BP SunONE Messaging Server



5/17/2018 BP SunONE Messaging Server - slidepdf.com

http://slidepdf.com/reader/full/bp-sunone-messaging-server 1/284

Send comments about this document to: [email protected]

Sun™ ONE Messaging Server: Practices and Techniques for Enterprise Customers

Dave Pickens

Part No. 817-0763-10

August 2003, Revision A

Sun Microsystems, Inc.
4150 Network Circle
Santa Clara, CA 95054 U.S.A.

650-960-1300


Copyright 2004 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A. All rights reserved.

Sun Microsystems, Inc. has intellectual property rights relating to technology that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.sun.com/patents and one or more additional patents or pending patent applications in the U.S. and in other countries.

This document and the product to which it pertains are distributed under licenses restricting their use, copying, distribution, and decompilation. No part of the product or of this document may be reproduced in any form by any means without prior written authorization of Sun and its licensors, if any.

Third-party software, including font technology, is copyrighted and licensed from Sun suppliers.

Parts of the product may be derived from Berkeley BSD systems, licensed from the University of California. UNIX is a registered trademark in the U.S. and in other countries, exclusively licensed through X/Open Company, Ltd.

Sun, Sun Microsystems, the Sun logo, docs.sun.com, StarOffice, AnswerBook2, BluePrints, N1, Netra, SunDocs, SunSolve, Sun Enterprise, Sun Fire, iPlanet, Java, JavaScript, JumpStart, and Solaris are trademarks, registered trademarks, or service marks of Sun Microsystems, Inc. in the U.S. and in other countries.

Netscape is a trademark or registered trademark of Netscape Communications Corporation in the United States and other countries.

All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and in other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc.

The OPEN LOOK and Sun™ Graphical User Interface was developed by Sun Microsystems, Inc. for its users and licensees. Sun acknowledges the pioneering efforts of Xerox in researching and developing the concept of visual or graphical user interfaces for the computer industry. Sun holds a non-exclusive license from Xerox to the Xerox Graphical User Interface, which license also covers Sun's licensees who implement OPEN LOOK GUIs and otherwise comply with Sun's written license agreements.

U.S. Government Rights—Commercial use. Government users are subject to the Sun Microsystems, Inc. standard license agreement and applicable provisions of the FAR and its supplements.

DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.

French-language notice (translated):

Copyright 2004 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, United States. All rights reserved.

Sun Microsystems, Inc. holds intellectual property rights relating to the technology described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.sun.com/patents and one or more additional patents or pending patent applications in the United States and in other countries.

This product or document is protected by copyright and distributed under licenses that restrict its use, copying, distribution, and decompilation. No part of this product or document may be reproduced in any form, by any means, without the prior written authorization of Sun and its licensors, if any.

Software held by third parties, including font technology, is copyrighted and licensed from Sun suppliers.

Parts of this product may be derived from Berkeley BSD systems licensed by the University of California. UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd.

Sun, Sun Microsystems, the Sun logo, docs.sun.com, StarOffice, AnswerBook2, BluePrints, N1, Netra, SunDocs, SunSolve, Sun Enterprise, Sun Fire, iPlanet, Java, JavaScript, JumpStart, and Solaris are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.

Netscape is a trademark of Netscape Communications Corporation in the United States and other countries.

All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the United States and other countries. Products bearing SPARC trademarks are based on an architecture developed by Sun Microsystems, Inc. The OPEN LOOK and Sun™ graphical user interface was developed by Sun Microsystems, Inc. for its users and licensees. Sun acknowledges the pioneering efforts of Xerox in researching and developing the concept of visual or graphical user interfaces for the computer industry. Sun holds a non-exclusive license from Xerox to the Xerox graphical user interface, which license also covers Sun's licensees who implement the OPEN LOOK graphical user interface and otherwise comply with Sun's written license agreements.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL OTHER EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES ARE EXPRESSLY EXCLUDED, TO THE EXTENT PERMITTED BY APPLICABLE LAW, INCLUDING IN PARTICULAR ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT.

Contents

Acknowledgments xv

Preface xvii
    Sun BluePrints Program xvii
    Who Should Use This Book xviii
    Before You Read This Book xviii
    How This Book Is Organized xix
    Related Documentation xxiii
    Shell Prompts xxiii
    Typographic Conventions xxiv
    Ordering Sun Documents xxiv
    Accessing Sun Documentation xxiv
    Using UNIX Commands xxv
    Contacting Sun Technical Support xxv
    Sun Welcomes Your Comments xxv

1. Messaging Overview 1
    Connectivity 2
    Number of Devices 2
    Number of Messages 3
    Average Message Size 4

    Protocols 4
    Security and Privacy 5
    Regulatory Issues 5

2. Messaging Services 7
    Sun's Messaging Strategy 7
    Open Standards 7
    Popular Clients 8
    Messaging Services Beyond the Basics 8
    Directory Services 9
    Web Messaging 9
    Address Book 10
    Calendar 10
    Portal 10
    Web Services 11
    Anyone, Anytime, Anywhere, Any Device 11
    Integrated Yet Open—Project Orion 11
    SDN Concept 12
    Conclusion 13

3. Messaging Architectures 15
    Directory 16
    MTA 17
    Mailstore 17
    Proxy Servers 18
    Simple Single-Layer Architecture 18
    Simple—Alternative Architecture 20
    Typical Architecture 23
    Secure—Basic Architecture 25

    High Availability—Failover Architecture 27

4. Installation Preparation 31
    Preparation Process 31
    Good Computing Practices 31
    Differences Between Production and Non-production 32
    Basic Solaris OE Installation 33
    Network Connectivity 37
    Host Name Resolution With /etc/hosts and DNS 37
    Naming Services Setup and Best Practices 38
    Network Load Balancing 39
    DHCP 39
    Domain Name 39

5. System Startup 41
    Basic System Status 41
    Provisioning 52
    Administration Console 53
    Web 54
    Command-Line Interface 55
    Lightweight Directory Access Protocol 57
    Methods Analysis 59
    Issues 60
    Authoritative Sources 61
    Data Feeds 62
    User ID 64
    Sample Data File 65
    Sample Provisioning Script 66

    Test User Generation Script 66

6. Software Installation and Configuration 69
    Simple Installation 71
    ▼ Creating UNIX User and Group Accounts 73
    ▼ Disabling Sendmail 74
    ▼ Installing a Master Directory Server 75
    ▼ Preparing the Master Directory Server for Messaging 77
    ▼ Installing the Messaging Server 81
    ▼ Installing the Delegated Administrator Server 82
    ▼ Installing the Enterprise Web Server 82
    ▼ Installing the Delegated Administrator 84
    ▼ Setting Up Messaging Accounts and Testing the Server 85
    ▼ Creating a Postmaster User Account 85
    ▼ Creating Test Accounts 86
    ▼ Verifying Your Messaging Server Works Using WebMail 87
    Automated Installation Script 89

7. Message Transfer Agent Configuration 91
    Changing the Mappings 93
    Direct LDAP Lookup 94
    ▼ Testing LDAP Lookup 96
    Adding New Domains to the MTA 97
    ▼ Modifying the imta.cnf File 99
    SMTP Authentication 100
    ▼ Examining the imta.cnf File 100

8. Advanced Messaging Client Configuration 103

    What Is a Shared Folder? 104
    Supported Standards 105
    Limitations 107
    Setup Procedures 107
    ▼ Letting Your Administrator Read Your Inbox 107
    ▼ Sharing Folders in IMAP Clients 111
    ▼ Sharing a Folder in Mulberry 111
    ▼ Sharing a Folder in Netscape Messenger 114
    ▼ Using Outlook Express 119

9. Customization 123
    Changing and Adding a Logo 124
    ▼ Customizing the Login Screen 126
    ▼ Changing the Main Web Mail Screen Banner 127
    Removing and Adding Options on the Options Tab 130
    ▼ Removing Options 131
    ▼ Adding Options 133
    Single Sign On 138
    ▼ Enabling Single Sign On 139
    Setting the Initial Welcome Email 146
    Over-Quota Limits and Warning Email 147
    ▼ Configuring Over-Quota Limits and Warning Email 148
    Customizing Return Errors 151

10. Security 153
    Network 154
    System 157
    Basics of Solaris OE Security 157
    Messaging Software Protocols 159

    Directory 159
    ACI 159
    Search Limits 160
    Enabling SSL Support 161
    Non-standard Ports 161
    Message Store 162
    SMTP 162
    MTA 162
    RDNS 162
    Antivirus and Antispam 163
    Securing the Message Contents 163
    ▼ Implementing PGP Signing 163
    SMIME 165
    Conclusion 165

11. Migration 167
    Basic Steps (Generic) 168
    User Information 168
    Why Are Passwords Important? 168
    Password Handling Options 168
    Messages and Folders 169
    ▼ Letting Users Maintain Messages and Folders 169
    Aliases and System-wide Mailing Lists 170
    Aliases File 171
    Delegated Administrator 171
    ▼ Creating Dynamic Groups and Email Lists Using Direct LDAP Manipulation (Sun ONE Administrator Console) 171
    Personal Address Books, Lists, and Bookmarks 172
    Sendmail (UNIX Mail) 174

    User Information 174
    Mailbox Content 175
    Mailing Lists (aliases) 175
    Personal Address Books 175
    Exchange, Novell GroupWise, and Lotus Notes 175
    User Information 175
    Mailbox Content 176
    Mailing Lists 177
    Personal Address Books 177

12. Performance Tuning 179
    Netscape Directory Server 179
    Solaris OE 180
    ▼ Setting TCP/IP Parameters 180
    ▼ Setting tcp_local_option and tcp_internet_option File Parameters 181
    ▼ Setting /etc/system Parameters 181
    ▼ Setting configutil Parameters 182
    MMP 184
    MTA Tuning 184
    Dispatcher 185
    Job_Controller 185
    ims_master channel 185
    Message Dequeue 185
    ims-ms Channel-Specific Information 186
    Option.dat 186
    MAX_INTERNAL_BLOCKS 187
    Reverse Database 187
    IMTA_TAILOR File 187

    Notices 187
    Postmaster Mail 188

13. Advanced MTA Configuration 189
    Conversion Channel 189
    ▼ Adding a Disclaimer 191
    ▼ Converting PostScript to Acrobat 197
    Virus Scanning 198
    Antispam 199
    Other Possibilities 199

14. Highly Available Messaging Deployment 201
    High Availability Architecting Differences 201
    High Availability Architectures 203
    The Parts 203
    Other Architectures 204
    Alternative No. 1 205
    Alternative No. 2 205
    Differences in Planning for High Availability Messaging 206
    Differences in Installing HA Messaging 206
    Best Practices and Caveats 207
    Installation Procedure and Notes 207
    Conclusions 207

15. Managing Messaging Services and Preventive Maintenance 209
    Periodic Maintenance Checklists 209
    Daily Checks 210
    Weekly Checks 212
    Monthly Checks 212

    Quarterly Checks 213
    Annual Checks 214

16. Monitoring a Sun ONE Messaging Server 215
    SNMP 215
    Alternative Tools 216
    What's Up Gold 216
    Sun Management Center 217
    Orca 218
    Big Brother 218
    BMC Patrol 219

A. Case Studies 221
    Acme University 221
    Timeline 222
    Lessons Learned 223
    Baker Tech 224
    Timeline 226
    Lessons Learned 226
    Community City College 227
    Timeline 228
    Lessons Learned 228

B. Majordomo Integration 231
    ▼ Preparing for Integration 231

Glossary 243

Bibliography 251

Index 253

Figures

FIGURE 3-1 Messaging Server, Storage, and Firewall Messaging System 19
FIGURE 3-2 Alternate Configuration With SMTP Firewall 21
FIGURE 3-3 Alternate Configuration With SMTP Relays and Firewall 23
FIGURE 3-4 Proxy Configuration With SMTP Relays and Firewall 25
FIGURE 3-5 Simple Failover Configuration 27
FIGURE 3-6 Failover With Relays and Firewall 28
FIGURE 5-1 top Command Output 44
FIGURE 5-2 Administration Interfaces Architecture Overview 53
FIGURE 5-3 Delegated Administrator for Messaging 56
FIGURE 6-1 Simple Architecture With Administration Ports 70
FIGURE 6-2 DC Tree and UG Organization Tree 88
FIGURE 8-1 Web Mail Shared Folder Permissions 104
FIGURE 8-2 Getting to the Permissions Screen 105
FIGURE 8-3 Sharing a Folder Other Than the Inbox 107
FIGURE 10-1 Security Layers 153
FIGURE 10-2 Secure Network Architecture for Messaging Environment 156
FIGURE 13-1 MTA Conversion Channel Diagram 190
FIGURE 14-1 High Availability Configuration Failover 205
FIGURE 14-2 Failover Using Both Nodes in a High Availability Configuration 206
FIGURE A-1 Acme University Architecture Diagram 222
FIGURE A-2 Baker Tech Architecture Diagram 225
FIGURE A-3 Community City College Architecture Diagram 229

Tables

TABLE 6-1 Values Required for Installation 72
TABLE 8-1 Web Mail Permission and RFC2086 Rights 106
TABLE 10-1 Enterprise Messaging Access in a Typical Enterprise 154
TABLE 10-2 Enterprise Messaging Access in a University 155

Code Samples

CODE EXAMPLE 5-1 ps -ef Command Output 42
CODE EXAMPLE 5-2 configutil Output—Current Configuration Settings 45
CODE EXAMPLE 5-3 Sample CLI Showing Creation of "testuser" Account 57
CODE EXAMPLE 5-4 Sample Template 59
CODE EXAMPLE 5-5 Test User Script Usage Example 66
CODE EXAMPLE 5-6 Add Test User Script Error Message 67
CODE EXAMPLE 5-7 Add Test User Completion Message 67


Acknowledgments

This book was certainly not a one-person effort. There are many people to thank and I am sure I will miss a few.

First and foremost are the other contributors to this effort: Portia Shao, Chad Stewart, and Dan Liston. They all added significantly to this book in terms of content, technical review, and overall comments. This book would not be as good nor as complete without their contributions. Portia Shao contributed the Advanced Messaging Client Configuration chapter, Chad Stewart contributed the Performance Tuning chapter, and Dan Liston contributed the Majordomo appendix.

As a technical product manager, Portia frequently provides answers and research regarding the messaging server to the engineers in the field. Chad is a Senior Consultant at Sun Microsystems working in the Professional Services Organization. Dan contributes to the free software environment by supporting majordomo.

Next, I would like to thank Kelly Caudhill for her time and effort during the final months of this project to review rough drafts and provide feedback.

I cannot fail to mention the best help that a writer at Sun could have—George Wood, the writer/editor who kept me on my toes and pitched in to write some portions when words just would not come to mind; Billie Markim and Sue Blumenberg for additional editing assistance; and Dany Galgani, the graphics designer who turned my scribbles into art.

I would also like to thank my manager, Casey Palowitch, for his support this past year and for encouraging me to tackle a project of this magnitude.

Last but not least, I would like to thank my wonderful wife and kids, who put up with me working many long and late hours.


Preface

The Sun™ ONE Messaging Server Practices and Techniques for Enterprise Customers book is published under the auspices of the Sun BluePrints™ program. This book is a collection of practices and techniques for deploying a messaging system. These practices and techniques have been gathered from many customers' messaging system deployments and internal testing labs. The book covers some things that advanced users might believe are common knowledge but are not. The goal of this book is to make the administration of Sun™ Open Net Environment (Sun ONE) Messaging Server (formerly known as iPlanet™ Messaging Server) easier by collecting this knowledge and organizing it as you might encounter it during the deployment of a messaging project, that is, from planning to day-to-day operation.

Sun BluePrints Program

The mission of the Sun BluePrints program is to empower Sun's customers with the technical knowledge required to implement reliable, extensible, and secure information systems within the data center using Sun products. This program provides a framework to identify, develop, and distribute preferred practices information that applies across the Sun product lines. Experts in technical subjects in various areas contribute to the program and focus on the scope and advantages of the information.

The Sun BluePrints program includes books, guides, and online articles. Through these vehicles, Sun can provide guidance, installation and implementation experiences, real-life scenarios, and late-breaking technical information.


The monthly electronic magazine, Sun BluePrints OnLine, is located on the Web at:

http://www.sun.com/blueprints

To be notified about updates to the Sun BluePrints program, please register on this site.

Who Should Use This Book

This book is intended for readers with varying degrees of experience with and knowledge of computer system and server technology, who are designing, deploying, and managing a Sun ONE Messaging Server within their organizations. Typically these individuals already have UNIX® knowledge, but have been given the added responsibility for messaging too.

The book is targeted at enterprise customers deploying the Sun ONE Messaging Server software version 5.2 and later. An enterprise customer is an organization that is running messaging for its own internal use and is not providing messaging services to other organizations; that is, it is not an applications service provider (ASP) or Internet Service Provider (ISP). The organization could be small (thousands of users), large (100,000 users), or anywhere in between. This book offers practical advice on design, architecture, deployment, and operation, with these customers in mind.

Before You Read This Book

This book covers some of the basics of messaging and the services such as Domain Name Service (DNS) or Lightweight Directory Access Protocol (LDAP) that messaging relies upon, but cannot address these services thoroughly. You should have some basic knowledge of messaging systems and architecture, and be comfortable with using GUI-based tools and the UNIX command line (shell). See one or more of the following documents for this information.

- DNS and BIND, 4th Edition, October 2002, O'Reilly
  http://www.oreilly.com/catalog/dns4/

- DNS & BIND Cookbook, October 2002, O'Reilly
  http://www.oreilly.com/catalog/dnsbindckbk

- LDAP System Administration, March 2003, O'Reilly
  http://www.oreilly.com/catalog/ldapsa/


- Essential Systems Administration, 3rd Edition, August 2002, O'Reilly
  http://www.oreilly.com/catalog/esa3/

- Sun BluePrints on Naming and Directory Services
  http://www.sun.com/solutions/blueprints/browsesubject.html#nds

How This Book Is Organized

This book is modeled after the typical process an enterprise uses to deploy its messaging infrastructure, from the initial planning steps to day-to-day operations. It follows a basic systems development life cycle (SDLC) for an enterprise messaging system: planning, testing, deployment, and maintenance. Each of these phases addresses practices and techniques to enhance availability, performance, and ease of use.

The book has 16 chapters and two appendixes.

Chapter 1, "Messaging Overview," on page 1—This chapter provides an overview of the factors facing messaging implementations, how messaging systems are being used, what the messaging trends within enterprises are, future uses of messaging currently being developed, and so forth. This chapter is designed to provide the basis for establishing messaging as a mission-critical system within the enterprise and to expose readers to issues that they may not currently be considering.

Chapter 2, "Messaging Services," on page 7—This chapter provides an overview of the Sun ONE Messaging Server product as it fits into the software delivery network (SDN) concept, along with brief descriptions of the individual components that go into making an enterprise messaging system work. It highlights specific strengths of the Messaging Server compared with other offerings in the market. The main emphasis of this chapter is on covering the interoperability of products that support open standards and the advantages they bring.

Chapter 3, "Messaging Architectures," on page 15—This chapter describes the architectures of some of the more common configurations and explains that there are almost infinite combinations. It outlines the pros and cons of each architecture to provide you with information to determine which architectures meet your enterprise messaging requirements.

Chapter 4, "Installation Preparation," on page 31—This chapter outlines some issues and practices that are important before installation. These issues can have a significant impact on installation, operations, and recovery capability. It provides insight into situations that normally cause consternation. References are made to specific sections of manuals or additional supplemental materials. Think of this chapter as a reminder regarding operating system best practices that can be found in other BluePrints and elsewhere.

Chapter 5, "System Startup," on page 41—This chapter covers the basics of getting the system started and provisioning users once the system is operational. It is designed to provide an understanding of the various mechanisms for provisioning as well as the pros and cons of each method. You can easily automate provisioning, but there are times when manual entry is required too.

Chapter 6, "Software Installation and Configuration," on page 69—This chapter provides information and caveats that you may need during the installation phase of the overall messaging environment. It also discusses scalability issues. For additional details, refer to the iPlanet Messaging Server Installation Guide for UNIX.

The chapter discusses the pros and cons of various answers to configuration questions and installation options so that you can avoid post-installation pitfalls, whether they are related to flexibility (that is, top domain name selection in the directory), scalability, availability, performance, or ease of use. Thus, this chapter covers items not found in the current documentation and conveys information that can only be learned through experience.

Chapter 7, "Message Transfer Agent Configuration," on page 91—This chapter provides best practices and techniques regarding the setup and configuration of the Message Transfer Agent (MTA) component within the Sun ONE Messaging Server. Due to its complexity, this is an area that can cause significant issues related to security as well as basic functionality. This section dissects the default "out-of-the-box" MTA configuration file to provide a starting point for the reader. Many users of the previous versions, Sun Internet Mail Server (SIMS) or Netscape Messaging Server (NMS), had never seen an Innosoft PMDF product MTA configuration file. Therefore, this area is very intimidating and confusing. This chapter addresses some typical changes in plain language.

Chapter 8, "Advanced Messaging Client Configuration," on page 103—This chapter covers the following key concepts and topics for using shared folders: what a shared folder is, supported standards, limitations, how to let your administrator read your mailbox, and how to share a folder in an Internet Message Access Protocol (IMAP) client, Netscape Messenger, and Outlook Express.

Chapter 9, "Customization," on page 123—This chapter describes how to customize the Messaging Server. Customers typically make several customizations right after installing the basic Messaging Server (Sun ONE Directory Server, Sun ONE Web Server, Sun ONE Delegated Administration, email, and perhaps even Sun ONE Calendar Server). The most common of these include changing the look and feel of the web mail interface (Sun ONE Messenger Express) and providing a single sign on (SSO) between the web mail, web-based calendar, and Delegated Administration interfaces. Some of the other common customizations that are done almost immediately include defining the welcome message for new accounts, along with the over-quota message for people about to go over quota or already over quota. Some customers would also like to customize some of the return errors that the message system sends back to users.

Chapter 10, "Security," on page 153—This chapter discusses in detail the specific issues surrounding the security of the Messaging Server, including the server platform, the various protocols and their impact, and securing the contents of the messages. This chapter divides the topic of security as it relates to the Messaging Server into three different layers or topics: network, system, and messaging system protocols.

Chapter 11, "Migration," on page 167—This chapter describes the best practices for migration and identifies potential problems that may occur during the migration phase. After the basic Messaging Server is installed, one of the more difficult tasks is to migrate the existing user base and mailbox contents. Different techniques can be used, but only specific techniques are valid for specific migrations, Exchange for example. Additionally, other parts of the migration have specific issues, such as using the migration as an opportunity to standardize mail address formats while maintaining legacy addresses that can still be addressed.

Chapter 12, "Performance Tuning," on page 179—As with any system, performance is a key element to getting the most return on investment, as well as maintaining happy users. This chapter contains practices and principles specifically related to performance tuning of the Messaging Server, which may differ from or contradict conventional tuning wisdom. This chapter points out the areas on which a Messaging Server administrator should concentrate.

Chapter 13, "Advanced MTA Configuration," on page 189—This chapter contains examples of the conversion channel feature of the MTA, including some sample scripts. It also discusses some of the other possibilities for advanced MTA configuration.

Chapter 14, "Highly Available Messaging Deployment," on page 201—Some organizations do not see messaging as a mission-critical service or, for whatever reason, they decide not to implement highly available messaging. This chapter reinforces why messaging is mission critical and needs high availability. It addresses specific issues (pros and cons) with various high-availability architectures that customers have implemented as well as some of the caveats to keep in mind when planning and installing messaging in a high-availability environment. These lessons have been learned the hard way at various customer sites and are found nowhere else in the documentation or technical notes.

Chap ter 15, “Mana ging Messaging Services and Preventive Mainten ance,” on page209—As with any system , your m essaging server requires routine maintenan ce. Thischapter outlines the best p ractices and issues surrou nd ing da y-to-day and routinemain tenance involved in m anaging a m essaging server, sp ecifically the Sun ON E

Page 22: BP SunONE Messaging Server

5/17/2018 BP SunONE Messaging Server - slidepdf.com

http://slidepdf.com/reader/full/bp-sunone-messaging-server 22/284

xxii Preface

Messaging Server. While the current d ocumen tation explains the basic comm and s, itdoes not address automation or scripting of these functions, nor does it adequatelycover techniques that can improve backup and recovery time.

Chapter 16, “Monitoring a Sun ONE Messaging Server,” on page 215—This chapter explains how to monitor your systems and the Messaging Server software that comprises your email infrastructure. System monitoring is an important part of the overall management effort. Tools can range from simple monitoring of the basic hardware and network infrastructure to more complex monitoring such as response time and error logging. They can be homegrown, open source, or commercial products. You can implement one or many.

Appendix A, “Case Studies,” on page 221—This appendix contains a series of case studies to illustrate several points made throughout this book as well as to highlight some specific lessons learned. Architecture diagrams and time lines are provided for reference. These cases occurred over the past few years and are actually a composite of the case studies of several different customers.

Appendix B, “Majordomo Integration,” on page 231—This appendix contains procedures for integrating all of the functionality of majordomo with sendmail into the Messaging Server.

This book is based on the following software:

• Solaris™ 8 or Solaris 9 Operating Environment (Solaris OE)
• Sun ONE Messaging Server 5.2
• Sun ONE Directory Server 5.1
• Sun ONE Web Server 6.0
• Sun ONE Calendar Server 5.1.1

It does not cover in detail basic UNIX administration, DNS or LDAP services, command reference information, or other information that is normally found in the product manuals. Moreover, the book does not address older versions of messaging software such as Sun™ Internet Mail Server (SIMS v3.x or SIMS v4.x) software or Netscape Messaging Server (NMS v3.x or NMS v4.x) software.


Related Documentation

The following table lists manuals that provide additional useful information. The Sun ONE products were formerly known as iPlanet products, so the titles of many of the manuals listed contain iPlanet instead of Sun ONE.

These manuals are located at:

http://docs.sun.com/db/prod/sunone.

Title                                                     Author and Publisher  Part Number
iPlanet Messaging Server 5.2 Administration Guide         Sun Microsystems      816-6009
iPlanet Messaging Server Installation Guide for UNIX      Sun Microsystems      816-6014
iPlanet Directory Server Installation Guide               Sun Microsystems      816-5610
Sun ONE Calendar Server 5.1.1 Installation Guide          Sun Microsystems      816-6414
iPlanet Messaging Server Reference Manual                 Sun Microsystems      816-6020
iPlanet Messenger Express 5.2 Customization Guide         Sun Microsystems      816-6010
Solaris 8 (SPARC Platform Edition) Installation Guide     Sun Microsystems      806-0955
Solaris 9 Installation Guide                              Sun Microsystems      816-7171
Solaris System Administrators Guide on Security Services  Sun Microsystems      806-4078

Shell Prompts

Shell                                  Prompt
C shell                                machine-name%
C shell superuser                      machine-name#
Bourne shell and Korn shell            $
Bourne shell and Korn shell superuser  #


Typographic Conventions

Typeface    Meaning                                        Examples
AaBbCc123   The names of commands, files, and              Edit your .login file.
            directories; on-screen computer output         Use ls -a to list all files.
                                                           % You have mail.
AaBbCc123   What you type, when contrasted with            % su
            on-screen computer output                      Password:
AaBbCc123   Book titles, new words or terms, words to      Read Chapter 6 in the User’s Guide.
            be emphasized. Command-line variables;         These are called class options.
            replace with real names or values.             You must be superuser to do this.
                                                           To delete a file, type rm filename.

Ordering Sun Documents

The SunDocsSM program provides more than 250 manuals from Sun Microsystems, Inc. If you live in the United States, Canada, Europe, or Japan, you can purchase documentation sets or individual manuals through this program.

Accessing Sun Documentation

You can view, print, or purchase a broad selection of Sun documentation, including localized versions, at:

http://docs.sun.com/.


Using UNIX Commands

This document does not contain information on basic UNIX commands and procedures such as shutting down the system, booting the system, and configuring devices. See one or more of the following for this information:

• Solaris Handbook for Sun Peripherals
• AnswerBook2™ online documentation for the Solaris OE
• Other software documentation that you received with your system

Contacting Sun Technical Support

If you have technical questions about this product that are not answered in this document, go to:

http://www.sun.com/service/contacting.

Sun Welcomes Your Comments

Sun is interested in improving its documentation and welcomes your comments and suggestions. You can submit your comments by going to:

http://www.sun.com/hwdocs/feedback.

Sun ONE Messaging Server Practices and Techniques for Enterprise Customers, ISBN number 0-13-145496-X, part number 817-0763-10.

Please include the title, ISBN number, and part number of your document with your feedback.


CHAPTER 1

Messaging Overview

This chapter provides an overview of the factors facing messaging implementations today, how messaging systems are being used, what messaging trends within enterprises are, future uses of messaging currently being developed, and so forth. This chapter provides the basis for establishing messaging as a mission-critical system within the enterprise and exposes you to issues that you may not currently be considering. This chapter contains the following topics:

• Connectivity
• Number of Devices
• Number of Messages
• Average Message Size
• Protocols
• Security and Privacy
• Regulatory Issues

Electronic messaging, or email as it is more commonly referred to, is becoming more of a mission-critical network service every year. It is doubtful if any person in an organization can identify everyone or everything that relies upon the messaging system. Typically, the only time it becomes clear who and what actually relies upon the messaging system is when there is a major outage or problem. Many factors are behind this trend, driving messaging to becoming more and more mission critical. Some of these factors are:

• Connectivity is getting better.
• Number of devices is increasing.
• Number of messages (traffic) is increasing.
• Size of the messages (attachments) is getting larger.
• Protocols to access email are changing.
• Security is more of a concern.
• Regulatory issues are increasing.


Connectivity

Today more bandwidth is available than at any time before. It is no longer uncommon in an environment to find 10BASE-T switched network access, and in many cases now 100BASE-T, throughout an organization. In universities, it is common to find network ports in the dorm rooms (sometimes more than one port), faculty offices, study rooms, the library, and other places across campus. Some campuses are deploying Gigabit Ethernet in labs and select faculty offices. Corporate organizations are also deploying bandwidth like never before, with 100BASE-T to offices and Gigabit Ethernet in the data center and select facilities. Wires are no longer a constraint either. Bandwidth is even available from thin air as many organizations are deploying wireless networks (802.11a/b/g) or have plans in place to do so in the near future.

This access to bandwidth anytime and anywhere results in more messaging usage that now comes from a diverse population of clients (devices). No longer do users have to return to their base of operations, also known as a desk or cubicle, to send and receive email.

Older methods of modeling and understanding messaging systems were based upon dial-up connections, low bandwidth, and limited access assumptions. In today’s environment, these assumptions no longer apply.

Number of Devices

Cheaper electronics, personal digital assistants (PDAs), cell phones, and computers have resulted in a plethora of devices on the network, many of which are email enabled by default or can be quickly messaging enabled. It is no longer safe to assume a ratio of one person per device (access point). It is, given today’s penchant for connectivity and always-on models, possible to have two or three access points per person. This can, in fact, lead to situations where users are generating two or three connections simultaneously. It is not that humans (or the software for that matter) have learned to multitask so well, but rather that humans are not logical. The scenario of a student running to class while leaving a desktop computer running (and checking email in the background), accessing email from class or across campus with a PDA or laptop, is not far fetched. In the corporate world, an equivalent scenario would be J. Q. Manager leaving an office desktop running (and checking email) while leaving for a meeting and checking email on a PDA during the meeting. This means that you can no longer simply say one user equals one connection (device), and must plan for more connections in the future.


Number of Messages

In many ways, email has taken over what the telephone used to do. Today it is not uncommon for someone who is an active email user to receive over 100 messages per day or more. Try to think of the last time you had 100 voice mail messages waiting in your voice mail box. Some say that instant messaging (IM) is going to overtake email and email will be obsolete. There is no doubt that instant messaging will affect email in some manner, but IM is a real-time communication method akin to actually talking on the phone. Email is like calling someone who is not there or is busy, and leaving a message on their answering machine or voice mail. Email is asynchronous and does not require the user’s immediate attention like instant messaging does, although many people leave email running all the time and use it like IM in some ways.

Another issue with IM is interoperability. IM is an immature technology when compared with email. It is hard to bridge across Yahoo! and AOL or MSN using IM, for example. The situation is getting better with the advent of new protocols such as Simple Internet Protocol (SIP) and SIMPLE, but IM is not there yet—and it is not quite as universal as email.

Another issue driving up the quantity of messages being sent and received is that other systems are becoming more integrated with email. Today many organizations are looking for unified messaging, providing a single point for email, faxes, and voice mail. Unified messaging allows integration between an organization’s voice mail system (or fax system) and an email (messaging) system in such a way that the voice mail system actually stores the voice mail messages in a person’s email inbox (or other folder). That way you can read your email and listen to your voice mail (or see your faxes) without having to check two separate systems. This capability adds yet another factor in terms of volume as well as size, since audio attachments can be large depending upon the sampling rate.

At some point in the future, IM might actually participate in this unified messaging environment. Imagine that email becomes the answering machine or recording device for IM sessions—for example, you are not able to participate in the 11:00 a.m. IM session to discuss the new marketing campaign, but the conference (including all the attachments and collaboration) gets saved in your inbox. How exactly has IM reduced your messaging requirements? IM might, in fact, add more traffic to your messaging system.


Average Message Size

Partly because of the increase in bandwidth but also as a result of the desire for fuller, richer multimedia experiences (for example, singing and dancing PowerPoint presentations), the average email is getting bigger. Where three or four years ago it was normal to have 10-kilobyte messages with occasional 100-kilobyte messages traversing the messaging system, today those figures are noticeably larger—somewhere around 25 to 30 kilobytes average message size, with occasional multimegabyte (one megabyte plus) messages appearing more frequently. Older models for messaging systems that were fine during the days of dial-up Internet where a 10-kilobyte email would take a minute to send just do not apply today.

Protocols

Older models for architecture and sizing generally based everything on Post Office Protocol (POP) and Simple Mail Transfer Protocol (SMTP) only. POP was for retrieving mail, and SMTP was for transferring mail between systems. Prior to POP, there was no protocol even to read email; rather, email clients like Pine and electronic mail (elm) really just browsed the inbox directly via the Network File Server (NFS) or the file system. These were typically sized as generic or lightweight interactive logins.

Today, Internet Message Access Protocol (IMAP) and web mail have taken over POP in enterprise accounts, and while SMTP is still the transfer protocol, other transfer protocols such as Short Messaging Service (SMS) for pagers and PDAs have been added too. SMS does not carry the same overhead in terms of headers, signatures, and attachments that SMTP does, but it does not do attachments either. One advantage that SMS offers beyond being lightweight is the ability to embed short responses such as YES and NO within the message for quick reply by the recipient. Environments such as hospitals that rely upon pagers typically use SMS to allow for a message with response.


Security and Privacy

This is a huge topic on which an entire book could be written. As we have increased reliance upon email, increased bandwidth, increased access to bandwidth, and increased the number of devices on the network, we have also increased the need for security and privacy. More and more customers are using Secure Sockets Layer (SSL) methods to secure the communication protocol whether it is POP, IMAP, SMTP, or HTTP (web mail).

Many customers are adding virus scanning to their messaging layer—what used to be uncommon (virus-scanning messages in the messaging system) is now common. In reality, this was not a complete surprise or a giant step. Many organizations began with scanning just messages coming into their system from the Internet. Two or three years ago, when customers asked about virus scanning, that was it. Then, it became necessary or desirable to scan outgoing email (being a good Internet citizen and all that) and to scan everything between users too. So, nowadays it is more likely that everything is scanned, because viruses also spread within the enterprise.

In addition to virus scanning, many organizations also want to eliminate spam, also called unsolicited bulk email (UBE) or unsolicited commercial email (UCE). This adds yet an additional workload to the messaging system that was not there five years ago.

Regulatory Issues

New regulatory issues beyond those on privacy are facing institutions these days. One of the more recent interpretations of existing laws (the Freedom of Information Act or their state-level equivalents) classifies email as official written correspondence for schools and government entities. In other cases, email is becoming a legal issue due to the Enron-type accounting scandals. And so email regarding official matters must be archived or retained for a set number of years. Therein lies the problem.

How exactly can you pinpoint which emails are related to official matters and archive only those emails? Many times the answer is that you cannot. Therefore, archiving everything is required. Archiving increases the requirement for storage as well as the need for solid backup and recovery procedures. At Sun, the term “infinite mailbox” is being used to describe just such a message system.


CHAPTER 2

Messaging Services

This chapter provides an overview of the Sun ONE Messaging Server product as it fits into the software delivery network (SDN) concept, along with brief descriptions of the individual components that go into making an enterprise messaging system work. It highlights specific strengths of the Messaging Server product compared with other offerings on the market. The main emphasis of this chapter is on covering the interoperability of products that support open standards, and the advantages they offer.

Sun’s Messaging Strategy

Sun Microsystems, Inc. was founded on the philosophy of open systems, open standards. The mantra at Sun is “agree on standards and compete on implementation.” This philosophy is no different whether it is the Solaris OE or the Sun ONE Messaging Server product. In fact, the “ONE” in Sun ONE stands for Open Network Environment, in respect of open standards.

Open Standards

One of the nice things about messaging is that it is a mature area in the Internet space and has been around for more than 25 years. Thus, there are many mature, open protocols for messaging, unlike some of the other Internet protocols such as instant messaging (IM) or calendaring which still do not offer truly ubiquitous protocols although some are emerging like SIP/SIMPLE and iCAL. The current messaging protocols are:

• Internet Message Access Protocol (IMAP)
• Post Office Protocol (POP)


• Simple Mail Transfer Protocol (SMTP) and Extended Simple Mail Transfer Protocol (ESMTP)
• Lightweight Directory Access Protocol (LDAP)
• HyperText Transfer Protocol (HTTP)
• Secure Sockets Layer (SSL)

Popular Clients

By supporting standards, the Sun ONE Messaging Server is client agnostic, so Sun does not offer a thick (native) client for the various operating systems such as Windows, Mac OS, or Linux. Some of the more popular clients are:

• Netscape™ 7.0
• Mozilla
• Outlook
• Eudora
• Ximian

Any client that supports IMAP or POP along with SMTP should work just fine. Most modern clients go beyond this basic support, adding LDAP for address book lookup and SSL for security.

For a good technical overview of the Sun ONE Messaging Server product, including a list of supported open standards, obtain “Sun ONE Messaging Server version 5.2—A Technical Whitepaper” from your local Sun Sales Representative or System Engineer.

Messaging Services Beyond the Basics

Beyond the basics of providing messaging services, the issue is how these services are provided. Can the product scale? Is the product secure? How hard is the product to install and manage? How easily can users be provisioned? How flexible is the product? There are many messaging products out there, and each of them is architected and designed slightly differently. One product may store user names and passwords in a flat file, while others leverage LDAP. One product may provide integrated antivirus measures but not allow you to integrate a slightly better third-party product for antivirus protection.


There are several key items:

• Directory Services
• Web Messaging
• Address Book
• Calendar
• Portal
• Web Services
• Anyone, Anytime, Anywhere, Any Device

Directory Services

The directory is the brain or memory of the Sun ONE Messaging Server. It is used across the various products within the Sun ONE product line to provide user information, authentication, storage of policies and rules, configuration information, and registration of web services—for example, universal description, discovery, and integration (UDDI). It plays a central role in being able to easily provision accounts and services without managing separate user data for each application in an environment. By leveraging a directory as the central repository for user information, provisioning is a matter of granting privileges to the user or group of users to specific resources (services) by configuring attributes appropriately—by changing an attribute, you change access to a service. This eliminates the need to provision users in many separate systems.

Web Messaging

When the Web first started becoming a popular way to provide some abstraction regarding where you were located, the computer you were using, and the resource (for example, email) you were trying to access, adding an additional software package to provide this web mail interface was the norm. However, as time went by, this became a feature demanded by customers as part of the base messaging software, to eliminate the need to select, deploy, and manage something separate. By offering web mail as part of the messaging server, yet providing the ability to customize the “look and feel” of it for your users plus control which users have access to web mail, the Sun ONE Messaging Server offers savings over having to integrate a separate web mail software utility too. The nice part though is that should you decide, either for legacy or other reasons, to select and integrate another web mail interface—for example, IMP—you still have that option.


Address Book

A core requirement of messaging is being able to store and retrieve contact information. The Sun ONE Messaging Server leverages the underlying directory to provide personal address books. A new feature coming to the address book functionality is shared address books, which allow you to share your address book entries with other people and applications in a secure manner (for example, only those people and applications you wish to have access).

Calendar

As part of the overall Sun ONE product line, Sun offers a web-based calendar product called the Sun ONE Calendar Server. By providing calendar management for people, resources, and events, calendaring can be offered as a service to an entire organization and beyond.

The main issue regarding calendar technology adoption is lack of widely adopted calendar standards. iCal, SyncML, and vCal have been available for some time now; however, there is no single calendar standard that all vendors use.

Portal

Portals are very hot these days, but people rarely think beyond the basics to what lies behind the portal or makes a good portal. Simply put, a portal is technology that aggregates services and content together in a secure manner for a particular community of users. The services behind the scenes are things such as messaging and calendar services, while the content can be a variety of things, from static HTML content to true web applications and services.

A portal really brings to life the concept that the sum of the parts is greater than the whole. Without quality services and applications provided to the right people at the right time, a portal is just another pretty interface.

Sun’s philosophy is to leverage network identity management and scalable services like the Sun ONE Messaging Server, along with world-class partners such as Altio and FatWire, to provide a best-of-breed approach to meet customer portal needs with the Sun ONE Portal Server product.

By combining these things and leveraging web services for rolling out new services, the Sun ONE Portal Server provides a solid portal platform, today and tomorrow.


Web Services

By making messaging a web service, or at least a service that is always on and always there much like dial tone, the possibilities for use become significantly greater—now it can truly become the asynchronous messaging backbone for more than just person-to-person communication. Messaging can become integrated into workflow and business processing, becoming the transport of choice.

Anyone, Anytime, Anywhere, Any Device

Since early 1996 and before Sun released Java™ to the world, Sun’s motto has been “Anyone, Anytime, Anywhere, and Any Device.” This is definitely true with the Sun ONE Messaging Server.

By thinking “service” and providing device- and locale-neutral messaging, the number of nodes that can take advantage of such a messaging service (system) is enormous. Metcalfe’s law (formulated by Robert Metcalfe, founder of 3COM and regarded as the inventor of Ethernet) states that the “value” or “power” of a network increases in proportion to the square of the number of nodes on the network.

Marc Andreessen, one of the founders of the Web, said:

“A network in general behaves in such a way that the more nodes that are added to it, the whole thing gets more valuable for everyone on it because all of a sudden there is all this new stuff that was not there before. You saw it with the phone system. The more phones that are on the network, the more valuable it is to everyone because then you can call these people. Federal Express, in order to grow their business, would add a node in Topeka and business in New York would spike. You see it on the Internet all the time. Every new node, every new server, every new user expands the possibilities for everyone else who is already there.”

Reference: http://www.si.edu/resource/tours/comphist/ma1.html.

Integrated Yet Open—Project Orion

Project Orion is a new and innovative initiative with the goal of making enterprise infrastructure software predictable in its delivery, more freely accessible for evaluation, and even more affordable to purchase.


Project Orion is designed to take a view of the entire enterprise infrastructure software life cycle process, from development through production and ongoing operation, identifying and reducing the complexity and cost associated with each step.

Project Orion leverages Sun’s proven competency in developing and releasing large-scale systems software, best demonstrated by its multi-platform Solaris OE. The effort will align the integration, testing, and release of all of the company’s software products and pricing models. One of the biggest changes in Sun’s software release strategy has been to create a specific release model where major Solaris OE releases are only done every two years, providing stability for customers, and predictable minor releases are scheduled like clockwork on a quarterly basis. This is sometimes referred to as the Solaris train. All new software or features that are ready are allowed on board and released as part of the Solaris OE. Any software or features that miss the train catch the next one the following quarter, assuming the boarding criteria have been met. This allows for both quality and rapid release of features.

Project Orion brings this release model to the Sun ONE software packages, just as the Sun Solaris train model does. As each individual Sun ONE software component product satisfies the Project Orion criteria, it boards the software train. Each software train leaves on a regular quarterly schedule. New component product features or versions that are not ready for boarding catch the next software train if they are ready. Each software train goes through extensive end-to-end testing based on customer use scenarios prior to shipping. Component products must successfully complete testing prior to shipping on a quarterly-release software train.

Project Orion also allows customers to select best-of-breed components from Sun’s partners if they so choose. If you already have a specific Java Application Server, continue to use it—Sun ONE is integrated, yet open.

SDN Concept

Today’s migration towards “always-on” services requires a new type of network architecture, one that is built from the top down with the goal of delivering software as “services” regardless of the final delivery technology (such as wireless or broadband) or what specific “service” is being delivered (for example, web services versus messaging). These solutions require optimal architectures that can support ubiquitous service access.

The emphasis on service delivery is the heart of the SDN, a service-based network architecture for data center deployments. The SDN architecture services provide a foundation for scalable e-services, such as those offered by Sun ONE, while helping customers meet demands for reliability and performance.

Several growth areas affect future computing platforms and the services delivered by organizations today:

- Growth and availability of network bandwidth
- Growth of data-intense wireless services
- The need for disaster recovery and mission-critical service delivery
- Growth of computer processing, taking advantage of rich content

These factors significantly enhance the need for scalable, highly secure, and high-performance network topologies that can support high-velocity change. The Sun Professional Services Software Delivery Network architecture service offerings have been developed to help customers meet these needs while supporting future technology requirements.

The SDN architecture is a highly scalable, maintainable, supportable network architecture that can be deployed in Internet data centers (IDCs), service provider networks (SPNs), and other areas and projects that are designed, integrated, and supported by Sun Professional Services and Enterprise Services as SunTone Certified, where possible.

The majority of SDN architecture sales are made in conjunction with a fairly large infrastructure solution project such as Messaging or Directory design and implementation. Many of these are for large service provider (SP) organizations, but the concepts, availability, and security issues apply to most organizations.

SDN architecture is project based, usually coupled with a data center implementation similar to the business model already seen in EMEA, often including Web services and Sun ONE or Wireless. It will be an essential component of these implementations to enable achievement of our customers' Quality of Service (QoS) requirements.

For more information see:

http://www.sun.com/service/sunps/architect/delivery/.

Conclusion

By sticking with open standards, thinking of messaging as a "service," and looking at future possibilities for use (for example, portals) when evaluating or architecting a messaging infrastructure, the result will be a solid, scalable, open architecture with flexibility to meet future needs not yet defined.

CHAPTER 3

Messaging Architectures

This chapter describes the architectures of some of the more common configurations and explains that there are almost infinite combinations. It outlines the pros and cons of each architecture to provide you with information to determine which architectures meet your enterprise messaging requirements. Chapter 10, "Security," on page 153 addresses security in detail, but a secure architecture is discussed in this chapter to indicate the use of firewalls in multiple layers, that is, a demilitarized zone (DMZ), as not all messaging systems actually are behind firewalls.

This chapter covers the following topics:

- Directory
- MTA
- Mailstore
- Proxy Servers
- Simple Single-Layer Architecture
- Simple—Alternative Architecture
- Typical Architecture
- Secure—Basic Architecture
- High Availability—Failover Architecture

Often there is more than one method of doing things. Designing and installing a messaging system is no different. Depending upon your organization's specific goals, skills, and networking environment, one architecture may be more relevant than another.

Generally, the architectures can be organized into several categories or combinations of categories:

- Simple Single Layer
- Multitiered
- Secure
- Highly available

To help you understand more about messaging architecture, this chapter reviews some of the basic parts of the messaging system first.

Four basic parts of a messaging system are important to the architecture and can be sized separately:

- Directory
- Gateway, also called message transfer agent (MTA)
- Mail server, also called mailstore
- Proxy server

Directory

The directory or user store in the messaging architecture stores user information such as ID, password, and email address. The software of many messaging servers utilizes the user store mechanism of the host, such as /etc/passwd on the Solaris OE. Others, such as the Sun ONE Messaging Server, utilize a directory or LDAP service to store and access user information.

The Sun ONE Messaging Server ships with and requires a fully compliant LDAP directory that contains directory objects specific to the Sun ONE Messaging Server software. These directory objects extend the default Internet Engineering Task Force (IETF) schema with additional attributes. A complete guide to the Sun ONE Messaging Schema is part of the existing documentation.

These additional attributes contain information such as an alternate address, or alias as it is sometimes called. Other attributes are used to store user preferences for web mail and configuration information about email services, as well as group information (mailing lists) and personal address books. In the Messaging Server software, information regarding processing a user's inbound email such as vacation messages, server-side filters, and forwarding is also stored in the directory.

The directory is a lot like a database—a very small, fast database. One thing to note is that when directories or LDAP were originally developed, they were primarily designed to be read oriented, say a 90 percent read and 10 percent write ratio. Today's usage of the directory has changed significantly. Things like messaging, calendar, and portal all store preferences and information in a directory server. The read/write ratio is now closer to 80 percent read and 20 percent write. So it is critical that the directory is available and that the performance of the directory is good or better than good.

MTA

The MTA, which is sometimes referred to as the mail gateway or SMTP server, routes the mail to its destination or rejects it if it is not properly formatted or addressed, or simply not for this messaging system. This is typically done via SMTP or related protocols such as the Extended Simple Mail Transfer Protocol (ESMTP) and Local Mail Transfer Protocol (LMTP). Basically, the MTA is to email what a Cisco router is to Ethernet packets.

The MTA is also what determines how messages are handled for specific users based on their preferences stored in the directory (for example, a vacation message). And, it is the place where expansion of mail lists, groups, and aliases occurs. The MTA is typically where advanced processing gets done and how integration with third-party software packages such as virus scanning and antispam functionality occurs.

Mailstore

The basic function of the mailstore, sometimes incorrectly referred to as the mail server, is to store and send email to users via IMAP, POP, and web mail. The Sun ONE Messaging Server software is somewhat unique among the messaging systems on the market. Most messaging systems store email in a file system only or within a database only. The Messaging Server system offers a hybrid approach, storing messages in a file system, but also storing a copy of the header information (date, time, subject, sender, and so forth) in a database. This improves performance so that when users log in or sort email in their client, very little if any file system interaction is necessary. The information all comes from the database, which should be mostly in memory.

Mailstores can often be hundreds of gigabytes due to requirements for archiving and the volume and size of email messages these days, as outlined in the first chapter. It is not uncommon to find terabyte-sized mail stores, for example:

50,000 mailboxes × 20-megabyte quota = 1,000,000 megabytes = 1000 gigabytes = 1 terabyte
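The hybrid store described above, as an added example that is not code from the BluePrint or from the Messaging Server: message bodies go to the file system, a copy of the header fields goes to a SQLite index, and the mailbox listing a client asks for on login is answered by the index alone. The store root, mailbox name and sample messages are constructed for the demonstration.

```python
"""Added example, not code from the BluePrint or the Messaging Server: a
miniature hybrid mailstore. Bodies live in the file system, a copy of the
header fields lives in a database (SQLite here), so listing and sorting a
mailbox never touch the message files. The store root, mailbox name and the
sample messages below are constructed for the demonstration."""
import email
import email.utils
import os
import sqlite3
import tempfile
from email.message import EmailMessage

# Client sort keys mapped to index columns. Looking the column up in a fixed
# table keeps an untrusted, client-supplied sort name out of the SQL text.
SORT_COLUMNS = {"date": "sent_at", "subject": "subject", "size": "size", "sender": "sender"}


class HybridStore:
    def __init__(self, root):
        self.root = root
        os.makedirs(root, exist_ok=True)
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE headers (mailbox TEXT, uid INTEGER, sender TEXT, subject TEXT,"
            " sent_at INTEGER, size INTEGER, PRIMARY KEY (mailbox, uid))"
        )
        self.file_reads = 0  # how often the body store was opened for reading

    def deliver(self, mailbox, raw):
        """Write the raw message to disk and index its headers once, at delivery."""
        msg = email.message_from_bytes(raw)
        sent = email.utils.parsedate_to_datetime(msg["Date"])
        row = self.db.execute(
            "SELECT COALESCE(MAX(uid), 0) + 1 FROM headers WHERE mailbox = ?", (mailbox,)
        ).fetchone()
        uid = row[0]
        folder = os.path.join(self.root, mailbox)
        os.makedirs(folder, exist_ok=True)
        with open(os.path.join(folder, "%d.msg" % uid), "wb") as fh:
            fh.write(raw)
        self.db.execute(
            "INSERT INTO headers VALUES (?, ?, ?, ?, ?, ?)",
            (mailbox, uid, msg["From"], msg["Subject"], int(sent.timestamp()), len(raw)),
        )
        return uid

    def listing(self, mailbox, sort="date"):
        """Mailbox listing as a client sees it on login: answered from the index only."""
        column = SORT_COLUMNS[sort]  # KeyError for any sort name not in the table
        return self.db.execute(
            "SELECT uid, sender, subject, size FROM headers WHERE mailbox = ? ORDER BY " + column,
            (mailbox,),
        ).fetchall()

    def fetch(self, mailbox, uid):
        """Only an explicit fetch of a body reads from the file system."""
        self.file_reads += 1
        with open(os.path.join(self.root, mailbox, "%d.msg" % uid), "rb") as fh:
            return fh.read()


def build_message(sender, subject, date, body):
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "alice@example.com"
    msg["Subject"] = subject
    msg["Date"] = date
    msg.set_content(body)
    return msg.as_bytes()


# Constructed sample traffic, deliberately delivered out of date order.
SAMPLE = [
    ("bob@example.com", "Lunch", "Tue, 12 Aug 2003 10:00:00 +0000", "Noon?"),
    ("carol@example.com", "Budget", "Mon, 11 Aug 2003 09:30:00 +0000", "See attached."),
    ("dave@example.com", "Re: Lunch", "Tue, 12 Aug 2003 10:05:00 +0000", "Yes."),
]


def demo(root=None):
    """Deliver the samples, list the mailbox by date, then fetch the oldest body.
    Returns (uids in date order, file reads needed for the listing, oldest body)."""
    store = HybridStore(root or tempfile.mkdtemp(prefix="hybridstore-"))
    for sender, subject, date, body in SAMPLE:
        store.deliver("alice", build_message(sender, subject, date, body))
    uids_by_date = [row[0] for row in store.listing("alice", "date")]
    reads_for_listing = store.file_reads
    oldest_body = store.fetch("alice", uids_by_date[0])
    return uids_by_date, reads_for_listing, oldest_body


if __name__ == "__main__":
    print(demo())
```

Running it lists the mailbox by date as uids 2, 1, 3 with zero file reads; only the explicit fetch opens a message file. That is the property the text describes: a login or a re-sort in the client costs index queries, not disk traversal of the store.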

Proxy Servers

To allow for flexibility, redundancy, and abstraction and to provide a layer of security, organizations often utilize a concept known as proxy servers. They are fairly standard within the web server side of the infrastructure, but less so for messaging.

The Sun ONE Messaging Server software environment offers two proxy servers:

- messaging multiplexer proxy (MMP)
- messenger express multiplexer (MEM)

MMP proxies POP and IMAP connections, whereas the MEM off-loads the web mail client from the mailstore, so in a true sense MEM is a front-end, not a proxy.

Why a proxy function? Well, in a large Internet Service Provider or in environments that have grown beyond a single mailstore, the proxy hides the fact that you have multiple back-end servers, allowing a single client configuration (for example, smtp.company.com and imap.company.com) regardless of which mail server the user's physical inbox is on.

Sometimes network security requirements dictate the use of a proxy mechanism as well, so the service, such as POP or IMAP, can be exposed while the content server (mailstore) is not.
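The two directory-driven decisions from the MTA and proxy descriptions above, as one added example that is not code from the BluePrint or the Messaging Server: route() is the MTA's per-recipient decision, expanding aliases and groups and refusing to relay for outsiders, and mmp_backend() is the MMP's authenticate-then-proxy step, which returns the single mailstore holding the user's inbox. DIRECTORY is an in-memory stand-in for the LDAP entries; the attribute names follow the Messaging Server schema (mail, mailAlternateAddress, mailHost), but the users, hosts and passwords are constructed for the example.

```python
"""Added example, not code from the BluePrint or the Messaging Server. The
MTA decides for each recipient whether mail is local (after expanding
aliases and groups), may be relayed, or must be rejected; the MMP
authenticates a POP/IMAP client and proxies it to the one mailstore holding
that user's inbox. DIRECTORY stands in for the LDAP directory; the attribute
names follow the Messaging Server schema, the data is constructed."""
import hashlib
import hmac
import os
import re

LOCAL_DOMAINS = {"example.com"}
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")
_SALT = os.urandom(16)  # a real directory keeps a per-user salt with each hash


def _pwhash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


DIRECTORY = {  # constructed entries, keyed by uid
    "alice": {"mail": "alice@example.com", "mailAlternateAddress": ["a.smith@example.com"],
              "mailHost": "store1.example.com", "password": _pwhash("correct horse")},
    "bob": {"mail": "bob@example.com", "mailAlternateAddress": [],
            "mailHost": "store2.example.com", "password": _pwhash("hunter2")},
    # Groups carry members instead of a mailbox; "all" contains a group, so
    # expansion has to recurse and deduplicate.
    "staff": {"mail": "staff@example.com", "members": ["alice@example.com", "bob@example.com"]},
    "all": {"mail": "all@example.com", "members": ["staff@example.com", "alice@example.com"]},
}


def lookup(address):
    """Resolve a primary or alternate (alias) address to its directory entry."""
    address = address.lower()
    for entry in DIRECTORY.values():
        if entry["mail"] == address or address in entry.get("mailAlternateAddress", []):
            return entry
    return None


def expand(address, seen=None):
    """Expand lists and groups down to mailboxes; 'seen' stops mail loops."""
    seen = set() if seen is None else seen
    address = address.lower()
    if address in seen:
        return set()
    seen.add(address)
    entry = lookup(address)
    if entry is None:
        return set()
    if "members" in entry:
        return set().union(*(expand(m, seen) for m in entry["members"]))
    return {entry["mail"]}


def route(recipient, client_is_internal):
    """MTA decision for one RCPT TO.
    Returns ('reject', reason), ('relay', domain) or ('local', {mailHost: [mailboxes]})."""
    if not ADDRESS_RE.match(recipient):
        return ("reject", "malformed address")
    domain = recipient.rsplit("@", 1)[1].lower()
    if domain not in LOCAL_DOMAINS:
        # Relay outbound mail for our own network only; accepting this from
        # the Internet side would make the MTA an open relay.
        return ("relay", domain) if client_is_internal else ("reject", "relaying denied")
    mailboxes = expand(recipient)
    if not mailboxes:
        return ("reject", "no such user")
    by_host = {}
    for mailbox in sorted(mailboxes):
        by_host.setdefault(lookup(mailbox)["mailHost"], []).append(mailbox)
    return ("local", by_host)


def mmp_backend(username, password, protocol):
    """MMP decision: authenticate, then name the single backend to proxy to.
    Returns (mailHost, port) or None; the client never learns any other host."""
    ports = {"imap": 143, "pop": 110}
    entry = DIRECTORY.get(username.lower())
    # Compare against a dummy hash when the user is unknown or is a group, so
    # response timing does not reveal which usernames exist.
    stored = entry.get("password") if entry else None
    ok = hmac.compare_digest(_pwhash(password), stored or bytes(32))
    if not ok or stored is None:
        return None
    return (entry["mailHost"], ports[protocol])
```

route("all@example.com", False) comes back as local mail split by mailHost, which is exactly what lets one MTA front several stores; route("victim@other.example", False) is rejected as relaying, while the same recipient from an internal client is relayed. mmp_backend("alice", "correct horse", "imap") returns store1 on 143, and a group or unknown name fails authentication in the same code path as a wrong password.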

Simple Single-Layer Architecture

In the simplest form, sometimes referred to as messaging in a box, all the components of the messaging server run on a single system (FIGURE 3-1) and no proxy is involved.

The components are:

- Directory
- MTA
- Mailstore

FIGURE 3-1 Messaging Server, Storage, and Firewall Messaging System (figure: Internet or WAN, firewall, server, storage)

The benefits and drawbacks to this type of architecture are:

- Simple
- Easy to manage
- Easy to troubleshoot
- Low total cost of ownership (TCO)
- Limited scalability—This architecture is obviously limited in scalability to the computer system's size (CPU and memory) and the operating system's scalability. Do not let this fool you into thinking that it cannot scale at all. In some messaging architectures, servers utilizing Sun hardware and the Solaris OE have scaled as high as 16 CPUs and are supporting thousands of concurrent users.

- No high availability—With everything in a single server, you have no redundancy beyond what is provided with that single system. You can get some availability through redundant components such as:
  - Power supplies
  - Network interfaces
  - CPU/Memory boards
  - RAID protected storage


- Security—Just because it is a simple configuration does not mean that it is entirely without security or that you cannot secure the system. Standard practices of turning off unused services, for example telnet, and replacing them with alternatives like ssh still apply, as does the use of firewall technology. However, without some form of relay or proxy for SMTP traffic from the Internet, this system will be accessible through SMTP directly from the Internet.

So, while a simple configuration is less secure than other configurations, it is not completely insecure. Overall this simple configuration tends to work for labs, training facilities, and very small systems where simplicity is the foremost requirement.

Simple—Alternative Architecture

The preceding configuration or architecture is very simple. One of the most common additions to the simple configuration is virus scanning in some manner. There are various methods of adding virus scanning to the messaging architecture, including:

- Adding a virus appliance such as Borderware or Symantec
- Adding a virus firewall such as Trend Micro's VirusWall
- Adding virus scanning software on the messaging server itself

Each of these approaches has pros and cons.

As many organizations are well aware, relying only on desktop virus-scanning software does not eliminate all viruses, for many reasons. Since viruses spread through email in addition to other methods, adding virus scanning to the messaging environment is a natural choice.

By combining a simple messaging install with an SMTP firewall product (FIGURE 3-2) offering antivirus (and potentially antispam) protection, the system accomplishes several things:

- Off-loads antivirus scanning from the messaging system—Often scanning takes significant processing power due to the requirement to examine all attachments as well as uncompressed attachments that are stored in compressed formats, such as zip files. It is not uncommon to have compressed files within compressed files. The level to which you scan is configurable, but each level takes more power.

- Isolates the Sun ONE Messaging Server from direct Internet access—Many hackers are well aware of exploits via SMTP and use the SMTP protocol to hack into people's networks or systems. By placing a firewall between the Internet and the mail server, a level of security is added. However, firewalls that offer an SMTP relaying function are often not nearly as secure as the Sun ONE Messaging Server relay; careful consideration is required.

- Reduces the messaging workload—In addition to off-loading the antivirus and antispam workload, it also off-loads the rejection of email not destined for your messaging server.

- Maintains overall simplicity—Still maintains most of the benefits of simplicity while adding additional security.

FIGURE 3-2 Alternate Configuration With SMTP Firewall (figure: Internet or WAN, SMTP firewall, server, storage)

Typically the main drawbacks of this configuration are:

- Added server requirement—The need to now manage two physical servers adds slightly more workload for the system administrator.

- Message headers—To scan all messages, sometimes message headers must be rewritten and forwarded to the scanning virus wall from the messaging server.


- Lack of flexibility—There are not a whole lot of optional configurations with a firewall and virus scanner in place; sometimes, this is the only such option available.

- Little, if any, redundancy—Since there is only one messaging system, there is no redundancy, or little beyond that which the single system provides (that is, RAID storage or redundant power supplies). Messages may or may not queue up on the virus wall server, depending upon its capabilities.

Although many sites use a virus firewall in front of the messaging server, there are disadvantages when putting another SMTP server in front of the Sun ONE Messaging Server's MTA as the outermost SMTP server in your organization. Here is a partial list of the major reasons:

- First and foremost, the vendors specialize in virus filtering. They are not experts in MTA technology, so their SMTP server is basic and not as full featured as the Sun ONE Messaging Server.

- Limited, if any, SMTP extension support, which means:
  - No SMTP AUTH
  - No NOTARY (for example, delivery receipt requests)
  - Deliver By (certain date)
  - Size-based extensions
  - Pipelining
  - SSL/TLS

- MIME support is minimal, with no support for other messaging formats (for example, RFC 1154, which is what Microsoft used before Exchange, NeXT Mail, BINHEX, or UUENCODE)
- Limited, if any, realtime blackhole list (RBL) support
- Handling of very long header lines (a common technique to exploit buffer overflow errors in various mail clients)
- Tools for blocking mail based on various pieces of originator information
- No MMP
- Limited mail routing capabilities

However, for simplicity's sake, many organizations still elect to use this alternative architecture.

Typical Architecture

A slightly more typical architecture (FIGURE 3-3), more commonly found, adds a couple of SMTP relays to the simple configuration.

FIGURE 3-3 Alternate Configuration With SMTP Relays and Firewall (figure: Internet or WAN, firewall, SMTP relay, SMTP relay, firewall, server, storage)


Often one relay is configured as inbound and the other outbound. These relays off-load the routing and rejecting of messages. These relays can also run antivirus and antispam software. This configuration assumes that the only protocol coming from the Internet or going out to the Internet is SMTP. Users access the messaging system internally only, through a virtual private network (VPN), or through the firewall. Combining a simple messaging installation with a pair of MTAs (SMTP routers) and a firewall accomplishes several things:

- Reduces routing workload for messaging—Some of the routing workload is being off-loaded, so messages destined for other mail servers internally or externally do not use the main messaging server.

- Isolates the messaging server from direct Internet access—Many hackers are well aware of exploits via SMTP and use the SMTP protocol to hack into people's networks or systems. By placing a firewall between the Internet and the mail server, a level of security is added. By no means is this 100 percent secure, but it does add some security.

- Off-loads antivirus scanning from the messaging system—Antivirus scanners such as Sophos Sweep or Symantec for UNIX can be loaded and integrated with the MTA of the Sun ONE Messaging Server.

- Duplicate MTAs—While they are typically configured with one MTA handling inbound messages and the other handling outbound messages, they can be configured identically and used as redundant systems, with one MTA handling (but not exclusively) inbound messages and the other primarily handling outbound messages. This is accomplished via round-robin DNS and mail eXchanger (MX) record configuration.
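The round-robin DNS and MX record configuration for the two relays, as an added example zone fragment that is not from the BluePrint; the names and the 192.0.2.0/24 addresses are placeholders from the documentation address range.

```zone
; Added example, not from the BluePrint: zone fragment for the two-relay
; "typical" layout. Names and 192.0.2.x addresses are placeholders.
$ORIGIN example.com.
; Two MX records at the same preference: remote senders use either relay,
; so inbound delivery is shared and continues if one relay is down. To make
; the second relay a standby instead, give it a larger preference (e.g. 20).
@        IN  MX  10  relay1.example.com.
@        IN  MX  10  relay2.example.com.
relay1   IN  A   192.0.2.21
relay2   IN  A   192.0.2.22
; One name for internal clients and the mailstore to hand outbound mail to;
; both addresses are returned and the name server rotates or randomizes
; their order across answers, spreading outbound load over the relays.
smtp     IN  A   192.0.2.21
smtp     IN  A   192.0.2.22
```

Equal MX preferences give load sharing plus automatic fallback; unequal ones give a strict primary/secondary order. Either way both relays must be configured identically, since a remote sender chooses between them, not you.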

The main drawbacks of this configuration are:

- Added server requirements—The need to manage more physical servers adds more workload for the system administrator.
- The need to maintain two MTAs—The need to edit and maintain both MTAs and keep them configured and synchronized with one another adds some complexity.

- Little, if any, redundancy—Since there is only one messaging system, there is no redundancy, or little beyond that which the single system provides (that is, RAID storage or redundant power supplies). If the messaging server fails, inbound messages will still queue up for delivery on the MTAs and outgoing messages already on the MTAs will still get sent to the Internet, but no users will be able to read their mail.

Secure—Basic Architecture

This architecture (FIGURE 3-4) continues to build upon the typical architecture, adding the proxy servers for user access (that is, IMAP or POP).

FIGURE 3-4 Proxy Configuration With SMTP Relays and Firewall (figure: Internet or WAN, firewall, SMTP relay, SMTP relay, proxy, proxy, firewall, server, storage)

The addition of these proxy servers extends the protocols through the firewall securely. Users must authenticate to these servers first, then they are proxied to the messaging server and only the messaging server.


Note – This configuration does not address all aspects of messaging security such as SSL, Secure Multipurpose Internet Mail Extensions (S/MIME), or an encrypted file system. Some of these methods are discussed in more detail later in this book. This architecture only addresses the physical and basic network layout.

Adding the proxy servers for IMAP, POP, and web mail:

- Extends the messaging server externally without requiring a virtual private network (VPN).

- Reduces routing workload for messaging—Some of the routing workload is being off-loaded, so messages destined for other mail servers internally or externally do not use the main messaging server.
- Provides duplicate MMP and MEM servers, which adds redundancy—Using round-robin DNS or a network-based load balancer, redundancy for this type of server can be accomplished.

- Isolates the messaging server from direct Internet access—Many hackers are well aware of exploits via SMTP and use the SMTP protocol to hack into people's networks or systems. By placing a firewall between the Internet and the mail server, a level of security is added. By no means is this 100 percent secure, but it does add some security.
- Off-loads antivirus scanning from the messaging system—Antivirus scanners such as Sophos Sweep or Symantec for UNIX can be loaded and integrated with the MTA of the Messaging Server.

The main drawbacks of this configuration are:

- Added server requirements—The need to manage more physical servers adds more workload for the system administrator.

- Need to maintain two MTAs—The need to edit and maintain both MTAs and keep the configurations synchronized with one another adds some complexity.

- Additional firewall configuration required—Due to all the ports and servers, the firewall must be configured appropriately.

- Little, if any, redundancy—Since there is only one messaging system, there is no redundancy, or little beyond that which the single system provides (that is, RAID storage or redundant power supplies). If the messaging server fails, inbound messages will still queue up for delivery on the MTAs and outgoing messages already on the MTAs will still get sent to the Internet, but no users will be able to read email. Web mail users will not have anything.
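What "the firewall must be configured appropriately" comes to for the layout in FIGURE 3-4, as an added example that is not from the BluePrint: Solaris IP Filter (ipf.conf) rules for the outer and inner firewalls, shown together here although each firewall gets its own file. Interface names, the 192.0.2.0/24 (DMZ) and 198.51.100.0/24 (internal) addresses, and the web mail port on the store are placeholders.

```ipf
# Added example, not from the BluePrint. Placeholder addressing:
#   DMZ 192.0.2.0/24: relays .21 .22, MMP .31, MEM .32
#   internal 198.51.100.0/24: mailstore .40, directory .41
#
# ---- outer firewall: hme0 faces the Internet, hme1 the DMZ ----
# Default deny in both directions, logged; only the "pass ... quick" rules
# below punch holes, and every hole is a specific host and port.
block in log on hme0 all
block out log on hme0 all
# Inbound SMTP reaches only the two relays, never the mailstore.
pass in quick on hme0 proto tcp from any to 192.0.2.21 port = 25 flags S keep state
pass in quick on hme0 proto tcp from any to 192.0.2.22 port = 25 flags S keep state
# POP/IMAP and their SSL ports reach only the MMP; web mail only the MEM.
pass in quick on hme0 proto tcp from any to 192.0.2.31 port = 110 flags S keep state
pass in quick on hme0 proto tcp from any to 192.0.2.31 port = 143 flags S keep state
pass in quick on hme0 proto tcp from any to 192.0.2.31 port = 993 flags S keep state
pass in quick on hme0 proto tcp from any to 192.0.2.31 port = 995 flags S keep state
pass in quick on hme0 proto tcp from any to 192.0.2.32 port = 443 flags S keep state
# Outbound SMTP originates from the relays only, so a compromised proxy
# cannot become a spam source through this firewall.
pass out quick on hme0 proto tcp from 192.0.2.21 to any port = 25 flags S keep state
pass out quick on hme0 proto tcp from 192.0.2.22 to any port = 25 flags S keep state

# ---- inner firewall: hme0 faces the DMZ, hme1 the internal network ----
# Nothing on the Internet side can reach the mailstore; each DMZ host gets
# only the port it actually needs on the store and the directory.
block in log on hme0 all
pass in quick on hme0 proto tcp from 192.0.2.21 to 198.51.100.40 port = 25 flags S keep state
pass in quick on hme0 proto tcp from 192.0.2.22 to 198.51.100.40 port = 25 flags S keep state
pass in quick on hme0 proto tcp from 192.0.2.31 to 198.51.100.40 port = 110 flags S keep state
pass in quick on hme0 proto tcp from 192.0.2.31 to 198.51.100.40 port = 143 flags S keep state
pass in quick on hme0 proto tcp from 192.0.2.32 to 198.51.100.40 port = 80 flags S keep state
# Relays and proxies look users up in the directory (LDAP).
pass in quick on hme0 proto tcp from 192.0.2.21 to 198.51.100.41 port = 389 flags S keep state
pass in quick on hme0 proto tcp from 192.0.2.22 to 198.51.100.41 port = 389 flags S keep state
pass in quick on hme0 proto tcp from 192.0.2.31 to 198.51.100.41 port = 389 flags S keep state
pass in quick on hme0 proto tcp from 192.0.2.32 to 198.51.100.41 port = 389 flags S keep state
```

The check worth running after loading the rules is a scan from the Internet side: 25 on the relays and 110/143/443/993/995 on the proxies should answer, and nothing in 198.51.100.0/24 should be reachable at all. Adding a second MMP or MEM means repeating its lines with the new address; the store and directory lines do not change.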

High Availability—Failover Architecture

One of the easiest and simplest ways of architecting a high-availability configuration is to cluster, using the Sun™ Cluster 3.0 software for example (FIGURE 3-5).

FIGURE 3-5 Simple Failover Configuration (figure: firewall, network with backup net connection, two servers joined by a cluster interconnect, shared storage)

This architecture provides a highly available yet simple configuration. As you would expect, the benefits and drawbacks of this architecture closely mirror those of the simple configuration, with the exception being that it is now highly available.

The clustering software not only handles hardware failures but in many cases software issues as well, trying to restart failed daemons or processes first, then triggering a complete restart or failover of the entire system.

Failover itself can vary between minutes to as much as an hour depending upon the specific configuration, settings, and storage status. Should a catastrophic storage failure occur, parity and sanity checks on the storage subsystem can add significantly to the normally fast (that is, less than 10 minutes) failover time.


A more complex high availability configuration (FIGURE 3-6) combines portions of the secure architecture with that of the simple failover.

FIGURE 3-6 Failover With Relays and Firewall (figure: Internet or WAN, firewall, SMTP relay, SMTP relay, proxy, proxy, firewall, network with backup net connection, two servers joined by a cluster interconnect, shared storage)

By combining the secure configuration with parts of the simple failover, you can obtain availability for the routing (MTA), access (proxy), and mailstore, yet have the ability to extend services such as web mail, IMAP, and POP access to users external to the internal network.

One aspect of availability that will be addressed further in Chapter 14, "Highly Available Messaging Deployment," on page 201, is Directory Server availability.

Currently there are two models for providing availability of LDAP (directory) services—the traditional failover using Sun Cluster or VERITAS products and the Multiple Master Replication feature of the Sun ONE Directory Server. Each has its own benefits and drawbacks, with many people looking at Multiple Master Replication as the new de facto method for addressing availability of the directory server.

Sun has a Reference Architecture program that defines the hardware and software components needed to build end-to-end solutions that meet specific business needs. Each Reference Architecture has been designed, tested, and documented, so users can reduce the complexity, costs, and risks of deploying new technology in their enterprises. Sun's Reference Architectures combine:

- A documented multitiered architecture
- Recommended technology products from Sun and other vendors
- Architecture, sizing, and implementation guides

For more details on the Messaging Reference Architecture, see:

http://www.sun.com/products/architectures-platforms/refarch/specs.html#g1_5.1.

CHAPTER 4

Installation Preparation

To continue in further chapters, it is recommended that a functional messaging system be available to the reader for hands-on work. This chapter outlines some issues and practices that are important during pre-installation. These issues can have significant impact on installation, operations, and recovery capability. It provides insight into situations that normally cause consternation. References are made to specific sections of manuals or additional supplemental materials. Think of this chapter as a reminder regarding operating system best practices that can be found in other BluePrints and elsewhere.

This chapter contains the following topics:

- Preparation Process
- Network Connectivity

Preparation Process

This section provides an overview of the preparation process. It covers the following topics:

- Good Computing Practices
- Differences Between Production and Non-production
- Basic Solaris OE Installation

Good Computing Practices

A very w ise system en gineer at Sun once gave me p erhap s the best piece of ad viceever: “Prior planning prevents poor performance.”

The general idea is to start with a solid foundation (the Solaris OE) and build a solid structure (the Sun ONE Messaging Server) on it. If an incomplete or poor Solaris OE installation is done, do not expect applications such as the Messaging Server to operate correctly or efficiently. It all starts with good computing practices and preparation.

In some organizations, standards and practices regarding system installation and configuration exist. While most organizations agree that standards are a good thing, many simply do not go to this level of detail or effort. If your organization has such standards and practices, that is the place to start. Then incorporate or adjust (if absolutely necessary) anything specific to the messaging environment.

For those organizations that have no standards or perhaps only basic system administration knowledge, there are definitely things that will make the overall process smoother. This chapter outlines some of the basic issues that might interfere with getting the messaging system operational.

Differences Between Production and Non-production

There is a distinct difference between a production and a non-production environment or system. In many situations, it goes way beyond the issue of simply being able to reboot the system at will. Other issues such as change control procedures, security requirements, patching, disk layout, upgrades, and documentation are all different for a production environment than for a non-production environment. Standards and practices typically address these issues within an organization.

One issue that this chapter addresses specifically is the disk layout or partitioning. To simplify the process of creating a prototype or test system for messaging, the system hard drive configuration has only three partitions:

- swap has at least 256 megabytes minimum, up to 1x physical memory.
- / has four gigabytes or more.
- /export/home uses the remainder of the drive.

In a production environment, you would definitely create additional partitions to segregate specific data and applications (some of this is also discussed in Chapter 12, "Performance Tuning," on page 179). In addition to the preceding partitions, you would have partitions for the following functions:

- queues—Used to temporarily store the messages when routing
- store—Also referred to within the messaging server as a partition. There might be multiple stores, depending upon the number of mailboxes or specific policies.
- var—/var directory in the Solaris OE where logs and some temp files are stored
- usr—/usr directory in the Solaris OE
- logs—Sometimes, depending upon specific needs or volume of logs, it is a good idea to have a separate volume or partition to write to.

- opt—Where optional program binaries are stored. Messaging software can be installed here if desired.

Your organization might have specific practices regarding disk layout. Start with this and modify or incorporate the messaging requirements.

Note – Do not take the AUTO LAYOUT defaults of the Solaris installation program. This will typically undersize the root and other partitions.

For some basic system (Solaris OE) install practices, the following resources are recommended:

- Solaris System Administrator’s Guide, 3rd Edition, Janice Winsor

- Sun BluePrint book, Operating Environment: Solaris 8 Installation and Boot Disk Layout, March 2000, Richard Elling

- Sun BluePrint book, Configuring Boot Disks, December 2001, John S. Howard and David Deeths

- Solaris Documentation Set

Basic Solaris OE Installation

Some advice regarding the initial Solaris OE installation that can prevent issues in the future:

- Install the latest update.

- Install the entire distribution.

The Solaris 8 OE will be installed on our prototype system. As a general practice, it is good to start with the most recent update. Currently, this is Solaris 8 OE 02/02. You could also install the latest Solaris 9 OE 04/03; however, some installation instructions may be slightly different. Using the latest release will reduce the amount of patching required.

One of the areas that can sometimes create problems is the specific installation of the Solaris OE. Those familiar with the overall install process know that the Solaris OE installation program provides five options when performing an interactive install:

- Entire distribution with OEM support

- Entire distribution

- Developer

- End-user

- Custom

The mistake that is often made is to install something less than the entire distribution without specifically knowing that your applications will work correctly in this configuration. The entire distribution loads libraries and other files that are often required by applications for various reasons such as dynamic linking. Not having access to these libraries or files will create some interesting issues that may appear only after the program has been installed and operational for some time. So unless your organization has a specific standard regarding what is installed, use the entire distribution. If you begin to have problems or the software runs strangely (sometimes things like missing character sets can cause issues), investigate which load of the Solaris OE was installed. For the demo or prototype system, the Entire Distribution of Solaris 8 OE 02/02 is used. Keep in mind that the entire distribution also installs, and in many cases enables, network services the messaging server does not need; a production build should still disable the unneeded services after installation.

For details regarding installing the Solaris OE, refer to the Solaris Installation Guide.

Now that Solaris is installed, the next step is to patch the system. Begin by downloading the latest Solaris Recommended Patch Cluster for the specific version of the Solaris OE from the SunSolve web site at:

http://sunsolve.sun.com.

In our case, the Solaris 8 Patch Cluster contains the latest security and recommended patches for Solaris 8 OE. Follow the installation instructions provided with the Solaris Recommended Patch Cluster.

Now check the Release Notes for the Sun ONE Messaging Server, or any other application that you plan on installing, for any additional required patches that may not be included as part of the Solaris Recommended Patch Cluster. You can retrieve individual patches from the SunSolve web site as well. These patches are generally available; however, in some rare situations they may only be available to customers with support contracts.
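Added here as an example (it is not part of the BluePrint): a script that takes the patch IDs listed in a product's release notes and checks them against the output of showrev -p, reporting patches that are missing or installed at an older revision than required. The showrev lines and patch IDs below are constructed for illustration; substitute the IDs from the release notes and the real output of showrev -p on the host.

```sh
#!/bin/sh
# Added example, not from the BluePrint: confirm that the patches a product's
# release notes call for are actually installed, by comparing them with the
# output of showrev -p. The patch IDs and showrev lines below are constructed
# for illustration; real IDs come from the release notes.

# Emit "base revision" for each installed patch. showrev -p lines look like:
#   Patch: 123456-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
installed_patches() {
    awk '$1 == "Patch:" { split($2, p, "-"); print p[1], p[2] + 0 }' "$1"
}

# Usage: check_required_patches <showrev -p output file> <patch-id>...
# Prints MISSING or OLD for each requirement not met by an equal or newer
# revision. Returns 1 if anything is unmet, 0 otherwise.
check_required_patches() {
    showrev_file="$1"; shift
    unmet=0
    for req in "$@"; do
        base=${req%-*}
        rev=${req#*-}
        have=$(installed_patches "$showrev_file" \
               | awk -v b="$base" '$1 == b { print $2 }' | sort -n | tail -1)
        if [ -z "$have" ]; then
            echo "MISSING $req"
            unmet=1
        elif [ "$have" -lt "$rev" ]; then
            echo "OLD $req (installed revision $have)"
            unmet=1
        fi
    done
    return $unmet
}

# --- constructed showrev -p output -------------------------------------------
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/showrev.txt" <<'EOF'
Patch: 123456-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 234567-10 Obsoletes:  Requires: 123456-01 Incompatibles:  Packages: SUNWcsr
EOF

# On a live host: showrev -p > "$tmp/showrev.txt", then pass the IDs taken
# from the release notes. Here 123456-03 is satisfied, 234567-12 is newer
# than what is installed, and 345678-01 is not installed at all.
check_required_patches "$tmp/showrev.txt" 123456-03 234567-12 345678-01 \
    || echo "one or more required patches are not installed"
```

A requirement is met by any equal or newer revision of the same base patch, which is how Sun patch revisions accumulate fixes; the exit status makes the check usable from a JumpStart finish script or a nightly cron job.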

Now is the time to consider how best to maintain your system patch level. Several tools or utilities can help you do this:

- Patch Manager—Automates patch management and improves patch analysis accuracy. Provides configuration-specific patch analysis, automated patch download, patch dependency resolution, and installation. Available for Solaris OE 2.6 through Solaris OE 9, Sun Cluster, Network Storage, Sun Enterprise 10000, and Sun Fire systems.

- PatchPro/PatchPro Expert—PatchPro Interactive generates a custom patch list that can be downloaded in a single tar file. This file is based on selections of various Sun hardware and software products. PatchPro Expert is a signed applet that analyzes your system and generates a custom patch list. The applet will attempt to detect software in all categories listed for PatchPro Interactive. PatchPro Expert requires a Java-enabled Netscape browser. Available for Solaris OE 2.6 through Solaris OE 9.

- PatchCheck—Replaces PatchDiag. Determines the patch levels on your system against Sun’s Recommended and Security patch list. Additionally, it operates from input files and lists all patches that pertain to packages installed on the system. This tool is similar to the PatchDiag tool that you may have used in the past, with the added advantage of producing reports in HTML format that allow you to select and receive your desired patches.

Why go to this degree of effort to patch the system?

In many cases, this will be the only chance to patch to this degree of thoroughness. Once a system is in production, it becomes more difficult to obtain maintenance windows.

There are several Sun technologies to assist an organization in installation and management of the Solaris OE:

- JumpStart—The JumpStart system is useful for much more than installing the Solaris OE. Solaris JumpStart is an automatic installation (auto-install) process available in the Solaris OE and comes free with Solaris. It allows system administrators to categorize machines on their network, and automatically installs systems based on the category (class) to which a machine belongs. In many ways, JumpStart is similar to the Red Hat Linux Kickstart functionality.

The JumpStart system is like a scripting language; the JumpStart framework provides a toolkit of operators that can be used individually or combined. These operators function well individually, but their true power is realized when they are combined.

You can even perform JumpStart over a wide area network (WAN) in the newer versions of the Solaris OE. With the boot command, you can specify the location of the JumpStart profile and sysidcfg information to use to perform the installation. You can specify a path to an HTTP server, an NFS server, or a file that is available on local media.

For a complete list of Sun BluePrints on JumpStart and Flash Archives, see:

http://www.sun.com/solutions/blueprints/browsesubject.html#jumpstart.

- Solaris Flash—The Solaris Flash feature provides new installation and provisioning functionality. System administrators can capture a snapshot image of a complete server—including the Solaris OE, the application stack, and the system configuration—into a new Flash Archive format. Using this system image, administrators can then replicate (clone) reference server configurations onto multiple servers. Solaris Flash images can be deployed using standard media or over the network via HTTP and NFS. Solaris Flash images can be installed using custom Solaris JumpStart scripts, the Solaris Web Start graphical interface, or Solaris OE interactive installation.

Solaris Flash technology provides the ability to layer Flash Archives. You can create partial Flash Archives to install in a variety of ways. This feature increases the flexibility for rapid modular deployment.

For example, you can create one archive that contains the Solaris OE files, a second archive that contains the files necessary to run a web server, and a third archive that contains the files for an NFS server. You can then install the first and second archives on one machine to create a web server, and the first and third archives to create an NFS server.

For more details, see:

http://wwws.sun.com/software/solaris/webstartflash/ and
http://wwws.sun.com/software/whitepapers/wpsolarisinst/solaris_installation_deployment.pdf.

- Change Manager—Change Manager is part of the Sun Management Center product family. Change Manager is a provisioning and change management software product that delivers a fast and easy way to install, configure, update, provision, and audit the software stacks running on Sun systems. It can significantly improve IT staff efficiency and productivity in a computing environment that relies on replicated servers to provide software services. Change Manager software utilizes Solaris Flash, Solaris Live Upgrade, and Solaris JumpStart technologies to provision servers. It can leverage existing JumpStart scripts and Flash Archive files to a degree.

Change Manager works on Solaris 8 OE 2/02 or later as well as the Solaris 9 OE. It is not bundled with the Solaris OE, but rather is a separate package available for purchase.

For more details, see:

http://wwws.sun.com/software/solaris/sunmanagementcenter/ds/ds-smccm/index.html.

- N1 for Blades—Due to their specific nature, blade servers are somewhat different than other types of servers when it comes to provisioning the operating environment and configuring the underlying hardware. Sun recently introduced the N1 Provisioning Server 3.0 Blades Edition software to address the provisioning issue for its blade servers. This software provides a powerful management environment for Sun Fire Blades and Shelves. Running on one or more dedicated servers, this software performs many of its management functions through an out-of-band management network. The N1 Provisioning Server 3.0 Blades Edition software enables system administrators to rapidly design, configure, provision, and scale blade-based logical server farms automatically. The software manages this pool, along with other networking resources, to quickly reconfigure, deploy, and decommission large collections of blades whether they are in the same data center or are geographically dispersed.

As the required testing and certification of the Sun ONE Messaging Server and related software take place on these Sun Fire Blade servers, the N1 Provisioning Server 3.0 Blades Edition software will undoubtedly be very useful.

For more details, see:

http://wwws.sun.com/software/products/provisioning_server/.

Network Connectivity

Some quick caveats regarding network connectivity. It goes without saying that network connectivity is required. There are, however, a couple of items that can cause issues or confusion in this area, either during the installation of the operating system or during the installation of the Messaging Server.

The issues tend to fall into one of five areas within networking:

- Host Name Resolution With /etc/hosts and DNS

- Naming Services Setup and Best Practices

- Network Load Balancing

- DHCP

- Domain Name

Host Name Resolution With /etc/hosts and DNS

You can do two things to avoid problems.

First, put all critical hosts that are absolutely, positively required for operation into the /etc/hosts file. Second, put the fully qualified host name (FQN) in the /etc/hosts file in addition to the short name.

During some parts of the installation process, the Messaging Server installation program needs fully qualified host names. If it cannot resolve the FQN, manual entry is required. Unfortunately humans are not as accurate as computers, so errors can occur. Following this advice allows the installation program to obtain the FQN directly.

Example:

root@sparc5-1# cat /etc/hosts
#
# Internet host table
#
127.0.0.1       localhost loghost
10.0.0.171      demo demo.test.sun.com
# Directory Server node
#
10.0.0.172      ldap ldap.test.sun.com
# SunCluster nodes
#
10.0.0.173      node0 node0.test.sun.com
10.0.0.174      node1 node1.test.sun.com

This example provides for resolution of both the fully qualified and non-qualified names if the normal naming service, such as NIS, NIS+, or DNS, becomes unavailable or slow. This can prevent some outages or problems. For the /etc/hosts entries to be consulted before DNS, the hosts line in /etc/nsswitch.conf must list files first (for example, hosts: files dns). Your organization’s standards may dictate otherwise—after all, this does add some maintenance over relying upon the naming service for everything.

Naming Services Setup and Best Practices

A number of options for naming services are available, including /etc/hosts, DNS, NIS, NIS+, and LDAP. The key here is to make sure that any naming service being used is accurate and available. If you use /etc/hosts, you must maintain it and keep it up to date. If you are using DNS, you must make sure that it is properly configured and is functional for each one of the name servers listed in the /etc/resolv.conf file. Why? If you simply test that DNS is working properly, you will only be testing that the server listed first resolves correctly, not the second or other servers listed:

root@sparc5-1# cat /etc/resolv.conf
domain test.sun.com
nameserver 10.0.62.1
nameserver 10.0.62.14
root@sparc5-1#

So in the event of an issue with 10.0.62.1, 10.0.62.14 will be used. However, if we never tested 10.0.62.14, it may not work either.
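The following shell script is added here as an example; it is not part of the BluePrint or of the Messaging Server. It checks an /etc/hosts file for entries that lack either a short or a fully qualified name, lists the nameservers in /etc/resolv.conf so that each can be probed on its own rather than trusting the resolver's first answer, and runs against constructed copies of the two files shown above (an nfs1 entry without an FQN is added to show a failing check). The probe_nameservers function needs nslookup and a network, so the script only defines it; run it by hand on a real host.

```sh
#!/bin/sh
# Added example, not from the BluePrint: check the two pieces of advice above.
#  1. Every critical host in /etc/hosts must carry both its short name and its
#     fully qualified name, so the installer can find the FQN without DNS.
#  2. Every nameserver in /etc/resolv.conf must be queried on its own; the
#     resolver only falls back to the second one when the first is down.

# Print each /etc/hosts entry (excluding loopback) that lacks a short name or
# a fully qualified (dotted) name. Prints nothing when the file is clean.
hosts_check() {
    sed -e 's/#.*//' "$1" | awk 'NF >= 2' | while read -r addr names; do
        case "$addr" in 127.*) continue ;; esac
        short=0; fqdn=0
        for n in $names; do
            case "$n" in
                *.*) fqdn=1 ;;
                *)   short=1 ;;
            esac
        done
        if [ "$short" -eq 0 ] || [ "$fqdn" -eq 0 ]; then
            echo "$addr $names"
        fi
    done
}

# Print the nameserver addresses from a resolv.conf, in resolver order.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Ask each nameserver directly for the given FQN. Needs nslookup and network
# access, so it is defined here but meant to be run on a real host, e.g.:
#   probe_nameservers demo.test.sun.com /etc/resolv.conf
probe_nameservers() {
    fqn="$1"; resolv="$2"
    for ns in $(resolv_nameservers "$resolv"); do
        if nslookup "$fqn" "$ns" >/dev/null 2>&1; then
            echo "OK   $ns answers for $fqn"
        else
            echo "FAIL $ns does not answer for $fqn"
        fi
    done
}

# --- constructed sample files (modelled on the chapter's demo host) ----------
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/hosts" <<'EOF'
#
# Internet host table
#
127.0.0.1       localhost loghost
10.0.0.171      demo demo.test.sun.com
10.0.0.172      ldap ldap.test.sun.com
10.0.0.173      node0 node0.test.sun.com
10.0.0.175      nfs1
EOF
cat > "$tmp/resolv.conf" <<'EOF'
domain test.sun.com
nameserver 10.0.62.1
nameserver 10.0.62.14
EOF

echo "hosts entries missing a short or fully qualified name:"
hosts_check "$tmp/hosts"
echo "nameservers to probe individually:"
resolv_nameservers "$tmp/resolv.conf"
```

On the constructed input the only entry reported is 10.0.0.175 nfs1; the demo, ldap and node0 lines carry both forms and pass. Loopback is skipped because localhost legitimately has no FQN.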

Network Load Balancing

Network-based load balancing allows for failover of IP addresses and services. This can be done several ways:

- Round-robin DNS feature of newer revisions of DNS (BIND).

- Layer 3/4 switches—Alteon is an example.

- Software—Resonate is an example.

There are pros and cons to each of these ways, however. While round-robin DNS is inexpensive, it also takes several minutes or longer to fail over. Layer 3/4 switches and software operate quickly, within seconds or even faster, but they are expensive. Depending on your availability requirements and budget, you must begin planning your networking availability strategy up front. Otherwise, this will impact the installation and configuration of the messaging systems. Renaming and re-addressing the systems is not a simple task.

DHCP

The Dynamic Host Configuration Protocol (DHCP) is not supported for a server running the Messaging Server software. In places, the software records the IP address of the server for security reasons, so the address must be static.

Domain Name

It is generally a good idea to set or configure the default domain name, either through the command line or /etc/defaultdomain. Not having this set can sometimes cause problems. However, the default does not have to match any specific domain name of the Messaging Server, DNS, or Network Information Service (NIS).

CHAPTER 5

System Startup

This chapter covers the basics of getting the system started and provisioning users once the system is operational. It is designed to provide you an understanding of the various mechanisms for provisioning as well as the pros and cons of each method. You can easily automate provisioning, but there are times when manual entry is required too.

First, this chapter reviews the daemons running on a test or demo system so you can see what a correctly installed system should look like from the top or ps -ef commands and utilities. Then, the chapter describes the various options for administration of the system, including provisioning. Some specific administrative actions are only available using one method or another. There are others you really should do one way and not another. A simple example of provisioning accounts and users by using a Perl script is provided, plus a script for generating test users.

This chapter covers the following topics:

- Basic System Status

- Provisioning

- Sample Data File

- Sample Provisioning Script

- Test User Generation Script

Basic System Status

First, the system should be installed and operational. If you had difficulties or are unsure that the system is operational, there are several ways to check the system status using either the start and stop scripts from the previous chapter or more familiar UNIX commands and utilities such as top and ps -ef.

To check on the status of the test system installed for this book, use the ps -ef command:

CODE EXAMPLE 5-1 ps -ef Command Output

UID PID PPID C STIME TTY TIME CMD
root 0 0 0 Apr 11 ? 0:01 sched
root 1 0 0 Apr 11 ? 0:01 /etc/init -
root 2 0 0 Apr 11 ? 0:00 pageout
root 3 0 0 Apr 11 ? 35:08 fsflush
root 482 1 0 Apr 11 ? 0:00 /usr/lib/saf/sac -t 300
root 487 456 0 Apr 11 ? 0:00 /usr/dt/bin/dtlogin -daemon
root 176 1 0 Apr 11 ? 0:00 /usr/sbin/rpcbind
root 57 1 0 Apr 11 ? 0:00 /usr/lib/sysevent/syseventd
root 59 1 0 Apr 11 ? 0:00 /usr/lib/sysevent/syseventconfd
root 202 1 0 Apr 11 ? 0:01 /usr/lib/autofs/automountd
root 343 341 0 Apr 11 ? 0:00 /usr/sadm/lib/smc/bin/smcboot
root 217 1 0 Apr 11 ? 0:00 /usr/sbin/syslogd
root 232 1 0 Apr 11 ? 0:02 /usr/sbin/nscd
root 238 1 0 Apr 11 ? 0:00 /usr/lib/lpsched
root 486 456 0 Apr 11 ? 0:01 /usr/openwin/bin/Xsun :0 -nobanner -auth /var/dt/A:0-lcaa5a
root 27697 1 0 Apr 14 ? 0:00 /A1000/demo6789/ims52/bin/msg/admin/bin/enpd
root 476 1 0 Apr 11 ? 0:00 /usr/lib/dmi/snmpXdmid -s sparc5-1
nobody 27822 1 0 Apr 14 ? 0:00 /A1000/demo6789/ims52/bin/msg/imta/bin/dispatcher
root 370 1 0 Apr 11 ? 0:00 /usr/sbin/ifbdaemon /dev/fbs/ifb0
root 251 1 0 Apr 11 ? 0:00 /usr/lib/utmpd
root 199 1 0 Apr 11 ? 0:00 /usr/sbin/inetd -s
root 296 1 0 Apr 11 ? 0:10 /usr/lib/osa/bin/arraymon
root 311 1 0 Apr 11 ? 0:00 /usr/lib/osa/bin/sparcv9/rdaemon 29 203 5
root 372 1 0 Apr 11 ? 0:00 /usr/sbin/vold
root 446 1 0 Apr 11 ? 0:00 /usr/lib/nfs/nfsd -a 16
root 485 482 0 Apr 11 ? 0:00 /usr/lib/saf/ttymon
root 456 1 0 Apr 11 ? 0:00 /usr/dt/bin/dtlogin -daemon
root 340 311 0 Apr 11 ? 0:00 /usr/lib/osa/bin/sparcv9/rdaemon 29 203 5
root 341 1 0 Apr 11 ? 0:00 /usr/sadm/lib/smc/bin/smcboot
root 466 1 0 Apr 11 ? 0:00 /usr/lib/snmp/snmpdx -y -c /etc/snmp/conf
root 483 1 0 Apr 11 console 0:00 /usr/lib/saf/ttymon -g -h -p sparc5-1 console login: -T sun -d /dev/console -l
root 440 1 0 Apr 11 ? 0:00 /usr/lib/nfs/mountd
root 471 1 0 Apr 11 ? 0:02 /usr/lib/inet/xntpd
root 475 1 0 Apr 11 ? 0:00 /usr/lib/dmi/dmispd
root 426 1 0 Apr 11 ? 0:28 /usr/local/sbin/prngd /var/spool/prngd/pool
root 489 1 0 Apr 11 ? 0:00 /usr/openwin/bin/fbconsole -d :0
root 502 487 0 Apr 11 ? 0:00 dtgreet -display :0
root 501 466 0 Apr 11 ? 1:18 mibiisa -r -p 32787
root 27601 1 0 Apr 14 ? 0:00 ./ns-admin -d /A1000/demo6789/ims52/admin-serv/config
nobody 27664 1 0 Apr 14 ? 0:04 /A1000/demo6789/ims52/bin/msg/store/bin/mshttpd -d 5 -D 6
nobody 27821 1 0 Apr 14 ? 0:00 /A1000/demo6789/ims52/bin/msg/imta/bin/job_controller
nobody 27635 1 0 Apr 14 ? 0:01 /A1000/demo6789/ims52/bin/msg/store/bin/popd -d 5
root 29899 29897 0 13:27:35 pts/3 0:00 ps -ef
root 27709 1 0 Apr 14 ? 0:00 ./uxwdog -d /A1000/demo6789/iws60/https-sparc5-1.central.sun.com/config
root 27700 1 0 Apr 14 ? 0:00 ./uxwdog -d /A1000/demo6789/iws60/https-admserv/config
nobody 27622 1 0 Apr 14 ? 0:02 /A1000/demo6789/ims52/bin/msg/admin/bin/stored -d
nobody 29608 1 0 09:32:28 ? 0:00 /A1000/demo6789/ims52/bin/msg/imta/bin/tcp_smtp_server
root 27710 27709 0 Apr 14 ? 0:00 ns-httpd -d /A1000/demo6789/iws60/https-sparc5-1.central.sun.com/config
root 29890 29888 0 13:27:21 pts/3 0:00 -sh
root 29888 199 0 13:27:21 ? 0:00 in.telnetd
root 29897 29890 0 13:27:24 pts/3 0:00 bash
root 27594 1 0 Apr 14 ? 0:00 ./uxwdog -d /A1000/demo6789/ids51/admin-serv/config
nobody 27711 27710 0 Apr 14 ? 0:01 ns-httpd -d /A1000/demo6789/iws60/https-sparc5-1.central.sun.com/config
nobody 27649 1 0 Apr 14 ? 0:00 /A1000/demo6789/ims52/bin/msg/store/bin/imapd -d 5 -D 6
root 27595 27594 0 Apr 14 ? 0:01 ns-httpd -d /A1000/demo6789/ids51/admin-serv/config
root 27703 27701 0 Apr 14 ? 0:01 ns-httpd -d /A1000/demo6789/iws60/https-admserv/config
root 20075 1 0 Apr 13 ? 0:00 /usr/sbin/cron
root 27597 27595 0 Apr 14 ? 0:01 ns-httpd -d /A1000/demo6789/ids51/admin-serv/config
nobody 29609 1 0 09:32:28 ? 0:00 /A1000/demo6789/ims52/bin/msg/imta/bin/tcp_smtp_server
nobody 27587 1 0 Apr 14 ? 0:09 ./ns-slapd -D /A1000/demo6789/ids51/slapd-sparc5-1 -i/A1000/demo6789/ids51/sla
root 27701 27700 0 Apr 14 ? 0:00 ns-httpd -d /A1000/demo6789/iws60/https-admserv/config

As you can see, several things are running on the system in addition to the Messaging Server. You could filter the results looking only for the messaging components by user or group, but that requires that you know that all the daemons are properly installed and operating as the messaging user or group. For diagnostics, sometimes it is better to review everything running. Note also that this listing shows a root shell (-sh under in.telnetd) opened over telnet; on a production server, disable telnet and use ssh for administrative access.

Another UNIX utility that you can use is top, which presents a nicer view of the processes running on the system as well as the ability to sort and organize the output (FIGURE 5-1).

Regardless of the method used to view the current processes on the system, you should have the following daemons running at this point when everything is installed on the same server:

- mshttpd—Webmail daemon

- stored—Mailstore daemon

- ns-slapd—LDAP daemon

- ns-httpd—Web server for the delegated administration and administration servers; you should have three

- enpd—Event notification daemon

- dispatcher—Dispatcher

- tcp_smtp_server—SMTP daemon

- job_controller—Job controller daemon

- popd—POP daemon

- imapd—IMAP daemon
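As an added example (not from the BluePrint), the following script turns the daemon list above into a check that can be run after startup or from a monitor: it reads a saved ps -ef listing, reports any expected daemon that is absent, and reports any Messaging Server daemon not running as the messaging user (local.serveruid in the configutil output, nobody on the demo system). The sample listing is a trimmed copy of CODE EXAMPLE 5-1, altered so that imapd is missing and popd runs as root, to show what a failing check looks like. The daemon names come from the chapter; the helper function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the BluePrint: check a ps -ef listing for the daemons
# the chapter says an all-in-one install should show, and flag Messaging Server
# daemons that are not running as the messaging user (local.serveruid).

# Daemons expected on a single-server installation (from the chapter's list).
EXPECTED_DAEMONS="mshttpd stored ns-slapd ns-httpd enpd dispatcher tcp_smtp_server job_controller popd imapd"
# Messaging Server daemons that run as local.serveruid in the chapter's listing
# (enpd, ns-slapd and ns-httpd run as root there, so they are not checked).
MSG_USER_DAEMONS="mshttpd stored dispatcher tcp_smtp_server job_controller popd imapd"

# Emit "uid command-basename" for each process in a ps -ef listing. The STIME
# column is one field (13:27:35) or two (Apr 14), so locate the TIME column
# (m:ss) and take the field after it as the command.
ps_basenames() {
    awk 'NR > 1 {
        for (i = 7; i < NF; i++) {
            if ($i ~ /^[0-9]+:[0-9][0-9]$/) {
                n = split($(i + 1), p, "/")
                print $1, p[n]
                break
            }
        }
    }' "$1"
}

# Print each expected daemon that has no process in the listing.
missing_daemons() {
    names=$(ps_basenames "$1" | awk '{ print $2 }')
    for d in $EXPECTED_DAEMONS; do
        echo "$names" | grep -qx "$d" || echo "$d"
    done
}

# Print "daemon uid" for each messaging daemon not running as the user in $2.
wrong_user_daemons() {
    ps_basenames "$1" | while read -r uid name; do
        for d in $MSG_USER_DAEMONS; do
            if [ "$name" = "$d" ] && [ "$uid" != "$2" ]; then
                echo "$name $uid"
            fi
        done
    done
}

# --- constructed sample listing (trimmed from CODE EXAMPLE 5-1, altered) -----
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/ps.txt" <<'EOF'
     UID   PID  PPID  C    STIME TTY      TIME CMD
    root     0     0  0   Apr 11 ?        0:01 sched
  nobody 27664     1  0   Apr 14 ?        0:04 /A1000/demo6789/ims52/bin/msg/store/bin/mshttpd -d 5 -D 6
  nobody 27622     1  0   Apr 14 ?        0:02 /A1000/demo6789/ims52/bin/msg/admin/bin/stored -d
  nobody 27587     1  0   Apr 14 ?        0:09 ./ns-slapd -D /A1000/demo6789/ids51/slapd-sparc5-1
    root 27595 27594  0   Apr 14 ?        0:01 ns-httpd -d /A1000/demo6789/ids51/admin-serv/config
    root 27697     1  0   Apr 14 ?        0:00 /A1000/demo6789/ims52/bin/msg/admin/bin/enpd
  nobody 27822     1  0   Apr 14 ?        0:00 /A1000/demo6789/ims52/bin/msg/imta/bin/dispatcher
  nobody 29608     1  0 09:32:28 ?        0:00 /A1000/demo6789/ims52/bin/msg/imta/bin/tcp_smtp_server
  nobody 27821     1  0   Apr 14 ?        0:00 /A1000/demo6789/ims52/bin/msg/imta/bin/job_controller
    root 27635     1  0   Apr 14 ?        0:01 /A1000/demo6789/ims52/bin/msg/store/bin/popd -d 5
    root 29888   199  0 13:27:21 ?        0:00 in.telnetd
    root 29899 29897  0 13:27:35 pts/3    0:00 ps -ef
EOF

# On a live host: ps -ef > "$tmp/ps.txt" (or pipe it in) and use the value of
# local.serveruid from configutil as the expected user.
echo "missing daemons:";    missing_daemons "$tmp/ps.txt"
echo "wrong user:";         wrong_user_daemons "$tmp/ps.txt" nobody
```

Matching on the command basename rather than the full path keeps the check independent of where the server root (/A1000/demo6789 here) lives; the user check is the cheap way to catch a store or IMTA daemon that was started by hand as root after a restart.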


FIGURE 5-1 top Command Output

If the directory server were running on a separate system, you would not have the ns-slapd daemon running on this server, nor the ns-httpd instance for the Directory Server administration server. If you turned off webmail, the mshttpd daemon would not be running, and so forth. So you really must know the specifics of your installation; otherwise you will think something should be there that is not, or vice versa. Since we installed everything on the same server, all the daemons appear.

Keep in mind that this is a default installation on a small server. On larger production servers, it is possible to have multiple instances of a daemon running too. For example, depending on the configuration parameters, there might be multiple mshttpd daemons to support many webmail users.

To get a list of the current configuration settings, execute the following command:

# configutil

This command lists the current configuration of the Messaging Server, which includes information such as port numbers, protocol status (off/on), log file location, process settings, and so forth. It is a good idea to maintain an archive or repository of this information so that when problems or issues arise, the current settings can be compared with the last known good settings. Print these settings out for future reference as you go through the remaining sections and exercises in this book.

Be aware that the output includes, in plaintext, the LDAP bind credentials the server uses (local.enduseradmincred, local.ldapsiecred, local.ugldapbindcred, and local.service.pab.ldappasswd), so any archive or printout of it must be protected as carefully as the server’s own configuration directory, or those values redacted. Also review the encryption.* settings while you have the listing: the default nsssl3ciphers list shown below includes 40-bit export ciphers (rsa_rc4_40_md5, rsa_rc2_40_md5) and single DES, which should be removed on a production server, and local.ldapusessl = False means the bind to the directory, credentials included, travels unencrypted.
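An added example, not from the BluePrint: a script that keeps the archive suggested above without storing the bind passwords in it. It redacts any configutil setting whose name ends in cred, passwd or password, sorts the result so that diffs are stable, stores it readable by the owner only, and diffs a new snapshot against the last known-good one. The sample settings are a constructed subset of CODE EXAMPLE 5-2 with placeholder credentials; on a live server, capture the input with configutil > file and pass that file.

```sh
#!/bin/sh
# Added example, not from the BluePrint: keep a redacted, sorted archive of
# configutil output and diff each new snapshot against the last known-good one.
# The sample settings are a constructed subset of the chapter's listing with
# placeholder credentials; on a live server feed real configutil output in.

# Mask the value of any setting whose name ends in cred, passwd or password,
# so the archive holds no LDAP bind passwords. Use nawk or /usr/xpg4/bin/awk
# on older Solaris releases; /usr/bin/awk there lacks ERE alternation.
redact_config() {
    awk '{
        if (tolower($1) ~ /(cred|passwd|password)$/) print $1 " = <REDACTED>"
        else print
    }'
}

# Write a sorted, redacted snapshot of a configutil dump ($1, a file holding
# the output of "configutil > file") to $2, readable by the owner only.
snapshot_config() {
    redact_config < "$1" | sort > "$2"
    chmod 600 "$2"
}

# Show settings that differ between two snapshots. Exit status follows diff:
# 0 if identical, 1 if they differ.
diff_config() {
    diff "$1" "$2"
}

# --- constructed sample dumps ------------------------------------------------
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/known-good.raw" <<'EOF'
encryption.nsssl2 = off
encryption.nsssl3 = on
encryption.nssslclientauth = 0
local.enduseradmincred = DemoPass1
local.ldapport = 389
local.ldapsiecred = DemoPass2
local.ldapusessl = False
local.service.pab.ldappasswd = DemoPass1
local.ugldapbindcred = DemoPass1
EOF
# The same server later: SSLv2 has been switched on and a bind password
# rotated. Only the first change should show up in the diff.
sed -e 's/^encryption.nsssl2 = off/encryption.nsssl2 = on/' \
    -e 's/DemoPass1/DemoPass9/' "$tmp/known-good.raw" > "$tmp/today.raw"

snapshot_config "$tmp/known-good.raw" "$tmp/known-good.txt"
snapshot_config "$tmp/today.raw" "$tmp/today.txt"
diff_config "$tmp/known-good.txt" "$tmp/today.txt" \
    || echo "settings changed since the last known-good snapshot"
```

Because credentials are masked before the snapshot is written, a password rotation does not show up as a change, while a setting such as encryption.nsssl2 flipping from off to on does; that is the property you want from a file that may end up attached to a support case.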

CODE EXAMPLE 5-2 configutil Output—Current Configuration Settings

alarm.createtimestamp = 20030414042706Z

alarm.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

alarm.diskavail.createtimestamp = 20030414042706Z

alarm.diskavail.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

alarm.diskavail.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
alarm.diskavail.modifytimestamp = 20030414042706Z

alarm.diskavail.msgalarmdescription = "percentage mail partition diskspace available"

alarm.diskavail.msgalarmstatinterval = 3600

alarm.diskavail.msgalarmthreshold = 10

alarm.diskavail.msgalarmthresholddirection = -1

alarm.diskavail.msgalarmwarninginterval = 24

alarm.diskavail.objectclass = nsmsgCfgAlarm,top

alarm.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

alarm.modifytimestamp = 20030414042706Z

alarm.msgalarmnoticeport = 25
alarm.msgalarmnoticercpt = postmaster

alarm.msgalarmnoticesender = postmaster

alarm.objectclass = nsmsgCfgAlarmContainer,top

alarm.serverresponse.createtimestamp = 20030414042706Z

alarm.serverresponse.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

alarm.serverresponse.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

alarm.serverresponse.modifytimestamp = 20030414042706Z

alarm.serverresponse.msgalarmdescription = "server response time in seconds"

alarm.serverresponse.msgalarmstatinterval = 600

alarm.serverresponse.msgalarmthreshold = 10

alarm.serverresponse.msgalarmthresholddirection = 1

alarm.serverresponse.msgalarmwarninginterval = 24


alarm.serverresponse.objectclass = nsmsgCfgAlarm,top

createtimestamp = 20030414042706Z

creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

encryption.createtimestamp = 20030414042706Z

encryption.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

encryption.fortezza.createtimestamp = 20030414042706Z

encryption.fortezza.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

encryption.fortezza.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

encryption.fortezza.modifytimestamp = 20030414042706Z

encryption.fortezza.nssslactivation = off
encryption.fortezza.objectclass = nsEncryptionModule,top

encryption.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

encryption.modifytimestamp = 20030414042706Z

encryption.nscertfile = alias/msg-sparc5-1-cert7.db

encryption.nskeyfile = alias/msg-sparc5-1-key3.db

encryption.nsssl2 = off

encryption.nsssl3 = on

encryption.nsssl3ciphers = rsa_rc4_40_md5,rsa_rc2_40_md5,rsa_des_sha,rsa_rc4_128_md5,rsa_3des_sha

encryption.nsssl3sessiontimeout = 0

encryption.nssslclientauth = 0

encryption.nssslsessiontimeout = 0

encryption.objectclass = nsEncryptionConfig,top

encryption.rsa.createtimestamp = 20030414042707Z

encryption.rsa.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

encryption.rsa.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

encryption.rsa.modifytimestamp = 20030414042707Z

encryption.rsa.nssslactivation = on
encryption.rsa.nssslpersonalityssl = Server-Cert

encryption.rsa.nsssltoken = internal

encryption.rsa.objectclass = nsEncryptionModule,top

gen.accounturl = http://%[email protected]:55555/bin/user/admin/bin/enduser

gen.configversion = 4.0

gen.createtimestamp = 20030414042707Z

gen.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

gen.folderurl = http://%[email protected]:55555/bin/user/admin/bin/mailacl.cgi?folder=%M

gen.installedlanguages = en

gen.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

gen.modifytimestamp = 20030414042707Z
gen.objectclass = nsmsgCfgGen,top

gen.sitelanguage = en

local.defdomain = sparc5-1.central.sun.com

local.enduseradmincred = }3:0R77?xB

local.enduseradmindn = "uid=msg-admin-sparc5-1.central.sun.com-20020710153937, ou=People, o=sparc5-1.central.sun.com, o=isp"

local.hostname = sparc5-1.central.sun.com

local.imta.imta_tailor = /A1000/demo6789/ims52/msg-sparc5-1/imta/config/imta_tailor

local.imta.ssrenabled = yes

local.installeddir = /A1000/demo6789/ims52/bin/msg

local.instancedir = /A1000/demo6789/ims52/msg-sparc5-1

local.lastconfigfetch = 1050433755

local.ldapbasedn = o=NetscapeRoot


local.ldapcachefile = /A1000/demo6789/ims52/msg-sparc5-1/config/local.conf

local.ldaphost = sparc5-1.central.sun.com

local.ldapport = 389

local.ldapsiecred = VCk3UUl38W

local.ldapsiedn = "cn=msg-sparc5-1, cn=iPlanet Messaging Suite, cn=Server Group (2), cn=sparc5-1.central.sun.com, ou=sparc5-1.central.sun.com, o=NetscapeRoot"

local.ldapusessl = False

local.servergid = nobody

local.servername = sparc5-1

local.serverroot = /A1000/demo6789/ims52

local.servertype = msg
local.serveruid = nobody

local.service.pab.attributelist = pabattrs

local.service.pab.enabled = 1

local.service.pab.ldapbasedn = o=pab

local.service.pab.ldapbinddn = "uid=msg-admin-sparc5-1.central.sun.com-20020710153937, ou=People, o=sparc5-1.central.sun.com, o=isp"

local.service.pab.ldaphost = sparc5-1.central.sun.com

local.service.pab.ldappasswd = }3:0R77?xB

local.service.pab.ldapport = 389

local.service.pab.maxnumberofentries = 500

local.supportedlanguages = "[en,de,fr,es,af,ca,da,nl,fi,gl,ga,is,it,no,pt,sv,ja,ko,zh-CN,zh-TW]"
local.tmpdir = /A1000/demo6789/ims52/msg-sparc5-1/tmp

local.ugldapbasedn = o=isp

local.ugldapbindcred = }3:0R77?xB

local.ugldapbinddn = "uid=msg-admin-sparc5-1.central.sun.com-20020710153937, ou=People, o=sparc5-1.central.sun.com, o=isp"

local.ugldapdeforgdn = "o=sparc5-1.central.sun.com, o=isp"

local.ugldaphost = sparc5-1.central.sun.com

local.ugldapport = 389

local.ugldapuselocal = yes

local.webmail.da.host = sparc5-1.central.sun.com

local.webmail.da.port = 88

local.webmail.sso.enable = 0

local.webmail.sso.singlesignoff = 0

logfile.admin.buffersize = 0

logfile.admin.createtimestamp = 20030414042707Z

logfile.admin.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

logfile.admin.expirytime = 604800

logfile.admin.flushinterval = 60

logfile.admin.logdir = /A1000/demo6789/ims52/msg-sparc5-1/log/admin

logfile.admin.loglevel = Notice

logfile.admin.logtype = NscpLog

logfile.admin.maxlogfiles = 10

logfile.admin.maxlogfilesize = 2097152

logfile.admin.maxlogsize = 20971520

logfile.admin.minfreediskspace = 5242880

logfile.admin.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

logfile.admin.modifytimestamp = 20030414042707Z

logfile.admin.objectclass = nsmsgCfgLog ,top

logfile.admin.rollovertime = 86400

logfile.createtimestamp = 20030414042707Z

logfile.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

logfile.default.buffersize = 0

logfile.default.createtimestamp = 20030414042707Z

logfile.default.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

logfile.default.expirytime = 604800


logfile.default.flushinterval = 60

logfile.default.logdir = /A1000/demo6789/ims52/msg-sparc5-1/log/default

logfile.default.loglevel = Notice

logfile.default.logtype = NscpLog

logfile.default.maxlogfiles = 10

logfile.default.maxlogfilesize = 2097152

logfile.default.maxlogsize = 20971520

logfile.default.minfreediskspace = 5242880

logfile.default.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

logfile.default.modifytimestamp = 20030414042707Z

logfile.default.objectclass = nsmsgCfgLog ,top

logfile.default.rollovertime = 86400

logfile.http.buffersize = 0

logfile.http.createtimestamp = 20030414042710Z

logfile.http.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

logfile.http.expirytime = 604800

logfile.http.flushinterval = 60

logfile.http.logdir = /A1000/demo6789/ims52/msg-sparc5-1/log/http

logfile.http.loglevel = Notice

logfile.http.logtype = NscpLog

logfile.http.maxlogfiles = 10

logfile.http.maxlogfilesize = 2097152

logfile.http.maxlogsize = 20971520

logfile.http.minfreediskspace = 5242880

logfile.http.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

logfile.http.modifytimestamp = 20030414042710Z

logfile.http.objectclass = nsmsgCfgLog ,top

logfile.http.rollovertime = 86400

logfile.imap.buffersize = 0

logfile.imap.createtimestamp = 20030414042710Z

logfile.imap.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

logfile.imap.expirytime = 604800

logfile.imap.flushinterval = 60

logfile.imap.logdir = /A1000/demo6789/ims52/msg-sparc5-1/log/imap

logfile.imap.loglevel = Notice

logfile.imap.logtype = NscpLog

logfile.imap.maxlogfiles = 10

logfile.imap.maxlogfilesize = 2097152

logfile.imap.maxlogsize = 20971520

logfile.imap.minfreediskspace = 5242880

logfile.imap.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

logfile.imap.modifytimestamp = 20030414042710Z

logfile.imap.objectclass = nsmsgCfgLog ,top

logfile.imap.rollovertime = 86400

logfile.imta.buffersize = 0

logfile.imta.createtimestamp = 20030414042710Z

logfile.imta.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

logfile.imta.expirytime = 604800

logfile.imta.flushinterval = 60

logfile.imta.logdir = /A1000/demo6789/ims52/msg-sparc5-1/log/imta

logfile.imta.loglevel = Notice

logfile.imta.logtype = NscpLog

logfile.imta.maxlogfiles = 10

logfile.imta.maxlogfilesize = 2097152

logfile.imta.maxlogsize = 20971520

logfile.imta.minfreediskspace = 5242880


logfile.imta.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

logfile.imta.modifytimestamp = 20030414042710Z

logfile.imta.objectclass = nsmsgCfgLog ,top

logfile.imta.rollovertime = 86400

logfile.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

logfile.modifytimestamp = 20030414042707Z

logfile.objectclass = nsmsgCfgContainer ,top

logfile.pop.buffersize = 0

logfile.pop.createtimestamp = 20030414042710Z

logfile.pop.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

logfile.pop.expirytime = 604800

logfile.pop.flushinterval = 60

logfile.pop.logdir = /A1000/demo6789/ims52/msg-sparc5-1/log/pop

logfile.pop.loglevel = Notice

logfile.pop.logtype = NscpLog

logfile.pop.maxlogfiles = 10

logfile.pop.maxlogfilesize = 2097152

logfile.pop.maxlogsize = 20971520

logfile.pop.minfreediskspace = 5242880

logfile.pop.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

logfile.pop.modifytimestamp = 20030414042710Z

logfile.pop.objectclass = nsmsgCfgLog ,top

logfile.pop.rollovertime = 86400

logfiles.admin.alias = |logfile|admin

logfiles.admin.createtimestamp = 20030414042707Z

logfiles.admin.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

logfiles.admin.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

logfiles.admin.modifytimestamp = 20030414042707Z

logfiles.admin.objectclass = nsmsgCfgAlias ,top

logfiles.createtimestamp = 20030414042707Z

logfiles.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

logfiles.default.alias = |logfile|default

logfiles.default.createtimestamp = 20030414042708Z

logfiles.default.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

logfiles.default.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

logfiles.default.modifytimestamp = 20030414042708Z

logfiles.default.objectclass = nsmsgCfgAlias ,top

logfiles.http.alias = |logfile|http

logfiles.http.createtimestamp = 20030414042710Z

logfiles.http.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

logfiles.http.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

logfiles.http.modifytimestamp = 20030414042710Z

logfiles.http.objectclass = nsmsgCfgAlias ,top

logfiles.imap.alias = |logfile|imap

logfiles.imap.createtimestamp = 20030414042710Z

logfiles.imap.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

logfiles.imap.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

logfiles.imap.modifytimestamp = 20030414042710Z

logfiles.imap.objectclass = nsmsgCfgAlias ,top

logfiles.imta.alias = |logfile|imta

logfiles.imta.createtimestamp = 20030414042710Z

logfiles.imta.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

logfiles.imta.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

logfiles.imta.modifytimestamp = 20030414042710Z

logfiles.imta.objectclass = nsmsgCfgAlias ,top

logfiles.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"


logfiles.modifytimestamp = 20030414042707Z

logfiles.objectclass = nsmsgCfgContainer ,top

logfiles.pop.alias = |logfile|pop

logfiles.pop.createtimestamp = 20030414042710Z

logfiles.pop.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

logfiles.pop.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

logfiles.pop.modifytimestamp = 20030414042710Z

logfiles.pop.objectclass = nsmsgCfgAlias ,top

modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

modifytimestamp = 20030414042706Z

nsclassname = "[email protected]@cn=admin-serv-sparc5-1, cn=Netscape Administration Server, cn=Server Group (2), cn=sparc5-1.central.sun.com, ou=sparc5-1.central.sun.com, o=NetscapeRoot"

objectclass = top ,nsConfig ,nsAdminObject

pipeprograms.createtimestamp = 20030414042708Z

pipeprograms.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

pipeprograms.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

pipeprograms.modifytimestamp = 20030414042708Z

pipeprograms.objectclass = nsmsgCfgContainer ,top

service.authcachesize = 10000

service.authcachettl = 900

service.createtimestamp = 20030414042708Z

service.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

service.dcroot = o=internet

service.defaultdomain = sparc5-1.central.sun.com

service.dnsresolveclient = no

service.http.allowadminproxy = no

service.http.allowanonymouslogin = no

service.http.createtimestamp = 20030414042710Z

service.http.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

service.http.enable = yes

service.http.enablesslport = yes

service.http.fullfromheader = no

service.http.idletimeout = 3

service.http.ipsecurity = yes

service.http.maxmessagesize = 5242880

service.http.maxpostsize = 5242880

service.http.maxsessions = 6000

service.http.maxthreads = 250

service.http.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

service.http.modifytimestamp = 20030414042711Z

service.http.numprocesses = 1

service.http.objectclass = nsmsgCfgHttp ,top

service.http.plaintextmincipher = 0

service.http.port = 80

service.http.resourcetimeout = 900

service.http.sessiontimeout = 7200

service.http.smtpport = 25

service.http.spooldir = /A1000/demo6789/ims52/msg-sparc5-1/http

service.http.sslcachesize = 0

service.http.sslport = 443

service.http.sslusessl = yes

service.imap.allowanonymouslogin = no

service.imap.banner = "%h %p service (%P %V)"


service.imap.createtimestamp = 20030414042710Z

service.imap.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

service.imap.enable = yes

service.imap.enablesslport = yes

service.imap.idletimeout = 30

service.imap.maxsessions = 4000

service.imap.maxthreads = 250

service.imap.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

service.imap.modifytimestamp = 20030414042711Z

service.imap.numprocesses = 1

service.imap.objectclass = nsmsgCfgImap

service.imap.plaintextmincipher = 0

service.imap.port = 143

service.imap.sslcachesize = 0

service.imap.sslport = 993

service.imap.sslusessl = yes

service.ldapmemcache = no

service.ldapmemcachesize = 131072

service.ldapmemcachettl = 30

service.listenaddr = INADDR_ANY

service.loginseparator = @

service.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

service.modifytimestamp = 20030414042708Z

service.objectclass = nsmsgCfgService ,top

service.plaintextloginpause = 0

service.pop.allowanonymouslogin = no

service.pop.banner = "%h %p service (%P %V)"

service.pop.createtimestamp = 20030414042710Z

service.pop.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

service.pop.enable = yes

service.pop.idletimeout = 10

service.pop.maxsessions = 600

service.pop.maxthreads = 250

service.pop.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

service.pop.modifytimestamp = 20030414042711Z

service.pop.numprocesses = 1

service.pop.objectclass = nsmsgCfgPop ,top

service.pop.plaintextmincipher = 0

service.pop.popminpoll = 0

service.pop.port = 110

service.pop.sslusessl = yes

service.readtimeout = 10

store.admins = admin

store.cleanupage = 1

store.createtimestamp = 20030414042710Z

store.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

store.dbcachesize = 16777216

store.defaultacl = "anyone lrs"

store.defaultmailboxquota = -1

store.defaultmessagequota = -1

store.defaultpartition = primary

store.diskflushinterval = 15

store.expirerule.createtimestamp = 20030414042710Z

store.expirerule.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

store.expirerule.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

store.expirerule.modifytimestamp = 20030414042710Z


store.expirerule.objectclass = nsmsgCfgContainer ,top

store.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

store.modifytimestamp = 20030414042710Z

store.objectclass = nsmsgCfgStore ,top

store.partition.createtimestamp = 20030414042710Z

store.partition.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

store.partition.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

store.partition.modifytimestamp = 20030414042710Z

store.partition.objectclass = nsmsgCfgContainer ,top

store.partition.primary.createtimestamp = 20030414042710Z

store.partition.primary.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

store.partition.primary.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

store.partition.primary.modifytimestamp = 20030414042710Z

store.partition.primary.objectclass = nsmsgCfgPartition ,top

store.partition.primary.path = /A1000/demo6789/ims52/msg-sparc5-1/store/partition/primary

store.quotaenforcement = on

store.quotaexceededmsginterval = 7

store.quotagraceperiod = 120

store.quotanotification = off

store.quotawarn = 90

store.serviceadmingroupdn = "cn=Service Administrators, ou=Groups, o=isp"

store.umask = 077

Provisioning

Once you know the system is installed and operational, the next major task is most likely how best to add and remove users, sometimes also called accounts or other terms. In the ISP world, the term used to describe this process is provisioning. As with many things, there is often more than one way or method of accomplishing the task, and provisioning users or accounts is no different. Provisioning sometimes assumes starting a new user from scratch, but it may in fact be one of the steps in the migration of an organization's older mail system. This chapter approaches it from the new-user perspective, though the approach is not totally different when doing this as part of a migration. Some additional issues are discussed in Chapter 11, "Migration," on page 167.

Technically there may be many ways of provisioning, but there are really four main methods:

■ Administration Console—Sun ONE Administration Console

■ Web—delegated administration for messaging and collaboration or identity server

■ CLI—command-line interface for the iPlanet Directory Administrator

■ LDAP—direct interaction with the directory server via LDAP

Ultimately, these methods (FIGURE 5-2) all interact with the Messaging Server in two places—the directory server and the mailstore. One thing to note is that creating user information in the directory does not create the physical mailbox in the mailstore, nor does creating the mailbox (folder) in the mailstore create the user information in the directory. The tricky part is creating the user information in the directory with the appropriate attributes (fields) and having the users authenticate with the messaging system.

FIGURE 5-2 Administration Interfaces Architecture Overview

The following sections examine each of the four provisioning methods and outline some of the pros and cons of each method.

Administration Console

The Sun ONE Administration Console is a Java program that can be executed locally on the mail system or in a distributed (remote) fashion on any system supporting the Java™ Runtime Environment (JRE) 1.1.8. It connects to an administration process (daemon) through HTTP or HTTPS. The administration console provides very low-level access to most parts of the message system, including the Messaging Server, Directory Server, and Web Server. This access includes configuration data, user data, log data, and so forth. As such, it is primarily used for configuration and debugging purposes, not as a day-to-day way of administering the system.

[FIGURE 5-2 components, in place of the diagram: Browser, Web, and CLI clients; Administration console (Java application); Administration daemon; HTTP connections; Directory.]

Note – Occasionally problems exist when starting the Messaging Server Administration Console and remotely displaying the results. The splash logo can block the login entry box. To work around this issue you can start the Messaging Server Administration Console without the splash graphic by using the command startconsole -x nologo.


While it is possible to add users or change user information by using the administration console, it is typically reserved for configuration and diagnostic functions by the highest-level administrators.

An example of an appropriate use would be to configure the messaging server to accept IMAP over SSL connections. An example of poor usage for the administration console would be to add twenty user accounts, or even one user account for that matter.

■ Speed—Not zippy

■ Ease of use—Good

■ Access to functions—Very low level, most of the system

■ Input checking—Little, if any

■ Not customizable

You should equate the administration console to root or highest-level administration access, and as such it should be reserved for use by only those persons performing these duties on the messaging system.

Web

Another way to administer the Messaging System is via the Web. Actually, there are two ways to use the Web to administer the system—the Administration Web Interface and the Delegated Administrator for Messaging. The two methods are very different.

The Administration Web Interface provides basic administration function access such as starting, stopping, restarting, backing up, and restoration functions for some of the services of the Messaging Server. It is primarily designed for help desk personnel with minimum training and limited duties, as well as remote administration work when using the Java-based administration console is not possible.

The Delegated Administrator for Messaging (FIGURE 5-3) provides more user and domain management functionality for help desk and self-service end users. Functions for help desk personnel include adding, removing, and changing user information (if permitted). The functionality of the Delegated Administrator for Messaging can be restricted to provide specific help desk administrators for each domain within the messaging system as well as user administrators for each domain, which can ultimately reduce the burden of administration for the main administrators. For end users, this interface can be used to access functions such as mailing list management, vacation messages, mail filters, user information, and so forth, if permitted.

Overall these web interfaces are aimed at the help desk and end user population.


They are not the fastest methods of administration, but they provide easy-to-use interfaces for occasional use. Because they are web pages (HTML, JavaScript™, and servlets), these interfaces can be customized for your specific organization. So if you do not want people to be able to change their password or basic information via the Delegated Administrator interface, it can be modified to remove those options.

■ Speed—Good

■ Ease of use—Very good

■ Access to functions—Help desk and basic administrator functions, end user self service

■ Input checking—Some, but can be extended easily

■ Customizable

Command-Line Interface

The functions to provision users and mail accounts in the Messaging Server are available from the command-line interface (CLI). This interface provides the ability to automate and program (script) your organization's business rules regarding user and mail account provisioning.

Note – The command-line interface is really an interface into the Delegated Administrator, not directly into the Directory Server or the Messaging Server. You may see the terms CLI, Netscape Delegated Administrator (NDA) CLI, and iPlanet Delegated Administrator (IDA) CLI used interchangeably in this section.


FIGURE 5-3 Delegated Administrator for Messaging

This low-level interface is not designed for end users at all, and is typically reserved for the highest level of administrators or for help desk personnel via automation (scripts) only. It is very possible to add and delete thousands of users or accounts in minutes by using the CLI. It has the capability to quickly add and delete or otherwise mess up the Messaging Server, so treat it as you would root access on the server. This includes security issues such as ensuring the production server is installed with appropriate users and groups, as well as applying other security precautions.


Another use of the CLI is to perform debugging and diagnostic work. There are several commands as well as options that provide the ability to trace email paths and routing and look at the functioning of the various daemons. For more information, see Chapter 14 of the iPlanet Messaging Server Administrator's Guide or go to http://docs.sun.com/source/816-6009-10/trblesho.htm#13833.

Overall, the command-line interface provides one of the best ways to automate and perform bulk adds, deletes, and modifications quickly, plus implement an organization's policy regarding messaging.

■ Speed—Good

■ Ease of use—Good

■ Access to functions—Very low level, scripts and senior administrators only

■ Input checking—Some, but completely customizable

■ Very customizable

CODE EXAMPLE 5-3 Sample CLI Showing Creation of "testuser" Account

root@sparc5-1:/A1000/demo6789/ims52/ndacli/bin> ./imadmin usercreate -l testuser -W password -F Test -L User [email protected] -w bacon -nsparc5-1.central.sun.com -H [email protected]: create user succeeded.
root@sparc5-1:/A1000/demo6789/ims52/ndacli/bin>

Lightweight Directory Access Protocol

Ultimately, everything—the administration console, the web interfaces, and the CLI—interacts with the directory in some manner. So performing provisioning work by interacting with the directory using LDAP is not only possible, but very much like the NDA CLI in terms of capabilities.

Direct interaction using LDAP provides most of the benefits of the CLI without access to the very low-level utilities and commands. It is also one of the best ways to automate and perform bulk adds, deletes, and modifications, along with the CLI. And, just like the CLI, it can be used to enforce and implement an organization's policy regarding messaging. Direct interaction with the LDAP directory and its contents also means additional security precautions are necessary. Direct manipulation or access should be reserved for the highest-level administrators. Access for help desk personnel or lower-level administrators should be done only through scripts or other methods that can add additional checking and precautions. For more information see Chapter 10, "Security," on page 153.

■ Speed—Excellent

■ Ease of use—Good

■ Access to functions—not as low level as the CLI, but still for scripts and senior administrators only

■ Input checking—Some, but completely customizable

■ Very customizable
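As an added example (not code from the Sun ONE documentation or from the product), the following Python script shows the kind of checking a provisioning script should wrap around direct LDAP access: it turns a constructed CSV feed into LDIF entries laid out like the Code Example 5-4 template that follows, validates each user ID against an assumed naming policy, escapes the values that go into the DN so a feed field cannot change where the entry lands in the tree, base64-encodes values that LDIF cannot carry as plain text, and writes the password as an {SSHA} hash rather than in the clear. The CSV column names, the uid policy, and the sample host name are assumptions. The operational attributes in the template (creatorsName, modifiersName, createTimestamp, modifyTimestamp, nsUniqueId) are deliberately left out, since the directory server sets them itself and rejects them in an add.

```python
"""Build ldapadd-ready LDIF from a CSV feed, laid out like the Code Example 5-4 template.
Added example, not from the Sun ONE documentation; CSV columns, uid policy and the
sample host name are assumptions. Operational attributes (creatorsName, modifiersName,
createTimestamp, modifyTimestamp, nsUniqueId) are left out: the server sets them."""
import base64
import csv
import hashlib
import io
import os
import re

# Object classes as listed in the Code Example 5-4 template.
OBJECT_CLASSES = ["top", "person", "organizationalPerson", "inetOrgPerson", "inetUser",
                  "ipUser", "nsManagedPerson", "userPresenceProfile", "inetMailUser",
                  "inetLocalMailRecipient"]
# Assumed naming policy: a lowercase letter followed by 1 to 31 of [a-z0-9._-].
UID_RE = re.compile(r"^[a-z][a-z0-9._-]{1,31}$")
DN_SPECIALS = set(',+"\\<>;')

def valid_uid(uid):
    """True when the uid satisfies the assumed naming policy."""
    return bool(UID_RE.match(uid))

def escape_dn_value(value):
    """Escape a value for use inside a DN (RFC 4514 rules), so that a feed value
    such as 'x,ou=admins' cannot relocate the entry within the tree."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIALS or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)

def ldif_line(attr, value):
    """One LDIF line; a value that is not a SAFE-STRING (RFC 2849) is base64 encoded."""
    unsafe = (value == "" or value[0] in " :<"
              or any(ord(c) > 127 or c in "\r\n\x00" for c in value))
    if unsafe:
        return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))
    return "%s: %s" % (attr, value)

def ssha_password(password, salt=None):
    """Salted SHA-1 ({SSHA}) so the LDIF never carries the cleartext password."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify_ssha(stored, password):
    """Check a cleartext password against an {SSHA} value (SHA-1 digest is 20 bytes)."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return hashlib.sha1(password.encode("utf-8") + raw[20:]).digest() == raw[:20]

def entry_from_row(row, hostname_fqdn, salt=None):
    """LDIF text for one user, in the template's attribute order."""
    uid = row["uid"]
    if not valid_uid(uid):
        raise ValueError("uid rejected by naming policy: %r" % uid)
    dn = "uid=%s, ou=people, o=%s, o=isp" % (escape_dn_value(uid),
                                             escape_dn_value(hostname_fqdn))
    attrs = [("dn", dn)] + [("objectClass", oc) for oc in OBJECT_CLASSES]
    attrs += [("mail", "%s@%s" % (uid, hostname_fqdn)), ("mailUserStatus", "active"),
              ("dataSource", "NDA 4.5 Delegated Administrator"), ("mailHost", hostname_fqdn),
              ("givenName", row["first_name"]),
              ("cn", "%s %s" % (row["first_name"], row["last_name"])),
              ("uid", uid), ("sn", row["last_name"]), ("mailDeliveryOption", "mailbox"),
              ("inetUserStatus", "active"),
              ("userPassword", ssha_password(row["password"], salt))]
    return "\n".join(ldif_line(a, v) for a, v in attrs) + "\n"

def ldif_from_csv(csv_text, hostname_fqdn, salt=None):
    """Turn a feed with columns uid,first_name,last_name,password into one LDIF
    document; rows failing the uid policy are returned for manual handling."""
    entries, rejected = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if valid_uid(row["uid"]):
            entries.append(entry_from_row(row, hostname_fqdn, salt))
        else:
            rejected.append(row["uid"])
    return "\n".join(entries), rejected

# Constructed sample feed; the second row tries to smuggle an extra RDN into the uid.
SAMPLE_FEED = ("uid,first_name,last_name,password\n"
               "testuser,Test,User,bacon\n"
               '"eve,ou=admins",Eve,Example,pw\n'
               "jdoe,Jane,Doe,s3cret\n")

if __name__ == "__main__":
    ldif, rejected = ldif_from_csv(SAMPLE_FEED, "sparc5-1.central.sun.com")
    print(ldif)  # save as users.ldif, then: ldapmodify -a -D binddn -w passwd -h ldaphost -f users.ldif
    print("rejected uids:", rejected)
```

The generated file is loaded with the ldapmodify(1) tool whose synopsis follows, for example ldapmodify -a -D binddn -w passwd -h ldaphost -f users.ldif; the -a option (or invoking the tool as ldapadd) is what makes it add rather than modify entries. Entries in LDIF are separated by a blank line, which is why the script joins them with one. Since the configutil output earlier in this chapter shows how bind credentials end up in clear text, a script like this should read the bind password from a protected file rather than take it on the command line, where -w passwd is visible to every user in the process list.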

User Commands ldapmodify(1)

NAME
ldapmodify, ldapadd - ldap entry addition and modification tools

SYNOPSIS
ldapmodify [ -a ] [ -b ] [ -c ] [ -r ] [ -n ] [ -v ] [ -F ] [ -d debuglevel ] [ -D binddn ] [ -w passwd ] [ -h ldaphost ] [ -M authentication ] [ -p ldapport ] [ -f file ] [ -l nb-ldap-connections ]

/opt/SUNWconn/ldap/bin/ldapadd [ -b ] [ -c ] [ -n ] [ -v ] [ -F ] [ -d debuglevel ] [ -D binddn ] [ -w passwd ] [ -h ldaphost ] [ -p ldapport ] [ -f file ] [ -l nb-ldap-connections ]

DESCRIPTION
ldapmodify opens a connection to an LDAP server, binds, and modifies or adds entries. The entry information is read from standard input or from file, specified using the -f option. ldapadd is implemented as a hard link to the ldapmodify tool. When invoked as ldapadd the -a (add new entry) option is turned on automatically.

CODE EXAMPLE 5-4 Sample Template

dn: uid=<uid>, ou=people, o=<hostname_fqdn>, o=isp
objectClass: top
objectClass: person
objectClass: organizationalPerson


objectClass: inetOrgPerson
objectClass: inetUser
objectClass: ipUser
objectClass: nsManagedPerson
objectClass: userPresenceProfile
objectClass: inetMailUser
objectClass: inetLocalMailRecipient
mail: <uid>@<hostname_fqdn>
mailUserStatus: active
dataSource: NDA 4.5 Delegated Administrator
mailHost: <hostname_fqdn>
givenName: History
cn: <first_name> <last_name>
uid: <uid>
sn: <last_name>
mailDeliveryOption: mailbox
inetUserStatus: active
userPassword: <password>
creatorsName: uid=serviceadmin,ou=people,o=<hostname_fqdn>,o=isp
modifiersName: uid=msg-admin-<hostname_fqdn>-20020710153937,ou=people,o=<hostname_fqdn>,o=isp
createTimestamp: 20030414044513Z
modifyTimestamp: 20030414051012Z
nsUniqueId: d5cba701-1dd111b2-80cac302-81db34e7
nswmExtendedUserPrefs: meDraftFolder=Drafts
nswmExtendedUserPrefs: meSentFolder=Sent
nswmExtendedUserPrefs: meTrashFolder=Trash
nswmExtendedUserPrefs: meInitialized=true
pabURI: ldap://<hostname_fqdn>:389/ou=<uid>, ou=people, o=<hostname_fqdn>, o=isp,o=pab

Methods Analysis

After discussing the four methods of provisioning at a high level, the question "What is the one way to do provisioning?" still remains. The answer is that it depends on the specific needs of your organization, including the end users, the administration staff, and the organization as a whole. Several factors, such as which features (vacation messages or mailing lists, for example) are wanted, may require the use of the Delegated Administrator for Messaging interface to some degree. Other factors include account turnover, skills of the administration staff, organizational policies, and so forth.

As a general rule, the best practices are:

Administration console

■ Top administrators only—for configuration

■ Diagnostics and tuning only

Web


■ Help desk and end-user self service

■ Customize or write your own scripts. Use those provided as examples.

■ Exceptions to bulk add and delete scripts. (There will always be exceptions.)

■ Main provisioning interface for small organizations or others with minimal account additions and deletions—approximately one addition and deletion per day. (3,000 accounts with a one-percent change per year equals 300 accounts added or deleted per year.)

CLI/LDAP

■ Automate as much as possible.

■ Should handle 99+ percent of the work

■ Exceptions handled by web or help desk personnel. (There will always be exceptions.)

Issues

There are many issues beyond which method is best or which method to use for provisioning. The remainder of this chapter uses the example of a university trying to automate its provisioning of the messaging system. Once automation has been decided upon, the most significant issues are:

■ Authoritative Sources

■ Data Feeds

■ User ID

Each of these issues must be addressed and documented for the smooth provisioning of the messaging system. The following sections examine each of these issues in more detail and provide example scripts to show how this all comes together.

Authoritative Sources

When provisioning users or accounts, some basic information is required—at a minimum, user ID, password, and the email address to be used. The Messaging Server includes a directory server, so many organizations also use this to provide basic directory services to various LDAP-enabled applications such as Microsoft Outlook or Netscape Communicator. Realistically, you may want more information, such as full name and a phone number.

So, what is an authoritative source? An authoritative source is a source where the information or data is known to be accurate and up to date, and is most likely located where the information originates within the organization. In some cases it is not possible to integrate directly with the original source, but if something contains the same information and is as up to date, it can be said to be authoritative too. Simply put, information or data just does not suddenly appear from thin air; rather, it is the end result of a business process or part of a business process. A good example is the human resources (HR) system within an organization as an authoritative source on employees. Since you must go through the various HR processes and procedures to be an employee, it is highly likely that the HR system (database) is an authoritative source for employee information. Why? Legal and regulatory requirements as well as accounting (payroll). So it is pretty safe to say that a person who is not in the HR database is not an employee. Is this always true? No, but it does address at least 99 percent of the cases.

Regardless, think of this as a business workflow exercise, and ask the question "How does the organization get someone's identity, be they an employee, contractor, or whatever, before providing network or computing access?" Is it simply a matter of an email coming from a manager, or is it more formal, requiring that the person be in the payroll system too?

Typical authoritative sources might be:

• Human resource system (HRS)
• Student information system (SIS)
• Directory Server database
• Information systems database
• Contractor/vendor database
• Visiting guest database

In some organizations, there may actually be multiple sources from which information is available. Which source is valid depends upon a person’s function or duties. Depending upon security requirements, you may also be required to check multiple sources to ensure that the person appears in all of them.

Data Feeds

Now that the authoritative data sources and their owners have been identified, the next issue faced when automating the provision process either via the CLI or direct LDAP integration is getting the data from the authoritative data sources. This requires input and agreement from the authoritative data source owners.

In a few situations, these authoritative systems or data sources can be directly integrated with the Messaging Server’s directory via LDAP, to automatically provision accounts when new users are added to the payroll system or delete them when they are removed from the system. This requires some scripting or configuration on the authoritative source application. An example of this might be PeopleSoft 8’s LDAP integration capabilities. However, in most organizations these data sources are not generally accessible, and so direct data extracts or integration is not possible.

Typically, though, there is a separation between the groups who control these systems and the group that administrates the messaging system. So many times tying the systems together directly is just not practical or possible. In these situations, the most practical integration is through a comma delimited file format sometimes referred to as a comma separated variable-length (CSV) file. Then, what information is needed and how this file is to be obtained and transferred and how often must be determined.

This file contains the information necessary to create the messaging account. It also typically contains a flag to indicate the action to be taken, whether this is a new account (add), or an existing account requiring deletion (delete) or updating (modify). There are also two other types of actions possible with the Messaging Server—activate and deactivate. One of the features of the Messaging Server is the ability to deactivate an account or entire domain while maintaining all of its associated information, including passwords, forwarding, address book entries, and so forth. This is a very useful feature in the University setting, where the policy might be to cut off services such as email if accounts are in arrears until such time as parking tickets or library fines are paid. Using this feature, an organization can simply deactivate an account and then easily reactivate the account without causing significant amounts of work such as adding the entire account back into the system.

So, the action flag or field in the CSV file might contain something to indicate the following actions:

• ADD
• DELETE
• MODIFY
• ACTIVATE
• DEACTIVATE

Our example uses the following designations to simplify this a bit, yet still represent all the actions:

• ADD
• DEL
• MODI
• ON
• OFF

Generally the file contains the basic information needed to create the record, as stated previously, plus some other information desired to make the directory useful. Often it is not necessary to be too literal, as some information or fields can be derived many times. An example might be full name where it is really a combination of first and last name. Every organization and authoritative data source is different, though. One thing to look for when using multiple authoritative data sources is fields that are common between them. Use the same fields consistently across all the data sources, if possible.

Since the purpose of this process is to automate the provisioning, the simplest method that does not require human intervention seems to work the best. In many organizations this could be a shared file system or using something such as File Transfer Protocol (FTP). This method is something that is worked out between the authoritative data source owner and the messaging administration group.

How frequently provisioning is done depends upon several factors. How quickly do you need messaging provisioned? Is there adequate CPU power to generate the CSV file as frequently as needed or desired? Some organizations do this nightly so that all new messaging accounts are created sometime between 10 p.m. and 4 a.m. for example. Other organizations desire more frequent updates, thus generating and processing the CSV hourly. Some modification of the scheduling can be done once the basics are working. Perhaps the biggest issue in this area is managing the end-user expectations. Were they informed that email accounts are created twice daily, or are they under the assumption that this is done in real time? Sometimes this issue is influenced by existing policy, while other times new policies must be set.

One final issue to consider regarding schedule or frequency is that not all functions have the same requirements. For example, if the policy is that new accounts are created once daily sometime between 10 p.m. and 4 a.m., that does not mean modifications or deletions must wait 24 hours. In some organizations, policy dictates that account deletions must happen within a short period of time for security reasons. So a policy such as this might drive the scheduling to something shorter than once daily.

User ID

Now that the issues of authoritative data sources and data feeds have been addressed, the next issue in provisioning is the user ID and everything that surrounds it. In some ways this is more difficult than the other issues to address because it is more of a policy issue. In some cases, it is necessary to maintain (grandfather) an existing standard for user ID creation for existing users while implementing a new policy for all new users.

Some points to consider when addressing the user ID issue are:

• User IDs must be unique.

This can be within the entire messaging system or within each domain, that is, acme.edu. However, if IDs are unique only within each domain, users will be required to log in with their user ID plus domain, for example, [email protected], whereas if user IDs are unique across the entire messaging system users can log in using only their user ID, for example, jsmith. This can affect other issues, though.

How do you ensure uniqueness?

That can be difficult. Very few pieces of information about someone are completely unique. First name? No. Last name? No. First name plus last name? No. Social Security number? Pretty much, but there is a privacy issue. One possible answer is to make the user ID a derivative of the unique field from the authoritative source. This could be based on the social security number or employee ID number, but not actually use the number itself. Perhaps the person’s first and last initials plus employee ID number could be used.

• Does not have to be tied to email address or name

One common misconception is that a user’s email address and user ID are the same thing. This is not necessarily true. While the two are linked together, they do not have to contain even remotely the same information. For example, the user ID could be a12345 while the email address associated with that could be [email protected]. The Messaging Server has the ability to assign multiple addresses to a single user ID. You must configure a primary email address at a minimum, but you can assign numerous alternate email addresses. So while user ID is a12345 and the primary email address is [email protected], it is quite possible to also assign [email protected], [email protected], and [email protected]. While there are other methods within the Messaging Server to do this, often a way to provide backward compatibility to older messaging environments is needed. An example might be that Acme University is consolidating two messaging servers into a single server. One was for faculty and staff ([email protected]) and one was for students ([email protected]). Using the alternate address capabilities, it is possible to assign [email protected] as the primary email address and [email protected] as the alternate address, so that email sent to the old address still arrives in the user’s inbox.

• Organization’s single sign on (SSO) strategy

Since one part of the system is an LDAP-compliant directory server, it can be leveraged as the beginning of an organization-wide directory and authentication server. In some organizations, efforts to consolidate sign on and authentication sources are already underway. In still others, consolidation is only a notion, and in others, it is not even being considered. Rather than implement a messaging system with one set of user IDs today, only to have to rename the user IDs a short time later, it might be good to figure out if there is an SSO strategy or project underway.

• Goal and overall design of email system

There is a significant difference between an email system designed for an ISP and one designed for an enterprise. One goal in some organizations might be email address for life. This means that the user ID and primary email address can never be reused. This is very close to the next and final issue.

• Turn over (churn) in user population

As with phone companies or cell phone companies, churn or turnover in user population is a key factor in operations in several ways. For a messaging system, it is not only an issue regarding provisioning method determination (that is, web interface versus CLI batch) but also reuse and provisioning of user ID and email addresses. Consider whether or not your organization has a 25 percent change in user population each year. That means in four years almost every user ID and email address in the messaging system will no longer be valid. If you have a jsmith user ID that is [email protected] email address, how soon will it be before you reuse this address and user ID?

Sample Data File

For the samples, the user ID is derived from the person’s first and last name—using a person’s first initial plus their last name, so John B. Smith gets the user ID of jsmith. Should that user ID already exist in the system, you must add the person’s middle initial. So, the user ID would be jbsmith if jsmith already exists. If this fails, the help desk can manually create the user ID in the system from the exception log.

This example can easily be extended further with the first two initials of the first name, plus the middle initial, plus the last name, but we kept the example short to make it easier to understand.

So now you know that you need the action flags, the person’s first name, the middle initial, and the last name. You can also add the person’s phone number to the directory for the user to make the directory slightly more useful. As for the user’s email address, use a simple view here and configure the email address with the user ID. So user jsmith’s email address is [email protected]. This could as easily have been set to [email protected].

ADD,Dave,,Pickens
ADD,Steve,D,Thomas
ADD,Steve,B,Thomas
ADD,Paul,B,Smith
OFF,pbunyan
ON,bblueox
DEL,ssimon

You must know the person’s user ID when the person already exists in the messaging system, for operations such as DEL, ON or OFF. Assume that the user ID is available as part of the comma-delimited file in these cases.
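The user ID rule above applied to the sample data file, as an added example (this is not the book's provisioning script from ims.balius.com). It goes one step beyond the text by also implementing the extension the text mentions (first two letters of the first name, plus middle initial, plus last name) as a third fallback, and it logs anything that still collides, or any DEL/MODI/ON/OFF row naming an unknown ID, to the exception log. The mail domain acme.edu and the set of IDs already in the directory are assumptions.

```python
import csv
import io
from dataclasses import dataclass, field

# Constructed copy of the book's sample data file: the action flag, then either
# first,middle,last for ADD or the existing user ID for DEL/MODI/ON/OFF.
SAMPLE_FILE = """\
ADD,Dave,,Pickens
ADD,Steve,D,Thomas
ADD,Steve,B,Thomas
ADD,Paul,B,Smith
OFF,pbunyan
ON,bblueox
DEL,ssimon
"""

DOMAIN = "acme.edu"  # assumed mail domain; email address = user ID @ domain

# Assumed set of IDs already in the directory (constructed for the demo).
EXISTING_IDS = {"dpickens", "psmith", "pbunyan", "bblueox", "ssimon"}


@dataclass
class Plan:
    actions: list = field(default_factory=list)     # (action, user ID, email)
    exceptions: list = field(default_factory=list)  # rows for the help desk


def candidate_ids(first, middle, last):
    """Yield user ID candidates in the order the policy tries them."""
    f, m, l = first.lower(), middle.lower(), last.lower()
    yield f[:1] + l                 # jsmith
    if m:                           # no middle initial means no further fallback
        yield f[:1] + m[:1] + l     # jbsmith
        yield f[:2] + m[:1] + l     # jobsmith: the extension the text mentions


def assign_id(first, middle, last, taken):
    """Reserve and return the first unused candidate, or None if all collide."""
    for cand in candidate_ids(first, middle, last):
        if cand not in taken:
            taken.add(cand)         # later rows in the same file must not reuse it
            return cand
    return None


def build_plan(csv_text, existing_ids):
    """Turn the data file into provisioning actions plus an exception log."""
    taken = set(existing_ids)
    plan = Plan()
    for row in csv.reader(io.StringIO(csv_text)):
        if not row:
            continue
        action = row[0].strip().upper()
        if action == "ADD":
            first, middle, last = [v.strip() for v in (row[1:4] + [""] * 3)[:3]]
            uid = assign_id(first, middle, last, taken)
            if uid is None:
                plan.exceptions.append(row)   # help desk creates this one by hand
                continue
        elif action in ("DEL", "MODI", "ON", "OFF"):
            uid = row[1].strip() if len(row) > 1 else ""
            if uid not in taken:              # unknown ID: log it, do not guess
                plan.exceptions.append(row)
                continue
        else:
            plan.exceptions.append(row)       # unrecognised action flag
            continue
        plan.actions.append((action, uid, f"{uid}@{DOMAIN}"))
    return plan


if __name__ == "__main__":
    result = build_plan(SAMPLE_FILE, EXISTING_IDS)
    for act, uid, mail in result.actions:
        print(f"{act:<4} {uid:<12} {mail}")
    for row in result.exceptions:
        print("EXCEPTION:", ",".join(row))
```

With the assumed existing IDs, Dave Pickens collides on dpickens and has no middle initial, so he lands in the exception log, while the second Steve Thomas becomes sbthomas and Paul B. Smith becomes pbsmith.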

Sample Provisioning Script

A provisioning script that actually automates everything based on the sample data file is located at:

http://ims.balius.com/.

Test User Generation Script

This script generates a sample user file that can be used as input in the previous provisioning script. It differs from the sample data file in that it will create any number of unique users from 1 to n. This script can be used to create hundreds or thousands of test accounts as needed.


CODE EXAMPLE 5-5 Test User Script Usage Example

#!/bin/csh
#
# This script adds demo accounts
# password set same as user_id
if ( $#argv != 1 ) then
    echo "Wrong number of arguments"
    echo "Usage: $0 {number}"
    echo ""
    echo "where {number} is the number of test accounts to add"
    exit 1
endif

set INSTALL_DIR=/A1000/demo6789/ims52
set mailhost=sparc5-1.central.sun.com
# service administrator password used to bind as -D (demo value)
set passwd=bacon
set x=$1
cd $INSTALL_DIR/ndacli/bin
while ( $x > 0 )
    # -W is the new user's password (same as the user ID), -w the admin password
    ./imadmin user create -l test${x} -W test${x} \
        -F Test${x} -L User -D serviceadmin@$mailhost \
        -w $passwd -n $mailhost -H $mailhost
    set x = `expr $x - 1`
end

Edit the code for your specific installation. Replace the following variables:

• INSTALL_DIR is the install directory where you installed the Messaging Server.
• mailhost is the fully qualified name of the Messaging Server.

CODE EXAMPLE 5-6 Add Test User Script Error Message

sparc5-1# root@sparc5-1:/> ./add_demo_users.csh
Wrong number of arguments
Usage: ./add_demo_users.csh {number}

CODE EXAMPLE 5-7 Add Test User Completion Message

root@sparc5-1:/> ./add_demo_users.csh 10
[email protected]: create user succeeded.
[email protected]: create user succeeded.
[email protected]: create user succeeded.
[email protected]: create user succeeded.
[email protected]: create user succeeded.
[email protected]: create user succeeded.
[email protected]: create user succeeded.
[email protected]: create user succeeded.
[email protected]: create user succeeded.
[email protected]: create user succeeded.
root@sparc5-1:/>

CHAPTER 6

Software Installation and Configuration

This chapter provides information and caveats that you may need during the installation phase of the overall messaging environment. It also discusses scalability issues. For additional details, refer to the iPlanet Messaging Server Installation Guide for UNIX. The chapter discusses the pros and cons of various answers to configuration questions and installation options so that you can avoid post-installation pitfalls, whether they are related to flexibility (that is, top domain name selection in directory), scalability, availability, performance, or ease of use. Thus, this chapter covers items not found in the current documentation and conveys information that can only be learned through experience.

Now that the system or systems have been prepared by following the instructions in Chapter 4, “Installation Preparation,” on page 31, you can start the actual installation of the messaging server software. This process is relatively quick—more time is actually spent during configuration than installation.

Currently, the latest version of the Messaging Server software is 5.2, which will most likely change by the time you read this book. The Messaging Server software contains everything necessary to do a valid installation (Messaging Server, Directory Server, and Web Server software); however, it is advisable to install the latest version of the Directory Server software because the Messaging Server version 5.2 software contains an older version of the Directory Server. This adds a step or two to the install process, but it is not any more complicated than a normal installation.

This chapter covers the following topics:

• Simple Installation
• Automated Installation Script

Performing the procedures in this chapter installs the following software:

• Sun ONE Messaging Server 5.2 software
• Sun ONE Directory Server 5.1 Patch 1 software
• Sun ONE Web Server 6.0 software
• Sun ONE Messaging Server 5.2 Patch 1 software
• Sun ONE Calendar Server 5.1.1 software (optional)

You can download this software from the Sun ONE web site at:

http://wwws.sun.com.

Follow the link for downloads.

Note – Read the release notes for any last-minute operating patches required for the software. Then download and apply these to the system.

The simplest configuration, as outlined in Chapter 3, “Messaging Architectures,” on page 15, is the “messaging in a box” or everything-all-on-one server architecture.

The Messaging Server software differs slightly from the preceding list due to the addition of several administration ports, as you can see from the diagram in FIGURE 6-1.

FIGURE 6-1 Simple Architecture With Administration Ports

[Figure 6-1 is not reproduced. It shows the single server and its storage with the function-to-port assignments used in this chapter: WebMail 80, SMTP 25, POP 110, IMAP 143, LDAP 389, Messaging administrator 55555, Directory administrator 54321, Delegated administrator 88, Web server administrator 8888, Calendar server 81.]

One of the first steps in the installation process is to plan which ports will be used for the various connections. It is likely that you will elect to use the default ports for:

• SMTP—25
• POP—110
• IMAP—143
• LDAP—389

And it is likely that you will want to use:

• Webmail—80

The default port of 80 may be in use on your system for a web server. Often, web servers such as Apache are installed and configured by default.

However, several administrator ports must be configured:

• Directory Administrator Console—Java-based GUI administrator for the messaging directory
• Messaging Administrator Console—Java-based GUI Administrator for messaging
• Delegated Administrator—web-based GUI for messaging
• Web Server Administrator Console—web-based GUI for the Web Server

You can use any port that is not currently in use and does not conflict with the others listed previously. For the procedure in this chapter use:

• Messaging Administrator Server—55555
• Directory Administrator Server—54321
• Delegated Administrator Server—88
• Web Server Administrator Port—8888

If you are unsure of whether a port is in use, on UNIX systems you can check using the netstat command:

# netstat -an

Now that you have selected the ports and determined that they are not in use, the actual installation process can begin.

Simple Installation

Simple installation installs a messaging server on a single system and makes it functional for other procedures in later chapters. The procedures are:

• Creating UNIX User and Group Accounts
• Disabling SendMail
• Installing a Master Directory Server
• Preparing the Master Directory Server for Messaging
• Installing the Messaging Server
• Installing the Delegated Administrator Server
• Setting Up Messaging Accounts and Testing the Server

TABLE 6-1 lists the values required for installation.

TABLE 6-1 Values Required for Installation

Domain Name: _____________________________
Machine Name: _____________________________
Machine IP address: _____________________________
install-binaries: /temp/binaries— Create a subdirectory for each package:
    /temp/binaries/iMS    Messaging Server 5.2
    /temp/binaries/iDS    Directory Server 5.1p1
    /temp/binaries/patch  Messaging Server 5.2 Patch 1
<server-root>: /opt/SunONE/ims52
<webserver-root>: /opt/SunONE/web4ida
<iDA-Root>: /opt/SunONE/ida4msg
Directory Server User and Group: directory / SunONE
Messaging Server User and Password: mail / SunONE
Web Server for Delegated Administrator GUI User and Password: web4ida / SunONE
Configuration Administrator ID and Password: Administrator / adminpass
Directory Manager DN and Password: cn=Directory Manager / adminpass
Messaging Server Service Administrator User ID and Password: Service Administrator / adminpass
Postmaster User Account: pma@domainname
Directory Server port: 389
Messaging Server ports: SMTP 25, HTTP 80, POP3 110, IMAP4 143
Administration Server port for Messaging Server: 55555
Administration Server port for Directory Server: 54321
Delegated Administrator running on Enterprise Server port: 88
Administration Server port for Enterprise Server: 8888

Creating UNIX User and Group Accounts

A best practice is to set up a UNIX user account and group for all Sun ONE servers, and then set the permissions appropriately for the directories and files owned by that user.

1. Log in as root.

2. Issue the following command to create the Sun ONE Server group for the Solaris OE:

# groupadd SunONE

3. Issue the following commands to create the messaging server user (for Solaris):

# useradd mail
# usermod -g SunONE mail
# passwd mail
New password: SunONE
Re-enter new password: SunONE

4. Issue the following commands to create the Directory Server user for the Solaris OE:

The following examples assume csh:

# useradd directory
# usermod -g SunONE directory
# passwd directory
New password: SunONE
Re-enter new password: SunONE


5. Issue the following commands to create the web server user for the Solaris OE:

# useradd web4ida
# usermod -g SunONE web4ida
# passwd web4ida
New password: SunONE
Re-enter new password: SunONE

If your system is experiencing difficulty using these new accounts, you may have to create and specify home directories for them.

Disabling SendMail

A best practice is to stop and disable any programs running on needed ports before beginning a server installation. On most UNIX Solaris OE systems, the messaging program SendMail is running by default, which will interfere with the messaging server installation because both products want to use port 25 for SMTP. The Sun ONE Messaging Server installation program may or may not be able to disable SendMail for you. So you must manually stop SendMail and disable it from starting up on reboot.

1. Log in as root.

2. Type the following:

# /etc/init.d/sendmail stop
# ps -ef | grep sendmail

3. Determine if the sendmail daemon is running by typing:

# cat /etc/mail/sendmail.pid

This command sequence returns a process ID followed by the file path. Example:

xxx /usr/lib/sendmail -bd -q15m

4. Kill the sendmail daemon process by typing the command:

# kill -9 xxx

Where xxx is the PID returned in Step 3.

5. Issue the following command (Solaris OE) to move the SendMail configuration file to a safe place and prevent it from starting on the next system boot:

# mv /etc/rc2.d/S88sendmail /etc/rc2.d/disabled.S88sendmail

Installing a Master Directory Server

In this section, you install a master directory server that your Messaging Server software will use to store the configuration and user account information.

The products you will install are the Sun ONE Directory Server 5.1 software and the Sun ONE Server Core Components software. Messaging Server 5.2 ships with Directory Server 4.16 Patch 1, which is an older version. It is recommended that the latest version of Directory Server 5.x be used.

You will install the new Directory Server, which is separate from the one that is packaged with the Messaging Server software. That Directory Server software has reached end of life (EOL) as discussed previously. This procedure assumes you have downloaded, uncompressed, and unpacked the installation download files in the install-binaries directory.

In the instructions that follow, you must enter the values that appear in boldface (in the listings below, the value shown after each prompt). For all other values, just accept the defaults by pressing Enter.

1. Change directories to the location of the directory server software:

# cd install-binaries/iDS

Example:

# cd /temp/binaries/iDS


2. Run the installer executable from the command line:

# ./setup

3. Install the directory server for messaging by answering the prompts as follows:

Would you like to continue with installation? [Yes]:
Select the component you want to install [1]:
Choose an installation type [2]: 3
Install location [/usr/iplanet/servers]: /opt/SunONE/ldap
Specify the components you wish to install [All]:
Specify the components you wish to install [1, 2, 3]:
Specify the components you wish to install [1, 2]:
Specify the components you wish to install [1, 2]:
Computer name [hostname.yourdomain.com]:
System User [nobody]: directory
System Group [nobody]: SunONE
Do you want to register this software with an existing
iPlanet configuration directory server? [No]:
Do you want to use another directory to store your data? [No]:
Directory server network port [389]:
Directory server identifier [hostname]: hostname
administrator ID admin:
Password: adminpass
Password (again): adminpass
Suffix [dc=foo, dc=com]: o=isp
Directory Manager DN [cn=Directory Manager]:
Password: adminpass
Password (again): adminpass
Do you want to install the sample entries? [No]:
Type the full path and filename, the word suggest, or the word none [suggest]:
Do you want to disable schema checking? [No]:
Administration port [33530]: 54321
IP address [ ]: your_ip_address
Run Administration Server as [root]:

4. You should see the following output:

Extracting Sun One core components...[......]

5. Go to the /opt/SunONE/ldap directory and type startconsole to begin managing your servers.


Preparing the Master Directory Server for Messaging

In this section, you will run the ims_dssetup.pl utility to prepare the master directory server for messaging. This perl script adds the additional directory objects necessary for the messaging server to store user preferences and so forth in the directory. Without this, the messaging server cannot operate correctly.

To prepare the Master Directory for messaging:

1. Change directories to the location of the messaging server software:

# cd install-binaries/iMS

Example:

# cd /temp/binaries/iMS

2. Run the ims_dssetup utility from the command line:

# ./ims_dssetup

3. Prepare the directory server for messaging by answering the prompts as follows:

Do you want to continue [y]: y
Directory server root [/usr/netscape/server4] : /opt/SunONE/ldap
Please select a directory server instance from the following list:
Which instance do you want [1]: 1
Will this directory server be used for users/groups for iMS [Yes]: Yes
Please enter the DC Tree base suffix [o=internet]:
Please enter the Users/Groups base suffix [o=your.domain.com] : o=isp
Do you want to update the schema files [yes]: yes
Do you want to configure new indexes [yes]: yes
Please enter the schema directory [msg/config]:
Please enter the directory manager DN [cn=Directory Manager]:
Password: adminpass
Do you want to continue [y]: y

You should see the following output:

Welcome to the iMS Directory Server preparation tool.

This tool prepares your directory server for iPlanet Messaging Server install.

Here is a summary of the settings that you chose:

Server Root : /sunone/demo/ids51
Server Instance : slapd-sparc5-3
Users/Groups Directory : yes
Update Schema : yes

DC Root : o=internet

User/Group Root : o=isp

Add New Indexes : yes

Schema Directory : ./config

Directory Manager DN : cn=Directory Manager

Stopping Directory Server

Updating Schema files...

Starting Directory Server

 Adding Suffixes... and turning off uid uniqueness plugins

 Adding naming context o=internet

adding new entry cn="o=internet",cn=mapping tree,cn=config

adding new entry cn=internetdb,cn=ldbm database,cn=plugins,cn=config

 Adding naming context o=pab

adding new entry cn="o=pab",cn=mapping tree,cn=config

adding new entry cn=pabdb,cn=ldbm database,cn=plugins,cn=config

 Adding Indexes...

adding new entry cn=inetUserStatus,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config

adding new entry cn=db2index_2003_4_15_16_6_4, cn=index, cn=tasks, cn=config

modifying entry cn=mail,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config

adding new entry cn=db2index_2003_4_15_16_6_7, cn=index, cn=tasks, cn=config

modifying entry cn=mailHost,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config

adding new entry cn=db2index_2003_4_15_16_6_10, cn=index, cn=tasks, cn=config


adding new entry cn=inetMailGroupStatus,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config

adding new entry cn=db2index_2003_4_15_16_6_13, cn=index, cn=tasks, cn=config

adding new entry cn=modifytimestamp,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config

adding new entry cn=db2index_2003_4_15_16_6_17, cn=index, cn=tasks, cn=config

adding new entry cn=mailUserStatus,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config

adding new entry cn=db2index_2003_4_15_16_6_20, cn=index, cn=tasks, cn=config

adding new entry cn=createtimestamp,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config

adding new entry cn=db2index_2003_4_15_16_6_23, cn=index, cn=tasks, cn=config

adding new entry cn=ou,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config

adding new entry cn=db2index_2003_4_15_16_6_26, cn=index, cn=tasks, cn=config

adding new entry cn=cosspecifier,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config

adding new entry cn=db2index_2003_4_15_16_6_29, cn=index, cn=tasks, cn=config

adding new entry cn=mailEquivalentAddress,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config

adding new entry cn=db2index_2003_4_15_16_6_32, cn=index, cn=tasks, cn=config

modifying entry cn=mailAlternateAddress,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config

adding new entry cn=db2index_2003_4_15_16_6_35, cn=index, cn=tasks, cn=config

adding new entry cn=dc,cn=index,cn=internetdb,cn=ldbm database,cn=plugins,cn=config

adding new entry cn=db2index_2003_4_15_16_6_38, cn=index, cn=tasks, cn=config

adding new entry cn=modifytimestamp,cn=index,cn=internetdb,cn=ldbm database,cn=plugins,cn=config

adding new entry cn=db2index_2003_4_15_16_6_42, cn=index, cn=tasks, cn=config

adding new entry cn=createtimestamp,cn=index,cn=internetdb,cn=ldbm database,cn=plugins,cn=config

adding new entry cn=db2index_2003_4_15_16_6_45, cn=index, cn=tasks, cn=config

adding new entry cn=inetDomainBaseDN,cn=index,cn=internetdb,cn=ldbm database,cn=plugins,cn=config

adding new entry cn=db2index_2003_4_15_16_6_48, cn=index, cn=tasks, cn=config

adding new entry cn=inetCanonicalDomainName,cn=index,cn=internetdb,cn=ldbm database,cn=plugins,cn=config

adding new entry cn=db2index_2003_4_15_16_6_51, cn=index, cn=tasks, cn=config

adding new entry cn=mailDomainStatus,cn=index,cn=internetdb,cn=ldbm database,cn=plugins,cn=config

adding new entry cn=db2index_2003_4_15_16_6_54, cn=index, cn=tasks, cn=config


adding new entry cn=mailRoutingHosts,cn=index,cn=internetdb,cn=ldbm database,cn=plugins,cn=config

adding new entry cn=db2index_2003_4_15_16_6_58, cn=index, cn=tasks, cn=config

adding new entry cn=inetDomainStatus,cn=index,cn=internetdb,cn=ldbm database,cn=plugins,cn=config

adding new entry cn=db2index_2003_4_15_16_7_1, cn=index, cn=tasks, cn=config

adding new entry cn=modifytimestamp,cn=index,cn=pabdb,cn=ldbm database,cn=plugins,cn=config

adding new entry cn=db2index_2003_4_15_16_7_4, cn=index, cn=tasks, cn=config

adding new entry cn=createtimestamp,cn=index,cn=pabdb,cn=ldbm database,cn=plugins,cn=config

adding new entry cn=db2index_2003_4_15_16_7_7, cn=index, cn=tasks, cn=config

adding new entry cn=memberOfPAB,cn=index,cn=pabdb,cn=ldbm database,cn=plugins,cn=config

adding new entry cn=db2index_2003_4_15_16_7_10, cn=index, cn=tasks, cn=config

adding new entry cn=memberOfManagedGroup,cn=index,cn=pabdb,cn=ldbm database,cn=plugins,cn=config

adding new entry cn=db2index_2003_4_15_16_7_13, cn=index, cn=tasks, cn=config

adding new entry cn=memberOfPABGroup,cn=index,cn=pabdb,cn=ldbm database,cn=plugins,cn=config

adding new entry cn=db2index_2003_4_15_16_7_17, cn=index, cn=tasks, cn=config

adding new entry cn=un,cn=index,cn=pabdb,cn=ldbm database,cn=plugins,cn=config

adding new entry cn=db2index_2003_4_15_16_7_20, cn=index, cn=tasks, cn=config

 Adding PAB and DC root...

adding new entry o=pab

adding new entry o=internet

root@sparc5-3:/stuff/test/messaging/solaris/iMS/msg #

M Installing the Messaging Server

To install the Messaging Server:

1. Change directories to the location of the Messaging Server software:

# cd install-binaries/iMS

Example:

# cd /temp/binaries/iMS

2. Run the installer executable from the command line:

# ./setup

3. Install the Messaging Server by answering the prompts as follows:

Would you like to continue with setup? [Yes]:
Do you agree to the license terms? [No]: yes
Please select the component you want to install [1]:
Choose your installation type [2]:
Server root [/usr/iplanet/server5]: /opt/SunONE/ims52
Specify the components you wish to install [All]: 1,3,4
Specify the components you wish to install [1, 2, 3]:
Specify the components you wish to install [1, 2]:
Specify the components you wish to install [1, 2]:
Specify the components you wish to install [1, 2, 5]:
Computer name [<hostname>.<netscape.com>]: hostname.<groupdomain>
System User [nobody]: mail
System Group [nobody]: SunONE
Do you want to register this software with an existing Netscape configuration directory server? [No]:
Password (again): admin
Suffix [o=<domainname>]: o=isp
Directory Manager DN [cn=Directory Manager]:
Password: adminpass
Password (again): adminpass
Administration Domain [<domainname>]:
Administration port [25640]: 55555
Run Administration Server as [root]:
User Name [SunONE]: mail
Default Domain [<domainname>]: <groupdomain>
Default Organization DN [o=<domainname>, o=isp]: o=groupdomain, o=isp
Host Name [hostname.domainname]:
Port [80]: 80
Will the Messaging Server use a Smart Host [2]:
User ID [ServiceAdmin]:
User Password: adminpass
Confirm Password: adminpass
Email Address: pma@groupdomain

The following messages are displayed:

Extracting Netscape core components...
Extracting Netscape Server Family Core components...
Would you like to continue with setup? [Yes]:
[......]
Press Return to continue...

4. Go to /opt/SunONE/ims52 and type startconsole to begin managing your Messaging Server.

M Installing the Delegated Administrator Server

To install the Delegated Administrator Server, perform the following procedures:

I Installing the Enterprise Web Server

I Installing the Delegated Administrator

M Installing the Enterprise Web Server

You will install Sun ONE Enterprise Web Server 6.0 software. This software is required to run the Delegated Administrator.

Make sure the webserver-root value you use in the following procedure is different from the server-root you used previously for the messaging and directory servers.

1. Change directories to the location of the Sun ONE Enterprise Web Server 6.0 software installation binaries:

# cd install-binaries/ES

Example:

# cd /temp/binaries/iMS/solaris/ES

2. Run the setup program:

# ./setup

3. Install the Web Server by answering the prompts as follows:

Would you like to continue with installation? [Yes]:
Do you agree to the license terms? [No]: yes
Choose an installation type [2]:
Install location [/usr/netscape/server4]: /opt/SunONE/web4ida

Specify the components you wish to install [All]:
Specify the components you wish to install [1, 2, 3, 4, 5, 6, 8]:
Computer name [<hostname>.<domain>]:
System User [nobody]: web4ida
System Group [nobody]: SunONE
Run iWS Administration Server as [root]:
iWS Admin Server User Name [admin]:
iWS Admin Server Password: adminpass
iWS Admin Server Password (again): adminpass
iWS Admin Server Port [8888]: 8888
Web Server Port [80]: 88
Do you want to register this with an existing Directory Server [No]:
Web Server Content Root [/opt/SunONE/web4ida/docs]:
Do you want to use your own JDK [No]:
Extracting Server Core...
[......]
Press Return to continue...

4. Start the Administration Server by typing:

# webserver-root/https-admserv/start

Example:

# /opt/SunONE/web4ida/https-admserv/start

5. Start the Web Server by typing:

# webserver-root/https-hostname.domain/start

Example:

# /opt/SunONE/web4ida/https-acme.edu/start

M Installing the Delegated Administrator

You can now install the Delegated Administrator.

1. Change the directory to the location of the Delegated Administrator installation binaries:

# cd install-binaries/iDA

Example:

# cd /temp/binaries/iMS/solaris/iDA

2. Run the setup program:

# ./setup

3. Install the Delegated Administrator graphical user interface (GUI) by answering the prompts as follows:

Would you like to continue with installation? [Yes]:
Do you agree to the license terms? [No]: yes
Install location [/usr/netscape/ida10]: /opt/SunONE/ida4msg
Manage Messaging Server [No]: yes
Specify Host Name [hostname.domainname]:
Specify Admin URL: http://hostname.domain:88/
Specify CGI Path [msg-<hostname>/Tasks/operation]:
Manage Calendar Server [No]:
Specify Enterprise server config directory: <webserver-root>/https-hostname.domain/config
Specify LDAP URL: ldap://hostname.domain:389
Specify Directory Manager [cn=Directory Manager]:
Password: adminpass
Specify Suffix: o=isp
This suffix is already present in the directory.
Continue without installing iDA information in the directory? [No]: yes
Specify DC Suffix [o=internet]:
Specify Suffix [o=isp]:

The following messages will be displayed:

Extracting Netscape core components...
Extracting iPlanet Delegated Administrator for Messaging...
Restarting Enterprise Server
Connecting netscape browser to http://<hostname>.<domainname>:88/nda/start.htm
Press Return to continue...<Return>

Your Netscape browser may or may not actually start depending upon your specific installation. If it does not start, open your browser and manually enter the URL listed in the output.

M Setting Up Messaging Accounts and Testing the Server

The purpose of this section is to test your Messaging Server. To do this, perform the following procedures:

I Creating a Postmaster User Account

I Creating Test Accounts

I Verifying Your Messaging Server Works Using WebMail

You must add and manage users through the Delegated Administrator, which you should now be running on port 88. You can either use the web interface, or the command-line utilities that ship with the messaging product.

Here, you will use the command-line utility imadmin. The minimum format for adding messaging users to specific messaging hosts is:

# imadmin user create -D admin_id -w admin_password -l users_uid -n users_domain -W users_password -F users_firstname -L users_lastname -H users_messaging_server

M Creating a Postmaster User Account

When you installed the Messaging Server, a postmaster group was automatically created in the directory for you. During installation, you specified a unique member of the group (pma@domainname) that will receive errors and other notices from the Messaging Server. Now you must actually create this user so these notices can be delivered and read. To set up this user account:

1. From a shell window of any of your messaging machines, change to the Delegated Administrator command-line utilities directory:

# cd server-root/ndacli/bin

Example:

# cd /opt/SunONE/web4ida/ndacli/bin


2. Create the postmaster user account:

# ./imadmin user create -D serviceadmin@domainname -w adminpass -l pma -n domainname -W adminpass -F Postal -L Worker -H hostname.domainname

Example:

# ./imadmin user create -D [email protected] -w adminpass -l pma -n mail.acme.edu -W adminpass -F Postal -L Worker -H acme.edu

You should see a message like the following:

[email protected]: create user succeeded.

M Creating Test Accounts

Using the command-line utility as in the previous section, create some test accounts that you can use to test your messaging system.

1. From a shell, change directories to the Delegated Administrator command-line utilities:

# cd server-root/ndacli/bin

Example:

# cd /opt/SunONE/web4ida/ndacli/bin

2. Create a user account (test1):

# ./imadmin user create -D serviceadmin@domainname -w adminpass -l test1 -n <groupdomain> -W testpass -F Test -L Account1 -H hostname.domainname

Example:

# ./imadmin user create -D [email protected] -w AdminPass -l test1 -n acme.edu -W userpasswd -F Test -L Account1 -H mail.acme.edu


You should see a confirmation message like the following:

[email protected]: create user succeeded.

3. Repeat the preceding process for test2 through test5.

4. Create a user account (calmaster):

# ./imadmin user create -D serviceadmin@domainname -w adminpass -l calmaster -n domainname -W adminpass -F Calendar -L Account -H hostname.domainname

You have created this test user account for a supplemental lesson on installing a Sun ONE Calendar Server. The calmaster account is required for Calendar Server installation at a later time.

M Verifying Your Messaging Server Works Using WebMail

You should now be able to log into the Messaging Server using the test accounts and send messages.

1. Launch your web browser or bring up a new browser window.

2. Go to your server’s web mail location:

http://hostname.domainname

3. Enter the Username (test1, test2, test3, test4, or test5) and Password (testpass) for each server’s test account and press return or click Login.

4. Click Compose and compose a message to test1, test2, test3, test4, and test5. Click Send when you are done.

5. Read the messages by clicking Get Mail.

When you have successfully sent and retrieved messages from each messaging account on each server, you are done. Congratulations, your Messaging Server works. For information regarding configuring your new Messaging Server, see Chapter 8, “Advanced Messaging Client Configuration,” on page 103.


Note – Referring to FIGURE 6-2, why were the organizations o=Internet for the DC tree and o=isp used as part of the User/Group tree? Using o=Internet at the top level allows you to host unrelated domains such as both acme.edu and baker.com. Including o=isp as part of the User/Group tree allows a flat name space (if desired) so Joe Smith’s user ID of jsmith is used only once across all domains.

FIGURE 6-2 DC Tree and UG Organization Tree

Automated Installation Script

To shortcut the preceding process and make things consistent, an installation script that automates the install process is available from Sun. You can obtain this script and instructions from:

http://ims.balius.com/.

Note – No warranty is given; by downloading you accept this script as is.


You still must download the directory and messaging server binaries separately, and uncompress and unpack them.


CHAPTER 7

Message Transfer Agent Configuration


This chapter provides best practices and techniques regarding the setup and configuration of the Message Transfer Agent (MTA) component within the Messaging Server. Due to its complexity, this is an area that can cause significant issues related to security as well as basic functionality. This section dissects the default “out-of-the-box” MTA configuration file to provide a starting point for the reader. Many users of the previous versions of Sun Internet Mail Server (SIMS) or Netscape Messaging Server (NMS) had never seen an Innosoft PMDF product MTA configuration file. Therefore, this area is very intimidating and confusing. This chapter addresses some typical changes in plain English. For a more detailed discussion of issues such as antivirus checking and antispam processing, refer to “Virus Scanning” on page 198 and “Antispam” on page 199.

This chapter contains a brief overview of the MTA and covers the following topics:

I Changing the Mappings

I Direct LDAP Lookup

I Adding New Domains to the MTA

I SMTP Authentication

First, a little history of the MTA that is within the Messaging Server. In March 2000, Sun Microsystems purchased a software company called Innosoft International. Innosoft International was the vendor of a mail product called PMDF. PMDF ran on a variety of platforms including the Solaris OE and VMS and was well respected with regard to performance, stability, scalability, and security.

During the course of the next two years, Sun integrated PMDF into the current version of the messaging product, starting with Messaging Server v5.0. But even before that, Sun had OEMed the MTA portion of the PMDF product and it is used in SIMS versions 3.5 and 4.0. So people have seen some of the PMDF configuration files in disguise. Administrators who are familiar with PMDF will feel right at home. Those who are not familiar with PMDF will have a little bit of a learning curve to climb.

PMDF was more than just the MTA; it had a message store (it was actually two message stores on VMS, and two on UNIX, one native, and one also based on the Carnegie Mellon University Cyrus mail program). It is a mail interconnect that talks many protocols, such as X.400, and talks to many PC mail systems. The MTA is where 50 percent of the configuration and options are within the mail system—it touches every single message that comes into or goes out of the messaging system.

Now for some basics...

Some people may be familiar with the term MTA. In reality, this is fancy terminology for message router.

According to the Telecom Glossary 2000:


message transfer agent (MTA): An OSI application process used to store and forward messages as described in the X.400 message handling system; synonym Internet, also known as a mail agent.

Just as an Ethernet router makes sure packets go where they are supposed to go and keeps them from going where they are not supposed to go, the MTA performs this function for messaging systems. One of the key points to note in the definition is “store and forward.” The MTA does not simply forward or route, but stores a copy locally until it is sure that it has passed the message along or rejected it.

The basic MTA function of receiving and forwarding messages is performed in conjunction with information found in the directory. The MTA is a standalone daemon, and while required on the mail store, it can actually run by itself on a separate server. See Chapter 3, “Messaging Architectures,” on page 15.

Out of the box the MTA is pretty plain, yet secure, in its configuration. However, there are several changes that organizations frequently make.

Typical changes include:

I Changing the definition (mapping) of what is local and what is not local

I Enabling direct LDAP lookup

I Accepting alternative domains

I Requiring SMTP authentication

I Rewriting domains

Changing the Mappings

This change opens up what is considered local and what is not local:

/msgHome/msg-Instance/imta/config/mappings

where msgHome is the directory where the messaging software was installed, and Instance is the name of the messaging instance (install), often the hostname (short host name).

If you look at the file, one section determines which IP addresses are to be considered internal:

INTERNAL_IP

  $(129.152.159.131/32)  $Y
  127.0.0.1  $Y
  *  $N

This file prevents people from using this server to relay messages via SMTP without authenticating as valid users.

Note – Mapping and other MTA configuration files are very picky regarding formatting, including line spacing and indentation. Consult the documentation for details.

The three lines indicate that:

I The subnet 129.152.159.131 with a bitmask of 32 (255.255.255.255) is considered internal; a /32 covers that single address, so nothing else is on that subnet.

I The IP address 127.0.0.1 is considered internal ($Y = YES)

I Anything else (* wildcard) is not internal ($N = NO)

By changing the line for the subnet, you can open the ability to relay through this server. This change is useful for small environments and demonstrations, but must be carefully examined in large environments.

  $(129.152.159.131/24)  $Y

The MTA must be restarted to pick up or initialize this change:

# su root
# cd /<msg-Home>/msg-<Instance>
# ./imsimta cnbuild
# ./imsimta restart dispatcher

Now the entire subnet of 129.152.159.xxx can use this MTA for relaying messages.

Note – Alternatively, you could use imsimta refresh, which combines the imsimta cnbuild and imsimta restart commands into a single command.
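As an added check (example code written for this section, not from the book or from the Messaging Server product), the following Python evaluates an INTERNAL_IP table the way the text above describes it, first matching entry wins, so the effect of widening the /32 entry to /24 can be reviewed before a live mappings file is edited. The table text and client addresses are constructed, and the assumption that $(addr/bits) masks the address is mine.

```python
"""Emulate first-match evaluation of an INTERNAL_IP mapping table.

Added example, not code from the book or the product. Only the entry
forms that appear on this page are understood: $(addr/bits), a literal
IPv4 address and the * wildcard.
"""
import ipaddress
import re

# Constructed copy of the three-line table shown above.
INTERNAL_IP_BEFORE = """INTERNAL_IP

  $(129.152.159.131/32)  $Y
  127.0.0.1  $Y
  *  $N
"""

# The same table with the subnet entry widened to /24, as the text suggests.
INTERNAL_IP_AFTER = INTERNAL_IP_BEFORE.replace("/32", "/24")

# One indented entry: a pattern, whitespace, then $Y or $N.
_ENTRY = re.compile(r"^\s+(\S+)\s+\$([YN])\s*$")


def parse_internal_ip(text):
    """Return the ordered (pattern, is_internal) entries of the table."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.strip() == "INTERNAL_IP":
            continue  # table name and blank lines carry no rule
        m = _ENTRY.match(line)
        if m is None:
            raise ValueError("unrecognised mapping entry: %r" % line)
        pattern, flag = m.groups()
        rules.append((pattern, flag == "Y"))
    return rules


def _matches(pattern, ip):
    if pattern == "*":
        return True
    if pattern.startswith("$(") and pattern.endswith(")"):
        # Assumption: $(addr/bits) masks addr, so host bits are ignored;
        # strict=False gives ipaddress the same behaviour.
        net = ipaddress.ip_network(pattern[2:-1], strict=False)
        return ip in net
    return ip == ipaddress.ip_address(pattern)


def is_internal(addr, rules):
    """First matching entry decides, as in an MTA mapping table."""
    ip = ipaddress.ip_address(addr)
    for pattern, internal in rules:
        if _matches(pattern, ip):
            return internal
    return False  # nothing matched: treat the client as external


def relay_without_auth(addr, table_text):
    """True when a client at addr is treated as internal by this table."""
    return is_internal(addr, parse_internal_ip(table_text))


if __name__ == "__main__":
    for client in ("129.152.159.131", "129.152.159.5",
                   "127.0.0.1", "192.0.2.10"):
        print(client,
              "before:", relay_without_auth(client, INTERNAL_IP_BEFORE),
              "after:", relay_without_auth(client, INTERNAL_IP_AFTER))
```

Running it shows that 129.152.159.5 is external under the /32 table and internal under the /24 table, which is exactly the set of hosts the change lets relay unauthenticated.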

Direct LDAP Lookup

Prior to version 5.1 of the messaging software, the MTA did not have the ability to directly look up information in the Directory Server via LDAP. Rather, the MTA had a small cache of information, such as user IDs and mail addresses, that was periodically synchronized against the Directory Server. This was originally done when Directory Server performance was not as good as it is today. Now that the Directory Server is able to keep up with the requests from the Message Server, the MTA’s cache is redundant and becomes a bottleneck, as well as adding administrative overhead. You may also hear the term dirsync used to describe the process or the daemon that is run to synchronize the data between the Directory Server and the MTA’s cache. One reason the use of the MTA cache was abandoned is that in some situations the information in the cache would become stale, causing some interesting problems—for example, users added to the system would not appear in the MTA cache until the next dirsync was run. Password changes would not necessarily be immediately reflected either. By using direct LDAP access, these problems are avoided.

So, it is highly recommended that the MTA be configured to utilize direct LDAP lookups.

Why is it so desirable to move to direct LDAP lookups?

Dirsync was used in iPlanet Message Server and in SIMS before that for a number of reasons that were good at the time. Dirsync provides a decoupling of the messaging server from the directory infrastructure, which, in the days of SIMS 3.5, was immature (by which we mean slow and not entirely reliable). It also reflected the ancestry of the product, which had been entirely independent of LDAP.

Dirsync represented a technical compromise. Given that LDAP was slow and unreliable, the approach taken was to predigest the directory information into databases for use by the MTA. In theory, this should give better performance and independence from the directory. In practice, however, these databases have been the bane of our lives. Wherever you have persistent structured data, there is always the concern that it can become inconsistent. And when you have a long update process like dirsync, you have a very unpleasant window where a failure can lead very quickly into a situation where manual intervention is required for a restart.

Dirsync also imposes a very abnormal load on the directory. Both the incremental dirsync and full dirsync queries are difficult for the directory server, very unlike the sort of query for which the directory was designed, which is “here is an attribute/value pair, find me the matching entry.”


Since the days of SIMS, the directory technology has improved significantly. Now, the directory is very robust and much faster. The behavior of the directory is much better than the behavior of the databases used by the MTA. So the balance of the compromise is now very different. The speed of looking up a user in the directory is still too slow for the MTA to use the directory in a simplistic way, but with the inclusion of a pre-process cache for reading the directory information, we have found that the throughput in general goes up. To be fair, we can construct loads where the throughput goes way up or way down, but with a realistic load there is a net gain in throughput.

But the real win is in robustness. By going to the direct LDAP mode, you eliminate a whole set of complicated persistent data structures, replacing them with transparent ephemeral data structures. This not only eliminates a set of failure modes, but (and this is probably more important) means that the probability of needing manual intervention after any sort of incident is significantly reduced.

When Sun first introduced the direct LDAP mode, they did so more tentatively than was wise. Initial thoughts were to err on the side of caution by making dirsync the default mode for version 5.2 of the Messaging Server. In retrospect that was an error. The direct LDAP mode, after Sun had cleaned up a couple of weird corner cases, has proven far more robust and easy to deploy than they had ever hoped.

In the next release, Sun intends to make direct LDAP mode the only mode of operation now that it is known to work well. We are that satisfied with its behavior. It makes the directory deployment easier and the MTA much more stable, and makes it much easier to recover from any sort of hardware or software failure.

Already there is functionality in the area of mailing groups that is only supported in direct LDAP mode. Given that dirsync is now code with a very limited life expectancy, you can expect the developers to concentrate their efforts in the direct LDAP mode. Thus, dirsync is now more or less in maintenance mode only.

Beginning with version 5.1 of the Messaging Server, the ability to directly look up information from the Directory Server is available, though it was not well documented until version 5.2. The default, however, is that the MTA still caches information unless explicitly configured to perform this direct LDAP lookup. In future versions of the Messaging Server, the default will be direct LDAP lookup.

Four MTA configuration files must be modified to enable direct LDAP lookup:

I mappings

I job_controller.cnf

I option.dat

I imta.cnf


All of these files are in the config directory for the MTA:

/msgHome/msg-Instance/imta/config/

where msgHome is the directory where the Messaging Server software was installed, and Instance is the name of the messaging instance (install), often the hostname (short host name).

M Testing LDAP Lookup

A simple experiment can be done to demonstrate the value and verify that direct LDAP lookup works:

1. With the messaging system running, add a user via the imadmin command.

See Chapter 6, “Software Installation and Configuration,” on page 69.

2. Send a message to this user from another user’s account.

You should get a “user not found” message, or something to that effect.

3. Sync the MTA with the directory:

a. To initialize the Messaging Server MTA’s databases with information from the directory, issue the commands:

# su root
# cd /msg-Home/msg-Instance
# ./imsimta dirsync -F
# ./imsimta restart dispatcher

where msg-Home is the directory where the messaging software was installed, and Instance is the name of the messaging instance (install), often the hostname (short host name).

b. Try to send a message again.

This attempt should be successful.

c. Stop the messaging system.

d. Edit the four MTA configuration files.

Before you edit the following embedded instructions, make backup copies.

Example (options.dat):

! VERSION=1.0
! Modified by IMS administration server on: Tue Nov 12 15:08:15 EST 2002
!
! Uncomment out the next 5 lines to enable Direct LDAP mode
! ALIAS_MAGIC=8764
! ALIAS_URL0=ldap:///$V?*?sub?$R
! USE_REVERSE_DATABASE=4
! REVERSE_URL=ldap:///$V?mail?sub?$Q
! USE_DOMAIN_DATABASE=0
MISSING_RECIPIENT_POLICY=1
ALIAS_DOMAINS=6

e. Restart the messaging system.

f. Add a user using the imadmin command.

g. Send a test message as above.

This should now work without requiring the dirsync command.

Adding New Domains to the MTA

There are several ways to add new domains beyond the initial domain configured during the installation process. Each of these methods offers its own advantages and disadvantages. The recommended method to manage additional domains is via the LDAP directory as per the documentation. This provides the advantage that all MTAs in your messaging environment get the same information with one update rather than having to go to each and every MTA to manually edit the files. Additional benefits include reducing the risk of typos (for example, one of your four MTAs has a typo of edfg.com rather than defg.com) and having to restart the MTA to recognize the change. So it pays to learn to use LDAP to manage your domain names.

The following section provides some basic lessons regarding manually editing the MTA configuration files for new domains. One other change that may be necessary when configuring a standalone MTA is the ability to accept messages destined for multiple domains. By default, the MTA is configured to accept mail for the domain that was entered at the time of install. To get the MTA to accept mail destined for other domains, either internally or perhaps as a legacy compatibility issue, you must modify the imta.cnf file in the /msgHome/msg-Instance/imta/config directory.

Assuming the messaging system was originally installed for domain abcd.com, but you want it to also accept messages for efgh.com because that is the old name of the company, you can configure the MTA to recognize efgh.com as a domain name it owns. Otherwise, the MTA thinks that addresses in this domain are remote addresses and it just sends them back out to the Internet rather than looking them up in the LDAP directory. The real problem is that the addresses are not being recognized as local. To get the addresses recognized as local (and looked up in LDAP), they must match the local (l) channel.

There are several ways to get new domain names to be recognized, including simply using the Delegated Administrator interface to add a domain into the system. We will look at another way to do this manually at the MTA configuration file level for those situations where you either do not want to add the domain by using the Delegated Administrator or you cannot use the Delegated Administrator for some reason.

A rewrite rule must be added to the imta.cnf file (towards the top, among the other rewrite rules), such as:

efgh.com $U%$D@name-of-your-l-channel

where name-of-your-l-channel is the official host name (also known as the channel tag) on your local (l) channel (for example, mail.abcd.com).

Make sure to issue the commands imsimta cnbuild and imsimta restart dispatcher to make this change take effect.

One alternate option is to completely rewrite the addresses. The local parts of the addresses must be identical (for example, [email protected] and [email protected]). The upside to this option is that you do not have to have two addresses or use the alternate address field for Dave Pickens in LDAP, just the normal [email protected]. The downside to this is that you lose the information (data) regarding what domain this email was originally sent to (for example, you do not know if it was sent to [email protected] or [email protected]).

The MTA can easily rewrite efgh.com to abcd.com. So, instead of the preceding rewrite rule it would look something like:

efgh.com $U%abcd.com

If you want to change the efgh.com addresses even in the headers, or if you want to leave efgh.com visible in headers, use:

efgh.com $E$F$U%abcd.com

Modifying the imta.cnf File

Take a look at this in action:

1. Edit the imta.cnf file in the /msg-Home/msg-Instance/config directory.

Make a backup copy first.

2. Rewrite the domain abcd.com to the default domain you have installed:

abcd.com $U%name-of-your-l-channel

3. Restart the MTA.

# su root
# cd /<msg-Home>/msg-<Instance>
# ./imsimta cnbuild
# ./imsimta restart dispatcher

Alternatively, you could use imsimta refresh, which combines the imsimta cnbuild and imsimta restart commands into a single command.

4. Send a test message to an existing user, but use the abcd.com domain now, and examine the message in the user's mailbox.
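To see what the three rule variants above actually do to an address, here is an added Python model of the rewrite rules. It is example code written for this page, not part of the Messaging Server. It models only what the text uses: $U for the local part, $D for the matched domain, and user%domain@host routing to the channel whose official host is host; its reading of $E (envelope addresses only) and $F (forward-pointing, that is recipient, addresses only) is an assumption, and the sample rule sets and the l channel name mail.abcd.com are constructed for the example.

```python
"""Toy model of Sun ONE MTA domain rewrite rules (added example, not product code).

Models only what the text above uses: a rule is 'domain template', $U is the
local part, $D the matched domain, and 'user%domain@host' routes the address
to the channel whose official host is 'host'. Assumption: $E applies a rule
to envelope addresses only and $F to forward-pointing (recipient) addresses.
"""
import re
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Address:
    local: str
    domain: str
    envelope: bool = True   # False for an address taken from a message header
    forward: bool = True    # False for a sender (backward-pointing) address


RULE_RE = re.compile(r"^(\S+)\s+(\S+)$")


def parse_rules(text):
    """Parse 'pattern template' lines; '!' starts a comment, as in imta.cnf."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"malformed rewrite rule: {raw!r}")
        rules.append((m.group(1).lower(), m.group(2)))
    return rules


def apply_template(template, addr):
    """Expand one template for one address.

    Returns (local, domain, route_host_or_None), or None when an $E/$F control
    sequence says the rule does not apply to this kind of address.
    """
    flags, body = "", template
    while body.startswith(("$E", "$F")):
        flags, body = flags + body[:2], body[2:]
    if "$E" in flags and not addr.envelope:
        return None
    if "$F" in flags and not addr.forward:
        return None
    body = body.replace("$U", addr.local).replace("$D", addr.domain)
    user_domain, _, host = body.partition("@")    # user%domain@host
    local, _, domain = user_domain.partition("%")
    return local, domain, host or None


def rewrite(addr, rules, max_passes=10):
    """Rewrite until a rule names a route host or no rule matches.

    Returns (local, domain, route_host); route_host is None when the final
    domain matched no applicable rule (the MTA then treats it as remote).
    """
    current = addr
    for _ in range(max_passes):
        for pattern, template in rules:
            if pattern != current.domain.lower():
                continue
            result = apply_template(template, current)
            if result is None:
                continue            # excluded by $E/$F; try the remaining rules
            local, domain, host = result
            if host is not None:
                return local, domain, host
            current = replace(current, local=local, domain=domain)
            break                   # domain changed: run the rules again
        else:
            return current.local, current.domain, None
    raise RuntimeError("rewrite rules loop without reaching a channel")


def channel_for(route_host, local_channel):
    """Routed to the l channel's official host means local; anything else,
    including an unmatched domain, goes back out via tcp_local."""
    if route_host is not None and route_host.lower() == local_channel.lower():
        return "l"
    return "tcp_local"


# Constructed sample configurations; mail.abcd.com plays name-of-your-l-channel.
LOCAL_CHANNEL = "mail.abcd.com"
INSTALL_ONLY = "abcd.com $U%$D@mail.abcd.com"
KEEP_DOMAIN = INSTALL_ONLY + "\nefgh.com $U%$D@mail.abcd.com"
FOLD_DOMAIN = INSTALL_ONLY + "\nefgh.com $U%abcd.com"
FOLD_ENVELOPE_ONLY = INSTALL_ONLY + "\nefgh.com $E$F$U%abcd.com"


def route(local, domain, rules_text, header=False):
    """Convenience wrapper: (local, domain, channel) for one address."""
    addr = Address(local, domain, envelope=not header)
    l, d, host = rewrite(addr, parse_rules(rules_text))
    return l, d, channel_for(host, LOCAL_CHANNEL)


if __name__ == "__main__":
    for name, cfg in [("install only", INSTALL_ONLY), ("keep domain", KEEP_DOMAIN),
                      ("fold domain", FOLD_DOMAIN), ("fold envelope only", FOLD_ENVELOPE_ONLY)]:
        print(name, route("dave", "efgh.com", cfg), route("dave", "efgh.com", cfg, header=True))
```

With only the install-time rule, dave@efgh.com matches nothing and is routed to tcp_local, which is the "sent back out to the Internet" failure described above. The $U%$D form keeps efgh.com in the delivered address while routing it to the l channel; the $U%abcd.com form folds it into abcd.com for envelope and header addresses alike; with $E$F only the envelope recipient is folded and the header address keeps efgh.com.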

SMTP Authentication

By default on the Messaging Server, users need not submit a password when they connect to the SMTP service of the Messaging Server to send a message. (We do not force SMTP AUTH.)

Authenticated SMTP is an extension to the SMTP protocol that allows clients to authenticate to the server. The authentication accompanies the message. The primary use of authenticated SMTP is to allow local users who are traveling (or using their home ISP) to submit mail (relay mail) without creating an open relay that others can abuse. The AUTH command is used by the client to authenticate to the server.


You can use authenticated SMTP with or without SSL encryption.

The maysaslserver, mustsaslserver, nosasl, nosaslserver, switchchannel, and saslswitchchannel channel keywords are used to configure Simple Authentication and Security Layer (SASL) SMTP AUTH during the SMTP protocol by SMTP channels such as Transmission Control Protocol/Internet Protocol (TCP/IP) channels. The nosasl keyword is the default and means that SASL authentication is not permitted or attempted. It subsumes nosaslserver, which means that SASL authentication is not permitted. Specifying maysaslserver causes the SMTP server to permit clients to attempt to use SASL authentication. Specifying mustsaslserver causes the SMTP server to insist that clients use SASL authentication; the SMTP server does not accept messages unless the remote client successfully authenticates.

Examining the imta.cnf File

Examine the imta.cnf file found in the /msgHome/msg-Instance/imta/config/ directory as follows:

1. Locate the section titled “! part II : channel blocks.”

2. Look for the “! tcp_local channel.”

You might think that mustsaslserver would be appropriate to lock down the messaging system and require SMTP AUTH. However, this is not quite the case. Let us examine this from the Internet side of things. Do other messaging systems sending email to you have logins and passwords? No. So mustsaslserver will require everyone using the MTA to authenticate.

So, why is the MTA configured with the maysaslserver, and would that not leave the MTA open for relaying?

The keyword maysaslserver allows for both unauthenticated and authenticated SMTP connections and traffic. The key here is what happens after someone successfully authenticates. Previously, we discussed the concept of what is considered internal and what is not when looking at the mappings file. By authenticating, the MTA now treats this connection as internal. Unauthenticated connections and traffic are considered external unless something in the mappings file indicates otherwise (for example, they are on a specific subnet or from a specific IP address).

Does this leave the MTA open for relaying? No, you must be submitting a message for a valid user on the system or you must have authenticated to relay to external mail systems.
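The two checks a practitioner would want from this discussion are (a) which SASL keyword is actually in effect on the tcp_local channel block, and (b) whether the resulting relay rule leaves the MTA open. The following Python is an added example, not Messaging Server code: the imta.cnf "part II" excerpt it parses is constructed for the example in the layout the file uses (one channel per block, keywords possibly spanning lines, the official host name on the last line), the internal network 10.0.0.0/8 and the local domains are constructed, and the relay function checks the recipient domain only, not that the user exists, which the real MTA also verifies.

```python
"""Added example (not Messaging Server code): read the SASL posture of the
tcp_local channel from an imta.cnf 'part II' excerpt and evaluate the relay
rule the text describes."""
import ipaddress
import re

SASL_KEYWORDS = {"nosasl", "nosaslserver", "maysaslserver", "mustsaslserver"}

# Constructed excerpt in the layout of imta.cnf part II: each block is one
# channel, keywords may continue on indented lines, the last line is the
# official host name. Real blocks carry more keywords than shown here.
CHANNEL_BLOCKS = """\
! part II : channel blocks
l subdirs 20 maxjobs 7 pool LOCAL_POOL
mail.abcd.com

! tcp_local channel
tcp_local smtp mx single_sys remotehost switchchannel subdirs 20 maxjobs 7
 pool SMTP_POOL maytlsserver maysaslserver saslswitchchannel tcp_intranet
tcp-daemon

tcp_intranet smtp mx single_sys subdirs 20 maxjobs 7 pool SMTP_POOL
 maytlsserver allowswitchchannel
tcp_intranet-daemon
"""


def parse_channel_blocks(text):
    """Return {channel: (keywords, official_host)}; '!' lines are comments."""
    blocks = {}
    for chunk in re.split(r"\n[ \t]*\n", text.strip()):
        lines = [ln for ln in chunk.splitlines()
                 if ln.strip() and not ln.lstrip().startswith("!")]
        if len(lines) < 2:
            continue
        tokens = " ".join(lines[:-1]).split()
        blocks[tokens[0]] = (frozenset(tokens[1:]), lines[-1].strip())
    return blocks


def sasl_mode(keywords):
    """The SASL keyword in effect; nosasl is the default when none is set."""
    found = SASL_KEYWORDS & keywords
    if len(found) > 1:
        raise ValueError(f"conflicting SASL keywords: {sorted(found)}")
    return found.pop() if found else "nosasl"


def audit_tcp_local(blocks):
    """Findings for the Internet-facing channel, following the text's reasoning."""
    keywords, _host = blocks["tcp_local"]
    mode = sasl_mode(keywords)
    findings = []
    if mode == "mustsaslserver":
        findings.append("mustsaslserver on tcp_local: remote MTAs have no "
                        "credentials, so inbound Internet mail will be refused")
    if mode in ("nosasl", "nosaslserver"):
        findings.append("tcp_local offers no SMTP AUTH: travelling users "
                        "cannot authenticate, so they cannot relay")
    return mode, findings


def relay_decision(authenticated, client_ip, recipient_domain,
                   local_domains, internal_networks):
    """'accept' for mail to a local domain, 'relay' for authenticated or
    internal senders, 'reject' otherwise (the would-be open-relay case).
    Domain check only; the real MTA also requires the recipient to exist."""
    if recipient_domain.lower() in local_domains:
        return "accept"
    if authenticated:
        return "relay"          # an authenticated connection counts as internal
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in internal_networks):
        return "relay"          # internal per the mappings file
    return "reject"


# Constructed policy inputs for the example.
LOCAL_DOMAINS = {"abcd.com", "efgh.com"}
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

if __name__ == "__main__":
    print(audit_tcp_local(parse_channel_blocks(CHANNEL_BLOCKS)))
    for auth, ip, dom in [(False, "198.51.100.7", "abcd.com"),
                          (False, "198.51.100.7", "example.net"),
                          (True, "198.51.100.7", "example.net"),
                          (False, "10.1.2.3", "example.net")]:
        print(auth, ip, dom, relay_decision(auth, ip, dom, LOCAL_DOMAINS, INTERNAL_NETWORKS))
```

The audit reports nothing for the maysaslserver block above, flags mustsaslserver on tcp_local for the reason the text gives (remote MTAs cannot log in), and flags nosasl because it strands travelling users. The relay table shows that an unauthenticated Internet client is only ever accepted for a local domain.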


CHAPTER 8

Advanced Messaging Client Configuration


One of the most overlooked features of IMAP-based messaging systems is the ability to share folders between users. This feature provides the solution to several issues faced in organizations:

- Administrator needs access to boss's mailbox while his boss is traveling.

- Email must be covered while someone is on vacation.

- Group needs to coordinate files and emails for a project.

- System-wide template folders and miscellaneous mailboxes must be accessible by everyone.

The Messaging Server provides the ability to share folders. This feature can be used by most IMAP clients such as Netscape Communicator or Outlook Express. The native web mail interface that is part of the Messaging Server also provides the ability to use and access shared folders.

One interesting point is that direct delivery to a shared folder or user folder is permitted under the mail standards. The format for this is:

user_email_address+folder_name@domain_name

Example:

[email protected]

This address delivers the email directly to Steve Student's folder called math101.

The shared folders feature is enabled by default within the Messaging Server. However, many users are not familiar enough with their client program to configure them appropriately.

This chapter provides the necessary steps and procedures for configuring shared folders for some of the more popular mail programs.

Note – Currently the Messaging Server only supports the ability to share folders within the same server and does not have the ability to share across multiple servers. Sharing across multiple servers is being considered for future releases.

This chapter covers the following key concepts and topics:

- What Is a Shared Folder?

- Supported Standards

- Limitations


What Is a Shared Folder?

A shared folder is one that you allow others to access. Several levels of access control are available. For example, in web mail, you can allow others Read only; Read and write; Read, write, and manage access; or None to your folder. None is the default. FIGURE 8-1 shows the “Permissions” you can set in web mail.

FIGURE 8-1 Web Mail Shared Folder Permissions

- Read only: Allows users to only read the messages in the shared folder.

- Read and write: Allows users to read and set flags on messages in the shared folder. It also allows users to delete messages and subfolders.

- Read, write, and manage: Allows users to read messages, set flags (setg) on the messages in the shared folder, create subfolders under the shared folder, delete the subfolders, and share the folder with others.

Note that when a subfolder is created, it inherits the permissions of its parent folder. Once the subfolder is created, changing the permissions of its parent folder has no effect on the subfolder. FIGURE 8-2 shows that you can display the folder list by clicking Folders, then selecting a folder and clicking Share.


FIGURE 8-2 Getting to the Permissions Screen

Supported Standards

The Internet RFC 2086, IMAP4 ACL Extension,

http://www.ietf.org/rfc/rfc2086.txt?number=2086,

is the standard that defines the access control lists (ACLs) used in the IMAP4 protocol. The Messaging Server has supported RFC2086 since version 5.0.

RFC2086 describes the ACL as a set of identifier and rights pairs. For our purposes, the user ID for the IMAP user is the identifier.

The standard rights defined are:

- l - lookup (mailbox is visible to LIST and LSUB commands)

- r - read (SELECT the mailbox, perform CHECK, FETCH, PARTIAL, SEARCH, COPY from mailbox)

- s - keep seen/unseen information across sessions (STORE SEEN flag)

- w - write (STORE flags other than SEEN and DELETED)

- i - insert (perform APPEND, COPY into mailbox)

- p - post (send mail to submission address for mailbox, not enforced by IMAP4 itself)

- c - create (CREATE new sub-mailboxes in any implementation-defined hierarchy)

- d - delete (STORE DELETED flag, perform EXPUNGE)


- a - administer (perform SETACL)

The web mail permissions correspond to the preceding as follows. The owner of the mail folder by default has all the rights (lrswipcda). Granting someone Read Only permissions gives that person the rights lrs. Read and Write permissions corresponds to lrswid; Read, Write, and Manage corresponds to lrswicda. TABLE 8-1 lists the mapping.

If you are sharing a folder other than the Inbox, you will see an additional check box, Enable direct delivery of email to folder, at the top of the permissions screen (FIGURE 8-3). When checked, this enables the post (p) privilege by anyone, so that mail addressed to username+folder@host.domain is delivered directly into this folder.

TABLE 8-1 Web Mail Permission and RFC2086 Rights

Web Mail                        RFC2086
Owner gets these by default     lrswipcda
Read Only                       lrs
Read and Write                  lrswid
Read, Write, and Manage         lrswicda


FIGURE 8-3 Sharing a Folder Oth er Than the Inbox

Limitations

You can only share a folder with another user who is on the same mailstore as you are.

Setup Procedures

This section contains the following setup procedures:

- Letting Your Administrator Read Your Inbox

- Sharing Folders in IMAP Clients

- Sharing a Folder in Mulberry

- Sharing a Folder in Netscape Messenger

- Using Outlook Express

Letting Your Administrator Read Your Inbox

Using web mail is pretty simple. We are assuming you (portia) and your administrator (misha) are on the same mailstore.

1. Set the permission on your inbox to Read by your administrator.


Note – The following steps are done as the administrator (misha). Ask your administrator to subscribe to your folder.

2. Click the Subscribe button, then fill in the name. In this case, enter portia, who is sharing the folder with misha.


3. Click the Search button next to the name to find the right user and select the correct user.

You will be back on this screen where you will see the list of folders being shared.

4. Click the Subscribe button to subscribe.

You should see the newly shared folder showing up in your list. If it does not, click Update to refresh the list.


5. Double-click portia's inbox.

You see it as follows:


Sharing Folders in IMAP Clients

Several IMAP clients allow you to share a folder with others, and allow you to view shared folders. Some examples include: Mulberry (www.cyrus.com), Netscape (4.7x shown here, but later versions also work), Mozilla, and Outlook Express. However, not all mail clients support this feature. Eudora 5.1 has its own version of shared folders.

Sharing a Folder in Mulberry

1. To share one of your folders, right-click on the folder you want to share.

2. Select Properties to bring up the following window to edit the mailbox properties.


3. Click the Access Control List tab.

4. Click the New User button and type in the login identifier of the user who will be sharing your folder. In this case, that is misha, the administrator.

5. Select the appropriate check boxes for the access privileges you are granting.

The keys to the icons are shown on the same screen. (Note they are in the same order as described in RFC2086.)

When you first log in, you can tell Mulberry to show you the shared folders found on the server by selecting the Shared Folders/User/mailboxes on the left side of the following window.


Now you will automatically see other people's shared folders.


Sharing a Folder in Netscape Messenger

To share your folder with someone using Netscape Messenger:

1. Right-click on the folder to be shared to bring up the pop-up menu.

2. Select Privileges.

Note – The little people icon on the folder shows that the folder is shared.


3. If Privileges is grayed out, click on Folder Properties directly below it to bring up the Folder Properties window, then click on the Sharing tab and Privileges.


This brings up a separate Netscape browser window that asks you to log in to the administration server.

4. Use the same user name and password as for your mail account.

This window may not work well prior to Messenger Server version 5.2.


5. After logging in, you will be shown a browser window where you can set the permissions for the folder.


a. Type in the user ID of the person who will share your folder. In this case type misha, and click the Add button.

Misha is shown as a user in the middle of the screen.

b. Use the pull-down menu to select the permission you are granting.

c. Click OK to close the window when you are done.

Now the administrator, misha, can log in using Netscape Messenger. Misha will see the following:


Using Outlook Express

With Outlook Express (2002), you can view folders others opted to share with you automatically if you have subscribed to them. However, there is no mechanism in Outlook Express to make a folder shareable, nor to subscribe to a shared folder. So you can either have the administrator subscribe to the folders using some other program, or the administrator can perform the following procedure.

Assuming you have made your folder readable by your administrator by using some other means, your administrator can set up an Outlook Express mail account as follows:

1. Right-click on the mail server in question and select IMAP folders to display the dialog box.


2. Uncheck the box that determines whether only subscribed folders are seen, and click OK to close the window.

3. Exit Outlook Express and restart it to see the shared folders.

Now your administrator should see something like the following screen. Note that the Shared Folders hierarchy shows up in the middle of the folders list in alphabetical order.


This section of the book describes how to share a folder from an end user's point of view. It does not describe how to use the commands in RFC2086 directly. If you want to type the commands using Telnet, or are writing a program to do this, you should read the RFC2086 in its entirety. However, a very short dialog would look like this:

telnet hostname 143
a login username password
b getacl inbox                  to see the acl on the inbox
c setacl inbox misha lrs        to give misha “lrs” priv to my inbox
d deleteacl inbox misha         to remove the acl set for misha on my inbox
z logout                        to log out when you are done
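As an added example covering the RFC2086 rights list and TABLE 8-1, the subfolder inheritance note, the user+folder direct-delivery address, and the getacl/setacl/deleteacl dialog just shown, here is a small in-memory model of mailbox ACLs in Python. It is not the Messaging Server's code and does not speak IMAP; it replays the ACL semantics so the effect of each command can be checked offline. The mailbox naming convention user/name/folder, the users portia, misha and steve, and the abcd.com domain are constructed for the example, and two simplifications are this model's own choices: GETACL is gated on the administer (a) right like SETACL, and a user's effective rights are the union of their own entry and the anyone entry.

```python
"""Added example (not the Messaging Server's code): an in-memory model of
RFC 2086 mailbox ACLs as this chapter uses them. Mailbox names and users are
constructed; GETACL requiring the 'a' right and the union with 'anyone' are
this model's own simplifications."""
import re

ALL_RIGHTS = "lrswipcda"                       # RFC 2086 standard rights
WEBMAIL_LEVELS = {                             # TABLE 8-1
    "Read Only": "lrs",
    "Read and Write": "lrswid",
    "Read, Write, and Manage": "lrswicda",
}


def normalize(rights):
    """Validate a rights string and return it in canonical lrswipcda order."""
    bad = set(rights) - set(ALL_RIGHTS)
    if bad:
        raise ValueError(f"unknown rights: {sorted(bad)}")
    return "".join(r for r in ALL_RIGHTS if r in rights)


class MailStore:
    """ACLs for one mailstore: mailbox -> {identifier: rights}."""

    def __init__(self):
        self.acl = {}

    def create(self, owner, mailbox, parent=None):
        """The owner gets all rights; a subfolder copies its parent's ACL at
        creation time and is not affected by later changes to the parent."""
        if parent is None:
            self.acl[mailbox] = {owner: ALL_RIGHTS}
        else:
            self.acl[mailbox] = dict(self.acl[parent])

    def rights_of(self, user, mailbox):
        entries = self.acl[mailbox]
        return normalize(entries.get(user, "") + entries.get("anyone", ""))

    def can(self, user, mailbox, right):
        return right in self.rights_of(user, mailbox)

    def getacl(self, actor, mailbox):
        self._require(actor, mailbox, "a")
        return dict(self.acl[mailbox])

    def setacl(self, actor, mailbox, identifier, rights):
        """RFC 2086 SETACL: 'lrs' replaces, '+w' adds, '-d' removes rights."""
        self._require(actor, mailbox, "a")
        entries = self.acl[mailbox]
        current = entries.get(identifier, "")
        if rights.startswith("+"):
            new = current + rights[1:]
        elif rights.startswith("-"):
            new = "".join(r for r in current if r not in rights[1:])
        else:
            new = rights
        entries[identifier] = normalize(new)

    def deleteacl(self, actor, mailbox, identifier):
        self._require(actor, mailbox, "a")
        self.acl[mailbox].pop(identifier, None)

    def _require(self, actor, mailbox, right):
        if not self.can(actor, mailbox, right):
            raise PermissionError(f"{actor} lacks '{right}' on {mailbox}")


SUBADDRESS_RE = re.compile(r"^([^+@]+)\+([^@]+)@([^@]+)$")


def parse_subaddress(address):
    """Split user+folder@domain into (user, folder, domain); None otherwise."""
    m = SUBADDRESS_RE.match(address)
    return m.groups() if m else None


def direct_delivery_target(store, address):
    """Mailbox that user+folder@domain may be delivered into, or None.

    Delivery needs the post (p) right for 'anyone', which is what the
    'Enable direct delivery of email to folder' check box grants.
    """
    parsed = parse_subaddress(address)
    if parsed is None:
        return None
    user, folder, _domain = parsed
    mailbox = f"user/{user}/{folder}"          # constructed naming convention
    if mailbox in store.acl and store.can("anyone", mailbox, "p"):
        return mailbox
    return None


if __name__ == "__main__":
    store = MailStore()
    store.create("portia", "user/portia/INBOX")
    store.setacl("portia", "user/portia/INBOX", "misha", WEBMAIL_LEVELS["Read Only"])
    print(store.getacl("portia", "user/portia/INBOX"))
    store.deleteacl("portia", "user/portia/INBOX", "misha")
    print(store.getacl("portia", "user/portia/INBOX"))
```

The sequence in the main block mirrors the dialog above: portia grants misha lrs on her inbox, reads the ACL back, and removes it again. The model also shows why a subfolder created while a share is in place keeps that share after the parent's ACL is changed, and why mail to steve+math101@abcd.com is only delivered once anyone holds the p right on that folder.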


CHAPTER 9

Customization

Customers typically make several customizations right after getting the basic Messaging Server (Directory Server, Web Server, Delegated Administration, email, and perhaps even Calendar Server) installed. The most common of these include


changing the “look and feel” of the web mail (iPlanet Messenger Express) interface and providing a single sign on (SSO) between the web mail, web-based calendar, and Delegated Administration interfaces. Some of the other common customizations that are done almost immediately include defining the welcome message for new accounts along with the over quota message for people about to go or already over quota. Some customers would also like to customize some of the return errors that the message system sends back to users.

The complete customization of the look and feel for Messenger Express is available in the manual (see http://docs.sun.com/source/816-6010-10/index.html for the iPlanet Messenger Express 5.2 Customization Guide). Most customers want to perform some very simple customizations for the look and feel of the Messenger Express:

- Changing and Adding a Logo

- Customizing the Login Screen

- Changing the Main Web Mail Screen Banner

- Removing and Adding Options on the Options Tab

- Single Sign On

- Setting the Initial Welcome Email

- Over-Quota Limits and Warning Email

- Customizing Return Errors

For additional details related to these changes, refer to the iPlanet Messenger Express 5.2 Customization Guide.

Changing and Adding a Logo

Most of the Sun ONE Messaging Express look and feel is controlled through HTML and JavaScript (also known as ECMAScript), which is located in the following directory:

/msg-Home/msg-Instance/html

where msg-Home is the directory where the messaging software was installed, and Instance is the name of the messaging instance (install), often the hostname (short hostname).

A quick look at the directory will tell you why the iPlanet Messenger Express 5.2 Customization Guide is necessary and a good thing.

The first thing to note is the two-letter directories such as “en” or “de.” These are language-specific directories, so “en” is English while “de” is German. The Messaging Server's Messenger Express interface is fully internationalized, supporting 20 or more different languages. Depending upon the customizations made and your audience, each of these locales, as they are called, will have to have the same customizations performed to them. This book only describes the main directory and the English (en) locale:

root@sparc5-1:/A1000/demo6789/ims52/msg-sparc5-1/html> ls
applet_fs.html* en/ lookup.js* searchmsg_fs.html* spelltools.html*
ar/ es/ lower2.html* searchusers.js* spellword.html*
attach_fs.html* fldr_fs.html* main.js setpermission_fs.html* srchresults_fs.html*
collect_fs.html* form.js* main.orig* sk/ subscribe_fs.html*
colors.html* fr/ master-style.css* sl/ th/
comp_fs.html* frame.html* mbox_fs.html* spell.html* tr/
compRecipient.js* he/ msg_fs.html* spell.js* upper.html*
cs/ hr/ opts_fs.html* spell2.html* util.js*
de/ hu/ pab.js* spell2.js* zh-CN/
editPabEntry.js* imx/ pl/ spellchange.html* zh-TW/
editPabGroup.js* ja/ receipt_fs.html* spellresults.html*
el/ ko/ ro/ spellSend.html*
emoticons.html* ldap_fs.html* sample.html* spellsuggestions.html*

root@sparc5-1:/A1000/demo6789/ims52/msg-sparc5-1/html/en> ls
compRecipient_fs.html* help.htm* iplanet.jpg* messageView.html* searchusers_fs.html*
default.html* help2.htm* ix.htm* pab_fs.html* topics.htm*
editPabEntry_fs.html* helpix.htm* lookup_fs.html* searchMessage.html*
editPabGroup_fs.html* i18n.js* mail.html* searchOnly.html*

The customization guide provides solid information, but it often takes a very thorough and complete approach. This section provides a more practical and quick view of the changes, for several reasons:

1. I generally do not like to do more work than necessary.

2. Many of the changes in the customization guide require not only edits of the graphic files, but also of the HTML and JavaScript.

3. Every time a patch or update to the Messaging Server software is applied, your customizations must be redone because the update carries new HTML or JavaScript files for the Messenger Express. The method outlined here tends to survive better or at least is easier to apply after an update.


4. Size matters. Copying and editing the original graphics (gifs), rather than creating them from scratch or using something different, avoids issues where dimensions are hard-coded in the HTML or JavaScript, which avoids having to change these dimensions.

The downside to this approach is that the ALT tag fields do not get changed. However, these are fairly easy edits that even the most basic HTML coders can perform.

Only three optional graphics and one HTML file or one JavaScript file must be changed or customized. It is important that good change practices are followed, for example, keeping backups of the original files (versioning). While something like CVS is not quite necessary, if you are familiar with it and are using it for other programming projects, why not?

Graphics files that should be customized:

- /msg-Home/msg-Instance/html/imx/iplanet_logo.gif

- /msg-Home/msg-Instance/html/imx/WebMail_splash.gif

- /msg-Home/msg-Instance/html/imx/iplanetBanner.gif

Additional graphic files for the login page (the abstract graphic in the middle of the page):

- /msg-Home/msg-Instance/html/imx/left_strip_consumer_1.gif

- /msg-Home/msg-Instance/html/imx/center_strip_consumer_1.gif

- /msg-Home/msg-Instance/html/imx/right_strip_consumer_1.gif

HTML or JavaScript files that must be customized:

- /msg-Home/msg-Instance/html/en/default.html

- /msg-Home/msg-Instance/html/en/i18n.js

where msg-Home is the directory where the Messaging Server software was installed, and Instance is the name of the messaging instance (install), often the hostname (short host name).

Customizing the Login Screen

1. Make backup copies of the original files you are going to edit:

# cd /msg-Home/msg-Instance/html/imx/
# cp iplanet_logo.gif iplanet_logo.gif.orig
# cp WebMail_splash.gif WebMail_splash.gif.orig
# cp iplanetBanner.gif iplanetBanner.gif.orig
# cp left_strip_consumer_1.gif left_strip_consumer_1.gif.orig
# cp center_strip_consumer_1.gif center_strip_consumer_1.gif.orig
# cp right_strip_consumer_1.gif right_strip_consumer_1.gif.orig


# cd ../en
# cp default.html default.html.orig
# cp i18n.js i18n.js.orig

2. Edit the three main graphics files using your favorite editor, such as GIMP.

Be careful to note that some of these files have transparent backgrounds, while others do not. You can easily transfer these files to your desktop by using ftp.

a. The iplanet_logo.gif is an image 96 pixels wide x 66 pixels high on a white (255,255,255 RGB) background.

b. The WebMail_splash.gif is an image of 450 pixels wide x 50 pixels high on a white (255,255,255 RGB) background.

c. The iplanetBanner.gif is an image of 273 pixels wide x 27 pixels high on a transparent background.

For consistency, you could have all of your new graphics on transparent backgrounds.

Now that the files are edited, you can change some of the text; you can also edit this manually.

3. Stop the Messaging Server before you make any changes.

You do not have to do this, but it is generally a good idea. You must restart the services (server) to recognize the changes.

# cd /msg-Home/msg-Instance
# ./stop-msg

4. Copy the default.html file to a scratch file:

# cd /msg-Home/msg-Instance/html/en
# cp default.html default.tmp
# cp i18n.js i18n.tmp

5. Using either an editor or a program like sed, change the occurrences of iPlanet to your organization. For example, the code for Acme University would be:

# sed -e "s|www.iplanet.com|www.it.acme.edu|g" \
      -e "s|iPlanet e-commerce solutions|Acme University IT Group|g" \
      -e "s|iplanet.com|www.it.acme.edu|g" \
      -e "s|iPlanet Messenger Express|Acme University Web eMail Service|g" \
      -e "s|iPlanet Messaging Server|Acme University Web eMail Service|g" \
      < default.tmp > default.html
# sed -e "s|iPlanet Messenger Express|Acme University Webmail|g" \
      -e "s|Messenger Express|Webmail|g" < i18n.tmp > i18n.js


You changed a couple of URLs that refer to either www.iplanet.com or iplanet.com to the IT department's web site at Acme University. You also changed the title bar, the graphic ALT tag, and the main screen.

Note – The copyright notice must be changed manually.

6. Restart the Messaging Server:

# cd /msg-Home/msg-Instance
# ./start-msg

Changing the Main Web Mail Screen Banner

One often-requested item is an additional space on the main web mail screen, the screen you get once you have successfully logged in. Customers use this space to introduce their logos, banners, colors, and so forth. An easy way to include such information is to extend the basic frame set by adding an additional frame on top of the existing web mail frame.

A good example of this might be a partly transparent graphic that could be used in conjunction with coloring the frame's background in Acme University's school colors. Navigation buttons can be added too.

To add an extra frame, edit the mail.html file that contains the main layout of the web mail interface. This must be done in all versions of lang/mail.html. For the example, stick with the ‘en’ locale.

The mail.html is a very small file that plays a critical role because it controls the entire web mail interface.

1. Stop the Message Server before you make any changes.

You do not have to do this, but it is generally a good idea. You must restart the services (server) for the system to recognize the changes.

# cd /msg-Home/msg-Instance
# ./stop-msg

2. Back up the mail.html file:

Page 154: BP SunONE Messaging Server

5/17/2018 BP SunONE Messaging Server - slidepdf.com

http://slidepdf.com/reader/full/bp-sunone-messaging-server 154/284

128 Customization

3. Edit the mail.html file wi th your favorite editor, such as vi:

These are the lines that a re of interest:

# cd /msg-Home/msg- Instance/html/en# cp mail.html mail.html.orig

# vi mail.html

'<frameset border="0" frameborder="no" rows="0,*,0" onLoad="start()" onUnload="end()" onResize"change()">'+

'<frameset border="0" frameborder="no" cols="*,*,*,*,*">'+'<frame name="cfgFrame" noresize scrolling="no" src="../frame.html?' + main.clientargs + '">'+

'<frame name="mboxFrame" noresize scrolling="no" src= "../frame.html?' + main.clientargs + '">'+

'<frame name="cmdFrame" noresize scrolling="no" src="../frame.html?' + main.clientargs + '">'+'<frame name="msgFrame" noresize scrolling="no" src="../frame.html?' + main.clientargs + '">'+

'<frame name="pabFrame" noresize scrolling="no" src="../frame.html?' + main.clientargs + '">'+'</frameset>'+

'<frame name="mailFrame" marginwidth="0" marginheight="0" noresize src="../frame.html?' +

main.clientargs + '">'+'<frame name="appletFrame" marginwidth="0" marginheight="0" noresize src="../frame.html?' +

main.clientargs + '">'+'</frameset>'

To add an additional frame at the top of the page, add the following line orsomething similar:

where !-- frame_name -- is the name you w ant to add to the frame and !-- html source-- is the HTML file you w ant th is fram e to includ e. So if you w ant to call the newframe “AcmeFrame” an d its sou rce is in the sam e directory but called acme.html,the additional line would look like:

This cod e is inserted right after the initial frame is d efined , so the edited port ion of the file looks like:

'frame name="!--  frame_name --" marginwidth="0" marginheight="0" noresize src="!-- html source --">'+

'<frame name="acmeFrame" marginwidth="0" marginheight="0" noresize src="../acme.html">'+

Page 155: BP SunONE Messaging Server

5/17/2018 BP SunONE Messaging Server - slidepdf.com

http://slidepdf.com/reader/full/bp-sunone-messaging-server 155/284

Changing and Adding a Logo 129

Note that you mu st mod ify the “rows” value on the initial frame so that you canactually see the top frame. A nom inal value sh ould w ork, though som e testing todetermine the best value is warranted.

Once you have your changes saved and your n ew frame content “acme.html”completed, you can restart the messaging server:

'<frameset border="0" frameborder="no" rows="20,*,0" onLoad="start()" onUnload="end()"

onResize="change()">'+'<frame name="acmeFrame" marginwidth="0" marginheight="0" noresize src="./acme.html">'+

'<frameset border="0" frameborder="no" cols="*,*,*,*,*">'+'<frame name="cfgFrame" noresize scrolling="no" src="../frame.html?' + main.clientargs + '">'+

'<frame name="mboxFrame" noresize scrolling="no" src="../frame.html?' + main.clientargs + '">'+

'<frame name="cmdFrame" noresize scrolling="no" src="../frame.html?' + main.clientargs + '">'+'<frame name="msgFrame" noresize scrolling="no" src="../frame.html?' + main.clientargs + '">'+

'<frame name="pabFrame" noresize scrolling="no" src="../frame.html?' + main.clientargs + '">'+'</frameset>'+

'<frame name="mailFrame" marginwidth="0" marginheight="0" noresize src="../frame.html?' +main.clientargs + '">'+

'<frame name="appletFrame" marginwidth="0" marginheight="0" noresize src="../frame.html?' +

main.clientargs + '">'+'</frameset>'

# cd /msg-Home/msg- Instance

# ./start-msg

Caution – Often there are problems w ith loading p ages (for examp le, blank screenonce logged in) and other errors due to incorrect ownership and file permissions.Make sure the “ow ner” an d “g roup ” for the files you just mod ified or created are thesame as the other files in th e / msg-Home/ msg- Instance / htm l an d ot her d irector ies(for exam p le, chown iplanet:email mail.html). The perm issions shou ld be setto 750 by using the chmod comm and (for example, chmod 750 mail.html).

Tip – A good d iagnostic is to turn off caching in you r brow ser so you alwa ys receivethe latest changes from the serv er. Logging ou t of the web interface and back inagain works som etimes. Stopp ing and restarting the m essaging server w orkssometimes too.

Note – The HTTP engine that is bund led as par t of the Messaging Server is not afull-fledged web serv er. So som e of the adv anced H TML and JavaScript server side

Page 156: BP SunONE Messaging Server

5/17/2018 BP SunONE Messaging Server - slidepdf.com

http://slidepdf.com/reader/full/bp-sunone-messaging-server 156/284

130 Customization

g pdirectives are not supported or can lead to strange results. When in doubt, keep itsimple—things that work with the older browsers such as Netscape 4.78 tend towor k just fine.

Removing and Adding Options on the Options Tab

Removing and adding options on the Options Tab and the ability to change the URL for the password change function are very closely related. Why is the ability to add or remove options important? Occasionally, institutions do not want users to change their personal information in the system directory; there may be a business or official process in the HR department or Registrar’s Office to accomplish this so that the information gets updated everywhere. Ideally, applications and other software would rely upon the directory. However, that is not always the case.

Removing Options

Removing (commenting out) the existing options is the easiest of all the changes to make. To remove options from the Options Tab, find the function toggleFrameHTML (starts around line 150) in the opts_fs.html file, which is in:

/msg-Home/msg-Instance/html/

where msg-Home is the directory where the messaging software was installed, and Instance is the name of the messaging instance (install), often the hostname (short hostname).

Comment out the getToggle() statement for each of the following options shown—the comment characters (//) start each line of the code that is to be commented out, for example:

// comment ** Copyright 2003 Sun Microsystems, Inc.

The removable options within the JavaScript code that can be commented out include:

Account Summary:

getToggle(main.i18n['account summary'], 'summary',
'javascript:parent.toggle(\'summary\')') +

Personal Information:

getToggle(main.i18n['personal'], 'personal',
'javascript:parent.toggle(\'personal\')') +

Change Password:

getToggle(main.i18n['password'], 'password',
'javascript:parent.toggle(\'password\')') +

Settings:

getToggle(main.i18n['settings'], 'settings',
'javascript:parent.toggle(\'settings\')') +

Appearance:

getToggle(main.i18n['appearance'], 'appearance',
'javascript:parent.toggle(\'appearance\')') +

Vacation Message:

getToggle(main.i18n['vacation'], 'vacation',
'javascript:parent.toggle(\'vacation\')') +

For example, to comment out the ability to change personal information:

1. Stop the Messaging Server before you make any changes.

You do not have to do this, but it is generally a good idea. You must restart the services (server) to recognize the changes.

# cd /msg-Home/msg-Instance
# ./stop-msg

2. Back up the opts_fs.html file:

# cd /msg-Home/msg-Instance/html
# cp opts_fs.html opts_fs.html.orig

3. Edit the opts_fs.html file with your favorite editor, such as vi:

# vi opts_fs.html

The lines of interest are:

getToggle(main.i18n['personal'], 'personal',
'javascript:parent.toggle(\'personal\')') +

Which will change to:

// commented out 01/09/03 by dbp
//
// getToggle(main.i18n['personal'], 'personal',
// 'javascript:parent.toggle(\'personal\')') +
//

Note – You do not have to go into a language directory such as “en” to change the options page. That is because this page is fully internationalized and uses variables that are set when a person logs in. So the actual text of Personal Information is not set within this JavaScript or HTML;  it is set to whatever language you have configured for the default or a particular user. This also means you do not have to modify this page over and over again for each language that you use.

Once you have saved your updated opts_fs.html, you can restart the messaging server:

# cd /msg-Home/msg-Instance
# ./start-msg

Adding Options

Now that you have successfully removed (commented out) an option from the Options Tab, the next customization that many customers like to do is to add an option. Unfortunately it is not quite as easy as commenting out a few lines, but it is not difficult either.

1. Stop the Messaging Server:

# cd /msg-Home/msg-Instance
# ./stop-msg

2. Back up the opts_fs.html file. You must be careful as you have already made some changes:

# cd /msg-Home/msg-Instance/html
# cp opts_fs.html opts_fs.html.orig

This is where good change control management and using something like CVS pays off and really adds value.

3. Edit the opts_fs.html file with your favorite editor, such as vi:

# vi opts_fs.html

a. Concentrate on two areas: the toggleFrameHTML function around line 150 and adding a custom action to be triggered by the toggleFrameHTML.

Here is the toggleFrameHTML function after the previous edit:

function toggleFrameHTML() {
return main.getBody(main.chrome2, true, main.black, main.link0,
main.link1, main.chrome2) +
'<center>\n<table border=0 cellspacing=7 cellpadding=0 width=100%>\n' +
getToggle(main.i18n['account summary'], 'summary',
'javascript:parent.toggle(\'summary\')') +
// getToggle(main.i18n['personal'], 'personal',
// 'javascript:parent.toggle(\'personal\')') +
getToggle(main.i18n['password'], 'password',
'javascript:parent.toggle(\'password\')') +
(main.cfgFrame.mbox.length == 0 ? '' :
getToggle(main.i18n['settings'], 'settings',
'javascript:parent.toggle(\'settings\')')) +
getToggle(main.i18n['appearance'], 'appearance',
'javascript:parent.toggle(\'appearance\')') +
getToggle(main.i18n['vacation'], 'vacation',
'javascript:parent.toggle(\'vacation\')') +
getToggle(main.i18n['NDA'], 'NDA',
'javascript:parent.toggle(\'NDA\')') +
'</table>\n</center>\n'
}

b. Add an option called Yahoo.

This option opens up a separate browser window by using JavaScript with the URL http://www.yahoo.com:

function toggleFrameHTML() {
return main.getBody(main.chrome2, true, main.black, main.link0,
main.link1, main.chrome2) +
'<center>\n<table border=0 cellspacing=7 cellpadding=0 width=100%>\n' +
getToggle(main.i18n['account summary'], 'summary',
'javascript:parent.toggle(\'summary\')') +
// getToggle(main.i18n['personal'], 'personal',
// 'javascript:parent.toggle(\'personal\')') +
getToggle(main.i18n['password'], 'password',
'javascript:parent.toggle(\'password\')') +
(main.cfgFrame.mbox.length == 0 ? '' :
getToggle(main.i18n['settings'], 'settings',
'javascript:parent.toggle(\'settings\')')) +
getToggle(main.i18n['appearance'], 'appearance',
'javascript:parent.toggle(\'appearance\')') +
getToggle(main.i18n['vacation'], 'vacation',
'javascript:parent.toggle(\'vacation\')') +
// added the following option
getToggle('Yahoo!', 'yahoo',
'javascript:parent.toggle(\'yahoo\')') +
//
getToggle(main.i18n['NDA'], 'NDA',
'javascript:parent.toggle(\'NDA\')') +
'</table>\n</center>\n'
}

You could have just as easily done this to point to the main institution web page or even a change password application (more on that later).

Note the three fields:

1. The label of the option as it appears—“Yahoo!”

2. The name of the option for tracking—“yahoo”

3. Action to take when clicked—javascript:parent.toggle(\'yahoo\'), which is normally passed to the following function which eventually runs the yahooHTML() function within opts_fs.html.

c. Modify the listFrameHTML() function to trigger the choice:

function listFrameHTML() {
var s = main.getBody(main.white, true, main.black, main.link0,
main.link1, main.link2, 6, 8)
if (main.option_page == 'appearance') {
s += appearanceHTML()
} else if (main.option_page == 'password') {
s += passwordHTML()
} else if (main.option_page == 'personal') {
s += personalHTML()
} else if (main.option_page == 'settings') {
s += settingsHTML()
} else if (main.option_page == 'summary') {
s += summaryHTML()
} else if (main.option_page == 'vacation') {
s += vacationHTML()
//
} else if (main.option_page == 'yahoo') {
s += yahooHTML()
//
} else if (main.option_page == 'NDA') {
s = ndaHTML()
}
return s
}

d. Build a yahooHTML() function. The easiest way is to copy the ndaHTML() function and modify it:

function ndaHTML() {
return '<HTML><HEAD></HEAD><BODY ONLOAD=\"location.href = \'' +
main.NDAStartPage + '\'\"></BODY></HTML>'
}

This function becomes:

// added for yahoo by dbp
function yahooHTML() {
return '<HTML><HEAD></HEAD><BODY ONLOAD=\"location.href = \'http:\/\/www.yahoo.com\'\"></BODY></HTML>'
}

Note the use of the backslash (\) character, which allows an escape so that JavaScript does not think the // part of http://www.yahoo.com is a comment, as well as the backslashes (\) preceding the straight quotes (' and "). You could have just as easily made this any URL or web application.

This function will pull the web page into the existing frame if possible—for example, it will do this if the port or protocol changes, such as https instead of http. To get the web page in a separate window, you must use the JavaScript window.open command.

For a pop-up window:

// added to do popup window by dbp
function yahooHTML() {
return '<HTML><HEAD></HEAD><BODY ONLOAD=\"window.open(\'http:\/\/www.yahoo.com\', \'test\', \'scrollbars=yes,menubar=yes,toolbar=yes,status=yes\')\"></BODY></HTML>'
}

After you save your updated opts_fs.html, you can restart the messaging server and check your changes.

As you can see, modifying these options is fairly easy. The last customization is to change how the change password functionality works—so rather than put up a page to change the password, you can call an external application.

The easiest way to do this is to comment out (//) the existing passwordHTML() function:

// function passwordHTML() {
// return '<form name="form">' +
// '<table border=0 cellpadding=3 cellspacing=0>' +
// '\n<tr>\n<td colspan=2>' +
// main.font(3) + '<b>' + i18n['password'] +
// '</b></font>' +
// '<br>' + main.font() + i18n['passwd exp'] +
// '</td>\n</tr>' +
// '\n<tr>\n<td colspan=2>' +
// '<table border=0 cellpadding=0 cellspacing=0 width=100% ' +
// main.cellBgString + '><tr><td>' +
// '<img src="imx/spacer.gif" width=1 height=2>' +
// '</td></tr></table>' +
// '</td>\n</tr>' +
// '\n<tr>\n<td' + main.base_line + ' width=1% nowrap>' +
// main.font() + i18n['passwd old'] + nbsp +
// '</td>\n<td>' +
// '<input type="password" name="old">' +
// '</td>\n</tr>' +
// '\n<tr>\n<td' + main.base_line + ' width=1% nowrap>' +
// main.font() + i18n['passwd new'] + nbsp +
// '</td>\n<td>' +
// '<input type="password" name="newpass">' +
// '</td>\n</tr>' +
// '\n<tr>\n<td' + main.base_line + ' width=1% nowrap>' +
// main.font() + i18n['passwd confirm'] + nbsp +
// '</td>\n<td>' +
// '<input type="password" name="confirm"> ' +
// '</td>\n</tr>' +
// '\n<tr>\n<td colspan=2>' + nbsp +
// '</td></tr>' +
// '<tr align=center width=100%><td colspan=2>' +
// '<table border=0 cellpadding=4 cellspacing=0><tr>' +
// main.button(i18n['passwd submit'], 'parent.validate()') +
// main.button(i18n['clear'], 'parent.clear()') + '</tr></table>' +
// '</td></tr>' +
// '</td>\n</tr>' +
// '</table></form>'
// }

Substitute your own passwordHTML() function:

// added to call external password update-change webpage
function passwordHTML() {
return '<HTML><HEAD></HEAD><BODY ONLOAD=\"window.open(\'http:\/\/changepwd.acme.edu\', \'chgpwd\', \'scrollbars=yes\')\"></BODY></HTML>'
}
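As an added example (not the book's code and not part of Messenger Express), the following helper produces the same one-line pages that yahooHTML() and the replacement passwordHTML() above return, but escapes the URL, window name and feature string in code and accepts only http and https URLs, so a value taken from a configuration file or a directory attribute cannot turn the ONLOAD handler into something else (a javascript: URL, for instance). It also replaces the growing if/else chain in listFrameHTML() with a lookup table in which an unknown option name yields an empty page. The function names, ALLOWED_SCHEMES and OPTION_PAGES are this example's own. One detail differs from the book's note: inside a JavaScript string literal the // of http:// is not a comment, so the slashes are left as they are.

```javascript
// Added example, not from the book or from Messenger Express: builds the
// "redirect" and "pop-up" pages returned by custom option handlers, with
// the URL checked and every dynamic value escaped for the context it lands in.
'use strict';

const ALLOWED_SCHEMES = ['http:', 'https:'];

// Escape for a single-quoted JavaScript string literal. Angle brackets are
// escaped as well, so a URL containing "</script>" or "<body" cannot close
// the element the literal is embedded in.
function jsStringEscape(s) {
  return String(s)
    .replace(/\\/g, '\\\\')
    .replace(/'/g, "\\'")
    .replace(/</g, '\\x3c')
    .replace(/>/g, '\\x3e')
    .replace(/\r/g, '\\r')
    .replace(/\n/g, '\\n');
}

// Escape for a double-quoted HTML attribute value (the ONLOAD handler).
function htmlAttrEscape(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Accept only absolute http(s) URLs; javascript:, data: and malformed
// values throw, so they never reach the generated handler.
function checkExternalUrl(url) {
  let parsed;
  try {
    parsed = new URL(String(url));
  } catch (e) {
    throw new Error('malformed URL: ' + url);
  }
  if (!ALLOWED_SCHEMES.includes(parsed.protocol)) {
    throw new Error('URL scheme not allowed: ' + parsed.protocol);
  }
  return parsed.href;
}

function onloadPage(js) {
  return '<HTML><HEAD></HEAD><BODY ONLOAD="' + htmlAttrEscape(js) + '"></BODY></HTML>';
}

// Same effect as the book's first yahooHTML(): load url into the current frame.
function redirectPageHTML(url) {
  return onloadPage("location.href = '" + jsStringEscape(checkExternalUrl(url)) + "'");
}

// Same effect as the pop-up yahooHTML() and the external passwordHTML().
function popupPageHTML(url, windowName, features) {
  return onloadPage(
    "window.open('" + jsStringEscape(checkExternalUrl(url)) + "', '" +
    jsStringEscape(windowName) + "', '" + jsStringEscape(features) + "')");
}

// A lookup table in place of the if/else chain in listFrameHTML(); an
// unknown option name gives an empty page rather than falling through.
// The two entries mirror the book's yahoo and change-password handlers.
const OPTION_PAGES = {
  yahoo: () => popupPageHTML('http://www.yahoo.com', 'test',
    'scrollbars=yes,menubar=yes,toolbar=yes,status=yes'),
  password: () => popupPageHTML('http://changepwd.acme.edu', 'chgpwd', 'scrollbars=yes'),
};

function optionPageHTML(name) {
  // hasOwnProperty: names such as "constructor" must not resolve to Object methods.
  if (!Object.prototype.hasOwnProperty.call(OPTION_PAGES, name)) return '';
  return OPTION_PAGES[name]();
}
```

The attribute escaping turns an & in a query string into &amp;, which the browser decodes before running the handler, so the URL that window.open receives is the one that passed the check.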


Beyond the basic modifications of the Options menu, customers also provide additional validation criteria for passwords (for example, not in dictionary, must contain special characters). This customization involves modifying the validate() function—perhaps calling a special JavaScript function that you want to use over and over (see main.js).

Single Sign On

One change that most customers make initially is to enable single sign on between the Messenger Express (web mail) and the Delegated Administrator function. The out-of-the-box functionality is that the Delegated Administrator link from the Options Tab in web mail pops up a separate window with the login box. Configuring the messaging server for SSO still pops up a separate window, but bypasses the login screen because the server knows who the user is and that the user has been properly authenticated. The SSO is achieved by using cookies and session IDs generated by the Messaging Server or other application such as Delegated Administrator or even the Calendar Server.

Enabling Single Sign On

The following steps are required when the Messaging Server is running:

1. Use the su command to go to mailsrv, where mailsrv is the UNIX or system user ID under which the Messaging Server is running.

Since you used “nobody” as the system user ID during the install:

# su - nobody

2. Change to the messaging instance for which you want to enable SSO, /msg-Home/msg-Instance/:

# cd /msg-Home/msg-Instance/

where msg-Home is the directory where the messaging software was installed, and Instance is the name of the messaging instance (install), often the hostname (short hostname).

3. Check the existing settings for web mail:

# ./configutil | grep webmail
local.webmail.da.host = sparc5-1.central.sun.com
local.webmail.da.port = 88
local.webmail.sso.enable = 0
local.webmail.sso.singlesignoff = 0

4. Enable SSO and single sign off.

Single sign off cancels the SSO so that when someone clicks the logout link on any SSO-enabled application, the user’s session ID and cookie go away.

# ./configutil -o local.webmail.sso.enable -v 1
OK SET

# ./configutil -o local.webmail.sso.singlesignoff -v 1
OK SET

5. Configure the SSO prefix or group.

The SSO prefix or group provides a way for multiple SSO groups to all reside on the same system; the prefix becomes part of the browser cookie.

The ssogrp1 is the default for the Delegated Administrator and other applications, so you can use that, but you could also use something like foobar; however, you would then have to change the default in the other Sun ONE products.

# ./configutil -o local.webmail.sso.prefix -v ssogrp1
OK SET

6. Configure the application ID.

The application ID identifies the web mail to other applications.

# ./configutil -o local.webmail.sso.id -v ims5
OK SET

7. Configure the domain of the cookie.

This domain must match the domain name used by the browser or client to access the web mail system—it must start with the period (.) and be a real domain, not a hosted or virtual domain.

# ./configutil -o local.webmail.sso.cookiedomain -v ".central.central.com"
OK SET

8. Configure the URL for verification of SSO for IDA.

The IDA is the application name, much like ims5.

# ./configutil -o local.sso.ida.verifyurl -v "http://sparc5-1.central.sun.com:88/VerifySSO?"
OK SET

9. Configure SSO for calendar (optional).

It will be called “ics50”—plus the port for calendar.

# ./configutil -o local.sso.ics50.verifyurl -v "http://sparc5-1.central.sun.com:81/VerifySSO?"
OK SET

10. Check the settings again:

# ./configutil | grep webmail
local.webmail.da.host = sparc5-1.central.sun.com
local.webmail.da.port = 88
local.webmail.sso.cookiedomain = .central.central.com
local.webmail.sso.enable = 1
local.webmail.sso.id = ims5
local.webmail.sso.prefix = ssogrp1
local.webmail.sso.singlesignoff = 1

# ./configutil | grep sso
local.sso.ics50.verifyurl = http://sparc5-1.central.sun.com:81/VerifySSO?
local.sso.ida.verifyurl = http://sparc5-1.central.sun.com:88/VerifySSO?
local.webmail.sso.cookiedomain = .central.central.com
local.webmail.sso.enable = 1
local.webmail.sso.id = ims5
local.webmail.sso.prefix = ssogrp1
local.webmail.sso.singlesignoff = 1

11. Restart the web mail Messaging Server as root:

# su -
# cd /msg-Home/msg-Instance/
# ./stop-msg http
# ./start-msg http

12. Add a proxy user to the directory so SSO can look up users:

# ldapadd -h sparc5-1.central.sun.com -D "cn=Directory Manager" -w eatbeef -v -f proxy.ldif
add objectclass:
        top
        person
        organizationalperson
        inetorgperson
add uid:
        proxy
add givenname:
        Proxy
add sn:
        Auth
add cn:
        Proxy Auth
add userpassword:
        proxypassword
adding new entry uid=proxy, ou=people, o=sparc5-1.central.sun.com, o=isp
modify complete

where sparc5-1.central.sun.com is the host on which the directory server is running;

where eatbeef is the directory manager password;

where proxy.ldif is a file with the following:

dn: uid=proxy, ou=people, o=sparc5-1.central.sun.com, o=isp
objectclass: top
objectclass: person
objectclass: organizationalperson
objectclass: inetorgperson
uid: proxy
givenname: Proxy
sn: Auth
cn: Proxy Auth
userpassword: proxypassword

where proxypassword is the password for this user.

13. Add the access control information (ACI) for the proxy auth user:

# ldapmodify -h sparc5-1.central.sun.com -D "cn=Directory Manager" -w eatbeef -v -f aci1.ldif
add aci:
        (target="ldap:///o=isp")(targetattr="*")(version 3.0; acl "proxy";allow (proxy) userdn="ldap:///uid=proxy, ou=people, o=sparc5-1.central.sun.com, o=isp";)
modifying entry o=isp
modify complete

where the file aci1.ldif contains the following:

dn: o=isp
changetype: modify
add: aci
aci: (target="ldap:///o=isp")(targetattr="*")(version 3.0; acl "proxy";allow (proxy) userdn="ldap:///uid=proxy, ou=people, o=sparc5-1.central.sun.com, o=isp";)

# ldapmodify -h sparc5-1.central.sun.com -D "cn=Directory Manager" -w eatbeef -v -f aci2.ldif
add aci:
        (target="ldap:///o=internet")(targetattr="*")(version 3.0; acl "Allow iDA User Proxy";allow (proxy) userdn="ldap:///uid=proxy, ou=people, o=sparc5-1.central.sun.com, o=isp";)
modifying entry o=internet
modify complete

where the file aci2.ldif contains the following:

dn: o=internet
changetype: modify
add: aci
aci: (target="ldap:///o=internet")(targetattr="*")(version 3.0; acl "proxy";allow (proxy) userdn="ldap:///uid=proxy, ou=people, o=sparc5-1.central.sun.com, o=isp";)

14. Go to the directory where the Delegated Administrator resource file is located:

# cd /ida-Home/nda/classes/netscape/nda/servlet

where ida-Home is the location where Delegated Administrator was installed; for the demo system it is:

# cd /A1000/demo6789/ida12/nda/classes/netscape/nda/servlet

15. Edit the resource.properties file as follows:

# cp resource.properties resource.properties.orig
# vi resource.properties

Several changes must be made in this file:

> #LDAPDatabaseInterface-ldapauthdn=

# diff resource.properties resource.properties.orig

514c514< NDAAuth-applicationId=ida

---

> NDAAuth-applicationId=nda45

526,528c526< verificationurl-ssogrp1-ida=http://sparc5-1.central.sun.com:88/VerifySSO?

< verificationurl-ssogrp1-ims5=http://sparc5-1.central.sun.com:80/VerifySSO?< verificationurl-ssogrp1-ics50=http://sparc5-1.central.sun.com:81/VerifySSO?


The first change is the name to which the Delegated Administrator is referred within the SSO context—from nda45 to the value you gave it by using the configutil command (see Step 8).

Next, you added verification URLs for each of the applications you would like SSO enabled—mail (ims5), calendar (ics50), and delegated administrator (ida), as you called them in Steps 6, 8, and 9. These must match!

Finally, you uncommented the ldapauthdn and ldapauthpw variables and used the user that you created in Step 12.

16. Change the properties for the web server.

You must make the change because the Delegated Administrator is really a web application.

---

> #verificationurl-ssogrp1-nda45=http://localhost:80/VerifySSO?

542,543c540,541< LDAPDatabaseInterface-ldapauthdn=uid=proxy,ou=people,o=sparc5-1.central.sun.com,o=isp

< LDAPDatabaseInterface-ldapauthpw= proxypassword 

---
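Review bot: the 542,543c540,541 hunk puts the proxy user's directory password into resource.properties in clear text ("LDAPDatabaseInterface-ldapauthpw= proxypassword"), and that account was granted proxy rights over the whole o=isp and o=internet trees in Step 13, so the file needs to be readable only by the user the web server runs as, and the resource.properties.orig copy made in Step 15 (and any copy kept under version control) should get the same treatment; a sentence to that effect belongs next to "Finally, you uncommented the ldapauthdn and ldapauthpw variables".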

# cd /web-HOME/INSTANCE/config

where web-HOME is the install directory for the web server and INSTANCE is the specific web server instance you are configuring. This is likely to contain the fully qualified name of the host. In the demo system it is:

# cd /A1000/demo6789/iws60/https-sparc5-1.central.sun.com/config

17. Edit the servlets.properties and the context.properties files:

# cp servlets.properties servlets.properties.orig
# cp context.properties context.properties.orig

a. Uncomment (remove the beginning # character from) each line in the servlets.properties file that contains servlet.*.context=ims50.

There should be about 16 of these lines:

# vi servlets.properties

# grep =ims50 servlets.properties
#To enable single signon uncomment all the servlet.*.context=ims50 lines
#servlet.Debug.context=ims50
#servlet.Version.context=ims50
#servlet.auth.context=ims50
#servlet.cauth.context=ims50
#servlet.getPage.context=ims50
#servlet.getBin.context=ims50
#servlet.cosMgr.context=ims50
#servlet.userCosMgr.context=ims50
#servlet.getLocation.context=ims50
#servlet.TaskManager.context=ims50
#servlet.logout.context=ims50
#servlet.CLIMap.context=ims50
#servlet.CLISearch.context=ims50
#servlet.userSsrMgr.context=ims50
#servlet.ssoauth.context=ims50
#servlet.VerifySSO.context=ims50

b. Edit the context.properties file:

# vi context.properties

Add this line near the end of the file, just before the #IDACONF-Start:

context.ims50.sessionCookie=ssogrp1-ida

The ssogrp1-ida must match the prefix and the name set in Steps 5 and 8.

18. Restart the web server:

# cd /web-HOME/INSTANCE
# ./stop
shutdown: server shut down
# ./start
iPlanet-WebServer-Enterprise/6.0SP2 B11/13/2001 00:49


[LS ls1] http://sparc5-1.central.sun.com, port 88 ready to accept requests
startup: server started successfully

Setting the Initial Welcome Email

Often you want to have an email that contains some basic information waiting for a new user. While this feature is available from both the command line and the administrator’s console, the documentation often only provides examples for the administrator’s console, as it is much easier to do from the console. Many customers want to configure this from the command line.

For more details, refer to Chapter 2 of the Sun ONE Messaging Server Administration Guide.

The following steps are required when the Messaging Server is running:

1. Use su to go to mailsrv, where mailsrv is the UNIX or system user ID under which the Messaging Server is running. Since you used “nobody” during the install:

# su - nobody

2. Change to the messaging instance for which you want to set the welcome message, /msg-Home/msg-Instance/:

# cd /msg-Home/msg-Instance/
# cd /A1000/demo6789/ims5/msg-sparc5-1

where msg-Home is the directory where the messaging software was installed, and Instance is the name of the messaging instance (install), often the hostname (short hostname).

3. Check the existing settings for the welcome message:

# ./configutil | grep gen.newuserforms

4. Edit or create a welcome message (email format including headers—minimum of subject):

# vi welcome.txt

You must at least have a “Subject: {subject}” header.

Example:

“Subject: Welcome!

This is a welcome message.”

is OK, but not:

“This is a welcome message.”

5. Set the welcome message.

# ./configutil -o gen.newuserforms -v < welcome.txt

Over-Quota Limits and Warning Email

Often, an administrator wants to set a limit on users for how much storage the messages can consume and how many messages they can retain. This is referred to as quota. The Messaging Server offers the ability to limit a user on both how much storage (for example, bytes) and how many (quantity) messages are allowed. The system also provides a method for notifying users that they are running out of quota or are in danger of going over the limit, as well as providing a grace period so that even though they are over, they can still receive a little bit over their quota until such time as they log in and delete email.

You can set these limits by using the console or from the command line. Using the administration console is easier, but some customers prefer to do everything from the command line.

For details, refer to Chapter 11 of the Sun ONE Messaging Server Administration Guide.

Configuring Over-Quota Limits and Warning Email

The following steps are required when the Messaging Server is running to begin configuring the quota, warning message, and grace period:

1. Use su to go to mailsrv, where mailsrv is the UNIX or system user ID under which the Messaging Server is running. Since you used “nobody” as the system user ID during the install:

# su - nobody

2. Change to the messaging instance for which you want to change the user quota, /msg-Home/msg-Instance/:

where msg-Home is the directory where the messaging software was installed, and Instance is the name of the messaging instance (install), often the hostname (short hostname).

# cd /msg-Home/msg-Instance/
# cd /A1000/demo6789/ims5/msg-sparc5-1

3. Check the existing settings for the quota:

# ./configutil | grep quota

4. Configure a default user quota in terms of space:

# ./configutil -o store.defaultmailboxquota -v quota

where quota is the quota expressed in bytes.

- To set a default limit of 10 megabytes or 10,240,000 bytes:

# ./configutil -o store.defaultmailboxquota -v 10240000
OK SET

- To configure a default user quota for the total number of messages:

# ./configutil -o store.defaultmessagequota -v quota

where quota indicates the maximum number of messages.

- To set a default limit of 100 messages:

# ./configutil -o store.defaultmessagequota -v 100
OK SET

5. Verify changes:

# ./configutil | grep quota

6. Configure quota enforcement and notification:

# ./configutil -o store.quotaenforcement -v yes
OK SET
# ./configutil -o store.quotanotification -v yes
OK SET

This step turns on the quota and the messages to users that they are exceeding the quota.

7. Configure the actual message:

# ./configutil -o store.quotaexceededmsg -v msg

where msg is the email message to the users when quota is exceeded. The message must have at least a subject line:

# ./configutil -o store.quotaexceededmsg -v < msg.txt

To configure how often a reminder is sent to the users:

# ./configutil -o store.quotaexceedmsginterval -v days

where days is the number of days between reminders.

To configure a daily reminder:

# ./configutil -o store.quotaexceedmsginterval -v 1

8. Notify users in advance of the upcoming quota limit.

Notification depends upon your company’s protocol.

# ./configutil -o store.quotawarn -v percent

where percent is that threshold for the warning.

To configure a warning message at 90 percent of quota:

# ./configutil -o store.quotawarn -v 90

9. Set the grace period—how long messages are held for users that are over quota.

During the grace period, the messages are held in the queue. They are not delivered to the mailboxes.

# ./configutil -o store.quotagraceperiod -v hours

where hours is the number of hours over-quota messages will be held.

To configure a grace period of three days:

# ./configutil -o store.quotagraceperiod -v 72

10. Check the existing settings for the quotas:

# ./configutil | grep quota
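The settings in steps 4 through 10 interact (bytes quota, message-count quota, warning percent, reminder interval, grace period), and both the welcome message and the quota-exceeded message must carry a Subject header. The following stand-alone Python model is an added example, not code from the Messaging Server or from this book; it reproduces those semantics as the text states them so a planned setting can be checked before configutil is run. Two assumptions are marked in the code: the warning fires when either usage reaches the threshold, and held mail is no longer held once the grace period expires.

```python
"""Added example: model of the store.* quota settings described above.
Not code from the Sun ONE Messaging Server or this BluePrint; the
semantics below follow the text (assumptions are marked)."""
from dataclasses import dataclass


@dataclass
class QuotaConfig:
    """One field per configutil option used in steps 4 through 9."""
    defaultmailboxquota: int = 10_240_000   # bytes (the text's 10 MB example)
    defaultmessagequota: int = 100          # maximum number of messages
    quotaenforcement: bool = True           # store.quotaenforcement yes/no
    quotanotification: bool = True          # store.quotanotification yes/no
    quotawarn: int = 90                     # percent of quota that triggers a warning
    quotaexceedmsginterval: int = 1         # days between reminders
    quotagraceperiod: int = 72              # hours over-quota mail is held (three days)


def has_subject_header(message_text: str) -> bool:
    """Check the rule stated for gen.newuserforms and store.quotaexceededmsg:
    the text must contain at least a 'Subject:' header line. Headers end at
    the first blank line, so a 'Subject:' buried in the body does not count."""
    headers, _, _ = message_text.replace("\r\n", "\n").partition("\n\n")
    return any(line.lower().startswith("subject:") for line in headers.splitlines())


def validate(cfg: QuotaConfig) -> list:
    """Return a list of problems with the planned settings (empty if none)."""
    problems = []
    if cfg.defaultmailboxquota <= 0:
        problems.append("defaultmailboxquota must be a positive number of bytes")
    if cfg.defaultmessagequota <= 0:
        problems.append("defaultmessagequota must be a positive message count")
    if not 0 < cfg.quotawarn <= 100:
        problems.append("quotawarn is a percentage and must be between 1 and 100")
    if cfg.quotaexceedmsginterval < 1:
        problems.append("quotaexceedmsginterval must be at least one day")
    if cfg.quotagraceperiod < 0:
        problems.append("quotagraceperiod (hours) cannot be negative")
    return problems


def configutil_commands(cfg: QuotaConfig) -> list:
    """The argv lists a script would run, in the order the steps give them."""
    def yesno(flag: bool) -> str:
        return "yes" if flag else "no"
    settings = [
        ("store.defaultmailboxquota", str(cfg.defaultmailboxquota)),
        ("store.defaultmessagequota", str(cfg.defaultmessagequota)),
        ("store.quotaenforcement", yesno(cfg.quotaenforcement)),
        ("store.quotanotification", yesno(cfg.quotanotification)),
        ("store.quotaexceedmsginterval", str(cfg.quotaexceedmsginterval)),
        ("store.quotawarn", str(cfg.quotawarn)),
        ("store.quotagraceperiod", str(cfg.quotagraceperiod)),
    ]
    return [["./configutil", "-o", opt, "-v", val] for opt, val in settings]


def _percent(used: int, limit: int) -> float:
    return 100.0 * used / limit if limit > 0 else 0.0


def quota_state(cfg: QuotaConfig, mailbox_bytes: int, message_count: int,
                hours_over_quota: int = 0) -> str:
    """Classify a mailbox as 'ok', 'warn', 'over-held' or 'over-expired'.

    over-held:    user is over either limit, enforcement is on, and the grace
                  period has not run out, so new mail waits in the queue.
    over-expired: the grace period has run out (assumption: mail is no longer
                  held; the text does not say what happens next).
    warn:         usage of either limit is at or above quotawarn percent and
                  notification is on (assumption: either limit counts)."""
    over_quota = (mailbox_bytes > cfg.defaultmailboxquota
                  or message_count > cfg.defaultmessagequota)
    if over_quota and cfg.quotaenforcement:
        if hours_over_quota < cfg.quotagraceperiod:
            return "over-held"
        return "over-expired"
    usage = max(_percent(mailbox_bytes, cfg.defaultmailboxquota),
                _percent(message_count, cfg.defaultmessagequota))
    if cfg.quotanotification and usage >= cfg.quotawarn:
        return "warn"
    return "ok"


def reminder_due(cfg: QuotaConfig, days_since_last_notice: int) -> bool:
    """True when another quota-exceeded reminder should go out."""
    return days_since_last_notice >= cfg.quotaexceedmsginterval


if __name__ == "__main__":
    cfg = QuotaConfig()
    print("problems:", validate(cfg))
    print(" ".join(configutil_commands(cfg)[0]))
    print(quota_state(cfg, 9_300_000, 40))          # warn (90.8% of bytes)
    print(quota_state(cfg, 1_000_000, 101, 5))      # over-held (message count)
    print(has_subject_header("Subject: Welcome!\n\nThis is a welcome message."))
```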


Customizing Return Errors

Occasionally, customers like to configure or customize the return errors provided to other SMTP servers. While this is generally frowned upon, legitimate reasons do exist—to provide additional information, to provide system administrator contact information, and so forth.

The return messages are localized to a point—depending upon which version of the messaging software was installed and the level of customization, you might have German, Spanish, French, and English, so you may have to modify several files. This book only describes the English (en) locale.

The return codes are stored in the following directory:

/msg-Home/msg-Instance/imta/config/locale/C/LC_MESSAGES

where msg-Home is the directory where the messaging software was installed, and Instance is the name of the messaging instance (install), often the hostname (short hostname).

# cd /A1000/demo6780/ims52/msg-sparc5-1/imta/config/locale/C/LC_MESSAGES

If you look at this directory, you can see the files for the various responses:

# ls
return_bounced.txt*   return_delayed.txt*    return_failed.txt*     return_header.opt*   return_suffix.txt*
return_deferred.txt*  return_delivered.txt*  return_forwarded.txt*  return_prefix.txt*   return_timedout.txt*


CHAPTER 10

Security

Security is integral to any mission-critical enterprise-wide system. To paraphrase a recent animated hit movie, “Security is like an onion...it has layers.” Whether the system is a messaging system or a database system, there are many layers (FIGURE 10-1) when addressing security—each and every layer is integral to the overall security of the system. The question is how much effort is really appropriate for the level of security required.

This chapter discusses in detail the specific issues surrounding the security of a messaging server, including the server platform, the various protocols and their impact, and securing the contents of the messages.

This chapter divides the topic of security as it relates to a messaging system into three different layers or topics:

- Network
- System
- Messaging Software Protocols

FIGURE 10-1 Security Layers (layers shown: Client, Network, Application, Operating system, Hardware)

Network

The network layer is the layer that is external to the physical host and operating system on which the Messaging Server or one of its components is running. It is surprising to see in this day and age of reasonable paranoia regarding basic network security how many customers are not actually deploying even the most basic network security measures such as firewalls. You may be saying, “of course we have a firewall!” OK, but is it just there for traffic between the Internet and your organization’s network? Or do you have several layers of firewalls, including a layer protecting mission-critical systems such as your messaging system?

Why use firewalls for the Messaging Server? Even under the most complex configurations, roughly half a dozen ports must be exposed to users. Why allow users to access ports they do not have to access in the first place?

Some customers ask, “Why must I protect against my internal users?” Many computer security experts say that internal users pose a significant risk too.

Looking at the individual components of the Messaging Server such as the message store, MTA, directory, and proxies such as the MMP and MME, there are definitely components to which only internal users need access and then only on specific ports. In a typical enterprise, TABLE 10-1 shows what access might be required for messaging:

Corporations often use virtual private networks (VPNs) to allow external users to act as though they were part of the internal network, therefore limiting access from the Internet is fairly straightforward.

TABLE 10-1 Enterprise Messaging Access in a Typical Enterprise

Component      Internal  Internet
Directory      Y         N
Mail Store     Y         N
MTA-INBOUND    Y         Y
MTA-OUTBOUND   Y         N
MMP            Y         N
MME            Y         N

The same chart can look dramatically different for organizations such as universities (TABLE 10-2), many of which do not differentiate significantly between internal networks and Internet networks (although this is rapidly changing).

In some organizations, the concept known as a demilitarized zone (DMZ) (FIGURE 10-2) is used to establish systems with access to both internal and external

TABLE 10-2 Enterprise Messaging Access in a University

Component      Internal  Internet*
Directory      Y         Y
Mail Store     Y         Y
MTA-INBOUND    Y         Y
MTA-OUTBOUND   Y         Y
MMP            Y         Y
MME            Y         Y

* All Internet access except MTA-INBOUND—only authorized users and in a secure manner.


networks—within reason and under very controlled circumstances. Many of the servers inside the DMZ are stateless and are limited to functions such as relays and proxies. Firewall rules can be explicitly configured to allow only specific internal network or Internet connections. Additional rules control how the proxies or relays are allowed to connect.

In reality, a significant degree of planning and forethought must be put into network security, including addressing issues such as network access to mission-critical systems such as messaging. This book does not address the issue of network security—the purpose is to make you aware of its requirements.

Some points on network security:

1. Put your server behind a firewall with packet filtering—stateful packet inspection (SPI) capabilities. Configure the firewall’s packet inspection to drop external packets with an internal source IP address, and forbid all connections from outside except those ports you explicitly need.

2. Do not put any Windows machines (especially Windows machines running XP, Outlook, or the Windows scripting host) on the network with your server.

3. The better the protection at the network level, the less the system security level has to deal with. Conversely, the poorer the protection at the network level, the more the system security has to deal with.

FIGURE 10-2 Secure Network Architecture for Messaging Environment (Internet or WAN, outer firewall, DMZ containing proxies and MTAs, inner firewall, internal servers)

System

There are many aspects to system security. This book focuses on the Solaris OE. However, many of the concepts are easily applied to other UNIX operating environments, including derivatives such as Linux.

Basics of Solaris OE Security

Perhaps the easiest way to secure or harden the Solaris OE system is by using the Solaris™ Security Toolkit, informally known as the JumpStart Architecture and Security Scripts (JASS) toolkit. It provides a flexible and extensible mechanism to minimize, harden, and secure Solaris OE systems. The primary goal behind the development of these toolkits is to simplify and automate the process of securing Solaris OE systems.

The Solaris Security Toolkit focuses on Solaris OE security modifications to harden and minimize a system. Hardening is the modification of Solaris OE configurations to improve the security of the system. Minimization is the removal of unnecessary Solaris OE packages from the system. This removal reduces the number of components to be patched and made secure, which, in turn, has the potential to reduce entry points available to a possible intruder.

The Solaris Security Toolkit provides two methods for securing systems: during initial Solaris OE installs by using JumpStart software technology, or from the command line, which is called standalone mode. This standalone mode allows the Solaris Security Toolkit to be used on systems that require security modifications or updates. The standalone mode is particularly useful when rehardening a system after patches have been installed. The Solaris Security Toolkit can be run any number of times on a system with no ill effects. Patches can overwrite or modify files the Solaris Security Toolkit has also modified; by rerunning the Solaris Security Toolkit, any security modifications undone by the patch installation can be reimplemented. In production environments, patches should always be staged in test and development environments before installation.

The Solaris Security Toolkit is located at:

http://wwws.sun.com/software/security/jass/.

Other security related Sun BluePrints are located at:

http://www.sun.com/solutions/blueprints/browsesubject.html#security.

Note – The toolkit locks down the “nobody” account, so if you are using this account to run a prototype or demo messaging system, you must edit the /etc/passwd file and delete the /sbin/noshell at the end of the “nobody” entry. Alternatively, create a new group and users for the messaging system, as recommended in the iPlanet Messaging Server Installation Guide.

Additional system security measures include solid intrusion detection and monitoring. While the toolkit provides some hardening of the Solaris OE, it does not do intrusion detection.

A variety of commercial and open-source offerings are available for system intrusion detection and monitoring. Network intrusion detection and monitoring packages are also available. An example of this type of software is TripWire.

Some points on system security:


1. Start by installing the most recent Solaris OE security patch clusters and setting up a procedure to update the patches once every few months and in response to security alerts from the vendor.

2. Turn off all operating system services that listen on a port that you do not use. The toolkit does some of this.

3. Replace telnet, ftp, and so forth with sshd. The toolkit also does some of this—sshd is part of the install by default under the Solaris 9 OE.

4. Do not provide users with interactive accounts on the Messaging Server—only administrators should have accounts.

5. Do not change the default configuration of Solaris OE regarding the console; require administrators to log in and then become superuser and change the directory to root unless they are actually on a console port.

6. Implement sudo or its equivalent for administrators or the equivalent functionality (role-based access control), which is included within the Solaris Operating Environment. For more details, see the Solaris System Administrators Guide on Security Services at:

http://docs.sun.com/db/doc/806-4078.

7. Read and understand the Sun BluePrints related to system security at:

http://www.sun.com/solutions/blueprints/browsesubject.html#security.

8. Install intrusion detection and monitoring software, for example TripWire. Sun, in conjunction with Symantec, recently introduced a new intrusion detection appliance. For more information, go to:

http://www.sun.com/smi/Press/2003-04/sunflash.20030414.1.html.

Messaging Software Protocols

As with the system security, the messaging software security also has layers of its own, which can be separated into the following components:

- Directory
- Message Store
- MTA
- Proxy


Directory

There are several aspects of securing the directory beyond securing the basic server and operating system. These aspects are:

- ACI—limiting permissions as to what people can see and do
- Search limits—how many responses and how much time can be spent searching
- SSL—enabling SSL support
- Non-standard ports—not using ports 389 or 636 for LDAP or LDAP over SSL

This is not an exhaustive list of directory security issues, but it covers most of the options to secure the Directory Server protocols and access using these protocols.

ACI

Access control instructions (ACIs) are basically permissions. The Directory Server provides a mechanism by which you define access. When the server receives a request, it uses the authentication information provided by the user in the bind operation and the ACIs defined in the server to allow or deny access to directory information. The server can allow or deny permissions such as read, write, search, and compare. The permission level granted to a user may be dependent on the authentication information provided.

Using access control, you can control access to the entire directory, a subtree of the directory, specific entries in the directory (including entries defining configuration tasks), or a specific set of entry attributes. You can set permissions for a specific user, all users belonging to a specific group or role, or all users of the directory. Finally, you can define access for a specific location such as an IP address or a DNS name.

Chapter 6 of the iPlanet Directory Server Administration Guide provides details on configuring and establishing ACIs.

The two or three most common changes or customizations are for customers to change permissions (ACIs) for:

- Self
- Anonymous
- General access

Some customers, for example, do not want anyone to be able to change their own entry information. For this, an ACI can be created to restrict (deny) change privileges to “self.”

Other customers want anonymous (anyone) to see only the person’s name, phone number, and email address—nothing else. Again, an ACI can be created for “anyone” to be able to only see the common name, phone number, and email address.

General access can control authenticated users’ access to the directory, so even if they successfully log in, they can see more than “anyone” but less than “self,” for example. An ACI modification or creation can do this too.

Other conditions that can be taken into consideration when creating ACIs include time of day, day of week, IP address, and DNS name.

ACIs are a powerful way to control access to the directory, if properly configured, but can also be a problem if poorly done since they can impede other software from working correctly.

Search Limits

One of the newer features of the Directory Server is the ability to limit search sizes and time spent searching for different types of users. Previous versions only provided for one overall limit, not multiple limits.

These limit features provide the ability to configure both size limit (number of entries returned) and time limit (maximum amount of real time in seconds the server should spend performing a search request) as not only a system default, but also at a finer-grained level. For example, you can configure the Directory Server so that “anyone” or unauthenticated users can only retrieve five entries and spend 20 seconds searching, while “general access” users (for example, those who have authenticated successfully) can retrieve 50 entries and spend 180 seconds searching.

The Directory Server allows you to specify resource limits, including sizelimit, timelimit, lookthroughlimit, and idletimeout, down to the per-user level. This is documented online at:

http://docs.sun.com/source/816-5606-10/password.htm#1085603.

Enabling SSL Support

Enabling SSL support for the Directory Server is the first step in providing secure access using LDAP over SSL for queries and responses. Enabling SSL by itself does not configure the other servers to take advantage of it, however. Additional configuration typically must be done. Enabling SSL simply turns on the Directory Server’s ability to encrypt LDAP using SSL over the network, so where LDAP is normally on port 389, LDAP over SSL is typically on port 636 (either of which can be changed).

The caveat on enabling SSL for anything is certificate management. A certificate (key) must be generated and imported into the server. For specific instructions, see Chapter 11 of the Sun ONE Directory Server Administrators Guide. Also, the personal identification number (PIN) or password for the certificate must be entered to start the server. This PIN can be stored within a file, but it is done in cleartext, which provides some security issues and risks that must be assessed prior to doing so.

For details on managing SSL, see Chapter 11 of the Sun ONE Directory Server Administrators Guide.

Enabling SSL on the Directory Server will have some performance impact that must be taken into consideration when sizing. This depends specifically on the number of transactions and usage of the SSL-enabled LDAP ports. For example, if only ten percent of the transactions require SSL, use SSL only for these ten percent if possible. The Directory Server supports hardware acceleration of SSL workload, but this can add some additional configuration requirements and complexity.

Non-standard Ports

The Directory Server and Messaging Server provide the ability to use non-standard ports for LDAP and LDAP over SSL. While this prevents some basic default port scanning, it also means that all the software that accesses the directory must be configured to use the non-standard port numbers too, so this becomes slightly more difficult to manage and configure.

Message Store

From the Messaging Server software point of view, the security aspects on the message store are limited to the basic email protocols—POP, IMAP, SMTP, and HTTP (web mail), plus the administrative interfaces over HTTP.

SMTP

Configure the SMTP daemon on the mailstore (it is required to deliver mail to mailboxes) to only accept connections from the “official” MTAs. The MTA on the mailstore is there just to deliver mail to mailboxes and users. The exception to this rule is for smaller configurations that want to have a consolidated or “all-in-one” messaging system where the MTA on the mailstore is the “official” MTA and the only MTA.

MTA

Several things can be done to make the MTA more secure, although this is really more of a configuration issue and depends upon the environment.


The biggest security feature for the MTA is to require authentication prior to sending an email. This is known as SMTP authentication or SMTP AUTH for short. This authentication requires that the sender have a valid login and password (account) on the messaging system, thus preventing users from sending email from anywhere, regardless of whether they are local (on net) or not. This also prevents people from sending thousands of emails out to the Internet using your MTA as a relay, though it does not prevent forged headers (see RDNS).

RDNS

Reverse DNS (RDNS) validates that the domain name from which the mail is purported to have been sent (sender’s domain name) is at least registered, that is, valid. The setting within the Messaging Server that provides this capability is called mailfromdnsverify. This lookup only verifies the existence of the domain name in the DNS registry, nothing else. Spammers and others can easily forge headers and the domain names can be registered/churned quickly. So, the debate is how useful RDNS really is at this point. In fact, it is only one feature of many that slows down spam and so forth.

Antivirus and Antispam

“Virus Scanning” on page 198 and “Antispam” on page 199 cover antivirus and antispam in more detail. Providing these services at the MTA level greatly enhances the overall security of the messaging environment.

Securing the Message Contents

Securing the message contents is usually the final step along the way in securing the mail system, and naturally the most difficult to implement for many reasons. PGP signing allows for the non-repudiation of a message—that is, you can validate who it is from and the contents. SMIME is secure MIME, which actually encrypts the contents of the message.

While adding these options to your messaging system offers additional levels of security, it also adds significant levels of support and administration as well. Extra consideration must be given when implementing digital signing or message encryption.

Implementing PGP Signing


Pretty good protection (PGP) signing (digital signing) is simpler to do than message encryption (sometimes referred to as SMIME) by far, but it does not prevent access to the contents. It does allow you to confirm the identity (signature) of the sender and verify that the contents of the message (but not headers) have not been tampered with (non-repudiation).

The Online help for Mozilla v1.3a states:

digital signature. A code created from both the data to be signed and the private key of the signer. This code is unique for each new piece of data. Even a single comma added to a message changes the digital signature for that message. Successful validation of your digital signature by appropriate software not only provides evidence that you approved the transaction or message, but also provides evidence that the data has not changed since you digitally signed it.

PGP is a public-private key system. That is, there are two keys, one private key that only the user knows and one public key that anyone can find out by looking it up in a directory. By using the combination of these keys, you can encrypt and sign documents meant for either public consumption or just one other individual. PGP signing operates slightly differently for each platform such as Windows, Solaris OE, or Linux and so forth, but overall it operates in a very similar manner.

For an overview of PGP, see:

http://www.pgpi.org/doc/overview/.

To implement PGP signing:

1. Obtain PGP software.

2. Install PGP utility.

3. Generate key pair—your public and private key.

4. Create email.

5. Cut and paste email into PGP utility to generate PGP signature (checksum).

6. Cut and paste PGP signature to bottom of email.

7. Send email.
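The steps above as a worked example, added here and not taken from the book or from any PGP implementation: a toy clear-signing round trip in Python that signs only the message body (so headers are not covered, as the text notes) and shows the single-comma effect quoted from the Mozilla help. The key pair and the sample email are constructed; textbook RSA over a SHA-256 digest stands in for the PGP utility.

```python
"""Added example, not from the BluePrint and not PGP: a minimal clear-signing
round trip that mirrors steps 3 to 6 above. It signs a SHA-256 digest of the
message body with textbook RSA so it runs offline with no PGP software.
The key pair is a constructed toy key (two small primes); real OpenPGP keys
are thousands of bits and use the OpenPGP packet format."""
import hashlib

# Step 3, toy version: constructed key pair (insecure, for illustration only)
P, Q = 104729, 1299709
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent (needs Python 3.8+)
PUBLIC_KEY = (E, N)
PRIVATE_KEY = (D, N)

BEGIN_SIG = "-----BEGIN TOY SIGNATURE-----"
END_SIG = "-----END TOY SIGNATURE-----"

# Step 4: a constructed sample email
SAMPLE_EMAIL = (
    "From: alice@example.com\n"
    "To: bob@example.com\n"
    "Subject: Hello\n"
    "\n"
    "Please send the report by Friday.\n"
    "Thanks, Alice\n"
)


def split_headers_body(email: str) -> tuple:
    """Headers end at the first blank line; only the body is signed."""
    headers, _, body = email.replace("\r\n", "\n").partition("\n\n")
    return headers, body


def canonical(body: str) -> str:
    """Strip trailing whitespace so mail transport quirks do not break the check."""
    return "\n".join(line.rstrip() for line in body.splitlines()).rstrip()


def body_digest(body: str, n: int) -> int:
    digest = hashlib.sha256(canonical(body).encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % n


def sign_body(body: str, private_key: tuple) -> int:
    """Step 5: the 'checksum' depends on both the data and the private key."""
    d, n = private_key
    return pow(body_digest(body, n), d, n)


def verify_body(body: str, signature: int, public_key: tuple) -> bool:
    e, n = public_key
    return pow(signature, e, n) == body_digest(body, n)


def sign_email(email: str, private_key: tuple) -> str:
    """Step 6: paste the signature block at the bottom of the email."""
    headers, body = split_headers_body(email)
    signature = sign_body(body, private_key)
    return f"{headers}\n\n{canonical(body)}\n{BEGIN_SIG}\n{signature}\n{END_SIG}\n"


def verify_email(signed_email: str, public_key: tuple) -> bool:
    """Recipient side: split off the signature block and check the body.
    Headers are not covered, matching the caveat in the text."""
    _, rest = split_headers_body(signed_email)
    body, marker, tail = rest.partition("\n" + BEGIN_SIG + "\n")
    if not marker:
        return False                     # no signature block present
    signature_text = tail.partition("\n" + END_SIG)[0].strip()
    if not signature_text.isdigit():
        return False
    return verify_body(body, int(signature_text), public_key)


if __name__ == "__main__":
    signed = sign_email(SAMPLE_EMAIL, PRIVATE_KEY)
    print(signed)
    print("valid:", verify_email(signed, PUBLIC_KEY))
    print("one comma added:", verify_email(signed.replace("Friday", "Friday,"), PUBLIC_KEY))
```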

A good tutorial on the whole process is available at:

http://www.haltabuse.org/pgp/index.shtml.

Some email clients support PGP signing natively, basically calling a PGP utility and performing the operation for the user. Some examples include:

- Ximian (http://www.ximian.org)
- KMail (http://devel-home.kde.org/~kmail/index.html)
- Postilion (http://www.postilion.org/)
- Arrow (http://www.newplanetsoftware.com/arrow/)

These utilities may be slightly out of date. Plug-ins for Mozilla and Netscape 7, such as Enigmail, are also available.

A more complete list is located at:

http://email.about.com/cs/openpgpsoftware/.

The Messaging Server web mail interface can be customized to perform PGP signing automatically, but this takes some effort and requires that the PGP keys be stored inside the Directory Server so they can be accessible for both the web mail client and the public.

PGP or digital signing has little impact on the server itself because the client mainly performs the work. An exception is if the web mail is customized to perform the key calculation; this added workload must be considered when sizing the server. It does add some additional length to each message signed—roughly 512 characters or so. While this is not very much, it can increase the overall storage and throughput requirements if every message is signed.

SMIME

SMIME goes beyond simply computing a checksum based upon the message content and your private key. This includes encrypting the entire message so it cannot be read. Again, this requires encryption software and often a thick client, though the Messaging Server web mail client can be modified to perform SMIME (see also Implementing PGP Signing).

The main issue with SMIME versus signatures is that you must unencrypt the message and attachments to be useful with SMIME, whereas with signatures you may only have to validate the sender if you suspect the message has been tampered with or the source is not genuine.

SMIME has a significant impact on the sizing of the server if the web mail client is customized. If thick clients perform most of the work of encryption and decryption, the impact is typically with the overall increase in the size of the message.

SMIME or encrypted messages are the only methods of ensuring privacy from even system administrators—as much as possible, since no encryption is completely unbreakable given enough time and computing power.

This book refers to PGP or OpenPGP, but the message contents can also be secured by using X.509 Certificates.


Conclusion

Some points on messaging server software security:

1. Require SMTP AUTH for mail submission and turn on appropriate logging, so abuse can be traced.

2. Set ACIs in the directory appropriately for your environment.

3. Enable SSL for LDAP, IMAP, POP, and web mail to provide secure transmission.

4. Configure and support PGP/digital signatures if non-repudiation and sender validation are required.

5. Configure and support SMIME or encrypted messages if absolute privacy is required.

6. Keep in mind that each layer of security at this level adds administrative and support overhead.


CHAPTER 11

Migration

After you install the basic Messaging Server, one of the more difficult tasks is to migrate the existing user base and mailbox contents. Different techniques can be used, but only specific techniques are valid for specific migrations, Exchange for example. Additionally, other parts of the migration have specific issues, such as using the migration as an opportunity to standardize mail address formats while maintaining legacy addresses that can be addressed. This chapter describes the best practices for migration and identifies potential problems that may occur during the migration phase. The items that must be migrated are:

- Directory


• Mailbox (content)

• Mail list (aliases)

• Personal address books

This chapter covers the following topics:

• Basic Steps (Generic)

• Sendmail (UNIX Mail)

• Exchange, Novell Groupwise, and Lotus Notes

The process of installing a new messaging system can be divided into three phases:

• Installation

• Provisioning and maintenance of users

• Migration from the old system

Previous chapters covered the basic installation of the Messaging Server and the maintenance and provisioning of users. This chapter covers the final stage: getting users off the old system and onto the new system.

Few, if any, organizations will be starting a brand new deployment of messaging. Migration of an existing email system is not trivial. Migration often consumes half of the overall project effort, but you can minimize the time you spend by planning and using the knowledge this chapter provides.

Decisions regarding whether to migrate everything at once or user by user (self service) must be made. Each method has its pros and cons.

Basic Steps (Generic)

Migrating a messaging system has three steps:

• User Information: user ID, password, name, and so forth

• Messages and Folders: content

• Aliases and System-wide Mailing Lists: content and aliases

The techniques and methods used for migration of message and folder contents are different than those used for aliases or system mailing list contents.

User Information

At first glance, the issue of migration of user information seems pretty trivial.


However, much depends upon the format and source of the old mailing system. Some mailing systems use basic user stores such as text files, /etc/password for example. However, others might use an actual database. No problem, correct? To a point, yes, but the real issue lies in what information is there that you really cannot get to, specifically passwords.

Typically, gaining access to basic user information such as first name, last name, user ID, email addresses, and so forth is done easily enough. However, passwords are often stored in hashed or encrypted format.

Why Are Passwords Important?

During the migration of the actual content, system utilities may have to actually log in and act as if they were the user, unless they can read the mail directly off the file system or there is an administrative password option.

Password Handling Options

1. Temporarily reset the password to something known.

This is easily enough done in many cases, but what else will it affect? Can you set it back to the previous password when you are done?

2. Decrypt (break) the password.

This does not work in all cases. It is slow and not really feasible.

3. Use the administrator password (root or equivalent).

This is not possible in all systems; it may not actually act as the user.

4. Set the password in cleartext.

This is ideal if possible. It can be done through a web page if needed.

Messages and Folders

In many ways, populating the user information is the easiest part of the migration. At worst, you can simply provision all existing users in the same manner as if they were new users. This, however, leaves you with an empty inbox.

There are several ways of migrating the actual contents from the old messaging system to the Sun ONE messaging system. Ideally, the fastest method is the one that can directly access the data on disk. However, due to the varied formats in which messaging software stores data, this is not always possible or recommended.

In most cases, the lowest common denominator provides the solution: POP or IMAP and perhaps SMTP. Why? Because the vast majority of messaging systems support these protocols and they are platform and operating system neutral.

Note – If you are using only POP3 on your mail server (that is, no folders or advanced functions), consider using the built-in feature of the web mail interface of the Sun ONE Messaging Server that provides the ability to check other mail. This allows users to simply configure the information such as user ID and password and then click the button.

One of the easiest and most overlooked methods for migrating existing content is simply not to do it. Rather, let the users maintain their old accounts for some period of time and, should they desire to, simply drag and drop between the old and new accounts. Most of today's messaging clients, such as Netscape or Mozilla, have the ability to be configured for multiple messaging servers.

Letting Users Maintain Messages and Folders

Overall, the procedure is this:

1. Install the Messaging Server.

2. Provision all existing users as though they were new users.

3. Configure the software so that all mail is delivered into new accounts.

4. Place instructions on configuring Netscape (or other browser) on the Web or in the old email account.

5. Provide instructions for moving email by using drag and drop.

6. Provide a deadline for moving off the old messaging system.

7. Decommission the old messaging system.

This procedure avoids all password issues.

A variation on this procedure provides continued delivery to the existing messaging system until the customer wants to cut over, and eliminates the need for drag and drop. This procedure is:

1. Install the Sun ONE Messaging Server software.

2. Provision all existing users as if they were new users.

3. Configure the MTA and directory to continue to route mail to the existing messaging system.

4. Create a simple web page that:

• Authenticates the user, capturing their password in cleartext

• Sets the Messaging Server password to the captured password

• Executes the MoveUser utility or something similar like fetchmail

For MoveUser syntax details, see the iPlanet Messaging Server Reference Manual at:

http://docs.sun.com/source/816-6020-10/ms_cmds.htm#15794.

• Configures any additional settings required

5. Allow the users to migrate at their leisure (within reason).

Aliases and System-wide Mailing Lists

Unfortunately there is no automatic method of doing aliases and system-wide mailing lists. However, there are some significant opportunities to reduce future administrative workloads.

The three ways to migrate system-wide mailing lists are:

• Aliases File

• Delegated Administrator

• Creating Dynamic Groups and Email Lists Using Direct LDAP Manipulation (Sun ONE Administrator Console)

Aliases File

As discussed in Chapter 6 of the Sun ONE Messaging Server Administration Guide, the aliases file is used to set aliases that are not set in the directory. In particular, the postmaster alias is a good example. Aliases set in this file are ignored if the same aliases exist in the directory. One drawback in using the aliases file is that the MTA must be restarted for any changes to take effect.

A significant use of the aliases file is for expansion of large membership (quantity) aliases, such as by ISPs that must distribute individual messages to all 10,000,000 users quickly. An alias is created that expands into more aliases, and so forth. In a way this use is like throwing off threads during program execution, and it allows quicker processing of large mass mailings.

However, it is also a good way to easily import existing aliases (with some modification) during the initial migration. Once that is done, additional and more appropriate methods of mail list creation can be used.

Delegated Administrator

Most users and administrators create and administer aliases using the Delegated Administrator web-based user interface. Administrators can determine who, if anyone, has the ability to create mailing lists. A person with the ability to create and manage mailing lists has control over several things regarding a specific list:

• Additional owners

• Internal members

• External members

• Moderators (if any)

• Who can join the mailing list

• Who can see who is in the mailing list

• Whether a mailing list can be seen

Unfortunately, you cannot enter dynamic list criteria using the Delegated Administrator interface because these are not dynamic lists: either the user must subscribe to the list through the Delegated Administrator interface or the list administrator must add the person's email address to the list.

Creating Dynamic Groups and Email Lists Using Direct LDAP Manipulation (Sun ONE Administrator Console)

One feature that direct LDAP manipulation provides is the ability to create dynamic groups or email lists. This feature is based on LDAP queries that are then expanded upon at runtime. For example, a mailing list of Dave could be created specifying that anyone with "dave" or "david" as part of their common name (cn) in the directory would be part of the mailing list. Then, as users are added to the messaging system's directory, there is no need to administer this list because it is always up to date.

Unfortunately, creating a dynamic group-based mailing list through the Delegated Administrator interface or the aliases file is not possible. To do this, you must either access the Messaging Server through the Sun ONE Administrator Console or use direct LDAP manipulation.

The overall process is fairly simple:

1. In the Administrator Console, access the Create Group or Edit Entry window, then click on the Mail and the Email-only Members tabs.

2. Click on the Add button under the Dynamic Criteria field.

Dynamic criteria are really just LDAP query strings, much like those you can enter against the directory from Netscape or other browsers. The following is an example of an LDAP search URL that filters for users who have "dave" or "david" as part of their common name:

ldap:///o=isp??sub?(&(objectclass=person)(|(cn=*dave*)(cn=*david*)))

3. Enter an LDAP search URL in the field or click the Construct button to open the Construct LDAP Search URL window.

Construct LDAP Search URL is a utility that aids in construction of the search URL.

4. Click OK to add your entry to the "Dynamic criteria for email-only membership" field and dismiss the Add Dynamic Criterion window.

For more detailed information, see Appendix D, "Managing Users and Mailing Lists of the Sun ONE Messaging Server," in the iPlanet Messaging Server Administration Guide.
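To see what a dynamic criterion like the search URL above actually selects at expansion time, here is an added example in Python; it is not code from this book or from the Messaging Server. It splits the LDAP search URL into base DN, scope and filter, then evaluates the filter against a small constructed in-memory directory, which is what the MTA does against the real directory when the list is expanded. Only equality filters with "*" wildcards joined by &, | and ! are handled, which is all the example URL needs; the entries, their DNs and uid values are constructed.

```python
"""Expand a dynamic-group LDAP search URL against directory entries.

Added example, not code from the Sun ONE Messaging Server book or product.
Parses the search URL (RFC 4516) and evaluates its filter (RFC 4515 equality
filters with '*' wildcards, combined with &, | and !) against constructed
entries standing in for the directory."""
import re
from urllib.parse import unquote

# Constructed entries (attribute names lower-cased, values as lists).
SAMPLE_ENTRIES = [
    {"dn": "uid=dpickens,ou=people,o=isp", "objectclass": ["top", "person"],
     "cn": ["Dave Pickens"]},
    {"dn": "uid=dsmith,ou=people,o=isp", "objectclass": ["top", "person"],
     "cn": ["David Smith"]},
    {"dn": "uid=jdoe,ou=people,o=isp", "objectclass": ["top", "person"],
     "cn": ["Jane Doe"]},
    {"dn": "cn=davelist,ou=groups,o=isp", "objectclass": ["top", "groupofnames"],
     "cn": ["davelist"]},
]

# The search URL quoted in the text.
PAGE_URL = "ldap:///o=isp??sub?(&(objectclass=person)(|(cn=*dave*)(cn=*david*)))"


def parse_ldap_url(url):
    """Split an LDAP URL into host, base DN, attribute list, scope and filter."""
    m = re.match(r"ldap://([^/]*)/(.*)$", url, re.DOTALL)
    if not m:
        raise ValueError("not an ldap:// URL: %r" % url)
    host, rest = m.groups()
    dn, attrs, scope, filt = (rest.split("?", 3) + [""] * 4)[:4]
    return {
        "host": host or None,                   # empty host = the default server
        "dn": unquote(dn),
        "attrs": [a for a in attrs.split(",") if a],
        "scope": scope or "base",               # RFC 4516 default scope
        "filter": unquote(filt) or "(objectClass=*)",
    }


def parse_filter(s):
    """Parse an RFC 4515 filter string into a nested tuple tree."""
    s = s.strip()
    node, end = _parse(s, 0)
    if end != len(s):
        raise ValueError("trailing characters in filter")
    return node


def _parse(s, i):
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":                            # n-ary AND / OR
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1                # consume the closing ')'
    if s[i] == "!":                             # NOT
        kid, i = _parse(s, i + 1)
        return ("!", [kid]), i + 1
    end = s.index(")", i)                       # simple item: attr=value
    attr, sep, value = s[i:end].partition("=")
    if not sep:
        raise ValueError("only '=' filter items are supported here")
    return ("=", attr.lower(), value), end + 1


def _matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(_matches(k, entry) for k in node[1])
    if kind == "|":
        return any(_matches(k, entry) for k in node[1])
    if kind == "!":
        return not _matches(node[1][0], entry)
    _, attr, value = node
    # '*' becomes '.*'; cn matching is case-insensitive like the directory's
    rx = re.compile("^" + ".*".join(re.escape(p) for p in value.split("*")) + "$", re.I)
    return any(rx.match(v) for v in entry.get(attr, []))


def _in_scope(dn, base, scope):
    norm = lambda d: ",".join(p.strip().lower() for p in d.split(","))
    dn, base = norm(dn), norm(base)
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.endswith("," + base) and "," not in dn[:-len(base) - 1]
    return dn == base or dn.endswith("," + base)     # "sub"


def expand_dynamic_group(url, entries=SAMPLE_ENTRIES):
    """Return the DNs the search URL selects, i.e. the list's membership right now."""
    parsed = parse_ldap_url(url)
    tree = parse_filter(parsed["filter"])
    return [e["dn"] for e in entries
            if _in_scope(e["dn"], parsed["dn"], parsed["scope"]) and _matches(tree, e)]


if __name__ == "__main__":
    for dn in expand_dynamic_group(PAGE_URL):
        print(dn)
```

Because membership is computed from the filter each time, a newly provisioned user whose cn contains "dave" joins the list with no administration, which is the convenience the text describes. It is also the reason to keep the criterion tight: the example restricts itself to objectclass=person under o=isp, so group entries such as the constructed cn=davelist are not swept in.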

Personal Address Books, Lists, and Bookmarks

The final step in the migration process tends to be the migration of each individual's own personal address books, lists, bookmarks, and so forth. This step is highly dependent upon the mail client people are using and to what client they are migrating. In most cases, there are at least a couple of ways to actually convert the content of one messaging client's address book and lists to the new one.

Migration Utility

Many of the newer email clients such as Eudora, Mozilla, and Netscape provide new clients the ability to read existing address books from other programs such as Outlook and Outlook Express. The email clients will often prompt you during the initial install to import any existing address books, and in some cases already know that they are there.

Export to Neutral Format From Old Client and Import Using New Client

In situations where an email client may not provide an import utility to directly read the address book of your old email client, many times you can simply export from the old client and import into the new client. It is important to look for a neutral format such as LDAP Data Interchange Format (LDIF), comma separated variable-length file (CSV), or tab-delimited file. Check in the old email client and the new email client to see what format is available to both.

It is also important to know that in some cases the fields being exported from the old email client address book do not align directly with what the address book in the new email client expects. Most import functions provide the ability to map fields upon import.

If your new email client does not do this, a good idea is to use a spreadsheet program such as the StarOffice™ software to import the CSV file, change the order of the fields, and save the file.

You can also write a script if you have a lot of users doing the migration.

Other Utilities to Convert Format Directly

Several companies and web sites have simple utilities for migration of address books from one format to another. A good web-based example is:

http://www.interguru.com/mailconv.htm.

Other companies that specialize in migration between proprietary mail systems (for example, Exchange) offer utilities as part of their services or migration utility software. For more information see "Exchange, Novell Groupwise, and Lotus Notes" on page 175.

Sendmail (UNIX Mail)

Sendmail is an MTA. It does not specifically provide methods for mail storage or retrieval (reading mail). However, it is often configured to use /var/mail type storage. Then additional programs such as the Washington University IMAP server (WashU IMAP) or Carnegie Mellon University's Cyrus POP server are added so users can retrieve their mail from /var/mail. This section deals with this specific type of generic configuration most often found when dealing with sendmail.

As stated previously, Sendmail is an MTA and as such much of the work is done at the MTA converting aliases, rules, and so forth. Converting users (see "User Information" on page 174) and /var/mail mailbox content (see "Mailbox Content" on page 175) is fairly straightforward.

Unfortunately there are no tools to migrate the MTA configuration from Sendmail to the Sun ONE Messaging Server's MTA; it is a manual process. Migration from the traditional Sendmail can be done by using the preceding generic method, but there are some advantages in doing a more direct (that is, not IMAP to IMAP) migration of content. Also, user information tends to be stored in /etc/password files, so it is easy to access.

Unfortunately, Sun ONE Messaging Server 5.2 does not come with as much assistance in migrating from Sendmail as previous versions did. Some of the appendixes in the Netscape Messaging Server 4.x documentation contain good information.

A good white paper specifically on this topic is "iPlanet Messaging Server Migration from UNIX® Sendmail" by John Twomey, dated July 2001. It is 31 pages, covers this subject in detail, and includes sample scripts. To obtain a copy of this white paper, contact your local Sun Sales Representative or System Engineer.

Some updating of the information in the white paper is required for use with Sun ONE Messaging version 5.2, though.

User Information

User information can be converted directly from /etc/password by using a simple Perl script called unix2ldif.pl. This script creates a properly formatted LDIF file which can then be imported directly into the Messaging Directory. See the template in "User Information" on page 175.

Mailbox Content

Using additional scripts found in the John Twomey white paper, mailbox content can be imported via the imsimport utility. These scripts ensure proper formatting of the command as well as iteration through the various mailboxes and folders. The white paper also includes details on Pine-formatted folders. To obtain a copy of this white paper, contact your local Sun Sales Representative or System Engineer.

Mailing Lists (aliases)

One could easily use the aliases file, as stated previously. However, the white paper provides a script to create mailing lists in the directory, which is a more appropriate and better way of doing things.

Personal Address Books

Only the previously described generic or general methods are available. The interguru.com web site link provides a good utility to migrate address lists from programs like Pine and elm used by interactive users in Sendmail environments.


Exchange, Novell Groupwise, and Lotus Notes

Given the proprietary nature of these messaging solutions both on the server side and on the messaging client side, migration away from them is somewhat difficult. Seek professional help. Several organizations have specialized migration software to assist in migrating away from Exchange, Groupwise, and Lotus Notes, including Sun Professional Services and a company called Wingra.

User Information

You must export the native format to something more malleable such as CSV or tab delimited files. Then, you can write a script to take this information and create a properly formatted LDIF file for import into the Directory Server.

A basic template to create a user in LDIF format is:

dn: uid=<uid>, ou=people, o=<hostname_fqdn>, o=isp
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: inetUser
objectClass: ipUser
objectClass: nsManagedPerson
objectClass: userPresenceProfile
objectClass: inetMailUser
objectClass: inetLocalMailRecipient
mail: <uid>@<hostname_fqdn>
mailUserStatus: active
dataSource: NDA 4.5 Delegated Administrator
mailHost: <hostname_fqdn>
givenName: History
cn: <first_name> <last_name>
uid: <uid>
sn: <last_name>
mailDeliveryOption: mailbox
inetUserStatus: active
userPassword: <password>
creatorsName: uid=serviceadmin,ou=people,o=<hostname_fqdn>,o=isp
modifiersName: uid=msg-admin-<hostname_fqdn>-20020710153937,ou=people,o=<hostname_fqdn>,o=isp
createTimestamp: 20030414044513Z
modifyTimestamp: 20030414051012Z
nsUniqueId: d5cba701-1dd111b2-80cac302-81db34e7
nswmExtendedUserPrefs: meDraftFolder=Drafts
nswmExtendedUserPrefs: meSentFolder=Sent
nswmExtendedUserPrefs: meTrashFolder=Trash
nswmExtendedUserPrefs: meInitialized=true
pabURI: ldap://<hostname_fqdn>:389/ou=<uid>, ou=people, o=<hostname_fqdn>,o=isp,o=pab

Mailbox Content

Mailbox content migration is mostly limited to the generic method through POP or IMAP. See "Basic Steps (Generic)" on page 168.
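The Sendmail "User Information" section and the template above both describe the same job: turning a flat user store into LDIF the directory will accept. As an added example of that script, in Python rather than the unix2ldif.pl script the book refers to, and not Sun's code, the following converts /etc/passwd-style records into entries with the object classes of the template. The passwd lines, the host name mail.example.com and the o=isp suffix are constructed or assumed; the operational attributes in the template (creatorsName, createTimestamp, nsUniqueId and the like) are deliberately left out because the directory server assigns them on import. Passwords are only emitted when the caller supplies a value, since, as the text notes, the old system's hashes are usually not recoverable.

```python
"""Turn /etc/passwd-style records into LDIF user entries.

Added example, not the unix2ldif.pl script named in the book and not a Sun
utility. Host name, organisation suffix and the passwd records are
constructed/assumed values for illustration."""
import base64

HOSTNAME_FQDN = "mail.example.com"   # assumption: the mail store's host name
ORG = "isp"                          # the o=isp suffix used in the template

# Constructed /etc/passwd lines: login:x:uid:gid:gecos:home:shell
SAMPLE_PASSWD = """\
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
dpickens:x:1001:10:Dave Pickens:/home/dpickens:/bin/ksh
jdoe:x:1002:10:Jane Doe,Room 12,555-1234:/home/jdoe:/bin/sh
nobody:x:60001:60001:NFS Anonymous Access User:/:/usr/bin/false
"""


def parse_passwd(text, min_uid=100):
    """Return (login, first_name, last_name) for interactive user accounts only."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue                                   # malformed record, skip it
        login, _, uidnum, _, gecos, _, shell = fields
        if int(uidnum) < min_uid or shell.endswith(("/false", "/nologin")):
            continue                                   # system or locked account
        full_name = gecos.split(",")[0].strip() or login   # GECOS: name precedes first comma
        first, _, last = full_name.rpartition(" ")         # first may be empty
        users.append((login, first, last))
    return users


def ldif_attr(attr, value):
    """Emit 'attr: value', or base64 ('attr:: ...') when LDIF requires it."""
    needs_b64 = (not value.isascii() or value != value.strip()
                 or value[:1] in (":", "<") or "\n" in value or "\r" in value)
    if needs_b64:
        return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))
    return "%s: %s" % (attr, value)


def user_to_ldif(login, first, last, user_password=None):
    """Render one user entry with the object classes from the template.

    Operational attributes (creatorsName, *Timestamp, nsUniqueId) are omitted
    because the directory server sets them itself on import."""
    lines = ["dn: uid=%s,ou=people,o=%s,o=%s" % (login, HOSTNAME_FQDN, ORG)]
    lines += ["objectClass: %s" % oc for oc in (
        "top", "person", "organizationalPerson", "inetOrgPerson", "inetUser",
        "ipUser", "nsManagedPerson", "userPresenceProfile", "inetMailUser",
        "inetLocalMailRecipient")]
    lines += [
        "mail: %s@%s" % (login, HOSTNAME_FQDN),
        "mailUserStatus: active",
        "mailHost: %s" % HOSTNAME_FQDN,
    ]
    if first:
        lines.append(ldif_attr("givenName", first))
    lines += [
        ldif_attr("cn", ("%s %s" % (first, last)).strip()),
        "uid: %s" % login,
        ldif_attr("sn", last),
        "mailDeliveryOption: mailbox",
        "inetUserStatus: active",
    ]
    if user_password is not None:
        lines.append(ldif_attr("userPassword", user_password))
    return "\n".join(lines) + "\n"


def passwd_to_ldif(text, passwords=None):
    """Build the LDIF file; passwords maps login -> userPassword value (optional)."""
    passwords = passwords or {}
    entries = [user_to_ldif(login, first, last, passwords.get(login))
               for login, first, last in parse_passwd(text)]
    return "\n".join(entries)                      # entries separated by a blank line


if __name__ == "__main__":
    # Constructed value for one user; a real migration would carry over the old
    # crypt hash with the directory's {crypt} scheme or reset the password.
    print(passwd_to_ldif(SAMPLE_PASSWD, {"jdoe": "{crypt}constructedhash"}))
```

Filtering on uid and shell keeps root, daemon and nobody out of the mail directory, which is the point a migration script most often misses: every entry imported this way becomes a mail-enabled account that can authenticate, so system accounts should never be provisioned by accident.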

Mailing Lists

See “Basic Steps (Generic)” on page 168.

Personal Address Books

See "Sendmail (UNIX Mail)" on page 174 and seek professional help.


CHAPTER 12

Performance Tuning

As with any system, performance is a key element to getting the most return on investment as well as maintaining happy users. This chapter contains practices and principles specifically related to performance tuning of a Sun ONE Messaging Server which can differ from or contradict conventional tuning wisdom. This chapter points out the areas on which a Sun ONE Messaging Server administrator should concentrate.

This chapter covers the following topics:

• Netscape Directory Server

• Solaris OE


• MMP

• MTA Tuning

• Notices

• Postmaster Mail

Netscape Directory Server

• If you are using Netscape Directory Server 4.1x software, set the following (as root) on each of the servers running the LDAP server:

/usr/sbin/ndd -set /dev/tcp tcp_naglim_def 1

The Solaris OE introduces a 100 ms delay in TCP/IP. This parameter tells the Solaris OE that any write that is smaller than N will be delayed. In Sun ONE Directory Server 5.0 software it is configurable, using the TCP_NODELAY flag, which is set by default.

Solaris OE

This section covers the following topics:

• Setting TCP/IP Parameters

• Setting tcp_local_option and tcp_intranet_option File Parameters

• Setting /etc/system Parameters

• Setting configutil Parameters

Setting TCP/IP Parameters

• Apply the following TCP/IP tuning settings to all mail servers.

These settings may also be appropriate for LDAP servers. The values of these settings are for high-speed networks with lots of traffic to and from the servers.

# ** Performance related **
/usr/sbin/ndd -set /dev/tcp tcp_recv_hiwat 65536
/usr/sbin/ndd -set /dev/tcp tcp_xmit_hiwat 65536
/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q 4096
/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q0 8192
/usr/sbin/ndd -set /dev/tcp tcp_smallest_anon_port 8192
/usr/sbin/ndd -set /dev/ip ip_ignore_redirect 1
/usr/sbin/ndd -set /dev/tcp tcp_keepalive_interval 30000
/usr/sbin/ndd -set /dev/tcp tcp_naglim_def 1
# ** Security related **
/usr/sbin/ndd -set /dev/tcp tcp_mss_min 108
/usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0
/usr/sbin/ndd -set /dev/ip ip_forward_directed_broadcasts 0
/usr/sbin/ndd -set /dev/ip ip_strict_dst_multihoming 1
/usr/sbin/ndd -set /dev/ip ip_forwarding 0
/usr/sbin/ndd -set /dev/ip ip_forward_src_routed 0
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp 0
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
#
# Solaris guide says not to set lower than 60 seconds
# should investigate further, but the following has worked
/usr/sbin/ndd -set /dev/tcp tcp_time_wait_interval 15000
#
# Set according to local specifics.
#/usr/sbin/ndd -set /dev/tcp tcp_mss_def 1460
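Values set with ndd do not survive a reboot (they have to be reapplied from a startup script), so an administrator wants a quick way to confirm that the security-related settings above are still in force. The following is an added example in Python, not a Sun or Solaris tool: it parses the settings block above as the desired state, compares it with a snapshot of live values, and lists the deviations with the security-related ones first. The live snapshot is constructed for the demonstration; on a real server each value would come from ndd -get for that driver and parameter.

```python
"""Audit live Solaris TCP/IP tunables against the settings list above.

Added example, not a Sun or Solaris utility. The live snapshot is constructed;
on a real host each value would be read with 'ndd -get <driver> <param>'."""
import re

# The settings block from the text, verbatim, used as the desired state.
NDD_SCRIPT = """\
# ** Performance related **
/usr/sbin/ndd -set /dev/tcp tcp_recv_hiwat 65536
/usr/sbin/ndd -set /dev/tcp tcp_xmit_hiwat 65536
/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q 4096
/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q0 8192
/usr/sbin/ndd -set /dev/tcp tcp_smallest_anon_port 8192
/usr/sbin/ndd -set /dev/ip ip_ignore_redirect 1
/usr/sbin/ndd -set /dev/tcp tcp_keepalive_interval 30000
/usr/sbin/ndd -set /dev/tcp tcp_naglim_def 1
# ** Security related **
/usr/sbin/ndd -set /dev/tcp tcp_mss_min 108
/usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0
/usr/sbin/ndd -set /dev/ip ip_forward_directed_broadcasts 0
/usr/sbin/ndd -set /dev/ip ip_strict_dst_multihoming 1
/usr/sbin/ndd -set /dev/ip ip_forwarding 0
/usr/sbin/ndd -set /dev/ip ip_forward_src_routed 0
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp 0
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
#
# Solaris guide says not to set lower than 60 seconds
# should investigate further, but the following has worked
/usr/sbin/ndd -set /dev/tcp tcp_time_wait_interval 15000
#
# Set according to local specifics.
#/usr/sbin/ndd -set /dev/tcp tcp_mss_def 1460
"""

SECTION_RE = re.compile(r"#\s*\*\*\s*(.+?)\s*\*\*")
SET_RE = re.compile(r"(?:/usr/sbin/)?ndd\s+-set\s+(/dev/\w+)\s+(\w+)\s+(-?\d+)$")


def parse_ndd_script(text):
    """Map (driver, parameter) -> {'value', 'section'}; commented-out lines are skipped."""
    desired, section = {}, "unlabelled"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:                                   # '# ** ... **' header names the section
            section = m.group(1)
            continue
        if not line or line.startswith("#"):
            continue
        m = SET_RE.match(line)
        if not m:
            raise ValueError("unrecognised ndd line: %r" % raw)
        driver, param, value = m.groups()
        desired[(driver, param)] = {"value": int(value), "section": section}
    return desired


def audit(desired, live):
    """List parameters whose live value is missing or differs, security items first."""
    drift = []
    for (driver, param), want in desired.items():
        actual = live.get((driver, param))      # None = not readable / not present
        if actual != want["value"]:
            drift.append({"driver": driver, "param": param, "section": want["section"],
                          "expected": want["value"], "actual": actual})
    drift.sort(key=lambda d: (d["section"] != "Security related", d["param"]))
    return drift


def remediation(drift):
    """The ndd commands that restore the desired values."""
    return ["/usr/sbin/ndd -set %s %s %d" % (d["driver"], d["param"], d["expected"])
            for d in drift]


DESIRED = parse_ndd_script(NDD_SCRIPT)

# Constructed live snapshot: everything as desired except two parameters that
# have drifted from the list (for example after a reboot without the rc script).
LIVE_SNAPSHOT = {key: spec["value"] for key, spec in DESIRED.items()}
LIVE_SNAPSHOT[("/dev/ip", "ip_forwarding")] = 1
LIVE_SNAPSHOT[("/dev/tcp", "tcp_time_wait_interval")] = 240000


def run_audit():
    return audit(DESIRED, LIVE_SNAPSHOT)


if __name__ == "__main__":
    for d in run_audit():
        print("%-20s %-32s expected %-7s live %s"
              % (d["section"], d["param"], d["expected"], d["actual"]))
    print("\n".join(remediation(run_audit())))
```

The commented-out tcp_mss_def line is parsed as a comment and never audited, so a site that does set it must add it to its own desired-state list; that is the intended behaviour, since the text says the value depends on local specifics.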

Setting tcp_local_option and tcp_intranet_option File Parameters

To prevent DOS attacks and protect overall system health, you should enable the following parameters in the msg-instance/imta/config/tcp_local_option and msg-instance/imta/config/tcp_intranet_option files. (They do not exist by default.)

The last two parameters should be set according to site policy. They are listed here so you know they exist. Check the reference guide for more options.

DISABLE_ADDRESS=1
DISABLE_CIRCUIT=1
DISABLE_EXPAND=1
DISABLE_GENERAL=1
DISABLE_STATUS=1
HIDE_VERIFY=1
ALLOW_RECIPIENTS_PER_TRANSACTION=
ALLOW_REJECTIONS_BEFORE_DEFERRAL=


Setting /etc/system Parameters

To set the /etc/system parameters:

1. Set tcp_conn_hash_size to:

set tcp_conn_hash_size=262144

2. Set the file descriptors to:

# set hard limit on file descriptors
set rlim_fd_max=4096
# set soft limit on file descriptors
set rlim_fd_cur=4096

3. Set maxusers to:

set maxusers=2048

Ideally you do not have to set ncsize. Setting maxusers to the maximum value (2048) should allow the system to automatically tune itself. You can use the command vmstat -s | grep cache to see the percentage of hits against the directory name lookup cache (DNLC). You want this to be as high as possible.

If, after setting maxusers, the cache hit rate against DNLC is not high enough, set ncsize using the following guidelines:

ncsize = (4 ∗ (max_nprocs + maxusers)) + 320

max_nprocs = 10 + (16 ∗ maxusers)

maxusers = physmem – 2

• If your system is using a VERITAS file system, you may have to adjust two important variables:

vxfs:vxfs_ninode: VxFS inode structures held in memory

vxfs:vx_bc_bughwm: the high water mark of the buffer cache's buffers

• If your system uses VERITAS Volume Manager (VxVM), you should look at vxio:vol_maxio. This variable controls the maximum size of I/O requests that are sent down the SCSI chain without breaking the request up. This tunable parameter should not exceed 20 percent of kernel memory or physical memory (whichever is smaller), which should match the size of your widest stripe.

4. Increase maximum physical I/O size. The following value should work for nearly all controllers:

set maxphys=8388608

Setting configutil Parameters

To set the configutil parameters:

1. Set the number of processes (service.[POP|IMAP|HTTP].numprocesses).

The default is 1. You want to set this high enough to support your user load but never higher than the total number of CPUs in the system.

2. Set the store database cache size (store.dbcachesize) equal to the sum of the *.db files in the msg-instance/store/mboxlist directory.

This is not a parameter that you set once and forget. You should adjust this parameter as your user base changes.

Note – This parameter has an upper limit of two gigabytes.

3. Set the store database temporary directory (store.dbtmpdir) equal to /tmp/msg-instance.

This parameter and store.dbcachesize are related. Make sure the /tmp/ partition has enough free space to hold the database cache, that is, the value of the store.dbcachesize set in step 2.

Note – Do not use just /tmp as the temporary directory. Be specific (for example /tmp/msg-INSTANCE/) as the file names placed in this location are the same as those used with the MTA parameters IMTA_SCRATCH and IMTA_TMP. Using a subdirectory underneath (for example, /tmp/msg-INSTANCE/) avoids this collision.

4. Set authentication cache size (service.authcachesize) equal to a number larger than the maximum concurrency of your user base.

Setting this number higher than what your hardware can support opens up a denial of service (DOS) attack.

5. Set authentication cache TTL (service.authcachettl) equal to the number of seconds you want entries kept in cache.

You must weigh the problem of user password changes being seen against the performance hit of the mail system queries against LDAP.

6. Set user and group bind DN (local.ugldapbinddn) equal to cn=Directory Manager.

This setting will improve the response time of queries.

Note – This logic has changed in Sun ONE Directory Server 5.0 software, so that binding as a normal user should have similar performance as binding as cn=Directory Manager in Netscape Directory Server 4.1x software.

7. Set LDAP hosts (local.ugldaphost) equal to at least two dedicated LDAP consumers.

If the first host is recognized as down, new connections will be created. The new connections will be made to the first good host in the list.

8. Set local.ldapconnecttimeout to a value in seconds. This will enable a different connect function in the LDAP library. Choose the timeout value carefully.

Should an LDAP connection fail, the default LDAP timeout is three minutes. This can create a large overhead in failovers.

The web mail spool directory is the directory where web mail places outgoing messages from clients. If you have lots of web mail users you may want to consider setting this variable to a fast file system.
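Steps 2 and 3 are easy to get wrong by hand, so here is an added example in Python (not a Sun utility) that computes store.dbcachesize from the *.db files in the mboxlist directory, applies the two-gigabyte ceiling noted above, derives the instance-specific store.dbtmpdir rather than bare /tmp, and checks that the file system holding it has room for the cache. The mboxlist directory and its file sizes are constructed inside a temporary directory so the script runs anywhere; the instance name store1 is an assumption, and the configutil -o option -v value command form is the product's own.

```python
"""Size store.dbcachesize from the mboxlist *.db files and check the
store.dbtmpdir file system can hold it.

Added example, not a Sun utility. The mboxlist directory below is constructed
in a temporary location with made-up file sizes."""
import glob
import os
import shutil
import tempfile

DBCACHE_LIMIT = 2 * 1024 ** 3          # the two-gigabyte ceiling noted in the text


def mboxlist_db_bytes(mboxlist_dir):
    """Sum of the sizes of the *.db files in msg-instance/store/mboxlist."""
    return sum(os.path.getsize(p) for p in glob.glob(os.path.join(mboxlist_dir, "*.db")))


def plan_dbcachesize(db_bytes):
    """Cache size equal to the database total, capped at the 2 GB limit."""
    return {"dbcachesize": min(db_bytes, DBCACHE_LIMIT), "capped": db_bytes > DBCACHE_LIMIT}


def dbtmpdir_for(instance):
    """Instance-specific temp directory, never bare /tmp, so the file names used
    there cannot collide with those of IMTA_SCRATCH and IMTA_TMP."""
    return "/tmp/msg-%s" % instance


def tmpdir_has_room(path, needed_bytes):
    """(ok, free_bytes): whether the file system holding `path` can hold the cache."""
    free = shutil.disk_usage(path).free
    return free >= needed_bytes, free


def configutil_commands(instance, dbcachesize):
    """The configutil invocations (-o option -v value) for steps 2 and 3."""
    return [
        "configutil -o store.dbcachesize -v %d" % dbcachesize,
        "configutil -o store.dbtmpdir -v %s" % dbtmpdir_for(instance),
    ]


def demo(instance="store1"):
    """Build a constructed mboxlist directory and run the sizing against it."""
    with tempfile.TemporaryDirectory() as root:
        mboxlist = os.path.join(root, "store", "mboxlist")
        os.makedirs(mboxlist)
        # Constructed sizes; the .txt file is there to show non-*.db files are ignored.
        for name, size in (("folder.db", 1_500_000), ("mailboxes.db", 300_000), ("notes.txt", 4096)):
            with open(os.path.join(mboxlist, name), "wb") as fh:
                fh.truncate(size)                 # sparse file of the requested size
        db_bytes = mboxlist_db_bytes(mboxlist)
        plan = plan_dbcachesize(db_bytes)
        ok, free = tmpdir_has_room(root, plan["dbcachesize"])   # root stands in for /tmp here
        return {"db_bytes": db_bytes, **plan, "tmp_ok": ok, "tmp_free": free,
                "commands": configutil_commands(instance, plan["dbcachesize"])}


if __name__ == "__main__":
    result = demo()
    print("mboxlist *.db total: %d bytes" % result["db_bytes"])
    print("store.dbcachesize:   %d%s" % (result["dbcachesize"], " (capped)" if result["capped"] else ""))
    print("tmpdir has room:     %s (%d bytes free)" % (result["tmp_ok"], result["tmp_free"]))
    print("\n".join(result["commands"]))
```

Run periodically, the same computation answers the "adjust as your user base changes" advice above: when the *.db total grows past the configured cache, or past what the temporary file system can hold, the difference shows up before the store starts paging.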

MMP

In addition to applying the TCP/IP parameters listed previously, in the AService.cfg file you should adjust the parameter default:NumThreads. That section of the configuration file is:

#
# number of worker threads allocated for the AService daemon.
# Optimally, it should be equal to the number of processors on the
# machine, unless an AService DLL does synchronous handling of
# connections (Imap and Pop Proxy do not).
#default:NumThreads 2

MTA Tuning

This section covers the following topics:

• Dispatcher

• Job_Controller

• Option.dat

• IMTA_TAILOR File

Dispatcher

You want to allow enough connections to support your load, while not allowing so many concurrent connections that your system is not able to respond quickly and prevent a DOS attack. The maximum concurrency number is equal to MAX_PROCS * MAX_CONNS; the defaults are 10 and 20, respectively. Once you know the maximum concurrency rate for your configuration, you can determine the number of processes required to support your total load.

Job_Controller

You must be concerned with two files, imta.cnf and job_controller.cnf. The job_controller.cnf file defines the pools and the maximum number of jobs that can be run at a given time in those pools. The imta.cnf file defines what pool a channel uses and the maximum number of processes the channel can run in that pool at a given time.

In large deployments, machines are dedicated to specific roles. On an MTA-IN machine you can configure more jobs to the tcp_intranet channel, and thus deliver mail faster to your mail stores.

Large sites may want to adjust MAX_MESSAGES. Set in the global section of the job_controller.cnf file, this variable is not present by default. The default value is 100,000.

ims_master channel

If the m ail store is han d ling lots of m ailboxes and m essages per second , you m aywan t to increase the nu mber of ims_master processes that the job_controller willstart to process the ims-ms qu eue. To increase the nu mber of processes you m ustmake tw o changes, one in the imta.cnf file and the other in th ejob_controller.cnf file. In th e imta.cnf file you must change the maxjobs keyword, in the job_controller.cnf file you m ust ad just the job_limit for theIMS_POOL.

Message Dequeue

Four parameters are related and interact together to tell the job_controller the number of processes that are responsible for delivery of messages.

job_limit—This is the maximum number of processes that can run in a given pool simultaneously. There is no method to view the number of processes in pool A versus pool B. To view all SMTP client processes use the following:

ps -aef | grep tcp_smtp_client

maxjobs—This is a channel keyword. You can apply this parameter to each channel to set the maximum number of processes (tcp_smtp_client) that job_controller will start to process messages in this channel.

MAX_CLIENT_THREADS—The default value is 10. This option is set in tcp_channel-name_option, though these files are not present by default. This option controls the number of threads per process.

threaddepth—The maximum number of messages per thread. To view the number of threads that a tcp_smtp_client process is currently using, you can use the command top. The default value is 128. This only applies to multithreaded channels. Channels like reprocess and conversion are single threaded. You should make adjustments to these parameters slowly and gradually until you find the right combination for your environment.

ims-ms Channel-Specific Information

The ims-ms channel is a multithreaded channel, but does not respect the threaddepth channel keyword. Instead this channel uses a hard-coded value of five (maximum of five messages handled per thread). The ims-ms channel does have a channel option to control how many threads will be used within the process: DELIVER_THREADS. This option would be placed in msg-instance/imta/config/ims-ms_option. The default value for this channel option is 15. Like other channels, the channel option file is not present by default.

If you need to decrease the amount of time it takes for delivery of messages from your MTA, you should adjust the preceding parameters.

Option.dat

MAX_INTERNAL_BLOCKS

This setting controls how much memory the SMTP server uses to store a message before it creates files in IMTA_SCRATCH. If you have enough memory in your server, you might consider setting this variable to a value that allows the SMTP server to store your average message size or more in memory.

Reverse Database

If the MTA does not need to rewrite backward-pointing addresses, then you can set USE_REVERSE_DATABASE=0 in the option.dat file. Use this parameter when trying to get every last millisecond of performance out of an MTA while working with a potential customer. Most ISPs will not require the MTAs to rewrite backward-pointing addresses.

IMTA_TAILOR File

You can set the IMTA_TCP_FLAG_RETENTION option in your imta_tailor file to 1 so that the old *.data-failed files get purged after a day. You can find these files in msginstance/imta/queue/channel-name/spool/.

Note – This directory will only exist if the MTA needed to write files to it. Many sites will never see this directory on their systems.

If you are using direct LDAP lookups instead of dirsync, you can set the IMTA_TMP variable to a value that maps to a memory-mapped file system, like /tmp/. Also, you can set the IMTA_SCRATCH variable to a value that maps to a memory-mapped file system, like /tmp/.

Notices

The default values for notices in the Messaging Server software are 1 2 4 7. In large deployments, you may want to reduce these defaults.

Postmaster Mail

The defaults for delivery status notifications (DSNs) for postmaster are copywarnpost and copysendpost. In large deployments or environments where the postmaster does not want to get DSNs about users' mail, these keywords should be changed. For a complete explanation of the values, see the Sun ONE Messaging Server documentation. The possible keywords are XYZwarnpost and XYZsendpost, where XYZ is either copy, warn, or err.


CHAPTER 13

Advanced MTA Configuration

One of the most powerful components of the Messaging Server is its MTA or message transfer agent. As described in the first part of this book, the message transfer agent is basically a router for email. If you are familiar with the PMDF product by Innosoft, the Messaging Server's MTA is basically the same product. Sun purchased Innosoft and its PMDF product in early 2000 and incorporated this technology into version 5.x of the Messaging Server, providing a highly scalable, reliable, and feature-rich MTA. This chapter does not go into details regarding the application programming interfaces (APIs) available to programmers to access the lowest and most detailed portions of the messaging system. However, Sun preserved the application programming interfaces from both PMDF and SIMS, so they are both available, should your installation require advanced customization that goes to that level.


The MTA is so feature rich that an entire week-long course could be taught or an entire BluePrint article written on configuration and integration alone.

Conversion Channel

The conversion channel feature of the MTA provides a method of processing a message and its attachments. By default, nothing is configured in the conversion channel (FIGURE 13-1) and nothing is configured to route through the conversion channel.

When you work with the conversion channel, it is important to have a good understanding of Multipurpose Internet Mail Extensions (MIME) messages and their structure. The setup and implementation of conversion routines require that you access the MIME-type information of message parts as they are presented to your conversion routines, so a general description of a MIME message is required to understand how to do this. Consider the following analogy.

A train is made up of one or more engines coupled to a series of railcars. The railcars on the train are of different shapes and sizes and hold different kinds of cargo. The whole assembly is thought of as a single train.

FIGURE 13-1 MTA Conversion Channel Diagram

You can describe a MIME message in a similar way. A MIME message consists of a header and one or more message parts. Each part can be of a different MIME type, and the parts are joined together to form a single message.

Each part of a MIME message has content-type information which identifies the nature of that message part, perhaps the name that was given to that message part when it was created, and perhaps information on how to dispose of that message part (inline or as an attachment).

The content-type header identifies the major type and subtype of the message part. The major type describes a family of related MIME types, such as IMAGE, APPLICATION, or AUDIO. The subtype describes the specific member of that family, such as JPEG, WORDPERFECT5.1 or WAV. Common content-types are IMAGE/JPEG, APPLICATION/WORDPERFECT5.1, and AUDIO/WAV.

A list of common MIME types is located at:

http://www.isi.edu/in-notes/iana/assignments/media-types/media-types, http://hostutopia.com/support/s058.html, or http://www.bc.edu/bc_org/tvp/email/helpers.shtml.

When the message enters the conversion channel, it is like a train that has all of its railcars and engines decoupled from each other. Each decoupled component is held in a temporary holding area and its MIME information is catalogued.

The function of the conversion channel is to reassemble a message from its components and, during that reassembly, apply site-supplied criteria to decide whether or not that component should be altered before it is recoupled.

The level of examination of each message part is determined by the setup of the IMTA_CONVERSION_FILE, where the system administrator can set criteria as to which message parts should be examined. Such criteria can include, but are not limited to, the content-type of the message part.

Note – All of the features and functions of the messaging server rely upon proper formatting and playing by the rules, so to speak. If, for example, you have configured the conversion channel to virus scan only executable documents such as application/zip or application/* files, nothing prevents the sender from relabeling or otherwise disguising an application/* attachment as a video/mpeg file, so that the filter never examines it. Likewise, applications, mail clients, or other messaging systems that do not correctly format MIME messages can cause issues.

The following paragraphs contain some easy examples of what you can accomplishwith the conversion channel.

Adding a Disclaimer

One thing that customers often want to do is append a disclaimer to every message sent from the messaging system. This could be for legal reasons (for example, this email message is not a legal document...) or advertisement (for example, email delivered by TED—the electronic delivery guy!).

As previously described, the conversion channel can be used to perform arbitrary processing on messages down to the attachment level. In this case, the processing appends a disclaimer to text messages passing through the conversion channel.

The TCP channels handle mail coming in from or going out to external mail servers. Thus, you must modify the MTA configuration files so that all the mail routed through the main TCP channels passes through the conversion channel. Then, you must configure the conversion channel to select only the first part of a multipart message and only append the disclaimer if the message part is text.

To accomplish this, you must edit two of the messaging configuration files:

- the mappings file, which is located at /INSTALL_DIR/msg-INSTANCE/imta/config/mappings, where INSTALL_DIR is the directory where you installed messaging and INSTANCE is the name of the specific messaging server, most likely the host name. The mapping table in the mappings file, which is also known as the IMTA_MAPPING_FILE, tells the MTA which messages should detour through the conversion channel.

- the CONVERSIONS file, which is located in the /INSTALL_DIR/msg-INSTANCE/imta/config/ directory and is called conversions.

In a new install, the mappings file will not exist. The conversions file, which is also known as the IMTA_CONVERSION_FILE, contains instructions as to what commands are executed when messages pass through the conversion channel.

For more information regarding channels, see:

http://docs.sun.com/source/816-6009-10/mtacncpt.htm#22760 and http://docs.sun.com/source/816-6009-10/channel.htm#43150.

The specific steps to make the conversion channel append a disclaimer are:

1. Create a scripts directory, for example, /install_dir/scripts.

Make sure that it is owned by the user that the Messaging Server runs as. For the exercise, "nobody" was used as the user for the server:

# mkdir -p /install_dir/scripts
# chown nobody:nobody /install_dir/scripts

2. Create a shell script that appends the disclaimer.

Create a script called append_disclaimer.sh and make sure that the script is executable (for example, chmod +x append_disclaimer.sh).


The append_disclaimer.sh might look like:

#!/bin/sh
#
# File: append_disclaimer.sh
#
# Usage:
#
# append_disclaimer.sh [-debug] "name-of-disclaimer-text-file"
#
# References:
#
# http://docs.sun.com/source/816-6009-10/channel2.htm#42323
# http://docs.sun.com/source/816-6009-10/channel2.htm#42402
#
# The MTA supplies INPUT_FILE, OUTPUT_FILE, MESSAGE_HEADERS and
# OUTPUT_OPTIONS in the environment when it runs a conversion command.

if [ "$1" = "-debug" ]
then
    shift
    set -x
fi

DISCLAIMER_FILE=$1
DISCLAIMER_FILE=/install_dir/scripts/${DISCLAIMER_FILE}

TAG="Standard Disclaimer Appended `date`"

# copy original message part to output destination.
cp "$INPUT_FILE" "$OUTPUT_FILE"

# See if the message was already tagged.
grep "Comments: Standard Disclaimer Appended" "$MESSAGE_HEADERS" >/dev/null

if [ $? -ne 0 ]
then
    # add a blank line
    echo "" >> "$OUTPUT_FILE"

    # append the disclaimer
    cat "$DISCLAIMER_FILE" >> "$OUTPUT_FILE"

    # Set a directive so the message will be tagged
    echo "OUTPUT_DIAGNOSTIC=\"${TAG}\"" > "$OUTPUT_OPTIONS"
fi

# end script.

3. Put a text file containing the disclaimer in the /install_dir/scripts directory.

For this exercise, call it footer.txt:

The opinions expressed above are those of the individual and not
necessarily Sun Microsystems, Inc.
This email is not a legal document.

4. Modify or create the mappings file to trigger a trip through the conversion channel.

Unlike the conversions file, the mappings file is there from the initial install. The IMTA_MAPPING_FILE is install_dir/imta/config/mappings on UNIX systems.

5. Create a backup of the original file prior to making any changes:

# cd /INSTALL_DIR/msg-INSTANCE/imta/config
# cp mappings mappings.bak

6. Add a section to this file that says to run both in and out messages through the conversion channel:

CONVERSION
!
! Make all messages going from any tcp channel going to any tcp
! channel take a detour through the conversion channel.
!
  IN-CHAN=tcp_*;OUT-CHAN=tcp_*;CONVERT Yes

Note – Mapping and other MTA configuration files are very picky regarding formatting, including line spacing and indentation. Consult the documentation for details.

7. Modify or create the conversions file to include entries that call the append_disclaimer.sh script.

This file does not exist upon initial installation. It only exists if the conversion channel has been configured already. The IMTA_CONVERSION_FILE is install_dir/imta/config/conversions on UNIX. In the following example you can see where you can further identify where the message came from or is to be routed to (for example, in-channel or out-channel), as well as the type (for example, text) and subtype (for example, every subtype), and the message part (for example, 1 or 1.1).

Why do you need two entries? Well, you must append the disclaimer to either a single-part message (for example, no attachments) or the first part (for example, main body) of a multipart message (message with attachments). If you had put only the first entry, the MTA would not append the disclaimer to anything that had attachments.

!
! Append disclaimer to single part messages if the body part is text.
!
in-channel=tcp_*; out-channel=tcp_*;
  in-type=text; in-subtype=*; part-number=1;
  parameter-symbol-0=APPARENT_NAME; parameter-copy-0=*;
  dparameter-symbol-0=APPARENT_FILENAME; dparameter-copy-0=*;
  message-header-file=2; original-header-file=1;
  override-header-file=1;
  command="/install_dir/scripts/append_disclaimer.sh footer.txt"
!
! Append disclaimer only to the first part of a multipart message
! if that part is a text message part. (part-number=1.1 is the
! first part of a multipart message).
!
in-channel=tcp_*; out-channel=tcp_*;
  in-type=text; in-subtype=*; part-number=1.1;
  parameter-symbol-0=APPARENT_NAME; parameter-copy-0=*;
  dparameter-symbol-0=APPARENT_FILENAME; dparameter-copy-0=*;
  message-header-file=2; original-header-file=1;
  override-header-file=1;
  command="/install_dir/scripts/append_disclaimer.sh footer.txt"
!


8. After you have made the changes to the MAPPINGS and CONVERSIONS files, you must rebuild the configuration files and restart the dispatcher.

# cd /INSTALL_DIR/msg-INSTANCE
# ./imsimta cnbuild
# ./imsimta restart dispatcher

Note – On large systems with lots of messages in queue, restarting the job_controller unnecessarily causes a load on the system. Avoid restarting the job_controller if possible.
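The Note earlier in this chapter warns that a conversion-channel filter keyed only on the declared content-type is defeated by an attachment that is simply relabeled. The following is an added example, not code from this BluePrint or from Sun: a conversion-channel command in the same style as append_disclaimer.sh that compares a part's declared type with its leading bytes and, on a mismatch, tags the message through OUTPUT_DIAGNOSTIC so the discrepancy can be audited or the part routed to scanning by its real type. It uses INPUT_FILE, OUTPUT_FILE and OUTPUT_OPTIONS as the script above does, and assumes (not stated on this page) that the MTA also exports the part's type as INPUT_TYPE and INPUT_SUBTYPE and its name parameter as APPARENT_FILENAME (via dparameter-symbol-0 in the conversions entry).

```python
"""Conversion-channel command: flag parts whose declared MIME type does not
match their leading bytes.  Added example, not Sun's code.  Assumes the MTA
supplies INPUT_FILE, OUTPUT_FILE, OUTPUT_OPTIONS (as in append_disclaimer.sh)
plus INPUT_TYPE/INPUT_SUBTYPE and APPARENT_FILENAME (assumed names)."""
import os
import shutil
import tempfile
from typing import Dict, Optional

# Leading-byte signatures for a few formats: the ones this chapter handles
# (zip, PostScript, PDF) plus executables that commonly arrive mislabelled.
MAGIC_SIGNATURES = (
    (b"MZ", "application/x-dosexec"),          # DOS/Windows executable
    (b"\x7fELF", "application/x-executable"),   # ELF executable
    (b"PK\x03\x04", "application/zip"),         # zip container
    (b"%PDF-", "application/pdf"),
    (b"%!PS", "application/postscript"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
)

# Declared types that legitimately carry one of the sniffed formats.
EQUIVALENT = {
    "application/x-zip-compressed": "application/zip",
    "application/java-archive": "application/zip",
    "application/x-msdownload": "application/x-dosexec",
}


def sniff(data: bytes) -> Optional[str]:
    """Return the media type implied by the leading bytes, or None if unknown."""
    for magic, media_type in MAGIC_SIGNATURES:
        if data.startswith(magic):
            return media_type
    return None


def check_part(declared: str, data: bytes) -> Optional[str]:
    """Compare the declared content-type with the sniffed one.

    Returns None when they agree or when the bytes prove nothing; otherwise a
    one-line diagnostic naming both types.  Parameters after ';' are ignored.
    """
    declared = declared.split(";", 1)[0].strip().lower()
    actual = sniff(data)
    if actual is None or EQUIVALENT.get(declared, declared) == actual:
        return None
    return "content-type mismatch: declared %s, magic says %s" % (declared, actual)


def tag_and_copy(env: Dict[str, str]) -> Optional[str]:
    """Run under the conversion channel: pass the part through unchanged and,
    on a mismatch, write an OUTPUT_DIAGNOSTIC directive (the same mechanism
    append_disclaimer.sh uses) so the message carries the finding."""
    declared = "%s/%s" % (env.get("INPUT_TYPE", ""), env.get("INPUT_SUBTYPE", ""))
    with open(env["INPUT_FILE"], "rb") as fh:
        head = fh.read(16)                      # every magic above fits in 16 bytes
    shutil.copyfile(env["INPUT_FILE"], env["OUTPUT_FILE"])
    verdict = check_part(declared, head)
    if verdict is not None:
        name = env.get("APPARENT_FILENAME", "unnamed part")
        with open(env["OUTPUT_OPTIONS"], "w") as fh:
            fh.write('OUTPUT_DIAGNOSTIC="%s: %s"\n' % (name, verdict))
    return verdict


# Constructed sample parts (not real mail) for a stand-alone run.
SAMPLES = {
    "honest pdf": ("application/pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    "exe as mpeg": ("video/mpeg", b"MZ\x90\x00\x03\x00\x00\x00\x04\x00"),
    "zip as x-zip": ("application/x-zip-compressed", b"PK\x03\x04\x14\x00"),
    "plain text": ("text/plain", b"Hello, this is an ordinary message.\n"),
}


def run_samples() -> Dict[str, Optional[str]]:
    """Classify every constructed sample; a None value means 'looks honest'."""
    return {name: check_part(t, d) for name, (t, d) in SAMPLES.items()}


def demo_tag_and_copy() -> tuple:
    """Exercise tag_and_copy() on the disguised executable using temp files
    that stand in for the MTA's environment; returns (verdict, options text)."""
    with tempfile.TemporaryDirectory() as tmp:
        env = {
            "INPUT_TYPE": "video", "INPUT_SUBTYPE": "mpeg",
            "APPARENT_FILENAME": "holiday.mpg",
            "INPUT_FILE": os.path.join(tmp, "in"),
            "OUTPUT_FILE": os.path.join(tmp, "out"),
            "OUTPUT_OPTIONS": os.path.join(tmp, "opts"),
        }
        with open(env["INPUT_FILE"], "wb") as fh:
            fh.write(SAMPLES["exe as mpeg"][1])
        verdict = tag_and_copy(env)
        with open(env["OUTPUT_OPTIONS"]) as fh:
            options = fh.read()
    return verdict, options


if __name__ == "__main__":
    if "INPUT_FILE" in os.environ:              # invoked by the MTA
        tag_and_copy(os.environ)
    else:                                       # manual run: show the samples
        for name, verdict in run_samples().items():
            print("%-13s %s" % (name, verdict or "ok"))
```

The script only records the finding; what the MTA does with a part that a conversion command declines to pass through is not described on this page, so blocking is left to the scanning step that consumes the tag.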

Converting PostScript to Acrobat

Add a PostScript (PS)-to-Acrobat conversion utility that takes all incoming messages (those actually delivered to the message store) with PS attachments and converts the PS attachments to PDF (Acrobat) format, replacing the original PS attachment.

There are a couple of things to note:

1. You have already configured the conversion channel to process incoming and outgoing messages and created a mappings file, but this file is not quite right for what you will do here.

2. Since you are calling a ready-made utility, you do not have to create a script.

To create the PS-to-Acrobat conversion utility:

1. Modify the mappings file first. Here is the section you modified from before:

CONVERSION
!
! Make all messages going from any tcp channel going to any tcp
! channel take a detour through the conversion channel.
!
  IN-CHAN=tcp_*;OUT-CHAN=tcp_*;CONVERT Yes


2. Add a section to route anything stored to the local mailstore:

!
! make all messages being stored to the mailstore go through the
! conversion channel.
!
  IN-CHAN=tcp_*;OUT-CHAN=ims-ms;CONVERT Yes

3. Add an entry in the conversions file, which is INSTALL_DIR/msg-INSTANCE/imta/config/conversions.

The entry might look something like:

!
! convert postscript to pdf
!
out-chan=ims-ms; in-type=application; in-subtype=postscript;
  out-type=application; out-subtype=pdf; out-mode=block;
  command="/opt/sfw/bin/ps2pdf 'INPUT_FILE' 'OUTPUT_FILE'"
!

This entry assumes that your system has the ps2pdf utility loaded from the Sun freeware CD. Be careful with the quoting here: INPUT_FILE is encased in single straight quotes ('), as is OUTPUT_FILE, while the entire command is enclosed in double straight quotes (").

4. Rebuild the configuration files and restart the dispatcher.

# cd /INSTALL_DIR/msg-INSTANCE
# ./imsimta cnbuild
# ./imsimta restart dispatcher


Note – Restarting the job_controller unnecessarily causes a load on the system. Avoid restarting the job_controller if possible.

Virus Scanning

The Sun ONE Messaging Server has a facility for allowing sites to hook in third-party software to perform arbitrary body-part processing. Examples could include software that performs document conversion from text to PostScript, content filtering, or other desired processing. This facility can also be used in conjunction with third-party virus scanning software to conduct email virus screening. The only typical requirement is that the virus scanning engine provide a command line interface so the Messaging Server can pass content and receive result codes back.

For additional details see:

http://docs.sun.com/source/816-6092-10/index.html.

Antispam

The Sun ONE Messaging Server provides the ability to integrate with third-party software to perform special processing of messages. This includes uses such as virus scanning as well as antispam scanning. The Messaging Server has been tested in a lab environment with both SpamAssassin, an open source software for antispam processing, and Brightmail, which is a commercial antispam scanning offering. It is anticipated that many of the antivirus vendors such as Symantec, Interscan, and so on, will begin offering antispam capabilities or add-ons in the near future. For additional details see:

http://docs.sun.com/source/816-6829-10/index.html.

Other Possibilities

There are almost limitless possibilities for what the MTA can be configured to accomplish. Some additional functions that customers and Sun Professional Services have added include integration with fax gateways, which require document conversion to TIFF format, as well as the addition of a custom channel (for example, FAX).

Other functions include outbound paging and support for Blackberry RIM devices.

As you would expect, using the conversion channel and performing advanced MTA configuration can open up a significant number of possibilities with the Messaging Server. The caveat here is that anything you add to the process requires additional CPU and memory resources, and potentially additional storage. As with any program or scripting, interpreted languages such as shell scripts or Perl will not be as efficient as low-level programming languages such as C, but they offer the ability to easily change and modify things without recompiling the source. Count on spending a good portion of time testing and debugging anything you do, as a small mistake such as the wrong quote mark or incorrect channel name (for example, ims_ms versus ims-ms) can create a non-functioning conversion channel routine.


CHAPTER 14

Highly Available Messaging Deployment

Not all organizations see messaging as a mission-critical service, or for some reason decide not to implement highly available messaging. This chapter reinforces why messaging is mission-critical and needs high availability. It addresses specific issues (pros and cons) with various high-availability architectures that customers have implemented as well as some of the caveats when planning and installing messaging in a high availability environment. These lessons have been learned the hard way at various customers' sites and are found nowhere else in the documentation or technical notes.

Every year we seem to rely more and more upon our email systems. Many of the reasons were outlined in the beginning of this book. Typically the only time it becomes clear that email is mission critical is when there is a major outage or problem. If you do not think email is mission critical, try either pulling the plug on the messaging system or not adding new accounts when requested. Today we are using email systems to store more than email. They are becoming the storage folder for fax and voice mail traffic too. Around the corner are additional usages for messaging systems that we have not yet begun to imagine. So not planning for high availability (HA) seems to be asking for trouble, if not today then certainly in the future.

High Availability Architecting Differences

One of the biggest misconceptions regarding failover software, also sometimes referred to as clustering or high availability, is that it guarantees availability. Failover software cannot eliminate all outages or problems, but it can provide additional availability when it comes to hardware failures.

There are two main aspects to architecting a high availability solution:

MTBF—Mean Time Between Failures—How much time elapses on average between each failure.

MTTR—Mean Time To Repair (or Recover)—How quickly the system comes back up and is available for users after a failure occurs.

Unfortunately, many people put too much emphasis on the MTBF figure at the expense of the MTTR figure. Take for example two scenarios where the MTBF is three months, meaning the system is likely to experience a failure four times each year. In the first scenario the MTTR is one hour, while in the second scenario the MTTR is eight hours. In scenario one, the total downtime for the year is four hours, while the second scenario results in 32 hours of downtime. Raising the MTBF to 12 months (one failure a year) in the second scenario still results in eight hours of downtime per year, which is more than in the first scenario. The key to availability is addressing both MTBF and MTTR, and sometimes, in reality, focusing more on MTTR than MTBF.

What does failover software guard against? The failover software addresses server hardware-related issues such as failed network adapters, CPUs, and so on. Some failover software goes further and protects against hung or non-responsive software processes (for example, the LDAP daemon) by querying the process every now and then. Should it be non-responsive, the failover software then restarts the daemon. If this fails a set number of times, a complete failover is then triggered. Both VERITAS and Sun Cluster software perform the process restart attempt.

What does failover software not protect against? Failover software does not protect against everything, and specifically does not address:

- Operator error (for example, rm -rf *)


- Software problems (for example, bugs)

- Storage failures (for example, drive failures or controller failures)

You can put a cluster in place and actually have more downtime due to operator error if you do not adequately provide for system administrator training on the clustering software. You can have downtime due to defective software. You can have a cluster that will not fail over because the storage system, which is a shared resource, fails catastrophically or because it was not protected (for example, not on a UPS like the server was—yes, this has happened to customers). Failures can still occur, even after addressing issues such as operator errors through training and formal procedures, software problems by an internal testing process, and storage failures by having protected the storage (for example, RAID 5e and UPS, and so on).

What then? It is really a matter of planning to fail, that is, how you will handle a failure, even with a clustered environment. As the old commercials for American Express Traveler's Checks said, "What will you do, what will you do?" By closely examining the restoration process for your messaging environment, you can develop specific steps that will result in the fastest restoration of service time. They may include everything from the basics of re-indexing the mail contents to a complete restore, including the Solaris OE.

Questions that must be asked in your environment are:

- What is the procedure for doing this?

- How can it be improved?

Each environment is slightly different, but there are some basic techniques such as JumpStart and Flash Archive usage for rapid restoration of the operating system and software, as well as periodic snapshots of the database and directory, to complete mail content backups. For more details, refer to Chapter 15, "Managing Messaging Services and Preventive Maintenance," on page 209.

High Availability Architectures

The iPlanet Messaging Server Installation Guide for UNIX outlines several HA architectures and discusses a few of the pros and cons of each. The installation guide can be found at:

http://docs.sun.com/source/816-6014-10/.

This manual lists the following HA architectures:

- Symmetric (hot standby)

- Symmetric (Active-Active)

- N + 1 (N servers + one standby)


However, there are other HA architectures to be considered once you understand all of the parts of the architecture and how (or whether) HA affects them. As discussed earlier in the book, sometimes there are advantages to keeping things simple.

The Parts

- Directory—can be protected by using failover or multiple master replication

- Mail Store—stateful and requires failover

- MEM—stateless, requires multiple physical servers, no failover agent available

- MMP—stateless, requires multiple physical servers, no failover agent available

- MTA—stateless, can be made available by either failover or multiple physical servers. MTA is considered stateless because, due to the nature of store-and-forward, there is nothing stateful in memory, it is all written to disk—so appropriate storage protection (for example, RAID 5e or RAID 0+1) is a good idea.

 Directory

With th e ad vent of Multiple Master replication technology in the Directory Server 5.1and higher, customers have the option of making their directory server highlyavailable. They can use th e tried-and -true m ethod of using Sun Cluster or VERITASCluster software. Or, they can u se Multiple Master replication that is now built intothe Sun ON E Directory Server.

Mailstore

The mailstore provides the basic storage of messages as well as the native HTTP, IMAP, and POP services. Due to the stateful storage of the header information in a database, it becomes necessary to use failover software such as Sun Cluster or VERITAS to obtain high availability.

MEM and MMP

The MEM and MMP function as proxy servers. So long as the configurations and files are the same on all systems, you can have multiple servers performing the same function. This does require a network-based load balancer such as Resonate, Cisco Load Director or F5, or Alteon to work.

MTA

Since messaging by nature is a store-and-forward architecture, it allows for some flexibility regarding availability. That is, should an MTA be unavailable, other parties will hold their messages for some period of time, periodically retrying. Typically most environments can easily configure multiple MTAs and appropriate DNS entries to provide for redundancy at the MTA level. The failover time, however, is not instantaneous, so many organizations also provide a virtual IP and network-level failover as you would for MEM or MMP. So while the MTA has some information, it can generally start up and continue where it left off without many issues—forwarding the mail it has in the queue, albeit somewhat delayed.

Other Architectures

When you consider what items within the messaging architecture require failover or can take advantage of failover, plus any additional services (such as the Calendar Server) that are often integrated into such an environment, the possible number of architectures increases.

Alternative No. 1

In any environment, having to provide a server for a hot standby architecture is a wasteful use of computing resources. The alternative configuration (FIGURE 14-1) that some customers have implemented has the Sun ONE Messaging Server environment (mailstore and MTA) running on one system and the main LDAP server running on the other node. This configuration provides for high availability of both messaging and directory, while allowing independent failover of each, plus utilizes both nodes.

Additional directory replicas, called consumers, can be configured to replicate from the main LDAP server.

FIGURE 14-1 High Availability Configuration Failover (figure: Server 1 running active messaging, Server 2 standby, shared storage, cluster interconnect)

Alternative No. 2

Customers often implement the Sun ONE Calendar Server in addition to the Sun ONE Messaging Server, since they can be purchased in a money-saving package called the Web Communication Bundle. This alternative configuration (FIGURE 14-2) provides for a highly available calendar system in addition to the messaging system. As in Alternative No. 1, the directory server is made highly available on the second server, but now the calendar server is added to the system. This configuration provides for high availability for messaging, calendar, and directory while allowing independent failover of each, plus it utilizes both nodes. As in Alternative No. 1, additional directory replicas can be configured off the main LDAP server.

FIGURE 14-2 Failover Using Both Nodes in a High Availability Configuration (figure: Server 1 running active messaging, Server 2 running active calendar, shared storage, cluster interconnect)

Differences in Planning for High Availability Messaging

Planning for use of failover software involves obtaining and managing additional IP addresses and hostnames.


Differences in Installing HA Messaging

The obvious difference is that you have to install, configure, and manage the failover software such as Sun Cluster or VERITAS. Beyond that, the largest differences in installing messaging on a clustered system involve dealing with the logical host.

Always use the fully qualified logical host name and IP address. Do not use the physical host. You must also use the logical storage devices. The differences include references to things such as the LDAP server when installing messaging. Do not refer to the physical host of the LDAP server, but rather to the logical host. There are also some edits to configuration files that must be performed, as you will see.

Best Practices and Caveats

Caveat—While everything works well with Sun Cluster for failover on an ACTIVE-ACTIVE cluster configuration, there is one slight issue. Specifically, the Simple Network Management Protocol (SNMP) monitoring daemon is not able to understand that you now have two message servers running on the same physical host, and it goes away so you no longer have a monitoring daemon.

Installation Procedure and Notes

For complete details, see Chapter 4, “High Availability” in the iPlanet Messaging Server Installation Guide for UNIX located at:

http://docs.sun.com/source/816-6014-10/ha.htm#11284.

This section came about from a situation where one of our customers was having significant difficulty getting the Sun ONE Messaging Server installed with Sun Cluster 3.0 software and the EMC storage units. The customer we were doing this lab work for spent about four weeks dealing with hardware installation issues that were related to their EMC storage system. So do not underestimate the time it takes to install and physically configure the hardware.

Note – When installing the Solaris OE you must select the Entire Distribution, and you really should select NONE for naming service and manually configure DNS. For example, edit the /etc/nsswitch.conf file and configure the /etc/resolv.conf file.


Conclusions

1. Verifying that the hardware configuration is correct and supported is very critical.

The fact that a fiber channel card or driver is not quite correct can lead to significant delays and errors. Messages like “SCSI resets” or “SCSI reservation” problems are indicative of storage issues. Check, recheck, and escalate when all else fails.

■ Check Sun for the latest supported configurations.
■ If using EMC, check with EMC local technical resources to verify that specific interface cards and drivers are supported. EMC does the certification work for Sun Cluster hardware, not Sun.

2. It is critical to do a complete install of the operating system, using the latest version of Solaris OE available.

In our case, this was Solaris 8 OE Update 10/01. We discovered this the hard way on the customer site, where they had used the JumpStart feature to load their “standard” data center load. This was a mistake for two separate reasons—their JumpStart image used an older version of Solaris 8, Update 01/01, which even with patches is not the same as starting with Solaris 8 OE Update 10/01; and their JumpStart image, while containing innocuous settings for things like DNS, host tables, and so forth, was not the full install of Solaris OE—they had removed packages to “tighten” security and save space. So we lost about a day and a half struggling with some issues, eventually reloading the operating systems on both cluster nodes from a Solaris 8 OE Update 10/01 CD.

3. Overall, the software installation process is not difficult.

In our lab, we completed the whole installation in roughly nine hours, including breaks for lunch, other meetings, and conference calls. But this was with two people, one with Sun Cluster 3.0 software knowledge and one with iPlanet Messaging Server knowledge, both of whom know the Solaris OE well.

Once EMC hardware issues were resolved at the customer site, after a total of five weeks of diagnostic and troubleshooting efforts, the installation of the Sun Cluster software and iPlanet Messaging 5.1 proceeded normally.

4. The Delegated Administrator can definitely be made part of the resource group for messaging, using the Sun Cluster Netscape Webserver agent.

In our lab, we installed the Webserver agent and made it dependent upon the messaging server being up and running (which also made it dependent upon LDAP and storage being there). It worked just fine.


5. The Sun Cluster 3.0 software is significantly different (in many ways better and easier) than Sun Cluster 2.2, so there are some things when architecting it that must be taken into consideration.

While at least two interconnect links are still required, storage is abstracted from the actual applications, meaning that the application can fail over to the other nodes, but storage may not actually migrate. Therefore, it is critical to ensure that you have sufficient bandwidth between the nodes to handle the situation where the messaging server might fail over but for some reason storage continues to work on the original node.

Get the regional Sun Cluster pre-sales engineer and post-sales support engineer involved in approving the configuration. Be extremely detailed about how things will be configured. Little mistakes can take weeks to correct, and waste weeks of time. Planning how things are architected before you begin saves considerable time and reduces the number of situations where you might have to start over or have additional logical hosts. This includes deciding whether you are running the LDAP within the messaging resource group, or whether it is an independent resource group by itself.

CHAPTER 15

Managing Messaging Services and Preventive Maintenance

As with any system, your Messaging Server requires routine maintenance. This chapter outlines the best practices and issues surrounding day-to-day and routine maintenance involved in managing a messaging server, specifically the Sun ONE Messaging Server. While the current documentation explains the basic commands, it does not address automation or scripting of these functions, nor does it adequately cover techniques that can improve backup and recovery time.

Periodic maintenance is a necessary part of the operation of a messaging system, and the Sun ONE Messaging Server is no exception. By keeping up with maintenance tasks, you can avoid issues that would otherwise occur. This benefit was alluded to in Chapter 14, “Highly Available Messaging Deployment,” on page 201.

Keep in mind also that the following are only suggestions. Each organization must develop its own checklists and schedules according to its specific requirements.


Additionally, new best practices and maintenance utilities will be developed from time to time, so do not expect your checklists to be completely static either—you must periodically revisit your checklists to take advantage of new developments.

Periodic Maintenance Checklists

It is a good idea to create and maintain checklists for your periodic maintenance. Documented procedures, policies, and checklists are always more consistent than trying to recall whether the system has been patched or backed up.

This section contains descriptions of daily, weekly, monthly, quarterly, and annual checks.

Daily Checks

The items that you should check daily are:

■ Review log files for abnormalities.

Yes, lots of data is logged and it is a pain to review the log files. It is very easy to skip this, but reviewing the log files is also one of the easiest ways to detect errors or abnormalities before they become problems. Often, errors or abnormalities can get buried in the log. The key is to look for specific keywords or filter out lines that are normal. Some people simply write a Perl script or shell script to filter log files for the exceptions. Some organizations have a log scanning utility that they use for other purposes (for example, operating system log file scanning). Some even go to the additional step of adding notification (for example, paging) for a more robust and active method of problem detection.

By reviewing the log files daily or automating it, you can catch abnormalities or security issues before they cause major problems.

Do not let automation make you complacent—look yourself sometimes. There is no substitute for the best pattern recognition system—you. No utility or script can be as adaptive as the human brain.

■ Check for core files.

A core file is an indication that a fatal error has happened on the server. A program or process could generate a core file, or if the problem is very serious, the operating system itself could generate a core file. One issue that many system administrators do not address is the space necessary to store a system core of a machine (server) that has four gigabytes or more memory—if the default is kept, often a system core will not be captured due to lack of disk space. It is generally a good idea to configure a separate volume with enough disk space for 2.5 to 3 times the amount of physical memory. There are other settings that usually must be made to enable large files greater than two gigabytes and tell the operating system where to put system cores. See your operating system administrator’s manual for specific details.

Core files for programs and processes generally are not as large as system cores and wind up where the program or process resides.

■ Review queues.

You want to examine all the queues in the system, both on the MTA and the mailstore, to ensure that all the mail is being delivered (passing through) rather than being stuck. This means all the queues—not just the ones you normally use, but every queue that is configured. A configuration change or a strangely formatted email may cause one or two messages to be diverted to a queue that is not normally used. A significant number of messages stacked up in the normal queues might also indicate that there is a problem. So by checking all the queues daily, you can get an indication of any problems before they cause major issues.

■ Back up the messaging database online.

One of the nice features of version 5.2 of the Sun ONE Messaging Server is that the administrator now has the ability to perform an online backup of the messaging database. This database stores the header information and folder index information for messages in a particular mailstore (each mailstore has one database). While you can re-create this entire database from message contents, doing so can take a significant amount of time.

To avoid having to re-create the database from scratch, performing a periodic backup (daily or several times per day) can reduce the recovery time immensely. The system can then simply perform an update to the database, which is many times faster than performing even a parallel re-create (re-index).

■ Back up the mailstore.

Depending upon your specific environment and policies, backing up the mailstore (messages) is a good thing. The utilities provided as part of the Sun ONE Messaging Server product can perform a complete backup or a backup based on groups of mailboxes. It can back up to tape or to disk, and it can be integrated with third-party backup utilities such as Legato or VERITAS.

Keep in mind that the backup utilities maintain single message copy integrity.

■ Back up the directory.

It is necessary to back up the directory (LDAP server) contents separately at the same time. Utilities are provided as part of the directory server to do this backup. Since the directory is generally much smaller than the backup of the mailstore, it is rather quick to perform a directory backup. Often the backup is made to disk and then copied onto tape since it does not take up a lot of space.

There is some debate as to the best method of backup. Two utilities are provided with the directory server, db2bak and db2ldif. The db2bak utility creates a backup in the backup format, and the db2ldif creates a backup in LDIF format. The reason for using db2bak for backups is that it is quicker to restore; the reason for using db2ldif is that it is a neutral, human-readable format so you can import it into most directory servers and directly manipulate it if necessary. Some organizations actually perform backups using both methods, just in case.

■ Review new OS or program security patches.

It is very important to keep up to date regarding security patches for both the operating system and programs (messaging, directory, and so on), even above other recommended patches. I put this in the daily category because you should subscribe to the CERT mailing list for security (http://www.cert.org/) to receive notices regarding security-related issues. Then read and understand how each applies to your messaging environment—many may not, but there is always the one that will. You can also find the latest Solaris OE security bulletin for Solaris OE-specific security issues at:

http://sunsolve.sun.com/pub-cgi/secBulletin.pl?mode=latest.
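The log-filtering script and the core-file check from the daily items above, as an added example written for this edit and not taken from the BluePrint or from the Sun ONE product: a small POSIX shell helper that greps a log for exception keywords, drops lines the site already knows to be routine, and lists core files written in the last day. The keyword lists, the /var/cores path, and the sample log it writes are all assumptions (the sample is constructed, not captured from a server); the line about a SCSI reservation is included because the Conclusions earlier in this chapter name that message as an indicator of storage trouble.

```shell
#!/bin/sh
# Added example, not from the Sun BluePrint: a daily-check helper that filters
# a log file for exception keywords (minus known-routine lines) and looks for
# recently written core files. Keyword lists and paths are assumptions.

# Keywords that usually deserve a look (assumed; tune per site).
ALERT_RE='error|fail|refused|denied|timeout|panic|corrupt|scsi re'
# Lines that match ALERT_RE but are known to be routine noise on this site
# (assumed example entry; keep this list short and reviewed).
NORMAL_RE='TLS handshake failed: client did not offer'

# scan_log FILE: print the exception lines of FILE.
scan_log() {
    grep -Ei "$ALERT_RE" "$1" | grep -Eiv "$NORMAL_RE"
}

# count_exceptions FILE: number of exception lines, usable as a paging threshold.
count_exceptions() {
    scan_log "$1" | wc -l | tr -d ' '
}

# find_cores DIR: core files under DIR written in the last 24 hours.
find_cores() {
    find "$1" -type f -name 'core*' -mtime -1 2>/dev/null
}

# make_sample_log FILE: write a constructed sample log (not real server output).
make_sample_log() {
    cat > "$1" <<'EOF'
Jul 14 02:10:01 mail1 imta[1234]: message id 00A1 queued to channel tcp_local
Jul 14 02:10:05 mail1 imapd[2001]: login failed for user alice from 10.0.0.5
Jul 14 02:11:00 mail1 unix: WARNING: SCSI reservation conflict on target 3
Jul 14 02:12:30 mail1 smtpd[3010]: connection refused by relay host
Jul 14 02:13:00 mail1 imapd[2002]: TLS handshake failed: client did not offer a cipher
Jul 14 02:14:00 mail1 stored[4000]: checkpoint complete
EOF
}

# Stand-alone run: scan the constructed log, then look for cores under the
# assumed core directory.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    make_sample_log "$tmp"
    echo "Exceptions found: $(count_exceptions "$tmp")"
    scan_log "$tmp"
    rm -f "$tmp"
    echo "Recent core files under /var/cores (assumed path):"
    find_cores /var/cores
fi
```

Run with `--demo` to see the three exception lines the sample produces; in a cron job, point scan_log at the real log and page when count_exceptions crosses a site-specific number. The NORMAL_RE list is where the judgement lives: every pattern added there silences something, so it deserves the same periodic review the checklist itself gets.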

Weekly Checks

The items that you should check weekly are:

■ Back up the operating system.

Ideally, the operating system does not change very much from day to day or even from week to week with a Sun ONE Messaging System installation. User information is not stored at the operating system level, nor is most configuration information, so generally a weekly full backup is sufficient.

■ Do a full backup of the mailstore.

Notice that this is listed twice. Many times, customers perform an incremental backup of the mailstore nightly and then only perform full backups weekly. And yes, some customers do not back up email at all. Imagine 1,000,000 mailboxes each with 10 megabytes of mail. That is 10,000,000 megabytes or 10 terabytes of data to back up. Also, some customers believe that backing up their email opens the door for search warrants and sets expectations with customers of individual email recovery.

■ Review new OS recommended clusters.

Sun releases recommended operating system patches in a bundle or cluster roughly once every two weeks. This includes any security patches, plus kernel and other system programs. It is a good idea to review the latest Recommended and Security Patch Report file for your particular version of Solaris. This report is located at:

http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-license&nav=pub-patches.

You can also be notified of patches and get additional updates emailed to you weekly. This service is called the Patch Club—subscribe at:

http://www.sun.com/newsletters/. 

You can also sign up for Sun Alert Weekly, which provides alerts regarding additional issues that may affect the availability of your system.

Monthly Checks

The items that you should check monthly are:

■ Review hotfixes and patches for messaging.

There are two different types of patches for the messaging and directory software. One is called a hotfix and the other is called a patch. Hotfixes are designed to address one specific issue or problem that a particular customer or small group of customers is experiencing. Hotfixes are not tested against one another—so hotfix 12 is not tested with hotfix 11, for example. This is not always the case, but in general is what happens.

Hotfixes may also address any specific security or corruption issues, so it is important to understand why the latest hotfix has been developed and what it fixes. Note that the description will indicate also whether this might be a cumulative hotfix.

Patches are cumulative of most of the hotfixes since the last patch or release of the messaging and directory software. They have gone through the entire QA cycle and are designed for general application and usage by all customers.

Both hotfixes and patches are applied in the same way, and both change the messaging or directory binaries. A readme file that details the necessary installation steps is available. Details regarding post-installation steps and backout are in this readme file. The installation script creates a backup of any binary replaced.

Caution – Hotfixes and patches can undo customizations and changes that have been made. This is especially prevalent when customers have made customizations or changes to the webmail GUI. Reconciling these customizations (redoing) with the updated files can take effort and time—it is not something to be rushed. It is a good idea to apply hotfixes and patches to a test system, determine any reconciliation required, redo the customizations on the test system and thoroughly test them, and then move the reconciled files onto the production mail server.

■ Export the directory.

Directory export (for example, using the db2ldif utility) is listed as a monthly checklist item because it is a good idea overall and should be done periodically if you are not using this method for backups.

■ Review sum of database file sizes.

You should periodically review the sum of the database file sizes so you can properly tune the store.dbcachesize parameter. See Chapter 12, “Performance Tuning,” on page 179 for more details.

Quarterly Checks

The items that you should check quarterly are:

■ Practice recovery of the messaging system from scratch.

Practicing the recovery of the messaging system from scratch is often overlooked. Yet as stated before, it is often the time that it takes to recover that really impacts downtime, not the actual hardware failover. Often the first time an organization actually does this is during a real outage—not the best time to be trying new procedures or not knowing exactly what you should be doing.

One argument made against this practice is always the lack of time. Well, would you rather spend eight hours practicing and when something happens be able to recover in two hours, or would you rather skip the practicing and spend 16 hours recovering the messaging system?

Another argument made is: We have one terabyte of email and do not have a test system with enough storage. OK, well what about using a subset of the mailboxes? Create a specific test backup tape with every tenth mailbox so you only need 100 gigabytes of storage.

Yet another argument is not having enough servers. Fine. Put everything all on the same system, directory, MTA and mailstore; at least it is better than nothing. You will lose something in the translation but the majority of the steps and procedures will still have to be done.

On your practice system, intentionally corrupt or drop the database on the mailstore. Now try specifically to re-index or recover from a backup of the data to practice this part of the recovery. The database on the mailstore will be corrupted more frequently than the entire system, so practice recovery and rebuild of just the database and figure out where to reduce time (for example, using backups of the database and/or parallel rebuilds).

By doing a recovery of the messaging system from scratch quarterly, you will understand the overall process and be comfortable executing the necessary steps.


Annual Checks

The items that you should check annually are:

■ Review procedures and checklists.
■ Evaluate the latest version of the messaging software for possible upgrade.

CHAPTER 16

Monitoring a Sun ONE Messaging Server

Monitoring your systems and the Sun ONE Messaging Server software that comprises your email infrastructure is an important part of the overall management effort. Tools can range from simple monitoring of the basic hardware and network infrastructure to more complex monitoring such as response time and error logging. They can be homegrown, open source, or commercial products. You can implement one or many.

The important part of the management effort is to understand that such tools exist, map out your specific needs with regard to what you want to monitor and what data you want to keep or graph over X period of time, then examine the tools available to see what meets your needs (or most of your needs).


SNMP

Since version 5.1 of the Sun ONE Messaging Server product, support for the SNMP protocol has been available. Using an SNMP client (sometimes called a network manager) such as Sun Net Manager or HP OpenView (not provided as part of the messaging server product), you can monitor certain parts of the Sun ONE Messaging Server.

The Messaging Server implements two standardized management information bases (MIBs), the Network Services Monitoring MIB (RFC 2788) and the Mail Monitoring MIB (RFC 2789). The Network Services Monitoring MIB provides for the monitoring of network services such as POP, IMAP, HTTP, and SMTP servers. The Mail Monitoring MIB provides for the monitoring of MTAs. The Mail Monitoring MIB allows monitoring of the active and historical state of each MTA channel. The active information focuses on currently queued messages and open network connections (for example, counts of queued messages or source IP addresses of open network connections), while the historical information provides cumulative totals (for example, total messages processed, total inbound connections).
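An added example, not from the BluePrint or the product documentation, of how the Mail Monitoring MIB's per-channel "active" gauges can feed a check once SNMP is enabled: a POSIX shell and awk filter that reads snmpwalk-style text for the RFC 2789 mtaGroupName and mtaGroupStoredMessages columns and reports channels holding more queued messages than a limit. The walk output it embeds is constructed by hand (the channel names and counts are made up), the limit is an assumption, and in practice the function would be fed by whatever SNMP tool the site uses to walk the Messaging Server's agent.

```shell
#!/bin/sh
# Added example, not part of the Sun BluePrint: flag MTA channels whose
# RFC 2789 mtaGroupStoredMessages gauge is above a limit, reading snmpwalk-
# style text on stdin. The limit and the sample data are assumptions.

# over_threshold LIMIT < walk-output
# Prints "index channel-name stored-count" for each MTA group over LIMIT.
over_threshold() {
    awk -v limit="$1" '
        # The row index is the instance suffix of the OID, e.g. "1.2" in
        # "MTA-MIB::mtaGroupStoredMessages.1.2 = Gauge32: 1432".
        { n = split($1, oid, "."); idx = oid[n-1] "." oid[n] }
        /mtaGroupName\./ {
            sub(/^.*STRING: /, ""); name[idx] = $0
        }
        /mtaGroupStoredMessages\./ { stored[idx] = $NF + 0 }
        END {
            for (i in stored)
                if (stored[i] > limit)
                    printf "%s %s %d\n", i, ((i in name) ? name[i] : "?"), stored[i]
        }'
}

# sample_walk: constructed snmpwalk-style output (not captured from a server).
sample_walk() {
    cat <<'EOF'
MTA-MIB::mtaGroupName.1.1 = STRING: tcp_local
MTA-MIB::mtaGroupName.1.2 = STRING: tcp_intranet
MTA-MIB::mtaGroupName.1.3 = STRING: ims-ms
MTA-MIB::mtaGroupStoredMessages.1.1 = Gauge32: 12
MTA-MIB::mtaGroupStoredMessages.1.2 = Gauge32: 1432
MTA-MIB::mtaGroupStoredMessages.1.3 = Gauge32: 7
EOF
}

# count_over LIMIT: number of sample channels over LIMIT (used by the self-check).
count_over() {
    sample_walk | over_threshold "$1" | wc -l | tr -d ' '
}

# Stand-alone run: report channels over 500 queued messages in the sample.
if [ "${1:-}" = "--demo" ]; then
    sample_walk | over_threshold 500
fi
```

With the sample data and a limit of 500 the only line printed is for tcp_intranet. A rising stored-message gauge on one channel is the SNMP counterpart of the "review queues" daily item: it points at a channel whose downstream is slow or refusing mail before the normal queues back up.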

SNMP is not enabled by default and must be configured. See “Appendix A” of the Sun ONE Messaging Server Administrator’s Guide at:

http://docs.sun.com/source/816-6009-10/snmp.htm#23526.

SNMP monitoring is fine for organizations that already have this in place, but it can be awfully burdensome to implement SNMP just for monitoring a single application—though it does perform a most valuable service.

Some of the following applications are listed as alternatives or additions to the SNMP method of system and application monitoring.

Alternative Tools

This section describes the following alternative tools:

■ What’s Up Gold
■ Sun Management Center
■ Orca
■ Big Brother
■ BMC Patrol


What’s Up Gold

What’s Up Gold is a very basic commercial monitoring tool with some nice features. Its main advantage is that it is easy to install, configure, and get working very quickly. It monitors whether a server (via TCP or UDP) is available via the network—in other words, “what’s up?” Another thing in its favor is that it requires no agents or anything loaded onto the servers themselves. A downside is that it has no specific hardware or software knowledge, so it does not monitor specific applications or hardware—there is no performance or throughput data. The biggest downside is that it requires a Windows system (98/ME/NT/2000/XP).

With Sun™ Management Center 3.0 Basic being offered at no charge for Sun systems, the need for something as basic as What’s Up Gold has been greatly diminished.

There might also be some usable open-source offerings in lieu of What’s Up Gold, which is located at:

http://www.ipswitch.com/Products/WhatsUp/index.html.

Sun Management Center

Sun Management Center software is an open, extensible system monitoring and management solution that uses the Java software protocol and SNMP to provide an integrated and comprehensive enterprise-wide management of Sun products and their subsystems, components, and peripheral devices. Sun Management Center technology provides a solution to extend and enhance the management capability of Sun’s hardware and software solutions.

Sun Management Center Basic Edition is available at no charge, and provides basic monitoring features for a single server. The Sun Management Center Enterprise Edition provides the ability to monitor a large number of servers and systems in a client-server configuration, with an agent running on each server and system to be monitored. The data gathered by these agents is then collected by a central server and viewed by the Sun Management Center main management console. Additional components can be added on to the Sun Management Center Enterprise Edition for various enhanced capabilities and applications.

Sun Management Center works with accompanying software packages: Service Availability Manager, a set of modules that test and measure the availability of network services, as well as a System Reliability Manager—a component that enhances reliability, helping to increase service levels and decrease administrative costs, and a Performance Reporting Manager—software that adds analysis, reporting, and graphing capabilities.


The newest add ition to the Sun Management Center componen t list is ChangeManager. Based on the concept of managing and provisioning entire software

configura tions as a single, integrated s oftw are stack, the Sun Mana gement C enterChan ge Manager softwar e delivers a fast and easy way to install, configure,up grade, provision, and aud it the integrated software ap plication p ayloads run ningon your systems.

An important point to note is that there are application specific modules that pluginto the Sun Manag ement C enter. These mod ules are developed by H alcyon Inc. andare compatible with the Sun ONE Management Center 3.0 product. The modules of interest are:

I PrimeAlert for Sun ONE Directory Server

I PrimeAlert for Sun ONE Messaging Server

I PrimeAlert for Sun ONE Web Server

If you are using the VERITAS Cluster Server for failover, you might be interested in:

I PrimeAlert for Veritas Cluster Server

For details see:

http://wwws.sun.com/software/solaris/sunmanagementcenter/index.html and

http://www.halcyoninc.com/downloads/home.html.

Orca

Orca is a general web-based graphing package. However, combined with the SE Toolkit (which collects system data) it is a nice foundation for keeping track of overall system performance data over a period of time. Performance and throughput data from the Sun ONE Messaging Server can be easily incorporated and graphed using Orca.

While Orca (Orcallator) might not be flashy, it does provide a good start for simple monitoring of the system and application data.

For details see:

http://www.orcaware.com/orca/ and

http://www.setoolkit.com/.

Big Brother


Big Brother monitors systems and services for availability. It is a web-based tool with the status of your various systems and services displayed on a color-coded web page in near-real time. When problems are detected, administrators can be notified by email, pager, or text messaging. Big Brother has a pretty good following for many reasons, including its licensing policy and availability of source. The original Big Brother is free for non-commercial use, as defined by its license. Big Brother is provided in source code format for UNIX and Linux, and precompiled for Windows NT and Windows 2000.

Big Brother extensions for Sun ONE Messaging and Sun ONE Calendar are available from Sun "as is" upon request. Other extensions can be found at the Big Brother archive site. For details see:

http://bb4.com/ and

http://www.deadcat.net/.

BMC Patrol

BMC Patrol is a commercial software application monitoring product. While it can be configured to monitor some of the basic system functions, to get the most out of a BMC Patrol implementation you must have two knowledge modules. Knowledge Modules are additional extensions and pre-configured thresholds for warnings and alerts for the BMC Patrol software. The two specific modules of value in a Sun ONE messaging environment are:

I Solaris Knowledge Module

I Sun ONE Messaging Server Knowledge Module

The Sun ONE Messaging Server Knowledge Module specifically provides proactive monitoring of key messaging server components including the LDAP Server, the Messaging Server (SMTP Server, IMAP/POP Server, WebMail Server, Administration Server), and the underlying message store.

Additional modules for some specific hardware (for example, Sun Fire™ 15K) and configurations (for Sun Cluster software) are also available.

Information about these Sun-specific modules is located at:

http://www.sun.com/service/sunps/systemsandnetworkmanagement/bmcpatrol/ and

http://www.bmc.com/.

or contact your local Sun Sales Representative.


APPENDIX A

Case Studies

It is always useful for customers to see real-world examples of Sun ONE Messaging Server implementations and architectures. Sometimes this is critical due to implementation time constraints, or it may be simply a matter of gathering reference points. The case studies in this appendix serve this purpose.

The following sections contain a series of case studies to illustrate several points made throughout this book as well as highlight some specific lessons learned. Architecture diagrams and timelines are provided for reference. These cases occurred over the past few years and are actually a composite of the case studies of several different customers.

This appendix contains the following case studies:

I Acme University

I Baker Tech

I Community City College

Additional case studies will be gathered in the future.


Acme University

Acme University wanted to replace their existing sendmail system running on a small Sun system. It had been in place for approximately five years. They wanted a more secure system with room for growth while maintaining the same level of administration effort. The sendmail system leveraged files (for example, /etc/passwd) for user information. There was no system redundancy other than basic protection (for example, RAID 0+1) for disks. The customer would like to have most users (students) use web mail while reserving IMAP for faculty and staff. Ultimately they would like to eliminate POP if possible. They are satisfied with their current backup method of direct-attached tape backup.

Acme University has:

I 5,500 students

I 1,000 faculty, staff, and other employees

A single Sun Enterprise 450 server with four CPUs, four gigabytes of memory, and 12 internal disk drives configured for RAID 0+1 was purchased, along with a small Netra™ server (single CPU, dual network interfaces) for an SMTP firewall product (Interscan) for which the customer had previously purchased a licence. Professional services from a local reseller assisted the customer in the setup of the hardware and the initial installation of the Messaging Server. A single DLT 7000 was directly attached to the Sun Enterprise 450 server for backup. No special software was to be used for backups. User information and mail was migrated en masse during the summer break and semester. Figure A-1 shows the Acme University architecture configuration.

FIGURE A-1 Acme University Architecture Diagram (Internet, firewall, Sun Enterprise 450 server with 4 CPUs and 4-gigabyte memory on internal disks, external tape unit)

Timeline

The purchase and implementation of the new messaging system took approximately four months from initial contact with Sun to the first production login. The initial architecture and purchase was done in four weeks and the equipment was on site approximately two weeks after that. Installation work began in week six. The basic messaging system installation was done in about two weeks. The remaining two months was used to migrate existing users and mail and to develop scripts to automate the provisioning of the user information.

Lessons Learned

The following lessons were learned in this case study:

I Do not short storage.

One of the original assumptions made by the customer was that 30 gigabytes of space was sufficient for their environment. Unfortunately they did not take into consideration issues such as spindle count and file system requirements. Unlike many servers, messaging servers tend to need quick transactional storage as well as bulk storage. In this case, the specific issue was that no separate volume or spindle set was allocated to their message queues. This introduced some performance issues. Once a dedicated volume was configured for their MTA queues, the performance issue abated. Luckily the performance issue was noticed early on and did not turn into a major issue.

I Keep it simple is a good idea.

In one of the initial discussions, the customer expressed an interest in keeping things to a minimalist architecture because administrative staff was scarce and they did not want to add an administrative burden. By keeping the configuration simple, with normal hardware availability efforts such as dual power supplies, RAID 0+1 protected storage, and a solid backup device, the customer received several benefits:

I Much faster installation and configuration

I Easier administration and management


I Only one server to deal with when issues arose, like the performance issue

I Lowest possible cost

I Availability without extraordinary measures or complications

I Training is important.

Initially the customer was reluctant to send their only administrator through training, even though they had paid for the class. Some of this apprehension was due to their limited staff and already busy workload, plus the additional costs of travel. Initially some of the up-front training was done by using web-based courses. However, it became very clear when examining the Sun Service Support call log about three months after installation that it was time to take the class, because some of the questions and issues could have been easily avoided. While there is no substitute for hands-on experience, getting the basics of installation, configuration, and operation is critical.

I Installation assistance makes things smoother.

The local Sun reseller provided experienced help to assist the customer in the installation and deployment of the new Sun ONE Messaging Server. This was critical in transferring knowledge and getting the system up and running initially.

Baker Tech

This large university had numerous mail servers across the campus and wanted to consolidate their infrastructure. They had some experience with directory technology (LDAP), but no single campus-wide directory yet. A single authentication system was being developed around Kerberos. They had no web mail, or it varied between the mail systems on campus as to whether it was offered or not. They would like a central mail system with web mail that had failover and used directory technology for user information, but could use their Kerberos servers for authentication. Good Sun and Solaris expertise existed in the IT department as well as throughout the campus, but they had little or no experience with clustering technology. It was necessary to support the customer's existing EMC Symmetrix storage system. The customer would use existing SNMP tools to monitor the messaging system.

Baker Tech has:

I 40,000 students

I 10,000 faculty, staff, and other employees

A pair of Sun Enterprise 4500 servers with eight CPUs and eight gigabytes of memory was configured as the main mailstores, and a pair of Sun Enterprise 280R servers was used for MTA and virus scanning. The architecture was designed to leverage about 1.2 terabytes of the customer's existing EMC storage subsystem and utilize Sun's Sun Cluster 3.0 software for high availability (clustering or failover).

Unfortunately the customer still did not have a centralized enterprise directory, but there were pockets of directory on campus. Additional Netra servers were added to one of their existing directory installations (islands) to support the messaging server's LDAP workload. An open source plug-in to the Sun ONE Directory was used to provide Kerberos authentication out the back end of the directory. Figure A-2 shows the Baker Tech architecture configuration.

User information was already partially available, so the messaging server objects needed to be added to the directory and applied to the users.

They decided to add all new accounts to this system beginning with the next semester after going live, while allowing all other users the option to migrate. This policy would be revisited each year. Backups were integrated with their existing data center backup infrastructure using Legato backup software and a tape library. They elected to do the majority of the implementation themselves due to their experience level with Sun and Solaris, even though they had no experience with the messaging product. This implementation method was not recommended by Sun.

FIGURE A-2 Baker Tech Architecture Diagram (Internet, firewall, two MTA servers, two mailstores with LAN failover and multiple connections to shared EMC storage, backup server and tape library on a private network, additional LDAP servers, messaging directory with PTA LDAP plugin, directory LDAP, Kerberos v4/v5 domain controller issuing tickets)

Timeline

The overall project took eight months from start to finish, while the initial plan called for an aggressive three-month window. Several factors that contributed to the project delays are outlined in the "Lessons Learned" section. The initial purchase, from the initial contact to placement of the order, took approximately eight weeks even though the customer's internal project plan was designed around a two-week purchase cycle. The main delay was due to issues within the purchasing department and the requirements of their procedures and processes. Equipment was delivered to the customer in three weeks once the purchasing issues were resolved.

The initial equipment installation and Solaris setup took approximately a week since the customer had significant Solaris and Sun experience. Then the installation of the Sun Cluster 3.0 software was started. However, something that should have taken approximately two weeks took almost six weeks due to EMC Symmetrix storage unit integration issues. Incorrect adapter cards for the Sun system and incorrect drivers were recommended by EMC and purchased by the customer. After completely swapping out all 10 interface cards and installing the absolute latest driver from EMC for the cards, the EMC storage was able to be attached and failed over without issues. That means that just to get the basic hardware, operating system, and cluster software working took 18 weeks.

Once these initial obstacles and delays were overcome, the actual implementation of the messaging software took approximately two weeks. Load testing, backup restoration testing, and additional testing of the failover process took another three months. This process was started in May and targeted January of the following year, but this schedule was not met and production was delayed until Spring Break of the following year.

Lessons Learned


The following lessons were learned in this case study:

I SNMP has a failure issue.

During the failover testing with the messaging product, once the failover was working, an issue existed during a failover condition where both messaging instances were operating on the same host and SNMP visibility went away. This was not a major issue for the customer, as this is a failover condition. Failure of the SNMP monitoring would further reinforce the fact that the systems required attention. This may or may not be the case for all customers.

I Instrumenting and monitoring is key.

During the initial testing of failover and load testing, no monitoring was enabled and many statistics were not being collected. Decisions regarding tuning specific parameters later on were difficult due to lack of data. This meant that some load tests had to be rerun once monitoring was enabled.

I Allow additional time for third-party storage.

Due to the difficulty and issues encountered, additional time should be added to the project schedule when third-party hardware or software is involved. This can vary widely based upon the product and relationships involved.

I For complex installations Sun Professional Services can make a difference.

During the installation issues, using Sun Professional Services was brought up again and recommended to the customer. Some of the issues the customer experienced had already been encountered and addressed by Sun Professional Services. Many of the issues that caused significant delays would have been addressed quickly and would not have caused project time slippage.

Community City College

The customer was a large community college system with 18 campuses distributed throughout the state. Each campus had at least one mail system and various levels of directory infrastructure, if any at all. The Chancellor's office decided that recent funding cutbacks required consolidation of IT services, including directory and messaging. There were pockets of UNIX administration experience, with even less directory expertise and no clustering or failover experience. The use of the existing third-party enterprise storage and backup system (library and software) was required.

The initial thoughts were that 90 percent of the users would be using IMAP while the other 10 percent would use web mail.

Community City College has:

I 120,000 students

I 20,000 faculty, staff, and other employees

Prior to any specific solution, the decision was made to locate the new messaging system at one of the larger, more advanced campuses that had messaging and directory experience. Due to lack of high availability experience, the decision going into the architecture phase was to not use failover technology. Availability would be achieved through the use of multiple servers at each level of the architecture. Due to the large number of users, stress and load testing was critical. Migration would initially be only for faculty and staff, plus any new accounts created after the go-live date. No existing students would be migrated during the initial year. Establishing provisioning from the existing centralized student information and HR systems was required. The customer had an existing license for antivirus but wanted to implement antispam at a later date.

The proposed configuration consisted of a directory master server using a Sun Enterprise 420R server and four back-end mail servers (mailstores) using Sun Fire V480 servers, each with four CPUs and eight gigabytes of memory. The MTA layer consisted of four Sun Fire 280R servers, each with two CPUs and four gigabytes of memory. To establish the directory environment, a combination of existing systems (old servers) and new was used. The master directory servers were Sun Enterprise 420R with two CPUs and four gigabytes of main memory, while the replicas were Sun Enterprise 220R servers with two CPUs and two gigabytes of memory. Load balancing among the servers was accomplished using the existing Cisco LocalDirectors. Figure A-3 shows the Community City College architecture configuration.

Timeline

This project took about one year from start to finish, with the purchase of the software and hardware taking approximately two months from date of initial contact with Sun to the delivery of the hardware on site. The initial architecture, sizing, and training were done in parallel once the purchase order was given to Sun and took approximately three to four months. Load testing, instrumenting using Orca and Big Brother, verification of sizing, and practice migration of faculty and staff took an additional three months, during which scripts to migrate users and integrate the directory provisioning with the campus student information system were done.


Lessons Learned

The following lessons were learned in this case study:

I PAB size

The initial architecture and planning called for web mail to be a minor factor, but most of the students used web mail almost exclusively. The actual web mail workload on the main messaging stores was not an issue because IMAP and web mail are close in terms of workload. The main issue was Personal Address Book (PAB) entries. Ninety percent of the initial 40,000 accounts used web mail. Each account had an average of 15 entries in the PAB. This situation resulted in over 600,000 directory entries in the PAB portion of the directory. After the initial year of production operation, the decision was made to separate the PAB portion of the Directory onto separate LDAP servers so that they could be tuned and managed separately.

FIGURE A-3 Community City College Architecture Diagram (four MTA servers on Sun Fire 280R, two tiers of load balancers, four mailstores on Sun Fire V480 with multiple connections to shared storage for redundancy, directory master on Sun Enterprise 420R, four replicas on Sun Enterprise 220R)

I Recovery

Unfortunately recovery procedures were not practiced, and they were necessary due to a storage subsystem failure within the first three months of operation. Since no one at the customer site had practiced recovery or was aware of specific steps that could minimize recovery time, recovery took eight times longer than would have otherwise been necessary. Sun Professional Services was called in after this incident to provide a workshop and guidance on developing recovery procedures tailored to the customer's specific environment, so as to reduce the recovery time.

I Appropriate partition sizing

Initial plans called for a minimum of two partitions to handle mailboxes on each of the message stores, based upon initial planning of 20,000 mailboxes per partition. Due to the backup and recovery issues explained previously, it was determined that even though the Messaging Server is quite capable of managing tens of thousands of mailboxes per partition, the limit is not necessarily a function of the number of mailboxes, but rather a function of the amount of storage per partition in gigabytes. It was decided to repartition the server into a more manageable and recoverable size equivalent to what a single backup tape or image would hold, in this case roughly 200 gigabytes.

I Load testing

Load testing in this large environment was critical to tuning of various parameters in each layer of the messaging architecture, and particularly valuable in testing the configuration of the Cisco LocalDirectors. It was discovered that specific settings were not quite correct and needed to be fixed. If the entire pathway had not been load tested, production issues would have occurred if one of the LocalDirectors had failed.

I Periodic maintenance

During the initial year of operation, little attention was paid to the systems unless dictated by the monitoring tools or help desk ticket system. Upon examination of the directory and messaging system during the PAB migration, it was clear that specific tables in the directory had grown larger than originally anticipated, which necessitated tuning of parameters. Examination of the messaging statistics also indicated some tuning was necessary. In reality, the system had not been periodically maintained other than basic patches or issues surrounding outages. Quarterly examination of data and statistics, table sizes, and so forth could have avoided some slowdowns and outages. This is especially important in large environments where growth is quick.

APPENDIX B

Majordomo Integration

This appendix describes the procedure for integration, working with a single test list. It is tedious, but it does work, and has all of the functionality of majordomo with sendmail. These instructions are for a single domain, but with some minor tweaks they should also work fine in a multidomain environment.

Assumptions:

1. Your messaging server is already installed and functioning correctly.

2. You have gcc installed, or you can compile the wrapper on a machine where it is installed.

Preparing for Integration

To prepare for integration:

1. Make sure your mailsrv user is assigned to a $HOME directory and that it has write permissions to server-root/msg-hostname.


2. Create /etc/passwd, /etc/shadow, and /etc/group entries for the majordomo user.

Example password entries:

iplanet:x:1002:101:iPlanet Servers:/opt/iplanet:/bin/ksh
ldapsrv:x:1003:101:Directory Server User:/opt/iplanet:/bin/ksh
mailsrv:x:1004:101:Messaging Server User:/opt/iplanet/msg-maxima:/bin/ksh
icsuser:x:1005:101:Calendar Server User:/opt/iplanet/SUNWics5:/bin/ksh
listsrv:x:1006:101:Mailing List Manager:/opt/iplanet:/usr/bin/csh
majordom:x:91:91:Mailing List Manager:/opt/majordom:/usr/bin/bash

Shadow entry:

majordom:*LK*:::::::

Group entries:

majordom::91:mailsrv
iplanet::101:iplanet,ldapsrv,mailsrv,icsuser,listsrv,majordom

3. Create the $HOME directory for majordomo.

We used /opt/majordom with 775 permissions. We will probably tighten this up to 755 or 751 later.

a. Extract the majordomo tarball in a work directory.

This is where you will edit the Makefile to fit the environment you created for majordomo.

Makefile <snippet of interest>

#------------- Configure these items ----------------#
#
# Put the location of your Perl binary here:
PERL = /usr/bin/perl

# What do you call your C compiler?
CC = gcc

# Where do you want Majordomo to be installed? This CANNOT be the
# current directory (where you unpacked the distribution)
W_HOME = /opt/majordom

# Where do you want man pages to be installed?
MAN = /usr/local/man

# You need to have or create a user and group which majordomo will run as.
# Enter the numeric UID and GID (not their names!) here:
W_USER = 91
W_GROUP = 91

# These set the permissions for all installed files and executables
# (except the wrapper), respectively. Some sites may wish to make these more
# lenient, or more restrictive.
FILE_MODE = 644
EXEC_MODE = 755
HOME_MODE = 775

# If your system is POSIX (e.g. Sun Solaris, SGI Irix 5 and 6, Dec Ultrix MIPS,
# BSDI or other 4.4-based BSD, Linux) use the following four lines. Do not change
# these values!
WRAPPER_OWNER = root
WRAPPER_GROUP = $(W_GROUP)
WRAPPER_MODE = 4755
POSIX = -DPOSIX_UID=$(W_USER) -DPOSIX_GID=$(W_GROUP)

# Otherwise, if your system is NOT POSIX (e.g. SunOS 4.x, SGI Irix 4,
# HP DomainOS) then comment out the above four lines and uncomment
# the following four lines.
# WRAPPER_OWNER = $(W_USER)
# WRAPPER_GROUP = $(W_GROUP)
# WRAPPER_MODE = 6755
# POSIX =

# Define this if the majordomo programs should *also* be run in the same
# group as your MTA, usually sendmail. This is rarely needed, but some
# MTAs require certain group memberships before allowing the message sender to
# be set arbitrarily.
# MAIL_GID = numeric_gid_of_MTA

# This is the environment that (along with LOGNAME and USER inherited from the
# parent process, and without the leading "W_" in the variable names) gets
# passed to processes run by "wrapper"
W_SHELL = /usr/bin/bash
W_PATH = /bin:/usr/bin:/usr/local/bin
W_MAJORDOMO_CF = $(W_HOME)/majordomo.cf

# A directory for temp files..
TMPDIR = /var/tmp

# -----YOU SHOULDN'T HAVE TO CHANGE ANYTHING BELOW THIS LINE.-----

Now you can:

make wrapper
make install-wrapper
make install
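The wrapper that make install-wrapper just put in place is setuid root (WRAPPER_MODE = 4755) and will be run by the MTA for every message delivered to a list, so it is worth confirming that the installed pieces agree with the Makefile before wiring the wrapper into the messaging server. The audit script below is an added example; it is not part of this appendix or of the Majordomo distribution. It checks that W_USER/W_GROUP in the Makefile equal the numeric uid and gid of the majordom account (the wrapper compiles those numbers in via -DPOSIX_UID/-DPOSIX_GID, so a mismatch means the wrapper drops privileges to the wrong identity), that the list manager's home directory is not group- or world-writable, and that the wrapper is owned by root with mode 4755 exactly. The default paths follow this appendix (/opt/majordom and /opt/iplanet/msg-maxima/imta/programs/wrapper); the Makefile location /opt/majordom/src/Makefile is an assumption.

```shell
#!/bin/sh
# majordomo_audit.sh -- post-install checks for a Majordomo wrapper used by
# Sun ONE Messaging Server program delivery. Added example, not from the book.
# Default paths follow the appendix; the Makefile path is an assumption.

# check_ids PASSWD GROUP MAKEFILE
# The wrapper hard-codes W_USER/W_GROUP at compile time (-DPOSIX_UID/-DPOSIX_GID),
# so they must equal the numeric uid/gid of the majordom account in passwd/group.
check_ids() {
    [ -r "$3" ] || { echo "cannot read $3"; return 1; }
    w_user=$(sed -n 's/^W_USER[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$3")
    w_group=$(sed -n 's/^W_GROUP[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$3")
    uid=$(awk -F: '$1 == "majordom" { print $3 }' "$1")
    gid=$(awk -F: '$1 == "majordom" { print $4 }' "$1")
    grp_gid=$(awk -F: '$1 == "majordom" { print $3 }' "$2")
    [ -n "$uid" ] || { echo "majordom has no entry in $1"; return 1; }
    [ "$uid" = "$w_user" ] || { echo "W_USER=$w_user but majordom uid is $uid"; return 1; }
    [ "$gid" = "$w_group" ] || { echo "W_GROUP=$w_group but majordom gid is $gid"; return 1; }
    [ "$grp_gid" = "$w_group" ] || { echo "group majordom has gid $grp_gid, not $w_group"; return 1; }
    return 0
}

# check_home DIR
# majordomo.cf, the lists and the archives live here; a group- or world-writable
# home lets any member of that group rewrite list configuration.
check_home() {
    [ -d "$1" ] || { echo "$1 is not a directory"; return 1; }
    mode=$(ls -ldL "$1" | cut -c1-10)
    case $mode in
        d????w*|d???????w*) echo "$1 is group- or world-writable ($mode)"; return 1 ;;
    esac
    return 0
}

# check_wrapper FILE
# The wrapper must be owned by root with mode 4755 exactly: setuid root and not
# writable by anyone else. -L follows the symlink created in imta/programs.
check_wrapper() {
    [ -e "$1" ] || { echo "$1 does not exist"; return 1; }
    line=$(ls -ldL "$1")
    mode=$(printf '%s\n' "$line" | cut -c1-10)
    owner=$(printf '%s\n' "$line" | awk '{ print $3 }')
    [ "$owner" = root ] || { echo "$1 is owned by $owner, not root"; return 1; }
    [ "$mode" = "-rwsr-xr-x" ] || { echo "$1 has mode $mode, expected -rwsr-xr-x"; return 1; }
    return 0
}

# audit [PASSWD GROUP MAKEFILE HOME WRAPPER]
# Runs every check, reports each failure, and returns non-zero if any failed.
audit() {
    rc=0
    check_ids "${1:-/etc/passwd}" "${2:-/etc/group}" "${3:-/opt/majordom/src/Makefile}" || rc=1
    check_home "${4:-/opt/majordom}" || rc=1
    check_wrapper "${5:-/opt/iplanet/msg-maxima/imta/programs/wrapper}" || rc=1
    if [ $rc -eq 0 ]; then echo "majordomo install looks consistent"; fi
    return $rc
}

# Run the audit only when invoked as "sh majordomo_audit.sh --audit [paths...]",
# so the file can also be sourced for its functions.
case ${1:-} in
    --audit) shift; audit "$@" ;;
esac
```

Run it as root with sh majordomo_audit.sh --audit once after make install and again after the wrapper symlink is created under imta/programs. It is deliberately read-only: it reports and never chmods, because the wrapper is the only setuid piece of this integration and the 775 HOME_MODE the procedure starts with is the first thing worth tightening by hand.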

Once the wrapper and all the Perl scripts are installed in /opt/majordom, some edits are required to get Y2K compliance and squash a couple of small bugs. They are shown below as diff output (old line, ---, new line) where possible.

*** archive2.pl

155c155,159
&open_archive($FH, $year % 100, $MoY{$moy}, $dom);
---
if ($year =~ /\d{4}/) {
&open_archive($FH, $year -1900, $MoY{$moy}, $dom);
} else {
&open_archive($FH, $year % 100, $MoY{$moy}, $dom);
}

*** digest

176c176
foreach (@files) {
---
foreach (sort @files) {

*** majordomo.pl

59c59,60
s/\n\s+/ /g;
---
s/\015//g; # strip DOS <CR>/^M from end of lines
s/\n\s+/ /g; # unfold wrapped headers

# Note, the ^M is a single character created by typing ctrl-v then ctrl-m.

*** resend

591c591
---
s/\015//g; # strip DOS <CR>/^M from end of lines

*** majordomo.cf

9c9
$whereami = "example.com";
---
$whereami = "sonny.org";
25c25
$homedir = "/usr/test/majordomo";
---
$homedir = "/opt/majordom";
27a28
$datadir = "$homedir/data";
30c31
$listdir = "$homedir/lists";
---
$listdir = "$datadir/lists";
38c39
$digest_work_dir = "/usr/local/mail/digest";
---
$digest_work_dir = "$datadir/digests";
42c43
$log = "$homedir/Log";
---
$log = "$datadir/Log";
101a103
$config'default_unsubscribe_policy = "open+confirm";
137,138c139,140
$filedir = "$listdir";
$filedir_suffix = ".archive";
---
$filedir = "$datadir/archives";
$filedir_suffix = "";
159c161
$majordomo_request = 0;
---
$majordomo_request = 1;
167c169
$max_which_hits = 0;
---
$max_which_hits = 1;
193c195
$TMPDIR = $ENV{'TMPDIR'} || "/var/tmp";
---
$TMPDIR = $ENV{'TMPDIR'} || "$datadir/tmp";

b. You must create some subdirectories for majordomo to use in its $HOME directory to match the entries in the majordomo.cf file.

While you are at it, you can consider creating a link to majordomo.cf in /etc. This is good preventive medicine.

As root, execute these commands, in order:

su majordom
cd /opt/majordom
mkdir -m 775 data
cd data
mkdir -m 775 archives digests lists tmp
cd archives
mkdir -m 775 test test-digest
cd ../digests
mkdir -m 775 test-digest
cd ../lists
touch test test-digest
exit
cd /etc
ln -s /opt/majordom/majordomo.cf majordomo.cf
cd /opt/iplanet/msg-maxima/imta/programs
su mailsrv
ln -s /opt/majordom/wrapper wrapper
exit

The test* subdirectories are the beginnings of a test mailing list setup and configuration. Majordomo still does not work with the messaging server until you create methods for program delivery, the proper users in LDAP, and appropriate entries in the imta/config/aliases file. Start with the program methods.

c. If you are still root, change directories to the server-root/msg-hostname directory (in our case /opt/iplanet/msg-maxima).

The imsimta program utility adds the methods you need to LDAP. This one is for the majordomo administrative user:

./imsimta program -a -m mjwrapper -p wrapper -g "majordomo" -e user

d. Create a set of these for each list you create:

./imsimta program -a -m testr -p wrapper -g "resend -l test test-outgoing" -e postmaster
./imsimta program -a -m testa -p wrapper -g "archive2.pl -f /opt/majordom/data/archives/test/test -a -M" -e postmaster
./imsimta program -a -m testd -p wrapper -g "digest -r -C -l test-digest test-digest-outgoing" -e postmaster
./imsimta program -a -m testq -p wrapper -g "majordomo -l test" -e postmaster

The last entry could also be written as follows if the majordomo.cf used $majordomo_request = 0:

./imsimta program -a -m testq -p wrapper -g "request-send test" -e postmaster

Make sure to refresh the MTA after making additions and changes like these, but since you are also going to modify the aliases and add user entries to LDAP, you can hold off on the refresh for a bit.

An ./imsimta program -l should now produce output like the following:

==================================================
Method_name : mjwrapper
Program_name : /opt/iplanet/msg-maxima/imta/programs/wrapper
Argument_list : majordomo
Execute Permission : User
==================================================
Method_name : testr
Program_name : /opt/iplanet/msg-maxima/imta/programs/wrapper
Argument_list : resend -l test test-outgoing
Execute Permission : Postmaster
==================================================
Method_name : testa
Program_name : /opt/iplanet/msg-maxima/imta/programs/wrapper
Argument_list : archive2.pl -f /opt/majordom/data/archives/test/test -a -M

We were not able to get -l test passed to the mjwrapper method correctly, or we might have been able to save one piece of work here too. We do not have a percent

Execute Permission : Postmaster==================================================Method_name : testdProgram_name : /opt/iplanet/msg-maxima/imta/programs/wrapper

 Argument_list : digest -r -C -l test-digest test-digest-outgoingExecute Permission : Postmaster==================================================Method_name : testq

Program_name : /opt/iplanet/msg-maxima/imta/programs/wrapper Argument_list : majordomo -l testExecute Permission : Postmaster==================================================

Page 263: BP SunONE Messaging Server

5/17/2018 BP SunONE Messaging Server - slidepdf.com

http://slidepdf.com/reader/full/bp-sunone-messaging-server 263/284

Majordomo Integration 237

g p pvariable to use for that. Otherwise, everywhere in the argument_list that the word“test” exists could be an argument passed from the mailprogramdeliveryinfo attribute.

The add itional entries you w ill need in msg-maxima/imta/config/aliases are:

[email protected]: dliston@[email protected]: dliston@ims-ms-daemon

[email protected]: dliston@[email protected]: </opt/majordom/data/lists/[email protected]: </opt/majordom/data/lists/test-digest

These are the LDAP user entries you will need to p ull it all together. Non e of theLDAP entries need mailListCreate nsda capability, but the attribute m ight behandy as part of an ACL if majordomo ever becomes LDAP aware.

dn: uid=majordom,ou=people,o=sonny.org,o=ispobjectclass: topobjectclass: personobjectclass: organizationalPerson

objectclass: inetOrgPersonobjectclass: inetUserobjectclass: ipUserobjectclass: nsManagedPersonobjectclass: userPresenceProfileobjectclass: inetMailUserobjectclass: inetLocalMailRecipient mailuserstatus: activeinetuserstatus: active

datasource: NDA 4.5 Delegated Administratornsdacapability: mailListCreateuserpassword: {crypt}4/Y1B.C4RmLnUuid: majordomgivenname: Majordomosn: List Managercn: Majordomo List Managerpreferredlanguage: en

 maildeliveryoption: program mailprogramdeliveryinfo: mjwrapper mailhost: maxima.liston.nu mail: [email protected] mailalternateaddress: [email protected]

dn: uid=test,ou=people,o=sonny.org,o=ispobjectclass: topbj t l

Page 264: BP SunONE Messaging Server

5/17/2018 BP SunONE Messaging Server - slidepdf.com

http://slidepdf.com/reader/full/bp-sunone-messaging-server 264/284

238 Majordomo Integration

objectclass: person

objectclass: organizationalPersonobjectclass: inetOrgPersonobjectclass: inetUserobjectclass: ipUserobjectclass: nsManagedPersonobjectclass: userPresenceProfileobjectclass: inetMailUserobjectclass: inetLocalMailRecipient mailuserstatus: activeinetuserstatus: activedatasource: NDA 4.5 Delegated Administratornsdacapability: mailListCreateuserpassword: {crypt}RI6GKwuXEifxAuid: test

givenname: testsn: resend

cn: test resendpreferredlanguage: en maildeliveryoption: program mailprogramdeliveryinfo: testr mailhost: maxima.liston.nu mail: [email protected]

dn: uid=test-archive,ou=people,o=sonny.org,o=ispobjectclass: topobjectclass: personobjectclass: organizationalPersonobjectclass: inetOrgPersonobjectclass: inetUserobjectclass: ipUserobjectclass: nsManagedPerson

objectclass: userPresenceProfileobjectclass: inetMailUserobjectclass: inetLocalMailRecipient mailuserstatus: activeinetuserstatus: activedatasource: NDA 4.5 Delegated Administratornsdacapability: mailListCreateuserpassword: {crypt}tcCW8XBsV.AB.

uid: test-archivegivenname: testsn: archivecn: test archivepreferredlanguage: en maildeliveryoption: program mailprogramdeliveryinfo: testa mailhost: maxima.liston.numail: test archiver@sonny org

Page 265: BP SunONE Messaging Server

5/17/2018 BP SunONE Messaging Server - slidepdf.com

http://slidepdf.com/reader/full/bp-sunone-messaging-server 265/284

Majordomo Integration 239

 mail: [email protected]

dn: uid=test-digest,ou=people,o=sonny.org,o=ispobjectclass: topobjectclass: personobjectclass: organizationalPersonobjectclass: inetOrgPersonobjectclass: inetUserobjectclass: ipUserobjectclass: nsManagedPersonobjectclass: userPresenceProfileobjectclass: inetMailUserobjectclass: inetLocalMailRecipient mailuserstatus: activeinetuserstatus: active

datasource: NDA 4.5 Delegated Administratornsdacapability: mailListCreate

userpassword: {crypt}qvSQMcsoYwR5Quid: test-digestgivenname: testsn: digestcn: test digestpreferredlanguage: en

 maildeliveryoption: program mailprogramdeliveryinfo: testd mailhost: maxima.liston.nu mail: [email protected]

dn: uid=test-request,ou=people,o=sonny.org,o=ispobjectclass: topobjectclass: personobjectclass: organizationalPerson

objectclass: inetOrgPersonobjectclass: inetUserobjectclass: ipUserobjectclass: nsManagedPersonobjectclass: userPresenceProfileobjectclass: inetMailUserobjectclass: inetLocalMailRecipient mailuserstatus: active

inetuserstatus: activedatasource: NDA 4.5 Delegated Administratornsdacapability: mailListCreateuserpassword: {crypt}RIMZpTZBydwqwuid: test-requestgivenname: testsn: requestcn: test requestpreferredlanguage: en

Page 266: BP SunONE Messaging Server

5/17/2018 BP SunONE Messaging Server - slidepdf.com

http://slidepdf.com/reader/full/bp-sunone-messaging-server 266/284

240 Majordomo Integration

No end user shou ld ever write directly to the *-outgoing aliases, or to th e *-test or *-archive add resses. Subscriptions and removals are handled a t the m ajordomo

add resses, but to activate the archive or d igest for the list, just ad d their ad dress(es)as m embers of the “test” mailing list (/opt/majordom/data/lists/test) or asnorm al email comm and s to majordomo.

preferredlanguage: en

 maildeliveryoption: program mailprogramdeliveryinfo: testq mailhost: maxima.liston.nu mail: [email protected]

4. Refresh the MTA, and perhaps even run stop-msg and start-msg for good

measure.
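Every method above hands a list name, and for archive2.pl a file path, from the MTA's program-delivery configuration straight to a Perl script through the wrapper, and the paragraph on percent variables shows the intent to eventually take those words from a user's mailprogramdeliveryinfo attribute. That makes the wrapper the one place where the input can be checked before anything runs as the majordomo account. The C program below is an added example written for this page; it is not majordomo's own wrapper.c and not part of the original BluePrint. It takes the paths and program names from the imsimta program -a entries above; the function names, the allowlist, the list-name grammar, the archive-path rule and the contents of the scrubbed environment are this example's assumptions, chosen so that every argument_list in the listing above passes and anything carrying a shell metacharacter, a foreign program or a path outside the archive tree is rejected.

```c
/* Added example for this page (not majordomo's wrapper.c): validate the argument
 * list an MTA program-delivery method hands to the wrapper, then exec the script
 * with a scrubbed environment. Paths and program names follow the imsimta
 * program -a entries above; function names and the rules are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MJ_HOME     "/opt/majordom"            /* $homedir in majordomo.cf */
#define MJ_ARCHIVES MJ_HOME "/data/archives/"  /* $filedir in majordomo.cf */
#define MAX_ARGS    16
#define MAX_NAME    64

/* Only the scripts named by the program-delivery methods may be run. */
static const char *const allowed_programs[] = {
    "majordomo", "resend", "digest", "archive2.pl", "request-send", NULL
};

/* Environment handed to the script: nothing inherited from the MTA process
 * (no LD_PRELOAD, IFS, PERL5LIB ...), a fixed PATH, and the config location
 * the majordomo scripts read from MAJORDOMO_CF. */
static char *const clean_env[] = {
    "PATH=/usr/bin:/bin", "HOME=" MJ_HOME,
    "MAJORDOMO_CF=" MJ_HOME "/majordomo.cf", NULL
};

/* List name: [A-Za-z0-9_.-], not starting with '.' or '-', at most MAX_NAME
 * bytes. That excludes slashes, "..", and every shell metacharacter. */
int valid_list_name(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > MAX_NAME || name[0] == '.' || name[0] == '-') return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)name[i]) && !strchr("_.-", name[i])) return 0;
    return 1;
}

int allowed_program(const char *prog)
{
    for (int i = 0; allowed_programs[i]; i++)
        if (strcmp(prog, allowed_programs[i]) == 0) return 1;
    return 0;
}

/* archive2.pl -f names a file: only below the archive tree, no "..", and only
 * list-name characters plus '/' after the prefix. */
int valid_archive_path(const char *path)
{
    size_t plen = strlen(MJ_ARCHIVES);
    if (strncmp(path, MJ_ARCHIVES, plen) != 0 || path[plen] == '\0' || strstr(path, ".."))
        return 0;
    for (const char *p = path + plen; *p; p++)
        if (!isalnum((unsigned char)*p) && !strchr("_.-/", *p)) return 0;
    return 1;
}

/* argv[0] must be an allowed program; single-letter options (-l, -r, -C, -a, -M)
 * pass; the operand of archive2.pl -f must be an archive path; every other
 * word must be a list name. Returns 1 only if the whole vector is acceptable. */
int validate_argv(int argc, char *const argv[])
{
    if (argc < 1 || !allowed_program(argv[0])) return 0;
    int archive = strcmp(argv[0], "archive2.pl") == 0;
    for (int i = 1; i < argc; i++) {
        const char *a = argv[i];
        if (a[0] != '-') {
            if (!valid_list_name(a)) return 0;
        } else if (strlen(a) != 2 || !isalpha((unsigned char)a[1])) {
            return 0;
        } else if (archive && a[1] == 'f' && (++i >= argc || !valid_archive_path(argv[i]))) {
            return 0;
        }
    }
    return 1;
}

/* Check a whole argument_list string as it is quoted for imsimta program -g. */
int validate_argument_list(const char *list)
{
    char buf[512], *argv[MAX_ARGS + 1], *t;
    int argc = 0;
    if (strlen(list) >= sizeof buf) return 0;
    strcpy(buf, list);
    for (t = strtok(buf, " \t"); t && argc < MAX_ARGS; t = strtok(NULL, " \t"))
        argv[argc++] = t;
    argv[argc] = NULL;
    return t == NULL && argc > 0 && validate_argv(argc, argv);
}

/* Validate, then execve MJ_HOME/<program>; returns -1 on rejection or exec
 * failure. A real setuid wrapper would drop to the majordomo uid/gid here. */
int run_wrapped(int argc, char *const argv[])
{
    char path[256];
    if (!validate_argv(argc, argv)) return -1;
    snprintf(path, sizeof path, "%s/%s", MJ_HOME, argv[0]);
    execve(path, argv, clean_env);
    return -1;
}
```

Built as the programs/wrapper binary, run_wrapped(argc - 1, argv + 1) is all a main() needs to call. With these rules the five argument lists in the listing are accepted, while "resend -l test;id", "sh -c id" and "archive2.pl -f /etc/passwd -a -M" are refused before any exec. The fixed MAJORDOMO_CF entry in clean_env is why the /etc/majordomo.cf link above is only a fallback: a script started this way never consults /etc, but one started by hand without that variable does.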


Glossary

access control information A single item of information from an access control list within an LDAP directory.

access control list A set of data associated with a directory that defines the permissions that users and groups have for accessing it.

ACI See access control information.

ACL See access control list.

API applications programming interface.

APOP See Authenticated Post Office Protocol.

applications service provider An application service provider is a company that offers individuals or enterprises access over the Internet to applications and related services that would otherwise have to be located in their own personal or enterprise computers.

ASP See applications service provider.

Authenticated Post Office Protocol Similar to the Post Office Protocol, but instead of sending the password in plaintext for authentication, the client sends a digest computed over a challenge string supplied by the server and the password.

CLI See command-line interface.

cn LDAP alias for common name.

command-line interface Text-driven interface as opposed to a GUI; can easily be used to script or automate repetitive processes.

comment character A character that, when placed at the beginning of a line, turns the line into a nonexecutable comment.

CSV comma-separated values file.

DC Tree Domain Component tree. A directory information tree that mirrors the DNS naming syntax. An example of a distinguished name in a DC Tree is: cn=billbob,dc=bridge,dc=net,o=internet.

DHCP Dynamic Host Configuration Protocol.

DMZ demilitarized zone.

DNLC directory name lookup cache.

DNS See Domain Name Service.

domain name The unique name that identifies an Internet site. Domain names have two or more parts, separated by periods (dots).

Domain Name Service Distributed name resolution software that allows computers to locate other computers on a network or the Internet by domain name. The system associates IP addresses with host names (such as www.siroe.com). Machines normally get this information from a DNS server. DNS servers provide a distributed, replicated data query service for translating host names.

DOS denial of service.

DSN delivery status notification.

elm Originally an acronym for ELectronic Mail, but it is also a program used to read mail on terminals using a text interface (that is, not a GUI).

EOL end of life.

ESMTP See Extended Simple Mail Transfer Protocol.

Extended Simple Mail Transfer Protocol An Internet message transport protocol. ESMTP adds optional commands to the SMTP command set for enhanced functionality, including the ability for ESMTP servers to discover which commands are implemented by the remote site.

FQN fully qualified host name.

FTP File Transfer Protocol.

GUI graphical user interface.

HRS human resource system.

HTTP See HyperText Transfer Protocol.

HTTPS Hypertext Transfer Protocol, Secure.

HyperText Transfer Protocol A standard protocol that allows the transfer of hypertext documents over the Web. The iPlanet Messaging Server provides an HTTP service to support web-based email. See also Messenger Express.

IDA iPlanet delegated administrator.

IDC Internet data center.

IETF Internet Engineering Task Force.

IM instant messaging.

IMAP See Internet Message Access Protocol Version 4.

IMAP4 See Internet Message Access Protocol Version 4.

IMP input message processing.

Internet Message Access Protocol Version 4 A standard protocol that allows users to be disconnected from the main messaging system and still be able to process their mail. The IMAP specification allows for administrative control of these disconnected users and for the synchronization of the users' message store once they reconnect to the messaging system.

Internet Protocol The basic network-layer protocol on which the Internet and intranets are based.

Internet Service Provider A company that provides Internet services to its customers, including email, electronic calendaring, access to the World Wide Web, and web hosting.

IP See Internet Protocol.

ISP See Internet Service Provider.

JASS JumpStart Architecture and Security Scripts.

LDAP See Lightweight Directory Access Protocol.

LDAP Data Interchange Format The format used to represent Directory Server entries in text form.

LDIF See LDAP Data Interchange Format.

Lightweight Directory Access Protocol Directory service protocol designed to run over TCP/IP and across multiple platforms. A simplification of the X.500 Directory Access Protocol (DAP) that allows a single point of management for storage, retrieval, and distribution of information, including user profiles, mail lists, and configuration data across iPlanet servers. The iPlanet Directory Server uses the LDAP protocol.

LMTP See Local Mail Transfer Protocol.

Local Mail Transfer Protocol A derivative of the SMTP and ESMTP protocols that is nearly identical. LMTP is designed to provide a status reply per message recipient versus SMTP's single reply code per message transaction.

Mail eXchanger record A mail eXchanger record is an entry in your DNS zone that controls where email is sent for a given domain name.

MEM messenger express multiplexer.

message-handling system A group of connected MTAs, their user agents, and message stores.

Message Transfer Agent A specialized program for routing and delivering messages. MTAs work together to transfer messages and deliver them to the intended recipient. The MTA determines whether a message is delivered to the local message store or routed to another MTA for remote delivery.

messaging multiplexer proxy A specialized messaging server that acts as a single point of connection to multiple messaging servers.

Messaging Server administrator The administrator whose privileges include installation and administration of an iPlanet Messaging Server instance.

Messenger Express A mail client that enables users to access their mailboxes through a browser-based (HTTP) interface. Messages, folders, and other mailbox information are displayed in HTML in a browser window. See also web mail.

MHS See message-handling system.

MIB management information base. See also Simple Network Management Protocol.

MIME See Multipurpose Internet Mail Extension.

MMP See messaging multiplexer proxy.

MTA See Message Transfer Agent.

MTA configuration file The file (imta.cnf) that contains all channel definitions for the Messaging Server plus the rewrite rules that determine how addresses are rewritten for routing.

MTBF mean time between failures.

MTTR mean time to repair (or recover).

Multipurpose Internet Mail Extension A standard for including multimedia in email messages by appending the multimedia file to the message. It allows for the transmission of data in many forms, such as audio, binary, or video. See also SMIME.

MX See Mail eXchanger record.

NDA Netscape delegated administrator.

NFS Network File Server or Network File System.

NIS Network Information Service.

NMS Netscape Messaging Server.

PAB personal address book.

password authentication Verifies that the user's password is valid.

PDA personal digital assistant.

PGP Pretty Good Privacy.

PIN personal identification number.

Pine Program for Internet News and Email. See also elm.

plaintext Refers to a method for transmitting data. The definition depends on the context. For example, with SSL the whole session is encrypted, so a plaintext password is not sent as cleartext on the wire. With a challenge-response SASL mechanism such as CRAM-MD5, the password itself is never sent; the client sends a hash computed over the password and a challenge supplied by the server. The SASL PLAIN mechanism, by contrast, does send the password as cleartext and should only be offered inside an SSL/TLS session. See also Secure Sockets Layer and Simple Authentication and Security Layer.

plaintext authentication See password authentication.

POP See Post Office Protocol Version 3.

POP3 See Post Office Protocol Version 3.

Post Office Protocol Version 3 A protocol that provides a standard delivery method and that does not require the message transfer agent to have access to the user's mail folders. Not requiring access is an advantage in a networked environment.

PS PostScript.

QoS Quality of Service.

RDNS reverse DNS.

SASL See Simple Authentication and Security Layer.

SDLC systems development life cycle.

SDN See Software Delivery Network.

Secure Sockets Layer A commonly used protocol for securing a message transmission on the Internet. SSL has been succeeded by Transport Layer Security (TLS), which is based on SSL. SSL is a layer located between the application protocol, such as HTTP, and TCP.

Short Messaging Service A service for sending messages of up to 160 characters (224 characters if using a 5-bit mode) to mobile phones and other devices that use Global System for Mobile communication. Due to the length restriction, it is advantageous to strip off attachments and certain header information from normal email when delivering to an SMS device.

Simple Authentication and Security Layer A means for controlling the mechanisms by which POP, IMAP or SMTP clients identify themselves to the server. iPlanet Messaging Server support for SMTP SASL use complies with RFC 2554 (ESMTP AUTH). SASL is defined in RFC 2222.

Simple Mail Transfer Protocol The email protocol most commonly used on the Internet and the protocol supported by the iPlanet Messaging Server. Defined in RFC 821, with associated message format descriptions in RFC 822.

Simple Network Management Protocol The protocol governing network management and the monitoring of network devices and their functions. It is not necessarily limited to TCP/IP networks. SNMP is described formally in IETF RFC 1157 and in a number of other related RFCs.

SIMS Sun Internet Mail Server.

SIP Session Initiation Protocol.

SIS student information system.

SMIME Secure Multipurpose Internet Mail Extension.

SMS See Short Messaging Service.

SMTP See Simple Mail Transfer Protocol.

SNMP See Simple Network Management Protocol.

Software Delivery Network Software Delivery Network, sometimes referred to as Service Delivery Network, is a term used by Sun to describe and define an infrastructure designed to provide a foundation for scalable network-based services, such as the Sun ONE Messaging Server and Sun ONE Directory Server, while meeting demands for reliability and performance.

SPI stateful packet inspection.

SPN service provider networks.

SSL See Secure Sockets Layer.

SSO single sign-on.

TCO total cost of ownership.

TCP See Transmission Control Protocol.

TCP/IP See Transmission Control Protocol/Internet Protocol.

TLS See Transport Layer Security.

Transmission Control Protocol The basic transport-layer protocol in the Internet protocol suite; it provides reliable, connection-oriented stream service between two hosts on top of the Internet Protocol.

Transmission Control Protocol/Internet Protocol The name given to the collection of network protocols used by the Internet protocol suite. The name refers to the two primary protocols of the suite: the Transmission Control Protocol and the Internet Protocol.

Transport Layer Security The standardized form of SSL. See also Secure Sockets Layer.

UBE See unsolicited bulk email.

UCE unsolicited commercial email. See unsolicited bulk email.

UDDI universal description, discovery, and integration.

unsolicited bulk email Unrequested and unwanted email, sent from bulk distributors, usually for commercial purposes.

user agent The client component, such as Netscape Communicator, that allows users to create, send, and receive mail messages.

VPN virtual private network.

WAN wide area network.

web mail A generic term for browser-based email services. A browser-based client (known as a thin client because more processing is done on the server) accesses mail that is always stored on a server. See also Messenger Express.

