While setting up a new Traveler server at work, I ran across this article detailing how to block the Outlook app for iOS and Android that breaks company security. IBM soon posted something to their site about the issue, but with less information. The two sources basically suggested a single solution: just add a parameter to the notes.ini file.
Sounds simple, right?
Well, we ran into mixed results. After having trouble getting the server to block this and other user agents, I opened a PMR with IBM Support. They suggested I enclose the parameter’s value in quotes. That blocked everything from accessing the server EXCEPT those user agents (the ones which still were not being blocked). After escalating the issue, I saw the following update on my PMR which explained this parameter in greater detail and explained which format would work and why:
PMR UPDATE: This is with regards to blocking Microsoft OWA app for iOS/Android.
The customer is trying to block a certain user-agent (masscan/1.0) from connecting to Traveler. They also wanted to block Outlook apps on their Traveler server.
We refer to the technote and provided this:
NTS_USER_AGENT_ALLOWED_REGEX="^((?!Outlook-iOS-Android/1.0).)*$"
When they tried this, the OPPOSITE happened. Instead of blocking the Outlook app, all devices cannot connect (iPhones, Android, BB), BUT the Outlook app.
Also, since they wanted to block masscan we modified the parameter and made this like:
NTS_USER_AGENT_ALLOWED_REGEX="^((?!masscan/1.0).)*$ | ^((?!Outlook-iOS-Android/1.0).)*$"
However the same adverse effect happened.
From L2 SWE’s testing, here is what we found out:
1) NTS_USER_AGENT_ALLOWED_REGEX="^((?!Outlook-iOS-Android/1.0).)*$"
   all devices cannot connect to the Server (cannot send and receive mail)
2) NTS_USER_AGENT_ALLOWED_REGEX=^((?!Outlook-iOS-Android/1.0).)*$
   devices can connect back (we’re unable to connect Outlook)
3) NTS_USER_AGENT_ALLOWED_REGEX="^((?!masscan/1.0).)*$ | ^((?!Outlook-iOS-Android/1.0).)*$"
   all devices but Outlook and masscan cannot connect
4) NTS_USER_AGENT_ALLOWED_REGEX=^((?!masscan/1.0).)*$|^((?!Outlook-iOS-Android/1.0).)*$
   devices can connect back (though masscan is still showing up in the domlog.nsf)
5) NTS_USER_AGENT_ALLOWED_REGEX=^((?!masscan/1.0).)*$
   devices can connect
So going from these. Here is what we have deduced.
A. With quotes (" "), what happens is WHITELISTING -> only the user-agent in the REGEX can connect to the server. The rest of the devices cannot.
B. Without quotes, what happens is BLACKLISTING -> all other device types (user-agents) can connect BUT the user-agent on the REGEX parameter.
Please confirm this one so we make sure we relay the accurate answer to the customer. Thank you.
We are currently using a variation of option 4 in the example above and everything is working fine now. I haven’t been able to find any of the above whitelisting and blacklisting information anywhere else online, and figured I’d share here just in case anyone else runs into this in the future. ^_^
UPDATE: Per IBM Support, “the notes.ini parameters have a limit of 256 characters. Therefore, you block as many clients as you can fit in 256 characters and allow everyone else. Or, you can allow as many clients as you can fit in 256 characters and block everyone else.”
So plan your blacklisting/whitelisting carefully!
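The following is an added example, not part of the original post or IBM's material: it evaluates the unquoted patterns from the PMR with Python's `re` module, assuming Traveler's regex engine treats lookaheads and alternation the same way, and shows that joining two negative-lookahead patterns with `|` admits any agent that lacks at least one of the strings, while one lookahead listing both rejects both. The sample user-agent strings, the function names and the reading of the 256-character limit as applying to the value are assumptions.

```python
import re

# Option 4 from the PMR, copied verbatim (unquoted form).
OPTION_4 = r"^((?!masscan/1.0).)*$|^((?!Outlook-iOS-Android/1.0).)*$"

# Limit quoted by IBM Support; assumed here to apply to the parameter value.
INI_LIMIT = 256

# Constructed sample User-Agent strings, not taken from real logs.
SAMPLE_AGENTS = [
    "masscan/1.0 (constructed sample)",
    "Outlook-iOS-Android/1.0",
    "Apple-iPhone/0000.000 (constructed sample)",
    "Android-Mail/0.0 (constructed sample)",
]


def build_blocklist(tokens):
    """Return one pattern that matches only agents containing none of the tokens.

    All tokens share a single negative lookahead, so an agent is rejected
    as soon as any one of them appears anywhere in the string.
    """
    pattern = "^((?!" + "|".join(tokens) + ").)*$"
    if len(pattern) > INI_LIMIT:
        raise ValueError(
            f"pattern is {len(pattern)} characters, limit is {INI_LIMIT}"
        )
    return pattern


def allowed(pattern, agent):
    """True if the agent matches the 'allowed' pattern."""
    return re.search(pattern, agent) is not None


def report(pattern):
    """Map each constructed sample agent to its allow/deny result."""
    return {agent: allowed(pattern, agent) for agent in SAMPLE_AGENTS}


if __name__ == "__main__":
    combined = build_blocklist(["masscan/1.0", "Outlook-iOS-Android/1.0"])
    for label, pattern in (("option 4", OPTION_4), ("combined", combined)):
        print(label, "->", pattern)
        for agent, ok in report(pattern).items():
            print("   ", "ALLOW" if ok else "DENY ", agent)
```

Test any pattern this way against the user agents actually recorded in domlog.nsf before putting it in notes.ini.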