Two items from the Domino 7.0.2 readme
by Volker Weber
Domino 7.0.2 allows certain URLs, for example those that generate RSS feeds, to use Basic Authentication, even if Domino Session Authentication is in effect.
I understand why this feature is necessary. RSS readers cannot use Domino Session Authentication, so you can only provide unprotected feeds from Domino (7.0.1 or older) if you are using Domino Session Authentication (which you should). This would open up project databases which you want to monitor with RSS feeds. However, be very careful with this feature in 7.0.2. RSS readers will send user names and passwords in plain text for each refresh. Basic authentication is only encoded with Base64. You need to force the RSS feed into an SSL pipe.
Microsoft Outlook and Microsoft Exchange can be configured to send e-mail to other Outlook and Exchange users by encapsulating Microsoft-specific data in a Transport Neutral Encapsulated Format (TNEF) object. ... Beginning with Domino 7.0.2, the MIME itemizer now recognizes TNEF objects, pulls out any attachments which are encapsulated in a TNEF object, and adds those attachments to the message before writing it to the Domino router's mail box.
Halleluja.
Comments
No more winmail.dat ?
I'll miss them.
Why would you consider session-based authentication (which I assume means cookie-based) preferable to HTTP basic authentication?
realizing that TNEF/winmail.dat is a completely proprietary format, and Domino implementing support for it is a concession to bad interoperability. Not sure we should be singing praises for it, but at least it removes one of the "it's not compatible with Microsoft" BS objections from the list.
It's good for the customer.
Thank You IBM to fix that winmail.dat issue! This is really a need! Thank You!
The alternative to #1 would be to use an own web site for the feeds and to turn session authentication off just for that site.
Yup, that’s what we’ve done in the past, as our corporate single sign-on mechanism (entirely separate from Domino) doesn’t play nice with news readers at all.
Stefan: Basic authentication sends passwords in the clear (effectively) on every single request from the browser. Session authentication sends it only once, during the login. So if you want to protect your passwords, you have to use SSL on all transactions with basic authentication. With session authentication it is true that a session cookie can be sniffed, but the vulnerability lasts only as long as the session, so SSL on the login is sufficient to protect against a permanently compromised account.
Simply bouncing application/ms-tnef and the like at the inbound SMTP pipe with a permanent error solved this problem for me.
In other words:
In the beginning was the word. And the word was Content-Type: text/plain.
O:-)
