parameters set in this document are listed under the Key = Value(s) column.

Enabled parameter documents overwrite the parameters of the same name set in the notes.ini. The notes.ini parameters remain valid if no associated parameter overwrites them.

4.1.9.1 General Parameter Document

1. Check the pre-configured parameter documents of the standard configuration

under GLOBAL -> GLOBAL PARAMETER or select NEW -> GENERAL GLOBAL

PARAMETER to create a new document. Click on EDIT.

2. In the Basics tab, set the following: a) Enable the document. b) Under Server select the server to which the document applies. With the asterisk (*) the document is valid for all servers. tag">c) Under Key enter the notes.ini parameters4 and under Value(s) the corresponding notes.ini value.

3. Open the Advanced tab:

4. Refer to “Description of the Global Parameters (except Job Results)” on page 33.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 31 COMMON FUNCTIONS FOR ALL MODULES - ’GLOBAL’ CONFIGURATION AREA 

Use the Possible values field to limit the parameter value range and reduce the number of input errors by allowing specific input formats only. The value selected has an influence on the Value(s) field in the Basics tab.

 ‚Any Number Integer‘: Any integer is possible. No multiple entries.  ‚Any Number Float‘: Any floating point number is possible. No multiple entries.  ‚0 or 1‘: Only 0 or 1 is allowed. The display in the Basics tab changes to two option fields. Default: 0.  ‚Text‘: Any text is possible. No multiple entries.  ‚Text list‘: Any text is possible. Multiple entries are possible and need to be separated by comma, semicolon or line break.  ‚Selected text‘: If you select this option, enter the possible values in the Value list field. One of these values can later be selected in the Basics tab.

In a general parameter document, you can enter any notes.ini parameters listed  under “Description of the Global Parameters (except Job Results)” on page 33.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 32 COMMON FUNCTIONS FOR ALL MODULES - ’GLOBAL’ CONFIGURATION AREA 

4.1.9.2 Special Parameter Document

Special parameter documents, delivered with the iQ.Suite, simplify the configuration of parameters that belong together. These documents usually contain a predefined set of notes.ini keys with user-definable values.

For some applications, it is not possible to use the general parameter docu-

ments under NEW -> GENERAL GLOBAL PARAMETER. For application scenarios that must frequently be configured, you can use special parameter documents to facilitate the configuration of related parameters, for example, when configuring iQ.Clustering. These parameter documents normally contain multiple predefined notes.ini entries. You can change the associated values.

4.1.9.3 Description of the Global Parameters (except Job Results)

All global parameters except the parameters for job results are described in the appendix. Refer to “Appendix: Global Parameters (except Job Results)” on page 664.

Without the parameters set in the notes.ini, the iQ.Suite will not work. For further  Information, please refer to “notes.ini File” on page 8.

4.1.9.4 Description of the Global Parameters for Job Results

Parameter ‚*_WriteAttaResults‘ With these parameters, details on the processing of email attachments are written in the email's result field. With ‚0', no processing details are reported. Possible values: 0, 1. Default: 1.

ToolKit_JobResult_Crypt_WriteAttaResults Job: Crypt

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 33 COMMON FUNCTIONS FOR ALL MODULES - ’GLOBAL’ CONFIGURATION AREA 

ToolKit_JobResult_CryptImport_WriteAttaResults Job: Crypt Pro Import

Toolkit_JobResult_Decompress_WriteAttaResults Job: Convert Decompression

Toolkit_JobResult_PDFProtect_WriteAttaResults Job: Watchdog PDF Protection

Toolkit_JobResult_PDFSigning_WriteAttaResults Job: PDFCrypt File Signing/Encryption

Toolkit_JobResult_PDFVerification_WriteAttaResults Job: PDFCrypt Signature Verification

ToolKit_JobResult_Watchdog_WriteAttaResults Job: Watchdog

Parameter ‚*_WriteDetails‘

With these parameters, details on the email processing are written in the email's result field. With ‚0', no processing details are reported. Possible values: 0, 1. Default: 1.

Toolkit_JobResult_Action_WriteDetails iQ.Suite Action: Action Job

Toolkit_JobResult_Decompress_WriteDetails Job: Convert Decompression

Toolkit_JobResult_DLPAnalyse_WriteDetails Job: DLP Data Analyze

Toolkit_JobResult_PDFCrypt_WriteDetails Job: PDFCrypt Mail Encryption

Toolkit_JobResult_PDFProtect_WriteDetails Job: Watchdog PDF Protection

Toolkit_JobResult_PDFSigning_WriteDetails Job: PDFCrypt File Signing/Encryption

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 34 COMMON FUNCTIONS FOR ALL MODULES - ’GLOBAL’ CONFIGURATION AREA 

Toolkit_JobResult_PDFVerification_WriteDetails Job: PDFCrypt Signature Verification

Toolkit_JobResult_TrailerAdv_WriteDetails Job: Trailer Advanced

Toolkit_JobResult_Wall_WriteDetails Job: Wall

Other parameters for job results

Toolkit_JobResult_Action_WriteCallResults iQ.Suite Action: With this parameter, detailed results of the formula, system or agent call are written in the email's result field. With ‚0' no details are reported. Possible values: 0, 1. Default: 1. Exception: In case of email signing, no detailed results are written – irrespective of the parameter value.

Toolkit_JobResult_Action_WriteMode iQ.Suite Action: With this parameter, the execution mode (ACTION MAIL JOB ->

OPERATIONS TAB) is written in the email's result field. With ‚0' this mode is not reported. Possible values: 0, 1. Default: 1.

ToolKit_JobResult_Append When the result field already exists in an email, the field will not be overwritten but extended with the new values. With ‚0' the result field will be overwritten and existing data will be lost. Possible values: 0, 1. Default: 1.

ToolKit_JobResult_Crypt_WriteMode iQ.Suite Crypt: With this parameter, the processing mode set under JOB

DOCUMENT -> OPERATIONS -> MODE is written in the email's result field. With ‚0' this mode is not reported. Possible values: 0, 1. Default: 1.

ToolKit_JobResult_Crypt_WriteBodyResults iQ.Suite Crypt: With this parameter, details on the processing of the email body are written in the email's result field. With ‚0' no processing details are reported. Possible values: 0, 1. Default: 1.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 35 COMMON FUNCTIONS FOR ALL MODULES - ’GLOBAL’ CONFIGURATION AREA 

Toolkit_JobResult_PDFCrypt_WritePassword iQ.Suite PDFCrypt: With this parameter, the password used for a subset of the recipients is written in the job result (PDFCrypt Job). Possible values: 0, 1. Default: 1. With ‚0‘, the password is not written. With ‚1‘, the password is written if the parameter Toolkit_JobResult_PDFCrypt_WriteDetails is set to ‚1‘ as well.

Toolkit_JobResult_Wall_WriteCallResults iQ.Suite Wall: With this parameter, the found denied email recipients are written in the email's result field, in addition to the detailed results of the email processing (refer to Toolkit_JobResult_Wall_WriteDetails). With ‚0' no recipients are reported. Possible values: 0, 1. Default: 1.

ToolKit_JobResult_Watchdog_WriteBodyResults iQ.Suite Watchdog: With this parameter, details on the processing of an email body are written in the email's result field. With ‚0' no processing details are reported. Possible values: 0, 1. Default: 1.

ToolKit_JobResult_WriteJobName With this parameter, the job name is written in the email's result field. With ‚0' the job name is not reported. Possible values: 0, 1. Default: 1.

ToolKit_JobResult_WriteStart With this parameter, the starting time for email processing is written in the email's result field. With ‚0' the starting time is not reported. Possible values: 0, 1. Default: 1.

ToolKit_JobResult_WriteEnd With this parameter, the end time for email processing is written in the email's result field. With ‚0' the end time is not reported. Possible values: 0, 1. Default: 1.

4.1.9.5 Description of the Global Parameters (Client)

The following global parameters can be used to change client settings. Enter these in the notes.ini of the client:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 36 COMMON FUNCTIONS FOR ALL MODULES - ’GLOBAL’ CONFIGURATION AREA 

$Group.de_Language

$Group.de_Language sets the language of the administration console. Possible values: de, en

$Group.de_OnlineHelp_Server Parameter that allows the client to access the server‘s online help. Enter the path to the gmanual.nsf database.

4.1.10 Notification Templates

Under GLOBAL -> NOTIFICATION TEMPLATES you can define document templates for notifications, to re-use notification texts in several jobs. As an alternative, create a new template from within a job (New icon). After saving the template it is available under Selection. Notification templates are used, for instance, to inform a user that emails have been moved to the quarantine or to report job errors to administrators.

To select an existing notification template, select the job’s Operations tab and click the Selection icon in the Notification template field. Any changes to the template are automatically applied to the jobs that used this template.

The notification templates can be assigned to specific modules or all modules. When selecting a template from within a module, only the templates assigned to this module are visible (as well as the general templates). When you open a noti-

fication template with the OPEN VIEWER button you can check the template in a preview.

To simplify administration, it is possible to use placeholders/metasymbols in notifi-  cation templates. A list is provided under “Placeholders” on page 59. For further Information on individual notification template fields, please refer to the online help.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 37 COMMON FUNCTIONS FOR ALL MODULES - ’GLOBAL’ CONFIGURATION AREA 

4.1.11 Proxy Server

To use a a proxy server for internet downloads, the server configuration must be set in the iQ.Suite. Using a proxy server can be quite useful, in particular if you are using virus scanners or spam analyzers that require periodical pattern updates from the Internet.

If you have already specified the proxy server connection settings during the iQ.Suite installation, these proxy server settings are set correctly. Otherwise enter

the settings in the default configuration document under GLOBAL -> PROXY SER-

VER:

a) Under Server address enter the full name or IP address of the proxy server. b) Enter the Port number of the proxy server. This port is used for communication with the proxy server. c) Enter the User name and the Password used by the update service to log on to the proxy server.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 38 COMMON FUNCTIONS FOR ALL MODULES - STANDARD TABS FOR JOBS 

4.2 Standard Tabs for Jobs

Regardless of its purpose, each mail or database job provides a number of standard functions, which are part of all jobs. This section describes these general functions. The job descriptions later on do not describe these basic functions and are limited to job-specific functions.

The Basics, Misc and Comments tabs are available in each job.

4.2.1 Basics Tab - Mail Job

Sample Crypt mail job:

 Job name: This name is used to identify the job in the Notes log and in error messages. To avoid errors, do not use any of the following special characters: asterisk (*), quote ("), inverted comma ('), semicolon (;), comma (,), plus sign (+), backslash (\).  Status: For a job to be executed and taken into account by the iQ.Suite, it has to be enabled with the ‚Active‘ option. Disabled Jobs (‚Not active‘ option) won‘t be considered by the iQ.Suite.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 39 COMMON FUNCTIONS FOR ALL MODULES - STANDARD TABS FOR JOBS 

 Priority: The priority is used to set the processing order of individual jobs. The higher the priority, the sooner a job is executed. For instance, a job with the priority set to 1 000 will be run before a job with a priority of 900. In the classical administration console, the job is integrated into the job chain at the position corresponding to the priority set. To set up a sensible processing order, reflect about which functions need to be performed first. Refer to “Assigning Priorities (Job Chain)” on page 82.  Runs on: Sets if the job applies to all jobs or only to those that meet specific conditions, e.g. certain address conditions, rules, etc.:  ‚All mails‘: No restrictions. The job is run for all emails.  ‚Selected mails‘: The job is run for specific emails only. Use the subsequent fields to set the conditions according to which the emails to be processed by the job will be selected.  Attachment dependency: Set whether or not starting the job depends on whether the email contains a file attachment. With this the server load will be reduced.  ‚All‘: The job is started regardless of whether or not the email contains a file attachment.  ‚Only with attachment‘: The job only starts if the email contains a file attachment.  ‚Only without attachment‘: The job only starts if the email does not contain a file attachment.  Controls for rules: Job rules define the conditions emails have to fulfill to be executed from a job. In default jobs the required rules are preconfigured. If necessary use the icons to select and edit rules from within the job. Rules shown in green font are from previous versions (the Select, Deselect all, Edit and New icons may not appear in the document). In this case, click on Select and then OK in this selection dialog to update the rule, after which the remaining icons will also be available.  Positive selection rule dependency/ negated selection rule dependency: When checking whether or not a job is to be started for an email, the positive and negated rules are used to check the email’s properties. To this end the rules return either "True" or "False". The rules can also be applied in combi-

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 40 COMMON FUNCTIONS FOR ALL MODULES - STANDARD TABS FOR JOBS 

nation, in which case they are combined according to a Boolean operator (logical AND/OR).5  Rule Summary: In this example the job will run on ‚Selected mails‘. Accord- ing to the rule, these are all incoming emails sent via the Internet (Inet- Sender). In addition, the email must not come from the quarantine (MailResentFromQuarantine) and the sender must not be included in a whitelist (WLRuleAntiSpam). Please note that the quarantine rule only applies if the system time is the same on the server and the client. The emails that meet these criteria are checked for prohibited text in the subject field and the message text.  Rule execution mode: This field is displayed only if the ToolKit_UseDynamicRuleEvaluation parameter is enabled and set to

‚Yes‘ (GLOBAL -> GLOBAL PARAMETERS -> DYNAMIC RULE EVALUATION).  ‚Set in global parameter‘: All rules for this job are evaluated as set in the global parameter ToolKit_RuleEvaluationMode.6  ‚Just before job‘: All rules for this job are evaluated only once, right before the job is run - provided nothing else is set within the rules themselves.  ‚Before all jobs‘: All rules for all jobs are evaluated together before all jobs - provided nothing else is set within the rules themselves. Define in the following field what to do in case of an error in the rule evaluation7.

 Upon error in rule evaluation: Set the course of action if an error occurs during the evaluation of a rule:  ‚Do not run job‘: The job is not executed and the email is passed on to the next job in the job chain.  ‚Run job‘: The error is ignored and the job is executed without rule evaluation.  ‚Treat as job error‘: The error is treated in the same way as an error in the job. Refer to “Job is critical:” on page 49.

5. For further Information, please refer to “Execution Mode for Rules” on page 85. 6. Refer to the ToolKit_RuleEvaluationMode parameter under “Global Parameters” on page 31. 7. Refer to “Execution Mode for Rules” on page 85.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 41 COMMON FUNCTIONS FOR ALL MODULES - STANDARD TABS FOR JOBS 

 Job starts in a replicated environment on: Sets whether a job is to be run only once for a document. This function only applies to replicated environments.  ‚on all servers‘: In a replicated environment, the job is started on all servers involved. The email is processed several times.  ‚just once‘: In a replicated environment, the job is started once only. The email is processed once only.

 Process notifications: With this option enabled, a job can also process notifications which have been put in the job chain of the current server for further processing. Only the following notification types are concerned:

 Notifications for which the option ‘Notification to be processed by jobs’ was enabled in the Actions tabs of other jobs (Success, Warning and/or Error actions). The latter option is only available in certain jobs like, for example, in the DLP Data Analyze Job.  PDFCrypt password request emails if the option ‘Submit notification to all iQ.Suite jobs on this server‘ was enabled in the password manager.

If the Process notifications option is enabled, the notifications generated by the  current job cannot be processed by other jobs of the current server. The option ‘Notification to be processed by jobs’ in the job‘s Actions tabs will have no effect in this case.

 Valid for senders: (not available in each job) Define whether the job is to be executed only for certain sender addresses. Add the sender addresses to the list.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 42 COMMON FUNCTIONS FOR ALL MODULES - STANDARD TABS FOR JOBS 

4.2.2 Basics Tab - Database Job

Sample Watchdog database job:

 Status: For a job to be executed and taken into account by the iQ.Suite, it has to be enabled with the ‚Active‘ option. Disabled Jobs (‚Not active‘ option) won‘t be considered by the iQ.Suite.

 Execution mode: Set this field to ‘Event-driven’ if the job is to be started whenever something has been changed in the database, e.g. a new document is stored. Please note that event-driven database jobs may strongly affect the server performance. Use the ’Scheduled’ mode if the job is to be run in fixed intervals. In the Start time field, enter the date and time at which the job will be started for the first time. Then use the Interval fields to specify

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 43 COMMON FUNCTIONS FOR ALL MODULES - STANDARD TABS FOR JOBS 

the exact interval, e.g. daily at 11 PM. Exceptions on certain days of the week can be specified in the Advanced tab.

 Database selection: Specify the database(s) to which this job applies. To select all databases in the Notes ‚mail‘ directory, enter ’mail\*.nsf’. The job will run on all of the databases specified, for all new and modified documents. In the Except field, enter the databases to be excluded from processing through this job. You can enter several databases, each in a separate line. Paths must be specified relative to the Notes data directory. Using wildcards is possible. This way, it is possible to exclude all databases that match a specific name pattern.

 Selected documents: Define whether the job executes all documents or within the database or only those with certain conditions, e.g. certain address conditions, rules, etc.  ‚All documents‘: The job applies to all documents.  ‚Selected documents‘: The job applies to certain documents. Specify the conditions in the following fields. In this example the job applies to documents, with or without attachment, newly inserted in the database or modified since the last run of the job. Any documents already processed by the job in a previous run are ignored.

 Dependence on document edit status:  ‘All’: The job applies to all documents – no matter when they were created or last changed.  ‘Created once previous job run’: The job applies only to documents that were created since the last run of the job.  ‘Modified or created since previous job run’: The job applies only to documents that were created or modified since the last run of the job.  ‘Modified or created during preceding time span’: The job applies only to documents that were created or modified during the last days and hours.  ‘Modified or created during fixed time span’: The job applies only to documents that were created or modified between the selected start date and end date. With the ‘Specify times’ option, you can additionally select a time for the start and the end.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 44 COMMON FUNCTIONS FOR ALL MODULES - STANDARD TABS FOR JOBS 

 Dependence on attachment: Set whether or not starting the job depends on whether the email contains a file attachment. With this the server load will be reduced.  ‘All’: The job is started regardless of whether or not the email contains a file attachment.  ‘With attachment’: The job only starts if the email contains a file attachment.  ‘No attachment’: The job only starts if the email does not contain a file attachment.  Controls for rules: Job rules define the conditions emails have to fulfill to be executed from a job. In default jobs the required rules are preconfigured. If necessary use the icons to select and edit rules from within the job. Rules shown in green font are from previous versions (the Select, Deselect all, Edit and New icons may not appear in the document). In this case, click on Select and then OK in this selection dialog to update the rule, after which the remaining icons will also be available.  Dependence on positive selection rules / dependence on negated selection rules: When checking whether or not a job is to be started for an email, the positive and negated rules are used to check the email’s properties. To this end the rules return either "True" or "False". The rules can also be applied in combination, in which case they are combined according to a Bool- ean operator (logical AND/OR).8  Rule Summary: In this example the job will run on ‚Selected mails‘. Accord- ing to the rule, these are all incoming emails sent via the Internet (Inet- Sender). In addition, the email must not come from the quarantine (MailResentFromQuarantine) and the sender must not be included in a whitelist (WLRuleAntiSpam). Please note that the quarantine rule only applies if the system time is the same on the server and the client. The emails that meet these criteria are checked for prohibited text in the subject field and the message text.  Rule Summary: If the job executes several rules in combination a rule summary is displayed in this field.

8. For further Information, please refer to “Execution Mode for Rules” on page 85.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 45 COMMON FUNCTIONS FOR ALL MODULES - STANDARD TABS FOR JOBS 

4.2.3 Selection Tab (only in particular jobs)

The Selection tab, part of the Operations tab, is available only in particular jobs,  e.g. in the Connect jobs, Convert jobs and in the PDFCrypt Mail Encryption job.

Use this tab to filter the email attachments, i.e. to restrict the number of attachments to be processed by specifying attachment sizes and types:

Example in Convert Compression Job:

 Attachment size has to be greater/smaller than ... KB: The file attachments can be filtered by file size. For this, use the appropriate fields to specify a minimum and/or maximum size. Only the attachments the size of which corresponds to your settings will be processed by the job.

 Selected file types: The file attachments can be filtered by file type: Use this option to specify for which file types (fingerprints) the job shall be executed or for which it shall not be executed (exceptions).

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 46 COMMON FUNCTIONS FOR ALL MODULES - STANDARD TABS FOR JOBS 

4.2.4 Actions

It depends on the tab when which actions will be executed. Examples:

 Success Actions: Actions in case of successful job processing  Error Actions: Actions in case of failed job processing  Warning: Actions in case of warnings  Restricted Actions: Actions which are executed when not allowed elements are found in a checked PDF.

Additional Actions

To add one or more of the following additional actions, click on ADD:

 Notification to ...: Decide on who will receive a notification and which notification. For this, use notification templates9. A notification can be sent to the following persons:

 administrator  sender of the email (except in the Crypt Pro Import Job)  all recipients of the email (except in the Crypt Pro Import Job)  selectable recipients

9. Refer to “Notification Templates” on page 37.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 47 COMMON FUNCTIONS FOR ALL MODULES - STANDARD TABS FOR JOBS 

Example for ‚Send notification to all recipients of email‘:

For notifications, further options are available:

 ‘Notification to be processed by jobs‘: Use this option to determine for each person group individually (administrator, sender, recipient) whether the notifications generated by this job are to be processed by other jobs on the current server. Only the jobs with the Process notifications option enabled (Basics tab) are concerned.

The option ‘Notification to be processed by jobs’ will have no effect if the option  Process notifications is enabled in the same job. In this case, the notification will not be processed by other jobs on this server. Refer to “Process notifications:” on page 42.

 ‘ 

 Copy email to quarantine before/after processing: This action which can be used to copy emails to a quarantine is available in addition to the standard action of the same name. This makes it possible to copy an email to several different quarantines. Unlike the behavior of the standard action, you can here decide on whether the email will be copied to the selected quarantine (Quarantine configuration field) ‘after processing’ or ‘before processing’. Furthermore, you can here specify a Category under which the email will be displayed in the Quarantine view.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 48 COMMON FUNCTIONS FOR ALL MODULES - STANDARD TABS FOR JOBS 

4.2.5 Misc Tab

Example with a Wall Mail Job:

 Server: Enter an asterisk (*) to enable the job for all servers. You can also specify several individual servers, each in a separate line.  Server exceptions: Use this field to create a server list, each in a separate line. For each server on the list, the job is not valid.  Monitored servers: Especially for iQ.Clustering, this field is relevant. Refer to “iQ.Clustering / Monitored Server Operation” on page 13.  Runs on OS: Select the operating systems the job is to be executed from the checkbox dialog.  Email address of the administrators: iQ.Suite notifications are sent to this email address. By default the placeholder %Admin% is set. With this ‚iQ.Suite- Admin‘ group defined in the ToolKit_Admin parameter in the notes.ini is used. Refer to “Placeholders” on page 59.  Log level: Use this field to set the log level of the g_log.nsf. The most detailed level you get with value ‚9‘. This setting can be useful, for instance, for troubleshooting. In productive operation, we recommend to set the log level to ‚6‘, as set by default in the ToolKit_LogLevel parameter in the notes.ini.  Job is critical: This setting is used to define a job as "critical". This allows to set whether or not initialization or runtime/processing errors can be ignored by the Grabber.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 49 COMMON FUNCTIONS FOR ALL MODULES - STANDARD TABS FOR JOBS 

 ‚No‘: The job is not critical. If an error occurs during the initialization or execution of the job, the job is ignored and the email/document is passed to the next job in the job chain. If the error occurs for several emails, the job is disabled.  ‚Upon initialization or execution error‘: The job is critical. If an error occurs during the initialization or execution of the job, the system is restarted. The emails/documents remain in the mail.box. If an error repeatedly occurs during the initialization or execution of the job, the job is disabled.  ‚Upon initialization error‘: The job is critical. If an error occurs during the initialization of the job, the system is restarted. If an error repeatedly occurs during the initialization of the job, the job is disabled.

 Email field for job result10: This field allows subsequent jobs to react to the job results of the current job. For this, the field entered in this field is written to the email at the end of the job processing. A subsequent job can react to this field and can process the email in a certain way. If the field is empty, no field is written to the email. If the field name starts with X_ the field is written in the email. After SMTP transport, this field will still be available in the email. For a description of the possible job results, please refer to “Appendix: Job Results” on page 705.

 Quarantine configuration: Specify how quarantined emails are handled. To do this, select the desired configuration document for the quarantine configu- ration11.  Utilities database (optional field): In some jobs, a preconfigured database is used to access external programs and configuration documents.  Memo from: As the sender of iQ.Suite notifications, the corresponding server is entered by default (%SERVER%). If there are multiple servers, this makes it easier to identify the server from which the notification originates.  Reply to: Enter an email address that local users can use if they receive system notifications. If recipients reply to system notifications with "Reply", this email address is used as the recipient address. By default, the placeholder

10. This option is only available in certain Mail Jobs. 11. For further Information on quarantine configuration, please refer to “Quarantine Configuration” on page 107.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 50 COMMON FUNCTIONS FOR ALL MODULES - ACTIONS IN IQ.SUITE JOBS 

%Admin% is set in order to use the group 'iQ.Suite-Admin' stored in the notes.ini under ToolKit_Admin.

4.2.6 Comments Tab

We recommend to note custom configuration settings and modifications in this tab.

4.3 Actions in iQ.Suite Jobs

In some jobs, action sequences can be used to configure actions in different tabs, e.g. in the Success Actions, Error Actions, Warning, Restricted Actions, and Malformed PDF Actions tabs.

In most jobs, the following actions are available12:

It depends on the tab when which actions will be executed. Examples:

 Success Actions: Actions in case of successful job processing

12. The job-specific actions are described in the section relative to the respective job.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 51 COMMON FUNCTIONS FOR ALL MODULES - ACTIONS IN IQ.SUITE JOBS 

 Error Actions: Actions in case of failed job processing  Warning: Actions in case of warnings  Restricted Actions: Actions which are executed when not allowed elements are found in a checked PDF.

4.3.1 Standard Actions

The following standard actions are available:

 Copy email to quarantine: If you want the email to be copied to a quarantine, select this option and choose in the drop-down list the desired Quaran- tine configuration. In case of a successful processing, the email is copied to the quarantine after processing; in case of a failed job processing it is copied like it was before processing. You can additionally specify a Category, under which the email document (email copy) will be displayed in the Quarantine view. This category corresponds to the Category in Quarantine report displayed in the email docu-

ment (ORIGINALS) and in the Quarantine report (REPORTS).

 Delete email: The email is deleted from the mail server and not delivered to the recipient. Usually, this option is only used after the email has been copied to the quarantine. Otherwise, the deletion is irrevocable.

4.3.2 Additional Actions

To create an additional action, click ADD:

 Notification to: Specify who should receive which notification:  Administrator  Sender of the email (except in the Crypt Pro Import Job)  All recipients of the email (except in the Crypt Pro Import Job)

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 52 COMMON FUNCTIONS FOR ALL MODULES - ACTIONS IN IQ.SUITE JOBS 

 Selectable recipients

For a description of the options which are displayed after that, refer to Options for ‘Notification to ...’: and “Special Option: Send notification just once” on page 54.

Options for ‘Notification to ...’:

Example for ‘Send notification to all recipients of email’:

 Sende notification to ...: Select the desired notification template13.

 Notification to be processed by jobs: Use this option to determine for each person group individually (administrator, sender, recipient) whether the notifications generated by this job are to be

13. Refer to “Notification Templates” on page 37.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 53 COMMON FUNCTIONS FOR ALL MODULES - ACTIONS IN IQ.SUITE JOBS 

processed by other jobs on the current server. This only concerns the jobs with the Process notifications option enabled (Basics tab).

This option will have no effect if the option Process notifications is enabled in  the same job. In this case, the notification will not be processed by other jobs on this server. Refer to “Process notifications:” on page 42.

 Use a custom sender address: By default, the name of the iQ.Suite server is automatically used as the sender of notifications. Use this option if you want to specify another sender address for the notifications (selection via the Domino Directory or free input in the Use free text field).

 Recipient (only for ‘Send notification to selectable recipients’): Specify which recipients should receive the notification.

 Append as inline notification (only if ‘Send notification to all recipients of email’ is selected): If you want the notification not to be sent in a separate email, but be added into the original email, enable this option. Then, select whether to insert the text of the notification ‘At the top’ or ‘At the bottom’ of the original message body.

 Send notification just once (only if ‘Send notification to all recipients’ is selected): refer to “Special Option: Send notification just once” on page 54.

4.3.3 Special Option: Send notification just once

The Send notification just once option is only available if a Notification to all recipients is to be sent in case of success.

Furthermore, this feature is available only for the following job types:

 PDFCrypt Mail Encryption  PDFCrypt File Signing/Encryption  Convert Compression  Convert Decompression

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 54 COMMON FUNCTIONS FOR ALL MODULES - ACTIONS IN IQ.SUITE JOBS 

The option mentioned above is displayed in the dialog under ->

OPERATIONS -> SUCCESS ACTIONS -> ADDITIONAL ACTIONS -> NOTIFICATION TO ALL

RECIPIENTS OF EMAIL:

4.3.3.1 Mail Status Database

For this feature, the database g_mail_status.nsf (in iQ.Suite Data directory) is used. This database stores the information on whether and when a recipient has received a recipient notification. This data allows the one-time notification for passwords.

If the option Send notification just once is enabled and an entry already exists in the database, the corresponding notification of the same password is not resent.

In case of a database change, please note that the (one-time) notifications will  be resent if the data is not transferred to the new database.

You can open the Mail Status database. In the database view, the existing entries are listed:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 55 COMMON FUNCTIONS FOR ALL MODULES - ACTIONS IN IQ.SUITE JOBS 

You can delete entries if you want a notification to be resent for a password-sender-recipient combination. In the database properties, you can configure that documents are to be automatically deleted after a defined time if they are not updated.

 Sender lists the senders for whose emails notifications have been sent just once. The sender of a notification can vary since, for example, a variable can be used for the sender address of the email for which this notification is sent.

If you want that the one-time sending of the notification also depends on the sender, i.e. if from different senders respectively just one notification is sent to a certain recipient, then the Sender column shows the senders.

If the one-time sending of the notification does not depend on the sender, the column remains empty.

 Recipient lists the recipients who already received a notification.

 Time is the time and date when a notification was sent.

Important note: The entry in the database is created before the notification is sent. If an error occurs for a notification, you must delete the entry if you want the notification to be resent.

 NotificationKey is the notification key whose parts depend on the type of the notification (password or not):  Password notification: The notification key is the Universal Note ID of the notification template.  Other notification: The notification key is the Universal Note ID of the notification template, followed by a slash and the Universal Note ID of the job in which the notification action is configured.

 Key is calculated based on all data mentioned above and the password, so that different keys are calculated for different senders (if the sender is relevant) and/or different recipients and/or different passwords. This ensures that the notifications are sent according to your settings in the job.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 56 COMMON FUNCTIONS FOR ALL MODULES - ACTIONS IN IQ.SUITE JOBS 

4.3.3.2 Settings in the Job

 Send notification just once: Determine whether the recipients are to be notified just once or for each email.

 Per password: With this option enabled, the notification is sent just once per password. If the password is changed, the notification is resent. It‘s not necessary that the notification contains a password. If several jobs use the same notification template, only one notification for all jobs together is sent for the same recipient (if the Per sender option is enabled as well, then also for the same sender) and same password.

If this option is not enabled, a notification is sent just once for each job. The notification is not resent if the password is changed.

In case of several jobs in which sending a password is enabled, the notification  of the job which has processed the email first is sent. Therefore, we recommend to make the same settings in all concerned jobs. The used notification messages should be appropriate for all jobs.

 Per sender: Determine whether the one-time notification shall also depend on the sender. If yes, the recipient notification is resent for each new sender.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 57 COMMON FUNCTIONS FOR ALL MODULES - CONFIGURATION DOCUMENTS 

Example:

Two employees of a bank are in charge of customer X. Employee A sends an email encrypted with password 1 to customer X. After that, employee B sends an email also encrypted with password 1. If these employees work in different locations with different domains, the customer may not be aware of the fact that the same password has been used for the email from employee B. With the Per sender option enabled, you can go around the problem described above.

4.4 Configuration Documents

The iQ.Suite is configured through configuration documents. All documents displayed in the iQ.Suite console represent configuration documents. Thus, mail and database jobs consist of configuration documents, just as rules, utilities (virus scanners, file restrictions, unpackers, etc.), quarantine configurations, notifications, etc.

4.4.1 Program Calls in iQ.Suite

In some configuration documents (e.g. unpackers, Crypt Engines, Convert Com- mand Line), it is possible to enter parameters for program calls. If so, please consider the following notes:

In case of program calls which contain parameters with spaces, quotation marks must be set around the parameters.

In case of program calls per cmd.exe under Windows, quotation marks must additionally be set around the entire command.

Positive example in the GnuPG engine:

/C ""C:\Program Files (x86)\GNU\GnuPG\gpg.exe" --homedir "C:\Program Files (x86)\GNU\GnuPG\Keyring" --batch --yes --output "%o"

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 58 COMMON FUNCTIONS FOR ALL MODULES - CONFIGURATION DOCUMENTS 

--recipient %recipients% --armor --encrypt "%i" >"%r" 2>&1"

4.4.2 Placeholders

In various places in the configuration documents, it is possible to use placeholders, which are replaced with corresponding values at runtime. Please note the only the most current placeholders are described hereafter. For further informa-

tion, please refer to the HELP.

Observe the following syntax: %ItemName%; ItemName stands for the content of the field in the document to be processed.

4.4.2.1 Placeholders in iQ.Suite Clerk

The following variables can be used in: Clerk absence notifications and retroactive absence notifications:

Variable Description

CLERK Is replaced with the recipient of the forwarded email (deputy or subs-

DELEGATE titute). Multiple addresses are separated by a comma.

DEPUTY

VERTRETER

ADJOINT

DEPUTY_NAME Is replaced with all what preceeds the first slash of the abbreviated full name (user name) specified in the the adress book entry of the deputy.

DEPUTY_USERNAME Is replaced with the abbreviated full name (user name) specified in the the adress book entry of the deputy.

DEPUTY_INTERNET Is replaced with the Internet address specified in the the adress book entry of the deputy.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 59 COMMON FUNCTIONS FOR ALL MODULES - CONFIGURATION DOCUMENTS 

Variable Description

DEPUTY_FULLNAME Is replaced with the full name specified in the the adress book entry of the deputy.

DEPUTY_FIRST_ Is replaced with the first name, byname and last name specified in MIDDLE_LASTNAME the adress book entry of the deputy.

START-DATE In the front-end, it is replaced with the start date of the forwarding.

The date format of the client is used.

Start-Date In the back-end, it is replaced with the start date of the forwarding.

The date format of the server is used.

START-TIME In the front-end, it is replaced with the start time of the forwarding.

The format of the client is used.

START-ZONE In the front-end, it is replaced with the time zone for the start time of the forwarding.

The format of the client is used.

END-DATE / In the front-end, it is replaced with the forwarding end date. The date FINAL-DATE format of the client is used.

Final-Date In the back-end, it is replaced with the forwarding end date. The date format of the server is used.

END-TIME In the front-end, it is replaced with the end time of the forwarding.

The format of the client is used.

END-ZONE In the front-end, it is replaced with the time zone for the end time of the forwarding.

The format of the client is used.

 All placeholders are case-sensitive.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 60 COMMON FUNCTIONS FOR ALL MODULES - CONFIGURATION DOCUMENTS 

Abbreviated full name:  Here, “abbreviated” means that the acronyms "CN=", "O=", etc. are removed from the name. Address book entry of the deputy:

If the deputy does not exist in the address book or the corresponding field in the address book entry is not set, the original address from the Clerk forwarding document is used.

Start date/End date of the forwarding:  Replacing the placeholders in the back-end is required if the Clerk documents are not created by a user interaction, but created by agents which have not filled in the required times in the desired format.

The following variables can be used in Clerk Info emails and partially in calendar entries:

Variable Description

ABSENTEE By default, ABSENTEE is replaced with the name of the absentee

ABSENTEE2 and ABSENTEE2 with the Internet address of the absentee. ABSENTEE can also be used in calendar entries.

The global parameter Toolkit_Clerk_InfomailAbsenteeFormat / Toolkit_Clerk_InfomailAbsentee2Format determines the format of the variable.

For information on the possible formats, refer to the description of the global parameters.

CLERK_FORWARDING_ Is replaced with a Notes link which refers to the forwarding document LINK for which the Info emails are sent.

DEPUTY DEPUTY is replaced by default with the name and DEPUTY2 with

DEPUTY2 the Internet address of the deputy. The global parameter Toolkit_Clerk_InfomailDeputy2Format / Toolkit_Clerk_InfomailDeputy2Format determines the format of the variable.

For information on the possible formats, refer to the description of the global parameters.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 61 COMMON FUNCTIONS FOR ALL MODULES - CONFIGURATION DOCUMENTS 

FORWARDING_ACTION Is replaced with a text which can be specified by the administrator in the global Clerk Database Settings for each person type for the forwarding and non-forwarding cases.

MAILTYPE Is replaced with a text which can be specified by the administrator in the global Clerk Database Settings for the first info email, the reminder email, the update email as well as for the presence emails.

STARTTIME In Clerk Info emails and in calendar entries created by Clerk, this

ENDTIME variable is replaced with the start time / end time of the absence.

SUMMARY In the Clerk Info presence email sent to the absentee when he comes back, this placeholder is replaced with the text specified by the administrator in the global Clerk Database Settings or with a list of the emails which were addressed to the absentee and have been processed by Clerk (in table form).

In case no emails have been processed by Clerk during absence, the text specified by the administrator is used.

In case emails have been processed, the placeholder is replaced with a table. For this, the administrator can specify the titles of the table columns in the global Clerk Database Settings.

Using the parameter Toolkit_Clerk_InfomailMaxSummaryEntries, the administrator can define the maximum number of emails to be listed in the table. If more emails have been processed, the last table row contains dots : "...".

This placeholder works, only if the Clerk log is enabled. Otherwise, no emails can be listed.

4.4.2.2 Placeholders in Wall Content und Watchdog Pro

The following variables can be used in notifications in Wall Content, Watchdog Virus Scanning Pro and Watchdog Attachment Filtering Pro, and in the job configuration in the Variable for analysis results field if using the ‘Add X-token to email’ or ‘Add Notes field to email’ action:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 62 COMMON FUNCTIONS FOR ALL MODULES - CONFIGURATION DOCUMENTS 

Variable Description

Domain Domain of the server on which the job with the action sequence is being executed.

GrabberName Name of the Grabber which executes the job to which the currently executed action sequence belongs. In case of iQ.Suite, the name is „MailGrabber“ or „DatabaseGrabber“. In the OEM case, other names can be used.

JobType Type of the job to which the currently executed action sequence belongs. Corresponds to the content of the FormLabel field in the job configuration document, e.g. “Wall Content Mail Job”.

JobUNID Universal Note ID of the job configuration document to which the currently executed action sequence belongs.

Module Name of the module of the jobs to which the currently executed action sequence belongs (e.g. “Wall”).

Server Server name of the server on which the job with the currently executed action sequence is executed.

ServerAbbrev Short server name of the server on which the job with the currently executed action sequence is executed.

TaskName Task name in which the job with the currently executed action sequence is executed.

4.4.2.3 Other Placeholders

%ADMIN% Placeholder for the value of the ToolKit_Admin parameter in the server’s notes.ini file. Can be used in: mail jobs, database jobs, address rules, Clerk in redirection and forwarding documents (as a redirection or forwarding target).

%ARCH_CATEGORY% The quarantine category configured in the job.

Can be used in: WALL QUARANTINE NOTIFICATION JOBS -> ADVANCED TAB->

‘DETAILS’ FIELD (visible only if Link mode is set to ‘Advanced’) and ‘HTML TABLE

ROW’ FIELD (visible only if Table mode is set to ‘Advanced’).

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 63 COMMON FUNCTIONS FOR ALL MODULES - CONFIGURATION DOCUMENTS 

%BLOCKCOMMENT% This placeholder can be used in the context of the dual control check with Smart Review. Normally, it is put in the notification addressed to the sender in the rejection case and is replaced with the rejection reason, i.e. the default text from the Review Options or the text specified by the Reviewer (delegate). Can be used in: Smart Review notification template used to notify the sender in case of rejection.

%CERTIFICATES% Program call parameter that should not be changed. For a description refer to the

HELP. Please note that this parameter is not expanded to %STANDARD_SMIME_PARAMETERS% in S/MIME engines.

%CHECK_DETAILS% Details of the analysis (why was the email quarantined – with CORE for example “SPAM-EN=98”).

Can be used in: WALL QUARANTINE NOTIFICATION JOBS -> ADVANCED TAB->

‘DETAILS’ FIELD (visible only if Link mode is set to ‘Advanced’) and ‘HTML TABLE

ROW’ FIELD (visible only if Table mode is set to ‘Advanced’).

%COMSPEC% Specifies a concrete path and is replaced with content of the COMSPEC environment variable. Can be used in: Configuration documents for engines (under Windows only).

%Crypt_NumberImported% Replaced with the number of successfully imported S/MIME certificates or PGP keys. Can be used in: Crypt Pro Import Mail Jobs for the notification sent in case of successful import.

%Database% Path to the currently processed database in database jobs (e.g. mail\user1.nsf) or server Mail.box in mail jobs (e.g. mail.box). Can be used in: notifications templates.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 64 COMMON FUNCTIONS FOR ALL MODULES - CONFIGURATION DOCUMENTS 

%DataDir% Placeholder for the value of the ToolKit_DataDir parameter (iQ.Suite data directory). Can be used in: mail jobs, database jobs, Crypt engine (S/MIME).

%DataDirABS% Placeholder for absolute path of iQ.Suite data directory. Can be used in: parameters for Converters and Analyzers, Bridge.

%Date% Timestamp in the filename of the PGP-encrypted email containing the message body.

Can be used in: CRYPT JOBS -> OPERATIONS TAB -> SETTINGS -> ‘FILE NAME FOR

ATTACHMENT‘ FIELD.

%DATE% The date on which the email was quarantined.

Can be used in: WALL QUARANTINE NOTIFICATION JOBS -> ADVANCED TAB->

‘DETAILS’ FIELD (visible only if Link mode is set to ‘Advanced’) and ‘HTML TABLE

ROW’ FIELD (visible only if Table mode is set to ‘Advanced’).

%DBPATHNAME% Path of the quarantine database.

Can be used in: WALL QUARANTINE NOTIFICATION JOBS:

1. ADVANCED TAB-> ‘DETAILS’ FIELD (visible only if Link mode is set to ‘Advanced’) and ‘HTML TABLE ROW’ FIELD (visible only if Table mode is set to ‘Advanced’).

2. OPERATIONS TAB -> NOTIFICATION -> TEXT BEFORE/BELOW TABLE.

%DeliverDate% Calculated delivery date and time for a delayed email. Can be used in: Smart, sender notifications.

%DiskSpace% Free disk space on the archive drive of Safe.

Can be used in: SAFE MAIL JOBS -> ADVANCED TAB -> ‘NOTIFICATION FOR LACKING

DISK SPACE IN FOLDER’ FIELD.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 65 COMMON FUNCTIONS FOR ALL MODULES - CONFIGURATION DOCUMENTS 

%DOCUNIID% The Notes unique ID of the quarantined document.

Can be used in: WALL QUARANTINE NOTIFICATION JOBS -> ADVANCED TAB->

‘DETAILS’ FIELD (visible only if Link mode is set to ‘Advanced’) and ‘HTML TABLE

ROW’ FIELD (visible only if Table mode is set to ‘Advanced’).

%ExecDir% Placeholder for the value of the ToolKit_ExecDir parameter in the server’s notes.ini (iQ.Suite program directory). Can be used in: mail jobs, database jobs

%ExtractedURL% Can be used in: Notification templates for URL Scanning. List of the URLs which have been extracted from plaintext and HTML bodies of emails. Every URL is displayed in a separate line.

The output URLs can be clicked in most of the email clients, which can have  undesired consequences. To prevent this, we recommend to use the placeholder %ExtractedURLSec%.

%ExtractedURLCount% Can be used in: Notification templates for URL Scanning. Number of URLs which have been extracted from plain-text and HTML bodies of emails.

%ExtractedURLSec% Can be used in: Notification templates for URL Scanning. The description of %ExtractedURL% applies for this placeholder as well. Howe- ver, here all characters of the URLs are separated with a blank in order to prevent from clicking the suspicious URLs. Example: www.mycompany.com -> w w w . m y c o m p a n y . c o m.

%from% Program call parameter. Email address of the sender. The corresponding value is set at runtime. Can be used in: Watchdog in Subject of the Administrator notification issued in case of a virus; Crypt.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 66 COMMON FUNCTIONS FOR ALL MODULES - CONFIGURATION DOCUMENTS 

%FROM% Sender of the quarantined message.

Can be used in: WALL QUARANTINE NOTIFICATION JOBS -> ADVANCED TAB->

‘DETAILS’ FIELD (visible only if Link mode is set to ‘Advanced’) and ‘HTML TABLE

ROW’ FIELD (visible only if Table mode is set to ‘Advanced’).

%HEADER% Contains the logo, module name and server. Can be used in: notification templates.

%HOSTNAME% Full Qualified Internet Hostname (e.g. machine.domain.com).

Can be used in: WALL QUARANTINE NOTIFICATION JOBS:

1. ADVANCED TAB-> ‘DETAILS’ FIELD (visible only if Link mode is set to ‘Advanced’) and ‘HTML TABLE ROW’ FIELD (visible only if Table mode is set to ‘Advanced’).

2. OPERATIONS TAB -> NOTIFICATION -> TEXT BEFORE/BELOW TABLE.

%i Program call parameter that should not be changed. For a description refer to the

HELP.

%ISSUERPASSWORD% Program call parameter that should not be changed. For a description refer to the

HELP.

%JOBNAME% Name of the job. Can be used in: notification templates.

%LOCAL% Local Notes domain of the server. Corresponds to the "Domain" entry in the notes.ini of the server. Can be used in: address rules, Clerk in redirection and forwarding documents (not as a redirection or forwarding target), Wall (address checking).

%LOCALDOMAIN% Local Notes domains of the server entered in the ToolKit_LocalDomains parameter.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 67 COMMON FUNCTIONS FOR ALL MODULES - CONFIGURATION DOCUMENTS 

Can be used in: configuration documents.

%LOGO% Logo name. Can be used in: notification templates.

%Mail_CopyTo% Recipients of an email listed in the cc field. Can be used in: notification templates.

%Mail_From% Sender of an email. Can be used in: notification templates.

%Mail_PostedDate% vs. %PostedDate% %PostedDate% indicates the sent date of the email in the local time, i.e. according to the time zone of the iQ.Suite server (e.g. UTC for Universal Time Coordinated). The time zone is not specified. %Mail_PostedDate% is replaced with the sent date of the email with indication of the time zone from which the email has been sent.

For the sent date, the date format set on the operating system of the iQ.Suite is used, e.g. TT.MM.JJJJ or JJJJ-MM-TT.

Can be used in: notification templates.

Example: David Galler from England sends at 4:44:06 PM (local time in England) an email to Anna Glenn / Germany. In the notification to Mrs. Glenn, the placeholder is replaced as follows: Instead of %PostedDate%: 2016-08-12 17:44:06 Instead of %Mail_PostedDate%: 2016-08-12 16:44:06 UTC

%Mail_Recipients% Recipients of the email. Can be used in: notification templates.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 68 COMMON FUNCTIONS FOR ALL MODULES - CONFIGURATION DOCUMENTS 

%Mail_SendTo% Recipients of the email. Can be used in: notification templates

%Mail_Subject% Subject line of the email. Can be used in: notification templates.

%MailInfo% Email information, including among others sender, recipients, date and time. Can be used in: notification templates.

%MODULE% Module name, e.g. Watchdog, Wall. Can be used in: notification templates.

%o Program call parameter that should not be changed. For a description refer to the

HELP.

%PASSWORD% Program call parameter that should not be changed. For a description refer to the

HELP. Can also be used in notification templates (PDFCrypt and Convert) to display the password as text.

%PATTERN% The time and date in the configuration document for delayed messages. Can be used in: Smart configuration.

%PFX% Program call parameter that should not be changed. For a description refer to the

HELP.

%PFXISSUER% Program call parameter that should not be changed. For a description refer to the

HELP.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 69 COMMON FUNCTIONS FOR ALL MODULES - CONFIGURATION DOCUMENTS 

%PostedDate% Refer to “%Mail_PostedDate% vs. %PostedDate%” on page 68.

%QuarantineCategory% Quarantine category. Can be used in: notification templates.

%QuarantineOrigLink% Link to the quarantine original document. Can be used in: notification templates.

%QuarantineReport% Quarantine report. Can be used in: notification templates.

%QuarantineReportLink% Link to the quarantine report document. Can be used in: notification templates.

%QuarantineReportShort% Replacing “File Report" (Watchdog) and "Summary Report" (Wall). Can be used in: notification templates in Watchdog, Wall.

%RECIPIENTS% Recipient address of the quarantined email.

Can be used in: WALL QUARANTINE NOTIFICATION JOBS -> ADVANCED TAB->

‘DETAILS’ FIELD (visible only if Link mode is set to ‘Advanced’) and ‘HTML TABLE

ROW’ FIELD (visible only if Table mode is set to ‘Advanced’).

%recipients% Program call parameter that should not be changed. For a description refer to the

HELP. Please note that this parameter is not expanded to %STANDARD_SMIME_PARAMETERS% in S/MIME engines.

%ReplicaID% or %ReplikID% Links to the documents of the quarantine summary notification. Both variables can be used to identify the databases.

Can be used in: WALL QUARANTINE NOTIFICATION JOBS:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 70 COMMON FUNCTIONS FOR ALL MODULES - CONFIGURATION DOCUMENTS 

1. ADVANCED TAB-> ‘DETAILS’ FIELD (visible only if Link mode is set to ‘Advanced’) and ‘HTML TABLE ROW’ FIELD (visible only if Table mode is set to ‘Advanced’).

2. OPERATIONS TAB -> NOTIFICATION -> TEXT BEFORE/BELOW TABLE.

%RequestPassword% Can be used in: PDFCrypt notification templates. This placeholder is replaced with the string which is required to request the password of the encrypted PDF. Also refer to %RequestPasswordRecipient%.

%RequestPasswordRecipient% Can be used in: PDFCrypt notification templates. This placeholder is replaced with the email address which is specified in the Password Management under Address for reply. In order to request the password of the encrypted PDF, the recipient has to insert the string of the placeholder %RequestPassword% into a new email and then send this email to this address. This email must contain the string of the placeholder %RequestPassword%.

%REVIEWDOCLINK% Replaced with a Notes document link to the email document in the Review database. Can be used in: notifications templates in Smart Review.

%ScannerInfo% Show scanners used. Can be used in: notification templates in Watchdog.

%SERVER% Short server name. Example: Server on which the quarantined documents are stored.

Can be used, for example, in: notification templates, and in WALL QUARANTINE

NOTIFICATION JOBS:

1. ADVANCED TAB-> ‘DETAILS’ FIELD (visible only if Link mode is set to ‘Advanced’) and ‘HTML TABLE ROW’ FIELD (visible only if Table mode is set to ‘Advanced’).

2. OPERATIONS TAB -> NOTIFICATION -> TEXT BEFORE/BELOW TABLE.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 71 COMMON FUNCTIONS FOR ALL MODULES - CONFIGURATION DOCUMENTS 

%ServerCommonName% Common Name part of the short server name. Please note that this placeholder should however not be used if the server name contains spaces because spaces in the name of the temporary directory can cause problems. Can be used in: notification templates and in the value of the global parameter ToolKit_ExclusiveTempDir.

%ServerFullName% Full server name. Can be used in: notification templates.

%STANDARD_SMIME_PARAMETERS% Used in S/MIME engine documents and expanded to all standard parameters for the corresponding S/MIME mode. Optional parameters can be specified after the placeholder. %STANDARD_SMIME_PARAMETERS% is inserted for each S/MIME parameter string, after which the duplicate parameter is removed. Parameters with different values can be kept after %STANDARD_SMIME_PARAMETERS% and overwrite the corresponding default values of the parameters. Exception: --certificates and --recipients cannot be overwritten.

Can be used in: CRYPT S/MIME ENGINES -> SETTINGS TAB.

%SUBJECT% In the email subject line, is replaced with the text specified in the subsequent Text field.

Can be used in: CLERK DOCUMENT -> OPERATIONS TAB -> ’SUBJECT’ FIELD (also iQ.Suite User Portal) and in WALL QUARANTINE NOTIFICATION JOBS -> ADVANCED

TAB-> ‘DETAILS’ FIELD (visible only if Link mode is set to ‘Advanced’) and ‘HTML

TABLE ROW’ FIELD (visible only if Table mode is set to ‘Advanced’).

%SuspiciousURL% Can be used in: Notification templates for URL Scanning. Is replaced with the first suspicious URL found.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 72 COMMON FUNCTIONS FOR ALL MODULES - CONFIGURATION DOCUMENTS 

The output URL can be clicked in most of the email clients, which can have  undesired consequences. To prevent this, we recommend to use the placeholder %SuspiciousURLSec%.

%SuspiciousURLSec% Can be used in: Notification templates for URL Scanning. The description of %SuspiciousURL% applies to this placeholder as well. Howe- ver, here all characters of the URL are separated with a blank in order to prevent from clicking the suspicious URL. Example: Not www.mycompany.com -> w w w . m y c o m p a n y . c o m

%TIME% Time at which the email was quarantined.

Can be used in: WALL QUARANTINE NOTIFICATION JOBS -> ADVANCED TAB->

‘DETAILS’ FIELD (visible only if Link mode is set to ‘Advanced’) and ‘HTML TABLE

ROW’ FIELD (visible only if Table mode is set to ‘Advanced’).

%TXT2IMG::PASSWORD% This placeholder is replaced with a password image. Can be set in notification templates (PDFCrypt and Convert).

%VALIDATIONREPORT% By default, a validation report is sent to the administrator whenever an email was successfully decrypted or an S/MIME signature verified. To inform the administrator by email about a successful job execution, you can use a notification template. The %ValidationReport% placeholder allows to integrate the validation report into the notification template. Can be used in: Validation report (Crypt).

%VIRUSNAME% Name of the virus found. Can be used in: notification templates in Watchdog.

%WORKINGDIR% Program call parameter that should not be changed. For a description refer to the

HELP.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 73 COMMON FUNCTIONS FOR ALL MODULES - CONFIGURATION DOCUMENTS 

4.4.3 Variables and Placeholders for Specific iQ.Suite Modules

The variables documented below concern the following iQ.Suite modules:

 Connect  Convert  Crypt Pro Import  DLP  PDFCrypt  Trailer Advanced  Watchdog PDF Protection

In notifications, set before and after the variable name the % character, e.g.  %RequestPassword%. In Job configurations, set before the variable name the[VAR] tag and after the variable name the [/VAR] end tag, e.g. [VAR]RequestPassword[/VAR].

The condition variable [COND] should be set in case a variable cannot be resolved and, if so, the text in conjunction with this variable would make no sense. Example: refer to “Condition [COND]” on page 386.

In the following table, the column “Also in jobs” indicates whether the variable  can be used not only in notifications but also in jobs of the respective module.

Variables for general use

The following variables can be used in notifications and in PDFCrypt Jobs:

Variable Description

Date Date and time at which the job that started the action was processed.

Date: YYYY-MM-TT

DateOnly Date on which the job that started the action was processed.

Jobname Name of the job that started the action.

MsgID ID of the email.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 74 COMMON FUNCTIONS FOR ALL MODULES - CONFIGURATION DOCUMENTS 

Variable Description

Subject Subject line of the email that triggered the action.

TimeOnly Time at which the job that started the action was processed.

The following variables can be used in notifications:

Variable Description

Note::{field_name} A field of the email can be referred to, in which the namespace “Note” precedes the name of the field, with ‚::‘ as a separator. The field must be a text field or the content must be representable as text.

This variable is replaced with the content of the field.

ToolReport Full processing report of all executed jobs.

ToolReportDetails Scan results with all details.

ToolReportFull Full processing report of all executed jobs.

ToolReportFullHTML Full processing report of all executed jobs in HTML format.

iQ.Suite Connect

The following variables can only be used in notifications:

Variable Description

Connect_AttachmentSize Sizes of the uploaded attachments in bytes.

Connect_AttachmentSizeKB Sizes of the uploaded attachments in KB.

Connect_AttaNameSuccess Name of the uploaded attachment.

Connect_AttaNameFail Name of the file attachment(s) which could not be uploaded.

Connect_Engine Name of the used Connect Engine

Connect_JobReport Detailed job report

Connect_ProcTimeFail Processing times for attachments with upload error

Connect_ProcTimeSuccess Processing time for uploading the file attachment(s)

Connect_TotalAttaSize Total size of the uploaded attachments (in Bytes)

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 75 COMMON FUNCTIONS FOR ALL MODULES - CONFIGURATION DOCUMENTS 

Variable Description

Connect_TotalAttaSizeKB Total size of the uploaded attachments (in KB)

Connect_TotalProcTime Total processing time for all uploaded file attachments

Connect_UploadCountFail Number of file attachments which could not be uploaded

Connect_UploadCountSuccess Number of successfully uploaded file attachments

Connect_UploadError List of errors which occurred when trying to upload attachments

Connect_UploadURL URL to the uploaded attachment(s)

Connect Workflow

The variable Note::{field_name} can be used in Connect Workflow Jobs:

Variable Description

Note::{Feldname} A field of the email can be referred to, in which the namespace “Note” precedes the name of the field, with ‚::‘ as a separator. The field must be a text field or the content must be representable as text.

This variable is replaced with the content of the field.

iQ.Suite Convert

The following variables can only be used in notifications:

Variable Description

AttachmentName Name of the converted file attachment; in form of a list for multiple attachments.

AttachmentSize Size of the converted file attachment prior to conversion (in bytes); in form of a list for multiple attachments.

AttachmentSizeKB Size of the converted file attachment prior to conversion (in KB); in form of a list for multiple attachments.

AttachmentSizeSum Total size of the converted file attachments prior to conversion (in bytes).

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 76 COMMON FUNCTIONS FOR ALL MODULES - CONFIGURATION DOCUMENTS 

Variable Description

AttachmentSizeSumKB Total size of the converted file attachments prior to conversion (in KB).

ConvertedCount Total number of converted file attachments.

MailSizeDeltaKB Total size difference of the original email following conversion (in KB).

Password Only available for Compress.

Password that was used for encryption.

SizeDeltaSumKB Total size difference of the converted file attachments of this email (in KB).

UniqueID Unique generated email identifier

iQ.Suite Crypt

Can only be used in notifications:

Variable Description

Crypt_NumberImported Number of imported keys. The email sections from which the keys were imported are counted.

iQ.Suite PDFCrypt

Variable Description Outside of notifications

AttachmentLinks Links to the file attachments of the origi- only in nal email. PDFCrypt header

Note: If you use this variable many times, the attachments will also be inserted into the PDF many times.

AttachmentTable HTML table which contains two only in columns: one with attachment icons and PDFCrypt header one with the corresponding attachment names. The attachments of the original email open by clicking on the attachment icons.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 77 COMMON FUNCTIONS FOR ALL MODULES - CONFIGURATION DOCUMENTS 

Variable Description Outside of notifications

BadCount Number of PDF files that could not be only in notifications processed. for PDFCrypt File Signing/Encryption GoodCount Number of successfully processed PDF files

Mode Executed processing (signing, encryption or “signing + encryption”)

Mail_RequestPasswordLink Only when the Password Manager is only in job used.

Email link for requesting password incl. HTML markup (text).

NotVerifiedCount Number of not verified PDF files (with only in invalid signature or untrusted certificate) notifications for PDF- Crypt Signature Veri- UnsignedCount Number of unsigned PDF files fication

VerifiedCount Number of verified PDF files

Password Password that was used for encryption. Yes

RequestPassword RequestPassword contains the string Yes with the actual password request. RequestPasswordRecipient Yes This string can be copied into the subject or body of a new email and sent to the recipient of the password request.

RequestPasswordRecipient is replaced with the address specified for password requests in the Password Management.

UniqueID Unique generated email identifier Yes

iQ.Suite Trailer Advanced

The variable Note::{field_name} can be used in Trailer Advanced documents:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 78 COMMON FUNCTIONS FOR ALL MODULES - CONFIGURATION DOCUMENTS 

Variable Description

This variable is replaced with the content of the field.

iQ.Suite Wall – Wall Content Mail Job

The following variable can be used in notifications and in the job configuration in case the ‘Add Notes field to email’ or ‘Add X-token to email’ action is used. It can be set in the Variable for analysis results field of the action.

Variable Description

LegacyResult This variable is replaced with the “usual” detailed analysis result of the job, which is normally a list of detailed results. For each file and the email body, the categories in which the threshold was exceeded are listed with their values (comma- separated) in the format “Category=Value“.

This variable has for the action ‘Add Notes field to email’a a special role which determines the output format of the variable value depending on its use.

a. Refer to “‘Add Notes field to email’” on page 305.

Variablen for analysis results

The following variables for analysis results can also be used in notifications and in the job configuration:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 79 COMMON FUNCTIONS FOR ALL MODULES - CONFIGURATION DOCUMENTS 

Variable Description

Result This variable is replaced with a value in the format “Category=Value“ or an empty string. For this, the category with the highest exceeded value is determined over all attachments (also unpacked files, if available), the email body and the other analyzed fields.

If the threshold was not exceeded in any category, variable is replaced with an empty string.

ResultCategory Works like the Result variable. However, it is replaced with the name of the category or an empty string ersetzt.

ResultThreshold Works like the Result variable. However, it is replaced with the threshold of the category or an empty string.

ResultValue Works like the Result variable. However, it is replaced with the value of the category or an empty string.

Category::{Kategoriename} For each category which is defined in the job document with a threshold, the respectively highest value can be determined over all attachments (also unpacked files, if available), the email body and all other analyzed fields. This value can be requested by using a variable which contains the category name and which is preceded by the namespace "Category" with ‘::’.

iQ.Suite Watchdog

Can only be used in notifications:

Variable Description

DeniedAttachment Names of the PDFs which contain prohibited elements.

DeniedCount Number of PDFs which contain prohibited elements.

DeniedExtractedAttachments Names of all prohibited attachments which have been extracted from PDFs.

DeniedExtractedURLs Names of all prohibited URLs which have been extracted from PDFs.

ErrorAttachment Names of the PDFs, bei denen errors occurred during processing.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 80 COMMON FUNCTIONS FOR ALL MODULES - CONFIGURATION DOCUMENTS 

Variable Description

ErrorCount Names of the PDFs for which errors occurred during processing.

IgnoredAttachment Names of the PDFs which have not been processed (because they were encrypted or signed).

IgnoredCount Number of PDFs which have not been processed (because they were encrypted or signed).

SafeAttachment Names of the PDFs which have been identified as “safe” (no prohibited elements)

SafeCount Number of PDFs which have been identified as “safe” (no prohibited elements).

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 81 COMMON FUNCTIONS FOR ALL MODULES - PRIORITIES 

4.5 Priorities

4.5.1 Job Priorities

Priorities described the "order" in which jobs are run, i.e. their "importance". Jobs with a high priority are run before jobs with a lower priority within the job chain. The priorities are expressed by way of a priority value and can be changed for any job any time. Priorities are set in the job’s Basics tab.

4.5.2 Assigning Priorities (Job Chain)

To be able to set the order of the jobs by assigning priorities, you need to decide which functions are to be performed first on incoming emails. The following illustrates a sensible job chain:

1. Key import job, e.g. Crypt - Key Import with PGP.

2. Decryption job for all incoming email, e.g. Crypt - Decryption with PGP.

3. Virus scanning job, e.g. Watchdog - Virus Scanning Job. Without decryption, the virus scan job should be the first one executed. This is to make sure that emails definitively are not infected (including iQ.Suite User Portal. Refer to “iQ.Suite User Portal” ). Otherwise it might be possible that emails, quarantined by other jobs due to viruses are resent to the recipi-

ents. For further Information on the quarantine, please refer to “Quarantine

Configuration” on page 107.

4. Jobs such as Block Mail Flooding or Number of Recipients to limit the number of emails per sender or recipients. Such jobs should run before a Split job in order to ensure that emails with too many recipients are filtered out early. If the Number of Recipients job were run after a Split job, the job would no longer work correctly because the number of recipients has been changed.

5. Jobs with a blocking function, e.g. to block large emails or unknown archives (Watchdog - Attachment/Size Filtering Job). The advantage of running this job early is that affected emails do not undergo further tests that unnecessar- ily use server resources.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 82 COMMON FUNCTIONS FOR ALL MODULES - PRIORITIES 

6. Job for conversion to PDF or PDF/A (Convert PDF Mail Job).

7. Job for compression (Convert Compression Mail Job).

8. Job for adding a legal disclaimer (Trailer - Trailer Job or Trailer Mail Job Advanced).

9. Job for integration with an archiving solution for email archiving, e.g. iQ.Suite Store (Bridge - Store Archiving).

10. Split job

Define further jobs as required and include them at a sensible position within the job chain.

Our default configuration already considers a reasonable job priority. Note, how-  ever, that the default configuration is only a suggestion. The actual priorities have to be assigned individually according to your company’s requirements.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 83 COMMON FUNCTIONS FOR ALL MODULES - RULES 

4.6 Rules

The conditions under which a job is run are set by way of Rules. Rules are used to define the emails for which a job is to be run, e.g. only to incoming Internet emails or emails addressed to specific recipients. For instance, you can exclude individual email addresses from being checked for spam by the mail job of iQ.Suite Wall.

The standard configuration is delivered with a number of pre-configured cross- module rules, which can be used for each job in each module as well as in combination. Each rule defines different conditions under which a job is to be run.

To edit rules from within a job use the Select, Deselect all, Edit and New icons in  the Controls for rule field. Rules from previous iQ.Suite versions are displayed in green font. In this case, some of the icons may not appear in the document hence the rule has to be updated. Click on Select and then OK in the selection dialog, after which the remaining icons will also be available.

4.6.1 Rule Mechanism

Rules allow the MailGrabber or DatabaseGrabber to perform tasks according to the information in the individual documents14. This enables precise selection of the documents to be checked. Rules apply across all modules and can be used in

any job. Therefore you find the list of mail rules and database rules under GLO-

BAL. You can view a list of rules and the jobs that use them in the complete jobs list in the Rule List column.

Details on how to use rules are available in one of the following:

a) Within the rule itself (GLOBAL -> MAIL RULES / DATABASE RULES -> double- click on an entry). In the Basics tab, the settings are shown as expression (formula), in the Comments tab as plain text. b) Within the DEFAULT and SAMPLE jobs supplied in the Basics tab. For a better understanding, the processing instructions for such a job are described and explained in the Comments tab.

14. For further Information on both components, please refer to “Technical Description of the Main Components” on page 8.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 84 COMMON FUNCTIONS FOR ALL MODULES - RULES 

As a general rule, there is no need to disable unused selection rule documents,  since a rule is only used if specified in a job.

4.6.2 Execution Mode for Rules

By default, all mail rules are evaluated before all jobs. This way, it is clear from the outset by which jobs an email will be processed. To ensure that a job processes the emails according to the results of previous jobs, you can set the rules to be evaluated dynamically. To this end, the global parameter ToolKit_UseDynamicRuleEvaluation must be set to YES. Oth- erwise, the global parameter ToolKit_RuleEvaluationMode will not be evaluated either.

Use one of the following methods to set when and how rule evaluation is to take place:  Method 1: Definition in the global parameter  Method 2: Definition in the mail job  Method 3: Definition within the rule

Please note that the processing hierarchy increases from Method 1 to Method 3: The settings in the global parameter are overwritten by the settings in the mail job. The setting in the mail job, in turn, are overwritten by the settings in the rules.  Method 1: Definition in the global parameter ToolKit_RuleEvaluationMode.  ‘Before‘: All rules are evaluated before all jobs (default).  ‘Always‘: All rules required for a job are evaluated once, before the job is processed.

 Method 2: Definition in the mail job: BASICS TAB -> EXECUTION MODE FOR RULES.  ’Set in global parameter‘ (default): All rules for this job use the settings of the global parameter ToolKit_RuleEvaluationMode15.  ’Before all jobs‘: All rules for this job are evaluated before all jobs.  ’Just before the job‘: All rules for this job are evaluated only once, right before the job is run.

15. Refer to “Description of the Global Parameters (except Job Results)” on page 33

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 85 COMMON FUNCTIONS FOR ALL MODULES - RULES 

Then define how the system is to react upon error in rule evaluation. Three options are available:

 ‘Do not run Job‘ (default): The job is not run.  ‘Run job‘: The job is run despite the error.  ‘Treat as job error‘: The error is treated in the same way as job errors (error handling configuration)16.  Method 3: Definition within the rule: BASICS TAB -> EXECUTION MODE.  ‘Set in job or global parameter‘: The rule uses the settings of the global parameter ToolKit_RuleEvaluationMode17. Exception: In the mail job, the Execution mode for rules is set to either ‘Before all jobs‘ or ‘Just before the job‘.  ‘Before all jobs‘: The rule is evaluated before all jobs. This corresponds to the previous rule evaluation method.  ‘Just before the job‘: The rule is evaluated only once, right before the job using this rule.

For a Split job, the processing sequence changes as follows when dynamic rule  evaluation is disabled: To start with, as the Split job generates "new" emails, all configured rules for all jobs are evaluated again. Then, and then only, the email is processed by the job that follows the Split job in the job chain. This may have an impact on the evaluation of sender-recipient relations as the address rules have already been evaluated before and specific job actions were triggered.

16. Refer to “Error Handling in Jobs” on page 23. 17. Refer to “Description of the Global Parameters (except Job Results)” on page 33.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 86 COMMON FUNCTIONS FOR ALL MODULES - RULES 

4.6.3 Rule Types

4.6.3.1 Address Rules

Address rules are an important component of the address analysis and refer to the address information contained in emails. You can use the address rules to make a job valid only for certain persons or groups, define exceptions for departments, or cause special actions to be performed for the emails of certain employees.

The addresses are specified through the Notes Name and Domino Directory or taken from address lists matched against Notes databases. Jobs are performed according to the address rule.

Examples:  A decryption job is only started if an email from a specific Internet domain is addressed to a specific group from the Domino Directory. The opposite is the case when it is not addressed to that group.  Excluding emails from spam analysis using a customer database. To do so, create a view with addresses from this database, set up an address rule that refers to the database and finally include this address rule in the job.  Blocking particular internal or external recipient addresses using address patterns.

For resolving addresses, addresses and groups are resolved in a similar way to that used by the router. You can decide whether or not to resolve the addresses in your Domino Directory before analysis. For further Information on input options, please refer to the address rule section (sender/recipient list fields) in the online help.

4.6.3.2 Blacklist/Whitelist Rules

With a blacklist/whitelist rule, emails can be processed or not processed from a job depending on whether the sender and/or recipient address is included in a blacklist or whitelist (address filter).

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 87 COMMON FUNCTIONS FOR ALL MODULES - RULES 

Example: Emails from senders found in a whitelist are to be excluded from spam analysis. For this, enter a corresponding rule in your list of negated rules in your Wall job. Any email to which this negated rule applies will be delivered without being checked.

As a general rule, whitelists can be set up globally (i.e. for the entire company) or for individual users. Through the iQ.Suite User Portal, users can add sender addresses to their own whitelists from emails in their personal quarantine. For further Information on blacklists/whitelists and on how to use them, please refer to “Using Blacklists and Whitelists” on page 238, “Whitelist Job Configuration for Automatic Whitelists” on page 149 as well as to the individual field descriptions in the online help.

4.6.3.3 Formula Rules

With this rule type, job requests can be carried out according to the result of a user-definable Notes formula expression. For instance, such a rule can be used to send emails at specific times or within a specific period of time.

For further Information on Notes formulas, please refer to your Notes documentation.  Only formula elements working in background agents can be used.

4.6.3.4 Field Type Rules

This rule type allows to specify any email field using the field name and the data type, both of which can be determined from an email by way of the document properties.

When a job is configured with a rule of this type, the job can be started according to the value returned (true/false). If the specified email field exists and matches the specified data type, the rule returns ’True’. In all other cases it returns ’False’.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 88 COMMON FUNCTIONS FOR ALL MODULES - RULES 

4.6.3.5 Notes Encryption Rule

This rule detects whether an email is encrypted with Notes and allows to exclude Notes-encrypted emails from the job processing.

4.6.3.6 Signature Rules

With the signature rules, jobs are run depending on the Notes signature of the document to be processed. It is possible to specify the canonically resolved name of the sender whose signature the email is to contain. For instance, you could configure a job in such a way that emails are not delivered unless they include a valid Notes signature.

It is possible to specify several senders and to use wildcards. Multiple entries are to be separated by a line break (ENTER key).

4.6.3.7 Text Rules

With the text rules, jobs are run depending on the content of a text field of the document to be processed. It is possible to search specific text fields for specific, user-defined content.

Example: An email is to be delivered to the recipient without being checked by a Watchdog mail job. Create a text rule and enter ’Subject’ under Text fields and ’Do not check’ under Text pattern. If this rule is applied to a Watchdog mail job (negated!), the job will not be executed and the email is delivered without having been checked.

Text rules identify search strings in text fields, text list fields, RFC822 fields and numeric fields. In RTF fields and MIME mails the text rule functionality is limited.

4.6.4 Remove Rule from Selected Jobs

Besides the possibility to remove rules from a single Job document, you can also remove a rule from all jobs or selected jobs at once via the corresponding Rule document.

To remove a rule (Database or Mail rule) from jobs, proceed as follows:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 89 COMMON FUNCTIONS FOR ALL MODULES - RULES 

1. Open the Rule document and remain in the Read mode.

2. In the Jobs tab, select the jobs from which you want to remove the rule:

In addition to the usual information regarding the iQ.Suite Job, the column Rule List shows all positive and negated rules which the respective Job is using.

The Rule List matches the display in the Job configuration in the Rule summary field (Basics tab).

Example: (InetSender AND Mail Is MIME) AND (NOT MailResentFromQuar- antine AND NOT WLRuleAntiSpam)

3. Click REMOVE RULE FROM SELECTED JOBS and confirm the removal with OK. Only the currently opened rule will be removed from the job and thus from the Rule List of the job.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 90 COMMON FUNCTIONS FOR ALL MODULES - LOGGING 

4.7 Logging

Each executed mail or database job is logged under LOGS AND STATISTICS ->

IQ.SUITE LOG, independent from the iQ.Suite module.

 Logging of the MailGrabber Logging is performed at two levels. First, the mail rules are evaluated and logged. If according to the rule evaluation, the job has to be executed for an email, in a second step, the job is executed and its execution is logged.

 Logging of the DatabaseGrabber Logging is performed at three levels. First, the databases to be analyzed are searched for and opened. This is done according to the job's log settings. Then, the database rules are evaluated and logged according to the rules' log settings. If according to the rule evaluation the job has to be executed for an email/a document, executing the job and logging its execution is the last step. It is done with the job's log settings.

You can specify with how much detail to log both processes in the log database. This can either be defined for each job or each rule separately or globally with global parameters used as standards for all jobs and rules18.

18. Changes in iQ.Suite configuration are logged in the g_status.nsf database (LOG & STATISTICS -> CONFIGURATION CHANGE LOG).

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 91 COMMON FUNCTIONS FOR ALL MODULES - LOGGING 

4.7.1 Global Configuration

4.7.1.1 Defining the log databases

By default, processing of MailGrabber and DatabaseGrabber is logged in the log

database g_log.nsf. This database is defined under GLOBAL -> GLOBAL PARAME-

TERS by the parameter ToolKit_Logdb.

To write the job logs of the MailGrabber and the DatabaseGrabber to a different database, specify the database under ToolKit_Logdb. To log the processing of the DatabaseGrabber separately, specify the desired database under ToolKit_LogDGrabDB.

All jobs including the DEFAULT and SAMPLE jobs are logged in the database  defined here. If no database is specified, the database log.nsf is used automatically. This is also the database where the processing of the Domino server is logged. For better transparency, we therefore recommend not to use this database for logging the iQ.Suite Grabbers.

As an alternative to specifying the parameter configuration under Global Param-  eters, you can also specify the parameters in the notes.ini.

4.7.1.2 Global Log Level for MailGrabber and DatabaseGrabber

Use the global parameter ToolKit_LogLevel to specify the global log level of the MailGrabber and the DatabaseGrabber. To log the processing of the Databas- eGrabber at a different log level, specify this log level under ToolKit_DGrabLogLevel.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 92 COMMON FUNCTIONS FOR ALL MODULES - LOGGING 

4.7.2 Separate Configuration

The most detailed logging is achieved with the value ‚9', which creates a com-  plete debug log. This setting is recommended for the troubleshooting, however, it may negatively impact the server performance. In production systems, we recommend to use log level ‚6' which will generate messages only.

4.7.2.1 Log Level for Rules

For loading, initializing, and evaluation of rules, a specific log level can be defined with the parameter ToolKit_RuleLogLevel.

Besides that, for the rule evaluation, an individual log level can be specified in the

rules document: BASICS TAB -> LOG LEVEL. With the default setting ‚0', the log level of the global parameter ToolKit_RuleLogLevel applies.

4.7.2.2 Log Level for Jobs

To log the processing of a certain job at a specific log level, specify that log level

directly in the job document: MISC TAB -> LOG LEVEL. With the default setting ‚0', the log level of the global parameter ToolKit_LogLevel applies for the Mail- Grabber and the DatabaseGrabber. To log the processing of database jobs at a different log level, specify this log level under ToolKit_DGrabLogLevel.

4.7.2.3 Email specific Log Level

You can use the global parameters ToolKit_LogLevel7Subject, ToolKit_LogLevel8Subject and ToolKit_LogLevel9Subject to increase the log level to 7, 8 respectively 9 during the processing of certain emails. To do so, in the parameter, set a keyword. If the keyword appears in the email subject, the log level is increased correspondingly. Example:  In the rule document, the log level is set to ‚6'.  In the job document, the log level is set to ‚9'.  The parameter ToolKit_LogLevel7Subject is activated and the keyword ‚Key' is set.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 93 COMMON FUNCTIONS FOR ALL MODULES - IQ.SUITE SPLIT 

The parameter can be used to increase the log level but not to decrease it. When the keyword ‚Key' appears in the email subject, the processing of the rule is logged at log level ‚7'. However, for processing the job, log level ‚9' remains.

4.8 iQ.Suite Split

An iQ.Suite Split job splits an email that arrives on the mail server and is addressed to multiple recipients into multiple emails according to the configured split mode. With this, those emails can be processed differently for different recipients. This is useful if a subsequent job shouldn‘t be processed for a certain recipient or if recipients have different conditions for email processing (such as encryption). iQ.Suite Split jobs can be configured as mail jobs for each module.

When processing jobs, the Split function generates "new" emails, which are  inserted at the beginning of the job chain. This processing behavior has an impact on the rule evaluation. Refer to Execution Mode for Rules auf Seite 85.

Split mode

The following split modes are possible:  One email per recipient: An email addressed to n recipients is split into n emails.  Two emails: recipients in / not in address list: An email addressed to n recipients is split into two emails:  the first one with the recipients who are included in the Address list field and not excluded by being entered in the Except field  the second one with the recipients who are entered in the Except field and such recipients who are not mentioned in the Address list. Special scenario: If all recipients are either in the first or in the second email, there will not be any splitting.

Further (automatic) splitting: If an email to a recipient group is split, this may result in very long lists of individual recipients. Then it might be necessary to further split the two emails so that the length of the recipient field of each email remains below its maximum length. If required, this splitting will happen automatically.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 94 COMMON FUNCTIONS FOR ALL MODULES - IQ.SUITE SPLIT 

Separation result field in email:

Both modes allow the setting of a result field in the emails. The field appears automatically in the email if a field name had been entered here in the Opera- tions tab. Without a field name, the result field will be missing in the emails. The value in the result field may be used, for example in a text rule.

The value in the email‘s result field depends on the split mode:  Split mode One email per recipient: The field value is "Single" in all emails.  Split mode Two emails: recipients in / not in address list:  In the first email the value is "True".  In the second email the value is "False". (First and second email as defined above)

Example:  Address list: EncryptionRecipientsPgp  Except: EncryptionRecipientsSmime  Result field: UsePgpEncryption.

After the Split Job, the email with the UsePgpEncryption field = True includes those recipients who are in the ‚EncryptionRecipientsPgp‘ group, but not in the ‚EncryptionRecipientsSmime‘ group.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 95 COMMON FUNCTIONS FOR ALL MODULES - EXPORTING AND IMPORTING CONFIGURATION FILES 

4.9 Exporting and Importing Configuration Files

The EXPORT/IMPORT button (under GLOBAL) can be used to exchange iQ.Suite configuration data outside of Domino databases. You can use this function, for instance, to update specific configuration databases without performing a full update.

EXPORT/IMPORT exports or imports your entire configuration or single configuration documents:  Export Configuration To File: Exports the entire current configuration.

 Import Configuration From File: Previously exported configuration documents are imported.

 Import Standard Configuration: The iQ.Suite standard configuration is re-imported.

The documents from the following databases can be imported or exported:  gm_grab.nsf: Mail job and mail rule documents  gd_grab.nsf: Database job and database rule documents  g_wdog.nsf: Utilities documents, license documents, global parameter documents, notification templates  g_del.nsf: Database definition documents  g_Trailer.nsf: Trailer documents  g_trailer_advanced.nsf: ‘Trailer Advanced’ documents

As an alternative you can export the configuration documents displayed under

GLOBAL or under each module individually with the EXPORT button.

Configuration data is always exported as a configuration file with the extension  .gxl.zip. Each contained GXL file corresponds to a configuration database, that contains the configuration documents of a configuration database in XML format.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 96 COMMON FUNCTIONS FOR ALL MODULES - EXPORTING AND IMPORTING CONFIGURATION FILES 

4.9.1 Export Configuration To File

By exporting your configuration or parts thereof, you can save and backup the existing configuration in an external file. If necessary, this allows to restore older configuration data by re-importing the corresponding export file.

To export the entire configuration and save it in the file system, click on GLOBAL -

> EXPORT/IMPORT -> EXPORT CONFIGURATION TO FILE:

This dialog can also be used to exclude entire databases or individual configuration document from being exported. The ‚Configuration Export‘ screen is divided into two areas:

Databases

This area displays all iQ.Suite configuration databases whose configuration documents can be exported. The iQ.Suite configuration is spread across these configuration databases.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 97 COMMON FUNCTIONS FOR ALL MODULES - EXPORTING AND IMPORTING CONFIGURATION FILES 

Documents

This area displays all configuration documents of the configuration databases that can be exported. The documents shown are the ones of the database currently selected. Documents shown in gray color cannot be exported as the associated configuration database has not been enabled for export.

1. Select the configuration databases to be exported (set check mark). The associated configuration documents are displayed and automatically set to ’Export’.

2. To exclude a database from export, disable the entire database (remove checkmark). All of the associated documents are also disabled. To exclude individual configuration documents of a database from export, select Do not export for these documents:

3. To exclude several configuration documents of a database from export, select the documents (click with Shift key depressed) and select Remove selection from export.

To select the documents, use a column other than "Action". The selection menu  associated with this column may interfere with the selection of individual rows. Click SHOW/HIDE COLUMNS to set the document properties to be displayed. Fur-

ther Information is provided by the Configuration Export help (HELP button).

4. In the Path field click SELECT. Enter the path to the directory the configuration data is to be stored once exported. For instance, if you wish to replace an existing file, first set the File type to ‚All Files (*)‘ in order to display all files in

the selected folder. Then select the file to be replaced and click CHOOSE FILE. This will take you back to the original dialog from you can start the export.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 98 COMMON FUNCTIONS FOR ALL MODULES - EXPORTING AND IMPORTING CONFIGURATION FILES 

If you prefer to export the configuration data to a specific directory, first enter a name of the configuration file to be created in the Filename field (here: my_export). Then, under File type, select the format for the data to be exported and click CHOOSE FILE. This will take you back to the original dialog from you can start the export. The data will be exported to the new folder (here: my_export) in the format specified.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 99 COMMON FUNCTIONS FOR ALL MODULES - EXPORTING AND IMPORTING CONFIGURATION FILES 

4.9.2 Import Standard Configuration

The iQ.Suite standard configuration contains example jobs (DEFAULT jobs and SAMPLE jobs) and sample rules. Select Import Standard Configuration if you wish to re-import this standard configuration.

1. Select GLOBAL -> EXPORT/IMPORT -> IMPORT STANDARD CONFIGURATION.

2. Select the configuration to be imported and click OK. Loading the configuration may take some time.

3. Click NEXT to confirm the subsequent message. This dialog can be used to exclude entire databases or individual configuration documents from being imported.

The ‚Configuration Import‘ screen is divided into two areas:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 100 COMMON FUNCTIONS FOR ALL MODULES - EXPORTING AND IMPORTING CONFIGURATION FILES 

Databases

This area displays all standard configuration databases. The iQ.Suite configuration is spread across these configuration databases. Disabled configuration databases are excluded from import. The configuration documents in these databases are also excluded from import. This is represented by grayed-out configuration documents.

If a database isn‘t found a corresponding message is displayed under "Title" and  "Type". This means the database is not located under the path specified (second column) in the Domino data directory. Documents from such configuration databases can only be imported after having adjusted the path so that it points to a database of the Domino server. Please also refer to the help information in the

‚Configuration Import‘ dialog (HELP button).

Documents

This area displays all configuration documents of the database selected in the area on the left side of the screen. These documents can be imported. To avoid unintentionally overwriting existing data, the documents are set to Do not import by default.

Documents displayed in blue font are duplicates. When importing configuration  data, you may lose important elements of the existing configuration. Before overwriting these documents, please refer to “Notes on duplicates” on page 102.

When a document is displayed in black font, this means that no corresponding document exists in the database of the Domino server. When importing these documents there is no danger of unintentionally overwriting existing data.

When a document is displayed in gray font, this means that the associated configuration database has not been selected for import or no database is found under the path specified. Such documents cannot be imported.

4. Click in the Path field on Select to specify where the older standard configuration to be imported is located. The configuration file to be imported has the extension .gxl.zip. The configuration documents can be imported into any

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 101 COMMON FUNCTIONS FOR ALL MODULES - EXPORTING AND IMPORTING CONFIGURATION FILES 

database by entering the path to the target database in the ’Path’ column, relative to the Domino data directory.

Configuration documents should always be imported into databases of the same  type as the databases from where they were exported. If configuration documents are imported into a database that does not have a view to display these documents, it will not be possible to access the imported configuration documents.

5. Select the databases to be imported (set check mark). The associated configuration documents are displayed and can be imported. The configuration documents of databases that have not been selected cannot be imported.

6. Define how the documents of a database are to be imported. Available options depend on whether the documents are normal import documents (black font) or duplicates (blue font). When a document is displayed in black font, this means that no corresponding document exists in the database of the Domino server. When importing these documents there is no danger of unintentionally overwriting existing data.

Notes on duplicates

Documents displayed in blue font are duplicates of documents that already exist in the database of the Domino server. This means that a matching document with the same UNID (Universal Notes Identifier) already exists.

The following options are available: a) Update: The data in the configuration document on the Domino server will be overwritten and replaced with the data of the duplicate (from the configuration file). The UNID of the overwritten configuration document on the Domino server remains unchanged.

Overwriting may change behavior of existing jobs, as the data in the document to  be imported may not be exactly the same as the data of the document on the Domino server, in which case the job will use other data than expected. Hence, duplicates are set to Do not import by default.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 102 COMMON FUNCTIONS FOR ALL MODULES - EXPORTING AND IMPORTING CONFIGURATION FILES 

b) Import as copy: A copy is made of the existing configuration document from the configuration file and stored in the database of the Domino server. A new UNID is assigned to this copy of the configuration document.

UNIDs are used as reference between configuration documents. As a new UNID  has been assigned to the copy, there is no reference between the existing configuration documents and the newly created copy. To integrate the copy into the existing configuration the references need to be recreated.

Actions for all duplicates in all databases

To import all duplicates in all configuration databases to be imported at the same time and in a specific way, use the following buttons:  Do not import duplicates  Copy duplicates  Update duplicates

The following actions can be applied to the configuration documents of a selected database:  Exclude individual configuration documents from import: In the Action column click on the corresponding document and select Do not import.  Exclude several configuration documents from import: Select the documents to be excluded under Document name (click with

CTRL key depressed) and click REMOVE SELECTION FROM IMPORT. To select multiple documents simultaneously, use a column other than Action.  Add individual configuration documents to import: Select Import.  Add several configuration documents to import: Select the documents to be imported (click with CTRL key depressed) and click Add selection to import (update duplicates) or Add selection to import (copy duplicates).

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 103 COMMON FUNCTIONS FOR ALL MODULES - EXPORTING AND IMPORTING CONFIGURATION FILES 

7. Click on NEXT. After having confirmed the security prompt the import is started. Please note that the import function cannot be undone. If you wish to

check your settings again click on BACK.

Please refer to the configuration import information provided by the correspond-  ing help function (HELP button). Besides a detailed description of how to proceed, this also includes useful troubleshooting information.

When updating to a higher iQ.Suite version, the existing jobs are adjusted to the  new iQ.Suite functions. This may result in a changed behavior of your configuration. Therefore, following an update please check all new functions in your jobs (such as the configuration of critical jobs).

4.9.3 Import Configuration From File

Previously exported configuration documents can be re-imported any time.

1. Select GLOBAL -> IMPORT CONFIGURATION FROM FILE.

2. Click SELECT and select the exported file to be re-imported.

Proceed as described under “Import Standard Configuration” on page 100.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 104 COMMON FUNCTIONS FOR ALL MODULES - QUARANTINE CONFIGURATION AREA 

4.10 Quarantine Configuration Area

The quarantine is the area of the iQ.Suite that is used to store all blocked emails, documents, file attachments, and the corresponding analysis report. There are various reasons for emails being stored in the quarantine database, for example, because of processing errors or because they are spam or virulent emails.

Quarantined emails are blocked for security reasons and are not delivered to the internal users. However, the iQ.Suite can be configured in a way that users can be allowed to access the quarantined emails that are addressed to them. This enables users to make their own decision on, for example, whether a blocked and quarantined newsletter is delivered or rather continued to be blocked in the future.

When setting access rights keep in mind quarantined emails may contain viruses.  If an infected email or attachment is opened, these viruses may be activated.

To allow local users to access their quarantined emails, choose one of the following methods:  Direct access through the iQ.Suite User Portal.  Access through the quarantine summary notification. Refer to “Quarantine Summary Notifications” on page 264.

 Access through the user's personal mailbox. Refer to “Sample Jobs: Display quarantined emails in the mailbox” on page 161.

4.10.1 Reports

The REPORTS menu provides the analysis reports of quarantined emails. The categorization can be freely defined and is shown in the quarantine database. For instance, it is possible to set up different categories for jobs using different virus scanners or for different file restrictions. When the field is empty, the corresponding return code is used as category.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 105 COMMON FUNCTIONS FOR ALL MODULES - QUARANTINE CONFIGURATION AREA 

4.10.2 Originals

The ORIGINALS menu provides the quarantined emails. The quarantine database contains buttons to process certain actions on quarantined emails. Multiple selec- tions are possible19.

 DELIVER TO ME: The quarantined email is delivered to the current user (per- former of the action).

 TO MY WHITELIST: The senders‘ address from the quarantined email is added to the users‘ personal whitelist.

 TO MY BLACKLIST: The senders‘ address from the quarantined email is added to the users‘ personal blacklist.

 RESEND: The quarantined email is resent. Other or additional recipients can be added. Furthermore, resending is also possible from a server other than the source server. All servers listed in the Domino Directory are available for selection.

 DENY: The quarantined email is locked to prevent it from being sent again. The action is marked with a red sign in the overview.

 REMOVE DENY: The email is unlocked, i.e. resending is possible again.

 FOR TRAINING: The quarantined email is added to CORE training database (g_learn.nsf).

 TO GLOBAL WHITELIST: The senders‘ address from the quarantined email is added to the global (company) whitelist.

 TO GLOBAL BLACKLIST: The senders‘ address from the quarantined email is added to the global (company) blacklist.

If the same address is automatically added to both a blacklist and a whitelist, the  entries are automatically deleted. This only applies to addresses added from the quarantine. Any addresses that were manually added to a whitelist or blacklist are preserved.

19. For further Information on quarantine functions, please refer to the online help.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 106 COMMON FUNCTIONS FOR ALL MODULES - QUARANTINE CONFIGURATION AREA 

4.10.3 Statistics

The STATISTICS menu provides the possibility top analyze/evaluate your quaran-

tine data using PRE-CONFIGURED REPORTS. Assign a name to the selected evalua-

tion report and set the period of time. You can also use the ADVANCED STATISTICS button to create individual statistics for your quarantine data. All charts can be

exported as BMP or JPG images or as CSV files20 (FILE menu in chart).

Creating a quarantine statistic is only possible for quarantine reports or originals  with an integrated report. No statistics are available for original documents (without report). The option under FILTER OPTIONS -> REPORT TYPE -> ORIGINAL refers to original documents with an integrated report.

4.10.4 Quarantine Access for Deputies

This quarantine area is relevant only in connection with the redirection and forwarding functions of iQ.Suite Clerk.

If emails are redirected or forwarded to deputies, by default, the deputies do not have access to quarantined emails since the access rights are defined only for

the original email recipient. For that reason, SUBSTITUTE QUARANTINE ACCESS allows to set up access to your quarantined emails for a substitute or deputy. Refer to “Quarantine Access for Deputies” on page 568.

4.10.5 Quarantine Configuration

A quarantine database is configured with a quarantine document. The advantage of the separate document is that quarantine settings can be reused. In addition, it contributes to reducing the complexity of the quarantine configuration, please refer to user quarantines.

Quarantine documents can be selected within certain jobs in the Misc tab under quarantine configuration, e.g. in the Crypt mail job SAMPLE- Import Key for GnuPG.

20. CSV file = Comma Separated Value file

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 107 COMMON FUNCTIONS FOR ALL MODULES - QUARANTINE CONFIGURATION AREA 

1. To configure a quarantine document, click on QUARANTINE -> QUARANTINE

CONFIGURATION and open one of the pre-configured sample documents, e.g. SAMPLE - Original only in quarantine job. As an alternative, create a new

configuration document with EDITQUARANTINE -> QUARANTINE CONFIGURATION

-> NEW -> QUARANTINE CONFIGURATION.

2. Click on EDIT:

a) Under Quarantine mode select how the original email and the report are to be handled:  ‚Do not quarantine‘: The original is not quarantined and no report is created.  ‚Only report in quarantine‘: Only the report is kept in the quarantine. Depending on the job configuration, the original is either deleted or delivered to the recipient.  ‚Only original in quarantine‘: Only the original is kept in the quarantine and no report is created.  ‚Report and original in same quarantine‘: Both the report and the original are stored in the same quarantine.  ‚Report and original in different quarantines‘: The report and the original are stored in two different quarantines, as specified.  ‚Original with integrated report in quarantine‘: The report is integrated into the original and then stored in the quarantine specified.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 108 COMMON FUNCTIONS FOR ALL MODULES - QUARANTINE CONFIGURATION AREA 

If the reports and the originals are to be stored in the same database, the data-  base defined under Quarantine database is used.

b) Specify under Quarantine database the quarantine database where the reports are to be stored. It is possible to set up several quarantine data-

bases for different purposes. To do so, select GLOBAL -> DATABASE DEFI-

NITIONS and create the databases on the basis of templates. The databases defined here will be available later in both the Admin Portal and the User Portal. c) Under User Portal: Additional Quarantine index, you can activate the ‘Use Quarantine index database’ option to enable indexing of quarantined documents in the Quarantine index database (database definition) selected below. In the iQ.Suite Job, select this Quarantine Configuration if you want to use it.

For further information on the use of a Quarantine index database, please refer to “Only for Quarantines: Use Quarantine index” on page 26.

Any existing configurations from previous iQ.Suite versions are fully operational without any changes.

4.10.6 Next Quarantine or Select Quarantine

If you have created several quarantine databases under Database Definitions21, these databases are available in the portal views (Admin Portal and User Portal) and can also be managed from there. In the Admin Portal, you can switch

between databases by clicking on NEXT QUARANTINE. As of four databases, an

additional SELECT QUARANTINE menu - with all available quarantine databases on the same server - becomes available.

21. Refer to “Database Definitions” on page 25.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 109 COMMON FUNCTIONS FOR ALL MODULES - PASSWORD MANAGEMENT 

4.11 Password Management

The Password Management can be used in the following iQ.Suite jobs:

 Convert Compression  Convert Decompression  PDFCrypt Mail Encryption  PDFCrypt File Signing/Encryption

If the Password type ‘Use password management’ is selected in these jobs, the settings of the selected Password Management apply.

A sample document for Password Management is available under PDFCrypt / Convert -> Password Management. To configure a new Password

Management, click NEW.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 110 COMMON FUNCTIONS FOR ALL MODULES - PASSWORD MANAGEMENT 

4.11.1 The Configuration Document ‘Password Management’

 Generate new password every ... days: This setting applies only to passwords that have been generated per recipient or per sender-recipient combination. Refer to settings in the Job (PDFCrypt or Convert Job) under Password type and Password generation. To set a time limit to the validity of these passwords in the password database, specify the number of days to pass after password generation before to generate a new password. The recipient receives the new password with the

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 111 COMMON FUNCTIONS FOR ALL MODULES - PASSWORD MANAGEMENT 

next email which will contain a password-encrypted file for this recipient. For past emails, the old password can still be used and requested without any time limit.

 Password complexity:  Define whether the password must contain upper case characters, lower case characters, numbers, and/or special characters. Used special characters: ! $ & / = ? # * + - _ < >

 Excluded characters: You can define exceptions for the selected complexity options. Example: The password must contain upper case letters, but certain upper case letters are not allowed, for example, ‘O’ and ‘0’ (zero) because of possible confusion. Default: iIoOlL01.  Password length: Enter the number of characters that the password must have. The settings of password complexity also apply to one-time passwords.

 Password database / User password database: The passwords generated by using the Password Management are saved in the database selected here (default: g_pwd.nsf).

The passwords which are manually created by users are stored in the selected user password database (default: g_userpwd.nsf).

All passwords remain in the selected (user) password databases also once they have expired. As soon as an email has been encrypted with a new manually created password, a password document is created in the password database based on the password entry of the user password database. The password entry remains in the user password database.

For further information on the databases mentioned above, please refer to “Password Database” on page 114 and “User Password Database: Roles and Rights” on page 118.

 Server / Server exceptions:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 112 COMMON FUNCTIONS FOR ALL MODULES - PASSWORD MANAGEMENT 

Use the Server field to specify the server(s) on which this configuration document shall be used. An asterisk (*) means ‘all servers’. In the Server exceptions field, you can exclude servers.

To specify multiple servers, use a separate line for each entry.

 Ignore complexity on manual password set: Define whether the password complexity specified in the password management is also to apply to passwords which are manually created. If you modify your settings (‘Yes’<-> ‘No’ and/or password complexity), click on the Trans- fer complexity icon for your changes to be transferred to the user password database.

 Password access (only for access to the password database): Use the Allow access for sender / recipients options to allow or not the senders and/or the recipients to access the passwords of the emails they have sent or received. Alternatively or in addition, you can allow other people to access all passwords of the password database. For this, use the Other persons field.

The password access controls the access rights to the password documents via the Notes client, assuming that the password database can be accessed. Senders, recipients and other persons with access permission must have been entered in the Domino Directory.

The following settings are relevant only in PDFCrypt if the User Request Job is used:

 Address for password requests: Email address to which the password requests are to be sent. For information on password requests, please refer to “Password Request via mailto Link” on page 380 and “Password Request without mailto Link” on page 381.

When a password is requested, iQ.Suite verifies whether the email address of  the sender of the password request matches with the requested password. Only if the sender address and the password match, the password is sent.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 113 COMMON FUNCTIONS FOR ALL MODULES - PASSWORD MANAGEMENT 

 Notification template for password requests: When the recipient requests the password via the email link, the template selected here is used for the reply email from iQ.Suite.

The template must exist under GLOBAL -> NOTIFICATION TEMPLATES (default: Password management request under the category ‘User Request’).

 Submit notification to all iQ.Suite jobs on this server: With this option enabled, determine whether password emails are to be put into the job chain of the current server for further processing. With this, as an example, a trailer can be appended to password emails. If this option is not enabled, the password email is directly delivered to the recipient without further processing.

4.11.2 Password Database

Under PDFCrypt / Convert -> Password Database, you can view all existing password documents, including the manually created password entries which have been already used.

Password documents can be read by those people which are specified in the password management under Password access and have access to the password database according to the ACL settings (Default: g_pwd.nsf). In addition to the configured readers, people who have the[PW-ACCESS]role in the ACL can view the password documents.

In our example, you can find the password document that was automatically created based on an email sent from David Galler to Anna Glenn:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 114 COMMON FUNCTIONS FOR ALL MODULES - PASSWORD MANAGEMENT 

You can use the VIEW button to sort the password documents, e.g. by password ID or creation date.

To open the Password document, click on the entry:

To view the password, click on .

 Password generation: This field shows the setting made in the used job (PDFCrypt or Convert Com- pression), e.g. generation for each email or for each sender-recipient combination.

 External address, Internal address: Addresses for which the password entry is valid.

In a job that encrypts outgoing emails, the internal address must match the sender and the external address must match the recipient. If a password is

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 115 COMMON FUNCTIONS FOR ALL MODULES - PASSWORD MANAGEMENT 

generated for an email with several recipient addresses, only the first address is recorded as the external address.

In a job that decrypts incoming emails, the internal address must match the recipient and the external address must match the sender.

 Subject: The subject is only displayed if the password for this email was generated with the option ‘For each email’ (option for Password generation).

 Creation time: Date and time when the password document was created.

 Last requested: Date and time when the password was requested last by the User Request job.

 Last used: Date and time when the password document was used last by the User Request job, the PDFCrypt job or the Convert job.

 Predecessor, Successor: DocID of the preceding/subsequent password documents. Once the validity has expired (settings in the password document), a new password document with a new password is created. In the password documents (the new and the old one), the predecessor and the successor are set accordingly.

 Recipients of the email: All recipients of the email are listed, including the recipients from the ‘Bcc’ field.

 DocID: Universal ID of this password document.

 Password ID: Unique ID for the password. The [VAR]UniqueId[/VAR] variable is used to communicate the password ID to the user.

One password ID is generated per email. When password documents are created for external addresses or internal-external address combinations, these IDs are listed in the same password document. After a certain number of password IDs, a copy of the password document is created.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 116 COMMON FUNCTIONS FOR ALL MODULES - PASSWORD MANAGEMENT 

4.11.3 Manual Creation of User Passwords

Manually created passwords are used if the User password database (default: g_userpwd.nsf) is selected in the Password Management used by the job.

In the following, note that internal and external addresses can be either individual persons or entire domains.

When using PDFCrypt or Convert Compression, users can create fixed passwords before sending before sending their first email to certain recipients. The defined password is then used to encrypt all emails from the user (internal address) to the external addresses which are specified in the password entry.

When using Convert Decompression, users who expect to receive an email with a password-protected attachment from a certain sender must create a password entry with this sender as “External address” before he receives the email. This allows the Decompression Job to decrypt the attachment.

The iQ.Suite administrator is authorized to create passwords for any internal addresses/internal domains via the iQ.Suite Admin Portal. End users are only authorized to create passwords for their own user (as internal address) via the iQ.Suite User Portal. With special permissions (granted through the appropriate role), end users also are authorized to create passwords for any internal

addreses/internal domains. The same password can be used for different senders and recipients (including domains).

Example in case of PDFCrypt Encryption:

The Sales employee “Anna Glenn” of company-y can create passwords only for the emails she sends. The iQ.Suite administrator “Kai Baron” of the same company can, for example, create a password for the sender “Anna Glenn” ([email protected]) to the recipient “David Galler” (dgaller@company- x.com).

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 117 COMMON FUNCTIONS FOR ALL MODULES - PASSWORD MANAGEMENT 

4.11.3.1 User Password Database: Roles and Rights

The view under PDFCrypt / Convert -> User Password Database shows the user passwords (password documents) you are authorized to see according to the roles and rights concept of the user password database.

You will find the database definition of the user password database (default:

g_userpwd.nsf) under GLOBAL -> DATABASE DEFINITIONS -> USER PASSWORD

MANAGEMENT.

The user password database is intended for the following use cases:

1. For end users via the iQ.Suite User Portal: ACL entry such as IQSUITE-USER (user in IQSUITE-USER directly or via a group assignment (other Domino Directory groups in which the user exists) or via an appropriate ACL entry of a group or person: Author, Create but not delete documents, no role assigned.

2. For administrators / end users with additional permissions via the iQ.Suite User Portal: Administrators (users with the [Admin] role) and end users (without the [Admin] role) with the [PW-CREATE] role can configure password documents for any senders in the iQ.Suite User Portal. Both must additionally have the [PW-ACCESS] role which permits them to see all password documents and set existing ones to “obsolete”, if required. This can be done manually or happens automatically, in case of replacement through new creation.

3. For administrators via the iQ.Suite Admin Portal: Administrators (users with the [Admin] role) can additionally open the user password database in the special view for administrators. In this view, they can create password documents in which they can also configure senders. In these password documents, the [Admin] role is set additionally to the [PW-ACCESS] role.

The [Admin] role is pre-assigned for the standard groups IQSUITE-ADMIN and

IQSUITE-SRV.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 118 COMMON FUNCTIONS FOR ALL MODULES - PASSWORD MANAGEMENT 

4. The [PW-ACCESS] role allows users to see all entries of the database mentioned above. Consequently, this role should be assigned to the server / server groups

(IQSUITE-SRV and equivalent own groups or server names).

For administrators / administrator groups (IQSUITE-ADMIN and equivalent own groups or persons) who should not have access to password documents (and therefore to passwords) of end users, revoke the [PW-ACCESS] role assigned to them by default.

The [PW-ACCESS] role can also be used to authorize users/groups who have no [Admin] role to see all password documents in the User Portal and to set them to “obsolete”, if required. This may be useful, for example, for Controlling or Hotline tasks.

4.11.3.2 Creation of User Passwords

To create user passwords the User password database, users must have a  Domino Directory entry with an Internet address.

To create a user password, proceed as follows:

1. In the iQ.Suite Admin Portal under PDFCrypt / Convert, click USER

PASSWORD DATABASE -> NEW -> USER PASSWORD [ADMIN]:

In the iQ.Suite User Portal:

USER PASSWORD -> BY EXTERNAL ADDRESS -> NEW -> USER PASSWORD

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 119 COMMON FUNCTIONS FOR ALL MODULES - PASSWORD MANAGEMENT 

2. Make the following settings:

 Internal address(es) / Domain(s) and External address(es) / Domain(s): These fields are used to define internal-external address combinations for whom the password is to be used.

These fields expect an Internet address or Internet domain. The internal addresses/internal domains must exist in a Domino Directory.

In a PDFCrypt Job or Convert Compression Job: If no Internet address is found for the sender and no corresponding password document exists in the password database, a new password is generated according to the settings in the PDFCrypt Job. The automatically generated password exists afterwards only in the Password database, not in the User password database.

To select a user or a domain from a Domino Directory, click on the arrow. If you want to enter several users/domains, repeat this procedure. If your entry does not contain the ‘@’ character, it will be interpreted as a domain.

In case of a direct manual entry, always enter an Internet address and use a separate line for each entry.

A password entry is created for every internal-external address combination.

Particularities for users in the iQ.Suite User Portal:

The first field is named Internal address (Creator) and is pre-filled with the address of the currently logged-in user. Only users with additional permissions ([Admin] or [PW-CREATE] role) can edit this field. In the latest case, the

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 120 COMMON FUNCTIONS FOR ALL MODULES - PASSWORD MANAGEMENT 

user can even specify several internal addresses/domains or enter “*“ for all internal addresses/domains.

 Password: The password must be entered twice and can be displayed in clear text with the Show password option. If the complexity check is disabled, the password is checked only for invalid special characters.

 If you want the password complexity (defined in the Password Management) to be considered when a new password is created, the option Ignore complexity on manual password set must be set to ‘No’. The password complexity is displayed if it should not be ignored. If the entered password does not meet the defined password complexity, a corresponding error message is displayed. Only if the password is displayed in clear text, details relative to the violation are given.

3. To confirm a password entry, click OK.

4.11.3.3 Managing User Passwords

Existing password entries cannot be edited. When a new password entry is created for an existing internal-external address combination, the password entry used so far is automatically set to “obsolete”.

To display the non-encrypted password of a password entry, double-click on the password entry.

SET TO OBSOLETE: You can select the passwords which should not be used anymore and set them to “obsolete” by using this button.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 121 COMMON FUNCTIONS FOR ALL MODULES - STANDARD AREA ’LOGS AND STATISTICS’ 

4.12 Standard Area ’Logs and Statistics’

4.12.1 iQ.Suite Log

Under PROTOCOL AND STATISTIC -> IQ.SUITE LOG the work logs for all operating states are listed (document analysis, job processing, thread starts, etc.). The view is refreshed every hour. To modify this interval, set the global parameter ToolKit_StatisticsInterval to an associate value.

You can use the iQ.Suite logs to determine the operation and status of all iQ.Suite modules. Each log is written to the g_log.nsf log database by default.

For further information on configuration of iQ.Suite Logs please refer to “Logging” on page 91.

4.12.2 Next iQ.Suite Log or Select iQ.Suite Log

If you have defined several log databases, you can switch between databases in

the Admin Portal by clicking on NEXT IQ.SUITE LOG. As of four databases, an

additional SELECT IQ.SUITE LOG menu - with all available log databases on the same server - becomes available.22

4.12.3 Database Job Log

The DATABASE JOB LOG is used to record which database job was executed in which database on which server. Currently running jobs are marked as “running”. In case of time-scheduled jobs, the date/time at which the job will be started next time is marked as “next start”.

4.12.4 Configuration Change Log

Under CONFIGURATION CHANGE LOG the changes in iQ.Suite configuration such as deleting, changing or creating a new Notes document are logged. For every change in one of the following databases a log is created in the g_status.nsf status database:

22. Refer to “Database Definitions” on page 25.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 122 COMMON FUNCTIONS FOR ALL MODULES - STANDARD AREA ’LOGS AND STATISTICS’ 

 gm_grab.nsf  gd_grab.nsf  g_wdog.nsf  g_trailer.nsf  g_trailer_advanced.nsf  g_del.nsf  g_elma.nsf

To enable this feature, in the notes.ini set the parameter ToolKit_HookLogConfigChanges=true. Then, reboot the Domino server.

4.12.5 Statistics

The STATISTICS menu provides reports and charts for all mail jobs of all modules (for iQ.Suite Watchdog database jobs as well). The entries are made using the Domino standard statistic functions, for instance in the statistics report database statrep.nsf.

To display this global statistics proceed as follows:

1. First start the Collect Service on your Domino server by way of the command: load collect.

2. Enable the corresponding parameter entry in the iQ.Suite.

3. Under Global Parameters open the ‚Collect statistic data‘ entry and enable the document.

4. Under Value(s) select ‚YES‘ and save your settings.

5. In the overview of global parameters, your configuration is enabled through ToolKit_Statistics=Yes.

By default, the report interval is set to 120 minutes, after which your configura-  tion is updated and the statistics displayed.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 123 COMMON FUNCTIONS FOR ALL MODULES - LOGGING IN THE WINDOWS EVENT VIEWER 

4.13 Logging in the Windows Event Viewer

For iQ.Suite installations on Windows, specific events are logged in the Windows Event Viewer:  Start and stop of the MailGrabber, the DatabaseGrabber and the Sandbox.  When updating a component integrated in the iQ.Suite (utility such as a virus scanner), the Sandbox reports if the update has been successful or failed.  Virus scanner update fails after expiration of the tolerance time without any version changes . This time is specified in the virus scanner engine document.  After an update check, it will be reported if the check has been successful or failed.  After an update check, the sandbox had to be shut down.  Result of version check for virus scanner

The log level for the event logs can be set with the global parameter ToolKit_GlobalEventLogLevel (global) or ToolKit_EventLogLevel (for Grabbers) or the INI parameter EventLogLevel (for Sandbox).

Example:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 124 COMMON FUNCTIONS FOR ALL MODULES - STANDARD AREA ‘SUPPORT’ 

4.14 Standard Area ‘Support’

The last menu of the iQ.Suite user interface points to the GBS Support Team.

Select ONLINE for links to the relevant pages on our website - Support, Knowl- edge Base and Documentation.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 125 IQ.SUITE USER PORTAL -   5 iQ.Suite User Portal The iQ.Suite User Portal provides end users (employees) access on certain iQ.Suite modules with reduced functionality. With this internal users are able to manage their own user-related settings, thus relieving the administrator.

The user-related settings include the following:  Absence Management Provided by the iQ.Suite Clerk module, Absence Management is the function used to set-up the forwarding or redirection of emails. With an appropriate roles/rights concept, internal users can set up temporary email forwarding to deputy or permanent email redirection to a substitute.

 User-specific Quarantine’ The User-specific quarantine (Quarantine database / Quarantine Index database) allows end users to monitor, manage and access their quarantined emails themselves. For security reasons, virus-infected emails are excluded from access.

For maximum performance, this feature can be combined with blacklists/whitelists (iQ.Suite Wall).

 Blacklists/Whitelists’ While being a basic function of the iQ.Suite, blacklists and whitelists are best used together with the iQ.Suite Wall anti-spam module.

Blacklists and whitelists allow end users to define the senders whose emails are to be blocked and quarantined (blacklist) or trusted without being checked (whitelist). This may be useful for newsletters, for instance if newsletters are classified as spam (and therefore quarantined) according to the company’s policies and the user nonetheless wishes to receive these emails.

 Trailer End users who are authorized to use the iQ.Suite Trailer functionality, are in a position to create their own "Personalized Trailer" documents and thus append individual Trailers to their emails. Without the correct access rights, the end users have no influence on the Trailers appended to their emails.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 126 IQ.SUITE USER PORTAL - 

Both the content and the layout of the Trailers are set by the administrator or authorized users.

Please note that end users only have access to "Personalized Trailer" documents. Only administrators have access to documents such as „legal disclaimers“ or other legal notices.

 User Password ‘User Password’ allow internal users to manually create and manage recipient-specific passwords to be used to encrypt their emails with iQ.Suite PDFCrypt. The recipients can be personal Internet addresses or Internet domains.

The underlying rights/roles concept of the iQ.Suite User Portal allows to grant users individual access rights to the User Portal databases and provide them with access to specific functions1. The iQ.Suite User Portal is provided by the database g_user.nsf.

For end users a separate manual provides information on how to use the  iQ.Suite User Portal. This manual can be accessed from the iQ.Suite User Portal (HELP button) or downloaded as PDF. Download under www.gbs.com.

1. Refer to “Rights/Roles Concept in iQ.Suite User Portal” auf Seite 136.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 127 IQ.SUITE USER PORTAL - OPENING THE IQ.SUITE USER PORTAL 

5.1 Opening the iQ.Suite User Portal

5.1.1 Access from the Notes Client

Administrators and end users open the iQ.Suite User Portal in the Notes client with the database g_user.nsf:

Similar to the administration console, the iQ.Suite User Portal interface consists of three areas:

Function bar:

Area for help and language settings. Display area:

Area used to display current content. Navigation area:

Area used to navigate between categories and subcategories.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 128 IQ.SUITE USER PORTAL - FUNCTIONS IN THE IQ.SUITE USER PORTAL 

5.1.2 Access Via Web Browser

Rather than using the Notes client, it is also possible to access the iQ.Suite User Portal via a web browser. In specific cases, certain actions are available in the Notes client or the web browser only. These cases are explicitly referred to in this manual.

System requirements

The following system requirements have to be fulfilled on the users‘ computers to provide them with access to the iQ.Suite User Portal per web browser:

 Newest web browser and with JavaScript enabled. Refer to “Web Browsers” auf Seite 4.  The Domino Web Server (HTTP Task) must have been set up and started2.  For end users, Internet passwords are available.

 Only for iQ.Suite Trailer: Use the newest version of Java Runtime Environment. Furthermore, Java must be enabled in your web browser in order that the Java applets can be executed.

Für die Nutzung of iQ.Suite Trailer, we basically recommend to use the Notes  client for access.

5.2 Functions in the iQ.Suite User Portal

5.2.1 Table: Functions for Users

Most of the functions available for administrators in the iQ.Suite User Portal can also be made available to internal users. For this the associated iQ.Suite role must have been assigned to the user (roles/rights concept)3. The following section describes which roles must have been assigned to display the corresponding action button in the iQ.Suite User Portal:

2. For further Information on setting up the HTTP task, please refer to the HCL Domino documentations. 3. Refer to “Rights/Roles Concept in iQ.Suite User Portal” auf Seite 136.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 129 IQ.SUITE USER PORTAL - FUNCTIONS IN THE IQ.SUITE USER PORTAL 

Button iQ.Suite Role Function

Absence Management (iQ.Suite Clerk)

New -> For- [CREAT-BASIC] The user is allowed to create new forwarding documents ward (Stan- for his/her own absence in standard mode. Quarantine dard) access for deputy (Standard): Create own delegations.

[READ-BASIC] The user is allowed to read all existing forwardings (Stan- dard). Quarantine access for deputy: Read own delegations.

[AUTH-BASIC] The user is allowed to modify all existing forwardings (Standard). Quarantine access for deputy (Standard): Mod- ify own delegations.

New -> For- [CREAT- The user is allowed to create new forwarding documents in ward EXTENDED] advanced mode. Function for specific users, for instance to (Advanced) create forwarding documents for other users. Quarantine access for deputy (Advanced): Create all delegations.

[AUTH- The user is allowed to modify all existing forwardings EXTENDED] (Advanced). Quarantine access for deputy (Advanced): Modify all delegations.

[READ- The user is allowed to read all existing forwardings EXTENDED] (Advanced). Quarantine access for deputy: Read all delegations.

[EDIT-RECIPI- The user is allowed to enter the recipient address as Inter- ENT] net address, e.g. [email protected].

New -> [CREAT-BODY- The user is allowed to create new redirection documents Redirection GUARD] (electronic clerk).

[AUTH-BODY- The user is allowed to change all redirections. GUARD]

[READ-BODY- The user is allowed to read all redirections. GUARD]

Quarantine functions in the Notes client

Deliver To [Deliver] The selected quarantined email is sent to the user (mail- Me box). Any original recipients are ignored.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 130 IQ.SUITE USER PORTAL - FUNCTIONS IN THE IQ.SUITE USER PORTAL 

Button iQ.Suite Role Function

To My [ToMyWL] Adds the sender of the quarantined email to the users’ Whitelist whitelist. The whitelist name is the quarantine category with the suffix "-WL”. This is a person-to-person entry for the sender of the email and the recipient (user). This means, the sender address is listed in the whitelist of this user only. Also refer to ‘To Global Whitelist‘.

To My [ToMyBL] Similar to ’To My Whitelist’‘, with the sender address added Blacklist to the users blacklist.

Resend [Resend] The quarantined email is delivered again to the original recipients (users) specified in the original email. Options for individual or multiple emails are displayed.

Deny [DenyResend] The email selected or just opened is locked to prevent resending. In the overview, locked emails are shown with a red prohibited sign.

Remove [DenyResend] Removes the ’Resend’ lock. Deny

To Global [ToGlobalWL] Adds the sender of the quarantined email to the com- Whitelist pany’s global whitelist. The whitelist name is the quarantine category with the suffix "-WL”. This is a person-to-all entry for the sender of the email and all recipients (users). This means, the sender address is classified as trustworthy for all internal users.

To Global [ToGlobalBL] Similar to ’To Global Whitelist’‘, with the sender address Blacklist added to the global blacklist. The sender address is classified as prohibited for all internal users.

For Training [ToTraining] Adds the quarantined email to the set of training emails for COREa.

Quarantine functions in the web browser

Actions -> [Deliver] The selected quarantined email is sent to the original Deliver To recipients (users mailbox). This function is only available Me from a web browser. the current user will only receive the email if he/she also is the original recipient.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 131 IQ.SUITE USER PORTAL - FUNCTIONS IN THE IQ.SUITE USER PORTAL 

Button iQ.Suite Role Function

Actions -> [Resend] Largely corresponds to the ‚Resend‘ function in the Notes Deliver To client. The email is delivered again to the recipients speci- Recipients fied in the email. As opposed to the Notes client however, further options are not available. If an email is delivered from the quarantine, this action is visualized by a specific icon in the column on the left.

Actions -> [ToMyWL] Similar to the function for the Notes client. To My Whitelist

Actions -> [ToMyBL] Similar to the function for the Notes client. To My Blacklist

Actions -> [ToGlobalWL] Similar to the function for the Notes client. To Global Whitelist

Actions -> [ToGlobalBL] Similar to the function for the Notes client. To Global Blacklist

Additional functions for an open quarantined email

To Other Adds the sender of the quarantined email to an other Whitelist user‘s whitelist. This user can be selected from the address book. The whitelist name is the quarantine category with the suffix "-WL”. This is a person-to-person entry for the sender(s) of the email and the recipient (user). This means, the sender address will be added to the whitelist of the user selected. Attention: You must select individual persons; group entries will be added to the whitelist, but not taken into account when processed.

To Other Similar to ’To Other Whitelist‘, with the sender address Blacklist added to a blacklist.

Blacklists and Whitelists

New -> [iQSUITE-User] Adds a new entry to a whitelist in the USERS-WL category. User’s The recipient is always the current user (can be modified Whitelist with associate role). Entry

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 132 IQ.SUITE USER PORTAL - FUNCTIONS IN THE IQ.SUITE USER PORTAL 

Button iQ.Suite Role Function

New -> [iQSUITE-User] Adds a new entry to a blacklist in the USERS-BL category. User’s The recipient is always the current user (can be modified Blacklist with associate role). Entry

New -> [iQSUITE-User] Adds a new entry to a blacklist/whitelist. The category Black- name of the list can be freely selected by the user. /Whitelist Entry

[Read] Restricted role [Admin]. All documents are displayed and can be edited. However, further functionalities, such as ‚Merge‘, are prohibited.

Merge (in (visible in SENDER category only)

Notes client Merges selected senders as domain. only) Example: User X has in her User Whitelist multiple addresses of the same domain (e.g. [email protected] and [email protected]). By merging (‘Merge’ button), a new Whitelist entry is created for the domain @gbs.com. Optionally, the merged entries can be kept as individual entries in the Whitelist or can be deleted.

User Password (iQ.Suite PDFCrypt)

New -> User No role; but The user is allowed to create new password entries for her Password ‚Author‘ access own user (sender). level

Set to No role; but Users with the access level ‚Author‘ are allowed to set their obsolete ‚Author‘ or ‚Editor‘ own password entries to “obsolete”. With the access level access level ‚Editor, they are additionally allowed to set password entries of other users to “obsolete”.

[PW-ACCESS] This role gives a read permission on all password entries of the user password database.

Refer to “User Password Database: Roles and Rights” auf Seite 118.

Trailer

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 133 IQ.SUITE USER PORTAL - FUNCTIONS IN THE IQ.SUITE USER PORTAL 

Button iQ.Suite Role Function

New -> [Admin] role or no The user is allowed to create new Trailer documents and Trailer docu- role; but ’Editor’ sees all documents set up. He/She is allowed to edit all ment access level "Personalized Trailer" documents. Special features (e.g. language selection) are performed according to the settings in the language configuration document.

No role; but The user sees all documents set up, but is only allowed to ‚Author‘ access edit the documents created by himself. level

Export Exports selected Trailer documents to another storage location, e.g. to the file system.

Configura- (right side of the screen) tion (in To be able to create multilingual Trailers, the language Notes client selection functionality has to be made available within the only) Trailer document. This language selection is set in a separate language configuration documentb. a. Refer to “Text Analysis using CORE” auf Seite 291. b. Refer to “Adding Language-dependent Trailers” auf Seite 459.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 134 IQ.SUITE USER PORTAL - FUNCTIONS IN THE IQ.SUITE USER PORTAL 

5.2.2 Table: Additional Functions for Administrators

Besides all of the user functions, the administrator has access to a number of additional administrative functions ([Admin] role). Assigning these action buttons to end users is not possible:

Button Function

Blacklists and Whitelists

Clearing up (in Notes client (visible in SENDER category only)

only) Removes the entries for a user which are already included in a domain list or in a global list.

Example: User X has added a sender address to her User Whitelist. This sender address is also included in the global Whitelist. With ‘Clearing up’, the corresponding entry is deleted from the User Whitelist.

Please note that clearing up only works within the same list.

Absence Management (iQ.Suite Clerk)

[ClerkAdmin] The user is allowed to configure the fields for content-based forwarding (e.g. for searching content in X-header fields).

Configuration Limits the number forwarding or redirection documents that can be created. When this limit is reached, all you can do is to adjust the existing documents.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 135 IQ.SUITE USER PORTAL - RIGHTS/ROLES CONCEPT IN IQ.SUITE USER PORTAL 

5.3 Rights/Roles Concept in iQ.Suite User Portal

The rights/roles concept is used to set the users’ access rights in the iQ.Suite User Portal (g_user.nsf). Depending on the database access rights granted, users have access to different iQ.Suite User Portal functions (action buttons).

The access rights are set in the iQ.Suite administration console (nav.nsf), using the ACL Manager and cover the following components:

 iQ.Suite Group Refer to “iQ.Suite Groups” auf Seite 138.

 iQ.Suite Roles Refer to “iQ.Suite Roles” auf Seite 139.

 Access Level To ensure that the actions enabled through user roles are available in the iQ.Suite User Portal, be sure to have set the correct access level. As access levels represent a standard Domino functionality, their description is available in your Domino documentation. However, please note that the users require at least the ‚Editor‘ access level to ensure proper functioning of the iQ.Suite User Portal.

The access rights may vary for each enabled database and for each user or user group, in order to enable additional actions for specific users.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 136 IQ.SUITE USER PORTAL - RIGHTS/ROLES CONCEPT IN IQ.SUITE USER PORTAL 

5.3.1 Available Databases

By default, the following User Portal databases are available to administrators:

 Clerk: g_del.nsf Absence management.

 Clerk Log: g_clerkprot.nsf For logging emails processed by Clerk.

 Trailer: g_trailer.nsf For appending text to emails, e.g. legal disclaimers.

 Quarantine: g_arch.nsf For user-specific quarantine management.

 Quarantine Index: g_arch_index.nsf For indirect access to the quarantined documents per link. This allows a faster Quarantine view update, i.e. a faster Quarantine access.

 Blacklists/Whitelists (iQ.Suite Wall): g_connect.nsf

 User Passwords (iQ.Suite PDFCrypt, iQ.Suite Convert)4: g_userpwd.nsf For PDF-based email encryption (PDFCrypt) and encryption of compressed file attachments with a password (Convert).

These databases are marked with under GLOBAL -> DATABASE DEFINITIONS and can be enabled for users through Access User Portal5.

In the standard configuration, only the databases mentioned above are available  in the iQ.Suite User Portal. To display further databases, they need to be specified through the database definitions.

4. Access only possible via Notes, not via web browser. 5. For further Information, please refer to “Setting up the iQ.Suite User Portal for Users” auf Seite 143.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 137 IQ.SUITE USER PORTAL - RIGHTS/ROLES CONCEPT IN IQ.SUITE USER PORTAL 

5.3.2 iQ.Suite Groups

iQSUITE-ADMIN, iQSUITE-USER, iQSUITE-POWUSER

During installation, the following groups are entered in the ACLs of all User Portal databases (through the iQ.Suite templates):  iQSUITE-ADMIN The members of this group have administrative access rights to the iQ.Suite, which should only be granted to administrators. The members of this group have the [Admin] role, which includes all [Creat], [Auth] and [Read] roles required for the administration of the iQ.Suite. Refer to “[Admin] Role” auf Seite 139.

 iQSUITE-POWUSER (formerly GROUP-TOOLS-POWUSER) The members of this group have extended access rights to the iQ.Suite and are authorized, for instance, to set up forwardings and redirections (if using iQ.Suite Clerk). In addition, the members of this group are granted Modify rights to all documents created in the database. This group is intended for authorized users.

 iQSUITE-USER (formerly GROUP-TOOLS-USER) The members of this group have limited access rights to the iQ.Suite. This group is intended for your standard users. If using iQ.Suite Clerk, this means these members are allowed to set up standard forwarding documents from the iQ.Suite User Portal.

Using the iQ.Suite groups, users or user groups are granted different preset permissions to the User Portal databases as well as different permissions as regards the iQ.Suite User Portal functions. The functions actually available to an iQ.Suite group in the iQ.Suite User Portal depend on the roles assigned. The roles are

preset for each of the User Portal databases. Refer to “iQ.Suite Roles” auf Seite 139.

This logic considerably simplifies the administration, as the existing groups from the Domino Directory can simply be assigned to one of the iQ.Suite groups in order to assign specific database access rights to the users. Due to the roles associated with this group, the users from the iQSUITE-POWUSER iQ.Suite group have more rights than those from the iQSUITE-USER iQ.Suite group.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 138 IQ.SUITE USER PORTAL - RIGHTS/ROLES CONCEPT IN IQ.SUITE USER PORTAL 

If you wish to change the default access rights assigned to an iQ.Suite group, you can change the roles accordingly. For further Information on assigning roles and the resulting functions in the iQ.Suite User Portal, please refer to “Functions in

the iQ.Suite User Portal” auf Seite 129 and “Rights/Roles Concept in iQ.Suite User

Portal” auf Seite 136.

5.3.3 iQ.Suite Roles

In the ACLs of the User Portal databases, specific iQ.Suite roles are assigned to the iQ.Suite groups. Using these roles, the members of a group are granted specific access rights and provided with access to the corresponding functions in the iQ.Suite User Portal. To grant additional database access rights to an user (or remove rights), enable (or disable) the associate roles.

For the NEW functions, the user requires (in all views) either the [Admin] role or  the associate [CREAT] role.

5.3.3.1 [Admin] Role

The [Admin] role is available in each User Portal database and should only be granted to administrators. This role implies unrestricted rights to databases, as it automatically includes all other roles.

Each role automatically set with the [Admin] role can be individually assigned to users, in order to provide them with access to specific iQ.Suite User Portal functions.

Be sure to assign the [Admin] role and the ‚Manager‘ access level to your server  and the administrator. Otherwise the server/administrator will not have the necessary access rights to access the documents in the iQ.Suite User Portal. The [Admin] role automatically implies that all functions (action buttons) associated with a database are visible and accessible in the iQ.Suite User Portal.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 139 IQ.SUITE USER PORTAL - RIGHTS/ROLES CONCEPT IN IQ.SUITE USER PORTAL 

5.3.3.2 Table: Assigning an iQ.Suite Group to iQ.Suite Roles

The table below shows which iQ.Suite roles are assigned to an iQ.Suite group. Please note the corresponding access level.

iQ.Suite Group Database iQ.Suite Roles Access Level

IQSUITE-ADMIN Quarantine: [ADMIN] Manager g_arch.nsf [Deliver]

[DenyResend]

[Resend]

[ToGlobalBL]

[ToGlobalWL]

[ToMyBL]

[ToMyWL]

[ToPersBL]

[ToPersWL]

[ToTraining]

IQSUITE-ADMIN Quarantine Index: [ADMIN] Manager g_arch_index.nsf

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 140 IQ.SUITE USER PORTAL - RIGHTS/ROLES CONCEPT IN IQ.SUITE USER PORTAL 

iQ.Suite Group Database iQ.Suite Roles Access Level

IQSUITE-ADMIN iQ.Suite Clerk: [Admin] Manager g_del.nsf [AUTH-BASIC]

[AUTH-EXTENDED]

[AUTH-BODYGUARD]

[ClerkAdmin]

[CREAT-BASIC]

[CREAT-EXTENDED]

[CREAT-BODYGUARD]

[EDIT-RECIPIENT]

[READ-BASIC]

[READ-EXTENDED]

[READ-BODYGUARD]

IQSUITE-ADMIN iQ.Suite Clerk: [Admin] Manager g_clerkprot.nsf

IQSUITE-ADMIN Blacklist/Whitelist: [Admin] Manager g_connect.nsf [Read]

IQSUITE-ADMIN iQ.Suite PDFCrypt: [Admin] Manager g_userpwd.nsf [PW-ACCESS]

IQSUITE-ADMIN iQ.Suite Trailer [Admin] Manager g_Trailer.nsf

IQSUITE-POWUSER Quarantine: Refer to the iQ.Suite-Admin Editor g_arch.nsf roles except for: [Admin] and [ToTraining]

IQSUITE-POWUSER Quarantine Index: No role Reader g_arch_index.nsf

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 141 IQ.SUITE USER PORTAL - RIGHTS/ROLES CONCEPT IN IQ.SUITE USER PORTAL 

iQ.Suite Group Database iQ.Suite Roles Access Level

IQSUITE-POWUSER iQ.Suite Clerk: Refer to the iQ.Suite-Admin Author g_del.nsf roles except for: [Admin] and [ClerkAdmin] + "Create" permission

IQSUITE-POWUSER iQ.Suite Clerk: No role Reader g_clerkprot.nsf

IQSUITE-POWUSER Blacklist/Whitelist: Refer to the iQ.Suite-Admin Editor g_connect.nsf roles except for: [Admin]

IQSUITE-POWUSER iQ.Suite Trailer No role Editor g_trailer.nsf

IQSUITE-USER Quarantine: [Deliver] Editor g_arch.nsf [ToGlobalBL]

[ToGlobalWL]

[ToMyBL]

[ToMyWL]

"Create" permission

IQSUITE-USER iQ.Suite Clerk: [AUTH-BASIC] Author g_del.nsf [CREAT-BASIC]

[READ-BASIC]

IQSUITE-USER iQ.Suite Clerk: No role No Access g_clerkprot.nsf

IQSUITE-USER Blacklist/Whitelist: "Create" permission Author g_connect.nsf

IQSUITE-USER iQ.Suite PDFCrypt: No role Autor g_userpwd.nsf

IQSUITE-USER iQ.Suite Trailer No role No Access g_trailer.nsf

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 142 IQ.SUITE USER PORTAL - SETTING UP THE IQ.SUITE USER PORTAL FOR USERS 

5.4 Setting up the iQ.Suite User Portal for Users

5.4.1 Making Functions Available in the iQ.Suite User Portal

To ensure that users or user groups have access to the iQ.Suite User Portal and are able to perform specific functions, the following requirements must be met:  The databases have been enabled for the users.  The users have been specified in the database definitions: BASICS TAB -> READER FIELD. This is done automatically if the databases are enabled through the Access User Portal (ACL Manager) function.  The users have been entered with the associate roles in the ACLs of these databases (User settings and rights/roles concept).  The correct access level has been set.

For easier operation and administration, you can set the access rights centrally:

1. Open the iQ.Suite User Portal access management feature: GLOBAL ->

ACCESS USER PORTAL:

The Excepted Databases are the ones that can be enabled for your users.

2. Double-click on the desired database. The ACL Manager opens.

As an alternative, select DATABASE DEFINITIONS -> ACCESS MANAGEMENT to open this view directly:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 143 IQ.SUITE USER PORTAL - SETTING UP THE IQ.SUITE USER PORTAL FOR USERS 

Users or user groups who already own access rights to a database and are entered in the ACLs are displayed in the list on the left side of the screen. On the right, you can set the rights/roles concept6.

Use the Domino Directory to assign one of the iQ.Suite groups (IQSUITE-  ADMIN, IQSUITE-POWUSER or IQSUITE-USER) to your users or user groups. The rights/roles concept for these iQ.Suite groups is preset and allows for a reasonable assignment of access rights to the iQ.Suite User Portal7.

3. To add a user to the list, use the ADDRESS BOOK SELECTION and MANUAL

ENTRY buttons. In both cases, the settings of the currently selected entry are copied and assigned to the new user.  Address book selection: Select the desired user from the address book. The new user is automatically entered in the Reader field of the database definitions.  Manual entry: Enter the desired user manually. Using the placeholder asterisk (*) is possible, for instance for hierarchical entries according to

6. Refer to “Rights/Roles Concept in iQ.Suite User Portal” auf Seite 136. 7. Refer to “iQ.Suite Groups” auf Seite 138.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 144 IQ.SUITE USER PORTAL - SETTING UP THE IQ.SUITE USER PORTAL FOR USERS 

the default setting. The user is automatically entered in the Reader field of the database definitions.

The symbols preceding the user entries have the following meaning:

The user is included in the ACLs of this database as well as in the database defi-

nition document (BASICS TAB -> READER FIELD). This database has been enabled, the user has access to its functionality through his/her iQ.Suite User Portal (action buttons).

- The user is included in the ACLs of this database, however not in the database definition document. This database has not been enabled, the user does not have access to its functionality through his/her iQ.Suite User Portal (action buttons).

? The user is already included in the database definition document, but not in the ACLs. Thus, the database has been enabled and it is visible in the users’ iQ.Suite User Portal, but he/she is unable to use its functionality (action buttons). When attempting to access the database, an error message is returned. Click the ENTER button to include the user in the ACLs. The access status then changes to .

+ The user is unknown, the database has not been enabled for him yet. Click the ENTER button to include the user in the database definition document and the ACLs. The access status then changes to .

4. Check the access levels, permissions and iQ.Suite roles assigned8.

5. Make sure the ‚User Portal Access‘ option is enabled. Otherwise the database will not be available to the user in the iQ.Suite User Portal.

6. Click on OK to include the new user in the database definition document and

the ACLs. The access status then changes to . Select REMOVE if the new user is to be removed from the database definition document and the ACLs.

Click on CANCEL to cancel the entire configuration.

7. The new user is displayed in the ACCESS USER PORTAL view. Double-click on the enabled database to open the user-specific access management:

8. Refer to “iQ.Suite Roles” auf Seite 139.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 145 IQ.SUITE USER PORTAL - SETTING UP THE IQ.SUITE USER PORTAL FOR USERS 

In the present example, the head of marketing has access rights to the Trailer database.

As a general rule, under ACCESS USER PORTAL, enabling databases is limited to  quarantine databases, blacklist/whitelist databases, Clerk databases, Clerk protocol databases or Trailer databases. Other database types cannot be made available for the iQ.Suite User Portal. However, the ACL can be configured for other databases through the Access Management function.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 146 IQ.SUITE USER PORTAL - SETTING UP THE IQ.SUITE USER PORTAL FOR USERS 

5.4.2 Special Configurations for the iQ.Suite User Portal

5.4.2.1 User-specific Quarantine Access Configuration

After having enabled the quarantine database and configured the rights/roles

concept, the iQ.Suite User Portal displays the QUARANTINE category with the associated subcategories (Today, This Week, etc.)9.

To ensure that documents (quarantined emails) are also stored under this category and displayed, this needs to be configured in at least one job, e.g. in a Wall mail job Antispam: Block Spam Domains. Otherwise, no quarantined emails

will be displayed in the iQ.Suite User Portal: ADVANCED TAB -> USER-SPECIFIC

QUARANTINE ACCESS -> YES.

Only enable jobs for the user-specific quarantine if they are run after a virus scan  job. Otherwise, it cannot be excluded that, for instance, a spam job is run before a a virus scan job and moves a virus-infected email to the quarantine (that would have been detected by iQ.Suite Watchdog).

To check the jobs that have been enabled for user-specific quarantine access and thus ensure that quarantined emails are displayed in the iQ.Suite User Portal, proceed as follows:

1. Under IQ.SUITE -> GLOBAL -> DATABASE DEFINITIONS, select a quarantine database.

2. Under USER-SPECIFIC QUARANTINE ACCESS click on Mail jobs or Database jobs. All mail jobs or database jobs where you have specified the selected quarantine as quarantine database are displayed. The same action is also available from an open quarantine database:

9. Refer to “Setting up the iQ.Suite User Portal for Users” auf Seite 143.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 147 IQ.SUITE USER PORTAL - SETTING UP THE IQ.SUITE USER PORTAL FOR USERS 

 NO USER ACCESS: Jobs in this category do not have user-specific quarantine access. Documents stored in the quarantine database by these jobs

are not displayed in the iQ.Suite User Portal under the QUARANTINE category (not even to administrators).

 USER ACCESS: Jobs in this category do have user-specific quarantine access. Documents stored in the quarantine database by these jobs are displayed to the users in the iQ.Suite User Portal. Make sure that at least one of these jobs is enabled.

3. Double-click on a job to open the job configuration and enable user-specific

quarantine access, if required: ADVANCED TAB -> USER-SPECIFIC QUARANTINE

ACCESS -> YES -> RECIPIENT IS ALLOWED TO READ QUARANTINED MAIL. This setting is necessary if users are to be able to view their emails that were blocked and quarantined.

Do not allow the quarantine databases (default: g_arch.nsf) to become too big,  as this could result in performance problems for the users (approx. limit: 2 GB). The exact limit depends on your infrastructure and the number of users. To avoid performance problems, you can use a Quarantine index database (default: g_arch_index.nsf). Refer to “Only for Quarantines: Use Quarantine index” auf Seite 26.

If you are using multiple quarantine databases and the users are allowed to switch between these databases, the users require at least ‘Editor‘ rights to the User Portal database (ACL of the g_user.nsf).

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 148 IQ.SUITE USER PORTAL - SETTING UP THE IQ.SUITE USER PORTAL FOR USERS 

5.4.2.2 Configuring the Summary Notification Job

A quarantine summary notification is used to inform internal users about quarantined emails. With a quarantine rule included in the summary notification job, you can specify which emails are to be included in the notification. You can restrict the quarantine report to specific categories or include emails that were quarantined by specific jobs only. This allows to exclude those quarantined emails that users are not authorized to access in any case10.

5.4.2.3 Configuring Jobs for Quarantine Access through Mailbox

Alternatively or additionally to the quarantine summary notification, the personal mailbox of local users can be extended in a way that they can directly access the quarantined emails through their mailbox. This function makes users independent from the delivery intervals of the quarantine summary notification and, in urgent cases, they can directly access their quarantined emails. In comparison with the direct access through the iQ.Suite User Portal, with the method through the mailbox, performance is significantly better11.

5.4.2.4 Whitelist Job Configuration for Automatic Whitelists

When an internal user sends an email to an external communication partner, the external recipient‘s address can be classified as trustworthy. Configure a whitelist job that automatically adds all of the users’ communication partners to a whitelist to whom they send an email12. Depending on the whitelist job configuration, this entry applies to:  the individual user who has sent the original email to the external recipient,  the entire domain, or  all users in the Domino Directory.

This new entry is assigned to the whitelist category specified in the whitelist job.

10. Refer to “Sample Job: Configure Summary Notification” auf Seite 265. 11. Refer to “Sample Jobs: Display quarantined emails in the mailbox” auf Seite 161. 12. For further Information on blacklists/whitelists, please refer to “Address Analysis (Black- lists/Whitelists)” auf Seite 234.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 149 IQ.SUITE USER PORTAL - SETTING UP THE IQ.SUITE USER PORTAL FOR USERS 

When combined with an anti-spam job (Wall Mail Job Advanced), it is possible to configure a scenario where the email address of the external recipient (and, if configured, the entire domain) is considered trustworthy and treated accordingly.

Example:

The internal user David Galler sends an email to the external recipient Anna Glenn. The configured whitelist job will generate a whitelist entry, which sets that Mrs. Glenn is an accepted sender for Mr. Galler. This entry is included in the

whitelist category GENERALWHITELIST. Whenever this whitelist category is specified in a whitelist rule, and this rule is included in an anti-spam job, emails from Mrs. Glenn to Mr. Galler will no longer be checked for spam.

To this end, create a Wall Whitelist Mail Job. Include the InetRecipient and WhitelistSender rules in the job. With the settings in the Operations tab, a whitelist entry will automatically be added to the sender’s personal whitelist for each external recipient to whom an email is sent.

If the sender is to be allowed to edit these automatic whitelist entries, select in the Advanced tab under Mail sender is allowed to edit whitelist entry the ‘Yes‘ option.

Ideally, this job is combined with a job that takes into account the blacklists/whitelists (see section below).

5.4.2.5 Including Blacklists and Whitelists in a Job

To include a blacklist/whitelist in a job, you need to set up an associate rule. So, first create the blacklist/whitelist rule, in which you select the whitelist categories to be included in an anti-spam job as a negated condition.

The rule used in the example is already configured. All you need to do is to enable it and to include it in the job.

1. Open the WLRuleAntiSpam rule: GLOBAL -> MAIL RULES. Click on EDIT:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 150 IQ.SUITE USER PORTAL - SETTING UP THE IQ.SUITE USER PORTAL FOR USERS 

a) Enable the document. b) Under Black-/Whitelist select the desired blacklist or whitelist categories. The selection list is automatically taken from the blacklist/whitelist database g_connect.nsf.

c) If users execute the functions TO MY WHITELIST and TO MY BLACKLIST from the quarantine, entries are created in the blacklist and whitelist categories with the names: -WL or -BL. In the default configuration, only anti-spam jobs are enabled for the user-specific quarantine. Thus, only whitelist entries

of the SPAM-WL category are created. Manual blacklist or whitelist entries

are always placed in the USERS-BL (user blacklist) and USERS-WL (user whitelist) categories. The category created by the whitelist job is also

taken into account. With the default settings, this is GENERALWHITELIST.

2. Configure one or more Wall advanced mail jobs against spam (CORE technology and/or dictionary-based) and include the rule negative in the job.

3. Enable these jobs for user-specific quarantine access: ADVANCED TAB -> 13 RECIPIENT IS ALLOWED TO READ QUARANTINED MAIL .

13. Refer to “Sample Job: Add trustworthy Addresses to a Whitelist” auf Seite240.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 151 IQ.SUITE ACTION -   6 iQ.Suite Action With iQ.Suite Action, extensive interventions in the standard behavior of the iQ.Suite are possible. The mail jobs and database jobs of the iQ.Suite Action module provide functions for the following actions:

 To sign documents  To interpret Notes formulas  To call external programs  To call Notes agents (LotusScript/Java agents)

iQ.Suite Action represents a common iQ.Suite functionality which requires additional licensing only when iQ.Suite Action is used for starting Notes agents. You can check in the job in the Operations tab (Execution mode field) whether a job uses a Notes agent.

At improper use of Notes formulas or Notes agents, unforeseeable effects can  occur. Before running a Notes agent or a Notes formula that is not part of the SAMPLE jobs or DEFAULT jobs, consult the GBS Support Team, the GBS Con- sulting Team or members of the GBS partner program. Otherwise no support is granted. At change of the standard agents, we recommend to copy the g_agents.nsf database under %DataDir%\update\, since the database is overwritten at every iQ.Suite update. Use the database copy in the iQ.Suite jobs.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 152 IQ.SUITE ACTION - ACTION JOBS 

6.1 Action Jobs

There are two types of Action Jobs: Action Mail Jobs and Action Database

Jobs. Action jobs can be configured under GLOBAL -> MAIL JOBS or DATABASE

JOBS1.

6.1.1 Settings in the ‚Operations‘ Tab

The possible settings in the Operations tab are identical in the Action Mail Jobs and Action Database Jobs.

Example with the execution mode ‘Notes formula’:

 Execution mode: Define which actions to execute on emails:  ‘Notes formula’:

1. In the following, only the job-specific details are explained. For information on the settings of the standard tabs, please refer tor “Standard Tabs for Jobs” auf Seite 39.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 153 IQ.SUITE ACTION - ACTION JOBS 

The specified Notes formula is executed. LotusScript is not allowed.

 ‘System call’: An external program is executed according to your settings in the subsequent fields.

 ‘Sign documents’ (only in Action Mail Jobs): Depending on the rules specified in the job document, all emails or only particular emails will be automatically signed. The server ID is used for signing.

 ‘Notes agent run’: A Notes agent is run. With this, you can take advantage of extended possibilities of LotusScript or Java.

Parameters for several execution modes

 Parallel execution: Available for all execution modes. With this option enabled, the action can be executed simultaneously in several threads. This reduces the execution time. Without parallel execution, the action must be completed in one thread before it can be executed in the next thread. By default, parallel execution is disabled.

With Parallel execution enabled, a warning message points out possible risks  of a parallel execution. Parallel execution should only be enabled if you are sure that the action has been designed for a parallel execution. Otherwise, parallel execution may e.g. cause undesired overwriting of data.

 Timeout (in seconds): Available for the execution modes “System call” and “Notes- agent run”. The timeout applies in case the external program/agent run takes too long. When the timeout expires, the program/agent run is aborted and the actions specified under On Errors are executed. The email can be further processed and delivered. Without timeout, the email is blocked until the program/agent is successfully run.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 154 IQ.SUITE ACTION - ACTION JOBS 

Parameters for the execution mode ‘Notes formula’

Notes formula: Enter a Notes formula.

Use the CHECK CORRECTNESS OF FORMULA SYNTAX button to check whether the entered Notes formula has a correct syntax.

Write the formula result in a selectable field: With ‘Yes’, the formula result will be written in a field. The following options are displayed:

 Field name: Specify the desired name for the field in which the formula result shall be written.

 Write field as RFC822 text:  ‘No’: The field is written with the Notes data type that the formula returns. This can be Text, Number, Time value or a list variant of them.

 ‘Yes’: The field is written as RFC822 Text type. The formula result must have the type “Text” or “Text list”, in the last case with exactly one list item.

Conversions, e.g. from Number to Text, and merging several list items to one text, must be performed by the formula itself if required.

Use the Field name field to specify the desired RFC822 Text field name. iQ.Suite converts it automatically to the corresponding Notes field name by replacing minus characters with underscores. Example: If you enter “X-Example-Header”, a field X_Example_Header with the content “X-Example-Header: ” is written.

 Flags to be set for field: Here, you can specify flags to be set for the field (additional properties). The names of the flags are the same as in the Domino documentation and e.g. in the field properties displayed in the Properties window. You can find the meaning of these flags in the Domino documentation:

 SUMMARY

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 155 IQ.SUITE ACTION - ACTION JOBS 

 NAMES: only available for the type “Text” or “Text list”, not for “RFC822- Text”

Only in database jobs:

 PROTECTED  READ-ACCESS (requires NAMES flag)  READ/WRITE-ACCESS (requires NAMES flag)

Use address resolver on formula result: With ‘Yes’, the address resolution is used on formula results of the type “Text’ or “Text list”. Therefore, the formula result should be an address or address list as well.

 Resolve groups / Resolve forwarding addresses: Determine whether to use the address resolution for groups and/or forwardings. Groups and forwardings will not be recursively resolved.

Address format for address resolution: Specify the target format for the address or the single addresses of the address list:

 ‘Original address’: The addresses will not be converted. They remain as they are in the formula results. In case of groups or forwardings, they remain as they are specified in the groups or forwardings in the Domino Directory. Therefore, depending on the formula result or entries in the Domino Directory, the addresses can have different formats. This can be Notes addresses or Internet addresses. Examples:

Notes address: Anna Glenn/MyOrg -> unchanged Internet address: "Anna Glenn" -> unchanged

 ‘Lookup address’: Addresses will be converted in a way that they can be used for lookup into the $Users view of the Domino Directory. For this, all characters are converted to small letters, and unnecessary parts of the addresses are removed, e.g. local domains or phrases.

Examples:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 156 IQ.SUITE ACTION - ACTION JOBS 

Anna Glenn/MyOrg@MyNotesDomain -> anna glenn/myorg "Anna Glenn" -> aglenn [email protected] -> [email protected] MyGroup -> mygroup

 ‘Normalized’: Addresses will be converted in the same way as they are used by iQ.Suite as key, for example in views or for address comparisons. For this, the addresses are converted to lookup addresses which are then searched in the Domino Directory:

If an address is found, the first entry under “User Name” in the Domino Directory document is used for persons, for groups the “Group name” is used. The name is abbreviated, i.e. qualifiers such as "CN=", "OU=" or "O=" are removed, and a '@' character and the domain specified in the Domino Directory document are added to the name. If no domain is specified, the local server domain is added.

If the address is not found, the lookup address is kept. The erhaltenen addresses are converted to small letters.

The conversion to the normalized form allows to compare Notes addresses in different formats with each other and with Internet addresses in different formats:

Example:

Anna Glenn/MyOrg -> anna glenn/myorg@mynotesdomain

"Anna Glenn" -> anna glenn/myorg@mynotesdomain

[email protected] -> [email protected] [email protected] -> mygroup@mynotesdomain MyGroup -> mygroup@mynotesdomain

 ‘Full name or list name‘: The addresses will be converted to the format “Normalized”. However, the domain is not added and no conversion to small letters is done. Examples:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 157 IQ.SUITE ACTION - ACTION JOBS 

Anna Glenn/MyOrg -> Anna Glenn/MyOrg "Anna Glenn" -> Anna Glenn/MyOrg [email protected] -> MyGroup MyGroup -> MyGroup

 ‘Internet’: The respective Internet addresses will be determined. If an address is found in the Domino Directory and an Internet address is specified in the Domino Directory document, this address is returned. Otherwise, the normalized address is returned.

Examples:

Anna Glenn/MyOrg -> [email protected] "Anna Glenn" -> [email protected] [email protected] -> [email protected] MyGroup -> [email protected]

Parameters for the execution mode ‘System call’

 System command: Enter the path (including filename) of the program to be run and any parameters required by the program.

You can use placeholders for the parameters. Placeholders can be used for all fields contained in an email. The placeholders consist of the field name enclosed in percent symbols (%) e.g. %SUBJECT%.

You can, for example, simulate the Notes 'Mailnotification' function: You want the New Mail notification pop-up window to open not on the recipient's PC, but on the administrator's. To do this, use the NET.exe program and the ‘Send’ parameter.

 Call mode: If an external DOS program is to be executed, you can divert the output from this program to the Domino server console to monitor the program start time and message output.

 Return code on successful execution:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 158 IQ.SUITE ACTION - ACTION JOBS 

iQ.Suite Action must be able to determine whether the external program has been correctly executed. Usually, programs output return codes which indicate whether an error occurred. Generally, the return code '0' (zero) is returned in case of success.

The return values of the program are described in the program documentation.

Parameters for the execution mode ‘Sign documents’

For this execution mode, no setting parameters are available.

Parameters for the execution mode ‘Notes agent run’

 Database hosting agent: Specify the path to the database which contains the agent to run.

 Agent name: Specify the name of the agent to run.

6.1.2 Action Mail Jobs

Action Mail Jobs for emails arrived on the mail server are started in the similar way as regular mail jobs according to its priority. The MailGrabber starts the Action mail jobs and executes the configured actions. Sample jobs are available

under GLOBAL -> MAIL JOBS.

6.1.2.1 Replacing German Umlauts

The mail job DEFAULT - Remove German Special Chars replaces german umlauts. Using a Notes formula, this job allows to replace all german umlauts (with their two-letter equivalents) in all emails sent through the Internet.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 159 IQ.SUITE ACTION - ACTION JOBS 

6.1.2.2 Extending Emails with an additional field

Emails can be modified before delivery to the recipients by using agents, e.g. to add fields, to delete existing fields, etc. The sample job SAMPLE - Modify Mail with Agent extends emails with the field SampleField (‘Sample text’ value) by using the Java agent Sample write Field. Use this agent as an example for your individual configurations.

6.1.3 Action Database Jobs

Action Database Jobs for documents stored in databases are started in the similar way as regular database jobs at regular intervals or event-controlled. The DatabaseGrabber starts the Action database jobs and executes the configured

actions. Sample jobs are available under GLOBAL -> DATABASE JOBS.

6.1.3.1 ‘Advanced’ Tab

Only for Action Database Jobs: In the Advanced tab, define with No start on and No start at when the job shall not be executed (days and times), e.g. during database replication.

For further information on the job configuration, please refer to the HELP.

6.1.3.2 Sample Job: Send Notification on Database Changes

An example for using iQ.Suite Action is the SAMPLE - Send Notification about New/Modified Document in Sales Database job. This event-controlled job notifies the members of an address list by email whenever changes were made to a particular database. This is useful if a group of employees uses a database like a "bulletin board" to post group-specific information. To use this job, select the database in the Basics tab and enable the job. For the Notes formula, enter the group list from the Domino Directory in the Operations tab. The members of the group are notified of any changes to the database.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 160 IQ.SUITE ACTION - ACTION JOBS 

6.1.3.3 Sample Jobs: Display quarantined emails in the mailbox

For safety reasons blocked emails are not delivered to the internal users but stored in the quarantine database. To grant local users access to their quarantined emails, the following methods are available:  Direct access via iQ.Suite User Portal. Refer to “iQ.Suite User Portal” auf Seite 126.

 Access via quarantine summary notification. Refer to “Quarantine Summary Notifications” auf Seite 264.

 Access via the personal mailbox of the user. Refer to the description of this section.

The advantage of access via the personal mailbox is first, that the local users are independent from the intervals at which the quarantine summary notification is delivered and second, that the procedure provides high-performance. For this, the following Action database jobs are required:  DEFAULT - Create index folders in quarantine  DEFAULT - Add quarantine folder to user mailboxes

Add index folder to the quarantine

For each local user for whom emails are put into quarantine, the database job DEFAULT - Create index folders in quarantine creates an index folder. This index folder is a prerequisite for running the DEFAULT - Add quarantine folder to user mailboxes job.

1. Click on GLOBAL -> DATABASE JOBS and open the Action job DEFAULT - Cre-

ate index folders in quarantine. Click on EDIT.

2. Enable the job. The job is pre-configured and does not require further modification. The jobs starts in a two-minutes interval and checks whether new quarantined emails are stored in the quarantine database g_arch.nsf. If a new quarantined email is found, it is added to the index folder. After a refresh or a restart of the Notes client, the quarantined email is displayed in the users‘ mailbox. In case of errors, the administrator is notified per default.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 161 IQ.SUITE ACTION - ACTION JOBS 

Note that the first job execution can last for some time, since every quarantined  email is assigned to an index folder within the quarantine database. We recommend postponing the first job start to off-peak time. At every following job start, the duration for email processing is very short – also at high email traffic, since only new quarantined emails are processed. For this, the default setting for the job start is set to a two-minutes interval.

In distributed environments without database replication, do not use the quaran-  tine database g_arch.nsf. Otherwise the database names on both servers are identical.

Add a quarantine link to the mailboxes

In the mailbox of the local users, the database job DEFAULT - Add quarantine folder to user mailboxes extends the Notes outline “Mail” with a link that refers to the quarantine database (here: iQ.Suite Quarantine). The link name corresponds to the title of the quarantine database.

For the mailbox changes, no manual template customizations are necessary.

By clicking on the link iQ.Suite Quarantine the quarantine database is opened. Every user can only see the quarantined emails addressed to him/her.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 162 IQ.SUITE ACTION - ACTION JOBS 

If there are periodical design updates configured for the Notes client, e.g. every  night, make sure that the Action job DEFAULT - Add quarantine folder to user mailboxes is started after this update. Otherwise the quarantine link created by the job will be overwritten.

1. Click on GLOBAL -> DATABASE JOBS and open the Action job DEFAULT - Add

quarantine folder to user mailboxes. Click on EDIT.

2. Enable the job. The job is pre-configured and does not require further modification.

3. The job starts every night, by default. In case of errors, the administrator is notified. If required, set the ToolKit_OutlineAgentLoglevel parameter in the notes.ini to log the job processing2.

It might be possible that the links are not displayed before restarting the Notes  clients.

The job runs only on person documents that are entered in the Domino Direc-  tory. At every job start, the fields MailFile, MailServer and Owner from the personal documents are analyzed (Form is Person rule). Groups are not considered. If mail-in databases shall be processed by the job, use the additional Form is Database rule.

In the iQ.Suite User Portal the corresponding rights have to be set. Refer to  “Rights/Roles Concept in iQ.Suite User Portal” auf Seite 136.

2. Refer to “Description of the Global Parameters (except Job Results)” auf Seite 33.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 163 IQ.SUITE WATCHDOG -   7 iQ.Suite Watchdog iQ.Suite Watchdog provides comprehensive protection of your Notes/Domino environment from email attacks, viruses and harmful content in emails and attachments. The security concept provided by Watchdog allows to analyze over 200 file formats. Using a fingerprint technology, this also includes archives.

A seamless combination with iQ.Suite Crypt ensures that encrypted emails and file attachments are analyzed as well. In addition, it is possible to use multiple scan engines in parallel, which further increases the security of your infrastructure by using different scan algorithms.

The UTILITIES menu provides configuration documents for components to be integrated in Watchdog mail jobs or Watchdog database jobs such as virus scanners, unpackers, etc.

Job types (Mail Jobs)

 Type: Watchdog Attachment Filtering Mail Job This job can block emails with certain file attachment types like multimedia files, archives or files that exceed a maximum file size. To achieve this, the email attachments are checked for the file restrictions defined by you.

Refer to “Sample Job: File and Size Restrictions on the Mail Server” on page 224.

 Type: Watchdog Attachment Filtering Mail Job Pro In addition to the features offered by the Watchdog Attachment Filtering Mail Job, this job permits to use action sequences for the configuration of actions.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 164 IQ.SUITE WATCHDOG - 

Refer to “Sample Job: File and Size Restrictions on the Mail Server” on page 224.

 Type: Watchdog Mail Job (legacy) This job is still available for existing customers who had configured Watchdog Mail Jobs prior to the introduction of the new job types (prior to iQ.Suite 20.1) and want to continue using these jobs. In new configurations and in case of greater changes to the configuration, it is recommended to use the new job types: Virus Scanning Mail Job (Pro) or Attachment Filtering Mail Job (Pro). The SAMPLE Jobs and the DEFAULT Jobs of the standard configuration are based on the new job types.

 Type: Watchdog PDF Protection Mail Job This job can check top-level PDFs and PDF files in top-level PDFs for undesirable elements such as prohibited file attachments, JavaScript objects and unknown URLs.

Refer to “PDF Protection: Checking PDFs for Undesirable Elements” on page 214.

 Type: Watchdog URL Scanning Mail Job With the URL Scanning feature, plain-text and HTML bodies of emails can be scanned for suspicious URLs and phishing URLs.

Refer to “URL Scanning” on page 210.

 Type: Watchdog Virus Scanning Mail Job This job scans emails for viruses.

Refer to “Sample Job: Virus Scanning on the Mail Server” on page 196.

 Type: Watchdog Virus Scanning Mail Job Pro In addition to the features offered by the Watchdog Virus Scanning Mail Job, this job permits to use action sequences for the configuration of actions.

Refer to “Sample Job: Virus Scanning on the Mail Server” on page 196.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 165 IQ.SUITE WATCHDOG - IQ.SUITE WATCHDOG OVERVIEW 

7.1 iQ.Suite Watchdog Overview

7.1.1 Notes about Virus Scanners

The iQ.Suite supports various third-party virus scanners for performing virus checks. Each virus scanner is configured and connected with a Watchdog job by one virus scanner document and one Engine document. For each supported virus scanner, the iQ.Suite standard configuration contains preset configuration

documents for each supported virus scanner under WATCHDOG -> UTILITIES ->

VIRUS SCANNER ENGINES and WATCHDOG -> UTILITIES -> VIRUS SCANNERS.

Integrated virus scanner are installed during the iQ.Suite setup and can be used directly after iQ.Suite installation is completed (e.g. ‚Sophos Scan Engine Sandboxing‘). A licence for the virus scanner can be requested at the iQ.Suite licensing and must not be acquired separately. The virus patterns required for virus scanning are updated by the manufacturer periodically. This ensures virus protection even in case of new invented malware. For this, the iQ.Suite downloads the new virus patterns and other data required for the scanning from the Internet (download area). The search and download interval for new patterns can be configured. Detailed information on the latest engine and/or virus pattern versi-

ons are listed under WATCHDOG -> UTILITIES -> VIRUS SCANNER VERSIONS.

The following virus scanners are provided as integrated scanner versions1:

 Avira This virus scanner uses the ‘Avira Scan Engine’ (for Domino in the 32-bit or 64-bit version) and offers the possibility to use the Avira Protection Cloud (APC), additionally to the conventional virus scanning procedure.

Refer to “What is “Avira Protection Cloud”?” on page 192.

 Kaspersky This virus scanner uses the ‘Kaspersky Scan Engine’ and thus offers the possibility to use the Kaspersky Cloud Protection and the Anti-Phishing URL detection, additionally to the conventional virus scanning procedure.

1. For further information on the virus scanners, please refer to the separate documents (techDocs). Download under www.gbs.com.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 166 IQ.SUITE WATCHDOG - IQ.SUITE WATCHDOG OVERVIEW 

Refer to “What is “Cloud Protection”?” on page 183 and “Specialty: Kas- persky Anti-Phishing URL Detection” on page 185.

 McAfee This virus scanner uses the ‘McAfee Scan Engine’.

 Sophos This virus scanner uses the ‘Sophos Scan Engine’ and offers the possibility to use the so-called Live Protection with or without Sandboxing Protection. When ‘Sandboxing Protection’ is enabled, ‘Live Protection‘ is automatically enabled too.

Refer to “What is ‘Sophos Live Protection’?” on page 195 and “What is ‘Sophos Sandboxing Protection’?” on page 195.

 Command Line Scanner (Parameter) This document type is used to call programs for virus scanning. This virus scanner uses the Engine called ‚Command Line Scanner‘.

Refer to “Engine For Command Line Scanner” on page 187.

For further Information such as configuration details, please refer to the  Comments tab in the Engine document.

To initialize and run a Watchdog virus scan job, you need to have a virus scanner  installed and correctly configured. Otherwise, error messages appear.

7.1.2 Note for unpackers in replicated environments

As of iQ.Suite version 22.0, all unpackers are using an improved Sandbox process. The 'soap.' prefix in the names of unpacker DLLs is no longer needed. In case of new iQ.Suite installations and as well in case of installations when all iQ.Suite replicas have been updated, there is no need for action.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 167 IQ.SUITE WATCHDOG - IQ.SUITE WATCHDOG OVERVIEW 

Note for replicated environments: For unpackers, older iQ.Suite versions are  usually using the previous Sandbox which can be recognized by the 'soap.' prefix as part of the DLL name. In case of replications with older iQ.Suite versions, the 'soap.' prefix in front of the DLL name of unpackers must remain. This way, it can be ensured that these iQ.Suite versions continue using the Sandbox.

7.1.3 Unpackers for Archives and PDFs

iQ.Suite Watchdog generally does not have access to the files contained in archives (e.g. ZIP or RAR) or in PDFs. Archives and PDFs must therefore first be unpacked before Watchdog can perform a virus or file attachment scan.

The default unpacker for archives ‘Unpacker’ is an integrated which is available as a on all operating systems except AIX. For AIX, the external unpacker ‘Unzip’ is available. These unpackers are installed during iQ.Suite installation and are already enabled when the iQ.Suite installation is completed. They require no additional configuration.

The formats supported by the respective unpacker and the parameters which can  be used are listed in the Comments tab of the unpacker document.

The integrated unpacker for PDFs ‘PDFextract’ is installed during iQ.Suite installation as well, but it must be explicitly enabled for use.

Jobs are carried out with all enabled unpackers, for both email and database  scanning.

To be able to use additional command-line unpackers, you must first install them on the Domino server. Then, create a configuration document for the new

unpacker under WATCHDOG -> UTILITIES -> UNPACKER and enable the document.

Archives and PDFs can be recursively unpacked. Refer to Toolkit_Decompression_Depth under “Description of the Global Parame- ters (except Job Results)” on page 33.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 168 IQ.SUITE WATCHDOG - IQ.SUITE WATCHDOG OVERVIEW 

7.1.4 File Restrictions

7.1.4.1 General

iQ.Suite Watchdog checks unpacked attachments with so-called In addition, the fingerprints can be used, to only check certain file attachment types of an email, e.g. to split virus checking between two virus scanners. Every file attachment type

is represented by an individual fingerprint (WATCHDOG -> UTILITIES -> FINGER-

PRINTS).

7.1.4.2 Fingerprints

Fingerprints may be based on different criteria: binary file patterns and/or the file extension or on hash values.

The Binary Pattern identifies a file attachment by means of distinct binary file data. The binary pattern defined in the fingerprint as hexadecimal value is searched for in the file.

The Name Pattern identifies an attachment by means of its filename and/or its file extension, e.g. Att01.cdf or *.cdf. Name patterns can be used to quickly react to new virus attacks even before a virus pattern update is available from the manufacturer of your anti-virus application. In such a case, define a new fingerprint with the virus‘ name pattern. You can also block individual files. If your company employs custom software that uses its own file formats, you can also create fingerprints for these files, which you can use, for instance, to prevent files of this type being sent as email attachments to recipients outside the company.

Unlike name patterns, a binary pattern represents a distinct mapping to a file  format and therefore is not manipulable so easily.

The Hash Value identifies a file attachment by its contents.

Different files have different SHA-2562 hash values. The SHA-256 hash values of two files are only the same if their contents are exactly the same.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 169 IQ.SUITE WATCHDOG - IQ.SUITE WATCHDOG OVERVIEW 

MD5 hash values are shorter and can be computed faster than SHA-256 hash values. Two different files won't have the same MD5 hash value by accident, but it is possible to intentionally create two files with the same MD5 hash value.

Both SHA-256 and MD5 can be used for quickly blacklisting specific files. For example, if all emails of a spam surge happen to contain the same PDF attachment, the hash value of this PDF can be used in a fingerprint to identify and quarantine these spam emails.

SHA-256 is also suitable for whitelisting specific files, for example, for blocking all executable files by a binary pattern except a short list of files known to be benign that are identified by their hash values.

If in doubt, use SHA-256 instead of MD5.

The search result is compared with further file restrictions of the job and, accordingly, either blocked or allowed. For blocked file attachments, the actions defined in the job are performed.

Examples for an action:  The complete document is placed in the quarantine database.  The attachments are removed or the email is deleted, depending on the configuration.  A notification is sent to the administrator, sender and recipient.  A report is generated and saved in the quarantine database, which details how and why the attachment was processed. The reports are available under

QUARANTINE -> REPORTS and the originals under QUARANTINE -> ORIGINALS.  Emails are scanned for prohibited file attachments or other file restrictions when they arrive on the mail server by the MailGrabber. Alternatively, documents stored in databases can be scanned by the DatabaseGrabber.

2. SHA-256 is a cryptographic hash function. Even though, in theory, there can be two different files with the same SHA-256 hash value, in practice, it is infeasible to find or create such files. This makes SHA-256 a reliable method for identifying the contents of a file. It is used for digital signatures and similar applications.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 170 IQ.SUITE WATCHDOG - IQ.SUITE WATCHDOG OVERVIEW 

7.1.5 Processing Description - Virus Check

Virus scanning with iQ.Suite Watchdog can refer to either emails which arrive on the mail server or to emails in databases.

7.1.5.1 Virus Scanning on the Mail Server

Depending on the configuration, the following sequence is possible:

1. The virus scanning job (Virus Scanning Mail Job or Virus Scanning Mail Job Pro) starts. The virus scan detects a virus and triggers a virus alarm. The actions defined in the job for the „Virus found“ case are carried out:

2. A copy of the email is put in the database.

3. Before being delivered to its recipient, the original email is processed according to the processing mode (in the Virus Scanning Mail Job) or according to the configured actions (in the Virus Scanning Mail Job Pro). Example: The virus is removed.

4. The administrator is notified.

5. A scan report is generated and saved in the quarantine database. This report contains the following information:  The type/name of the found virus (only if the virus scanner provides this information in a suitable form)  Whether the virus was removed.  Sender and recipient of the email  Subject of the email  Which job was executed  Other relevant information on the document and the scan.

 The test reports are stored under QUARANTINE -> REPORTS. The associ-

ated original documents are to be found under QUARANTINE -> ORIGINALS.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 171 IQ.SUITE WATCHDOG - IQ.SUITE WATCHDOG OVERVIEW 

7.1.5.2 Virus Scanning in Databases

When databases are replicated (refer to ), there is a risk that viruses are transmitted from one database to the replicates of this database. The Watchdog database jobs check the databases for viruses. Like in all iQ.Suite database jobs you can define whether the job starts according to a time schedule or on an event-controlled basis.

When databases are scanned, a notification is sent to the administrator and, where applicable, to the document owner. The reports and the originals are also saved to the quarantine database.

7.1.6 Configuration Process for Virus Check

To use iQ.Suite Watchdog for virus checks, proceed as follows:

1. Configure the Virus Scanner Engine for the virus scanner to be used for the virus check. Refer to “Creating an Engine Document” on page 175.

2. Configure a virus scanner document which contains both, the calling parameters for the virus scanner and the Engine document. If required, you can create several virus scanner documents with different calling parameters. Refer to “Creating an Engine Document” on page 175.

3. Configure in Watchdog a virus scanning job (Virus Scanning Mail Job or Virus Scanning Mail Job Pro) or a Watchdog database job and select the configured virus scanner document.

Refer to “Sample Job: Virus Scanning on the Mail Server” on page 196 or “Sample Job: Virus Scanning in Databases” on page 204.

7.1.6.1 Notes for a New Installation

After a new installation of the iQ.Suite for every virus scanner that can be used in the iQ.Suite the following configuration documents are available:  an individual virus scanner document: WATCHDOG -> UTILITIES -> VIRUS SCAN- NER. Example: „Kaspersky Virus Scanner“.  an individual Engine document: WATCHDOG -> UTILITIES -> VIRUS SCANNER ENGINES. Example: „Kaspersky Scan Engine“. The Engine document is pre-

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 172 IQ.SUITE WATCHDOG - IQ.SUITE WATCHDOG OVERVIEW 

set. Make sure that the Engine document is enabled. If required, you can modify the settings, e.g. the update settings for the engine and/or the virus patterns (Update tab). For every virus scanner only one Engine document may exist. Refer to “Creating an Engine Document” on page 175.

7.1.6.2 Notes for an Update Installation

If you update from an iQ.Suite < 21.0, you can use already existing Engine documents in the newer iQ.Suite Version with the advanced iQ.Suite Sandbox Tech- nology. Here, the following scenarios are possible:

 If it concerns a Sophos Scan Engine Sandboxing, the new options for the iQ.Suite Sandbox technology will be displayed in the Advanced tab when you open the Engine document. Here, select the ‘Advanced Sandbox’ option.

 If it concerns a generic Engine document (i.e. all Engines except ‘Sophos Scan Engine Sandboxing’), you cannot switch to the advanced Sandbox in the Engine document. If you want this switch, import the appropriate Engine document from the standard configuration.

iQ.Suite Sandbox Technology

The iQ.Suite Sandbox technology determines the way how virus scanner DLLs are loaded by iQ.Suite:

 ‘Traditional sandbox’: This corresponds to the older sandbox procedure described in a separate sandbox-specific document (techDoc). Download under www.gbs.com.

 ‘Advanced sandbox’: By using the new sandbox technology, the sandbox configuration can be entirely done in the iQ.Suite administration console, instead of traditionally in INI files. Log messages are not put out in log files, but in the iQ.Suite Log. No TCP port is used. As of iQ.Suite 21.0, the Advanced Sandbox is automatically used when new Engine documents are created. Therefore, this setting is not available in the newly created Engine documents.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 173 IQ.SUITE WATCHDOG - IQ.SUITE WATCHDOG OVERVIEW 

7.1.6.3 Notes for a Replicated Installation

Usually, only one Engine document may be activated per virus scanner. In a replicated configuration which is used for several servers it can, however, be necessary to configure the engine differently on every server (e.g. to allow the servers to use different proxy servers for the scanner update).

In such a case more than one activated Engine document may exist for the virus scanner. However, every involved server may use only one Engine document. For this, limit the use of the corresponding virus scanner document in the Advanced tab under Server.

Example

Key data:  Server1 and Server2 are using a replicated iQ.Suite configuration.  iQ.Suite was installed in a new installation.  The McAfee virus scanner is to be used.  Server1 uses Proxy1, Server2 uses Proxy2 as a proxy server.  The Engine document "McAfee Scan Engine" and the virus scanner document "McAfee Virus Scanner" are activated.

Procedure:

1. Copy the Engine document „Sophos Scan Engine" twice (WATCHDOG -> UTI-

LITIES -> VIRUS SCANNER ENGINES). Rename the documents to "McAfee Scan Engine (Server1)" and "Sophos Scan Engine (Server2)".

2. In the "McAfee Scan Engine (Server1)" document select Proxy1. In the "McAfee Scan Engine (Server2)" document select Proxy2.

3. Copy the virus scanner document "McAfee Virus Scanner" twice (WATCHDOG

-> UTILITIES -> VIRUS SCANNER). Rename the documents to "McAfee Virus Scanner (Server1)" and "McAfee Virus Scanner (Server2)".

4. Deactivate the "McAfee Virus Scanner" document.

5. In the "McAfee Virus Scanner (Server1)" document select the "McAfee Scan Engine (Server1)". In the Advanced tab under Server, select Server1.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 174 IQ.SUITE WATCHDOG - VIRUS SCANNING 

6. In the "McAfee Virus Scanner (Server2)" document select the "McAfee Scan Engine (Server2)". In the Advanced tab under Server, select Server2.

7.2 Virus Scanning

7.2.1 Creating an Engine Document

7.2.1.1 All Virus Scanner Engines

After a new installation of iQ.Suite for every virus scanner an individual Engine

document is available under WATCHDOG -> UTILITIES -> VIRUS SCANNER ENGINES (e.g. “McAfee Scan Engine”). Double-click the desired Engine document to open the engine. Refer to the details under “Notes for a New Installation” on page 172.

For every virus scanner several virus scanner documents can be created. How-  ever, only one Engine document may exist for every scanner.

Configuration of the ‘McAfee Scan Engine’ as an example:

1. Make the following settings in the Basics tab:

Activate the configuration document.

2. Open the Update tab:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 175 IQ.SUITE WATCHDOG - VIRUS SCANNING 

Download

Third-party manufacturers frequently provide new engine and virus pattern versions for their virus scanner. With this they prevent quality loss due to new malware. To ensure that the virus scanners always use the most current versions of the virus scanner files, the iQ.Suite can download the updated scanner files from the Internet.

Under Windows, the license keys of Kaspersky and Avira are additionally updated at regular time intervals. a) Download virus scanner files: To enable continuous virus scanner updates, select the 'Yes' option. b) Download interval [minutes]: Define the interval for checking the manufacturer‘s download area for new files. If new files are found, the download is started automatically. c) Download timeout [minutes]: Difficulties on checking the download area or on downloading files result in a timeout (default: 15 minutes). d) Download source: The URL to the download area of the is preset. If you create a new Engine document after an update installation, you can enter the URL specified in the default sample Engine document.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 176 IQ.SUITE WATCHDOG - VIRUS SCANNING 

To specify several sources, separate each entry by a semicolon. An exception is the Avira Scan Engine, in which a comma (instead of a semicolon) has to be set as a separator.

Specialty for the License Keys of Kaspersky and Avira:

The license keys are usually downloaded from the GBS Update Server  (updater.gbs.com), even if another download source is specified. A failed download of a license key does not affect the update of virus patterns and of the Engine.

We recommend to regularly look for new key files to be downloaded from the  GBS website for a manual installation. You will be also informed of new key files via the Newsletter.

e) Notify on download errors: To avoid frequent notifications (e.g. due to temporary network failures), the administrators are not notified about download errors, by default. If the pattern and/or engine files were not updated for some time, alarm mails are sent in the course of the version control, instead (default: 5 days).

Proxy

f) If you plan to use a proxy server for pattern updates, set the Use proxy server field to 'YES'. In the next field, select the configuration document

for the desired proxy servers. Configuration is made under GLOBAL ->

PROXY SERVER.

If using the Protection Cloud (Avira) / Cloud Protection (Kaspersky), you can  additionally select a proxy server for the Cloud (Advanced tab of the Engine).

Version check

Changed versions of the engine and pattern files indicate frequent successful updates, hence, a secure virus scanner.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 177 IQ.SUITE WATCHDOG - VIRUS SCANNING 

g) Perform version check: By default, a version check is performed once a minute. h) Checking interval [minutes]: To change the checking interval for the engine and pattern files enter the desired number of minutes in this field. i) Tolerable time without version changes [minutes]: If the versions of the engine and pattern files remain unchanged for more than 7200 minutes (5 days), the tolerable time period without version changes exceeds and an alarm is triggered. Depending on the selected option under Notifi- cation mode the administrators are informed by email. The following options are available:  ‚Do not notify‘: No notifications are sent. The results of the version checks are logged in the iQ.Suite log.  ‚Notify on alarms‘ (default): As soon as the tolerable time period exceeds, notifications are sent.  ‚Notify on alarms and version changes‘: As soon as the engine or pattern versions are changed, or when the last version change is too long ago, notifications are sent.  ‚Notify on every version check‘: Regardless of version changes, notifications are sent after every version check. j) Notification interval on alarms [minutes]: As long as the tolerable time period is exceeded, notifications are sent in the interval defined in this field and errors are logged in the iQ.Suite log (default: 720 minutes = 12h). k) Notification recipient: By default, the administrator (%Admin%) is defined as the recipient of the notifications for the version check. Select another recipient from the Domino Directory, if required.

3. Open the Advanced tab:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 178 IQ.SUITE WATCHDOG - VIRUS SCANNING 

a) Runs on OS: Use this field to define on which operating systems the Engine document shall be valid. b) Prevent multiple starts: For some virus scanners it might be reasonable to prevent the scanner from being started more than once while scanning. In this way, Watchdog is able to see whether or not a virus scanner is busy scanning, in which case the scanner is not called again until the current scan is complete. Enable this option in case of frequent error messages. c) Additional initialization options: Usually, no entries are required in this field. Some virus scanners provide, however, additional options to modify initialization. For further information, please contact the GBS Support Team. d) Number of multiple concurrent calls: Number of threads which can call the Sandbox at the same time. For each thread, a Sandbox process is started. Processes that run a Virus Scanner Engine can use a large amount of memory. This setting is used to limit the number of such processes. The default value is determined by the global parameter ToolKit_SandboxMaxInstancesVS whose default value is ‚2‘. The maximum value is ‚6‘. e) Timeout per sandbox process (seconds): Specify here after how many seconds the sandbox process (in which the Virus Scanner Engine runs) is stopped even if the scan process is not completed. This prevents iQ.Suite to be blocked because of crashed virus scanner processes, for example.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 179 IQ.SUITE WATCHDOG - VIRUS SCANNING 

With the default value ‘0’, the global parameter ToolKit_VS__SandboxTimeout (if set) or the global timeout value for virus scanners (usually 300 seconds) determines the timeout value.

f) Limit disk workspace per processed element to (only for Kaspersky Scan Engine): Use this option to enter a limit (in MB) for archives to be unpacked when Kaspersky Scan Engine is used for virus scanning. The value „0“ means no limitation. This option allows to limit the disk usage per scanned element and thus, counteract so-called „zip bombs“. g) Use the Text for return codes field to specify a descriptive text, which will be displayed in addition to the actual return code. The return codes are defined in the virus scanner document3.

4. Save and close the configuration document.

7.2.1.2 Specialty: Avira Protection Cloud

With Avira, you can use the so-called “Avira Protection Cloud (APC)”, additionally to the conventional virus scanning procedure. Refer to “What is “Avira Protection Cloud”?” on page 192.

The use of APC can be enabled in the Avira Virus Scanner document. The Advanced tab of the Avira Scan Engine (32 bit/64 bit) contains APC-specific settings4:

3. For further information on the return codes, please refer to the documentations of the virus scanner manufacturer. 4. For information on the general settings, please refer to “All Virus Scanner Engines” on page 175.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 180 IQ.SUITE WATCHDOG - VIRUS SCANNING 

 Domino: Depending on the bit version of your Domino server, select ‘32 bit’ or ‘64 bit’.

Avira Protection Cloud

 Use proxy server: When using the Protection Cloud, define whether a proxy server should be used for the Cloud functionality. If so, select the configuration document of the desired proxy server in the subsequent field.

 APC mode: Specify the mode to be used for scanning the files:  ‘Check only hash values': Only the hash values of the files are sent to the APC server and compared with the hash values which are already available on the APC server.  ‘Use complete scan functionality': With this option, not only the hash values are sent to the APC server. Additionally, the files are uploaded to the APC server and scanned there.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 181 IQ.SUITE WATCHDOG - VIRUS SCANNING 

APC Blackout Mechanism

The APC component of SAVAPI, when activated, requires a permanent Internet connection. When the Internet connection is interrupted or becomes very slow, this could lead to performance issues while SAVAPI performs multiple scans. In order to avoid those issues, an APC blackout mechanism is implemented that will temporarily disable the APC. In case of cloud availability problems due to a limited or no Internet connection, the files are scanned locally. In case the local engine has found no malware and the APC is accessible again, the APC is used.

The Blackout mechanism is configured using two options, Retries and Timeout, and it works as follows:

 Timeout: In case the APC is not accessible, the timeout specified here will be used. Possible values: 1 - 86 400 seconds (86 400 sec = 24 hours). When the timeout expires, SAVAPI retries to access the APC. If an APC scan could be successfully performed, the APC is declared ‘available’ and will be used again for scanning the next files.

 Retries: Specify the maximum number of consecutive timeouts allowed before declaring APC unreachable. If retries number consecutive scans using APC fail, APC will be declared unavailable and will no longer be used. The rest of the scans will be performed using the local engine only.

With the value '0', attempting to use APC will not end. As long as the APC is not  reachable, no scan result is delivered for the file and the email communication is thereby blocked. If Retries is set to a value > 0 and APC is not reachable, an error with return value 1091 occurs. In order to prevent this error in this case, enter this value in the virus scanner configuration as an OK return code.

 Cache size (in bytes): In order to increase the scanning speed and to save bandwidth, the fingerprints of the files can be stored in a local cache. Thereby, future requests for the same fingerprints can be served faster. The size of the cache greatly affects the time needed by the APC to process the request. The more size available, the more data can be stored and used later.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 182 IQ.SUITE WATCHDOG - VIRUS SCANNING 

Use this field to specify the maximum size you want to allow. With the value ‘0’, the APC cache is disabled.

Default: 5 242 880 bytes (5 MB); Maximum: 104 857 600 bytes (100 MB).

7.2.1.3 Specialty: Kaspersky Cloud Protection

With the ‘Kaspersky Scan Engine’, you can use the so-called “Cloud Protection”, additionally to the conventional virus scanning procedure.

What is “Cloud Protection”?

The conventional virus scanner identifies harmful objects by using virus definitions which are continuously updated online. Additionally to this, Kaspersky uses “Cloud Protection” to detect new malware: Whenever virus protection detects potential malicious software on a computer, a Cloud module transmits the find- ings to a central database of Kaspersky. After analysis and processing by Kasper- sky‘s specialists, this information is made available to all other users. With this, you can benefit from virus information from other users and contribute yourself to improve the detection rate.

This Cloud option requires a separate license.

Some of the incoming emails on the iQ.Suite server contain malware such as virus. When ‘Cloud Protection’ is used, the hash values of the files which were not identified by the local engine as malware are sent to the Kaspersky Security Net-

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 183 IQ.SUITE WATCHDOG - VIRUS SCANNING 

work (Kaspersky Cloud) for additional analysis. The cloud sends back a return value to the iQ.Suite. If the file is classified as ‘clean’ by the cloud (no malware), it is delivered to the recipients. If the file is identified as ‘malware’ and if iQ.Suite is accordingly configured, the file is quarantined.

Cloud Protection can be activated in the Advanced tab of the Kaspersky Scan Engine5:

With the Use Kaspersky Cloud Protection option, decide whether to use or not the Kaspersky Cloud Protection.

If you enable the Cloud Protection, define whether to use a Proxy server for the Cloud. When required, select in the subsequent field the configuration document

of the desired proxy server. Configuration can be made under GLOBAL -> PROXY

SERVER.

5. For information on general settings, please refer to “All Virus Scanner Engines” on page 175.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 184 IQ.SUITE WATCHDOG - VIRUS SCANNING 

7.2.1.4 Specialty: Kaspersky Anti-Phishing URL Detection

For the detection of phishing URLs in message bodies and file attachments of emails, the Anti-Phishing component of Kaspersky is used. Anti-Phishing allows checking URLs to find out if they are included in the list of phishing URLs.

This Anti-Phishing component is built into “Web Anti-Virus” and “IM Anti-Virus” of Kaspersky Anti Virus and requires a separate license.

Anti-Phishing URL Detection can be activated in the Advanced tab of the Kaspersky Scan Engine6:

With the Use Anti-Phishing URL Detection option, decide whether to use or not the Kaspersky Anti-Phishing component.

6. For information on general settings, please refer to “All Virus Scanner Engines” on page 175.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 185 IQ.SUITE WATCHDOG - VIRUS SCANNING 

7.2.1.5 Specialty: Sophos Live Protection/Sandboxing Protection

The ‘Sophos Scan Engine’ and the virus scanner document ‘Sophos Scanner Sandboxing’ are intended for the use of Sophos Sandboxing Protection. When ‘Sandboxing Protection’ is enabled, ‘Live Protection’ is automatically used as well. Refer to “What is ‘Sophos Sandboxing Protection’?” on page 195.

The ‘Sophos Scan Engine’ and the virus scanner document ‘Sophos Scanner No Sandboxing’ are intended for the use of the cloud-based Sophos Live Protection (without Sandbox). Refer to “What is ‘Sophos Live Protection’?” on page 195.

Configuration of ‘Sophos Scan Engine’

Sophos Live Protection / Sandboxing Protection

For ‘Live Protection’ with or without Sandboxing, use the DNS Server field to specify the IP address of the DNS server to be used by iQ.Suite to request the hash values.

In the Sandbox data center field, specify the URL of the sandbox data center you want to use.

The possible URLs are:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 186 IQ.SUITE WATCHDOG - VIRUS SCANNING 

 https://sandbox.sophos.com (default, automatic): If no URL is specified, this default URL will be used. In this case, the sandbox of the data center which the Sophos client can reach the fastest is used. It is not necessarily the data center geographically closest to your site.

 https://de.sandbox.sophos.com: This is the sandbox in the German data center.

 https://eu.sandbox.sophos.com: This is the data center commonly used in Europe.

The settings which are available in all Scan Engines are described under “All Virus

Scanner Engines” on page 175.

7.2.1.6 Engine For Command Line Scanner

For calling a program for virus check, use the Command Line Scanner Engine and the virus scanner called Command Line Scanner (Parameter).

Configuration of the Engine

a) The Call mode field defines how the virus scanner is to be started:  'Program': The virus scanner is started as command line program. This corresponds to manually calling a program in a MS-DOS prompt window through its filename and the associated parameters.  'Program with command line output': The virus scanner is also started as command line program, but with the scanner’s screen outputs redirected to the Domino server console, i.e. the latter displays the scanner’s messages.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 187 IQ.SUITE WATCHDOG - VIRUS SCANNING 

 'DLL': The virus scanner is started with a DLL. b) The Operating mode field defines whether the virus scanner is able to check for viruses only or also can clean infected files where applicable:  'Scan only': Any viruses detected are not removed, but the virus alarm actions defined are carried out.  'Clean while scanning': Any viruses detected will be immediately removed. If the file to be checked can be cleaned, a virus warning is returned. If the virus cannot be eliminated, a virus alarm is triggered.  'Clean after scanning': The files are first checked without cleaning. If a virus is found, scanning is interrupted to clean the infected file, after which scanning is resumed. If the file to be checked can be cleaned, a virus warning is returned. If the virus cannot be eliminated, a virus alarm is triggered.

A cleaning procedure with option 2 or 3 is only started if the 'Clean - otherwise  remove affected attachments' option is selected in the General modify option field of the job.

c) Path (Scan): Specify the path to the program file so that Watchdog can call the program. The %ExecDir% entry corresponds to the ToolKit_ExecDir parameter in the notes.ini.

For information on the general settings, please refer to “All Virus Scanner Engines”

on page 175.

7.2.2 Creating a Virus Scanner Document

7.2.2.1 All Virus Scanners

1. Open the virus scanner document of the desired virus scanner: WATCHDOG ->

UTILITIES -> VIRUS SCANNER: a) Enable the configuration document. b) Use the Fingerprints to select the types of file attachments that shall be checked7. c) Select the previously created Engine document.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 188 IQ.SUITE WATCHDOG - VIRUS SCANNING 

2. Open the Settings tab:

a) Scan call: Use the Parameter (Scan) field to specify the call parameters for virus scanning. For further information, please refer to the context- sensitive help and the Comments tab in the Engine. b) Return code: Configure the return codes of the virus scanner. The return code texts are set in the Engine document. Possible return code values:  ’OK’: Indicates that the virus scanner was called properly. No errors occurred an no virus was detected.  ’Virus’: Indicates a virus. Define within the job how to proceed with infected emails.  ’Denied’: Indicates detection of something prohibited, e.g. a password-protected file. Define within the job how to proceed with such emails.  ’Password-protected files’: Indicates a compressed and password- protected file. Define within the job how to proceed with such emails. All return codes here not mentioned are processed as errors in the job.

3. Open the Advanced tab:

7. For further information on fingerprints configuration, please refer to “Configuration Document for File Restrictions” on page 222.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 189 IQ.SUITE WATCHDOG - VIRUS SCANNING 

a) Mode: You can use different virus scanners for mail jobs and database jobs. To ensure that the virus scanner document is only used by the desired job, select the appropriate mode. b) Runs of OS: Use this field to define on which operating systems the virus scanner document shall be valid. c) Server: This field defines the servers on which the document is valid. By default, the virus scanner documents are valid for all servers (*). d) Jobs using this virus scanner and Jobs not using this virus scanner: Use these fields to connect the virus scanner document with certain Watchdog jobs.

4. Save the virus scanner document.

7.2.2.2 Avira: Specialty for the Avira Protection Cloud

Open the Virus Scanner document: WATCHDOG -> UTILITIES -> VIRUS SCANNER ->

AVIRA VIRUS SCANNER (32 BIT OR 64 BIT):

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 190 IQ.SUITE WATCHDOG - VIRUS SCANNING 

1. Activate the configuration document.

2. Select the corresponding Engine document. Refer to “Specialty: Sophos Live Protection/Sandboxing Protection” on page 186.

3. Under Use Avira Protection Cloud, determine whether to use or not the Avira Protection Cloud (APC). Refer to “What is “Avira Protection Cloud”?” on page 192. The following options are available:

 ‘Yes, all file types’: All file types will be uploaded to the Avira Cloud.  ‘Yes, selected file types’: With this option enabled, you can select fingerprints in order to upload only certain file types to the Avira Cloud.  ‘No’ (default): The Avira Protection Cloud (APC) will not be used.

4. Save the virus scanner document.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 191 IQ.SUITE WATCHDOG - VIRUS SCANNING 

What is “Avira Protection Cloud”?

Avira Protection Cloud (APC) is an optional component of SAVAPI that enables files of the type “Portable Executable” and “Non-Portable Executable” to be scanned in the Avira Cloud. The additional scan in the cloud improves the malware detection rate.

For scanning Portable Executable files, a separate license is required.

For Non-Portable Executable files, an additional separate license is required. Ple- ase contact the GBS Sales team, if needed.

(1) The application (iQ.Suite) scans a file on a computer. The local engine does not find any malware.

The file‘s fingerprint is sent to the local cache and there compared with the fingerprints contained in the cache. The result is one of the following options:

 The fingerprint is available in the cache. The cache sends the status of the fingerprint to SAVAPI. The status may be ‘clean’ (malware-free) or ‘malware’. Then, SAVAPI sends a corresponding return value to the iQ.Suite.

 (2) If the fingerprint is not available in the cache, the fingerprint is sent to the APC. (3) There, it is compared with the fingerprints which are known to the APC. The result is one of the following options:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 192 IQ.SUITE WATCHDOG - VIRUS SCANNING 

 (A) If the fingerprint is available in the APC, the APC sends the status of the fingerprint to SAVAPI (i.e. ‘clean’ or ‘malware’).  (B) If the fingerprint is not available in the APC, the complete file is uploaded to the APC server. After a deeper analysis in the cloud, it is declared as ‘clean' or ‘malware’.

(4) The APC sends the status of the fingerprint to SAVAPI. Then, SAVAPI sends a corresponding return value to the iQ.Suite.

(5) If the file is classified as malware, the file is handled according to your configuration in the iQ.Suite.

7.2.2.3 Specialty: Sophos Live Protection/Sandboxing Protection

Open the virus scanner document: WATCHDOG -> UTILITIES -> VIRUS SCANNER ->

 Sample document for using Live Protection without Sandboxing: SOPHOS SCANNER NO SANDBOXING  Sample document for using Sandboxing Protection (including Live Pro- tection): SOPHOS SCANNER SANDBOXING

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 193 IQ.SUITE WATCHDOG - VIRUS SCANNING 

Example with ‘Sophos Scanner No Sandboxing’:

1. Activate the configuration document.

2. Select the corresponding Engine document. Refer to “Specialty: Sophos Live Protection/Sandboxing Protection” on page 186.

3. Under Use Sophos Sandboxing Protection, determine whether to use or not the Sandboxing option. With the ‘Yes, selected file types’ option, you can select fingerprints to allow the upload of files to the Sophos Cloud only for certain file types. When ‘Sandboxing Protection’ is enabled, ‘Live Protection‘ is automatically enabled too. ‘Live Protection’ can also be used without ‘Sandboxing Protec- tion’. Refer to “What is ‘Sophos Sandboxing Protection’?” on page 195.

If Sandboxing is enabled, additional options are available:

 You can use a proxy server for the communication between iQ.Suite and the cloud-based Sandbox. Proxy servers can be configured under

GLOBAL -> PROXY SERVER.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 194 IQ.SUITE WATCHDOG - VIRUS SCANNING 

 In the Timeout Sandbox field, specify the number of minutes after which the email processing will be aborted if the Sandbox has not returned an analysis result.

4. If ‘Sandboxing Protection’ is disabled (‘No‘ option), then you can enable the cloud-based ‘Sophos Live Protection’ under Use Sophos Live Protection. Refer to “What is ‘Sophos Live Protection’?” on page 195.

5. Save the virus scanner document.

For ‘Sandboxing Protection’, an iQ.Suite license extension is required. The same  applies for ‘Live-Protection’, unless you have already a license extension for Sandboxing.

What is ‘Sophos Live Protection’?

If using “Live Protection”, the hash values of the files which were not identified as malware by the local engine are sent to the Sophos Cloud (named “Sophos Cen- tral”) for a further analysis. The Cloud sends then a return value to iQ.Suite. If the file was classified by the Cloud as ‘harmless’, it is delivered. If it was identified as malware, it can be moved to the Quarantine if accordingly configured.

No information about the original email (e.g. sender, recipient) is transmitted to the Sophos Cloud.

What is ‘Sophos Sandboxing Protection’?

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 195 IQ.SUITE WATCHDOG - VIRUS SCANNING 

The ‘Sophos Scan Engine with Sandboxing’ acts in the first instance like the Sophos Scan Engine, i.e. it performs a local virus check based on the downloaded engine and pattern files. If this virus check provides no clear result, the determined hash value of the file is sent to the Sophos Cloud (named “Sophos Central”) for further analysis. If also the cloud-based hash value analysis provides no clear result, then an anonymized copy of the suspicious file is sent to the Sandbox. In the Sandbox, the file is executed in a secure Cloud environment and its behavior is monitored and analyzed. If the analysis data is classified as a threat, the file is rejected and blocked. If the file is considered as harmless, it is delivered.

By using the information coming from the Sandbox, iQ.Suite Watchdog finally creates for each threat event a forensic report which gives some deeper insights and context information.

7.2.3 Sample Job: Virus Scanning on the Mail Server

As of iQ.Suite 22.0, there is the Watchdog Virus Scanning Mail Job Pro for virus scanning. In contrast to the older virus scanning job types, "Watchdog Virus Scanning Mail Job" and "Watchdog Mail Job", this job permits the configuration of actions through action sequences.

The configuration of the Watchdog Virus Scanning Mail Job Pro is described hereafter including some hints that point out the differences to older job types. For a detailed description of the "Watchdog Virus Scanning Mail Job", please refer to Administration Manual of iQ.Suite 21.1. A description of the "Watchdog Mail Job" can be found in the Administration Manual of any former version of iQ.Suite.

Notes on older job types:

 In the OPERATIONS -> ENCRYPTION tab of older job types, it is possible to define actions which are executed in the case of Notes-encrypted emails. This option is no longer provided in the "Watchdog Virus Scanning Mail Job Pro".

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 196 IQ.SUITE WATCHDOG - VIRUS SCANNING 

 The "Allow attachments" option in the Advanced tab of the "Watchdog Mail Job" is no longer offered in the more recent jobs.

7.2.3.1 Configuration of the ‚Virus Scanning Mail Job Pro‘

The tabs of the Virus Scanning Pro Job example DEFAULT - Virus Check all

Mails (accessible via: WATCHDOG -> MAIL-JOBS) is described hereafter.

7.2.3.2 ,Basics‘ Tab

In the Basics tab, enable the job.

The default settings in the rules are as follows: The job applies to all emails (Runs on field) – regardless of whether they have an attachment or not. There are no exceptions for incoming or outgoing emails to be defined in rules.

In a replicated environment, the job will run 'on all servers'. This means that an email may be processed several times by the same job on several servers.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 197 IQ.SUITE WATCHDOG - VIRUS SCANNING 

7.2.3.3 ,Operations' -> ‚Options‘ Tab

 Use unpackers: Using an unpacker allows packed archives to be checked for virus-infected files if this cannot be done by the used virus scanners themselves. In older job types: in ‚Advanced‘ tab.

 Consider decompression depth: Use the Consider decompression depth field to define whether or not and up to which level the decompression depth is to be taken into account when checking archives. Setting such a limit is recommended to avoid attacks while ensuring a consistent performance. This limit (default value: 5) is set in the global parameter Decompression

Depth . For further Information, please refer to “Global Parameters” on page 31. In older job types: in ‚Advanced‘ tab

 Extract embedded HTML images: This option allows to extract images which are embedded in HTML bodies and to pass them to the Watchdog Job for processing. These images are treated as part of the email body, i.e. like UU-encoded files which are extracted from the body.

 Treatment for exceeding decompression depth: In case of exceeded decompression depth, the email is treated as described in one of the tabs described hereafter. In the example: as defined in Error actions. In older job types: in ‚Advanced‘ tab.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 198 IQ.SUITE WATCHDOG - VIRUS SCANNING 

 Notification text for modify option ’Remove attachments’: Use this field to enter a text to be included in the notification when attachments are removed, for example, if they contained a virus. In Watchdog Virus Scanning Mail Job: in ‚Advanced‘ tab. This setting is not offered in older job types.

 Process long-term virus scanning in the background: If the Sophos Sandboxing Protection (option in the virus scanner document) is used, scanning files for viruses in the Cloud-based Sandbox can be time-consuming. This could block the processing of other emails which do not require any check in the Sophos Sandbox. To avoid this, enable the option Process long-term virus scanning in the background to perform time-consuming virus checks in the background. Also refer to ToolKit_MGrabBackgroundThreads under “ToolKit_MGrabBackgroundThreads” on page 9. In older job types: in ‚Operations‘ tab.

7.2.3.4 ,Operations‘ -> ‚No Alert‘ Tab

Use the No Alert tab to define the actions to be performed if no viruses and no prohibited or password-protected attachments were found and also no other error occurred during the attachment processing.

Available are:

 A variety of actions which are described under “Actions” on page 47.  Further actions:  Delete the entire email  Only delete all attachments of the email.

 Option ‘Add Notes field to email’ By using this option, the subject line of the email can be extended with the note ‘’. For this, enter ‘Subject’ in the Field name field and enter the note in the Content field:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 199 IQ.SUITE WATCHDOG - VIRUS SCANNING 

In the No Alert tab of the DEFAULT job, only the action ‘Add Notes field to email’ ist set.

In the same tab of older job types, only the option ‘Append message to subject’ is available. With this option enabled, the email subject can be extended as well.

The extension of the email subject implies a change of the email. A possibly exis-  ting signature will be destroyed.

7.2.3.5 ,Operations‘ -> ‚Virus‘ Tab

Use the Virus tab to define the actions to be performed when a virus was found in the text or in attachments of the email.

Available are:

 A variety of actions which are described under “Actions” on page 47.

 Further actions:  Delete the entire email  Only delete all attachments of the email.  Only delete the attachments affected by the virus  Try to clean the affected attachments and only delete them if cleaning does not work.

The set actions are performed before all further actions for prohibited, password- protected or erroneous attachments are performed.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 200 IQ.SUITE WATCHDOG - VIRUS SCANNING 

In the example job, the email is copied to the quarantine, the administrator and the recipient of the email are notified about the virus and then the email will be deleted.

In older job types, the actions for deletion or cleaning are set by the general modify option in the ‚Operations‘ tab and, in the ‚Operations‘ -> ‚Virus‘ tab, it can be chosen if these general actions should be performed.

In older job types, use the ‚Misc‘ tab to define where to move the email in the quarantine. In the ‚Operations‘ -> ‚Virus‘ tab, the decision whether to copy the email into the quarantine is taken by specifying a category for the quarantine.

In older job types, the administrator, the recipient and the sender of the email can be notified.

In the Watchdog Mail Job, the ‚Operations‘ -> ‚Virus‘ tab is used to decide about the use of virus scanners. This option is no longer offered in all new ‚Virus Scan- ning Jobs‘, since those jobs always check for viruses.

7.2.3.6 ,Operations‘ -> ‚Denied Attachments‘ Tab

Use the Denied Attachments tab to define the actions to be performed when a prohibited attachment was reported by an unpacker or a virus scanner. For further information on virus scanners, refer to “All Virus Scanners” on page 188.

Available are:

 A variety of actions which are described under “Actions” on page 47

 Further actions:  Delete the entire email  Only delete all attachments of the email  Only delete the affected, prohibited attachments.

The set actions are performed after the actions for virus-affected attachments and before all further actions for password-protected or erroneous attachments are performed.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 201 IQ.SUITE WATCHDOG - VIRUS SCANNING 

In the example job, no actions are set.

In older job types, the actions for deletion or cleaning are set by the general modify option in the ‚Operations‘ tab and, in the ‚Operations‘ -> ‚Denied Attach- ments‘ tab, it can be chosen if these general actions should be performed.

In older job types, use the ‚Misc‘ tab to define where to move the email in the quarantine. In the ‚Operations‘ -> ‚Denied Attachments‘ tab, the decision whether to copy the email to the quarantine is taken by specifying a category for the quarantine.

In older job types, the administrator, the recipient and the sender of the email can be notified.

In the Watchdog Mail Job, the ‚Operations‘ -> ‚Denied Attachments‘ tab is used to decide about the use of file restrictions. This option is no longer offered in all newer ‚Virus Scanning Jobs‘, since those jobs do not check for file restrictions. Those are checked by the newer Attachment Filtering Jobs.

7.2.3.7 ,Operations‘ -> ‚Password Protection‘ Tab

Use the Password Protection tab to define the actions to be performed when an attachment could not or not completely be processed by a unpacker or a virus scanner because it was protected by a password. For further information on virus scanners, refer to “All Virus Scanners” on page 188.

Available are:

 A variety of actions which are described under “Actions” on page 47.

 Further actions:  Delete the entire email  Only delete all attachments of the email  Only delete the affected password-protected attachments.

The set actions are performed after the actions for virus-affected or prohibited attachments and before the actions for erroneous attachments are performed.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 202 IQ.SUITE WATCHDOG - VIRUS SCANNING 

In the example job, the recipients are notified about unchecked attachments if this had occurred.

In older job types, use the ‚Operations‘ -> ‚Password Protection‘ tab to define whether password-protected attachments are allowed or not. If they are allowed and the email is to be copied to the quarantine, a category can be specified. The recipients can be notified about unchecked password-protected attachments.

If password-protected attachments are not allowed, in older job types, it can be chosen if the actions set by the general modify option in the ‚Operations‘ tab should be performed. Use the ‚Misc‘ tab to define where to move the email in the quarantine. In the ‚Operations‘ -> ‚Password Protection‘ tab, the decision whether to copy the email into the quarantine is taken by specifying a category for the quarantine.

In older job types, the administrator, the recipient and the sender of the email can be notified.

7.2.3.8 ,Operations‘ -> ‚Error‘ Tab

Use the Operations -> Error tab to define the actions to be performed if an error occurred during the processing of an attachment. This can be caused by an unpacker or a virus scanner. For further information on virus scanners, refer to “All Virus Scanners” on page 188.

Available are:

 A variety of actions which are described under “Actions” on page 47.

 Further actions:  Delete the entire email  Only delete all attachments of the email  Only delete the affected erroneous attachments.

The set actions are performed after all actions for virus-affected, prohibited, or password-protected attachments.

In the example job, the email is copied to the quarantine and the administrator is notified.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 203 IQ.SUITE WATCHDOG - VIRUS SCANNING 

In older job types, the deleting actions are set by the general modify option in the ‚Operations‘ tab and, in the ‚Operations‘ -> ‚System Errors‘ tab, it can be chosen if these general actions should be performed.

In older job types, use the ‚Misc‘ tab to define where to move the email in the quarantine. In the ‚Operations‘ -> ‚System Errors‘ tab, the decision whether to copy the email to the quarantine is taken by specifying a category for the quarantine.

In older job types, the administrator, the recipient and the sender of the email can be notified.

7.2.3.9 ,Misc‘ Tab

In the example job, in the ‚Job is critical‘ field, select the option Upon initialization and runtime errors. This means that the emails remain in the Mail.box in both cases and the email processing is not continued.

For a detailed description of the ‚Misc‘ tab, refer to “Misc Tab” on page 49. That description also includes the options which are available in older jobs, but no longer in the Watchdog Virus Scanning Mail Job Pro. The options omitted in this job are reflected by the individual actions in the ‚Operations‘ tab.

7.2.4 Sample Job: Virus Scanning in Databases

1. Open the DEFAULT - DB Virus Check job under WATCHDOG -> DATABASE

JOBS and click on EDIT:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 204 IQ.SUITE WATCHDOG - VIRUS SCANNING 

a) Enable the job. b) Default settings in the rules: The job starts daily at 11 PM and applies to all databases in the Notes mail directory. The job will run for all new and modified documents. Any documents already processed by the job in a previous run are ignored.

2. Open the Operations tab:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 205 IQ.SUITE WATCHDOG - VIRUS SCANNING 

a) Use the General modify option field to set how a document is to be treated when prohibited or virus-infected attachments are found.  'Delete document': The document is deleted.  'No changes': The document is left unchanged, i.e. the attachments are neither removed nor cleaned.  'Clean - otherwise remove attachment': A virus-infected attachment is cleaned and then re-attached to the document. In case the attachment cannot be cleaned or if it is subject to the file restrictions set, it is removed.  'Remove attachments': Prohibited or virus-infected attachments are systematically deleted. Use the other tabs to set whether the action selected here is to be performed for prohibited or virus-infected attachments or in case of an error. If an attachment has been removed, a text is included in the message to show that the file was prohibited for one of the reasons above (ToolKit_WDog_Opts). b) The settings in the Upon Virus tab apply to virus-infected attachments:  Use the Perform general modify option field to set whether or not the actions defined under General modify option are to be per-

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 206 IQ.SUITE WATCHDOG - VIRUS SCANNING 

formed for virus-infected emails. Please note that if set to ’No’, virus- infected attachments will be neither cleaned nor removed.  In the Category in Quarantine report field, set the category under which the message is to be displayed in the quarantine, in this example Database virus.  Use the notification templates to inform the administrator and the document owner of the actions8. c) The settings in the Upon Denied Attachments tab apply to attachments prohibited due to applicable file restrictions. The individual fields are set in the same way as in the Upon Virus tab. Please note that if Perform general modify option is set to ’No’, prohibited attachments will not be removed. This may be useful if the administrator wishes to be informed of specific attachment types or of attachments that exceed a specific size. Archiving is also possible without removing the attachment.

d) The settings in the Upon Errors tab apply to actions to be performed in case of an error. The individual fields are set in the same way as in the Upon Virus tab. Please note that if the Perform general modify option is set to ’No’, prohibited or virus-infected attachments will be neither cleaned nor removed. The documents remain in the database, but they represent a certain risk, because an attached password-protected ZIP file (for instance) is not unpacked. Such files can be kept in the database by the owner regardless of any file restrictions.

3. Open the Advanced tab:

8. Refer to “Notification Templates” on page 37.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 207 IQ.SUITE WATCHDOG - VIRUS SCANNING 

a) The Use scanners field is used to set whether a virus scanner is started at all. For instance, if a document has already been checked for viruses by a preceding job9, a second job may not have to repeat this check and could focus on file restrictions only10. This would save server load. b) Use unpackers: In case the virus scanner used is unable to do so, using an external unpacker allows packed archives/attachments to be checked for virus-infected files. c) Use the Consider decompression depth field to define whether or not and up to which level the decompression depth is to be taken into account when checking packed archives. Setting such a limit can be used to avoid attacks while ensuring a consistent performance. This limit (default value: 5) is set in the global parameter

Decompression Depth. Refer to “Global Parameters” on page 31. Alterna- tively, you can also set the parameter in the notes.ini: ToolKit_Decompression_Depth=

9. Refer to “Sample Job: Virus Scanning on the Mail Server” on page 196. 10. Refer to “Sample Job: File and Size Restrictions on the Mail Server” on page 224.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 208 IQ.SUITE WATCHDOG - VIRUS SCANNING 

d) As set in this example, the Treatment for exceeding decompression depth field sets that the document is to be treated as defined in the Sys- tem Errors tab. e) Use the Use restrictions field to set whether or not documents and attachments are to be checked for file restrictions. The restrictions them-

selves are defined within a separate document. Refer to “Configuration

Document for File Restrictions” on page 222. f) Use the Attachments field to allow or forbid file attachments altogether. If set to ’No attachments allowed’, attachments are systematically prohibited. The rules can be used to set exceptions for specific persons and user groups. If set to ’Check attachments’, attachments are allowed but not necessarily all file types. The file restrictions allow to specify such prohibited file types. If you have selected the General modify option ’Remove attachments’ in the Operations tab, an additional field appears: Notification text for ’Remove attachments’ mode. This field can be used to set a text for the administrator. g) Under Encryption you can set how Notes-encrypted documents are to be treated. As a general rule, Notes-encrypted documents cannot be checked, as the server would have to know the key to do so. Set this field to ’Allowed’ if such documents are to be left unchecked in the database. If set to ’Denied’, Notes-encrypted documents are treated as set in the General modify option field. h) Under the No start on and No start at fields enter the date and time at which a job is not to be run, for instance during a periodic database replication. i) With User-specific quarantine access set to ’No’, the recipients are not allow to view quarantined documents. The reason is that no user should be allowed to access virus-infected documents.

4. Leave the settings in the Misc tab unchanged and save the job.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 209 IQ.SUITE WATCHDOG - URL SCANNING 

7.3 URL Scanning

With the URL Scanning feature, plain-text and HTML bodies of emails can be scanned for suspicious URLs and phishing URLs.

For URL Scanning, the Kaspersky Scan Engine is included in the Kaspersky URL Scanner and this URL Scanner is integrated into a URL Scanning Mail Job.

7.3.1 Engine Configuration

Refer to “Creating an Engine Document” on page 175.

7.3.2 URL Scanner Configuration

1. Open the URL Scanner document: WATCHDOG -> UTILITIES -> URL SCANNER

-> KASPERSKY URL SCANNER:

2. Enable the document.

3. Select the configured Kaspersky Scan Engine.

7.3.3 Sample Job: Scan Email Bodies for Suspicious URLs

The SAMPLE - URL Scanning job extracts the email bodies and search in the bodies for URLs by using regular expressions. Afterwards, it checks whether the found URLs are suspicious by using either the locally downloaded URL patterns or the URL lists existing in the Kaspersky Cloud (depending on your configuration in the Kaspersky Scan Engine).

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 210 IQ.SUITE WATCHDOG - URL SCANNING 

Job Configuration

1. Click on WATCHDOG -> MAIL JOBS and open the SAMPLE - URL Scanning

job. Then, click on EDIT11:

a) Enable the job. b) Default settings in the rules: The job applies to 'Selected mails' (Runs on field). According to the preset rule InetSender, only emails from Internet senders will be scanned.

In a replicated environment, the job will run ‘on all servers’. This means that an email may be processed several times by the same job.

2. Open the Operations tab:

11. This example only illustrates the job-specific details. For a description of the settings under standard tabs, please refer to “Standard Tabs for Jobs” on page 39.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 211 IQ.SUITE WATCHDOG - URL SCANNING 

a) The pre-configured Kaspersky URL Scanner is selected. Make sure that the selected URL Scanner is enabled.

b) The section Regular Expressions contains the regular expression to be used to search for URLs. If required, you can edit the sample expression and/or enter additional regular expressions. For each regular expression, use a separate line.

c) Use the Alarm tab / System Errors tab to determine which user groups (administrator, sender, recipient) has to be notified and which notification templates are to be used for the notifications sent when a suspicious URL was found (Alarm) or when an error occurred (System Errors).

Refer to “Notification Templates” on page 37.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 212 IQ.SUITE WATCHDOG - URL SCANNING 

The following placeholders can be used in the notifications mentioned above:

%ExtractedUrl% or %ExtractedUrlSec% %ExtractedUrlCount% %SuspiciousUrl% or %SuspiciousUrlSec%

For further information on the placeholders, please refer to “Placeholders” on page 59.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 213 IQ.SUITE WATCHDOG - PDF PROTECTION: CHECKING PDFS FOR UNDESIRABLE ELEMENTS 

7.4 PDF Protection: Checking PDFs for Undesirable Ele- ments

Use Watchdog PDF Protection to check top-level PDFs and PDF files in top- level PDFs for undesirable elements such as prohibited file attachments, JavaScript objects and unknown URLs. If undesirable elements are found, the top-level PDF can be cleaned or removed from the email. Alternatively, the email can be entirely deleted. This depends on your configuration.

Elements defined as “prohibited“ can be e.g. file attachments of certain types or sizes, JavaScript objects or other annotations such as URLs to harmful web pages.

Watchdog PDF Protection is only working on Windows.

7.4.1 Important Definitions

Concepts which are used in the context of Watchdog PDF Protection and need an explanation are defined below:

 Top-level PDF PDF which is directly attached to an email. A PDF in an archive (e.g. ZIP or RAR) is not a top-level PDF.

 Annotations As “comment annotations”, we usually mean elements which can be retroactively added on PDF pages by using the comment functions of PDF readers. Examples:

 Highlight or strike out text Examples: Mark important text passages with colors or with wave- like/continuous lines; strike out text passages.

 Enter comments in text form Add comments in text form in the PDF; information tags or text fields can be created and put over the original text.

 Highlight comments by drawing

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 214 IQ.SUITE WATCHDOG - PDF PROTECTION: CHECKING PDFS FOR UNDESIRABLE ELEMENTS 

Highlight comments by using colors and shapes (e.g. rectangles, arrows, circles and clouds).

 Link to a file (file annotation) Highlight comments by using a file.

Besides the “comment annotations” mentioned above, there are the following annotations which we name “interactivity annotations”:

 JavaScript objects With “JavaScript objects”, we mean all JavaScript objects embedded in PDFs, e.g. JavaScript annotations.

Beside the regular use of JavaScript in PDFs, attackers can embed JavaScript in PDF files in oder to produce undesirable effects.

 Link annotations With “Link annotations”, we mean page-link annotations used to jump at different positions in the PDF and URL annotations. The latest can be used to link to harmful web pages in order to phish information.

7.4.2 Selection Tab

Use the Selection tab define which file attachments to prohibit in the checked PDFs by restricting the allowed file sizes and fingerprints.

With “file attachments”, we mean here embedded files and file annotations in the scanned PDFs.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 215 IQ.SUITE WATCHDOG - PDF PROTECTION: CHECKING PDFS FOR UNDESIRABLE ELEMENTS 

 Convert emails from Richtext to MIME: This job can only process emails available in MIME format. With this option enabled, the Richtext emails are first converted to MIME so that the job is able to process them. If this option is disabled, the Richtext emails are passed to the next job in the job processing chain without having been processed by this job.

 Verbose processing log: Not depending on the set log level, additional processing information will be written to the Quarantine report.

 Attachment size must be greater/smaller than ... KB: You can enter a minimum and/or maximum file size to prohibit specific file attachments of the checked PDF because of their file size. Example: File attachments which are greated than 500 KB, but smaller than 1000 KB.

 Prohibit the following file types: Select fingerprints to determine which attachments of the PDF files are to be marked as “prohibited”:  ‘All file types’: All file types will be prohibited.  ‘Selected file types’: Define which file types to prohibit by selecting fingerprints. Under except, you can exclude a subset of the selected file types form the prohibition.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 216 IQ.SUITE WATCHDOG - PDF PROTECTION: CHECKING PDFS FOR UNDESIRABLE ELEMENTS 

The conditions for file size and file types are linked by a logical AND.  Example: Only the EXE files greater than 500 KB should be “prohibited”. If the scanned PDF contains such a file, all ‘Restricted Actions’ (actions for “Restriction found”) will be executed. If an EXE file with 450 KB is found, then the EXE will be marked as “admitted”.

 Scan inside compressed attachments: Use the EDIT ARCHIVES button to determine which types of archives contained in top-level PDFs are to be decompressed until the maximum number of extracted archive levels is reached (e.g. the archive types ‘ZIP’ and ‘RAR’). Archives which are attached directly to emails will not be unpacked. The files extracted from archives are individually checked for prohibited fingerprints. If the archive contains a PDF, this PDF is separately checked for prohibited elements.

The maximum number of extracted levels is ‘5’. Also refer to “PDFs from unpacked archives” on page 221.

Nested PDF files in top-level PDFs are extracted and always checked for prohibited elements until the maximum number of extracted archive levels is reached. The ‘Scan inside compressed attachments‘ option has no impact on this.

Once the maximum number of extracted archive levels is exceeded, processing of the current element (PDF or archive) is aborted with an error.

7.4.3 Options Tab

Use the Options tab to define the constraints for Annotations contained in PDF files:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 217 IQ.SUITE WATCHDOG - PDF PROTECTION: CHECKING PDFS FOR UNDESIRABLE ELEMENTS 

 Allow all annotations: All found annotations remain unfiltered in the processed PDFs. An exception are the file annotations which are prohibited according to the configuration in the Selection tab.

 Prohibit all annotations: All types of annotations will be marked as “prohibited”, including all URLs and JavaScript objects. Even the file annotations which are allowed according to the configuration in the Selection tab will be marked as “prohibited”.

 Prohibit selected annotations:  ‘JavaScript’: Watchdog PDF Protection cannot extract any JavaScript codes and check them for legitimacy. Consequently, all JavaScript objects found in PDFs will be marked as “prohibited” if this option is enabled.  ‘URLs’: The URLs will be extracted from the PDF and filtered against the whitelist configured in the Allowed addresses field: All URLs which are not specified as allowed addresses are marked as “prohibited”.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 218 IQ.SUITE WATCHDOG - PDF PROTECTION: CHECKING PDFS FOR UNDESIRABLE ELEMENTS 

Use a separate line for each allowed address. The wildcards “?” and “*” can be used in the addresses.

 All PDF files must be processed successfully This option is only relevant for emails which contain several PDFs.

If this option is enabled (default) and at least one PDF of the email could not be successfully processed (error), actions are executed depending on the error type:

 Loading error: All occured errors were loading errors => The “Loading actions” (Malformed PDF Actions) are executed.  Other errors: For at least one PDF, an error occured (except loading errors) => The “Error Actions” are executed.

If this option is disabled and at least one PDF of the email could be successfully processed, the following cases are possible:

 No prohibited elements in PDF(s) found: There is no reason to execute actions => No actions are executed.  Prohibited elements found: Prohibited elements were found in at least one PDF => The actions for “Restriction found“ (Restricted Actions) are executed. Refer to “Actions: Restricted / Malformed PDF / Error” on page 220.

 Ignore password-encrypted PDF files: Password-encrypted PDFs cannot be processed.

 Option is enabled (default): Password-encrypted PDFs will be ignored and therefore cannot trigger the defined error actions.  Option is disabled: Password-encrypted PDFs will not be ignored and can trigger the error actions.

Encrypted PDFs without user password can be processed and cleaned, if requi-  red, because no password is required to load these PDFs.

 Ignore signed PDF files:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 219 IQ.SUITE WATCHDOG - PDF PROTECTION: CHECKING PDFS FOR UNDESIRABLE ELEMENTS 

On the one hand, it seems to be rather improbable that harmful PDFs are signed, on the other hand a signature improves the semblance of serious- ness in case of harmful PDFs. Use this option to decide whether to ignore or process signed PDFs. Consider for your decision that signatures are invalidated in case of cleaning.

Ignored PDF files are skipped, i.e. not processed, and are irrelevant for the option  All PDF files must be processed successfully.

7.4.4 Actions: Restricted / Malformed PDF / Error

You can define the following action types:

 Restricted Actions: Actions to be executed when no errors occurred, but prohibited elements were found in at least one PDF.

 Malformed PDF Actions: Actions to be executed when at least one PDF could not be successfully loaded.

 Error Actions: Actions to be executed when at least one error (except load error) occurred during job execution.

For general information on “Actions” in iQ.Suite jobs, please refer to “Actions” on page 47. In the following, only the job-specific actions are described:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 220 IQ.SUITE WATCHDOG - PDF PROTECTION: CHECKING PDFS FOR UNDESIRABLE ELEMENTS 

Restricted Actions (Actions for “Restriction found”):

 ‘Delete email’: If the email contains a PDF with prohibited elements, the email will be irrevocably deleted from the server and will not be delivered to the recipients. With the ‘Copy to Quarantine’ option enabled, a copy of the email can be kept in the quarantine.

 ‘Delete attachment’: If the processed email contains a PDF with prohibited elements, the PDF is deleted from the email. The email will be further processed without the PDF.

 ‘Clean attachment’: The prohibited elements will be removed from the PDF. The PDF will then be re-attached to the email in a cleaned state.

If the email to be processed contains several PDFs, the actions to be executed depend on the setting of the option All PDF files must be processed successfully is considered.

Refer to “All PDF files must be processed successfully” on page 219.

No actions are executed if no error occurs during job execution and one of the following cases applies:

 The email contains no PDF.  The email contains only ignored PDFs.  The email contains only loadable PDFs without prohibited elements.

PDFs from unpacked archives

 PDFs from unpacked archives are scanned, but they can be neither cleaned nor deleted from the archive. If an archive is atttached to a top-level PDF and this archive contains a PDF file, this PDF file is checked for prohibited elements. If this PDF file contains prohibited elements, then the complete archive is marked as “prohibited”. Hence, the top-level PDF contains a prohibited file atttachment (the archive). The subsequent actions depend on the selected actions.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 221 IQ.SUITE WATCHDOG - FILE RESTRICTIONS 

7.5 File Restrictions

iQ.Suite Watchdog is used for virus detection, primarily. Watchdog, however, can be used to block emails with certain attachment types e.g. multimedia files or emails that exceed a configurable data size.

Scanning for file restrictions with iQ.Suite Watchdog requires

 an Attachment Filtering Mail Job (Pro) or a Watchdog database job. Refer to “Sample Job: File and Size Restrictions on the Mail Server” on page 224 or “Sample Job: Virus Scanning in Databases” on page 204.

 a configuration document for file restrictions. Refer to “Configuration Document for File Restrictions” on page 222.

7.5.1 Configuration Document for File Restrictions

You can use to configure Watchdog such that emails with certain file types are blocked. In addition to a configured Watchdog job, you need a configuration document in which to set the prohibited file types (file restrictions).

1. Click on WATCHDOG -> UTILITIES -> FILE RESTRICTIONS to configure the configuration document for file restrictions.

2. Select one of the preset SAMPLE documents from the list, for example,

SAMPLE - Denied big mails, or click on the NEW button to add a new configuration document.

3. In the Basics tab, click on EDIT and set the document to 'Active' :

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 222 IQ.SUITE WATCHDOG - FILE RESTRICTIONS 

Under Fingerprint click on one of the following icons to define the file types allowed: Select categorized, Select a-z, Edit or New.

 ’At least one of list’: The job actions are executed whenever one of the files specified in the list of fingerprints is found.  ’None of list’: The job actions are executed for all file types not included in the list of fingerprints.

Under the Except field exceptions for certain file types can be defined. For

further Information on individual file types, please refer to FINGERPRINT -> UTI-

LITIES -> FINGERPRINTS.

In this example, all files in the list are selected, as the restriction is to apply to the size of the attached files and not to specific file types. Emails with file attachments are blocked – independently of its file type, if the configured size limit is exceeded.

4. Open the Settings tab:

a) Use the Type field to set whether attachments are to be prohibited as of a specific size/number or systematically. The ‘Deny always‘ option is used to block all of the files defined, while selecting ‚Deny by limit‘ provides additional options concerning the file size. b) Make sure that the settings do not cancel each other out. With a combination such as Deny by limit and No limit, all files will be allowed, i.e. Watchdog will not take any action. The settings selected in the example mean that file attachments with a total size exceeding 4 096 KB are prohibited. Change this limit as required.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 223 IQ.SUITE WATCHDOG - FILE RESTRICTIONS 

5. Leave the settings in the Advanced tab unchanged. If you wish to send notifications to the administrator, enter the setting directly in the job.

6. Open the Misc tab: a) Use the Server field to select the server this document is to apply to. It is possible to enter several server names, each on a separate line. The asterisk (*) means the job applies to all servers. b) Select the name of the Job from the selection list. All emails with an attachment that exceeds the size limit set in the file restrictions will be prohibited on all servers. The asterisk (*) means the document is valid for all jobs.

7. Save the document.

7.5.2 Sample Job: File and Size Restrictions on the Mail Server

As of iQ.Suite 22.0, there is the Watchdog Attachment Filtering Mail Job Pro for the checking of the file restriction. In contrast to the older virus scanning job types, "Watchdog Attachment Filtering Mail Job" and "Watchdog Mail Job", this job permits the configuration of actions through action sequences.

The Watchdog Attachment Filtering Mail Job Pro is described hereafter and hints are used to point out the differences to older job types. For a detailed description of the "Watchdog Attachment Filtering Mail Job", please refer to Admi- nistration Manual of iQ.Suite 21.1. A description of the "Watchdog Mail Job" can be found in the Administration Manual of any former version of iQ.Suite.

Notes on older job types:

 In the OPERATIONS -> ENCRYPTION tab of older job types, it is possible to define actions which are performed in the case of Notes-encrypted emails. This option is no longer provided in the Watchdog Attachment Filtering Mail Job Pro.

 The "Allow attachments" option in the Advanced tab of older job types is no longer offered in more recent jobs. It is covered by the actions in the ‚Opera- tions‘ -> ‚No Alert‘ tab.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 224 IQ.SUITE WATCHDOG - FILE RESTRICTIONS 

In the Watchdog Attachment Filtering Mail Job Pro example job, emails arri- ving at the mail server are blocked if they contain a prohibited file attachment type or exceed a certain file size.

7.5.2.1 Configuration of the Attachment Filtering Mail Job Pro

The tabs of the Watchdog Attachment Filtering Mail Job Pro example job

(accessible via: WATCHDOG -> MAIL-JOBS) is described hereafter.

7.5.2.2 ,Basics‘ Tab

In the Basics tab, enable the job.

The default settings in the rules are as follows: The job applies to all selected emails (Runs on field). According to the rules, selected emails are all emails, which do not come from the quarantine (MailRe- sentFromQuarantine) neither are they addressed to the administrator (Recipien- tIsAdmin) nor have they been sent by one (SenderIsAdmin).

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 225 IQ.SUITE WATCHDOG - FILE RESTRICTIONS 

7.5.2.3 ,Operations -> ‚Options‘ Tab

 Consider decompression depth: Use the Consider decompression depth field to define whether or not and up to which level the decompression depth is to be considered when checking archives. Setting such a limit is recommended to avoid attacks while ensuring a consistent performance. This limit (default value: 5) is set in the global parameter Decompression

Depth . For further Information, please refer to “Global Parameters” on page 31. In older job types: in ‚Advanced‘ tab

 Notification text for modify option ’Remove attachments’: Use this field to enter a text that replaces the attachment which was removed from the email, for example, because it was too big. In the ‚Watchdog Attachment Filtering Mail Job Pro example job in the ‚Advanced‘ tab. This setting is not offered in older job types.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 226 IQ.SUITE WATCHDOG - FILE RESTRICTIONS 

7.5.2.4 ,Operations‘ -> ‚No Alert‘ Tab

Use the No Alert tab to define the actions to be performed if no prohibited or password-protected attachments were found and also no other error occurred during attachment processing.

Available are:

 A variety of actions which are described under “Actions” on page 47.

 Further actions:  Delete the entire email  Only delete all attachments of the email.

In the example job, no actions are set in the tab.

In older job types: The option for the subject extension is available in the ,Opera- tions‘ -> ‚No Alert‘ tab.

The extension of the email subject implies a change of the email. A possibly exis-  ting signature will be distroyed.

7.5.2.5 ,Operations‘ -> ‚Denied Attachments‘ Tab

Use the Denied Attachments tab to define the actions to be performed when a file restriction is violated or a prohibited attachment was reported by an unpacker.

Since this is an Attachment Filtering Job, at least one file restriction has to be

configured and be activated: WATCHDOG->UTILITIES -> FILE RESTRICTIONS. In the ‚Misc‘ tab of the file restrictions that you want to use, enter the SAMPLE - Denied Attachments all users job in the ‚Jobs to run with this file restriction‘ field. An asterisk in this field means ‚All jobs‘.

Available are:

 A variety of actions which are described under “Actions” on page 47.

 Further actions:  Delete the entire email  Only delete all attachments of the email

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 227 IQ.SUITE WATCHDOG - FILE RESTRICTIONS 

 Only delete the affected, prohibited attachments.

The set actions are performed before all further actions for password-protected or erroneous attachments are performed.

In the example job, the email is copied to the quarantine, all prohibited attachments are deleted and notifications are sent to the sender, recipient, and the administrator.

In older job types, the administrator, the recipient and the sender of the email can be notified.

In the Watchdog Mail Job, the ‚Operations‘ -> ‚Denied Attachments‘ tab is used to decide about the use of file restrictions. This option is no longer offered in all newer ‚Attachment Filtering Jobs‘, since those jobs always check file restrictions.

7.5.2.6 ,Operations‘ -> ‚Password Protection‘ Tab

Use the Password Protection tab to define the actions to be performed if an attachment could not or not completely be processed because it was protected by a password.

Available are:

 A variety of actions which are described under “Actions” on page 47.

 Further actions:  Delete the entire email  Only delete all attachments of the email  Only delete the affected password-protected attachments.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 228 IQ.SUITE WATCHDOG - FILE RESTRICTIONS 

The set actions are performed after the actions for prohibited attachments and before the actions for erroneous attachments are performed.

In the example job, the email is copied to the quarantine and the recipients are notified about unchecked attachments if this had occurred.

If password-protected attachments are not allowed, in older job types, it can be chosen whether the actions set by the general editing modify option in the ‚Ope- rations‘ tab should be performed. Use the ‚Misc‘ tab to define where to move the email in the quarantine. In the ‚Operations‘ -> ‚Password Protection‘ tab, the decision whether to copy the email to the quarantine is taken by specifying a category for the quarantine.

In older job types, the administrator, the recipient and the sender of the email can be notified.

7.5.2.7 ,Operations‘ -> ‚Error‘ Tab

Use the Operations -> Error tab to define the actions to be performed when an error occurred during the processing of an attachment. This can be caused by an unpacker.

Available are:

 A variety of actions which are described under “Actions” on page 47.

 Further actions:  Delete the entire email  Only delete all attachments of the email  Only delete the affected erroneous attachments.

The set actions are performed after all actions for prohibited or password-protected attachments.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 229 IQ.SUITE WATCHDOG - FILE RESTRICTIONS 

In the example job, the email is copied to the quarantine and the administrator is notified.

In older job types, the deleting actions are set by the general modify option in the ‚Operations‘ tab and, in the ‚Operations‘ -> ‚System Errors‘ tab, it can be chosen whether these general actions should be performed.

In older job types, the administrator, the recipient and the sender of the email can be notified.

7.5.2.8 ,Misc‘ Tab

The example job is critical only upon initialization error.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 230 IQ.SUITE WATCHDOG - FILE RESTRICTIONS 

7.5.3 Sample Job: File and Size Restrictions in Databases

1. Click on WATCHDOG -> DATABASE JOBS and open the DEFAULT - DB Deny File Types job. The configuration of this default job is largely identical to the job described under “Sample Job: Virus Scanning in Databases” on page 204. Proceed as described there and change the following settings:

2. In the Basics tab, set the following: a) Set the Dependence on document edit status field to 'All'. This way, the job will apply to all documents created and/or modified since the last run. b) Set the Dependence on attachment field to 'With attachment'. This way, the job will process documents with one or more attachments. Docu- ments without attachment are ignored.

3. In the Operations tab, set the following: a) In the Upon Virus tab, set all options to 'No', as these settings all refer to virus-infected documents. For the present job, these settings are irrelevant. b) Open the Upon Denied Attachments tab and set the following:  Set the General modify option field to 'Remove attachments', i.e. any attachments that contain a prohibited file type will be deleted.  Set the Perform general modify option to 'Yes'. The documents will be treated as set under General modify option, i.e. the attachments are removed.  Use the notification templates to inform the administrator and the document owner that a prohibited attachment was found in the databases and that this attachment was deleted.

4. In the Advanced tab, set the following: a) Set the Use scanners field to 'No' as this job does not check for viruses. b) Set the Use restrictions field to 'Yes', in order to prohibit the file types defined (using the Edit icon). For instance, from the list displayed, select the SAMPLE Deny Multimedia - DB file restriction document and modify

it as required. Refer to “Configuration Document for File Restrictions” on

page 222.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 231 IQ.SUITE WALL -   8 iQ.Suite Wall iQ.Suite Wall is used to scan emails, documents, and file attachments for spam or undesired content before they are sent to the recipient and to quarantine them if necessary. Quarantine summary notifications regularly inform end users about the emails that have been quarantined for them. Targeted address analysis and classification are used to protect against mail flooding (denial of service) attacks on servers or recipients, and to allow the automatic distribution of emails to defined departments and employees.

In addition to using spam pattern analysis, the iQ.Suite Wall content analysis can be used to analyze emails for specific content and to block them if they violate company policy. Content analysis is also useful for externally addressed emails in order to ensure that outgoing emails conform to the internal security level.

The UTILITIES subcategory provides external programs and elements needed for spam analysis:  DICTIONARIES: At the text analysis emails are checked for undesirable words and/or expressions with dictionaries. Each dictionary has a configured value or weighting.  TEXT ANALYZER: Text analyzers are the executing components used to check the text content. They analyze and evaluate the emails according to the unrequested content found in texts. Besides the message text, this also includes attachments, subject lines and further text fields such as the X-mailer header.  CONVERTER: Converters are used to convert message bodies or attachments before their content is checked by a text analyzer. The conversion eliminates any characters or formats not needed for (or detrimental to) text analysis or converts the file into another file type, also for text analysis purposes.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 232 IQ.SUITE WALL - 

 UNPACKER: Unpackers are used to unpack file archives and PDFs in order to check the files inside them. If an unpacker is selected in the job, the unpacker will decompress file attachments before they are converted by using converters. Unlike iQ.Suite Watchdog, iQ.Suite Wall recursively unpack file attachments which contain nested archives.  FINGERPRINT: A file’s fingerprint is used to identify its type. The contains the binary file patterns. After having checked the result of this analysis against the defined file restrictions, the file is either admitted or rejected. Rejected file attachments trigger the actions specified in the job.  BLACKLIST/WHITELIST: Blacklists and whitelists are used to classify emails as allowed or prohibited, quickly. Allowed emails can be excluded from spam analysis and prohibited emails can be blocked directly on the mail server.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 233 IQ.SUITE WALL - SPAM PROTECTION OVERVIEW 

8.1 Spam Protection Overview

8.1.1 Filtering Methods

iQ.Suite Wall provides a comprehensive protection against spam through a wide range of analysis methods. To ensure an efficient and highly performing spam protection, we recommend to use these methods combined according to the multi-stage job processing1:

8.1.1.1 Address Analysis (Blacklists/Whitelists)

An address analysis job allows to prevent emails coming from senders known to be unrequested from being delivered to the recipients. The unrequested email addresses or entire domains are entered in a blacklist used as filter. On the other hand, an address analysis can also be used to exclude emails from spam analysis if they come from known "acceptable" senders. Such addresses are entered in whitelists. How blocked emails are further processed (e.g. deleted or quarantined), depends on the job configuration. If they are quarantined, the recipient decides for himself what to do with the email (deliver, delete, etc.) and how future emails from this sender are to be handled. To do so, he/she can add the sender’s address to his/her personal blacklist or whitelist (User Blacklist/User Whitelist). For further Information, please refer to “Address Analysis” on page 238.

8.1.1.2 Spam Pattern Analysis

Filtering emails to identify spam is performed through anti-spam engines from third party manufacturers. In the iQ.Suite the engines are provided as analyzers. In general, these analyzers don‘t have to be modified. For configuration sample jobs are available. For further Information, please refer to “Spam Analysis using Spam Analyzers” on page 253.

1. Refer to “Multi-stage Job Processing” on page 235.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 234 IQ.SUITE WALL - SPAM PROTECTION OVERVIEW 

8.1.1.3 Text Analysis

Dictionaries offer a possibility of checking email content for undesirable text. Whenever a configured maximum number of occurrences of search terms listed in the dictionary is exceeded, the email is classified as spam. For further Informa-

tion, please refer to “Configuration Document for Converter” on page 275.

Besides using dictionaries, a text analysis can also be performed using the CORE Analyzer (COntent Recognition Engine), which also analyzes and classi- fies email content. With CORE, the text analysis is based on a statistical learning theory for text classification, where a representative set of incoming and outgoing emails (including SPAM) is analyzed and then used to train a classifier. When combined with the filtering methods above, CORE contributes to a significantly higher spam recognition rate. For further Information, please refer to “Text Analy- sis using CORE” on page 291.

8.1.2 Multi-stage Job Processing

The Wall spam analysis jobs are run according to a proven concept based on several stages. In this concept, the jobs are integrated into the job chain corresponding to the analysis method used:

1. Whitelist scan: Emails from senders included in the whitelist are excluded from further spam analysis.

2. Blacklist scan: Emails from senders included in the blacklist are immediately deleted, quarantined, etc., as configured.

3. Automatic spam pattern analysis with SASI and/or Kaspersky.

4. Text analysis using dictionaries.

5. Text analysis using CORE.

Within the DEFAULT and SAMPLE jobs of the iQ.Suite standard configuration,  appropriate priorities have already been assigned for each job. From experience, this fully functional job chain provides best possible results. The standard configurations can be re-imported whenever required by selecting

EXPORT/IMPORT -> IMPORT STANDARD CONFIGURATION. For further Information, please refer to “Export/Import” on page 17.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 235 IQ.SUITE WALL - SPAM PROTECTION OVERVIEW 

8.1.3 Spam Analysis Sequence

The following description is meant to illustrate how iQ.Suite Wall proceeds to perform spam analysis:

1. A mail job checks an incoming email on the mail server for spam.

2. If positive, the email is considered spam.

3. The job actions defined in the Operations tab are executed according to the priorities assigned in the job.  A copy of the email is stored in the database.  The original email is removed from the mail server.  The administrator, sender and recipient are notified, as required.

4. A report is generated under QUARANTINE -> REPORTS. It provides the details on the email and the analysis, such as:  Type of content found.  Content that triggered the action.  Email removed or not.  Sender and recipient of the email.  Subject of the email.  Jobs executed.  Further information on the document and the analysis.

The original documents are located together with the reports under QUARAN-

TINE -> ORIGINALS. They provide information on the email, the quarantine and the job, e.g. sender, actions, etc.

8.1.4 Note for replicated environments

As of iQ.Suite version 22.0 or 22.1., all unpackers, converters, and analyzers are using an improved Sandbox process. The 'soap.' prefix in the names of unpacker, converter and analyzer DLLs is no longer needed. In case of new iQ.Suite installations and as well in case of installations when all iQ.Suite replicas have been updated, there is no need for action.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 236 IQ.SUITE WALL - SPAM PROTECTION OVERVIEW 

Note for replicated environments: For unpackers and converters, older iQ.Suite  versions are usually using the previous Sandbox which can be recognized by the 'soap.' prefix as part of the DLL name. In case of replications with older iQ.Suite versions, the 'soap.' prefix in front of the DLL name of unpackers and converters must remain. This way, it can be ensured that these iQ.Suite versions continue using the Sandbox. Exception: This does not apply to Teachers. As of iQ.Suite-Version 22.1, Teachers also use the Sandbox, however, in their case, the 'soap.' prefix in the DLL name has always to be omitted. This will ensure that Teachers in older iQ.Suite versions will continue to work without a Sandbox as they had done so far. If issues occure with Teachers in the context of the Sandbox, please contact the GBS support.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 237 IQ.SUITE WALL - ADDRESS ANALYSIS 

8.2 Address Analysis

8.2.1 Using Blacklists and Whitelists

An address analysis job allows to exclude emails from known external senders (and classified as unrequested) from being delivered to internal recipients. The undesirable email addresses and domains are entered in a blacklist used as filter. How blocked emails are further processed (e.g. deleted or quarantined), depends on the configuration of the corresponding Wall Address Mail Job, which can be configured by authorized persons. The senders are either set in the

job under BASICS -> VALID FOR SENDER(S) -> ADVANCED or configured through rules. A description of the configuration for blocking senders listed on a blacklist

is provided under “Spam Analysis using Spam Analyzers” on page 253.

If these emails are stored in the quarantine of the corresponding recipient, the latter decides for himself what to do with the email (deliver, delete, etc.) and how future emails from this sender are to be handled. To do so, he/she can add the sender’s address to his/her personal blacklist2.

On the other hand, address analysis can also be used to exclude emails from spam analysis if they come from known "acceptable" senders. Such addresses are entered in whitelists, which can be defined globally (for the entire company) or individually (for a single recipient). Again, the internal recipient decides for himself whether or not a sender is to be added to his/her personal whitelist.

For emails coming from internal senders, i.e. your users, it is most likely that the email addresses can be added to the whitelist. To automate this, Wall allows to set up a Wall Whitelist Mail Job that automatically adds the sender addresses to the internal sender’s whitelist. For a sample job, please refer to “Sample Job: Add trustworthy Addresses to a Whitelist” on page 240.

If you define senders as a group, you can specify a domain. Using s is possible. Wall takes the groups from the Domino Directory. In this way, you can define groups that can be used as sender or recipient entries in Wall.  To forbid all email addresses, enter *@* in your Wall mail job.

2. For further Information on how to use blacklists and whitelists, please refer to the iQ.Suite User Manual. Download under www.gbs.com.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 238 IQ.SUITE WALL - ADDRESS ANALYSIS 

 To forbid SMTP addresses only, enter *@*.* in your Wall mail job.  To forbid Notes addresses only, enter * in your Wall mail job.

For instance, if you wish to forbid all emails coming from the domain named , enter *@example.com in your Wall mail job.

As a general rule, a blacklist or whitelist includes entries that apply to all users (global blacklist or global whitelist) or to a single person (user blacklist or user whitelist). As a result, a whitelist is not automatically identified a such. The assignment to a list is defined through an enabled job with a blacklist/whitelist rule.

To create a whitelist, the blacklist/whitelist rule must be included as negated rule:  BASICS TAB-> DEPENDENCE ON NEGATED SELECTION RULES. On the other hand, to use it as blacklist, define the rule as positive rule (Dependence on positive selection rules). The selected whitelist rules must be included in every antispam job.

Blacklist or whitelist entries can be created in different ways, depending on the users’ role:

1. As authorized user (administrator):  Manually add an address to an existing list:

QUARANTINE -> ORIGINALS -> TO MY WHITELIST

 Manually create an entry in a specific whitelist:

WALL -> UTILITIES -> BLACK-/WHITELISTS

 Run a Wall Whitelist Mail Job that adds all of the communication partners to the list, e.g. DEFAULT - Whitelist Job

2. As standard user (via iQ.Suite User Portal)  Manually add an address to an existing list:

QUARANTINE -> TODAY -> TO MY WHITELIST

 Manually add an address to an existing list:

BLACK-/WHITELISTS -> BY CATEGORY -> NEW

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 239 IQ.SUITE WALL - ADDRESS ANALYSIS 

Using an address rule, you can enter existing customer addresses on whitelists.  To do so, define a view in the address rule that includes the customers’ email addresses and include the rule in an anti-spam job. For a detailed description,

please refer to the online help under ADDRESS RULE -> DATABASE.

8.2.1.1 Sample Job: Add trustworthy Addresses to a Whitelist

The recipient's addresses of emails which are sent to external communication partners by internal users (employees) can be classified as trustworthy and put on a whitelist automatically. In the future, if an external communication partner addresses emails to internal users, such emails are not checked for spam through which the server load is reduced.

1. Open the Whitelist Mail Job DEFAULT - Whitelist Job under WALL -> MAIL

JOBS and click on EDIT:

a) Enable the job. b) Default settings in the rules: The job applies to selected emails (Runs on field). According to the rule, these are all emails sent via the Internet, i.e. where the recipient is an Internet recipient (InetRecipient). The placeholder *@*.* within the rule refers to all recipient addresses entered in this format. The rule also sets that the sender must be included in the Domino Directory (WhitelistSender). Each Internet recipient of an outgo-

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 240 IQ.SUITE WALL - ADDRESS ANALYSIS 

ing email is automatically added to the sender’s whitelist. Please also refer to the example provided with the description of the Operations tab.

2. Open the Operations tab:

a) Specify the database for blacklists/whitelists that contains the blacklist/whitelist entries. The path to the NSF file specified here must be relative to the Domino data directory. The default database is the g_connect.nsf database in the iQ.Suite data directory. Use %DATADIR% to point to the iQ.Suite data directory. b) Status for new Whitelist entry field: Once a new whitelist entry has been created, it is automatically enabled. Attention: The rule must be created nonetheless. c) Whitelist field: The whitelist category used in this job is called ‘GeneralWhiteList‘. d) If the sender‘s and/or recipient‘s addresses are to be added to the employees‘ or company‘s whitelists (user whitelists or global whitelists), the Create sender entry for and Create recipient entry for fields are used. The principle for the use of these fields is described in the following examples.

Examples

Key data:  External communication partners shall be put on a whitelist automatically if emails from employees are addressed to external receivers.  Ms. Glenn is a local user (employee) in company Y.  Mr. Galler is an external communication partner from company X.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 241 IQ.SUITE WALL - ADDRESS ANALYSIS 

Example 1:

Mr. Galler is to be added to the whitelist of Ms. Glenn, to prevent emails from Mr. Galler to be classified as spam. To do so, for Mr. Galler a sender entry is to be created in Ms. Glenns’ whitelist. Thus, set the Create sender entry for to ’Mail recipient’. If a recipient entry is to be created in Ms. Glenns’ whitelist at the same time, set Create recipient entry for to ’Mail sender’.

Example 2:

If Ms. Glenn not only communicates with Mr. Galler, but with other persons from company X as well, it may be useful to add everyone from company X to her whitelist. In this case, set Create sender entry for to ’Recipient domains’. Now, a sender entry is added to Ms. Glenns’s whitelist for each employee in company X (recipient domain). Please note that this setting could result in an unrequested domain added to the whitelist, if an email is sent to that domain.

Example 3:

Subsequently, Mr. Galler not only communicates with Ms. Glenn, but also with other partners in company Y. Accordingly, he/she is to be added to their whitelists as well. To automatically add Mr. Galler to a whitelist for the entire company Y, set Create recipient entry for to ’Sender domain’. If company Y has several domains, for which a recipient entry is to be created in Mr. Galler’s whitelist, select ’All’.

Example 4:

The Delete mail after creating Whitelist entry is used to prevent the email created by Wall from being sent to the recipient. To that end, a keyword is defined, which each sender (from company Y) writes in the outgoing email in order to have it deleted. In the whitelist job, this keyword is specified in the subject text in order to delete mail field. With these settings, a whitelist entry is created by the job for each recipient of the email. Then, this email is deleted provided the subject line contains an associate keyword. Typical keywords include, for instance, ###TOWHITELIST### or ###DELETEMAIL###.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 242 IQ.SUITE WALL - ADDRESS ANALYSIS 

3. Open the Advanced tab:

As set, the email recipients (employee of company Y, refer to example above) are allowed to edit the created whitelist entries, but not the senders. The sender is able to edit whitelist entries in the iQ.Suite User Portal.

4. Keep the default settings in the Misc tab.

5. Save the job.

By default, the whitelist category ‘GeneralWhiteList‘ is already included in the  WLRuleAntiSpam rule. Defined as negated rule in all sequential anti-spam jobs, this rule can be left unchanged.

8.2.1.2 Sample Job: Add undesirable Addresses to a Blacklist

To block emails from undesirable senders such addresses can be added to a blacklist. For further Information on blacklists, please refer to “Using Blacklists and Whitelists” on page 238.

1. Open the Wall Address Mail Job DEFAULT - Block Blacklist Entries under

WALL -> MAIL JOBS and click on EDIT:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 243 IQ.SUITE WALL - ADDRESS ANALYSIS 

a) Enable the job. b) Default settings in the rules: The Job applies to selected emails (Runs on field). According to the rule, these are emails sent via the Internet and whose senders are included in a global blacklist or a user blacklist (Black- list). In addition, the email must not come from the quarantine (MailRe- sentFromQuarantine).

2. Open the Operations tab:

a) The following settings are pre-configured in the Denied Recipients tab:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 244 IQ.SUITE WALL - ADDRESS ANALYSIS 

 Whenever an incoming email does not comply with the rules set in the Basics tab, it is deleted, i.e. not delivered to the recipient. The administrator and the recipient are not informed.  A copy of the original email is stored in the quarantine database. The corresponding configuration is set in the Misc tab.  According to the Category in Quarantine report setting, an analysis

report is created in the SPAM category and provided under QUARAN-

TINE -> REPORTS.  According to the rule set for this job, all emails sent via the Internet are prohibited. To exclude specific recipients from this rule, define appropriate exceptions under Recipients list. In this job, the list contains all SMTP recipients with an email address in the format *@*.*, e.g. [email protected]. No emails are delivered to SMTP recipients with such an address.

3. Keep the default settings in the Avoid Mail Flooding and Number of Recipi- ents tabs. These settings are irrelevant for checking the recipients.

4. Open the Advanced tab: a) Set Ignore Domino routing path to ’Yes’ to ensures that email addresses will also be recognized with the Domino routing path added to them. Thus, the addresses to be blocked need not be entered with all routing servers, e.g. if provided in info@enterprise.com@routing1@routing2@routing3 format.

Make sure that the Domain entry in your server’s notes.ini is set correctly. If no  domain is specified, the local domain will be added when the job is initialized, i.e. before the address is checked by the job. If the global parameter ToolKit_AddressLookup is set to F, the action will not be performed.

b) Where required, enter further administrators or authorized users who are allowed to read quarantined emails. Through the ACL, administrators automatically have the right to view quarantined emails. Reading rights apply to all documents quarantined by this job.

5. Where required, configure the quarantine document in the Misc tab for instance in order not to create a report.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 245 IQ.SUITE WALL - ADDRESS ANALYSIS 

6. Save the job.

8.2.2 Sample Job: Deny Spam Domains

To block emails sent from a spam domain, use the Wall Address Mail Job DEFAULT - AntiSpam 1.3: Block Spam Domains. The job contains a list of known spam domains.

Please note that this list of spam domains provided is not a recommendation  from GBS. As it comes from an external source, this information is not kept up- to-date by GBS. This list is simply meant to provide a basis for your own configurations. Therefore check the entries and change them as required.

1. Open the DEFAULT - AntiSpam 1.3: Block Spam Domains job under WALL

-> MAIL JOBS and click on EDIT:

a) Enable the job. b) Default settings in the rules: The job will run on selected emails (Runs on filed). According to the rule, these are all incoming emails sent via the

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 246 IQ.SUITE WALL - ADDRESS ANALYSIS 

Internet (InetSender). In the default configuration, this rule is specified as sender domain *.*. In addition, the email must not come from the quarantine (MailResent- FromQuarantine) and the sender must not be included in a whitelist (WLRuleAntiSpam). Please note that the quarantine rule only applies if the system time is the same on the server and the client. The emails that meet these criteria are checked for prohibited text in the subject field and the message text.

A further restriction is defined in the Valid for sender(s) field, which is set to ’Advanced’. The domains to be blocked in the future, e.g. *@00208.com, are listed under ‘All in list‘.

The settings in the remaining tabs are largely similar to those described under “Sample Job: Restrictions for Internal Senders” on page 250.

Exceptions:

 The administrator and the sender are not informed of a blocked email (Denied Recipients tab).  According to the Category in Quarantine report setting (Denied Recipients tab), a report is created in the SPAM category and provided under QUARANTINE

-> REPORTS.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 247 IQ.SUITE WALL - ADDRESS ANALYSIS 

8.2.3 Sample Job: Restrictions for Internal Recipients

Besides address analysis of external senders, it is also possible to set restrictions for internal recipients. Use for instance the Wall Address Mail Job DEFAULT - From Internet to exclude specific internal users (employees) from receiving emails from external senders from the Internet.

1. Open the DEFAULT - From Internet job under WALL -> MAIL JOBS and click

on EDIT:

a) Enable the job. b) Default settings in the rules: The Job applies to selected emails (Runs on field). According to the rule, these are emails sent via the Internet (Inet- Sender). A further restriction is defined in the Valid for sender(s) field, which is set to ’Advanced’. The placeholder *@*.* means that all incoming emails from the Internet or the local Domino domain with a sender address in the format *@*.* are prohibited for all recipients.

To exclude specific recipients from this rule, further settings are available in the Operations tab.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 248 IQ.SUITE WALL - ADDRESS ANALYSIS 

2. Open the Operations tab:

a) The following settings are pre-configured in the Denied Recipients tab:  Whenever an incoming email does not comply with the rules set in the Basics tab, it is deleted, i.e. not delivered to the recipient. The administrator and the recipient receive a notification.  A copy of the original email is stored in the quarantine database. The corresponding configuration is set in the Misc tab.  According to the Category in Quarantine report setting, a report is

created in the DENIED category and provided under QUARANTINE ->

REPORTS.  According to the rule set for this job, all emails sent via the Internet are prohibited. To exclude specific recipients from this rule, define appropriate exceptions under Recipients list. In this job, the list contains all recipients (*@*), except for those included in the ‘Allow Inter- net‘ list. The recipients from this list are allowed to receive Internet mails.  The notification template fields are used to set the message text for the administrator and the recipient3.  Adjust the default settings to your requirements.

3. Refer to “Notification Templates” on page 37.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 249 IQ.SUITE WALL - ADDRESS ANALYSIS 

If you decide to use this job as it is, none of your recipients will be able to receive  Internet mails until they are included in the ‘Allow Internet‘ list.

3. Keep the default settings in the Avoid Mail Flooding, Number of Recipients and Advanced tabs. These settings are irrelevant for checking the recipients.

4. Where required, configure the quarantine document in the Misc tab, for instance in order not to create a report.

5. Save the job.

8.2.4 Sample Job: Restrictions for Internal Senders

Besides address analysis of external senders, it is also possible to set restrictions for internal recipients. Use for instance the Wall Address Mail Job DEFAULT - To Internet to exclude specific internal users (employees) from sending emails to external recipients from the Internet.

1. Open the DEFAULT - To Internet job under WALL -> MAIL JOBS and click on

EDIT:

a) Enable the job.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 250 IQ.SUITE WALL - ADDRESS ANALYSIS 

b) Default settings in the rules: The job applies to selected emails (Runs on field). According to the rule, these are all outgoing emails sent via the Internet, i.e. where the recipient is an Internet recipient (InetRecipient). A further restriction is defined in the Valid for sender(s) field, which is set to ’Advanced’. The placeholder *@*.* means that all SMTP emails with a sender address in the form *@* are prohibited.

The senders excluded from this restriction are those entered in the ’Allow Internet‘ list. These are the only senders who are allowed to send emails via the Internet.

To exclude specific recipients from this rule, further settings are available in the Operations tab.

2. Open the Operations tab:

The following settings are pre-configured in the Denied Recipients tab:

 Whenever an incoming email does not comply with the rules set in the Basics tab, it is deleted, i.e. not delivered to the recipient. The administrator and the recipient receive a notification.  A copy of the original email is stored in the quarantine database. The corresponding configuration is set in the Misc tab.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 251 IQ.SUITE WALL - ADDRESS ANALYSIS 

 According to the Category in Quarantine report setting, a report is cre-

ated in the DENIED category and provided under QUARANTINE ->

REPORTS.  According to the rule set for this job, all emails sent via the Internet are prohibited. To exclude specific recipients from this rule, define appropriate exceptions under Recipients list. In this job, the list contains all SMTP recipients with an email address in the form *@*, e.g. [email protected]. Thus, no SMTP recipients with that kind of address will receive emails unless the sender is included in the ’Allow Internet‘ list (Basics tab).  The notification template fields are used to set the notification text for the administrator and the sender4.

3. Keep the default settings in the Avoid Mail Flooding, Number of Recipients and Advanced tabs. These settings are irrelevant for checking the senders.

4. Where required, configure the quarantine document in the Misc tab, for instance in order not to create a report.

5. Save the job.

4. Refer to “Notification Templates” on page 37.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 252 IQ.SUITE WALL - SPAM ANALYSIS USING SPAM ANALYZERS 

8.3 Spam Analysis using Spam Analyzers

For spam and mass mailing defense, iQ.Suite supports anti-spam engines from third-party manufacturers:

 SASI Analyzer (SASI: Sophos Anti Spam Interface)5  Kaspersky Anti-Spam Analyzer

These spam analyzers are installed during iQ.Suite setup and can be used directly after iQ.Suite installation is completed. They are available in iQ.Suite

under WALL -> UTILITIES -> TEXT ANALYZER.

The spam analyzers “SASI” und “Kaspersky” are only available for Windows and  Linux.

Update: If specific custom settings are used for updating these two Spam Analy- zers, e.g. custom update servers have been configured, then certain parameters have to be set. Before doing so, please contact the GBS support.t

To analyze emails, the spam analyzer checks them against typical spam patterns. The pattern database is located on the server where the iQ.Suite is installed. This database is automatically updated at periodical intervals which are configurable.

For every spam analyzer you want to use, a separate Wall Content Mail Job or Wall Mail Job Advanced (legacy) (hereafter also named „Wall Advanced (legacy) Job“) must be configured. Other text analyzers, such as CORE Analyzer, can also be used in parallel with SASI and Kaspersky.

Unlike SASI, the Kaspersky Anti-Spam Analyzer offers a Cloud option and an anti-phishing filter.

The spam analyzers mentioned above are additional iQ.Suite Wall features and  have to be licensed separately. For further Information, please contact the GBS Sales Team.

5. For further Information on SASI, please refer to the separate document "SASI for iQ.Suite Wall - Integration and Configuration“. Download under www.gbs.com.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 253 IQ.SUITE WALL - SPAM ANALYSIS USING SPAM ANALYZERS 

8.3.1 Analyzer Document: Spam Analysis using a Spam Analyzer

8.3.1.1 Spam Analyzer with SASI as an Example

1. Click on WALL -> UTILITIES -> TEXT ANALYZER and open the sample configuration of the desired spam analyzer (SASI or Kaspersky). Hereafter, the configuration of the SASI Analyzer is described as an example. Particularities of the Kaspersky analyzer are described under “Particularities of the Kaspersky Anti-Spam Analyzer” on page 256.

2. Click in the Basics tab on EDIT. a) Enable the document. b) To exclude specific formats from being checked from the analyzer, click on the Select categorized or Select a-z icon and select the desired formats from the fingerprints section.

3. Open the Settings tab:

a) Under Path to DLL the path to the GROUP Interface DLL is preset. Make sure the path settings are correct. You can enter an absolute path or, as pre-configured, use the placeholders from the notes.ini. The %ExecDir% entry corresponds to the ToolKit_ExecDir parameter in the notes.ini. b) Use proxy server: Spam analyzers require frequently downloads from the internet to update the used files for the analysis. If for this a proxy server is required set this field to ‘Yes‘. In the next field, select the configuration document for the desired proxy servers. The configuration is

made under GLOBAL -> PROXY SERVER.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 254 IQ.SUITE WALL - SPAM ANALYSIS USING SPAM ANALYZERS 

c) Under Parameter values adjust the pre-configured parameters to your requirements.

These parameters and other parameters are described in the Comments tab and under “Parameters for the Engine Update” on page 258 and “General Parameters for the Sandbox” on page 280.

Adjust the parameter values to your configuration, but leave the parameter  names unchanged. Otherwise, the analysis results might be falsified.

4. Open the Advanced tab and select the operating system under which the analyzer will be run.

5. Open the Misc tab:

Keep the default settings under Mode and Categories from dictionaries.

Unlike text analyzers, spam analyzers do not use dictionaries. Therefore, no dictionary categories are evaluated (Categories from dictionaries field). Instead, the categories used by spam analyzers are defined under Sup- ported categories. The categories entered here can then be selected in the Wall Content Mail Job / Wall Mail Job Advanced (legacy) for defining the thresholds in the selection dialog (Operations -> Options tab):

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 255 IQ.SUITE WALL - SPAM ANALYSIS USING SPAM ANALYZERS 

Figure: Selection dialog in the job

When checking for spam, the analyzer returns a percentage to the iQ.Suite that reflects the probability of spam. In the job, a threshold is set for spam detection. Whenever this threshold is exceeded, the email is classified as spam. As such it is blocked and moved to the quarantine database under the

SPAM category. The email is not delivered to the intended recipients.

6. Save the document.

8.3.1.2 Particularities of the Kaspersky Anti-Spam Analyzer

With the Kaspersky Anti-Spam Analyzer, you can use different technologies to detect spam. Make the required settings in the Settings tab:

 Anti-phishing filter: To enable the Anti-Phishing component of Kaspersky, set the parameter UseAntiPhishingHeur=YES.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 256 IQ.SUITE WALL - SPAM ANALYSIS USING SPAM ANALYZERS 

The Anti-Phishing component is applied after the anti-spam technologies “Antispam scanning (AS)” and “URL Reputation filtering (URF)” of the KAS SDK have analyzed the email and no phishing attack has been detected6.

What is the Anti-Phishing component?

Various fraud techniques demand their specific approach to effectively detect them in emails: The anti-phishing component embodies methods for processing email data (message content, including subject and file attachments) and analyzing it using heuristic analysis in order to detect new phishing scam. Heuristic algorithms are used in heuristic analysis to scale to new threats. These algorithms allow KAS SDK to handle phishing schemes made in purpose to overcome regular spam analysis. Although in some cases heuristic processing may result in false positive errors, so that a normal email is considered as phishing scam, the advantage is detection of yet unknown phishing schemes which are not covered by standard definition based analysis.

Refer to false positives.

 Kaspersky Cloud Protection: To enable the Kaspersky Cloud Protection, set the parameter UseCloud=YES. Using the Cloud technologies of Kaspersky Security Network (KSN) improves response time on rapidly emerging spam and phishing. Further- more, the use of data from KSN reduces the risk of false positives. iQ.Suite sends to the cloud-enabled KAS SDK parsed formatted data instead of the whole email. To save on traffic data and deliver responsiveness, the Cloud component computes hash fingerprints against the received data prior to sending this data for analysis to the KSN cloud. Sent data is then analyzed in the cloud and the analysis result with check status is returned to iQ.Suite via the KAS SDK.

For further information on the Anti-Phishing component and the Cloud Protection, please refer to the documentations of Kaspersky.

6. KAS SDK: Kaspersky Anti-Spam Software Development Kit

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 257 IQ.SUITE WALL - SPAM ANALYSIS USING SPAM ANALYZERS 

 Use proxy server: Spam analyzers require frequently downloads from the internet to update the used files for the analysis. If for this a proxy server is required set this field to ‘Yes‘. In the next field, select the configuration docu-

ment for the desired proxy servers. The configuration is made under GLOBAL

-> PROXY SERVER.

 Parameter name / Parameter values: If you want to use another proxy server for the Cloud option, set the parameter UseCloud=YES and the other parameters for proxy server, port, user and password.

These parameters and other parameters are described in the Comments tab and under “Parameters for the Engine Update” on page 258 and “General Parameters for the Sandbox” on page 280.

8.3.1.3 Parameters for the Engine Update

The following parameters determine the automatic update of the Engines for Analyzers and Converters:

 EngineUpdateDownloadFrom URL from which to download Engine updates. Default: GBS Update server (example: http://updater.gbs.com/sasi)

 EngineUpdateInterval

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 258 IQ.SUITE WALL - SPAM ANALYSIS USING SPAM ANALYZERS 

Update interval in minutes. Default: 60 A value of ‚0‘ disables automatic updates.

 EngineUpdateTimeout Update timeout in minutes. Default: 15

 EngineUpdateSuccessRecipients Semicolon-separated list of recipient addresses for notifications in case of update success. Default: no recipient (inactive)

 EngineUpdateErrorRecipients Semicolon-separated list of recipient addresses for notifications in case of failed update. Default: value of the global parameter ToolKit_Admin.

To disable error notifications, set a space as parameter value (no recipient).

8.3.2 Sample Job: Spam Analysis using a Spam Analyzer

7 1. Under IQ.SUITE WALL -> MAIL JOBS, create a Wall Content Mail Job or open the traditional Wall Advanced (legacy) Job DEFAULT - AntiSpam 1.2: Check Spam Pattern by SASI or DEFAULT - AntiSpam 1.5: Check Spam Pattern by Kaspersky AntiSpam . Hereafter, the configuration of the DEFAULT job for SASI is described8. Click

on EDIT:

7. Refer to “Text Analysis with Wall Content Mail Jobs” on page 301. 8. This example only illustrates the job-specific details. For a description of the settings under standard tabs, please refer to “Standard Tabs for Jobs” on page 39.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 259 IQ.SUITE WALL - SPAM ANALYSIS USING SPAM ANALYZERS 

a) Enable the job. b) Default settings in the rules: The job will run on selected emails (Runs on field). According to the rule, these are all emails sent via the Internet (InetSender). In the standard configuration, this rule is specified as sender domain *.*. If you are using the ‘MIME analysis’ mode (refer to Operations tab), the ‘Mail Is MIME’ rule should be used because the MIME mode only works with MIME mails, not with richtext mails. In addition, the email must not come from the quarantine (MailResentFromQuar- antine) and the sender must not be included in a whitelist (WLRuleAntiSpam). To ensure that the MailResentFromQuarantine rule effectively prevents the job from being run, the execution of the Resend action (Notes client) and the evaluation of the rule (server) must occur more or less simultaneously. Thus, make sure that the system time on the server is synchronized with the system time on the Notes client. The emails that meet these criteria are checked for forbidden text.

2. Open the Operations tab:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 260 IQ.SUITE WALL - SPAM ANALYSIS USING SPAM ANALYZERS 

a) Use the Mode field to set the analysis mode. In this case, select ’MIME analysis’ to analyze the MIME body and various MIME header fields (text, attachments, etc.). SASI requires this format to convert it into an file and to perform the analysis. b) In this job, the SASI Analyzer is preset. From experience, the default configuration provides best possible results. However, if you wish to modify these settings, please refer to the separate SASI Analyzer document. Download under www.gbs.com. c) To change the thresholds for the categories click on EDIT in the Thresh- olds for categories section. Change, for instance, the preset threshold

‘80‘ of the SPAM-HIGH category:

d) Select one of the categories from the white box on the left and click on the arrow button. Then enter one of the thresholds in the input field:

 ’0’ for NoSPAM

 ’20’ for SPAM-LOW

 ’50’ for SPAM-MEDIUM

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 261 IQ.SUITE WALL - SPAM ANALYSIS USING SPAM ANALYZERS 

 ’80’ for SPAM-HIGH With the default settings of the DEFAULT jobs, emails are quarantined

with a spam probability of 80% or higher (SPAM-HIGH). If you want to

quarantine emails as of 65% spam probability, configure the SPAM-

MEDIUM category with a threshold of ’50‘ additionally.

To define new categories they have to be defined in the configuration document of the SASI analyzer first (Supported categories field). After- wards these categories can be selected from the selection dialog above9.

3. After having returned to the Operations tab of the DEFAULT job, enter the settings in the second area of this tab: a) When an email exceeds the specified threshold, it is deleted if the Delete mail field is set to ’Yes’.

b) Whenever an email is deleted, a report is created under QUARANTINE ->

REPORTS. Use the Category in Quarantine report field to create categories for these reports or use the default categories. For compressed files a category may also appear more than once. An entry including all thresholds exceeded is created for each element (attachments, text fields, etc.) that causes an alarm. c) The analysis details can be written to a Notes field of the email. To disable this, select ’No’. If set to ’X Token', the results are written in the X header as "X token". For instance, for ’X-AnalyseResult’, the string "X-" is placed before the name internally. When converted to a MIME mail (typical procedure for Internet mails sent via SMTP), this field is preserved. Please note that only one entry is created for compressed files in which several elements (attachments, text fields, etc.) trigger an alarm in the same category. This means that event-controlled database jobs do not trigger a job restart. d) The Alarm and System Errors notification fields can be used to send notifications and the analysis results to the administrator, the sender and the recipient.

4. Open the Advanced tab:

9. For further Information on configuration documents of spam analyzers, please refer to “Spam Ana- lysis using Spam Analyzers” on page 253.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 262 IQ.SUITE WALL - SPAM ANALYSIS USING SPAM ANALYZERS 

According to the default settings, the recipient only is allowed to access the quarantined emails that have been quarantined by the job. Neither senders nor further administrators nor any deputies (Clerk module) have access to these emails. Please note that setting the Clerk quarantine documents access field to ’No’ has an impact on the configurations for standard users in the Clerk module. Any Clerk documents supposed to provide quarantine access to a deputy will be overruled by this option, i.e. the deputy, though authorized, will not be able to access the quarantined emails of the absent user. Keep the default settings.

5. Open the Misc tab. Adjust the default settings to your requirements, e.g. the quarantine configuration. Under Utilities database, the configuration is preset and cannot be changed. The database set here is used by iQ.Suite Wall to locate the analyzer.

6. Save the job.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 263 IQ.SUITE WALL - QUARANTINE SUMMARY NOTIFICATIONS 

8.4 Quarantine Summary Notifications

Quarantine summary notifications are emails that are used to inform administrators and/or internal users of emails that were classified as spam and therefore put into quarantine. The summary notification contains links (Notes and web) that refer to the quarantined emails. By clicking on a link the users the quarantined email is displayed.

Emails can be moved to the iQ.Suite quarantine database for a variety of reasons, e.g. due to processing errors or because they are considered spam or virulent. For security reasons, these emails are not directly delivered to the intended recipients.

Each internal user receives an individual quarantine summary notification that lists all of his/her quarantined emails that were blocked on the mail server within a specific period of time. The summary notification can be extended with additional functions, e.g. links to allow users to display their quarantined emails and have them delivered after all, if required. Also, the user has the possibility to add the sender of the email to his/her own whitelist so as to exclude this sender from future filtering jobs10.

For the configuration of quarantine summary notifications, Wall database jobs are used (Quarantine Notification Job). In this job you can define when and how often quarantine notifications are to be created. To select the quarantined emails that are listed in the summary notification the iQ.Suite quarantine rule is used (database rule). The job applies to all documents that were modified since the last job start.  If you plan to use Quarantine Notification Jobs please observe the following:

10. Note the possibilities for mailbox extensions. Refer to “Sample Jobs: Display quarantined emails in the mailbox” on page 161.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 264 IQ.SUITE WALL - QUARANTINE SUMMARY NOTIFICATIONS 

 It is not possible to use quarantine notification jobs on an event-controlled basis.  If you change the job name, the now "new" job will display all documents that correspond to the configuration. Therefore, the summary notification may also contain emails from a previous notification.  Group addresses can be resolved only, if they are entered in the Domino Directory. In case of large user groups to be resolved the maximum number of notifications to be sent can be reached easily. If reasonable, change this settings in the Advanced tab.  Documents older than 28 days are ignored. To modify this setting, use the global parameter ToolKit_Summary_DocAgeMaxDays.  If a user defines an deputy for the time of his/her absence with iQ.Suite Clerk this deputy will receive the user‘s quarantine notifications but won‘t have access on the quarantined emails11.  In the iQ.Suite User Portal the correct rights have to be set. Refer to “Rights/Roles Concept in iQ.Suite User Portal” on page 136.

8.4.1 Sample Job: Configure Summary Notification

To inform users of quarantined emails you can configure a Quarantine Notifica- tion DB Job. This job is used to check the quarantine databases for user-specific documents and send the notification to the corresponding recipient by email.

You can use the quarantine summary notification as an alternative to the individ-  ual notifications created for the administrator by individual jobs.

1. Click on WALL -> DATABASE JOBS and open one of the following jobs:  DEFAULT - SPAM Report User – to inform users.  DEFAULT - Quarantine Notification for Admin – to inform administra-

tors. Click on EDIT:

11. Refer to “Quarantine Access for Deputies” on page 107.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 265 IQ.SUITE WALL - QUARANTINE SUMMARY NOTIFICATIONS 

a) Enable the job. b) Default settings in the rules: The job starts everyday at 8 AM and applies to documents in the Standard Quarantine (g_arch.nsf) in the Domino

data directory. According to the rule, only documents stored in the SPAM category of the quarantine report (SpamReportUser) are processed. Thus, the users are only informed of quarantined emails identified as spam. If you have created your own category for spam, select that category within the rule. Alternatively, without rule definition, you can also specify a

special quarantine (SPAM) under Quarantine database selection.

2. Open the Operations tab:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 266 IQ.SUITE WALL - QUARANTINE SUMMARY NOTIFICATIONS 

a) In the Mode field, the recipient of the summary notification is preset according to the DEFAULT job selected (users in the present example). This means that each user entered in the Domino Directory will be informed of all of his/her quarantined emails. If set to 'Administrator', you can set that administrators are not only informed of their own emails but also of all emails processed by the database job. b) Under Resolve groups define how to proceed with user groups. By default, user groups are resolved. With this, members of a group will receive both, their own summary notification and the summary notification for this group. c) The quarantine summary notification contains a Subject and an introduc- tory text (Text before table) preceding the list of emails. Each quarantined email listed is a link to the iQ.Suite User Portal, where they can be viewed and delivered after all. Note that for this, the correct access rights on the User Portal are required. d) If the maximum number of quarantined emails listed in a notification is exceeded, a Text below table is created with the %JOB::MAXENTRIES- TEXT% placeholder12. The text for this placeholder is set in the Message in case of exceeding field in the Advanced tab and can be used to inform the users that the list of quarantined emails is incomplete.

3. Open the Advanced tab:

12. For further Information on individual fields, please refer to the online help under HELP.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 267 IQ.SUITE WALL - QUARANTINE SUMMARY NOTIFICATIONS 

a) The Max. number of notifications to send for this job is 100 000. This is the number of users who will receive a notification. The system maximum is 300 000 notifications per job. The maximum number of emails listed within a single notification is 50. The maximum number of entries altogether is 1 000. b) The main features of the jobs are set through the settings in the Link mode and Table mode fields. The default settings of the default jobs ensure the jobs are executed in the proper way. Do not change the settings unless you wish to extend these default settings, e.g. to integrate

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 268 IQ.SUITE WALL - QUARANTINE SUMMARY NOTIFICATIONS 

HTTP links. The default settings under Table mode are the same for each mode.  'Standard Notes': In the users’ client, a Notes link is opened in the quarantine summary notification.  'HTTP': An HTTP link is generated in the quarantine summary notification and opened in the users’ web browser. The Host field displays the host server used, e.g. .  'Advanced': The Details field provides a link displayed in ’Standard Notes’ mode. Adjust the link to your requirements.

Software requirements for a working HTTP link:

 Notes-Client. Refer to “System Requirements” on page 4.  Java Runtime Environment  Web browser and activated JavaScript. Refer to “Web Browsers” on page 4.  Running Domino web server (HTTP Task)  Internet password for the users

In ’Advanced’ Table mode, you can change the display of the quarantine summary notification. Use the individual fields under Table mode (down to HTML table footer) to enter additional HTML settings so as to adjust the display to your requirements. Click on the Preview icon for a preview of your design modifications:

c) Placeholders The placeholders are taken from the server settings, e.g. the Domino Directory and the quarantine. Additional modifications may be required. The placeholders are later replaced and have the following meaning:

 %RES::LABEL_%: Creates the table columns (including table titles) in the quarantine summary notification.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 269 IQ.SUITE WALL - QUARANTINE SUMMARY NOTIFICATIONS 

 %From%: Sender of the quarantined email.  %DATE%, %TIME%: Date and time of the quarantined email.  %FE::HTMLTABLELINK%: The placeholder inserts the associate link mode. In ’Standard Notes’ mode, this corresponds to the following link (refer to ’Advanced’ link mode): -%SUBJECT%-  %SERVER%: Sets the server running the iQ.Suite.  %DBPATHNAME%: Notes path and database name. In replicated environments, replace this placeholder with %REPLICAID% and then enter the path to the replicated database. Check that the client knows the Replica ID.  %DOCUNIID%: Notes Unique ID of the quarantined email.  %SUBJECT%: Subject of the quarantined email.  %ARCH_CATEGORY%: Quarantine category configured in the job. Where required, you can use the %CHECK_DETAILS% placeholder for analysis. d) If you want to extend the functionality of the quarantine summary notification, e.g. to generate summary notifications as shown below, a number of settings are required in the Table mode field:

To configure additional links (see figure above), open one of the following database jobs (Quarantine Notification DB Jobs) and use the existing configuration as a starting point:

 SAMPLE - SPAM Report Admin Notes and Web – to inform administrators (Notes link + HTTP link).  SAMPLE - SPAM Report User Notes and Web – to inform users (Notes link + HTTP link).

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 270 IQ.SUITE WALL - QUARANTINE SUMMARY NOTIFICATIONS 

The links are configured in the HTML for table body field within the code. Copy the code into the DEFAULT job used. For a description of the variables, please refer to “Placeholders” on page 269. Please note that the links (and therefore also the corresponding HTML code) depend on the job selected (Admin or User), e.g. ’Add sender to global whitelist’ or ’Add sender to my whitelist’ respectively.

%HOSTNAME%: Make sure the FQHN (Fully Qualified Host Name) is used for HTTP links. The %SERVER% placeholder must not be used.

e) To create another table column for additional links, insert the HTML code with the placeholder %RES::LABEL_ACTIONS% from the HTML for table body field into your DEFAULT job. f) Use the No start on and No start at fields to specify the date and time at which a job is not to be run, for instance during database replication.

In case the number of spam emails received is very high, summary notifications  can also be sent twice a day.

4. In the Misc tab, under Summary notification from, enter the sender (server) of the notifications to be sent. Use the %SERVER% placeholder to specify the server name. If using replicated databases, this allows to identify the server from where the email comes.

5. Save the job.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 271 IQ.SUITE WALL - QUARANTINE SUMMARY NOTIFICATIONS 

8.4.2 Sample Job: Configure Summary Notification for Mobile End Devices

To be able to display quarantine summary notifications on mobile end devices (e.g. mobile phones, PDAs, etc.) in a user-friendly way, you can further adjust the DEFAULT and SAMPLE database jobs (Quarantine Notification DB Jobs) of the preceding section or create your own jobs.

The content of the quarantine summary notification can be added to the summary notification as separate attachment. Depending on the configuration, various application scenarios can be implemented. For instance, it is possible to format and save the attachment data in a format that enables optimal display on the mobile device used13.

Proceed as described under “Sample Job: Configure Summary Notification” on page 265 and additionally change the following settings:

1. Open the Advanced tab:

a) Set the Attach data without design information to ’Yes’ in order to create a file attachment for the quarantine summary notification. This example is optimized for Blackberry applications: the information included in the summary notification is provided with HTML tags to ensure the best possible display in the Blackberry web browser.

13. Refer to “Sample Job: Configure Summary Notification for Mobile End Devices” on page 272.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 272 IQ.SUITE WALL - QUARANTINE SUMMARY NOTIFICATIONS 

Please note that it is not possible to configure links on mobile devices so that  quarantined emails are opened in the web browser. The only options available are sending the emails to the users’ personal mailbox (default link: ‘Mail to me‘) or adding the sender of the quarantine email to a blacklist or whitelist (‘Add sender to my blacklist‘ or ‘Add sender to my whitelist‘).

b) Attachment name: Change the name and extension accordingly for other mobile devices and application scenarios. c) The attachment consists of three content categories: the ‘Data header‘ and ‘Data footer‘ categories as well as the ‘Data per email‘ category. The information for the ‘Data per email‘ category is determined separately for each quarantined email through the integrated variables14. To add the data as unformatted attachment you can replace the HTML tags with XML tags and select ’XML’ as file extension (refer to the database job DEFAULT - SPAM Report User).

14. For further Information on the variables used, please refer to the online help under HELP.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 273 IQ.SUITE WALL - TEXT ANALYSIS 

8.5 Text Analysis

As of iQ.Suite 21.1, you can use the new job type Wall Content Mail Job for text analysis. The traditional Wall Mail Job Advanced (legacy) will continue to work for a transition period. However, we recommend to use the new job type in new configurations and in case of larger changes. Please note that some DEFAULT and SAMPLE Jobs are currently available only as Wall Advanced Jobs. Refer to

“Text Analysis with Wall Content Mail Jobs” on page 301.

8.5.1 Overview

In addition to performing a spam pattern analysis, iQ.Suite Wall can also be used to check emails for specific content. This type of content analysis is especially useful for emails going to external addresses, for example, in order to ensure that outgoing emails conform to the internal security level.

iQ.Suite Wall supports the following text analysis methods, which can also be used in combination:

 Text analysis with word lists. Refer to “Text Analysis using Dictionaries” on page 282.

 Text analysis with the CORE Analyzer. Refer to “Text Analysis using CORE” on page 291.

 Text analysis with the credit card analyzer. Refer to “Text Analysis for Credit Card Numbers” on page 296.

 Text analysis by using regular expressions. Refer to “Wall Action: Text Analysis by using Regular Expressions” on page 306.

When using different analysis methods such as word lists and CORE, a separate  job is required for each analysis method.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 274 IQ.SUITE WALL - TEXT ANALYSIS 

When performing text analysis with iQ.Suite Wall, the jobs are supplemented by configuration documents for converters, analyzers, and dictionaries if needed. The configuration description for the example jobs references the following configuration documents:

8.5.1.1 Configuration Document for Converter

For analyzers to be able to correctly classify the content of an email or document, the content must be available as unformatted text. Where required, converters are used to convert the texts to be checked by the text analyzer into an appropriate form.

If you use the 'File to Text Converter', note that the converter can only be set  operational if no unpacker is used. Proper converter operation is not possible when used with zip-based document formats such as OpenOffice or Office 2007 files.

All converters available in the iQ.Suite are to be found under WALL -> UTILITIES ->

CONVERTERS. For a detailed description, please refer to the Comments tab. In the following section the most important converter elements are described at the example of the ‚Text Normalizer‘. This converter converts text files into a normalized format.

1. Click on WALL -> UTILITIES -> CONVERTER and open the configuration docu-

ment of the Text Normalizer. Click on EDIT:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 275 IQ.SUITE WALL - TEXT ANALYSIS 

a) Enable the document. b) To restrict the file types to be converted select the ‚Selected Files‘ option. Under Fingerprint use the Select categorized or Select a-z icon to define restrictions for certain file types. With the preset ’None of list’ option all file types not included in the list of fingerprints are converted. All file types defined in the list of fingerprints are not converted.

2. In the Settings tab, use the Parameter name and Parameter values fields to specify the settings for conversion. For instance, it is possible to eliminate unnecessary blanks or suppress hyphenation.

For a description of the Engine-specific parameters, refer to the Comments tab. The parameters which can be used in all Engines are described under “General Parameters for the Sandbox” on page 280.

3. In the Advanced tab select the operating system the converter document is to be valid.

4. Save the document.

8.5.1.2 Configuration Document for Text Analyzer

Text analysis is performed by text analyzers. Text analyzers scan and value the emails‘ message texts, file attachments, subject and text fields like (e.g. X-mailer) on undesired text content.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 276 IQ.SUITE WALL - TEXT ANALYSIS 

In the following, the most important text analyzer elements are exemplified with the ‘Unicode Analyzer‘. This analyzer scans emails or documents by using dictionaries. Dictionaries can be created directly in the configuration document of the text analyzer or under WALL -> UTILITIES -> DICTIONARIES.

1. Click on WALL -> UTILITIES -> TEXT ANALYZER and open the configuration document of the Unicode Analyzer. For a detailed analyzer description, please refer to the Comments tab.

2. In the Basics tab, click on EDIT. a) Enable the document. b) To exclude specific formats from being checked from the analyzer, click on ‚Selected files‘ and afterwards on the Select categorized or Select a-z icon. Select the desired formats from the Fingerprints section.

3. Open the Settings tab:

a) Under Path to DLL the path to the associate analyzer DLL is preset. Make sure the path settings are correct. You can enter an absolute path or, as pre-configured, use the placeholders from the notes.ini. The %ExecDir% entry corresponds to the ToolKit_ExecDir parameter in the notes.ini. b) Use proxy server: Some analyzers like for instance, spam analyzers require frequently downloads from the internet. For this a proxy server might be required. For text analyzer this field is insignificant.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 277 IQ.SUITE WALL - TEXT ANALYSIS 

c) Use the Parameter values fields to set how the analyzer is to analyze text files. For instance, you should set that each word found is counted only once. Refer to “Special Unicode Analyzer features” on page 278.

For a description of the Engine-specific parameters, refer to the Com- ments tab. The parameters which can be used in all Engines are described under “General Parameters for the Sandbox” on page 280.

Adjust the parameter values to your configuration, but leave the parameter  names unchanged. Otherwise, the analysis results might be falsified.

4. In the Advanced tab select the operating system the converter document is to be valid.

5. Open the Misc tab:

a) Under the Modus field the 'Text analysis' is preset. With this emails or documents are analyzed with dictionaries or with CORE. b) In this example dictionaries are used for the text analysis. Therefore select ‘Yes‘ in the Categories from dictionaries field. The categories defined in the dictionaries are assigned as parameters to the analyzer. Only dictionaries defined in the job are considered.

6. Save the document.

Special Unicode Analyzer features

The Unicode Analyzer is also able to analyze dictionaries that use regular expression operators. For instance, the regular expression (.*) can be used to find any character any number of consecutive times: The expression .*call means that "call" can be preceded by any text, e.g. "phonecall"15.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 278 IQ.SUITE WALL - TEXT ANALYSIS 

Please note that the meaning of regular expressions such as asterisk (*) has been changed by using the Unicode character set. To be able to continue using dictionaries from previous iQ.Suite versions, your existing dictionaries are auto-

matically converted to the Unicode Analyzer default settings (SETTINGS TAB ->

’DEFAULTWORDLISTTYPE’ PARAMETER -> LNDREGEX).

Hereafter, the following expressions are used:  LNDRegEx: Regular expressions which only contain the character * and/or ?. *: multiple characters; ?: exactly one character.  ICURegEx: Regular expressions in ICU syntax.

If you create new dictionaries with ICURegEx, the default setting of the DefaultWordlistType parameter has to be changed to ICURegEx. Other- wise, the dictionaries cannot be analyzed correctly. Please note that any existing dictionaries based on LNDRegEx may not be analyzed correctly any more. For this reason, if you want both old and new dictionaries to be analyzed correctly, you need to configure two Wall mail jobs and integrate the appropriate Unicode Analyzer in each one of them:

 Unicode Analyzer for Regular Expressions with the parameter DefaultWordlistType -> ICURegEx. This Analyzer is used in the Wall Advanced (legacy) Job SAMPLE - REGEX Tagging Attachment name contains date.

 Unicode Analyzer with the parameter DefaultWordlistType -> LNDRegEx. For dictionaries with LNDRegEx, use one of the following DEFAULT jobs:

 Wall Content Mail Job16 DEFAULT - AntiSpam 3.3a: Based on Unicode Dictionary (Body-Sub- ject-Attachments)  Traditional Wall Advanced (legacy) Job DEFAULT - AntiSpam 3.3: Based on Unicode Dictionary (Body-Sub-

15. For further Information on regular expressions, please refer to the "ICU User Guide" on the official ICU website. 16. Refer to “Text Analysis with Wall Content Mail Jobs” on page 301.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 279 IQ.SUITE WALL - TEXT ANALYSIS 

ject-Attachments). Refer to “Sample Job: Unicode Text Analysis using Dictionaries” on page 288. Using one of these jobs, all email parts can be analyzed.

8.5.1.3 General Parameters for the Sandbox

The following parameters can be used for the sandbox in all Engines:

 sandbox-max-instances Maximum number of sandbox processes to start for this Engine. Default: value of the global parameter ToolKit_SandboxMaxInstances.

 sandbox-timeout Sandbox timeout in seconds. Default: 90

8.5.1.4 Configuration Document for Dictionaries

The dictionary-based text analysis checks emails for text defined in dictionaries (lists of words). This text can be words, sentences, parameters or any other character strings. Each search term is written into a dictionary. Each dictionary is a

configuration document that is stored in configurable categories under WALL ->

UTILITIES -> DICTIONARIES.

1. Click on WALL -> UTILITIES -> DICTIONARIES and either open a pre-configured

configuration document or create a new one (NEW button).

2. In the Basics tab click on EDIT and enable the document. Only enabled dictionaries will be selectable within the text analyzer later on.

3. Open the Settings tab:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 280 IQ.SUITE WALL - TEXT ANALYSIS 

a) Under Category enter the category name. The dictionary will be stored in

this category under WALL -> UTILITIES -> DICTIONARY. b) Enter a value for the dictionary under Weighting. A search term will be valued with this value. In this example every search term found in emails will be valued with ‘10‘. Several search terms found within one email will be summated to an overall value. If this overall value exceeds the threshold set in the job, the configured job actions are triggered, e.g. the email is deleted, move to quarantine, etc. The threshold is defined in the Oper- ations tab with the buttons under Category. c) Under Words/Phrases enter the search terms to be searched within emails, documents and file attachments.

Do not use additional blanks to define terms or words. Search errors can happen  even with the normalizer function enabled (to reduce the whitespace). Insert asterisks (*) before or after the corresponding word instead, e.g. *term*.

4. Save the document.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 281 IQ.SUITE WALL - TEXT ANALYSIS 

8.5.2 Text Analysis using Dictionaries

The dictionary-based text analysis checks emails for text defined in dictionaries. This text can be words, sentences, parameters or any other character strings. Each search term is written into a list of words (dictionary). For each list a value (weight) is set.

For instance, you can create a dictionary for a "Pharma" topic, including search terms such as overweight, aging, etc. The value for this list is ‘10‘. If several applicable terms are found, their values are added to an overall value. If the term aging is found twice in the email, it is assigned to the "Pharma" dictionary and given the overall value ‘20‘. This overall value is checked against a threshold set in the job. If the latter is exceeded, the job actions are triggered, e.g. the email is deleted, move to quarantine, etc.

For this, you need a Wall Content Mail Job17 or a traditional Wall Advanced (legacy) Job, e.g. the DEFAULT - AntiSpam 2: Based on Dictionary and Con- tent job.

Besides performing a text analysis for incoming emails, you can also ensure that outgoing emails comply with internal confidentiality requirements. Using the dictionaries, it is possible to check the outgoing emails for information that is not supposed to get "outside". For that purpose, use a Wall Content Mail Job or the traditional Wall Advanced (legacy) Job SAMPLE- Block Outgoing Confidential Information with Dictionary (Body-Subject-Attachment) to check email bodies and attachments. The configuration of this job is largely similar the one described hereafter.

Checking emails against dictionaries is performed by text analyzers, which access the dictionaries, search for the terms included and determine the values.

The analyzers are provided with the iQ.Suite. For a detailed description of the

function of a specific analyzer, please refer to WALL -> UTILITIES -> TEXT ANALYZER within the Comments tab of a configuration document.

17. Refer to “Text Analysis with Wall Content Mail Jobs” on page 301.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 282 IQ.SUITE WALL - TEXT ANALYSIS 

8.5.2.1 Notes on Dictionaries

Observe the following when working with dictionaries:

 If you plan to use several dictionaries, try to include them all in a single job. This will provide significantly better results than using several jobs.

 To deny script instructions in emails, use a Wall Content Mail Job or the traditional Wall Advanced (legacy) Job DEFAULT - Block Script Commands.

 If you also wish to check attachments for specific content, create a Wall Content Mail Job or use the traditional Wall Advanced (legacy) Job SAMPLE - Block Outgoing Confidential Information with Dictionary (Body- Subject-Attachment). With this sample job, both the content of the email and its attachments are checked against the search terms in the dictionaries. This ensures that internal (possibly confidential or secret) information is prevented from getting "outside".

 To check certain text fields in emails, use a Wall Content Mail Job or the traditional Wall Advanced (legacy) Job DEFAULT - AntiSpam 3.2: Based on Dic- tionary and X-Mailer.

For information on the Wall Content Mail Job, refer to “Text Analysis with Wall Content

Mail Jobs” on page 301.

If you plan to use the ’File to Text Converter’, please note that the converter can  only be used in the proper way if no unpacker (compressor) is being used. Used along with ZIP-based document formats e.g. OpenOffice or Office 2007 files the converter will not work correctly.

If you plan to use different analysis methods e.g. dictionaries and CORE, you  must create a separate job for each analysis method.

8.5.2.2 Sample Job: Text Analysis using Dictionaries

This job is part of the anti-spam concept described in more detail under “Spam Protection Overview” on page 234.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 283 IQ.SUITE WALL - TEXT ANALYSIS 

1. Create a Wall Content Mail Job18 or open the DEFAULT - AntiSpam 2:

Based on Dictionary and Content job under WALL -> MAIL JOBS and click on

EDIT:

a) Enable the job. b) Default settings in the rules: The job will run on selected emails (Runs on field). According to the rule, these are all emails sent via the Internet (InetSender). In the default configuration, this rule is specified as sender domain *.*. In addition, the email must not come from the quarantine (MailResentFromQuarantine) and the sender must not be included in a whitelist (WLRuleAntiSpam). Please note that the quarantine rule only applies if the system time is the same on the server and the client. The emails that meet these criteria are checked for prohibited text in the subject field and the message text.

2. Open the Operations tab:

18. Refer to “Text Analysis with Wall Content Mail Jobs” on page 301.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 284 IQ.SUITE WALL - TEXT ANALYSIS 

a) Use the Mode field to set the analysis mode. In this case select ’Text analysis’ to have a Text Analyzer analyze the text in a document using dictionaries or CORE. Please note that the other modes, although available, are not supported by this analyzer. b) The Conversion is preset to the ’Text Normalizer’ converter. This converter converts the text files to a standardized format in order to provide a better basis for the subsequent analysis steps. We recommend to keep the default settings19. c) The actual text analysis is performed by the Analyzer. The ’Dictionary- based Analyzer’ pre-configured in this default job checks emails or documents against the dictionaries previously created. Keep in mind that only enabled dictionaries are displayed and can be selected20.

19. For further Information on converter configuration, please refer to “Configuration Document for Converter” on page 275. 20. For further Information on analyzer configuration or dictionary configuration, please refer to “Confi- guration Document for Text Analyzer” on page 276 or “Configuration Document for Dictionaries” on page 280.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 285 IQ.SUITE WALL - TEXT ANALYSIS 

d) According to the settings under Analyze Elements, the text in the subject field and the message text are the only elements checked for prohibited text. If you want to check additional text fields within the email, enter these fields manually under ’Other text fields’ (the field is displayed after the selection). To that end, you can also use the DEFAULT - AntiSpam 3.2: Based on Dictionary and X-Mailer job, refer to Seite 283. e) For analysis purposes, all text fields are combined, i.e. the prohibited strings found in the subject field and the message text are cumulated and the total score is compared with the threshold. f) The Character set is preset to ’LMBCS’, which is a reasonable choice for text analysis based on dictionaries. Please check that the character set is compatible with the analyzer selected. g) To define the thresholds for the categories (and thus also the dictionaries)

set in the analyzer configuration, select a category and click on EDIT.

h) Select one of the categories from the white box on the left and click on the arrow button. Enter a value in the input field underneath. The bigger the difference between this threshold and the value assigned to the dictionary, the less critical this dictionary is. For instance, if, on one hand, you use the dictionary ‘Offensive Lan- guage‘ for pornographic search terms and set it to a value of ‘10‘, and, on the other hand, set the threshold for the higher-ranking category to ‘10‘, the action specified in the job is performed as soon as one search term is found. In order to evaluate spam content that is less strong, e.g. terms from the dictionary ‚Pharmacy Offers‘ set it to a value of ‘5‘ and its threshold to ‘15‘. With this the job actions will be triggered as of three search terms found.

3. Enter the settings in the second area of the Basics tab:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 286 IQ.SUITE WALL - TEXT ANALYSIS 

a) When an email exceeds the specified threshold, it is deleted, i.e. not delivered to the recipient, as set in the Alarm tab in the Delete mail field.

b) Then a report is created under QUARANTINE -> REPORTS. Use the Cate- gory in Quarantine report field to manually create categories for these

reports or use the default categories (here: SPAM). For compressed files a category may also appear more than once. An entry including all thresholds exceeded is created for each element (attachments, text fields, etc.) that causes an alarm. c) The analysis details can be written as multi-value field to a ’Notes field’ of the email (here: AnalyseResult_DicBod). To disable this, select ’No’. If set to ’X Token', the results are written in the X header as "X token". For instance, for ’X-AnalyseResult’, the string "X-" is placed before the name internally. When converted to a MIME mail (typical procedure for Internet mails sent via SMTP), this field is preserved. Please note that only one entry is created for compressed files in which several elements (attachments, text fields, etc.) trigger an alarm in the same category. This means that event-controlled database jobs do not trigger a job restart. d) The different notification fields can be used to send notifications and the analysis results to the administrator, the sender and the recipient. Config- ure a Wall notification database job to inform the users of their spam emails in the quarantine. In this case, notifications to the administrator are not necessary21.

21. For further Information on Quarantine Summary Notifications, please refer to “Quarantine Sum- mary Notifications” on page 264.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 287 IQ.SUITE WALL - TEXT ANALYSIS 

e) The System Errors tab is used to set the handling of system errors. In the default configuration, the email is not deleted.

4. Open the Advanced tab:

According to the default settings, the recipient only is allowed to access the emails in quarantine that have been processed by the job. This way, the recipient can have the email delivered to him after all. Neither senders nor further administrators nor any deputies (Clerk module) have access to these emails. Please note that setting the Clerk quarantine documents access field to ’No’ has an impact on the configurations for standard users in the Clerk module. Any Clerk documents supposed to provide quarantine access to a deputy will be overruled by this option, i.e. the deputy, though authorized, will not be able to access the quarantined emails of the standard user.

5. Open the Misc tab. Change the default settings as required, e.g. the quarantine configuration. Under Utilities database, the configuration is preset and cannot be changed. The database set here is used by iQ.Suite Wall to locate the analyzer.

6. Save the job.

8.5.2.3 Sample Job: Unicode Text Analysis using Dictionaries

To perform a text analysis using dictionaries, you can use the Unicode Analyzer. This analyzer is able to analyze the subject, the message body and the file

attachments. Refer to “Configuration Document for Text Analyzer” on page 276.

To analyze all parts of the email, you need to configure the following Wall mail job:

1. Click on WALL -> MAIL JOBS and open the traditional Wall Advanced (legacy) Job DEFAULT - AntiSpam 3.3: Based on Unicode Dictionary (Body-Sub-

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 288 IQ.SUITE WALL - TEXT ANALYSIS 

ject-Attachments) or the Wall Content Mail Job DEFAULT - AntiSpam 3.3a: Based on Unicode Dictionary (Body-Subject-Attachments)22. In the following, only the job-specific details of the Wall Advanced (legacy) Job are explained. For all other settings, please refer to “Sample Job: Text Analysis using Dictionaries” on page 283.

2. Click on EDIT.

3. Open the Operations tab:

a) Use the Mode field to specify the analysis mode to be used. Select here ‘Text analysis’.

22. Refer to “Text Analysis with Wall Content Mail Jobs” on page 301.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 289 IQ.SUITE WALL - TEXT ANALYSIS 

b) If you want to use an unpacker, you need to configure the Unpacker in a way that excludes Office files (MS Office and OpenOffice) from being unpacked. c) The Conversion is preset to the ’File to Text Converter’. This converter converts file attachments to a text format that can be processed by the Unicode Analyzer23. d) The actual text analysis is performed by the Text Analyzer specified in the Analyzer field. The ‘Unicode Analyzer’ pre-configured in this default job checks emails or documents against the dictionaries previously created. Keep in mind that only enabled dictionaries are displayed and can be selected24. e) According to the settings under Analyze Elements, the subject field, the message body and the file attachments are the elements checked for prohibited text. If you want to check additional text fields within the email, enter these fields manually under ’Other text fields’ (the field is displayed after the selection). f) For analysis purposes, all text fields are combined, i.e. the prohibited strings found in the subject field, the message text and maybe in other text fields are cumulated and the total score is compared with the threshold. g) The Character set for the text dump of the email fields to be analyzed is preset to ‘UTF-8’. Please check that the character set is compatible with the analyzer selected.

23. For further Information on converter configuration, please refer to “Configuration Document for Converter” on page 275. 24. For further Information on analyzer configuration or dictionary configuration, please refer to “Confi- guration Document for Text Analyzer” on page 276 or “Configuration Document for Dictionaries” on page 280.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 290 IQ.SUITE WALL - TEXT ANALYSIS 

8.5.3 Text Analysis using CORE

With CORE (COntent Recognition Engine), emails can also be categorized/checked for undesirable content without matching against dictionaries.

CORE is based on the Support Vector Machines (SVM) method, a statistical learning theory for text classification, where the analyzer is "learned" through a representation of text as vector. The goal of SVM is to reliably assign incoming emails to predefined categories in order to be able to filter out spam according to the text content and handle the emails according to specific topics. This theory is implemented through training documents used to train a classifier. The training documents used comprise a representative set of emails that a company receives (including spam) and are used as basis for categorization. The more representative this selection is, the better this method will work in a productive environment. As spammers use frequently changing (and often non-existing) addresses and varying content, CORE is especially suited for blocking spam because it is train- able, while dictionaries require more maintenance work to keep with the pace at which spammers change their methods.

CORE is not language-specific and allows to classify emails in different, freely definable categories. The categorization and subsequent conversion to the format needed for analysis is performed by Text Analyzers25 and Converters26.

To analyze emails and documents with CORE, a representative set of incoming emails (spam and non-spam emails: business emails, newsletters, offers, requests, etc.) is copied to a database. To that end, GBS provides the g_learn.nsf database in the iQ.Suite data directory, which you can fill with documents for subsequent categorization27. A database job in training mode "learns" your categories and creates a classifier. An Wall database job in analysis mode then uses these for analysis purposes. If the analysis produces satisfactory results, enable a Wall Content Mail Job / Wall Advanced (legacy) Job or database job that applies this classifier to all documents, i.e. filters out everything defined as undesirable.

25. Refer to “Configuration Document for Text Analyzer” on page 276. 26. Refer to “Configuration Document for Converter” on page 275. 27. For further Information on document categorization in the database, please refer to the online help relative to the training database g_learn. nsf.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 291 IQ.SUITE WALL - TEXT ANALYSIS 

A new classifier is generated after each training run. This new classifier is loaded  after each initialization of the Grabber. As an exception however, the database job is loaded before the processing cycle.

You can create several classifiers by duplicating and renaming the CORE Teacher configuration document and changing the name of the classifier parameter value. Then specify this new CORE Teacher in the database teaching job for a new training database (which may be filled with other categories). Together with iQ.Suite Action, you can then automatically forward emails to different recipient addresses according to their content.

Besides performing a text analysis for incoming emails, you can also ensure that outgoing emails comply with internal confidentiality requirements. Using the text analysis documents created, it is possible to check the outgoing emails for information that is not supposed to get "outside". For that purpose, use a Wall Content Mail Job28 or the Wall Advanced (legacy) Job SAMPLE - Block Outgoing Confi- dential Information with CORE (Body-Subject).

If you want the attachments of outgoing emails to be checked as well, adjust the job mentioned above.

The configuration of both jobs is largely similar the one described hereafter.

8.5.3.1 Configuration Steps for CORE

The following description is meant to illustrate the configuration of iQ.Suite Wall for performing a text analysis with CORE29.

1. Fill the g_learn.nsf database with documents by copy-and-paste, or select

QUARANTINE -> ORIGINALS -> FOR TRAINING.

2. Categorize the documents.

3. Configure the CORE Analyzer. Changes in the CORE Teacher are not necessary unless you have changed the CORE Analyzer parameters30.

28. Refer to “Text Analysis with Wall Content Mail Jobs” on page 301. 29. For further Information on how to configure and use CORE, please refer to the separate document. Download under www.gbs.com.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 292 IQ.SUITE WALL - TEXT ANALYSIS 

4. Create a database teaching job or enable the SAMPLE - Teaching Core Categories job, specify a start time and an interval, and let the job process all documents in the database.

5. Create a database checking job or enable the SAMPLE - Validate CORE Categories Training Result job, specify a start time and an interval, and let the job process all documents in the database. This job uses the classifier generated by the teaching job and categorizes the processed documents.

6. If any documents have been wrongly categorized by the checking job, review the categorization and repeat steps 2 + 3.

7. If the categorization result is satisfactory (incorrect classifications reduced to about 5%), create an iQ.Suite Wall checking job or enable the Job DEFAULT - AntiSpam 4.1: Based on CORE (Body-Subject) for emails and/or the corresponding job for databases.  In replicated environments, training must be performed on every server.

8.5.3.2 Sample Job: Text Analysis using CORE

Before you can configure this sample job in a useful way, CORE must have been trained and categorized. Refer to “Configuration Steps for CORE” on page 292.

Please note that activating the DEFAULT job described hereafter requires some  preliminary work. To be able to use the job, it is necessary to have a teaching job create a so-called PARAM file. The standard configuration supplied includes the multi.param file. Using this file is possible but not recommended, because the main advantage of CORE is its individual adaptability. For further Information, please refer to the separate iQ.Suite document entitled "CORE for SPAM Recog- nition".

30. For further Information on configuring analyzers, please refer to the online help and the analyzer’s Comments tab.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 293 IQ.SUITE WALL - TEXT ANALYSIS 

The Wall mail job described below is the last one in the CORE configuration. This job is also the last step within the anti-spam concept. Refer to “Spam Protection Overview” on page 234.

1. Under WALL -> MAIL JOBS, create a Wall Content Mail Job31 or open the traditional Wall Advanced (legacy) Job DEFAULT - AntiSpam 4.1: Based on CORE (Body-Subject).

2. In the job mentioned above, click on EDIT:

The settings in all tabs are largely similar to those described under “Configuration

Document for Converter” on page 275 and can be configured in the same way. The only exceptions are the following:

Exceptions:

1. Conversion: The text to be checked should be available in ASCII format. Using the classifier previously trained (categorizer), the text is analyzed and assigned to the corresponding category. The category and the associated evaluation score are returned to the calling Wall job.

31. Refer to “Text Analysis with Wall Content Mail Jobs” on page 301.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 294 IQ.SUITE WALL - TEXT ANALYSIS 

2. Analyzer: The analyzer used is CORE Analyzer SAMPLE. To configure the analyzer, click on the Edit icon in the Operations tab under the Analyzer field. This analyzer is based on CORE technology and needs to be trained. If you have already defined your own CORE Analyzer, click on the Select icon. a) As set in the Basics tab, the job applies to all files, with no exceptions defined. b) In the Settings tab:  Enter the path to the DLL accessed by the Grabber. Enter the desired parameters and their values in the associate fields. Please note that the first parameter expected by CORE is the Categorizer parameter set to %ExecDir%\multi. The analyzer checks the iQ.Suite program directory (iQSuiteProg) for the PARAM file named multi.param (as supplied), which contains the parameters determined in the learning process. This file must not be changed. Changes to this file could result in fatal damages to the configuration.  The optional MinWordsPerDocument parameter sets the minimum number of words the document to be analyzed must contain, in order to give an evaluation score. If the parameter value (here: ‘50‘) is not reached, NOT-CLASSIFIED=100 is returned. c) In the Advanced tab, select an operating system. d) In the Misc tab:  Under Mode select ’Text analyzer’ to run the text analysis with CORE. Use the 'Text training' CORE option for your "CORE Teacher" if you wish to configure a teaching job.  Set Categories from dictionaries to ’No’.  Under Supported categories, enter the categories the multi.param classifier is supposed to identify (refer to the categories assigned in the training database g_learn.nsf). These categories will then be available in the selection dialog of the Operations tab of the job.

As the CORE Analyzer and the CORE Teacher work together, the Categori-  zer parameter must be set to the same value in both configuration documents.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 295 IQ.SUITE WALL - TEXT ANALYSIS 

e) Save your settings and close the analyzer document. After having returned to the DEFAULT job Operations tab, proceed as described under “Sample Job: Text Analysis using Dictionaries” on page 283. How- ever, in the Threshold field, be sure to enter only categories for emails the recipients are not supposed to receive, i.e. spam categories. Any other categories should be removed from this screen.

3. Quarantine: After a certain time, check the result in the quarantine database

(MISC TAB -> QUARANTINE CONFIGURATION or in the navigation area QUARAN-

TINE -> ORIGINALS). If the result is not satisfactory, (e.g. business email categorized as spam), re-categorize the emails.

8.5.4 Text Analysis for Credit Card Numbers

Cashless financial transactions increasingly rely on card-based payments. In this context, credit cards have become a very popular form of payment in both business and private sectors, which is mainly due to their international acceptance. As a result, credit cards are being increasingly used for electronic banking.

Therefore, the security of credit cards has become a major issue for their holders and the issuing banks. So, to avoid any abuse, it is essential that credit card numbers transmitted by email are exclusively delivered to the intended recipient.

Using the iQ.Suite Wall Credit Card Analyzer (tk_ccanalyzer.dll) allows to restric- tively filter and control the sending of credit card numbers by email. Email bodies and attachments are checked for numerical sequences and, depending on the configuration, blocked whenever credit card numbers are suspected. The analyzer settings support a rule-based handling of credit card numbers that come from specific issuers, are known or unknown, or belong to a specific industry (identified through the Major Industry Identifier - MII).

8.5.4.1 Sample Job: Text Analyses for Credit Card Numbers

32 1. Under WALL -> MAIL JOBS, create a Wall Content Mail Job or open the Wall Advanced (legacy) Job SAMPLE - Deny and Report Outgoing Credit Card

32. Refer to “Text Analysis with Wall Content Mail Jobs” on page 301.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 296 IQ.SUITE WALL - TEXT ANALYSIS 

Numbers job . According to the default setting of the RemoteRecipient rule, this sample job is started for all emails addressed to external recipients. This is to prevent information on credit card numbers from being communicated by

email. Click on EDIT.

2. Open the Operations tab:

 Use the Mode field to set how the email content is to be checked. As the Credit Card Analyzer is a text analyzer, select the option ’text analysis’.  Unpacker: To be able to check both email bodies and attachments for credit card numbers, the attachments first need to be decompressed. We recommend not to change the default setting33.  Once extracted, the attachments are converted by the ‘File-To-Text‘ converter (as set under Conversion) to a text format that can be

33. For further Information on unpackers, please refer to “Unpackers for Archives and PDFs” on page 168.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 297 IQ.SUITE WALL - TEXT ANALYSIS 

processed by the Credit Card Analyzer. We recommend not to change the default setting34.  Analyzer: The ’Credit Card Number Analyzer’ is used to identify credit card numbers. Using the default setting, the analyzer has proven to produce reasonable results, i.e. the setting can be left as is. To generate other results, you need to adjust the Credit Card Analyzer parameters and categories accordingly. Refer to “Credit Card Analyzer Description” on page 299.  Analyze elements: By default, the analyzer checks the email body, the subject line and any attachments. Text fields are aggregated for analysis purposes.  Categories/thresholds: Categories and thresholds are used to trigger job actions according to specific events. In the sample job, the categories

PROBABLEMATCHES and POSSIBLEMATCHES are set thresholds of ’1’ and ’3’ respectively. With this setting, the actions configured in the Alarm tab are executed whenever a numerical sequence is considered ’probable’. Actually, the category ‘probable‘ refers to a numerical sequence which is most likely a credit card number. The same actions are executed when a numerical sequence is considered ’possible’, i.e. it might be a credit card number.

3. Whenever a credit card number is detected, the email is quarantined under

the category CONFIDENTIAL and the (internal) sender informed. Further options can be set as required.

4. Any relevant email analysis results are stored as analysis report in the g_arch.nsf database.

For a numerical sequence to be interpreted as credit card number, the numerical  sequence may only be interrupted by hyphens or blanks.

34. For further Information on converters, please refer to “Configuration Document for Converter” on page 275.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 298 IQ.SUITE WALL - TEXT ANALYSIS 

8.5.4.2 Credit Card Analyzer Description

The Credit Card Analyzer default configuration has proven to produce satisfactory results and therefore does not have to be changed. The parameters set how the analyzer works and how the numerical sequences found are treated. In addition, it can be set which information is to be documented in the form of individual and summary reports, e.g. how many matches were found and how probable it is that the numerical sequence found is a credit card number.

During the analysis, the Credit Card Analyzer performs the following steps:

1. Text analysis for numerical sequences pointing to credit card numbers.

2. Evaluation of the numerical sequences found. Key evaluation parameters:  UnknownIssuerPenalty  MissingIdealSeparationPenalty

3. Analysis and evaluation of the text surrounding the numerical sequence (keywords). Key evaluation parameters:  ProximityPhrase

4. Filtering for known credit card numbers not to be taken into account. Key evaluation parameters:  WhiteListEntry  ReportWellKnownCreditCards or ReportUnknownCreditCards

5. Combination of the steps 1-3 to an overall result and creation of a report.

The numerical sequences found are categorized as follows according to their probability of being a credit card number:  ’probable‘: The numerical sequence found is most likely a credit card number.  ’possible‘: The numerical sequence found could be credit card number.  ’unlikely‘: The numerical sequence found is probably not a credit card number.

To obtain other results or include additional Information in the analysis report, you can change the parameters and categories:

1. Click on the Edit icon to open the configuration document of the Credit Card Analyzer.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 299 IQ.SUITE WALL - TEXT ANALYSIS 

2. Open the Settings tab and change the parameters as required. The key parameters are briefly described hereafter. For a detailed description, please refer to the Comments tab.  UnknownIssuerPenalty Sets how an unknown credit card issuer affects the search results in the ’possible‘ and ’probable‘ categories.

 ’conservative‘: If the credit card issuer is unknown, less results are found, i.e. less numerical sequences are considered credit card numbers. Result: lower number of matches in the ’possible‘ category.  ’aggressive‘: If the credit card issuer is unknown, more results are found, i.e. more numerical sequences are considered credit card numbers. Result: higher number of matches in the ’possible‘ category.  MissingIdealSeparationPenalty Sets how an unusual grouping of digits of a credit card number affects the search result:

 ’conservative‘: If an unusual grouping of digits is identified, less results are found, i.e. less numerical sequences are considered credit card numbers. Result: lower number of matches in the ’possible‘ category.  ’aggressive‘: If an unusual grouping of digits is identified, more results are found, i.e. more numerical sequences are considered credit card numbers. Result: higher number of matches in the ’possible‘ category.  ProximityPhrase The text surrounding a potential credit card number is taken into account for the evaluation. The ProximityPhrase parameters can be used to assign a weighting factor to specific keywords, which makes it more or less likely that the numerical sequence found is a credit card number (value range: -10.0 to 10.0). The evaluation also takes into account the distance between the keyword and the numerical sequence (bandwidth). The total value of all keywords is the overall result recorded in individual reports.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 300 IQ.SUITE WALL - TEXT ANALYSIS 

The value of the report entry ’Likelihood‘ is calculated from the number of all results < 0 (’strong unlikely‘) and results > 0 (’strong likely‘).

 ReportWellKnownCreditCards or ReportUnknownCreditCards Known or unknown credit card numbers are not taken into account in the overall result. The number of credit card numbers found is specified in the ReportWellKnownCreditCards or ReportUnknownCreditCards categories.

 WhiteListEntry Specific credit card numbers are filtered out according to preset digits and not taken into account in the overall result. The number of credit card numbers found is specified in the FilteredOutCardNumbers category.

3. The categories supported by the Credit Card Analyzer are listed in the Misc tab. Each of these categories can be selected and used in the job. Thresh- olds are used to set when and which job actions are triggered in case a credit card number is found.

8.5.5 Text Analysis with Wall Content Mail Jobs

As of iQ.Suite 21.1, you can use the new job type Wall Content Mail Job for text analysis. The traditional Wall Mail Job Advanced (legacy)35 will continue to work for a transition period. However, we recommend to use the new job type in new configurations and in case of larger changes. Please note that some DEFAULT and SAMPLE Jobs are currently available only as Wall Advanced Jobs.

8.5.5.1 Jobs der Standardkonfiguration

The following SAMPLE and DEFAULT jobs of the new job type are available:

 DEFAULT - AntiSpam 3.3a: Based on Unicode Dictionary (Body-Subject- Attachments)

35. Refer to “Overview” on page 274 and the following sections preceding “Text Analysis with Wall Content Mail Jobs” on page 301.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 301 IQ.SUITE WALL - TEXT ANALYSIS 

This job executes a unicode text analysis with dictionaries, like the traditional Wall Advanced (legacy) Job DEFAULT - AntiSpam 3.3: Based on Unicode Dictionary (Body-Subject-Attachments) does. Refer to “Sample Job: Uni- code Text Analysis using Dictionaries” on page 288.

 SAMPLE - AntiSpam 3.3b: Mark Subject of Spam This job executes a unicode text analysis with dictionaries as well.

Contrary to the traditional DEFAULT Wall Advanced (legacy) Job, the identified spam mail is neither quarantined nor deleted. Instead of that, it is only marked as spam mail in the subject by setting the string "SPAM:" in front of the original subject text.

 SAMPLE - Simple Language Analysis by Dictionary for outgoing E-Mails This job executes a language analysis by searching for the 150 most usual words of the languages “German”, “English” and “French” in the email body. It can be used, for example, to determine the language in which a trailer is to be added.

The language identification with this job may be unreliable in case of unk-  nown languages. In some cases, not the default language is determined as a result, but the language which is the most similar to the unknown language.

In this sample job, the [VAR]ResultCategory[/VAR] variable for Wall job results is used in case of a found restriction. If no restriction is found, the default value ‘ENGLISH’ is set in the LANGUAGE field of the email.

 SAMPLE - Move E-Mails without Legal Disclaimer to Quarantine This job contains a list of words in which the three sentences of the Legal Dis- claimer are contained as one entry. The job searches for these sentences by using the Dictionary-based Analyzer. The set threshold is reached only for emails which contain the three sentences. Emails which do not contain the Legal Disclaimer are quarantined and deleted.

This job can e.g. also be used to check whether emails contain trade register entries, account data or other data required by law which can be expressed by using dictionary entries (with regular expressions, if necessary).

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 302 IQ.SUITE WALL - TEXT ANALYSIS 

8.5.5.2 Configuration of Wall Content Mail Jobs

Under WALL -> MAIL-JOBS, you can create new Wall Content Mail Jobs.

Hereafter, the job configuration is described with the DEFAULT - AntiSpam 3.3a: Based on Unicode Dictionary (Body-Subject-Attachments) job as an example. Especially the differences with the traditional Wall Advanced (legacy) Job are mentioned.

1. Open the job and click on EDIT36.

2. Open the Operations -> Options tab:

The settings of this tab are described under “Sample Job: Unicode Text Ana- lysis using Dictionaries” on page 288.

36. In the following, only the job-specific details are explained. For information on the settings of the standard tabs, please refer to “Standard Tabs for Jobs” on page 39.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 303 IQ.SUITE WALL - TEXT ANALYSIS 

3. Tabs for actions: The actions which can be configured in the Wall Advanced (legacy) Job in case of Alarm and error have been replaced in the Wall Content Mail Job with the new action sequences:

a) The Success Actions - No Restriction tab contains the actions for the success case. The actions configured in this tab are executed if the job does not find any restriction. b) The Success Actions - By Restrictions tab corresponds to the Alarm tab in the Wall Advanced (legacy) Job. The actions configured in this tab are executed if an alarm is triggered because of found restrictions. c) The Error Actions tab corresponds to the System Error tab in the Wall Advanced (legacy) Job. The actions configured in this tab are executed if a system error occurs. Refer to “Actions” on page 47.

Additional Actions

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 304 IQ.SUITE WALL - TEXT ANALYSIS 

Additionally, the following job-specific actions are configurable:

 ‘Add Notes field to email’  ‘Add X-token to email’

With these actions, a Notes field or X-token (X field) is added to the email with any definable content. The content can be e.g. analysis results (in case thresholds are exceeded) or a subject extension.

If you select one of these actions and then click OK, the following dialog is displayed (here an example with a Notes field):

If you want to enable this action (not only configure it), you must activate the Write job results in email checkbox.

 Field name for analysis results: Geben Sie hier den gewünschten field name an, e.g. ‘AnalyseResult_DicBod’.

 Variable for analysis results: Specify here the field content, e.g. [VAR]LegacyResult[/VAR]. The content of the field is freely definable. You can specify any fixed text and/or use variables. The variables expect the VAR syntax [VAR][/VAR]. With this, you can also specify default values as follows: [VAR];[/VAR]

The default value will be written if the variable cannot be resolved.

Also namenspaces which precede the variable with "::" can be resolved.

The possible variables are described under “Placeholders” on page 59.

All fields to be written are basically added to the email as text fields, with the following exception: If the field content in the ‘Add Notes field to email’ action

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 305 IQ.SUITE WALL - TEXT ANALYSIS 

contains the [VAR]LegacyResult[/VAR] variable without additional text, the usual analysis result of the job (text list) is written as a text list field as well.

4. The Advanced tab, which is available in the Wall Advanced legacy Job, does not exist in the Wall Content Mail Job. However, a user-specific Quarantine access can be configured after selection of the ‘Copy email to quarantine before/after processing‘ action.

5. In the Misc tab of the Wall Content Mail Job, the following settings can be made:

The standard tab is described under “Misc Tab” on page 49. Some settings of the standard tab are available in the Wall Content Mail Job in the action sequences:

 Quarantine database / Quarantine configuration: This can be configured with the ‘Copy email to quarantine before/after processing‘ action.  Utilities database: The g_wdog.nsf is always used. Since this database cannot be edited, this information is not displayed in this job.  Memo from / Reply to: Corresponds to the Use a custom sender address field of the ‘Notification to administrator’ action, but here no placeholders can be used.

8.5.6 Wall Action: Text Analysis by using Regular Expressions

Wall Action Jobs (Mail Jobs und Database Jobs) use regular expressions to search in emails for certain contents (e.g. machine number or customer number) and write the found matches to email fields.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 306 IQ.SUITE WALL - TEXT ANALYSIS 

1. Create a Wall Action Job, either a Mail Job or a Database Job (according to your needs)37:

 Wall Action Mail Job: WALL -> MAIL JOBS You can use the sample job SAMPLE - Extract Customer Number from

Mailbody or create a new job with NEW.

The sample job uses a regular expression to search for customer numbers in the message bodies of all emails. By using a regular expression, the sample job sets the freely configurable Notes field (here: Customer- Number) in the processed email document and writes the found match (here: customer number) into this field.

 Wall Action DB Job (Database Job): WALL -> DATABASE JOBS -> NEW

2. Open the Operations tab. Example in the SAMPLE mail job:

Use the Search through elements of type option to determine whether email fields or only email attachments are to be searched for a certain text content.

a) ‘Fields’: Under Analyze fields, define which text fields of emails are to be analyzed (subject, body and/or other fields).

37. In the following, only the job-specific details are explained. For information on the settings of the standard tabs, please refer to “Standard Tabs for Jobs” on page 39.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 307 IQ.SUITE WALL - TEXT ANALYSIS 

If you have enabled the ‘Other text fields’ option, specify the desired Notes fields in the input field. For each entry, use a separate line.

b) ‘Attachments’: This option is used to analyze the attachments of emails.  Unpacker: Select the unpacker to be used to extract the files contained in archives and PDFs for analysis purposes. With this unpacker, the attachments are unpacked before the conversion.  Conversion: Here, you can select a converter38.

3. To specify a regular expression, click on ADD:

a) Regular Expression: Only regular expressions in ICU syntax can be used39. b) Use Result field to specify a name for the email field (Notes field) to which the results of the search are to be written. This field can be used in the Connect Workflow Job per [VAR]note::[/VAR]. Refer to description of the Mappings tab under “Configuring Connect Workflow Job” on page 590.

c) Your setting under Use matches found applies in case several matches are found. Possible options:

38. For further information on the configuration of Converters, refer to “Configuration Document for Converter” on page 275. 39. Refer to http://userguide.icu-project.org/strings/regexp.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 308 IQ.SUITE WALL - TEXT ANALYSIS 

 ‘All’: All matches will be written to the result field.  ‘Only no. ’: Only the match placed at the position in the list of the found matches will be written.  ‘from no. ’: Only the matches placed from the position onwards in the list of the found matches will be written.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 309 IQ.SUITE WALL - PREVENTING DENIAL-OF-SERVICE ATTACKS 

8.6 Preventing Denial-of-Service Attacks

A ’Denial-of-Service’ attack is the attempt to overload a server with mass mailing (bulk emails) so that it becomes unable to operate. Basically, there two methods to initiate the sending of bulk emails:

1. Mail-flooding the Server: sending large numbers of emails to a mail server.

2. Mail-flooding the Recipients: sending one email to a large number of recipients.

8.6.1 Mail-flooding the Server

With this form of mail-flooding, the mail server receives a huge amount of emails from the same sender within a few seconds. These attacks strongly affect the server’s performance as this huge number of emails has to be distributed within a short period of time. The senders are either external senders from the Internet who specifically target a company’s email infrastructure, or local users who send bulk emails inadvertently.

To avoid performance drops or failures caused by bulk emails sent by a sender to a mail server, iQ.Suite Wall allows to configure mail jobs that prevent mail-flooding. The job counts the throughput of emails within a specified period of time. The first email that exceeds this limit can be quarantined (for control purposes only). Further emails are handled as set in the job configuration, i.e. delivered or deleted.

Please note that even Notes users working offline may trigger mail-flooding after  having connected to their server: The transmission of all emails collected offline could trigger a spam alarm. This can be avoided by setting exceptions for these users/user groups or by restricting the analysis to external emails.

8.6.1.1 Sample Job: Preventing Mail-flooding the Server

1. Open the Wall Address Mail Job DEFAULT - Block Mail Flooding under

WALL -> MAIL JOBS and click on EDIT:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 310 IQ.SUITE WALL - PREVENTING DENIAL-OF-SERVICE ATTACKS 

a) Enable the job. b) Default settings in the rules: The Job applies to all emails (Runs on field), i.e. there are no exceptions for incoming or outgoing emails to be defined within rules. With the Valid for sender(s) field set to ’Advanced’, the job will be run for all senders with an address in the form *@*.

To exclude specific senders from this rule, further settings are available under Except.

2. Open the Operations tab: a) The settings in the Denied Recipients tab are irrelevant for this job. b) In the Avoid Mail Flooding tab set the following:

a) The administrator is to be notified in case of mail-flooding. To change the Notification template and enter a notification text, click on the Edit or New icon.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 311 IQ.SUITE WALL - PREVENTING DENIAL-OF-SERVICE ATTACKS 

b) The email will be delivered to the recipient. A copy of the original email is stored in the quarantine database. This database can be configured in the Misc tab. c) According to the Category in Quarantine report setting, a report is cre-

ated in the DENIAL OF SERVICE ATTACK category and provided under QUA-

RANTINE -> REPORTS. d) Use the Count mode field to set how spam emails are to be identified as such. As a general rule, spam is identified through the Time range and Number mails / time parameters. The following configuration options are available:  'By sender': The emails are counted separately for each individual sender, i.e. each sender has its own "account". Accordingly, a sender is not allowed to send more emails to all of the recipients specified than the maximum defined for a specific period of time. Otherwise, the actions defined in the job are triggered. As set in the DEFAULT job, a sender must not send more than 20 emails within 10 minutes.  'None': The Wall anti-spam mechanism is disabled altogether.  ’All': All emails are counted under a joint account.  ’By sender domain': The emails are counted separately for each domain.  'By sender and recipient': The emails are counted separately for each sender for each recipient, i.e. each sender/recipient pair has its own account.  ‚By sender phrase‘: The emails are counted by a sender phrase, i.e. a separate count is recorded for each sender phrase. This allows, for example, to search for the phrase CONFIRMATION in emails with the sender address "CONFIRMATION " in the email's FROM field.

3. Keep the default settings in the Number of Recipients, Advanced and Misc tabs. They are irrelevant for preventing mail-flooding.

4. Save the job.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 312 IQ.SUITE WALL - PREVENTING DENIAL-OF-SERVICE ATTACKS 

8.6.2 Mail-flooding the Recipients

With this form of mail-flooding, the same email is sent from the same sender to a huge number of recipients or entire mailing lists. To avoid this kind of attack, iQ.Suite Wall allows to configure a mail job that limits the number of recipients who are allowed to receive the same email. When this limit is exceeded, the actions specified in the job are carried out (delete or quarantine emails, etc.).

To restrict the number of recipients, it is recommended to specify the sender  directly in the job’s Basics tab rather than working with rules. The sender options include a variety of selection criteria, which can be used to restrict or enlarge the set of senders and define exceptions.

8.6.2.1 Sample Job: Restrict the Number of Recipients

This function allows you to restrict the number of recipients to whom an email is delivered.

1. Open the Wall Address Mail Job DEFAULT - Number of Recipients under

WALL -> MAIL JOBS and click on EDIT:

a) Enable the job.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 313 IQ.SUITE WALL - PREVENTING DENIAL-OF-SERVICE ATTACKS 

b) Default settings in the rules: The job applies to selected emails (Runs on field), in the present case to emails without attachment only. With the Valid for sender(s) field set to ’Advanced’, the job will be run for all SMTP senders with an address in the form *@*.*.

To exclude specific senders from this rule, further settings are available under Except.

2. Open the Operations tab: a) The settings in the Denied Recipients and Avoid Mail Flooding tabs are irrelevant for this job. b) In the Number of Recipients tab set the following:

a) The administrator is to be notified in case of mail-flooding. To change the Notification template and enter a notification text, click on the Edit or New icon. b) The email will be delivered to the recipient. A copy of the original email is stored in the quarantine database. This database can be configured in the Misc tab. c) According to the Category in Quarantine report setting (Denied Recip-

ients tab), a report is created in the DENIED NUMBER OF RECIPIENTS cate-

gory and provided under QUARANTINE -> REPORTS. d) Set Limit number of recipients to ’Yes’ and set the Max. number of recipients. In the present case, an email must not be sent to more than 100 recipients. Otherwise the actions defined in the job are performed. This applies to individual recipients specified in the email as well as mailing lists in which the number of recipients is calculated by the job.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 314 IQ.SUITE WALL - EMAIL CLEANING: DELETING HTML BODIES 

3. Keep the default settings in the Advanced and Misc tabs. They are irrelevant for preventing mail-flooding.

4. Save the job.

The counting method described above only works if all recipients are specified in  the same email. if the same email is sent to each recipient separately, this job will not be able to prevent mail-flooding. Refer to “Sample Job: Restrict the Num- ber of Recipients” on page 313.

8.7 Email Cleaning: Deleting HTML Bodies

You can use the Wall Cleaning Mail Job to remove HTML Bodies from emails.

1. Under WALL -> MAIL-JOBS, open the Wall Cleaning Mail Job SAMPLE - Wall Cleaning Remove HTML body or create a new Wall Cleaning Mail Job40.

2. Open the Operations -> Options tab:

40. This example only illustrates the job-specific details. For a description of the settings under standard tabs, please refer to “Standard Tabs for Jobs” on page 39.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 315 IQ.SUITE WALL - EMAIL CLEANING: DELETING HTML BODIES 

 Delete email bodies:  ‚All HTML bodies‘: All HTML bodies are deleted without replacement.  ‚All HTML bodies (auto generate missing text body)‘: All HTML bodies are deleted. If no plaintext body exists, a plaintext body is generated from the extracted content of the HTML body.

3. Use the Success Actions and Error Actions actions to define which actions to execute in case of success and in case of failure. Refer to “Actions” on page 47.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 316 IQ.SUITE CRYPT -   9 iQ.Suite Crypt iQ.Suite Crypt is used to encrypt, decrypt, sign or verify emails. With its flexible configuration options, Crypt lets you centrally define corporate encryption policies. Beside this main task, iQ.Suite Crypt also manages company certificates, personal certificates as well as revocation lists.

Powerful asymmetrical and symmetrical encryption is implemented with standard methods such as PGP, GnuPG or S/MIME (Secure MIME), which can also be used in parallel1. For the user, the encryption is fully transparent, regardless of the email client used.

The GBS solution draws the boundary of confidential communication at the server and not at the client. Within your company, the email is transmitted unencrypted.

Advantages:

1. Email security on the way through the Internet or other public networks. The email cannot be read by unauthorized persons.

2. Convenient key management. The keys are stored only once on the server.

3. Since encryption is not performed on the clients, the required installation and training is considerably reduced. Users benefit from outstanding ease of use.

4. Virus scanning possible before or afterwards.

5. Content analysis possible before or afterwards.

1. For further Information on cryptography and encryption methods, please refer to the Crypt White- paper. Download under www.gbs.com.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 317 IQ.SUITE CRYPT - 

As a general rule, to send encrypted email, a cryptography tool is required on both communication sides on the server (or the client). There are two widely used encryption methods: PGP or GnuPG, a free alternative to PGP, and S/MIME. MIME can use either with PGP/GnuPG or S/MIME to encrypt and decrypt emails. These two methods are not compatible with each other, i.e. you cannot, for example, use S/MIME to decrypt an email encrypted with PGP. You can, however, use both standards at the same time on your server.

An exception to the methods described above is WebCrypt Pro. This additional iQ.Suite Crypt feature enables encryption even if the communication partner does not use any encryption solution2.

Managing S/MIME certificates is best performed by using iQ.Suite KeyManager3. The local storage of S/MIME certificates without KeyManager is not recommended. Refer to “Crypt Engine” on page 319.

PGP keys can be managed in the KeyManager as well as in conventional local key rings.

2. Refer to “Encrypting Emails with WebCrypt Pro” on page 359. 3. Refer to “Using iQ.Suite KeyManager” on page 365.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 318 IQ.SUITE CRYPT - ENGINES 

9.1 Engines

9.1.1 Overview

The term Engines refers to central program elements which perform an application’s basic tasks and can be individually configured. Within Crypt, besides signing, verification, decryption and key import, the engine’s main task is to encrypt emails using both asymmetric (public/private key method) and symmetric methods. Encryption is performed directly at the server. One of the following encryption standards is used:  PGP  GnuPG  S/MIME

For each platform and each version of an encryption program e.g. PGP 6.5,

PGP 7.0, etc. a separate engine is defined centrally listed under CRYPT -> UTILI-

TIES -> ENGINES, sorted by platforms.

With engines, different mail jobs can re-use a Crypt engine configured for different encryption standards, versions and platforms. Setting the parameters, program paths, etc. is performed directly in the engine.

The iQ.Suite standard configuration provides pre-configured default engines that are used in the Crypt default jobs. Entering parameters manually is not required.

9.1.2 Available Engines

The Crypt module contains the following Engines:  Crypt Engine This engine can be used for PGP and GnuPG.

This engine can be used with an external program with freely configurable command line options.

 Crypt Engine ‘S/MIME + KeyManager’ This engine can run on 32-bit and 64-bit systems. It can only be used with iQ.Suite KeyManager for S/MIME.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 319 IQ.SUITE CRYPT - ENGINES 

 Crypt Engine ‘GnuPG + KeyManager’ This engine can only be used with GnuPG in combination with iQ.Suite Key- Manager. The command line options for GnuPG are predefined and cannot be freely configured. Only additional options such as ‚verbose‘ can be specified.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 320 IQ.SUITE CRYPT - ENGINES 

9.1.3 Configuration Document for the Crypt Engine

The following describes the configuration document of the Crypt Engine, using the example of GnuPG. The configuration for PGP is similar to GnuPG, only the paths and parameters are different.

1. Click on CRYPT -> UTILITIES -> ENGINES and open the configuration document GnuPG Engine.

You can also configure an engine directly within a Crypt job: CRYPT JOB

-> OPERATIONS -> FIELD: CRYPT ENGINE -> NEW OR EDIT ICON.

2. Make sure the configuration document is enabled (Basics tab) and click on

EDIT.

3. Open the Settings tab:

a) In the Execution mode field, set how the program is to be started:  If set to 'Program without console output', the command line program of the encryption program will be run. No messages are output to the Domino server console.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 321 IQ.SUITE CRYPT - ENGINES 

 The 'Program with console output' can be used for troubleshooting. Please note that this option may cause problems when using a Java console.  With ‘DLL', the encryption program is accessed via a DLL interface. b) Under Program path, specify the path and the filename of the encryption program used for encrypting/decrypting your emails. The parameters

required by the program can later be assigned (SET DEFAULT VALUES button) or entered manually. c) Under Engine Type select the encryption program. The value selected here must correspond to the settings within the Crypt mail job to be run (Mode field). Otherwise, the Crypt Engine will not work. d) The parameters required for the selected encryption program are pre- configured in the configuration document of the engine. After having

changed these parameters, click on SET DEFAULT VALUES button to import the default parameter settings, if required. Be sure to select the options for the correct version and platform, i.e. the parameters for one version on one platform. If the selected parameters do not match, a message is displayed and the configuration is rejected. Check the paths specified. If applicable, set the values for the identification of the password under Parameters. The password is passed to PGP by Crypt in order to be able to use the default private PGP key. For further Information on these parameters, please refer to the documentation of your encryption program.

4. Open the Advanced tab and set the operating system under which the engine is to be run.

5. Save the document.

9.1.4 Configuration Document for the ‚S/MIME + KeyManager Engine‘

1. Use the sample configuration S/MIME + KeyManager Engine or create a

new KeyManager Engine for S/MIME: CRYPT -> UTILITIES -> ENGINES -> NEW

-> CRYPT ENGINE S/MIME + KEYMANAGER.

2. Open the Settings tab.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 322 IQ.SUITE CRYPT - ENGINES 

a) A more detailed processing log will be written, if you select ‘Yes’ for Verbose report. b) Select an Encryption algorithm and a Signature algorithm. c) Under Encryption padding and Signature padding, select a padding algorithm, respectively for encryption and signing.

3. Activate and save the configuration document.

Return Codes in case of errors with S/MIME Certificates

Besides the numeric return codes (km: for iQ.Suite KeyManager and wincert: for the Windows Certificate Store), there are the following return codes which the Crypt Job use to inform of problems with the status of a certificate or general problems with a certificate request: certificate_email_address_mismatch In a signature verification: The email adress in the certificate does not match the email sender‘s address. The signature and possibly also the email content do not originate from the indicated sender, but from another person. certificate_not_valid The certificate is not within its validity period. certificate_not_trusted The certificate is not trusted.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 323 IQ.SUITE CRYPT - ENGINES 

certificate_source_not_configured No certificate source (iQ.Suite KeyManager or Windows Certificate Store) is configured.

certificate_store_error An unknown error occured during the certificate request.

certificate_trust_unknown The trust status of the certificate is unknown.

certificate_without_email_address In a signature verification: The certificate does not include an email address. It cannot be verified whether the email content and the signature originate from the email sender and not from another person.

9.1.5 Configuration Document for the ‚GnuPG + KeyManager Engine‘

1. Use the sample configuration GnuPG + KeyManager Engine or create a

new Engine: CRYPT -> UTILITIES-> ENGINE -> NEW: CRYPT ENGINE GNUPG +

KEYMANAGER.

2. Activate the configuration document and open the Settings tab:

a) Under Version GnuPG for Engine, select the GnuPG version to be used. b) Under Program path enter the path to the GnuPG installation directory. c) GnuPG options: This field is empty by default. All required GnuPG parameters are preset. If required, additional GnuPG options can be

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 324 IQ.SUITE CRYPT - ENGINES 

defined (e.g. ‚verbose‘ for detailed logging). For each option use a separate line. Do not use preceding hyphens (- -).4

3. Save and close the configuration document.

4. For further information please refer to the GnuPG documentations.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 325 IQ.SUITE CRYPT - ENCRYPTION/DECRYPTION WITH PGP AND GNUPG 

9.2 Encryption/Decryption with PGP and GnuPG

9.2.1 Overview

Using asymmetric encryption with PGP or GnuPG, the email is encrypted by the sender with the recipient’s public key and sent to the recipient. The recipient is the only one who can decrypt the message addressed to him with his/her private key.

With GnuPG, emails can be encrypted asymmetrically and symmetrically. Unlike symmetric encryption methods (refer to symmetrical method and asymmetric encryption) using a password, this does not require "secure channels" for exchanging keys between sender and recipient. Instead, with GnuPG, a pair of keys is created, which consists of a public key and a private key, also referred to as secret key. The public key is disclosed, so that each potential sender can use it and add to his/her key ring. The private key is not disclosed and must be kept secret5.

9.2.2 Procedures for Outgoing and Incoming Emails

The example below refers to encryption with GnuPG. The procedure using the commercial PGP version is the same.

9.2.2.1 Encryption of Outgoing Emails

The subsequent description is meant to illustrate how iQ.Suite Crypt proceeds to encrypt outgoing emails with GnuPG:

1. The user sends the email through his/her client.

2. A Crypt mail job is started on the server and determines the keys for all recipients of the email.

3. Crypt calls GnuPG.

5. For further Information on GnuPG as well as instructions concerning installation and operation, please visit: http:www.gnupg.org/.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 326 IQ.SUITE CRYPT - ENCRYPTION/DECRYPTION WITH PGP AND GNUPG 

4. GnuPG encrypts the message texts and attachments. The originals are replaced with encrypted versions.

5. As soon as the exchange is complete, the email is released and delivered to the recipient.

9.2.2.2 Decryption of Incoming Emails

For decrypting emails, you need to specify the senders whose emails are to be decrypted. These can be all Internet senders or individual users defined through an address rule (in the sender list).

The subsequent description is meant to illustrate how iQ.Suite Crypt proceeds to decrypt incoming emails with GnuPG:

1. An encrypted email arrives.

2. A Crypt mail job checks for encrypted attachments through the filename extension.

3. Crypt checks for encrypted body text by searching for the following standard PGP text string: -----BEGIN PGP MESSAGE-----

4. If found, this means the message text has been encrypted.

5. GnuPG or PGP identifies the key used in the incoming email.

6. The recipient’s private key is used to decrypt the message and any attachments. The encrypted originals are replaced with the decrypted elements.

7. The email is released for delivery to the client and finally delivered to the recipient. Normally, private keys are protected through a password. This password is passed to GnuPG by Crypt in order to be able to use the private key.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 327 IQ.SUITE CRYPT - ENCRYPTION/DECRYPTION WITH PGP AND GNUPG 

9.2.3 Sample Job: Encryption

9.2.3.1 Installation and Initial Configuration

If you wish to encrypt emails with GnuPG or PGP, perform the following steps on the server. To decrypt emails, these preliminary tasks are not required:

1. Open the EncryptionRecipients PGP rule and enter your encryption partners for GnuPG or PGP in this rule (as recipients)6.

2. If you are going to encrypt the emails with a "company key", you can map keys to recipients by entering the email addresses and the corresponding key names in a list. If the key name includes the recipient’s email address, manual mapping is not required.

As a general rule, manual mapping is not necessary since the recipient’s public  key is included in the key ring, i.e. the key is taken directly from the ring.

3. Import the public keys of the recipients into the GnuPG key ring and then sign them. Unsigned keys cannot be used.

9.2.3.2 Requirements

The following conditions must be met to be able to use PGP or GnuPG for encryption:  The recipient’s public key is in the key ring and classified as trusted.  The SAMPLE - Encryption with GnuPG job is enabled.  In the job, the rules for the recipients have been configured accordingly. Where required, create and enable several jobs.  Under Program path set the program path for the cmd.exe program in the Crypt Engine Program Settings. Under Windows this will normally be c:\windows\system32\cmd.exe. Note that different versions of Windows use different subdirectory names.

6. For further Information on how to use rules, please refer to “Mail Rules and Database Rules” on page 24.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 328 IQ.SUITE CRYPT - ENCRYPTION/DECRYPTION WITH PGP AND GNUPG 

 The path of the directory containing gpg.exe or pgp.exe is specified correctly in the Parameter field. The relevant placeholder is: %PASSWORD%, and for PGP 6.5: -z %PASSWORD%.  The password for the private standard key has been set.

To be able to call the corresponding encryption program, shell scripts are used  under Unix and command files under Windows. The content of the scripts or files are specified in the Comments tab of the corresponding DEFAULT or SAMPLE job.

9.2.3.3 Detailed Description

The following description applies to both PGP and GnuPG. In the example, GnuPG is used.

If emails are to be both encrypted and decrypted on a server, two jobs are  required, one for encryption, the other for decryption.

1. Click on CRYPT -> MAIL JOBS and open the SAMPLE - Encryption with

GnuPG job for encryption. Click on EDIT7:

7. Consider the priority of Crypt jobs at the beginning of the job chain. Refer to “Assigning Priorities (Job Chain)” on page 82.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 329 IQ.SUITE CRYPT - ENCRYPTION/DECRYPTION WITH PGP AND GNUPG 

a) Enable the job. b) According to the rules, the default settings of the job are as follows: The job will run on ‚Selected mails‘. According to the rule, these are all incoming emails encrypted with GnuPG. Also, emails are only delivered to recipients specified within the rule as being authorized to receive PGP- encrypted emails. No email is delivered to recipients who use S/MIME for encryption.

2. Open the Operations tab:

a) In the Mode field select ‚PGP/Inline encryption‘ or ‚PGP/MIME encryption‘:  ‚PGP/Inline encryption‘: (traditional method) each part of the email is encrypted separately  ‚PGP/MIME‘: (modern method) the entire email (excluding the email header) is encrypted and signed. This includes: file attachments, meta information, e.g. the attachment type or other email parts. Please note that your communication partner also requires PGP/Inline or PGP/MIME to be able to decrypt your emails.

b) On Error: By default in case of an error, the email is not delivered and deleted from the mail.box. The administrator is notified, the email is quar-

antined and recorded in the Quarantine report under the CRYPT cate-

gory (configuration under MISC TAB -> QUARANTINE CONFIGURATION). c) The Crypt Engine field defines which engine is to be used in the job. The encryption method is set with the definition in the configuration document of the engine. Please note that the method specified here must match the

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 330 IQ.SUITE CRYPT - ENCRYPTION/DECRYPTION WITH PGP AND GNUPG 

settings in the job. In sample jobs the correct engine is preset. If required, check the paths specified. Refer to “Configuration Document for the Crypt Engine” on page 321.

3. Check the details in the Settings section:

a) Use the Person/key combinations field to map keys to recipients. Crypt analyzes this field and then searches for this address in the local key ring. The recipients who are to receive encrypted emails and the corresponding keys are entered in the associate lines. If the email address and the key name are identical, no entry is required in this field.

Enter the recipient’s email address in the left field and the corresponding key in the right field. In the example shown, David Galler has his/her own key.

Wildcards (*) can be used in the left field only. The lists are read from top to bot-  tom. The recipient’s email addresses can be entered in the form [email protected], *@company-y.com or as a Notes name such as dgaller/company-y-city/de@company-y-city.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 331 IQ.SUITE CRYPT - ENCRYPTION/DECRYPTION WITH PGP AND GNUPG 

Application scenario I

You communicate regularly with the company named company-z, which has a single company key for all of its employees. In this case, enter the company address in the form *@company-z.com in the left field and the key company-z-key in the right field. This key will be used for encryption for all employees whose address matches the company address pattern.

Application scenario II

The addressee Anna Glenn no longer sends under the email address [email protected] (which is included in your key ring), but under [email protected]. In this case, enter the new email address in the left field and the old one in the right field. This way, the new address will be mapped to the old address, and you do not have to create a new key for this addressee. b) The Filename extension(s) field contains the filename extensions of attachments that will be identified and decrypted by Crypt. Please enter all extensions to be decrypted. Files already encrypted are not processed, as such files are identified through their filename extensions. For each entry, use a separate line. c) To be able to identify a PGP or GnuPG encrypted message, Crypt requires a keyword that marks the beginning of the encrypted text. Spec- ify the default keyword of your encryption program in the PGP keyword field.  Please make sure that Crypt and the encryption program use the same keyword.  For encryption, signing and compression use: -----BEGIN PGP MESSAGE----- . Example: The unencrypted text is "Hello,...". The keyword -----BEGIN PGP MESSAGE----- marks the beginning of the encrypted email: "Hello,...-----BEGIN PGP MESSAGE----- sfdhgstz43w5zw4thsthsrftw6usrtsjhrthsdrth -----END PGP MESSAGE-----"

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 332 IQ.SUITE CRYPT - ENCRYPTION/DECRYPTION WITH PGP AND GNUPG 

The Crypt job looks for exactly this string, including blanks. Try not to use key names with blanks as these may cause problems. Under Unix, if you must assign key names with blanks, the key names have to be entered in the Key field between quotes. Under Windows, the quotes are added automatically.

Please note that any changes in the PGP keyword field may entail various con-  sequences. Only change the keyword if your encryption program uses another keyword.

d) Under Processing mode, set whether or not Crypt is to encrypt the email’s body text. File attachments are always encrypted. If set to ‚Encrypt attachments only‘, the body text is not encrypted. An encrypted message can be inserted in the email as an unreadable text (option ‘Encrypt attachments only’) or added as an attachment (option ‘Encrypt body text and attach as file’). e) Set the Charset to be used for the body field contents. GnuPG or PGP recommend to use UTF-8 character set in order to simplify communication between different systems and encryption products. Before you change any character set settings, please contact our Sup- port for assistance, as these settings depend on the operating system used.

f) If required, change the default texts of the notifications sent to administrators and email recipients. For this use the Notification templates8. g) Use the Password mode field to set whether you want to enter a password for encryption or decryption or have it calculated with a formula.  If set to ‚Enter password‘, you can enter the password to be used by the encryption program for decryption and initialization (the password of your private key/certificate).  ‚Use formula to compute password‘ means that a new password is automatically generated through a Notes formula for each new email.

8. Refer to “Notification Templates” on page 37.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 333 IQ.SUITE CRYPT - ENCRYPTION/DECRYPTION WITH PGP AND GNUPG 

This password is made up of the name of the sender and a random number. The Notes formula is defined in the Password formula field.

This option only appears if you have set the Mode field to ’PGP/Inline encryption’  or ’PGP/MIME encryption’. For security reasons, this setting is recommended for symmetric encryption/decryption with GnuPG.

h) If a password is generated through a Notes formula, it needs to be communicated to the sender for symmetric encryption. Enable the Password checkbox to set that the sender will receive a notification with a password. In order for the recipient to be informed of the password (to decrypt the email), the sender must communicate the password to the recipient through some other means. This field is only visible if the Password mode is set to ‚Use formula to compute password‘.

4. Use the Advanced tab to set whether the recipient is to be allowed to read emails that were quarantined by this job. The default setting is ‚No‘, in order to grant users access to spam emails only. Refer to “Access User Portal” on page 28.

5. Open the Misc tab. The job is ‚not critical‘, i.e. the emails are to be delivered unchecked if an error occurs. Use the Quarantine configuration field to set how the emails are to be handled in quarantine9.

6. Save the job.

9. Refer to “Quarantine Configuration” on page 107.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 334 IQ.SUITE CRYPT - ENCRYPTION/DECRYPTION WITH PGP AND GNUPG 

9.2.4 Sample Job: Decryption

9.2.4.1 Requirements

The following conditions must be met to be able to use PGP or GnuPG for decryption:  The recipient’s private key is available in the key ring.  The SAMPLE - Decryption with GnuPG job for GnuPG encryption is enabled.  The recipient rules are configured in the job. Where required, several jobs are created and enabled.  Under Program path the program path for the cmd.exe program is set in the Crypt Engine Program Settings. Under Windows this will normally be c:\windows\system32\cmd.exe. Note that different versions of Windows use different subdirectory names.  The path of the directory containing gpg.exe or pgp.exe is specified correctly in the Parameter field. The relevant parameter is %PASSWORD%, and for PGP 6.5 -z %PASSWORD%.  The password for the private standard key has been set.

To be able to call the corresponding decryption program, shell scripts are used  under Unix and command files under Windows. The content of the scripts or files are specified in the Comments tab of the corresponding DEFAULT or SAMPLE job.

9.2.4.2 Detailed Description

The following description applies to both PGP and GnuPG. In the example GnuPG is used.

If emails are to be both encrypted and decrypted on a server, two jobs are  required, one for encryption, the other for decryption.

1. Click on CRYPT -> MAIL JOBS and open the SAMPLE - Decryption with 10 GnuPG job for decryption. Click on EDIT :

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 335 IQ.SUITE CRYPT - ENCRYPTION/DECRYPTION WITH PGP AND GNUPG 

a) Enable the job. b) According to the rules, the default settings of the job are as follows: The job will run on ‚Selected mails‘. According to the rule, these are all emails decrypted with GnuPG and sent via the Internet (InetSender). In the default configuration, this rule is specified as sender domain *.*.

2. Open the Operations tab:

a) In the Mode field to select the ‚PGP decryption‘ option. b) On Error: By default in case of an error, the email is not delivered and deleted from the mail.box. The administrator is notified, the email is quar-

antined and recorded in the Quarantine report under the CRYPT cate-

gory (configuration under MISC TAB -> QUARANTINE CONFIGURATION).

10. Consider the priority of Crypt jobs at the beginning of the job chain. Refer to “Assigning Priorities (Job Chain)” on page 82.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 336 IQ.SUITE CRYPT - ENCRYPTION/DECRYPTION WITH PGP AND GNUPG 

c) The Crypt Engine field defines which engine is to be used in the job. The encryption method is set with the definition in the configuration document of the engine. Please note that the method specified here must match the settings in the job. In sampe jobs, the correct engine is preset. In the engine document under Parameters, enter the path and filename of the encryption program to be used to decrypt of your emails, e.g. gpg.exe. Refer to “Configuration Document for the Crypt Engine” on page 321.

3. Check the details in the Settings section:

a) The Filename extension(s) field contains the filename extensions of attachments that will be identified and decrypted by Crypt. Please enter all extensions to be decrypted. Files already encrypted are not processed, as such files are identified through their filename extensions. For each entry, use a separate line. b) To be able to decrypt a PGP or GnuPG encrypted message, Crypt requires a keyword that marks the beginning of the encrypted text. Spec- ify the default keyword of your encryption program in the PGP keyword field. A PGP-encrypted text always begins with -----BEGIN PGP MES- SAGE----- . This is precisely the string (including blanks) the import job looks for.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 337 IQ.SUITE CRYPT - ENCRYPTION/DECRYPTION WITH PGP AND GNUPG 

Please note that any changes in the PGP keyword field may entail various consequences. Only change the keyword if your encryption program uses another keyword.

c) Set the Charset to be used for the body field contents. GnuPG or PGP recommend to use UTF-8 character set in order to simplify communication between different systems and encryption products. Before you change any character set settings, please contact our Sup- port for assistance, as these settings depend on the operating system used.

d) If required, change the default texts of the notifications sent to administrators and email recipients. For this use the Notification templates11. e) Decryption requires the password of the default private GnuPG key. This password is passed to GnuPG, in order to be able to use the default private key for decryption. Set the Password mode field to ‚Enter password‘. With this option selected, you can enter the password to be used by the encryption program for decryption and initialization (the password of your private key/certificate).

6. Save the job.

11. Refer to “Notification Templates” on page 37. 12. Refer to “Quarantine Configuration” on page 107.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 338 IQ.SUITE CRYPT - ENCRYPTION/DECRYPTION WITH PGP AND GNUPG 

9.2.5 Sample Job: Automatic Key Import

iQ.Suite Crypt is able to automatically import any public keys sent by communication partners with the PGP or GnuPG encrypted email into the key ring.

9.2.5.1 Requirements

The following conditions must be met to be able to use PGP or GnuPG for an automatic key import:  The sender’s public key is included in the email body, for example as a unique block in the text, or as an attachment.  The sender must be the owner of the key and the name of the key must be the same as the sender’s email address. Otherwise, the key will not be signed.  The SAMPLE - Import Key for GnuPG job is enabled and has a higher priority than the decryption job.  Under Program path the program path for cmd.exe is set in the Crypt Engine. Under Windows this will normally be c:\windows\system32\cmd.exe. Note that different versions of Windows use different subdirectory names.

For an automatic key import, shell scripts are used under Unix and command  files under Windows. The content of the scripts or files are specified in the Com- ments tab of the corresponding DEFAULT or SAMPLE job.

 The shell script or command file must be located in the GnuPG program path. In the Crypt Engine under SETTINGS -> PARAMETERS -> KEY IMPORT, the parameter /c C:\Program Files\GnuPG\newkey.cmd (for instance) must point to the location of this script. Adjust the script or file according to your GnuPG configuration.  If the imported keys are to be signed enter the password for the default private GnuPG key in the import job: OPERATIONS TAB -> SETTINGS -> PASS-

WORD.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 339 IQ.SUITE CRYPT - ENCRYPTION/DECRYPTION WITH PGP AND GNUPG 

9.2.5.2 Sequence of iQ.Suite Crypt Operations

The subsequent description is meant to illustrate how iQ.Suite Crypt proceeds for an automatic key import with GnuPG:

1. The sender’s public key is extracted from the email.

2. The public key is imported into the key ring.

3. If you use the script supplied by us, the imported key will be automatically signed with the default private GnuPG key. Requirement: The sender must be the owner of the key and the name of the key must be the same as the sender’s email address; otherwise manual signing will be necessary.

4. The email can now be further processed and delivered to the recipient.

9.2.5.3 Detailed Description

The following description applies to both PGP and GnuPG. In the example GnuPG is used.

If emails are to be both encrypted and decrypted on a server, two jobs are  required, one for encryption, the other for decryption.

1. Click on CRYPT -> MAIL JOBS and open the SAMPLE - Import Key for

GnuPG job for encryption. Click on EDIT13:

13. Consider the priority of Crypt jobs at the beginning of the job chain. Refer to “Assigning Priorities (Job Chain)” on page 82.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 340 IQ.SUITE CRYPT - ENCRYPTION/DECRYPTION WITH PGP AND GNUPG 

2. Open the Operations tab:

a) In the Mode field select the ‚PGP key import‘ option. For PGP key import, the sender’s email address must be the name of the key (otherwise no signing) in order for the sender to be considered owner of the key. b) On Error: By default the administrator is notified at each job processing. In case of an error, the email is delivered to the recipient. A copy of the email is quarantined and recorded in the Quarantine report under the

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 341 IQ.SUITE CRYPT - ENCRYPTION/DECRYPTION WITH PGP AND GNUPG 

CRYPT category (configuration under MISC TAB -> QUARANTINE CONFIGU-

RATION). c) The Crypt Engine field defines which engine is to be used in the job. The encryption method is set with the definition in the configuration document of the engine. Please note that the method specified here must match the settings in the job. In sample jobs, the correct engine is preset. In the engine document under Parameters, enter the path and filename of the encryption program to be used to decrypt of your emails, e.g. gpg.exe. Refer to “Configuration Document for the Crypt Engine” on page 321. Enter the path and the filename of the encryption program to be used, e.g. the command file (Windows) or shell script (Unix). The script is to be found under the Comments tab. Adjust the script and save with the associate extension, e.g. as newkey.cmd. Then copy it to the GnuPG directory (refer to “Requirements” on page 339 and “Sample Job: Automatic Key Import” on page 339).

3. Check the details in the Settings section:

a) The Filename extension(s) field contains the filename extensions for attachments that may contain PGP keys, i.e. these files will be taken into account by the key import job. The key is first written to a temporary file and then imported into the key ring. For each entry, use a separate line.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 342 IQ.SUITE CRYPT - ENCRYPTION/DECRYPTION WITH PGP AND GNUPG 

b) To be able to identify a PGP key embedded in the message text, Crypt requires a keyword that marks the beginning of the key. Specify the default keyword of your encryption program in the PGP keyword field. Make sure Crypt and the encryption program use the same key. PGP keys always start with -----BEGIN PGP PUBLIC KEY BLOCK-----. This is precisely the string (including blanks) the import job looks for.

Please note that any changes in the PGP keyword field may entail various con-  sequences. Only change the keyword if your encryption program uses another keyword.

c) If required, change the default texts of the notifications sent to administrators. For this use the Notification templates14. d) Set the Password mode field if the newly imported key is to be signed with the default private GnuPG key. Select the ‚Enter password‘ option.

6. Save the job.

14. Refer to “Notification Templates” on page 37. 15. Refer to “Quarantine Configuration” on page 107.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 343 IQ.SUITE CRYPT - ENCRYPTION WITH NOTES 

9.3 Encryption with Notes

With iQ.Suite Crypt, it is possible to encrypt emails with Notes. The encryption is performed with the recipient’s Notes public key. For decryption, your communication partners need to know the necessary sender’s key.

To encrypt and decrypt emails with Notes, you need to configure only one job for  email encryption. The decryption is automatically performed by Notes.

1. Create a new Crypt mail job: CRYPT -> MAIL JOBS -> NEW -> CRYPT MAIL JOB.

Click on EDIT. Define the basic job settings in the Basics tab. Enable the job16.

2. Open the Operations tab:

a) In the Mode field select the ‚Notes encryption‘ option. b) Specify in the On Error field how to proceed in the case of an error. In this example the email is delivered to the recipient. The administrator is notified. A copy of the email is quarantined. In the Quarantine report the

email is recorded under the CRYPT ERROR category (configuration under

MISC TAB -> QUARANTINE CONFIGURATION).

3. Check the details in the Settings section:

16. Consider the priority of Crypt jobs at the beginning of the job chain. Refer to “Assigning Priorities (Job Chain)” on page 82.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 344 IQ.SUITE CRYPT - ENCRYPTION WITH NOTES 

If required, change the default texts of the notifications sent to administrators. For this use the Notification templates17. By default for each email processed a note is inserted in the subject field of the email.

6. Save the job.

17. Refer to “Notification Templates” on page 37. 18. Refer to “Quarantine Configuration” on page 107.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 345 IQ.SUITE CRYPT - S/MIME APPLICATION FIELDS 

9.4 S/MIME Application Fields

9.4.1 General

To encrypt and to sign S/MIME compliant, a certificate in X.509 format is required. A certificate links an email address to a cryptographic key. Managing these certificates is done by iQ.Suite KeyManager19.

Sample jobs for S/MIME with KeyManager consider that the required S/MIME certificates are available in KeyManager. When the connection to KeyManager is configured, these sample jobs can be enabled.

The sender's email is encrypted with the recipient's public key. The public key is part of the recipient's X509 certificate. The recipient is the only one who can decrypt the message addressed to him with the private key. The email is signed with the sender's private key (digital signature). The recipient can verify the signature with the sender's public key.

S/MIME-encrypted emails can only be exchanged with people whose email cli-  ent also supports S/MIME encryption. If your communication partner also has a server with iQ.Suite Crypt installed, both encryption and decryption are performed directly on the server, i.e. independently of the email client.

19. Refer to “Using iQ.Suite KeyManager” on page 365.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 346 IQ.SUITE CRYPT - S/MIME APPLICATION FIELDS 

9.4.2 Requirements for Using S/MIME

iQ.Suite Crypt has a built-in S/MIME interface. The following requirements have to be met to use S/MIME in iQ.Suite Crypt:

 A valid license for the iQ.Suite Crypt module with S/MIME.  An iQ.Suite KeyManager installation.  The required certificates are available in KeyManager:  Encryption: X509 certificate of the recipient  Decryption: X509 certificate and private key of the recipient20  Signature: X509 certificate and private key of the sender  Signature verification: X.509 certificate of the sender  The certificates must be trusted. As a general rule, the issuer certificates including the root certificate must be available and trusted. For further infor-

mation, please refer to “Using iQ.Suite KeyManager” on page 365.

Universally accepted S/MIME certificates can be purchased from a Trust Center and imported into the KeyManager21. For the communication with partners, self- created certificates can be used as far as the communication partners agreed to use such certificates. They may also be convenient for test purposes within the own organization. Such test certificates can be created by the KeyManager. Cer- tificates created with an external tool (e.g. Microsoft Windows CA Manager) must be imported into the KeyManager as well.

The configuration of iQ.Suite Crypt for using S/MIME is based on policies, i.e. the rules for encrypting, decrypting, signing and validating signatures can be defined individually for users, user groups, and for the company.

20. Certificates and private keys are contained in a PFX file in PKCS#12 format. After import into the KeyManager, they are displayed under COMPANY CERTIFICATES. 21. Import must not be performed manually. In case an LDAP server is configured in KeyManager, public keys can be automatically imported into the KeyManager.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 347 IQ.SUITE CRYPT - ENCRYPTION/DECRYPTION WITH S/MIME 

9.5 Encryption/Decryption with S/MIME

9.5.1 Sample Job: Encryption

9.5.1.1 Requirements and Processing Principle

The following conditions must be met to be able to encrypt with S/MIME:  The SAMPLE - Encrypt S/MIME Message with KeyManager job is enabled.  In the job, the rules for the recipients have been configured accordingly. Where required, several jobs need to be created and enabled.  A KeyManager Connection is specified in the Operations tab.  The X.509 certificate of the recipient is available in iQ.Suite KeyManager.

The message text and any attachments are converted by iQ.Suite Crypt into the MIME format, the S/MIME Engine performs the S/MIME encryption with the recipient‘s public key and integrates the result back into the email.

To avoid any risk of losing formatting information at the Notes client, send Inter-  net emails through Notes and use the MIME format to do so (select FILE -> PRE- FERENCES -> LOCATION PREFERENCES -> MAIL).

9.5.1.2 Detailed Description

In order to decrypt and encrypt emails with S/MIME on the same server, for each  scenario a separate job is required.

1. Click on CRYPT -> MAIL JOBS and open the SAMPLE - Encrypt S/MIME Mes-

sage with KeyManager job. Click on EDIT:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 348 IQ.SUITE CRYPT - ENCRYPTION/DECRYPTION WITH S/MIME 

a) Enable the job. b) By default, the job will run on ,Selected mails'. According to the Encryp- tionRecipientsS/MIME rule, encrypted emails are only delivered to recipients who have a X.509 certificate and are explicitly specified in the rule as being authorized to receive S/MIME-encrypted emails. Enter these recipients in the rule.

2. Open the Operations tab:

a) In the Mode field select the ‘S/MIME encryption’ option. b) Specify in the On Error field how to proceed in the case of an error. In this example the email is not delivered to the recipient and deleted from the mail.box. The administrator and the email sender are notified. A copy of the email is quarantined. In the Quarantine report the email is

recorded under the CRYPT category (configuration under MISC TAB ->

QUARANTINE CONFIGURATION).

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 349 IQ.SUITE CRYPT - ENCRYPTION/DECRYPTION WITH S/MIME 

c) In the Crypt Engine field, select an ‘S/MIME + KeyManager Engine’. In sample jobs, the correct engine is preset. Refer to “Configuration Docu- ment for the ‚S/MIME + KeyManager Engine‘” on page 322.

3. Check the details in the Settings section:

a) As regards the Person/key combinations field, proceed as described under “Encryption/Decryption with PGP and GnuPG” on page 326. Please also note the following information:

Unlike PGP jobs, S/MIME jobs always require an email address to designate a key.  Usually, the email address in the S/MIME certificate must be the same as the address of the sender or recipient. Therefore, an entry in this field is only useful in special cases, e.g. when using a company certificate instead of personal certificates.

b) If required, change the default texts of the notifications sent to administrators and email senders. For this use the Notification templates22. By default, for each email processed a note is inserted in the subject field of the email. c) The engine uses the KeyManager Connection selected here in order to access the trusted certificates which are available in KeyManager. Refer to “Sample Configuration: KeyManager Connection” on page 366.

22. Refer to “Notification Templates” on page 37.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 350 IQ.SUITE CRYPT - ENCRYPTION/DECRYPTION WITH S/MIME 

5. Open the Misc tab. In the Job is critical field, set the option ‘Upon initialization and runtime errors’, i.e. no emails are to be delivered unchecked if an error occurs during job processing. Use the Quarantine configuration field to set how the emails are to be handled in quarantine23.

6. Save the job.

9.5.2 Sample Job: Decryption

If emails are to be both encrypted and decrypted with S/MIME on a server, you  need to create two job documents, one for encryption, the other for decryption.

1. Click on CRYPT -> MAIL-JOBS and open the SAMPLE- Decrypt S/MIME Mes-

sage with KeyManager job. Click on EDIT24:

a) Enable the job. b) By default, the job will run on ‚Selected mails‘. According to the rule, these are all emails sent via the Internet (InetSender). In the standard configuration, this rule is specified as sender domain *.*. The emails which are not encrypted with S/MIME are not processed by the job.

2. Open the Operations tab:

23. Refer to “Quarantine Configuration” on page 107. 24. Consider the priority of Crypt jobs at the beginning of the job chain. Refer to “Assigning Priorities (Job Chain)” on page 82.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 351 IQ.SUITE CRYPT - ENCRYPTION/DECRYPTION WITH S/MIME 

a) In the Mode field select the ‚S/MIME decryption‘ or the ‚S/MIME decryption Mail Protect‘ option. If S/MIME emails were encrypted with Mail Pro- tect, Crypt is also able to decrypt the S/MIME variant used by Mail Protect. b) Specify in the On Error field how to proceed in the case of an error. In this example, the email is not delivered to the recipient. The administrator is notified. A copy of the email is quarantined. In the Quarantine report

the email is recorded under the CRYPT category (configuration under

MISC TAB -> QUARANTINE CONFIGURATION). c) In the Crypt Engine field, select an ‘S/MIME + KeyManager Engine’. In sample jobs, the correct engine is preset. Refer to “Configuration Docu- ment for the ‚S/MIME + KeyManager Engine‘” on page 322.

3. Check the details in the Settings section:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 352 IQ.SUITE CRYPT - ENCRYPTION/DECRYPTION WITH S/MIME 

a) If required, change the default texts of the notifications sent to administrators. For this use the Notification templates25. By default for each email processed successfully a note is inserted in the subject field of the email. b) The engine uses the KeyManager Connection selected here in order to access the trusted certificates which are available in the KeyManager. Refer to “Sample Configuration: KeyManager Connection” on page 366.

5. Open the Misc tab. The job is ‚not critical‘, i.e. the emails are to be delivered unchecked if an error occurs during job processing. Use the Quarantine configuration field to set how the emails are to be handled in quarantine26.

6. Save the job.

25. Refer to “Notification Templates” on page 37. 26. Refer to “Quarantine Configuration” on page 107.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 353 IQ.SUITE CRYPT - DIGITAL SIGNATURES WITH S/MIME 

9.6 Digital Signatures with S/MIME

iQ.Suite Crypt also supports digital signing with S/MIME. Like a written signature, a digital signature provides verification of the sender’s identity, allowing the recipient to be sure that the email was actually sent by the specified sender and has not been modified on its way. The signature does not prevent viewing of the email along its transmission route. However, iQ.Suite Crypt is able to encrypt signed emails as a whole.

A private key is required for signing, which is included in the company certificate. To check the validity of the signature on the recipient side (signature verification), a public key is required.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 354 IQ.SUITE CRYPT - DIGITAL SIGNATURES WITH S/MIME 

9.6.1 Sample Job: Signing with S/MIME

9.6.1.1 Requirements and Processing principle

The following conditions must be met to be able to sign with S/MIME:

 iQ.Suite KeyManager contains the X.509 certificate and the private key of the sender. Optionally, iQ.Suite KeyManager can create new certificates if required. For this, a connector must be configured in KeyManager and the option ‘Source of attributes of new certificates’ must be accordingly set in the iQ.Suite signing job.

 The job SAMPLE - Sign S/MIME Outgoing Message with KeyManager is enabled.  A KeyManager connection is specified in the Operations tab.

When an email is sent, Crypt converts the email to the MIME format. The S/MIME engine uses the sender's private key to calculate a signature that matches the email content. Afterwards, the unsigned email content is replaced by the signed MIME data.

9.6.1.2 Detailed Description

1. Click on CRYPT -> MAIL JOBS and open the SAMPLE - Sign S/MIME Outgo-

ing Message with KeyManager job. Click on EDIT27:

27. Consider the priority of Crypt jobs at the beginning of the job chain. Refer to “Assigning Priorities (Job Chain)” on page 82.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 355 IQ.SUITE CRYPT - DIGITAL SIGNATURES WITH S/MIME 

a) Enable the job. b) By default, the job will run on ‚Selected mails‘. According to the rule, the selected emails are to be encrypted and signed with S/MIME. These emails are all emails which are sent to Internet recipients via Internet (InetRecipient). In the standard configuration, this rule is specified as recipient domain *.*. For a signing job with personal certificates, you should use a rule that checks whether or not the sender owns a personal certificate.

2. Open the Operations tab:

a) In the Mode field, select the ‘S/MIME signature’ option. b) Specify in the On Error field how to proceed in the case of an error. In this example, the email is not delivered to the recipient. Sender and administrator are notified. A copy of the email is quarantined. In the

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 356 IQ.SUITE CRYPT - DIGITAL SIGNATURES WITH S/MIME 

Quarantine report the email is recorded under the CRYPT category (con-

figuration under MISC TAB -> QUARANTINE CONFIGURATION). c) In the Crypt Engine field, select an ‘S/MIME + KeyManager Engine’. In sample jobs, the correct engine is preset. Refer to “Sample Configura- tion: KeyManager Connection” on page 366.

3. Check the details in the Settings section:

a) If required, change the default texts of the notifications. For this, use the Notification templates28. By default for each email successfully processed a note is inserted in the subject field of the email. b) The engine uses the KeyManager Connection selected here in order to access the trusted certificates which are available in the KeyManager. Refer to “Sample Configuration: KeyManager Connection” on page 366. c) If you use a connector such as Signer in iQ.Suite KeyManager which shall, if required, create new certificates and for this needs to get additional user information, select under Source of attributes of new certificates the option ‘Domino Directory (names.nsf)'. Please note that first and last name must be specified in the Domino Directory. The ‘Do not create new certificates’ option is used to request certificates which are already available in the KeyManager database.

4. Use the Advanced tab to set whether the recipient is to be allowed to read emails that were quarantined by this job. The default setting is ‚No‘, in order

28. Refer to “Notification Templates” on page 37.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 357 IQ.SUITE CRYPT - DIGITAL SIGNATURES WITH S/MIME 

to grant users access to spam emails only. Refer to “Access User Portal” on page 28.

6. Save the job.

If a requested S/MIME certificate is not delivered by iQ.Suite KeyManager immediately (e.g. because it has to be created), iQ.Suite waits about 60 seconds for its delivery. If the certificate cannot be delivered within this time, the request is skipped. You can modify this behavior with the global parameters ToolKit_MC_KmsPendingCertRepetitions and ToolKit_MC_KmsPendingCertWaitSecs.

9.6.2 Signature Verification with S/MIME

Signature verification is performed for emails from external senders to internal employees.

The following conditions must be met to be able to verify a signature with S/MIME:

 KeyManager contains trusted certificates of the sender. Alternatively, trusted issuer certificates are available and can be used to verify the sender certificates.

 The job SAMPLE - Verify S/MIME Signature with KeyManager is enabled.  A KeyManager connection is specified in the Operations tab.

The subsequent description is meant to illustrate how Crypt proceeds to verify a signature:

1. An employee receives a signed email in S/MIME format.

2. Certificates that may be contained in the S/MIME message are imported and verified. Importing certificates can on the one hand be necessary for signa-

29. Refer to “Quarantine Configuration” on page 107.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 358 IQ.SUITE CRYPT - ENCRYPTING EMAILS WITH WEBCRYPT PRO 

ture verification and on the other hand allows to send an encrypted reply to the sender.

3. The S/MIME engine verifies the signature.

4. The signature is removed from the email. Afterwards, the email is a common MIME mail.

5. Optionally, a description of the verification result can be inserted into the message body of the email.

6. Once validated, the email is delivered.

For signature verification, adjust the SAMPLE - Verify S/MIME Signature job to your requirements. Refer to “Sample Job: Decryption” on page 335.

For signature validations, the additional On success section provides the fol-  lowing options:  Keep signature in email  Write verified sender address to an email field If you want to further process the verified sender address, it can be written to a field and/or an X-token. In this case, enter the respective field name.

9.7 Encrypting Emails with WebCrypt Pro

WebCrypt Pro is a modular extension of iQ.Suite Crypt and enables secure encrypted email communication with recipients who do not use any encryption solution. With WebCrypt Pro, no S/MIME certificates or PGP keys are required.

WebCrypt Pro requires a separate license

The WebCrypt Appliance is provided by our partner SEPPmail AGa. For further  Information, please contact the GBS Sales team. a. For further Information on installation and configuration of the WebCrypt Appliance, refer to the separate manual. Download under www.gbs.com.

The WebCrypt SMTP Job adds a marker as a prefix in the subject line of the processed emails.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 359 IQ.SUITE CRYPT - ENCRYPTING EMAILS WITH WEBCRYPT PRO 

The WebCrypt Appliance encrypts the marked emails und then removes the marker before delivering the email to the recipients. For each email individually, the WebCrypt Appliance automatically uses the best encryption method.

To encrypt the email, the recipients log on to the WebCrypt user portal with their email address and password. The password is created when the first encryption request arrives on the WebCrypt server and is transmitted using separate means of communication.

The email routing to the WebCrypt Appliance is configured on the Domino server. For this, the following ways are possible:

 The email routing is made via the WebCrypt Appliance which encrypts only the marked emails.

 The email routing is configured via a smart host server. This server uses the header information to determine which emails are to be routed to the WebCrypt Appliance and which ones are to be directly delivered to the recipients.

For the email routing, please contact the GBS Sales team (Consulting).

Job configuration:

To configure the WebCrypt SMTP Job, proceed as follows:

1. Under CRYPT -> MAIL JOBS, open the DEFAULT job or create a new job30:  DEFAULT - WebCrypt Encryption (SMTP)

 NEW -> WEBCRYPT SMTP MAIL JOB

2. Click EDIT31:

30. In the following, only the job-specific details are illustrated. For a description of the settings under standard tabs, please refer to “Standard Tabs for Jobs” on page 39. 31. Consider the priority of Crypt jobs at the beginning of the job chain. Refer to “Assigning Priorities (Job Chain)” on page 86.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 360 IQ.SUITE CRYPT - ENCRYPTING EMAILS WITH WEBCRYPT PRO 

a) Enable the job. b) By default, the job runs on all emails and all servers.

3. Open the Operations tab:

Specify the Marker to be added as a prefix in the subject line of the processed email.

Valid markers are:

 Default: [priv]  [confidential]

4. Save the job.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 361 IQ.SUITE CRYPT - IMPORTING S/MIME AND PGP KEYS TO IQ.SUITE KEYMANAGER 

9.8 Importing S/MIME and PGP Keys to iQ.Suite KeyManager

The Crypt Pro Import Mail Job is used to copy S/MIME and PGP keys from emails and import them into the iQ.Suite KeyManager regardless of any signature verification. Also key files in archives can be imported. Once the keys are imported, the email is sent to the recipient.

1. Open the job SAMPLE - Import S/MIME Keys into KeyManager or SAM- PLE - Import PGP Keys into KeyManager. Alternatively, you can create a new Crypt Pro Mail Import job. The following description only covers the job-specific settings.

For information on the configuration in the Basics tab, please refer to “Basics Tab - Mail Job” on page 39.

2. In the Operations tab, open the Configuration tab. Example for S/MIME:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 362 IQ.SUITE CRYPT - IMPORTING S/MIME AND PGP KEYS TO IQ.SUITE KEYMANAGER 

3. Convert emails from Richtext to MIME: This job can only process emails available in MIME format. With this option enabled, the Richtext emails are first converted to MIME so that the job is able to process them. If this option is disabled, the Richtext emails are passed to the next job in the job processing chain without having been processed by this job.

4. Under KeyManager Connection, select the connection to the KeyManager server in which to import the keys.

5. If key files in archives (e.g. ZIP files) are to be unpacked and imported into the KeyManager, enable the Search in archives option. The option is valid for S/MIME and PGP.

Searching in archives is only supported under Windows and on 32-bit Linux  systems.

a) Ignore archive extraction errors: Use this option to ignore archive extraction errors (e.g. in case of password-protected or corrupt archives).

6. If S/MIME keys are to be imported, enable the Import S/MIME option.

Imported S/MIME keys are stored as external certificates in the KeyManager data-  base with the trust status UNKNOWN and the trust method COMPUTED. The trust status is automatically changed once the issuer certificate is available in KeyMa- nagera. a. For further information on iQ.Suite KeyManager, please refer to the separate KeyManager manual. Download under www.gbs.com.

7. For importing PGP keys, enable the PGP import option or use the preconfigured job SAMPLE - Import PGP Keys into KeyManager.

8. Use fingerprints to select the file types to be imported. Exceptions can also be defined.

9. Use the Success Actions and Error Actions tabs to specify whether to notify the administrator when an import was successful or failed. If so, select a notification template32.

32. Refer to “Notification Templates” on page 37.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 363 IQ.SUITE CRYPT - IMPORTING S/MIME AND PGP KEYS TO IQ.SUITE KEYMANAGER 

10. Enable and save the job.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 364 IQ.SUITE CRYPT - USING IQ.SUITE KEYMANAGER 

9.9 Using iQ.Suite KeyManager

iQ.Suite KeyManager, as a modular extension of iQ.Suite Crypt, can be used for the convenient and complete administration of S/MIME certificates in combination with the iQ.Suite. Keys in OpenPGP standard (PGP and GnuPG) can be managed, imported in and exported from the KeyManager.

With iQ.Suite KeyManager, self-signed certificates and certificates issued by certification authorities such as VeriSign can be managed centrally. The status of the certificates can be queried and updated automatically with OCSP and/or by using certificate revocation lists (CRLs). However, the KeyManager also offers possibilities for manual control and administration e.g. to avoid unnecessary costs.

For further information, please refer to the iQ.Suite KeyManager manual. Down- load on www.gbs.com.

9.9.1 Using S/MIME Certificates

9.9.1.1 Overview and Configuration

Whenever a certificate is needed from the iQ.Suite to process an email, a certificate is requested from the KeyManager server. Provided such a certificate is available in the KeyManager database, it is passed to the iQ.Suite, e.g. for encrypting/decrypting emails or signing/signature verification. If no matching certificate is found, iQ.Suite KeyManager addresses the request to a selected certification authority, e.g. D-TRUST (Bundesdruckerei).

Communication between iQ.Suite KeyManager and iQ.Suite is possible via HTTP or HTTPS.

The KeyManager server has to be installed and configured before configuring  iQ.Suite. On this server, it must be possible to address the KeyManager web service.

Once the server environment is operational, perform the following steps:

1. Configure and enable an iQ.Suite KeyManager connection. Refer to “Sam- ple Configuration: KeyManager Connection” on page 366.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 365 IQ.SUITE CRYPT - USING IQ.SUITE KEYMANAGER 

2. Enable the available ‘S/MIME + KeyManager Engine’. Refer to “Configuration Document for the ‚S/MIME + KeyManager Engine‘” on page 322.

3. Enable one of the SAMPLE jobs available for S/MIME:  SAMPLE - Encrypt S/MIME Message with KeyManager  SAMPLE - Decrypt S/MIME Message with KeyManager  SAMPLE - Sign S/MIME Outgoing Message with KeyManager  SAMPLE - Verify S/MIME Signature with KeyManager

Refer to “Encryption/Decryption with S/MIME” on page 348 and “Digital Sig- natures with S/MIME” on page 354.

4. To use a proxy server, configure a proxy server connection. This configuration can then be selected in the configuration document for the connection between Crypt and the iQ.Suite KeyManager.

9.9.1.2 Sample Configuration: KeyManager Connection

1. Use the sample configuration SAMPLE - Crypt KeyManager Connection or

create a new connection to a KeyManager server: CRYPT -> UTILITIES -> KEY-

MANAGER CONNECTIONS -> NEW -> CRYPT KEYMANAGER CONNECTION.

2. Open the Basics tab:

a) Use the Detailed Logging option to specify whether to create detailed log entries each time iQ.Suite tries to access the KeyManager: b) Connection timeout: A timeout occurs when the KeyManager Server does not return the requested data within the specified time span.

3. Open the Settings tab:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 366 IQ.SUITE CRYPT - USING IQ.SUITE KEYMANAGER 

a) Under iQ.Suite KeyManager server address, enter the FQDN (Fully Qualified Domain Name) or IP address of the iQ.Suite KeyManager server. This is the server to which the requests are sent in order to determine the sender or recipient address. b) Enter the iQ.Suite KeyManager server port number. This port is used to establish the connection between the iQ.Suite KeyManager server and the iQ.Suite server. Typically, port 80 is used for connections via HTTP and port 443 for connections via HTTPS. If set to ‘0’, the default values are used (port 80 or 443). c) Under iQ.Suite KeyManager Server protocol, select the transport protocol to be used to transmit the certificates from the iQ.Suite server to the iQ.Suite KeyManager server (HTTP or HTTPS). Use HTTPS to ensure a secure data transmission between iQ.Suite and the KeyManager server (recommended). This requires configuring your application server to support SSL. This configuration depends on the application server used and your system environment. A description of the configuration is available in the documentation of the application server: http:tomcat.apache.org or http:jetty.codehaus.org. d) Specify the absolute Path to trusted certificates used for signing the certificates. A trustworthy certificate is the SSL certificate of the applica-

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 367 IQ.SUITE CRYPT - USING IQ.SUITE KEYMANAGER 

tion server (SSL web server certificate) or the certificate(s) of the CA that has issued the SSL certificate. e) Enter the user authentication data, i.e. the name of the iQ.Suite KeyMan- ager user and his password. Note that configurations may be required on the application server. f) To establish a connection to the iQ.Suite KeyManager server via an HTTP proxy (e.g. if the iQ.Suite KeyManager server is hosted externally), enable the Use proxy server option.Then, in the subsequent field, select

the proxy server configuration document (to be configured under IQ.SUITE

-> GLOBAL -> PROXY SERVER). g) Tenant: Click on the button next to the text entry field. In the displayed window enter the GUID of the tenant (view in iQ.Suite KeyManager under

TENANTS). If there are several configured tenants in the iQ.Suite KeyMan- ager configuration, create a separate KeyManager connection for each of them. The GUID is used by the KeyManager to uniquely identify the tenant. h) Tenant display name: Within the iQ.Suite, the tenant is identified through the display name, i.e. this name is displayed, for example, in reports. In addition, it is used to name the subdirectory that is created for the tenant in the Windows certificate store (refer to option “Use local cache for S/MIME certificates” on page 369). The display name must be unique and may only contain the following characters: a - z; A - Z; 0 - 9; '_' (underscore); '-' (minus); '+' (plus)

PGP key cache: i) Caching secret PGP keys:  ‘Normal’ (default): The secret (private) PGP keys are cached in the local cache. For a higher security, use the ‚Limited‘ option.  ‘Limited’: The secret PGP keys are deleted from the local cache (‘secring’) as soon as the MailGrabber is terminated. Please make sure that the KeyManager is available on MailGrabber restart. Other- wise, the Crypt jobs cannot be executed due to missing keys.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 368 IQ.SUITE CRYPT - USING IQ.SUITE KEYMANAGER 

S/MIME certificate cache:

j) Use local cache for S/MIME certificates With this option enabled, a subdirectory of the Windows certificate store is used as local cache. Caching can help reducing the KeyManager server load. The cache can also be used as a fallback store in case the KeyManager is temporarily unavailable. If you use local cache, you have to specify a name in the Tenant display name field mentioned above.

Certificates which are deleted in iQ.Suite KeyManager are not automatically dele-  ted from the cache. Deleting in the cache is only possible manually. Therefore, if possible, you should not delete any certificates in the KeyManager; setting the

trust status to UNTRUSTED should be preferred.

Caching is not supported under Unix. That‘s why this option has no effect under  Unix.

k) For local caching, select a Windows Certificate Store document. For further information on configuring a Windows Certificate Store document, please refer to “Using the Windows Certificate Store” on page 373. l) S/MIME Update Interval [minutes]: At regular intervals, the KeyManager database is queried for the current data (S/MIME certificates). The data in the cache is updated accordingly. Use this field to specify the desired time interval in minutes. m) S/MIME Update Timeout [minutes]: Specify the number of minutes to be passed before an update is aborted due to timeout. A corresponding message is posted in the iQ.Suite log.

4. Activate and save the configuration document.

9.9.2 Using PGP Keys

The PGP keys managed in iQ.Suite KeyManager can be used by iQ.Suite Crypt jobs. For this, GnuPG 1.4 or GnuPG 2.2 is required.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 369 IQ.SUITE CRYPT - USING IQ.SUITE KEYMANAGER 

9.9.2.1 Sample Configuration: KeyManager Connection

How to configure a KeyManager Connection is described under “Sample Confi- guration: KeyManager Connection” on page 366.

9.9.2.2 Sample Configuration: KeyManager Job (PGP)

1. Create a PGP job for encryption or decryption or adjust one of the sample jobs, e.g. SAMPLE - Encryption with GnuPG or SAMPLE - Decryption with GnuPG.

2. Enable the desired job. Change the default settings of the rule, if required.

3. Open the Operations tab:

a) Under Mode, select the correct PGP option depending on the configured job scenario (encryption or decryption). b) Define the job behavior in the case of errors. c) Under Crypt Engine, select the previously configured GnuPG + Key- Manager Engine. Refer to “Configuration Document for the ‚GnuPG + KeyManager Engine‘” on page 324.

4. In the Settings section (in Operations tab), perform the following settings:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 370 IQ.SUITE CRYPT - USING IQ.SUITE KEYMANAGER 

a) If required, change the notification templates for the user groups to be notified. b) Under KeyManager connection, select the configuration document of

the previously configured KeyManager connection. Refer to “Sample Confi-

guration: KeyManager Connection” on page 366.

5. Keep the default settings of the Advanced and Misc tabs.

6. Save the job.

9.9.2.3 Synchronization

The Sync PGP process frequently synchronizes the key data between the iQ.Suite and the KeyManager. The time response of the Sync PGP process can be managed with the following global parameters:  ToolKit_MC_SyncPgpInterval: Specifies the interval for the synchronization in seconds. Default: 60 seconds.  ToolKit_MC_SyncPgpTimeout: Specifies the timeout for the synchronization in seconds. Default: 60 seconds.  ToolKit_MC_SyncPgpWebServiceTimeout: Specifies the timeout for a single web service call during the synchronization. Default: 30 seconds.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 371 IQ.SUITE CRYPT - USING IQ.SUITE KEYMANAGER 

The PGP keys are stored locally under %ExecDir%/gnupg/lks. Please note that the PGP keys must be imported to the KeyManager manually. The iQ.Suite key import job cannot be used.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 372 IQ.SUITE CRYPT - USING THE WINDOWS CERTIFICATE STORE 

9.10 Using the Windows Certificate Store

Certificates that are created and/or managed in iQ.Suite KeyManager can optionally be imported from the iQ.Suite into a local Windows certificate store and be used to encrypt or decrypt emails or to create or verify the signature. Refer to “Use local cache for S/MIME certificates” on page 369.

The advantage of this solution is that the S/MIME functionality is not affected even in case of temporary KeyManager server failures. Email processing is not delayed because of missing certificates.

If you plan to use the Windows certificate store associated with iQ.Suite KeyMan- ager, proceed as follows:

1. Create a user for the Windows certificate store. Refer to “Creating a User for the Certificate Store” on page 374.

2. If the Domino server does not run as local system (LOCAL SYSTEM), but under another user account, the user account must have the right ‘Replace a process level token’. This right is granted at the same location where “Log on as a batch job” is configured; however, it must be granted to the Domino user and not to the Windows certificate store user. If the Domino server runs as local system, no manual action is required

since LOCAL SYSTEM has the right by default.

3. Configure the certificate store. Refer to “Configuration of the Certificate Store” on page 375.

4. Configure a KeyManager Connection. Refer to “Sample Configuration: KeyMana-

ger Connection” on page 366.

Certificates stored in iQ.Suite KeyManager are regularly synchronized with the data of the Windows certificate store. New and modified certificates are imported into the corresponding folders according to the specified trust status (trusted/untrusted/unkonwn):

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 373 IQ.SUITE CRYPT - USING THE WINDOWS CERTIFICATE STORE 

Folder name: iQ.Suite server= tenant= a Since synchronization from the Certificate store to the iQ.Suite KeyManager is  not performed automatically, local trust status changes in the Certificate store are not automatically passed to the KeyManager.

9.10.1 Creating a User for the Certificate Store

1. In the Active Directory, create a new user who has access to the Windows certificate store, e.g. . This user account is used to access the certificates in the Certificate store.

When creating the user account, make sure that the user password will never  expire. That‘s why we recommend to create a own user for the Certificate store.

2. Add the user to the local administrators' group and assign the right to execute batch files. This allows the iQ.Suite to log in to this account in batch mode.

33. Tenant display name: refer to “Sample Configuration: KeyManager Connection” on page 366.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 374 IQ.SUITE CRYPT - USING THE WINDOWS CERTIFICATE STORE 

Under Windows 2012:

LOCAL SECURITY POLICY -> LOCAL POLICIES -> USER RIGHTS ASSIGNMENTS ->

LOGON AS A BATCH JOB.

3. Log in with the authentication information of the previously created user or open the local Windows certificate store within its user context: runas /profile /user:\ “cmd /c mmc certmgr.msc“

9.10.2 Configuration of the Certificate Store

Configure a Windows Certificate Store document to enable access to the Windows certificate store. Access happens when using S/MIME certificates from the Certificate store or when S/MIME certificates are to be imported from the Key- Manager database to the Certificate store.

1. Create a new Windows Certificate Store document: CRYPT -> UTILITIES ->

NEW -> WINDOWS CERTIFICATE STORE:

When a certificate request could not be completed after the time specified in Timeout field, the request is aborted with an error due to a timeout. Specify the timeout in seconds.

2. Open the Settings tab:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 375 IQ.SUITE CRYPT - USING THE WINDOWS CERTIFICATE STORE 

c) Under User and Password, enter the authentication information of the user needed for the Certificate store (e.g.: ). The Certifi- cate store is executed in this user context. Refer to “Creating a User for the Certificate Store” on page 374.

3. Activate and save the configuration document.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 376 IQ.SUITE PDFCRYPT -   10 iQ.Suite PDFCrypt iQ.Suite PDFCrypt offers various possibilities with the following job types:

 PDFCrypt Mail Encryption Converts emails in PDF files and – depending on the job configuration – signs and/or encrypts the generated PDF files before sending them as email attachments.

Refer to “PDFCrypt Mail Encryption Job” on page 390.

 PDFCrypt Signature Verification Verifies the signatures of PDF files to ensure their integrity and authenticity (binding assignment of the PDF to a person).

Refer to “Verifying Signatures of PDF Files” on page 404.

 PDFCrypt File Signing/Encryption Signs PDF files attached in emails by means of the sender‘s certificate and/or encrypts these PDF files with a password. Signing and encryption are performed like with PDFCrypt Mail Encryption.

Refer to “Signing and/or Encrypting PDF Attachments” on page 406.

iQ.Suite PDFCrypt is only working on Windows.

PDFCrypt module in the iQ.Suite administration console:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 377 IQ.SUITE PDFCRYPT - PASSWORD MANAGEMENT 

10.1 Password Management

10.1.1 Configuration of a Password Management

Refer to “The Configuration Document ‘Password Management’” on page 111.

10.1.2 Password Database

Refer to “Password Database” on page 114.

10.1.3 Manual Creation of User Passwords

Refer to “Manual Creation of User Passwords” on page 117.

10.1.4 Methods of Password Transmission

PDFCrypt offers different methods to transmit the password to the recipient of an encrypted email:

 The password can be sent directly with the PDFCrypt mail:  Password as text: [VAR]Password[/VAR]  Password image Refer to “Password in Clear Text in the PDFCrypt Mail” on page 379.

 The password can be sent in a separate PDFCrypt notification by using placehold- ers1:  to the recipient of the encrypted email  to the sender of the encrypted email  to internal recipients / recipient groups

Senders and internal recipients can transmit the password to the recipient of the encrypted email by using another way of communication, e.g. by phone or SMS.

Placeholders for password in notification templates

1. GLOBAL -> NOTIFICATION TEMPLATES -> PDFCRYPT SUCCESS NOTIFICATIONS or ‘USER REQUEST’ NOTIFICATION

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 378 IQ.SUITE PDFCRYPT - PASSWORD MANAGEMENT 

 Password as text: %password%  Password image: %TXT2IMG::password% Please note that TXT2IMG is case-sensitive.

 Only in case the password management is used: By using variables, a password request link or a string and the address for password requests can be sent in the PDFCrypt mail or in a separate PDFCrypt notification:  Password request via a mailto link. Refer to “Password Request via mailto Link” on page 380.  Password request without link. Refer to “Password Request without mailto Link” on page 381.

Requirements for the password transmission

In reply to the password request, the password is sent in a reply email only if the User Request Job is enabled and the sender of the password request is recipient of the encrypted email. For the reply email, the ‘User Request’ notification template selected in the Password Management is used. The placeholders which can be used for the password are described under “Placeholders for password in notification templates” on page 378.

10.1.5 Password in Clear Text in the PDFCrypt Mail

Open the template for the PDFCrypt mails: PDFCRYPT -> UTILITIES -> MAIL TEMPLATES:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 379 IQ.SUITE PDFCRYPT - PASSWORD MANAGEMENT 

In the template of the PDFCrypt mail:

Password The password as text can be inserted into the subject or body of the as text PDFCrypt mail:

To set the variable [VAR]Password[/VAR], open the Basics tab (subject)

or HMTL (body) and click on VARIABLES -> PDFCRYPT: PASSWORD.

Example: The password of the encrypted PDF is: S9G58Kp6=p

Password To set the password as image in the body of the PDFCrypt mail, click in the

as image HMTL tab on IMAGES -> PASSWORD IMAGE (PLACEHOLDER).

Example: The password of the encrypted PDF is .

10.1.6 Password Request via mailto Link  The password request is possible only if the Password Management is used.

With the variable Mail_RequestPasswordLink, you can insert a password request link (mailto link) into the body of the PDFCrypt mail.

In the PDFCrypt mail, the variable is used with the [VAR] tags: [VAR]Mail_RequestPasswordLink[/VAR]

In notifications, the variable is used with the % character: %Mail_RequestPasswordLink%

This variable is replaced with the mailto link MAIL. When clicking on this link, a new password request email is created. In this email, the recipient address, subject and message text are automatically set. The recipient address of the request email corresponds to the Address for password requests specified in the Password Manage- ment. To request the password, the recipient of the encrypted email must send the request email.

By clicking the mailto link, the password can be requested again at any time.

Refer to “Requirements for the password transmission” on page 379.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 380 IQ.SUITE PDFCRYPT - PASSWORD MANAGEMENT 

10.1.7 Password Request without mailto Link  Password requests are only possible if the Password Management is used.

For the password request without link, the variables RequestPassword and RequestPasswordRecipient can be used in the PDFCrypt mail or in PDFCrypt notifications, respectively in the subject or body.

In the PDFCrypt mail, these variables are used with the VAR tags, e.g.[VAR]RequestPassword[/VAR].

In notifications, these variables are used with the % character, e.g. %RequestPassword%

PasswordRequest is replaced with a string (ID) of the password request. The recipient variable RequestPasswordRecipient is replaced with the Address for password requests specified in the Password Management.

To request the password, the recipient of the encrypted email must copy the string mentioned above in a new email and send this new email to the address for password requests. The notification or the PDFCrypt mail must contain an adequate instruction text for the recipient.

By means of this string and the address for password requests, the password can be requested again at any time.

Refer to “Requirements for the password transmission” on page 379.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 381 IQ.SUITE PDFCRYPT - PDFCRYPT ENGINE 

10.2 PDFCrypt Engine

The PDFCrypt Engine is available under PDFCRYPT -> UTILITIES

The PDFCrypt Engine is integrated into PDFCrypt jobs and is used to convert emails to PDF files (when the PDFCrypt Mail Encryption Job is used), to sign and/or encrypt these PDFs and other PDFs attached to emails. Besides this, this Engine can be used to verify the signatures of PDFs.

 ‘Write detailed log data’: A log with processing details will be generated, e.g. for error analysis.

 ‘Block download of external contents’: By default, contents from external URLs (e.g. ) are downloaded. If you want to prevent access to the web in order to block any download from external URLs, enable this option.

 ‘Allow signing/verification’: With this option enabled, PDFs can be signed and the signature of PDFs can be verified.  Certificates: Select the KeyManager which contains the certificates to be used for signing and verification.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 382 IQ.SUITE PDFCRYPT - CONVERTING EMAILS TO (ENCRYPTED/SIGNED) PDFS 

10.3 Converting Emails to (Encrypted/Signed) PDFs

PDFCrypt Mail Encryption converts emails to PDFs which can optionally be signed and/or encrypted with a password. After this, a PDFCrypt mail containing the new PDF as an attachment is created. If the original email contains file attachments, these attachments will be embedded into the PDF with their respective file format. Then, the completed PDFCrypt mail is sent to the recipient.

For the conversion of emails to PDFs and optionally the encryption of these PDFs with a password, use a PDFCrypt Mail Encryption Job.

By means of the PDFCrypt Utilities, you can define the content of the PDFCrypt mail and the header of the PDF file (text and maybe images).

Refer to “Password Database” on page 114, “PDFCrypt Mail Encryption Job” on page 390 and “PDFCrypt Utilities” on page 383.

10.3.1 PDFCrypt Utilities

Under PDFCRYPT -> UTILITIES, you will find additionally to the PDFCrypt Engine other PDFCrypt Utilities which are required for ‘PDFCrypt Mail Encryption’.

Images can be imported; templates for the PDFCrypt mail and the header of the password-protected PDF can be configured. Imported images can be added to these templates via the HTML editor integrated in iQ.Suite.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 383 IQ.SUITE PDFCRYPT - CONVERTING EMAILS TO (ENCRYPTED/SIGNED) PDFS 

10.3.1.1 Importing PDFCrypt Images

To import a PDFCrypt image, proceed as follows:

1. Use the preconfigured PDFCrypt image (Sample Logo) or create a new image:

PDFCRYPT -> UTILITIES -> IMAGES -> NEW -> IMAGE.

2. To replace the existing image or to add an image to a new document, click on

IMPORT and, select the desired image in the file system (GIF, JPG or JPEG). Example:

Under Preview the selected image is displayed.

Icons:

IMPORT Opens the file system to change the image displayed in the preview box.

EXPORT Opens the file system to export the image displayed in the preview box, e.g. for image processing.

In addition, detailed information about the imported image is displayed (e.g., size, image format).

3. In the Usage tab, the templates to which the image was added are displayed:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 384 IQ.SUITE PDFCRYPT - CONVERTING EMAILS TO (ENCRYPTED/SIGNED) PDFS 

4. Save the document.

5. To add the image in a PDFCrypt template, proceed as described under “Integra- ting PDFCrypt Images into a PDFCrypt Template” on page 387.

10.3.1.2 PDFCrypt Templates: PDFCrypt Mail and PDF Header

Under PDFCRYPT -> UTILITIES -> MAIL TEMPLATES / PDF HEADERS, the templates for the PDFCrypt mail and the PDF header of the password-protected PDF file are displayed.

The following sample templates are available for the PDFCrypt Mail:  Sample template in cases when PDFs are encrypted by using the password management.  Sample template in cases when PDFs are encrypted without using the password management.  Sample template in cases when PDFs are signed.

The TinyMCE editor in the configuration documents for PDFCrypt Mail and PDF  Header requires Internet Explorer 11 with activated JavaScript. JavaScript is activated by default.

1. Use the sample templates or create new templates.

2. In the Basics tab, specify the name of the template. In the template for the PDFCrypt mail, additionally define the Subject of the PDFCrypt mail. For this, you can specify a text and/or use variables.

Sample template with password management:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 385 IQ.SUITE PDFCRYPT - CONVERTING EMAILS TO (ENCRYPTED/SIGNED) PDFS 

3. In the HTML tab, you can edit the template with a WYSIWYG editor for HTML:

When you open the source text with the button SOURCE, you can enter HTML codes manually.

Use the area below the toolbar to specify the contents of the PDFCrypt mail's message text resp. of the PDF header. The Toolbar offers various design options: For example, you can insert tables, links, variables and/or images. Internally, these are converted into HTML commands.

The different possibilities to transmit the password of the encrypted PDF are described under “Methods of Password Transmission” on page 378. If required, adjust the standard text of the template for the PDFCrypt mail.

Condition [COND]

In some cases, it might be appropriate to not show some of the lines. For example, if the original email does not contain any attachments, the variable

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 386 IQ.SUITE PDFCRYPT - CONVERTING EMAILS TO (ENCRYPTED/SIGNED) PDFS 

[VAR]AttachmentLinks[/VAR] or [VAR]AttachmentTable[/VAR] in the PDF header cannot be resolved and therefore should be ignored. Consequently, the associated text (e.g. „This PDF contains the following file(s):“) should not be displayed. For this, enter the [COND] variable manually in the source text of the PDF header template:

[COND];...[/COND]

Example:

[COND]AttachmentLinks;This PDF contains the following file(s): [VAR]AttachmentLinks[/VAR] Double-click to open a selected file. [/COND]

The shown example condition is used to check whether the original email contains any attachments.

 If yes, the content between the semicolon and [/COND] is displayed. The variable for the attachments (link or table with icons) is resolved.  If not, a blank line is displayed.

4. Check whether it is displayed as desired and save the document. After you have saved the document, the Images tab shows the images which are used in the template.

10.3.1.3 Integrating PDFCrypt Images into a PDFCrypt Template

To include images in a PDFCrypt template (PDFCrypt mail or PDF header), the images must be available on the iQ.Suite server. Refer to “Importing PDFCrypt Images” on page 384.

Inserting an Image in HTML Format

1. Open the PDFCrypt template into which you want to insert a PDFCrypt image.

2. Open the HTML tab. In the editor, click on IMAGES in the menu of the drop-down

button IQ.SUITE. Then, select the desired image.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 387 IQ.SUITE PDFCRYPT - CONVERTING EMAILS TO (ENCRYPTED/SIGNED) PDFS 

Example for the PDF header:

3. Save the document.

4. Enable the PDFCrypt Mail Encryption job in which you have selected the PDFCrypt templates (mail and header). Then, send a test email to your own address or to a test user.

Example of a PDF file with an integrated image and an attachment:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 388 IQ.SUITE PDFCRYPT - CONVERTING EMAILS TO (ENCRYPTED/SIGNED) PDFS 

Inserting an Image via an HTTP Link

To minimize the size of emails, you can also insert an HTTP link rather than the image itself. Email clients are able to load images from this link and display them to the recipient. Depending on the email program used and the applicable user settings, the images are displayed after a confirmation or manual click on the link by the user.

The following requirements must be met:  The image is available online and in a format that can be processed by web browsers, e.g. JPG.  The sender’s email client sends emails in HTML format.  The recipient is online.  The recipient must have enabled the display of external images.

Adjust the PDFCrypt template as follows:

1. In the template, open the HTML tab.

2. Place the cursor at the position in the text at which you want the image to be inserted and click on :

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 389 IQ.SUITE PDFCRYPT - CONVERTING EMAILS TO (ENCRYPTED/SIGNED) PDFS 

3. Under Source, enter the URL to the desired image file.

4. Where required, use the Image description field to specify an alternative text to be shown if the image cannot be displayed in the web browser.

5. Confirm with OK.

10.3.2 PDFCrypt Mail Encryption Job

PDFCrypt Mail Encryption is used to convert emails to PDFs. Depending on the selected PDFCrypt mode, the created PDF can then be signed and/or encrypted. The following pre-configured sample jobs are available:

 SAMPLE - PDFCrypt Encryption: Is used to encrypt the created PDFs by using the password management. Printing and copying are allowed; editing after PDF creation is prohibited.  SAMPLE - PDFCrypt Signing & Encryption: Is used to sign the created PDFs and encrypt them by using the password management. Printing, copying and editing after PDF creation are prohibited.  SAMPLE - PDFCrypt Signing: Is used to sign, but not to encrypt the created PDFs. Printing and copying are allowed; editing after PDF creation is prohibited.

Under PDFCRYPT -> MAIL JOBS, open a sample job or create a new job: PDFCRYPT ->

MAIL JOBS -> NEW -> .

The possible settings of the PDFCrypt Mail Encryption Job are described below2.

2. In the following, only the job-specific details are explained. For information on the settings of the standard tabs, please refer to “Standard Tabs for Jobs” on page 39.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 390 IQ.SUITE PDFCRYPT - CONVERTING EMAILS TO (ENCRYPTED/SIGNED) PDFS 

In our example, the emails of the Human Resources department that contain confidential documents (DOCX attachments larger than 60 KB) are to be sent as password- protected and signed PDF files:

Activate the job.

At Runs on, select the ‘Selected mails’ option. If you had set an address rule for the Human Resources before, select this rule here.

10.3.2.1 Constraints for File Attachments

Use the Selection tab to specify the constraints for the processing of emails which contain file attachments.

In the Operations tab, open the Selection tab:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 391 IQ.SUITE PDFCRYPT - CONVERTING EMAILS TO (ENCRYPTED/SIGNED) PDFS 

 Process emails without attachments (default): Use this option to process also emails which do not contain any attachments. If this option is disabled, emails without attachments will not be processed – regardless of whether any constraints are defined.

 For emails which contain at least one attachment, you can define Constraints:  Attachment size has to be greater/smaller than ... KB: You can define a minimum size and/or a maximum size to exclude emails from encryption depending on the size of their attachments.  File types: Emails can be encrypted depending on the type of their attachments. Use the option ‘Selected file types’ to specify the file types for which to execute the job or not. If the email contains several attachments, these constraints have to be considered in combination with the option All attachments must match all constraints. This is what determines whether the email is actually getting encrypted.

 All attachments must match all constraints: This option is relevant for emails which contain at least two attachments.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 392 IQ.SUITE PDFCRYPT - CONVERTING EMAILS TO (ENCRYPTED/SIGNED) PDFS 

 Option is disabled (default): The email is encrypted when at least one attachment of the email matches with the constraints.  Option is enabled: The email is encrypted only when all attachments of the email match with the constraints. When at least one attachment of the email does not match with the constraints, the email is not encrypted.

Blacklisted Extensions

A list of the file types which Adobe Acrobat does not allow as attachments is available under https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/attachments.html (Blacklisted Extensions). Please note that attachments with these file extensions cannot be opened in Acrobat.

10.3.2.2 Options for Encrypting and Signing PDFs

Open the Options tab:

 PDFCrypt Engine: Select the PDFCrypt Engine to be used to generate the PDF and, if applicable, sign and/or encrypt the PDF. Also refer to “PDFCrypt Engine” on page 382.

 PDFCrypt Mode: Use this option to specify whether to sign and/or encrypt the PDF:  ‘Encrypt’: The PDF will be encrypted.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 393 IQ.SUITE PDFCRYPT - CONVERTING EMAILS TO (ENCRYPTED/SIGNED) PDFS 

 ‘Sign’: The PDF will be signed, but not encrypted.  ‘Sign and encrypt’: The PDF will be signed and encrypted. All setting options of this tab will be shown.  ‘No encryption and signing’: The PDF will be neither signed nor encrypted. Depending on the selected mode, you can make additional settings which are described below.

Options for signing

If „signing“ is enabled, additional options are available:

 ‘Ignore certificate purposes’: The certificate purpose defines the usage of the certificate, e.g. “server authentication” or “encryption”. If you enable this option, iQ.Suite will ignore the intended purpose specified within the certificate. With this option enabled, also certificates with another key usage than signing (e.g. “encryption”) can be used for signing.

 ‘Allow expired certificates for signing‘: By default, PDFCrypt jobs ignore expired certificates for signature creation. With this option, you can allow the use of expired certificates for signing.

 ‘Automatically request certificates from KeyManager‘ (only if iQ.Suite KeyManager is the used certificate store): If no appropriate certificate for signing is found in KeyManager, KeyManager requests a new certificate. If the used connector requires specific user information to request a certificate, this information has to be passed by iQ.Suite. This is only possible if this option is enabled and the first and last names of the user is available in the Active Directory.

Options for encryption

If you want the PDF to be encrypted, select the Password type to be used to create the password for encryption:

 ‘Fixed password’: In the Password field, enter the password to be used for all PDFs.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 394 IQ.SUITE PDFCRYPT - CONVERTING EMAILS TO (ENCRYPTED/SIGNED) PDFS 

 ‘Use command in subject’: In the subject line of the email that is to be encrypted, the sender enters a command (e.g. pwd) and the desired password (e.g. teSt123) as follows: = Example: Agreement pwd=teSt123

Define the command in the Subject command field. Enter a character string that the iQ.Suite will interpret as a command. If the command is added to the email subject by the sender, the job is executed. Otherwise, it is not executed and the email remains unencrypted. If the subject contains several commands, only the first one is executed. The command and the password are removed from the subject before delivery.

The command may only include characters from the 7-bit ASCII character set. The  command is not case-sensitive.

For ‘Fixed password’ and ‘Use subject command’, the following characters are  allowed in the password:  all upper case and lower case letters of the of the ASCII character set. Umlauts are not allowed.  all digits from 0 to 9  special characters: ! $ & / = ? # * + - _ < >

 ‘One-time password’: The Password management selected below generates for each email a new random password. One-time passwords are not saved in a database. Therefore, lost passwords cannot be recovered.

 ‘Use password management‘: The Password management selected below generates a random password in accordance with your setting in the Password generation field. The passwords created with this method are stored in the password database. The password can be communicated to the recipient, e.g. in the PDFCrypt mail or in a separate email, either directly visible in the email or obtainable via a request link.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 395 IQ.SUITE PDFCRYPT - CONVERTING EMAILS TO (ENCRYPTED/SIGNED) PDFS 

 Encryption: Select an encryption algorithm (default: AES-128). Alternatively, ‘AES-256’ with password processing according to PDF 1.7 Adobe Extension Level 3 is available. In comparison with AES-128, this algorithm is supported by less PDF readers and is normally less secure due to a weakness in the Extension Level 3 specification for password encryption, particularly for short passwords. Consequently, we recommend to use ‘AES-128’.

The following setting options and statements only apply if the password management is used:

 Password generation:  ‘For each email’: A new password is generated for each email. All recipients of the email will use the same password.  ‘For each recipient’: If several emails are sent to recipient A, the password that was generated for the first email is also used for all following emails to recipient A.  ‘For each sender-recipient combination’: For each sender-recipient combination, a new password is generated. Examples: 1. Sender A sends several emails to recipient C. For all emails from sender A to recipient C, the same password is used (e.g. ‘Pass1’). 2. Sender B also sends emails to recipient C. A new password is generated (e.g. ‘Pass2’). All emails from sender B to recipient C will then be encrypted with this password.

In the Password Management settings, you can define that recipient-specific passwords expire after a certain time and that new passwords are to be generated in case of expiration.

For the configuration of the Password Management, please refer to “Password Management” on page 378.

10.3.2.3 Settings for Creating the PDF Files

Open the Settings tab:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 396 IQ.SUITE PDFCRYPT - CONVERTING EMAILS TO (ENCRYPTED/SIGNED) PDFS 

 Attachment name: Specify how to name the generated PDF. You can specify a fixed name and/or use variables, e.g. [VAR]Subject[/VAR]. The file extension “PDF” is automatically added to the name in case you do not specify it in this field.

You will find a list of the variables which can be used in the HELP.

 ‘Additionally embed PDF attachments’: All PDF attachments of the processed email will be additionally embedded into the created PDF and therefore are part of the encrypted PDF.

 ‘Additionally attach email as .eml’: The complete email, including attachments, will be attached to the PDF file in EML format.

 ‘File attachments only in .eml’: If you enable this option, the attachments of the email will be available only in the EML file. Otherwise, they will be additionally available in the PDF file. In the Attachment name of .eml field, specify how to name the EML file. The file extension “EML” is automatically added to the name in case you did not specify it in the field.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 397 IQ.SUITE PDFCRYPT - CONVERTING EMAILS TO (ENCRYPTED/SIGNED) PDFS 

 Permissions

In this section, you can restrict the permissions on the processed PDF files.

The set permissions are only guiding values for PDF readers; they are not bin-  ding at all. Furthermore, the different readers may interpret these permissions differently. The provided setting options apply in Adobe Acrobat as described below; this may vary in other PDF readers.

 Deny printing: The PDFs cannot be printed.  Deny copying: No text can be extracted from the PDFs.  Editing:  ‘Deny all editing’: After the PDF creation, the PDF cannot be modified in the PDF reader, e.g. enter comments, attach files, signing, filling out forms, etc.  ‘Deny commenting’: No comments can be added. However, signing by using existing signature forms and filling out forms are possible.  ‘No editing restrictions’: All editing actions are allowed.

Templates

Select a template for the PDFCrypt Mail and a template for the PDF Header.

For further information on these templates, please refer to “PDFCrypt Templates: PDFCrypt Mail and PDF Header” on page 385.

10.3.2.4 Success/Error Actions

Use the tabs Success Actions and Error Actions to define which actions to execute in case of a successful / failed job execution. You can, for example, decide on who should receive a notification. Refer to “Actions” on page 47.

Notification templates for PDFCrypt are available under IQ.SUITE -> GLOBAL -> NOTIFI-

CATION TEMPLATES -> PDFCRYPT. Refer to “Notification Templates” on page 37.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 398 IQ.SUITE PDFCRYPT - CONVERTING EMAILS TO (ENCRYPTED/SIGNED) PDFS 

In the sample templates for the PDFCrypt mail (except signing), it is assumed that the password is sent in a separate email. For this, the Recipient notification in case of success must be enabled and must contain a placeholder for the password (as it is in the predefined notification template).

If you use the Password Management and your template for the PDFCrypt mail  contains the variable [VAR]Mail_RequestPasswordLink[/VAR], the recipient can request the password by clicking on the MAIL link. Therefore, a separate password email is not necessary. If you don‘t enable the recipient notification in this case, do not mention any separate password email in the template for the PDFC- rypt mail.

Also refer to “Methods of Password Transmission” on page 378.

10.3.2.5 Example of a Use Case

In the following example, encryption is performed according to the job configuration under “PDFCrypt Mail Encryption Job” on page 390.

1. Anna Glenn sends an email to David Galler. This email contains the attachment Contract_draft_dgaller.docx (ca. 87 KB):

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 399 IQ.SUITE PDFCRYPT - CONVERTING EMAILS TO (ENCRYPTED/SIGNED) PDFS 

2. Mr. Galler receives a PDFCrypt Mail with the password-protected PDF attachment that is named after the subject of the original email (Contract_Draft.pdf):

3. Mr. Galler receives the password in a separate email that was created based on the predefined Recipient notification in case of success:

4. When the user tries to open the password-protected PDF, the dialog for entering the password is displayed:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 400 IQ.SUITE PDFCRYPT - CONVERTING EMAILS TO (ENCRYPTED/SIGNED) PDFS 

The user has to enter the password and click OK. The PDF opens:

The attachments of the original email are displayed as links in the PDF. In some PDF readers, clicking on the links would not open the attachments. For example, in Adobe Reader, the attachments are listed in a separate area with the paperclip and can be opened from there:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 401 IQ.SUITE PDFCRYPT - CONVERTING EMAILS TO (ENCRYPTED/SIGNED) PDFS 

Please note that for security reasons some PDF readers do not allow some file types  as attachments. The not allowed file attachments cannot be opened. For Adobe Acro- bat: refer to “Blacklisted Extensions” on page 393.

5. When the password is lost: The PDFCrypt mail contains the MAIL link that is used to re-request the password. When the recipient (here: Mr. Galler) clicks on this link, a Password request email is created:

Mr. Galler sends this email and then receives a Password email:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 402 IQ.SUITE PDFCRYPT - CONVERTING EMAILS TO (ENCRYPTED/SIGNED) PDFS 

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 403 IQ.SUITE PDFCRYPT - VERIFYING SIGNATURES OF PDF FILES 

10.4 Verifying Signatures of PDF Files

The PDFCrypt Signature Verification job can be used to verify the signatures of PDF files to ensure the integrity and authenticity of signed PDFs.

Open the sample job SAMPLE - PDFCrypt Signature Verification or create a new

job: PDFCRYPT -> MAIL JOBS -> NEW -> PDFCRYPT SIGNATURE VERIFICATION MAIL

JOB3.

In the Operations tab, open the Options tab:

 PDFCrypt Engine: The PDFCrypt Engine is required for the signature verification. Refer to “PDFCrypt Engine” on page 382.

 Check certificates against certificate store:  Option is enabled (default): The signature certificates will be checked against the certificate store selected in the PDFCrypt Engine (‘iQ.Suite KeyManager’ or ‘Windows certificate store’). Here, the trust status and the validity of the certificate will be checked. Additionally, it will be checked whether the signature and the PDF content match together, i.e. whether the PDF has not been modified after signing.

3. In the following, only the job-specific details are explained. For information on the settings of the standard tabs, please refer to “Standard Tabs for Jobs” on page 39.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 404 IQ.SUITE PDFCRYPT - VERIFYING SIGNATURES OF PDF FILES 

To enable the certificate check against a certificate store, the ‘Allow  signing/verification’ option must be enabled and a certificate store must be selected in the PDFCrypt Engine.

 Option is disabled: The signatures will be verified only against the PDF content. In this case, the ‘Allow signing/verification’ option in the PDFCrypt Engine is not relevant.

Combinable options for checking certificates against the certificate store:

 ‘Allow expired certificates for verification’: By default, expired certificates are ignored for the signature verification. Enable this option if you want to allow the use of expired certificates for the signature verification.  ‘Allow unknown trust status for verification’: By default, the PDFCrypt job only allows the use of certificates which have the trust status “trusted”. Enable this option if you want to use also certificates which have the trust status “unknown”.  ‘No import of certificates on verification’: By default, signature certificates which are not available in the certificate store will be imported into the certificate store. If you do not want this, enable this option.



ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 405 IQ.SUITE PDFCRYPT - SIGNING AND/OR ENCRYPTING PDF ATTACHMENTS 

10.5 Signing and/or Encrypting PDF Attachments

The PDFCrypt File Signing/Encryption job is used to sign and/or encrypt PDF files attached to emails. This applies also to PDFs which are created by Convert PDF, but does not apply to PDFs in archives (e.g. in ZIP or RAR). PDFs in archives can be neither signed nor encrypted.

Depending on the selected PDFCrypt mode, the PDF can be signed and/or encrypted. For this, pre-configured sample jobs are available:

 SAMPLE - PDFCrypt File Encryption: Is used to encrypt PDFs by using the password management.

 SAMPLE - PDFCrypt File Signing: Is used to sign, but not encrypt PDFs.

 SAMPLE - PDFCrypt File Signing & Encryption: Is used to sign PDFs and to encrypt them by using the password management.

In each sample job mentioned above, printing, copying and editing after PDF creation are prohibited.

Signing and encryption are carried out like with PDFCrypt Mail Encryption. Consequently, only the differences to PDFCrypt Mail Encryption are described below.

For information on the settings in the standard tabs, please refer to “Standard Tabs for Jobs” on page 39.

Under PDFCRYPT -> MAIL JOBS, open a sample job or create a new job: PDFCRYPT ->

MAIL JOBS -> NEW -> .

In the Operations tab, open the Options tab:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 406 IQ.SUITE PDFCRYPT - SIGNING AND/OR ENCRYPTING PDF ATTACHMENTS 

 Action on signed or encrypted PDF files With “encrypted”, we mean PDF files which are encrypted with a password or on which permissions are set. These PDFs will not be processed, i.e. they will be neither signed nor encrypted again.

Determine here whether already encrypted and/or signed PDFs have to be handled:

 ‘Ignore’: These PDFs will be ignored. Consequently, no error actions will be triggered. Ignored PDFs are considered as “processed” and can trigger the error actions. The success actions will be executed if the email ...  contains only ignored PDFs.  contains only successfully processed PDFs.  contains only successfully processed and ignored PDFs.  ‘Fail’: An email with at least one already encrypted and/or signed PDF will trigger the error actions.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 407 IQ.SUITE PDFCRYPT - SIGNING AND/OR ENCRYPTING PDF ATTACHMENTS 

For information on the other possible settings in this tab, please refer to “Options for Encrypting and Signing PDFs” on page 393.

Additionally, please note the following information:

 Unlike with PDFCrypt Mail Encryption, no PDFCrypt mail is sent in case of PDFCrypt File Signing/Encryption. To transmit the password in written form, you can send a notification.

If the processed email contains several PDFs, the same password is used for all  PDFs of the email.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 408 IQ.SUITE PDFCRYPT - IQ.SUITE USER REQUEST JOB 

10.6 iQ.Suite User Request Job

It is the iQ.Suite User Request job‘s task to process the password request emails (command mails). The job encodes the command in the email body and executes it.

1. Under PDFCRYPT -> MAIL JOBS open the example job SAMPLE - User Request or create a new User Request job:

With the positive IsUserRequest rule, the job is executed only on command mails. Typically, this rule is an address rule. It is used to check whether the recipient address is equal to the Reply address that is specified in the password management. In the Recipient list field of the rule definition, enter the same address as in the password management (e.g. [email protected]).

The User Request job can process password request emails for all password management configurations. If, in the rule definition, all email addresses that are responsible for password requests are entered, only one User Request job needs to be enabled.

2. Open the Operations tab:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 409 IQ.SUITE PDFCRYPT - IQ.SUITE USER REQUEST JOB 

3. To delete the password request emails after processing, select the option ‚Delete email‘.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 410 IQ.SUITE DLP -   11 iQ.Suite DLP The iQ.Suite module DLP (Data Leakage Prevention) consists of two sub- modules:  DLP Review Enables dual control check. Refer to “DLP Review” on page 412.

 DLP Anomaly Detection Enables detection of anomalies in the email behavior of senders. Refer to “DLP Anomaly Detection” on page 428.

DLP Review and DLP Anomaly Detection can be used individually or combined.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 411 IQ.SUITE DLP - DLP REVIEW 

11.1 DLP Review

For dual control check, you can use DLP Review – in addition or instead of the parking database. With DLP Review, emails can be intercepted on the mail server and put in the configured DLP Review database. They can there be checked (e.g. for compliance with guidelines) and afterwards approved or rejected by a reviewer before sending it to the recipient. Depending on the configuration, the reviewer and/or the sender can be notified when an email has been put in the Review database or has been approved or rejected. Approved emails are sent to the recipients.

A DLP background task handles the delivery to the recipient by removing the emails from the Review database and putting them back into the mail server's Mail.box.

11.1.1 Background Information

11.1.1.1 DLP Review Databases

For DLP Review, the iQ.Suite database type ‘DLP Review Database’ is used. The database template g_review.ntf contains the design used for the Review database.

For each review process, create a own Review database by using the database definition. For example, one database for Sales and another one for the Accounts department. Refer to “Create a DLP Review Database” on page 418.

In a Review database, following data is stored:  All emails which have to be checked.  A protocol document for each email which has to be checked. The review activities on the emails are automatically logged in this document.  The Review Options document, which contains the configuration of the review process.

Refer to “Main View of the Review Database - Emails by Status” on page 425.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 412 IQ.SUITE DLP - DLP REVIEW 

11.1.1.2 DLP Review Mail Job

The DLP Review Mail Job moves the emails from the server´s Mail.box to the specified Review database, so that they can be manually approved or rejected by the reviewers.

The defined job rules control which emails are to be moved to the Review database.

11.1.1.3 Review Background Tasks

In the Review database, only the approval or rejection action is triggered manually by the reviewer. All other actions are automatically performed by the so- called background tasks. This includes:  Sending notifications when emails are put into the Review database, approved, rejected and when a timeout occurs.  Changing the review status of emails. Refer to “Review Status and Notifica- tions” on page 414.  Copying the email to the server‘s Mail.box, when it has been approved.  Writing protocol documents.  Deleting emails and protocol documents after the set time limits.

Use the Review Options document to configure whether the background tasks are to be executed in the Review database. Refer to “Review Options” on page 421.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 413 IQ.SUITE DLP - DLP REVIEW 

If required, use the global parameters ToolKit_Rev_StatusTaskInterval and ToolKit_Rev_RemoveDocTaskInterval to change the time intervals to execute the background tasks1.

11.1.1.4 Review Status and Notifications

During the review process, the email runs through different statuses. In the Review view, the current status of each email is visible to the reviewer.

The email with the status INITIAL is moved to the Review database by the DLP Mail Job.

When the background tasks of the Review database are activated, the emails

with the status INITIAL are automatically set to the status UNREVIEWED. If configured in the Review Options, notifications may be sent to the senders and reviewers.

1. For a description of these parameters, please refer to “Global Parameters” on page 31.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 414 IQ.SUITE DLP - DLP REVIEW 

If timeout is set in the Review Options, the emails with the review status

UNREVIEWED are automatically set to the status TIMEOUT by the background task after the defined time for timeout. Depending on your configuration, a notification may be sent to the reviewer delegates.

Emails with the status UNREVIEWED or TIMEOUT may be rejected (REJECT EMAIL button) or approved (APPROVE EMAIL button) by any reviewer (delegate):

Rejected emails first receive the status TO BE REJECTED. Then, these emails are set to the status REJECTED by the background task. Depending on your configuration, a notification may be sent to the sender.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 415 IQ.SUITE DLP - DLP REVIEW 

Approved emails first receive the status TO BE APPROVED. Then, these emails are

set to the status APPROVED by the background task. Depending on your configuration, a notification may be sent to the sender and the email is copied back to the server‘s Mail.box. Thereafter, the email can be processed by subsequent jobs and sent to the recipient.

An email with the status APPROVED can be approved again.

11.1.2 Rights/Role Concept to access the Review Database

A rights/roles concept is used to set the users’ access rights to the Review database. The access rights are set in the iQ.Suite administration console (nav.nsf), using the ACL Manager and the following components:  Review Roles  iQ.Suite Groups  Access Level: The correct access level must be set so that the functions that are activated through the set roles are actually available in the Review data- base2.

When installing the iQ.Suite, iQ.Suite sample groups are registered in the ACL of the Review database.

In the ACL, predefined review roles are assigned to the iQ.Suite sample groups. Using these roles, the members of a group are granted specific access rights and provided with access to the corresponding functions in the Review database.

iQ.Suite Sample Roles and Review Roles

The following table shows which review role is assigned to which iQ.Suite sample group by default.

Review Role iQ.Suite Group Access Level

[RevAdmin] IQSUITE-ADMIN Manager

[Reviewer] IQSUITE-REVIEWER Editor

2. For further information on access levels, please refer to the Domino documentation.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 416 IQ.SUITE DLP - DLP REVIEW 

Review Role iQ.Suite Group Access Level

[Reviewer] IQSUITE-REVDELEGATE Editor

[RevReader] IQSUITE-REVREADER Reader

[RevProtReader] IQSUITE-REVPROTREADER Reader

None IQSUITE-REVSENDER Reader

 IQSUITE-ADMIN Members of this group can configure the Review Options in the Review database. Emails of the Review database can either be read, approved or rejected by them. They do not have access to the review protocols.

 IQSUITE-REVIEWER Members of this group are Reviewers. They have read-only access to all emails of the Review database. They can, with appropriate buttons, either approve or reject emails in the database.

 IQSUITE-REVDELEGATE Members of this group are Reviewer delegates. These reviewers can act in place of the actual reviewers (e.g. when the reviewers are on holiday or sick). They have the same rights on the Review database as the reviewers.

 IQSUITE-REVREADER Members of this group have read-only access to all emails of the Review database. They cannot execute any approval or rejection actions and do also not have access to the review protocols.

 IQSUITE-REVPROTREADER Members of this group have read-only access to all protocol documents (not to the emails) in the Review database. They cannot execute any approval or rejection actions.

 IQSUITE-REVSENDER Members of this group have read-only access to the emails in the Review database which they have sent themselves. If all users should generally have

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 417 IQ.SUITE DLP - DLP REVIEW 

this access, activate the ‘Read access for sender’ option in the Basics tab of the Review Options3.

Assign to the iQ.Suite servers in use the ‘Manager’ access level and all review  roles. We recommend to use the predefined IQSUITE-SRV group.

You can use the sample groups or adjust them to your requirements.

If you want to change the default access rights assigned to an iQ.Suite group, change the roles accordingly.

If you want to change the default access rights of any iQ.Suite group, deactivate or activate the desired roles. You can, for example, assign multiple roles to the

IQSUITE-ADMIN group in order to enhance their rights in the Review database.

The groups that you want to use (iQ.Suite sample groups or self-created groups)  must exsist in the Domino Directory, which means that they have to be created manually if necessary.

If you assign the role [RevAdmin] to self-created groups or individual persons,  you have to assign rights to these groups/persons on the database g_wdog.nsf manually. Read-only rights are required to select the Review notification templates; write rights are required to edit notification templates.

11.1.3 Create a DLP Review Database

The database definition iQ.Suite Review for the sample Review database g_review.nsf is available and activated in the iQ.Suite standard configuration:

GLOBAL -> DATABASE DEFINITIONS -> DLP REVIEW.

If the Review database is activated, the corresponding DLP menu items are displayed in the iQ.Suite navigation area under DLP.

To create a new Review database, click DATABASE DEFINITIONS -> NEW ->

DATABASE DEFINITION.

3. Refer to “Sample Job: Move Emails from Credit Department to Review Database” on page 419.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 418 IQ.SUITE DLP - DLP REVIEW 

To configure the new database definition, please refer to “Database Definitions” on

page 25 and additionally note the following points:

1. As Database type‚ select ‘DLP Review database’.

2. Click the Icon Create Database under Database file path. The ACL Manager opens:

3. If necessary, adjust the ACL and click OK.

4. Save the configuration document.

11.1.4 Sample Job: Move Emails from Credit Department to Review Database

In the following example, all emails from the Credit department sent to external recipients will be moved to the Review database. This ensures that emails with contracts, loan commitments or other sensitive data are reviewed by a second person (e.g. Department Manager) before they are sent to the recipients.

The following description only covers the job-specific settings:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 419 IQ.SUITE DLP - DLP REVIEW 

1. Under DLP -> MAIL JOBS, open the SAMPLE - Review Mails from Credit Department, or create a new DLP Mail Job:

2. Open the Operations tab and make the desired settings:

a) The Review database field displays the path to the Review database (incl. file name) to which the job will move the emails that have to be checked. The path is automatically specified when you select the DLP Review database definition. b) Copy email to database instead of move: By default, the email is deleted from the Mail.box and moved to the Review database4. If a copy of the email is created in the Review database (option ‘Yes’), the original email remains in the server‘s Mail.box and is released for further processing by subsequent mail jobs and then by the router. The email may be sent to the recipient, regardless of the reviewer action (approve/reject). In

4. For further information, please refer to “DLP Review Mail Job” on page 413.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 420 IQ.SUITE DLP - DLP REVIEW 

this case, the Review database can ie.g. be used for monitoring purpose for the reviewer. c) Use the Review reason field to specify why the emails processed by this job will be moved to the Review database (e.g. “Credit Department”) This information can be useful when multiple jobs move emails with different content types to the same Review database. Emails can be categorized by the review reason and be sorted accordingly in the Review database.

3. Activate and save the job.

11.1.5 Review Options

To facilitate the review process in the DLP Review database and to adapt it to your needs, configure the Review Options document

1. Open the sample document under DLP -> REVIEW -> DLP REVIEW OPTIONS, or create a new document:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 421 IQ.SUITE DLP - DLP REVIEW 

For further information on the preset iQ.Suite groups (e.g. IQ.SUITE-REVIEWER in  the Reviewer field), please refer to “Rights/Role Concept to access the Review Database” on page 416.

2. Activate the document with the Activate review process option, so that the background task can be executed and the Review Options take effect. Refer to “Review Background Tasks” on page 413.

3. In case of a multi-server environment, use the Server field to specify the servers on which the background tasks should be executed. Enter an asterisk (*) to validate the job for all servers. In the Server exceptions field, you can enter the servers to be considered as exceptions to the specifications in the Server field. You can specify multiple servers in both fields. Use a separate line for each entry.

In replicated environments: if a Review database is replicated on multiple  servers and the background tasks are also executed on multiple servers, replication conflicts may occur. Therefore, in such constellations, the background tasks should only be executed on selected servers.

4. Select the persons / groups from the Domino Directory who should act as Reviewers.

Sample group: IQSUITE-REVIEWER

5. Use the notification options to define whether the reviewers and/or the senders are to be notified. For each case, select the notification template to be used.  Notification of incoming email to reviewer: The reviewers will be notified when an email has been moved to the Review database.  Notification of incoming email to sender: The sender will be notified when an email has been moved to the Review database.  Notification of approval email to sender: The sender will be notified when his email has been approved.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 422 IQ.SUITE DLP - DLP REVIEW 

In the Review notification templates mentioned above, you can use the  placeholder %REVIEWDOCLINK% in addition to the usual placeholdersa. With this placeholder, a Notes document link is inserted to the email document in the Review database. a. For information on the non-review-specific placeholders, please refer to “Notification Templates” on page 37.

 Notification of rejection to sender: The sender will be notified when his email has been rejected. Use the input field to specify the text to be used by default as Rejection reason in the notification. The reviewer can edit this default text for each rejection.

In the notification template, you can use the placeholder %BLOCKCOMMENT% which will be replaced in the notification with the rejection reason.

6. In the Delete emails after field, specify how many days the emails shall remain in the Review database. After this number of days is elapsed, the emails are automatically deleted from the Review database.

The deletion occurs regardless of the status of the emails, which means that also  emails with the status UNREVIEWED will be deleted after the specified time.

7. In the Delete protocols after field, specify how many days after the last modified date of protocol documents, the protocol documents should be automatically deleted from the Review database (minimum: 14 days).

8. In Read access for sender field, specify whether the sender should have read-only access to his emails in the Review database.

To enable read access to their emails, make sure that the potential senders also  have read-only access to the Review database.

9. With the option Allow approval only if reviewer is not sender enabled, reviewers are not allowed to approve the emails they have sent. This ensures dual control check.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 423 IQ.SUITE DLP - DLP REVIEW 

In the Advanced tab, make the following settings:

1. In the Reading access of the protocols field, select from the Domino Directory the persons / groups to be granted read access to all protocol documents (not to the emails) of the Review database.

Sample group: IQSUITE-REVPROTREADER

2. Under Reviewer Delegate, select from the Domino Directory the persons / groups who should act as reviewer delegates.

Sample group: IQSUITE-REVDELEGATE

Reviewer delegates can also be reviewers at the same time.

If you Set a timeout and enable the Notification of timeout, the reviewer delegate will be notified after the specified time. This ensures that no emails remain unreviewed beyond a period of time.

3. Additional read access: Select from the Domino Directory the persons / groups to be granted read access to all emails of the Review database, e.g. to enable them to see the current review status.

Sample group: IQSUITE-REVREADER

To enable read access to the emails for the specified persons / groups, make sure  that they also have read-only access to the Review database.

4. Save the Review Options.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 424 IQ.SUITE DLP - DLP REVIEW 

 Modifications of the Review Options take effect only after MailGrabber‘s restart.

11.1.6 The DLP Review Database

11.1.6.1 Acccessibility

If you have access rights on the Review database, you can go one of the following ways to open the Review database:  As iQ.Suite Administrator: IQ.SUITE ADMINISTRATION CONSOLE -> DLP -> REVIEW -> DLP REVIEW DATABASE.  On the iQ.Suite Server, open the Notes application called iQ.Suite Review (default: g_review.nsf).  Via the iQ.Suite WebClient5: In the WebClient, only those emails that are in the Review database can be retrieved. Users with a Review role can either approve/reject the emails or send them to their own user mailbox.

11.1.6.2 Review View of the Review Database in HCL Notes

Main View of the Review Database - Emails by Status

APPROVE EMAIL / REJECT EMAIL: Multiple emails can be approved or rejected simultaneously.

The approval is not executed until the reviewer confirms the approval by clicking ‘Yes’ in the confirmation dialog.

5. For further information on the iQ.Suite WebClient, please refer to the iQ.Suite Installation manual.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 425 IQ.SUITE DLP - DLP REVIEW 

Emails can be approved several times. In this case, note that the emails will be  sent to the sender with each approval.

After clicking the REJECT EMAIL button, a dialog box appears with an editable default text for the rejection reason.

Confirm the rejection with OK. Click CANCEL to abort the rejection.

Approval and rejection are irrevocable. In case of rejection, sending the email  to the recipient is only possible if the sender sent it again (after revision of the email according to the rejection reason). Afterwards, the email must be reviewed again and then approved.

11.1.6.3 Review Protocols

The review protocols can be seen by the groups and users who are specified in the Reading access of the protocols field in the Review Options.

Example:

Column Description

Entry Date and time when the email was put in the Review database.

Review done Date and time when the first review action (approval/rejection) was carried out

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 426 IQ.SUITE DLP - DLP REVIEW 

Column Description

Description for Current status of the email actual state

Actual state Date and time when the current status of the email was set.

With a double-click on a review protocol, the corresponding protocol opens:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 427 IQ.SUITE DLP - DLP ANOMALY DETECTION 

11.2 DLP Anomaly Detection

With DLP Anomaly Detection, the mailing behavior of your company's employees can be monitored to detect possible anomalies. For example, you might be able to prevent employees from sending business-critical data intentionally or not.

Email data of different types is collected per sender, stored in the selected database and then analyzed by using analysis criteria and thresholds. For the analysis, different email properties can be evaluated individually or combined, e.g. email size, number of recipients and/or size of the file attachments. With this, sending suspicious emails, for example in case of an unusually high data volume or number, can be first stopped for review. These emails can then be approved or rejected by a reviewer in accordance with the dual control principle (DLP Review). In case the thresholds are exceeded, the Warning or Error actions defined in the DLP Data Analyze Job are executed.

Example of a use case:

The user David Galler usually sends emails with an average size of 20 KB. If Mr. Galler now sends an email with a size of 200 KB, this large difference could be a sign of an “anomaly”. This anomaly can be detected by collecting email sizes and configuring appropriate analysis criteria.

11.2.1 Important Definitions

 DLP Anomaly database: Notes database (g_dlp_anom.nsf) where the data for Anomaly Detection (Collect data, Baseline data and possibly Live data) is written to. For the Live data, a separate Notes database can be used optionally. Refer to “Creating a DLP Configuration” on page 431.

 Collect data (Collect entries): Collect data is general email data and attachment data, both collected by the DLP Data Collection Job. This data is written per sender and server. Attachment data depends on a fingerprint category.

 Live data (Live entries): Like the Collect data, Live data (real-time data) consists of general email data and attachment data which is collected by the DLP

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 428 IQ.SUITE DLP - DLP ANOMALY DETECTION 

Data Analyze Job. Unlike for the Collect data, a single data record per day (from 00:00 AM to 11:59 PM) is written for each sender and server. Every iQ.Suite server collects its own Live data. If Live data is required for the evaluation of analysis criteria, then the Data Analyze Job sums up the Live data of all servers.

Which email information is collected, depends on your settings in the DLP Confi-  guration.

 Baseline data (Baseline entries): The data collected by the DLP Data Col- lection Job is accumulated per sender at the configured date and time. Based on this data, average values and daily values are calculated. The calculated values are afterwards saved as “Baselines” in the database. One Baseline (data record) is created per sender. Based on the Baselines, thresholds can be defined in the DLP Data Analyze Job. In case these thresholds are exceeded, it may be a sign of an anomaly (suspicious or dangerous email) and, if so, the defined Warning or Error actions are triggered.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 429 IQ.SUITE DLP - DLP ANOMALY DETECTION 

11.2.2 Viewing DLP Data in iQ.Suite WebClient

The data used for the DLP Anomaly Detection (Collect, Live and Baseline data) can be accessed through iQ.Suite WebClient. The ACL Manager and the database definition are used to control this access.

11.2.2.1 Settings in ACL Manager

Select under IQ.SUITE -> GLOBAL -> DATABASE DEFINITIONS the desired DLP

Anomaly database and click on ACCESS MANAGEMENT. The ACL Manager opens. A rights/roles concept is used to set the users’ rights to the Anomaly database:

When installing the iQ.Suite, iQ.Suite sample groups are registered in the ACL of the Anomaly database. Predefined DLP roles are assigned to these sample groups:

DLP Role iQ.Suite Group Access Level

[View] IQSUITE-ANOMVIEWER No Access

[View] IQSUITE-ANOMVIEWERPERS No Access

[SeePersonal]

 IQSUITE-ANOMVIEWER Users of this group have the [View] role and therefore are authorized to view and evaluate only anonymized DLP data via iQ.Suite WebClient.

 IQSUITE-ANOMVIEWERPERS

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 430 IQ.SUITE DLP - DLP ANOMALY DETECTION 

Users of this group have the [View] and [SeePersonal] roles and therefore are authorized to view and evaluate all DLP data, i.e. also not anonymized data, via iQ.Suite WebClient.

In Notes, 'No Access' is provided for the users of the sample groups in order to ensure that the DLP data can only be viewed in iQ.Suite WebClient6.

You can adjust the sample groups, if required.

Assign to the iQ.Suite servers in use the ‘Manager’ access level and all DLP  roles. We recommend to use the predefined IQSUITE-SRV group.

The groups that you want to use (iQ.Suite sample groups or self-created groups)  must exsist in the Domino Directory, which means that they have to be created manually if necessary.

11.2.2.2 Settings in Database Definition

 The iQ.Suite groups used in the ACL Manager must be specified in the Reader field of the database definition.

 The option Enable for 'Data Service' Applications must be enabled.

For further information on iQ.Suite WebClient, please refer to the iQ.Suite installation manual.

11.2.3 Creating a DLP Configuration

For the DLP Anomaly Detection, at least one DLP Configuration is required. This one must be selected in the DLP Data Collection Job and in the DLP Data Ana- lyze Job.

In the DLP Configuration, define which data is to be collected and written to which database and how the Baselines are to be calculated. Beside this, make settings concerning the database maintenance.

Use the sample configuration or create a new DLP Configuration: IQ.SUITE ->

DLP -> ANOMALY -> DLP CONFIGURATIONS.

6. For further information on access levels, please refer to the Domino documentation.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 431 IQ.SUITE DLP - DLP ANOMALY DETECTION 

You can create configurations for the DLP Anomaly Detection under IQ.SUITE ->

DLP -> ANOMALY -> DLP CONFIGURATIONS -.

11.2.3.1 General Settings

Use the Basics tab to make general settings:

 Name: Specify a name for the DLP Configuration.

 Anomaly database: Select a database definition to determine the database where the Collect data and the calculated Baseline data will be written to. Default: g_dlp_anom.nsf.

 Anomaly database (Live): Optionally, select a database definition to determine the database where the Live data will be written to. If you leave this field empty, the database from the Anomaly database field will be used. In multi-server environments, a separate database for Live data might be appropriate, since the replication of the Collect data might possibly be too slow for the Live data. You might use a database that is replicated more frequently. Alternatively, a central database without replication can be used. Advantages and disadvantages of the central Live database without replication: No tolerance in case of failure of this database, but a minimal time interval in which thresholds can be exceeded.

 Server / Server exceptions: In these fields, the servers specified in the selected database definition are displayed automatically.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 432 IQ.SUITE DLP - DLP ANOMALY DETECTION 

Background tasks for the database maintenance are executed on all servers on which the database definition applies. If you want these tasks be running only on certain servers, adjust the contents of the Server / Server exceptions fields in the database definition. Then, re-select the database definition in the DLP Configuration to ensure that your changes are applied.

11.2.3.2 Defining the Data to be collected

In the Data Collection tab, essentially define the email properties to be collected by the DLP Data Collection Job (Collect data) and by the DLP Data Analyze Job (Live data):

The following email properties can be collected:

 General email data:  Size of emails (including file attachments)  Size of email bodies  Number of recipients

 Attachment data  Number of file attachments  Overall number of attachments

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 433 IQ.SUITE DLP - DLP ANOMALY DETECTION 

 Overall number of attachments per selected fingerprint category  Size of the file attachments per selected fingerprint category

 Fingerprint categories: If you want to collect email information on file attachments (number and/or size), you can qualify the data collection for certain file types.

 Enable data accumulation (only for Collect data): If data accumulation is enabled, the Collect data is not written to the database as a separate data record for every single email, but the data is accumulated per sender. During the set time interval (minutes), the data accumulated in this interval is written as one record. A short time interval improves the temporal resolution of the data, a long time interval reduces the memory consumption of the database. By using data accumulation, one entry with all values for the time period, which results from the defined time interval (e.g. from 9:30 AM to 10:00 AM), is written in the database per sender. If data accumulation is disabled, an entry is written directly in the database for each processed email. Therefore, more space is used in the database if data accumulation is disabled.

Example: David Galler sent in the last 30 minutes three emails. The email property “Size” shall be observed like defined in the DLP Configuration. The collected sizes were:

 Email 1 = 19 KB  Email 2 = 71 KB  Email 3 = 5 KB

Overall size: 19 KB + 71 KB + 5 KB = 95 KB

With the data accumulation enabled, one entry with the overall size is written in the database; without data accumulation, three database entries are written.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 434 IQ.SUITE DLP - DLP ANOMALY DETECTION 

11.2.3.3 Calculation of the Baseline Data

Baseline calculation is performed for all senders with existing Collect data in the selected Anomaly database.

Refer to the definition of “Baseline” under “Important Definitions” on page 428.

Open the Baseline Calculation tab:

 Calculation server: When sharing configuration with multiple iQ.Suite servers, email data from multiple iQ.Suite servers can be collected in the same database – depending on your configuration. Define here which iQ.Suite server is responsible for calculating and writing the Baselines. The calculation server is additionally responsible for deleting older Baseline data - regardless of whether it is a deletion as part of the maintenance process or caused by the 'Delete old Baseline data' option.

In a replicated multi-server environment, all Collect data of all iQ.Suite servers  must be replicated to the server that is responsible for the Baseline calculation.

 Calculate Baseline for the last day(s): Baseline calculation starts at the dates and times specified below. When you

click ADD, a schedule dialog opens.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 435 IQ.SUITE DLP - DLP ANOMALY DETECTION 

The values used to calculate the Baselines are the Collect data of the last days. Specify the number of days in this field.

 ‘Calculate overall Baseline for all senders’: Additionally to the sender-specific Baselines, an overall Baseline can be calculated over all email data from all senders available in the calculation period. Unlike the sender-specific Baselines, no daily values are saved for the overall Baseline.

This overall Baseline values are used during email analysis as comparison values for senders for whom no sender-specific Baseline exists in the database.

 ‘Delete old Baseline data’: With this option enabled, the Baseline values for which new updated values exist are deleted from the database during new calculation. The new calculated Baseline values will replace the deleted values. The thresholds are always determined based on the newest Baselines. Keeping the old values can be useful, for example, to observe the Baseline evolution of users over the time.

This option differs from the option ‘Delete Baseline data older than days’ in the Maintenance tab. With the latter option, values of users for whom no new calculation was performed are deleted as well. This is typically the case for employees who left the company and were removed from the addresses to be processed.

11.2.3.4 Database Maintenance

In the Maintenance tab, specify whether old Collect data, Baseline data and Live data is to be deleted from the database and when (dates and times) this maintenance is to be started:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 436 IQ.SUITE DLP - DLP ANOMALY DETECTION 

The data which is older than days, beginning with the start date of the maintenance, is deleted. With the settings in the example above, the maintenance starts every monday at 1:00 AM. Example:

If maintenance starts on 06/12/2016, all data which was stored in the database before 06/05/2016 at 1:00 AM is deleted.

The option ‘Delete Baseline data older than days’ differs from the option ‘Delete old Baseline data’ in the Baseline Calculation tab. Refer to note in the description of the option ‘Delete old Baseline data’.

For further information on the data types mentioned above, please refer to “Important Definitions” on page 428.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 437 IQ.SUITE DLP - DLP ANOMALY DETECTION 

11.2.4 Defining Analysis Criteria

To create criteria to be used to analyze emails, click DLP -> ANOMALY -> ANALYSIS

CRITERIA -> NEW. The analysis criteria can then be selected in the DLP Data Analyze Job.

An analysis criterion consists of a main criterion and a sub-criterion.

1. Select a main criterion. Here, decide on the one hand between “Baseline data” and “Live data” and on the other hand between “Email data” and “Attachment data”.

Example with the ‘Baseline email data (average)’ criterion:

Make sure that data matching the selected criterion is collected (refer to DLP  CONFIGURATION -> TAB: DATA COLLECTION).

2. In the Basics tab, proceed as follows:

Read the description text carefully to understand the purpose of the selected criterion.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 438 IQ.SUITE DLP - DLP ANOMALY DETECTION 

Use the Name field to specify a name for the analysis criterion. We recomm- nend to use a meaningfull name so that you can easily identify the target of the criterion.

3. In the Settings tab, select a sub-criterion. Example:

Read the description text carefully to understand the purpose of the selected sub-criterion.

The available sub-criteria depend on the selected main criterion. With the sub-criterion, specify which email property is to be analyzed, e.g. email size. Depending on your setting, the average value (property per email) or the daily value (property per day) is considered.

The average/daily value is checked against the thresholds specified below.

4. Concerning the criteria with Baseline data, you can specify absolute and/or relative thresholds, respectively for Warning and Error, and activate/desacti- vate these values for the analysis. Example:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 439 IQ.SUITE DLP - DLP ANOMALY DETECTION 

Here, the real-time email data of the sender is compared with the thresholds. These thresholds are calculated by adding the specified relative and/or absolute values (deltas) to the Baseline values of the sender. With ‘0’ (no tolerance), the Baseline itself is the threshold.

Examples for the calculation of average values and daily values:

Example 1: With the settings on the screenshot above, an average value is considered. To calculate the average value, the selected email property (here: email size) is divided by the number of emails which were sent by the sender during the Baseline calculation period. Example:

Mr. Galler sent within the calculation period 5 emails with an overall size of 112 KB. Average value: 112 KB : 5 = 22,4 KB

Example 2: With the setting ‘Baseline email data (daily)’ and the sub-criterion ‘email size (daily)’, a daily value is considered. To calculate the daily value, the email property (e.g. email size) is divided by the number of days in the calculation period. Example:

The Baseline calculation period has 7 days. Mr. Galler sent in this time period 5 emails with an overall size of 112 KB. Daily value: 112 KB : 7 = 16 KB

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 440 IQ.SUITE DLP - DLP ANOMALY DETECTION 

In the following tables, you will find respectively three examples with different Baselines and different threshold settings. The email to be analyzed has 113 KB.

Examples with absolute thresholds:

Baseline Absolute threshold Absolute threshold Thresholds email- for Warning for Error exceeded? size

120 KB 10 30 None of the thresholds

(120 KB+10 KB=130 KB) (120 KB+30 KB=150 KB) was exceeded.

90 KB 20 50 Only the threshold for

(90 KB+20 KB=110 KB) (90 KB+50 KB=140 KB) Warning was exceeded.

60 KB 20 40 Both thresholds were

(60 KB+20 KB=80 KB) (60 KB+40 KB=100 KB) exceeded.

Examples with relative thresholds:

Baseline Relative threshold Absolute threshold Thresholds email- for Warning for Error exceeded? size

120 KB 20 % 40 % None of the thresholds

120 KB+(120 KB x 0,2) 120 KB+(120 KB x 0,4) was exceeded. =144 KB =168 KB

90 KB 20 % 40 % Only the threshold for

90 KB+(90 KB x 0,2) 90 KB+(90 KB x 0,4) Warning was excee- =108 KB =126 KB ded.

60 KB 20 % 40 % Both thresholds were

60 KB+(60 KB x 0,2) 60 KB+(60 KB x 0,4) exceeded. =72 KB =84 KB

If you activate absolute AND relative thresholds, the option Both thresholds must apply to hit job actions is available. Which actions are executed in

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 441 IQ.SUITE DLP - DLP ANOMALY DETECTION 

which case, depends on whether this option is enabled. The following table indicates some of the possible scenarios (cases):

Case Absolute Relative Absolute Relative threshold threshold threshold threshold Warning Warning Error Error

1 exceeded exceeded not not exceeded exceeded

2 exceeded not exceeded not exceeded exceeded

3 not exceeded not exceeded exceeded exceeded

4 not not not not exceeded exceeded exceeded exceeded

5 exceeded exceeded exceeded exceeded

6 exceeded exceeded exceeded nicht exceeded

Which actions are triggered?

Fall Option is enabled. Option is disabled.

1 Warning Warning

2 Success Error

3 Success Error

4 Success Success

5 Error Error

6 Warning Error

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 442 IQ.SUITE DLP - DLP ANOMALY DETECTION 

5. Concerning the criteria with Live data, you can enter an absolute threshold (Limit per day), respectively for Warning and Error. Hereafter an example with the main criterion ‘Live attachment data (daily)’ and the sub-criterion ‘attachment count (daily)’:

The thresholds for the analysis with Live data are not sender-specific, but the Live data is collected per sender.

These thresholds are absolute values. They are used to define a daily limit for all senders respectively for Warning and Error. For each sent email, the Live data is compared with the defined limits. The time from 00:00 AM to 23:59 PM is considered.

For attachment criteria, select the Fingerprint category for which the analysis criterion is to be valid.

The fingerprint category selected here should be also selected in the DLP  Configuration specified in the DLP Data Analyze Job which uses this criterion. Otherwise, no data will be available in the database for the analysis based on this criterion and the criterion will have no effect.

Example:

Each sender is not allowed to send more than 7 attachments of the category “Microsoft Office” per day.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 443 IQ.SUITE DLP - DLP ANOMALY DETECTION 

David Galler sends on 02/01/2016 several emails (refer to table). The sender- specific daily value growths in the course of the day if the sender sends several emails with attachments. For each email, the daily value is compared with the limit (here: 7):

Sender Sent on 02/01/2016 Number of attach- Daily value -> at ments of the cate- Action gory “MS Office”

David Galler 07:10 AM 3 3 -> Success

07:47 AM 2 5 -> Success

08:05 AM 0 5 -> Success

10:11 AM 1 6 -> Success

13:05 PM 0 6 -> Success 15:47 PM 2 8 -> Warning

16:36 PM 3 10 -> Error

Up to the email at 1:05 PM, Mr. Galler does not reach his daily limit. With the email at 3:47 PM, the daily limit for Warning (7 attachments) is exceeded; with his email at 4:36 PM, Mr. Galler exceeds his daily limit for Error.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 444 IQ.SUITE DLP - DLP ANOMALY DETECTION 

11.2.5 Job for Data Collection and Baseline Calculation

The DLP Data Collection Job is responsible for the extraction and collection of email data which is then used to calculate the Baselines. The information required by the job for collecting data and calculating the Baselines is defined in a DLP Configuration.

1. Use the SAMPLE - DLP Data Collection Job or create a new job: DLP ->

MAIL JOBS -> NEW -> DLP DATA COLLECTION JOB7:

2. Open the Options tab in the Operations tab:

 DLP Configuration: Select a DLP Configuration to determine the database to be used by the job.

To avoid undesired effects, use for each DLP Data Collection Job a own DLP  Configuration with a own database. Under these conditions, different data can be collected in different databases by configuring multiple Data Collection Jobs.

 Collect data for emails without file attachments: With this option enabled, also data from emails which do not contain any file attachments is collected. If this option is not enabled, only data from emails with file attachments is collected.

7. This example only illustrates the job-specific details. For a description of the settings under standard tabs, please refer to “Standard Tabs for Jobs” on page 39.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 445 IQ.SUITE DLP - DLP ANOMALY DETECTION 

11.2.6 Job for Live Data Collection and Email Analysis

The DLP Data Analyze Job analyzes emails. The analysis is based on Baseline data and/or Live data and considers the analysis criteria defined in the job. Live data can be collected optionally.

11.2.6.1 Selecting DLP Configuration and Analysis Criteria

1. Use the SAMPLE - DLP Data Analyze Job or create a new job: DLP -> MAIL 8 JOBS -> NEW -> DLP DATA ANALYZE JOB :

2. Open the Options tab in the Operations tab:

 DLP Configuration: Select a DLP Configuration to determine the database to be used by the job.

If you are using multiple DLP Data Analyze Jobs with the same DLP  Configuration, make sure that the Live data of different users is not collected several times. Otherwise, the analysis of Live data criteria will be falsified.

8. This example only illustrates the job-specific details. For a description of the settings under standard tabs, please refer to “Standard Tabs for Jobs” on page 39.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 446 IQ.SUITE DLP - DLP ANOMALY DETECTION 

 Analyze emails without attachments: With this option, determine whether also emails which do not contain any file attachments are to be analyzed and whether Live data is to be collected for such emails (in case the option ‘Coll- ect Live data’ is enabled as well). If this option is not enabled, emails without attachments are skipped, i.e. for these emails, no Live data is collected and no analysis is performed.

 Collect Live data: With this option, determine whether Live data is to be collected by this job. If the DLP Configuration does not contain any Live data, analysis can only be performed with Baselines.

 DLP Analysis criteria: Select the desired analysis criteria from the list of the criteria previously created. Note that only the activated criteria will be considered for the analysis.

11.2.6.2 Actions in Case no Data exists / in Case Limits are exceeded

Use the Actions tab of the DLP Data Analyze Job to define the actions to be executed in which case:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 447 IQ.SUITE DLP - DLP ANOMALY DETECTION 

If an analysis criterion cannot be evaluated, e.g. because there is no Baseline for the given sender, the criterion is considered invalid for this sender. If all configured criteria are invalid, the analysis itself is considered invalid. Select in the drop-down list the actions to be executed in this case.

If no analysis criterion exceeds at leat one of the thresholds, the defined Success actions are executed.

If at least one analysis criterion exceeds the Warning threshold, the defined Warning actions are executed.

If at least one analysis criterion exceeds the Error threshold, the defined Error actions are executed.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 448 IQ.SUITE DLP - DLP ANOMALY DETECTION 

11.2.7 Combining DLP Anomaly Detection and DLP Review

Before being delivered, emails that have been analyzed and identified as being suspicious can be reviewed according to the dual control check of DLP Review:

The DLP Data Analyze job writes its analysis results into a definable email field. If the result value corresponds to a warning or an error, the email will be put into the Review database by a DLP Review job. Depending on the configuration, the reviewer will be notified and can approve or reject the email. Refer to “DLP Review” on page 412.

To make the scenario described above possible, proceed as follows9:

1. Under GLOBAL -> GLOBAL PARAMETERS, set the parameter ToolKit_UseDynamicRuleEvaluation to ‘YES’ and enable the parameter document.

2. Open the SAMPLE - DLP Data Analyze Job job or create a new DLP Data Analyze job10:

a) Enable the job. b) Under Email field for job result, keep the preset name DLPAnalysisResult. This name is part of the formula rules that control the moving of the email to the Review database.

3. Open the SAMPLE - Review Mails dependent on analysis result job or create a new DLP Review mail job11:

9. In the following, only the scenario-specific details are explained. 10. For further information on the job configuration, please refer to “Job for Live Data Collection and Email Analysis” on page 446.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 449 IQ.SUITE DLP - DLP ANOMALY DETECTION 

4. In the Basics tab: a) Enable the job. b) Default settings in the rules: The job applies to selected emails (Runs on field): According to the DLP Analysis Result Warning and DLP Analysis Result Restricted rules, only those emails which contain the ‘Warning’ or ‘Restricted’ value in the email field for job result are put in the Review database.

Value Description

Warning The email data to be analyzed has exceeded the threshold value for warning.

Restricted The email data to be analyzed has exceeded the threshold for restriction.

5. In the Operations tab, specify to which Review database the emails are to be moved.

11. For further information on the job configuration, please refer to “Sample Job: Move Emails from Credit Department to Review Database” on page 419.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 450 IQ.SUITE TRAILER - OVERVIEW   12 iQ.Suite Trailer 12.1 Overview

iQ.Suite Trailer allows to integrate individual Trailer texts into emails as disclaimers (so-called Trailers). With this, you can add greetings, company information, legal disclaimers or notices to emails that are sent to external recipients. With the additional option iQ.Suite Trailer Advanced, you can combine the Trailers with images such as company logos, vCards, images of the employees or QR code images.

Due to its flexibility, iQ.Suite Trailer allows to include text at every email position, for specific departments, groups, Internet domains or individuals, language- dependent, and/or for a limited period of time. Easy configuration and a central- ized administration help to optimize usage and improve the company’s image. Trailers are not only displayed on email clients but also in Apple and Mac appli- ances.

The text blocks of a Trailer document can be retrieved by sender from one of the databases you have created, with the sender information taken from your domain’s Domino Directory. Combined with rules, this lets you create “signatures” for different persons or departments without having to keep redundant information. Note that “signatures” in this context refers to a closing phrase and some sender-specific information rather than digital signatures.

Under Trailer Database all Trailer databases defined under GLOBAL -> DATABASE

DEFINITIONS are displayed. This menu entry is only visible if at least one Trailer database is configured. The data to be included in the Trailer is taken from these databases.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 451 IQ.SUITE TRAILER - OVERVIEW 

12.1.1 iQ.Suite Trailer vs. iQ.Suite Trailer Advanced

iQ.Suite Trailer Advanced is a supplement for iQ.Suite Trailer and provides additional features for appending Trailers.

 iQ.Suite Trailer When you use iQ.Suite Trailer without iQ.Suite Trailer Advanced, the Trailers are configured with a Trailer document and a Trailer Job (Mail Job). Refer to “iQ.Suite Trailer” on page 454.

 iQ.Suite Trailer Advanced When you use iQ.Suite Trailer combined with iQ.Suite Trailer Advanced, the Trailers are configured with a Trailer Advanced document and a Trailer Advanced Job (Mail Job). Optionally, further Trailer elements such as images, file attachments or search patterns can be used. Refer to “iQ.Suite Trailer Advanced” on page 465.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 452 IQ.SUITE TRAILER - OVERVIEW 

12.1.2 Procedure for Trailer Configuration

1. To attach a Trailer to emails, at least one configured Trailer Job or Trailer Advanced Job is required. Refer to “Configuring a Trailer Job” on page 460 or “Configuring a Trailer Advanced Job” on page 490.

2. Usually, every Trailer job contains at least one Trailer document with the content that shall be attached as Trailer. The Trailer documents are configured before configuration of the Trailer job. Then, these documents can be selected in the job (Operations tab). Refer to “Configuring a Trailer Document” on page 454.

3. With iQ.Suite Trailer Advanced, you can include Trailer images or Trailer attachments to the Trailer. In addition, you can use Trailer search patterns for Trailer positioning. Images, file attachments and search patterns are configured before configuration of the Trailer Advanced job. Afterwards, the configured documents for images and attachments can be selected in the job (Operations -> Selection tab).

Refer to:

“Conventional and Personalized Trailer Images” on page 467 “Trailer Attachments” on page 475 “Search Patterns” on page 473

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 453 IQ.SUITE TRAILER - IQ.SUITE TRAILER 

12.2 iQ.Suite Trailer

12.2.1 Configuring a Trailer Document

12.2.1.1 Trailer Document for a Legal Disclaimer

1. Click on TRAILER -> TRAILER DATABASE and open the desired configuration document for Trailer documents. In this example, the Trailer document SAM-

PLE - Legal Disclaimer is used. Click on EDIT:

a) Enable the document. b) Use the Language dependent field to attach a Trailer dependent on the language of the email text. For this, please note the further requirements

under “Adding Language-dependent Trailers” on page 459. By default the option ‚No‘ is set. c) Under Trailer Type the Trailer type for the selected Trailer document is preset. The option selected here reflects on categorization and storage of

the Trailer document under TRAILER -> TRAILER DATABASE. In the example the Trailer document is stored in the Legal disclaimer category. Use the arrow button to change category or to create a new one through the New Keyword field in the dialog, e.g. MyCategory. The Trailer document is stored under MyCategory. A categorization might be reasonable if there are several Trailer documents in various languages. Please note that the type selected here must match the type of the Trailer mail job1.

1. The special case of the 'Personalized' type is dealt with separately under “Scenario: Adding a Per- sonalized Signature” on page 464.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 454 IQ.SUITE TRAILER - IQ.SUITE TRAILER 

d) Use the Timed field to limit validity of a Trailer to a specific period of time, for instance the duration of a specific project. A calendar function is available to set the start and end dates. e) Under Trailer text, enter the text that shall be attached as a Trailer. Note: To ensure readability consider the total text length. If the Trailer type ‘Personalized’ is selected, placeholders such as %FirstName% can be used.  The settings for pagination are not available for the rich-text field Trailer Text.

12.2.1.2 Trailer Document for a Personalized Trailer

If employee-related data such as name and phone number shall be determined from the Domino Directory and appended as a Trailer (depending on the email sender), you can use the SAMPLE - Personalized Trailer document as a guideline for your own configuration2.

1. Click on TRAILER -> TRAILER DATABASE and open the sample document men-

tioned above. Click on EDIT:

2. For further information on adding pictures to personalized Trailers, please refer to “Scenario: Indivi- dual Signature and Personalized Image” on page 497.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 455 IQ.SUITE TRAILER - IQ.SUITE TRAILER 

a) Enable the document. b) Use the Language dependent field to attach a Trailer dependent on the language of the email text3. By default, the ‚No‘ option is set. c) Under Trailer type the ‚Personalized‘ option is set, by default. This allows to create individual signatures by including the personal data determined from the database. d) The Database for person data is the server’s Domino Directory (names.nsf) by default. All of the data needed for the Trailer text is determined from this database. e) The Lookup view field is used for searching for the personal data specified in the Database for person data field. The names.nsf database contains the Notes view ‚$VIMPEOPLE‘. This view includes the documents

3. For further Information, please refer to “Adding Language-dependent Trailers” on page 459.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 456 IQ.SUITE TRAILER - IQ.SUITE TRAILER 

that are checked for the personal data. Note: When several enabled Trailer documents use the same search term (e.g. the same date), the first Trailer found in the search view is used.

When you select the lookup view, please note that some views in the Domino  Directory do not differentiate between umlauts and accents. For example, the ‘$VIMPEOPLE’ view does not differentiate between “ue” and “ü” (among other things). If your Domino directory contains names which vary only in umlauts or accents, like e.g. Müller and Mueller, the used view should differentiate such names (e.g. the ‘$Users’ view). Otherwise, confusions may occur.

f) For the individual signature, iQ.Suite Trailer requires a search term to search for in the database (names.nsf). Under Field in email, enter the name of the field specified in the email. By default, this is the email field FROM. Thus, iQ.Suite Trailer reads the information in the FROM field, e.g. David Galler/Dev/[email protected]. Then, the email address David Galler/Dev/[email protected] is searched for in the names.nsf database. The placeholders in the Trailer text are replaced with the data found in the Domino Directory. g) Use the Default placeholder field to define the default content to be used in the event of an error. Whenever the sender of an email is not found in the Domino Directory, iQ.Suite Trailer will replace the placeholders specified in the Trailer text with the default content specified here. Adapt these values to your requirements. A typical entry is the company’s main telephone switchboard number and address. If no general terms are available, delete the default values. Otherwise, a blank line will be inserted in the Trailer for each blank field. Please make sure that no blank is entered before or after the equal sign. h) The Replacement multiple value text field is used to set how a placeholder is to be replaced with the content of a list field. 'Use all entries': the entire list field content is used to replace the placeholder. 'Use first entry only': The first entry of the list field is used.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 457 IQ.SUITE TRAILER - IQ.SUITE TRAILER 

Keep in mind that default values are only used if the corresponding field in the  database is empty. Therefore, please ensure the database specified in iQ.Suite Trailer is always up-to-date.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 458 IQ.SUITE TRAILER - IQ.SUITE TRAILER 

12.2.1.3 Adding Language-dependent Trailers

In order to append Trailer documents dependent on the language of the email, you can configure language-dependent Trailer documents. This means, if you create Trailer documents in several languages, the Trailer document is attached to the email in which the email text is written.

Note: For this, a job for language analysis has to be run before (Wall Mailjob  Advanced - DEFAULT - Language Identification).

To attach a language-dependent Trailer, proceed as follows:

1. Under IQ.SUITE TRAILER -> TRAILER DATABASE select the Trailer document

that shall be attached language-dependent. Click on the CONFIGURATION button in the main menu (no double click on the document).

2. Under Language choice click on the arrow button and select the languages of your Trailer texts from the dialog:

3. Save the language document.

4. Open the Trailer document to be attached language-dependent. Activate the ‚Yes‘ option in the Language dependent field and select the language of the Trailer text in the subsequent Language field.

5. Save the Trailer document.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 459 IQ.SUITE TRAILER - IQ.SUITE TRAILER 

12.2.2 Configuring a Trailer Job

If no images shall be used in the Trailer, you can configure a Trailer Job.

1. Click on TRAILER -> MAIL JOBS and open the desired Trailer job (not Trailer

Advanced), e.g. the DEFAULT- Add a Legal Disclaimer job. Click on EDIT:

a) Enable the job. b) According to the rules, the default settings of the job are as follows: The job will run on ‚Selected mails‘, i.e. emails sent via the own (company) domain (LocalSender) and addressed to at least one recipient outside the local domain (RemoteRecipient). Also, the email must not contain the ‚$Signature‘ field, i.e. the email does not have a valid Notes signature (NoSignPresent). This job adds a default Trailer to each unsigned email that leaves the company. If working in a replicated environment select the ‚just once‘ option. This is to prevent a Trailer from being appended more than once to the same email if the job is run on several servers.

2. Open the Operations tab:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 460 IQ.SUITE TRAILER - IQ.SUITE TRAILER 

a) The Append mode is preset to ‘Append always’. If several iQ.Suite Trailer Mail jobs are enabled, several Trailers will be added to the email. To avoid this, select ‘Only append when no other Trailer is used’. For iQ.Suite Trailer to be able to recognize whether or not a text has already been appended, the email must contain a special field. This field is only available for Notes emails, not for Internet emails. b) Text position: You can insert a trailer before or after the message body. If the option ‘By placeholder’ is enabled, the Placeholders in email field and additional options are displayed. By using one of the placeholders specified here, the users can decide at which position the trailer shall be inserted. For a description of the Placeholders in email field, please refer to “Placeholders” on page 494.

With the next option, define what should happen if multiple placeholders are found in the email. Refer to “If multiple placeholders are found” on page 494.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 461 IQ.SUITE TRAILER - IQ.SUITE TRAILER 

c) Under Mode define how the text is to be appended. Use the ‘Select Trailer of database’ option to select an existing Trailer document from a database. Use the ‘Calculate Trailer from database’ option to configure complex Trailer documents directly in the job, including language-dependent options and time limits. This mode requires licenses for language analysis. Please note that changes in this field affect the default configuration of your Trailer. d) The Trailer Database menu provides the databases, that are defined for

iQ.Suite Trailer on this server (under GLOBAL -> DATABASE DEFINITIONS). Define the database to be used to provide the required information for the Trailer text. It is possible to set up different databases for different user groups in order to append varying Trailer documents. e) Under Trailer document use the Select icon to select the desired Trailer document. Click on Edit or New to modify an existing enabled document or to create a new one. Refer to “Configuring a Trailer Document” on page 454. The default job uses the english text from the Trailer document preset as a legal disclaimer.

3. Open the Misc tab. By default, for Trailer jobs the Job is critical field is set to ‚No‘. This means that, in the event of an error, the email will be delivered without processing, i.e. without a disclaimer.

4. Save the job.

12.2.3 Scenario: Adding a Legal Disclaimer

You can append a legal disclaimer with legal information to emails such as privacy policies or copyrights. The Trailers are appended server-based to emails that are addressed to an external communication partner.

1. Configure a Trailer document. Refer to “Configuring a Trailer Document” on page 454.

2. Configure a Trailer job with the DEFAULT - Add a Legal Disclaimer job. Refer to “Configuring a Trailer Document” on page 454.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 462 IQ.SUITE TRAILER - IQ.SUITE TRAILER 

12.2.4 Scenario: Adding a Department Disclaimer

You can append specific Trailers with individual Trailer texts for certain departments or user groups e.g. Marketing Trailers, that are attached to emails from members of the Marketing group. For every department or user group for which an individual Trailer shall be attached, both  a separate Trailer job and  a separate database, is required. Create the databases under GLOBAL -> DATABASE DEFINITIONS.

To configure a job, proceed as follows:

1. Open the SAMPLE - Add a Department Disclaimer job or the SAMPLE - Add a Marketing Disclaimer job and modify it as follows4: a) In the Operations tab in the Append mode field enable the ‚Only append when no other Trailer is used‘ option to append only one Trailer. In the case that more than one Trailer is configured only the first Trailer document that is found in the iQ.Suite configuration will be used. b) Both SAMPLE jobs use the Trailer document SAMPLE - Department Disclaimer, by default. If required, modify the default settings. Refer to “Scenario: Adding a Department Disclaimer” on page 463.

2. Open the Misc tab. By default, the Job is critical field is set to ‚No‘. This means, in the event of an error, the email is to be delivered without processing, i.e. without a disclaimer.

3. Save the job.

4. Also refer to “Configuring a Trailer Document” on page 454.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 463 IQ.SUITE TRAILER - IQ.SUITE TRAILER 

12.2.5 Scenario: Adding a Personalized Signature

If employee-related data such as name and phone number shall be determined from the Domino Directory and appended as a Trailer (depending on the email sender), proceed as follows:

1. Create a Trailer job as described under “Configuring a Trailer Document” on page 454. However, use the SAMPLE - Add a Personalized Signature job and modify the following: a) Please note that you can define keywords (placeholders) to include a ‘personalized signature’. b) In the Operations tab in the Append mode field enable the ‚Only append when no other Trailer is used‘ option to append only one Trailer. In the case that more than one Trailer is configured only the first Trailer document that is found in the iQ.Suite configuration will be used.

2. Both SAMPLE jobs use the Trailer document SAMPLE - Department Dis- claimer, by default. Refer to “Configuring a Trailer Document” on page 454.

3. Open the Misc tab. By default for Trailer jobs the Job is critical field is set to ‚No‘. This means that, in the event of an error, the email is to be delivered without processing, i.e. without a disclaimer.

4. Save the job.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 464 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

12.3 iQ.Suite Trailer Advanced

In combination with a Trailer Advanced Job, further Trailer elements such as images can be integrated in the Trailers.

12.3.1 Using iQ.Suite WebClient for Trailer Utilities

Set up Access to Trailer Utilities

As well as in the iQ.Suite administration console in Notes, the Trailer Utilities (documents, images, file attachments and Notes data sources) can be viewed and configured in iQ.Suite WebClient.

The ACL of the Trailer Advanced database (g_trailer_advanced.nsf) is used to control the access to the Trailer Utilities through iQ.Suite WebClient:

A roles concept is used to set the users’ rights to the Trailer module of iQ.Suite WebClient.

In case of a new iQ.Suite installation, iQ.Suite sample groups for Trailer are registered in the ACL. Predefined roles are assigned to these sample groups:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 465 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

Trailer Role iQ.Suite Group Access Level

[Admin] IQSUITE-ADMIN Manager

[TrlCfgEditor]

[TrlCfgReader]

[TrlCfgEditor] IQSUITE-TRAILEREDITOR no access

[TrlCfgReader]

[TrlCfgReader] IQSUITE-TRAILERREADER no access

 IQSUITE-TRAILERREADER Users of this group have only the [TrlCfgReader] role and therefore are only authorized to view all Trailer Utilities in WebClient. They cannot edit the configuration of Trailer Utilities.

 IQSUITE-TRAILEREDITOR Users of this group have the [TrlCfgReader] and [TrlCfgEditor] roles and therefore are authorized to view and edit all Trailer Utilities. They can also delete Trailer Utilities which are not used.

 IQSUITE-ADMIN Users of this group have, additionally to the [TrlCfgReader] and [TrlCfgEditor] roles, the [Admin] role which implies unrestricted rights to the Trailer Advanced database.

In Notes, 'No Access' is provided for the users of the sample groups in order to ensure that these users can only view or edit the Trailer Utilities in iQ.Suite WebClient.

We recommend to assign to the iQ.Suite servers in use the ‘Manager’ access level and all Trailer roles. For this, you can use the predefined IQSUITE-SRV group.

You can adjust the sample groups, if required. Furthermore, you can create new groups in the Domino Directory and add them to the ACL with the desired roles. In case of an iQ.Suite update installation, no sample groups are available.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 466 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

For further information on iQ.Suite WebClient, please refer to the iQ.Suite installation manual.

Important Note in case both the Notes Client and the WebClient are used

Before creating or editing Trailer Advanced Jobs or Trailer Utilities in the iQ.Suite  administration console, lock the Trailer module for access by iQ.Suite WebClient in order to avoid data conflicts.

Open the Trailer Advanced database (g_trailer_advanced.nsf) and click on the top right side on the corresponding button:

Use the same button to unlock access.

12.3.2 Configuring Trailer Utilities (Optional)

In order to realize certain scenarios, you can use optional Trailer elements such as images, search patterns or Trailer attachments in the Trailer Advanced job or Trailer Advanced document. These optional elements are configured in advance and can be selected in the jobs or documents later on.

12.3.2.1 Conventional and Personalized Trailer Images

Frequently, the Trailers for HTML emails shall not only include text but also contain images. Images can be provided by one of the following Trailer image types:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 467 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

 conventional Trailer images  personalized Trailer images

Conventional Trailer Image

For the images that shall be used for all employees or a certain user group a conventional Trailer image can be used (e.g. for company logos or small icons). Con- ventional Trailer images are not stored in a Notes data source but imported to the iQ.Suite server.

To create a conventional Trailer image, proceed as follows:

1. Select TRAILER -> UTILITIES -> IMAGES -> NEW -> IMAGE, or open an existing

Image document and click on NEW.

2. Click in the new image document on IMPORT and select the desired image from the file system. Sample image:

Icons:

IMPORT Opens the file system to change the image displayed in the preview box.

EXPORT Opens the file system to export the image displayed in the preview box, e.g. for image processing.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 468 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

In addition, detailed information about the imported image is displayed (e.g., size, image format).

3. By default, the Name field contains the name of the image file. Adjust the name to your requirements.

4. Under Image category, select one category from the list of the existing image categories or specify a new image category.

5. Save the document. The image is loaded on the iQ.Suite server and is available in the image category.

The created image will be part of a Trailer if you insert it into a Trailer Advanced Document. Refer to example under “Scenario: Company Logo” on page 495.

Personalized Trailer Image

When the image refers to a single person such as an employees‘ photo or his/her scanned signature, create a personalized Trailer image. Personalized Trailer images are stored in a Notes database as a Notes data source by storing the user‘s image in a certain database field. Refer to “Scenario: Individual Signature and

Personalized Image” on page 497.

Image Categories

The conventional and personalized Trailer images are managed in image categories. By using image categories, you can build up a specific structure to store the images e.g. to use an individual category for the company logos or to store the employees‘ images by department. The image category is defined in the image document.

Under TRAILER -> UTILITIES -> IMAGES, you will find in the standard configuration the sample image categories SAMPLE - Company Logos, SAMPLE - Market- ing Images and SAMPLE - Personalized Images. The images available in those categories have been uploaded to the iQ.Suite server.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 469 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

The images must be provided as GIF, PNG or JPG and should be as small as  possible in terms of file size. We recommend you to use GIF or JPG images since these formats can be displayed by the mail clients and web browsers, usually. In addition we recommend you, not to exceed a file size of 200 KB. Large attachments could cause problems during transport or on recipient side.

12.3.2.2 Notes Data Sources

With Notes data sources, you can use Notes formulas to perform specific actions for any database, e.g. the Domino Directory. This allows for instance, to add an individual signature to an email.

The Trailer Advanced document SAMPLE - Personalized Trailer with Image contains various variables, which are resolved and replaced by the configured values when the job is processed. A Notes formula in the corresponding Notes data source is used to define how to resolve the variables. For instance, in the standard configuration, the address-specific variables [VAR]FirstName;[/VAR] or [VAR]LastName;[/VAR] are resolved according to the Domino Directory data and replaced with the corresponding personal data.

1. Create a new Notes data source: TRAILER -> UTILITIES -> NOTES DATA SOUR-

CES -> NEW -> NOTES DATA SOURCE:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 470 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

2. Specify a Name and perform the following settings:  Database: Path to the database from where the data for the Trailer text is taken (to resolve the variables). The path has to be specified relative to the server’s data directory. Default: names.nsf (Domino Directory).  View (for lookup): The Notes view of the database specified above contains the documents to be searched for the personal data by iQ.Suite Trailer. Default: ‚$Users‘. This data will replace the placeholders in the Trailer text.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 471 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

 Field (lookup formula): Valid Notes formula applied to emails, e.g. an email field name. Default: FROM. The result of the Notes formula specified here is used to select Notes documents from the Notes view (set under View (for Lookup)). The fields in the selected Notes documents are used as replacement text. Example: The employee Anna Glenn, listed in the Domino Directory, sends an email with an individual Trailer signature: The FROM field of the email is read to determine the email address, e.g. Anna Glenn/Mng/mycompany/[email protected]. The ‚$Users‘ view of the names.nsf is searched for Notes documents with that email address. The documents found are then used to replace text.

3. Click on CHECK FOR CORRECT FORMULA SYNTAX to check the syntax of the Notes formula. A dialog with the check result is displayed. A syntax error occurs when, for example, under Field (lookup formula) the value @dbtitle_ has been entered instead of @dbtitle.

4. Assign the configured Notes data source to a Trailer Advanced document:

UTILITIES -> DOCUMENTS -> -> TAB: NOTES DATA SOURCE ->

ICON: SELECT:

The order of the Notes data sources on the right affects the order in which text will be replaced. The first Notes data source in the list is the first one used for replacing text.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 472 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

12.3.2.3 Search Patterns

Trailers can be inserted at different positions within an email. The position is set in the Trailer Advanced job (Operations -> Selection tab). In some cases, however, it may be useful to search for specific patterns in the email. For instance, if the Trailers are not to be appended at the end of the email when forwarded (i.e. at the end of the original message), but at the end of the forwarding text (beginning of the original message), you need to define a search pattern that will identify the beginning of the original email text.  Every activated search pattern is used by the Trailer Advanced job automatically.

1. Create a new search pattern: UTILITIES -> SEARCH PATTERNS -> NEW ->

SEARCH PATTERN. Use the search patterns included in the standard configuration as a guideline:

2. Under Search mode, set how the search pattern is to be interpreted: If set to ‘Text’, the email fields are searched for the string defined as search pattern.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 473 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

If set to ‘Regular expression’, you can use regular expressions in the search pattern, e.g. including operators and wildcards. For instance, the search pattern .* .*/UNIT/ORG allows to find the email address Anna Glenn/UNIT/ORG, which would not be possible in text mode.

3. Specify the desired search patterns (for multiple languages where required). Search patterns can be entered in the Multiline and Line by line tabs: In Multiline, multiple search patterns are to be separated by line breaks. In this tab, you can quickly access the complete content of the field at once, e.g. in order to save it or to replace it entirely. In case of longer search patterns which stretch across several lines, it is difficult to see where the individual search pattern ends.

In Line by line, each individual search pattern is arranged line by line – not depending on its actual length – and, if required, are displayed in a shortened form. Icons to Add, Edit and Remove individual search patterns are available.

With the Edit dialog of Line by line, the complete search pattern of the

selected line number can easily be copied via the COPY ALL button, without additional manual marking. It is then available, e.g. for a text editor or a test tool for regular expressions:

Regular expressions allow to perform complicated replacements of text. Make  sure that the regular expressions you have defined are correct and comply with the syntax of the ICU library. Otherwise critical error situations may occur. Please note that regular expressions are not case-sensitive.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 474 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

4. Enable the document.

12.3.2.4 Trailer Attachments

12.3.2.4.1 Attachment Categories

Use Trailer attachments to append a file attachment stored in a database in a rule-based way. Unlike other Trailer elements such as Trailer texts or Trailer images the Trailer attachments are not integrated into the email body but are attached to emails like a conventional file attachment.

Types of Trailer attachments:  Text attachment Use a text attachment to append attachments from a Notes data source such as public or private PGP keys, S/MIME keys or pesonalized vCard data. A text attachment can be used to deliver iCalendar information that is entered into the recipients calendar software automatically. The data can be converted to QR code for appending data as a QR code image. With the text attachment SAMPLE- vCard available in iQ.Suite standard configuration, vCards can be attached. Refer to “Trailer Text Attachments” on page 476.

 Binary attachment Use a binary attachment to append binary file formats from the file system such as PDF or MS Office documents. With the binary attachment SAMPLE - Terms & Conditions available in iQ.Suite standard configuration, the binary attachment privacy_statement.pdf is attached. Refer to “Binary Trailer Attach- ments” on page 477.

 Personalized attachment Use a personalized attachment to append personalized files such as the employees‘ image or his/her scanned signature. The files must be stored in a field of a Notes database. Refer to “Personalized Trailer Attachments” on page 478.

Representation of Trailer attachments in the email is determined by the recipient‘s  mail client.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 475 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

The Trailer attachments are managed in attachment categories under TRAILER ->

UTILITIES -> ATTACHMENTS. By using attachment categories, you can build up a specific structure to store the Trailer attachments e.g. in order to store vCards separately or to sort the Trailer attachments by department. The attachment category must be defined in the attachment document.

12.3.2.4.2 Trailer Text Attachments

This example describes how to configure a Trailer text attachment by the example of a PGP key:

1. Create a new Trailer text attachment: ATTACHMENTS -> NEW -> TEXT ATTACH-

MENT:

2. Name: Name of the document. This name is used to list the Trailer attachment in the appropriate attachment category.

3. Perform the following settings:  Attachment category: Select an attachment category from the list of the existing categories or define a new attachment category.  Attachment name: This name will be used to name the attachment in the email.  Content type: For binary text attachments select the ‚Binary‘ option. If the content type for the attachment is not binary, select the ‚Custom‘ option and enter the correct content type in the following field.  Custom content type: This field is editable only, if ‚Custom‘ option is selected in the Content type field. In the example, the text attachment is

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 476 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

a text file of the content type ‚text/plain‘. The value of this field is written into the attachment‘s "content type" header.  Provide the text as QR code image in Trailer documents: Enable this option in order to convert the data defined under Content into QR code. With this, a QR code image is created, that can be selected in a Trailer document (HTML tab).

Once a QR code image is used in a Trailer document, this option cannot be  disabled and is grayed-out.

 Content: Enter the data for the Trailer attachment in this field. Use [VAR] variables to append the data set with variables from a Notes data source (e.g. the Domino Directory). When the data shall be provided as a QR code image, we recommend you, not to exceed 1500 characters. A larger quantity of data might not be displayed correctly.

4. Open the Notes Data Source tab and select a Notes data source. The Notes data source will be used to determine the replacement texts for the variables in the Trailer (e.g. user data from the Domino Directory names.nsf). If

required, define a new Notes data source. Refer to “Notes Data Sources” on

page 470.

5. Save the document.

6. In order to provide the data defined in the Trailer text attachment as a QR code image, a Trailer Advanced document is required. In the HTML tab of the Trailer Advanced document (e.g. SAMPLE - Signature with QR Code),

select the Trailer attachment (QR code image): BUTTON: IMAGES -> QRCODE

IMAGES. The QR code image is displayed.

12.3.2.4.3 Binary Trailer Attachments

In order to create a binary Trailer attachment, proceed as follows:

1. Create a new binary Trailer attachment: TRAILER -> UTILITIES -> ATTACHMENTS

-> NEW -> BINARY ATTACHMENT.

2. Select the desired binary attachment from the file system:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 477 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

3. Name: Name of the document. This name is used to list the Trailer attachment in the appropriate attachment category.

4. Perform the following settings:  Attachment category: Select an attachment category from the list of the existing categories or define a new attachment category.  Attachment name: This name will be used to name the attachment in the

email. To change the previously selected binary attachment, click SELECT

FILE.  Content type: The ‚application/octet-stream‘ content type is preset for binary attachments and cannot be changed. If this content type is not suitable for your attachment, select the ‚Binary‘ option and enter the correct content type in the following field.  Custom content type: This field is editable only, if ‚Custom‘ option is selected in the Content type field. Enter the content type for the attachment in this field.

5. Save the document.

12.3.2.4.4 Personalized Trailer Attachments

In the following example, a text file stored in a Notes database shall be attached depending on the sender (employee). For this, the text files must be stored in a certain field of a Notes database.

1. Create a new personalized Trailer attachment: TRAILER -> UTILITIES ->

ATTACHMENTS -> NEW -> PERSONALIZED ATTACHMENT:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 478 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

2. Name: Name of the document. This name is used to list the Trailer attachment in the appropriate attachment category.

3. Perform the following settings:  Attachment category: Select an attachment category from the list of the existing categories or define a new attachment category.  Field name: Enter the field name, in which the attachment is stored in the Notes data source. In the example, the sender related data has been stored in the customized field ‘UserTxT’. The first attachment found in this field will be used (here: the TXT file for this user).  Use original name of the file attachment: Since this option is enabled by default, the original attachment name is used as defined in the data source. In order to use another name for the attachment, disable this option and enter the desired name in the following field.  New attachment name: This name will be used to name the personalized attachment in the Trailer. With this, all attachments will be appended with the same name.  Content type: Depending on the attachment type, select the ‘Binary’ or ‘Custom’ option.  Custom content type: This field is only relevant if ‘Custom’ option is selected in the Content type field. Keep the default settings.

4. Save the document.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 479 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

12.3.2.5 ‘Copy To Sent Items’ Options

If you use the ‘Update sent documents’ action in a Trailer Advanced Job, it will

make sense to configure a Copy To Sent Items Option document under TRAILER

-> UTILITIES in the following cases:

The target database for the email copy cannot be determined correctly via the Principal or From field of the original email. The associated user mailbox or the mail-in database cannot be surely identified via the Domino Directory. In this case, use this configuration to select the database or email address or to specify a formula to determine this database or email address:

1. Specify a Name for the configuration.

2. Set the status to ‘Active’ to enable the configuration document.

3. Specify the Servers for which this configuration is to be used. Asterisk (*) means ‘alle servers’. In the Server exceptions field, you can exclude specific servers.

4. Use the Sender list field to select the addresses you want to be processed by using this configuration.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 480 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

5. If the ‘Copy to Sent Items’ action shall not be executed, no additional settings are required. In this case, this configuration document is used to exclude the selected senders from the action mentioned above.

6. If the ‘Copy to Sent Items’ action shall be executed, additional settings are required to determine the target database to which the email copy has to be put. This target database (mail-in database or user database) can be determined by means of various ways, by using a formula or not. In every case, you must specify the Destination type:

 With the ‘Database’ option, you can select the target database or specify a formula to determine this database. The target database must exist on the iQ.Suite server.  With the ‘Address’ option, you can select an address from the desired Domino Directory or enter a formula to determine this address. By means of this address, the target database can be determined via the Notes address.

The Target for action ‘Copy to Sent Items’ field is used to specify the formula or to select a database or an address.

The formula to determine the target address must result in a database or an address and can be checked for correct syntax.

7. If the Check existence of original email option is disabled, the email is copied even if the original email has not been found in the target database. If this option is enabled and the original email is not found, the ‘Copy to Sent Items’ action is not executed.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 481 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

12.3.3 Configuring a Trailer Advanced Document

Trailer Advanced documents (created under TRAILER -> UTILITIES -> DOCUMENTS)  can only be used for the Trailer Advanced Jobs (stored in the g_Trailer_advanced.nsf database). Trailer documents (created under TRAILER ->

DATABASE) can only be used for Trailer Jobs (stored in the g_Trailer.nsf database).

The TinyMCE editor in the Trailer Advanced documents requires Internet  Explorer 11 with activated JavaScript. JavaScript is activated by default.

1. Create a new Trailer Advanced document: UTILITIES -> DOCUMENTS -> NEW ->

TRAILER ADVANCED DOCUMENT:

2. Name the document, e. g. CeBIT - Hannover. Where required, enter the validity period for the Trailer. The Trailer will be appended to emails during the period set in the Start date and End date fields. Please note that the server time is specified here. If no dates are set, the Trailer remains valid indefinitely.

Only enabled documents are appended to emails (even if the job itself is  enabled). Advantage of enabling/disabling Trailer Advanced documents separately is a simplified administration. For instance, if usually several documents are appended to an email, but one of these documents is to be temporary omitted for some reason, you can simply disable the concerned Trailer Advanced document without changing the job configuration.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 482 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

3. Use the HTML and Plain text tabs to create and set the desired Trailer texts according to the email body format. The Trailer text specified in the HTML tab will be appended to email bodies in HTML format, while the Trailer text specified in the Plain text tab will be appended to email bodies in text format. Since HTML and plain text are not displayed in the same way, the Trailer texts may differ in layout and structure according to the email format. For instance, in unformatted plain text you can use line breaks for structuring purposes, while the HTML format allows to highlight text by way of font properties (bold, color, etc.). Please note that images can only be inserted into Trailers in HTML format.

12.3.3.1 HTML Trailer and Plain-Text Trailer

 HTML For HTML emails, the editor used (CKEditor) provides a multitude of formatting options to individually design the Trailer. Besides standard formatting options (such as font properties, including tables or links), this application also allows to insert images into HTML text. The HTML text specified here is inserted into the HTML email body of MIME emails5.

5. For further Information on the editing options, please refer to the CKEditor documentation.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 483 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

Images can be inserted with .

For contact information, different variables can be used which will be replaced with the data coming from the specified Notes data source (e.g. names.nsf). Insert the desired variables with .

If you open the source code (SOURCE button), you can also enter HTML code manually. However, please note that it cannot be guaranteed that the HTML functionality is fully supported by all email clients.

 Plaintext To append a Trailer to a Text email, the Trailer must be available in plain text. This means that the Trailer cannot be formatted in any way. Use the Plain- text tab to define another Trailer text or layout for text emails. This allows to adapt the Trailers to the specific requirements of plain text emails. The text specified here is inserted into the plain text email body of MIME emails.

If an email does have an email body, an empty plain text body is created after  which the Trailer document is inserted.

Also refer to the sections from “Variables for Notes Email Fields” on page 484 to “Inserting Image to the Trailer Advanced Document” on page 487.

12.3.3.2 Variables for Notes Email Fields

In trailers (HTML and Plaintext), variables for Notes email fields can be used:

Syntax: [VAR]note::[/VAR] Example: [VAR]note::subject[/VAR]

The [VAR]note::[/VAR] variable is replaced with the content of the corresponding email field.

The following field types are supported: text, text list, number, time and RFC822 text.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 484 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

If (e.g. ident) does not exist in the email, the variable (e.g. [VAR]note::ident[/VAR]) is not replaced and therefore entirely displayed in the trailer (including tags). If you want that, instead of this, an empty string is transferred in this case, a semicolon must be set before the [/VAR] tag, e.g. [VAR]note::ident;[/VAR].

If exists in the email but contains no value (i.e. not even an empty string), then the variable is replaced with an empty string.

12.3.3.3 [COND] Condition

In individual cases, it may make sense not to show specific Trailer lines in HTML or text emails, for instance when the Domino Directory does not contain a mobile phone number for all users. In this case, it would be better to omit the complete line in the Trailer. In the Trailer Advanced documents such as SAMPLE - Person- alized Trailer with Image the [COND] variable is used to this end. As an alternative, you can also insert the variable manually in the source text of any Trailer Advanced document.

Example:

Name: [VAR]FirstName;[/VAR] [VAR]LastName;[/VAR] Phone: [VAR]OfficePhoneNumber;My phone number[/VAR][COND]CellPhoneNumber; Mobile:[VAR]CellPhoneNumber[/VAR][/COND] Fax: [VAR]OfficeFaxNumber[/VAR]

The variables of the standard configuration are resolved for each address according to the information in the Domino Directory and replaced with the personal data, e.g. [VAR]FirstName;[/VAR] is replaced with the employee‘s first name.

Be sure to use the proper syntax. The first semicolon (here: after [COND]CellPhoneNumber;) must be followed by a line break. iQ.Suite Trailer checks whether an entry exists in the Domino Directory for the field specified after

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 485 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

[COND] (here: MobileNumber). If the Domino Directory does not contain an appropriate entry or no entry exists for this user, the entire line following the semicolon is removed from the Trailer - including [/COND] and the line break.

By default, HTML information included in fields is not interpreted as HTML. To take into account external HTML information in Trailer Advanced documents when the variables are evaluated, you can add a namespace before the variable in the HTML Trailer: [VAR]ishtml::variable;default[/VAR]

The ishtml:: entry means that the field already contains HTML. The variable (field content from the database) is not converted to HTML.

The validity of the replaced HTML text is not verified, i.e. it is essential to check  for correct syntax. The field referred to by the variable must be a text field or a text list field with the HTML text located in the first entry.

12.3.3.4 Text List Fields with Several Entries

Text list fields can be comprised of several entries (e.g. in the case of several phone numbers). Example: The text list field ‘OfficePhoneNumber’ contains the following entries: 0123-456-7 0123-456-8 0123-456-9

By default with Phone: [VAR]OfficePhoneNumber;My phone number[/VAR] only the first phone number is displayed in the Trailer: Phone: 0123-456-7

To display all phone numbers, change the entry to Phone: [VAR]multiline::OfficePhoneNumber;My phone number[/VAR]. This entry is displayed in the Trailer as follows: Phone: 0123-456-7 0123-456-8 0123-456-9

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 486 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

To indent the text for the last two phone numbers, change the entry to Phone: [VAR]multiline::{}::OfficePhoneNumber;My phone number[/VAR]. The text between the curly brackets is added in front of each entry.

To indent the entries for Text Trailers, add space signs for .

To indent the entries for HTML Trailers, use HTML commands. Usually, space signs are not displayed in HTML Trailers. Example: Phone: [VAR]ishtml::multiline::{
}: :OfficePhoneNumber;My phone number[/VAR]

In both cases, the text list field is displayed as follows: Phone: 0123-456-7 0123-456-8 0123-456-9

Please note that ishtml:: must not be entered between multiline:: and  {}::.

12.3.3.5 Inserting Image to the Trailer Advanced Document

You can integrate Trailer images physically in the Trailer Advanced document or as an HTTP link.  Images that shall be integrated physically have to be imported to the iQ.Suite server before the Trailer Advanced document can be used. Refer to “Conventi-

onal and Personalized Trailer Images” on page 467.  Images that shall be integrated by an HTTP link do not have to be imported. Email programs can load images via these links and display them to the recipient. Depending on the email client and the user settings, the images are displayed immediately, after a confirmation or after having clicked on the link. The advantage of the HTTP link is a reduced email size. For HTTP links, the following requirements must be met:

 The image is available in the Internet in a format supported by the web browser, e.g. JPG.  The sender’s email client sends emails in HTML format.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 487 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

 The recipient is online.

Procedure:

1. In the Trailer Advanced document, open the HTML tab. In the Trailer text, select the position where the Trailer image is to be inserted.

2. To insert an image, proceed as follows:

a) To insert an image physically, click on IMAGES and select from the drop- down list a Trailer image:

The list contains Image documents which are available under TRAILER -> UTI-

LITIES -> IMAGES6. The image is added in the HTML format.

To edit the properties of the image, click on the image and then on .

b) To insert an image as an HTTP link, open the dialog ‘Image Properties’ with and enter the URL to the desired image:

6. For information on creating a new Image document, please refer to “Conventional and Persona- lized Trailer Images” on page 467.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 488 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

 Alternative Text: Enter the text to be displayed in case the image cannot be displayed.  Width/Height: Enter the dimensions of the image in the HTML email (may differ from the original size). The values are entered in pixels or percent (in relation to the environment). If left empty, the image is used in its original size. Resets the dimensions of the displayed image to their original value.  Horizontal/Vertical space: Distance from the image to the text or left border of the document (set in pixels).  Alignment: Alignment of the image in the Trailer Advanced document: right-aligned, left-aligned or ‚‘ (no changes).

3. Click on OK.

4. If required, assign a Notes data source to the Trailer Advanced Document7. For this, open the Notes Data Source tab and click on the Select icon:

7. The Notes data source must be already configured. Refer to “Notes Data Sources” on page 470.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 489 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

Use the arrow buttons to add the configured Notes data sources to a Trailer Advanced document. The order of the Notes data sources right-hand in the dialog represent the order for the text replacement. The first Notes data source found in this list is used first.

12.3.4 Configuring a Trailer Advanced Job

In order to use images in a Trailer, a Trailer Advanced Job is required.

1. Click on TRAILER -> MAIL JOBS and open a Trailer Advanced job (no regular Trailer job), e.g. DEFAULT - Add Personalized Signature and Legal

Disclaimer. Click on EDIT. a) Activate the job. b) The job starts for ‚All Mails‘ by default. Modify the settings if required:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 490 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

According to the rules, the default settings of the job are as follows: The job will run on ‘Selected mails’, i.e. emails sent via the own (company) domain (LocalSender) and addressed to at least one recipient outside the local domain (RemoteRecipient). Also, the email must not contain the ‘$Signature’ field, i.e. the email does not have a valid Notes signature (NoSignPresent). This job adds a default Trailer to each unsigned email that leaves the company.

If working in a replicated environment select the ‘just once’ option. This is to prevent a Trailer from being appended more than once to the same email if the job is run on several servers.

2. Open the Operations tab:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 491 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

 Convert emails from Richtext to MIME: Usually, the Trailers are appended only to MIME emails. In order to append a Trailer to rich text emails, these emails first need to be converted to MIME. As this conversion could result in the loss of basic rich text functions such as ‘DocLinks’, the conversion option is disabled by default. No Trailer is appended to rich text emails8.  Ignore S/MIME signed emails: By default, no Trailer is appended to emails signed by the client (S/MIME signature). As iQ.Suite Trailer needs to modify the email to insert the text, the signature would be invalidated.  Disable automatic generation of HTML body: By default, MIME emails without HTML body are converted into the multi-part/alternative format. The HTML body is generated from a plain-text body (if available) in order that images in MIME emails with attachments (without text part) are correctly inserted. If you don‘t want this, enable this option.

3. In the Selection tab, specify the Trailer Advanced document(s) to be used by the job. To change the default setting, click on the Select icon.

8. In order to handle rich-text emails and MIME emails differently, use a ’Field Type Rule’ email rule, please refer to “Scenario: Individual Signature and Personalized Image” on page 497.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 492 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

All Trailer Advanced documents shown in the list on the right will be used by the job. The document at the top of the list (here: Marketing Trailer) is the first one to be appended. Use the top arrow buttons to change the order of the documents.

4. Use the Position tab to set the position at which the Trailer is to be inserted in the email.

The insert position of trailers is set globally in the job. If you want to insert two  Trailers at two different positions, e.g. a marketing Trailer at the beginning and a disclaimer at the end of the email, you need two Trailer Advanced jobs.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 493 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

Trailers can be inserted anywhere within the email message. The following options are available to determine the position:  Beginning of email message / End of email message: The Trailer is inserted before or after the email message.  Certain position in email message: The Trailer position is defined by a placeholder or a search pattern.  Placeholders By using defined placeholders, the trailer is inserted either automatically by the client or manually by the user at the desired positions within the email. For instance, to automatically add a sales-specific trailer to emails, freely define the placeholders which can be used for this trailer (here: %trailer-sales% and %trailer-vertrieb%). Each time one of the defined placeholders is found, it is replaced with the configured trailer.

 If multiple placeholders are found Define how to replace the placeholders in case multiple placeholders are found in the email9:

 ‘Replace first’: Only the placeholder that is found first will be replaced with the trailer. Note that the other placeholders will remain visible for the recipient of the email.  ‘Replace all’: All placeholders that are found in the email will be replaced with the trailer. With this, the same trailer may be placed at different positions within the email.  ‘Replace first and delete remaining’: Only the placeholder that is found first will be replaced with the trailer. The other placeholders are removed from the email.  Automatically detect position regarding Trailer patterns: The trailer is automatically inserted at the position defined by a search pattern. Refer to “Search Patterns” on page 473. The search pattern can be used to set, for instance, that a trailer is not to be appended at the end of the email body if it is forwarded (i.e. at the end

9. It doesn‘t matter whether these are different placeholders or the same placeholder is found several times in the email.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 494 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

of the original message), but at the end of the forwarding text (beginning of the original message).

This option can be combined with the ‘Placeholders’ option. In this case ‘Placeholders’ has the higher priority. The trailer will only be inserted at the position determined by the search pattern if no placeholder has been set by the user. If no position can be determined, the trailer is appended at the end of the email body.

 Add trailer at the end of email message if placeholder is missing: The trailer is automatically inserted at the end of the email. This option can only be used together with the ‘Placeholders’ option. If no insert position can be determined, the trailer is automatically placed at the very end of the email.

5. Activate the Trailer Advanced job, save your configuration and send a test email to yourself or any test user. If the trailer is placed directly behind the message text, enter the line breaks in the Trailer Advanced document manually.

12.3.5 Scenario: Company Logo

You can append images to trailers (e.g. a company logo):

1. Open the Trailer Advanced document SAMPLE - Marketing Trailer with

Image. Adjust the document to your requirements. Refer to “Configuring a Trai-

ler Advanced Document” on page 482. a) If required, limit the period of time for attaching the trailer. b) Select the desired company logo. Refer to “Inserting Image to the Trailer Advanced Document” on page 487.

2. Assign the configured Trailer Advanced document to a Trailer Advanced job (Selection tab in the job). Refer to “Configuring a Trailer Advanced Job” on page 490.

3. Activate the Trailer Advanced job, save your configuration and send a test email to a test user.

4. Sample test email including a configured trailer:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 495 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

The image is displayed regardless of whether it was inserted from the iQ.Suite server or via an HTTP link. Whenever an image cannot be displayed, a red cross ( ) is displayed instead. This can be due, among others, to a security setting of the email client (HTML viewer).

If the Trailer is appended right at the end of the message text, you can add manual line breaks in the Trailer Advanced document as required.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 496 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

12.3.6 Scenario: Individual Signature and Personalized Image

When you use a Trailer Advanced Job, you can extend the individual signature of the Trailer Advanced document with a personalized image. With this, the Trail- ers appended to emails, not only contain the personal data of the employee such as name and phone number, but also a picture of this person. Especially for sales representatives or service staff, this feature can be used to personalize the email Trailers. The pictures are inserted at the desired position in the HTML body.

Prerequisites:  For every employee for whom an image shall be appended a picture is available in a database document (in the Domino Directory or another Notes database).  The pictures are stored as a file attachment or inline within a rich text field (e.g. 'image') in the database documents. This rich text field is used in the personalized configuration documents later on. Therefore, the pictures do not have to be imported to the iQ.Suite server.

The pictures must be provided in GIF, PNG or JPG format and should be as small  as possible in terms of file size. We recommend you to use GIF or JPG images since these formats can be displayed by the mail clients and web browsers, usually. In addition we recommend not to exceed a file size of 200 KB. Large attachments could cause problems during the transport or on the recipient side.

Proceed as follows:

1. Open the Trailer Advanced document SAMPLE - Personalized Trailer with Image and adjust the document to your requirements. This document uses the personalized configuration document SAMPLE - Personalized Image in order to append individual pictures of the employees. If the Trailer Advanced document mentioned above is not available, create a new one10. You can copy the default values for personalized data from the Default placeholder field in the Trailer document SAMPLE - Personalized Trailer11.

10. Refer to “Configuring a Trailer Advanced Document” on page 482. 11. Refer to “Trailer Document for a Personalized Trailer” on page 455.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 497 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

2. The database that contains the pictures of the employees is defined as Notes data source. By default, the Trailer Advanced document SAMPLE - Person- alized Trailer with Image uses the Domino Directory names.nsf. This database can be modified in the Notes Data Source tab. If you use a different Trailer Advanced document or if the pictures are stored in another database,

create a new Notes data source, first. Refer to “Notes Data Sources” on

page 470. Then, select the new Notes data source in the Notes Data Source tab of the Trailer Advanced document.

3. Personalized Image Adjust the personalized Image document SAMPLE - Personalized Image

under TRAILER -> UTILITIES -> IMAGES to your requirements or create a new

personalized Image document: IMAGES -> NEW -> PERSONALIZED IMAGE.

4. Specify a Name for the document.

5. Under Image category, select one category from the existing image categories or specify a new image category for personalized pictures, e.g. Sales_Employees_Images.

6. Under Field name, enter the name of the rich text field in which the pictures are stored (in the Domino Directory or another database). In the example the pictures are stored in the rich text field „Image“. The image for an employee is

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 498 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

determined automatically from this field and is inserted in the email Trailer. The database is defined as Notes data source. Refer to step 2.

7. Assign the configured Trailer Advanced document to a Trailer Advanced job. Refer to “Configuring a Trailer Advanced Job” on page 490.

Using a Default Picture

If for an employee no picture is found (e.g. because for this employee no picture is stored in the database), a silhouette picture is inserted in the Trailer when using the Trailer Advanced document SAMPLE - Personalized Trailer with Image. The silhouette picture is stored as a default picture in the personalized configuration document SAMPLE - Personalized Image. Any image can be used as a default image (e.g. the Company logo).

To change the default picture, proceed as follows:

1. Import the picture which shall be used as a default picture to the iQ.Suite server. Refer to “Conventional Trailer Image” on page 468.

2. Click on SELECT IMAGE in the personalized configuration document and select the previously imported picture.

3. Save your configuration. If for an employee no image is found, the default picture will be used.

4. If you do not want to insert a default picture when using the Trailer Advanced document SAMPLE - Personalized Trailer with Image, add the command [COND]HasImage::;[/COND] in the HTML tab of the Trailer document. Please ensure the correct position of the ending [/COND] variable:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 499 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

12.3.7 Scenario: vCard Data as QR Code Image

A Trailer Advanced Job, e.g. SAMPLE - Add Personalized Signature with vCard and QR Code Image, can be used to extend the individual signature of the Trailer Advanced document with the sender‘s vCard data. With this, the Trailer appended to an email, not only contains the employee‘s personal data such as name and phone number, but also data of the electronic calling card of this person. Click on the vcard file attachment to import the calling card's data directly into the Domino Directory.

If required, the vCard data can be converted as a QR code image to enable recipients to scan the image with their smartphones. With this, the sender‘s vCard data is imported into the Domino Directory of their smartphone.

To provide data as a QR code image, we recommend you, not to exceed file size  of 1500 characters. A larger quantity of data might not be displayed correctly.

For configuration proceed as follows:

1. Open the Trailer text attachment SAMPLE- vCard under TRAILER -> UTILITIES

-> ATTACHMENTS:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 500 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

2. Name: Name of the document. This name is used to list a Trailer attachment in a Trailer attachment category.

3. Perform the following settings:  Attachment category: Select an attachment category from the list of the existing categories or define a new attachment category.  Attachment name: To determine an employee‘s first name and last name from the Domino Directory, preset variables are used. Depending on the sender the correct names are used in the attachment name of the vCard. The attachment name is the original name of the attachment. The name ends with a file extension (in this example: *.vcf). Keep the default settings.  Content type: In the sample document the ‘vCard’ option is preset. Keep the default setting in order to append vCard attachments.  Custom content type: Since this field is editable only if the ‘Custom’ option is selected in the Content type field, this field can be ignored in this example.  Provide the text as QR code image in Trailer documents: Enable this option in order to convert the data defined under Content into QR code.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 501 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

With this, a QR code image is created that can be inserted in a Trailer Advanced document (HTML tab). The QR code images are created in the PNG format.

Once a QR code image is used in a Trailer Advanced document, this option  cannot be disabled and is grayed-out.

 Content: Enter the data for the Trailer attachment in this field. Use [VAR] variables to append this content with variables from a Notes data source (e.g. the Domino Directory). When the data shall be provided as a QR code image, we recommend you, not to exceed file size of 1500 byte. A larger quantity of data might not be displayed correctly.

4. Open the Notes Data Source tab. Since the user data such as name and phone number is stored in a Notes database, e.g. in the Domino Directory (names.nsf), this data can be inserted to the Trailer. For this, configure a Notes data source and then select it in the Notes Data Source tab. Refer to

“Notes Data Sources” on page 470.

5. Save the document.

6. Open the Trailer Advanced job SAMPLE - Add Personalized Signature with vCard and QR Code Image. a) In the Operations tab open the Selection tab. Under Assigned Trailer Advanced documents, select the Trailer Text attachment SAMPLE- vCard. b) n the Operations tab open the Position tab. Specify the position the Trailer Advanced document shall be integrated into the email body.

7. Save the job. The configured Trailer attachment won‘t be integrated into the email body, but appended to the email.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 502 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

12.3.8 Scenario: Attaching Binary Attachments such as PDF

A Trailer Advanced Job can be used to attach binary attachments such as PDF or office files in a rule-based way. This section describes how to append the privacy_statement.pdf as a Trailer attachment.

For configuration proceed as follows:

1. Configure a binary Trailer attachment:

2. Open the sample text attachment SAMPLE- Terms & Conditions PDF under

TRAILER -> UTILITIES -> ATTACHMENTS:

3. Name: Name of the document. This name is used to list a Trailer attachment in a Trailer attachment category.

privacy_statement.pdf is preset. To use another file, click on SELECT FILE and select the desired file from your file system.  Content type: In the sample document the ‘Custom’ option is preset. Keep this default setting in order to append vCard attachments.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 503 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

 Custom content type: This field is editable only if the ‘Custom’ option is selected in the Content type field. Enter the content type of your attachment in this field. In the sample document the correct content type is preset. Keep the default settings to append PDF attachments.

5. Save the document.

6. If required, create a Trailer Advanced document. Refer to “Configuring a Trailer

Advanced Document” on page 482.

7. Open a Trailer Advanced Job. a) Enable the job and define the settings for the job. b) In the Operations tab open the Selection tab. Under Assigned Trailer Advanced documents, select the desired document(s). If no data from a Trailer Advanced document shall be attached, remove the preset documents with the Select icon. c) In the Operations tab open the Selection tab. Under Assigned Trailer Advanced Attachments, select the binary Trailer attachment SAMPLE- Terms & Conditions PDF.

8. Save the job. The configured Trailer attachment won‘t be integrated into the email body, but appended to the email.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 504 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

12.3.9 Scenario: Appending a Personalized Attachment

A Trailer Advanced Job can be used to attach a personalized attachment depending on the sender. In the following example, text files shall be attached depending on the employee.

For configuration proceed as follows:

1. Store the text files for your employees in any field of a Notes database, e.g. in a self defined field ‘UserTxT’.

2. Create a new personalized attachment. Refer to “Binary Trailer Attachments” on page 477.

3. If required, create a Trailer Advanced document. Refer to “Configuring a Trailer

Advanced Document” on page 482.

4. Open a Trailer Advanced Job. a) Enable the job and define the settings for the job. b) In the Operations tab open the Selection tab. Under Assigned Trailer Advanced documents, select the desired document(s). If no data from a Trailer Advanced document shall be attached, remove the preset documents with the Select icon. c) In the Operations tab open the Selection subtab. Under Assigned Trailer Advanced Attachments, select the previously configured personalized Trailer attachment.

5. Save the job. The configured Trailer attachment won‘t be integrated into the email body, but appended to the email.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 505 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

12.3.10Scenario: Update Sent Email in the Sender Mailbox

By default, a sent email is put in the ‘Sent Items’ folder before processing (i.e. without trailer), since the email is processed by the Trailer job only after it has left the email client.

With the Trailer-specific ‘Update sent documents’ action, the email is copied to the sender mailbox in the processed state. This allows the sender to see how his email including trailer is delivered to the recipient.

When sending emails from local replicas of the user mailboxes, the ‘Update  sent documents’ action does not work. The reason is that the sent email does not exist in the server replica, but only exists in the local replica at the time of sending.

In the job SAMPLE - Add Marketing Trailer with Image and Update Sent Items, the action mentioned above is enabled:

Important Definitions

 Original email: Sent email in the state it has before email processing, e.g. without trailer.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 506 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

 Email copy: Email in the state it has after email processing, i.e. in the state it is delivered to the recipient (e.g. with trailer).

The sender can perform the same actions on the processed email as on the sent original email, e.g. resend or forward.

Important Notes

To create the email copy, the original email is searched in the identified sender mailbox. In case the search is unsuccessful, the action is aborted with a warning in the Windows Event Log. No email copy is created.

The encrypted Crypt Jobs and PDFCrypt Jobs should be executed after Trailer Advanced Jobs which use this action12. Reason: When, depending on your configuration, the original email is deleted in the sender database and replaced with encrypted email copies, the sender cannot read the sent email anymore.

If mail server and iQ.Suite server do not run on the same computer, access issues to the mailboxes can exist. In this case, the action is not executed.

What does happen with Invitation Emails?

Contrary to invitations in MIME format (Form = Memo), invitations in Richtext format (Form = Notice) are not processed.

For every Notes invitation in MIME format, a document is created in the configured folder by using this action. If you don‘t want this, please note the information specified under Job Configuration, step 2.

Job Configuration

1. In the Success Actions tab, select the ‘Update sent documents’ action.

12. Refer to “Priorities” on page 82.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 507 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

If several Trailer jobs are to be executed in the configuration and it is not possible,  because of the defined rules, to foresee which job will be executed last, then a Trailer Advanced job with an empty Trailer document should be configured and activated extra for the update action. This job should be executed after all other Trailer jobs. Furthermore, the update action should not be activated in other Trailer Advanced jobs because the email should be updated in the sender mailbox only once after the complete Trailer processing.

2. Define in which folder of the sender mailbox the email copy will be put and whether the original email will be deleted:  ‘Replace the original sent document’ (default): The original email will be deleted and instead of that the email copy will be stored in the view of sent emails (Sent view) by default. With the ‘Create new document in custom folder’ option enabled, a different folder can be specified instead of this view.

If the original email was not in the view of sent emails, but was stored in a diffe-  rent folder, this folder will not be used for the email copy.

 ‘Create a new document‘: The original email remains in the sender mailbox. By default, the new document (email copy) will be stored in the view of sent emails.

With the ‘Create new document in custom folder’ option, the email copy can be stored in a custom folder. Use the input field to specify the name of the desired folder. If you want to use a subfolder (i.e. on level 2 or deeper), specify the path of the folder hierarchy. Separate the path elements with backslashes. Specified folders which do not exist yet will be created automatically. Example: folder1\subfolder1

3. Optionally, the subject of the email copy can be extended with a custom extension. Determine whether the extension is to be set before the original subject (‘at the beginning’) or after the subject (‘at the end’).

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 508 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

In the input field, specify the extension to be used. To differentiate the extension from the subject, you can use brackets.

Example: Your contract information [draft]

4. Emails addressed to multiple recipients can be split by the Notes client or a Split job13 to be processed by different Trailer jobs, for example. If the ‘Generate only one copy for all split emails’ option is disabled (default), then a own copy is created for each email which has been created due to splitting. In this case, only the trailer which is valid for the recipients of the respective copy is visible in each copy. If the option is enabled, only one email copy is created and the trailer in the copy may consequently not be valid for all recipients of the email. Also refer to Important note: Updating the email recipient fields.

To exclude certain emails from the copy actions, you can either use a rule or configure a ‘Copy To Sent Items’ option.

In some cases, it can make sense to additionally configure a ‘Copy To Sent Items Option’ document. Refer to “‘Copy To Sent Items’ Options” on page 480.

Important note: Updating the email recipient fields

The email recipient fields in the sender mailbox are not updated in any case. This depends on whether the checkbox Generate only one copy for all split emails is enabled:

 If the checkbox is checked and the email was splitted in several emails and each of these emails were respectively sent to a part of the recipients, the email in the sender mailbox is updated from only one of the processed emails. The recipient fields SendTo, CopyTo and BlindCopyTo are not updated. Therefore, the email in the sender mailbox contains all recipients, but it has the state of only one of the processed emails. This state does not match the state received by all email recipients.

13. Refer to “iQ.Suite Split” on page 94.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 509 IQ.SUITE TRAILER - IQ.SUITE TRAILER ADVANCED 

 If the checkbox is not checked, the job assumes that additional email copies will be sent to the sender mailbox. These copies may contain different trailers. Therefore, the recipient fields SendTo, CopyTo and BlindCopyTo are updated when the email in the sender mailbox is updated, so that each email copy in the sender mailbox only contains the recipients who receive the email in the respective state.

Common use case:

Emails to external recipients should contain a trailer and emails to internal recipients not. In this case, you can use only one Trailer Advanced Job and use the fact that emails to internal and external recipients are usually splitted by the Notes Client since the internal recipients receive a rich-text email and the external recipients a MIME email. According to this, the checkbox Convert emails from Richtext to MIME (in the Operations tab of the job) is not checked. If the emails in the sender mailbox are updated by using this job, only one copy is sent to the sender mailbox since the job does not process the rich-text emails. Depending on whether the checkbox Generate only one copy for all split emails is checked, the fields SendTo, CopyTo and BlindCopyTo of the updated email contain either all recipients or only the external recipients.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 510 IQ.SUITE CLERK -   13 iQ.Suite Clerk With iQ.Suite Clerk emails can be permanently redirected or temporarily forwarded, e.g. due to vacation, illness or business travels. In case of a frequent recurring absence a periodic forwarding can be configured, e.g. for part-time employees.

Emails from different senders or Internet domains can be delivered to different deputies and exceptions can be defined for special emails, e.g. for emails with confidential information. Where required, notifications and read confirmations can be sent to senders, recipients and deputies. In addition, in case of non-periodic forwarding, calendar entries for absence periods can be created automatically and Info emails notifying of the absence can be sent in advance.

The basic functionality of iQ.Suite Clerk is defined by the administrator in the

Admin Portal. User access is provided through the “iQ.Suite User Portal” on

page 126. This enables the local users to create their own redirections or forwardings to specific persons or groups for the time period of their absence.

The Absence Settings by User category displays the redirection and forwarding documents, that were created by the local users. The view for the absence settings is the g_del.nsf database by default. If required, additional databases can be created. In the iQ.Suite pre-configured configuration documents for redirection and forwarding are available. You can change the configuration or create new

documents using the NEW button.

With the Absence Templates the administrators can create templates for persons, user groups and departments. On the basis of the rule set defined within the templates, the local users create their own forwarding documents.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 511 IQ.SUITE CLERK - 

The Clerk Protocols are used to log email redirection and forwarding. Each document contains information such as date/time of arrival and processing, server name, original email recipient, etc. The default Clerk protocol database is g_clerkprot.nsf.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 512 IQ.SUITE CLERK - IQ.SUITE CLERK OVERVIEW 

13.1 iQ.Suite Clerk Overview

13.1.1 Clerk in the Admin Portal and the User Portal

The basic functionality of iQ.Suite Clerk is defined by the administrator with the

settings of the Admin Portal. User access is provided through the “iQ.Suite User

Portal” on page 126. This enables the local users to create their own redirections or forwardings to specific persons or groups for the time period of their absence. Since the iQ.Suite User Portal can also be configured via Web access, external working employees can use the iQ.Suite Clerk absence management, as well.

Based on these definitions the internal users create their own configuration documents in the iQ.Suite User Portal. The configuration documents are preset, hence only few changes have to be made by the local users, e.g. to enter the time period of their absence or to define the deputy. You can use the iQ.Suite User Portal rights/roles scheme to grant internal users individual access rights on iQ.Suite Clerk.

Each redirection or forwarding document is stored in the central Clerk database (in the Admin Portal under Absence Settings by User) and not in the users’ mail database. This enables authorized internal users to create redirection or forwarding documents for other employees1. This possibility is useful in the event of illness, when an employee cannot come to work in order to activate the absence management system. In this case authorized users, e.g. a secretary, can handle this task.

Administrators can use the sample configuration documents for redirection, reg-  ular forwarding and periodic forwarding contained in the Admin Portal and the User Portal. Internal users can see these documents only, if the correct access rights are set in the User Portal.

1. The rights management is described under “Rights/Roles Concept in iQ.Suite User Portal” on page 136.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 513 IQ.SUITE CLERK - IQ.SUITE CLERK OVERVIEW 

13.1.2 Forwarding vs. Redirection

13.1.2.1 Regular Forwarding

Forwardings are limited to a certain time period and can be configured by the local users in the User Portal, e.g. in case of vacation or business travels. In the configuration document Forward the user specifies the time period of his/her absence and defines the deputy, who will receive a copy of each email addressed to the (absent) user.

The original email remains with the original recipient. In addition, Clerk can be configured to notify the email sender with an out-of-office reply of the fact, that the original recipient is unavailable. Also a calendar entry can automatically be created for the given period of time.

In case that a user has not arranged his absence, e.g. in the event of illness, iQ.Suite Clerk provides possibilities of granting special access rights to certain users. For example, for employees of the HR department. Such authorized users can arrange the email forwarding for other local users.

13.1.2.2 Periodic Forwarding

At periodic recurring absence of a user, e.g. for part-time employees, it is possible to arrange a periodic forwarding to a deputy on an hourly time scale for specific days of the week. For this, the configuration document Periodic forward is available. The configuration settings mostly match with those of a regular forwarding.

13.1.2.3 Retroactive Forwarding

The retroactive forwarding is a supplement for email forwarding or redirection. Without use of the retroactive forwarding, emails are delivered to a deputy not before an authorized user has arranged a redirection or forwarding in iQ.Suite Clerk. In the case a redirection or forwarding is only enabled at the 3rd day of the user‘s absence, the emails of the two days before are not available for the deputy. By use of the retroactive forwarding, this gap is closed.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 514 IQ.SUITE CLERK - IQ.SUITE CLERK OVERVIEW 

Retroactive forwarding requires activation of retroactive email processing or collecting emails for a posterior activation of retroactive email processing: To enable retroactive forwarding, the emails must be available for iQ.Suite Clerk. For this, before activation of the retroactive forwarding, the email communication is stored in archival databases and necessary email data is logged in special log databases. With the help of this data, emails are forwarded retroactively from the archival databases later on. New archival and log databases are created daily.

If a retroactive forwarding is arranged, the original recipient receives a summary notification with all emails that were forwarded retroactively. In addition, the user

can request a forwarding summary that lists all forwarded emails (FORWARDING

SUMMARY button). Also a calendar entry can be automatically created for the given period of time.

In case retroactive email processing is activated, retroactive sender notifications can be sent as well. The sender receives a notification for a past time period – no matter whether the email has been forwarded retroactively.

If retroactive forwarding is enabled, every email that arrives on the mail server  will be archived and logged. Before enabling this feature, please ensure sufficient storage space. Formula for evaluation of the required storage space:

Required storage space = (Ø email size x amount of emails per day x days of retroactive forwarding) x 2.

If necessary, reduce the time period for the retroactive forwarding: GENERAL

DATABASE SETTINGS -> FIELD: START OF RETROACTIVE PROCESSING.

If required, you can enable notification on scarce disk space which can be

explained by use of retroactive forwarding: MAIL JOB -> OPERATIONS TAB-> SEND

WARNING AS OF.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 515 IQ.SUITE CLERK - IQ.SUITE CLERK OVERVIEW 

13.1.2.4 Redirection

A redirection is permanently established, to always assign incoming emails to a deputy. The mailbox of the original recipient is not charged since the original email is delivered to the deputy. A redirection can be established, for example, for a managing director to redirect the emails addressed to him, to an assistant or the office of the general manager. The email senders are not informed of the redirection.

Also at collaborative usage of public folders, a redirection might be reasonable. Example: A user has entered his/her email address in a mailing list. Emails received from this list are to be stored in a public folder instead of being delivered to his/her mailbox. Since the sender is a mailing list, you may not want to send an automatic notification of this redirection to the sender.

13.1.3 Information on Absence Documents

13.1.3.1 Priorities of Forwarding Documents

Administrators can define for users or user groups the number of redirection and forwarding documents that are taken into account by the job. If there are several forwarding documents for one user, it is possible that the validity periods of the documents overlap.

In such a case, please consider the priorities for forwarding documents:  The priority of a regular forwarding document for a user is higher than the priority of his/her periodic forwarding document. This ensures that an employee who is absent periodically can create a regular forwarding document for his/her vacation without having to deactivate the periodic forwarding document.  If there are two activated regular forwarding documents available, the one with the earlier start time has a higher priority. If the start time is the same, the document with the lower Note ID has a higher priority.  If there are two activated periodic forwarding documents available, the one with the earlier day of the week has a higher priority. The Monday is defined as the week‘s start day. If the days of the week are the same, the document

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 516 IQ.SUITE CLERK - IQ.SUITE CLERK OVERVIEW  with the earlier start time has a higher priority. If both settings are the same (the day of the week and the start time), the document with the lower Note ID has a higher priority.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 517 IQ.SUITE CLERK - IQ.SUITE CLERK OVERVIEW 

13.1.4 Databases

According to the configuration of iQ.Suite Clerk several databases are created. Most of these databases are available only for administrators.

13.1.4.1 Clerk Database

For the module iQ.Suite Clerk the g_del.nsf database is used by default. This database can be displayed and accessed by the local users with the iQ.Suite User Portal.

13.1.4.2 Clerk Protocol Database

To record the operations of redirections and forwardings the Clerk protocol database g_clerkprot.nsf is preset. If you have created several Clerk databases or several Clerk protocol databases in the database definitions, these databases are displayed in the Admin Portal and User Portal and can be administrated2.

13.1.4.3 Clerk Archival Database

The Clerk archival databases are created only if emails are forwarded retroactively. To enable retroactive forwarding with iQ.Suite Clerk the emails must be available. For this, email communication is stored in the archival databases before activation of the retroactive forwarding. Using this data, certain emails can be forwarded retroactively from the archival databases later on. Every day a new archival database is created (g_clerkarchive.ntf template) and stored under %DATADIR%\Clerk by default. Archival databases that are no longer needed are deleted automatically.

Note that for data protection reasons no access to these databases is intended. Access is only possible with the [Archive-Access] role.

2. Refer to “Database Definitions” on page 25.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 518 IQ.SUITE CLERK - IQ.SUITE CLERK OVERVIEW 

13.1.4.4 Clerk Log Database

The Clerk log databases are created along with the Clerk archival databases if retroactive forwarding functionality is enabled. When email communication is stored in the archival databases, relevant information is logged to the log databases. This information is required to enable retroactive forwarding.

For each created archival database a corresponding log database is created in the same directory as the archival database. For this the g_clerkprot.ntf template is used. Log databases that are no longer needed are automatically deleted along with the archival databases.

Note that for data protection reasons no access to these databases is intended. Access is only possible with the [Log-Access] role.

13.1.4.5 Clerk Notifications Database

The Clerk notifications database (notifications.nsf) is essentially required to inform email senders with an out-of-office reply about the fact that his/her email was redirected or forwarded. The email data required for sending notifications are stored in the Clerk notifications database.

The database is created within the same directory as the Clerk archival database/ log database are stored (in a subdirectory). Please note that no modification/access on the Clerk notifications database is intended. g_connect.ntf is used as database template.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 519 IQ.SUITE CLERK - SERVER-BASED SETTINGS (BY ADMIN ONLY) 

13.2 Server-based Settings (by Admin only)

As administrator, you set the server-related iQ.Suite Clerk configuration in the Admin Portal. The user-specific settings defined in forwarding or redirection documents are based on these server-based settings.

13.2.1 Absence Templates

13.2.1.1 Notes on Absence Templates

Internal users create their forwarding documents based on the absence templates defined by administrators. Due to the template definitions, configuration is reduced for local users. This ensures simplified absence management for the users.

In the absence templates administrator can restrict the actions that are available and customizable for the users, e.g. to prevent that certain tabs are displayed or that the default texts can be modified. With this, various configuration possibilities can be granted for different users or user groups.

The texts from the absence templates can be reused: Under ABSENCE TEMPLA-  TES set the cursor on a template and click on NEW. Note that this only copies the texts from the template but not its configuration.

The absence templates can be categorized as follows:

 Persons: A template for a person is valid only for this specific user. Use this template type to define exceptions for a certain user.  Groups: A template for a group is valid for one user group.  Departments: A template for a department is valid for one or several user groups that are members of the department.  Default: The default template is only used if no other absence template is defined for the user.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 520 IQ.SUITE CLERK - SERVER-BASED SETTINGS (BY ADMIN ONLY) 

The priority of the template falls from above to below. If there is a person template  and a group template for a user, the person template is used for the redirection and forwarding documents. At configuration of several group or department templates the priority also sinks from above to below. If a user is assigned to several user groups, the valid template at first position is used. Position can be changed with the icons.

13.2.1.2 Creation of Absence Templates

In the following example, a department template for the marketing department is created.

To prevent complexity for the users, some fields can be grayed-out for the users  (‚Not visible‘ option). Furthermore, with the selection dialogs you can define the fields to be editable (Default) or not editable (grayed-out).

1. Click on CLERK -> ABSENCE TEMPLATES -> NEW -> DEPARTMENT:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 521 IQ.SUITE CLERK - SERVER-BASED SETTINGS (BY ADMIN ONLY)  a) Under Settings are valid for select the desired department (here: Mar- keting Department). Only one user group can be selected from the Dom- ino Directory. b) Under Address selection mode define the eligibility for address selection:  ‚Selection from address book‘: A user assigned to the marketing department can select any number of addresses from the Domino Directory. The redirection or forwarding document is consequently valid for several users.  ‚Single selection from address book‘: Only one address can be selected from the Domino Directory. The redirection or forwarding document is consequently valid for one user only.  ‚No selection‘: no address can be selected. A user assigned to the marketing department can create a redirection or forwarding only for himself/herself but not for other local users. c) Hide ‘Forwarding summary’ action: By default, absent users can request a summary of the emails which were forwarded for him/her in the

absence time period. For this, the user can click on the FORWARDING

SUMMARY button in the redirection or forwarding document. As a prereq-

uisite, the job processing must be logged (job document: OPERATIONS TAB

-> WRITE PROTOCOL). Otherwise, no entries are displayed in the forwarding summary. If end users are not to be allowed to use this action, click ‘Not visible’. d) Hide ‘Description’ field: By default, the Description field is displayed in the absence documents (Settings tab). If you don‘t want this, click ‘Not visible’. e) Under Status, specify the default status of the forwarding documents. By default, the forwarding documents receive the status ‚Active‘ and this status is ‚Editable‘. f) The Forward emails field is set to ‚Yes‘ by default to generally forward emails and notify the senders. We recommend to keep the default settings. If emails shall not be forwarded but merely the email senders shall receive an out-of-office reply for the absence of the user (here: employee

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 522 IQ.SUITE CLERK - SERVER-BASED SETTINGS (BY ADMIN ONLY) 

of the marketing department), enable the option ‚No - only notify sender‘. With ‚No - don‘t notify sender‘, the emails are not forwarded and the senders are not notified.

Sender notifications can be sent only if the Allow sender notification option is set to ‘Yes’ in the Notifications tab or Notifications Periodic tab. g) In the Use for Quarantine Access field, set whether the forwarding recipient (deputy) is to be granted access to the quarantined emails of the forwarding person by default. h) In the Use for Calendar entries section, specify whether, in the forwarding documents, the settings for creating calendar entries shall be displayed and whether the user shall be allowed to change them. With ‘Yes’ enabled, the option to automatically create calendar entries will be preset in the forwardings documents (default: ‘No’). If ‘Yes’ is enabled here and ‘No’ is set in the Clerk Database Settings under Create calendar entries (Calendar tab), a conflict message is displayed. If required, click the Edit of Clerk Settings icon:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 523 IQ.SUITE CLERK - SERVER-BASED SETTINGS (BY ADMIN ONLY) 

A Calendar document consists of a header (red frame) and a descripi- tion (green frame)3 – Example:

i) Use the Subject / Body fields to enter the text to be displayed as subject/body in the calendar entries by default. The following placeholders can be used:  %ABSENTEE%: absent person‘s name  %STARTTIME%: start time of the absence  %ENDTIME%: end time of the absence For further information on these placeholders, please refer to “Placehol- ders” on page 59.

3. The illustration is valid for a mail database template of Version 8.5.3.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 524 IQ.SUITE CLERK - SERVER-BASED SETTINGS (BY ADMIN ONLY) 

j) Use the Category field to enter arbitrary text for the category of the calendar entries, for example ‘Vacation’. k) Use the Mark as private field to set whether to mark the calendar entries as “private”. If ‘Yes’, other people can only see the period of absence. l) Use the Mark as available field to set whether the user is available during her absence (e.g. for online meetings). This information is visible in the Notes scheduler area of the new appointment and therefore can be taken into account when new appointments are scheduled. m) In the Location of absence field, you can enter arbitrary text. This information might be helpful for other users, for example in case you are working alternately at several locations. The lower part of the calendar document (Description) consists of:

 Arbitrary text for the notification .  Arbitrary text that tells the user by which tool the calendar entry had been created .  A product logo .  A message requesting not to edit the calendar entry since changes can be overwritten by changing the corresponding Clerk forwarding document .  Meta data about the last modification date and time of the calendar entry and about the server on which it has been created .  A link to the Clerk forwarding document from where the calendar entry has been created .

n) If you enable the ‚Not visible‘ option in the Entry of hours/time zones (non-periodic forwarding) field, the users will not be able to modify the time zone or to configure a forwarding on an hourly time scale. o) To simplify Clerk configuration for the users, the Exceptions, Misc and Infomail tabs in the configuration documents of the users can be hidden. For this, enable the ‚Not visible‘ option.

2. Notifications

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 525 IQ.SUITE CLERK - SERVER-BASED SETTINGS (BY ADMIN ONLY) 

The definitions in the Notifications tab affect the documents for regular forwarding. a) Under Message for forwarding recipient, write the Text for the out-of- office reply to be sent by default to the forwarding recipient (deputy). For example, enter a request for processing the forwarded email.

Subject

Enter a subject in the Subject field. The following placeholders can be used:

 For the subject of the original email: %SUBJECT%  For the deputy: %DEPUTY%, %CLERK%, %DELEGATE%, %VERTRETER%, %ADJOINT% The name of the deputy defined in the Clerk document is identified and interpreted.

These placeholders are replaced at runtime with the current entries. Sev- eral addresses are separated with a comma.

Text

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 526 IQ.SUITE CLERK - SERVER-BASED SETTINGS (BY ADMIN ONLY) 

In the Text field, write the text for the out-of-office reply. The following placeholders can be used:

 %START-DATE%, %END-DATE% oder %FINAL-DATE%  %START-TIME%, %END-TIME%  %START-ZONE%, %END-ZONE%

For more details on these placeholders, refer to Placeholders -> Place- holders in iQ.Suite Clerk.

These placeholders are replaced with the current entries when saving the configuration document.

Contrary to the sender, the forwarding recipient does not receive any separate notification email. The text specified here is inserted into the original email. b) Under Replace original body select the ‘Yes’ option only if the deputy shall not be able to read the original message text of the email. In this case, the email contains only the original subject and the message text written under Message for forwarding recipient. Please note that your deputy will be virtually unable to answer any of the emails if he/she does not know its content. If, in turn, your deputy has set up a forwarding (to a further person) with this option set to ‘No’, this further person will receive the email with both texts, i.e. with the original message and with the forwarding message defined above.

Use the options ‘Visible’ and ‘Not visible‘ to determine whether to make this setting option available or not in the absence documents. c) With the Allow sender notification option, specify whether the sender can be notified by default when an email sent by him has been forwarded or not forwarded. This setting is also valid for the retroactive sender notification. If you do not allow sender notification and do not set this option to ‚Edit- able‘, then the user cannot activate sender notification in her absence document.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 527 IQ.SUITE CLERK - SERVER-BASED SETTINGS (BY ADMIN ONLY) 

Make sure that within the job in the Operations tab under Allow sender notifica-  tion the ‚As per user settings‘ option is selected. Otherwise the settings in the configuration documents of the users are overwritten with the job settings, regardless of the settings in the absence template.

d) Under Retroactive sender notification, specify whether the sender is allowed to be notified retroactively for emails he has sent in the past (e.g. 3 days before the forwarding document was activated). The following requirements must be met for a sender notification to be sent retroactively:  The Retroactive email processing is enabled in the Clerk Global Database Settings. Otherwise, a corresponding conflict message is displayed in red.  Under Allow sender notification, the ‘Yes’ or ‘Editable’ option is set. A Retroactive notification can be sent regardless of the fact whether the email has been forwarded retroactively or not.

e) Message for sender: In section , define the sender notification for the regular case (without retroactive email processing). In section , define the retroactive sender notification. In both cases, different messages can be defined, depending on whether the email is forwarded or not. The message to the sender is sent as a separate email.  With the message in case of forwarding, the out-of-office reply that is specified under Text is sent to the sender via email. It notifies the sender of the recipient's absence and, if appropriate, of the forwarding of the email to a deputy. By default, an out-of-office reply contains the subject „Autoreply“ and the email's original subject text (%SUB- JECT%).  With the message in case of non-forwarding, the original sender can be notified of the recipient's absence. Besides the period of absence, a contact person/deputy can be specified. Refer to Subject and Text.

3. Notifications Periodic

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 528 IQ.SUITE CLERK - SERVER-BASED SETTINGS (BY ADMIN ONLY) 

The settings in the Notifications Periodic tab affect the documents for periodic forwarding.

For a description of the settings in this tab, please refer to “Notifications” on page 525. However, please note that the placeholders for Text (refer to Text) make no sense in case of periodic forwarding and therefore cannot be used there. Furthermore, the retroactive email processing is not possible in case of periodic forwarding.

4. Save the template.

5. With CHECK you get information about which template is used from which user, and to which group this user is assigned:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 529 IQ.SUITE CLERK - SERVER-BASED SETTINGS (BY ADMIN ONLY) 

13.2.2 Job Configuration

13.2.2.1 Hints on the Configuration

As administrator, you set the server-related iQ.Suite Clerk configuration for redirections and forwardings. Configure the DEFAULT - Absence Management job to enable regular forwarding, periodic forwarding, retroactive forwarding and redirection.

Only one configured mail job is required to activate both, forwarding and redirec-  tion. The job uses all active forwarding and redirection documents that are valid for the Clerk database specified in the job. However, if different Clerk databases are to be used or the job processing is to be separated by using rules, several jobs are required.

On the server based job definitions local users configure their own redirection and forwarding documents. The settings in the redirection and forwarding documents have a lower priority than the job settings and are ignored in case of conflicts.

The logo in retroactive forwardings, in forwarding summaries and in sender noti-  fications derives from the global parameter ToolKit_Clerk_Logo. To modify the email header, use the global parameters ToolKit_Clerk_SenderMsgLogo and ToolKit_Clerk_RetroMsgLogo. Refer to “Description of the Global Parameters (except Job Results)” on page 33.

13.2.2.2 Sample Job: Forwarding or Redirection

1. Click on CLERK -> MAIL JOBS and open the DEFAULT - Absence

Management job. Click on EDIT. a) Enable the job. b) By default, the job runs on ‚All Mails‘. In replicated environments select the ‚on all servers‘ option.

2. Open the Operations tab:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 530 IQ.SUITE CLERK - SERVER-BASED SETTINGS (BY ADMIN ONLY) 

a) It might be possible that a user defined as deputy has configured a forwarding or redirection for his/her own absence. Under Maximum number of forwards specify how often an email may be redirected or forwarded. For instance, if set to ‚2‘, the email will be redirected or forwarded to the first and the second deputy specified. The Clerk log can be used to check which emails were forwarded/redirected for what reason and when. b) Notifications inform the deputy of the fact that the email was redirected or forwarded. In the Position of forwarding information field define whether the notification texts defined in the absence template are to be added at the beginning or at the end of the email.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 531 IQ.SUITE CLERK - SERVER-BASED SETTINGS (BY ADMIN ONLY) 

c) In rare cases, an email is not delivered to a deputy only in his/her function as a deputy, but also as an original recipient. In such a case, it might be reasonable to deliver the original email to him/her, e.g. for acknowledge- ment of receipt or for accepting appointments. For this, select the ‚Yes‘ option in the Original mail to substitute, if being original recipient field. d) Path to Archive /Log databases: This field is only required, if the retroactive forwarding is used. Specify the directory in which the archival and log databases used for retroactive forwarding are to be created (Default: %DATADIR%\Clerk). Refer to “Clerk Archival Database” on page 518 and “Clerk Log Database” on page 519.

3. If required, select under iQ.Suite Clerk another Clerk database for the job (Default: g_del.nsf). To change the default settings of the Clerk database (grayed-out fields), click on Edit Clerk settings.

Clerk Database Settings

If you have specified the same database in several Clerk jobs, changes made in  the database settings are copied to all other configured Clerk jobs!

a) To limit the number of configuration documents users are allowed to create, enable the ‘Yes‘ option under Limit number and enter the desired number in the subsequent fields. b) Limited future offset: Limits the time period for forwarding documents. Users can prepare documents for their absence for max. 1 year in

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 532 IQ.SUITE CLERK - SERVER-BASED SETTINGS (BY ADMIN ONLY) 

advance. Specify the number of days in the Limit for future email processing field. c) Retroactive email processing:  ‚Not active‘ disables the functionality for the retroactive email processing. No data is written to the archival and log databases (Default).  ‚Active‘ enables the retroactive email processing with the next job start. Data is written to the archival and log databases. As soon as an email is stored in the archival database, this email can be processed retroactively.  With ‚Collecting‘, emails are written to the archival and log databases with the next job start, however, they are not processed retroactively. Enable this option to collect data for a later retroactive processing, or to deactivate retroactive processing temporarily. With this option, data is written further to the archival and log databases, which prevents “gaps” in email communication.  ‚Start of retroactive processing: X days‘: If one of the options ‚Active‘ or ‚Collecting‘ is enabled, emails are archived, logged and processed retroactively with the job start. With the default value ‚14‘ emails from the last 14 days can be processed retroactively to a deputy. The set value defines the time period before the archival databases and log databases are deleted. By default, on the 15th day the first archival database and the first log database are deleted. If you want to modify this value, consider the storage capacities of the server. d) Server for ‚Forwarding summary‘: After their return, absent users can request a summary of the emails forwarded in the absence time period. Select the server to which the so-called forwarding summary is to be transferred. e) If in the Write protocol field the option ‘Yes’ is enabled, you can select the Domino database in the displayed Protocol database field. This database is used to log the redirection and forwarding operations (Default: g_clerkprot.nsf). For each redirected or forwarded email, an individual log is created in the selected protocol database. Forwarding summary requires that a protocol is written (option ‘Yes’).

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 533 IQ.SUITE CLERK - SERVER-BASED SETTINGS (BY ADMIN ONLY) 

f) If calendar entries should be created automatically for the forwarding users, open the Calendar tab and pay attention to the notes under “Crea- ting Calendar Entries automatically” on page 537. g) If Info emails should be sent, open the Infomail tab and proceed as described under “Configuration in the Clerk Job” on page 542. h) Click OK to save changes in the database configuration and to return to the job configuration.

4. In the Deactivate forwarding for field, special emails can be excluded from a redirection or forwarding, e.g. confidential emails that are encrypted and/or signed. Use the ‚all emails‘ option, if no emails are to be redirected or forwarded, however, the sender shall receive an out-of-office reply. With ‚no emails‘ all emails are redirected or forwarded to a deputy. This includes encrypted emails as well.

5. With the Allow sender notification option, decide whether the sender is allowed to be notified of the recipient‘s absence.  With ‘Yes’, the users can activate the sender notification option in their absence documents, provided that she is authorized to do this via the absence template settings.  With ‘As per user settings’ the job settings for the sender notification is ignored. The settings from the absence documents of the local user is used instead. When this option is set, each local user can decide whether the email senders shall receive an out-of-office reply.  With ‘No’ the email senders do not receive an out-of-office reply.

For ‘Yes’ and ‘As per user settings’: By default, when a sender sends several emails to an absent recipient, the email sender receives only one out-of-office reply per 24 hours (in 1 day). If required, the frequency of the out-of-office replies can be changed.

6. When retroactive email processing is enabled in the Clerk database settings, you can specify under Retroactive sender notification that the sender notification is to be sent retroactively - regardless of the fact whether the email was forwarded or not. The following options are available:  Retroactive sender notifications are sent for all emails that have arrived within a definable period of time that is prior to the activation of the for-

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 534 IQ.SUITE CLERK - SERVER-BASED SETTINGS (BY ADMIN ONLY) 

warding document on the server. Enter the time in the Hours before activation field.  Maximum = (number of days under Start for retroactive processing + 1 day) X 24 hours.  Use the For all emails of the same day option to send retroactive sender notifications for emails that have arrived at the day when the forwarding document was activated.  Please note that both options are connected with a logical OR expression.

For retroactive sender notifications that are sent based on these options, the same message (subject and text) is used as for not retroactive sender notifi-

cations: FORWARDING DOCUMENT -> TAB: NOTIFICATIONS -> :

For retroactive sender notifications that are sent based on the period of time set in the forwarding document, a different message can be used ( ).

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 535 IQ.SUITE CLERK - SERVER-BASED SETTINGS (BY ADMIN ONLY) 

Normally, the retroactive sender notification in a job should be set for all emails  that arrive relatively shortly before the forwarding document is activated. For older emails, we recommend to set the retroactive sender notification in the forwarding document individually.

The job configuration has a higher priority than the settings in the absence docu-  ments.

7. Suppress notification header: Use this option to suppress the header of the sender notification (logo, line, and absentee):

With this option enabled, only the message „I am out of office ...“ will be displayed in the notification.

8. Send warnings as of: When retroactive forwarding is used, the data volume in the Clerk notifications database, the Clerk log database and the Clerk archive database might quickly increase considerably. Administrators can be notified by email as soon as a critical data volume has been reached so that they can early react on short storage capacities on the server. Here, enter the critical data volume for sending warnings. Use ‚0‘ to disable the feature.

9. If required, adjust the default settings in the Misc tab:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 536 IQ.SUITE CLERK - SERVER-BASED SETTINGS (BY ADMIN ONLY) 

The Run only on Home server option is available for email processing by Clerk and is relevant only in multi-server environments.

By default, the job is executed for all recipients of all emails (option ‚No‘).

When the job only runs on the Home server, the job is executed by default only for those recipients whose mailboxes are located on the server which executes the job.

These are not affected by this setting:

 email recipients for whom no mail server is specified in the Domino Direc- tory.  email recipients who are not entered in the Domino Directory.

10. Save the job.

13.2.2.3 Creating Calendar Entries automatically

The user might not be able to edit his emails during his absence and also not be able to attend meetings. To inform her communication partners inside of the company and especially for the appointment planning, iQ.Suite Clerk can automatically create calendar entries for the user‘s absence periods.

The creation of calendar entries does not depend on...

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 537 IQ.SUITE CLERK - SERVER-BASED SETTINGS (BY ADMIN ONLY) 

 ... the user‘s email traffic: Even if no emails addressed to the user arrive, or if, based on the configured rules, none of her incoming emails are processed by the job, calendar entries can be created for the user.  ... how current the Clerk forwarding is: Calendar entries can always be created – no matter if the Clerk forwarding is up-to-date or if it has been created for an absence that lies in the past or in the future.

Basic condition: Calendar entries are documents in the users‘ mailboxes. That is why every Domino server in charge of creating calendar entries must have write access to the respective users‘ mailboxes. If the server is not administrating these mailboxes, it needs remote access to them.

To enable the creation of calendar entries, a Clerk job needs to be configured correspondingly. The Clerk job instantiates a background task that takes care that calendar entries are being created, changed or deleted.

The settings in the Clerk job that are not valid especially for the creation of calendar entries are described under “Sample Job: Forwarding or Redirection” on page 530. For the calendar entries especially, proceed as follows:

1. In the Operations tab, double-click on Clerk database and then on Editing the Clerk settings.

2. Open the Calendar tab:

a) Under Create calendar entries, determine whether to allow the automatic creation of calendar entries from non-periodic forwarding documents in general. b) If applicable, select the desired Type of calendar entries:  ‘All Day Event’: Only one calendar entry is created for the complete absence period. If an absence does not cover whole days, but a time

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 538 IQ.SUITE CLERK - SERVER-BASED SETTINGS (BY ADMIN ONLY) 

of day is specifed for beginning or end of the absence, the calendar entry is extended to include the complete days on which the absence begins or ends.  ‘Appointment’: One calendar entry is created for each day of the absence period. If an absence does not cover whole days, but a time of day is specifed for beginning or end of the absence, calendar entries for the exact time span are created. These entries are visible in the daily view of the Notes calendar.

Example: Absence from Tuesday, 11/25/2018 at 13:00 h to Thursday, 11/27/2018 at 12:00 h.

With the Option ‘All Day Event’, one calendar entry is created for the three complete days from Tuesday to Thursday.

With the ‘Appointment’ option, three calendar entries are created:

For Tuesday, 11/25/2018 from 13:00 to 24:00 h For Wednesday, 11/26/2018 from 0:00 to 24:00 h For Thursday, 11/27/2018 from 0:00 to 12:00 h

If you have set the same database in several Clerk jobs, only the first processing  Clerk job instantiates the background task for creating the calendar entries. This is how the multiple creation of calendar entries is prevented.

You can use Clerk absence templates for both the job configuration and for defining the default settings to be used to create calendar entries for certain people, groups or departments. Refer to “Creation of Absence Templates” on page 521.

13.2.2.4 Notification Options for Internal and External Senders

You can define different notification options for internal and external email senders. For example, you can configure that internal senders shall always receive an out-of-office reply to be informed about the absence of a colleague. However, the external senders shall not be informed, or only in case of an enabled out-of-office reply action in the user‘s forwarding document.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 539 IQ.SUITE CLERK - SERVER-BASED SETTINGS (BY ADMIN ONLY) 

1. Configure two Clerk mail jobs, one for internal and one for external senders,

e.g. with the RemoteSender and InetSender rule: CLERK -> MAIL JOBS -> NEW

-> CLERK MAIL JOB.

2. Use the same database for both jobs

3. In the job for internal senders, select in the Operations tab under Allow sender notifications the ‘Yes’ option, in the job for external senders select the ‘As per user settings’ option.

With this configuration, the internal senders are always informed about the absence of his/her colleague. The external senders, however, only receive an out-of-office reply when the Allow sender notification option is enabled.

13.2.3 Job Configuration for the Info Emails

Info emails can be sent to the involved people (absentee, deputy, and important communication partners) in advance.

13.2.3.1 Important Definitions and Application Example

 Info emails „Info emails“ implies both the absence emails and the presence emails.

 Absence emails These are the first Info emails, reminder emails, and update emails.

 Presence emails The emails that are sent once the absentee has returned are called „presence emails“. On the Graphical User Interface (Admin Portal and User Por- tal), „presence“ is also named „Represence“.

Definition of the person types:

 Absentee Absent person for whom a forwarding document was created.

 Deputy

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 540 IQ.SUITE CLERK - SERVER-BASED SETTINGS (BY ADMIN ONLY) 

Persons (one or more) that are specified as deputies in the forwarding document.

 VIP Potential sender. Defined in more detail, this is a person who might possibly send emails to the absentee during the absence time and whom the absentee wants to inform about the absence in advance. Typically, these are important communication partners, e.g. customers.

Application example:

For his planned vacation from Nov. 09, 2015 to Nov. 18, 2015, David Galler sets up a forwarding on Oct. 08, 2015 at 9:00 PM. Anna Glenn is defined as his deputy, Boris Zidane and Kai Baron are specified as VIPs. By default, about 5 to 6 minutes after the forwarding document is saved, the first Info email is sent to the absentee and the deputies. On Aug. 24, 2015, Mr. Galler changes his vacation plans since he has to return to work already on Nov. 15, 2015. Based on this change, in the forwarding document on Aug. 24, 2015, by default 5 to 6 minutes later, an update email is sent to the absentee and the deputies. Since the VIPs haven‘t received any first Info email yet, they won‘t receive an update email. By default, the VIPs will receive the first Info email 7 days before the absence time starts.

13.2.3.2 Important Information prior to the Job Configuration

In the following, you will find an overview about the possibilities of the Info email feature:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 541 IQ.SUITE CLERK - SERVER-BASED SETTINGS (BY ADMIN ONLY) 

If the ‚Info emails‘ feature is activated, a notification to the absentee and the deputy is automatically generated when the forwarding is set up (first Info email). The setup may take place already weeks or months ahead of the actual absence and therefore can easily be forgotten. Therefore, in addition, a reminder can be defined that is sent shortly before the absence starts (reminder email). The first Info email for the VIPs is normally sent only a few days before the absence starts. That is why any reminder email for VIPs is not intended.

When a saved forwarding document is changed (e.g. change of the absence time), an update email can be sent to all person types.

When the absentee is present again, presence emails can be sent.

All Info emails have a sender address. The reply to the Info email is sent to the defined reply address. For all Info emails, the following applies:

Info email to Sender Reply Address

absentee Is read from the entry under Clerk Job -> Misc tab -> Reply to field. Is read from the entry under Usually, the iQ.Suite administra- Clerk Job -> Misc tab -> tor is specified. Memo from field.

deputy Absentee

VIPs Absentee

13.2.3.3 Configuration in the Clerk Job

1. On the Operations tab, double-click on the Clerk Database and then on Edit of Clerk Settings.

2. Open the Infomail tab: a) Specify whether you want to allow the automatic sending of Info emails from non-periodic forwarding documents in general (default: ‚No‘):

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 542 IQ.SUITE CLERK - SERVER-BASED SETTINGS (BY ADMIN ONLY) 

If you have specified the same database in several Clerk jobs, only the first pro-  cessing Clerk job will instantiate the background task that sends the Info emails. This is how the multiple sending of Info emails is prevented. An additional background task takes care that reminder emails and presence emails are not sent several times.

Specify additional settings for the sending of Info emails:

b) Use the option Send infomails to external VIPs too to specify whether only senders of the local Notes or Internet domain (internal senders) or also senders from Internet domains (external senders) should be informed. c) Specify the content of the notification emails that are to be sent to the absentee, the deputy, and the VIPs. To do so, use the corresponding tab for each person type.

Predefined notification templates are available under IQ.SUITE -> GLOBAL

-> NOTIFICATION TEMPLATES: For each of the person types, a separate template exists for the absence emails (Notification template about

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 543 IQ.SUITE CLERK - SERVER-BASED SETTINGS (BY ADMIN ONLY) 

absence to ) and a template for the presence email (Notification template about presence to ), with corresponding to the person type. Adjust these templates to your needs or create new notification templates.

In the context the ‚Info emails‘ feature, the following placeholders can be used in Clerk notification templates:

%ABSENTEE%/%ABSENTEE2% %DEPUTY%/%DEPUTY2% %STARTTIME%, %ENDTIME% %FORWARDING_ACTION% %CLERK_FORWARDING_LINK% %MAILTYPE% %SUMMARY%

For further information on these placeholders, please refer to “Placehol- ders” on page 59.

Also take note of the global parameters for Clerk Info emails. These parameters begin with Toolkit_Clerk_Infomail*, e.g. Toolkit_Clerk_InfomailEntryDeletionDelayMinutes for the represence. Refer to “Description of the Global Parameters (except Job Results)” on page 33.

d) The placeholder %FORWARDING_ACTION% is used in all predefined notification templates for the absence emails. This placeholder is replaced with the text that is entered in the field in case of forward to /for VIPs resp. in case of non forward to /for VIPs – depending on whether or not the email was forwarded.

3. Open the Text replacement tab:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 544 IQ.SUITE CLERK - SERVER-BASED SETTINGS (BY ADMIN ONLY) 

a) Specify the text that will replace the placeholder %MAILTYPE%: %MAILTYPE% is usually used in the subject line of the notification emails, as it is the case in all predefined notification email templates for Info emails. This placeholder is replaced with the appropriate text, e.g.:  Info for the first Info emails  Reminder / Erinnerung for the reminder emails  Update / Aktualisierung for the update emails  Ended / Beendet for the presence emails

b) The placeholder %SUMMARY% is replaced with a summary that lists the emails that were sent to the absentee and processed by Clerk during the absence time (Forwarding Summary)4.

4. This summary corresponds to the summary that is displayed via the FORWARDING SUMMARY button in the forwarding document.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 545 IQ.SUITE CLERK - SERVER-BASED SETTINGS (BY ADMIN ONLY) 

Use the input fields to define the column titles of the tabular overview:

 Time: date and time of the email processing by Clerk  From: the sender‘s email address  Subject: original subject of the processed email  Forwarded to: the deputy‘s email address

No email processed: Use this field for the text to display in the forwarding summary on top of the table if no email was processed by Clerk.

Also refer to Toolkit_Clerk_InfomailMaxSummaryEntries under “Description of the Global Parameters (except Job Results)” on page 33.

4. Click on OK.

For the configuration of Info emails in the forwarding document, please refer to “Configuration Document: Forwarding” on page 548.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 546 IQ.SUITE CLERK - INDIVIDUAL SETTINGS (BY USERS ALSO) 

13.3 Individual Settings (by Users also)

To enable users to set up permanent redirections or temporary forwardings independently, they have access on a restricted range of functionality of iQ.Suite Clerk. According to the user‘s access rights he/she can create new redirection or

forwarding documents in the User Portal (NEW button)5.

To simplify operation for the users it might be helpful to provide sample documents, which demonstrate how to set up absence management. In the Admin Portal the iQ.Suite standard configuration contains sample documents for redirec-

tion and forwarding (CLERK -> ABSENCE SETTINGS BY USER). These sample documents are displayed in the User Portal of the internal users only, if the corresponding roles/rights have been set:

Use the absence templates to restrict configuration of iQ.Suite Clerk for the local users. With this, only certain fields and options are visible or editable in the redirection and forwarding documents. The users create their personal absence documents for redirection and forwarding based on these templates.

The configuration documents created by the users remain in the user's User Por-  tal and can be reused later.

5. Refer to “Rights/Roles Concept in iQ.Suite User Portal” on page 136.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 547 IQ.SUITE CLERK - INDIVIDUAL SETTINGS (BY USERS ALSO) 

13.3.1 Configuration Document: Forwarding

The following section describes how administrators or other internal users can create a regular forwarding, e.g. in case of vacation or illness.

Non-periodic forwarding documents can also be used to automatically create calendar entries for absence periods. Depending on the iQ.Suite configuration (Clerk job and potentially absence template), the forwarding documents can be used to specify that calendar entries are to be automatically created and how they should look (e.g. subject and notification).

1. Click on CLERK -> ABSENCE SETTINGS BY USER -> NEW -> FORWARDING:

a) Enable the document. b) In this example David Galler is defined as deputy for the user Anna Glenn. By default, forwarding is enabled on a 24-hour basis. Where required, forwarding can also be set to the minute by enabling the ‚Specify times‘ option under Start at. In this case, enter the forwarding start time and end time. In the example, Mrs Glenn works on the first day of the forwarding part-time. Therefore, her emails are forwarded only as of 12:00 PM. On Sept. 20 at 12:00 AM the forwarding to David Galler is stopped. c) If required, define the applicable time zone used for time specification. Using this setting, the Domino server (possibly located in another time

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 548 IQ.SUITE CLERK - INDIVIDUAL SETTINGS (BY USERS ALSO) 

zone than the absent original recipient) will calculate the times. This ensures job execution at the intended time. The default time zone (Local Time) corresponds to the time set in the Notes client of the absent person. This will normally be the correct setting. d) The Retroactive email processing field is displayed only if in the Clerk Database Settings this function is enabled entirely (‘Active’) or in part (‘Collecting’). If the date given at Start at is in the past, we recommend to enable the option ‘should be used‘. With this, emails that were already delivered to the recipient are processed (i.e. forwarded) retroactively according to the start date/time. As a prerequisite, retroactive email processing is enabled in the job and data has been collected at the time of the given start date. If no time is specified, the emails are processed retroactively as of 12:00 AM of the start date. Refer to “Clerk Database Set- tings” on page 532. e) Under Forward emails, ‘Yes‘ is the default setting. This means that, by default, no email is forwarded. If the option ‘No - notify sender‘ is selected, no emails are forwarded, but the senders are informed of the absence of the recipient. The notification text is the one defined in the Notifications tab under Text.

If set to ‚No - don‘t notify sender‘, no email is forwarded and the senders do not receive any notification either. Use this setting only to perform the actions defined in the Exceptions tab under Exceptions. f) You can use the Non-forwarding deputy field to specify the contact person who should be shown in the notifications instead of the placeholder for deputies (e.g. %DEPUTY%). The contact person(s) specified here will also be used in case ‘non-forwarding is defined as an exception’ and in case of ‘retroactive email processing without forwarding’.

You can select the deputy from the Domino Directory or enter the name manually. The non-forwarding deputy does not need to be entered in the Domino Directory. In case of several deputies, separate the entries by comma + blank.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 549 IQ.SUITE CLERK - INDIVIDUAL SETTINGS (BY USERS ALSO) 

Non-forwarding deputies are notified as deputies in case of Info emails, too.

Placeholders for deputies: refer to Subject.

g) Under Forward to, select the deputy to whom the emails are to be forwarded in case of forwarding. h) By default, the deputy has no access to the quarantined emails of the original recipient. If in the Use for Quarantine Access field the ’Yes’ option is selected, a separate area for the quarantined emails of the original recipient is displayed in the deputy‘s User Portal. Refer to “Quaran- tine Access for Deputies” on page 568. i) In the Calendar Settings section, you can specify settings for the creation of calendar entries, provided that the Clerk job and the absence template that is valid for the user are configured correspondingly. Under Create calendar entries, define whether calendar entries are to be created automatically for the users of this Clerk forwarding. If ‚Yes‘ (default: ‚No‘), you can specify additional settings:

For further information on the configuration, please refer to “Creation of Absence Templates” on page 521.

When you change the settings for calendar entries in an existing forwarding docu-  ment, usually the calendar entry is created 5 to 6 minutes after saving the forwarding document.

2. Open the Notifications tab:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 550 IQ.SUITE CLERK - INDIVIDUAL SETTINGS (BY USERS ALSO) 

This tab contains the notification texts from the absence templates. According to the right concept, which is also defined in the absence templates, the local users can see or modify each field or only certain fields.

For further informationen on the settings in the Notifications tab, please refer to “Notifications” on page 525.

a) The configuration under Allow sender notification applies only if it is

specified in the job that the user setting is to be used (OPERATIONS TAB ->

ALLOW SENDER NOTIFICATION: AS PER USER SETTINGS). b) The Retroactive sender notification can be enabled only when the Allow sender notification option is set to ‘Yes’ and the retroactive email processing (in the Settings tab) has been enabled. Enter the subject and the message text to be used for the retroactive sender notification in the case of forwarding or not forwarding.

3. Where required, you can define exceptions in the Exceptions tab. In the absence templates you can mark this tab not to be displayed for the local users. Configuration options of the Exceptions tab are described under “Configuration of Exceptions” on page 561. No exceptions are defined in this example, i.e. all emails are forwarded to the deputy.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 551 IQ.SUITE CLERK - INDIVIDUAL SETTINGS (BY USERS ALSO) 

4. In the Misc tab, under Document authors specify the persons, who are authorized to edit this document and manage the forwarding settings. The asterisk (*) in the Runs on server field means that the document is valid for all servers.

5. Open the Infomail tab:

a) Use the left column of the SEND INFOMAILS ABOUT ABSENCE table to specify to which person types to send absence emails. The checkboxes at the left border (to ) apply to the first Info emails and update emails:  to me: to the absentee. This is the person for whom the forwarding document is configured (entry on the Settings tab in the Absence profile for field).  to deputy: These are both, the persons who are entered under Set- tings in the Forward to field and in the Non-forwarding deputy field, and the deputies in case of exceptions (Exceptions tab).  to VIPs: Persons entered in the My VIPs field. Use this field to specify the VIPs‘ addresses. If these persons are entered in the Domino Directory, select their addresses from the Domino Directory. Other- wise, enter the VIP‘s Internet addresses manually. Use a separate line for each address.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 552 IQ.SUITE CLERK - INDIVIDUAL SETTINGS (BY USERS ALSO) 

b) If, in addition to the first Info emails and the update emails, reminder emails are to be sent, activate the option Reminder and, under days before, specify how many days prior to the start of the absence time a reminder email should be sent (possible values: 1 to 14 days). For the VIPs, the previous information is the first Info email. In the field next to Previous information, enter how many days in advance of the absence time start the VIPs should be notified of the coming absence. Please note that no reminder emails are sent to VIPs. That‘s why we recommend to inform the VIPs not too long in advance (default: 7 days; possible values: 0 to 30 days).

All person types (incl. VIPs) will receive update emails when changes are made to the absence period. This applies only if the changes were made after the first Info email was received.

c) In the SEND INFOMAILS ABOUT PRESENCE section, specify the person types who should receive a presence email once the absence time is over.

6. Save the document.

The example demonstrates an email originally addressed to Mrs Glenn but forwarded to her deputy Mr Galler:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 553 IQ.SUITE CLERK - INDIVIDUAL SETTINGS (BY USERS ALSO) 

What happens with the calendar entry when the forwarding document is changed or deleted?

1. In case of temporal changes, it depends on whether the periods of time between old and new absence overlap: a) In case the periods of time overlap, the calendar entries will always be changed. b) In case the periods of time do not overlap, the calendar entries or parts of past calendar entries will not be changed. A change can only be done manually by the user. For the new period of time, a new calendar entry will be created. If the old period of time lies in the future, the old calendar entry will be updated. For non-temporal changes (e.g. subject changes), the changes will be performed in the existing calendar entry – no matter where the calendar entry temporally lies (in the present, past or future).When deleting a Clerk forwarding document, it depends on whether the period of time is still in the present or completely lies in the past or the future:

a) If the period of time begins in the past and ends in the future, the calendar entry will be kept up to the deletion time. b) If the period of time is in the past, the calendar entry will be maintained. c) If the period of time is in the future, the calendar entry will be removed completely. To summarize: The user himself is responsible for the deletion of the past and parts calendar entries.

For the rules mentioned above, please note that “Today” is considered to be in the  past.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 554 IQ.SUITE CLERK - INDIVIDUAL SETTINGS (BY USERS ALSO) 

13.3.2 Configuration Document: Periodic Forwarding

The following section describes how the administrator or other internal users can configure a forwarding to a deputy in case of a periodic, regular absence, e.g. employees who are working part-time.

Example 1

For the part-time employee Anna Glenn a periodic forwarding shall be established. Mrs Glenn works from Monday to Friday from 08:00 AM to 12:00 PM. By experience Mrs Glenn receives many emails that are critical in terms of time. Hence, emails that arrive between 12:00 PM and 06:00 PM are to be forwarded to the deputy David Galler.

1. Click on CLERK -> ABSENCE SETTINGS BY USER -> NEW -> PERIODIC FORWAR-

DING:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 555 IQ.SUITE CLERK - INDIVIDUAL SETTINGS (BY USERS ALSO) 

Example 2

For the part-time employee Robert Fontane a periodic forwarding shall be established. Mr Fontane works on Monday, Tuesday and Thursday from 08:00 AM to 12:00 PM and on Friday from 09:00 AM to 06:00 PM. On Wednesday he is usually not in the office. Hence, from Tuesday 12:00 PM to Wednesday 06:00 PM his emails are to be forwarded to the deputy David Galler.

1. Click on CLERK -> ABSENCE SETTINGS BY USER -> NEW -> PERIODIC FORWAR-

DING:

a) Enable the document. b) Under Absence profile for the user who creates the forwarding document is preset. According to the user‘s rights he/she can select another local user. c) Usually no entries are required in the Start date and End date fields and can be left disabled. The fields are only relevant to limit the forwarding to a specific time period. d) The time zone field (Local Time) affects the Start date / End date and the time for the days of the week. The default time zone (Local Time) is

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 556 IQ.SUITE CLERK - INDIVIDUAL SETTINGS (BY USERS ALSO) 

the time set on the Notes client computer of the absent person. This will normally be the correct setting. e) In the fields of the weekdays, define the time period of the absence. The default setting from ‘00:00‘ to ‘00:00‘ is interpreted as a 24-hour forwarding. Emails that arrive at this weekday are forwarded.

f) For further information on the settings Forward emails, Non-forwarding deputy and Use for Quarantine Access, please refer to “Configuration Document: Forwarding” on page 548.

2. Open the Notifications tab:

For further informationen on the settings in the Notifications tab, please refer to “Notifications Periodic” on page 528. Additionally, please note the following:

The configuration under Allow sender notification applies only if it is speci-

fied in the job that the user setting is to be used (OPERATIONS TAB -> ALLOW

SENDER NOTIFICATION: AS PER USER SETTINGS).

3. Where required, you can define exceptions in the Exceptions tab. In the absence templates you can mark this tab not to be displayed for the local

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 557 IQ.SUITE CLERK - INDIVIDUAL SETTINGS (BY USERS ALSO) 

users. Configuration options of the Exceptions tab are described under “Configuration of Exceptions” on page 561. No exceptions are defined in this example, i.e. all emails are forwarded to the deputy.

4. In the Misc tab under Document authors specify the users who are authorized to edit this document and manage the forwarding settings. The asterisk (*) in the Runs on Server field means that the document is valid for all servers.

5. Save the document.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 558 IQ.SUITE CLERK - INDIVIDUAL SETTINGS (BY USERS ALSO) 

13.3.3 Configuration Document: Redirection

The following section describes how the administrator or other internal users can configure a permanent redirection to a deputy.

To prevent certain emails from being redirected, define the exceptions in the  Exceptions tab.

1. Click on CLERK -> ABSENCE SETTINGS BY USER -> NEW BUTTON -> REDIREC-

TION:

a) Enable the document. b) Specify a Name for the document. c) In this example the emails addressed to Julie Bonet are permanently redirected to David Galler. Under Redirection for select the user whose emails are to be redirected. d) Under Retroactive email processing enable the ‚should be used‘ option. In the subsequent field, enter the start time for retroactive forwarding. In the example, the complete email correspondence is forwarded retroactively as of and including Oct. 29, 2015 at 12:00 AM. The recipient of these retroactively forwarded emails is defined in the Redirect to field. e) Under Redirect emails select the option ‘Yes‘. If you select ‘No‘, no redirection is performed. Only the exceptions defined in the Exceptions tab are executed. f) Under Redirect to select the recipient of the redirected emails.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 559 IQ.SUITE CLERK - INDIVIDUAL SETTINGS (BY USERS ALSO) 

g) Use for Quarantine Access: In the example Mr Galler receives access rights on the quarantined emails of Mrs Bonet. The emails quarantined for Mrs Bonet are displayed in a separate quarantine area of the User

Portal (QUARANTINE -> SUBSTITUTE FOR QUARANTINE ACCESS).

2. In the Notifications tab, write the Text for the out-of-office reply to be sent by default to the deputy. For example, enter a request for processing the redirected email or to inform the original recipient about important or time-critical emails.

3. Where required, you can define exceptions in the Exceptions tab, e.g. to prevent emails from certain senders from being redirected or to enable retroactive forwarding. Refer to “Configuration of Exceptions” on page 561. No exceptions are defined in this example, i.e. all emails are redirected to the deputy.

4. In the Misc tab under Document authors specify who is authorized to edit this document and manage the redirection settings.

5. Save the document.

The example demonstrates an email originally addressed to Mrs Bonet, but forwarded to her deputy Mr Galler:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 560 IQ.SUITE CLERK - INDIVIDUAL SETTINGS (BY USERS ALSO) 

13.3.4 Configuration of Exceptions

In the Exceptions tab the administrators can define exceptions for redirection and forwarding documents. To enable local users to modify these settings as well, the associate rights have to be set.

With the options ‚Check sender only‘ and ‚Check sender and content‘ you can link emails from special senders to a special action, e.g. preventing private emails from being forwarded to a deputy. You can define several exceptions for various senders and subject to the email content. All exceptions are listed in the Excep- tions tab. Use the Sort icon to change the order of the entries. The first entry in the list is the first one processed.

The following examples refer to redirection and forwarding documents.

13.3.4.1 No Forwarding of Newsletters, no Notification of the Senders

In general emails shall be forwarded to a deputy and the senders shall receive an out-of-office reply. Exception: Subscribed newsletters shall be delivered to the original recipient only, and the sender of the newsletter shall not be informed. Consider that the sender address must be known.

1. Configure a regular or periodic forwarding as described in the previous chapters.

2. Open the Settings tab and select ‘Yes‘ for Forward emails. In the Notifica- tions tab, select ‘Yes‘ as well for Allow sender notification.

3. Open the Exceptions tab. Under Checking mode, select the ‚Check sender only‘ option. With this, only the sender address (not the content of the incoming email) is checked.

4. Under Controls for Exceptions, click on the Edit or New icon:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 561 IQ.SUITE CLERK - INDIVIDUAL SETTINGS (BY USERS ALSO) 

5. Select the option ‚Do not forward - do not notify sender‘ and enter the corresponding sender with his/her Internet address, in this case the newsletter address. If the Sender field is left empty, all senders will be included to the selection. The following placeholders can be used to enter character strings:  * (asterisk) = any character string. Examples: hous* finds house or housekeeper, *hou* also finds house- hold, summerhouse or shout.

 ? (question mark) = any single character. Example: ho?se finds house, horse, ho3se, etc.

 \! (backslash exclamation mark) = any single letter. Example: be\!t finds belt, best, bent, etc.

 \# (backslash lozenge) = any digit. Example: Ha\#s finds Ha1s, Ha3s, Ha9s, etc.

6. Click on OK and save the document.

An email from the sender [email protected] is not forwarded to the deputy but delivered to the original recipient. The senders do not receive an out-of- office reply. Other emails are handled as defined in the Settings tab.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 562 IQ.SUITE CLERK - INDIVIDUAL SETTINGS (BY USERS ALSO) 

13.3.4.2 No Forwarding of Private Emails, Notification of the Senders

In general emails shall be forwarded to a deputy and the senders shall receive an out-of-office reply. Exception: As private marked emails shall be delivered to the original recipient only, and the email sender shall be informed. In the example, all emails with the text 'private' in the subject line shall be excluded from a forwarding.

1. Configure a regular or periodic forwarding as described in the previous sections.

2. Open the Settings tab and select ‘Yes‘ for Forward emails. In the Notifica- tions tab, select ‘Yes‘ as well for Allow sender notification.

3. Open the Exceptions tab. Under Checking mode select the ‘Check sender and content’ option.

4. Under Controls for Exceptions click on the Edit or New icon:

5. Select the ‘Do not forward - notify sender only‘ option.

6. Use the Field for content field to search for certain keywords in field names. In this example the email‘s subject line is analyzed for certain keywords. As an alternative you can select ‘Body‘ to analyze the email body.

7. Under Content specify the keywords to be looked for, here: *private*. Note that only emails that contain the string ‚private‘ in the subject line of the email are recognized and classified as private ones.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 563 IQ.SUITE CLERK - INDIVIDUAL SETTINGS (BY USERS ALSO) 

For each keyword, an exception must be created. Put an asterisk before and after the keyword (**).

8. Leave the Sender field empty. With this, emails from all senders are analyzed.

9. Click on OK and save the document.

Emails with the word ‚private‘ in the subject line are not forwarded to the deputy but only delivered to the original recipient. The email sender receives an out-of- office reply. Non-private emails are handled as defined in the Settings tab.

13.3.4.3 Forwarding Emails with Special Content to a different Deputy

In general, emails shall be forwarded to a deputy and the senders shall not receive an out-of-office reply. Exception: Emails from company-x that contain confidential content are not to be delivered to the deputy but to another person (David Galler).

1. Configure a regular or periodic forwarding as described in the previous sections.

2. Open the Settings tab and select ‘Yes‘ for Forward emails. In the Notifica- tions tab, select ‘No‘ under Allow sender notification.

3. Open the Exceptions tab. Under Checking mode select the ‘Check sender and content‘ option.

4. Under Controls for Exceptions click on the Edit or New icon:

5. Select the ‚Forward to‘ option.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 564 IQ.SUITE CLERK - INDIVIDUAL SETTINGS (BY USERS ALSO) 

6. In the Field for content field select ‘Body‘ to search for certain keywords within the email body (here for *confidential*). For each keyword, an exception must be created. Put an asterisk before and after the keyword (**).

7. Under Content, specify the keywords to be searched for in the email body. In this example, the original recipient knows precisely that emails from company-x are always marked with the keyword ‚confidential‘.

8. In the Sender field, enter the sender address of the company (here: company-x).

9. Click on OK and save the document.

You want to check both, the sender and the content. For this, the ‚Check sender  and content‘ option is selected. However, one entry in the list under Field for content in the Exceptions tab is to be excluded from the content analysis. Define an exception within the combined sender and content analysis option. To do so, create a new entry and, under Field for content, select the ‚No content analysis‘ option. Specify the sender and save the entry. This entry will also be displayed in the list in the Exceptions tab, however, with the note [No content analysis].

13.3.4.4 Retroactive Email Forwarding with a Redirection Document

If for a local user a permanent redirection is configured, a retroactive forwarding can be configured in a redirection document.

As an alternative, you can configure an additional forwarding document with ret-  roactive forwarding enabled for this user.

1. Configure a redirection document according to the description of the previous chapter.

2. Open the Settings tab:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 565 IQ.SUITE CLERK - INDIVIDUAL SETTINGS (BY USERS ALSO) 

3. Under Retroactive email processing enable the ‚should be used‘ option. In the subsequent field enter the start time for retroactive forwarding. In the example, the complete email correspondence is forwarded retroactively as of and including Oct. 29, 2015 at 12:00 AM. The recipient of these retroactively forwarded emails is defined in the Redirect to field.

4. Click on OK and save the document.

13.3.4.5 Redirecting Emails from Special Senders to Another Deputy

Emails shall be redirected permanently to a substitute. Exception: Emails from company-x are not to be delivered to the usual substitute, but to another deputy (David Galler).

1. Configure a redirection as described in the previous sections.

2. In the Settings tab under Redirect emails, select the option ‚Yes‘ and specify the usual substitute in the Redirect to field.

3. Open the Exceptions tab. Under Checking mode, select the ‚Check sender only‘ option.

4. Under Controls for Exceptions, click on the Edit or New icon:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 566 IQ.SUITE CLERK - INDIVIDUAL SETTINGS (BY USERS ALSO) 

5. Select the ‚Redirection to‘ option.

6. In the Sender field enter the desired sender address (here: company-x). Emails from this sender are not sent to the usual substitute.

7. In the Redirection to field select the email address of the special deputy from the Domino Directory.

8. Click on OK and save the document.

As of now, emails from company-x are redirected to the deputy David Galler. All other emails are redirected to the substitute defined in the Settings tab.

13.3.4.6 No Redirecting of Emails from Special Senders

Emails from certain senders shall not be redirected.

1. Configure a redirection as described in the previous sections.

2. In the Settings tab under Redirect emails, select the option ‘Yes‘ and specify the usual substitute in the Redirect to field.

3. Open the Exceptions tab. Under Checking mode, select the ‘Check sender only‘ option.

4. Under Controls for Exceptions, click on the New icon.

5. Select the ‚Do not forward‘ option.

6. In the Sender field enter the desired sender address. Emails from this address will not be redirected to the substitute.

7. Click on OK and save the document.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 567 IQ.SUITE CLERK - QUARANTINE ACCESS FOR DEPUTIES 

13.4 Quarantine Access for Deputies

If a user is absent and has defined a deputy, the latter will receive the user‘s summary notifications (as they are forwarded), but he/she will be unable to edit any of these emails. To enable the deputy to access the user‘s quarantined emails, the deputy can be provided with quarantine access during the absence of the original recipient. Use one of the following methods to set up quarantine access for a deputy:

 Within a Clerk forwarding or redirection document: SETTINGS TAB -> USE FOR QUARANTINE ACCESS.  Within a separate quarantine document, proceed as follows:

1. Click on QUARANTINE -> SUBSTITUTE QUARANTINE ACCESS -> NEW.

2. Select one of the two options available and click on EDIT. The procedure is largely identical for the Standard and Advanced options. Any differences are noted accordingly.

3. Set the Mode:  ‚Redirection‘: The access permission to the email is taken away from the original recipient and granted to the deputy.  ‚Forward‘: The original recipient keeps the access permission to the email; the deputy is given the same permission.

4. Under SUBSTITUTE QUARANTINE ACCESS (STANDARD), the Access for field cannot be changed and it is automatically set to the name of the user who

has created the document. Under SUBSTITUTE QUARANTINE ACCESS (ADVAN-

CED), this field is changeable. Use the Access for field to specify the deputy, i.e. the user to whom the access rights are to be transferred.

5. In the Misc tab under Document authors you can specify another user as document author and provide this person with appropriate rights (activate, edit, deactivate). Whenever the document owner is absent, the document author can handle the user‘s tasks.

6. Save the document.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 568 IQ.SUITE CLERK - QUARANTINE ACCESS FOR DEPUTIES 

To enable the deputies to access the quarantined emails of the absent user,  enable the following options in the Advanced tab in each quarantining job:  ‚User-specific quarantine access‘  ‚Recipient is allowed to read quarantined email‘  ‚Clerk quarantine document access‘

Consider the options provided for user-specific quarantine access. Refer to “Set- ting up the iQ.Suite User Portal for Users” on page 143.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 569 IQ.SUITE CONNECT - OVERVIEW   14 iQ.Suite Connect 14.1 Overview

With iQ.Suite Connect social business collaboration plattforms can be connected to the iQ.Suite.

iQ.Suite Connect offers an automated solution for central storage of file attachments. For the pre-processing, filtration and classification of emails and file attachments iQ.Suites‘ sophisticated rule set is used, to allow rule-based selection and transfer of the file attachments to a collaboration system. If required, the file attachments are replaced in the email by URLs which refer to their location in the collaboration system. This prevents redundant data storage within mailboxes and connected systems, and moreover, reduces the load on the mail server during email transport. By clicking on the URLs, email recipients have access to the file attachments originally attached to the email.

Your individual guidelines and an automated classification guarantee that only file attachments of business relevant emails are transferred to and stored on your collaboration system. Into combination with the spam checking and virus checking modules of the iQ.Suite, safety of your collaboration platform is supported and required disc space is reduced.

Job Types

 Type: Connect SharePoint This job exports email attachments to a connected “Microsoft SharePoint” Social Business Collaboration System.

 Type: Connect Connections This job exports email attachments to a connected “IBM Connections” Social Business Collaboration System.

 Type: Connect Workflow By using Connect Workflow, you can save documents as well as create and start workflows in GBS Workflow Manager in an automated way.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 570 IQ.SUITE CONNECT - CONNECT ENGINES 

14.2 Connect Engines

Connect engines are used to connect collaboration systems with iQ.Suite. After configuring the Connect engines, they can be selected in Connect jobs. For every supported collaboration platform, an individual engine type is provided for iQ.Suite configuration.

The Connect Workflow Engine is used to connect iQ.Suite to GBS Workflow Manager. The configured engine can then be selected in the Connect Workflow Job.

14.3 Connecting iQ.Suite to Microsoft SharePoint

iQ.Suite Connect allows to connect iQ.Suite to Microsoft SharePoint. Email‘s file attachments are uploaded and stored onto the SharePoint server according to your configuration.

Supported SharePoint versions: 2013, 2016 and Online

Required components:

To be able to use SharePoint in combination with iQ.Suite, install after iQ.Suite installation the following additional packages on the iQ.Suite server:

 SharePoint Client Runtime: sharepointclientcomponents_16-4351-1000_x<86/64>_en-us.msi

This MSI file is available in the iQ.Suite program directory under Support/Connect.

If the file attachments contained in emails are replaced by URLs, internal and  external email recipients require appropriate access rights on the SharePoint server. Otherwise the file attachments cannot be opened.

14.3.1 Configuring a SharePoint Engine

SharePoint connection is provided by a SharePoint engine.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 571 IQ.SUITE CONNECT - CONNECTING IQ.SUITE TO MICROSOFT SHAREPOINT 

A SharePoint Engine document (SAMPLE) is available in the iQ.Suite standard configuration under CONNECT -> UTILITIES -> CONNECT ENGINES.

1. Open the SAMPLE Engine document or create a new Engine document.

2. In the Basics tab, perform the following settings:

 Connect Interface: DLL file that links the iQ.Suite with the SharePoint server. Do not change this entry.

 Timeout: Usually, the default settings can be kept. If the engine causes frequent timeouts in your system environment, increase the number of seconds in this field. A timeout can occur if an engine test (per engine) or an upload event (per email attachment) is not finished within the specified time period. Please take into account that the size of the file attachments affects upload duration.

 ‘Write detailed log data’: A log with more detailed processing information is written, e.g. for error analysis.

3. In the Settings tab, perform the settings to allow connection between iQ.Suite and the SharePoint server:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 572 IQ.SUITE CONNECT - CONNECTING IQ.SUITE TO MICROSOFT SHAREPOINT 

 Server name/address: Server name or IP address of the Sharepoint server to which the file attachments are to be sent from the iQ.Suite server.

 Server port: Port number of the SharePoint server. The port is used to establish connection between SharePoint and the iQ.Suite server. Typically, port 80 is used for connections via HTTP and port 443 for connections via HTTPS. If set to ‘0’, the standard port is used (port 80 or 443).

 Server protocol: Select the protocol to be used for the transport of file attachments. For security reasons, we recommend to use HTTP for test scenarios only.

Using a proxy server is possible only with HTTPS. When using a proxy server  with HTTP, an error occurs and uploading attachments is cancelled.

 Certificate path: If using HTTPS, you can specify the path to the SharePoint server certificate to be used to validate the certificate returned by SharePoint. Enter the absolute path or the path relative to the iQ.Suite program directory (parameter ToolKit_ExecDir in notes.ini).

If no path is entered, the returned server certificate is considered as trustable without previous validation.

 Site: Path to the website or Web Site Collection which contains the Library. This path results from the URL of the website or Web Site Collection. A web

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 573 IQ.SUITE CONNECT - CONNECTING IQ.SUITE TO MICROSOFT SHAREPOINT 

application may contain several Web Site Collections and each Site Collec- tion may contain top-level sites with subsites.

 Library: Name of the SharePoint upload library, e.g. ‘Shared Documents’ (SharePoint 2010) or ‘Documents’ (SharePoint 2013). This library will be used to store the file attachments. You can specify the SharePoint library in the Connect job as well, however, the job settings overwrite the engine settings. This behavior is important if you use several Connect jobs and/or Con- nect engines.

 Domain: Name of the domain in which the user specified below is located.

 User / Password: Data for user authentication on the SharePoint server. This user requires read and write permissions on the specified Library.

 Office 365 connection (if using SharePoint Online): Since the authentication on SharePoint Online differs from the authentication on traditional SharePoint servers, you must enable this option if the specified server is a SharePoint Online server.

 Use proxy server: To establish a connection to the SharePoint server via a proxy, enable this option. In the subsequent field, select the configuration document of the proxy server.

Using a proxy server is possible only with the SharePoint Server protocol  HTTPS. When using a proxy server with HTTP, an error occurs and uploading attachments is cancelled.

4. Activate the configuration document and save the configuration.

14.3.2 SAMPLE Job: Storing File Attachments in Microsoft SharePoint

Once a SharePoint Engine is configured, configure a Connect SharePoint Job, e.g. based on the SAMPLE job. The following description only covers the job-specific settings.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 574 IQ.SUITE CONNECT - CONNECTING IQ.SUITE TO MICROSOFT SHAREPOINT 

1. Click on CONNECT -> MAIL-JOBS and open the job SAMPLE - Upload Office

Attachments to SharePoint. Click on EDIT and enable the job.

For further information on configuration, please refer to “Basics Tab - Mail Job” on page 39.

2. Open the Operations tab:

3. Use the Selection tab to filter the email attachments to be uploaded. In the following example, Office files will be uploaded:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 575 IQ.SUITE CONNECT - CONNECTING IQ.SUITE TO MICROSOFT SHAREPOINT 

Additionally to the usual Selection settings, which are described under “Selection Tab (only in particular jobs)” on page 46, the following option is available:

 Ignore inline attachments: The file attachments that are embedded in the email body will not be uploaded.

A configurable filter for prohibited file types exists on the SharePoint server. This  filter can disable the automatic upload of files, regardless of the SharePoint Job configuration.

If no attachments to be uploaded remain after filtering, the job processing is  stopped and none of the selected actions on Success or on Error is executed.

4. Use the Options tab to modify upload behavior of the file attachments to the SharePoint server:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 576 IQ.SUITE CONNECT - CONNECTING IQ.SUITE TO MICROSOFT SHAREPOINT 

 SharePoint Engine: Select a SharePoint Engine.  Library: Name of the SharePoint upload library, e.g. ‚Shared Documents' (SharePoint 2010) or ‚Documents‘ (SharePoint 2013). This library will be used to store the file attachments. You can specify the SharePoint library in the Connect engine as well, however, the job settings overwrite the engine settings. This behavior is important if you use several Connect jobs and/or Connect engines. Make sure that the authorized SharePoint user is provided with the required permissions on this library.

 Directory path: Path to the directory inside of the llbrary which will be used to store the file attachments. If the ‘Create directories’ option is enabled, the directories specified in the path will be created in the SharePoint library during upload (in case they do not already exist).

If the ‚Create directories‘ option is disabled and the specified directory path does  not exist, the attachments will not be uploaded.

Separate the directories specified in the path with a slash. Prohibited characters (: * ? '' < > | # { } % ~ &) will be automatically replaced by underscores.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 577 IQ.SUITE CONNECT - CONNECTING IQ.SUITE TO MICROSOFT SHAREPOINT 

Example: Development/Share/[VAR]sender[/VAR]/Mails/

 ‘Create directories’: refer to Directory path.

 Collision behavior: Define how to upload a file attachment in case a file with the same name already exists:  ‘Cancel with error‘: The upload is cancelled for the colliding file attachment and is evaluated as an upoad error.  ‘Cancel with success‘: The upload is cancelled for the colliding file attachment and is evaluated as an upoad success.  ‘Overwrite and preserve version‘: The existing file is overwritten with the new file; the new file gets the version number of the overwritten file.  ‘Overwrite with new version‘: The existing file is overwritten with the new file; the new file is handled according to the Check-in behavior settings.

 Check-in behavior: Specify whether and how to check in the uploaded file attachments into the SharePoint library:  ‘No check-in‘: The file attachments are uploaded but not checked in.  ‘Check in as minor version‘: The file attachments are checked in as a minor version (e.g. version number 3.2 -> 3.3).  ‚Check in as major version‘: The file attachments are checked in as a new major version (e.g. version number 3.2 -> 4.0).

Please note that this behavior depends on the settings on the SharePoint server  as well.

 Check-in comment: For identifying the uploaded file attachments, you can enter a SharePoint comment. Use variables to display the upload date, for example.

 File attachment links: Specify whether and how to insert the URLs to the uploaded file attachments in the email.  ‘Do not insert‘: No URLs are inserted.  ‘Insert at end of email‘: The URLs are inserted at the end of the email body.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 578 IQ.SUITE CONNECT - CONNECTING IQ.SUITE TO MICROSOFT SHAREPOINT 

 ‘Insert at top of email‘: The URLs are inserted at the beginning of the email body.

 ‘Remove file attachments from email‘: Specify whether successfully uploaded file attachments are to be removed from the email. File attachments that could not be uploaded are kept unchanged. We recommend you not to enable this option, when the ‘Do not insert‘ option is selected under File attachment links.

 Perform success actions: Specify when to perform the success actions defined for this job:  Option 1: ‘At least one upload successful‘: At least one of the file attachments to be uploaded from an email has been uploaded successfully. If not, the selected error actions will be executed.  Option 2: ‘All uploads successful‘: All file attachments to be uploaded from an email have been uploaded successfully. If not, the selected error actions will be executed.

Example of an email with several file attachments, one of those with collision:

Some of the file attachments have been uploaded, but at least one of the file attachments to be uploaded could not be uploaded due to a collision.

If option 1 is selected, the success actions are executed. If option 2 is selected, the success actions are not executed.

5. Use the Mappings tab to declare mappings in order to set additional data in existing columns of your SharePoint library:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 579 IQ.SUITE CONNECT - CONNECTING IQ.SUITE TO MICROSOFT SHAREPOINT 

 Column: Specify the name of a column which exists in your SharePoint library. This field is case-sensitive.

If the specified column name does not exist in the SharePoint library, the values  entered in Value cannot be set.

 Value: For every uploaded email attachment, specify the values which are to be automatically set in the SharePoint library‘s column specified in the Column field. For values in the columns, strings and certain variables1 are supported. With this, a lot of column types can be used since SharePoint interprets and automatically converts the defined strings. For further information, please contact the GBS Support.

In case of errors when setting values in the column of the SharePoint library, no  value is set in the columns. This is, for example, the case when a value cannot be interpreted as a number.

 Description: Use this field, for example, to write a comment about the field mapping.

1. The supported variables are described in the online help under HELP.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 580 IQ.SUITE CONNECT - CONNECTING IQ.SUITE TO MICROSOFT SHAREPOINT 

If the option for notifying the administrator is enabled in the Success  Actions/Error Actions tab and the %QuarantineReport% variable is set in the notification template, you will be informed of successful/failed mapping actions in the notification email.

6. Use the Success Actions and Error Actions tabs to select additional actions to be triggered in case of successful or failed uploads of file attachments. You can, for example, notify the administrator in case of errors. For further information on these tabs, please refer to “Actions” on page 47.

7. Save the configuration document.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 581 IQ.SUITE CONNECT - CONNECTING IQ.SUITE TO HCL CONNECTIONS 

14.4 Connecting iQ.Suite to HCL Connections

iQ.Suite Connect allows to connect iQ.Suite to HCL Connections. Email‘s file attachments are uploaded and stored onto the Connections server according to your configuration.

Supported versions of HCL Connections: vrsion 4.5 or higher.

If the file attachments are replaced by URLs in the emails, internal and external  email recipients require appropriate access rights on the Connections server. Otherwise the file attachments cannot be opened.

14.4.1 Configuring Connections Engine

Connection to the Connections server is provided by a Connections engine.

A Connections Engine document (SAMPLE) is available in the iQ.Suite standard

configuration under CONNECT -> UTILITIES -> CONNECT ENGINES.

1. Open the SAMPLE Engine document or create a new Engine document.

2. In the Basics tab, perform the following settings:

 Connect Interface: DLL file that links the iQ.Suite with the Connections server. Do not change this entry.  Timeout: Usually, the default settings can be kept. If the engine causes frequent timeouts in your system environment, increase the number of seconds in this field. A timeout can occur if an engine test (per engine) or an upload event is not finished within the specified time period. An upload event consists of the

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 582 IQ.SUITE CONNECT - CONNECTING IQ.SUITE TO HCL CONNECTIONS 

upload of all email‘s file attachments to be uploaded. Please take into account that the size/number of the file attachments affects upload duration.

 ‘Write detailed log data‘: A log with more detailed processing information is written, e.g. for error analysis.

3. In the Settings tab, perform the settings to allow connection between iQ.Suite and the Connections server:

 Server name/address: Server name or IP address of the Connections server to which the file attachments are to be sent from the iQ.Suite server.  Server port: Port number of the Connections server. The port is used to establish connection between the Connections server and the iQ.Suite server. If set to ‘0’, the HTTPS standard port ‘443’ is used.  Server protocol: Uploading files to IBM Connections is only possible via HTTPS. Therefore, the server protocol ‘HTTPS’ is preset and cannot be changed.  Certificate path: Specify the path to the SSL certificate (Connections server certificate or root certificate) to be used to validate the certificate returned by Connections. Enter the absolute path or the path relative to the iQ.Suite program directory (parameter ToolKit_ExecDir in notes.ini).

If no path is entered, the returned server certificate is considered as trustable without previous validation.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 583 IQ.SUITE CONNECT - CONNECTING IQ.SUITE TO HCL CONNECTIONS 

 Folder name: Specify the name of the Connections folder to which the uploaded file attachments are to be added. If this field is empty, no attachments are added to a folder.  User / Password: Specify the authentication data of the user who has read and write permissions on the Connections server so that the file attachments can be uploaded to the Connections server.  Use proxy server: To establish a connection to the Connections server via a proxy, enable this option. In the subsequent field, select the configuration document of the proxy server.

4. Activate the configuration document and save the configuration.

14.4.2 SAMPLE Job: Storing File Attachments in HCL Connec- tions

Once a Connections Engine is configured, configure a Connect Connections Job, e.g. based on the SAMPLE job. The following description only covers the job-specific settings.

1. Click on CONNECT -> MAIL-JOBS and open the job SAMPLE - Upload Office

Attachments to Connections. Click on EDIT and enable the job:

For further information on configuration, please refer to “Basics Tab - Mail Job” on page 39.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 584 IQ.SUITE CONNECT - CONNECTING IQ.SUITE TO HCL CONNECTIONS 

2. Open the Operations tab:

3. Use the Selection tab to filter the email attachments to be uploaded. In the following example, Office files will be uploaded:

Additionally to the usual Selection settings, which are described under “Selection Tab (only in particular jobs)” on page 46, the following option is available:

 Ignore inline attachments: The file attachments that are embedded in the email body will not be uploaded.

4. Use the Options tab to modify upload behavior of the file attachments to the Connections server:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 585 IQ.SUITE CONNECT - CONNECTING IQ.SUITE TO HCL CONNECTIONS 

 Connections Engine: Select a Connections Engine.  ’Publish files’: If enabled, the uploaded files are published. In case of publi- shing, all users which have access to the Connections server can view and download these files – i.e. also unregistered users. To be able to add files to Public Folders or Shared Folders, this option must be enabled.  ‘Cancel upload on first error’: If enabled, the whole upload process is cancelled in case of upload errors. If the option is not enabled and an upload error occurs, only the affected file is skipped. Uploading continues for the other files.  File attachment links: Specify whether and how to insert the URLs (links) to the uploaded file attachments in the email.  ‘Do not insert‘: No URL is inserted.  ‘Insert at end of email‘: The URLs are inserted at the end of the email body.  ‘Insert at top of email‘: The URLs are inserted at the beginning of the email body.  ‘Create direct attachment link’: This option is editable if you have configured that links to the attachments are to be inserted in the email. If this option is enabled, direct download links to the uploaded files are returned. Otherwise, links to the Connections pages containing the files are returned.  ‘Remove file attachments from email’: If enabled, successfully uploaded file attachments are removed from the email. File attachments that could not be

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 586 IQ.SUITE CONNECT - CONNECTING IQ.SUITE TO HCL CONNECTIONS 

uploaded are kept unchanged. We recommend you not to enable this option, when the ‘Do not insert’ option is selected under File attachment links.  Run success actions: Specify when to perform the success actions defined for the job:  ‘At least one upload successful’: At least one of the email‘s file attachments to be uploaded has been uploaded successfully.  ‘All uploads successful’: All file attachments to be uploaded have been uploaded successfully.

5. Use the Success Actions/Error Actions tab to select additional actions to be triggered in case of successful / failed uploads of attachments. You can, for example, notify the administrator in case of errors: For further information on these tabs, please refer to “Actions” on page 47.

6. Save the configuration document.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 587 IQ.SUITE CONNECT - WORKFLOW: CONNECTING IQ.SUITE TO GBS WORKFLOW MANAGER 

14.5 Workflow: Connecting iQ.Suite to GBS Workflow Manager

By using iQ.Suite Connect, you can save documents as well as create and start workflows in GBS Workflow Manager in an automated way, provided that you have an appropriate license for GBS Workflow Manager and your Workflow Manager is configured accordingly. Supported GBS Workflow Manager Server versions: 3.1 or higher.

As a prerequisite for Connect Workflow, a Workflow Manager application must exist and contain the forms and workflows which will be used to create the connection. Refer to “Configuring Connect Workflow Job” on page 590.

For Workflow Manager-specific information, please refer to https://gbs.com/de/workflowmanagement and the Workflow Manager documentation.

14.5.1 Configuring a Workflow Engine

Connection to the Workflow Manager server is provided via a Workflow engine.

1. Open the document SAMPLE - Workflow Engine or create a new Workflow

Engine: CONNECT -> UTILITIES -> CONNECT ENGINES.

2. In the Settings tab, perform the settings to allow the connection between iQ.Suite and the Workflow Manager server:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 588 IQ.SUITE CONNECT - WORKFLOW: CONNECTING IQ.SUITE TO GBS WORKFLOW MANAGER 

 Server name/address: Server name or IP address of the Workflow Manager server to which iQ.Suite shall be connected.

 Server port: Port number of the Workflow Manager server. This port is used to establish connection between Workflow Manager server and iQ.Suite server. Typically, port 80 is used for connections via HTTP and port 443 for connections via HTTPS. If set to ‘0’, the standard port is used (port 80 or 443).

 Server protocol: Select the protocol to be used for the transport of the emails and email data from iQ.Suite to Workflow Manager. For security reasons, we recommend to use HTTP for test scenarios only.

 Certificate path: If using HTTPS, you can specify the path to the Workflow Manager server certificate to be used to validate the certificate returned by Workflow Manager.

If no path is entered, the returned server certificate is considered as trustable wit-  hout previous validation.

 Domain: Name of the Workflow Manager domain in which the Workflow Manager application and the user specified below are located.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 589 IQ.SUITE CONNECT - WORKFLOW: CONNECTING IQ.SUITE TO GBS WORKFLOW MANAGER 

 Application: Specify the Workflow Manager application to which you want to connect iQ.Suite.

 User / Password: iQ.Suite uses the authentication data of the Workflow Manager user specified here to communicate with the selected Workflow Manager application. This user must have appropriate rights in Workflow Manager to be able to execute the action selected in the Connect Workflow Job.

 Use proxy server: To establish a connection to the Workflow Manager server via a proxy, enable this option. In the subsequent field, select the configuration document of the proxy server.

3. Activate the configuration document and save the configuration.

14.5.2 Configuring Connect Workflow Job

Assign the previously configured Workflow Engine to a Connect Workflow Job. The configuration basically consists of three steps and spreads across the following tabs:

 Options: Selection of the action (e.g. ‚Create and start workflow‘) and basic assignment to the engine and a workflow or a form created in Workflow Manager

 Selection: Handling of file attachments

 Mappings: Mapping between email fields and fields of Workflow Manager documents or workflows.

The following description only covers the job-specific settings.

1. Click on CONNECT -> MAIL-JOBS and create a new Connect Workflow Mail Job. Enable the job:

2. Configure the job by using the tabs mentioned above and described in the following.

3. Then click on OK and save the configuration.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 590 IQ.SUITE CONNECT - WORKFLOW: CONNECTING IQ.SUITE TO GBS WORKFLOW MANAGER 

14.5.2.1 Operations -> Options Tab

 Workflow Engine: Select a Workflow Engine.

 Action: Select one of the following actions:  Create document: In the configured Workflow Manager application, a document will be created based on a form which is available in the Work- flow Manager application. The mapping set up between the email data type and the fields that are available in the respective Workflow Manager form determines which email data will be transferred to the document. The document will not be part of a workflow.  Enter the form name in the Form field.  Upload email body option (optional) - Body field name: Name of the field into which the email body will be entered. The content of the email body will be saved in the HTML format in the Workflow Mana- ger field.  Create and start workflow: A configured workflow will automatically be started in the Workflow Manager application. As an example, a received email which has been identified as a complaint by the iQ.Suite, could trigger a complaints workflow. The mapping set up between the email data type and the fields available in the respective workflow start task determines which email data will be transferred to the workflow.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 591 IQ.SUITE CONNECT - WORKFLOW: CONNECTING IQ.SUITE TO GBS WORKFLOW MANAGER 

Enter the information:

 Workflow field: Name of the workflow (is required)  Task field: Name of this workflow‘s start task. In case, no task is entered, and the workflow has several start tasks, the first one found will be used.  Upload email body option (optional) - Body field name: Name of the field into which the email body will be entered. The content of the email body will be saved in the Workflow Manager field in HTML format.  Create workflow: A configured workflow will automatically be created but not started yet. The settings needed for this job are the same as for the ‚Create and start workflow‘ action.

14.5.2.2 Selection Tab

Use the Selection tab to specify whether file attachments should be uploaded to the Workflow Manager application and, if so, define additional details.

In addition to the usual settings, which are described under “Selection Tab (only in particular jobs)” on page 46, the following options are available:  Attachments field name:All attachments which are uploaded will be saved in one field in Workflow Manager. This field (control) must be an ‚attachment‘ type field and be present in the Workflow Manager form. Enter the field name (control name).  Ignore inline attachments: The file attachments that are embedded in the email body will not be uploaded.

14.5.2.3 Mappings Tab

Use this tab to declare mappings in order to set email data or also meta data of the email in user-defined fields of the Workflow Manager form:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 592 IQ.SUITE CONNECT - WORKFLOW: CONNECTING IQ.SUITE TO GBS WORKFLOW MANAGER 

Use ADD to create new mappings.

 Workflow field: Enter the name of the field (control name) exactly the way it is specified in the Workflow Manager form. Note that in Workflow Manager the field names are case-sensitive.  Value: Enter the value for the desired variable manually according to the required syntax.

Possible values for fields:  Fixed strings Example: incomingType = email

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 593 IQ.SUITE CONNECT - WORKFLOW: CONNECTING IQ.SUITE TO GBS WORKFLOW MANAGER 

 Standard variables: jobname, date, dateonly, timeonly, subject, msgid Syntax: [VAR][/VAR] Example: [VAR]date[/VAR].

 Variables for Notes email fields. Syntax: [VAR]note::[/VAR] Example: [VAR]note::CustomerNumber[/VAR]

The following field types are supported: text, text list, number, time and RFC822 text.

In case variables for Notes email fields are used, the Workflow job can only fill the fields correctly if an accordingly configured Wall Action Mail Job has previously processed the email. Refer to “Wall Action: Text Analysis by using Regular Expressions” on page 306.

If (e.g. CustomerNumber) does not exist in the email, the Workflow job transfers the variable as a string. If you want that, instead of this, an empty string is transferred in this case, a semicolon must be set before the [/VAR] tag, e.g. [VAR]note::customer_number;[/VAR].

If exists in the email but contains no value (i.e. not even an empty string), then an empty string is transferred.

14.5.2.4 Success Actions/Error Actions Tab

Use the Success Actions/Error Actions tab to define which notifications are to be sent in case of a successful / failed processing. For further information on these tabs, please refer to “Actions” on page 47.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 594 IQ.SUITE CONVERT - OVERVIEW   15 iQ.Suite Convert 15.1 Overview

iQ.Suite Convert is used to convert email file attachments to PDF or PDF/A or compress them to ZIP or 7-ZIP before delivery, based on rules.

PDF reduces the risk of data manipulation and, due to its widespread use, also avoids compatibility problems when opening files on the recipient side. Compres- sion to ZIP additionally allows to reduce the size of the file and therefore of the email, which in turn relieves your infrastructure and increases the overall performance.

Fingerprints allow to restrict the attachments to be converted according to the file type.

Job types  Type: Compression Compress file attachments to ZIP or 7-ZIP

 Type: Decompression Extract attachments from archives (e.g. RAR, ZIP, 7-ZIP, TAR, etc.) and PDF files

 Type: PDF Conversion Convert file attachments to PDF or PDF/A

 Type: Command Line Execute actions for attachments from the command line

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 595 IQ.SUITE CONVERT - SAMPLE JOB: COMPRESSING FILE ATTACHMENTS 

As a rule, emails encrypted or signed with S/MIME or PGP/MIME are not pro-  cessed by iQ.Suite Convert jobs in order to avoid difficulties on the recipient side.

15.2 Sample Job: Compressing File Attachments

Before they are delivered, it is possible to compress email attachments to ZIP or 7-ZIP (Open Source software) and, where required, protect them with a password. The significant reduction of the file size resulting from the compression process allows to reduce both the server load caused by the email traffic and the disk space required in the recipients‘ mailboxes.

As a general rule, images embedded in email bodies are not compressed in  order to avoid display errors on the recipient side.

Click on CONVERT -> MAIL JOBS and open the DEFAULT - Compress Outgoing Attachments job. Set the job configuration settings in the standard tabs. Refer to “Standard Tabs for Jobs” on page 39.

The following description only covers the job-specific settings. Set which conditions must be met by emails for the Convert job to start. As configured, the DEFAULT job only processes internal emails addressed to external recipients (positive rule RemoteRecipient). In addition, the job is only to process emails with a file attachment. To this end, select the ‘Only with attachment’ option in the Basics tab under Attachment dependency.

15.2.1 Selection Tab

1. In the Operations tab, open the Selection tab:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 596 IQ.SUITE CONVERT - SAMPLE JOB: COMPRESSING FILE ATTACHMENTS 

 Convert emails from Richtext to MIME: As a general rule, Convert jobs only process emails available in MIME format. Therefore, Richtext mails are not processed but passed to the next job in the job processing chain. To be able to process Richtext mails, they need to be converted to MIME first.

 Keep/Remove originals: Decide how to handle the original file attachments. With ‘Remove originals’ (default), the attachments will be removed and simply sent in compressed form.

In the section Configuration of the attachments to be compressed, specify conditions to filter the attachments to be compressed by file size and file type:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 597 IQ.SUITE CONVERT - SAMPLE JOB: COMPRESSING FILE ATTACHMENTS 

 Attachment size has to be greater/smaller than ... KB: Use these fields if you want the file attachments to be processed depending on the file size. You can specify a minimum and/or maximum size. By default, attachments will only be compressed if their size is not less than 100 KB. Without any size restrictions, even very small attachments will be compressed although the benefit of the compression is negligible regarding the disk space saved. Furthermore, processing a large number of very large files may seriously affect the server performance.

 File types: The file attachments can be filtered by file types: Use the option ‘Selected file types’ to specify for which file types (fingerprints) the job shall be executed or for which it shall not be executed (exceptions). With the default settings, all attachments will be compressed, except already compressed files (archive files).

 Compression is equal to or greater than: Specify the minimum compression percentage to be reached for an attachment to be sent in compressed form. With the setting of 10% (default), the file size of a compressed file attachment must be at least 10% smaller than the original file. Please note that, even with this option enabled, each file attachment is processed and therefore affects the server load. If the specified value cannot be reached, the file attachment is delivered without being compressed.

15.2.2 Options Tab

Open the Options tab:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 598 IQ.SUITE CONVERT - SAMPLE JOB: COMPRESSING FILE ATTACHMENTS 

Compression:

The default Compression method is ‘ZIP’ with the ‘Normal compression’ level. As an alternative, you can select the compression method ‘7-ZIP’ and/or change the Compression level:

 ‘High compression’: The focus is on maximum compression for maximum space saving. Please note that this may significantly increase the duration of the compression process for each file. In this case, you may have to adjust the period of time after which compression is aborted (‘Call timeout after ... seconds’ option).

 ‘Normal compression’ (default): The focus is on achieving a compromise between quick and high compression. From experience, this is a setting that yields reasonable results.

 ‘Quick compression’: The focus is on quick compression and minimizing the computing time and resources needed. Please note that with this setting the compression level achieved may be less than maximum.

 ‘No compression’: The attachments are simply converted to the ZIP format, but not compressed.

Protection:

To protect compressed attachments with a password, proceed as follows:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 599 IQ.SUITE CONVERT - SAMPLE JOB: COMPRESSING FILE ATTACHMENTS 

1. Enable the Protect compressed attachments option.

2. In the Encryption method field, select the encryption method to be used:  ‘ZIP’  ‘AES’

3. Select a Password type:  ‘Fixed password’: Click on the button to enter the Password to be used to encrypt all files which will be processed by this job.

 ‘Use subject command’: Specify in the Subject command field the command to be entered by the sender in the subject line of his email as follows:

Command=Password Example: Contract pwd=teSt123

The command and password are removed from the subject before the email is delivered to the recipient.

For ‘Fixed Password' and ‘Use subject command’, the following characters can  be used in the command and password:  all small and capital letters of the Roman alphabet (umlauts are not allowed)  all numbers from 0 to 9  special characters: ! $ & / = ? # * + - _ < > The command is not case-sensitive.

 ‘One-time password’: iQ.Suite generates a random password which can be sent to the sender or administrator via a notification.

For the password complexity, select the Password management to be used1.

 ‘Use password management’:

1. Refer to „Password complexity“ under “The Configuration Document ‘Password Management’” on page 111.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 600 IQ.SUITE CONVERT - SAMPLE JOB: COMPRESSING FILE ATTACHMENTS 

iQ.Suite uses the selected Passwort management to generate a password according to the option set in the Password generation field:

 ‘For each email’: A new password is generated for each email. All recipients of the email will use the same password.

 ‘For each recipient’: If several emails are sent to recipient A, the password that was generated for the first email is also used for all following emails to recipient A. In the Passwort Management, you can configure that recipient-specific passwords expire after a certain time and that new passwords are to be generated in case of expiration.

 ‘For each sender-recipient combination’: For each sender-recipient combination, a new password is generated. Examples: 1. Sender A sends several emails to recipient C. For all emails from sender A to recipient C, the same password is used (e.g. ‘Pass1’). 2. Sender B also sends emails to recipient C. A new password is generated (e.g. ‘Pass2’). All emails from sender B to recipient C will then be encrypted with this password.

For information on the Password Management, refer to “Password Management” on page 110.

Please note: The password must be communicated to the email recipients and  either the unpacker used by the recipient must support the encryption method or a Decompression Job must be configured accordingly and enabled.

Sending the password in notifications

By using the standard notification tempates, the password can be sent to the sender and administrator in a notification. For this, the following placeholders can be used in the Convert notification templates:

 Passwort as text: %password%

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 601 IQ.SUITE CONVERT - SAMPLE JOB: COMPRESSING FILE ATTACHMENTS 

 Passwort image: %TXT2IMG::password% Note: TXT2IMG is case-sensitive.

The password can be communicated to the recipient by SMS or phone, for example.

Other Options:

 All attachments must be compressed successfully: This option applies for emails which contain multiple file attachments. ‘Processing’ means hereafter the compression.

In case this option is disabled and at least one file attachment could be processed, the Success Actions are triggered. If no attachments could be processed, the Error Actions are triggered.

In case this option is enabled, all file attachments must be processed for the Success Actions to be triggered. Otherwise (i.e. if at least 1 attachment could not be processed), the Error Actions are triggered.

 Combine multiple files into one archive: In case the email contains several attachments, all attachments will be compressed into a single archive. In the Filename field, specify how to name the archive file. If this option is disabled, each file attached to the email will be compressed to a single archive.

 Call timeout after ... seconds: Depending on the number of files or the size of the files, it may make sense to set a timeout in order to limit the processing time allowed for each attachment. If an attachment cannot be processed within the specified time, processing is aborted and continued with the next attachment or next email. In this case, the email is delivered with the attachment in the original format.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 602 IQ.SUITE CONVERT - SAMPLE JOBS: EXTRACTING FILE ATTACHMENTS FROM ARCHIVES/PDFS (DECOMPRESSION)

15.3 Sample Jobs: Extracting File Attachments from Archives/PDFs (Decompression)

Convert Decompression Jobs are used to extract files from archives (e.g. RAR, ZIP, 7-ZIP, TAR etc.) and from PDFs. This way, the end user is not charged with different archive formats. However, please note that decompression increases the disk space required in the recipients‘ mailboxes.

The SAMPLE - Decompress PDFs job is used to extract files from PDF attachments. The PDFs created/encrypted by iQ.Suite PDFCrypt are excluded from the processing.

The SAMPLE - Decompress Archives job is used to extract files from ZIP and SFX archives. Some files like the ZIP files created/encrypted by iQ.Suite Convert are excluded from the processing. For details on the files types which are excluded, please refer to the Operations -> Selection tab.

Click on CONVERT -> MAIL-JOBS and open the desired sample job or create a new Convert Decompression Job2.

15.3.1 Selection Tab

In the Operations tab, open the Selection tab and define which file types are to be extracted. Additionally, you can determine the timeout value.

Example in SAMPLE - Decompress PDFs:

2. How to configure the standard tabs is described under “Standard Tabs for Jobs” on page 39.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 603 IQ.SUITE CONVERT - SAMPLE JOBS: EXTRACTING FILE ATTACHMENTS FROM ARCHIVES/PDFS (DECOMPRESSION)

 Abort decompression after ... seconds: With this timeout option, you can set a time limit for a decompression action. In case of timeout, the extraction is aborted.

For further information on the other settings in this tab, please refer to “Selection Tab (only in particular jobs)” on page 46.

15.3.2 Options Tab

The extraction options documented below are valid for archives and for PDFs.  PDFs which contain file attachments are considered as “archives”. Therefore, the word “archive” mentioned below includes “PDF” as well.

Use the Options tab to make the following settings:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 604 IQ.SUITE CONVERT - SAMPLE JOBS: EXTRACTING FILE ATTACHMENTS FROM ARCHIVES/PDFS (DECOMPRESSION)

 Maximum depth of extraction: In case emails contain nested archives, specify here the maximum number of recursive decompression actions per archive. With “nested archives”, we mean “archives which contain archives”. Example:

An email contains a ZIP archive (A1) which again contains a ZIP archive (A2). A1 contains 2 files (XLS and DOC), A2 contains 3 TXT files. In case of a recursive extraction (Maximum depth of extraction is ‘2’ or higher), two decompression actions are performed and all files from both archives are added together (2 + 3 = 5).

 Maximum size after decompression (KB): Maximum absolute size of all extracted files per archive.

 Maximum number of files to extract: Maximum number of files that should be extracted per archive. If the archive contains more files, the archive is not unpacked.

Other Options:

 Use password for decryption: To decompress password-protected archives, the Decompression Job needs to know the password to be used for decryption. The selected Password type determines the password to be used:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 605 IQ.SUITE CONVERT - SAMPLE JOBS: EXTRACTING FILE ATTACHMENTS FROM ARCHIVES/PDFS (DECOMPRESSION)

Click on the button to enter the Password to be used to decrypt all files which will be processed by this job.

 ‘Use subject command’: Use this option if you want the sender to write the password for decryption as a command in the email subject field. Specify the command to be used in the Subject command field.

The sender must enter the command and password in the subject field as follows:

Command=Password Example: Contract pwd=teSt123

The command and password are removed from the subject before the email is delivered to the recipient.

The command is not case-sensitive.

 ‘Use password management’: Select the Password management to be used. All passwords which exist in the associated password database and are valid for the sender or the sender-recipient combination are checked for decryption.

 Extract PDF files: With this option enabled, the files contained in PDFs will be extracted. Contrary to archives which are removed from the email after their decompression, the PDF remains unchanged in the email.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 606 IQ.SUITE CONVERT - SAMPLE JOB: CONVERTING ATTACHMENTS TO PDF 

The options relative to the depth of extraction, size and number of files after ext-  raction apply to PDF files as well if the ‘Extract PDF files‘ option is enabled. Fur- thermore, the specified password is also used to decrypt PDFs.

15.4 Sample Job: Converting Attachments to PDF

Before they are sent to the recipients, the attachments attached to an email can be converted to PDF or PDF/A. This allows to meet corporate policies and security requirements, for instance that it is not allowed to send editable files to external recipients. The conversion to the PDF format allows to reduce the risk of data manipulation, e.g. in Office files or images. In addition, once converted, any additional Information included in the original files such as markups, metadata, etc. is no longer available to the recipients.

In addition, the conversion to the widely used PDF format avoids the problem that recipients are not able to open the files due to a proprietary format or compatibility issues related to outdated software versions.

1. Click in the administration console on MAIL JOBS and open the job SAMPLE - Convert Outgoing Attachments To PDF. As configured, the SAMPLE job only processes internal emails addressed to external recipients (positive rule RemoteRecipient).

3 2. Click on EDIT and activate the Job .

3. Because the job is only to process emails with a file attachment, select the ‘Only with attachment’ option in the Basics tab under Attachment dependency.

4. In the Operations tab, open the Selection tab:

3. How to configure the standard tabs is described under “Standard Tabs for Jobs” on page 39.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 607 IQ.SUITE CONVERT - SAMPLE JOB: CONVERTING ATTACHMENTS TO PDF 

 Keep/Remove originals: Decide how to handle the original file attachments. With ‘Remove originals’ (default), the attachments will be removed and simply sent in PDF format.

 In the section Configuration of the attachments to be converted, specify conditions to filter the attachments to be converted. Refer to “Selection Tab (only in particular jobs)” on page 46. By default, all file attachments are to be converted, except the file attachments which are already PDF files.

5. In the Operations tab, open the Options tab:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 608 IQ.SUITE CONVERT - SAMPLE JOB: CONVERTING ATTACHMENTS TO PDF 

 Use PDF/A format: By default, the PDF conversion job converts file attachments to the popular PDF format. Alternatively, the attachments can be converted to the ISO standard PDF/A format. To do so, enable the ‘Use PDF/A format’ option. In both cases, you can use advanced PDF conversion parameters to modify the PDF output. To create documents conform with PDF/A, the parameter WRITE_PDFA_1B_METADATA has to be added with the value 'True' in the Advanced convert options. For an application example, please refer to “Advanced convert options PDF / PDF/A” on page 610.

 All attachments must be converted successfully: This option applies for emails which contain multiple file attachments. ‘Processing’ means hereafter the conversion.

In case this option is disabled and at least one file attachment could be processed, the Success Actions are triggered. If no attachments could be processed, the Error Actions are triggered.

 Call timeout after ... seconds: Depending on the number of files or the size of the files, it may make sense to set a timeout in order to limit the processing time allowed for each attachment. If an attachment cannot be processed within the specified time, processing is aborted and continued with the next attachment or next email. In this case, the file attachment is delivered in the original format.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 609 IQ.SUITE CONVERT - SAMPLE JOB: CONVERTING ATTACHMENTS TO PDF 

 Advanced convert options PDF / PDF/A Click on ADD:

In the Parameter field, enter the parameter name and in the Value field the corresponding value. Click OK to confirm4.

Example:

Users sometimes use special fonts to format documents. If these fonts are unavailable on the server where the documents are converted to PDF, they are replaced with default fonts. To change these default fonts, you can set the following PDF parameters:

4. For further Information on PDF parameters, please refer to the separate document iQ.Suite Convert_TechDoc. Download under www.gbs.com.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 610 IQ.SUITE CONVERT - SAMPLE JOB: CONVERTING ATTACHMENTS TO PDF 

Parameters Value Description

PRINTFONTALIAS_ Name of the missing character set, If the character set is unavaila- ORIGINAL<_x> e.g. Britannic Bold. ble, it is replaced with the cha-

<_x>: As usually more than one font racter set specified in the will have to be replaced, you can use PRINTFONTALIAS_ALIAS the <_x> counter (_1, _2, _3 etc.) to <_x> parameters. set specify several fonts.

PRINTFONTALIAS_ Name of the replacement character Character set to be used ALIAS<_x> set, e.g. Arial. instead of the character set specified in the PRINTFONTALIAS_ORIGI NAL<_ x> parameters.

PRINTFONTALIAS_ SCCVW_FONTALIAS_ALIASNAME:a Sets if and how the settings in FLAGS<_x> The replacement character set is PRINTFONTALIAS_ORIGI used. If a default character set exists, NAL<_x> and it is overwritten. PRINTFONTALIAS_ALIAS <_x> are used.

a. Further values can be configured besides SCCVW_FONTALIAS_ALIASNAME.

Under Unix: For the Convert PDF Mail Job to be able to start, you need to add the parameter FONTDIRECTORY and specify the path to the fonts of the operating system. Example for Linux with Domino 9.x:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 611 IQ.SUITE CONVERT - SAMPLE JOB: CONVERTING ATTACHMENTS VIA COMMAND LINE 

15.5 Sample Job: Converting Attachments via Command Line

The Convert Command Line job allows to run your own application (.exe, .bat) that performs specific actions with the attachments, e.g. convert specific file types to TIFF.

When processing the email, the job starts this application. The application must contain certain parameters, which are read by the job and passed to iQ.Suite via the command line. The actions specified in your own application and in the iQ.Suite job are applied to the attachments of the email.

The Convert Command Line Job is only working on Windows.

15.5.1 Selecting Attachments

1. Open under CONVERT -> MAIL JOBS the job SAMPLE - Convert Command Line. As configured, the sample job processes all emails.

5 2. Click on EDIT and activate the Job .

3. In the Operations tab, open the Selection tab:

5. How to configure the standard tabs is described under “Standard Tabs for Jobs” on page 39.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 612 IQ.SUITE CONVERT - SAMPLE JOB: CONVERTING ATTACHMENTS VIA COMMAND LINE 

Determine what is to be done with the original attachments. By default, they are removed and the result of the job action is attached to the email as a file attachment.

To limit the size of the attachments to be processed, set the Attachment size fields accordingly.

By default, all attachments are processed, including embedded attachments such as embedded images. If you want to exclude specific files from being processed, click the ‘Selected file types’ option and specify the file types to converted by selecting fingerprints.

15.5.2 Conversion Options

Open the Options tab:

 File extension: The file extension specified here is added to the converted attachments. Specify this file extension if the application to be run modifies the file type, but does not change its extension.

 Remove original file extension: Define whether the original file extension shall be removed from the filename of the created file during conversion. Example: convert.exe -> convert.exe.tif or only convert.tif

 All attachments must be converted successfully:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 613 IQ.SUITE CONVERT - SAMPLE JOB: CONVERTING ATTACHMENTS VIA COMMAND LINE 

This option applies to emails that contain multiple file attachments. Hereafter, 'processing' means the conversion.

In case this option is disabled and at least one file attachment could be processed, the Success Actions are triggered. If no attachments could be processed, the Error Actions are triggered.

Configuring Your Own Application

Open the Options tab and click on EDIT to configure an application:

Example with ImageMagick Resizing:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 614 IQ.SUITE CONVERT - SAMPLE JOB: CONVERTING ATTACHMENTS VIA COMMAND LINE 

 Application: Specify the filename or the path to the application.

 Parameters: iQ.Suite provides the following parameters for the command line. For any action to be applied to attachments, you have to define at least the parameters [Cmd_InFile] and [Cmd_OutFile] in the application.

 [Cmd_InFile]: Content of the original file attachment (input file).  [Cmd_OutFile]: Content of the converted attachment (output file). The original file attachment is replaced with the content of this file. If no output file is created, the file attachment is not replaced.  [Cmd_ReportFile] (optional): If the application to be run writes a processing report to this file, the report is later included in the job report.  [AttachmentName_Safe] (optional): This parameter is replaced with the ASCII name of the file attachment without the file extension.  [AttachmentExtension_Safe] (optional): This parameter is replaced with the ASCII file extension of the file attachment.

Not-ASCII characters and most of the ASCII special characters are replaced  with underscores.

 Timeout: Specify a timeout for the application. If the attachments cannot be processed within the period of time specified here, processing is aborted.

Application:

If your application is located in the iQ.Suite program directory (parameter ToolKit_ExecDir), you can specify the filename without path.

If you specify a path, do not set the path in quotation marks. They are automatically set by the iQ.Suite. Example: Correct: C:\Program Files (x86)\mydir\myprog.exe Wrong: "C:\Program Files (x86)\mydir\myprog.exe"

If you set quotation marks, the following error message will appear:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 615 IQ.SUITE CONVERT - SAMPLE JOB: CONVERTING ATTACHMENTS VIA COMMAND LINE 

External program call failed (Reason: Error starting "c:\Program Files (x86)\mydir\myprog.exe". Windows error 0x0000007b - The filename, directory name, or volume label syntax is incorrect.)

Parameters:

For any action to be applied to attachments, you have to define at least the parameters [Cmd_InFile] and [Cmd_OutFile] in the application.

INFILE= and OUTFILE= are usually not needed.

If the path to the iQ.Suite‘s temporary directory contains spaces (e.g. ToolKit_TempDir=c:\Documents and Settings\...), set the parameters in quotation marks.

When specifying a path to call the application, set the directories containing spaces in quotation marks.

The placeholders %ExecDir% and %COMSPEC% cannot be used!

In case the call must be wrapped in a batch file, e.g. to make different calls or if multiple OK return codes exist, the configuration looks like in the following example:

Application: c:\windows\system32\cmd.exe

Parameter: /C c:\"Program Files (x86)"\mypath\mybatch.cmd "[Cmd_InFile]" "[Cmd_OutFile]" "[Cmd_ReportFile]"

If you want a processing report to be output and your application has no parameter which allows specifying a log file, an input/output redirection via the application cmd.exe is required.

Refer to “Example with ImageMagick Resizing:” on page 614.

When a batch file is called, the batch file uses the DOS codepage for the output  of non-ASCII characters such as umlauts. If these characters are not properly shown in the report file, you can change the codepage with the command-line command chcp, e.g. ‘chcp 1252’ changes the codepage to the Windows-1252 character set which is used by Windows for Western European languages.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 616 IQ.SUITE CONVERT - SAMPLE JOB: CONVERTING ATTACHMENTS VIA COMMAND LINE 

15.5.3 Actions In Case Of Success / Error

Use the Success Actions and Error Actions tabs to select the actions to be triggered in case of a successful / failed job processing.

Refer to “Actions” on page 47.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 617 IQ.SUITE SMART -   16 iQ.Suite Smart iQ.Suite Smart uses a Smart mail job on the mail server to capture emails and store them in the Smart parking database. Various actions can be performed for these "parked" emails. For example, they can be double-checked by authorized persons for compliance with guidelines1. Alternatively, they can be sent with a time delay controlled by the server or the user. This makes it possible to move the processing of large emails to off-peak times as the processing of them puts a strain on the server structure.

Finally, a Smart database job handles the delivery to the recipient by removing the emails from the parking database and putting them back into the mail server's Mail.box.

In addition, iQ.Suite Smart can also resolve Notes document links.

Alternatively to the dual control check with the parking database, the dual control check can be accomplished with iQ.Suite DLP. Refer to “iQ.Suite DLP” on page 411.

1. For further information on the dual control check, please refer to the “Dual Control Check with Par- king Database” on page 629.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 618 IQ.SUITE SMART - DELAYED SENDING OF EMAILS 

16.1 Delayed Sending of Emails

16.1.1 User-Controlled Scheduling

Emails can be send user-controlled on particular days and/or times of a day. A user might, for instance, want to send his/her email on a specific day (offers, invitations, etc.), but is out-of-office on that day. He/she could nonetheless send the email immediately, with an instruction in the header that it is to be sent by the mail server on day X at time Y. This instruction is set through a keyword in the email‘s subject field.

For the standard delay, the default keyword is , for user-defined delays it is . If you change these keywords, note that the %PATTERN% placeholder must be part of the keyword for user-defined delays. For %PATTERN%, the user enters the number of minutes by which the email is to be delayed or the time and date at which the email is to be sent. It depends on the settings in the Smart mail job how the keywords are converted and how emails are time delayed. Use one of the following methods to delay email delivery:

1. Sending with a specified delay With this option, the email is sent with a delay of the specified number of hours/minutes. For a 5-minute delay the keyword in the email‘s subject field is .

Possible formats: hh:mm

Legend: h=hours, m=minutes

2. Sending at a set time With this option, the document is sent at a user-specified time. To send at 12:05 AM the keyword in the email‘s subject field is .

Possible formats: dd.mm.yyyy|hh:mm dd.mm.yy|hh:mm

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 619 IQ.SUITE SMART - DELAYED SENDING OF EMAILS 

mm-dd-yyyy|hh:mm mm-dd-yy|hh:mm

Legend: d=Day, m=Month, y=Year h=Hours, m=Minutes

When specifying both date and time, always separate them with the pipe character (|), without spaces. A date without time is prohibited. If this time is in the past, the message is automatically sent on the following day at the specified time.

For the user, the entry to be made in the subject line is the same for both  functions (sending with a 5-minute delay or at 12:05 AM). The action actually performed depends on the setting set by the administrator on the server. Be sure to inform the users on the applicable Smart settings.

If you want to allow users to work with both delayed and specified time sending,  you have to set up two Smart mail jobs and define different keywords, e.g. (for the ‘Send at fixed time‘ option) and (for the ‘Interval delay‘ option).

16.1.2 Sample Job: Sending Emails with User-defined Delay

To allow internal users to send emails at a later time, you need to set up a Smart mail job and a Smart database job. The emails to be delayed will be intercepted by this job and moved to the Parking database (default: g_delay.nsf). The emails are kept ("parked") in this database until a specific Smart database job is started. This job takes the emails from the parking database, returns them to the mail server and finally sends them.

Use the Smart mail job DEFAULT - Delay Mail with in Subject and the Smart database job DEFAULT - Send Parked Mail.

1. Open the DEFAULT - Delay Mail with in Subject job: SMART ->

MAIL JOBS. Click on EDIT: a) Enable the job.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 620 IQ.SUITE SMART - DELAYED SENDING OF EMAILS 

b) The job is run for ‚All mails‘. When required, use the rules to select certain emails for delayed delivery.

2. Open the Operations tab:

a) In Work mode select the 'User-defined' option. b) In Delay mode define which method is to be used for delayed email delivery. Refer to “User-Controlled Scheduling” on page 619. By default, the ’Send at fixed time’ option is set. Emails containing the keyword in the subject field are sent at 08:00 PM (standard delay). With email senders are able to control the time the email is sent. With 'Interval delay’ selected, all emails are sent 60 minutes after the official send time by default. c) Under Item for delay the subject option is set to analyze the email’s subject field. Thus, if this keyword is found in the email’s subject field, the email is delayed. As an alternative to the subject field, it is also possible to use the email body. For a default delay, the user only sets whether the emails are to be delayed or not, but not how long this delay is. This is determined by the setting under Delay mode, i.e. emails are delayed by a specific interval (n minutes) or, as set in this example, sent at a specific time.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 621 IQ.SUITE SMART - DELAYED SENDING OF EMAILS 

d) On success, the sender is informed that his/her email has been moved to the parking database and will be send later. In case of an error however, the administrator is informed. e) The Resolve Document Link tab can be disregarded in this job. Nor- mally, this tab is used to set whether or not and under which circumstances document links in emails are to be resolved. Refer to “Sample Job: Resolving Document Links” on page 627.

3. Where required, specify weekdays and times at which the job is not be run in the Advanced tab. This setting can be used, for instance, to avoid conflicts with database replication jobs.

4. Leave the remaining settings unchanged and save the job.

With this Smart mail job, the emails to be delayed according to user-defined settings are moved to the parking database g_delay.nsf (Misc tab).

Now configure a Smart database job to retrieve the emails from the parking database and send them to the recipients.

1. Open the Smart database job DEFAULT - Send Parked Mail: SMART ->

DATABASE JOBS. Click on EDIT:

a) Enable the job. b) Under Execution mode, set when and how often the emails stored in the parking database are to be delivered. As set, this database job is run

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 622 IQ.SUITE SMART - DELAYED SENDING OF EMAILS 

once per day at 10.00 PM. This means, that, at that time every day, the g_delay.nsf database is checked for emails to be sent. These emails are immediately passed to the mail server.

Please note the database job has a higher priority than the mail job. If, in the  Smart mail job, you have set the Work mode field to ’User-defined’ (Operations tab), please do not select the ’Event-driven’ option. It would not be possible to retrieve the email from the parking database and deliver it, since the event takes place while the email is parked in the database.

2. In the Operations tab, select the notification template to be used in case of success or error. These notifications are sent by the database job.

3. Where required, specify weekdays and times at which the job is not to be run in the Advanced tab. This setting can be used, for instance, to avoid conflicts with database replication jobs.

4. Leave the remaining settings unchanged and save the job.

This Smart database job starts where the Smart mail job has stopped before. The emails previously moved to the parking database by the Smart mail job are now retrieved by the Smart database job. The database job then forwards the emails to the mail server from where they are sent according to a defined schedule or specific events.

As a general rule, the Smart database job delivers the emails to the mail server  from where they come originally.

You can use this database job for most of your Smart mail jobs, as it passes all  parked emails to the mail server once per day at 10:00 PM hours, regardless of the type of delay.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 623 IQ.SUITE SMART - DELAYED SENDING OF EMAILS 

16.1.3 Server-controlled Scheduling

Delayed sending can also be controlled by the server independent from the users.

Example: To prevent overloading your network connections to other servers, you want emails with large attachments or addressed to a larger number of recipients to be sent only in the evening, after 09:00 PM. Emails sent by the internal users between 06:00 AM and 09:00 PM are moved to the iQ.Suite Smart parking database, from where they are sent at 09:15 PM. Emails sent between 09:00 PM and 06:00 AM are sent without delay.

This requires a mail job and a database job. The mail job filters the emails according to the selection rules, moves the relevant emails to the parking database and sets a time for sending them. The database job scans the parking database for deliverable emails at a specified interval and returns them to the outgoing mail server. Emails delivered include those that do not have a delivery time (Time to Send) or those for which the time to send is reached.

In the Operations tab in the mail job, you can define at Message on success or  Message on error, that a message is delivered to the sender or administrator when an email is moved to the parking database.

16.1.4 Sample Job: Delay Emails with Excessive Size

Large emails or emails addressed to many recipients can be delayed to reduce server load. The limit is calculated through the formula Document size x Number of recipients. Whenever the limit is exceeded, the Smart mail job is triggered and the email moved to the parking database. The users have no influence on this type of delayed sending.

Use the Smart mail job DEFAULT - Park Big Mail and the Smart database job DEFAULT - Send Parked Mail.

1. Open the DEFAULT - Park Big Mail job: SMART -> MAIL JOBS. Click on EDIT:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 624 IQ.SUITE SMART - DELAYED SENDING OF EMAILS 

a) Enable the job. b) The job processes ’Selected mails’, which you can configure through rules. As configured here, the default job applies to selected emails sent by local employees (LocalSender) between 06:00 AM and 09:00 PM (From6To21), but that exceed 5 MB (BigOrManyRecipients). The number of recipients is multiplied by the email size, and this value is then compared with the limit that you have specified.

2. Open the Operations tab:

a) Under Work mode select the ‚Always delay‘ option. Under Delay mode select the ‚Send at fixed time‘ option. With the default settings, the selected emails are always delayed until 09:15 PM. The senders are not informed of this action, but the administrator is notified in case of an error.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 625 IQ.SUITE SMART - DELAYED SENDING OF EMAILS 

b) The Resolve Document Link tab can be disregarded in this DEFAULT job. Normally, this tab is used to set whether or not and under which circumstances document links in emails are to be resolved. Refer to “Sam- ple Job: Resolving Document Links” on page 627.

3. Leave the remaining settings unchanged and save the job.

With this Smart mail job, emails whose size exceed 5 MB are moved to the parking database (g_delay.nsf) to be sent at a later time.

Now use the Smart database job DEFAULT - Send Parked Mail to retrieve the emails from the parking database, pass them to the mail server and finally send them to their recipients. To configure this job, proceed as described under “Sample Job: Sending Emails with User-defined Delay” on page 620.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 626 IQ.SUITE SMART - RESOLVING DOCUMENT LINKS 

16.2 Resolving Document Links

iQ.Suite Smart can be used to replace Notes document links with the document content before the email is sent to a non-Notes user. The content is included in the email as Notes Rich Text.

When resolving links to Notes documents which contain file attachments, the file  attachments are ignored, i.e. they are not sent together with the email.

16.2.1 Sample Job: Resolving Document Links

To resolve document links, you need a Smart mail job and a Smart database job. For the Smart mail job use the DEFAULT - Park Big Mail or DEFAULT - Delay Mail with in Subject job and for the Smart database job the DEFAULT - Send Parked Mail job.

1. Open the desired DEFAULT job under SMART -> MAIL JOBS. Click on EDIT:

a) Enable the job. b) By default, the job processes ’Selected mails’, which you can configure through rules. Use the RemoteRecipient rule (as positive condition) to restrict the emails selected to those with at least one recipient outside the own domain.

2. Open the Operations tab:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 627 IQ.SUITE SMART - RESOLVING DOCUMENT LINKS 

c) Select the Resolve document link tab. Use the Resolve document link field to set whether and under which circumstances document links in emails are to be resolved.  Select ’Always’ if document links are to be systematically resolved, like in our example.  Select ’Never’ if document links are never to be resolved. Also refer

to “Dual Control Check with Parking Database” on page 629.  Select ’User-defined’ if the user (sender) is to decide whether or not document links are to be resolved. In the subsequent fields, specify the keyword and the field required for running the job. For further information on these fields, please refer to “Sample Job: Sending Emails with User-defined Delay” on page 620. d) Depending on whether you want to send the emails with a delay, select in the Delay tab the ‘Always delay’ or ‘Never delay‘ work mode. Also refer

to “Dual Control Check with Parking Database” on page 629. e) In our example, the sender will not be notified on the action performed, the administrator only in case of errors.

3. Leave the remaining settings unchanged and save the job.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 628 IQ.SUITE SMART - DUAL CONTROL CHECK WITH PARKING DATABASE 

This Smart mail job is used to resolve document links in emails. Now, use the Smart database job DEFAULT - Send Parked Mail to retrieve the emails from the parking database, pass them to the mail server and finally send them to their recipients. To configure this job, proceed as described under “Sample Job: Sending Emails with User-defined Delay” on page 620.

Exception: In the Basics tab select under Execution mode the ’Event-driven’ option or set for the ‘Scheduled’ option the ’Interval’ to approx. 1 minute. This ensures that the email is sent shortly after having been moved to the parking database.

16.3 Dual Control Check with Parking Database

Checking emails according to the dual control check allows to double-check emails by authorized persons (e.g. for compliance with guidelines) before the emails are delivered to the recipient.

To enable dual control check, the emails have to be stopped on the mail server and moved to the parking database before delivery to the recipient. To do this, the delay option or the option for resolving document links must be enabled:

OPERATIONS -> SUB-TAB: DELAY or RESOLVE DOCUMENT LINK -> WORK MODE or

RESOLVE DOCUMENT LINKS. Both options can be combined.

Example: If the emails are to be checked for compliance with guidelines, but shall not be delivered with a delay, combine the resolving option with the ‘Never delay’ option.

If you select the ‘Never resolve document links‘ under Resolve document links  and the ‘Never delay‘ under Work mode, no emails will be moved to the parking database. Dual control check is not possible in this case.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 629 IQ.SUITE SAFE -   17 iQ.Suite Safe iQ.Suite Safe is used for email archival and provides logical archiving structures that enables searching and restoring of archived emails. The statutory obligation for companies to archive internal and external business occurrences for a specified period of time - in a traceable, complete and verifiable way - also includes email communication. iQ.Suite Safe complies with the ISO 9000ff requirements concerning revision-proof archiving.

The emails are stored in specific archives before they are delivered, which effectively prevents manipulation of the data. You can set whether or not and which messages are to be archived in encrypted form and provided with a digital signature. The supervision of the keys used can be performed by selected authorized persons, e.g. data protection representatives.

If also using the iQ.Suite Bridge module, the emails archived in Safe can be transferred to a revision-proof archival system or a storage system such as iQ.Suite Store.

The Safe log database contains a list of all Safe archival databases created. Each document in this list includes all information relating to the archives (e.g. size, number of files, etc.) as well as a database link for direct access to the corresponding archives.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 630 IQ.SUITE SAFE - FUNCTIONING 

17.1 Functioning

Every email is copied to a Safe archival database (Domino database), that are generated in defined intervals automatically e.g.:  Every week  Every four weeks  Every quarter of a year  Once (no further databases are created)  When size reached (a new database is created whenever x MB is exceeded)  Every day  For every mail

Safe creates new archival databases in the directory specified in the job (Archive path field). The database is named automatically depending on the job configuration. If the archival databases are created e.g. every week, the name consists of a prefix, the current year, and the current calendar week1. The prefix is configurable, by default, it is ‚g‘.

iQ.Suite Safe also checks available drive space and will issue an alarm if a critical value is exceeded.

To meet typical data protection requirements, you can sign or encrypt the documents with Notes encryption when they are stored in the archive database, so that only authorized persons can access the archived email.

By default, the databases are created in ODS43 format. To create databases in  ODS48 format, set Create_R8_Databases=1 in the notes.ini.

1. For further Information on individual fields, please refer to the online help under HELP.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 631 IQ.SUITE SAFE - ARCHIVING EMAILS IN DATABASES 

17.2 Archiving Emails in Databases

Each incoming email can be archived by a Safe job. To keep an overview of all emails sent, you can use the Safe job settings to periodically create a Safe database.

1. Click on SAFE -> MAIL JOBS and open the DEFAULT - Archive Every Mail

job. Click on EDIT:

a) Enable the job. b) The default settings of the job are set as follows in the rules: The job applies to ‚All mails‘, i.e. no restrictions can be defined for senders or recipients through rules. This job archives every single email.

To define restrictions for specific senders or recipients, configure the associate rules accordingly. If using several jobs with different rules, specify a different archiving directory for each job (Advanced tab).

2. Open the Operations tab:

a) Under New database specify the interval for creating a new archival database. In the example, a new database is created on a weekly basis in order to collect all emails archived by Safe each week in a separate database.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 632 IQ.SUITE SAFE - ARCHIVING EMAILS IN DATABASES 

b) (Optional) To use a prefix for the database name different from ,g‘ which is the default prefix, enter the desired prefix at Custom prefix used for database names instead of 'g‘. Note: For the settings ‚Once‘ and ‚For every mail‘, this option is not available. c) With Aware of Cluster mates set to ’No, the databases are not replicated in the Domino Cluster. If set to ’Yes’, the system would check for an existing replica each time a new archival database is created. If such a replica is found, the Replica ID of the existing database is used for the new one, thus ensuring automatic replication of the documents stored. d) Expansion of Recipient list: Specify if the expanded recipient lists are stored with the archived email. This allows to determine the actual recipients of the email - regardless of subsequent modifications on distribution lists or groups in the server address book. e) Sign or encrypt archived documents: With set to ‚Yes‘ the email is signed or encrypted on archiving. With this only authorized persons have access to the documents. f) Sender/Recipient mark as reader: If set to ’Yes’, the recipient and sender addresses are included in a Reader field in the mail document. This way, each email recipient or sender has access to his/her emails in the Safe database. Default setting: ‚No‘.

3. Open the Advanced tab:

a) In the Archive path field, enter the directory name in which the Safe databases are located. The path needs to be specified relative to the iQ.Suite data directory and can normally be used as is. b) Use the Minimum disk space in folder to set the minimum disk space needed in the directory where the Safe databases are located. If the

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 633 IQ.SUITE SAFE - ARCHIVING EMAILS IN DATABASES 

available disk space in the Safe working directory drops below 500 MB, the actions defined in the subsequent field are executed and a warning message is sent to the administrator. c) Upon lacking disk space in folder: Specify how Safe is to react when the critical disk space limit is reached. Set to ‚Leave in mail.box‘ the email remains in the Mail.box of the server. The email is set to the status "Dead Progress Mxx" and it is not forwarded. "Mxx" designates the last Mail- Grabber thread that has processed the email. If set to ’Do not archive', the email is delivered but nor archived, regardless of whether the remaining disk space is sufficient or not. With 'Attempt archiving' enabled, the emails are systematically delivered and archived until the disk space available is insufficient.

4. Leave the default settings in the Misc tab unchanged. The Memo from field is preset to the mail entry server. After having been archived, the email is delivered and not deleted.

5. Save the job.

Additional option:

If you wish to archive specific emails only, use rules2 to set the corresponding definitions. For instance, you could limit archiving to incoming emails from specific domains addressed to specific groups within your company.

In the Basics tab enable the ‚Selected mails‘ option and include the (positive) RemoteRecipient and RemoteSender rules. In this way, any emails with at least one sender or recipient outside the local domain *@%LOCAL% will be taken into account by the rule and archived by this job.

If you are using several jobs with different rules, specify a different archiving  directory for each job (Advanced tab).

2. Refer to “Mail Rules and Database Rules” auf Seite 24.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 634 IQ.SUITE SAFE - LOG DATABASES 

17.3 Log Databases

iQ.Suite Safe stores Information such as the date of creation, the last saved date, the number of documents stored, the size of the database, etc. in the log database (default: g_prot.nsf). The path to the NSF file is to be specified relative to the Domino data directory.  Do not specify any other log database, iQ.Suite Safe would be unable to find it. 1. All protocol databases are listed under SAFE -> SAFE PROTOCOL DATABASES. The most recently created database is at the top of the list:

2. Open the desired database:

The icon next to the Database link field opens the selected database to provide a view of the archived emails.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 635 IQ.SUITE BRIDGE -   18 iQ.Suite Bridge It is often necessary to make email information simultaneously available in several applications. iQ.Suite Bridge completely eliminates the time consuming manual handling of email data for further processing in CRM, ERP, database or archival systems. iQ.Suite Bridge acts as a "switchboard" that routes emails to third-party systems to their contents and a set of rules.

Whether for archival purposes or to meet compliance requirements, use mail or database jobs to set up an efficient email workflow, seamlessly integrating email into your business processes and applications.

iQ.Suite Bridge lets you review all inbound and outbound emails and helps you fulfill any regulatory compliance requirements, such as SOX, HIPAA, and GDPdU. Emails are reviewed before delivery (Pre-Review mode) and after delivery (Post-Review mode). Your corporate policies and an automated classification iQ.Suite mechanism ensure that only business-related email is reviewed. The classification results and other information are passed to the compliance system for processing. The interaction between iQ.Suite and your compliance system lets you process emails in compliance with legal requirements and according to the results of the review.

iQ.Suite Bridge helps to fulfill legal obligations related to email archiving and set up a rule-based process. The interface and integration module is the first archiving tool that uses fine-tunable email preprocessing, filtering and classification policies. As an integrated, highly customizable solution, it lets you implement rule-based long-term email archiving that fully complies with both legal requirements and your corporate policies.

For further Information on iQ.Suite Bridge, please refer to the separate iQ.Suite Bridge Administration Manual. Download under www.gbs.com.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 636 IQ.SUITE BUDGET - THE COST OF AN EMAIL   19 iQ.Suite Budget iQ.Suite Budget enables an immediate and accurate determination of incurring email costs, provides a transparent view of budget limits, and allows to notify relevant persons or groups in order to initiate organizational or administrative controlling actions. iQ.Suite Budget supports accounting by providing differentiated views for the cost center-based recording and allocation of accumulated email costs, thus allowing to implement a budgeting policy tailored to company needs and goals.

It is for instance possible to define determination and restriction rules for hierar- chies, domains, groups and persons, which can be used among others to control the size of emails and file attachments, but also to provide a differentiated view of incoming and outgoing email under economical aspects.

You can define the email costs by group and cost center and list them using summary logs and itemized single logs.

19.1 The Cost of an Email

Just as sending a letter costs the price of a stamp, email traffic, too, has associated costs. These arise from operating the mail server and the network, and through the use of a provider.

For iQ.Suite Budget, the costs for an email are as follows: (basic cost + volume cost) for each server.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 637 IQ.SUITE BUDGET - THE COST OF AN EMAIL 

19.1.1 Basic Cost

The basic cost (or fixed component) are the costs per email. Basic cost are covered under Connection Costs and are user-definable. You calculate a value per email based on the fixed cost for operating your company’s email infrastructure and enter this value under Account Settings – Connection Costs. Typically, fixed cost consist of investment cost, hard disk storage requirement, network load and provider cost.

You can define the costs depending on the priority of the email. There are three priority levels:  High  Normal  Low

For each priority, you can enter a different basic cost value. You can also specify different connection costs for specific source and destination servers.

19.1.2 Volume Cost

Volume cost are added to the above basic cost. They are also classed as connection cost and can be defined in kilobytes (KB) under the corresponding menu.

The cost of an email depending on its size is calculated with the following formula: email size in KB x defined cost per KB (priority).

This total is then added to the basic cost.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 638 IQ.SUITE BUDGET - THE COST OF AN EMAIL 

19.1.3 Per Server/Per Recipient Cost

Sending an email to one recipient is cheaper than sending the same email to a hundred people. You can decide whether Budget counts emails according to Recipient or Destination server. If you calculate emails by recipient, every sent email is counted, regardless of the server to which it is sent. If you choose the destination server option, only the emails sent to each server are counted.

Example:

You send one email to 50 recipients. Of these, 30 are sent to destination server A and 20 to destination server B. If you are counting by recipient, 50 emails are invoiced to your cost center (or group); if you have chosen to count by destination server, only 2 emails are invoiced.

 If you calculate your email cost by destination server, (both amounts per destination server), the resulting equation is: Basic cost + (size of email x specified cost per kilobyte)

 If you calculate your email costs by recipient, (both amounts also by destination server), the calculation looks like this: [Basic cost + (size of email x specified cost per kilobyte)] x number of recipients

The total cost per email is calculated as follows:

[Basic cost + (size of email x specified cost per kilobyte)] x number of recipients across all servers

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 639 IQ.SUITE BUDGET - THE COST OF AN EMAIL 

19.1.4 Calculation Example

You send a 2 KB email to 30 recipients on server A and to 20 recipients on server B. Your connection costs are defined as follows:

Connection costs Costs for server A € 0.3 + € 0,003 per KB

Costs for server B € 0.1 + € 0,001 per KB

The basic cost is:

Server A (0.3 + 2 x 0,003) = 0,306

Server B (0.1 + 2 x 0,001) = 0,102

= € 0,408 (sum)

The total basic cost for this email transmission is € 0,408.

For server A, you calculate the costs per destination server, and for server B per recipient.

This calculation looks as follows:

Server A (0.3 + 2 x 0,003) x 1 = 0,306

Server B (0.1 + 2 x 0,001) x 20 = 2.04

= € 2,346

Thus, your email to 50 recipients has cost a total of € 2,346.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 640 IQ.SUITE BUDGET - EVALUATION LOGS 

19.2 Evaluation Logs

A number of logs are available:

 Account statement, including the percentage of available resources used. You can set for each account how detailed single entries are to be (collective account statement). This data is to be found under Summary Logs. The summary logs can be viewed by account, week or month.  List of individual emails without assigning them to a specific account (individual connections without assignment). The list contains the following information:  The sender of the email  The recipient of the email  The time the email was sent  The accounts to which the email was posted  The size of the email  The number of attachments  The total size of the attachments  The size of the individual attachments  The names of the attachments This kind of evaluation data is to be found under Single Logs. Under the Budget job Operations tab, you can define whether or not you want these itemized logs to be generated. You can also enable or disable file attachment logging.

Data can be saved in the Log database and/or as a comma-separated ASCII text file for further processing by a spreadsheet program.

Example 1

Allocation to sender account for the email from A@MyDomain -> B@Some- where

MyServer Budget A’s Home -> OtherServer B’s Home Connection from MyServer to target: OtherServer Statement for sender account A

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 641 IQ.SUITE BUDGET - EVALUATION LOGS 

Date Time EMail Attach Costs Sender/destination server/ ment recipient

5/18/2013 05:35 5 KB 0 KB 2.8 A@MyDomain/OtherServer/ PM B@Somewhere

Example 2

Allocation to recipient account for the email from A@MyDomain -> B@Somewhere

MyServer Budget A’s Home -> OtherServer B’s Home Connection from MyServer to target: OtherServer Assumption: Connection costs are the same in both directions Statement for recipient account (*)

Date Time EMail Attach Costs Recipient/source server/ ment sender

5/18/2013 05:35 5 KB 0 KB 2.8 B@Somewhere/MyServer/ PM A@MyDomain

The same email is allocated twice. In one case, A is regarded as sender, in the other B as the recipient. The email is allocated to two different accounts, once to that of sender A and once to the recipient account (*).

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 642 IQ.SUITE BUDGET - EVALUATION LOGS 

19.2.1 Summary Log View by Account

We will now demonstrate this example using a sender log. Click on BUDGET ->

SUMMARY LOGS -> BY ACCOUNT.

Accounts are divided into  recipients (Recipientaccounts) and  senders (Senderaccounts).

In addition, their accounts are categorized into DEFAULT and EXTERN.

For further Information open the desired document.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 643 IQ.SUITE BUDGET - EVALUATION LOGS 

19.2.2 Summary Log View by Week and Month

You can also view the list by week and by month.

To do so, click on BUDGET -> SUMMARY LOGS -> BY WEEK or

BUDGET -> SUMMARY LOGS -> BY MONTH.

List by week

List by month

In both cases, double-click an entry to view its details.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 644 IQ.SUITE BUDGET - STATISTICS 

19.3 Statistics

The Statistics menu provides a possibility to evaluate your email costs. The following default reports are available:

1. Under SINGLE LOGS -> STATISTICS, select the type of report.

The example below shows a PERCENTAGE DISTRIBUTION OF ACCOUNTS.

2. Assign a name to the report created and define a period of time. Adjust the remaining fields to your requirements.

3. Save the statistics file and click on CREATE CHART.

4. Double-click the chart in the Charts created tab. By default, charts are displayed as pie charts, but you can select other display types under View.

All charts can be exported as BMP, JPG and as CSV file and can also be

printed (FILE menu in chart).

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 645 IQ.SUITE BUDGET - DEFINING CONNECTION COST 

Similarly, the other reports provide evaluation data according to different criteria and aspects.

19.4 Defining Connection Cost

When entering your costs, you can also include the routing path. This means that you can create several connection cost documents, each containing different costs depending on the source and destination servers. The source server is defined as the server on which iQ.Suite Budget is installed; the destination servers are the communication partners. An asterisk (*) represents all local servers running iQ.Suite Budget.

First, specify your connection cost as follows1:

1. Click on BUDGET -> ACCOUNT SETTINGS -> CONNECTION COSTS:

2. Open the preset Connection Costs and click on EDIT:

In the Basics tab, specify the Source server and the Target server (multiple entries to be separated by line break) and set whether costs are to be booked by recipient or by destination server. As you are editing a default document, these connection costs are already enabled, i.e. these settings are used if no other connection document is found.

1. Refer to “The Cost of an Email” auf Seite 637

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 646 IQ.SUITE BUDGET - DEFINING CONNECTION COST 

If the database is replicated, enter the exact server name; otherwise enter an  asterisk (*). If you enter an asterisk (*) in the Destination server field, the connections costs specified apply to all communication partners. However, a specific entry has priority. The asterisk only applies if no entry for the destination server is found. If fields remain empty or contain invalid values, the internal default values are used, e.g. the asterisk (*) in the Source server and Destination server fields (= all servers).

To define different costs for different connections (source and destination  server), create several connection cost documents. You can do this most easily by making copies of these documents, renaming them and entering the servers to which these connection costs are to apply. Then, in the Costs tab, define the amounts for each server.

3. Open the Costs tab:

Use this tab to define the connection costs. Replace the existing values with the values that apply to your company. In the first place, enter the costs per email and in the second the costs per kilobyte. Costs per email are fixed costs, calculated from the operating costs of your mail servers, your provider fees, etc.

The currency in which your costs are displayed depends on your client PC’s sys-  tem settings. To view figures in a specific currency, specify that currency in your operating system settings. Budget does not carry out currency conversions when a switching to another currency, but works with the figures that you have entered. This is display only! If your country belongs to the European Mon- etary Union, we suggest that you set your system to Euro.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 647 IQ.SUITE BUDGET - SETTING UP ACCOUNTS AND SPECIFYING LIMITS 

19.5 Setting Up Accounts and Specifying Limits

In addition to the settings in the connection costs, you also need valid account settings to determine your costs.

An account is identified through the account name, which also describes the account holder(s).

Sample accounts with hierarchical user names2 are supplied with the software. You can use these as templates and modify them to suit your requirements. Finally, you need to enable a Budget job.

There are three different account types:  Personal accounts  Group account  Domain account

You can specify cost limits for each person (group/domain) for whom you have set up an account, both for the total costs per period of time (= absolute amount or per day/week/month) and for each individual email. In the Account Settings, the destination server specified for the connection costs is used for Sender account, and the source server for Recipient account.

19.5.1 Account Types

Personal account

You can set up a personal account in two different ways:  By specifying "First name, family name", e.g. David Galler.  By specifying the full hierarchical name in reverse order, for instance De/Company/City/Sales/David Galler

Both examples point to the account for David Galler: @MyDomain/De/Com- pany/City/Sales/David Galler.

Group account

A group account can also be defined in two ways:

2. Refer to “Hierarchical User Names in Budget” auf Seite 650 under Account Types.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 648 IQ.SUITE BUDGET - SETTING UP ACCOUNTS AND SPECIFYING LIMITS 

 By specifying a group from the address book (which must be an email group), e.g. Sales  By specifying the hierarchical name containing the group, e.g. US/Com- pany/Sales (if the users’ complete hierarchical name reflects their group membership). Although using groups is more complicated (maintenance in the address book), it is more flexible, since you can create email groups according to cost centers. With group accounts, all group members are settled through the same account.

Changes of group members in the address book only take effect after the Mail-  Grabber is restarted.

Domain account

Domain accounts are created by specifying the domain including the @-character, e.g. @company-x.com or @MyDomain.

To specify several groups or domains in an account, make one entry per line. You will then receive a separate cost calculation for each of these entries. The same conditions and limits that you have defined in these account settings apply to the various groups.

Three sums are calculated for each account:  Total size of all emails,  Total size of all attachments for the corresponding account  Total cost of the emails.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 649 IQ.SUITE BUDGET - SETTING UP ACCOUNTS AND SPECIFYING LIMITS 

19.5.2 Hierarchical User Names in Budget

Hierarchical user names define the membership in a particular Notes domain.

Example for an email address:

David Galler/Sales/City/Company/De This means: CN=David Galler/OU=Sales/OU=City/O=Company/C=De Where:

CN David Galler= Common Name (required)

OU Sales = Organization Unit (0 to 4) (optional)

OU City = Organization Unit (0 to 4) (optional)

O Company = Organization (Top Certifier or Org Certifier, required)

C De = Country (optional)

You can create accounts for each hierarchy level, e.g. De/Company/ or also De/Company/City. Please note that the order is reversed when entering the path, i.e. first C for Country, then O for Organization etc.

In the example above, enter the following in Budget in order to define a single account for the entire "Sales" unit, including David Galler:

De/Company/City/Sales

You can also specify the user names and business units of external domains. In that case, the account name also includes the domain name.

Example:

User name in the external domain: David Galler/Sales/City/Company/De@External. Corresponding account name in Budget: @External/De/Company/City/Sales/David Galler

Use slashes for hierarchical user names only. If you use persons, groups or  domains from the Domino Directory, be sure not to use slashes, since Budget would interpret the information as a hierarchical address.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 650 IQ.SUITE BUDGET - SETTING UP ACCOUNTS AND SPECIFYING LIMITS 

How does Budget find the sender or recipient account?

Budget generates a search key, with which it scans the specified accounts. For our example, this key is:

@MyDomain/De/Company/City/Sales/David Galler

This starts a search for an account with this name. If no account is found, the search is repeated at the next level with:

@MyDomain/US/Company/City/Sales

This process is repeated up to @MyDomain. If this does not yield a match either, Tom Jones is assigned to the “asterisk” account. Because an account has been found, the costs can now be allocated accordingly. This process is repeated for each email sent and received.

Multiple definition: Especially when groups are used to define accounts, it is  possible that individual persons are defined more than once because they belong to several mail groups. In such cases, Budget calculates the email sent or received only once, randomly selecting one of the accounts and ignoring the others. Also, as of log level 7, multiple definitions are reported to the administrator on startup. This message is for information only, no further action is taken.

As accounts are kept separately for senders and recipients, each email appears twice in the cost statement. As costs incurred by senders from foreign domains are generally irrelevant for internal purposes, they are therefore best placed into a common pool – the “asterisk” account. All costs incurred within the own domain are assigned to appropriate categories (according to sender and recipient) and thus to possible cost centers.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 651 IQ.SUITE BUDGET - SETTING UP ACCOUNTS AND SPECIFYING LIMITS 

19.5.3 Setting up a Sender Account

1. Select the sender account under BUDGET -> ACCOUNT SETTINGS -> FLAT and

double-click on .../Jack Goose. Click on EDIT:

2. In the Basics tab enter the account name.

In the Account name field, enter the group or unit to which this account is to apply. If these settings are to apply to several groups, enter each group on a separate line.

This corresponds to the defining your own document (only the limit definitions are the same), so that you can receive separate statistics for each group.

You can assign a category to this group to break down the data by cost center. Finally, select the log level that you need for this group. This field is used to set how detailed the job is to log the processing results in the log database (g_log.nsf)3.

3. Open the Operations tab:

3. For further Information on individual fields, please refer to the online help under HELP.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 652 IQ.SUITE BUDGET - SETTING UP ACCOUNTS AND SPECIFYING LIMITS 

In this tab, specify the actions to be carried for emails when the account is blocked and which cumulative limits are to apply. The Default option in Mail handling in case of stopped account means that the default settings from the Budget job are used.

You should also decide whether you want to set Allow to exceed to ’Yes’. This  means that a member of this group will still be able to send another email although this would cause the limit to be exceeded. This could result in the limit being be exceeded by a considerable amount. Example: You have set a limit of 100 MB for this group and allowed this to be exceeded. 90% of the available budget has already been reached. If a member now sends a 15 MB message, it will still be delivered. The limit is then exceeded and the account blocked. If you have set Allow to exceed to ’No’, this email would not be sent, but other group members could still send many smaller emails without reaching the limit.

4. Open the Limits by mail tab.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 653 IQ.SUITE BUDGET - SETTING UP ACCOUNTS AND SPECIFYING LIMITS 

Use this tab to specify whether a limit per email is to apply to this group. Our above example shows that it is advisable to specify a per-mail limit if a cumulative limit has been defined, since a single group member could otherwise reach the limit with a single, very large email. Specify a size in kilobytes or a cost limit per email here.

5. Open the Advanced tab.

In this tab, set the warning level and enter the message texts. Please note: New cumulative balance ≥ cumulative limit x warning level in %.

6. Open the Misc tab.

The Server field contains the destination server. You can also use this field to specify whether or not the email group is allowed to send to external domains, and you can define a delivery priority overriding any client settings.

7. Use the Comments tab, to add a comment for each account.

8. Save the document.

To specify different limits for different groups or organizational units, set up multi-  ple sender accounts. To do so, simply make a copy of one account, rename the copy and modify the settings.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 654 IQ.SUITE BUDGET - SETTING UP ACCOUNTS AND SPECIFYING LIMITS 

19.5.4 Setting Up a Recipient Account

You can now do the same for one or more recipient accounts.

In our example, we have created a recipient group named Admins, which  includes all those listed in the address book under this group.

1. Select an account for the recipients: BUDGET -> ACCOUNT SETTINGS -> FLAT

and double-click on Admins. Click on EDIT:

2. In the Basics tab enter the account name.

In the Account name field, enter the group or hierarchical address to which this account is to apply. If these settings are to apply to several groups, enter each group on a separate line. You can assign a category to this group to break down the data by cost center. Finally, select the log level that you need for this group. This field is used to set how detailed the job is to log the processing results in the iQ.Suite log database (g_log.nsf)4.

3. Open the Operations tab:

4. For further Information on individual fields, please refer to the online help under HELP.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 655 IQ.SUITE BUDGET - SETTING UP ACCOUNTS AND SPECIFYING LIMITS 

In this tab, specify the actions to be carried for emails when the account is blocked and which cumulative limits are to apply. The ‚Default‘ option in Mail handling in case of stopped account means that the default settings from the Budget job are used.

As set in this example, no restrictions have been defined for the Admins group as to receiving messages. If you plan to set up another group of recipients and assign a cumulative limit to that group, specify the Limit type.

4. Open the Limits by mail tab:

For individual emails, no limit is set either. If you want to assign a per-mail limit to another group of recipients, specify the Limit type.

5. Open the Advanced tab:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 656 IQ.SUITE BUDGET - SETTING UP ACCOUNTS AND SPECIFYING LIMITS 

Use this tab to specify the warning level and enter the message texts. If you have not set any limits, the settings in this tab will be ignored.

6. Open the Misc tab:

The Valid for server field refers to the source server.

7. Use the Comments tab to add a comment for each account.

8. Save the document.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 657 IQ.SUITE BUDGET - SETTING UP ACCOUNTS AND SPECIFYING LIMITS 

19.5.5 Activating a Budget Job

Now it is time to decide whether all emails are to be accounted for, whether or not you want single logging and which actions are to be performed when a limit is exceeded.

1. Click on BUDGET -> MAIL JOBS and open the DEFAULT - Budget Job job.

Click on EDIT:

a) Enable the job. b) First specify the emails to which this job is to apply. We recommend to select in the Runs on field the ‚All emails‘ option, i.e. every email is recorded by this job and included in the cost calculation. c) The example above shows the options available after having enabled the Selected mails option.

2. Open the Operations tab:

The default settings are as follows:

a) Itemized (single) logging in database is enabled. b) Single logging in CSV file5 is disabled.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 658 IQ.SUITE BUDGET - SETTING UP ACCOUNTS AND SPECIFYING LIMITS 

c) A detailed log of file attachments is generated. d) When the limit is reached, the emails are returned to their senders. e) The administrator does not receive any additional notification when limits are exceeded. Modify the settings to suit your requirements. Specify the actions to be performed as well as the single logging type.

3. Open the Advanced tab:

Use this tab to specify whether or not undeliverable emails sent to your domain (but not to an existing local user) are to be forwarded to a freely selectable "Postmaster". Such emails are forwarded as "non-delivery report“, which contains the original email. You can also prevent the senders from receiving these non-delivery reports by setting the Remove unreachable recipient from document? field to ‚Yes‘. These two settings should be used together. If you do not want non-delivery reports to be sent to the senders, be sure to set up forwarding to a "Postmaster" or any other appropriate collecting point; otherwise these emails will be lost. If this field is not enabled, the non-delivery reports are sent to the sender.

This tab is also used to define user-specific quarantine access settings.

4. Open the Misc tab:

5. Comma-Separated Value format, for import into other applications.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 659 IQ.SUITE BUDGET - SETTING UP ACCOUNTS AND SPECIFYING LIMITS 

The job will run on all servers, as set by the asterisk (*) in the Server field. The %Admin% variable is used for the Administrator’s email address (also refer to “Placeholders” auf Seite 59). The job is not critical. This means that, in the event of an error, the email is to be delivered without having been processed by the job6.

Check the Administrator’ s email address and database settings. Change the paths where required or keep the default settings. Under Quarantine configuration, select your settings for handling quarantined emails7.

5. Use the Comments tab to enter comments about the job.

6. Save the job.

6. For further Information, please refer to the online help under HELP. 7. Refer to “Quarantine Configuration” auf Seite 107.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 660 IQ.SUITE MAILFLOW CHECK -   20 iQ.Suite MailFlow Check Monitoring Mail Routing from iQ.Suite 360 to iQ.Suite

The iQ.Suite MailFlow Check Job is a mail job which monitors the mail routing from iQ.Suite 360 to iQ.Suite. Not the concrete deficient route part but interruptions in the entire route can be detected.

In case of interruptions, iQ.Suite administrator or other selected persons can be informed via entries in the iQ.Suite Log and receive alert emails in case of longer interruptions. This way, interruptions can be detected sooner and reparation times can be reduced.

In the MailFlow Check Job, make the settings required for this feature 1:

1. Open the sample job SAMPLE: MailFlow Check or create a new job:

MAILFLOW CHECK -> MAIL-JOBS -> NEW -> MAILFLOW CHECK MAIL JOB

1. In the following, only the job-specific details are explained. For information on the settings of the standard tabs, refer tor “Standard Tabs for Jobs” auf Seite 39.

ADMINISTRATION - IQ.SUITE FÜR DOMINO  SEITE 661 IQ.SUITE MAILFLOW CHECK - 

a) Enable the job. b) The MailFlow Check Job should be executed on selected emails (emails coming from iQ.Suite 360). c) The address rule IsMailFlowCheck must be set as a positive rule. This rule contains the iQ.Suite recipient address to which the ping emails will be sent:

2. In the MailFlow Check Job, open the Operations tab:

a) iQ.Suite 360 sends a ping email at a regular time interval to the recipient address which is specified in the address rule mentioned above. No access to these emails via a user mailbox is required.

Use the Waiting period for ping emails field to specify the time interval (seconds) within which a ping email is expected to arrive at the recipient address.

ADMINISTRATION - IQ.SUITE FÜR DOMINO  SEITE 662 IQ.SUITE MAILFLOW CHECK - 

b) Under Period count, specify the number of missing ping emails after which the first alert email will be sent. A log message is output at log level ‘5’.

c) The Notification interval on alarms setting is only relevant for the sending of alert emails after the first alert email has been sent. Use this field to specify the time interval (seconds) after which an alert email will be sent again as long as no ping email arrives.

d) Under Recipient address for alert emails, specify the address(es) to which the alert emails will be sent. You can also use placeholders for addresses like %Admin%, for example.

e) Under Delete ping emails, specify whether or not to delete the received ping emails from the server. If ‘Yes’, then the emails will be deleted and not delivered to the mailbox.

3. Save the job.

Example:

The following example illustrates the MailFlow Check:

 Waiting period for ping emails: 30 sec.  Period count: 10  Notification interval on alarms: 3600 sec. (60 min.)

According to the settings in this example, a ping email is sent to the recipient address (address rule) every 30 seconds.

If the ping email does not arrive after 30 seconds, a log message is output to the iQ.Suite Log.

If the email does not arrive ten times consecutively, i.e. in our example after 5 minutes ( x ), an alert email is sent to the recipient address for alert emails. Afterwards, an alert email will be sent again every 60 minutes as long as no ping email arrives.

ADMINISTRATION - IQ.SUITE FÜR DOMINO  SEITE 663 APPENDIX: GLOBAL PARAMETERS (EXCEPT JOB RESULTS) - INSTALLATION   21 Appendix: Global Parameters (except Job Results) This section provides a description of all parameters for the server, except the parameters for job results.

The parameters marked notes.ini only must not be configured under GLOBAL

PARAMETERS, but have to be entered directly in the server‘s notes.ini.

The parameters set in the notes.ini are required for iQ.Suite to work properly. For  further Information, please refer to “notes.ini File” on page 8.

21.1 Installation

21.1.1 DBG_Setup

ToolKit_DBG_Setup_Continue (nur notes.ini) ToolKit_DBG_Setup_Continue=1 forces continuing of iQ.Suite installation despite of appearing errors at database creation. A rollback is prevented. Please note, that using this parameter may cause unforeseeable error situations. There- fore please contact the GBS Support before changing this parameter.

ToolKit_DBG_Setup_Nosign_DBS ToolKit_DBG_Setup_Nosign_DBS=1 prevents installed Domino databases and templates from being signed with the ID of the current Domino server during the installation. To prevent signing, set this parameter in the notes.ini of the Domino server before installing iQ.Suite.

ToolKit_DBG_Setup_Suppress_Importdialog By default the 'Import Standard Configuration' dialog is displayed when opening the iQ.Suite Entry database. To suppress this view in the notes.ini set the parameter to value 1 before updating the iQ.Suite.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 664 APPENDIX: GLOBAL PARAMETERS (EXCEPT JOB RESULTS) - INSTALLATION 

21.1.2 iQ.Clustering / iQ.Mastering

ToolKit_Mastering_Tasks This parameter is used for iQ.Mastering. Enter the names of the tasks that process the emails within the third-party product. Multiple entries have to be separated by a comma (,). The task names are not case-sensitive.

ToolKit_MonitorServer Clustering parameter for monitoring the MailGrabber. Example: Multi-server environment with server 1 and server 2. On server 1, the entry ToolKit_MonitorServer=server2 is set. When the MailGrabber becomes unavailable on server 2, server 1 is informed accordingly.

ToolKit_WatchServer Clustering parameter used to monitor another server and execute its processing requests as required. Enter the name of the monitored server, e.g. ToolKit_WatchServer=.

21.1.3 iQ.Suite Directories

ToolKit_DataDir (notes.ini only) This parameter sets the iQ.Suite-Datenverzeichnis where the control databases of the products are stored. This entry is relative to the Domino data directory.

ToolKit_ExclusiveTempDir iQ.Suite requires a working directory for temporary files to be exclusively used by iQ.Suite. Therefore, public temporary directories like %TEMP% (under Windows) or /tmp (under Unix) are not appropriate. The absolute path to this directory is determined during iQ.Suite installation and automatically added to the global parameter ToolKit_ExclusiveTempDir of the iQ.Suite configuration. On partitioned servers, iQ.Suite must use a different working directory in each partition. To specify the path, you can use the %ServerCommonName% placeholder. In most cases, this should be sufficient to assign a unique directory to each instance.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 665 APPENDIX: GLOBAL PARAMETERS (EXCEPT JOB RESULTS) - GENERAL PARAMETERS 

ToolKit_ExecDir (notes.ini only) This parameter sets the iQ.Suite Programmverzeichnis where the executable files, licenses and product resources are located. The path is absolute.

21.2 General Parameters

21.2.1 Notifications

ToolKit_NotificationSender ToolKit_NotificationSender= can be used in notifications to define a global sender address. To use this global address in a configuration document, the %NotificationSender% variable can be set. By default, this parameter is not set.

ToolKit_NotificationSubject This parameter can be used to configure the subject line of notification emails which are not already configurable by means of notification templates. With the default value [%Server%] %Subject%, the name of the Domino server from which the notification is coming is set in squared brackets in front of the actual subject. The following placeholders can be used: %Server%, %ServerFullName% and %Subject%. If this parameter is set in a parameter document, it has no effect in notifications due to very early iQ.Suite initialization errors. Therefore, it can make sense to set it in the notes.ini, like ToolKit_NotificationSender.

ToolKit_NotificationReplyTo ToolKit_NotificationReplyTo= can be used in notifications to define a global recipient address for reply emails. To use this global address in a configuration document, the %NotificationReplyTo% variable can be set. By default, the parameter is not set.

ToolKit_OptimizeSummaryMails ToolKit_OptimizeSummaryMails=YES ensures creation of summary notifications for original senders and recipients only. The summary notifications are processed by the MailGrabber. This allows forwarding or redirection of the notifications by iQ.Suite Clerk. If ACL groups and roles are to be entered as recipients

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 666 APPENDIX: GLOBAL PARAMETERS (EXCEPT JOB RESULTS) - GENERAL PARAMETERS 

as well, set the parameter to YES. With NO the summary notifications are also created for forwarded and redirected emails and that emails are not processed by the Grabber. Possible values: YES, NO. Default: YES.

ToolKit_Summary_AddressFormat This parameter sets the address format for the recipients of the quarantine summary notifications. Default: NOTES. Possible values:  INTERNET : The Internet addresses of the email recipients are used, as stored in the Notes address book. Use this option for gateways that only support Internet addresses.  NOTES : The Notes addresses of the email recipients are used, as stored in the Notes address book. For both options: If no matching address is found in the Notes address book, the "consolidated recipient address" is used. This is the original Notes or Internet address of the email recipient without additional phrases, comments, etc.

ToolKit_Summary_DocAgeMaxDays This parameter sets the maximum age of quarantined emails for which a quarantine summary notification is created. Possible values: 1–24000 days. Default: 28.

21.2.2 Job Errors

21.2.2.1 Critical Jobs

ToolKit_Critical_InitErrorDelay ToolKit_Critical_InitErrorDelay= sets the time before the MailGrabber is restarted if a critical job has not been started.

ToolKit_Critical_MaxJobErrors ToolKit_Critical_MaxJobErrors= sets the maximum number of consecutive processing errors allowed in critical jobs before the MailGrabbers is restarted.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 667 APPENDIX: GLOBAL PARAMETERS (EXCEPT JOB RESULTS) - GENERAL PARAMETERS 

ToolKit_Critical_WorkErrorDelay ToolKit_Critical_WorkErrorDelay= sets the time in seconds before the MailGrabber is restarted if processing errors have occurred in a critical job.

21.2.2.2 Other JobError Parameters

ToolKit_JobError_Ignore This parameter sets whether or not processing errors in uncritical jobs are to be ignored. Possible values:  YES: Errors are ignored, the email is processed in the normal way.  NO: Errors are not ignored, the email remains on the server.

ToolKit_JobError_ReactDelay ToolKit_JobError_ReactDelay= sets the time after which an interrupted job is restarted.

ToolKit_JobError_Reactivate This parameter sets whether or not interrupted jobs are restarted after a specified delay. Possible values: YES, NO.

ToolKit_JobError_Restart This parameter sets whether interrupted jobs are restarted by a Grabber restart or by placing the jobs back onto the Grabber’s processing list. Possible values:  YES: Wait for next restart - even for non-initialized uncritical jobs. This may take until the next housekeeping.  NO: Includes the job in the list of jobs after the configured delay.

ToolKit_MaxJobErrors This parameter sets the maximum number of errors before a job is disabled. ToolKit_MaxJobErrors=OFF disables this function, so that jobs are not stopped at all. Default: 10.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 668 APPENDIX: GLOBAL PARAMETERS (EXCEPT JOB RESULTS) - GENERAL PARAMETERS 

21.2.3 Logging

ToolKit_AgentLogFile With ToolKit_AgentLogFile= you can specify location for the log files that are written for the agent that sets entries in the quarantine folders. Refer to ToolKit_QuaFolderAgentLoglevel.

ToolKit_DGrabLogLevel This parameter sets the log level of the DatabaseGrabbers. Possible values: 1 - 9. It is set to the same value as defined in ToolKit_LogLevel.

ToolKit_EventLogLevel Use this parameter to specify the log level for the event log of the Grabbers. Pos- sible values: never, low, med, high, always. Default: med. This parameter takes priority over ToolKit_GlobalEventLogLevel. ToolKit_ExclusiveTempDir=

ToolKit_GlobalEventLogLevel Use this parameter to set the log level globally for the Event log. Possible values: never, low, med, high, always. Default: med. When the Grabber is started, the parameter value is written to the Windows Registry. Any further use of the parameter value through the Sandbox depends on the Sandbox type: If the 'Traditional Sandbox' is used, the parameter value is then read by the Sandbox. When the EventLogLevel parameter is set in the SOAP.INI (log level for the Event log of the Sandbox), it takes priority over the Registry value. The ‘Advanced Sandbox‘, however, will ignore the parameter value.

ToolKit_HookLogConfigChanges (notes.ini only) ToolKit_HookLogConfigChanges=TRUE enables change log creation for the Hook. Changes of iQ.Suite configuration are logged in the Configuration Change Log. After enabling this feature, reboot the Domino server.

ToolKit_HookLogIgnoreCreator=entry1;entry2;... (only notes.ini) With this paramater, specified users or servers can be excluded from the configuration change log. For this, this parameter must be set in the notes.ini and the Domino server must be restarted. The format to be used for the entries is the Dis-

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 669 APPENDIX: GLOBAL PARAMETERS (EXCEPT JOB RESULTS) - GENERAL PARAMETERS  tinguished Name (CN=...). With this, changes which are transferred from a server by replication can be excluded from the logging, for example.

ToolKit_HookLoglevel ToolKit_HookLoglevel=YES enables log data creation for the Hook. The files are stored in the iQ.Suite program directory under TECHNICAL_SUPPORT. With value NO no log files are created.

ToolKit_LogCompact This parameter sets whether or not the iQ.Suite log database is compressed. Possible values: ON, OFF. Default: OFF.

ToolKit_LogDB This parameter sets the database where the logs of the iQ.Suite log database of the mail jobs and database jobs are to be written to, e.g. %datadir%/g_log.nsf.

ToolKit_LogDB_Flags ToolKit_LogDB_Flags=[Max. seconds],[Max. lines] sets the maximum delay in seconds and the maximum number of lines in the buffer. Whenever one of these values is reached, the external log database is updated. This parameter is only used in combination with ToolKit_LogDB. The value 0 is considered as error and replaced with the default 60,30 (60 seconds delay, 30 lines in buffer). Note: The smaller the values entered, the longer the logging duration. Do not set the parameter to the values -1,-1 or 1,1. Such a configuration might lead to future entries in the log database due to a Domino processing restriction on documents. Possibly these entries result in the error message Database (XXX) time is too far in the future. It is also possible to set the delay and the number of lines separately. Example: ToolKit_LogDB_Flags=123 (max. 123 seconds) ToolKit_LogDB_Flags=,234 (max. 234 lines)

ToolKit_LogDGrabDB The DatabaseGrabber and the MailGrabber use the same log database by default. This may lead to access problems and errors at database compression.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 670 APPENDIX: GLOBAL PARAMETERS (EXCEPT JOB RESULTS) - GENERAL PARAMETERS 

To avoid this, a seperate log database for the DatabaseGrabber can be created with ToolKit_LogDGrabDB. If this parameter is not set, the setting from the ToolKit_LogDB parameter is used. With a database definition this additional log database can be integrated into the iQ.Suite front-end.

ToolKit_LogLevel The log level sets to what extent error messages are included in the Notes Log Book. Possible values: 1 - 9. The higher the value, the more detailed the log book entries: 1 ... 3Errors are logged. 4 ... 6Errors and notes are logged. 7 ... 9Errors, notes and debugging messages are logged.

ToolKit_LogLevel7Subject, ToolKit_LogLevel8Subject, and ToolKit_LogLevel9Subject These parameters allow to increase the log level during email processing to 7, 8 or 9. For this, a keyword is set. When this keyword appears in the email subject, the email is processed at log level 7, 8 or 9, depending on the parameter. If several parameters are set and several keywords are found in the same email, the highest log level applies.

ToolKit_LogToConsole With ToolKit_LogToConsole=3, log messages logged on the server console can be written to a separate file under %ExecDir%/grabber.log.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 671 APPENDIX: GLOBAL PARAMETERS (EXCEPT JOB RESULTS) - GENERAL PARAMETERS 

ToolKit_MailQueueLogLevel Use this parameter to specify the log level when searching for emails in the server mailbox. Possible values: 0-9. Default: 0. The values 1 - 9 have the same meaning as for the ToolKit_LogLevel parameter. If set to 0, the ToolKit_LogLevel parameter settings are used.

ToolKit_OutlineAgentLoglevel (notes.ini only) The Notes clients of local users can be extended by an additional view in the Notes application “Mail” by an Action database job (view: quarantine). By clicking on this new quarantine view, the quarantine database is opened and the user gets direct access to her quarantined emails. To log the job processing, set this parameter. Possible values: 0-3. Default: not set. With the values 0 to 2, logging is performed only on the server console.  0= only error messages  1= reduced logging  2= debug logging  3= debug logging to a log file (default: %execdir%\TECHNICAL_SUPPORT\outlineModify-CN-myserver-O- myorg.log The path, including file name, can be changed via the parameter ToolKit_AgentLogFile.

Logging is additionally performed in the iQ.Suite log (g_log.nsf) if the log level of the job is set to ‘7’.

ToolKit_QuaFolderAgentLoglevel (notes.ini only) This parameter can be used to enable logging for the agent that adds entries in the quarantine folders. Possible values:  0= No logging is enabled.  1= A short logging is enabled.  2= A detailed debug logging is enabled.  3= A detailed debug logging is enabled, the log file is written to a separate file. Use the global parameter ToolKit_AgentLogFile= to define a directory in which the log file will be stored. If the global parameter is not set, the log file will be stored in the TECHNICAL_SUPPORT directory. Default: 0.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 672 APPENDIX: GLOBAL PARAMETERS (EXCEPT JOB RESULTS) - GENERAL PARAMETERS 

ToolKit_RuleLogLevel This log level parameter can be used for the evaluation of rules and job conditions, irrespective of ToolKit_LogLevel. The parameter logs the messages displayed during initialization and rule evaluation. Possible values: 0 - 9. Default: 0. The values 1 - 9 have the same meaning as for the ToolKit_LogLevel parameter. If set to 0, the ToolKit_LogLevel parameter settings are used.

21.2.4 MailGrabber/DatabaseGrabber

21.2.4.1 Housekeeping (MailGrabber)

ToolKit_HouseKeepingAt ToolKit_HouseKeepingAt=hh sets the MailGrabber "resting time". During this period of time (hh-20min ... hh+10min) the Mail.box is not opened. This allows to perform a synchronization with the router task, which in turn allows the Mail.box to be compressed (compacted). Possible values: 00 - 23, Off. Default: 3 (3:00 AM). Note: Together with the ToolKit_HouseKeepingAt_Minute=mm parameter, compression is started at 03:58 AM. Note: Set up housekeeping with the Housekeeping Global Parameter, which allows to set all three housekeeping parameters in a single operation.

ToolKit_HouseKeepingAt_Minute ToolKit_HouseKeepingAt_Minute=mm sets the minutes to the full hour for housekeeping (see ToolKit_HouseKeepingAt=hh). Possible values: 1 - 59 minutes. Default: 58.

ToolKit_HouseKeepingDuration This parameter sets the duration of housekeeping in minutes (time during which iQ.Suite does not work). Possible values: 00 - 59 minutes. Default: 4.

21.2.4.2 Grabber Threads

ToolKit_DgrabThreads This parameter sets the number of threads the DatabaseGrabber is able to start simultaneously. Possible values: 1-10 (Windows), 1-20 (Unix). Default: 5.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 673 APPENDIX: GLOBAL PARAMETERS (EXCEPT JOB RESULTS) - GENERAL PARAMETERS 

ToolKit_DGrabWorkerPriorityBelowNormal This parameter is only relevant under Windows. The value YES sets the priority of the worker threads of the DatabaseGrabbers to "Below Normal". This priority setting prevents working processes from starting simultaneously. Possible values: YES, NO.

ToolKit_MGrabBackgroundThreads Number of threads which are allowed to process emails in the background, e.g. when long-term virus scanning is configured in the Virus Scanning Job. This number is a part of the MailGrabber threads which are specified by ToolKit_MGrabThreads. If no background processing is to be performed, these threads process emails like the other MailGrabber threads. Possible values: minimum: 1; maximum corresponds to the value of ToolKit_MGrabThreads. Default: 60% of ToolKit_MGrabThreads.

ToolKit_MgrabThreads This parameter sets the maximum number of threads the MailGrabber can start simultaneously. Possible values: 1-10 (Windows) and 1-20 (Unix). Default: 5.

21.2.5 Removing Quarantine Fields from Resent Emails

You can use the following parameters to specify which Quarantine fields shall be removed from the emails which are resent from the Quarantine. Possible values: no or yes

ToolKit_DeleteAtEndFlag96 Name (replica ID) of the Quarantine database Default: yes

ToolKit_DeleteAtEndFlag97 Name of the Quarantine server Default: yes

ToolKit_DeleteAtEndFlag98 Start date and time of quarantining Default: yes

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 674 APPENDIX: GLOBAL PARAMETERS (EXCEPT JOB RESULTS) - GENERAL PARAMETERS 

ToolKit_DeleteAtEndFlag99

End date and time of quarantining Default: no

21.2.6 Sandboxes

ToolKit_SandboxMaxInstances

This parameter, which only applies to the ‘Advanced Sandbox‘, sets the default value for the maximum number of sandbox processes per Analyzer, Teacher, Converter, and Unpacker Engine. Default: 6.

ToolKit_SandboxMaxInstancesVS This parameter, which only applies to the ‘Advanced Sandbox‘, sets the default value for the maximum number of sandbox processes per Virus Scanner Engine. Default: 2.

21.2.7 Update of the Unpacker License Key

The key file of the Unpacker engine (license key ‚avpack.key’) can be automatically updated.

To configure the automatic update, the following possibilities are available:

 Use the global parameter Unpacker Update of the standard configuration.  Create a new parameter of the type „Unpacker Update Global Parameter“.  Set the ToolKit parameters individually in the notes.ini of the server.

The Unpacker engine is not only used in Job configuration documents (Wall Con- tent and Watchdog Jobs), but also internally by some other jobs. The update of the key file is relevant in both cases.

The following ToolKit parameters have an effect on the update:

Toolkit_UnpckUpdInterval This parameter specifies the interval in minutes after which the license key of the Unpacker engine is updated. With ‚0‘, the update is disabled.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 675 APPENDIX: GLOBAL PARAMETERS (EXCEPT JOB RESULTS) - IQ.SUITE CLERK 

Default: 720

Toolkit_UnpckUpdTimeout This parameter specifies the timeout in minutes for the download of the up-to- date key file. If this parameter is not set or set to ‚0‘ (zero), a default of 15 minutes applies. Default: 0

Toolkit_UnpckUpdDownloadFrom This parameter specifies the URL of the site from which the up-to-date key file will be downloaded (download source). The download is currently only possible from the GBS update server. Default: http://updater.gbs.com/unpacker (GBS update server)

Toolkit_UnpckUpdProxy If a proxy server shall be used, this parameter indicates the UNID of the corresponding Proxy configuration document. Default: no proxy

Toolkit_UnpckUpdSuccessNotif This parameter specifies the recipient of the success notification. Possible values: Email address or placeholder (e.g. %Admin%) Default: not set (disabled)

Toolkit_UnpckUpdErrorNotif This parameter specifies the recipient of the error notification. Possible values: Email address or placeholder (e.g. %Admin%) Default: %Admin%

21.3 iQ.Suite Clerk

21.3.1 Parameter Values for Name Formats

 Name: Common Name In the case “Address is found in the Domino Directory”, the Common Name is formed with the name part set before the slash of the first entry under Username.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 676 APPENDIX: GLOBAL PARAMETERS (EXCEPT JOB RESULTS) - IQ.SUITE CLERK 

Example: David Galler/EU/company-x -> David Galler

In the case “Address is not found in the Domino Directory or has no username”, the name part set before the first @ character of the normalized address is used. Here, dots and underscores are replaced with a blank and the initial letters are converted into capital letters.

Example: [email protected] -> Anna Glenn

 UserName: full username In the case “Address is found in the Domino Directory”, the first entry in the Username field (field=Fullname) is used.

In the case “Address is not found in the Domino Directory or has no username”, the normalized address (address after address processing) is used.

Example: David Galler/EU/company-x

Exception: The UserName value of the ToolKit_Clerk_SenderFromFmt  parameter is formed in a different way, as described under “Name Formats (except Info Emails)” on page 679.

 Internet: Corresponds to the Internet address specified in the Domino Directory. If no Internet address is found in the Domino Directory, the normalized address is used. Example: [email protected]

21.3.2 Info Emails

For a description of the parameter values for name formats mentioned below, please refer to “Parameter Values for Name Formats” on page 676.

Toolkit_Clerk_InfomailAbsenteeFormat This parameter determines the name format for the absentee %ABSENTEE% in Clerk Info emails. Possible values: Name, Username, Internet. Default: Name

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 677 APPENDIX: GLOBAL PARAMETERS (EXCEPT JOB RESULTS) - IQ.SUITE CLERK 

Toolkit_Clerk_InfomailAbsentee2Format This parameter determines the name format for the absentee %ABSENTEE2% in Clerk Info emails. Possible values: Name, Username, Internet. Default: Internet

Toolkit_Clerk_InfomailDeputyFormat This parameter determines the name format for the deputy %DEPUTY% in Clerk Info emails. Possible values: Name, Username, Internet. Default: Name

Toolkit_Clerk_InfomailDeputy2Format This parameter determines the name format for the deputy %DEPUTY2% in Clerk Info emails. Possible values: Name, Username, Internet. Default: Internet

Toolkit_Clerk_InfomailEntryDeletionDelayMinutes This parameter determines how long after the absentee‘s comeback Clerk Info emails can be sent to notify of the presence (presence emails). After expiration of this time, Clerk deletes the forwarding document from the processing list of Clerk for Info emails. Afterwards, no presence emails can be sent. We recommend to set enough time to make sure that, for example, after a short server downtime or maintenance works during the weekend, Clerk presence emails can still be sent . Values: Minutes Default: 4320 (= 3 days)

Toolkit_Clerk_InfomailMaxSummaryEntries This parameter determines the maximum number of emails which are listed in the Forwarding Summary. By using the placeholder %SUMMARY%, the Forwarding Summary can be inserted into the Clerk presence email which can be sent to the absentee when he/she comes back. The Forwarding Summary is a table. A row with dots "..." in each column at the end of the Forwarding Summary shows that more emails have been forwarded than the number set for this parameter. Possible values: 10-10000 Default: 250

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 678 APPENDIX: GLOBAL PARAMETERS (EXCEPT JOB RESULTS) - IQ.SUITE CLERK 

21.3.3 Name Formats (except Info Emails)

For a description of the parameter values for name formats mentioned below, please refer to “Parameter Values for Name Formats” on page 676.

ToolKit_Clerk_NewRecMsgFmt This parameter determines the name format of the original recipient (absentee) in the Clerk notifications for the deputy. Possible values: Name, Username, Internet. Default: Name

ToolKit_Clerk_OrigRecMsgFmt This parameter determines the name format of the deputy in the Clerk notifications which are inserted into the original email sent to the original recipient. Possible values: Name, Username, Internet. Default: Name

Toolkit_Clerk_SenderFromFmt This parameter determines the name format of the sender in the From field of the Clerk absence notification. The sender corresponds here to the recipient of the original email (i.e. the absentee). Possible values:

 Original (default): The nomalized absentee‘s address is used.

 Internet: The absentee‘s Internet address is used if it can be determined. Otherwise, the default behavior applies.

 UserName: The absentee‘s username, including all CN=, O= etc., is used if it can be determined. Otherwise, the default behavior applies.

ToolKit_Clerk_SenderMsgFmt This parameter determines the name format of the deputy (%DEPUTY%) in the Clerk sender notification. Possible values: Name, Username, Internet. Default: Internet

ToolKit_Clerk_SenderOrigMsgFmt This parameter sets the name format of the original recipient in sender notifications. Possible values: Name, Username, Internet. Default: Name.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 679 APPENDIX: GLOBAL PARAMETERS (EXCEPT JOB RESULTS) - IQ.SUITE CLERK 

21.3.4 Database Templates

ToolKit_Clerk_MemArchiveTemplate This parameter defines the database template to be used for generating the Clerk archive databases. Possible values:  %datadir%/g_clerkarchive.ntf (default): The template from the iQ.Suite standard configuration is used (g_clerkarchive.ntf).  {Path to the database}: Enter the path to the desired database template (relative to the data directory of the Domino server). The placeholder %datadir% can be used.

ToolKit_Clerk_MemLogTemplate This parameter defines the database template to be used for generating the Clerk log databases. Possible values:  %datadir%/g_clerkprot.ntf (default): The template from the iQ.Suite standard configuration is used (iQ.Suite g_clerkprot.ntf).  {Path to the database}: Enter the path to the desired database template (relative to the data directory of the Domino server). The placeholder %datadir% can be used.

21.3.5 SpaceCheck

ToolKit_Clerk_SpaceCheckInterval Notification on using retroactive forwarding: The required disc space is checked in a 6-hour-interval by default (ToolKit_Clerk_SpaceCheckInterval=6). Modify this interval if required (possible values: 0-72). Since the disc space is checked on job start, interval is limited by the house keeping. With 0 the disc space is only checked on the job start.

ToolKit_Clerk_SpaceCheckMailInterval Notification on using retroactive forwarding: An already reported problem can be reported again periodically. Use this parameter to specify the interval. Possible values: 0-72 hours (default: 24 hours). Resent warning mails are sent independently from MailGrabber restarts. As a prerequisite parameter ToolKit_Clerk_WarnEachSpaceCheck=NO must be set.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 680 APPENDIX: GLOBAL PARAMETERS (EXCEPT JOB RESULTS) - IQ.SUITE CLERK 

ToolKit_Clerk_WarnEachSpaceCheck Notification on using retroactive forwarding: The warn mails are sent in the interval specified in the ToolKit_Clerk_SpaceCheckMailInterval parameter, by default. With ToolKit_Clerk_WarnEachSpaceCheck=YES a warn mail is sent after each check on the disc space (default: NO).

21.3.6 Other Clerk Parameters

ToolKit_Clerk_ForceCopySubject

In the email body of a sender notification the %SUBJECT% and %BETREFF% variables can be resolved. However, the subject of an original email is not attached to the subject of a sender notification by default if neither %SUBJECT% nor %BETREFF% is configured. In order to force appending the subject of an original email to the subject of a sender notification, set the global parameter ToolKit_Clerk_ForceCopySubject=YES. Possible values: YES , NO. Default: NO.

ToolKit_Clerk_Logo This parameter sets how the email header is displayed in Clerk notifications. Pos- sible values:  Oldstyle (default): The email header is displayed as set with the global parameter ToolKit_Logo, complemented by the module name and a black dividing line.  None: No email header is created.  : A freely configurable text is created in black font as email header, complemented by a black dividing line.

ToolKit_Clerk_MailForPossibleQuotaExeedance Notification on using retroactive forwarding: Use this parameter to send warn mails as soon as a possible exeeding of the defined limit is determined. Possible values: YES , NO. Default: YES. Independent from this setting the warning is logged in the iQ.Suite log.

ToolKit_Clerk_MailForQuotaTooBig Notification on using retroactive forwarding: Use this parameter to send warn mails as soon as it is determined that the specified limit for the disc space exeeds

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 681 APPENDIX: GLOBAL PARAMETERS (EXCEPT JOB RESULTS) - IQ.SUITE CLERK  the disc space actually available. Possible values: YES , NO. Default: YES. Inde- pendent from this setting the warning is logged in the iQ.Suite log.

ToolKit_Clerk_MailForRealQuotaExeedance Notification on using retroactive forwarding: Use this parameter to send warn mails as soon as an actual exeeding of the defined limit is determined. Possible values: YES , NO. Default: YES. Independent from this setting the warning is logged in the iQ.Suite log.

ToolKit_Clerk_MailForUnknownFiles Notification on using retroactive forwarding: Use this parameter to send warn mails on unknown files in the directory of the archive database or the log database. Possible values: YES , NO. Default: YES. Independent from this setting the warning is logged in the iQ.Suite log.

ToolKit_Clerk_NotificationCheckLatencyHours This parameter defines when the Clerk sender notification entries are deleted after expiry of the validity of a forwarding. The value applies to classic forwardings as well as to periodical forwardings with a final date. Possible values: 1 - 72 hours. Default: 24. By default the documents are deleted 24 hours after expiry of the validity at the earliest. Note: If a user reuses his/her forwarding document by definition of a new start time, existing sender notification entries might be reused, as well.

ToolKit_Clerk_NotificationMinimumCheckDays This parameter defines for unlimited periodical forwarding documents the period of time which must pass at least between two checks of a corresponding Clerk sender notification. Possible values: 1 - 92. Default: 7. By default at least seven days pass between two checks of a periodical forwarding without a final date.

ToolKit_Clerk_PossibleQuotaExceedanceCheck Notification on using retroactive forwarding: With ToolKit_Clerk_PossibleQuotaExceedanceCheck=YES it is checked on a possible limit exceeding by default. With NO no checking is performed. On exceeding the limit, no warn mails are sent. The warning is not logged in the iQ.Suite log.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 682 APPENDIX: GLOBAL PARAMETERS (EXCEPT JOB RESULTS) - IQ.SUITE CLERK 

ToolKit_Clerk_ProcessSenderMsg ToolKit_Clerk_ProcessSenderMsg=YES sets that sender notifications are to be processed again by the MailGrabber. If set to NO, the notifications are directly delivered to the sender. Possible values: YES, NO. Default: NO.

ToolKit_Clerk_QuotaWarningMessageLevel Notification on using retroactive forwarding: This parameter dertermines the log level for the warnings in the iQ.Suite log. After each check, the exceedings of the defined limit are logged in the iQ.Suite log. The exceeding is logged independend of sent warn mails. Possible values: 1-9 (default: 3). Note: In the iQ.Suite log some values are displayed with the same log level. For example, the values 1-3 are displayed as log level 1.

ToolKit_Clerk_RetroMsgLogo This parameter defines the design of the email header for retrospective forwarded emails and for summary notifications that are send to the original recipient. Possible values:  {empty} (default): If the parameter is not set or it‘s value is empty, the settings from the global parameter ToolKit_Clerk_Logo are used.  OLDSTYLE: The previous email header from the settings of the global parameter ToolKit_Logo is used. The header ends with a parting line.  NONE: No email header is used.  {text}: The entered text is used for the email header (font: black). The header ends with a parting line.

ToolKit_Clerk_SenderMsgLogo This parameter defines the design of the sender notifications. Possible values:  {empty} (default): If the parameter is not set or it‘s value is empty, the settings from the global parameter ToolKit_Clerk_Logo are used.  OLDSTYLE: The previous email header from the settings of the global parameter ToolKit_Logo is used. The header ends with a parting line.  NONE: No email header is used.  {text}: The entered text is used for the email header (font: black). The header ends with a parting line.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 683 APPENDIX: GLOBAL PARAMETERS (EXCEPT JOB RESULTS) - IQ.SUITE CRYPT / CRYPT PRO (KEYMANAGER) 

21.4 iQ.Suite Crypt / Crypt Pro (KeyManager)

ToolKit_MC_IgnorePGPCharsetHeader

This parameter is used with iQ.Suite Crypt only. Where applicable, a PGP charset header is taken into account during PGP decryption. The conversion of the character set depends on the character set specified for the encrypted email data. ToolKit_MC_IgnorePGPCharsetHeader=YES can be used to switch this off.

ToolKit_MC_KmsIgnoreCertPurpose Using this parameter allows you now as of KeyManager Version 4.5 to influence whether with signing/encryption with S/MIME certificates from a KeyManager, only certificates with correct use of keys are used. Possible values: YES, NO. Default: NO. With YES, also certificates with wrong key use can be used.

ToolKit_MC_KmsPendingCertRepetitions This parameter is used with iQ.Suite KeyManager only. If a requested S/MIME certificate is not delivered by iQ.Suite KeyManager immediatelly (e.g. because it has to be created), iQ.Suite waits about 60 seconds for it‘s delivery. If the certificate cannot be delivered within this time, the request is skipped and a job error occurs.With the parameter ToolKit_MC_KmsPendingCertRepetitions set the number of attempts for requesting the certificate. Default: 12. Please refer to the parameter ToolKit_MC_KmsPendingCertWaitSecs.

ToolKit_MC_KmsPendingCertWaitSecs This parameter is used with iQ.Suite KeyManager and the parameter ToolKit_MC_KmsPendingCertRepetitions only. The parameter ToolKit_MC_KmsPendingCertWaitSecs sets the waiting period between the attempts (in seconds). Default: 5.

ToolKit_MC_OPTS This parameter is used with iQ.Suite Crypt only. ToolKit_MC_OPTS=TOPMEMO inserts Crypt recipient notifications at the beginning of the email. By default they are inserted at the end of the email.

ToolKit_MC_PGPKeyCacheDir Local directory for storing PGP keys that have been downloaded from an iQ.Suite KeyManager. Default: %ExecDir%/gnupg/lks.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 684 APPENDIX: GLOBAL PARAMETERS (EXCEPT JOB RESULTS) - IQ.SUITE CRYPT / CRYPT PRO (KEYMANAGER) 

With GnuPG 2.2 on Windows, this path must not be longer than 38 characters. If  the path to the iQ.Suite installation directory, and therefore %ExecDir%, is longer than 28 characters, this parameter must be set to a shorter path. On Unix, if a socket directory has been created under /run/user or /var/run/user, as recommended by the GnuPG documentation, there is no special limit for the path length and this parameter is unnecessary. Otherwise it may be required as well; the maximum path length varies among the different Unix versions. The older GnuPG version 1.4 has no special path length limit on any platform.

ToolKit_MC_PGPReportCharset This parameter sets the character set for the character set conversion of PGP reports. Besides standard character set names, the following values can be specified:  Console (default) Under Windows: OEM code page Under Unix: System character set

 Native Under Windows: ANSI code page Under Unix: System character set

ToolKit_MC_RequireEncryptionResult If on encryption the return value of the external program or of the DLL announces a success but, however, no output file is available, this is interpreted as an error. To keep the data uncoded set the parameter to NO. Possible values: YES, NO. Default: YES.

ToolKit_MC_SyncPgpInterval This parameter specifies the interval for synchronization between iQ.Suite Key- Manager and the iQ.Suite. Default: 60 seconds.

ToolKit_MC_SyncPgpTimeout This parameter specifies the timeout for synchronization between iQ.Suite Key- Manager and the iQ.Suite. Default: 60 seconds.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 685 APPENDIX: GLOBAL PARAMETERS (EXCEPT JOB RESULTS) - IQ.SUITE DLP 

ToolKit_MC_SyncPgpWebServiceTimeout This parameter specifies the timeout for a single webservice call during synchronization between iQ.Suite KeyManager and the iQ.Suite. Default: 30 seconds.

ToolKit_MC_TextColor This parameter sets the text color of the Crypt notifications. The color values correspond to the Notes Text Color Value table. Possible values: 0-255.

ToolKit_MC_TextSize This parameter can be used in iQ.Suite Crypt only and sets the font size in Crypt notifications. If the value is smaller than 8 pt, larger than 32 pt or not set at all, the default value is used. Possible values: 8-32 pt. Default: 8 pt.

ToolKit_NotesEncryptSender ToolKit_NotesEncryptSender=YES ensures that an email encrypted in Crypt (Notes encryption) is also encrypted for the sender. Possible values: YES, NO. Default: NO.

ToolKit_OnAccessScanCheck To ensure virus scan functionality, a harmless virus test file is stored in the iQ.Suite working directory. Keep the default setting to ensure error-free virus scans. Use the ToolKit_ExclusiveTempDir parameter to set the working directory. Possible values: ON, OFF. Default: ON.

21.5 iQ.Suite DLP

ToolKit_Rev_RemoveDocTaskInterval

This task runs through all email documents that have been newly added to the DLP Review database and compares the last modified date with the configured

timeout value. In case of timeout, the status UNCHECKED AND NOTIFIED is set to

TIMEOUT and, if configured accordingly, a notification is sent to the rreviewer delegate. Furthermore, this task runs through all documents (emails and protocols) and compares the last modified date with the individually configured time after which the documents are to be deleted. When the defined time limit is exceeded, the document is deleted and no notifications are sent anymore; an entry is created in the log database.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 686 APPENDIX: GLOBAL PARAMETERS (EXCEPT JOB RESULTS) - IQ.SUITE TRAILER 

Default: 3600

ToolKit_Rev_StatusTaskInterval This status task runs through all email documents that have been newly added to

the DLP Review database and sets the status INITIAL to UNCHECKED. If configured accordingly, this task also sends a notification to the reviewer and the sender. Furthermore, this task runs through all email documents which have been che-

cked by the reviewer and sets the status TO BE RELEASED to RELEASED or TO BE

REJECTED to REJECTED. Default: 60

21.6 iQ.Suite Trailer

ToolKit_TrailerFontColorSize

ToolKit_TrailerFontColorSize=,, is used to format the Trailer standard text. Possible values:  : SWISS, ROMAN, UNICODE, TYPEWRITER.  : Possible values: 0 - 239. Refer to the color table for the ToolKit_Logo parameter.  : Size in pt. If this parameter is set, the settings apply to all text trailers created on this server.

ToolKit_TrailerNoRestartOnConfigChange (notes.ini only) ToolKit_TrailerNoRestartOnConfigChange=1 prevents that changes in Trailer Utilities documents cause a MailGrabber restart, e.g. when changing such documents in iQ.Suite WebClient.

ToolKit_TrlHtmlAppendLF (notes.ini only) ToolKit_TrlHtmlAppendLF=TRUE seperates several Trailers attached to a MIME mail with a line break. Alternatively, put a blank after the last line break in the desired place of the trailer document.

ToolKit_TrlInsertHtmlTopLF If several Trailer documents are to be inserted at the beginning of the email, set this parameter to YES. With this, a line break is inserted before the Trailer document. Possible values: YES, NO. Default: NO.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 687 APPENDIX: GLOBAL PARAMETERS (EXCEPT JOB RESULTS) - IQ.SUITE TRAILER ADVANCED 

ToolKit_TrlPersSleepSeconds (notes.ini only) For placeholder substitution in trailer texts of personalized Trailer documents the address book (names.nsf) is accessed. If temporary no access to this database is possible, two more access attempts are carried out within a configurable interval. This interval between the access attempts can be configured with ToolKit_TrlPersSleepSeconds. Default: 1 second.

Toolkit_TrlTestReplyAddressForPosition With Toolkit_TrlTestReplyAddressForPosition=NO, no address watching is performed in case of a reply email. When address watching is enabled (parameter value: YES) and the recipient address of the reply email and the name in the header above the original email cannot be matched, the beginning of the original email cannot be found for inserting the trailer text before it. Possible values: YES, NO. Default: NO.

21.7 iQ.Suite Trailer Advanced

ToolKit_CopyToMailbox_MaxOriginalDelayHours

This parameter determines, for the first search attempt, how many hours to go back in time in order to locate the original email or email copies in the sender database. Possible values: 0-2160. Default: 24 (1 day); 2160 corresponds to 90 days. When 0 is used, the entire database is searched. If the first attempt is unsuccessful, the following searches start at the point where the preceding search ended.

Toolkit_CopyToMailbox_MaxOriginalWaitMillis This parameter determines for the ‘Update sent documents’ action the maximum duration of the search for original emails and copies in the sender database. Attempting to find the original email or email copies is repeated until the time set by the parameter has passed. The value is given in milliseconds. Default: 5000 (5 sec.)

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 688 APPENDIX: GLOBAL PARAMETERS (EXCEPT JOB RESULTS) - IQ.SUITE WALL 

Toolkit_Dbg_CopyToMailboxSearch With Toolkit_Dbg_CopyToMailboxSearch=1, additional debug outputs at log level 7 are initiated for each analyzed email during the search for the original email and email copies. Possible values: 0,1. Default: 0 (parameter is disabled).

Toolkit_CopyToMailbox_SearchRepeatMillis This parameter determines for the ‘Update sent documents’ action the time between two attempts to find an original email or email copies. After the set time, the attempt is repeated. Default: 300 (0,3 sec.)

21.8 iQ.Suite Wall

ToolKit_Wall_MaxReportElements

This parameter sets the maximum number of attachments listed in the detailed denied recipients (address filtering) report in iQ.Suite Wall.

ToolKit_Wall2_Opts ToolKit_Wall2_Opts=BOTTOMMEMO adds the recipient notification underneath the message body of the email in the event of an alarm (Wall Mail Advan- ced Job). If not set, the notification is inserted at the top of the message body.

21.9 iQ.Suite Watchdog

ToolKit_ScannerUpdateErrorNotif

This parameter can be used with iQ.Suite Watchdog only. If errors occur on the engine or pattern download of the used virus scanner, the administrator can be informed. For this, set the parameter to True.

ToolKit_VS__VersionCheckInterval This parameter can be used in iQ.Suite Watchdog only and defines the interval for the version check of the engine and pattern files of a virus scanner. With value 10 it is checked every 10 minutes whether new data is available. Default: 0 (not set).

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 689 APPENDIX: GLOBAL PARAMETERS (EXCEPT JOB RESULTS) - IQ.SUITE WATCHDOG 

ToolKit_VS__VersionUnchangedInterval This parameter can be used in iQ.Suite Watchdog only. If the engine or pattern files of a virus scanner are not updated within the interval specified in this parameter, the administrator is notified. Default: 7200 minutes (5-day interval).

ToolKit_VS__VersionCheckMailMode This parameter can be used in iQ.Suite Watchdog only. If the engine or pattern files of a virus scanner are not updated within the interval specified in this parameter, the administrator can be notified. With this parameter you can define, on which event the administrator shall be notified. Possible values:  0: No notifications are sent. The results of the version check are logged in the iQ.Suite log (‚Subsystem Maintenance' process of the appropriate Grabber).  1: (default): Notification mails are sent when the interval defined under ToolKit_VS__VersionUnchangedInterval has expired.  2: Notifications are sent when the engine or pattern versions have been changed or when the last version change is too far in the past (ToolKit_VS__VersionUnchangedInterval).  3: Notifications are sent after every version check (independent from changed versions).

ToolKit_VS__VersionCheckRecipient This parameter can be used in iQ.Suite Watchdog only and specifies the recipient's address for the notifications. By default, the iQ.Suite administrators are set (%admin%).

ToolKit_VS__VersionCheckSender This parameter can be used in iQ.Suite Watchdog only and specifies the sender's address for the notifications (default: server name). The placeholder %admin% can be used and corresponds to the first entry in the list of the iQ.Suite administrators. Please note that the address is not checked for validity.

ToolKit_WDog_Opts The ToolKit_WDog_Opts environment variable allows to set the following iQ.Suite Watchdog options:  BOTTOMMEMO: Watchdog adds its messages at the end of the email rather than at the beginning.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 690 APPENDIX: GLOBAL PARAMETERS (EXCEPT JOB RESULTS) - IQ.SUITE WATCHDOG 

 NOOLE: OLE attachments are not checked.  HEALMEMO: Notifies the recipient of a message even after successful virus elimination.  TIMEOUT: Sets the time in minutes Watchdog waits for external programs before they are aborted.  TIMEOUTnn: Timeout format for external programs in minutes (nn). Example: TIMEOUT20 corresponds to a timeout of 20 minutes for external programs.  HOSTFORMAT: Defines exceptions for processing attachment types. Attach- ments of the specified host type are not processed by iQ.Suite. One or more host formats can be specified. Multiple host formats must be written one after the other, without delimiter. Example: HOSTFORMAT0X00010X08000X1234. The following host formats are supported:

HOST_MSDOS0x0000 HOST_OLE0x0100 HOST_MAC0x0200 HOST_UNKNOWN0x0300 HOST_HPFS0x0400 HOST_OLELIB0x0500 HOST_BYTEARRAY_EXT0x0600 HOST_BYTEARRAY_PAGE0x0700 HOST_CDSTORAGE0x0800 HOST_STREAM0x0900

Before setting the host formats, please consult the GBS Support Team.  Incorrect settings may result in reduced iQ.Suite functionality.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 691 APPENDIX: GLOBAL PARAMETERS (EXCEPT JOB RESULTS) - IQ.SUITE WEBCLIENT 

21.10 iQ.Suite WebClient

WebClient_AdminGroup

Use this parameter to specify the administrator group from the Domino Directory whose members should have unrestricted administrative access to the WebClient component Roles & Rights .

This administrator group is automatically specified as the parameter value if the iQ.Suite setup is run in the ‘Advanced’ mode and the ‘iQ.Suite WebClient’ feature is selected during the setup.

Default: iQSuite-WebAdmin

WebClient_ChangeLogDB Changes of the iQ.Suite configuration made by the WebClient (e.g. editing of Trailer documents) are logged. By default, the change log is saved in Notes documents in the g_status.nsf database. Use this parameter to specify a different database for the saving of those documents. Enter the path to the desired database as the parameter value. Default: %datadir%\g_status.nsf

WebClient_DirectoryCacheInterval

In iQ.Suite WebClient, calling user data from Domino Directories which are integrated via Directory Assistance may take a long time, e.g. in the context of Roles & Rights. To improve the performance, a cache mechanism has been introduced. This cache is updated in a regular time interval which is defined via the parameter value. Possible values: Default: 0 (30 minutes); Minimum: 5; Maximum: 1440 (1 day)

ToolKit_DisableStatisticsDB With ToolKit_DisableStatisticsDB=NO, iQ.Suite data is collected into the g_statistics.nsf. Based on this data, statistics can be displayed in the Cockpit of iQ.Suite WebClient. If you do not want to use this feature, set the value to YES in order to disable the data collection. Possible values: YES, NO. Default: NO.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 692 APPENDIX: GLOBAL PARAMETERS (EXCEPT JOB RESULTS) - OTHER GLOBAL PARAMETERS 

WebClient_MaxChangeLogEntries If this parameter is set to -1, all entries of the WebClient change log are displayed. If it is set to another integer value, the number of displayed entries is limited to this number. Possible values: integer. Default: -1.

21.11 Other Global Parameters

extmgr_addins (notes.ini only) Extension Manager Add-ins (Domino parameter). This mechanism allows, for instance, monitoring of operations on documents in Notes databases. The te_hook monitors the control data and the system’s Mail.box.

servertasks (notes.ini only) This parameter provides a list of the server tasks loaded when the Domino server is started (Domino parameter). To remove a Grabber from the system, delete the corresponding entry.

ToolKit_AddressLookup This parameter changes the address lookup behavior in the Notes address book as an alternative to the server‘s Router/SMTP setting. Please note that changes to this parameter become effective only after you restart the Grabber. Possible values:  FL (default): Full address lookup (full name search) before a search for the local part during address resolution. If the address is not found, only the local part of the email address is searched.  F: Full address lookup (full name search) during address resolution. If the address is not found and the domain corresponds to the address of a local Internet domain, the domain is replaced with the primary Internet domain and a new address lookup is performed. This disables the ’Ignore Domino routing path’ option in the Advanced tab of a Wall job.  L: Only the local part of the email address is searched for during address resolution. All characters preceding the @ character are used for the search in the address book - provided the address is from a local domain. Blank characters in the address book entries are replaced with underscores and dots.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 693 APPENDIX: GLOBAL PARAMETERS (EXCEPT JOB RESULTS) - OTHER GLOBAL PARAMETERS 

ToolKit_Admin This parameter specifies the individual or group to receive notifications from the iQ.Suite. This is the default setting for all jobs. Within the job, this setting can be overwritten (administrator: %Admin%).

ToolKit_AmbiguousAddressMode This parameter sets whether the address to be used in case of ambiguous address book entries is the one searched for in the address book (value: SEARCHED) or the first one found alphabetically in the address book (value: FIRSTALPHA). Default setting (parameter not set or erroneous): SEARCHED. Example: Ambiguous address: [email protected]. Matching address book entries: "John Miller-Admin" and "John Miller". Both entries point to the same mailbox as they belong to the same person (once as Administrator, once as normal user) with different rights and different IDs. In such a case, FIRSTALPHA is the recommended option.

ToolKit_AttachmentsOnly (notes.ini only) ToolKit_AttachmentsOnly=YES means that iQ.Suite processes only messages with attachments, i.e. only messages with attachments are intercepted by the hook. Possible values: YES, NO. Default: NO. Use this parameter only after consulting the GBS Support Team.

ToolKit_Budget_LookupNextHop ToolKit_Budget_LookupNextHop=NO disables lookup of the next hop server for each message sender/recipient. YES, NO. Default: YES.

ToolKit_CheckControlDbs This parameter sets the interval at which the module control databases (e.g. g_wdog.nsf, g_elma.nsf, g_del.nsf) are checked. Possible values: 1 - 60 minutes. Default: 15. This parameter is not included by default.

ToolKit_DatabaseCompact ToolKit_DatabaseCompact=Off compresses the Smart, Bridge and Safe databases preventively upon initialization. Possible values: ON, OFF. Default: OFF

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 694 APPENDIX: GLOBAL PARAMETERS (EXCEPT JOB RESULTS) - OTHER GLOBAL PARAMETERS 

ToolKit_DBGrabberMaxNumDBsPerPattern This parameter restricts the number of locatable databases in a list of databases or exceptions. Possible values: 0 - 65535. Default: 0. If set to 0, no restriction is applied.

ToolKit_DBGrabberSetActivityProfile This parameter creates a profile document of the database scanned by the Data- baseGrabber and contains the start/end times of the scan procedure. Possible values: YES , NO. Default: NO.

ToolKit_Decompression_Depth This parameter sets the maximum nesting depth of compressed files. Possible values: 1 - 20. Default: 5. iQ.Suite Watchdog allows to configure appropriate alarm actions.

ToolKit_DisableInlineConversion ToolKit_DisableInlineConversion=YES or 0 disables the conversion of inline attachments in MIME emails. ToolKit_DisableInlineConversion= sets the maximum number of inline attachments to be converted. Possible values: 1 - 100. Default: 100. Default: 300 (0,3 sec.)

ToolKit_DoNotServerDecrypt ToolKit_DoNotServerDecrypt=YES prevents iQ.Suite from decrypting documents that are encrypted with the server ID. The value NO enables decryption of such documents - if possible. Possible values: YES, NO. Default: NO.

ToolKit_EmptyRecipientReplacement With this parameter, empty recipient entries in the ‚Recipients' field can be handled. This parameter is interpreted from the MailGrabber before email processing. Please refer to the description of the parameter ToolKit_InexistentRecipientReplacement. Possible values:  LEAVE (default): Empty recipient entries remain unchanged.  SHRINK: Empty recipient entries are deleted except for the first empty entry.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 695 APPENDIX: GLOBAL PARAMETERS (EXCEPT JOB RESULTS) - OTHER GLOBAL PARAMETERS 

 REPLACE : Empty recipient entries are deleted except for the first empty entry. This entry is replaced by the new entered recipient address. Note: The new recipients address will not be verified if well formed. It is not possible to enter more than one recipient address.

 REMOVE: Empty recipient entries are deleted. If there are no further recipient entries (‚Recipients' field is empty), the whole field will be deleted.

ToolKit_HookStatus (notes.ini only) ToolKit_HookStatus=0 disables the Hook if using third-party systems that do not support co-existence (no iQ.Mastering possible). When the server is restarted, the parameter is removed. This parameter is set even if the iQ.Suite is manually disabled in the administration console ("iQ.Suite disable"). Value 1 enables the Hook.

ToolKit_IgnoreRulesSubject Use this parameter to specify a text which has to be enter in the suject line of an email to avoid the processing of rules, emails with file attachments and of time scheduling. Possible values: , OFF. Default: OFF. With OFF, this feature is disabled.

ToolKit_InexistentRecipientReplacement Mit diesem Parameter kann auf leere Empfängereinträge im Feld ‚Recipients‘ reagiert werden. Der Parameter wird vor der E-Mail-Verarbeitung vom MailGrab- ber ausgewertet. Mögliche Werte:  LEAVE (Default): Ein nicht existierendes Recipients-Feld bleibt nicht existent.  REPLACE : Wenn kein Recipients-Feld existiert, wird es mit der neuen, angegebenen Empfängeradresse erzeugt. Hinweis: Die neue Empfängeradresse wird nicht auf Korrektheit geprüft. Die Eingabe mehrerer Empfängeradressen ist nicht möglich. Beachten Sie in diesem Zusammenhang auch den Parameter ToolKit_EmptyRecipientReplacement.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 696 APPENDIX: GLOBAL PARAMETERS (EXCEPT JOB RESULTS) - OTHER GLOBAL PARAMETERS 

ToolKit_Inherent_Addresses_Symbol This parameter sets the single character for marking an inherent address (exact match with the address entry without standardization) in iQ.Suite Wall and in group rules. Any character can be specified here. Default character is tilde (~).

ToolKit_LocalDomains and/or ToolKit_LocalDomainsXXX This parameter sets one or more domains to be considered local for address verification purposes. Upon initialization, the %LOCALDOMAIN% metasymbol in the configuration documents is replaced with the names of the local Notes domains entered as parameter values. Possible values: Names of the local Notes domains. As the server domain is automatically considered a local Notes domain, it is not necessary to specify it as parameter value. Multiple entries are separated by semicolon. Default: not set. For ToolKit_LocalDomainsXXX, the XXX represents a consecutive number, beginning with 1, with no gaps allowed. Example: Server domain: ServerDomain. Additionally, the following parameters are set: - ToolKit_LocalDomains=Marketing;Sales - ToolKit_LocalDomains1=Development;IT - ToolKit_LocalDomains2=Test With these parameters, the domains "Marketing", "Sales", "Development", "IT" and "Test" are defined as local domains, in addition to the server domain. The address: *@%LOCALDOMAIN% thus defines the following addresses: *@Server- Domain *@Marketing *@Sales *@Development *@IT *@Test.

ToolKit_Logo Ensures that the messages sent by the MailGrabber (ToolKit_Demon ...) display a product logo like that of the function modules such as iQ.Suite Watchdog. Otherwise ToolKit_MailGrabber would be used. Default: GROUP. If ToolKit_Logo=NONE is set, no product logo is displayed in the notifications. In addition, this parameter can contain: ;color1;color2.  : Is the company name that appears in the notification and replaces the default value GROUP.  color1: Is the text color for .

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 697 APPENDIX: GLOBAL PARAMETERS (EXCEPT JOB RESULTS) - OTHER GLOBAL PARAMETERS 

 color2: Is the text color for the module name. These settings also apply if the %Header% variable is used in the notification templates. color1 and color2 are specified as Notes color values.

Defining Notes Color Values

1. Open the Notes client.

2. Open a Notes text document.

3. Open PROPERTIES -> TEXT -> COLOR.

4. Select the required color.

5. To determine the Notes color value, count to the row containing the color from left to right and from top to bottom. Counting starts with Black (top left), which has the Notes color value = 0 and the RGB value = 0, 0, 0. For a complete list of all RGB values1 and Notes color values, refer to “The Notes Colors” on page 739.

The "Notes Colors" table shows the 16 standard Notes colors. The first value of the "Colors sorted by Notes Color Values" table is the Notes color value set as parameter in the notes.ini entry (NOTES_COLOR_BLACK is "0" and "239"). The three values next to this are the corresponding RGB values.

The "Colors Sorted by RGB Value (Ascending)" table shows the colors according to their RGB values. Use this table to find the Notes color value for any given RGB color value.

The notes.ini is limited to 240 color values. If no Notes value is defined for your RGB values, try to find a similar value among the 240 colors.

ToolKit_MailboxCompact ToolKit_MailboxCompact=ON compresses the Mail.box whenever a given size of unused memory is exceeded when the MailGrabber is initialized. Possible values: ON, OFF. Default: OFF.

1. The RGB color model is used with all monitors. The screen colors are made up of a red, a green and a blue component. If all colors are displayed to 100 %, the result is white. The highest value is 255 = 100 %, so that white has the RGB values 255/255/255.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 698 APPENDIX: GLOBAL PARAMETERS (EXCEPT JOB RESULTS) - OTHER GLOBAL PARAMETERS 

ToolKit_MailIntercept (notes.ini only) ToolKit_MailIntercept=YES ensures that the te_hook monitors the system mailbox, i.e. all messages are kept in the Mail.box until they are processed by the MailGrabber. Possible values: YES, NO. Default: YES. We recommend to leave the parameter set to YES to prevent messages from being delivered unchecked.

ToolKit_NewProcessOnRestart When this parameter is set, the Grabber process is fully terminated at a re-initialization and restarted through the console as a server task. Possible values: YES, NO. Default: YES.

ToolKit_Password (notes.ini only) The password on the Notes server ID is stored in the names.nsf and used when the server or RemoteGrabber is restarted. It provides protection for the server and RemoteGrabber installations. To be able to use this password, the log.nsf database must be available. Otherwise the password is checked. Possible values:  #: A password has already been saved, and will be used on startup without user input.  ?: Activates the password dialog to save the password.

ToolKit_PreferredMIMECharset This parameter specifies an alternative character set that is used if the original character set (UTF-8) is insufficient. The following character sets are supported: US-ASCII, UTF-7, ISO-8859-1 through ISO-8859-9, windows-1250 through windows-1257, ISO-2022-JP, Shift_JIS, GB2312, Big5, EUC-JP, EUC-KR, EUC-CN, EUC-TW. The alternative character set applies to all notification messages and the appended Trailer.

ToolKit_QuarantineCompact This parameter sets whether or not the iQ.Suite quarantine database is compressed. Possible values: ON, OFF. Default: OFF.

ToolKit_RestartOnConfigChange The parameter value NO is used to prevent iQ.Suite from being automatically restarted when the configuration is modified. In multi-server environments with a

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 699 APPENDIX: GLOBAL PARAMETERS (EXCEPT JOB RESULTS) - OTHER GLOBAL PARAMETERS  replicated configuration, this parameter gives you more control over when iQ.Suite is restarted. Possible values: YES, NO. Default: YES.

ToolKit_RemainDeadSubject This parameter sets a keyword that has to appear in the email subject. If the keyword is found there, the email remains in Hold Error status in the Mail.box after the job processing. There, the email can be deleted or explicitly released.

ToolKit_RestoreReturnReceipt ToolKit_RestoreReturnReceipt=YES restores the ReturnReceipt field for quarantined emails, for which a receipt confirmation was enabled in the original, when the email is resent from the quarantine. This restores the request for a receipt confirmation. Default: NO. Also refer to: ToolKit_RestoreReturnReceiptDays.

ToolKit_RestoreReturnReceiptDays This parameter sets the period of time within which a receipt confirmation request can be restored. As soon as this period has expired, restoring is no longer possible. Possible values: 1-3600 days. Default: 7. With the default setting, the receipt confirmation can be restored until up to seven days after the email is moved to the quarantine. If set to 0, no restore period is checked at all. Also refer to: ToolKit_RestoreReturnReceipt.

ToolKit_RuleEvaluationMode This parameter controls the rule evaluation across all jobs. This setting applies whenever nothing else has been specified in the job. Possible values:  BEFORE: The rules are evaluated before any of the jobs is run.  ALWAYS: The rules needed by a job are evaluated before this job is run, however only once. Prerequisite: The ToolKit_UseDynamicRuleEvaluation parameter is set to YES.

ToolKit_RunDefaultServerJobs This parameter allows to disable jobs on specific servers in replicated environments. Possible values: YES, NO. Default: YES. On each server for which this

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 700 APPENDIX: GLOBAL PARAMETERS (EXCEPT JOB RESULTS) - OTHER GLOBAL PARAMETERS  parameter is set to NO, the only jobs executed are those where - in the Misc tab in the Server field - the server name is entered completely, without wildcards. Note: Try to set specific servers in the parameter configuration document and avoid entries with the asterisk (*).

ToolKit_Secure (notes.ini only) ToolKit_Secure=* allows to deactivate the handling of Notes update events by te_hook for all tasks. If the parameter is set, only the handling of ToolKit_Password is activated.

ToolKit_SenderExceptions [email protected] is used to record the names of trusted senders that are always excluded from checking. Multiple entries are separated by a semicolon. This allows to enter a sender of mass emails and thus avoid mailflooding the server as these emails are ignored by the hook. Attention - potential security issue! This parameter is used to exclude emails from certain senders from being checked. Usually, only trusted sender addresses are listed (syntax: [email protected]). However, the addresses from senders that are well-known for sending mass emails can be specified in this parameter in order to avoid mail- flooding the server, as these emails are ignored by the hook. Multiple entries are separated by a semicolon (;). Please note, that this parameter involves potential security issues. Before setting this parameter, please consult the GBS Support Team.

ToolKit_ServerLanguage This parameter sets the language for the program messages, notifications etc. Possible values: DE, EN.

ToolKit_SetupIDFile (notes.ini only) This parameter signs the databases of partitioned servers with different IDs. For this enter different ID files (ToolKit_SetupIDFile=). If no ID files are specified, the databases are signed with the corresponding server ID. When using a Windows operating system passwords can be used.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 701 APPENDIX: GLOBAL PARAMETERS (EXCEPT JOB RESULTS) - OTHER GLOBAL PARAMETERS 

Note: The ID file can be specified in course of the installation (Advanced mode). If the password is unknown yet, it is requested interactively during installation. The entry in the notes.ini overwrites possible details in the set-up dialog. Note: At a silent installation databases can only be signed with a user ID that does not containing a password.

ToolKit_SetupNoSafeDbs (notes.ini only) During an update installation existing databases are temporarily stored on the server. This is done in case of a failed installation and the databases need to be restored in the original state. On large databases the installation possibly last very long or disk space problems occur. To deactivate the temporary data storage set the parameter to value 1.

ToolKit_Split_AddressFormat This parameter sets the address format of the iQ.Suite Split jobs. Default: ORI- GINAL. Possible values:  ORIGINAL: The addresses are left unchanged. Addresses from groups are used as they appear in the group.  NOTES: The addresses are converted to the Notes format in the form user@domain if they are found in the address book; otherwise the standardized address is used. This does not affect the resolution of individual addresses.

ToolKit_Statistics This parameter allows to record Notes statistical data. Possible values: YES, NO. Default: YES.

ToolKit_StatisticsInterval This parameter sets the interval for creation of the Grabber statistics. Default: 60 minutes.

ToolKit_UseDynamicRuleEvaluation ToolKit_UseDynamicRuleEvaluation=YES enables the dynamic rule evaluation. This parameter can be used to evaluate the rules right before the job initialization. In this way, a job is able, for instance, to react to the result of a preceding job. This requires that the ToolKit_RuleEvaluationMode parame-

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 702 APPENDIX: GLOBAL PARAMETERS (EXCEPT JOB RESULTS) - OTHER GLOBAL PARAMETERS  ter is set to ALWAYS. Possible values: YES, NO. Default: NO (all rules are evaluated before all jobs).

ToolKit_UserLogo This parameter sets the appearance of the header in user notifications. The entry is made in the same way as for ToolKit_Logo. In addition, adding ;NOSERVER at the end of the company entry allows to suppress the server name. Example: ToolKit_UserLogo=GROUP;0;0;NOSERVER generates a standard header with standard colors, however without the server name line. If not set, the ToolKit_Logo settings apply.

Toolkit_UserRequestUseSubject

The mailto links generated by iQ.Suite have the user request to be executed in the email body by default (parameter value = 0). The subject contains only a string which transcribes the user request, e.g. ‘PUR’ (PasswordUserRequest).

Example of a non-abbreviated mailto link: mailto:[email protected]?subject=PUR&body=[UR]:ver=3* id=7tkmllSVIEJMP/DONPgRan7wERgvLSaPFV2ZqDw1Pp0W8lYufG1Q_g==

Some webmailers can resolve these mailto links only up to the subject. There- fore, the emails sent via these webmailers are by default for iQ.Suite unusable since the user request (command) is expected in the body. In order to handle this problem, create the global parameter (GLOBAL -> GLOBAL PARAMETERS -> NEW ->

GENERAL GLOBAL PARAMETER) and set the parameter value to ‘1’. With this, the user request is written in the subject line when the mailto links are generated, and iQ.Suite can process these request emails.

Example of an abbreviated mailto link: mailto:[email protected]?subject=[UR]:ver=3* id=7tkmllSVIEJMP/DONPgRan7wERgvLSaPFV2ZqDw1Pp0W8lYufG1Q_g==

ToolKit_WasEncryptedFlagFieldName This parameter allows to specify a field name. In case an encrypted document was decrypted by iQ.Suite using the server ID, a text field with the name specified and the value 1 is created in the document.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 703 APPENDIX: GLOBAL PARAMETERS (EXCEPT JOB RESULTS) - OTHER GLOBAL PARAMETERS 

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 704 APPENDIX: JOB RESULTS - META RESULTS   22 Appendix: Job Results Some Mail Jobs can provide results form the job processing. In this chapter, you will find a description of these results. These job results are written in the email field that is specified in the Misc tab of the respective job1.

22.1 Meta Results

Meta results are no results of a job processing. They are only used to classify the results more easily, for example by processing job.

Tag: Job

The job name of the processing job is displayed after this tag in the job results, provided that the Toolkit_JobResult_WriteJobName parameter enables this information to be written in the job results.

Job:Job name

Job name is the name of the job which is specified in the job configuration document.

Tag: Start

The start time and date of the job processing is displayed after this tag in the job results, provided that the Toolkit_JobResult_WriteStart parameter enables this information to be written in the job results.

Start:Start date and time

Tag: End

The end date and time of the job processing is written after this tag in the job results, provided that the Toolkit_JobResult_WriteEnd parameter enables this information to be written in the job results.

End:End date and time

1. Refer to “Misc Tab” auf Seite 49.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 705 APPENDIX: JOB RESULTS - GENERAL RESULTS 

22.2 General Results

Tag: Result

The overall result of the job processing is written after this tag:

Result:Overall result

The overall result can take one of the following values:

Value Description

Success The email processing was completed successfully.

Error The email processing failed.

Tag: Error

If an error occurs during email processing by a job, the error code is written after this tag:

Error:Error code

Tag: ErrorText

If an error occurs during email processing by a job, the error text relative to the error code is written after this tag:

ErrorText:Error text

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 706 APPENDIX: JOB RESULTS - RESULTS OF THE ACTION MAIL JOBS 

22.3 Results of the Action Mail Jobs

Tag: Mode

The execution mode of the Action Mail Job is displayed after this tag, provided that the Toolkit_JobResult_Action_WriteMode parameter enables the execution mode to be written in the job results.

Mode:Mode

The mode can take one of the following values:

Value Description

Formula Corresponds to the mode Notes formula.

SystemCall Corresponds to the mode System call.

Signing Corresponds to the mode Sign documents.

AgentCall Corresponds to the mode Notes agent run.

Tag: Detail

The action to be executed after the resolution of all metasymbols is written after this tag:

Detail:Action

The action can take one of the following values:

Value Description

Formula text In the mode Formula, the Notes formula to be executed is written.

Command line In the mode SystemCall, the command line to be executed is written.

Sign document In the mode Signing, ‘Sign document’ is written

DB name::Agent name In the mode AgentCall, the name of the agent and the database which contains the agent are written.

Tag: DetailNOP

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 707 APPENDIX: JOB RESULTS - RESULTS OF THE ACTION MAIL JOBS 

 In the mode SystemCall, if a metasymbol cannot be resolved and this prevents the system call to be run, the tag DetailNOP is written with the value ‘UnresolvableMetaSymbol’:

DetailNOP:UnresolvableMetaSymbol

 In the mode Signing, the tag DetailNOP is written with the value ‘AlreadySigned’ in case of an already signed email:

DetailNOP:AlreadySigned

 In the mode Signing, the tag DetailNOP is written with the value ‘Encrypted’ in case of an encrypted email:

DetailNOP:Encrypted

Tag: DetailRc

If an error occurs during email processing by the Action Mail Job, the error code is written after this tag:

DetailRc:Error code

Tag: DetailResult

The detailed result which were determined during email processing is written after this tag:

DetailResult:Detailed result

The detailed result can take one of the following values:

Value Description

Success In the mode SystemCall or AgentCall, the command or the agent was executed successfully.

Unchanged In the mode Formula or Signing, executing the formula did not change the email or the email was not signed because it was already signed or already encrypted.

Modified In the mode Formula, executing the formula changed the email.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 708 APPENDIX: JOB RESULTS - RESULTS OF THE ACTION MAIL JOBS 

Signed In the mode Signing, the email was successfully signed.

Error An error occured during email processing.

Tag: DetailFormulaResult

The results of a formula execution are written after this tag:

DetailFormulaResult[x]:Formula result

A single formula result can be a text, a number or a time.

Tag: DetailNumFormulaResults

This tag indicates the number of formula results:

DetailNumFormulaResults:Number

Tag: DetailCommandResult

The result of a system call is written after this tag:

DetailCommandResult:Command result

The command result is a positive integer.

Tag: DetailAgentResult

The outputs of an agent on the command line are written after this tag:

DetailAgentResult[x]:Command output line

Tag: DetailNumAgentResults

This tag indicates the number of output lines of an agent on the command line:

DetailNumAgentResults:Number

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 709 APPENDIX: JOB RESULTS - RESULTS OF THE CONVERT DECOMPRESSION JOBS 

22.4 Results of the Convert Decompression Jobs

Tag: NOP

If during email processing by a Decompression Job, the job detects that no action is required for this email, then the reason for “No action” is written after this tag:

NOP:Reason

The reason for ‘No action’ can take one of the following values:

Value Description

EncryptedOrSigned Because the email is encrypted or signed, it was ignored.

NoPreConditionMatching The email contains no attachment which meets the Attachments preconditions of the job for a decompression.

NoPostConditionMatching The email contains no attachment which meets the Attachments postconditions of the job after the decompression.

Tag: ErrorDetail

If an error occured during email processing by a Decompression Job, more detailed information is written after this tag:

ErrorDetail:Details

The details can take one of the following values:

Value Description

BadConfig Checking the configuration data resulted in an error.

DecompressionFailed One of the attachments to be processed could not be decompressed.

Tag: ErrorReason

If an error occured during email processing by a Decompression Job, the reason for the error is written after this tag:

ErrorReason:Reason

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 710 APPENDIX: JOB RESULTS - RESULTS OF THE CONVERT DECOMPRESSION JOBS 

For the reason of the error, no special values can be specified. Usually, the reason is a short text. The value is partially created during email processing.

Tag: NumAttas

The number of the attachments contained in the email is indicated after this tag.

The indices [x] of the single attachment tags refer to the value in this tag:

NumAttas:Number of attachments

Tag: DetailNumAttasToProcess

The number of the attachments to be processed is indicated after this tag, if this number is relevant in the set working mode:

DetailNumAttasToProcess:Number of attachments

Tag: DetailNumAttasToReplace

The number of the attachments to be replaced is indicated after this tag, if this number is relevant in the set working mode:

DetailNumAttasToReplace:Number of attachments

Tag: AttaName[x]

The name of the x-th attachment of the email is written after this tag.

AttaName[x]:Attachment name

Tag: AttaNOP[x]

If the x-th attachment is not processed due to any reason. The reason is written after this tag:

AttaNOP[x]:Reason

The reason for ‘No processing’ of the attachment can take one of the following values:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 711 APPENDIX: JOB RESULTS - RESULTS OF THE CONVERT DECOMPRESSION JOBS 

Value Description

LinkedToBody Because the attachment is referenced in the email body, it was not processed.

SizeLimitViolation The attachment does not meet the size limitations of the job.

NoMatchingFingerprint The attachment does not match the fingerprint configuration of the job.

DecompressionNot No decompression is necessary for the attachment. Neccessary This is, for example, the case when an archive is empty or a PDF document does not contain internal attachments.

Tag: AttaEngineResult[x]

The result of the decompression of an attachment is written after this tag:

AttaEngineResult[x]:Result

The result can take one of the following values:

Value Description

Success The decompression of an attachment was completed successfully.

Error The decompression of an attachment failed.

Tag: AttaResult[x]

The overall result of the processing of an attachment is written after this tag:

AttaResult[x]:Result

The result can take one of the following values:

Value Description

Success The gesamte processing of an attachment was successfully completed.

Error The processing of an attachment failed.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 712 APPENDIX: JOB RESULTS - RESULTS OF THE CONVERT DECOMPRESSION JOBS 

Tag: AttaDetails[x]

If an attachment was not processed successfully, more detailed information is written after this tag.

AttaDetails[x]:Details

The following values are possible:

Value Description

DecompressionFailed The attachment could not be unpacked.

ReattachmentFailed One file which was unpacked from this attachment could not be attached to the email.

Tag: AttaNumReplacements[x]

If an attachment could be successfully unpacked, the number of unpacked files which replace the attachment is written after this tag. If the original file is kept, for example in case of PDF files, the original file is added to this number and is specified in the following tags.

AttaNumReplacements[x]:Number of replacements

The indices [y] of the following attachment tags refer to the value in this tag:

Tag: AttaName[x][y]

The name of the y-th file which replaces the x-th attachment of the email is written after this tag:

AttaName[x][y]:Filename

Tag: AttaResult[x][y]

The overall result of the processing of the y-th file which replaces the x-th attachment of the email is written after this tag:

AttaResult[x][y]:Result

The result can take one of the following values:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 713 APPENDIX: JOB RESULTS - RESULTS OF THE CONVERT DECOMPRESSION JOBS 

Value Description

Success The file could be attached to the email without an error.

Error The file could not be attached to the email.

Tag: AttaDetails[x][y]

If a file coud not be attached to the email, more detailed information is written after this tag.

AttaDetails[x][y]:Details

The following value is possible:

Value Description

ReattachmentFailed The file could not be attached to the email.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 714 APPENDIX: JOB RESULTS - RESULTS OF THE CRYPT MAIL JOBS 

22.5 Results of the Crypt Mail Jobs

Tag: Mode

The Crypt processing mode is displayed after this tag, provided that the Toolkit_JobResult_Crypt_WriteMode parameter enables this information to be written in the job results.

Mode:Mode

The mode can take one of the following values:

Value Mode

PGP_EncryptInline PGP/Inline encryption

PGP_EncryptMIME PGP/MIME encryption

PGP_Decrypt PGP decryption

PGP_KeyImport PGP key import

SMIME_Encrypt S/MIME encryption

SMIME_Decrypt S/MIME decryption

SMIME_Sign S/MIME signature

SMIME_SignValidate S/MIME signature validation

SMIME_DecryptAtta S/MIME decryption Mail Protect

NotesEncrypt Notes encryption

WEB_Encrypt WebCrypt encryption

For further information on these modes, please refer to the context-sensitive

HELP.

Tag: NOP

If during email processing by a Crypt job no action is required for this email, then the reason for ‘No action’ is written after this tag:

NOP:Reason

The reason for ‘No action’ can take one of the following values:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 715 APPENDIX: JOB RESULTS - RESULTS OF THE CRYPT MAIL JOBS 

Value Description

WebCryptSystemMail The email is a WebCrypt system email and can therefore be processed only in the modes S/MIME encryption, S/MIME decryption Mail Protect and S/MIME signature validation.

NotesEncrypted The email is encrypted with Notes and can therefrore be processed only in the modes S/MIME decryption, S/MIME decryption Mail Protect and S/MIME signature validation.

NotNotesICalandar Although the email is a Notes calendar notification, it has not the iCalendar format and therefore cannot be processed in the modes S/MIME encryption, PGP/Inline encryption, PGP/MIME encryption and WebCrypt encryption.

NotMIME The email is not a MIME email. Therefore, it cannot be processed in the modes S/MIME decryption, S/MIME decryption Mail Protect and S/MIME signature validation.

UnknownSender The email sender could not be determined. Therefore, the email cannot be processed.

AlreadySMIMESigned The email to be signed with S/MIME is already signed or encrypted with S/MIME.

AlreadySMIMEEnveloped The email to be encrypted with S/MIME already contains an S/MIME envelope.

NotSMIMEEnveloped The email to be decrypted in the mode S/MIME decryption or S/MIME decryption Mail Protect contains no valid S/MIME envelope.

NotSMIMESigned The email to be verified in the mode S/MIME signature validation contains no S/MIME signature.

NoLocalNABRecipients The email to be encrypted in the mode Notes encryption contains no recipient address that exists in the server‘s local address book.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 716 APPENDIX: JOB RESULTS - RESULTS OF THE CRYPT MAIL JOBS 

AlreadyWebCryptEnveloped An email to be encrypted in the mode WebCrypt encryption is already encrypted with WebCrypt.

NotImplemented In the job configuration, a mode which this iQ.Suite version does not know yet is selected.

Tag: NumAttas

The number of file attachments to be processed is displayed after this tag, provided that this information is relevant for the selected working mode:

NumAttas:Number of attachments

Tag: AttaName[x]

The Notes-internal name of the x-th email attachment is written after this tag:

AttaName[x]:Attachment name

Tag: AttaNOP[x] / Tag: BodyNOP

If the x-th attachment or the body is not processed for any reason, the reason is indicated after the tag AttaNOP[x] or BodyNOP:

AttaNOP[x]:Reason

BodyNOP:Reason

The reason for ‘No processing’ of the attachment or body can take one of the following values:

Value Description

HasCryptoExtension An attachment or a body to be encrypted with PGP/Inline or PGP/MIME is already encrypted.

InvalidExtension An attachment or a body to be decrypted with PGP or to be processed in the mode PGP key import is not encrypted.

UnexpetedPGPFormat An attachment or a body to be decrypted with PGP has an incorrect PGP format.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 717 APPENDIX: JOB RESULTS - RESULTS OF THE CRYPT MAIL JOBS 

NotSignedSMIMEMail An attachment or a body to be verified in the mode S/MIME signature validation is not signed with S/MIME.

NoSMIMESignature A certificate required for the S/MIME signature validation of an attachment or a body is not available in the email.

NotEncryptedSMIMEMail An attachment or a body to be decrypted in the mode S/MIME decryption is not encrypted with S/MIME.

NoEnvelopedData An attachment or a body to be decrypted in the mode S/MIME decryption Mail Protect is not encrypted with S/MIME.

Tag: AttaEngine[x] / Tag: BodyEngine

If file attachments or the email body are processed by an Engine in the selected mode (all modes except Notes encryption), then the return value is written after the tag AttaEngine[x] or BodyEngine.

AttaEngine[x]:Number BodyEngine:Number

The return value is a positive integer. The value ‘0’ means for numerous Crypt Engines a successful Engine call. However, processing an attachment or a body is not completed with the Engine call. Therefore, further errors may occur and processing can fail despite a successful Engine call.

Tag: AttaResult[x] / Tag: BodyResult

The overall result of the processing of an attachment or an email body is written after the tag AttaResult[x] or BodyResult.

AttaResult[x]:Result BodyResult:Result

The result can take one of the following values:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 718 APPENDIX: JOB RESULTS - RESULTS OF THE CRYPT MAIL JOBS 

Value Description

Success The processing of an attachment or a body was successfully completed.

Error The processing of an attachment or a body failed.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 719 APPENDIX: JOB RESULTS - RESULTS OF THE CRYPT PRO IMPORT JOBS 

22.6 Results of the Crypt Pro Import Jobs

Tag: NOP

If during email processing by a Crypt Pro Import Job no action is required for the email to be processed, then the reason for ‘No action’ is written after this tag:

NOP:Reason

The reason for ‘No action’ can take one of the following values:

Value Description

NotesEncrypted The email is encrypted with Notes and therefore cannot be processed.

NotesCalendarMail The email is a Notes calendar email and therefore cannot be processed.

NotificationMail The email is a notification email of the iQ.Suite which is not to be processed by this job.

NotesMail The email ist a Notes email which is not to be processed by this job.

NoFingerprint No fingerprints were configured for PGP and S/MIME keys.

NoAttachment The email contains no attachments.

NoKeys The email contains attachments, but these attachments are not PGP or S/MIME keys.

Tag: NumAttas / NumAttas[x]

Either the number of attachments to be processed or the number of the contained elements (if the attachment is split (e.g. in case of an archive)) is specified after the appropriate tag:

NumAttas:Number of attachments NumAttas[x]:Number of elements

The attachment can be accordingly split into elements and sub-elements so that additional indexes can be added.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 720 APPENDIX: JOB RESULTS - RESULTS OF THE CRYPT PRO IMPORT JOBS 

Tag: AttaName[x]

The internal name of the x-th email attachment is written after this tag:

AttaName[x]:Attachment name

The attachment can be accordingly split into elements and sub-elements so that additional indexes can be added.

Tag: AttaNOP

If the x-th attachment is not processed for any reason, the reason is specified after this tag:

AttaNOP[x]:Reason

The reason for ‘No processing’ of the attachment can take one of the following values:

Value Description

Archive An attachment to be checked is an archive. Archives are to be processed according to the job configuration.

NoElement An archive to be checked contains no elements.

NoKeys An archive to be checked contains no PGP or S/MIME keys.

NotAKey An attachment to be checked or an archive‘s element to be checked is neither a PGP key nor an S/MIME key.

The attachment can be accordingly split into elements and sub-elements so that additional indexes can be added.

Tag: AttaIsArchive[x]

Value Description

Yes The x-th attachment is an archive.

No The x-th attachment is not an archive.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 721 APPENDIX: JOB RESULTS - RESULTS OF THE CRYPT PRO IMPORT JOBS 

The attachment can be accordingly split into elements and sub-elements so that additional indexes can be added.

Tag: AttaResult[x]

Value Description

Success The x-th attachment was processed successfully.

Error Processing the x-th attachments failed.

The attachment can be accordingly split into elements and sub-elements so that additional indexes can be added.

Tag: AttaType[x]

Value Description

PGP The x-th attachment was a PGP key.

S/MIME The x-th attachment was a S/MIME key.

The attachment can be accordingly split into elements and sub-elements so that additional indexes can be added.

Tag: AttaEngineKMS[x]

Return value of the KeyManager Engine:

AttaEngineKMS[x]:Number

The return value is a positive integer. The value ‘0’ means a successful Engine call, but processing the attachment is not completed with the KeyManager Engine call. Therefore, further errors may occur and the processing of an attachment can fail despite a successful Engine call.

The attachment can be accordingly split into elements and sub-elements so that additional indexes can be added.

Tag: AttaImportedPGP[x]

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 722 APPENDIX: JOB RESULTS - RESULTS OF THE CRYPT PRO IMPORT JOBS 

The number of PGP keys which were imported from the x-th attachment through the KeyManager is specified after this tag:

AttaImportedPGP[x]:Number of imported PGP keys

The attachment can be accordingly split into elements and sub-elements so that additional indexes can be added.

Tag: AttaExistingPGP[x]

The number of the PGP keys from the x-th attachment which are already known by the KeyManager is specified after this tag:

AttaExistingPGP[x]:Number of known PGP keys

The attachment can be accordingly split into elements and sub-elements so that additional indexes can be added.

Tag: AttaFailedPGP[x]

The number of PGP keys which were not imported from the x-th attachment through the KeyManager is specified after this tag:

AttaFailedPGP[x]:Number of not imported PGP keys

The attachment can be accordingly split into elements and sub-elements so that additional indexes can be added.

Tag: AttaImportedSMIME[x]

The number of S/MIME keys which were imported from the x-th attachment through the KeyManager is specified after this tag:

AttaImportedSMIME[x]:Number of imported S/MIME keys

The attachment can be accordingly split into elements and sub-elements so that additional indexes can be added.

Tag: AttaExistingSMIME[x]

The number of S/MIME keys from the x-th attachment which are already known by the KeyManager is specified after this tag:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 723 APPENDIX: JOB RESULTS - RESULTS OF THE CRYPT PRO IMPORT JOBS 

AttaExistingSMIME[x]:Number of known S/MIME keys

The attachment can be accordingly split into elements and sub-elements so that additional indexes can be added.

Tag: AttaFailedSMIME[x]

The number of S/MIME keys from the x-th attachment which were not imported through the KeyManager is specified after this tag:

AttaFailedSMIME[x]:Number of not imported S/MIME keys

The attachment can be accordingly split into elements and sub-elements so that additional indexes can be added.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 724 APPENDIX: JOB RESULTS - RESULTS OF THE DLP DATA ANALYZE JOBS 

22.7 Results of the DLP Data Analyze Jobs

Tag: NOP

If no action is required for this email during email processing by a DLP Data Ana- lyze Job, then the reason for ‘No action’ is written after this tag:

NOP:Reason

The reason for ‘No action’ can take one of the following values:

Value Description

NotesEncrypted The email is encrypted with Notes and therefore cannot be processed.

NotesCalendarMail The email is a Notes calendar email and therefore cannot be processed.

NotificationMail The email is a notification email of the iQ.Suite which is not to be processed by this job.

NotesMail The email is a Notes email which is not to be processed by this job.

NoCriteria No analysis criterion is configured.

InsufficientData The email is ignored since too less data is available.

Tag: ErrorDetail

If an error occured during email processing by a DLP Data Analyze Job, more detailed information is written after this tag:

ErrorDetail:Details

The details can take one of the following values:

Value Description

BadConfig A configuration data check resulted in an error.

FailedUpdateLiveData The Live data could not be updated.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 725 APPENDIX: JOB RESULTS - RESULTS OF THE DLP DATA ANALYZE JOBS 

FailedRetrieveBaseline No baseline could be determined for the sender.

FailedRetrieveLiveData No Live data could be determined for the sender.

Tag: Detail

The analysis result of an email is written after this tag:

Detail:Analysis result

The analysis result can take one of the following values:

Value Description

Unrestricted The email data to be analyzed did not exceed any threshold values.

Warning The email data to be analyzed did not exceed the threshold value for warning.

Restricted The email data to be analyzed did not exceed the threshold for restriction.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 726 APPENDIX: JOB RESULTS - RESULTS OF THE PDFCRYPT MAIL ENCRYPTION JOBS 

22.8 Results of the PDFCrypt Mail Encryption Jobs

Tag: NOP

If during email processing by a PDFCrypt Job no action is required for this email, then the reason for ‘No action’ is written after this tag:

NOP:Reason

The reason for ‘No action’ can take one of the following values:

Value Description

NotesEncrypted The email is encrypted with Notes and therefore cannot be processed.

NotesCalendarMail The email is a Notes calendar email and therefore cannot be processed.

NotificationMail The email is a notification email of the iQ.Suite which is not to be processed by this job.

NotesMail The email is a Notes email which is not to be processed by this job.

SubjectCondition The encryption password is specified in the subject line of the email after a keyword. However, the processed email does not contain the keyword in the subject line.

AttachmentCondition The email contains no attachments which meet the selection criteria defined in the job.

NoRecipient The email contains no recipient for which a PDFCrypt encryption is to be performed.

Tag: ErrorDetail

If an error occurs during email processing by a PDFCrypt Job, detailed information is written after this tag:

ErrorDetail:Details

The details can take one of the following values:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 727 APPENDIX: JOB RESULTS - RESULTS OF THE PDFCRYPT MAIL ENCRYPTION JOBS 

Value Description

BadConfig Checking the configuration data resulted in an error.

BadPassword The password could not be determined or created. The reason for the error is specified after the tag ErrorReason.

BadEncryption The email could not be encrypted.

FailedCreateResultMail A result email with the encrypted content could not be created.

FailedEngineCall An error occured when trying to encrypt the email. The reason for the error is specified after the tag ErrorReason,

Tag: ErrorReason

If an error occured during password calculation or during PDFCrypt encryption, then the reason for the error is written after this tag:

ErrorReason:Reason

For the reason, no special values can be specified. Usually, the reason is a short text. Partially, the value is determined during email processing.

Tag: DetailRecipients

The recipients for whom the email is processed are listed after this tag and separated by a comma in the list:

DetailRecipient:List of recipients

Tag: DetailResult

This tag indicates whether processing was successful for a subset of the recipients:

Value Description

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 728 APPENDIX: JOB RESULTS - RESULTS OF THE PDFCRYPT MAIL ENCRYPTION JOBS 

Success Processing was successful for a subset of the recipients.

Error Processing failed for a subset of the recipients.

Tag: DetailPassword

This tag specifies the password which is used for a subset of the recipients:

DetailPassword:Password

Issuing the password can be enabled separately via the global parameter Tool-kit_JobResult_PDFCrypt_WritePassword and is disabled by default.

Tag: DetailEngine

Return value of the PDFCrypt Encryption Engine for a subset of the recipients:

DetailEngine:Number

The return value is a positive integer. The value ‘0’ means a successful Engine call, but email processing is not completed with the PDFCrypt Encryption Engine call. Therefore, further errors may occur and processing can fail despite a successful Engine call.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 729 APPENDIX: JOB RESULTS - RESULTS OF THE PDFCRYPT FILE SIGNING/ENCRYPTION JOBS 

22.9 Results of the PDFCrypt File Signing/Encryption Jobs

Tag: NOP

If during email processing by a PDFCrypt File Signing/Encryption Job no action is required for this email, then the reason for ‘No action’ is written after this tag:

NOP:Reason

The reason for ‘No action’ can take the following value:

Value Description

NoPDFAttachments The email contains no attachments or all attachments are not PDF files.

Tag: ErrorDetail

If an error occured during email processing by a PDFCrypt File Signing/Encryption Job, more detailed information is written after this tag:

ErrorDetail:Details

The details can take the following values:

Value Description

BadConfig A check of the configuration data resulted in an error.

NoCertificate For the sender, no certificate could be found or created for signing.

NoPassword For the recipient, no password could be found or created for encryption.

Tag: DetailNumAttasToProcess

This tag shows the number of PDF attachments in the email which are to be processed:

DetailNumAttasToProcess:Number of PDF attachments

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 730 APPENDIX: JOB RESULTS - RESULTS OF THE PDFCRYPT FILE SIGNING/ENCRYPTION JOBS 

Tag: DetailNumAttasProcessed

This tag shows the number of successfully processed PDF attachments in the email:

DetailNumAttasProcessed:Number of successfully processed PDF attachments

Tag: DetailNumAttasNotProcessed

This tag shows the number of not successfully processed PDF attachments in the email:

DetailNumAttasNotProcessed:Number of not successfully processed PDF attachments

Tag: DetailNumAttasAlreadyEncrypted

This tag shows the number of already encrypted or signed PDF attachments in the email. Depending on the configuration, this is a subset of the successfully or not successfully processed PDF attachments:

DetailNumAttasAlreadyEncrypted:Number of already encrypted or signed PDF attachments

Tag: NumAttas

The total number of attachments is written after this tag:

NumAttas:Number of attachments

Tag: AttaName[x]

The internal name of the x-th attachment in the email is written after this tag:

AttaName[x]:Attachment name

Tag: AttaDetails[x]

The details which have been determined during processing of the x-th attachment are written after this tag.

AttaDetails[x]:Details

The following values are written in case of a successfully processed attachment:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 731 APPENDIX: JOB RESULTS - RESULTS OF THE PDFCRYPT FILE SIGNING/ENCRYPTION JOBS 

Value Description

Signed The attachment has been successfully signed.

Encrypted The attachment has been successfully encrypted.

SignedAndEncrypted The attachment has been successfully encrypted and signed.

The following values are written in case of errors during the processing of an attachment:

Value Description

CanNotBeSigned The attachment could not be signed.

CanNotBeEncrypted The attachment could not be encrypted.

CanNotBeSignedAndEnc- The attachment could be neither encrypted nor signed. rypted

Depending on the configuration, the following value is written in case of a successful or failed processing of the attachment:

Value Description

AlreadyEncrypted The attachment is already signed or encrypted.

Tag: AttaResult[x]

The overall result of the processing of an attachment is written after this tag.

AttaResult[x]:Result

The result can take one of the following values:

Value Description

Success The processing of an attachment has been completed without errors.

Error The processing of an attachment failed.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 732 APPENDIX: JOB RESULTS - RESULTS OF THE PDFCRYPT SIGNATURE VERIFICATION JOBS 

22.10 Results of the PDFCrypt Signature Verification Jobs

Tag: NOP

If during email processing by a PDFCrypt Signature Verification Job no action is required for this email, then the reason for ‘No action’ is written after this tag:

NOP:Reason

The reason for ‘No action’ can take the following value:

Value Description

NoPDFAttachments The email contains no attachments or all attachments are not PDF files.

Tag: ErrorDetail

If an error occurs during email processing by a PDFCrypt Signature Verification Job, more detailed information is written after this tag.

ErrorDetail:Details

The details can take the following value:

Value Description

BadConfig A check of the configuration data resulted in an error.

Tag: DetailNumAttasToProcess

This tag shows the number of PDF attachments in the email which have to be processed:

DetailNumAttasToProcess:Number of PDF attachments

Tag: DetailNumAttasUnsigned

This tag shows the number of unsigned PDF attachments for which no verification is possible:

DetailNumAttasUnsigned:Number of unsigned PDF attachments

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 733 APPENDIX: JOB RESULTS - RESULTS OF THE PDFCRYPT SIGNATURE VERIFICATION JOBS 

Tag: DetailNumAttasVerified

This tag shows the number of processed PDF attachments of which the signatures could be successfully verified:

DetailNumAttasVerified:Number of verified PDF attachments

Tag: DetailNumAttasNotVerified

This tag shows the number of processed PDF attachments of which the signatures could not be verified. This includes also encrypted attachments:

DetailNumAttasNotVerified:Number of unverified PDF attachments

Tag: DetailNumAttasPasswordProtected

This tag shows the number of processed PDF attachments which were encrypted and therefore could not be verified.

DetailNumAttasPasswordProtected:Number of encrypted PDF attachments

Tag: NumAttas

The total number of attachments is written after this tag.

NumAttas:Number of attachments

Tag: AttaName[x]

The internal name of the x-th attachment of the email is written after this tag.

AttaName[x]:Attachment name

Tag: AttaNOP[x]

If the x-th attachment is not processed, the reason for ‘not processed’ is written after this tag:

AttaNOP[x]:Reason

The reason for ‘No processing’ of the attachment or the body can take one of the following values:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 734 APPENDIX: JOB RESULTS - RESULTS OF THE PDFCRYPT SIGNATURE VERIFICATION JOBS 

Value Description

NotSigned The attachment to be checked was unsigned.

NotSignedVerified The attachment to be checked was unsigned. This has been determined during the signature verification.

Tag: AttaDetails[x]

The details which have been determined during processing of the x-th attachment are written after this tag:

AttaDetails[x]:Details

The details can take the following values:

Value Description

MissingCertificate Some certificates required for the verification of the signature of the attachment could not be found.

NotVerified The signature of the attachment could not be verified.

Verified The signature of the attachment could be successfully verified.

Tag: AttaResult[x]

The overall result of the processing of an attachment is written after this tag.

AttaResult[x]:Result

The result can take one of the following values:

Value Description

Success The processing of an attachment has been completed without error. If the attachment was signed, the signature has been verified.

Error The processing of an attachment failed or a signature could not be verified.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 735 APPENDIX: JOB RESULTS - RESULTS OF THE TRAILER ADVANCED MAIL JOBS 

22.11 Results of the Trailer Advanced Mail Jobs

Tag: NOP

If during email processing by a Trailer Advanced Job no action is required for this email, the reason for ‘No action’ is written after this tag:

NOP:Reason

The reason for ‘No action’ can take the following value:

Value Description

NoTrailerNoAtta No trailer or file must be attached to the email.

EncryptedOrSigned Since the email is encrypted or signed, it must not be changed.

Tag: ErrorDetail

If an error occured during email processing by a Trailer Advanced Job, more detailed information is written after this tag:

ErrorDetail:Details

The details can take the following value:

Value Description

NotAMail The document to be processed is not an email.

TrailerOrAttaFailed At least one trailer or file could not be attached.

Tag: ErrorReason

If an error occured during email processing by a Trailer Advanced Job, the reason for the error is written after this tag:

ErrorReason:Reason

For the reason of the error, no special values can be specified. Usually, the reason is a short text.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 736 APPENDIX: JOB RESULTS - RESULTS OF THE TRAILER ADVANCED MAIL JOBS 

Tag: DetailNumTrailerToAppend

The number of trailers to be attached to the email is written after this tag:

DetailNumTrailerToAppend:Number of trailers to be attached

Tag: DetailNumAttasToAppend

The number of files to be attached to the email is written after this tag:

DetailNumAttasToAppend:Number of files to be attached

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 737 APPENDIX: JOB RESULTS - RESULTS OF THE WALL MAIL JOBS 

22.12 Results of the Wall Mail Jobs

Tag: NOP

If during email processing by a Wall Job, the job detects that it is not configured for the sender of the email, this tag indicates this with the value ‘NotForThisSender’:

NOP:NotForThisSender

Tag: DetailDeniedNOP

If no prohibited recipients are configured in the Wall Job, this tag indicates this with the value ‘NoRecipientCheck‘:

DetailDeniedNOP:NoRecipientCheck

Tag: DetailDeniedNumRecipients

The number of prohibited recipients found is displayed after this tag:

DetailDeniedNumRecipients:Number

Tag: DetailDeniedRecipient

The prohibited recipients found are displayed after this tag:

DetailDeniedRecipient[x]:Recipients

Tag: DetailDeniedRecipientDelete

This tag indicates whether prohibited recipients were removed:

DetailDeniedRecipientDelete:Value

Value Description

Yes Prohibited recipients were removed.

No Prohibited recipients were not removed.

Tag: DetailDeniedResult

The result of the check for prohibited recipients is displayed after this tag:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 738 APPENDIX: JOB RESULTS - RESULTS OF THE WALL MAIL JOBS 

DetailDeniedResult:Result

The result can take one of the following values:

Value Description

Clean The email check could not find any prohibited recipient.

Violated No prohibited recipient was found.

Error Checking the email for prohibited recipients failed.

Tag: DetailFloodingFoundSpam

This tag indicates the spam criterion which was determined during the check for mail flooding:

DetailFloodingFoundSpam:Spam criterion

Tag: DetailFloodingNOP

If no mail flooding is enabled in the processing Wall Job or the email to be processed does not meet the mail flooding criterion, this is displayed after this tag:

DetailFloodingNOP:Reason

The reason can take one of the following values:

Value Description

NothingToDo The mail flooding criterion to be analyzed could not be determined from the email.

NoMailFloodingCheck Checking for mail flooding is disabled.

Tag: DetailFloodingResult

The result of the check for mail flooding is displayed after this tag:

DetailFloodingResult:Result

The result can take one of the following values:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 739 APPENDIX: JOB RESULTS - RESULTS OF THE WALL MAIL JOBS 

Value Description

Clean The email analysis could not detect any mail flooding.

Violated Mail flooding was detected with the defined criteria.

Error Checking the email for mail flooding failed.

Tag: DetailNumberCount

If the number of email recipients exceeds the allowed number of recipients, the number of recipients of the email is specified after this tag:

DetailNumberCount:Number

Tag: DetailNumberMax

If the number of email recipients exceeds the allowed number of recipients, the allowed number of recipients is written after this tag:

DetailNumberMax:Number

Tag: DetailNumberNOP

If the Wall Job does not contain any restriction concerning the number of recipients, this tag indicates this with the value ‘NoNumberOfRecipientsCheck’:

DetailDeniedNOP:NoNumberOfRecipientsCheck

Tag: DetailNumberResult

The result of the check for the number of recipients is written after this tag:

DetailNumberResult:Result

The result can take one of the following values:

Value Description

Clean The number of email recipients does not exceed the maximum limit.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 740 APPENDIX: JOB RESULTS - RESULTS OF THE WALL CLEANING MAIL JOBS 

Violated The number of email recipients exceeds the maximum limit.

Error Checking email for the number of email recipients failed.

22.13 Results of the Wall Cleaning Mail Jobs

Tag: ErrorDetail

If an error occured during email processing by a Wall Cleaning Job, more detailed information is written after this tag:

ErrorDetail:Details

The details can take the following value:

Value Description

ExceptionOccured An exception occured during the deletion of an email part.

Tag: ErrorReason

If an error occured during email processing by a Wall Cleaning Job, the reason for the error is written after this tag:

ErrorReason:Reason

For the reason of the error, no special values can be specified. Usually, the reason is a short text.

Tag: DetailBodiesDeleted

The number of the email bodies which were deleted from the email is written after this tag:

DetailBodiesDeleted:Number of deleted email bodies

Tag: DetailNOP

If during email processing by a Wall Cleaning Job no action is required for this email, the reason for ‘No action’ is written after this tag:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 741 APPENDIX: JOB RESULTS - RESULTS OF THE WALL CLEANING MAIL JOBS 

DetailNOP:Reason

The reason for ‘No action’ can take the following value:

Value Description

NothingToDelete The email analysis showed that the email does not contain any parts to be deleted.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 742 APPENDIX: JOB RESULTS - RESULTS OF THE WATCHDOG MAIL JOBS 

22.14 Results of the Watchdog Mail Jobs

Tag: NOP

If during email processing by a Watchdog Job no action is required for this email, the reason for ‘No action’ is written after this tag:

NOP:Reason

The reason for ‘No action’ can take the following value:

Value Description

NoAttachmentsAndNoBody The email contains neither a body nor attachments to be checked.

Tag: Detail

The details which have been determined during email processing are written after this tag:

Details:Detail

The details can take one or more of the following values mentioned in the table below. Several values are separated by a comma.

Value Description

Ok None of the other values occured.

ContainsVirus The email contained a virus.

Denied The email contained a prohibited attachment or a file restriction was violated.

Error An error occured during email processing.

Encrypted The email contained Notes-encrypted attachments.

PasswordProtected The email contained password-protected attachments.

Tag: NumAttas

The number of the attachments to be processed is specified after this tag:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 743 APPENDIX: JOB RESULTS - RESULTS OF THE WATCHDOG MAIL JOBS 

NumAttas:Number attachments

Tag: AttaName[x]

The Notes-internal name of the x-th email attachment is written after this tag:

AttaName[x]:Attachment name

Tag: AttaNOP[x] / Tag: BodyNOP

If the x-th attachment or the body was not processed, then the reason is written after the tag AttaNOP[x] or BodyNOP:

AttaNOP[x]:Reason BodyNOP:Reason

The reason for ‘No processing’ of the attachment or the body can take one of the following values:

Value Description

EvalStateSet A result already exists for an attachment to be checked.

Missing An attachment which has been buffered locally for analysis cannot be accessed.

Tag: AttaAbortedError[x] / BodyAbortedError

If processing the x-th attachment or the email body was aborted, e.g. due to a timeout, the error code for abortion is written after the tag AttaAbortedEr- ror[x] or BodyAbortedError:

AttaAbortedError[x]:Error code BodyAbortedError:Error code

Tag: AttaAbortedText[x] / BodyAbortedText

If processing the x-th attachment or the email body was aborted, e.g. due to a timeout, the error text relative to the error code for abortion is written after the tag AttaAbortedText[x] or BodyAbortedText:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 744 APPENDIX: JOB RESULTS - RESULTS OF THE WATCHDOG MAIL JOBS 

AttaAbortedText[x]:Error text BodyAbortedText:Error text

Tag: AttaDetails[x] / BodyDetails

The details which were determined during processing of the x-th attachment or the email body are written after the tag AttaDetails[x] or BodyDetails:

AttaDetails[x]:Details BodyDetails:Details

One or more of the following values are possible. Multiple values are separated by a comma:

Value Description

ContainsVirus Attachment or body contained a virus.

Cured Attachment or body contained a virus and was cleaned.

ExternalError During processing of an attachment or the body, an error occured in an external program.

InternalError During processing of an attachment or the body, an internal error occured.

NotesEncrypted The attachment or the body is encrypted with Notes.

TooBig A size restriction was reached.

Denied The attachment or the body is prohibited.

TooMuch A number restriction was reached.

ArchiveEncrypted An encrypted archive was found.

ArchiveTooDeep A too deeply nested archive was found.

Tag: AttaVirusName[x] / BodyVirusName

If a virus was found during processing of the x-th attachment or the email body, the virus name is written after the tag AttaVirusName[x] or BodyVirusName:

AttaVirusName[x]:Virus name BodyVirusName:Virus name

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 745 APPENDIX: JOB RESULTS - RESULTS OF THE WATCHDOG MAIL JOBS 

Tag: AttaRestriction[x] / BodyRestriction

If a file restriction was violated through the x-th attachment or through the email body, the name of the file restriction is written after the tag AttaRestric- tion[x] or BodyRestriction:

AttaRestriction[x]:Restriction BodyRestriction:Restriction

The content usually corresponds to the analysis details in the Quarantine.

Tag: AttaIsArchive[x]

This tag indicates whether the x-th attachment was an archive from which files could be successfully unpacked.

AttaIsArchive[x]:Archive status

The archive status can take one of the following values:

Value Description

Yes Files could be successfully unpacked from the attachment.

No No files could be unpacked from the attachment.

NOTE: The value ‘No’ is displayed when no trial to unpack the attachment took place, for example when a virus was found in an archive and the virus scanner already detected this. Furthermore, this value is displayed when the attachment was an empty or corrupt archive.

Tag: AttaResult[x] / Tag: BodyResult

The overall result of the processing of an attachment or an email body is written after the tag AttaResult[x] or BodyResult:

AttaResult[x]:Result BodyResult:Result

The result can take one of the following values:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 746 APPENDIX: JOB RESULTS - RESULTS OF THE WATCHDOG MAIL JOBS 

Value Description

Success The processing of an attachment or a body was completed successfully.

Error The processing of an attachment or a body failed.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 747 APPENDIX: JOB RESULTS - RESULTS OF THE WATCHDOG PDF PROTECTION JOBS 

22.15 Results of the Watchdog PDF Protection Jobs

Tag: Result

Refer to Tag: Result.

Notes:

Since the ‘Clean attachments’ action is executed after job processing, the ‘Success’ value is returned even for a PDF attachment considered as “prohibited, but able to be cleaned”. This value says nothing about whether the attachment could be cleaned.

For a statement on whether the attachments could be cleaned, a second job must deliver the value ‘PdfSafe’ or ‘PDFIgnored’ in the tag AttaNOP[y] for all PDF attachments or the number of prohibited attachments must be ‘0’ in the second job after the Tag DetailNumAttasDenied.

Tag: NOP

If during email processing by a Watchdog PDF Protection Job, the job detects that no action is required for this email, then the reason for “No action” is written after this tag:

NOP:Reason

The reason for ‘No action’ can take the following value:

Value Description

NoPDFAttachments The email contains no attachments or all attachments are not PDF files.

Tag: ErrorDetail

If an error occurs during email processing by a Watchdog PDF Protection Job, more detailed information is written after this tag.

ErrorDetail:Details

The details can take the following value:

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 748 APPENDIX: JOB RESULTS - RESULTS OF THE WATCHDOG PDF PROTECTION JOBS 

Value Description

BadConfig A check of the configuration daten resulted in an error.

Tag: DetailNumAttasToProcess

This tag shows the number of PDF attachments which have to be processed:

DetailNumAttasToProcess:Number of PDF attachments

Tag: DetailNumAttasDenied

This tag shows the number of processed PDF attachments which are prohibited according to the configuration but can be cleaned:

DetailNumAttasDenied:Number of prohibited PDF attachments

Tag: DetailNumAttasSafe

This tag shows the number of processed PDF attachments which are allowed according to the configuration:

DetailNumAttasSafe:Number of allowed PDF attachments

Tag: DetailNumAttasIgnored

This tag shows the number of processed PDF attachments which were ignored according to the configuration:

DetailNumAttasIgnored:Number of ignored PDF attachments

Tag: DetailNumAttasError

This tag shows the number of processed PDF attachments which could not be processed successfully:

DetailNumAttasError:Number of failed PDF attachments

Tag: NumAttas

The total number of attachments is written after this tag:

NumAttas:Number of attachments

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 749 APPENDIX: JOB RESULTS - RESULTS OF THE WATCHDOG PDF PROTECTION JOBS 

Tag: AttaName[x]

The internal name of the x-th attachment is written after this tag.

AttaName[x]:Attachment name

Tag: AttaNOP[x]

If the x-th attachment is not processed, the reason for ‘not processed’ is written after this tag:

AttaNOP[x]:Reason

The reason for ‘No processing’ of the attachment or the body can take one of the following values:

Value Description

PdfSafe The attachment to be checked contains no prohibited elements.

PdfIgnored The attachment to be checked has been ignored according to the configuration.

Tag: AttaDetails[x]

The details which have been determined during processing of the x-th attachment are written after this tag.

AttaDetails[x]:Details

The details can take the following values:

Value Description

PdfDenied The attachment contains prohibited elements. These elements must be removed.

PdfProcessingFailed The attachment could not be processed successfully.

Tag: AttaResult[x]

The overall result of the processing of an attachment is written after the tag.

AttaResult[x]:Result

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 750 APPENDIX: JOB RESULTS - RESULTS OF THE WATCHDOG PDF PROTECTION JOBS 

The result can take the following value:

Value Description

Success The processing of an attachment has been completed without error.

Notes:

Since the ‘Clean attachments’ action is executed after job processing, the ‘Success’ value is returned even for a PDF attachment considered as “prohibited, but able to be cleaned”. In this case, AttaDetails[x] takes the value ‘PdfDenied’. This value says nothing on whether the attachment could be cleaned.

For a statement on whether the attachments could be cleaned, a second job must deliver the value ‘PdfSafe’ for these attachments in the tag AttaNOP[y]. The indices of the attachments can be different for both job executions. However, usually on the basis of their attachment names they can be assigned to one another.

If all prohibited attachments could be successfully cleaned by the first job, the second job must return the value ‘PdfSafe’ or ‘PDFIgnored’ for all PDF attachments in the tag AttaNOP[y], or the number of prohibited attachments in the tag DetailNumAttasDenied must be ‘0’ in the second job.

Value Description

Error The processing of an attachment failed.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 751 APPENDIX: JOB RESULTS - EXAMPLES WITH A CRYPT MAIL JOB 

22.16 Examples with a Crypt Mail Job

The following field name was automatically created for the job SAMPLE - Encryption with GnuPG:

res_1_sampleencryptionwithgnupg

Maximum result in case of a successful PGP encryption

When all possible job results of the job mentioned above are written in the result field, the content of the result field for an email with an attachment looks as follows:

Job:SAMPLE - Encryption with GnuPG Start:2013-09-18T19:22:52.682-00:00 Mode:PGP_EncryptInline NumAttas:1 AttaName[1]:Cake.docx AttaEngine[1]:0 AttaResult:Success BodyEngine:0 BodyResult:Success Result:Success End:2013-09-18T19:22:54.802-00:00

Every line corresponds to an element of the result field.

Minimum result in case of a successful PGP encryption

If all job results which can be disabled via a global parameter are disabled in the Crypt Job as well, the content of the result field for an email with an attachment looks as follows:

Result:Success

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 752 APPENDIX: COLOR VALUES FOR TOOLKIT_LOGO PARAMETER - THE NOTES COLORS   23 Appendix: Color Values for ToolKit_Logo Parameter 23.1 The Notes Colors

Color RGB value Notes value

NOTES_COLOR_BLACK 0, 0, 0, 0 or 239

NOTES_COLOR_WHITE 255, 255, 255, 1 or 16 or 31

NOTES_COLOR_RED 255, 0, 0, 2

NOTES_COLOR_GREEN 0, 255, 0, 3

NOTES_COLOR_BLUE 0, 0, 255, 4

NOTES_COLOR_MAGENTA 255, 0, 255, 5

NOTES_COLOR_YELLOW 255, 255, 0, 6

NOTES_COLOR_CYAN 0, 255, 255, 7

NOTES_COLOR_DKRED 128, 0, 0, 8

NOTES_COLOR_DKGREEN 0, 128, 0, 9

NOTES_COLOR_DKBLUE 0, 0, 128, 10

NOTES_COLOR_DKMAGENTA 128, 0, 128, 11

NOTES_COLOR_DKYELLOW 128, 128, 0, 12

NOTES_COLOR_DKCYAN 0, 128, 128, 13

NOTES_COLOR_GRAY 128, 128, 128, 14

NOTES_COLOR_LTGRAY 192, 192, 192, 15

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 753 APPENDIX: COLOR VALUES FOR TOOLKIT_LOGO PARAMETER - COLORS SORTED BY NOTES COLOR VALUE 

23.2 Colors Sorted by Notes Color Value

Notes value RGB value

0 or 239 0, 0, 0,

1 255, 255, 255,

2 255, 0, 0,

3 0, 255, 0,

4 0, 0, 255,

5 255, 0, 255,

6 255, 255, 0,

7 0, 255, 255,

8 128, 0, 0,

9 0, 128, 0,

10 0, 0, 128,

11 128, 0, 128,

12 128, 128, 0,

13 0, 128, 128,

14 128, 128, 128,

15 192, 192, 192,

16 255, 255, 255,

17 255, 239, 206,

18 255, 255, 194,

19 255, 255, 208,

20 224, 255, 191,

21 224, 255, 223,

22 224, 255, 255,

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 754 APPENDIX: COLOR VALUES FOR TOOLKIT_LOGO PARAMETER - COLORS SORTED BY NOTES COLOR VALUE 

Notes value RGB value

23 194, 239, 255,

24 224, 241, 255,

25 224, 224, 255,

26 232, 224, 255,

27 241, 224, 255,

28 255, 224, 255,

29 255, 224, 245,

30 255, 224, 230,

31 255, 255, 255,

32 255, 255, 220,

33 255, 225, 176,

34 255, 255, 127,

35 241, 241, 180,

36 194, 255, 145,

37 193, 255, 213,

38 164, 255, 255,

39 161, 226, 255,

40 192, 255, 255,

41 191, 191, 255,

42 210, 191, 255,

43 225, 191, 255,

44 255, 193, 253,

45 255, 192, 228,

46 255, 192, 206,

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 755 APPENDIX: COLOR VALUES FOR TOOLKIT_LOGO PARAMETER - COLORS SORTED BY NOTES COLOR VALUE 

Notes value RGB value

47 247, 247, 247,

48 255, 192, 182,

49 255, 194, 129,

50 255, 255, 53,

51 241, 241, 128,

52 127, 255, 127,

53 130, 255, 202,

54 127, 255, 255,

55 130, 224, 255,

56 130, 192, 255,

57 159, 159, 255,

58 194, 159, 255,

59 226, 159, 255,

60 255, 159, 255,

61 255, 159, 207,

62 255, 159, 169,

63 239, 239, 239,

64 255, 159, 159,

65 255, 159, 113,

66 255, 255, 0,

67 224, 224, 116,

68 65, 255, 50,

69 66, 255, 199,

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 756 APPENDIX: COLOR VALUES FOR TOOLKIT_LOGO PARAMETER - COLORS SORTED BY NOTES COLOR VALUE 

Notes value RGB value

70 66, 255, 255,

71 0, 191, 255,

72 82, 145, 239,

73 128, 128, 255,

74 192, 130, 255,

75 224, 129, 255,

76 255, 127, 255,

77 255, 130, 194,

78 255, 130, 160,

79 225, 225, 225,

80 255, 128, 128,

81 255, 129, 65,

82 255, 225, 24,

83 225, 225, 64,

84 0, 255, 0,

85 0, 255, 178,

86 0, 255, 255,

87 0, 161, 224,

88 33, 129, 255,

89 97, 129, 255,

90 161, 96, 255,

91 192, 98, 255,

92 255, 95, 255,

93 255, 96, 175,

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 757 APPENDIX: COLOR VALUES FOR TOOLKIT_LOGO PARAMETER - COLORS SORTED BY NOTES COLOR VALUE 

Notes value RGB value

94 255, 96, 136,

95 210, 210, 210,

96 255, 64, 64,

97 255, 66, 30,

98 255, 191, 24,

99 225, 225, 0,

100 0, 225, 0,

101 0, 225, 173,

102 0, 224, 224,

103 0, 130, 191,

104 0, 128, 255,

105 65, 129, 255,

106 130, 66, 255,

107 13, 64, 255,

108 255, 66, 249,

109 255, 64, 160,

110 255, 64, 112,

111 192, 192, 192,

112 255, 31, 53,

113 255, 31, 16,

114 255, 129, 0,

115 191, 191, 0,

116 0, 194, 0,

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 758 APPENDIX: COLOR VALUES FOR TOOLKIT_LOGO PARAMETER - COLORS SORTED BY NOTES COLOR VALUE 

Notes value RGB value

117 0, 193, 150,

118 0, 193, 194,

119 65, 129, 192,

120 0, 98, 225,

121 65, 65, 255,

122 66, 0, 255,

123 194, 0, 255,

124 255, 34, 255,

125 245, 43, 151,

126 255, 34, 89,

127 178, 178, 178,

128 224, 31, 37,

129 225, 32, 0,

130 226, 98, 0,

131 161, 161, 0,

132 0, 160, 0,

133 0, 159, 130,

134 63, 128, 128,

135 0, 96, 160,

136 0, 65, 194,

137 0, 33, 191,

138 65, 0, 194,

139 129, 0, 255,

140 255, 0, 255,

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 759 APPENDIX: COLOR VALUES FOR TOOLKIT_LOGO PARAMETER - COLORS SORTED BY NOTES COLOR VALUE 

Notes value RGB value

141 255, 0, 128,

142 255, 0, 65,

143 162, 162, 162,

144 194, 0, 0,

145 255, 0, 0,

146 191, 65, 0,

147 128, 128, 63,

148 63, 128, 63,

149 0, 130, 80,

150 0, 96, 98,

151 0, 64, 128,

152 0, 31, 226,

153 64, 64, 194,

154 64, 0, 162,

155 96, 0, 161,

156 224, 0, 224,

157 223, 0, 127,

158 194, 0, 65,

159 143, 143, 143,

160 160, 0, 0,

161 225, 0, 0,

162 161, 63, 0,

163 98, 98, 0,

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 760 APPENDIX: COLOR VALUES FOR TOOLKIT_LOGO PARAMETER - COLORS SORTED BY NOTES COLOR VALUE 

Notes value RGB value

164 0, 96, 0,

165 0, 96, 60,

166 0, 64, 65,

167 0, 47, 128,

168 0, 0, 255,

169 32, 32, 160,

170 34, 0, 161,

171 64, 0, 159,

172 161, 0, 159,

173 192, 0, 127,

174 159, 0, 15,

175 127, 127, 127,

176 96, 0, 0,

177 194, 18, 18,

178 130, 66, 0,

179 66, 66, 0,

180 0, 66, 0,

181 0, 64, 35,

182 0, 50, 63,

183 0 32, 96,

184 0, 32, 194,

185 34, 34, 192,

186 0, 0, 128,

187 31, 0, 127,

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 761 APPENDIX: COLOR VALUES FOR TOOLKIT_LOGO PARAMETER - COLORS SORTED BY NOTES COLOR VALUE 

Notes value RGB value

188 128, 0, 128,

189 130, 0, 64,

190 128, 0, 0,

191 95, 95, 95,

192 64, 0, 0,

193 161, 31, 18,

194 96, 66, 0,

195 33, 33, 0,

196 0, 33, 0,

197 0, 32, 31,

198 0, 32, 65,

199 0, 32, 79,

200 0, 0, 224,

201 0, 0, 161,

202 0, 0, 97,

203 31, 0, 98,

204 64, 0, 95,

205 98, 0, 66,

206 98, 0, 18,

207 79, 79, 79,

208 208, 177, 161,

209 224, 161, 117,

210 210, 176, 106,

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 762 APPENDIX: COLOR VALUES FOR TOOLKIT_LOGO PARAMETER - COLORS SORTED BY NOTES COLOR VALUE 

Notes value RGB value

211 192, 194, 124,

212 130, 193, 104,

213 129, 192, 151,

214 127, 194, 188,

215 123, 178, 207,

216 177, 177, 210,

217 159, 159, 224,

218 192, 161, 224,

219 226, 159, 222,

220 239, 145, 235,

221 226, 159, 200,

222 241, 143, 188,

223 47, 47, 47,

224 127, 96, 79,

225 161, 98, 82,

226 128, 98, 16,

227 130, 130, 63,

228 63, 98, 31,

229 60, 97, 62,

230 55, 96, 94,

231 16, 65, 96,

232 66, 66, 130,

233 98, 96, 161,

234 98, 65, 129,

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 763 APPENDIX: COLOR VALUES FOR TOOLKIT_LOGO PARAMETER - COLORS SORTED BY NOTES COLOR VALUE 

Notes value RGB value

235 96, 49, 129,

236 96, 33, 98,

237 98, 33, 82,

238 129, 63, 98,

239 or 0 0, 0, 0,

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 764 APPENDIX: COLOR VALUES FOR TOOLKIT_LOGO PARAMETER - COLORS SORTED BY RGB VALUE (ASCENDING) 

23.3 Colors Sorted by RGB Value (Ascending)

RGB value Notes value

0, 0, 0, 0 or 239

0, 0, 128, 10 or 186

0, 0, 161, 201

0, 0, 224, 200

0, 0, 255, 4 or 168

0, 0, 97, 202

0, 128, 0, 9

0, 128, 128, 13

0, 128, 255, 104

0, 130, 191, 103

0, 130, 80, 149

0, 159, 130, 133

0, 160, 0, 132

0, 161, 224, 87

0, 191, 255, 71

0, 193, 150, 117

0, 193, 194, 118

0, 194, 0, 116

0, 224, 224, 102

0, 225, 0, 100

0, 225, 173, 101

0, 255, 0, 3 or 84

0, 255, 178, 85

0, 255, 255, 7 or 86

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 765 APPENDIX: COLOR VALUES FOR TOOLKIT_LOGO PARAMETER - COLORS SORTED BY RGB VALUE (ASCENDING) 

RGB value Notes value

0, 31, 226, 152

0, 32, 194, 184

0, 32, 31, 197

0, 32, 65, 198

0, 32, 79, 199

0, 32, 96, 183

0, 33, 0, 196

0, 33, 191, 137

0, 47, 128, 167

0, 50, 63, 182

0, 64, 128, 151

0, 64, 35, 181

0, 64, 65, 166

0, 65, 194, 136

0, 66, 0, 180

0, 96, 0, 164

0, 96, 160, 135

0, 96, 60, 165

0, 96, 98, 150

0, 98, 225, 120

123, 178, 207, 215

127, 127, 127, 175

127, 194, 188, 214

127, 255, 127, 52

127, 255, 255, 54

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 766 APPENDIX: COLOR VALUES FOR TOOLKIT_LOGO PARAMETER - COLORS SORTED BY RGB VALUE (ASCENDING) 

RGB value Notes value

127, 96, 79, 224

128, 0, 0, 8 or 190

128, 0, 128, 11 or 188

128, 128, 0, 12

128, 128, 128, 14

128, 128, 255, 73

128, 128, 63, 147

128, 98, 16, 226

129, 0, 255, 139

129, 192, 151, 213

129, 63, 98, 238

13, 64, 255, 107

130, 0, 64, 189

130, 130, 63, 227

130, 192, 255, 56

130, 193, 104, 212

130, 224, 255, 55

130, 255, 202, 53

130, 66, 0, 178

130, 66, 255, 106

143, 143, 143, 159

159, 0, 15, 174

159, 159, 224, 217

159, 159, 255, 57

16, 65, 96, 231

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 767 APPENDIX: COLOR VALUES FOR TOOLKIT_LOGO PARAMETER - COLORS SORTED BY RGB VALUE (ASCENDING) 

RGB value Notes value

160, 0, 0, 160

161, 0, 159, 172

161, 161, 0, 131

161, 226, 255, 39

161, 31, 18, 193

161, 63, 0, 162

161, 96, 255, 90

161, 98, 82, 225

162, 162, 162, 143

164, 255, 255, 38

177, 177, 210, 216

178, 178, 178, 127

191, 191, 0, 115

191, 191, 255, 41

191, 65, 0, 146

192, 0, 127, 173

192, 130, 255, 74

192, 161, 224, 218

192, 192, 192, 15

192, 192, 192, 111

192, 194, 124, 211

192, 255, 255, 40

192, 98, 255, 91

193, 255, 213, 37

194, 0, 0, 144

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 768 APPENDIX: COLOR VALUES FOR TOOLKIT_LOGO PARAMETER - COLORS SORTED BY RGB VALUE (ASCENDING) 

RGB value Notes value

194, 0, 255, 123

194, 0, 65, 158

194, 159, 255, 58

194, 18, 18, 177

194, 239, 255, 23

194, 255, 145, 36

208, 177, 161, 208

210, 176, 106, 210

210, 191, 255, 42

210, 210, 210, 95

223, 0, 127, 157

224, 0, 224, 156

224, 129, 255, 75

224, 161, 117, 209

224, 224, 116, 67

224, 224, 255, 25

224, 241, 255, 24

224, 255, 191, 20

224, 255, 223, 21

224, 255, 255, 22

224, 31, 37, 128

225, 0, 0, 161

225, 191, 255, 43

225, 225, 0, 99

225, 225, 225, 79

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 769 APPENDIX: COLOR VALUES FOR TOOLKIT_LOGO PARAMETER - COLORS SORTED BY RGB VALUE (ASCENDING) 

RGB value Notes value

225, 225, 64, 83

225, 32, 0, 129

226, 159, 200, 221

226, 159, 222, 219

226, 159, 255, 59

226, 98, 0, 130

232, 224, 255, 26

239, 145, 235, 220

239, 239, 239, 63

241, 143, 188, 222

241, 224, 255, 27

241, 241, 128, 51

241, 241, 180, 35

245, 43, 151, 125

247, 247, 247, 47

255, 0, 0, 2 or 145

255, 0, 128, 141

255, 0, 255, 5 or 140

255, 0, 65, 142

255, 127, 255, 76

255, 128, 128, 80

255, 129, 0, 114

255, 129, 65, 81

255, 130, 160, 78

255, 130, 194, 77

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 770 APPENDIX: COLOR VALUES FOR TOOLKIT_LOGO PARAMETER - COLORS SORTED BY RGB VALUE (ASCENDING) 

RGB value Notes value

255, 159, 113, 65

255, 159, 159, 64

255, 159, 169, 62

255, 159, 207, 61

255, 159, 255, 60

255, 191, 24, 98

255, 192, 182, 48

255, 192, 206, 46

255, 192, 228, 45

255, 193, 253, 44

255, 194, 129, 49

255, 224, 230, 30

255, 224, 245, 29

255, 224, 255, 28

255, 225, 176, 33

255, 225, 24, 82

255, 239, 206, 17

255, 255, 0, 6

255, 255, 0, 66

255, 255, 127, 34

255, 255, 194, 18

255, 255, 208, 19

255, 255, 220, 32

255, 255, 255, 1, 16 or 31

255, 255, 53, 50

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 771 APPENDIX: COLOR VALUES FOR TOOLKIT_LOGO PARAMETER - COLORS SORTED BY RGB VALUE (ASCENDING) 

RGB value Notes value

255, 31, 16, 113

255, 31, 53, 112

255, 34, 255, 124

255, 34, 89, 126

255, 64, 112, 110

255, 64, 160, 109

255, 64, 64, 96

255, 66, 249, 108

255, 66, 30, 97

255, 95, 255, 92

255, 96, 136, 94

255, 96, 175, 93

31, 0, 127, 187

31, 0, 98, 203

32, 32, 160, 169

33, 129, 255, 88

33, 33, 0, 195

34, 0, 161, 170

34, 34, 192, 185

47, 47, 47, 223

55, 96, 94, 230

60, 97, 62, 229

63, 128, 128, 134

63, 128, 63, 148

63, 98, 31, 228

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 772 APPENDIX: COLOR VALUES FOR TOOLKIT_LOGO PARAMETER - COLORS SORTED BY RGB VALUE (ASCENDING) 

RGB value Notes value

64, 0, 0, 192

64, 0, 159, 171

64, 0, 162, 154

64, 0, 95, 204

64, 64, 194, 153

65, 0, 194, 138

65, 129, 192, 119

65, 129, 255, 105

65, 255, 50, 68

65, 65, 255, 121

66, 0, 255, 122

66, 255, 199, 69

66, 255, 255, 70

66, 66, 0, 179

66, 66, 130, 232

79, 79, 79, 207

82, 145, 239, 72

95, 95, 95, 191

96, 0, 0, 176

96, 0, 161, 155

96, 33, 98, 236

96, 49, 129, 235

96, 66, 0, 194

97, 129, 255, 89

98, 0, 18, 206

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 773 APPENDIX: COLOR VALUES FOR TOOLKIT_LOGO PARAMETER - COLORS SORTED BY RGB VALUE (ASCENDING) 

RGB value Notes value

98, 0, 66, 205

98, 33, 82, 237

98, 65, 129, 234

98, 96, 161, 233

98, 98, 0, 163

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 774   Glossary ACL Access Control List; list of entries in a database used for controlling access rights.

AES Advanced Encryption Standard; symmetric encryption system based on the Rijndael algorithm with a variable block size/key length of 128, 192 or 256 bits. The variable key length is used to distinguish between different AES variants, i.e. AES-128, AES-192 and AES-256.

API Application Programming Interface; software user interface for calling program functions and exchanging data.

ASCII American Standard Code for Information Interchange; ISO-standardized 7-bit code used to display characters such as upper case and lower case letters, digits and special characters. As each character is represented with 7 bits, 128 characters are represented altogether and used in many databases. National special characters outside the English language (e.g. German umlauts) are available in the Extended ASCII version with an 8-bit character set.

ASP Application Service Provider. Single-source provider of IT services at an agreed price.

asymmetric encryption Public–private key encryption method, which uses two keys – a public key and a private key, which together form a pair. Each sender needs the public key of each recipient. Because the two keys are different, this method is called asymmetrical. The public key is published so that any recipient can choose to receive encrypted messages. The private key used to decrypt messages is known only to its owner.

authentication A procedure to verify whether a person is entitled to access specific services. Authentica- tion may, for example, use digital signatures. See also digital signature.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 775  bitmap A bitmap is a non-compressed, pixel-based image format for graphics and photos. Because it does not support compression, the bitmap file format (*.BMP files) is not commonly used on the Internet. Also refer to GIF and JPEG.

CA Certification Authority. See Certification Authority. certificate Digital certificates are electronic documents linked to a public key. Certificates are digitally signed by a trustworthy authority (Certification Authority/trust center; also refer to PKI) that certifies that the key belongs to a specific person and has not been altered. The certification authority’s digital signature is an integral part of the issued certificate. and allows any- one with access to this certification authority’s public key to verify its authenticity. Using this method at multiple levels results in a Public Key Infrastructure (PKI). The advantage of such an infrastructure is that only the public key of the so-called root instance, i.e. the root certificate, will be required for complete verification, as the intermediate certificates are validated automatically. Also refer to public key and private key.

Certification Authority The Certification Authority (CA) is a trustworthy public authority that certifies cryptographic keys (see certificate). It is part of a PKI. The CA issues certificates and adds its digital signature to confirm the validity of the data they contain. This is usually the name of the key owner of the and any additional information to allow identification of the owner, the owner’s public key, its validity period, and the name of the certification body. The degree of trust put in such a certificate depends on the operational procedures applied by the Certification Authority, i.e. the methods used to check the owner’s identity. Once a certificate has been issued, the CA must provide a possibility to revoke the certificate and must provide revocation lists (CRLs) if any of the certificate data becomes invalid. This is in particular the case, when any of the owner’s private keys have been compromised. Also refer to public key and private key. client/server systems The server is a program that provides a service and a client is a program that uses this service. These services can both be installed on the same computer or be distributed across a network consisting of at least one central computer (the server), which makes its data, pro-

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 776  grams and any other connected devices available to one or more network stations (the clients). compression File size reduction to reduce network load and transfer times and/or save storage space. Multiple files can be compressed into a single archive. There are many compression formats, some of which are self-extracting. The most common ones are ZIP, TAR, ARJ, GZip, ARC and LZH. Which of these are used depends in part on the computer system: on UNIX systems, for example, GZip and TAR tend to be used, while ZIP and ARJ are the preferred choice for Windows systems (also refer to Packer). Because viruses can easily hide in archives, content security tools must be able to perform recursive analyses on nested archives, i.e. decompress the files repeatedly to scan them in their original state.

Configuration Document All documents displayed in the display area of the iQ.Suite are so-called configuration documents. With configuration documents the settings of the components are defined, e.g. for virus scanners, analyzers or iQ.Suite jobs.iQ.SuiteiQ.SuiteiQ.Suite. content security The management and scanning of the content of digital correspondence. Content security products protect computer networks and users from dangerous content that is either delib- erately or accidentally embedded in emails or Internet transmissions.

CORE COntent Recognition Engine; a language-independent method used for checking and clas- sifying emails according to categories. The analysis of the emails is performed through a vector-related evaluation of representative text, e.g. business emails, newsletters, offers etc., based on SVM (Support Vector Machines). As spammers use frequently changing (and often non-existing) addresses and varying contents, CORE is better suited for blocking spam than working with dictionaries or keywords. The statistical method used by CORE deals with this difficulty by providing a company-specific "learning program". You can define your own categories and CORE will "learn" how to assign mails and documents to the appropriate categories. This allows emails to be identified and categorized where a dictionary would fail.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 777 

CRL Certificate Revocation List. When information in a certificate becomes invalid during its life- time, it must be revoked. Because certificates are digital documents, they can not be collected or destroyed. Revoked certificates are therefore registered in another document, the revocation list. A standard for revocation lists is defined in the X.509 protocol.

CSV Comma Separated Value file; standard based on ASCII code, used as exchange format between programs in order to import records. The data fields are separated by delimiters, e.g. commas, defined for all programs that access the data.

DatabaseGrabber Extension of the Grabber. The DatabaseGrabber actively "grabs" emails from the database (e.g. a mailbox) and then processes them. Actions are mostly time-controlled, but can also be event-controlled. Also refer to MailGrabber. digital signature The electronic equivalent of a handwritten signature. It is used to verify the authenticity of an electronic document (i.e. its originator), its integrity as well as its binding character (i.e. the sender must not be able to contest its creation). This can be achieved with asymmetric encryption, which uses private keys to generate information with which others can verify the integrity and authenticity of received mail using the associated public key.

DLL Dynamic Link Library. DLLs are libraries under Windows, which contain objects that can be loaded (dynamically) whenever they are needed at runtime. This technology is not only used to save memory, but also, and primarily, to set up widely accessible libraries with ready-to-use (standard) objects, which can be used when developing software.

DNS Domain Name Service; assigns IP addresses to the logical names of computers on the Internet.

DXL Domino EXtensible Language; description language developed by IBM Notes for IBM Notes Domino. Also refer to GXL.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 778 

EML Electronic Mail File; email file format used to display (multipart) MIME mails. Original incoming emails not provided in EML format are converted by a Wall job for further processing. Analyzers such as SASI require this format. encryption Making a message illegible to prevent it from being read by unauthorized people. A range of different encryption methods can be used. Also refer to PGP, GnuPG and S/MIME. false positives Inbound email wrongly classified as spam. fingerprint Unique feature of a file, by which it can be identified. Consists, for example, of the file’s content or, if this is not possible, of a unique characteristic of the filename, such as its extension. Fingerprints are used to determine whether files should be blocked or passed by a mail filter. You can create your own file patterns, which Watchdog uses to identify the file types of attached files. frontend/backend configuration Separate server groups for handling protocols (POP3, etc.) and data stores. The clients access front-end protocol servers, which sequentially establish connections to and query back-end database servers to retrieve the data needed.

GIF Graphics Interchange Format; standard Internet graphics format. Supports a color depth of 256 (8 bits per pixel) and compression of image data to reduce file size, which results in shorter transfer times and relieves network load. As opposed to the JPEG format, GIF does not provide gradual color transitions. Also refer to compression. global settings General settings that apply to the entire iQ.Suite.

GnuPG GNU Privacy Guard; free cryptographic system used to encrypt/decrypt data (e.g. emails) and create/verify digital signatures. Emails containing confidential information can thus be sent to one or more recipients, who are the only ones capable of decrypting this information. A digital signature is created to ensure the authenticity and the integrity of the data

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 779  transmitted. Both functions can be combined. Typically, the signature is created first and attached to the data. This package is then encrypted and sent to the recipient(s).

Grabber Basic module used to verify emails. The Grabber acts as an interface that actively "grabs" the emails. Also refer to MailGrabber and DatabaseGrabber.

GXL GROUP EXtensible Language; description language developed by GBS on the basis of DXL (Domino Extensible Language). This ensures full compatibility with Domino servers. Both languages are based on the XML standard.

ISO International Standards Organization; developers of the OSI model for communication networks. job A job defines a sequence of actions that are performed when a particular event takes place or a particular rules applies. Jobs can be selectively disabled and enabled. Several jobs can be defined for each module, which are then processed according to their assigned priority for all modules.

JPEG Joint Photographic (Experts) Group Format; also JPG; standard Internet format for photo- graphs and other images with a high level of detail or a high color resolution. Supports high compression ratios up to a color depth of 16 777216 (24 bits per pixel), which results in shorter transfer times and relieves network load. As opposed to the GIF format, the JPEG format is particularly well suited for images with many color tones. junk mail All forms of unsolicited emails, such as invitations to view websites, images, chain letters, hoax virus warnings, advertising etc. Junk mails cost company resources and time for their recipient. Also refer to spam (often used as synonyms). “junk mail” is also the name of a folder in Microsoft email programs (e.g. Outlook, Windows Live Mail). In the GBS documentations, we only use the term “junk mail” to name the folder. In other cases, we use the term “spam” or the generic term “unsolicited email”.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 780  key ring The key ring contains all keys required for encryption. One key ring is used for the public keys, a second one for the private keys. For PGP or GnuPG, this key ring file is stored in the directory specified by the user at installation. For GnuPG, these are the pubring.gpg and secring.gpg files, for PGP the pubring.pkr and secring.skr files. Also refer to public key and private key.

LDAP Lightweight Directory Access Protocol; Internet protocol developed to promote the adop- tion of the X.500 directory standard after the original DAP (Directory Access Protocol) proved too complex for use with simple Internet clients. LDAP provides a standard for Inter- net-based communication with databases, enabling, for example, access to an online directory service to retrieve information such as email addresses or certificates. Using gateways, it is not restricted to that specific directory service. The entries are packed as objects and structured in a hierarchical tree. They consist of attributes with types and values, with object classes defining which value types can be assigned to which attributes. Possible types include IA5 (ASCII) character strings, ASCII images, sound, URLs and JPEGs.

LDIF LDAP Data Interchange Format; used for exchanging address data on LDAP servers. Being (ASCII) text-based, LDIF files can be conveniently edited with standard text editors. It is supported by many clients for importing and exporting address books (e.g. Outlook, Outlook Express, Netscape, ...).

Mail flooding Mail flooding is bulk sending of a large number of emails, usually from a single domain at intervals of a few seconds. These “attacks” overload the mail server handling the flood of messages, which severely affects its performance. These messages are usually unwanted mail sent with malicious intent. Also refer to spam).

MailGrabber Extension of the Grabber. The MailGrabber is a module that actively "grabs" emails from the email traffic and then processes them directly on the server. To do so, the MailGrabber calls the associate function modules configured . Also refer to DatabaseGrabber.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 781 

MIME Multi-purpose Internet Mail Extensions; STM files. Originally a method for encrypting non- text objects to allow their transmission using SMTP and email. Today, this method is used universally for data transfers through the Internet. Providing the ability to define custom control codes for special characters – such as accents – and to attach all types of files extends the functionality of email communications. Also refer to S/MIME. module A program unit with definable boundaries and action, which is embedded in an overall system as an independent, autonomous program component.

NDosCall NDosCall starts and controls the external programs that can not be run on the Domino Ser- ver by a commando console. For example, if a virus scanner does not answer, the programs are determined and restarted if possible.

OEM Original Equipment Manufacturer; company that buys other manufacturers’ products or components and incorporates these in other products that it sells under its own name. on-access scanner Virus scanner component that usually runs in the background and continuously checks the files accessed by the computer. The on-access scanner ensures permanent monitoring of the file system on servers and workstations. packer Compression program. See compression. passphrase A long but easy-to-memorize character sequence (e.g. short sentences with punctuation) used in place of a password for increased security.

PDF/A Portable Document Format (for Archiving); ISO standard for the PDF format used for long- term archiving of electronic documents. Defines a number of requirements for a standard- compliant PDF and sets the use of PDF/A for outputs to screen or printer.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 782 

PGP Pretty Good Privacy; program for encrypting and decrypting emails. Uses the public key and asymmetric encryption, i.e. the sender and the recipient use two different keys (one public, the other private). Can also be used to electronically sign documents. Guarantees the recipient of such a document that the sender is the real author and the document was not sent or modified by another user. PGP is freeware and available from many shareware archives. In the context of email, PGP is a platform-independent standard, like GnuPG and S/MIME.

Phishing Phishing is a fraud method used to obtain personal access information like passwords, account data etc. are found out by fraudsters. A phishing email is sent to the Internet users, which pretends to be from a trustworthy, mostly commercial source address, e.g. from a bank or an insurance company. The email contains a request to log-in to the company‘s home page or gateway and to confirm/correct the personal data for this user. By clicking on the link in the phishing email a forged web presence is displayed for the user.

PKCS#12 PKCS#12 is a file format in the PKI environment that securely saves key pairs and provides built-in security mechanisms. PKCS#12 file are normally used to distribute keys. policies A combination of rules and jobs that make up the overall configuration of iQ.Suite.

POP3 Post Office Protocol 3 (3 for the version of the protocol); a transfer protocol used for controlling the receipt of email from a remote server on which messages are stored until their retrieval by the recipient. POP3 uses TCP/IP. Developed specifically for receiving email, it does not (as opposed to SMTP) require a dedicated line. priority In the GBS environment: Priorities describe the "order" and "relevance" of jobs. Jobs with a higher priority are processed before those with a lower priority. Priorities are expressed through a value, which can be freely changed for each job (Basics tab). private key The private key is the part of a pair of keys that a user has to store at a safe place. It is used to decrypt information addressed to the owner of the private key and to generate digital sig-

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 783  natures. Private keys are protected by a password or a passphrase. The safest place is a security token such as a smartcard. Also refer to public key.

PST The Personal Store (PST) of Microsoft Outlook is a proprietary container file in which tasks, memos, emails and the calendar are stored. Additionally to a standard file, Outlook can manage a lot of other PST files. public key The public key is the part of a pair of keys that is made publicly accessible, e.g. on a trust center (LDAP) server. It is used to encrypt messages addressed to the owner of the public key and to check his digital signatures. A public key certified by a CA is termed certificate.

Quarantine The Quarantine is an archival database in which virus-infected and/or blocked files are stored and where they can be accessed by authorized persons. registry The Windows registry is a central hierarchical built-up Windows database in which the system configurations are stored. The registry contains information, which is questioned on by the operating system during running operation. Use the registry editor “Regedit” to edit the registry data. replication Synchronization of data between two identical databases on two different servers.

RFC The Request for Comments is a document for specification of a technology suggested for standardization of the Internet. If a suggestion is accepted after a substantial check by the audience, a RFC can be established as a standard.

RFC 821 Defines the SMTP protocol and is today‘s basis for transporting emails on the Internet.

RFC 822 Defines the email format.

RFC 2822 Subsequent document of RFC 822.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 784 

RFC 5322 Subsequent document of RFC 2822. root certificate The highest instance of a certificate. Refer to certificate.

RSA Commonly used encryption method named after its inventors – Rivest, Shamir and Adle- man. Used also with PGP. In RSA encryption, two large prime numbers are linked to form an even larger single prime number, which is then used for encryption. As of a certain bit width (about 100 bit), not even the fastest supercomputers can crack this encryption. The required processing capacity is doubled with every additional bit. Also refer to ECC.

RTF Rich Text Format; generic file format used for transferring formatted text between applications, also between different operating systems. rules Rules are used to restrict the number of emails or databases to be checked by an iQ.Suite job. The rules filter the messages and databases according to user-defined policies, which allows to optimize the company’s security concept.

Sandbox A Sandbox is a secure environment which is completely isolated from the IT infrastructure of a company. In this secure environment, various computer systems with different operating systems are provided in order to simulate a real IT environment. Unknown and suspicious programs and files are executed in this secure environment in order to observe their behavior and impacts on the computer system. These observations are used to determine whether the file is dangerous for the system or not. The decision on whether the program or the file should be admitted or blocked on the end device is based on this evaluation.

S/MIME Secure Multipurpose Internet Mail Extensions; as the secure version of MIME, S/MIME is the industry standard for the encryption of emails sent between the same and different types of email systems. S/MIME can use a range of signature and encryption algorithms. Also refer to PGP.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 785 

SMTP Simple Mail Transfer Protocol; protocol for sending and receiving email. Based on RFC 821 and belonging to the TCP/IP family. SMTP messages consist of a header containing at least a sender and recipient ID, and the actual message. An email program – the User Agent (UA) – forwards messages to a dedicated server – the Message Transfer Agent (MTA) – in its own network. The MTA, in turn, forwards the email to other MTAs along the transmission path according to the ”store and forward” principle until the email reaches its recipient. Because SMTP works with 7-bit ASCII, special characters (accents, umlauts, etc.) cannot be represented and no protection is provided against unauthorized access. On the other hand, ESMTP uses 8 bits for transmission. Unlike POP3, SMTP requires a dedicated line.

SSL Secure Socket Layer; a method for sending data securely through a network. Developed by Netscape, SSL allows data to be encrypted for transmission (RSA encryption) to protect it from third-party access. Used, for example, for sending credit card information.

SVM Support Vector Machines; mechanism used by CORE to analyze and classify emails. symmetrical method In this case, emails are decrypted using the same key with which they were encrypted. This is called the symmetrical method as the keys are identical. This means that the key has to be accessible to both the sender and the recipient of the email. Keys are exchanged between recipient and sender using password-protected key files. The recipient of an email receives the password for the key file required to decrypt the email from the sender via an alternative route, i.e. on a “secure line”.

TCP Transmission Control Protocol; Besides IP (see IP address), the main protocol used on the Internet. Provides applications with a connection-oriented, reliable duplex service in the form of a data stream.

TCP/IP Combination of TCP and IP (see IP address); originally developed for UNIX networks, it is today used as the main network protocol of the Internet. It splits data into convenient packages and sends them across the network using IP addresses to find the message destina-

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 786  tion. There, TCP reassembles the data packets again. TCP/IP also allows several Internet applications to be run using a single modem or ISDN line. te_hook iQ.Suite mechanism that stopps emails on the mail server by taking the emails from the server‘s Mail.box and setting to HOLD mode. Thus, the email is out of the transportation stream and is not delivered to the email recipient. The te_hook is defined as an Extension Manager Addin (nte_hook.dll) in the notes.ini, e.g. ExtMgr_Addins=te_hook. trust center Trust centers are typically commercial service providers that issue, manage and provide public keys, e.g. under http:www.d-trust.net/. They usually combine three functions: the actual Certification Authority (CA) certifies the information submitted; the Registration Authority (RA) is responsible for identifying the participants and issuing out the certificates; the Directory Service provides the information required for the creation and verification of certificates and signatures (e.g. timestamps or CRLs). trusted domain A domain that is trusted by another domain. Users in trusted domains can, for example, access the resources or receive user rights in a trusting domain. trusting domain Refer to trusted domain. trust level A certificate can be classified as trusted. Whenever a CA certificate is considered trustworthy, this trust also applies to all lower-ranking certificates.

UAC User Account Control;

UNC Universal Naming Convention. A naming convention for files and other resources. The two backslashes (\) at the beginning of a name indicate that the corresponding resource is located on a network station. The syntax for UNC names is\\server name\shared resource.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 787 

UNID Universal Notes IDentifier; Notes assigns a unique number to each newly created Notes document, which clearly identified the document. For instance, if a configuration document refers to another configuration document, the UNID is used to do so. variables Refer to metasymbol.

VPN Virtual Private Network; a simulated private network that uses public networks (for example the Internet) to connect its nodes. Encryption is used to prevent unauthorized listening to communications across the VPN. wildcard A character which represents another character or a character string. The most common wildcards are the question mark and the asterisk, which are used by the DOS command interpreter. The question mark (?) represents individ?al letters and num??rs, while the asterisk (*) represents a string of one or more consecutive ch*cters.

X.509 Standard for creating and coding certificates, CRLs and authentication services. X.509 is globally the most commonly used standard for certificate structures.

ZIP of Death A rather small 42 KB email containing an attachment of recursively packed ZIP files which, in themselves, are neither dangerous nor virus-infected. They do, however, contain over 1

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 788  million packed files that, once unpacked, add up to 49,000,000 Gigabytes. When processed by a virus scanner decompression tool, this inconspicuous email initiates virtually endless loops, usually resulting in a system crash. This not only affects the virus scanners of client computers but also the mail servers which usually crash and paralyze the entire email traffic within a few minutes.

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 789 INDEX   Index A Absence 126, 137 Absence Templates 520 Access rights, see Rights Accounting 641 Accounts 638, 648 ACL Manager 143 Action jobs 152 Addresses 239 Check 238 List, database modification 160 Rules 87, 240 Analysis report 236 Anti-Phishing URL Detection (Kaspersky) 185 Anti-spam 243 Jobs 150, 240 Anti-virus 13 Attachment size Compressed attachments 596 Automatic start, see notes.ini Avira Protection Cloud (APC) 180 B Basic cost 638 Blacklist/whitelist 240, 241 Overview 126, 137, 238 Rules 87, 150, 239 Whitelist job 149 Blocking 20, 105 Browser see Web browser Budget 637, 638 C CA, see Certification Authority Calendar entries 537 Certificate 776 Classifier, see Text analysis under Wall Clerk Absence 137 Info email 540 Cloud Protection (Kaspersky) 183, 257 Cluster 13 Color values 698

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 790 INDEX 

Compress file attachments 596 Configuration Erroneous 18 Global parameters 31 Configuration data Exchange 17, 96 Export/import 17, 96 Standard 100 Configurations database Open 16 Update 17, 96 Connect Connect Engines 571 GBS Workflow Manager 588 IBM Connections 582 Microsoft SharePoint 571 Connection cost 638, 646 Convert File attachments to PDF 607 File attachments to ZIP 596 Convert file attachments 607–611 CORE 292, 777 Cost calculation 637–640 CRL, definition 778 Currency 647 D DatabaseGrabber, see Grabber Databases 518 Create 25 Database definitions 25, 109, 518 Database job log 122 Database jobs, see Jobs Database rules, see Rules Default, see iQ.Suite User Portal 136 g_learn.nsf (CORE) 292 Log 122 Multiple in parallel 19, 109, 148 Open (iQ.Suite User Portal) 128 Deputy 107 Display Area 128 DLP 411 DLP Anomaly Detection 428 DLP Review 412 DLP Anomaly Detection Analysis criteria 438 Collect data, Live data, Baseline 428

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 791 INDEX 

DLP Configuration 431 Domain account 649 E Email cost, see Cost calculation 637 Export/import 17, 96, 104 F Forwarding 514, 516, 530, 548 Function bar 14, 15, 128 G Global parameters 24, 41 Configuration 31 Entry - Collect Statistic Data 123 Entry - Dynamic Rule Evaluation 85, 86 Grabber 11 notes.ini 31, 33, 664 Grabber 8 DatabaseGrabber 10, 160 Definition 780 MailGrabber 9, 10, 24 Rules 84 Group account 648 H Help, context-sensitive / online help 15 I Importing data 17, 96 Individual modules 19 iQ.Clustering, see Cluster iQ.Mastering, see Mastering iQ.Suite ADMIN 138 POWUSER 138 Start 5, 6 Terminate 7 User interface description 14 iQ.Suite Action, see Action jobs iQ.Suite data directory Open database 128 Start iQ.Suite 6 iQ.Suite KeyManager 365 iQ.Suite Log 122 iQ.Suite Split, see Split jobs iQ.Suite User Portal 126–265 Default databases 136

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 792 INDEX 

Setting up 143 J Job results 705 Jobs Action-Jobs 152 Critical / uncritical 24 Database jobs 22, 291 Default jobs 240, 265, 272 Edit multiple 11 Priorities 82 K Kaspersky Anti-Virus 166 L Language selection 16 Licenses 16, 28 Live Protection (Sophos) 186 Logs and statistics 20, 122 M Mail flooding / attacks, see Wall Mail jobs, see Jobs Mail rules, see Rules MailGrabber, see Grabber Mastering 13 McAfee 167 Metasymbols 8 Mobile end devices 272 Module bar 19, 128 Modules 19 N Navigation pane 14 NDosCall 782 Notes formulas, see External programs notes.ini 5, 8, 11 servertasks 693 ToolKit ??–689, 693–?? Notification templates 37, 149 P Parameters Description 33–?? Global, see Global parameters Parameter document, general 31 Parameter document, special 33 PDF/A 782

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 793 INDEX 

PDFCrypt File Signing/Encryption 406 Mail Encryption 383, 390 Password database 114 Password management 110, 378 Password transmission 378 PDF Header 385 PDFCrypt images 384 PDFCrypt mail 385 PDFCrypt templates 385 PDFCrypt utilities 383 Signature verification 404 User password database 118 User passwords 117 Performance 148 Periodic Forwarding 514, 555 Personal account 648 Placeholder, see Wildcard 788 Priority 82, 638, 783 Processing log, see Logs and statistics Q QR codes 475 Quarantine 20, 105, 107, 149, 236, 784 Summary notification 265, 272 User quarantine 20, 105, 126, 137 Database 109, 148 Deputy 107 Update 129 Quarantine Access 568 R Redirection 514, 530, 559 Retroactive forwarding 514, 533 Rights 139 Access 126 Read 25, 28, 151 Roles 129, 136 Rules Address rules 87 Blacklist/whitelist rules 87 Errors, see Troubleshooting Execution mode 85 Formula rules 88 Mail rules / database rules 24 Mechanism 84 Not used 85

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 794 INDEX 

Signature rules 89 Text rules 89 S Sandboxing Protection (Sophos) 186 SASI 253 SAVAPI 166 Single logs 641 Sophos Anti-Virus 167 Source server 646 Spam 310 Split jobs 94 Standard configuration 100 Statistics 107, 123, 645 see Logs and statistics see Quarantine see Single logs under Budget 645 Summary log 641, 643 Summary notification 149, 265, 272 SVM, definition 786 T Target server 646 td_grab.nsf 10 te_hook 8, 10, 693 Text Analyzer, see Text analysis under Wall tm_grab.nsf 10 ToolKit ToolKit statistics 123 ToolKit_dgrabthreads 11 ToolKit_ExecDir 188 ToolKit_Logo 697, 753 ToolKit_mgrabthreads 11 ToolKit_RuleEvaluationMode 85, 86 Trailer Create 453 Trailer attachments 475 Troubleshooting Block 82 Configuration 18 Initialization and execution 24 Mail jobs / database jobs 23 Performance 148 Rules 84 Spam alarm 310

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 795 INDEX 

U Unicode 288, 301, 303 Update 140 URL Scanning 210 User interface description iQ.Suite (Admin) 14 User Portal, see iQ.Suite User Portal User settings 126 Utilities, see Utilities under Wall V Variablen 74 vCards 475 Volume cost 638 W Wall Database jobs 291 Mail jobs 235, 238, 291 Mail-flooding / attacks 310 Text analysis 274–293 Utilities 161, 264, 275 Web browser 6, 129 WebCrypt Pro 359–?? Wildcards 31, 788

ADMINISTRATION - IQ.SUITE FOR DOMINO  PAGE 796