5/17/2018 BP SunONE Messaging Server - slidepdf.com
http://slidepdf.com/reader/full/bp-sunone-messaging-server 1/284
Send comments about this document to: [email protected]
Sun™ ONE Messaging Server Practices and Techniques for Enterprise Customers
Dave Pickens
Part No. 817-0763-10
August 2003, Revision A
Sun Microsystems, Inc.
4150 Network Circle
Santa Clara, CA 95054 U.S.A.
650-960-1300
Copyright 2004 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A. All rights reserved.
Sun Microsystems, Inc. has intellectual property rights relating to technology that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.sun.com/patents and one or more additional patents or pending patent applications in the U.S. and in other countries.
This document and the product to which it pertains are distributed under licenses restricting their use, copying, distribution, and decompilation. No part of the product or of this document may be reproduced in any form by any means without prior written authorization of Sun and its licensors, if any.
Third-party software, including font technology, is copyrighted and licensed from Sun suppliers. Parts of the product may be derived from Berkeley BSD systems, licensed from the University of California. UNIX is a registered trademark in the U.S. and in other countries, exclusively licensed through X/Open Company, Ltd.
Sun, Sun Microsystems, the Sun logo, docs.sun.com, StarOffice, AnswerBook2, BluePrints, N1, Netra, SunDocs, SunSolve, Sun Enterprise, Sun Fire, iPlanet, Java, JavaScript, JumpStart, and Solaris are trademarks, registered trademarks, or service marks of Sun Microsystems, Inc. in the U.S. and in other countries.
Netscape is a trademark or registered trademark of Netscape Communications Corporation in the United States and other countries.
All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and in other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc. The OPEN LOOK and Sun™ Graphical User Interface was developed by Sun Microsystems, Inc. for its users and licensees. Sun acknowledges the pioneering efforts of Xerox in researching and developing the concept of visual or graphical user interfaces for the computer industry. Sun holds a non-exclusive license from Xerox to the Xerox Graphical User Interface, which license also covers Sun’s licensees who implement OPEN LOOK GUIs and otherwise comply with Sun’s written license agreements.
U.S. Government Rights—Commercial use. Government users are subject to the Sun Microsystems, Inc. standard license agreement and applicable provisions of the FAR and its supplements.
DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.
Contents
Acknowledgments xv
Preface xvii
Sun BluePrints Program xvii
Who Should Use This Book xviii
Before You Read This Book xviii
How This Book Is Organized xix
Related Documentation xxiii
Shell Prompts xxiii
Typographic Conventions xxiv
Ordering Sun Documents xxiv
Accessing Sun Documentation xxiv
Using UNIX Commands xxv
Contacting Sun Technical Support xxv
Sun Welcomes Your Comments xxv
1. Messaging Overview 1
Connectivity 2
Number of Devices 2
Number of Messages 3
Average Message Size 4
Protocols 4
Security and Privacy 5
Regulatory Issues 5
2. Messaging Services 7
Sun’s Messaging Strategy 7
Open Standards 7
Popular Clients 8
Messaging Services Beyond the Basics 8
Directory Services 9
Web Messaging 9
Address Book 10
Calendar 10
Portal 10
Web Services 11
Anyone, Anytime, Anywhere, Any Device 11
Integrated Yet Open—Project Orion 11
SDN Concept 12
Conclusion 13
3. Messaging Architectures 15
Directory 16
MTA 17
Mailstore 17
Proxy Servers 18
Simple Single-Layer Architecture 18
Simple—Alternative Architecture 20
Typical Architecture 23
Secure—Basic Architecture 25
High Availability—Failover Architecture 27
4. Installation Preparation 31
Preparation Process 31
Good Computing Practices 31
Differences Between Production and Non-production 32
Basic Solaris OE Installation 33
Network Connectivity 37
Host Name Resolution With /etc/hosts and DNS 37
Naming Services Setup and Best Practices 38
Network Load Balancing 39
DHCP 39
Domain Name 39
5. System Startup 41
Basic System Status 41
Provisioning 52
Administration Console 53
Web 54
Command-Line Interface 55
Lightweight Directory Access Protocol 57
Methods Analysis 59
Issues 60
Authoritative Sources 61
Data Feeds 62
User ID 64
Sample Data File 65
Sample Provisioning Script 66
Test User Generation Script 66
6. Software Installation and Configuration 69
Simple Installation 71
▼ Creating UNIX User and Group Accounts 73
▼ Disabling Sendmail 74
▼ Installing a Master Directory Server 75
▼ Preparing the Master Directory Server for Messaging 77
▼ Installing the Messaging Server 81
▼ Installing the Delegated Administrator Server 82
▼ Installing the Enterprise Web Server 82
▼ Installing the Delegated Administrator 84
▼ Setting Up Messaging Accounts and Testing the Server 85
▼ Creating a Postmaster User Account 85
▼ Creating Test Accounts 86
▼ Verifying Your Messaging Server Works Using WebMail 87
Automated Installation Script 89
7. Message Transfer Agent Configuration 91
Changing the Mappings 93
Direct LDAP Lookup 94
▼ Testing LDAP Lookup 96
Adding New Domains to the MTA 97
▼ Modifying the imta.cnf File 99
SMTP Authentication 100
▼ Examining the imta.cnf File 100
8. Advanced Messaging Client Configuration 103
What Is a Shared Folder? 104
Supported Standards 105
Limitations 107
Setup Procedures 107
▼ Letting Your Administrator Read Your Inbox 107
▼ Sharing Folders in IMAP Clients 111
▼ Sharing a Folder in Mulberry 111
▼ Sharing a Folder in Netscape Messenger 114
▼ Using Outlook Express 119
9. Customization 123
Changing and Adding a Logo 124
▼ Customizing the Login Screen 126
▼ Changing the Main Web Mail Screen Banner 127
Removing and Adding Options on the Options Tab 130
▼ Removing Options 131
▼ Adding Options 133
Single Sign On 138
▼ Enabling Single Sign On 139
Setting the Initial Welcome Email 146
Over-Quota Limits and Warning Email 147
▼ Configuring Over-Quota Limits and Warning Email 148
Customizing Return Errors 151
10. Security 153
Network 154
System 157
Basics of Solaris OE Security 157
Messaging Software Protocols 159
Directory 159
ACI 159
Search Limits 160
Enabling SSL Support 161
Non-standard Ports 161
Message Store 162
SMTP 162
MTA 162
RDNS 162
Antivirus and Antispam 163
Securing the Message Contents 163
▼ Implementing PGP Signing 163
SMIME 165
Conclusion 165
11. Migration 167
Basic Steps (Generic) 168
User Information 168
Why Are Passwords Important? 168
Password Handling Options 168
Messages and Folders 169
▼ Letting Users Maintain Messages and Folders 169
Aliases and System-wide Mailing Lists 170
Aliases File 171
Delegated Administrator 171
▼ Creating Dynamic Groups and Email Lists Using Direct LDAP Manipulation (Sun ONE Administrator Console) 171
Personal Address Books, Lists, and Bookmarks 172
Sendmail (UNIX Mail) 174
User Information 174
Mailbox Content 175
Mailing Lists (aliases) 175
Personal Address Books 175
Exchange, Novell Groupwise, and Lotus Notes 175
User Information 175
Mailbox Content 176
Mailing Lists 177
Personal Address Books 177
12. Performance Tuning 179
Netscape Directory Server 179
Solaris OE 180
▼ Setting TCP/IP Parameters 180
▼ Setting tcp_local_option and tcp_internet_option File Parameters 181
▼ Setting /etc/system Parameters 181
▼ Setting configutil Parameters 182
MMP 184
MTA Tuning 184
Dispatcher 185
Job_Controller 185
ims_master channel 185
Message Dequeue 185
ims-ms Channel-Specific Information 186
Option.dat 186
MAX_INTERNAL_BLOCKS 187
Reverse Database 187
IMTA_TAILOR File 187
Notices 187
Postmaster Mail 188
13. Advanced MTA Configuration 189
Conversion Channel 189
▼ Adding a Disclaimer 191
▼ Converting PostScript to Acrobat 197
Virus Scanning 198
Antispam 199
Other Possibilities 199
14. Highly Available Messaging Deployment 201
High Availability Architecting Differences 201
High Availability Architectures 203
The Parts 203
Other Architectures 204
Alternative No. 1 205
Alternative No. 2 205
Differences in Planning for High Availability Messaging 206
Differences in Installing HA Messaging 206
Best Practices and Caveats 207
Installation Procedure and Notes 207
Conclusions 207
15. Managing Messaging Services and Preventive Maintenance 209
Periodic Maintenance Checklists 209
Daily Checks 210
Weekly Checks 212
Monthly Checks 212
Quarterly Checks 213
Annual Checks 214
16. Monitoring a Sun ONE Messaging Server 215
SNMP 215
Alternative Tools 216
What’s Up Gold 216
Sun Management Center 217
Orca 218
Big Brother 218
BMC Patrol 219
A. Case Studies 221
Acme University 221
Timeline 222
Lessons Learned 223
Baker Tech 224
Timeline 226
Lessons Learned 226
Community City College 227
Timeline 228
Lessons Learned 228
B. Majordomo Integration 231
▼ Preparing for Integration 231
Glossary 243
Bibliography 251
Index 253
Figures
FIGURE 3-1 Messaging Server, Storage, and Firewall Messaging System 19
FIGURE 3-2 Alternate Configuration With SMTP Firewall 21
FIGURE 3-3 Alternate Configuration With SMTP Relays and Firewall 23
FIGURE 3-4 Proxy Configuration With SMTP Relays and Firewall 25
FIGURE 3-5 Simple Failover Configuration 27
FIGURE 3-6 Failover With Relays and Firewall 28
FIGURE 5-1 top Command Output 44
FIGURE 5-2 Administration Interfaces Architecture Overview 53
FIGURE 5-3 Delegated Administrator for Messaging 56
FIGURE 6-1 Simple Architecture With Administration Ports 70
FIGURE 6-2 DC Tree and UG Organization Tree 88
FIGURE 8-1 Web Mail Shared Folder Permissions 104
FIGURE 8-2 Getting to the Permissions Screen 105
FIGURE 8-3 Sharing a Folder Other Than the Inbox 107
FIGURE 10-1 Security Layers 153
FIGURE 10-2 Secure Network Architecture for Messaging Environment 156
FIGURE 13-1 MTA Conversion Channel Diagram 190
FIGURE 14-1 High Availability Configuration Failover 205
FIGURE 14-2 Failover Using Both Nodes in a High Availability Configuration 206
FIGURE A-1 Acme University Architecture Diagram 222
FIGURE A-2 Baker Tech Architecture Diagram 225
FIGURE A-3 Community City College Architecture Diagram 229
Tables
TABLE 6-1 Values Required for Installation 72
TABLE 8-1 Web Mail Permission and RFC2086 Rights 106
TABLE 10-1 Enterprise Messaging Access in a Typical Enterprise 154
TABLE 10-2 Enterprise Messaging Access in a University 155
Code Samples
CODE EXAMPLE 5-1 ps -ef Command Output 42
CODE EXAMPLE 5-2 configutil Output—Current Configuration Settings 45
CODE EXAMPLE 5-3 Sample CLI Showing Creation of “testuser” Account 57
CODE EXAMPLE 5-4 Sample Template 59
CODE EXAMPLE 5-5 Test User Script Usage Example 66
CODE EXAMPLE 5-6 Add Test User Script Error Message 67
CODE EXAMPLE 5-7 Add Test User Completion Message 67
Acknowledgments
This book was certainly not a one-person effort. There are many people to thank and I am sure I will miss a few.
First and foremost are the other contributors to this effort: Portia Shao, Chad Stewart, and Dan Liston. They all added significantly to this book in terms of content, technical review, and overall comments. This book would not be as good nor as complete without their contributions. Portia Shao contributed the Advanced Messaging Client Configuration chapter, Chad Stewart contributed the Performance Tuning chapter, and Dan Liston contributed the Majordomo appendix.
As a technical product manager, Portia frequently provides answers and research regarding the messaging server to the engineers in the field. Chad is a Senior Consultant at Sun Microsystems working in the Professional Services Organization. Dan contributes to the free software environment by supporting majordomo.
Next, I would like to thank Kelly Caudhill for her time and effort during the final months of this project to review rough drafts and provide feedback.
I cannot fail to mention the best help that a writer at Sun could have—George Wood, the writer/editor who kept me on my toes and pitched in to write some portions when words just would not come to mind; Billie Markim and Sue Blumenberg for additional editing assistance; and Dany Galgani, the graphics designer who turned my scribbles into art.
I would also like to thank my manager, Casey Palowitch, for his support this past year and for encouraging me to tackle a project of this magnitude.
Last but not least, I would like to thank my wonderful wife and kids, who put up with me working many long and late hours.
Preface
The Sun™ ONE Messaging Server Practices and Techniques for Enterprise Customers book is published under the auspices of the Sun BluePrints™ program. This book is a collection of practices and techniques for deploying a messaging system. These practices and techniques have been gathered from many customers’ messaging system deployments and internal testing labs. The book covers some things that advanced users might believe are common knowledge but are not. The goal of this book is to make the administration of Sun™ Open Net Environment (Sun ONE) Messaging Server (formerly known as iPlanet™ Messaging Server) easier by collecting this knowledge and organizing it as you might encounter it during the deployment of a messaging project, that is, from planning to day-to-day operation.
Sun BluePrints Program
The mission of the Sun BluePrints program is to empower Sun’s customers with the technical knowledge required to implement reliable, extensible, and secure information systems within the data center using Sun products. This program provides a framework to identify, develop, and distribute preferred practices information that applies across the Sun product lines. Experts in technical subjects in various areas contribute to the program and focus on the scope and advantages of the information.
The Sun BluePrints program includes books, guides, and online articles. Through these vehicles, Sun can provide guidance, installation and implementation experiences, real-life scenarios, and late-breaking technical information.
The monthly electronic magazine, Sun BluePrints OnLine, is located on the Web at:
http://www.sun.com/blueprints.
To be notified about updates to the Sun BluePrints program, please register on this site.
Who Should Use This Book
This book is intended for readers with varying degrees of experience with and knowledge of computer system and server technology, who are designing, deploying, and managing a Sun ONE Messaging Server within their organizations. Typically these individuals already have UNIX® knowledge, but have been given the added responsibility for messaging too.
The book is targeted at enterprise customers deploying the Sun ONE Messaging Server software version 5.2 and later. An enterprise customer is an organization that is running messaging for its own internal use and is not providing messaging services to other organizations; that is, it is not an applications service provider (ASP) or Internet Service Provider (ISP). The organization could be small (thousands of users), large (100,000 users), or anywhere in between. This book offers practical advice on design, architecture, deployment, and operation, with these customers in mind.
Before You Read This Book
This book covers some of the basics of messaging and the services such as Domain Name Service (DNS) or Lightweight Directory Access Protocol (LDAP) that messaging relies upon, but cannot address these services thoroughly. You should have some basic knowledge of messaging systems and architecture, and be comfortable with using GUI-based tools and the UNIX command line (shell). See one or more of the following documents for this information.
• DNS and BIND, 4th Edition, October 2002, O’Reilly, http://www.oreilly.com/catalog/dns4/
• DNS & BIND Cookbook, October 2002, O’Reilly, http://www.oreilly.com/catalog/dnsbindckbk
• LDAP System Administration, March 2003, O’Reilly, http://www.oreilly.com/catalog/ldapsa/
• Essential Systems Administration, 3rd Edition, August 2002, O’Reilly, http://www.oreilly.com/catalog/esa3/
• Sun BluePrints on Naming and Directory Services, http://www.sun.com/solutions/blueprints/browsesubject.html#nds
How This Book Is Organized
This book is modeled after the typical process an enterprise uses to deploy its messaging infrastructure, from the initial planning steps to day-to-day operations.
It follows a basic systems development life cycle (SDLC) for an enterprise messaging system—planning, testing, deployment, and maintenance. Each of these phases addresses practices and techniques to enhance availability, performance, and ease of use.
The book has 16 chapters and two appendixes.
Chapter 1, “Messaging Overview,” on page 1—This chapter provides an overview of the factors facing messaging implementations, how messaging systems are being used, what the messaging trends within enterprises are, future uses of messaging currently being developed, and so forth. This chapter is designed to provide the basis for establishing messaging as a mission-critical system within the enterprise and expose readers to issues that they may not currently be considering.
Chapter 2, “Messaging Services,” on page 7—This chapter provides an overview of the Sun ONE Messaging Server product as it fits into the software delivery network (SDN) concept, along with brief descriptions of the individual components that go into making an enterprise messaging system work. It highlights specific strengths of the Messaging Server compared with other offerings in the market. The main emphasis of this chapter is on covering the interoperability of products that support open standards and the advantages they bring.
Chapter 3, “Messaging Architectures,” on page 15—This chapter describes the architectures of some of the more common configurations and explains that there are almost infinite combinations. It outlines the pros and cons of each architecture to provide you with information to determine which architectures meet your enterprise messaging requirements.
Chapter 4, “Installation Preparation,” on page 31—This chapter outlines some issues and practices that are important during the pre-installation. These issues can have significant impact on installation, operations, and recovery capability. It provides insight into situations that normally cause consternation. References are made to specific sections of manuals or additional supplemental materials. Think of this chapter as a reminder regarding operating system best practices that can be found in other BluePrints and elsewhere.
Chapter 5, “System Startup,” on page 41—This chapter covers the basics of getting the system started and provisioning users once the system is operational. It is designed to provide an understanding of the various mechanisms for provisioning as well as the pros and cons of each method. You can easily automate provisioning, but there are times when manual entry is required too.
Chapter 6, “Software Installation and Configuration,” on page 69—This chapter provides information and caveats that you may need during the installation phase of the overall messaging environment. It also discusses scalability issues. For additional details, refer to the iPlanet Messaging Server Installation Guide for UNIX.
The chapter discusses the pros and cons of various answers to configuration questions and installation options so that you can avoid post-installation pitfalls, whether they are related to flexibility (that is, top domain name selection in the directory), scalability, availability, performance, or ease of use. Thus, this chapter covers items not found in the current documentation and conveys information that can only be learned through experience.
Chapter 7, “Message Transfer Agent Configuration,” on page 91—This chapter provides best practices and techniques regarding the setup and configuration of the Message Transfer Agent (MTA) component within the Sun ONE Messaging Server. Due to its complexity, this is an area that can cause significant issues related to security as well as basic functionality. This section dissects the default “out-of-the-box” MTA configuration file to provide a starting point for the reader. Many users of the previous versions, Sun Internet Mail Server (SIMS) or Netscape Messaging Server (NMS), had never seen an Innosoft PMDF product MTA configuration file. Therefore, this area is very intimidating and confusing. This chapter addresses some typical changes in plain language.
Chapter 8, “Advanced Messaging Client Configuration,” on page 103—This chapter covers the following key concepts and topics for using shared folders: what a shared folder is, supported standards, limitations, how to let your administrator read your mailbox, and how to share a folder in an Internet Message Access Protocol (IMAP) client, Netscape Messenger, and Outlook Express.
Chapter 9, “Customization,” on page 123—This chapter describes how to customize the Messaging Server. Customers typically make several customizations right after installing the basic Messaging Server (Sun ONE Directory Server, Sun ONE Web Server, Sun ONE Delegated Administration, email, and perhaps even Sun ONE Calendar Server). The most common of these include changing the look and feel of the web mail interface (Sun ONE Messenger Express) and providing a single sign on (SSO) between the web mail, web-based calendar, and Delegated Administration interfaces. Some of the other common customizations that are done almost immediately include defining the welcome message for new accounts, along with the over-quota message for people about to go over quota or already over quota. Some customers would also like to customize some of the return errors that the message system sends back to users.
Chapter 10, “Security,” on page 153—This chapter discusses in detail the specific issues surrounding the security of the Messaging Server, including the server platform, the various protocols and their impact, and securing the contents of the messages. This chapter divides the topic of security as it relates to the Messaging Server into three different layers or topics—network, system, and messaging system protocols.
Chapter 11, “Migration,” on page 167—This chapter describes the best practices for migration and identifies potential problems that may occur during the migration phase. After the basic Messaging Server is installed, one of the more difficult tasks is to migrate the existing user base and mailbox contents. Different techniques can be used, but only specific techniques are valid for specific migrations, Exchange for example. Additionally, other parts of the migration have specific issues, such as using the migration as an opportunity to standardize mail address formats while maintaining legacy addresses that can be addressed.
Chapter 12, “Performance Tuning,” on page 179—As with any system, performance is a key element to getting the most return on investment, as well as maintaining happy users. This chapter contains practices and principles specifically related to performance tuning of the Messaging Server, which may differ from or contradict conventional tuning wisdom. This chapter points out the areas on which a Messaging Server administrator should concentrate.
Chapter 13, “Advanced MTA Configuration,” on page 189—This chapter contains examples of the conversion channel feature of the MTA, including some sample scripts. It also discusses some of the other possibilities for advanced MTA configuration.
Chapter 14, “Highly Available Messaging Deployment,” on page 201—Some organizations do not see messaging as a mission-critical service or, for whatever reason, they decide not to implement highly available messaging. This chapter reinforces why messaging is mission critical and needs high availability. It addresses specific issues (pros and cons) with various high-availability architectures that customers have implemented as well as some of the caveats to keep in mind when planning and installing messaging in a high-availability environment. These lessons have been learned the hard way at various customer sites and are found nowhere else in the documentation or technical notes.
Chapter 15, “Managing Messaging Services and Preventive Maintenance,” on page 209—As with any system, your messaging server requires routine maintenance. This chapter outlines the best practices and issues surrounding day-to-day and routine maintenance involved in managing a messaging server, specifically the Sun ONE Messaging Server. While the current documentation explains the basic commands, it does not address automation or scripting of these functions, nor does it adequately cover techniques that can improve backup and recovery time.
Chap ter 16, “Monitoring a Sun ON E Messaging Server,” on pag e 215—This chap terexplains h ow to m onitor your systems an d the Messaging Server software thatcomprises your email infrastructure. System monitoring is an important part of theoverall manag ement effort. Tools can range from simple m onitoring of the basichardw are and n etwork infrastructure to m ore comp lex monitoring such as responsetime and error logging. They can be homegrown, open source, or commercialprod ucts. You can implem ent one or m any.
App end ix A ,“Case Stu dies,” on pa ge 221—This app end ix contains a series of casestud ies to illustrate several points mad e throug hou t this book as well as to highlightsome sp ecific lessons learned . Architecture d iagram s and time lines are p rovided forreference. These cases occu rred ov er the p ast few years an d a re actually a comp ositeof the case stud ies of several d ifferent customers.
Appendix B, “Majordomo Integration,” on page 231—This appendix contains procedures for integrating all of the functionality of majordomo with sendmail into the Messaging Server.
This book is based on the following software:
• Solaris™ 8 or Solaris 9 Operating Environment (Solaris OE)
• Sun ONE Messaging Server 5.2
• Sun ONE Directory Server 5.1
• Sun ONE Web Server 6.0
• Sun ONE Calendar Server 5.1.1
It does not cover in detail basic UNIX administration, DNS or LDAP services, command reference information, or other information that is normally found in the product manuals. Moreover, the book does not address older versions of messaging software such as Sun™ Internet Mail Server (SIMS v3.x or SIMS v4.x) software or Netscape Messaging Server (NMS v3.x or NMS v4.x) software.
Related Documentation
The following table lists manuals that provide additional useful information. The Sun ONE products were formerly known as iPlanet products, so the titles of many of the manuals listed contain iPlanet instead of Sun ONE.

These manuals are located at:
http://docs.sun.com/db/prod/sunone.

Title                                                      Author and Publisher   Part Number
iPlanet Messaging Server 5.2 Administration Guide          Sun Microsystems       816-6009
iPlanet Messaging Server Installation Guide for UNIX       Sun Microsystems       816-6014
iPlanet Directory Server Installation Guide                Sun Microsystems       816-5610
Sun ONE Calendar Server 5.1.1 Installation Guide           Sun Microsystems       816-6414
iPlanet Messaging Server Reference Manual                  Sun Microsystems       816-6020
iPlanet Messenger Express 5.2 Customization Guide          Sun Microsystems       816-6010
Solaris 8 (SPARC Platform Edition) Installation Guide      Sun Microsystems       806-0955
Solaris 9 Installation Guide                               Sun Microsystems       816-7171
Solaris System Administrators Guide on Security Services   Sun Microsystems       806-4078

Shell Prompts

Shell                                   Prompt
C shell                                 machine-name%
C shell superuser                       machine-name#
Bourne shell and Korn shell             $
Bourne shell and Korn shell superuser   #
Typographic Conventions

Typeface    Meaning                                        Examples
AaBbCc123   The names of commands, files, and              Edit your .login file.
            directories; on-screen computer output         Use ls -a to list all files.
                                                           % You have mail.
AaBbCc123   What you type, when contrasted with            % su
            on-screen computer output                      Password:
AaBbCc123   Book titles, new words or terms, words to be   Read Chapter 6 in the User’s Guide.
            emphasized. Command-line variables; replace    These are called class options.
            with real names or values.                     You must be superuser to do this.
                                                           To delete a file, type rm filename.

Ordering Sun Documents
The SunDocsSM program provides more than 250 manuals from Sun Microsystems, Inc. If you live in the United States, Canada, Europe, or Japan, you can purchase documentation sets or individual manuals through this program.

Accessing Sun Documentation
You can view, print, or purchase a broad selection of Sun documentation, including localized versions, at:
http://docs.sun.com/.
Using UNIX Commands
This document does not contain information on basic UNIX commands and procedures such as shutting down the system, booting the system, and configuring devices. See one or more of the following for this information:
• Solaris Handbook for Sun Peripherals
• AnswerBook2™ online documentation for the Solaris OE
• Other software documentation that you received with your system

Contacting Sun Technical Support
If you have technical questions about this product that are not answered in this document, go to:
http://www.sun.com/service/contacting.

Sun Welcomes Your Comments
Sun is interested in improving its documentation and welcomes your comments and suggestions. You can submit your comments by going to:
http://www.sun.com/hwdocs/feedback.

Sun ONE Messaging Server Practices and Techniques for Enterprise Customers,
ISBN number 0-13-145496-X, part number 817-0763-10.
Please include the title, ISBN number, and part number of your document with your feedback.
CHAPTER 1
Messaging Overview
This chapter provides an overview of the factors facing messaging implementations today, how messaging systems are being used, what messaging trends within enterprises are, future uses of messaging currently being developed, and so forth. This chapter provides the basis for establishing messaging as a mission-critical system within the enterprise and exposes you to issues that you may not currently be considering. This chapter contains the following topics:
• Connectivity
• Number of Devices
• Number of Messages
• Average Message Size
• Protocols
• Security and Privacy
• Regulatory Issues
Electronic messaging, or email as it is more commonly referred to, is becoming more of a mission-critical network service every year. It is doubtful if any person in an organization can identify everyone or everything that relies upon the messaging system. Typically, the only time it becomes clear who and what actually relies upon the messaging system is when there is a major outage or problem. Many factors are behind this trend, driving messaging to becoming more and more mission critical. Some of these factors are:
• Connectivity is getting better.
• Number of devices is increasing.
• Number of messages (traffic) is increasing.
• Size of the messages (attachments) is getting larger.
• Protocols to access email are changing.
• Security is more of a concern.
• Regulatory issues
Connectivity
Today more bandwidth is available than at any time before. It is no longer uncommon in an environment to find 10BASE-T switched network access, and in many cases now 100BASE-T, throughout an organization. In universities, it is common to find network ports in the dorm rooms (sometimes more than one port), faculty offices, study rooms, the library, and other places across campus. Some campuses are deploying Gigabit Ethernet in labs and select faculty offices. Corporate organizations are also deploying bandwidth like never before, with 100BASE-T to offices and Gigabit Ethernet in the data center and select facilities. Wires are no longer a constraint either. Bandwidth is even available from thin air as many organizations are deploying wireless networks (802.11a/b/g) or have plans in place to do so in the near future.

This access to bandwidth anytime and anywhere results in more messaging usage that now comes from a diverse population of clients (devices). No longer do users have to return to their base of operations, also known as a desk or cubicle, to send and receive email.

Older methods of modeling and understanding messaging systems were based upon dial-up connections, low bandwidth, and limited access assumptions. In today’s environment, these assumptions no longer apply.
Number of Devices
Cheaper electronics, personal digital assistants (PDAs), cell phones, and computers have resulted in a plethora of devices on the network, many of which are email enabled by default or can be quickly messaging enabled. It is no longer safe to assume a ratio of one person per device (access point). It is, given today’s penchant for connectivity and always-on models, possible to have two or three access points per person. This can, in fact, lead to situations where users are generating two or three connections simultaneously. It is not that humans (or the software for that matter) have learned to multitask so well, but rather that humans are not logical. The scenario of a student running to class while leaving a desktop computer running (and checking email in the background), accessing email from class or across campus with a PDA or laptop, is not far fetched. In the corporate world, an equivalent scenario would be J. Q. Manager leaving an office desktop running (and checking email) while leaving for a meeting and checking email on a PDA during the meeting. This means that you can no longer simply say one user equals one connection (device), and must plan for more connections in the future.
Number of Messages
In many ways, email has taken over what the telephone used to do. Today it is not uncommon for someone who is an active email user to receive 100 messages per day or more. Try to think of the last time you had 100 voice mail messages waiting in your voice mail box. Some say that instant messaging (IM) is going to overtake email and email will be obsolete. There is no doubt that instant messaging will affect email in some manner, but IM is a real-time communication method akin to actually talking on the phone. Email is like calling someone who is not there or is busy, and leaving a message on their answering machine or voice mail. Email is asynchronous and does not require the user’s immediate attention like instant messaging does, although many people leave email running all the time and use it like IM in some ways.

Another issue with IM is interoperability. IM is an immature technology when compared with email. It is hard to bridge across Yahoo! and AOL or MSN using IM, for example. The situation is getting better with the advent of new protocols such as Simple Internet Protocol (SIP) and SIMPLE, but IM is not there yet—and it is not quite as universal as email.

Another issue driving up the quantity of messages being sent and received is that other systems are becoming more integrated with email. Today many organizations are looking for unified messaging, providing a single point for email, faxes, and voice mail. Unified messaging allows integration between an organization’s voice mail system (or fax system) and an email (messaging) system in such a way that the voice mail system actually stores the voice mail messages in a person’s email inbox (or other folder). That way you can read your email and listen to your voice mail (or see your faxes) without having to check two separate systems. This capability adds yet another factor in terms of volume as well as size, since audio attachments can be large depending upon the sampling rate.

At some point in the future, IM might actually participate in this unified messaging environment. Imagine that email becomes the answering machine or recording device for IM sessions—for example, you are not able to participate in the 11:00 a.m. IM session to discuss the new marketing campaign, but the conference (including all the attachments and collaboration) gets saved in your inbox. How exactly has IM reduced your messaging requirements? IM might, in fact, add more traffic to your messaging system.
Average Message Size
Partly because of the increase in bandwidth but also as a result of the desire for fuller, richer multimedia experiences (for example, singing and dancing PowerPoint presentations), the average email is getting bigger. Where three or four years ago it was normal to have 10-kilobyte messages with occasional 100-kilobyte messages traversing the messaging system, today those figures are noticeably larger—somewhere around 25 to 30 kilobytes average message size, with occasional multimegabyte (one megabyte plus) messages appearing more frequently. Older models for messaging systems that were fine during the days of dial-up Internet where a 10-kilobyte email would take a minute to send just do not apply today.
Protocols
Older models for architecture and sizing generally based everything on Post Office Protocol (POP) and Simple Mail Transfer Protocol (SMTP) only. POP was for retrieving mail, and SMTP was for transferring mail between systems. Prior to POP, there was no protocol even to read email; rather, email clients like Pine and electronic mail (elm) really just browsed the inbox directly via the Network File Server (NFS) or the file system. These were typically sized as generic or lightweight interactive logins.

Today, Internet Message Access Protocol (IMAP) and web mail have taken over POP in enterprise accounts, and while SMTP is still the transfer protocol, other transfer protocols such as Short Messaging Service (SMS) for pagers and PDAs have been added too. SMS does not carry the same overhead in terms of headers, signatures, and attachments that SMTP does, but it does not do attachments either. One advantage that SMS offers beyond being lightweight is the ability to embed short responses such as YES and NO within the message for quick reply by the recipient. Environments such as hospitals that rely upon pagers typically use SMS to allow for a message with response.
Security and Privacy
This is a huge topic on which an entire book could be written. As we have increased reliance upon email, increased bandwidth, increased access to bandwidth, and increased the number of devices on the network, we have also increased the need for security and privacy. More and more customers are using Secure Sockets Layer (SSL) methods to secure the communication protocol whether it is POP, IMAP, SMTP, or HTTP (web mail).

Many customers are adding virus scanning to their messaging layer—what used to be uncommon (virus-scanning messages in the messaging system) is now common. In reality, this was not a complete surprise or a giant step. Many organizations began with scanning just messages coming into their system from the Internet. Two or three years ago, when customers asked about virus scanning, that was it. Then, it became necessary or desirable to scan outgoing email (being a good Internet citizen and all that) and to scan everything between users too. So, nowadays it is more likely to scan everything due to issues of viruses within the enterprise.

In addition to virus scanning, many organizations also want to eliminate spam, also called unsolicited bulk email (UBE) or unsolicited commercial email (UCE). This adds yet an additional workload to the messaging system that was not there five years ago.
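Whether POP, IMAP, and SMTP are actually protected by SSL/TLS can be read off what each listener advertises before any login: the EHLO extension list (STARTTLS, RFC 3207), the IMAP CAPABILITY response (STARTTLS and LOGINDISABLED, RFC 2595), and the POP3 CAPA list (STLS, RFC 2449). The following is an added example, not code from the book or from Sun: it parses constructed sample responses and grades each service as ok, weak (TLS offered but a cleartext login method still advertised before TLS), or cleartext-only. The grading policy is the editor's own, and the server responses are constructed, not captured from any real system.

```python
"""Grade the advertised transport security of SMTP, IMAP and POP3 listeners.

Added example, not code from the book or from Sun. The three responses
below are constructed samples; the grading rules are the editor's policy.
"""

# Constructed EHLO reply (RFC 2821 multi-line format; not a real capture).
SMTP_EHLO_RESPONSE = """\
250-mail.example.com Hello client.example.net
250-SIZE 20971520
250-STARTTLS
250-AUTH PLAIN LOGIN
250 HELP"""

# Constructed untagged IMAP CAPABILITY response (RFC 2595 tokens).
IMAP_CAPABILITY_RESPONSE = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"

# Constructed POP3 CAPA reply (RFC 2449), terminated by a lone '.'.
POP3_CAPA_RESPONSE = """\
+OK Capability list follows
TOP
USER
SASL PLAIN
UIDL
."""


def parse_smtp_ehlo(text):
    """Map EHLO extension keyword -> its parameters; the first line is the greeting."""
    exts = {}
    for line in text.splitlines()[1:]:
        if not line.startswith('250'):
            continue
        body = line[4:].split()            # strip the '250-' / '250 ' prefix
        if body:
            exts[body[0].upper()] = [p.upper() for p in body[1:]]
    return exts


def parse_imap_capability(text):
    """Return the set of capability tokens from '* CAPABILITY ...'."""
    tokens = text.split()
    if tokens[:2] != ['*', 'CAPABILITY']:
        raise ValueError('not an IMAP CAPABILITY response')
    return {t.upper() for t in tokens[2:]}


def parse_pop3_capa(text):
    """Map CAPA capability name -> parameters, stopping at the '.' terminator."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith('+OK'):
        raise ValueError('CAPA failed or is unsupported')
    caps = {}
    for line in lines[1:]:
        if line == '.':
            break
        parts = line.split()
        caps[parts[0].upper()] = [p.upper() for p in parts[1:]]
    return caps


def grade(starttls_offered, cleartext_login_before_tls):
    """Editor's policy: no TLS is the worst case; TLS plus cleartext login is weak."""
    if not starttls_offered:
        return 'cleartext-only'
    return 'weak' if cleartext_login_before_tls else 'ok'


def assess_smtp(ehlo_text):
    exts = parse_smtp_ehlo(ehlo_text)
    # AUTH PLAIN/LOGIN advertised in the pre-TLS EHLO means a client may send
    # credentials in the clear (RFC 4954 says servers should not do this).
    cleartext = any(m in ('PLAIN', 'LOGIN') for m in exts.get('AUTH', []))
    return grade('STARTTLS' in exts, cleartext)


def assess_imap(capability_text):
    caps = parse_imap_capability(capability_text)
    # Without LOGINDISABLED the LOGIN command is accepted before STARTTLS;
    # AUTH=PLAIN advertised pre-TLS is equally a cleartext path.
    cleartext = ('LOGINDISABLED' not in caps) or ('AUTH=PLAIN' in caps)
    return grade('STARTTLS' in caps, cleartext)


def assess_pop3(capa_text):
    caps = parse_pop3_capa(capa_text)
    cleartext = ('USER' in caps) or ('PLAIN' in caps.get('SASL', []))
    return grade('STLS' in caps, cleartext)


def assess_all():
    """Grade the three constructed sample listeners."""
    return {'smtp': assess_smtp(SMTP_EHLO_RESPONSE),
            'imap': assess_imap(IMAP_CAPABILITY_RESPONSE),
            'pop3': assess_pop3(POP3_CAPA_RESPONSE)}


if __name__ == '__main__':
    for service, verdict in assess_all().items():
        print('%-5s %s' % (service, verdict))
```

The check only covers the STARTTLS/STLS style of upgrade; a listener that speaks SSL from the first byte (the dedicated IMAPS, POP3S, or SMTPS ports the book's "SSL methods" also cover) shows nothing in these lists, so it must be inventoried separately. Replacing the sample strings with responses captured from your own listeners turns this into a quick audit of where a password could still cross the wire in the clear.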
Regulatory Issues
New regulatory issues beyond those on privacy are facing institutions these days. One of the more recent interpretations of existing laws (the Freedom of Information Act or their state-level equivalents) classifies email as official written correspondence for schools and government entities. In other cases, email is becoming a legal issue due to the Enron-type accounting scandals. And so email regarding official matters must be archived or retained for a set number of years. Therein lies the problem. How exactly can you pinpoint which emails are related to official matters and archive only those emails? Many times the answer is that you cannot. Therefore, archiving everything is required. Archiving increases the requirement for storage as well as the need for solid backup and recovery procedures. At Sun, the term “infinite mailbox” is being used to describe just such a message system.
CHAPTER 2
Messaging Services
This chapter provides an overview of the Sun ONE Messaging Server product as it fits into the software delivery network (SDN) concept, along with brief descriptions of the individual components that go into making an enterprise messaging system work. It highlights specific strengths of the Messaging Server product compared with other offerings on the market. The main emphasis of this chapter is on covering the interoperability of products that support open standards, and the advantages they offer.

Sun’s Messaging Strategy
Sun Microsystems, Inc. was founded on the philosophy of open systems, open standards. The mantra at Sun is “agree on standards and compete on implementation.” This philosophy is no different whether it is the Solaris OE or the Sun ONE Messaging Server product. In fact, the “ONE” in Sun ONE stands for Open Network Environment, in respect of open standards.
Open Standards
One of the nice things about messaging is that it is a mature area in the Internet space and has been around for more than 25 years. Thus, there are many mature, open protocols for messaging, unlike some of the other Internet protocols such as instant messaging (IM) or calendaring which still do not offer truly ubiquitous protocols although some are emerging like SIP/SIMPLE and iCAL. The current messaging protocols are:
• Internet Message Access Protocol (IMAP)
• Post Office Protocol (POP)
• Simple Mail Transfer Protocol (SMTP) and Extended Simple Mail Transfer Protocol (ESMTP)
• Lightweight Directory Access Protocol (LDAP)
• HyperText Transfer Protocol (HTTP)
• Secure Sockets Layer (SSL)
Popular Clients

By supporting standards, the Sun ONE Messaging Server is client agnostic, so Sun does not offer a thick (native) client for the various operating systems such as Windows, Mac OS, or Linux. Some of the more popular clients are:
• Netscape™ 7.0
• Mozilla
• Outlook
• Eudora
• Ximian
Any client that supports IMAP or POP along with SMTP should work just fine. Most modern clients go beyond this basic support, adding LDAP for address book lookup and SSL for security.

For a good technical overview of the Sun ONE Messaging Server product, including a list of supported open standards, obtain “Sun ONE Messaging Server version 5.2—A Technical Whitepaper” from your local Sun Sales Representative or System Engineer.

Messaging Services Beyond the Basics
Beyond the basics of providing messaging services, the issue is how these services are provided. Can the product scale? Is the product secure? How hard is the product to install and manage? How easily can users be provisioned? How flexible is the product? There are many messaging products out there, and each of them is architected and designed slightly differently. One product may store user names and passwords in a flat file, while others leverage LDAP. One product may provide integrated antivirus measures but not allow you to integrate a slightly better third-party product for antivirus protection.
There are several key items:
• Directory Services
• Web Messaging
• Address Book
• Calendar
• Portal
• Web Services
• Anyone, Anytime, Anywhere, Any Device
Directory Services

The directory is the brain or memory of the Sun ONE Messaging Server. It is used across the various products within the Sun ONE product line to provide user information, authentication, storage of policies and rules, configuration information, and registration of web services—for example, universal description, discovery, and integration (UDDI). It plays a central role in being able to easily provision accounts and services without managing separate user data for each application in an environment. By leveraging a directory as the central repository for user information, provisioning is a matter of granting privileges to the user or group of users to specific resources (services) by configuring attributes appropriately: changing an attribute changes access to a service. This eliminates the need to provision users in many separate systems.

Web Messaging
When the Web first started becoming a popular way to provide some abstraction regarding where you were located, the computer you were using, and the resource (for example, email) you were trying to access, adding an additional software package to provide this web mail interface was the norm. However, as time went by, this became a feature demanded by customers as part of the base messaging software, to eliminate the need to select, deploy, and manage something separate. By offering web mail as part of the messaging server, yet providing the ability to customize the “look and feel” of it for your users plus control which users have access to web mail, the Sun ONE Messaging Server offers savings over having to integrate a separate web mail software utility too. The nice part though is that should you decide, either for legacy or other reasons, to select and integrate another web mail interface—for example, IMP—you still have that option.
Address Book

A core requirement of messaging is being able to store and retrieve contact information. The Sun ONE Messaging Server leverages the underlying directory to provide personal address books. A new feature coming to the address book functionality is shared address books, which allow you to share your address book entries with other people and applications in a secure manner (for example, only those people and applications you wish to have access).
Calendar

As part of the overall Sun ONE product line, Sun offers a web-based calendar product called the Sun ONE Calendar Server. By providing calendar management for people, resources, and events, calendaring can be offered as a service to an entire organization and beyond.

The main issue regarding calendar technology adoption is lack of widely adopted calendar standards. iCal, SyncML, and vCal have been available for some time now; however, there is no single calendar standard that all vendors use.

Portal

Portals are very hot these days, but people rarely think beyond the basics to what lies behind the portal or makes a good portal. Simply put, a portal is technology that aggregates services and content together in a secure manner for a particular community of users. The services behind the scenes are things such as messaging and calendar services, while the content can be a variety of things, from static HTML content to true web applications and services.

A portal really brings to life the concept that the sum of the parts is greater than the whole. Without quality services and applications provided to the right people at the right time, a portal is just another pretty interface.

Sun’s philosophy is to leverage network identity management and scalable services like the Sun ONE Messaging Server, along with world-class partners such as Altio and FatWire, to provide a best-of-breed approach to meet customer portal needs with the Sun ONE Portal Server product.

By combining these things and leveraging web services for rolling out new services, the Sun ONE Portal Server provides a solid portal platform, today and tomorrow.
Web Services
By making messaging a web service, or at least a service that is always on and always there much like dial tone, the possibilities for use become significantly greater—now it can truly become the asynchronous messaging backbone for more than just person-to-person communication. Messaging can become integrated into workflow and business processing, becoming the transport of choice.
Anyone, Anytime, Anywhere, Any Device

Since early 1996 and before Sun released Java™ to the world, Sun’s motto has been “Anyone, Anytime, Anywhere, and Any Device.” This is definitely true with the Sun ONE Messaging Server.

By thinking “service” and providing device- and locale-neutral messaging, the number of nodes that can take advantage of such a messaging service (system) is enormous. Metcalfe’s law (formulated by Robert Metcalfe, founder of 3COM and regarded as the inventor of Ethernet) states that the “value” or “power” of a network increases in proportion to the square of the number of nodes on the network.
Marc Andreessen, one of the founders of the Web, said:

“A network in general behaves in such a way that the more nodes that are added to it, the whole thing gets more valuable for everyone on it because all of a sudden there is all this new stuff that was not there before. You saw it with the phone system. The more phones that are on the network, the more valuable it is to everyone because then you can call these people. Federal Express, in order to grow their business, would add a node in Topeka and business in New York would spike. You see it on the Internet all the time. Every new node, every new server, every new user expands the possibilities for everyone else who is already there.”

Reference: http://www.si.edu/resource/tours/comphist/ma1.html.
Integrated Yet Open—Project Orion
Project Orion is a new and innovative initiative with the goal of making enterprise infrastructure software predictable in its delivery, more freely accessible for evaluation, and even more affordable to purchase.
Project Orion is designed to take a view of the entire enterprise infrastructure software life cycle process, from development through production and ongoing operation, identifying and reducing the complexity and cost associated with each step.

Project Orion leverages Sun’s proven competency in developing and releasing large-scale systems software, best demonstrated by its multi-platform Solaris OE. The effort will align the integration, testing, and release of all of the company’s software products and pricing models. One of the biggest changes in Sun’s software release strategy has been to create a specific release model where major Solaris OE releases are only done every two years, providing stability for customers, and predictable minor releases are scheduled like clockwork on a quarterly basis. This is sometimes referred to as the Solaris train. All new software or features that are ready are allowed on board and released as part of the Solaris OE. Any software or features that miss the train catch the next one the following quarter, assuming the boarding criteria have been met. This allows for both quality and rapid release of features.

Project Orion brings this release model to the Sun ONE software packages, just as the Sun Solaris train model does. As each individual Sun ONE software component product satisfies the Project Orion criteria, it boards the software train. Each software train leaves on a regular quarterly schedule. New component product features or versions that are not ready for boarding catch the next software train if they are ready. Each software train goes through extensive end-to-end testing based on customer use scenarios prior to shipping. Component products must successfully complete testing prior to shipping on a quarterly-release software train.

Project Orion also allows customers to select best-of-breed components from Sun’s partners if they so choose. If you already have a specific Java Application Server, continue to use it—Sun ONE is integrated, yet open.

SDN Concept
Today’s migration towards “always-on” services requires a new type of network architecture, one that is built from the top down with the goal of delivering software as “services” regardless of the final delivery technology (such as wireless or broadband) or what specific “service” is being delivered (for example, web services versus messaging). These solutions require optimal architectures that can support ubiquitous service access.

The emphasis on service delivery is the heart of the SDN, a service-based network architecture for data center deployments. The SDN architecture services provide a foundation for scalable e-services, such as those offered by Sun ONE, while helping customers meet demands for reliability and performance.
Several growth areas affect future computing platforms and the services delivered by organizations today:
• Growth and availability of network bandwidth
• Growth of data-intense wireless services
• The need for disaster recovery and mission-critical service delivery
• Growth of computer processing, taking advantage of rich content
These factors significantly enhance the need for scalable, highly secure, and high-performance network topologies that can support high-velocity change. The Sun Professional Services Software Delivery Network architecture service offerings have been developed to help customers meet these needs while supporting future technology requirements.

The SDN architecture is a highly scalable, maintainable, supportable network architecture that can be deployed in Internet data centers (IDCs), service provider networks (SPNs), and other areas and projects that are designed, integrated, and supported by Sun Professional Services and Enterprise Services as SunTone Certified, where possible.

The majority of SDN architecture sales are made in conjunction with a fairly large infrastructure solution project such as Messaging or Directory design and implementation. Many of these are for large service provider (SP) organizations, but the concepts, availability, and security issues apply to most organizations.

SDN architecture is project based, usually coupled with a data center implementation similar to the business model already seen in EMEA, often including Web services and Sun ONE or Wireless. It will be an essential component of these implementations to enable achievement of our customers’ Quality of Service (QoS) requirements.

For more information see:
http://www.sun.com/service/sunps/architect/delivery/.

Conclusion
By sticking with open standards, thinking of messaging as a “service,” and looking at future possibilities for use (for example, portals) when evaluating or architecting a messaging infrastructure, the result will be a solid, scalable, open architecture with flexibility to meet future needs not yet defined.
CHAPTER 3
Messaging Architectu res
This chap ter describes the architectures of some of the more comm on configurationsand explains that there are almost infinite com binations. It outlines the pr os andcons of each architecture to provide you with information to determine whicharchitectures meet your enterprise messaging requirements. Chap ter 10, “Security,”on p age 153 ad dresses security in detail, bu t a secure architecture is discus sed in th ischapter t o ind icate the u se of firew alls in m ultiple layers, that is, a dem ilitarizedzone (DMZ) as not all messaging system s actually are behind firewalls.
This chapter covers the following topics:
- Directory
- MTA
- Mailstore
- Proxy Servers
- Simple Single-Layer Architecture
- Simple—Alternative Architecture
- Typical Architecture
- Secure—Basic Architecture
- High Availability—Failover Architecture
Often there is more than one method of doing things. Designing and installing a messaging system is no different. Depending upon your organization's specific goals, skills, and networking environment, one architecture may be more relevant than another.
Generally, the architectures can be organized into several categories or combinations of categories:
- Simple Single Layer
- Multitiered
- Secure
- Highly available
To help you understand more about messaging architecture, this chapter reviews some of the basic parts of the messaging system first.
Four basic parts of a messaging system are important, and each can be sized:
- Directory
- Gateway, also called message transfer agent (MTA)
- Mail server, also called mailstore
- Proxy server
Directory
The directory or user store in the messaging architecture stores user information such as ID, password, and email address. The software of many messaging servers utilizes the user store mechanism of the host, such as /etc/passwd on the Solaris OE. Others, such as the Sun ONE Messaging Server, utilize a directory or LDAP service to store and access user information.
The Sun ONE Messaging Server ships with and requires a fully compliant LDAP directory that contains directory objects specific to the Sun ONE Messaging Server software. These directory objects extend the default Internet Engineering Task Force (IETF) schema with additional attributes. A complete guide to the Sun ONE Messaging Schema is part of the existing documentation.
These additional attributes contain information such as an alternate address, or alias as it is sometimes called. Other attributes are used to store user preferences for web mail and configuration information about email services, as well as group information (mailing lists) and personal address books. In the Messaging Server software, information regarding processing a user's inbound email, such as vacation messages, server-side filters, and forwarding, is also stored in the directory.
The directory is a lot like a database—a very small, fast database. One thing to note is that when directories or LDAP were originally developed, they were primarily designed to be read oriented, say a 90 percent read and 10 percent write ratio. Today's usage of the directory has changed significantly. Things like messaging, calendar, and portal all store preferences and information in a directory server. The read/write ratio is now closer to 80 percent read and 20 percent write. So it is critical that the directory is available and that directory performance is good or better than good.
MTA
The MTA, which is sometimes referred to as the mail gateway or SMTP server, routes the mail to its destination or rejects it if it is not properly formatted or addressed, or is simply not for this messaging system. This is typically done via SMTP or related protocols such as the Extended Simple Mail Transfer Protocol (ESMTP) and Local Mail Transfer Protocol (LMTP). Basically, the MTA is to email what a Cisco router is to IP packets.
The MTA is also what determines how messages are handled for specific users based on their preferences stored in the directory (for example, a vacation message). And, it is the place where expansion of mail lists, groups, and aliases occurs. The MTA is typically where advanced processing gets done and where integration with third-party software packages such as virus scanning and antispam functionality occurs.
Mailstore
The basic function of the mailstore, sometimes incorrectly referred to as the mail server, is to store and send email to users via IMAP, POP, and web mail. The Sun ONE Messaging Server software is somewhat unique among the messaging systems on the market. Most messaging systems store email in a file system only or within a database only. The Messaging Server system offers a hybrid approach, storing messages in a file system, but also storing a copy of the header information (date, time, subject, sender, and so forth) in a database. This improves performance so that when users log in or sort email in their client, very little if any file system interaction is necessary. The information all comes from the database, which should be mostly in memory.
Mailstores can often be hundreds of gigabytes due to requirements for archiving and the volume and size of email messages these days, as outlined in the first chapter. It is not uncommon to find terabyte-sized mail stores, for example:
50,000 mailboxes × 20-megabyte quota = 1,000,000 megabytes = 1000 gigabytes = 1 terabyte
Proxy Servers
To allow for flexibility, redundancy, and abstraction and to provide a layer of security, organizations often utilize a concept known as proxy servers. They are fairly standard within the web server side of the infrastructure, but less so for messaging.
The Sun ONE Messaging Server software environment offers two proxy servers:
- messaging multiplexer proxy (MMP)
- messenger express multiplexer (MEM)
MMP proxies POP and IMAP connections, whereas the MEM off-loads the web mail client from the mailstore, so in a true sense MEM is a front-end, not a proxy.
Why a proxy function? Well, in a large Internet Service Provider or in environments that have grown beyond a single mailstore, the proxy hides the fact that you have multiple back-end servers, allowing a single client configuration (for example, smtp.company.com and imap.company.com) regardless of which mail server the user's physical inbox is on.
Sometimes network security requirements dictate the use of a proxy mechanism as well, so that the service, such as POP or IMAP, can be exposed while the content server (mailstore) is not.
Simple Single-Layer Architecture
In the simplest form, sometimes referred to as messaging in a box, all the components of the messaging server run on a single system (FIGURE 3-1) and no proxy is involved.
The components are:
- Directory
- MTA
- Mailstore
FIGURE 3-1 Messaging Server, Storage, and Firewall Messaging System (diagram: Internet or WAN, Firewall, Server, Storage)
The benefits and drawbacks to this type of architecture are:
- Simple
- Easy to manage
- Easy to troubleshoot
- Low total cost of ownership (TCO)
- Limited scalability—This architecture is obviously limited in scalability to the computer system's size (CPU and memory) and the operating system's scalability. Do not let this fool you into thinking that it cannot scale at all. In some messaging architectures, servers utilizing Sun hardware and the Solaris OE have scaled as high as 16 CPUs and are supporting thousands of concurrent users.
- No high availability—With everything in a single server, you have no redundancy beyond what is provided with that single system. You can get some availability through redundant components such as:
  - Power supplies
  - Network interfaces
  - CPU/Memory boards
  - RAID protected storage
- Security—Just because it is a simple configuration does not mean that it is entirely without security or that you cannot secure the system. Standard practices of turning off unused services, for example telnet, and replacing them with alternatives like ssh still apply, as does the use of firewall technology. However, without some form of relay or proxy for SMTP traffic from the Internet, this system will be accessible through SMTP directly from the Internet.
So, while a simple configuration is less secure than other configurations, it is not completely insecure. Overall this simple configuration tends to work for labs, training facilities, and very small systems where simplicity is the foremost requirement.
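The service hardening described above, as an added example that is not part of the BluePrint: a POSIX shell script that audits a Solaris 8-style /etc/inetd.conf, comments out the cleartext services (telnet, ftp, and the r-services) and reports anything from that list still enabled. The sample inetd.conf it writes is constructed for the demo, and which services count as "unused" is an assumption; adjust both for your host.

```sh
#!/bin/sh
# Added example (not from the BluePrint): audit /etc/inetd.conf on a
# Solaris 8-era host and switch off cleartext services such as telnet.
# Solaris 8 inetd reads one service per line from /etc/inetd.conf; a
# leading '#' disables the entry.  The sample file written by
# make_sample_inetd_conf is constructed for the demo; on a real host
# point INETD_CONF at /etc/inetd.conf (after backing it up) and send
# inetd a HUP once the file has been edited.

INETD_CONF=${INETD_CONF:-${TMPDIR:-/tmp}/inetd.conf.demo}

# Services that send credentials in the clear or trust the client's
# address; which ones count as "unused" is this example's assumption.
CLEARTEXT_SERVICES="telnet ftp shell login exec"

make_sample_inetd_conf() {
    cat > "$INETD_CONF" <<'EOF'
# constructed sample of a Solaris 8 /etc/inetd.conf (not a real host's file)
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
login   stream  tcp     nowait  root    /usr/sbin/in.rlogind    in.rlogind
exec    stream  tcp     nowait  root    /usr/sbin/in.rexecd     in.rexecd
#tftp   dgram   udp     wait    root    /usr/sbin/in.tftpd      in.tftpd -s /tftpboot
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
EOF
}

# Print the name of every service that is still enabled (not commented out).
enabled_services() {
    awk '$0 !~ /^[ \t]*#/ && NF > 0 { print $1 }' "$INETD_CONF"
}

# Comment out the line(s) for one service.  The file is rewritten through a
# temporary copy and renamed into place so a crash cannot leave it truncated.
disable_service() {
    awk -v svc="$1" '$1 == svc && $0 !~ /^[ \t]*#/ { print "#" $0; next } { print }' \
        "$INETD_CONF" > "$INETD_CONF.tmp" && mv "$INETD_CONF.tmp" "$INETD_CONF"
}

disable_cleartext_services() {
    for svc in $CLEARTEXT_SERVICES; do
        disable_service "$svc"
    done
}

# Exit 0 when no cleartext service is enabled, 1 otherwise, printing the
# offenders; suitable for a cron job or a JumpStart finish script.
check_hardened() {
    rc=0
    for svc in $(enabled_services); do
        for bad in $CLEARTEXT_SERVICES; do
            [ "$svc" = "$bad" ] && { echo "$svc"; rc=1; }
        done
    done
    return $rc
}
```

On a live host, back up /etc/inetd.conf, run disable_cleartext_services with INETD_CONF=/etc/inetd.conf, then pkill -HUP inetd so the change takes effect; keeping check_hardened in cron catches a service that someone re-enables later.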
Simple—Alternative Architecture
The preceding configuration or architecture is very simple. One of the most common additions to the simple configuration is virus scanning in some manner. There are various methods of adding virus scanning to the messaging architecture, including:
- Adding a virus appliance such as Borderware or Symantec
- Adding a virus firewall such as Trend Micro's VirusWall
- Adding virus scanning software on the messaging server itself
Each of these approaches has pros and cons.
As many organizations are well aware, relying only on desktop virus-scanning software does not eliminate all viruses, for many reasons. Since viruses spread through email in addition to other methods, adding virus scanning to the messaging environment is a natural choice.
By combining a simple messaging install with an SMTP firewall product (FIGURE 3-2) offering antivirus (and potentially antispam) protection, the system accomplishes several things:
- Off-loads antivirus scanning from the messaging system—Often scanning takes significant processing power due to the requirement to examine all attachments, including attachments stored in compressed formats such as zip files, which must be uncompressed first. It is not uncommon to have compressed files within compressed files. The level to which you scan is configurable, but each level takes more power.
- Isolates the Sun ONE Messaging Server from direct Internet access—Many hackers are well aware of exploits via SMTP and use the SMTP protocol to hack into people's networks or systems. By placing a firewall between the Internet and the mail server, a level of security is added. However, firewalls that offer an SMTP relaying function are often not nearly as secure as the Sun ONE Messaging Server relay; careful consideration is required.
- Reduces the messaging workload—In addition to off-loading the antivirus and antispam workload, it also off-loads the rejection of email not destined for your messaging server.
- Maintains overall simplicity—Still maintains most of the benefits of simplicity while adding additional security.
FIGURE 3-2 Alternate Configuration With SMTP Firewall (diagram: Internet or WAN, SMTP firewall, Server, Storage)
Typically the main drawbacks of this configuration are:
- Added server requirement—The need to now manage two physical servers adds slightly more workload for the system administrator.
- Messaging headers—To scan all messages, sometimes message headers must be rewritten and the messages forwarded to the scanning virus wall from the messaging server.
- Lack of flexibility—There are not a whole lot of optional configurations with a firewall and virus scanner in place; sometimes, this is the only such option available.
- Little, if any, redundancy—Since there is only one messaging system, there is no redundancy, or little beyond that which the single system provides (that is, RAID storage or redundant power supplies). Messages may or may not queue up on the virus wall server, depending upon its capabilities.
Although many sites use a virus firewall in front of the messaging server, there are disadvantages when putting another SMTP server in front of the Sun ONE Messaging Server's MTA as the outermost SMTP server in your organization. Here is a partial list of the major reasons:
- First and foremost, the vendors specialize in virus filtering. They are not experts in MTA technology, so their SMTP server is basic and not as full featured as the Sun ONE Messaging Server.
- Limited, if any, SMTP extension support, which means:
  - No SMTP AUTH
  - No NOTARY (for example, delivery receipt requests)
  - No Deliver By (certain date)
  - No size-based extensions
  - No pipelining
  - No SSL/TLS
- MIME support is minimal, with no support for other messaging formats (for example, RFC 1154, which is what Microsoft used before Exchange, NeXT Mail, BinHex, or uuencode)
- Limited, if any, realtime blackhole list (RBL) support
- No handling of very long header lines (a common technique to exploit buffer overflow errors in various mail clients)
- No tools for blocking mail based on various pieces of originator information
- No MMP
- Limited mail routing capabilities
However, for simplicity's sake, many organizations still elect to use this alternative architecture.
Typical Architecture
A slightly more typical architecture (FIGURE 3-3), one more commonly found, adds a couple of SMTP relays to the simple configuration.
FIGURE 3-3 Alternate Configuration With SMTP Relays and Firewall (diagram: Internet or WAN, Firewall, two SMTP relays, Firewall, Server, Storage)
Often one relay is configured as inbound and the other outbound. These relays off-load the routing and rejecting of messages. These relays can also run antivirus and antispam software. This configuration assumes that the only protocol coming from the Internet or going out to the Internet is SMTP. Users access the messaging system internally only, through a virtual private network (VPN) or through the firewall. Combining a simple messaging installation with a pair of MTAs (SMTP routers) and a firewall accomplishes several things:
- Reduces routing workload for messaging—Some of the routing workload is being off-loaded, so messages destined for other mail servers internally or externally do not use the main messaging server.
- Isolates the messaging server from direct Internet access—Many hackers are well aware of exploits via SMTP and use the SMTP protocol to hack into people's networks or systems. By placing a firewall between the Internet and the mail server, a level of security is added. By no means is this 100 percent secure, but it does add some security.
- Off-loads antivirus scanning from the messaging system—Antivirus scanners such as Sophos Sweep or Symantec for UNIX can be loaded and integrated with the MTA of the Sun ONE Messaging Server.
- Duplicate MTAs—While they are typically configured with one MTA handling inbound messages and the other handling outbound messages, they can be configured identically and used as redundant systems, with one MTA primarily (but not exclusively) handling inbound messages and the other primarily handling outbound messages. This is accomplished via round-robin DNS and mail eXchanger record (MX) configuration.
The main drawbacks of this configuration are:
- Added server requirements—The need to manage more physical servers adds more workload for the system administrator.
- The need to maintain two MTAs—The need to edit and maintain both MTAs and keep them configured and synchronized with one another adds some complexity.
- Little, if any, redundancy—Since there is only one messaging system, there is no redundancy, or little beyond that which the single system provides (that is, RAID storage or redundant power supplies). If the single messaging system fails, messages will still queue up for delivery on the MTAs (for users) and outgoing messages will still get sent to the Internet, but no users will be able to read them.
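One way to catch the two relays drifting apart, the maintenance burden named in the drawbacks above, as an added example written for this page (not tooling from the BluePrint or the product): each relay's MTA configuration directory is reduced to a sorted checksum manifest and the manifests are compared. The directory layout and file names below are constructed for the demo, not the Sun ONE Messaging Server's own; point config_drift at copies of the real configuration directories from each relay.

```sh
#!/bin/sh
# Added example (not from the BluePrint): detect configuration drift between
# the two SMTP relays, which the architecture expects to be configured
# identically.  Each relay's configuration directory is reduced to a sorted
# checksum manifest and the two manifests are compared.  The directory
# layout and file names below are constructed for the demo and are not the
# Sun ONE Messaging Server's own; point config_drift at the real MTA
# configuration directories (copied from each relay, or mounted over NFS)
# on your installation.

# "crc size ./relative-path" for every regular file under $1, sorted so two
# manifests can be compared line by line with comm.
manifest() {
    ( cd "$1" && find . -type f -exec cksum {} \; | sort )
}

# Print the relative paths that differ or exist on only one side; exit 0 when
# the two directories are identical, 1 otherwise.  (Paths containing spaces
# would need a different field split; MTA config files do not have them.)
config_drift() {
    tmp=${TMPDIR:-/tmp}/drift.$$
    manifest "$1" > "$tmp.a"
    manifest "$2" > "$tmp.b"
    drift=$(comm -3 "$tmp.a" "$tmp.b" | awk '{ print $3 }' | sort -u)
    rm -f "$tmp.a" "$tmp.b"
    if [ -n "$drift" ]; then
        echo "$drift"
        return 1
    fi
    return 0
}

# Constructed pair of relay config directories; relay2 has drifted.
make_sample_relays() {
    base=${TMPDIR:-/tmp}/relay-demo.$$
    mkdir -p "$base/relay1/config" "$base/relay2/config"
    for r in relay1 relay2; do
        printf '%s\n' 'max_header_line 998' 'relay_from 10.0.0.0/8' \
            > "$base/$r/config/relay.conf"
        printf '%s\n' 'BLOCKED_SENDERS' '  *@spam.example   $N' \
            > "$base/$r/config/mappings"
    done
    # relay2 has an extra blocked sender and a debug file relay1 lacks
    printf '%s\n' '  *@phish.example  $N' >> "$base/relay2/config/mappings"
    printf '%s\n' 'debug on' > "$base/relay2/config/local.conf"
    echo "$base"
}
```

Run config_drift from cron against fresh copies of both relays' configuration and page on a non-zero exit; the printed paths are the files to reconcile. A stale blocking table on one relay is exactly the kind of difference round-robin DNS will hide from you, because half the connections will still be filtered correctly.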
Secure—Basic Architecture
This architecture (FIGURE 3-4) continues to build upon the typical architecture, adding the proxy servers for user access (that is, IMAP or POP).
FIGURE 3-4 Proxy Configuration With SMTP Relays and Firewall (diagram: Internet or WAN, Firewall, two SMTP relays and two Proxies, Firewall, Server, Storage)
The addition of these proxy servers extends the protocols through the firewall securely. Users must authenticate to these servers first, then they are proxied to the messaging server and only the messaging server.
Note – This configuration does not address all aspects of messaging security such as SSL, Secure Multipurpose Internet Mail Extensions (S/MIME), or an encrypted file system. Some of these methods are discussed in more detail later in this book. This architecture only addresses the physical and basic network layout.
Adding the proxy servers for IMAP, POP, and web mail:
- Extends the messaging server externally without requiring a virtual private network (VPN).
- Reduces routing workload for messaging—Some of the routing workload is being off-loaded, so messages destined for other mail servers internally or externally do not use the main messaging server.
- Provides duplicate MMP and MEM servers, which adds redundancy—Using round-robin DNS or a network-based load balancer, redundancy for this type of server can be accomplished.
- Isolates the messaging server from direct Internet access—Many hackers are well aware of exploits via SMTP and use the SMTP protocol to hack into people's networks or systems. By placing a firewall between the Internet and the mail server, a level of security is added. By no means is this 100 percent secure, but it does add some security.
- Off-loads antivirus scanning from the messaging system—Antivirus scanners such as Sophos Sweep or Symantec for UNIX can be loaded and integrated with the MTA of the Messaging Server.
The main drawbacks of this configuration are:
- Added server requirements—The need to manage more physical servers adds more workload for the system administrator.
- Need to maintain two MTAs—The need to edit and maintain both MTAs and keep the configurations synchronized with one another adds some complexity.
- Additional firewall configuration required—Due to all the ports and servers, the firewall must be configured appropriately.
- Little, if any, redundancy—Since there is only one messaging system, there is no redundancy, or little beyond that which the single system provides (that is, RAID storage or redundant power supplies). If the single messaging system fails, messages will still queue up for delivery on the MTAs (for users) and outgoing messages will still get sent to the Internet, but no users will be able to read email. Web mail users will not have anything.
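The firewall configuration that the "additional firewall configuration" drawback refers to, as an added example written for this page (not a rule set from the BluePrint or the product): the secure architecture is written down as an explicit flow table, per-firewall rules are generated from it, and a check confirms the property the two-layer design exists for, that nothing from the Internet reaches the mailstore directly. Addresses (RFC 5737 documentation ranges), interface names, the use of HTTPS on port 443 for web mail, and the IP Filter (ipf) rule syntax are all this example's assumptions.

```sh
#!/bin/sh
# Added example (not from the BluePrint): write the "secure basic"
# architecture down as an explicit flow table and generate firewall rules
# from it.  The outer firewall admits only SMTP to the relays and POP, IMAP
# and HTTPS (web mail) to the proxies; the inner firewall admits only the
# relays and proxies to the mailstore.  Addresses (RFC 5737 documentation
# ranges), interface names, the HTTPS port for web mail and the IP Filter
# (ipf) rule syntax are this example's assumptions.  Flows the secure
# architecture also needs (outbound SMTP from the relays, LDAP from relays
# and proxies to the directory, administration) are left out to keep the
# table short; add them to FLOWS in the same form.

RELAY1=192.0.2.11; RELAY2=192.0.2.12
PROXY1=192.0.2.21; PROXY2=192.0.2.22
STORE=10.0.1.10
OUTER_IF=hme0   # Internet-facing interface of the outer firewall
INNER_IF=hme1   # DMZ-facing interface of the inner firewall

# One allowed flow per line: "firewall source destination tcp-port".
# Anything not listed is dropped by the default block rule.
FLOWS="
outer any $RELAY1 25
outer any $RELAY2 25
outer any $PROXY1 110
outer any $PROXY1 143
outer any $PROXY1 443
outer any $PROXY2 110
outer any $PROXY2 143
outer any $PROXY2 443
inner $RELAY1 $STORE 25
inner $RELAY2 $STORE 25
inner $PROXY1 $STORE 110
inner $PROXY1 $STORE 143
inner $PROXY2 $STORE 110
inner $PROXY2 $STORE 143
"

# Print ipf rules for one firewall (outer|inner): a stateful pass rule per
# flow, then a logged default block.
gen_rules() {
    case $1 in
        outer) ifc=$OUTER_IF ;;
        inner) ifc=$INNER_IF ;;
        *) echo "unknown firewall: $1" >&2; return 2 ;;
    esac
    echo "$FLOWS" | awk -v fw="$1" -v ifc="$ifc" '$1 == fw { printf "pass in quick on %s proto tcp from %s to %s port = %s flags S keep state\n", ifc, $2, $3, $4 }'
    echo "block in log on $ifc all"
}

# Exit 0 if no flow lets the Internet ("any") reach the mailstore directly,
# 1 otherwise.  Run this before loading the rules: it is the property the
# whole layered design exists to guarantee.
store_not_exposed() {
    echo "$FLOWS" | awk -v store="$STORE" '$2 == "any" && $3 == store { bad = 1 } END { exit bad ? 1 : 0 }'
}

# Number of pass rules for a firewall, for a quick review of rule-set size.
pass_rule_count() {
    gen_rules "$1" | grep -c '^pass '
}
```

Keeping the flow table, rather than the rule files, as the reviewed artifact means a change to either firewall is a one-line diff that a second person can read, and store_not_exposed can gate the deployment of both rule sets.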
High Availability—Failover Architecture
One of the easiest and simplest ways of architecting a high-availability configuration is to cluster, using the Sun™ Cluster 3.0 software for example (FIGURE 3-5).
FIGURE 3-5 Simple Failover Configuration (diagram: Firewall, Network with backup net connection, two Servers joined by a Cluster interconnect, Shared storage)
This architecture provides a highly available yet simple configuration. As you would expect, the benefits and drawbacks of this architecture closely mirror those of the simple configuration, with the exception being that it is now highly available.
The clustering software not only handles hardware failures but in many cases software issues as well, trying to restart failed daemons or processes first, then triggering a complete restart or failover of the entire system.
Failover itself can vary from minutes to as much as an hour depending upon the specific configuration, settings, and storage status. Should a catastrophic storage failure occur, parity and sanity checks on the storage subsystem can add significantly to the normally fast (that is, less than 10 minutes) failover time.
A more complex high availability configuration (FIGURE 3-6) combines portions of the secure architecture with that of the simple failover.
FIGURE 3-6 Failover With Relays and Firewall (diagram: Internet or WAN, Firewall, two SMTP relays and two Proxies, Firewall, Network with backup net connection, two Servers joined by a Cluster interconnect, Shared storage)
By combining the secure configuration with parts of the simple failover, you can obtain availability for the routing (MTA), access (proxy), and mailstore, yet have the ability to extend services such as web mail, IMAP, and POP access to users external to the internal network.
One aspect of availability that will be addressed further in Chapter 14, "Highly Available Messaging Deployment," on page 201, is Directory Server availability.
Currently there are two models for providing availability of LDAP (directory) services—the traditional failover using Sun Cluster or VERITAS products and the Multiple Master Replication feature of the Sun ONE Directory Server. Each has its own benefits and drawbacks, with many people looking at Multiple Master Replication as the new de facto method for addressing availability of the directory server.
Sun has a Reference Architecture program that defines the hardware and software components needed to build end-to-end solutions that meet specific business needs. Each Reference Architecture has been designed, tested, and documented, so users can reduce the complexity, costs, and risks of deploying new technology in their enterprises. Sun's Reference Architectures combine:
- A documented multitiered architecture
- Recommended technology products from Sun and other vendors
- Architecture, sizing, and implementation guides
For more details on the Messaging Reference Architecture, see:
http://www.sun.com/products/architectures-platforms/refarch/specs.html#g1_5.1.
CHAPTER 4
Installation Preparation
To continue in further chapters, it is recommended that a functional messaging system be available to the reader for hands-on work. This chapter outlines some issues and practices that are important during the pre-installation. These issues can have significant impact on installation, operations, and recovery capability. It provides insight into situations that normally cause consternation. References are made to specific sections of manuals or additional supplemental materials. Think of this chapter as a reminder regarding operating system best practices that can be found in other BluePrints and elsewhere.
This chapter contains the following topics:
- Preparation Process
- Network Connectivity
Preparation Process
This section provides an overview of the preparation process. It covers the following topics:
- Good Computing Practices
- Differences Between Production and Non-production
- Basic Solaris OE Installation
Good Computing Practices
A very wise system engineer at Sun once gave me perhaps the best piece of advice ever: "Prior planning prevents poor performance."
The general idea is to start with a solid foundation (the Solaris OE) and build a solid structure (the Sun ONE Messaging Server) on it. If an incomplete or poor Solaris OE installation is done, do not expect applications such as the Messaging Server to operate correctly or efficiently. It all starts with good computing practices and preparation.
In some organizations, standards and practices regarding system installation and configuration exist. While most organizations agree that standards are a good thing, many simply do not go to this level of detail or effort. If your organization has such standards and practices, that is the place to start. Then incorporate or adjust (if absolutely necessary) anything specific to the messaging environment.
For those organizations that have no standards or perhaps only basic system administration knowledge, there are definitely things that will make the overall process smoother. This chapter outlines some of the basic issues that might interfere with getting the messaging system operational.
Differences Between Production and Non-production
There is a distinct difference between a production and a non-production environment or system. In many situations, it goes way beyond the issue of simply being able to reboot the system at will. Other issues such as change control procedures, security requirements, patching, disk layout, upgrades, and documentation are all different for a production environment than for a non-production environment. Standards and practices typically address these issues within an organization.
One issue that this chapter addresses specifically is the disk layout or partitioning. To simplify the process of creating a prototype or test system for messaging, the system hard drive configuration has only three partitions:
- swap has at least 256 megabytes minimum, up to 1x physical memory.
- / has four gigabytes or more.
- /export/home uses the remainder of the drive.
In a production environment, you would definitely create additional partitions to segregate specific data and applications (some of this is also discussed in Chapter 12, "Performance Tuning," on page 179). In addition to the preceding partitions, you would have partitions for the following functions:
- queues—Used to temporarily store the messages when routing
- store—Also referred to within the messaging server as a partition. There might be multiple stores, depending upon the number of mailboxes or specific policies.
- var—/var directory in the Solaris OE where logs and some temp files are stored
- usr—/usr directory in the Solaris OE
- logs—Sometimes, depending upon specific needs or volume of logs, it is a good idea to have a separate volume or partition to write to.
- opt—Where optional program binaries are stored. Messaging software can be installed here if desired.
Your organization might have specific practices regarding disk layout. Start with these and modify them or incorporate the messaging requirements.
Note – Do not take the AUTO LAYOUT defaults of the Solaris installation program. This will typically undersize the root and other partitions.
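A check for the production partition layout described above, as an added example written for this page (not from the BluePrint): it reads a df -k listing, works out which filesystem each required directory actually lands on, and reports any that still share the root filesystem, which is how a full queue or log directory ends up filling / and taking the whole host down. The df -k listing is a constructed sample, and the mount points chosen for the MTA queues (/var/queue) and the mailstore (/store) are this example's assumptions, not the product's defaults.

```sh
#!/bin/sh
# Added example (not from the BluePrint): verify that a production host has
# the separate partitions the chapter calls for, rather than everything on /.
# The df -k listing is a constructed sample; the mount points chosen for the
# MTA queues (/var/queue) and the mailstore (/store) are this example's
# assumptions, not the product's defaults.  On a real host pipe `df -k` in.

sample_df_k() {
    cat <<'EOF'
Filesystem            kbytes    used   avail capacity  Mounted on
/dev/dsk/c0t0d0s0    4130206  980322 3108582    24%    /
/proc                      0       0       0     0%    /proc
swap                 1048576    8192 1040384     1%    /tmp
/dev/dsk/c0t0d0s3    2053605  210387 1781617    11%    /var
/dev/dsk/c0t0d0s4    4130206 1320450 2768454    33%    /usr
/dev/dsk/c0t1d0s6   17420426  412356 16833866    3%    /export/home
EOF
}

# Mount points that must be their own filesystem on a production messaging
# host (the queue and store paths are assumptions for this example).
REQUIRED_MOUNTS="/var /usr /opt /var/queue /store"

# Given a df -k listing on stdin, print the mount point that holds PATH
# (longest matching prefix), i.e. the filesystem a path actually lands on.
fs_for_path() {
    awk -v p="$1" 'NR > 1 { m = $NF; if (p == m || index(p, m "/") == 1 || m == "/") { if (length(m) > length(best)) best = m } } END { print best }'
}

# Print each required mount point that is NOT a separate filesystem together
# with the filesystem it currently shares; exit 1 if any are found.
check_partitions() {
    listing=$(cat)      # read the df -k output once, then scan it per path
    rc=0
    for m in $REQUIRED_MOUNTS; do
        on=$(printf '%s\n' "$listing" | fs_for_path "$m")
        if [ "$on" != "$m" ]; then
            echo "$m shares $on"
            rc=1
        fi
    done
    return $rc
}
```

The longest-prefix match matters: /var/queue sharing /var is reported even though /var is itself a separate partition, because the queue filling up would still starve the logs in /var.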
For some basic system (Solaris OE) install practices, the following resources are recommended:
- Solaris System Administrator's Guide, 3rd Edition, Janice Winsor
- Sun BluePrint book, Operating Environment: Solaris 8 Installation and Boot Disk Layout, March 2000, Richard Elling
- Sun BluePrint book, Configuring Boot Disks, December 2001, John S. Howard and David Deeths
- Solaris Documentation Set
Basic Solaris OE Installation
Some advice regarding the initial Solaris OE installation that can prevent issues in the future:
- Install the latest update.
- Install the entire distribution.
The Solaris 8 OE will be installed on our prototype system. As a general practice, it is good to start with the most recent update. Currently, this is Solaris 8 OE 02/02. You could also install the latest Solaris 9 OE 04/03; however, some installation instructions may be slightly different. Using the latest release will reduce the amount of patching required.
One of the areas that can sometimes create problems is the specific installation of the Solaris OE. Those familiar with the overall install process know that the Solaris OE installation program provides five options when performing an interactive install:
- Entire distribution with OEM Support
- Entire distribution
- Developer
- End-user
- Custom
The mistake that is often made is to install something less than the entire distribution without specifically knowing that your applications will work correctly in this configuration. The entire distribution loads libraries and other files that are often required by applications for various reasons such as dynamic linking. Not having access to these libraries or files will create some interesting issues that may appear only after the program has been installed and operational for some time. So unless your organization has a specific standard regarding what is installed, use the entire distribution. Bear in mind that the entire distribution also installs daemons and setuid programs you will never use, so the hardening step of disabling unused services after installation matters more, not less. If you begin to have problems or the software runs strangely (sometimes things like missing character sets can cause issues), investigate which load of the Solaris OE was installed. For the demo or prototype system, the Entire Distribution of Solaris 8 OE 02/02 is used.
For details regarding installing the Solaris OE, refer to the Solaris Installation Guide.
Now that Solaris is installed, the next step is to patch the system. Begin by downloading the latest Solaris Recommended Patch Cluster for the specific version of the Solaris OE from the SunSolve web site at:
http://sunsolve.sun.com.
In our case, the Solaris 8 Patch Cluster contains the latest security and recommended patches for the Solaris 8 OE. Follow the installation instructions provided with the Solaris Recommended Patch Cluster.
Now check the Release Notes for the Sun ONE Messaging Server, or any other application that you plan on installing, for any additional required patches that may not be included as part of the Solaris Recommended Patch Cluster. You can retrieve individual patches from the SunSolve web site as well. These patches are generally available; however, in some rare situations they may only be available to customers with support contracts.
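The Release Notes patch check above, as an added example written for this page (not a Sun tool): the required patches are transcribed as a "base-rev" list, the host's showrev -p output is reduced to the highest installed revision per patch base, and each requirement is reported as satisfied, down-revision, or missing. The showrev -p output below is a constructed sample with illustrative patch IDs; on a real host pipe the live command in instead.

```sh
#!/bin/sh
# Added example (not from the BluePrint): check the patches an application's
# Release Notes require against what `showrev -p` reports, so a missing or
# down-revision patch is caught before the application is installed.  The
# showrev -p output below is a constructed sample (patch IDs are for
# illustration only); on a real host pipe the live command in instead.
# Required patches are given as "base-rev", meaning revision rev or newer,
# which is this example's convention for transcribing a Release Notes list.

sample_showrev_p() {
    cat <<'EOF'
Patch: 108528-29 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr, SUNWcsu
Patch: 108993-31 Obsoletes: 108991-05 Requires:  Incompatibles:  Packages: SUNWcsl
Patch: 110380-04 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWlibC
EOF
}

# Reduce showrev -p output on stdin to "base highest-revision" lines.
installed_patches() {
    awk '$1 == "Patch:" { split($2, p, "-"); rev = p[2] + 0; if (rev > max[p[1]]) max[p[1]] = rev }
         END { for (b in max) print b, max[b] }'
}

# Compare installed patches (stdin) with a space-separated required list.
# Prints "missing BASE-REV" or "downrev BASE-INSTALLED need REV" per problem
# and exits 1 if there is any; exits 0 silently when all are satisfied.
check_required_patches() {
    installed_patches | awk -v req="$1" '
        { have[$1] = $2 }
        END {
            n = split(req, r, " ")
            bad = 0
            for (i = 1; i <= n; i++) {
                split(r[i], p, "-"); base = p[1]; need = p[2] + 0
                if (!(base in have)) { printf "missing %s-%02d\n", base, need; bad = 1 }
                else if (have[base] < need) { printf "downrev %s-%02d need %02d\n", base, have[base], need; bad = 1 }
            }
            exit bad
        }'
}
```

Usage on a host: showrev -p | check_required_patches "$(cat required-patches.txt)" with the Release Notes list transcribed one "base-rev" per whitespace-separated entry; a non-zero exit stops the install script before the product is laid down on an unpatched system.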
Now is the time to consider how best to maintain your system patch level. Several tools or utilities can help you do this:
- Patch Manager—Automates patch management and patch analysis accuracy. Provides configuration-specific patch analysis, automated patch download, patch dependency resolution, and install. Available for Solaris OE 2.6 through Solaris OE 9, Sun Cluster, Network Storage, Sun Enterprise™ 10000, and Sun Fire™ systems.
- PatchPro/PatchPro Expert—PatchPro Interactive generates a custom patch list that can be downloaded in a single tar file. This file is based on selections of various Sun hardware and software products. PatchPro Expert is a signed applet that analyzes your system and generates a custom patch list. The applet will attempt to detect software in all categories listed for PatchPro Interactive. PatchPro Expert requires a Java-enabled Netscape™ browser. Available for Solaris OE 2.6 through Solaris OE 9.
• PatchCheck—Replaces PatchDiag. Determines the patch levels on your system against Sun's Recommended and Security patch list. Additionally, it operates from input files and lists all patches that pertain to packages installed on the system. This tool is similar to the PatchDiag Tool that you may have used in the past, with the added advantage of producing reports in HTML format that allow you to select and receive your desired patches.
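Whichever of these tools you use, the release-note patches mentioned above still need to be confirmed on the box itself. The script below is an added example and not from the Sun BluePrint; its function names are constructed, and the patch numbers and the showrev -p output it runs on are placeholders in the showrev -p format, not real Sun patch IDs. It reads the installed patch list and reports any required patch whose installed revision is absent or older than required:

```sh
#!/bin/sh
# Added example, not from the Sun BluePrint. Function names are constructed,
# and the patch IDs and showrev output below are placeholders in the
# "showrev -p" format, not real Sun patch numbers.

# installed_rev SHOWREVFILE BASE
# Prints the highest installed revision of patch BASE, or -1 when no
# revision of it is installed. Each "showrev -p" line starts "Patch: BASE-REV".
installed_rev() {
    awk -v base="$2" '
        BEGIN { best = -1 }
        $1 == "Patch:" { split($2, p, "-")
                         if (p[1] == base && p[2] + 0 > best) best = p[2] + 0 }
        END { print best }' "$1"
}

# check_required_patches SHOWREVFILE BASE-REV...
# A requirement is met when the installed revision is REV or newer (a later
# revision of a Sun patch supersedes the earlier one). Returns the number
# of unmet entries, so 0 means nothing is missing.
check_required_patches() {
    showrev=$1; shift
    unmet=0
    for req in "$@"; do
        base=${req%-*}
        rev=${req#*-}
        have=$(installed_rev "$showrev" "$base")
        if [ "$have" -ge "$rev" ]; then
            printf 'ok       %s (installed revision %s)\n' "$req" "$have"
        else
            printf 'MISSING  %s (installed revision %s)\n' "$req" "$have" >&2
            unmet=$((unmet + 1))
        fi
    done
    return $unmet
}

# Constructed "showrev -p" output: two revisions of one patch, one other.
demo_showrev=${TMPDIR:-/tmp}/showrev.demo.$$
trap 'rm -f "$demo_showrev"' EXIT
cat > "$demo_showrev" <<'EOF'
Patch: 100001-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 100001-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 100002-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr
EOF

# Required list as it would be transcribed from a product's release notes
# (placeholders). On a real server capture the input with: showrev -p > file
if check_required_patches "$demo_showrev" 100001-05 100002-01 100003-01; then
    echo "all required patches are installed"
else
    echo "obtain the missing patches from SunSolve before installing" >&2
fi
```

Keep the required list under version control next to the release notes it was taken from, and rerun the check after every patch cluster so a regression (a cluster that does not carry a newer revision of an individually required patch) is caught before the maintenance window closes.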
Why go to this degree of effort to patch the system?
In many cases, this will be the only chance to patch to this degree of thoroughness. Once a system is in production, it becomes more difficult to obtain maintenance windows.
There are several Sun technologies to assist an organization in installation and management of the Solaris OE:
• JumpStart—The JumpStart™ system is useful for much more than installing the Solaris OE. Solaris JumpStart is an automatic installation (auto-install) process available in the Solaris OE and comes free with Solaris. It allows system administrators to categorize machines on their network, and automatically installs systems based on the category (Class) to which a machine belongs. In many ways, JumpStart is similar to the RedHat Linux KickStart functionality.
The JumpStart system is like a scripting language; the JumpStart framework provides a toolkit of operators that can be used individually or combined. These operators function well individually, but their true power is realized when they are combined.
You can even perform JumpStart over a wide area network (WAN) in the newer versions of the Solaris OE. With the boot command, you can specify the location of the JumpStart profile and sysidcfg information to use to perform the installation. You can specify a path to an HTTP server, an NFS server, or a file that is available on local media. For a complete list of Sun BluePrints on the JumpStart Flash Archive, see: http://www.sun.com/solutions/blueprints/browsesubject.html#jumpstart.
• Solaris Flash—The Solaris Flash feature provides new installation and provisioning functionality. System administrators can capture a snapshot image of a complete server—including the Solaris OE, the applications stack, and the system configuration—into a new Flash Archive format. Using this system image, administrators can then replicate reference server configurations onto multiple servers or clones. Solaris Flash images can be deployed using standard media or over the network via HTTP and NFS. Solaris Flash images can be installed using custom Solaris JumpStart scripts, the Solaris Web Start graphical interface, or Solaris OE interactive installation.
Solaris Flash technology provides the ability to layer Flash Archives. You can create partial Flash Archives to install in a variety of ways. This feature increases the flexibility for rapid modular deployment.
For example, you can create one archive that contains the Solaris OE files, a second archive that contains the files necessary to run a Web server, and a third archive that contains the files for an NFS server. You can then install the first and second archives to one machine to create a web server, and the first and third archives to create an NFS server.
For more details, see: http://wwws.sun.com/software/solaris/webstartflash/ and http://wwws.sun.com/software/whitepapers/wpsolarisinst/solaris_installation_deployment.pdf.
• Change Manager—Change Manager is part of the Sun™ Management Center product family. Change Manager is a provisioning and change management software product that delivers a fast and easy way to install, configure, update, provision, and audit the software stacks running on Sun systems. It can significantly improve IT staff efficiency and productivity in a computing environment that relies on replicated servers to provide software services. Change Manager software utilizes Solaris Flash, Solaris Live Upgrade, and Solaris JumpStart technologies to provision servers. It can leverage existing JumpStart scripts and Flash Archive files to a degree.
Change Manager works on the Solaris 8 OE platform 2/02 or later as well as the Solaris 9 OE. It is not bundled with the Solaris OE, but rather is a separate package available for purchase.
For more details, see: http://wwws.sun.com/software/solaris/sunmanagementcenter/ds/ds-smccm/index.html.
• N1™ for Blades—Due to their specific nature, Blade servers are somewhat different than other types of servers when it comes to provisioning the operating environment and configuring the underlying hardware. Sun recently introduced the N1 Provisioning Server 3.0 Blades Edition software to address the provisioning issue for their Blade servers. This software provides a powerful management environment for Sun Fire Blades and Shelves. Running on one or more dedicated servers, this software performs many of its management functions through an out-of-band management network. The N1 Provisioning Server 3.0 Blades Edition software enables system administrators to rapidly design, configure, provision, and scale blade-based logical server farms automatically. The software manages this pool, along with other networking resources, to quickly reconfigure, deploy, and decommission large collections of blades whether they are in the same data center or are geographically dispersed.
As the required testing and certification of the Sun ONE Messaging Server and related software take place on these Sun Fire Blade servers, the N1 Provisioning Server 3.0 Blades Edition software will undoubtedly be very useful.
For more details, see: http://wwws.sun.com/software/products/provisioning_server/.
Network Connectivity
Some quick caveats regarding network connectivity. It goes without saying that network connectivity is required. There are, however, a couple of items that can cause issues or confusion in this area, either during the installation of the operating system or during the installation of the Messaging Server.
The issues tend to fall into one of five areas within networking:
• Host Name Resolution With /etc/hosts and DNS
• Naming Services Setup and Best Practices
• Network Load Balancing
• DHCP
• Domain Name
Host Name Resolution With /etc/hosts and DNS

You can do two things to avoid problems.
First, put all critical hosts that are absolutely, positively required for operation into the /etc/hosts file. Second, put the fully qualified host name (FQN) in the /etc/hosts file in addition to the short name.
During some parts of the installation process, the Messaging Server installation program needs fully qualified host names. If it cannot resolve the FQN, manual entry is required. Unfortunately humans are not as accurate as computers, so errors can occur. Following this advice allows the installation program to automatically obtain the FQN directly.
Example:

root@sparc5-1# cat /etc/hosts
#
# Internet host table
#
127.0.0.1 localhost loghost
10.0.0.171 demo demo.test.sun.com
# Directory Server node
#
10.0.0.172 ldap ldap.test.sun.com
# SunCluster nodes
#
10.0.0.173 node0 node0.test.sun.com
10.0.0.174 node1 node1.test.sun.com

This example provides for resolution of both the fully qualified and non-qualified names if the normal naming service, such as NIS, NIS+, or DNS, becomes unavailable or slow. This can prevent some outages or problems. Your organization's standards may dictate otherwise—after all, this does add some maintenance over relying upon the naming service for everything.

Naming Services Setup and Best Practices

A number of options for naming services are available, including /etc/hosts, DNS, NIS, NIS+, and LDAP. The key here is to make sure that any naming service being used is accurate and available. If you use /etc/hosts, you must maintain it and keep it up to date. If you are using DNS, you must make sure that it is properly configured and is functional for each one of the name servers listed in the /etc/resolv.conf file. Why? If you simply test that the DNS is working properly, you will only be testing that the server listed first resolves correctly, not the second or other servers listed:

root@sparc5-1# cat /etc/resolv.conf
domainname test.sun.com
nameserver 10.0.62.1
nameserver 10.0.62.14
root@sparc5-1#

So in the event of an issue with 10.0.62.1, 10.0.62.14 will be used. However, if we never tested 10.0.62.14, it may not work either.
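The two /etc/hosts recommendations and the point about testing every resolver, not just the first, can be turned into a repeatable pre-install check. The script below is an added example and is not part of the Sun BluePrint; its function names, the temporary file paths, and the sample /etc/hosts and /etc/resolv.conf contents are constructed for the demonstration (modelled on the listings above, with node0 deliberately lacking its fully qualified name). It verifies that each critical host has both its short and fully qualified name on one /etc/hosts line, lists every nameserver in /etc/resolv.conf, and, when run with network access, queries each of those servers individually:

```sh
#!/bin/sh
# Added example, not from the Sun BluePrint. Function names, file paths and
# the sample file contents are constructed for the demonstration.

# check_hosts_entries HOSTSFILE FQDN...
# Succeeds only when every fully qualified name given appears in HOSTSFILE
# on the same line as its short name, so that the installer can obtain the
# FQN from /etc/hosts even when NIS, NIS+ or DNS is unavailable or slow.
check_hosts_entries() {
    hosts_file=$1; shift
    missing=0
    for fqdn in "$@"; do
        short=${fqdn%%.*}
        if ! awk -v s="$short" -v f="$fqdn" '
            /^[ \t]*#/ { next }                      # skip comment lines
            { hs = 0; hf = 0
              for (i = 2; i <= NF; i++) { if ($i == s) hs = 1; if ($i == f) hf = 1 }
              if (hs && hf) { found = 1; exit } }
            END { exit found ? 0 : 1 }' "$hosts_file"; then
            echo "missing short+FQN entry for $fqdn in $hosts_file" >&2
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# list_nameservers RESOLVCONF
# Prints every nameserver address, one per line, in the order the resolver
# tries them. Each of them needs to be tested, not only the first.
list_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# probe_each_nameserver RESOLVCONF FQDN
# Queries FQDN against every listed server individually. Needs network
# access to the servers, so the offline demonstration below does not run it.
probe_each_nameserver() {
    rc=0
    for ns in $(list_nameservers "$1"); do
        if nslookup "$2" "$ns" >/dev/null 2>&1; then
            echo "ok      $ns resolves $2"
        else
            echo "FAILED  $ns does not resolve $2" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files: node0 is deliberately missing its FQN.
demo_hosts=${TMPDIR:-/tmp}/hosts.demo.$$
demo_resolv=${TMPDIR:-/tmp}/resolv.demo.$$
trap 'rm -f "$demo_hosts" "$demo_resolv"' EXIT
cat > "$demo_hosts" <<'EOF'
#
# Internet host table (constructed sample)
#
127.0.0.1       localhost loghost
10.0.0.171      demo demo.test.sun.com
10.0.0.172      ldap ldap.test.sun.com
10.0.0.173      node0
EOF
cat > "$demo_resolv" <<'EOF'
domain test.sun.com
nameserver 10.0.62.1
nameserver 10.0.62.14
EOF

if check_hosts_entries "$demo_hosts" demo.test.sun.com ldap.test.sun.com node0.test.sun.com; then
    echo "all critical hosts have short and fully qualified entries"
else
    echo "add the missing entries to /etc/hosts before running the installer" >&2
fi
echo "nameservers to test one at a time:"
list_nameservers "$demo_resolv"
```

On the real server, run check_hosts_entries against /etc/hosts with the names of the directory server, the messaging host and any cluster nodes, then probe_each_nameserver /etc/resolv.conf with the messaging host's FQN; a server that only answers when it is first in the list is exactly the failure the text warns about.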
Network Load Balancing

Network-based load balancing allows for failover of IP addresses and services. This can be done several ways:
• Round-robin DNS feature of newer revisions of DNS (bind).
• Layer 3/4 switches—Alteon is an example.
• Software—Resonate is an example.
There are pros and cons to each of these ways, however. While round-robin DNS is inexpensive, it also takes several minutes or longer to fail over. Layer 3/4 switches and software operate quickly, within seconds or even faster, but they are expensive. Depending on your availability requirements and budget, you must begin planning your networking availability strategy up front. Otherwise, this will impact the installation and configuration of the messaging systems. Renaming and re-addressing the systems is not a simple task.
DHCP

The Dynamic Host Configuration Protocol (DHCP) is not supported for a server running the Messaging Software. There are places within the software where the IP address of the server is coded, for security reasons.
Domain Name

It is generally a good idea to set or configure the default domain name, either through the command line or the /etc/defaultdomain file. Not having this set can sometimes cause problems. However, the default does not have to match up to any specific domain name of the Messaging Server, DNS, or Network Information Service (NIS).
CHAPTER 5

System Startup
This chapter covers the basics of getting the system started and provisioning users once the system is operational. It is designed to provide you an understanding of the various mechanisms for provisioning as well as the pros and cons of each method. You can easily automate provisioning, but there are times when manual entry is required too.
First, this chapter reviews the daemons running on a test or demo system so you can see what a correctly installed system should look like from top or ps -ef commands and utilities. Then, the chapter describes the various options for administration of the system, including provisioning. Some specific administrative actions are only available using one method or another. There are others you really should do one way and not another. A simple example of provisioning accounts and users by using a Perl script is provided, plus a script for generating test users.
This chapter covers the following topics:
• Basic System Status
• Provisioning
• Sample Data File
• Sample Provisioning Script
• Test User Generation Script
Basic System Status

First, the system should be installed and operational. If you had difficulties or are unsure that the system is operational, there are several ways to check the system status using either the start and stop scripts from the previous chapter or more familiar UNIX commands and utilities such as top and ps -ef.
To check on the status of the test system installed for this book, use the ps -ef command:
CODE EXAMPLE 5-1 ps -ef Command Output

UID PID PPID C STIME TTY TIME CMD
root 0 0 0 Apr 11 ? 0:01 sched
root 1 0 0 Apr 11 ? 0:01 /etc/init -
root 2 0 0 Apr 11 ? 0:00 pageout
root 3 0 0 Apr 11 ? 35:08 fsflush
root 482 1 0 Apr 11 ? 0:00 /usr/lib/saf/sac -t 300
root 487 456 0 Apr 11 ? 0:00 /usr/dt/bin/dtlogin -daemon
root 176 1 0 Apr 11 ? 0:00 /usr/sbin/rpcbind
root 57 1 0 Apr 11 ? 0:00 /usr/lib/sysevent/syseventd
root 59 1 0 Apr 11 ? 0:00 /usr/lib/sysevent/syseventconfd
root 202 1 0 Apr 11 ? 0:01 /usr/lib/autofs/automountd
root 343 341 0 Apr 11 ? 0:00 /usr/sadm/lib/smc/bin/smcboot
root 217 1 0 Apr 11 ? 0:00 /usr/sbin/syslogd
root 232 1 0 Apr 11 ? 0:02 /usr/sbin/nscd
root 238 1 0 Apr 11 ? 0:00 /usr/lib/lpsched
root 486 456 0 Apr 11 ? 0:01 /usr/openwin/bin/Xsun :0 -nobanner -auth /var/dt/A:0-lcaa5a
root 27697 1 0 Apr 14 ? 0:00 /A1000/demo6789/ims52/bin/msg/admin/bin/enpd
root 476 1 0 Apr 11 ? 0:00 /usr/lib/dmi/snmpXdmid -s sparc5-1
nobody 27822 1 0 Apr 14 ? 0:00 /A1000/demo6789/ims52/bin/msg/imta/bin/dispatcher
root 370 1 0 Apr 11 ? 0:00 /usr/sbin/ifbdaemon /dev/fbs/ifb0
root 251 1 0 Apr 11 ? 0:00 /usr/lib/utmpd
root 199 1 0 Apr 11 ? 0:00 /usr/sbin/inetd -s
root 296 1 0 Apr 11 ? 0:10 /usr/lib/osa/bin/arraymon
root 311 1 0 Apr 11 ? 0:00 /usr/lib/osa/bin/sparcv9/rdaemon 29 203 5
root 372 1 0 Apr 11 ? 0:00 /usr/sbin/vold
root 446 1 0 Apr 11 ? 0:00 /usr/lib/nfs/nfsd -a 16
root 485 482 0 Apr 11 ? 0:00 /usr/lib/saf/ttymon
root 456 1 0 Apr 11 ? 0:00 /usr/dt/bin/dtlogin -daemon
root 340 311 0 Apr 11 ? 0:00 /usr/lib/osa/bin/sparcv9/rdaemon 29 203 5
root 341 1 0 Apr 11 ? 0:00 /usr/sadm/lib/smc/bin/smcboot
root 466 1 0 Apr 11 ? 0:00 /usr/lib/snmp/snmpdx -y -c /etc/snmp/conf
root 483 1 0 Apr 11 console 0:00 /usr/lib/saf/ttymon -g -h -p sparc5-1 console login: -T sun -d /dev/console -l
root 440 1 0 Apr 11 ? 0:00 /usr/lib/nfs/mountd
root 471 1 0 Apr 11 ? 0:02 /usr/lib/inet/xntpd
root 475 1 0 Apr 11 ? 0:00 /usr/lib/dmi/dmispd
root 426 1 0 Apr 11 ? 0:28 /usr/local/sbin/prngd /var/spool/prngd/pool
root 489 1 0 Apr 11 ? 0:00 /usr/openwin/bin/fbconsole -d :0
root 502 487 0 Apr 11 ? 0:00 dtgreet -display :0
root 501 466 0 Apr 11 ? 1:18 mibiisa -r -p 32787
root 27601 1 0 Apr 14 ? 0:00 ./ns-admin -d /A1000/demo6789/ims52/admin-serv/config
nobody 27664 1 0 Apr 14 ? 0:04 /A1000/demo6789/ims52/bin/msg/store/bin/mshttpd -d 5 -D 6
nobody 27821 1 0 Apr 14 ? 0:00 /A1000/demo6789/ims52/bin/msg/imta/bin/job_controller
nobody 27635 1 0 Apr 14 ? 0:01 /A1000/demo6789/ims52/bin/msg/store/bin/popd -d 5
root 29899 29897 0 13:27:35 pts/3 0:00 ps -ef
root 27709 1 0 Apr 14 ? 0:00 ./uxwdog -d /A1000/demo6789/iws60/https-sparc5-1.central.sun.com/config
root 27700 1 0 Apr 14 ? 0:00 ./uxwdog -d /A1000/demo6789/iws60/https-admserv/config
nobody 27622 1 0 Apr 14 ? 0:02 /A1000/demo6789/ims52/bin/msg/admin/bin/stored -d
nobody 29608 1 0 09:32:28 ? 0:00 /A1000/demo6789/ims52/bin/msg/imta/bin/tcp_smtp_server
root 27710 27709 0 Apr 14 ? 0:00 ns-httpd -d /A1000/demo6789/iws60/https-sparc5-1.central.sun.com/config
root 29890 29888 0 13:27:21 pts/3 0:00 -sh
root 29888 199 0 13:27:21 ? 0:00 in.telnetd
root 29897 29890 0 13:27:24 pts/3 0:00 bash
root 27594 1 0 Apr 14 ? 0:00 ./uxwdog -d /A1000/demo6789/ids51/admin-serv/config
nobody 27711 27710 0 Apr 14 ? 0:01 ns-httpd -d /A1000/demo6789/iws60/https-sparc5-1.central.sun.com/config
nobody 27649 1 0 Apr 14 ? 0:00 /A1000/demo6789/ims52/bin/msg/store/bin/imapd -d 5 -D 6
root 27595 27594 0 Apr 14 ? 0:01 ns-httpd -d /A1000/demo6789/ids51/admin-serv/config
root 27703 27701 0 Apr 14 ? 0:01 ns-httpd -d /A1000/demo6789/iws60/https-admserv/config
root 20075 1 0 Apr 13 ? 0:00 /usr/sbin/cron
root 27597 27595 0 Apr 14 ? 0:01 ns-httpd -d /A1000/demo6789/ids51/admin-serv/config
nobody 29609 1 0 09:32:28 ? 0:00 /A1000/demo6789/ims52/bin/msg/imta/bin/tcp_smtp_server
nobody 27587 1 0 Apr 14 ? 0:09 ./ns-slapd -D /A1000/demo6789/ids51/slapd-sparc5-1 -i/A1000/demo6789/ids51/sla
root 27701 27700 0 Apr 14 ? 0:00 ns-httpd -d /A1000/demo6789/iws60/https-admserv/config

As you can see, several things are running on the system in addition to the Messaging Server. You could filter the results looking only for the messaging components by user or group, but that requires that you know that all the daemons are properly installed and operating as the messaging user or group. For diagnostics, sometimes it is better to review everything running.

Another UNIX utility that you can use is top, which presents a nicer view of the processes running on the system as well as the ability to sort and organize the output (FIGURE 5-1).

Regardless of the method used to view the current processes on the system, you should have the following daemons running at this point when everything is installed on the same server:
• mshttpd—Webmail daemon
• stored—Mailstore daemon
• ns-slapd—LDAP daemon
• ns-httpd—web server for delegated administration and administration servers; you should have three
• enpd—event notification daemon
• dispatcher—Dispatcher
• tcp_smtp_server—SMTP daemon
• job_controller—Job controller daemon
• popd—POP daemon
• imapd—IMAP daemon
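The daemon list above can be checked mechanically rather than by eye. The script below is an added example and not from the Sun BluePrint; its function names are constructed, and the process listing it runs on is a constructed subset of CODE EXAMPLE 5-1 (on a real server, feed it a saved ps -ef listing). It counts the ps -ef lines for each expected daemon and reports any that are missing or below the expected count:

```sh
#!/bin/sh
# Added example, not from the Sun BluePrint. Function names and the
# process listings below are constructed for the demonstration; on a real
# server feed the function a saved "ps -ef" listing.

# Daemons that must be present when everything is installed on one server,
# with the minimum number of ps -ef lines expected for each (ns-httpd: the
# two administration servers and the delegated administrator web server).
EXPECTED_DAEMONS='
mshttpd 1
stored 1
ns-slapd 1
ns-httpd 3
enpd 1
dispatcher 1
tcp_smtp_server 1
job_controller 1
popd 1
imapd 1
'

# count_daemon PSFILE NAME
# Counts the ps -ef lines whose command (path stripped) is NAME. The CMD
# column is located as the field after TIME (the only m:ss field on a line),
# because STIME is "Apr 11" on old processes and "13:27:35" on new ones.
count_daemon() {
    awk -v name="$2" '
        $1 == "UID" { next }
        { cmd = ""
          for (i = 1; i <= NF; i++)
              if ($i ~ /^[0-9]+:[0-9][0-9]$/) { cmd = $(i + 1); break }
          sub(/.*\//, "", cmd)
          if (cmd == name) n++ }
        END { print n + 0 }' "$1"
}

# check_daemons PSFILE
# Prints one status line per expected daemon; returns the number that are
# missing or below the expected count (0 means the install looks complete).
check_daemons() {
    short=0
    while read -r name need; do
        [ -n "$name" ] || continue
        have=$(count_daemon "$1" "$name")
        if [ "$have" -ge "$need" ]; then
            printf 'ok       %-16s %s running\n' "$name" "$have"
        else
            printf 'MISSING  %-16s %s running, %s expected\n' "$name" "$have" "$need" >&2
            short=$((short + 1))
        fi
    done <<EOF
$EXPECTED_DAEMONS
EOF
    return $short
}

# Constructed subset of a healthy all-on-one-server listing (paths as in
# CODE EXAMPLE 5-1), and the same listing with imapd stopped and one web
# server instance down.
ps_full=${TMPDIR:-/tmp}/ps.full.$$
ps_partial=${TMPDIR:-/tmp}/ps.partial.$$
trap 'rm -f "$ps_full" "$ps_partial"' EXIT
cat > "$ps_full" <<'EOF'
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 Apr 11 ? 0:01 /etc/init -
root 27697 1 0 Apr 14 ? 0:00 /A1000/demo6789/ims52/bin/msg/admin/bin/enpd
nobody 27822 1 0 Apr 14 ? 0:00 /A1000/demo6789/ims52/bin/msg/imta/bin/dispatcher
nobody 27664 1 0 Apr 14 ? 0:04 /A1000/demo6789/ims52/bin/msg/store/bin/mshttpd -d 5 -D 6
nobody 27821 1 0 Apr 14 ? 0:00 /A1000/demo6789/ims52/bin/msg/imta/bin/job_controller
nobody 27635 1 0 Apr 14 ? 0:01 /A1000/demo6789/ims52/bin/msg/store/bin/popd -d 5
nobody 27622 1 0 Apr 14 ? 0:02 /A1000/demo6789/ims52/bin/msg/admin/bin/stored -d
nobody 29608 1 0 09:32:28 ? 0:00 /A1000/demo6789/ims52/bin/msg/imta/bin/tcp_smtp_server
nobody 29609 1 0 09:32:28 ? 0:00 /A1000/demo6789/ims52/bin/msg/imta/bin/tcp_smtp_server
nobody 27649 1 0 Apr 14 ? 0:00 /A1000/demo6789/ims52/bin/msg/store/bin/imapd -d 5 -D 6
nobody 27587 1 0 Apr 14 ? 0:09 ./ns-slapd -D /A1000/demo6789/ids51/slapd-sparc5-1
root 27595 27594 0 Apr 14 ? 0:01 ns-httpd -d /A1000/demo6789/ids51/admin-serv/config
root 27703 27701 0 Apr 14 ? 0:01 ns-httpd -d /A1000/demo6789/iws60/https-admserv/config
nobody 27711 27710 0 Apr 14 ? 0:01 ns-httpd -d /A1000/demo6789/iws60/https-sparc5-1.central.sun.com/config
root 29899 29897 0 13:27:35 pts/3 0:00 ps -ef
EOF
grep -v -e '/imapd ' -e 'https-admserv' "$ps_full" > "$ps_partial"

if check_daemons "$ps_full"; then
    echo "all expected Messaging Server daemons are running"
fi
```

The check only reports what is absent, not what is extra, so it complements rather than replaces reviewing the whole listing as the text recommends; the full listing above, for instance, also shows the administrator's session arriving through in.telnetd, which is worth noting for a later hardening pass.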
FIGURE 5-1 top Command Output
If the directory server were running on a separate system, you would not have the ns-slapd daemon running on this server or one of the ns-httpd for the Directory Administrator. If you turned off webmail, the mshttpd daemon would not be running, and so forth. So you really must know the specifics of your installation; otherwise you will think something should be there that is not, or vice versa. Since we installed everything on the same server, all the daemons appear.
Keep in mind that this is a default installation on a small server. For larger, production servers, it is possible to have multiple daemons running too. For example, depending on the configuration parameters, there might be multiple mshttpd daemons to support many webmail users.
To get a list of the current configuration settings, execute the following command:

# configutil

This command lists the current configuration of the Messaging Server, which includes information such as port numbers, protocol status (off/on), log file location, process settings, and so forth. It is a good idea to maintain an archive or repository of this information so when problems or issues arise, the current settings can be compared with the last known good settings. Print these settings out for future reference as you go through the remaining sections and exercises in this book.
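An archive of configutil output is only useful if a later run can be diffed against it, and the listing that follows shows why it has to be handled with care: several local.* attributes carry directory bind credentials in the clear. The script below is an added example and not from the Sun BluePrint; its function names and archive directory are constructed, the attribute names are those that appear in CODE EXAMPLE 5-2, and the sample listing is a constructed subset of it. It redacts the credential attributes, files a sorted snapshot, diffs a later run against the last known good copy, and flags three settings from the listing that a security review should question (SSLv2 enabled, the 40-bit export ciphers in the SSLv3 cipher list, and LDAP connections made without SSL):

```sh
#!/bin/sh
# Added example, not from the Sun BluePrint. Function names, the archive
# directory and the sample listing are constructed; attribute names are
# those shown in CODE EXAMPLE 5-2.

# configutil prints directory bind credentials in the clear
# (local.enduseradmincred, local.ldapsiecred, local.ugldapbindcred,
# local.service.pab.ldappasswd). Blank them before a snapshot is filed or
# printed, so the archive does not become a second copy of those passwords.
redact_settings() {
    awk '$2 == "=" && ($1 ~ /cred$/ || $1 ~ /passwd$/) { print $1 " = <redacted>"; next }
         { print }'
}

# snapshot_config ARCHIVEDIR LABEL < configutil-output
# Files a redacted, sorted snapshot as ARCHIVEDIR/configutil.LABEL.txt and
# prints its path. The directory is restricted to its owner.
snapshot_config() {
    mkdir -p "$1" && chmod 700 "$1"
    out=$1/configutil.$2.txt
    redact_settings | sort > "$out"
    echo "$out"
}

# compare_config GOODFILE < configutil-output
# Shows how the current settings differ from the last known good snapshot.
# Returns 0 when identical, 1 when they differ (diff's own convention).
compare_config() {
    redact_settings | sort | diff "$1" -
}

# flag_weak_settings < configutil-output
# Prints each setting a security review should question and returns the
# count: SSLv2 enabled, 40-bit export ciphers in the SSLv3 list, and LDAP
# connections made without SSL.
flag_weak_settings() {
    awk '$1 == "encryption.nsssl2" && $3 == "on" { print "SSLv2 enabled:          " $0; n++ }
         $1 == "encryption.nsssl3ciphers" && $3 ~ /_40_/ { print "export ciphers enabled: " $0; n++ }
         $1 == "local.ldapusessl" && $3 == "False" { print "LDAP without SSL:       " $0; n++ }
         END { exit n + 0 }'
}

# Constructed subset of the listing in this chapter.
SAMPLE_CONFIG='encryption.nsssl2 = off
encryption.nsssl3 = on
encryption.nsssl3ciphers = rsa_rc4_40_md5,rsa_rc2_40_md5,rsa_des_sha,rsa_rc4_128_md5,rsa_3des_sha
local.ldaphost = sparc5-1.central.sun.com
local.ldapusessl = False
local.ugldapbindcred = }3:0R77?xB
local.service.pab.ldappasswd = }3:0R77?xB
logfile.imap.loglevel = Notice'

# Demonstration on the sample. On the server, replace the printf with
# "configutil |" and keep the archive directory instead of removing it.
demo_archive=${TMPDIR:-/tmp}/msg-config-archive.$$
trap 'rm -rf "$demo_archive"' EXIT
if ! printf '%s\n' "$SAMPLE_CONFIG" | flag_weak_settings; then
    echo "review the settings flagged above" >&2
fi
good=$(printf '%s\n' "$SAMPLE_CONFIG" | snapshot_config "$demo_archive" known-good)
echo "snapshot filed as $good"
printf '%s\n' "$SAMPLE_CONFIG" | sed 's/^encryption.nsssl2 = off/encryption.nsssl2 = on/' \
    | compare_config "$good" || echo "settings drifted from last known good" >&2
```

Run the snapshot once the installation is verified and again after every configuration change; the redacted copies can then be printed or checked into a repository without also distributing the bind credentials, and the diff against the last known good copy is the first thing to look at when the server starts behaving differently.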
CODE EXAMPLE 5-2 configutil Output—Current Configuration Settings
alarm.createtimestamp = 20030414042706Z
alarm.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
alarm.diskavail.createtimestamp = 20030414042706Z
alarm.diskavail.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
alarm.diskavail.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
alarm.diskavail.modifytimestamp = 20030414042706Z
alarm.diskavail.msgalarmdescription = "percentage mail partition diskspace available"
alarm.diskavail.msgalarmstatinterval = 3600
alarm.diskavail.msgalarmthreshold = 10
alarm.diskavail.msgalarmthresholddirection = -1
alarm.diskavail.msgalarmwarninginterval = 24
alarm.diskavail.objectclass = nsmsgCfgAlarm,top
alarm.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
alarm.modifytimestamp = 20030414042706Z
alarm.msgalarmnoticeport = 25
alarm.msgalarmnoticercpt = postmaster
alarm.msgalarmnoticesender = postmaster
alarm.objectclass = nsmsgCfgAlarmContainer ,top
alarm.serverresponse.createtimestamp = 20030414042706Z
alarm.serverresponse.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
alarm.serverresponse.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
alarm.serverresponse.modifytimestamp = 20030414042706Z
alarm.serverresponse.msgalarmdescription = "server response time in seconds"
alarm.serverresponse.msgalarmstatinterval = 600
alarm.serverresponse.msgalarmthreshold = 10
alarm.serverresponse.msgalarmthresholddirection = 1
alarm.serverresponse.msgalarmwarninginterval = 24
alarm.serverresponse.objectclass = nsmsgCfgAlarm ,top
createtimestamp = 20030414042706Z
creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
encryption.createtimestamp = 20030414042706Z
encryption.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
encryption.fortezza.createtimestamp = 20030414042706Z
encryption.fortezza.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
encryption.fortezza.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
encryption.fortezza.modifytimestamp = 20030414042706Z
encryption.fortezza.nssslactivation = off
encryption.fortezza.objectclass = nsEncryptionModule,top
encryption.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
encryption.modifytimestamp = 20030414042706Z
encryption.nscertfile = alias/msg-sparc5-1-cert7.db
encryption.nskeyfile = alias/msg-sparc5-1-key3.db
encryption.nsssl2 = off
encryption.nsssl3 = on
encryption.nsssl3ciphers = rsa_rc4_40_md5,rsa_rc2_40_md5,rsa_des_sha,rsa_rc4_128_md5,rsa_3des_sha
encryption.nsssl3sessiontimeout = 0
encryption.nssslclientauth = 0
encryption.nssslsessiontimeout = 0
encryption.objectclass = nsEncryptionConfig,top
encryption.rsa.createtimestamp = 20030414042707Z
encryption.rsa.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
encryption.rsa.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
encryption.rsa.modifytimestamp = 20030414042707Z
encryption.rsa.nssslactivation = on
encryption.rsa.nssslpersonalityssl = Server-Cert
encryption.rsa.nsssltoken = internal
encryption.rsa.objectclass = nsEncryptionModule,top
gen.accounturl = http://%[email protected]:55555/bin/user/admin/bin/enduser
gen.configversion = 4.0
gen.createtimestamp = 20030414042707Z
gen.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
gen.folderurl = http://%[email protected]:55555/bin/user/admin/bin/mailacl.cgi?folder=%M
gen.installedlanguages = en
gen.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
gen.modifytimestamp = 20030414042707Z
gen.objectclass = nsmsgCfgGen,top
gen.sitelanguage = en
local.defdomain = sparc5-1.central.sun.com
local.enduseradmincred = }3:0R77?xB
local.enduseradmindn = "uid=msg-admin-sparc5-1.central.sun.com-20020710153937, ou=People, o=sparc5-1.central.sun.com, o=isp"
local.hostname = sparc5-1.central.sun.com
local.imta.imta_tailor = /A1000/demo6789/ims52/msg-sparc5-1/imta/config/imta_tailor
local.imta.ssrenabled = yes
local.installeddir = /A1000/demo6789/ims52/bin/msg
local.instancedir = /A1000/demo6789/ims52/msg-sparc5-1
local.lastconfigfetch = 1050433755
local.ldapbasedn = o=NetscapeRoot
local.ldapcachefile = /A1000/demo6789/ims52/msg-sparc5-1/config/local.conf
local.ldaphost = sparc5-1.central.sun.com
local.ldapport = 389
local.ldapsiecred = VCk3UUl38W
local.ldapsiedn = "cn=msg-sparc5-1, cn=iPlanet Messaging Suite, cn=Server Group (2), cn=sparc5-1.central.sun.com, ou=sparc5-1.central.sun.com, o=NetscapeRoot"
local.ldapusessl = False
local.servergid = nobody
local.servername = sparc5-1
local.serverroot = /A1000/demo6789/ims52
local.servertype = msg
local.serveruid = nobody
local.service.pab.attributelist = pabattrs
local.service.pab.enabled = 1
local.service.pab.ldapbasedn = o=pab
local.service.pab.ldapbinddn = "uid=msg-admin-sparc5-1.central.sun.com-20020710153937, ou=People, o=sparc5-1.central.sun.com, o=isp"
local.service.pab.ldaphost = sparc5-1.central.sun.com
local.service.pab.ldappasswd = }3:0R77?xB
local.service.pab.ldapport = 389
local.service.pab.maxnumberofentries = 500
local.supportedlanguages = "[en,de,fr,es,af,ca,da,nl,fi,gl,ga,is,it,no,pt,sv,ja,ko,zh-CN,zh-TW]"
local.tmpdir = /A1000/demo6789/ims52/msg-sparc5-1/tmp
local.ugldapbasedn = o=isp
local.ugldapbindcred = }3:0R77?xB
local.ugldapbinddn = "uid=msg-admin-sparc5-1.central.sun.com-20020710153937, ou=People, o=sparc5-1.central.sun.com, o=isp"
local.ugldapdeforgdn = "o=sparc5-1.central.sun.com, o=isp"
local.ugldaphost = sparc5-1.central.sun.com
local.ugldapport = 389
local.ugldapuselocal = yes
local.webmail.da.host = sparc5-1.central.sun.com
local.webmail.da.port = 88
local.webmail.sso.enable = 0
local.webmail.sso.singlesignoff = 0
logfile.admin.buffersize = 0
logfile.admin.createtimestamp = 20030414042707Z
logfile.admin.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
logfile.admin.expirytime = 604800
logfile.admin.flushinterval = 60
logfile.admin.logdir = /A1000/demo6789/ims52/msg-sparc5-1/log/admin
logfile.admin.loglevel = Notice
logfile.admin.logtype = NscpLog
logfile.admin.maxlogfiles = 10
logfile.admin.maxlogfilesize = 2097152
logfile.admin.maxlogsize = 20971520
logfile.admin.minfreediskspace = 5242880
logfile.admin.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
logfile.admin.modifytimestamp = 20030414042707Z
logfile.admin.objectclass = nsmsgCfgLog ,top
logfile.admin.rollovertime = 86400
logfile.createtimestamp = 20030414042707Z
logfile.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
logfile.default.buffersize = 0
logfile.default.createtimestamp = 20030414042707Z
logfile.default.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
logfile.default.expirytime = 604800
logfile.default.flushinterval = 60
logfile.default.logdir = /A1000/demo6789/ims52/msg-sparc5-1/log/default
logfile.default.loglevel = Notice
logfile.default.logtype = NscpLog
logfile.default.maxlogfiles = 10
logfile.default.maxlogfilesize = 2097152
logfile.default.maxlogsize = 20971520
logfile.default.minfreediskspace = 5242880
logfile.default.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
logfile.default.modifytimestamp = 20030414042707Z
logfile.default.objectclass = nsmsgCfgLog ,top
logfile.default.rollovertime = 86400
logfile.http.buffersize = 0
logfile.http.createtimestamp = 20030414042710Z
logfile.http.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
logfile.http.expirytime = 604800
logfile.http.flushinterval = 60
logfile.http.logdir = /A1000/demo6789/ims52/msg-sparc5-1/log/http
logfile.http.loglevel = Notice
logfile.http.logtype = NscpLog
logfile.http.maxlogfiles = 10
logfile.http.maxlogfilesize = 2097152
logfile.http.maxlogsize = 20971520
logfile.http.minfreediskspace = 5242880
logfile.http.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
logfile.http.modifytimestamp = 20030414042710Z
logfile.http.objectclass = nsmsgCfgLog ,top
logfile.http.rollovertime = 86400
logfile.imap.buffersize = 0
logfile.imap.createtimestamp = 20030414042710Z
logfile.imap.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
logfile.imap.expirytime = 604800
logfile.imap.flushinterval = 60
logfile.imap.logdir = /A1000/demo6789/ims52/msg-sparc5-1/log/imap
logfile.imap.loglevel = Notice
logfile.imap.logtype = NscpLog
logfile.imap.maxlogfiles = 10
logfile.imap.maxlogfilesize = 2097152
logfile.imap.maxlogsize = 20971520
logfile.imap.minfreediskspace = 5242880
logfile.imap.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
logfile.imap.modifytimestamp = 20030414042710Z
logfile.imap.objectclass = nsmsgCfgLog ,top
logfile.imap.rollovertime = 86400
logfile.imta.buffersize = 0
logfile.imta.createtimestamp = 20030414042710Z
logfile.imta.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
logfile.imta.expirytime = 604800
logfile.imta.flushinterval = 60
logfile.imta.logdir = /A1000/demo6789/ims52/msg-sparc5-1/log/imta
logfile.imta.loglevel = Notice
logfile.imta.logtype = NscpLog
logfile.imta.maxlogfiles = 10
logfile.imta.maxlogfilesize = 2097152
logfile.imta.maxlogsize = 20971520
logfile.imta.minfreediskspace = 5242880
logfile.imta.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
logfile.imta.modifytimestamp = 20030414042710Z
logfile.imta.objectclass = nsmsgCfgLog ,top
logfile.imta.rollovertime = 86400
logfile.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
logfile.modifytimestamp = 20030414042707Z
logfile.objectclass = nsmsgCfgContainer ,top
logfile.pop.buffersize = 0
logfile.pop.createtimestamp = 20030414042710Z
logfile.pop.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
logfile.pop.expirytime = 604800
logfile.pop.flushinterval = 60
logfile.pop.logdir = /A1000/demo6789/ims52/msg-sparc5-1/log/pop
logfile.pop.loglevel = Notice
logfile.pop.logtype = NscpLog
logfile.pop.maxlogfiles = 10
logfile.pop.maxlogfilesize = 2097152
logfile.pop.maxlogsize = 20971520
logfile.pop.minfreediskspace = 5242880
logfile.pop.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
logfile.pop.modifytimestamp = 20030414042710Z
logfile.pop.objectclass = nsmsgCfgLog ,top
logfile.pop.rollovertime = 86400
logfiles.admin.alias = |logfile|admin
logfiles.admin.createtimestamp = 20030414042707Z
logfiles.admin.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
logfiles.admin.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
logfiles.admin.modifytimestamp = 20030414042707Z
logfiles.admin.objectclass = nsmsgCfgAlias ,top
logfiles.createtimestamp = 20030414042707Z
logfiles.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
logfiles.default.alias = |logfile|default
logfiles.default.createtimestamp = 20030414042708Z
logfiles.default.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
logfiles.default.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
logfiles.default.modifytimestamp = 20030414042708Z
logfiles.default.objectclass = nsmsgCfgAlias ,top
logfiles.http.alias = |logfile|http
logfiles.http.createtimestamp = 20030414042710Z
logfiles.http.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
logfiles.http.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
logfiles.http.modifytimestamp = 20030414042710Z
logfiles.http.objectclass = nsmsgCfgAlias ,top
logfiles.imap.alias = |logfile|imap
logfiles.imap.createtimestamp = 20030414042710Z
logfiles.imap.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
logfiles.imap.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
logfiles.imap.modifytimestamp = 20030414042710Z
logfiles.imap.objectclass = nsmsgCfgAlias ,top
logfiles.imta.alias = |logfile|imta
logfiles.imta.createtimestamp = 20030414042710Z
logfiles.imta.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
logfiles.imta.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
logfiles.imta.modifytimestamp = 20030414042710Z
logfiles.imta.objectclass = nsmsgCfgAlias ,top
logfiles.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
logfiles.modifytimestamp = 20030414042707Z
logfiles.objectclass = nsmsgCfgContainer ,top
logfiles.pop.alias = |logfile|pop
logfiles.pop.createtimestamp = 20030414042710Z
logfiles.pop.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
logfiles.pop.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
logfiles.pop.modifytimestamp = 20030414042710Z
logfiles.pop.objectclass = nsmsgCfgAlias ,top
modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
modifytimestamp = 20030414042706Z
nsclassname = "[email protected]@cn=admin-serv-sparc5-1, cn=Netscape Administration Server, cn=Server Group (2), cn=sparc5-1.central.sun.com, ou=sparc5-1.central.sun.com, o=NetscapeRoot"
objectclass = top ,nsConfig ,nsAdminObject
pipeprograms.createtimestamp = 20030414042708Z
pipeprograms.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
pipeprograms.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
pipeprograms.modifytimestamp = 20030414042708Z
pipeprograms.objectclass = nsmsgCfgContainer ,top
service.authcachesize = 10000
service.authcachettl = 900
service.createtimestamp = 20030414042708Z
service.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
service.dcroot = o=internet
service.defaultdomain = sparc5-1.central.sun.com
service.dnsresolveclient = no
service.http.allowadminproxy = no
service.http.allowanonymouslogin = no
service.http.createtimestamp = 20030414042710Z
service.http.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
service.http.enable = yes
service.http.enablesslport = yes
service.http.fullfromheader = no
service.http.idletimeout = 3
service.http.ipsecurity = yes
service.http.maxmessagesize = 5242880
service.http.maxpostsize = 5242880
service.http.maxsessions = 6000
service.http.maxthreads = 250
service.http.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
service.http.modifytimestamp = 20030414042711Z
service.http.numprocesses = 1
service.http.objectclass = nsmsgCfgHttp ,top
service.http.plaintextmincipher = 0
service.http.port = 80
service.http.resourcetimeout = 900
service.http.sessiontimeout = 7200
service.http.smtpport = 25
service.http.spooldir = /A1000/demo6789/ims52/msg-sparc5-1/http
service.http.sslcachesize = 0
service.http.sslport = 443
service.http.sslusessl = yes
service.imap.allowanonymouslogin = no
service.imap.banner = "%h %p service (%P %V)"
service.imap.createtimestamp = 20030414042710Z
service.imap.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
service.imap.enable = yes
service.imap.enablesslport = yes
service.imap.idletimeout = 30
service.imap.maxsessions = 4000
service.imap.maxthreads = 250
service.imap.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
service.imap.modifytimestamp = 20030414042711Z
service.imap.numprocesses = 1
service.imap.objectclass = nsmsgCfgImap
service.imap.plaintextmincipher = 0
service.imap.port = 143
service.imap.sslcachesize = 0
service.imap.sslport = 993
service.imap.sslusessl = yes
service.ldapmemcache = no
service.ldapmemcachesize = 131072
service.ldapmemcachettl = 30
service.listenaddr = INADDR_ANY
service.loginseparator = @
service.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
service.modifytimestamp = 20030414042708Z
service.objectclass = nsmsgCfgService ,top
service.plaintextloginpause = 0
service.pop.allowanonymouslogin = no
service.pop.banner = "%h %p service (%P %V)"
service.pop.createtimestamp = 20030414042710Z
service.pop.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
service.pop.enable = yes
service.pop.idletimeout = 10
service.pop.maxsessions = 600
service.pop.maxthreads = 250
service.pop.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
service.pop.modifytimestamp = 20030414042711Z
service.pop.numprocesses = 1
service.pop.objectclass = nsmsgCfgPop ,top
service.pop.plaintextmincipher = 0
service.pop.popminpoll = 0
service.pop.port = 110
service.pop.sslusessl = yes
service.readtimeout = 10
store.admins = admin
store.cleanupage = 1
store.createtimestamp = 20030414042710Z
store.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
store.dbcachesize = 16777216
store.defaultacl = "anyone lrs"
store.defaultmailboxquota = -1
store.defaultmessagequota = -1
store.defaultpartition = primary
store.diskflushinterval = 15
store.expirerule.createtimestamp = 20030414042710Z
store.expirerule.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
store.expirerule.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
store.expirerule.modifytimestamp = 20030414042710Z
store.expirerule.objectclass = nsmsgCfgContainer ,top
store.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
store.modifytimestamp = 20030414042710Z
store.objectclass = nsmsgCfgStore ,top
store.partition.createtimestamp = 20030414042710Z
store.partition.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
store.partition.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
store.partition.modifytimestamp = 20030414042710Z
store.partition.objectclass = nsmsgCfgContainer ,top
store.partition.primary.createtimestamp = 20030414042710Z
store.partition.primary.creatorsname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
store.partition.primary.modifiersname = "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
store.partition.primary.modifytimestamp = 20030414042710Z
store.partition.primary.objectclass = nsmsgCfgPartition ,top
store.partition.primary.path = /A1000/demo6789/ims52/msg-sparc5-1/store/partition/primary
store.quotaenforcement = on
store.quotaexceededmsginterval = 7
store.quotagraceperiod = 120
store.quotanotification = off
store.quotawarn = 90
store.serviceadmingroupdn = "cn=Service Administrators, ou=Groups, o=isp"
store.umask = 077

Provisioning

Once you know the system is installed and operational, the next major task is most likely how best to add and remove users, sometimes also called accounts or other terms. In the ISP world, the term used to describe this process is provisioning. As with many things, there is often more than one way or method of accomplishing the task, and provisioning users or accounts is no different. Provisioning sometimes assumes starting a new user from scratch, but it may in fact be one of the steps in the migration process from an organization's older mail system. This chapter approaches it from the new-user perspective, though the approach is not totally different when doing this as part of a migration. Some additional issues are discussed in Chapter 11, "Migration," on page 167.

Technically there may be many ways of provisioning, but there are really four main methods:
- Administration Console: Sun ONE Administration Console
- Web: delegated administration for messaging and collaboration, or Identity Server
- CLI: command-line interface for the iPlanet Delegated Administrator
- LDAP: direct interaction with the directory server via LDAP
Ultimately, these methods (FIGURE 5-2) all interact with the Messaging Server in two places: the directory server and the mailstore. One thing to note is that creating user information in the directory does not create the physical mailbox in the mailstore, nor does creating the mailbox (folder) in the mailstore create the user information in the directory. The tricky part is creating the user information in the directory with the appropriate attributes (fields) and having the users authenticate with the messaging system.
FIGURE 5-2 Administration Interfaces Architecture Overview
The following sections examine each of the four provisioning methods and outline some of the pros and cons of each.

Administration Console

The Sun ONE Administration Console is a Java program that can be executed locally on the mail system or in a distributed (remote) fashion on any system supporting the Java Runtime Environment (JRE) 1.1.8. It connects to an administration process (daemon) through HTTP or HTTPS. The administration console provides very low-level access to most parts of the messaging system, including the Messaging Server, Directory Server, and Web Server. This access includes configuration data, user data, log data, and so forth. As such, it is primarily used for configuration and debugging purposes, not as a day-to-day way of administering the system.
[FIGURE 5-2 diagram: browser, web, and CLI clients; administration console (Java application); administration daemon, reached over HTTP; directory, reached over HTTP]
Note – Occasionally problems exist when starting the Messaging Server Administration Console and remotely displaying the results. The splash logo can block the login entry box. To work around this issue you can start the Messaging Server Administration Console without the splash graphic by using the command startconsole -x nologo.
While it is possible to add users or change user information by using the administration console, it is typically reserved for configuration and diagnostic functions by the highest-level administrators. An example of an appropriate use would be to configure the messaging server to accept IMAP over SSL connections. An example of poor usage for the administration console would be to add twenty user accounts, or even one user account for that matter.
- Speed: Not zippy
- Ease of use: Good
- Access to functions: Very low level, most of the system
- Input checking: Little, if any
- Not customizable
You should equate the administration console to root or highest-level administration access, and as such it should be reserved for use by only those persons performing these duties on the messaging system.
Web
Another way to administer the Messaging Server is via the Web. Actually, there are two ways to use the Web to administer the system: the Administration Web Interface and the Delegated Administrator for Messaging. The two methods are very different.

The Administration Web Interface provides basic administration function access such as starting, stopping, restarting, backup, and restoration functions for some of the services of the Messaging Server. It is primarily designed for help desk personnel with minimum training and limited duties, as well as for remote administration work when using the Java-based administration console is not possible.

The Delegated Administrator for Messaging (FIGURE 5-3) provides more user and domain management functionality for help desk and self-service end users. Functions for help desk personnel include adding, removing, and changing user information (if permitted). The functionality of the Delegated Administrator for Messaging can be restricted to provide specific help desk administrators for each domain within the messaging system as well as user administrators for each domain, which can ultimately reduce the burden of administration for the main administrators. For end users, this interface can be used to access functions such as mailing list management, vacation messages, mail filters, user information, and so forth, if permitted.

Overall these web interfaces are aimed at the help desk and end user population.
They are not the fastest methods of administration, but they provide easy-to-use interfaces for occasional use. Because they are web pages (HTML, JavaScript, and servlets), these interfaces can be customized for your specific organization. So if you do not want people to be able to change their password or basic information via the Delegated Administrator interface, it can be modified to remove these options.

- Speed: Good
- Ease of use: Very good
- Access to functions: Help desk and basic administrator functions, end user self service
- Input checking: Some, but can be extended easily
- Customizable
Command-Line Interface
The functions to provision users and mail accounts in the Messaging Server are available from the command-line interface (CLI). This interface provides the ability to automate and program (script) your organization's business rules regarding user and mail account provisioning.

Note – The command-line interface is really an interface into the Delegated Administrator, not directly into the Directory Server or the Messaging Server. You may see the terms CLI, Netscape Delegated Administrator (NDA) CLI, and iPlanet Delegated Administrator (IDA) CLI used interchangeably in this section.
FIGURE 5-3 Delegated Administrator for Messaging

This low-level interface is not designed for end users at all, and is typically reserved for the highest level of administrators or for help desk personnel via automation (scripts) only. It is very possible to add and delete thousands of users or accounts in minutes by using the CLI. It has the capability to quickly add and delete or otherwise mess up the Messaging Server, so treat it as you would root access on the server. This includes security issues such as ensuring that the production server is installed with appropriate users and groups as well as applying other security precautions.
Another use of the CLI is to perform debugging and diagnostic work. There are several commands as well as options that provide the ability to trace email paths and routing and look at the functioning of the various daemons. For more information, see Chapter 14 of the iPlanet Messaging Server Administrator's Guide or go to:
http://docs.sun.com/source/816-6009-10/trblesho.htm#13833.

Overall, the command-line interface provides one of the best ways to automate and perform bulk adds, deletes, and modifications quickly, plus implement an organization's policy regarding messaging.

- Speed: Good
- Ease of use: Good
- Access to functions: Very low level, scripts and senior administrators only
- Input checking: Some, but completely customizable
- Very customizable

CODE EXAMPLE 5-3 Sample CLI Showing Creation of "testuser" Account

root@sparc5-1:/A1000/demo6789/ims52/ndacli/bin> ./imadmin usercreate -l testuser -W password -F Test -L User [email protected] -w bacon -n sparc5-1.central.sun.com -H [email protected]: create user succeeded.
root@sparc5-1:/A1000/demo6789/ims52/ndacli/bin>

Lightweight Directory Access Protocol

Ultimately, everything (the administration console, the web interfaces, and the CLI) interacts with the directory in some manner. So performing provisioning work by interacting with the directory using LDAP is not only possible, but very much like the NDA CLI in terms of capabilities.

Direct interaction using LDAP provides most of the benefits of the CLI without access to the very low-level utilities and commands. It is also one of the best ways to automate and perform bulk adds, deletes, and modifications, along with the CLI. And, just like the CLI, it can be used to enforce and implement an organization's policy regarding messaging. Direct interaction with the LDAP directory and its contents also means additional security precautions are necessary. Direct manipulation or access should be reserved for the highest-level administrators.
Access for help desk personnel or lower-level administrators should be done only through scripts or other methods that can add additional checking and precautions. For more information see Chapter 10, "Security," on page 153.

- Speed: Excellent
- Ease of use: Good
- Access to functions: Not as low level as the CLI, but still for scripts and senior administrators only
- Input checking: Some, but completely customizable
- Very customizable
User Commands                                                ldapmodify(1)

NAME
     ldapmodify, ldapadd - ldap entry addition and modification tools

SYNOPSIS
     ldapmodify [ -a ] [ -b ] [ -c ] [ -r ] [ -n ] [ -v ] [ -F ]
          [ -d debuglevel ] [ -D binddn ] [ -w passwd ] [ -h ldaphost ]
          [ -M authentication ] [ -p ldapport ] [ -f file ]
          [ -l nb-ldap-connections ]

     /opt/SUNWconn/ldap/bin/ldapadd [ -b ] [ -c ] [ -n ] [ -v ] [ -F ]
          [ -d debuglevel ] [ -D binddn ] [ -w passwd ] [ -h ldaphost ]
          [ -p ldapport ] [ -f file ] [ -l nb-ldap-connections ]

DESCRIPTION
     ldapmodify opens a connection to an LDAP server, binds, and modifies or adds entries. The entry information is read from standard input or from file, specified using the -f option. ldapadd is implemented as a hard link to the ldapmodify tool. When invoked as ldapadd the -a (add new entry) option is turned on automatically.
CODE EXAMPLE 5-4 Sample Template

dn: uid=<uid>, ou=people, o=<hostname_fqdn>, o=isp
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: inetUser
objectClass: ipUser
objectClass: nsManagedPerson
objectClass: userPresenceProfile
objectClass: inetMailUser
objectClass: inetLocalMailRecipient
mail: <uid>@<hostname_fqdn>
mailUserStatus: active
dataSource: NDA 4.5 Delegated Administrator
mailHost: <hostname_fqdn>
givenName: History
cn: <first_name> <last_name>
uid: <uid>
sn: <last_name>
mailDeliveryOption: mailbox
inetUserStatus: active
userPassword: <password>
creatorsName: uid=serviceadmin,ou=people,o=<hostname_fqdn>,o=isp
modifiersName: uid=msg-admin-<hostname_fqdn>-20020710153937,ou=people,o=<hostname_fqdn>,o=isp
createTimestamp: 20030414044513Z
modifyTimestamp: 20030414051012Z
nsUniqueId: d5cba701-1dd111b2-80cac302-81db34e7
nswmExtendedUserPrefs: meDraftFolder=Drafts
nswmExtendedUserPrefs: meSentFolder=Sent
nswmExtendedUserPrefs: meTrashFolder=Trash
nswmExtendedUserPrefs: meInitialized=true
pabURI: ldap://<hostname_fqdn>:389/ou=<uid>, ou=people, o=<hostname_fqdn>, o=isp,o=pab

Methods Analysis

After discussing the four methods of provisioning at a high level, the question "What is the one way to do provisioning?" still remains. The answer is that it depends on the specific needs of your organization, including the end users, the administration staff, and the organization as a whole. Several factors, including which features are needed (such as vacation messages or mailing lists), may require the use of the Delegated Administrator for Messaging interface to some degree. Other factors include account turnover, skills of the administration staff, organizational policies, and so forth.

As a general rule, the best practices are:
Administration console
- Top administrators only, for configuration
- Diagnostics and tuning only

Web
- Help desk and end-user self service
- Customize or write your own scripts. Use those provided as examples.
- Exceptions to bulk add and delete scripts. (There will always be exceptions.)
- Main provisioning interface for small organizations or others with minimal account additions and deletions, approximately one addition and deletion per day. (3,000 accounts with a ten-percent change per year equals 300 accounts added or deleted per year.)

CLI/LDAP
- Automate as much as possible.
- Should handle 99+ percent of the work.
- Exceptions handled by web or help desk personnel. (There will always be exceptions.)
Issues
There are many issues beyond which method is best or which method to use for provisioning. The remainder of this chapter uses the example of a university trying to automate the provisioning of its messaging system. Once automation has been decided upon, the most significant issues are:

- Authoritative sources
- Data feeds
- User ID

Each of these issues must be addressed and documented for the smooth provisioning of the messaging system. The following sections examine each of these issues in more detail and provide example scripts to show how this all comes together.
Authoritative Sources
When provisioning users or accounts, some basic information is required: at a minimum, user ID, password, and the email address to be used. The Messaging Server includes a directory server, so many organizations also use this to provide basic directory services to various LDAP-enabled applications such as Microsoft Outlook or Netscape Communicator. Realistically, you may want more information, such as full name and a phone number.

So, what is an authoritative source? An authoritative source is a source where the information or data is known to be accurate and up to date, and is most likely located where the information originates within the organization. In some cases it is not possible to integrate directly with the original source, but if something contains the same information and is as up to date, it can be said to be authoritative too. Simply put, information or data just does not suddenly appear from thin air; rather, it is the end result of a business process or part of a business process. A good example is the human resources (HR) system within an organization as an authoritative source on employees. Since you must go through the various HR processes and procedures to be an employee, it is highly likely that the HR system (database) is an authoritative source for employee information. Why? Legal and regulatory requirements as well as accounting (payroll). So it is pretty safe to say that a person who is not in the HR database is not an employee. Is this always true? No, but it does address at least 99 percent of the cases.

Regardless, think of this as a business workflow exercise, and ask the question "How does the organization get someone's identity, be they an employee, contractor, or whatever, before providing network or computing access?" Is it simply a matter of an email coming from a manager, or is it more formal, requiring that the person be in the payroll system too?
Typical authoritative sources might be:

- Human resource system (HRS)
- Student information system (SIS)
- Directory Server database
- Information systems database
- Contractor/vendor database
- Visiting guest database

In some organizations, there may actually be multiple sources from which information is available. Which source is valid depends upon a person's function or duties. Depending upon security requirements, you may also be required to check multiple sources to ensure that the person appears in all of them.
Data Feeds
Now that the authoritative data sources and their owners have been identified, the next issue faced when automating the provisioning process, either via the CLI or direct LDAP integration, is getting the data from the authoritative data sources. This requires input and agreement from the authoritative data source owners.

In a few situations, these authoritative systems or data sources can be directly integrated with the Messaging Server's directory via LDAP, to automatically provision accounts when new users are added to the payroll system or delete them when they are removed from the system. This requires some scripting or configuration on the authoritative source application. An example of this might be PeopleSoft 8's LDAP integration capabilities. However, in most organizations these data sources are not generally accessible, and so direct data extracts or integration is not possible.

Typically, though, there is a separation between the groups who control these systems and the group that administers the messaging system, so many times tying the systems together directly is just not practical or possible. In these situations, the most practical integration is through a comma-delimited file format, usually referred to as a comma-separated values (CSV) file. Then what information is needed, how this file is to be obtained and transferred, and how often must be determined.

This file contains the information necessary to create the messaging account. It also typically contains a flag to indicate the action to be taken: whether this is a new account (add), or an existing account requiring deletion (delete) or updating (modify). There are also two other types of actions possible with the Messaging Server: activate and deactivate. One of the features of the Messaging Server is the ability to deactivate an account or entire domain while maintaining all of its associated information, including passwords, forwarding, address book entries, and so forth. This is a very useful feature in the university setting, where the policy might be to cut off services such as email if accounts are in arrears until such time as parking tickets or library fines are paid. Using this feature, an organization can simply deactivate an account and then easily reactivate it without causing significant amounts of work such as adding the entire account back into the system.
So, the action flag or field in the CSV file might contain something to indicate the following actions:

- ADD
- DELETE
- MODIFY
- ACTIVATE
- DEACTIVATE

Our example uses the following designations to simplify this a bit, yet still represent all the actions:

- ADD
- DEL
- MOD
- ON
- OFF
Generally the file contains the basic information needed to create the record, as stated previously, plus some other information desired to make the directory useful. Often it is not necessary to be too literal, as some information or fields can be derived. An example might be full name, which is really a combination of first and last name. Every organization and authoritative data source is different, though. One thing to look for when using multiple authoritative data sources is fields that are common between them. Use the same fields consistently across all the data sources, if possible.

Since the purpose of this process is to automate the provisioning, the simplest method that does not require human intervention seems to work the best. In many organizations this could be a shared file system or something such as File Transfer Protocol (FTP). This method is something that is worked out between the authoritative data source owner and the messaging administration group. Keep in mind that the feed carries initial passwords, so whatever transfer method is chosen should protect the file in transit and at rest; plain FTP sends both the file and the login credentials in clear text.

How frequently provisioning is done depends upon several factors. How quickly do you need messaging provisioned? Is there adequate CPU power to generate the CSV file as frequently as needed or desired? Some organizations do this nightly so that all new messaging accounts are created sometime between 10 p.m. and 4 a.m., for example. Other organizations desire more frequent updates, thus generating and processing the CSV hourly. Some modification of the scheduling can be done once the basics are working. Perhaps the biggest issue in this area is managing end-user expectations. Were they informed that email accounts are created twice daily, or are they under the assumption that this is done in real time? Sometimes this issue is influenced by existing policy, while other times new policies must be set.

One final issue to consider regarding schedule or frequency is that not all functions have the same requirements. For example, if the policy is that new accounts are created once daily sometime between 10 p.m. and 4 a.m., that does not mean modifications or deletions must wait 24 hours. In some organizations, policy dictates that account deletions must happen within a short period of time for security reasons. So a policy such as this might drive the scheduling to something shorter than once daily.
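The feed-to-directory step described above, as an added example that is not part of the original document and is not a Sun tool: a Python script that reads the CSV feed, honours the ADD, DEL, MOD, ON and OFF codes, and writes LDIF that ldapmodify(1) can apply, laying each new entry out like the sample template in CODE EXAMPLE 5-4. The host name mail.acme.edu, the CSV column order (action, employee number, first name, last name, password, phone), the uid policy (first and last initial plus employee number), the employeeNumber attribute used to find existing accounts, and the value "inactive" for a deactivated inetUserStatus/mailUserStatus are all assumptions, not taken from the page. The sample feed is constructed for the example.

```python
"""Added example, not from the Sun BluePrints text or any Sun tool: turn an
authoritative-source CSV feed into LDIF for ldapmodify(1), using the ADD/DEL/
MOD/ON/OFF action codes above and the entry layout of CODE EXAMPLE 5-4.
Assumed, not from the page: the CSV columns, the uid policy (first and last
initial plus employee number) and "inactive" as the deactivated status value."""
import base64
import csv
import io

HOST = "mail.acme.edu"                      # stands in for <hostname_fqdn>
PEOPLE = f"ou=people,o={HOST},o=isp"
OBJECT_CLASSES = ("top", "person", "organizationalPerson", "inetOrgPerson", "inetUser",
                  "ipUser", "nsManagedPerson", "userPresenceProfile", "inetMailUser",
                  "inetLocalMailRecipient")
ACTIONS = {"ADD", "DEL", "MOD", "ON", "OFF"}

# Constructed sample feed; columns: action,employee_id,first,last,password,phone
SAMPLE_FEED = """\
ADD,10021,Jane,Smith,Corr3ct Horse,555-0101
ADD,10022,John,Sánchez,:starts-with-colon,555-0102
MOD,10021,Jane,Smith-Jones,,555-0199
OFF,10022,,,,
ON,10022,,,,
DEL,10021,,,,
"""


def ldif_line(attr, value):
    """RFC 2849 allows a literal value only if it is printable ASCII without leading
    or trailing space and not starting with ':' or '<'; otherwise base64 it."""
    if (value.isascii() and value.isprintable() and value == value.strip()
            and not value.startswith((":", "<"))):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode()).decode('ascii')}"


def derive_uid(first, last, emp_id):
    """uid policy (assumed): initials plus employee number, e.g. Jane Smith/10021 ->
    js10021. The number gives uniqueness; odd initials are rejected, not dropped."""
    initials = (first[:1] + last[:1]).lower()
    if not (len(initials) == 2 and initials.isascii() and initials.isalpha()
            and emp_id.isdigit()):
        raise ValueError(f"cannot derive uid for {emp_id!r} {first!r} {last!r}")
    return initials + emp_id


def add_record(uid, emp_id, first, last, password, phone):
    lines = [f"dn: uid={uid},{PEOPLE}", "changetype: add"]
    lines += [f"objectClass: {oc}" for oc in OBJECT_CLASSES]
    attrs = [("uid", uid), ("cn", f"{first} {last}"), ("givenName", first), ("sn", last),
             ("employeeNumber", emp_id), ("mail", f"{uid}@{HOST}"), ("mailHost", HOST),
             ("mailDeliveryOption", "mailbox"), ("mailUserStatus", "active"),
             ("inetUserStatus", "active"), ("userPassword", password),
             ("telephoneNumber", phone)]
    return lines + [ldif_line(a, v) for a, v in attrs if v]   # skip empty fields


def modify_record(uid, changes):
    lines = [f"dn: uid={uid},{PEOPLE}", "changetype: modify"]
    for attr, value in changes:
        lines += [f"replace: {attr}", ldif_line(attr, value), "-"]
    return lines


def process_feed(text, existing):
    """Feed -> (ldif, errors, updated mapping). `existing` maps employee number -> uid
    for accounts already in the directory (fill it from an ldapsearch on
    employeeNumber in production). Bad rows are reported and skipped, like -c."""
    known, records, errors = dict(existing), [], []
    for n, row in enumerate(csv.reader(io.StringIO(text)), 1):
        if len(row) != 6 or row[0].strip() not in ACTIONS:
            errors.append(f"line {n}: malformed row or unknown action {row!r}")
            continue
        action, emp_id, first, last, password, phone = (f.strip() for f in row)
        if action == "ADD":
            if emp_id in known:
                errors.append(f"line {n}: {emp_id} already provisioned as {known[emp_id]}")
                continue
            try:
                uid = known[emp_id] = derive_uid(first, last, emp_id)
            except ValueError as exc:
                errors.append(f"line {n}: {exc}")
                continue
            records.append(add_record(uid, emp_id, first, last, password, phone))
        elif emp_id not in known:
            errors.append(f"line {n}: {action} for unknown employee {emp_id}")
        elif action == "DEL":
            records.append([f"dn: uid={known.pop(emp_id)},{PEOPLE}", "changetype: delete"])
        elif action == "MOD":
            changes = [(a, v) for a, v in (("givenName", first), ("sn", last),
                       ("userPassword", password), ("telephoneNumber", phone)) if v]
            if first and last:             # cn is derived, never taken from the feed
                changes.append(("cn", f"{first} {last}"))
            records.append(modify_record(known[emp_id], changes))
        else:                              # ON / OFF: keep the entry, flip its status
            status = "active" if action == "ON" else "inactive"
            records.append(modify_record(known[emp_id], [("inetUserStatus", status),
                                                         ("mailUserStatus", status)]))
    return "\n\n".join("\n".join(r) for r in records) + "\n", errors, known
```

Call process_feed(SAMPLE_FEED, {}) and write the returned LDIF to a file readable only by the provisioning account (it holds initial passwords in the clear), apply it with ldapmodify -c -D binddn -f file (the -c option from the man page excerpt earlier continues past individual failures, which is why the script also reports bad rows instead of aborting), and delete the file afterwards. In production, populate the `existing` mapping from an ldapsearch on employeeNumber so that MOD, ON, OFF and DEL rows resolve to the uid already in the directory rather than re-deriving it; that is what keeps a uid stable when a surname changes. Values that RFC 2849 cannot carry literally, such as the non-ASCII surname and the password beginning with a colon in the sample feed, are base64-encoded rather than written out mangled.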
User ID
Now that the issues of authoritative data sources and data feeds have been addressed, the next issue in provisioning is the user ID and everything that surrounds it. In some ways this is more difficult than the other issues to address because it is more of a policy issue. In some cases, it is necessary to maintain (grandfather) an existing standard for user ID creation for existing users while implementing a new policy for all new users.
Some points to consider when addressing the user ID issue are:

■ User IDs must be unique.

  This can be within the entire messaging system or within each domain, that is, acme.edu. However, if IDs are unique only within each domain, users will be required to log in with their user ID plus domain, for example, jsmith@acme.edu, whereas if user IDs are unique across the entire messaging system users can log in using only their user ID, for example, jsmith. This can affect other issues, though.

  How do you ensure uniqueness? That can be difficult. Very few pieces of information about someone are completely unique. First name? No. Last name? No. First name plus last name? No. Social Security number? Pretty much, but there is a privacy issue. One possible answer is to make the user ID a derivative of the unique field from the authoritative source. This could be keyed on the Social Security number or the employee ID number without actually exposing the Social Security number itself. Perhaps the person's first and last initials plus the employee ID number could be used. Note that even a fragment of the Social Security number (the last four digits, for instance) is still sensitive data, so a derived ID must not be reversible to it; use the number only as the lookup key and build the visible ID from something else.

■ Does not have to be tied to email address or name

  One common misconception is that a user's email address and user ID are the same thing. This is not necessarily true. While the two are linked together, they do not have to contain even remotely the same information. For example, the user ID could be a12345 while the email address associated with it could be <first>.<last>@acme.edu. The Messaging Server has the ability to assign multiple addresses to a single user ID. You must configure a primary email address at a minimum, but you can assign numerous alternate email addresses. So while the user ID is a12345 and the primary email address is <first>.<last>@acme.edu, it is quite possible to also assign several other forms of the person's name at acme.edu as alternate addresses. While there are other methods within the Messaging Server to do this, often a way to provide backward compatibility to older messaging environments is needed. An example might be that Acme University is consolidating two messaging servers into a single server. One was for faculty and staff (<user>@acme.edu) and one was for students (<user>@<student-domain>). Using the alternate address capabilities, it is possible to assign <user>@acme.edu as the primary email address and <user>@<student-domain> as the alternate address, so that email sent to the old address still arrives in the user's inbox.
■ Organization's single sign on (SSO) strategy

  Since one part of the system is an LDAP-compliant directory server, it can be leveraged as the beginning of an organization-wide directory and authentication server. In some organizations, efforts to consolidate sign on and authentication sources are already underway. In others, consolidation is only a notion, and in still others, it is not even being considered. Rather than implement a messaging system with one set of user IDs today, only to have to rename the user IDs a short time later, it is worth finding out whether an SSO strategy or project is underway.
■ Goal and overall design of email system

  There is a significant difference between an email system designed for an ISP and one designed for an enterprise. One goal in some organizations might be an email address for life. This means that the user ID and primary email address can never be reused. This is very close to the next and final issue.

■ Turnover (churn) in user population

  As with telephone or cellular carriers, churn or turnover in the user population is a key factor in operations in several ways. For a messaging system, it is not only an issue regarding provisioning method determination (that is, web interface versus CLI batch) but also the reuse and provisioning of user IDs and email addresses. Suppose your organization has a 25 percent change in user population each year. That means in four years almost every user ID and email address in the messaging system will no longer be valid. If you have a jsmith user ID with a jsmith@acme.edu email address, how soon can you safely reuse this address and user ID? Bear in mind that reusing an address hands the new owner any mail, password resets and account notices still being sent to the old one.
Sample Data File

For the samples, the user ID is derived from the person's first and last name, using the person's first initial plus their last name, so John B. Smith gets the user ID jsmith. Should that user ID already exist in the system, you must add the person's middle initial. So, the user ID would be jbsmith if jsmith already exists. If this fails, the help desk can manually create the user ID in the system from the exception log.

This example can easily be extended further with the first two initials of the first name, plus the middle initial, plus the last name, but we kept the example short to make it easier to understand.

So now you know that you need the action flags, the person's first name, the middle initial, and the last name. You can also add the person's phone number to the directory for the user to make the directory slightly more useful. As for the user's email address, use a simple view here and configure the email address with the user ID. So user jsmith's email address is jsmith@acme.edu. This could as easily have been set to a name-based form such as <first>.<last>@acme.edu.

ADD,Dave,,Pickens
ADD,Steve,D,Thomas
ADD,Steve,B,Thomas
ADD,Paul,B,Smith
You must know the person's user ID when the person already exists in the messaging system, for operations such as DEL, ON or OFF. Assume that the user ID is available as part of the comma-delimited file in these cases:

OFF,pbunyan
ON,bblueox
DEL,ssimon

Sample Provisioning Script

A provisioning script that actually automates everything based on the sample data file is located at:

http://ims.balius.com/.

Test User Generation Script

This script generates a sample user file that can be used as input in the previous provisioning script. It differs from the sample data file in that it will create any number of unique users from 1 to n. This script can be used to create hundreds or thousands of test accounts as needed.

CODE EXAMPLE 5-5 Test User Script Usage Example

#!/bin/csh
#
# This script adds demo accounts.
# Each test user's password is set to the same value as the user ID
# (the -W argument); $passwd is the Service Administrator password
# that imadmin binds with (the -w argument).
#
# Both passwords appear on the imadmin command line and are therefore
# visible to other users of the system through ps while each command
# runs; keep this script readable by root only (chmod 700) and use it
# on test systems.
if ( $#argv != 1 ) then
    echo "Wrong number of arguments"
    echo "Usage: $0 {number}"
    echo ""
    echo "where {number} is the number of test accounts to add"
    exit 1
endif

set INSTALL_DIR = /A1000/demo6789/ims52
set mailhost = sparc5-1.central.sun.com
set passwd = bacon
set x = $1

cd $INSTALL_DIR/ndacli/bin
while ( $x > 0 )
    ./imadmin user create -l test${x} -W test${x} \
        -F Test${x} -L User -D serviceadmin@$mailhost \
        -w $passwd -n $mailhost -H $mailhost
    set x = `expr $x - 1`
end

Edit the code for your specific installation. Replace the following variables:

■ INSTALL_DIR is the install directory where you installed the Messaging Server.
■ mailhost is the fully qualified name of the Messaging Server.
■ passwd is the Service Administrator password for your installation.

CODE EXAMPLE 5-6 Add Test User Script Error Message

root@sparc5-1:/> ./add_demo_users.csh
Wrong number of arguments
Usage: ./add_demo_users.csh {number}

CODE EXAMPLE 5-7 Add Test User Completion Message

root@sparc5-1:/> ./add_demo_users.csh 10
test10@sparc5-1.central.sun.com: create user succeeded.
test9@sparc5-1.central.sun.com: create user succeeded.
test8@sparc5-1.central.sun.com: create user succeeded.
test7@sparc5-1.central.sun.com: create user succeeded.
test6@sparc5-1.central.sun.com: create user succeeded.
test5@sparc5-1.central.sun.com: create user succeeded.
test4@sparc5-1.central.sun.com: create user succeeded.
test3@sparc5-1.central.sun.com: create user succeeded.
test2@sparc5-1.central.sun.com: create user succeeded.
test1@sparc5-1.central.sun.com: create user succeeded.
root@sparc5-1:/>
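As an added example (not the BluePrint's own provisioning script, which lives at ims.balius.com), the following Python program implements the user ID policy described under Sample Data File: first initial plus last name, then first initial plus middle initial plus last name on a collision, and otherwise an entry in an exception log for the help desk. It also processes the DEL, ON and OFF records, which carry the user ID itself, and by default treats a deleted ID as still taken, which is the address-for-life policy from the churn discussion. The feed, the set of IDs already in the directory, and the acme.edu domain are constructed for the example; a real script would load the existing IDs from the directory.

```python
"""Added example: user ID derivation for the sample provisioning data file.

Not the BluePrint's provisioning script. Implements the policy from the
"Sample Data File" section: first initial + last name, then first initial +
middle initial + last name on a collision, otherwise an exception-log entry
for the help desk. DEL/ON/OFF records carry the user ID itself.
"""
import csv
import io
import re

DOMAIN = "acme.edu"   # the chapter's example domain (assumption for this example)


def normalize(part):
    """Lower-case a name part and keep letters only ("O'Brien" -> "obrien")."""
    return re.sub(r"[^a-z]", "", part.lower())


def candidate_ids(first, middle, last):
    """Yield candidate user IDs in policy order."""
    f, m, l = normalize(first), normalize(middle), normalize(last)
    if f and l:
        yield f[0] + l                 # jsmith
        if m:
            yield f[0] + m[0] + l      # jbsmith


def provision(csv_text, existing_ids, reuse_after_delete=False):
    """Process one CSV feed.

    Returns (adds, changes, exceptions):
      adds        list of (user_id, primary_address, first, middle, last)
      changes     list of (action, user_id) for DEL/ON/OFF records
      exceptions  list of (record, reason) for the help desk's exception log
    existing_ids holds every ID already in the directory. With
    reuse_after_delete=False (the "address for life" policy) a deleted ID
    stays reserved and is never handed to a new user.
    """
    taken = set(existing_ids)
    adds, changes, exceptions = [], [], []
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or not row[0].strip():
            continue                                   # blank line
        action = row[0].strip().upper()
        if action == "ADD":
            if len(row) != 4:
                exceptions.append((row, "ADD needs FIRST,MIDDLE,LAST"))
                continue
            first, middle, last = (x.strip() for x in row[1:4])
            user_id = next((c for c in candidate_ids(first, middle, last)
                            if c not in taken), None)
            if user_id is None:
                exceptions.append((row, "no unique user ID under policy"))
                continue
            taken.add(user_id)                         # stays unique within this run too
            adds.append((user_id, f"{user_id}@{DOMAIN}", first, middle, last))
        elif action in ("DEL", "ON", "OFF"):
            if len(row) != 2 or not row[1].strip():
                exceptions.append((row, f"{action} needs USERID"))
                continue
            user_id = row[1].strip()
            if user_id not in taken:
                exceptions.append((row, "unknown user ID"))
                continue
            if action == "DEL" and reuse_after_delete:
                taken.discard(user_id)
            changes.append((action, user_id))
        else:
            exceptions.append((row, f"unknown action {action!r}"))
    return adds, changes, exceptions


# Constructed feed: the chapter's four ADD records, one collision that cannot
# be resolved under the policy, and the DEL/ON/OFF records.
SAMPLE_FEED = """\
ADD,Dave,,Pickens
ADD,Steve,D,Thomas
ADD,Steve,B,Thomas
ADD,Steve,,Thomas
ADD,Paul,B,Smith
OFF,pbunyan
ON,bblueox
DEL,ssimon
"""
# Constructed: IDs already in the directory (psmith forces Paul B. Smith to pbsmith).
EXISTING_IDS = {"pbunyan", "bblueox", "ssimon", "psmith"}

if __name__ == "__main__":
    adds, changes, exceptions = provision(SAMPLE_FEED, EXISTING_IDS)
    for a in adds:
        print("ADD", a[0], a[1])
    for c in changes:
        print(*c)
    for rec, why in exceptions:
        print("EXCEPTION", ",".join(rec), "->", why)
```

The second Steve Thomas gets sbthomas because sthomas was taken earlier in the same run, and the third, who has no middle initial, lands in the exception log exactly as the text prescribes. Switching reuse_after_delete to True is the alternative policy in which a DEL frees the ID for the next matching name.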
CHAPTER 6

Software Installation and Configuration
This chapter provides information and caveats that you may need during the installation phase of the overall messaging environment. It also discusses scalability issues. For additional details, refer to the iPlanet Messaging Server Installation Guide for UNIX. The chapter discusses the pros and cons of various answers to configuration questions and installation options so that you can avoid post-installation pitfalls, whether they are related to flexibility (that is, top domain name selection in the directory), scalability, availability, performance, or ease of use. Thus, this chapter covers items not found in the current documentation and conveys information that can only be learned through experience.

Now that the system or systems have been prepared by following the instructions in Chapter 4, "Installation Preparation," on page 31, you can start the actual installation of the messaging server software. This process is relatively quick; more time is actually spent during configuration than installation.

Currently, the latest version of the Messaging Server software is 5.2, which will most likely change by the time you read this book. The Messaging Server software contains everything necessary to do a valid installation (Messaging Server, Directory Server, and Web Server software); however, it is advisable to install the latest version of the Directory Server software because the Messaging Server version 5.2 software contains an older version of the Directory Server. This adds a step or two to the install process, but it is not any more complicated than a normal installation.
This chapter covers the following topics:

■ Simple Installation
■ Automated Installation Script

Performing the procedures in this chapter installs the following software:

■ Sun ONE Messaging Server 5.2 software
■ Sun ONE Directory Server 5.1 Patch 1 software
■ Sun ONE Web Server 6.0 software
■ Sun ONE Messaging Server 5.2 Patch 1 software
■ Sun ONE Calendar Server 5.1.1 software (optional)

You can download this software from the Sun ONE web site at:

http://wwws.sun.com.

Follow the link for downloads.
Note – Read the release notes for any last-minute operating system patches required for the software. Then download and apply these to the system.
The simplest configuration, as outlined in Chapter 3, "Messaging Architectures," on page 15, is the "messaging in a box" or everything-all-on-one-server architecture.
The Messaging Server software differs slightly from the preceding list due to the addition of several administration ports, as you can see from the diagram in FIGURE 6-1.

FIGURE 6-1 Simple Architecture With Administration Ports

(The figure shows a single server with its storage; the functions the server exposes and their ports are listed below.)

Function                        Port
WebMail                         80
SMTP                            25
POP                             110
IMAP                            143
LDAP                            389
Directory administrator         54321
Messaging administrator         55555
Delegated administrator         88
Web server administrator        8888
Calendar server                 81

One of the first steps in the installation process is to plan which ports will be used for the various connections. It is likely that you will elect to use the default ports for:

■ SMTP—25
■ POP—110
■ IMAP—143
■ LDAP—389

And it is likely that you will want to use:

■ Webmail—80

The default port of 80 may be in use on your system for a web server. Often, web servers such as Apache are installed and configured by default.
However, several administrator ports must be configured:

■ Directory Administrator Console—Java-based GUI administrator for the messaging directory
■ Messaging Administrator Console—Java-based GUI administrator for messaging
■ Delegated Administrator—web-based GUI for messaging
■ Web Server Administrator Console—web-based GUI for the Web Server

You can use any port that is not currently in use and does not conflict with the others listed previously. For the procedure in this chapter use:

■ Messaging Administrator Server—55555
■ Directory Administrator Server—54321
■ Delegated Administrator Server—88
■ Web Server Administrator Port—8888

These administration ports give full control of the servers, so restrict them to the hosts you administer from (host firewall or network ACL) rather than exposing them alongside the user-facing SMTP, POP, IMAP and WebMail ports.
If you are unsure of whether a port is in use, on UNIX systems you can check using the netstat command:

# netstat -an
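As an added example (not part of the BluePrint), the following Python program turns the netstat -an check into something repeatable: it parses netstat output, collects the TCP ports in LISTEN state, and compares them with the port plan from FIGURE 6-1, so a default Apache on 80 or a running sendmail on 25 shows up before the installer fails on the port. The netstat text is constructed for the example; live_conflicts() runs netstat -an on the local host when netstat is installed.

```python
"""Added example: check the planned ports against `netstat -an` output.

Not from the BluePrint. The port plan is the one in FIGURE 6-1 / TABLE 6-1;
the sample netstat text is constructed for this example and shows a host
that already runs sshd (22), sendmail (25), a default Apache (80), rpcbind
(111) and something on 8888, so three of the planned ports would conflict.
"""
import re
import subprocess

PLANNED_PORTS = {
    "SMTP": 25,
    "POP": 110,
    "IMAP": 143,
    "LDAP": 389,
    "WebMail": 80,
    "Messaging Administration Server": 55555,
    "Directory Administration Server": 54321,
    "Delegated Administrator (web server)": 88,
    "Web Server Administration": 8888,
}

# A local-address token: "*.25" or "10.1.1.5.22" (Solaris), "0.0.0.0:80" or ":::389" (Linux).
_ADDR_PORT = re.compile(r"^(\S*)[.:](\d+)$")


def listening_ports(netstat_text):
    """Return the set of TCP ports in LISTEN state found in netstat -an output.

    Works for both the Solaris layout (local address is the first column) and
    the Linux layout (local address is the fourth column): the first token that
    looks like address.port or address:port on a LISTEN line is the local address.
    """
    ports = set()
    for line in netstat_text.splitlines():
        if "LISTEN" not in line.split():
            continue
        for token in line.split():
            m = _ADDR_PORT.match(token)
            if m:
                ports.add(int(m.group(2)))
                break
    return ports


def port_conflicts(planned, listening):
    """Map each planned service to its port if something already listens there."""
    return {name: port for name, port in planned.items() if port in listening}


def live_conflicts(planned=PLANNED_PORTS):
    """Run netstat -an on this host (requires netstat) and report conflicts."""
    out = subprocess.run(["netstat", "-an"], capture_output=True, text=True, check=True).stdout
    return port_conflicts(planned, listening_ports(out))


# Constructed sample: Solaris-style netstat -an TCP section plus one Linux-style
# line to show that the parser accepts either layout.
SAMPLE_NETSTAT = """\
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN
      *.25                 *.*                0      0 49152      0 LISTEN
      *.80                 *.*                0      0 49152      0 LISTEN
      *.111                *.*                0      0 49152      0 LISTEN
10.1.1.5.22          10.1.1.9.51234     49640      0 49640      0 ESTABLISHED
tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN
"""

if __name__ == "__main__":
    found = port_conflicts(PLANNED_PORTS, listening_ports(SAMPLE_NETSTAT))
    for name, port in sorted(found.items(), key=lambda kv: kv[1]):
        print(f"port {port} ({name}) is already in use")
```

Only LISTEN entries count, so an ESTABLISHED connection whose local port happens to be 22 does not produce a false conflict; the UDP section of Solaris netstat output is ignored because the Messaging Server's planned ports are all TCP.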
Now that you have selected the ports and determined that they are not in use, the actual installation process can begin.
Simple Installation

Simple installation installs a messaging server on a single system and makes it functional for other procedures in later chapters. The procedures are:

■ Creating UNIX User and Group Accounts
■ Disabling Send Mail
■ Installing a Master Directory Server
■ Preparing the Master Directory Server for Messaging
■ Installing the Messaging Server
■ Installing the Delegated Administrator Server
■ Setting Up Messaging Accounts and Testing the Server

TABLE 6-1 lists the values required for installation.
TABLE 6-1 Values Required for Installation

Item                                                          Value
Domain Name                                                   _____________________________
Machine Name                                                  _____________________________
Machine IP address                                            _____________________________
install-binaries                                              /temp/binaries (create a subdirectory for each package):
    /temp/binaries/iMS                                        Messaging Server 5.2
    /temp/binaries/iDS                                        Directory Server 5.1p1
    /temp/binaries/patch                                      Messaging Server 5.2 Patch 1
<server-root>                                                 /opt/SunONE/ims52
<webserver-root>                                              /opt/SunONE/web4ida
<iDA-Root>                                                    /opt/SunONE/ida4msg
Directory Server user / group                                 directory / SunONE
Messaging Server user / password                              mail / SunONE
Web Server for Delegated Administrator GUI user / password    web4ida / SunONE
Configuration Administrator ID / password                     Administrator / adminpass
Directory Manager DN / password                               cn=Directory Manager / adminpass
Messaging Server Service Administrator user ID / password     Service Administrator / adminpass
Postmaster user account                                       pma@domainname
Directory Server port                                         389
Messaging Server ports                                        SMTP 25, HTTP 80, POP3 110, IMAP4 143
Administration Server port for Messaging Server               55555
Administration Server port for Directory Server               54321
Delegated Administrator running on Enterprise Server port     88
Administration Server port for Enterprise Server              8888

The user, group and password values in the table are the sample values used throughout this chapter. Treat them as placeholders: in a production installation choose strong, unique passwords, and since nobody needs to log in interactively as these service accounts, lock them once the software is installed (passwd -l on the Solaris OE).

▼ Creating UNIX User and Group Accounts

A best practice is to set up a UNIX user account and group for all Sun ONE servers, and then set the permissions appropriately for the directories and files owned by that user. The following examples assume csh.

1. Log in as root.

2. Issue the following command to create the Sun ONE Server group for the Solaris OE:

# groupadd SunONE

3. Issue the following commands to create the messaging server user (for Solaris):

# useradd mail
# usermod -g SunONE mail
# passwd mail
New password: SunONE
Re-enter new password: SunONE

4. Issue the following commands to create the Directory Server user for the Solaris OE:

# useradd directory
# usermod -g SunONE directory
# passwd directory
New password: SunONE
Re-enter new password: SunONE

5. Issue the following commands to create the web server user for the Solaris OE:

# useradd web4ida
# usermod -g SunONE web4ida
# passwd web4ida
New password: SunONE
Re-enter new password: SunONE

If your system is experiencing difficulty using these new accounts, you may have to create and specify home directories for them.

▼ Disabling Send Mail

A best practice is to stop and disable any programs running on needed ports before beginning a server installation. On most UNIX Solaris OE systems, the messaging program SendMail is running by default, which will interfere with the messaging server installation because both products want to use port 25 for SMTP. The Sun ONE Messaging Server installation program may or may not be able to disable SendMail for you. So you must manually stop SendMail and disable it from starting up on reboot.

1. Log in as root.

2. Type the following:
# /etc/init.d/sendmail stop

3. Determine whether a sendmail daemon is still running by typing:

# ps -ef | grep sendmail
# cat /etc/mail/sendmail.pid

The sendmail.pid file holds the process ID followed by the command line that started the daemon. Example:

xxx /usr/lib/sendmail -bd -q15m

4. If a daemon is still running, kill the sendmail process by typing the command:

# kill -9 xxx

Where xxx is the PID returned in Step 3. A plain kill, which sends SIGTERM, lets sendmail exit cleanly; reserve kill -9 for a daemon that ignores it.

5. Issue the following command (Solaris OE) to move the SendMail startup script to a safe place and prevent it from starting on the next system boot:

# mv /etc/rc2.d/S88sendmail /etc/rc2.d/disabled.S88sendmail

Renaming the script so that it no longer begins with S keeps the rc2 startup sequence from running it while preserving it for later use. After this step, netstat -an should show nothing listening on port 25.

▼ Installing a Master Directory Server

In this section, you install a master directory server that your Messaging Server software will use to store the configuration and user account information.

The products you will install are the Sun ONE Directory Server 5.1 software and the Sun ONE Server Core Components software. Messaging Server 5.2 ships with Directory Server 4.16 Patch 1, which is an older version. It is recommended that the latest version of Directory Server 5.x be used.

You will install the new Directory Server, which is separate from the one that is packaged with the Messaging Server software. That Directory Server software has reached end of life (EOL) as discussed previously. This procedure assumes you have downloaded, uncompressed, and unpacked the installation download files in the install-binaries directory.

In the instructions that follow, you must enter the values shown after each prompt. Where no value is shown, just accept the default by pressing Enter. Note that the Run Administration Server as [root] prompt is left at its default here, so the Administration Server runs as root on the administration port (54321); make sure that port is reachable only from the hosts you administer from.
1. Change directories to the location of the directory server software:

# cd install-binaries/iDS

Example:

# cd /temp/binaries/iDS

2. Run the installer executable from the command line:

# ./setup

3. Install the directory server for messaging by answering the prompts as follows:

Would you like to continue with installation? [Yes]:
Select the component you want to install [1]:
Choose an installation type [2]: 3
Install location [/usr/iplanet/servers]: /opt/SunONE/ldap
Specify the components you wish to install [All]:
Specify the components you wish to install [1, 2, 3]:
Specify the components you wish to install [1, 2]:
Specify the components you wish to install [1, 2]:
Computer name [hostname.yourdomain.com]:
System User [nobody]: directory
System Group [nobody]: SunONE
Do you want to register this software with an existing iPlanet configuration directory server? [No]:
Do you want to use another directory to store your data? [No]:
Directory server network port [389]:
Directory server identifier [hostname]: hostname
administrator ID admin:
Password: adminpass
Password (again): adminpass
Suffix [dc=foo, dc=com]: o=isp
Directory Manager DN [cn=Directory Manager]:
Password: adminpass
Password (again): adminpass
Do you want to install the sample entries? [No]:
Type the full path and filename, the word suggest, or the word none [suggest]:
Do you want to disable schema checking? [No]:
Administration port [33530]: 54321
IP address [ ]: your_ip_address
Run Administration Server as [root]:

4. You should see the following output:

Extracting Sun One core components...
[......]

5. Go to the /opt/SunONE/ldap directory and type startconsole to begin managing your servers.
▼ Preparing the Master Directory Server for Messaging

In this section, you will run the ims_dssetup.pl utility to prepare the master directory server for messaging. This perl script adds the additional directory objects necessary for the messaging server to store user preferences and so forth in the directory. Without this, the messaging server cannot operate correctly. Note in the output below that the tool also turns off the directory's uid uniqueness plug-ins; after this step, uniqueness of user IDs is enforced by your provisioning process (see "User ID" in Chapter 5), not by the directory.

To prepare the Master Directory for messaging:

1. Change directories to the location of the messaging server software:

# cd install-binaries/iMS

Example:

# cd /temp/binaries/iMS

2. Run the ims_dssetup utility from the command line:

# ./ims_dssetup.pl

3. Prepare the directory server for messaging by answering the prompts as follows:

Do you want to continue [y]: y
Directory server root [/usr/netscape/server4]: /opt/SunONE/ldap
Please select a directory server instance from the following list:
Which instance do you want [1]: 1
Will this directory server be used for users/groups for iMS [Yes]: Yes
Please enter the DC Tree base suffix [o=internet]:
Please enter the Users/Groups base suffix [o=your.domain.com]: o=isp
Do you want to update the schema files [yes]: yes
Do you want to configure new indexes [yes]: yes
Please enter the schema directory [msg/config]:
Please enter the directory manager DN [cn=Directory Manager]:
Password: adminpass
Do you want to continue [y]: y

You should see the following output:
Welcome to the iMS Directory Server preparation tool.
This tool prepares your directory server for iPlanet Messaging Server install.
Here is a summary of the settings that you chose:
Server Root : /sunone/demo/ids51
Server Instance : slapd-sparc5-3
Users/Groups Directory : yes
Update Schema : yes
DC Root : o=internet
User/Group Root : o=isp
Add New Indexes : yes
Schema Directory : ./config
Directory Manager DN : cn=Directory Manager
Stopping Directory Server
Updating Schema files...
Starting Directory Server
Adding Suffixes... and turning off uid uniqueness plugins
Adding naming context o=internet
adding new entry cn="o=internet",cn=mapping tree,cn=config
adding new entry cn=internetdb,cn=ldbm database,cn=plugins,cn=config
Adding naming context o=pab
adding new entry cn="o=pab",cn=mapping tree,cn=config
adding new entry cn=pabdb,cn=ldbm database,cn=plugins,cn=config
Adding Indexes...
adding new entry cn=inetUserStatus,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
adding new entry cn=db2index_2003_4_15_16_6_4, cn=index, cn=tasks, cn=config
modifying entry cn=mail,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
adding new entry cn=db2index_2003_4_15_16_6_7, cn=index, cn=tasks, cn=config
modifying entry cn=mailHost,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
adding new entry cn=db2index_2003_4_15_16_6_10, cn=index, cn=tasks, cn=config
adding new entry cn=inetMailGroupStatus,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
adding new entry cn=db2index_2003_4_15_16_6_13, cn=index, cn=tasks, cn=config
adding new entry cn=modifytimestamp,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
adding new entry cn=db2index_2003_4_15_16_6_17, cn=index, cn=tasks, cn=config
adding new entry cn=mailUserStatus,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
adding new entry cn=db2index_2003_4_15_16_6_20, cn=index, cn=tasks, cn=config
adding new entry cn=createtimestamp,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
adding new entry cn=db2index_2003_4_15_16_6_23, cn=index, cn=tasks, cn=config
adding new entry cn=ou,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
adding new entry cn=db2index_2003_4_15_16_6_26, cn=index, cn=tasks, cn=config
adding new entry cn=cosspecifier,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
adding new entry cn=db2index_2003_4_15_16_6_29, cn=index, cn=tasks, cn=config
adding new entry cn=mailEquivalentAddress,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
adding new entry cn=db2index_2003_4_15_16_6_32, cn=index, cn=tasks, cn=config
modifying entry cn=mailAlternateAddress,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
adding new entry cn=db2index_2003_4_15_16_6_35, cn=index, cn=tasks, cn=config
adding new entry cn=dc,cn=index,cn=internetdb,cn=ldbm database,cn=plugins,cn=config
adding new entry cn=db2index_2003_4_15_16_6_38, cn=index, cn=tasks, cn=config
adding new entry cn=modifytimestamp,cn=index,cn=internetdb,cn=ldbm database,cn=plugins,cn=config
adding new entry cn=db2index_2003_4_15_16_6_42, cn=index, cn=tasks, cn=config
adding new entry cn=createtimestamp,cn=index,cn=internetdb,cn=ldbm database,cn=plugins,cn=config
adding new entry cn=db2index_2003_4_15_16_6_45, cn=index, cn=tasks, cn=config
adding new entry cn=inetDomainBaseDN,cn=index,cn=internetdb,cn=ldbm database,cn=plugins,cn=config
adding new entry cn=db2index_2003_4_15_16_6_48, cn=index, cn=tasks, cn=config
adding new entry cn=inetCanonicalDomainName,cn=index,cn=internetdb,cn=ldbm database,cn=plugins,cn=config
adding new entry cn=db2index_2003_4_15_16_6_51, cn=index, cn=tasks, cn=config
adding new entry cn=mailDomainStatus,cn=index,cn=internetdb,cn=ldbm database,cn=plugins,cn=config
adding new entry cn=db2index_2003_4_15_16_6_54, cn=index, cn=tasks, cn=config
adding new entry cn=mailRoutingHosts,cn=index,cn=internetdb,cn=ldbm database,cn=plugins,cn=config
adding new entry cn=db2index_2003_4_15_16_6_58, cn=index, cn=tasks, cn=config
adding new entry cn=inetDomainStatus,cn=index,cn=internetdb,cn=ldbm database,cn=plugins,cn=config
adding new entry cn=db2index_2003_4_15_16_7_1, cn=index, cn=tasks, cn=config
adding new entry cn=modifytimestamp,cn=index,cn=pabdb,cn=ldbm database,cn=plugins,cn=config
adding new entry cn=db2index_2003_4_15_16_7_4, cn=index, cn=tasks, cn=config
adding new entry cn=createtimestamp,cn=index,cn=pabdb,cn=ldbm database,cn=plugins,cn=config
adding new entry cn=db2index_2003_4_15_16_7_7, cn=index, cn=tasks, cn=config
adding new entry cn=memberOfPAB,cn=index,cn=pabdb,cn=ldbm database,cn=plugins,cn=config
adding new entry cn=db2index_2003_4_15_16_7_10, cn=index, cn=tasks, cn=config
adding new entry cn=memberOfManagedGroup,cn=index,cn=pabdb,cn=ldbm database,cn=plugins,cn=config
adding new entry cn=db2index_2003_4_15_16_7_13, cn=index, cn=tasks, cn=config
adding new entry cn=memberOfPABGroup,cn=index,cn=pabdb,cn=ldbm database,cn=plugins,cn=config
adding new entry cn=db2index_2003_4_15_16_7_17, cn=index, cn=tasks, cn=config
adding new entry cn=un,cn=index,cn=pabdb,cn=ldbm database,cn=plugins,cn=config
adding new entry cn=db2index_2003_4_15_16_7_20, cn=index, cn=tasks, cn=config
Adding PAB and DC root...
adding new entry o=pab
adding new entry o=internet
root@sparc5-3:/stuff/test/messaging/solaris/iMS/msg #
▼ Installing the Messaging Server

To install the Messaging Server:

1. Change directories to the location of the Messaging Server software:

# cd install-binaries/iMS

Example:

# cd /temp/binaries/iMS

2. Run the installer executable from the command line:

# ./setup

3. Install the Messaging Server by answering the prompts as follows:

Would you like to continue with setup? [Yes]:
Do you agree to the license terms? [No]: yes
Please select the component you want to install [1]:
Choose your installation type [2]:
Server root [/usr/iplanet/server5]: /opt/SunONE/ims52
Specify the components you wish to install [All]: 1,3,4
Specify the components you wish to install [1, 2, 3]:
Specify the components you wish to install [1, 2]:
Specify the components you wish to install [1, 2]:
Specify the components you wish to install [1, 2, 5]:
Computer name [<hostname>.<netscape.com>]: hostname.<groupdomain>
System User [nobody]: mail
System Group [nobody]: SunONE
Do you want to register this software with an existing Netscape configuration directory server? [No]:
Password (again): admin
Suffix [o=<domainname>]: o=isp
Directory Manager DN [cn=Directory Manager]:
Password: adminpass
Password (again): adminpass
Administration Domain [<domainname>]:
Administration port [25640]: 55555
Run Administration Server as [root]:
User Name [SunONE]: mail
Default Domain [<domainname>]: <groupdomain>
Default Organization DN [o=<domainname>, o=isp]: o=groupdomain, o=isp
Host Name [hostname.domainname]:
Port [80]: 80
Will the Messaging Server use a Smart Host [2]:
User ID [ServiceAdmin]:
User Password: adminpass
Confirm Password: adminpass
Email Address: pma@groupdomain

The following messages are displayed:

Extracting Netscape core components...
Extracting Netscape Server Family Core components...
[......]
Press Return to continue...

4. Go to /opt/SunONE/ims52 and type startconsole to begin managing your Messaging Server.

▼ Installing the Delegated Administrator Server

To install the Delegated Administrator Server, perform the following procedures:

■ Installing the Enterprise Web Server
■ Installing the Delegated Administrator

▼ Installing the Enterprise Web Server

You will install Sun ONE Enterprise Web Server 6.0 software. This software is required to run the Delegated Administrator.

Make sure the webserver-root value you use in the following procedure is different from the server-root you used previously for the messaging and directory servers.

1. Change directories to the location of the Sun ONE Enterprise Web Server 6.0 software installation binaries:

# cd install-binaries/ES

Example:

# cd /temp/binaries/iMS/solaris/ES

2. Run the setup program:

# ./setup

3. Install the Web Server by answering the prompts as follows:

Would you like to continue with installation? [Yes]:
Do you agree to the license terms? [No]: yes
Choose an installation type [2]:
Install location [/usr/netscape/server4]: /opt/SunONE/web4ida
Specify the components you wish to install [All]:
Specify the components you wish to install [1, 2, 3, 4, 5, 6, 8]:
Computer name [<hostname>.<domain>]:
System User [nobody]: web4ida
System Group [nobody]: SunONE
Run iWS Administration Server as [root]:
iWS Admin Server User Name [admin]:
iWS Admin Server Password: adminpass
iWS Admin Server Password (again): adminpass
iWS Admin Server Port [8888]: 8888
Web Server Port [80]: 88
Do you want to register this with an existing Directory Server [No]:
Web Server Content Root [/opt/SunONE/web4ida/docs]:
Do you want to use your own JDK [No]:
Extracting Server Core...
[......]
Press Return to continue...

4. Start the Administration Server by typing:

# webserver-root/https-admserv/start

Example:

# /opt/SunONE/web4ida/https-admserv/start

5. Start the Web Server by typing:

# webserver-root/https-hostname.domain/start

Example:

# /opt/SunONE/web4ida/https-acme.edu/start

▼ Installing the Delegated Administrator

You can now install the Delegated Administrator.

1. Change the directory to the location of the Delegated Administrator installation binaries:
5/17/2018 BP SunONE Messaging Server - slidepdf.com
http://slidepdf.com/reader/full/bp-sunone-messaging-server 110/284
84 Software Installation and Configuration
Example:
2. Run the setup program:
3. Install the D eleg ated Adm inistrator graphical user interface (GUI) by answ ering
the prompts as follow:.
# cd install-binaries/iDA
# cd /temp/binaries/iMS/solaris/iDA
# ./setup
Would you like to continue with installation? [Yes]:
Do you agree to the license terms? [No]: yesInstall location [/usr/netscape/ida10]: /opt/SunONE/ida4msgManage Messaging Server [No]: yes
Specify Host Name [hostname.domainname]:Specify Admin URL: http://hostname.domain:88/
Specify CGI Path [ msg-<hostname>/Tasks/operation]:
Manage Calendar Server [No]:Specify Enterprise server config directory:
<webserver-root>/https-hostname.domain/configSpecify LDAP URL: ldap://hostname.domain:389
Specify Directory Manager [cn=Directory Manager]:Password: adminpass
Specify Suffix: o=isp
This suffix is already present in the directory.Continue without installing iDA information in the directory? [No]: yes
Specify DC Suffix [o=internet]:Specify Suffix [o=isp]:
The followin g messages w ill be displayed:
Your Netscape browser m ay or may not actually start d epend ing up on y our sp ecificinstallation If it does not start open your browser and manually enter the URL
Extracting Netscape core components...
Extracting iPlanet Delegated Administrator for Messaging...Restarting Enterprise Server
Connecting netscape browser tohttp://<hostname>.<domainname>:88/nda/start.htm
Press Return to continue...<Return>
5/17/2018 BP SunONE Messaging Server - slidepdf.com
http://slidepdf.com/reader/full/bp-sunone-messaging-server 111/284
Simple Installation 85
installation. If it does not start, open your browser and manually enter the URLlisted in the outp ut.
Setting Up Messaging Accounts and Testing the Server
The purpose of this section is to test your Messaging Server. To do this, perform the following procedures:
• Creating a Postmaster User Account
• Creating Test Accounts
• Verifying Your Messaging Server Works Using WebMail
You must add and manage users through the Delegated Administrator, which you should now be running on port 88. You can either use the web interface, or the command-line utilities that ship with the messaging product.
Here, you will use the command-line utility imadmin. The minimum format for adding messaging users to specific messaging hosts is:
# imadmin user create -D admin_id -w admin_password -l users_uid -n users_domain -W users_password -F users_firstname -L users_lastname -H users_messaging_server
Creating a Postmaster User Account
When you installed the Messaging Server, a postmaster group was automatically created in the directory for you. During installation, you specified a unique member of the group (pma@domainname) that will receive errors and other notices from the Messaging Server. Now you must actually create this user so these notices can be delivered and read. To set up this user account:
1. From a shell window of any of your messaging machines, change to the Delegated Administrator command-line utilities directory:
# cd server-root/ndacli/bin
Example:
# cd /opt/SunONE/web4ida/ndacli/bin
2. Create the postmaster user account:
# ./imadmin user create -D serviceadmin@domainname -w adminpass -l pma -n domainname -W adminpass -F Postal -L Worker -H hostname.domainname
Example:
# ./imadmin user create -D [email protected] -w adminpass -l pma -n acme.edu -W adminpass -F Postal -L Worker -H mail.acme.edu
You should see a message like the following:
[email protected]: create user succeeded.
Creating Test Accounts
Using the command-line utility as in the previous section, create some test accounts that you can use to test your messaging system.
1. From a shell, change directories to the Delegated Administrator command-line utilities:
# cd server-root/ndacli/bin
Example:
# cd /opt/SunONE/web4ida/ndacli/bin
2. Create a user account (test1):
# ./imadmin user create -D serviceadmin@domainname -w adminpass -l test1 -n <groupdomain> -W testpass -F Test -L Account1 -H hostname.domainname
Example:
# ./imadmin user create -D [email protected] -w AdminPass -l test1 -n acme.edu -W userpasswd -F Test -L Account1 -H mail.acme.edu
You should see a confirmation message like the following:
[email protected]: create user succeeded.
3. Repeat the preceding process for test2 through test5.
4. Create a user account (calmaster):
# ./imadmin user create -D serviceadmin@domainname -w adminpass -l calmaster -n domainname -W adminpass -F Calendar -L Account -H hostname.domainname
You have created this test user account for a supplemental lesson on installing a Sun ONE Calendar Server. The calmaster account is required for Calendar Server installation at a later time.
Verifying Your Messaging Server Works Using WebMail
You should now be able to log into the Messaging Server using the test accounts and send messages.
1. Launch your web browser or bring up a new browser window.
2. Go to your server's web mail location:
http://hostname.domainname
3. Enter the Username (test1, test2, test3, test4, or test5) and Password (testpass) for each server's test account and press return or click Login.
4. Click Compose and compose a message to test1, test2, test3, test4, and test5. Click Send when you are done.
5. Read the messages by clicking Get Mail.
When you have successfully sent and retrieved messages from each messaging account on each server, you are done. Congratulations, your Messaging Server works. For information regarding configuring your new Messaging Server, see Chapter 8, "Advanced Messaging Client Configuration," on page 103.
Note – Referring to FIGURE 6-2, why were the organizations o=Internet for the DC tree and o=isp used as part of the User/Group tree? Using o=Internet at the top level allows you to host unrelated domains such as both acme.edu and baker.com. Including o=isp as part of the User/Group tree allows a flat name space (if desired) so Joe Smith's user ID of jsmith is used only once across all domains.
FIGURE 6-2 DC Tree and UG Organization Tree
Automated Installation Script
To shortcut the preceding process and make things consistent, an installation script that automates the install process is available from Sun. You can obtain this script and instructions from:
http://ims.balius.com/.
Note – No warranty is given; by downloading you accept this script as is.
You still must download the directory and messaging server binaries separately, and uncompress and unpack them.
CHAPTER 7
Message Transfer Agent Configuration
This chapter provides best practices and techniques regarding the setup and configuration of the Message Transfer Agent (MTA) component within the Messaging Server. Due to its complexity, this is an area that can cause significant issues related to security as well as basic functionality. This section dissects the default "out-of-the-box" MTA configuration file to provide a starting point for the reader. Many users of the previous versions of Sun Internet Mail Server (SIMS) or Netscape Messaging Server (NMS) had never seen an Innosoft PMDF product MTA configuration file. Therefore, this area is very intimidating and confusing. This chapter addresses some typical changes in plain English. For a more detailed discussion of issues such as antivirus checking and antispam processing, refer to "Virus Scanning" on page 198 and "Antispam" on page 199.
This chapter contains a brief overview of the MTA and covers the following topics:
• Changing the Mappings
• Direct LDAP Lookup
• Adding New Domains to the MTA
• SMTP Authentication
First, a little history of the MTA that is within the Messaging Server. In March 2000, Sun Microsystems purchased a software company called Innosoft International. Innosoft International was the vendor of a mail product called PMDF. PMDF ran on a variety of platforms including the Solaris OE and VMS and was well respected with regard to performance, stability, scalability, and security.
During the course of the next two years, Sun integrated PMDF into the current version of the messaging product, starting with Messaging Server v5.0. But even before that Sun had OEMed the MTA portion of the PMDF product and it is used in SIMS version 3.5 and 4.0. So people have seen some of the PMDF configuration files in disguise. Administrators who are familiar with PMDF will feel right at home. Those who are not familiar with PMDF will have a little bit of a learning curve to climb.
PMDF was more than just the MTA; it had a message store (it was actually two message stores on VMS, and two on UNIX, one native, and one also based on the Carnegie Mellon University Cyrus mail program). It is a mail interconnect that talks many protocols, such as X.400, and talks to many PC mail systems. The MTA is where 50 percent of the configuration and options are within the mail system: it touches every single message that comes into or goes out of the messaging system.
Now for some basics...
Some people may be familiar with the term MTA. In reality, this is fancy terminology for message router.
According to the Telecom Glossary 2000:
message transfer agent (MTA): An OSI application process used to store and forward messages as described in the X.400 message handling system. Synonym: Internet mail agent, also known as a mail agent.
Just as an Ethernet router makes sure packets go where they are supposed to go and keeps them from going where they are not supposed to go, the MTA performs this function for messaging systems. One of the key points to note in the definition is "store and forward." The MTA does not simply forward or route, but stores a copy locally until it is sure that it has passed the message along or rejected it.
The basic MTA function of receiving and forwarding messages is performed in conjunction with information found in the directory. The MTA is a standalone daemon, and while required on the mail store, it can actually run by itself on a separate server. See Chapter 3, "Messaging Architectures," on page 15.
Out of the box the MTA is pretty plain, yet secure, in its configuration. However, there are several changes that organizations frequently make.
Typical changes include:
• Changing the definition (mapping) of what is local and what is not local
• Enabling direct LDAP lookup
• Accepting alternative domains
• Requiring SMTP authentication
• Rewriting domains
Changing the Mappings
This change opens up what is considered local and what is not local:
/msgHome/msg-Instance/imta/config/mappings
where msgHome is the directory where the messaging software was installed, and Instance is the name of the messaging instance (install), often the hostname (short host name).
If you look at the file, one section determines which IP addresses are to be considered internal:
INTERNAL_IP
  $(129.152.159.131/32) $Y
  127.0.0.1 $Y
  * $N
This file prevents people from using this server to relay messages via SMTP without authenticating as valid users.
Note – Mapping and other MTA configuration files are very picky regarding formatting, including line spacing and indentation. Consult the documentation for details.
The three lines indicate that:
• The subnet 129.152.159.131 with a bitmask of 32 (255.255.255.255) is considered internal, so nothing else is on that subnet (only this single host matches).
• The IP address 127.0.0.1 is considered internal ($Y = YES).
• Anything else (* wildcard) is not internal ($N = NO).
By changing the line for the subnet, you can open the ability to relay through this server. This change is useful for small environments and demonstrations, but must be carefully examined in large environments.
  $(129.152.159.131/24) $Y
Now the entire subnet of 129.152.159.xxx can use this MTA for relaying messages.
The MTA must be restarted to pick up or initialize this change:
# su root
# cd /<msg-Home>/msg-<Instance>
# ./imsimta cnbuild
# ./imsimta restart dispatcher
Note – Alternatively, you could use imsimta refresh, which combines the imsimta cnbuild and imsimta restart commands into a single command.
Direct LDAP Lookup
Prior to version 5.1 of the messaging software, the MTA did not have the ability to directly look up information in the Directory Server via LDAP. Rather, the MTA had a small cache of information, such as user IDs and mail addresses, that was periodically synchronized against the Directory Server. This was originally done when Directory Server performance was not as good as it is today. Now that the Directory Server is able to keep up with the requests from the Message Server, the MTA's cache is redundant and becomes a bottleneck, as well as adding administrative overhead. You may also hear the term dirsync used to describe the process or the daemon that is run to synchronize the data between the Directory Server and MTA's cache. One reason the use of the MTA cache was abandoned is that in some situations the information in the cache would become stale, causing some interesting problems: for example, users added to the system would not appear in the MTA cache until the next dirsync was run. Password changes would not necessarily be immediately reflected either. By using direct LDAP access, these problems are avoided.
So, it is highly recommended that the MTA be configured to utilize direct LDAP lookups.
Why is it so desirable to move to direct LDAP lookups?
Dirsync was used in iPlanet Message Server and in SIMS before that for a number of reasons that were good at the time. Dirsync provides a decoupling of the messaging server from the directory infrastructure, which, in the days of SIMS 3.5, was immature (by which we mean slow and not entirely reliable). It also reflected the ancestry of the product, which had been entirely independent of LDAP.
Dirsync represented a technical compromise. Given that LDAP was slow and unreliable, the approach taken was to predigest the directory information into databases for use by the MTA. In theory, this should give better performance and independence from the directory. In practice, however, these databases have been the bane of our lives. Wherever you have persistent structured data, there is always the concern that it can become inconsistent. And when you have a long update process like dirsync, you have a very unpleasant window where a failure can lead very quickly into a situation where manual intervention is required for a restart.
Dirsync also imposes a very abnormal load on the directory. Both the incremental dirsync and full dirsync queries are difficult for the directory server, very unlike the sort of query for which the directory was designed, which is "here is an attribute/value pair, find me the matching entry."
Since the days of SIMS, the directory technology has improved significantly. Now, the directory is very robust and much faster. The behavior of the directory is much better than the behavior of the databases used by the MTA. So the balance of the compromise is now very different. The speed of looking up a user in the directory is still too slow for the MTA to use the directory in a simplistic way, but with the inclusion of a pre-process cache for reading the directory information, we have found that the throughput in general goes up. To be fair, we can construct loads where the throughput goes way up or way down, but with a realistic load there is a net gain in throughput.
But the real win is in robustness. By going to the direct LDAP mode, you eliminate a whole set of complicated persistent data structures, replacing them with transparent ephemeral data structures. This not only eliminates a set of failure modes, but (and this is probably more important) means that the probability of needing manual intervention after any sort of incident is significantly reduced.
When Sun first introduced the direct LDAP mode, they did so more tentatively than was wise. Initial thoughts were to err on the side of caution by making dirsync the default mode for version 5.2 of the Messaging Server. In retrospect that was an error. The direct LDAP mode, after Sun had cleaned up a couple of weird corner cases, has proven far more robust and easy to deploy than they had ever hoped.
In the next release, Sun intends to make direct LDAP mode the only mode of operation now that it is known to work well. We are that satisfied with its behavior. It makes the directory deployment easier and the MTA much more stable, and makes it much easier to recover from any sort of hardware or software failure.
Already there is functionality in the area of mailing groups that is only supported in direct LDAP mode. Given that dirsync is now code with a very limited life expectancy, you can expect the developers to concentrate their efforts in the direct LDAP mode. Thus, dirsync is now more or less in maintenance mode only.
Beginning with version 5.1 of the Messaging Server, the ability to directly look up information from the Directory Server is available, though it was not well documented until version 5.2. The default, however, is that the MTA still caches information unless explicitly configured to perform this direct LDAP lookup. In future versions of the Messaging Server, the default will be direct LDAP lookup.
Four MTA configuration files must be modified to enable direct LDAP lookup:
• mappings
• job_controller.cnf
• option.dat
• imta.cnf
All of these files are in the config directory for the MTA:
/msgHome/msg-Instance/imta/config/
where msgHome is the directory where the Messaging Server software was installed, and Instance is the name of the messaging instance (install), often the hostname (short host name).
Testing LDAP Lookup
A simple experiment can be done to demonstrate the value and verify that direct LDAP lookup works:
1. With the messaging system running, add a user via the imadmin command.
See Chapter 6, "Software Installation and Configuration," on page 69.
2. Send a message to this user from another user's account.
You should get a "user not found" message, or something to that effect.
3. Sync the MTA with the directory:
a. To initialize the Messaging Server MTA's databases with information from the directory, issue the commands:
# su root
# cd /msg-Home/msg-Instance
# ./imsimta dirsync -F
# ./imsimta restart dispatcher
where msg-Home is the directory where the messaging software was installed, and Instance is the name of the messaging instance (install), often the hostname (short host name).
b. Try to send a message again.
This attempt should be successful.
c. Stop the messaging system.
d. Edit the four MTA configuration files.
Before you edit the following embedded instructions, make backup copies.
Example (option.dat):
! VERSION=1.0
! Modified by IMS administration server on: Tue Nov 12 15:08:15 EST 2002
!
! Uncomment out the next 5 lines to enable Direct LDAP mode
! ALIAS_MAGIC=8764
! ALIAS_URL0=ldap:///$V?*?sub?$R
! USE_REVERSE_DATABASE=4
! REVERSE_URL=ldap:///$V?mail?sub?$Q
! USE_DOMAIN_DATABASE=0
MISSING_RECIPIENT_POLICY=1
ALIAS_DOMAINS=6
e. Restart the messaging system.
f. Add a user using the imadmin command.
g. Send a test message as above.
This should now work without requiring the dirsync command.
Adding New Domains to the MTA
There are several ways to add new domains beyond the initial domain configured during the installation process. Each of these methods offers its own advantages and disadvantages. The recommended method to manage additional domains is via the LDAP directory as per the documentation. This provides the advantage that all MTAs in your messaging environment get the same information with one update rather than having to go to each and every MTA to manually edit the files. Additional benefits include reducing the risk of typos (for example, one of your four MTAs has a typo of edfg.com rather than defg.com) and having to restart the MTA to recognize the change. So it pays to learn to use LDAP to manage your domain names.
The following section provides some basic lessons regarding manually editing the MTA configuration files for new domains. One other change that may be necessary when configuring a standalone MTA is the ability to accept messages destined for multiple domains. By default, the MTA is configured to accept mail for the domain that was entered at the time of install. To get the MTA to accept mail destined for other domains, either internally or perhaps as a legacy compatibility issue, you must modify the imta.cnf file in the /msgHome/msg-Instance/imta/config directory.
Assuming the messaging system was originally installed for domain abcd.com, but you want it to also accept messages for efgh.com because that is the old name of the company, you can configure the MTA to recognize efgh.com as a domain name it owns. Otherwise, the MTA thinks that addresses in this domain are remote addresses and it just sends them back out to the Internet rather than looking them up in the LDAP directory. The real problem is that the addresses are not being recognized as local. To get the addresses recognized as local (and looked up in LDAP), they must match the local (l) channel.
There are several ways to get new domain names to be recognized, including simply using the Delegated Administrator interface to add a domain into the system. We will look at another way to do this manually at the MTA configuration file level for those situations where you either do not want to add the domain by using the Delegated Administrator or you cannot use the Delegated Administrator for some reason.
A rewrite rule must be added to the imta.cnf file (towards the top, among the other rewrite rules), such as:
efgh.com $U%$D@name-of-your-l-channel
where name-of-your-l-channel is the official host name (also known as channel tag) on your local (l) channel (for example, mail.abcd.com).
Make sure to issue the commands imsimta cnbuild and imsimta restart dispatcher to make this change take effect.
One alternate option is to completely rewrite the addresses. The local parts of the addresses must be identical (for example, [email protected] and [email protected]). The upside to this option is that you do not have to have two addresses or use the alternate address field for Dave Pickens in LDAP, just the normal [email protected]. The downside to this is that you lose the information (data) regarding what domain this email was originally sent to (for example, you do not know if it was sent to [email protected] or [email protected]).
The MTA can easily rewrite efgh.com to abcd.com. So, instead of the preceding rewrite rule it would look something like:
efgh.com $U%abcd.com
If you want to change the efgh.com addresses even in the headers, use the preceding rule; if you want to leave efgh.com visible in the headers, use:
efgh.com $E$F$U%abcd.com
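To make visible what each of these rule forms keeps, here is an added example in Python; it is not code from the Sun document or from the Messaging Server, and it models only the pieces of the rewrite engine used above. It assumes that $U is the local part, $D the matched domain, that a user%host@routing-host result is final, that a user%host result becomes user@host and is rewritten again, that $E/$F are only recorded, and that mail.abcd.com stands for name-of-your-l-channel (the abcd.com rule is constructed in the same form as the page's efgh.com rule).

```python
"""Added example, not code from the Sun document: a simplified model of the
imta.cnf rewrite rules discussed above, to show what each form keeps.

Assumptions of the model (the real MTA rewrite engine is richer):
  * a rule line is "pattern template"; lines starting with "!" are comments;
  * in a template $U is the local part and $D the domain that matched;
  * a result shaped user%host@routing-host is final and is routed to the
    channel whose official host name is routing-host;
  * a result shaped user%host (no routing host) becomes user@host and is
    rewritten again, which is how "efgh.com $U%abcd.com" collapses efgh.com
    into the installed domain;
  * $E / $F (envelope-only, forward-direction-only) are recorded, not applied.
"""

import re

# control flags that restrict when a rule applies; they substitute nothing
FLAG_RE = re.compile(r"\$([EFBH])")

L_CHANNEL = "mail.abcd.com"   # stands in for name-of-your-l-channel

# Constructed rule sets. The abcd.com line is assumed, written in the same
# form as the page's efgh.com rule, so the installed domain also reaches
# the l channel.
RULES_KEEP_DOMAIN = """\
! efgh.com stays visible inside the rewritten address
efgh.com   $U%$D@{l}
abcd.com   $U%$D@{l}
""".format(l=L_CHANNEL)

RULES_COLLAPSE = """\
! efgh.com is folded into abcd.com before the l channel is chosen
efgh.com   $U%abcd.com
abcd.com   $U%$D@{l}
""".format(l=L_CHANNEL)

RULES_COLLAPSE_ENVELOPE_ONLY = RULES_COLLAPSE.replace("$U%abcd.com", "$E$F$U%abcd.com")


def parse_rules(text):
    """Return {domain_pattern: template} from rewrite-rule lines."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        pattern, template = line.split(None, 1)
        rules[pattern.lower()] = template.strip()
    return rules


def rewrite(address, rules, max_passes=10):
    """Rewrite user@domain. Returns (final_form, flags_seen, trace)."""
    trace = [address]
    flags = []
    for _ in range(max_passes):
        local, _, domain = address.rpartition("@")
        template = rules.get(domain.lower())
        if template is None:
            # no rule matched: the address is left alone, so it would fall
            # through to whatever channel handles remote domains
            return address, tuple(flags), trace
        flags.extend(FLAG_RE.findall(template))
        result = FLAG_RE.sub("", template).replace("$U", local).replace("$D", domain)
        trace.append(result)
        if "@" in result:
            return result, tuple(flags), trace     # routing host present: done
        address = result.replace("%", "@", 1)      # user%host -> user@host
        trace.append(address)
    raise RuntimeError("rewrite did not terminate: %r" % (trace,))


def retains_original_domain(address, rules):
    """True if the original domain survives in the final user%domain@host form."""
    original_domain = address.rpartition("@")[2].lower()
    final, _, _ = rewrite(address, rules)
    routed_local = final.rpartition("@")[0].lower()      # the user%domain part
    return routed_local.endswith("%" + original_domain)


if __name__ == "__main__":
    for name, text in (("keep domain", RULES_KEEP_DOMAIN),
                       ("collapse", RULES_COLLAPSE),
                       ("collapse, envelope only", RULES_COLLAPSE_ENVELOPE_ONLY)):
        final, flags, trace = rewrite("dave@efgh.com", parse_rules(text))
        print("%-24s %s  flags=%s" % (name, " -> ".join(trace), flags))
```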
Modifying the imta.cnf File
Take a look at this in action:
1. Edit the imta.cnf file in the /msg-Home/msg-Instance/imta/config directory.
Make a backup copy first.
2. Rewrite the domain abcd.com to the default domain you have installed:
abcd.com $U%name-of-your-l-channel
3. Restart the MTA.
# su root
# cd /<msg-Home>/msg-<Instance>
# ./imsimta cnbuild
# ./imsimta restart dispatcher
Alternatively, you could use imsimta refresh, which combines the imsimta cnbuild and imsimta restart commands into a single command.
4. Send a test message to an existing user, but use the abcd.com domain now, and examine the message in the user's mailbox.
SMTP Authentication
By default on the Messaging Server, users need not submit a password when they connect to the SMTP service of the Messaging Server to send a message. (We do not force SMTP AUTH.)
Authenticated SMTP is an extension to the SMTP protocol that allows clients to authenticate to the server. The authentication accompanies the message. The primary use of authenticated SMTP is to allow local users who are traveling (or using their home ISP) to submit mail (relay mail) without creating an open relay that others can abuse. The AUTH command is used by the client to authenticate to the server.
You can use authenticated SMTP with or without SSL encryption.
The maysaslserver, mustsaslserver, nosasl, nosaslserver, switchchannel, and saslswitchchannel channel keywords are used to configure Simple Authentication and Security Layer (SASL) SMTP AUTH during the SMTP protocol by SMTP channels such as Transmission Control Protocol/Internet Protocol (TCP/IP) channels. The nosasl keyword is the default and means that SASL authentication is not permitted or attempted. It subsumes nosaslserver, which means that SASL authentication is not permitted. Specifying maysaslserver causes the SMTP server to permit clients to attempt to use SASL authentication. Specifying mustsaslserver causes the SMTP server to insist that clients use SASL authentication; the SMTP server does not accept messages unless the remote client successfully authenticates.
Examining the imta.cnf File
Examine the imta.cnf file found in the /msgHome/msg-Instance/imta/config/ directory as follows:
1. Locate the section titled "! part II : channel blocks."
2. Look for the "! tcp_local channel."
You might think that mustsaslserver would be appropriate to lock down the messaging system and require SMTP AUTH. However, this is not quite the case. Let us examine this from the Internet side of things. Do other messaging systems sending email to you have logins and passwords? No. So mustsaslserver will require everyone using the MTA to authenticate.
So, why is the MTA configured with the maysaslserver, and would that not leave the MTA open for relaying?
The keyword maysaslserver allows for both unauthenticated and authenticated SMTP connections and traffic. The key here is what happens after someone successfully authenticates. Previously, we discussed the concept of what is considered internal and what is not when looking at the mappings file. By authenticating, the MTA now treats this connection as internal. Unauthenticated connections and traffic are considered external unless something in the mappings file indicates otherwise (for example, they are on a specific subnet or from a specific IP address).
Does this leave the MTA open for relaying? No, you must be submitting a message for a valid user on the system or you must have authenticated to relay to external mail systems.
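As an added example (not code from the Sun document or from the Messaging Server), the following Python models the INTERNAL_IP table from "Changing the Mappings" together with the relay rule described here, so that a mapping change such as widening /32 to /24 can be checked offline before the live file is edited. It assumes first-match semantics for the table, that an authenticated session counts as internal, and that abcd.com is the local domain; the mapping text is constructed to mirror the page's three-line example.

```python
"""Added example, not code from the Sun document: a model of the INTERNAL_IP
mapping table from "Changing the Mappings" together with the relay rule from
"SMTP Authentication", so that a change to the mappings file (for example
widening /32 to /24) can be checked offline before it is applied.

Assumptions (simplified from the real MTA):
  * an INTERNAL_IP entry is "$(a.b.c.d/bits)", a literal address, or "*",
    followed by $Y (internal) or $N (not internal); first match wins;
  * table names start in column 1, entries are indented, "!" is a comment;
  * a successfully authenticated connection is treated as internal whatever
    its source address, as the SMTP Authentication section states;
  * a submission is accepted when the recipient domain is local or the
    connection is internal (by mapping or by authentication).
"""

import ipaddress
import re

ENTRY_RE = re.compile(r"^(\$\(([^)]+)\)|\S+)\s+\$([YN])$")

# Constructed mappings text mirroring the page's three-line INTERNAL_IP table.
MAPPINGS_DEFAULT = """\
INTERNAL_IP

  $(129.152.159.131/32)  $Y
  127.0.0.1              $Y
  *                      $N
"""
# The change the page describes: the host's /32 becomes the whole /24.
MAPPINGS_WIDENED = MAPPINGS_DEFAULT.replace("/32", "/24")


def parse_internal_ip(mapping_text):
    """Return the INTERNAL_IP entries as a list of (network or None, internal)."""
    entries = []
    in_table = False
    for raw in mapping_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw[0].isspace():                 # a table name line
            in_table = raw.strip() == "INTERNAL_IP"
            continue
        if not in_table:
            continue
        m = ENTRY_RE.match(raw.strip())
        if m is None:
            raise ValueError("unparseable INTERNAL_IP entry: %r" % raw)
        pattern = m.group(2) or m.group(1)
        internal = m.group(3) == "Y"
        network = None if pattern == "*" else ipaddress.ip_network(pattern, strict=False)
        entries.append((network, internal))
    return entries


def is_internal(client_ip, entries, authenticated=False):
    """First matching entry decides; an authenticated session is internal."""
    if authenticated:
        return True
    addr = ipaddress.ip_address(client_ip)
    for network, internal in entries:
        if network is None or addr in network:
            return internal
    return False


def internal_address_count(entries):
    """How many addresses the table marks internal (ignoring the wildcard)."""
    return sum(n.num_addresses for n, internal in entries if internal and n is not None)


def relay_decision(client_ip, rcpt, entries, local_domains, authenticated=False):
    """Return (accepted, reason) for one RCPT TO from the given client."""
    rcpt_domain = rcpt.rpartition("@")[2].lower()
    if rcpt_domain in local_domains:
        return True, "recipient is local"
    if authenticated:
        return True, "client authenticated, treated as internal"
    if is_internal(client_ip, entries):
        return True, "client address is internal per INTERNAL_IP"
    return False, "relay denied: external client, non-local recipient"


if __name__ == "__main__":
    for label, text in (("default", MAPPINGS_DEFAULT), ("widened", MAPPINGS_WIDENED)):
        entries = parse_internal_ip(text)
        print(label, "internal addresses:", internal_address_count(entries))
        for ip in ("129.152.159.131", "129.152.159.77", "203.0.113.9"):
            print("  %-16s" % ip, relay_decision(ip, "joe@example.net", entries, {"abcd.com"}))
```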
CHAPTER 8
Advanced Messaging Client Configuration
One of the most overlooked features of IMAP-based messaging systems is the ability to share folders between users. This feature provides the solution to several issues faced in organizations:
• Administrator needs access to boss's mailbox while his boss is traveling.
• Email must be covered while someone is on vacation.
• Group needs to coordinate files and emails for a project.
• System-wide template folders and miscellaneous mailboxes must be accessible by everyone.
The Messaging Server provides the ability to share folders. This feature can be used by most IMAP clients such as Netscape Communicator or Outlook Express. The native web mail interface that is part of the Messaging Server also provides the ability to use and access shared folders.
One interesting point is that direct delivery to a shared folder or user folder is permitted under the mail standards. The format for this is:
user_email_address+folder_name@domain_name
Example:
This command delivers the email directly to Steve Student's folder called math101.
The shared folders feature is enabled by default within the Messaging Server. However, many users are not familiar enough with their client program to configure them appropriately.
This chapter provides the necessary steps and procedures for configuring shared folders for some of the more popular mail programs.
Note – Currently the Messaging Server only supports the ability to share folders within the same server and does not have the ability to share across multiple servers. Sharing across multiple servers is being considered for future releases.
This chapter covers the following key concepts and topics:
• What Is a Shared Folder?
• Supported Standards
• Limitations
What Is a Shared Folder?
A shared folder is one that you allow others to access. Several levels of access control are available. For example, in web mail, you can allow others Read only; Read and write; Read, write, and manage access; or None to your folder. None is the default. FIGURE 8-1 shows the “Permissions” you can set in web mail.
FIGURE 8-1 Web Mail Shared Folder Permissions
• Read only: Allows users to only read the messages in the shared folder.
• Read and write: Allows users to read and set flags on messages in the shared folder. It also allows users to delete messages and subfolders.
• Read, write, and manage: Allows users to read messages, set flags on the messages in the shared folder, create subfolders under the shared folder, delete the subfolders, and share the folder with others.
Note that when a subfolder is created, it inherits the permissions of its parent folder. Once the subfolder is created, changing the permissions of its parent folder has no effect on the subfolder. FIGURE 8-2 shows that you can display the folder list by clicking Folders, then selecting a folder and clicking Share.
FIGURE 8-2 Getting to the Permissions Screen
Supported Standards
The Internet RFC 2086, IMAP4 ACL Extension,
http://www.ietf.org/rfc/rfc2086.txt?number=2086,
is the standard that defines the access control lists (ACLs) used in the IMAP4 protocol. The Messaging Server has supported RFC2086 since version 5.0.
RFC2086 describes the ACL as a set of identifier and rights pairs. For our purposes, the user ID for the IMAP user is the identifier.
The standard rights defined are:
• l - lookup (mailbox is visible to LIST and LSUB commands)
• r - read (SELECT the mailbox, perform CHECK, FETCH, PARTIAL, SEARCH, COPY from mailbox)
• s - keep seen/unseen information across sessions (STORE SEEN flag)
• w - write (STORE flags other than SEEN and DELETED)
• i - insert (perform DELETED, COPY into mailbox)
• p - post (send mail to submission address for mailbox, not enforced by IMAP4 itself)
• c - create (CREATE new sub-mailboxes in any implementation-defined hierarchy)
• d - delete (STORE DELETED flag, perform EXPUNGE)
• a - administer (perform SETACL)
The web mail permissions correspond to the preceding as follows. The owner of the mail folder by default has all the rights (lrswipcda). Granting someone Read Only permissions gives that person the rights lrs. Read and Write permissions correspond to lrswid; Read, Write, and Manage corresponds to lrswicda. TABLE 8-1 lists the mapping.
If you are sharing a folder other than the Inbox, you will see an additional check box, Enable direct delivery of email to folder, at the top of the permissions screen (FIGURE 8-3). When checked, this enables the post (p) privilege by anyone, so that mail addressed to username+folder@host.domain is delivered directly into this folder.
TABLE 8-1 Web Mail Permission and RFC2086 Rights
Web Mail                       RFC2086
Owner gets these by default    lrswipcda
Read Only                      lrs
Read and Write                 lrswid
Read, Write, and Manage        lrswicda
FIGURE 8-3 Sharing a Folder Other Than the Inbox
Limitations
You can only share a folder with another user who is on the same mailstore as you are.
Setup Procedures
This section contains the following setup procedures:
• Letting Your Administrator Read Your Inbox
• Sharing Folders in IMAP Clients
• Sharing a Folder in Mulberry
• Sharing a Folder in Netscape Messenger
• Using Outlook Express
▼ Letting Your Administrator Read Your Inbox
Using web mail is pretty simple. We are assuming you (portia) and your administrator (misha) are on the same mailstore.
1. Set the permission on your inbox to Read by your administrator.
Note – The following steps are done as the administrator (misha). Ask your administrator to subscribe to your folder.
2. Click the Subscribe button, then fill in the name. In this case, enter portia, who is sharing the folder with misha.
3. Click the Search button next to the name to find the right user and select the correct user.
You will be back on this screen where you will see the list of folders being shared.
4. Click the Subscribe button to subscribe.
You should see the newly shared folder showing up in your list. If it does not, click Update to refresh the list.
5. Double-click portia’s inbox.
You see it as follows:
▼ Sharing Folders in IMAP Clients
Several IMAP clients allow you to share a folder with others, and allow you to view shared folders. Some examples include: Mulberry (www.cyrus.com), Netscape (4.7x shown here, but later versions also work), Mozilla, and Outlook Express. However, not all mail clients support this feature. Eudora 5.1 has its own version of shared folders.
▼ Sharing a Folder in Mulberry
1. To share one of your folders, right-click on the folder you want to share.
2. Select Properties to bring up the following window to edit the mailbox properties.
3. Click the Access Control List tab.
4. Click the New User button and type in the login identifier of the user who will be sharing your folder. In this case, that is misha, the administrator.
5. Select the appropriate check boxes for the access privileges you are granting.
The keys to the icons are shown on the same screen. (Note they are in the same order as described in RFC2086.)
When you first log in, you can tell Mulberry to show you the shared folders found on the server by selecting the Shared Folders/User/mailboxes on the left side of the following window.
Now you will automatically see other people’s shared folders.
▼ Sharing a Folder in Netscape Messenger
To share your folder with someone using Netscape Messenger:
1. Right-click on the folder to be shared to bring up the pop-up menu.
2. Select Privileges.
Note – The little people icon on the folder shows that the folder is shared.
3. If Privileges is grayed out, click on Folder Properties directly below it to bring up the Folder Properties window, then click on the Sharing tab and Privileges.
This brings up a separate Netscape browser window that asks you to log in to the administration server.
4. Use the same user name and password as for your mail account.
This window may not work well prior to Messaging Server version 5.2.
5. After logging in, you will be shown a browser window where you can set the permissions for the folder.
a. Type in the user ID of the person who will share your folder. In this case type misha, and click the Add button.
Misha is shown as a user in the middle of the screen.
b. Use the pull-down menu to select the permission you are granting.
c. Click OK to close the window when you are done.
Now the administrator, misha, can log in using Netscape Messenger. Misha will see the following:
▼ Using Outlook Express
With Outlook Express (2002), you can view folders others opted to share with you automatically if you have subscribed to them. However, there is no mechanism in Outlook Express to make a folder shareable, nor to subscribe to a shared folder. So you can either have the administrator subscribe to the folders using some other program, or the administrator can perform the following procedure.
Assuming you have made your folder readable by your administrator by using some other means, your administrator can set up an Outlook Express mail account as follows:
1. Right-click on the mail server in question and select IMAP folders to display the dialog box.
2. Uncheck the box that determines whether only subscribed folders are seen, and click OK to close the window.
3. Exit Outlook Express and restart it to see the shared folders.
Now your administrator should see something like the following screen. Note that the Shared Folders hierarchy shows up in the middle of the folders list in alphabetical order.
This section of the book describes how to share a folder from an end user’s point of view. It does not describe how to use the commands in RFC2086 directly. If you want to type the commands using Telnet, or are writing a program to do this, you should read the RFC2086 in its entirety. However, a very short dialog would look like this:
telnet hostname 143
a login username password
b getacl inbox                to see the acl on the inbox
c setacl inbox misha lrs      to give misha “lrs” priv to my inbox
d deleteacl inbox misha       to remove the acl set for misha on my inbox
z logout                      to log out when you are done
CHAPTER 9
Customization
Customers typically make several customizations right after getting the basic Messaging Server (Directory Server, Web Server, Delegated Administration, email, and perhaps even Calendar Server) installed. The most common of these include changing the “look and feel” of the web mail (iPlanet Messenger Express) interface and providing a single sign on (SSO) between the web mail, web-based calendar, and Delegated Administration interfaces. Some of the other common customizations that are done almost immediately include defining the welcome message for new accounts along with the over quota message for people about to go or already over quota. Some customers would also like to customize some of the return errors that the message system sends back to users.
The complete customization of the look and feel for Messenger Express is available in the manual (see http://docs.sun.com/source/816-6010-10/index.html for the iPlanet Messenger Express 5.2 Customization Guide). Most customers want to perform some very simple customizations for the look and feel of the Messenger Express:
• Changing and Adding a Logo
• Customizing the Login Screen
• Changing the Main Web Mail Screen Banner
• Removing and Adding Options on the Options Tab
• Single Sign On
• Setting the Initial Welcome Email
• Over-Quota Limits and Warning Email
• Customizing Return Errors
For additional details related to these changes, refer to the iPlanet Messenger Express 5.2 Customization Guide.
Changing and Adding a Logo
Most of the Sun ONE Messaging Express look and feel is controlled through HTML and JavaScript (also known as ECMAScript), which is located in the following directory:
/msg-Home/msg-Instance/html
where msg-Home is the directory where the messaging software was installed, and Instance is the name of the messaging instance (install), often the hostname (short hostname).
A quick look at the directory will tell you why the iPlanet Messenger Express 5.2 Customization Guide is necessary and a good thing.
The first thing to note is the two-letter directories such as “en” or “de.” These are language-specific directories, so “en” is English while “de” is German. The Messaging Server’s Messenger Express interface is fully internationalized, supporting 20 or more different languages. Depending upon the customizations made and your audience, each of these locales, as they are called, will have to have the same customizations performed to them. This book only describes the main directory and the English (en) locale:
root@sparc5-1:/A1000/demo6789/ims52/msg-sparc5-1/html> ls
applet_fs.html*       en/              lookup.js*          searchmsg_fs.html*      spelltools.html*
ar/                   es/              lower2.html*        searchusers.js*         spellword.html*
attach_fs.html*       fldr_fs.html*    main.js             setpermission_fs.html*  srchresults_fs.html*
collect_fs.html*      form.js*         main.orig*          sk/                     subscribe_fs.html*
colors.html*          fr/              master-style.css*   sl/                     th/
comp_fs.html*         frame.html*      mbox_fs.html*       spell.html*             tr/
compRecipient.js*     he/              msg_fs.html*        spell.js*               upper.html*
cs/                   hr/              opts_fs.html*       spell2.html*            util.js*
de/                   hu/              pab.js*             spell2.js*              zh-CN/
editPabEntry.js*      imx/             pl/                 spellchange.html*       zh-TW/
editPabGroup.js*      ja/              receipt_fs.html*    spellresults.html*
el/                   ko/              ro/                 spellSend.html*
emoticons.html*       ldap_fs.html*    sample.html*        spellsuggestions.html*
root@sparc5-1:/A1000/demo6789/ims52/msg-sparc5-1/html/en> ls
compRecipient_fs.html*  help.htm*    iplanet.jpg*     messageView.html*    searchusers_fs.html*
default.html*           help2.htm*   ix.htm*          pab_fs.html*         topics.htm*
editPabEntry_fs.html*   helpix.htm*  lookup_fs.html*  searchMessage.html*
editPabGroup_fs.html*   i18n.js*     mail.html*       searchOnly.html*
The customization guide provides solid information, but it often takes a very thorough and complete approach. This section provides a more practical and quick view of the changes, for several reasons:
1. I generally do not like to do more work than necessary.
2. Many of the changes in the customization guide require not only edits of the graphic files, but also of the HTML and JavaScript.
3. Every time a patch or update to the Messaging Server software is applied, your customizations must be redone because the update carries new HTML or JavaScript files for the Messenger Express. The method outlined here tends to survive better or at least is easier to apply after an update.
4. Size matters. Copying and editing the original graphics (gifs), rather than creating them from scratch or using something different, avoids issues where dimensions are hard-coded in the HTML or JavaScript, which avoids having to change these dimensions.
The downside to this approach is that the ALT tag fields do not get changed. However, these are fairly easy edits that even the most basic HTML coders can perform.
Only three optional graphics and one HTML file or one JavaScript file must be changed or customized. It is important that good change practices are followed, for example, keeping backups of the original files (versioning). While something like CVS is not quite necessary, if you are familiar with it and are using it for other programming projects, why not?
Graphics files that should be customized:
• /msg-Home/msg-Instance/html/imx/iplanet_logo.gif
• /msg-Home/msg-Instance/html/imx/WebMail_splash.gif
• /msg-Home/msg-Instance/html/imx/iplanetBanner.gif
Additional graphic files for the login page (the abstract graphic in the middle of the page):
• /msg-Home/msg-Instance/html/imx/left_strip_consumer_1.gif
• /msg-Home/msg-Instance/html/imx/center_strip_consumer_1.gif
• /msg-Home/msg-Instance/html/imx/right_strip_consumer_1.gif
HTML or JavaScript files that must be customized:
• /msg-Home/msg-Instance/html/en/default.html
• /msg-Home/msg-Instance/html/en/i18n.js
where msg-Home is the directory where the Messaging Server software was installed, and Instance is the name of the messaging instance (install), often the hostname (short host name).
▼ Customizing the Login Screen
1. Make backup copies of the original files you are going to edit:
# cd /msg-Home/msg-Instance/html/imx/
# cp iplanet_logo.gif iplanet_logo.gif.orig
# cp WebMail_splash.gif WebMail_splash.gif.orig
# cp iplanetBanner.gif iplanetBanner.gif.orig
# cp left_strip_consumer_1.gif left_strip_consumer_1.gif.orig
# cp center_strip_consumer_1.gif center_strip_consumer_1.gif.orig
# cp right_strip_consumer_1.gif right_strip_consumer_1.gif.orig
# cd ../en
# cp default.html default.html.orig
# cp i18n.js i18n.js.orig
2. Edit the three main graphics files using your favorite editor, such as GIMP.
Be careful to note that some of these files have transparent backgrounds, while others do not. You can easily transfer these files to your desktop by using ftp.
a. The iplanet_logo.gif is an image 96 pixels wide x 66 pixels high on a white (255,255,255 RGB) background.
b. The WebMail_splash.gif is an image of 450 pixels wide x 50 pixels high on a white (255,255,255 RGB) background.
c. The iplanetBanner.gif is an image of 273 pixels wide x 27 pixels high on a transparent background.
For consistency, you could have all of your new graphics on transparent backgrounds.
Now that the files are edited, you can change some of the text; you can also edit this manually.
3. Stop the Messaging Server before you make any changes.
You do not have to do this, but it is generally a good idea. You must restart the services (server) to recognize the changes.
# cd /msg-Home/msg-Instance
# ./stop-msg
4. Copy the default.html file to a scratch file:
# cd /msg-Home/msg-Instance/html/en
# cp default.html default.tmp
# cp i18n.js i18n.tmp
5. Using either an editor or a program like sed, change the occurrences of iPlanet to your organization. For example, the code for Acme University would be:
# sed -e "s|www.iplanet.com|www.it.acme.edu|g" \
-e "s|iPlanet e-commerce solutions|Acme University IT Group|g" \
-e "s|iplanet.com|www.it.acme.edu|g" \
-e "s|iPlanet Messenger Express|Acme University Web eMail Service|g" \
-e "s|iPlanet Messaging Server|Acme University Web eMail Service|g" \
< default.tmp > default.html
# sed -e "s|iPlanet Messenger Express|Acme University Webmail|g" \
-e "s|Messenger Express|Webmail|g" < i18n.tmp > i18n.js
You changed a couple of URLs that refer to either www.iplanet.com or iplanet.com to the IT department’s web site at Acme University. You also changed the title bar, the graphic ALT tag, and the main screen.
Note – The copyright notice must be changed manually.
6. Restart the Messaging Server:
# cd /msg-Home/msg-Instance
# ./start-msg
▼ Changing the Main Web Mail Screen Banner
One often-requested item is an additional space on the main web mail screen, the screen you get once you have successfully logged in. Customers use this space to introduce their logos, banners, colors, and so forth. An easy way to include such information is to extend the basic frame set by adding an additional frame on top of the existing web mail frame.
A good example of this might be a partly transparent graphic that could be used in conjunction with coloring the frame’s background in Acme University’s school colors. Navigation buttons can be added too.
To add an extra frame, edit the mail.html file that contains the main layout of the web mail interface. This must be done in all versions of lang/mail.html. For the example, stick with the ‘en’ locale.
The mail.html is a very small file that plays a critical role because it controls the entire web mail interface.
1. Stop the Messaging Server before you make any changes.
You do not have to do this, but it is generally a good idea. You must restart the services (server) for the system to recognize the changes.
# cd /msg-Home/msg-Instance
# ./stop-msg
2. Back up the mail.html file:
# cd /msg-Home/msg-Instance/html/en
# cp mail.html mail.html.orig
3. Edit the mail.html file with your favorite editor, such as vi:
# vi mail.html
These are the lines that are of interest:
'<frameset border="0" frameborder="no" rows="0,*,0" onLoad="start()" onUnload="end()" onResize="change()">'+
'<frameset border="0" frameborder="no" cols="*,*,*,*,*">'+
'<frame name="cfgFrame" noresize scrolling="no" src="../frame.html?' + main.clientargs + '">'+
'<frame name="mboxFrame" noresize scrolling="no" src="../frame.html?' + main.clientargs + '">'+
'<frame name="cmdFrame" noresize scrolling="no" src="../frame.html?' + main.clientargs + '">'+
'<frame name="msgFrame" noresize scrolling="no" src="../frame.html?' + main.clientargs + '">'+
'<frame name="pabFrame" noresize scrolling="no" src="../frame.html?' + main.clientargs + '">'+
'</frameset>'+
'<frame name="mailFrame" marginwidth="0" marginheight="0" noresize src="../frame.html?' + main.clientargs + '">'+
'<frame name="appletFrame" marginwidth="0" marginheight="0" noresize src="../frame.html?' + main.clientargs + '">'+
'</frameset>'
To add an additional frame at the top of the page, add the following line or something similar:
'<frame name="!-- frame_name --" marginwidth="0" marginheight="0" noresize src="!-- html source --">'+
where !-- frame_name -- is the name you want to add to the frame and !-- html source -- is the HTML file you want this frame to include. So if you want to call the new frame “AcmeFrame” and its source is in the same directory but called acme.html, the additional line would look like:
'<frame name="acmeFrame" marginwidth="0" marginheight="0" noresize src="../acme.html">'+
This code is inserted right after the initial frame is defined, so the edited portion of the file looks like:
'<frameset border="0" frameborder="no" rows="20,*,0" onLoad="start()" onUnload="end()" onResize="change()">'+
'<frame name="acmeFrame" marginwidth="0" marginheight="0" noresize src="./acme.html">'+
'<frameset border="0" frameborder="no" cols="*,*,*,*,*">'+
'<frame name="cfgFrame" noresize scrolling="no" src="../frame.html?' + main.clientargs + '">'+
'<frame name="mboxFrame" noresize scrolling="no" src="../frame.html?' + main.clientargs + '">'+
'<frame name="cmdFrame" noresize scrolling="no" src="../frame.html?' + main.clientargs + '">'+
'<frame name="msgFrame" noresize scrolling="no" src="../frame.html?' + main.clientargs + '">'+
'<frame name="pabFrame" noresize scrolling="no" src="../frame.html?' + main.clientargs + '">'+
'</frameset>'+
'<frame name="mailFrame" marginwidth="0" marginheight="0" noresize src="../frame.html?' + main.clientargs + '">'+
'<frame name="appletFrame" marginwidth="0" marginheight="0" noresize src="../frame.html?' + main.clientargs + '">'+
'</frameset>'
Note that you must modify the “rows” value on the initial frame so that you can actually see the top frame. A nominal value should work, though some testing to determine the best value is warranted.
Once you have your changes saved and your new frame content “acme.html” completed, you can restart the messaging server:
# cd /msg-Home/msg-Instance
# ./start-msg
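Because an update replaces mail.html and the hand edit above then has to be redone, here is the same edit as a script; it is an added example, not code from the BluePrint or the product. The frame name, source path and row height are parameters, the sample fragment is constructed from the frameset shown above, and the script prepends a row for the new frame so the three existing rows keep their values.

```python
import re

# Constructed sample of the part of mail.html the chapter edits, as shipped (rows="0,*,0").
SAMPLE_MAIL_HTML = """'<frameset border="0" frameborder="no" rows="0,*,0" onLoad="start()" onUnload="end()" onResize="change()">'+
'<frameset border="0" frameborder="no" cols="*,*,*,*,*">'+
'<frame name="cfgFrame" noresize scrolling="no" src="../frame.html?' + main.clientargs + '">'+
'</frameset>'+
'<frame name="mailFrame" marginwidth="0" marginheight="0" noresize src="../frame.html?' + main.clientargs + '">'+
'<frame name="appletFrame" marginwidth="0" marginheight="0" noresize src="../frame.html?' + main.clientargs + '">'+
'</frameset>'
"""

# The outer frameset is the only one carrying a rows attribute; capture the text before
# the rows value, the value itself, and the rest of the JavaScript string line.
OUTER_FRAMESET = re.compile(r'(<frameset[^>]*\brows=")([^"]*)("[^>]*>\'\+)')


def add_top_frame(mail_html, frame_name, src, height):
    """Insert a new top frame right after the outer frameset of mail.html.

    A row of `height` pixels is prepended to the rows list so the existing rows keep
    their values. Running it again on already-edited text returns the text unchanged.
    """
    if f'name="{frame_name}"' in mail_html:
        return mail_html  # already applied (for example, a second run after an update)
    match = OUTER_FRAMESET.search(mail_html)
    if match is None:
        raise ValueError("outer frameset with a rows attribute not found")
    rows = match.group(2).split(",")
    if len(rows) != 3:  # as shipped the file has rows="0,*,0"
        raise ValueError(f"unexpected rows layout {match.group(2)!r}")
    new_frameset = match.group(1) + ",".join([str(height)] + rows) + match.group(3)
    frame_line = (f'\'<frame name="{frame_name}" marginwidth="0" marginheight="0" '
                  f'noresize src="{src}">\'+')
    edited = mail_html[:match.start()] + new_frameset + "\n" + frame_line + mail_html[match.end():]
    # Sanity check: the edit must not break the frameset nesting.
    if edited.count("<frameset") != edited.count("</frameset>"):
        raise ValueError("frameset tags are unbalanced after the edit")
    return edited


def frame_names(mail_html):
    """Return the frame names in document order, handy for verifying the result."""
    return re.findall(r'<frame name="([^"]+)"', mail_html)
```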
Caution – Often there are problems with loading pages (for example, blank screen once logged in) and other errors due to incorrect ownership and file permissions. Make sure the “owner” and “group” for the files you just modified or created are the same as the other files in the /msg-Home/msg-Instance/html and other directories (for example, chown iplanet:email mail.html). The permissions should be set to 750 by using the chmod command (for example, chmod 750 mail.html).
Tip – A good diagnostic is to turn off caching in your browser so you always receive the latest changes from the server. Logging out of the web interface and back in again works sometimes. Stopping and restarting the messaging server works sometimes too.
Note – The HTTP engine that is bundled as part of the Messaging Server is not a full-fledged web server. So some of the advanced HTML and JavaScript server side directives are not supported or can lead to strange results. When in doubt, keep it simple; things that work with the older browsers such as Netscape 4.78 tend to work just fine.
Removing and Adding Options on the Options Tab
Removing and adding options on the Options Tab and the ability to change the URL for the password change function are very closely related. Why is the ability to add or remove options important? Occasionally, institutions do not want users to change their personal information in the system directory; there may be a business or official process in the HR department or Registrar’s Office to accomplish this so that the information gets updated everywhere. Ideally, applications and other software would rely upon the directory. However, that is not always the case.
▼ Removing Options
Removing (commenting out) the existing options is the easiest of all the changes to make. To remove options from the options tab, find the function toggleFrameHTML (starts around line 150) in the opts_fs.html file which is in:
/msg-Home/msg-Instance/html/
where msg-Home is the directory where the messaging software was installed, and Instance is the name of the messaging instance (install), often the hostname (short hostname).
Comment out the getToggle() statement for each of the following options shown; the comment characters (//) start each line of the code that is to be commented out, for example:
// comment ** Copyright 2003 Sun Microsystems, Inc.
The removable options within the JavaScript code that can be commented out include:
Account Summary:
getToggle(main.i18n['account summary'], 'summary',
'javascript:parent.toggle(\'summary\')') +
Personal Information:
getToggle(main.i18n['personal'], 'personal',
'javascript:parent.toggle(\'personal\')') +
Change Password:
getToggle(main.i18n['password'], 'password',
'javascript:parent.toggle(\'password\')') +
Settings:
getToggle(main.i18n['settings'], 'settings',
'javascript:parent.toggle(\'settings\')') +
Appearance:
getToggle(main.i18n['appearance'], 'appearance',
'javascript:parent.toggle(\'appearance\')') +
Vacation Message:
getToggle(main.i18n['vacation'], 'vacation',
'javascript:parent.toggle(\'vacation\')') +
For example, to comment out the ability to change personal information:
1. Stop the Messaging Server before you make any changes.
You do not have to do this, but it is generally a good idea. You must restart the services (server) to recognize the changes.
# cd /msg-Home/msg-Instance
# ./stop-msg
2. Back up the opts_fs.html file:
# cd /msg-Home/msg-Instance/html
# cp opts_fs.html opts_fs.html.orig
3. Edit the opts_fs.html file with your favorite editor, such as vi:
# vi opts_fs.html
The lines of interest are:
getToggle(main.i18n['personal'], 'personal',
'javascript:parent.toggle(\'personal\')') +
Which will change to:
// commented out 01/09/03 by dbp
//
// getToggle(main.i18n['personal'], 'personal',
// 'javascript:parent.toggle(\'personal\')') +
//
Note – You do not have to go into a language directory such as “en” to change the options page. That is because this page is fully internationalized and uses variables that are set when a person logs in. So the actual text of Personal Information is not set within this JavaScript or HTML, it is set to whatever language you have configured for the default or a particular user. This also means you do not have to modify this page over and over again for each language that you use.
Once you have saved your updated opts_fs.html, you can restart the messaging server:
# cd /msg-Home/msg-Instance
# ./start-msg
5/17/2018 BP SunONE Messaging Server - slidepdf.com
http://slidepdf.com/reader/full/bp-sunone-messaging-server 159/284
Removing and Adding Options on the Options Tab 133
M Add ing Op tions
Now that you h ave successfully removed (commented out) an option from theOptions Tab, the next customization that many customers like to do is to add anoption. Unfortu nately it is not q uite as easy as comm enting ou t a few lines, bu t it is
not difficult either.
1. Stop the Messaging Server:
2. Back up the opts_fs.html file. You must be careful as you have already madesome changes:
This is where good chang e control manag emen t and u sing somethin g like CSV p ays
off and really adds value.3. Edit the opts_fs.html file w ith your favorite edi tor, such as vi:
# cd /msg-Home/msg- Instance
# ./stop-msg
# cd /msg-Home/msg- Instance/html# cp opts_fs.html opts_fs.html.orig
# vi opts_fs.html
a. Concentrate on two areas: the toggleFrameHTML() function, around line 150, and adding a custom action to be triggered by toggleFrameHTML().

Here is the toggleFrameHTML() function after the previous edit:

function toggleFrameHTML() {
    return main.getBody(main.chrome2, true, main.black, main.link0,
                        main.link1, main.chrome2) +
        '<center>\n<table border=0 cellspacing=7 cellpadding=0 width=100%>\n' +
        getToggle(main.i18n['account summary'], 'summary',
                  'javascript:parent.toggle(\'summary\')') +
//      getToggle(main.i18n['personal'], 'personal',
//                'javascript:parent.toggle(\'personal\')') +
        getToggle(main.i18n['password'], 'password',
                  'javascript:parent.toggle(\'password\')') +
        (main.cfgFrame.mbox.length == 0 ? '' :
            getToggle(main.i18n['settings'], 'settings',
                      'javascript:parent.toggle(\'settings\')')) +
        getToggle(main.i18n['appearance'], 'appearance',
                  'javascript:parent.toggle(\'appearance\')') +
        getToggle(main.i18n['vacation'], 'vacation',
                  'javascript:parent.toggle(\'vacation\')') +
        getToggle(main.i18n['NDA'], 'NDA',
                  'javascript:parent.toggle(\'NDA\')') +
        '</table>\n</center>\n'
}

b. Add an option called Yahoo.

This option opens a separate browser window, using JavaScript, with the URL http://www.yahoo.com:

function toggleFrameHTML() {
    return main.getBody(main.chrome2, true, main.black, main.link0,
                        main.link1, main.chrome2) +
        '<center>\n<table border=0 cellspacing=7 cellpadding=0 width=100%>\n' +
        getToggle(main.i18n['account summary'], 'summary',
                  'javascript:parent.toggle(\'summary\')') +
//      getToggle(main.i18n['personal'], 'personal',
//                'javascript:parent.toggle(\'personal\')') +
        getToggle(main.i18n['password'], 'password',
                  'javascript:parent.toggle(\'password\')') +
        (main.cfgFrame.mbox.length == 0 ? '' :
            getToggle(main.i18n['settings'], 'settings',
                      'javascript:parent.toggle(\'settings\')')) +
        getToggle(main.i18n['appearance'], 'appearance',
                  'javascript:parent.toggle(\'appearance\')') +
        getToggle(main.i18n['vacation'], 'vacation',
                  'javascript:parent.toggle(\'vacation\')') +
        // added the following option
        getToggle('Yahoo!', 'yahoo',
                  'javascript:parent.toggle(\'yahoo\')') +
//      getToggle(main.i18n['NDA'], 'NDA',
//                'javascript:parent.toggle(\'NDA\')') +
        '</table>\n</center>\n'
}

You could just as easily have pointed this at the main institution web page or even a change password application (more on that later).

Note the three fields:

1. The label of the option as it appears: "Yahoo!". Because this is a literal string rather than a main.i18n[] lookup, it is not localized; use main.i18n if you need translated labels.

2. The name of the option for tracking: "yahoo".

3. The action to take when clicked: javascript:parent.toggle(\'yahoo\'), which is passed to the following function and eventually runs the yahooHTML() function within opts_fs.html.

c. Modify the listFrameHTML() function to trigger the choice:

function listFrameHTML() {
    var s = main.getBody(main.white, true, main.black, main.link0,
                         main.link1, main.link2, 6, 8)
    if (main.option_page == 'appearance') {
        s += appearanceHTML()
    } else if (main.option_page == 'password') {
        s += passwordHTML()
    } else if (main.option_page == 'personal') {
        s += personalHTML()
    } else if (main.option_page == 'settings') {
        s += settingsHTML()
    } else if (main.option_page == 'summary') {
        s += summaryHTML()
    } else if (main.option_page == 'vacation') {
        s += vacationHTML()
    // added the yahoo option; the NDA branch is commented out to match the toggle above
    } else if (main.option_page == 'yahoo') {
        s += yahooHTML()
//  } else if (main.option_page == 'NDA') {
//      s = ndaHTML()
    }
    return s
}

d. Build a yahooHTML() function. The easiest way is to copy the ndaHTML() function and modify it:

function ndaHTML() {
    return '<HTML><HEAD></HEAD><BODY ONLOAD=\"location.href = \'' +
        main.NDAStartPage + '\'\"></BODY></HTML>'
}

This function becomes:

// added for yahoo by dbp
function yahooHTML() {
    return '<HTML><HEAD></HEAD><BODY ONLOAD=\"location.href = ' +
        '\'http:\/\/www.yahoo.com\'\"></BODY></HTML>'
}

Note the backslash (\) escapes. The backslashes before the straight quotes (' and ") are required because the whole value is one single-quoted JavaScript string that itself contains both kinds of quote. The \/ before each slash in http:\/\/www.yahoo.com is not strictly necessary (inside a string literal, // is never treated as a comment), but it is harmless and a common habit in inline scripts. You could just as easily have used any URL or web application here.

This function pulls the web page into the existing frame where it can, even if the port or protocol changes (https instead of http), as long as the target page permits being displayed in a frame. To get the web page in a separate window, use the JavaScript window.open() call instead.

For a pop-up window:

// added to do popup window by dbp
function yahooHTML() {
    return '<HTML><HEAD></HEAD><BODY ONLOAD=\"window.open(' +
        '\'http:\/\/www.yahoo.com\', \'test\', ' +
        '\'scrollbars=yes,menubar=yes,toolbar=yes,status=yes\')\"></BODY></HTML>'
}

After you save your updated opts_fs.html, restart the Messaging Server and check your changes.
As you can see, modifying these options is fairly easy. The last customization is to change how the change password functionality works: rather than put up a page to change the password, you can call an external application.

The easiest way to do this is to comment out (//) the existing passwordHTML() function:

// function passwordHTML() {
//     return '<form name="form">' +
//         '<table border=0 cellpadding=3 cellspacing=0>' +
//         '\n<tr>\n<td colspan=2>' +
//         main.font(3) + '<b>' + i18n['password'] +
//         '</b></font>' +
//         '<br>' + main.font() + i18n['passwd exp'] +
//         '</td>\n</tr>' +
//         '\n<tr>\n<td colspan=2>' +
//         '<table border=0 cellpadding=0 cellspacing=0 width=100% ' +
//         main.cellBgString + '><tr><td>' +
//         '<img src="imx/spacer.gif" width=1 height=2>' +
//         '</td></tr></table>' +
//         '</td>\n</tr>' +
//         '\n<tr>\n<td' + main.base_line + ' width=1% nowrap>' +
//         main.font() + i18n['passwd old'] + nbsp +
//         '</td>\n<td>' +
//         '<input type="password" name="old">' +
//         '</td>\n</tr>' +
//         '\n<tr>\n<td' + main.base_line + ' width=1% nowrap>' +
//         main.font() + i18n['passwd new'] + nbsp +
//         '</td>\n<td>' +
//         '<input type="password" name="newpass">' +
//         '</td>\n</tr>' +
//         '\n<tr>\n<td' + main.base_line + ' width=1% nowrap>' +
//         main.font() + i18n['passwd confirm'] + nbsp +
//         '</td>\n<td>' +
//         '<input type="password" name="confirm"> ' +
//         '</td>\n</tr>' +
//         '\n<tr>\n<td colspan=2>' + nbsp +
//         '</td></tr>' +
//         '<tr align=center width=100%><td colspan=2>' +
//         '<table border=0 cellpadding=4 cellspacing=0><tr>' +
//         main.button(i18n['passwd submit'], 'parent.validate()') +
//         main.button(i18n['clear'], 'parent.clear()') + '</tr></table>' +
//         '</td></tr>' +
//         '</td>\n</tr>' +
//         '</table></form>'
// }

Substitute your own passwordHTML() function:

// added to call external password update-change webpage
function passwordHTML() {
    return '<HTML><HEAD></HEAD><BODY ONLOAD=\"window.open(' +
        '\'http:\/\/changepwd.acme.edu\', \'chgpwd\', \'scrollbars=yes\')\"></BODY></HTML>'
}

Serve the external password application over HTTPS rather than the plain http:// shown here, since the user types the old and new passwords into it, and make that application authenticate the user itself: the web mail login does not carry over to a window opened on another host this way.
Beyond these basic modifications of the Options menu, customers also add validation criteria for passwords (for example, not in a dictionary, must contain special characters). This customization involves modifying the validate() function, perhaps calling a separate JavaScript function that you want to reuse (see main.js).
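As an added example (not code from this BluePrint, nor from the Messaging Server's own main.js), here is a password-policy check of the kind a customized validate() could call before the form is submitted. The form field names old, newpass and confirm come from the passwordHTML() listing above; the policy values, the word list and the function names are assumptions chosen for illustration.

```javascript
// Added example: a client-side password policy that a customized validate()
// in opts_fs.html could call. Not part of the Sun ONE Messaging Server code;
// the policy values, the word list and the function names are assumptions.

// Constructed, deliberately tiny "dictionary" of words users pick too often.
// A real deployment would load a far larger list, or check on the server.
var COMMON_WORDS = ['password', 'welcome', 'letmein', 'qwerty', 'acme', 'summer'];

var POLICY = {
  minLength: 8,
  minClasses: 3,      // of: lower, upper, digit, special
  maxRepeatRun: 3     // a character repeated more than this many times in a row fails
};

// Returns the list of reasons the candidate violates the policy; empty means it passes.
function checkPasswordPolicy(candidate, username, oldPassword) {
  var reasons = [];
  var pw = String(candidate || '');
  if (pw.length < POLICY.minLength) reasons.push('too short');

  var classes = 0;
  if (/[a-z]/.test(pw)) classes++;
  if (/[A-Z]/.test(pw)) classes++;
  if (/[0-9]/.test(pw)) classes++;
  if (/[^A-Za-z0-9]/.test(pw)) classes++;
  if (classes < POLICY.minClasses) reasons.push('needs ' + POLICY.minClasses + ' character classes');

  // Compare letters only, so "Password1!" is still caught by the word "password".
  var lower = pw.toLowerCase();
  var letters = lower.replace(/[^a-z]/g, '');
  for (var i = 0; i < COMMON_WORDS.length; i++) {
    if (letters.indexOf(COMMON_WORDS[i]) !== -1) { reasons.push('contains dictionary word'); break; }
  }
  if (username && letters.indexOf(String(username).toLowerCase()) !== -1) reasons.push('contains username');
  if (oldPassword && lower === String(oldPassword).toLowerCase()) reasons.push('same as old password');

  // (.)\1{N,} matches any character followed by N more copies of itself.
  var run = new RegExp('(.)\\1{' + POLICY.maxRepeatRun + ',}');
  if (run.test(pw)) reasons.push('repeated character run');
  return reasons;
}

// Mirrors the form built by passwordHTML(): fields old, newpass and confirm.
// validate() would alert() the reasons and keep the user on the page when ok is false.
function validatePasswordForm(form, username) {
  if (form.newpass !== form.confirm) return { ok: false, reasons: ['new and confirm differ'] };
  var reasons = checkPasswordPolicy(form.newpass, username, form.old);
  return { ok: reasons.length === 0, reasons: reasons };
}
```

A check like this only improves what users choose; it runs in the browser and can be bypassed, so the same rules must also be enforced where the password is actually set (the directory server's password policy or the external change-password application).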
Single Sign On

One change that most customers make initially is to enable single sign on (SSO) between Messenger Express (web mail) and the Delegated Administrator function. Out of the box, the Delegated Administrator link from the Options Tab in web mail pops up a separate window with a login box. Configuring the Messaging Server for SSO still pops up a separate window, but bypasses the login screen because the server knows who the user is and that the user has been properly authenticated. SSO is achieved with cookies and session IDs generated by the Messaging Server or by another application such as Delegated Administrator or the Calendar Server; an application that is handed a session ID checks it by calling the VerifySSO URL of the application that issued it, which is why those URLs are configured on both sides in the steps below.
Enabling Single Sign On

The following steps are required when the Messaging Server is running:

1. Use the su command to become mailsrv, where mailsrv is the UNIX or system user ID under which the Messaging Server is running. Since you used "nobody" as the system user ID during the install:

# su - nobody

2. Change to the messaging instance for which you want to enable SSO, /msg-Home/msg-Instance/:

# cd /msg-Home/msg-Instance/

where msg-Home is the directory where the messaging software was installed, and Instance is the name of the messaging instance (install), often the hostname (short hostname).
3. Check the existing settings for web mail:

# ./configutil | grep webmail
local.webmail.da.host = sparc5-1.central.sun.com
local.webmail.da.port = 88
local.webmail.sso.enable = 0
local.webmail.sso.singlesignoff = 0

4. Enable SSO and single sign off.

Single sign off cancels the SSO so that when someone clicks the logout link on any SSO-enabled application, the user's session ID and cookie go away. Enable it together with SSO: without it, logging out of one application leaves a cookie that still opens the others.

# ./configutil -o local.webmail.sso.enable -v 1
OK SET
# ./configutil -o local.webmail.sso.singlesignoff -v 1
OK SET

5. Configure the SSO prefix or group.

The SSO prefix or group provides a way for multiple SSO groups to reside on the same system; it becomes part of the browser cookie name.

The default for the Delegated Administrator and other applications is ssogrp1, so you can use that. You could also use something like foobar, but then you would have to change the default in the other Sun ONE products.

# ./configutil -o local.webmail.sso.prefix -v ssogrp1
OK SET

6. Configure the application ID.

The application ID identifies the web mail to other applications.

# ./configutil -o local.webmail.sso.id -v ims5
OK SET
7. Configure the domain of the cookie.

This domain must match the domain name used by the browser or client to access the web mail system. It must start with a period (.) and be a real DNS domain, not a hosted or virtual domain. The browser sends the SSO cookie to every host in this domain, so keep it as narrow as the participating servers allow; a broad value hands the session cookie to hosts that have no business seeing it. The demo system below was configured with .central.central.com; for users reaching web mail as sparc5-1.central.sun.com, the matching value would be .central.sun.com.

# ./configutil -o local.webmail.sso.cookiedomain -v ".central.central.com"
OK SET

8. Configure the URL for verification of SSO for IDA. IDA is the application name of the Delegated Administrator, much like ims5 is the name of web mail.

# ./configutil -o local.sso.ida.verifyurl -v "http://sparc5-1.central.sun.com:88/VerifySSO?"
OK SET

9. Configure SSO for calendar (optional). The calendar is called "ics50", and the URL uses the calendar server's port:

# ./configutil -o local.sso.ics50.verifyurl -v "http://sparc5-1.central.sun.com:81/VerifySSO?"
OK SET

These URLs are used to validate the session IDs presented by the other applications. In the demo they are plain http, which is acceptable only when all of the servers share a trusted network; otherwise use https so that session IDs do not cross the network in clear.

10. Check the settings again:

# ./configutil | grep webmail
local.webmail.da.host = sparc5-1.central.sun.com
local.webmail.da.port = 88
local.webmail.sso.cookiedomain = .central.central.com
local.webmail.sso.enable = 1
local.webmail.sso.id = ims5
local.webmail.sso.prefix = ssogrp1
local.webmail.sso.singlesignoff = 1

# ./configutil | grep sso
local.sso.ics50.verifyurl = http://sparc5-1.central.sun.com:81/VerifySSO?
local.sso.ida.verifyurl = http://sparc5-1.central.sun.com:88/VerifySSO?
local.webmail.sso.cookiedomain = .central.central.com
local.webmail.sso.enable = 1
local.webmail.sso.id = ims5
local.webmail.sso.prefix = ssogrp1
local.webmail.sso.singlesignoff = 1
11. Restart the web mail Messaging Server as root:

# su -
# cd /msg-Home/msg-Instance/
# ./stop-msg http
# ./start-msg http

12. Add a proxy user to the directory so SSO can look up users:

# ldapadd -h sparc5-1.central.sun.com -D "cn=Directory Manager" -w eatbeef -v -f proxy.ldif
add objectclass:
        top
        person
        organizationalperson
        inetorgperson
add uid:
        proxy
add givenname:
        Proxy
add sn:
        Auth
add cn:
        Proxy Auth
add userpassword:
        proxypassword
adding new entry uid=proxy, ou=people, o=sparc5-1.central.sun.com, o=isp
modify complete

where sparc5-1.central.sun.com is the host on which the directory server is running, eatbeef is the directory manager password, and proxy.ldif is a file with the following:

dn: uid=proxy, ou=people, o=sparc5-1.central.sun.com, o=isp
objectclass: top
objectclass: person
objectclass: organizationalperson
objectclass: inetorgperson
uid: proxy
givenname: Proxy
sn: Auth
cn: Proxy Auth
userpassword: proxypassword

where proxypassword is the password for this user. Choose a strong password that is not used anywhere else: Step 15 stores it in clear text in resource.properties, and the ACI added in the next step lets this account act as any user in the directory. Also avoid passing the Directory Manager password with -w on the command line as shown, since it then appears in process listings and shell history; use the tool's option to prompt for the password or read it from a protected file instead.

13. Add the access control information (ACI) for the proxy auth user:
# ldapmodify -h sparc5-1.central.sun.com -D "cn=Directory Manager" -w eatbeef -v -f aci1.ldif
add aci:
        (target="ldap:///o=isp")(targetattr="*")(version 3.0; acl "proxy";allow (proxy) userdn="ldap:///uid=proxy, ou=people, o=sparc5-1.central.sun.com, o=isp";)
modifying entry o=isp
modify complete

where the file aci1.ldif contains the following:

dn: o=isp
changetype: modify
add: aci
aci: (target="ldap:///o=isp")(targetattr="*")(version 3.0; acl "proxy";allow (proxy) userdn="ldap:///uid=proxy, ou=people, o=sparc5-1.central.sun.com, o=isp";)

# ldapmodify -h sparc5-1.central.sun.com -D "cn=Directory Manager" -w eatbeef -v -f aci2.ldif
add aci:
        (target="ldap:///o=internet")(targetattr="*")(version 3.0; acl "Allow iDA User Proxy";allow (proxy) userdn="ldap:///uid=proxy, ou=people, o=sparc5-1.central.sun.com, o=isp";)
modifying entry o=internet
modify complete

where the file aci2.ldif contains the following:

dn: o=internet
changetype: modify
add: aci
aci: (target="ldap:///o=internet")(targetattr="*")(version 3.0; acl "Allow iDA User Proxy";allow (proxy) userdn="ldap:///uid=proxy, ou=people, o=sparc5-1.central.sun.com, o=isp";)

These ACIs grant only the proxy right, not read or write: the proxy account can perform operations on behalf of any entry under o=isp and o=internet, with the effective rights of the user being proxied, but cannot read or modify entries on its own. Do not widen them to other permissions.

14. Go to the directory where the Delegated Administrator resource file is located:

# cd /ida-Home/nda/classes/netscape/nda/servlet

where ida-Home is the location where Delegated Administrator was installed. For the demo system it is:

# cd /A1000/demo6789/ida12/nda/classes/netscape/nda/servlet
15. Edit the resource.properties file as follows. Several changes must be made in this file:

# cp resource.properties resource.properties.orig
# vi resource.properties
# diff resource.properties resource.properties.orig
514c514
< NDAAuth-applicationId=ida
---
> NDAAuth-applicationId=nda45
526,528c526
< verificationurl-ssogrp1-ida=http://sparc5-1.central.sun.com:88/VerifySSO?
< verificationurl-ssogrp1-ims5=http://sparc5-1.central.sun.com:80/VerifySSO?
< verificationurl-ssogrp1-ics50=http://sparc5-1.central.sun.com:81/VerifySSO?
---
> #verificationurl-ssogrp1-nda45=http://localhost:80/VerifySSO?
542,543c540,541
< LDAPDatabaseInterface-ldapauthdn=uid=proxy,ou=people,o=sparc5-1.central.sun.com,o=isp
< LDAPDatabaseInterface-ldapauthpw=proxypassword
---
> #LDAPDatabaseInterface-ldapauthdn=
> #LDAPDatabaseInterface-ldapauthpw=

The first change is the name by which the Delegated Administrator is referred to within the SSO context: from nda45 to the value you gave it with the configutil command (see Step 8).

Next, you added verification URLs for each of the applications you would like SSO enabled for: mail (ims5), calendar (ics50), and delegated administrator (ida), as you called them in Steps 6, 8, and 9. These must match!

Finally, you uncommented the ldapauthdn and ldapauthpw variables and used the user that you created in Step 12. Because resource.properties now holds that password in clear text, make sure the file is readable only by the user the web server runs as.

16. Change the properties for the web server.

You must make this change because the Delegated Administrator is really a web application.

# cd /web-HOME/INSTANCE/config

where web-HOME is the install directory for the web server and INSTANCE is the specific web server instance you are configuring. This is likely to contain the fully qualified name of the host. In the demo system it is:

# cd /A1000/demo6789/iws60/https-sparc5-1.central.sun.com/config

17. Edit the servlets.properties and context.properties files:

# cp servlets.properties servlets.properties.orig
# cp context.properties context.properties.orig
# vi servlets.properties

a. Uncomment (remove the beginning # character from) each line in the servlets.properties file that contains servlet.*.context=ims50. There should be about 16 of these lines:
# grep =ims50 servlets.properties
#To enable single signon uncomment all the servlet.*.context=ims50 lines
#servlet.Debug.context=ims50
#servlet.Version.context=ims50
#servlet.auth.context=ims50
#servlet.cauth.context=ims50
#servlet.getPage.context=ims50
#servlet.getBin.context=ims50
#servlet.cosMgr.context=ims50
#servlet.userCosMgr.context=ims50
#servlet.getLocation.context=ims50
#servlet.TaskManager.context=ims50
#servlet.logout.context=ims50
#servlet.CLIMap.context=ims50
#servlet.CLISearch.context=ims50
#servlet.userSsrMgr.context=ims50
#servlet.ssoauth.context=ims50
#servlet.VerifySSO.context=ims50
b. Edit the context.properties file. Add this line near the end of the file, just before #IDACONF-Start:

# vi context.properties

context.ims50.sessionCookie=ssogrp1-ida

The ssogrp1-ida must match the prefix and the name set in Steps 5 and 8.

18. Restart the web server:

# cd /web-HOME/INSTANCE
# ./stop
shutdown: server shut down
# ./start
iPlanet-WebServer-Enterprise/6.0SP2 B11/13/2001 00:49
[LS ls1] http://sparc5-1.central.sun.com, port 88 ready to accept requests
startup: server started successfully
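The prefix, application IDs and verification URLs set in Steps 5 through 9 and again in Step 15 have to agree on both sides, and a mismatch is easy to miss. The following script is an added example, not part of this BluePrint or of the Sun ONE products: it reads the raw text of "configutil | grep sso" and of resource.properties and reports every inconsistency it can detect. The two parsers and the https check reflect what a practitioner would want flagged, not documented product behaviour, and the sample inputs are constructed from the demo values shown above.

```javascript
// Added example (not from the BluePrint or the Sun ONE products): cross-check
// the web mail SSO settings against Delegated Administrator's
// resource.properties. Inputs are the raw text of "configutil | grep sso"
// and of resource.properties; the result is a list of problems (empty = consistent).

// Constructed sample built from the demo values used in the steps above.
var SAMPLE_CONFIGUTIL = [
  'local.sso.ics50.verifyurl = http://sparc5-1.central.sun.com:81/VerifySSO?',
  'local.sso.ida.verifyurl = http://sparc5-1.central.sun.com:88/VerifySSO?',
  'local.webmail.sso.cookiedomain = .central.central.com',
  'local.webmail.sso.enable = 1',
  'local.webmail.sso.id = ims5',
  'local.webmail.sso.prefix = ssogrp1'
].join('\n');

var SAMPLE_PROPERTIES = [
  'NDAAuth-applicationId=ida',
  'verificationurl-ssogrp1-ida=http://sparc5-1.central.sun.com:88/VerifySSO?',
  'verificationurl-ssogrp1-ims5=http://sparc5-1.central.sun.com:80/VerifySSO?',
  'verificationurl-ssogrp1-ics50=http://sparc5-1.central.sun.com:81/VerifySSO?',
  'LDAPDatabaseInterface-ldapauthdn=uid=proxy,ou=people,o=sparc5-1.central.sun.com,o=isp',
  'LDAPDatabaseInterface-ldapauthpw=proxypassword'
].join('\n');

// configutil prints "key = value"
function parseConfigutil(text) {
  var out = {};
  text.split('\n').forEach(function (line) {
    var m = /^\s*([^\s=]+)\s*=\s*(.*?)\s*$/.exec(line);
    if (m) out[m[1]] = m[2];
  });
  return out;
}

// resource.properties is "key=value"; "#" starts a comment and a value may contain "="
function parseProperties(text) {
  var out = {};
  text.split('\n').forEach(function (line) {
    if (/^\s*#/.test(line)) return;
    var i = line.indexOf('=');
    if (i > 0) out[line.slice(0, i).trim()] = line.slice(i + 1).trim();
  });
  return out;
}

function checkSsoConsistency(configutilText, propertiesText) {
  var cfg = parseConfigutil(configutilText);
  var props = parseProperties(propertiesText);
  var problems = [];
  var prefix = cfg['local.webmail.sso.prefix'] || '';
  var msgId = cfg['local.webmail.sso.id'] || '';
  var idaId = props['NDAAuth-applicationId'] || '';

  if (cfg['local.webmail.sso.enable'] !== '1') problems.push('local.webmail.sso.enable is not 1');
  var domain = cfg['local.webmail.sso.cookiedomain'] || '';
  if (domain.charAt(0) !== '.') problems.push('local.webmail.sso.cookiedomain must start with a dot: "' + domain + '"');

  // Step 15: Delegated Administrator must list web mail's own verification URL
  // under the same prefix and application ID that web mail uses (Steps 5 and 6).
  if (!props['verificationurl-' + prefix + '-' + msgId]) {
    problems.push('resource.properties has no verificationurl-' + prefix + '-' + msgId);
  }
  // Steps 8, 9 and 15: every application web mail verifies against must appear in
  // Delegated Administrator's list with exactly the same URL.
  Object.keys(cfg).forEach(function (key) {
    var m = /^local\.sso\.([^.]+)\.verifyurl$/.exec(key);
    if (!m) return;
    var theirs = props['verificationurl-' + prefix + '-' + m[1]];
    if (theirs !== cfg[key]) {
      problems.push('verification URL for ' + m[1] + ' differs: configutil "' + cfg[key] +
                    '" vs resource.properties "' + theirs + '"');
    }
  });
  // Step 8 versus Step 15: the ID Delegated Administrator uses for itself must be one web mail knows.
  if (!cfg['local.sso.' + idaId + '.verifyurl']) {
    problems.push('configutil has no local.sso.' + idaId + '.verifyurl for NDAAuth-applicationId=' + idaId);
  }
  // Step 15: the proxy bind identity must be filled in.
  if (!props['LDAPDatabaseInterface-ldapauthdn'] || !props['LDAPDatabaseInterface-ldapauthpw']) {
    problems.push('LDAPDatabaseInterface-ldapauthdn/ldapauthpw not set');
  }
  // VerifySSO requests carry the session ID; flag any URL over which it would travel in clear.
  Object.keys(props).forEach(function (key) {
    if (key.indexOf('verificationurl-') === 0 && props[key].indexOf('https://') !== 0) {
      problems.push(key + ' is not https: ' + props[key]);
    }
  });
  return problems;
}

// With the demo values every check passes except that the three VerifySSO URLs are plain http.
var demoProblems = checkSsoConsistency(SAMPLE_CONFIGUTIL, SAMPLE_PROPERTIES);
```

Run it with the real files by reading them (for example with Node's fs.readFileSync) and passing their contents to checkSsoConsistency; an empty list means the two sides agree. The check on plain http is deliberately strict: if the applications all run on one trusted host, as in the demo, you can ignore those three lines.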
Setting the Initial Welcome Email

Often you want to have an email that contains some basic information waiting for a new user. While this feature is available from both the command line and the administrator's console, the documentation often only provides examples for the administrator's console, as it is much easier to do from the console. Many customers want to configure this from the command line.

For more details, refer to Chapter 2 of the Sun ONE Messaging Server Administration Guide.
The following steps are required when the Messaging Server is running:

1. Use su to become mailsrv, where mailsrv is the UNIX or system user ID under which the Messaging Server is running. Since you used "nobody" during the install:

# su - nobody

2. Change to the messaging instance for which you want to set the welcome message, /msg-Home/msg-Instance/:

# cd /msg-Home/msg-Instance/
# cd /A1000/demo6789/ims5/msg-sparc5-1

where msg-Home is the directory where the messaging software was installed, and Instance is the name of the messaging instance (install), often the hostname (short hostname); the second command shows the path on the demo system.

3. Check the existing settings for the welcome message:

# ./configutil | grep gen.newuserforms

4. Edit or create a welcome message (email format including headers, with at minimum a subject):

# vi welcome.txt

You must at least have a "Subject: {subject}" header. For example:

    Subject: Welcome!

    This is a welcome message.

is OK, but not:

    This is a welcome message.

5. Set the welcome message:

# ./configutil -o gen.newuserforms -v < welcome.txt

Over-Quota Limits and Warning Email

Often, an administrator wants to set a limit on how much storage a user's messages can consume and how many messages the user can retain. This is referred to as quota. The Messaging Server can limit a user both on storage (bytes) and on the number of messages allowed. The system also provides a method for notifying users that they are running out of quota or are in danger of going over the limit, as well as a grace period during which mail for a user who is over quota is held rather than returned, giving the user time to log in and delete email.

You can set these limits by using the console or from the command line. Using the administration console is easier, but some customers prefer to do everything from the command line.

For details, refer to Chapter 11 of the Sun ONE Messaging Server Administration Guide.
Configuring Over-Quota Limits and Warning Email

The following steps are required when the Messaging Server is running to begin configuring the quota, warning message, and grace period:

1. Use su to become mailsrv, where mailsrv is the UNIX or system user ID under which the Messaging Server is running. Since you used "nobody" as the system user ID during the install:

# su - nobody

2. Change to the messaging instance for which you want to change the user quota, /msg-Home/msg-Instance/:

# cd /msg-Home/msg-Instance/
# cd /A1000/demo6789/ims5/msg-sparc5-1

where msg-Home is the directory where the messaging software was installed, and Instance is the name of the messaging instance (install), often the hostname (short hostname); the second command shows the path on the demo system.

3. Check the existing settings for the quota:

# ./configutil | grep quota

4. Configure a default user quota.

• To configure a default user quota in terms of space:

# ./configutil -o store.defaultmailboxquota -v quota

where quota is the quota expressed in bytes. To set a default limit of roughly 10 megabytes (10,240,000 bytes):

# ./configutil -o store.defaultmailboxquota -v 10240000
OK SET

• To configure a default user quota for the total number of messages:

# ./configutil -o store.defaultmessagequota -v quota

where quota indicates the maximum number of messages. To set a default limit of 100 messages:
# ./configutil -o store.defaultmessagequota -v 100
OK SET

5. Verify the changes:

# ./configutil | grep quota

6. Configure quota enforcement and notification. This step turns on the quota and the messages to users that they are exceeding the quota:

# ./configutil -o store.quotaenforcement -v yes
OK SET
# ./configutil -o store.quotanotification -v yes
OK SET

7. Configure the actual message:

# ./configutil -o store.quotaexceededmsg -v msg

where msg is the email message sent to users when the quota is exceeded. The message must have at least a subject line, so it is easiest to keep it in a file:

# ./configutil -o store.quotaexceededmsg -v < msg.txt

To configure how often a reminder is sent to the users:

# ./configutil -o store.quotaexceedmsginterval -v days

where days is the number of days between reminders. To configure a daily reminder:
# ./configutil -o store.quotaexceedmsginterval -v 1

8. Notify users in advance of the upcoming quota limit. The threshold depends upon your company's policy:

# ./configutil -o store.quotawarn -v percent

where percent is the threshold for the warning. To configure a warning message at 90 percent of quota:

# ./configutil -o store.quotawarn -v 90

9. Set the grace period, that is, how long messages are held for users that are over quota. During the grace period the messages are held in the queue; they are not delivered to the mailboxes.

# ./configutil -o store.quotagraceperiod -v hours

where hours is the number of hours over-quota messages will be held. To configure a grace period of three days:

# ./configutil -o store.quotagraceperiod -v 72

10. Check the settings for the quotas again:

# ./configutil | grep quota
Customizing Return Errors

Occasionally, customers like to configure or customize the return errors provided to other SMTP servers. While this is generally frowned upon, legitimate reasons do exist: to provide additional information, to provide system administrator contact information, and so forth. Whatever you add, keep it short and do not reveal internal host names, software versions, or routing details, since a bounce is a message to the outside world.

The return messages are localized to a point. Depending upon which version of the messaging software was installed and the level of customization, you might have German, Spanish, French, and English, so you may have to modify several files. This book only describes the English (en) locale.

The return codes are stored in the following directory:

/msg-HOME/msg-Instance/imta/config/locale/C/LC_MESSAGES

where msg-Home is the directory where the messaging software was installed, and Instance is the name of the messaging instance (install), often the hostname (short hostname). On the demo system:

# cd /A1000/demo6780/ims52/msg-sparc5-1/imta/config/locale/C/LC_MESSAGES

If you look at this directory, you can see the files for the various responses:

# ls
return_bounced.txt*    return_delayed.txt*    return_failed.txt*     return_header.opt*
return_deferred.txt*   return_delivered.txt*  return_forwarded.txt*  return_prefix.txt*
return_suffix.txt*     return_timedout.txt*
CHAPTER 10

Security

Security is integral to any mission-critical enterprise-wide system. To paraphrase a recent animated hit movie, "Security is like an onion... it has layers." Whether the system is a messaging system or a database system, there are many layers (FIGURE 10-1) to address when securing it, and each layer is integral to the overall security of the system. The question is how much effort is really appropriate for the level of security required.

This chapter discusses in detail the specific issues surrounding the security of a messaging server, including the server platform, the various protocols and their impact, and securing the contents of the messages.

This chapter divides the topic of security as it relates to a messaging system into three different layers or topics:

• Network
• System
• Messaging Software Protocols
FIGURE 10-1 Security Layers (from the outside in: Client, Network, Application, Operating system, Hardware)
Network

The network layer is the layer that is external to the physical host and operating system on which the Messaging Server or one of its components is running. It is surprising to see, in this day and age of reasonable paranoia regarding basic network security, how many customers are not actually deploying even the most basic network security measures such as firewalls. You may be saying, "of course we have a firewall!" OK, but is it just there for traffic between the Internet and your organization's network? Or do you have several layers of firewalls, including a layer protecting mission-critical systems such as your messaging system?

Why use firewalls for the Messaging Server? Even under the most complex configurations, roughly half a dozen ports must be exposed to users. Why allow users to access ports they do not have to access in the first place?

Some customers ask, "Why must I protect against my internal users?" Many computer security experts say that internal users pose a significant risk too.
Looking at the individual components of the Messaging Server, such as the message store, MTA, directory, and proxies such as the MMP and MME, there are definitely components to which only internal users need access, and then only on specific ports. TABLE 10-1 shows what access might be required for messaging in a typical enterprise.

Corporations often use virtual private networks (VPNs) to allow external users to act as though they were part of the internal network, so limiting access from the Internet is fairly straightforward.

TABLE 10-1 Enterprise Messaging Access in a Typical Enterprise

Component       Internal   Internet
Directory       Y          N
Mail Store      Y          N
MTA-INBOUND     Y          Y
MTA-OUTBOUND    Y          N
MMP             Y          N
MME             Y          N

The same chart can look dramatically different for organizations such as universities (TABLE 10-2), many of which do not differentiate significantly between internal networks and the Internet (although this is rapidly changing).

TABLE 10-2 Enterprise Messaging Access in a University

Component       Internal   Internet*
Directory       Y          Y
Mail Store      Y          Y
MTA-INBOUND     Y          Y
MTA-OUTBOUND    Y          Y
MMP             Y          Y
MME             Y          Y

* All Internet access except MTA-INBOUND is for authorized users only, and in a secure manner.

In some organizations, the concept known as a demilitarized zone (DMZ) (FIGURE 10-2) is used to establish systems with access to both internal and external networks, within reason and under very controlled circumstances. Many of the servers inside the DMZ are stateless and are limited to functions such as relays and proxies. Firewall rules can be explicitly configured to allow only specific internal network or Internet connections. Additional rules control how the proxies or relays are allowed to connect.

FIGURE 10-2 Secure Network Architecture for Messaging Environment (Internet or WAN; outer firewall; DMZ containing proxies and MTAs; inner firewall; internal servers)

In reality, a significant degree of planning and forethought must be put into network security, including addressing issues such as network access to mission-critical systems such as messaging. This book does not address the issue of network security; the purpose here is to make you aware of its requirements.

Some points on network security:

1. Put your server behind a firewall with packet filtering and stateful packet inspection (SPI) capabilities. Configure the firewall to drop packets arriving from outside that carry an internal source IP address (anti-spoofing), and forbid all connections from outside except to those ports you explicitly need.

2. Do not put any Windows machines (especially Windows machines running XP, Outlook, or the Windows Scripting Host) on the same network as your server.

3. The better the protection at the network level, the less the system security level has to deal with. Conversely, the poorer the protection at the network level, the more the system security has to deal with.
SystemThere are m any aspects to system security. This book focuses on the Solaris OE.How ever, man y of the concepts are easily ap plied to other UN IX oper ating
environments, including derivatives such as Linux.
Basics of Solaris OE Security
Perhaps the easiest way to secure or harden the Solaris OE system is by using the Solaris™ Security Toolkit, informally known as the JumpStart Architecture and Security Scripts (JASS) toolkit. It provides a flexible and extensible mechanism to minimize, harden, and secure Solaris OE systems. The primary goal behind the development of these toolkits is to simplify and automate the process of securing Solaris OE systems.
The Solaris Security Toolkit focuses on Solaris OE security modifications to harden and minimize a system. Hardening is the modification of Solaris OE configurations to improve the security of the system. Minimization is the removal of unnecessary Solaris OE packages from the system. This removal reduces the number of components to be patched and made secure, which, in turn, has the potential to reduce entry points available to a possible intruder.
The Solaris Security Toolkit provides two methods for securing systems: during initial Solaris OE installs by using JumpStart software technology, or from the command line, which is called standalone mode. This standalone mode allows the Solaris Security Toolkit to be used on systems that require security modifications or updates. The standalone mode is particularly useful when rehardening a system after patches have been installed. The Solaris Security Toolkit can be run any number of times on a system with no ill effects. Patches can overwrite or modify files the Solaris Security Toolkit has also modified; by rerunning the Solaris Security Toolkit, any security modifications undone by the patch installation can be reimplemented. In production environments, patches should always be staged in test and development environments before installation.
The Solaris Security Toolkit is located at:
http://wwws.sun.com/software/security/jass/.
Other security-related Sun BluePrints are located at:
http://www.sun.com/solutions/blueprints/browsesubject.html#security.
Note – The toolkit locks down the “nobody” account, so if you are using this account to run a prototype or demo messaging system, you must edit the /etc/passwd file and delete the /sbin/noshell at the end of the “nobody” entry. Alternatively, create a new group and users for the messaging system, as recommended in the iPlanet Messaging Server Installation Guide.
Additional system security measures include solid intrusion detection and monitoring. While the toolkit provides some hardening of the Solaris OE, it does not do intrusion detection.
A variety of commercial and open-source offerings are available for system intrusion detection and monitoring. Network intrusion detection and monitoring packages are also available. An example of this type of software is TripWire.
Some points on system security:
1. Start by installing the most recent Solaris OE security patch clusters and setting up a procedure to update the patches once every few months and in response to security alerts from the vendor.
2. Turn off all operating system services that listen on a port that you do not use. The toolkit does some of this.
3. Replace telnet, ftp, and so forth with sshd. The toolkit also does some of this—sshd is part of the install by default under the Solaris 9 OE.
4. Do not provide users with interactive accounts on the Messaging Server—only administrators should have accounts.
5. Do not change the default configuration of Solaris OE regarding the console; require administrators to log in and then become superuser and change the directory to root unless they are actually on a console port.
6. Implement sudo or its equivalent for administrators, or the equivalent functionality (role-based access control), which is included within the Solaris Operating Environment. For more details, see the Solaris System Administrators Guide on Security Services at:
http://docs.sun.com/db/doc/806-4078.
7. Read and understand the Sun BluePrints related to system security at:
http://www.sun.com/solutions/blueprints/browsesubject.html#security.
8. Install intrusion detection and monitoring software, for example TripWire. Sun, in conjunction with Symantec, recently introduced a new intrusion detection appliance. For more information, go to:
http://www.sun.com/smi/Press/2003-04/sunflash.20030414.1.html.
Messaging Software Protocols

As with the system security, the messaging software security also has layers of its own, which can be separated into the following components:
I Directory
I Message Store
I MTA
I Proxy

Directory
There are several aspects of securing the directory beyond securing the basic server and operating system. These aspects are:
I ACI—limiting permissions as to what people can see and do
I Search limits—how many responses and how much time can be spent searching
I SSL—enabling SSL support
I Non-standard ports—not using ports 389 or 636 for LDAP or LDAP over SSL
This is not an exhaustive list of directory security issues, but it covers most of the options to secure the Directory Server protocols and access using these protocols.
ACI
Access control instructions (ACIs) are basically permissions. The Directory Server provides a mechanism by which you define access. When the server receives a request, it uses the authentication information provided by the user in the bind operation and the ACIs defined in the server to allow or deny access to directory information. The server can allow or deny permissions such as read, write, search, and compare. The permission level granted to a user may be dependent on the authentication information provided.
Using access control, you can control access to the entire directory, a subtree of the directory, specific entries in the directory (including entries defining configuration tasks), or a specific set of entry attributes. You can set permissions for a specific user, all users belonging to a specific group or role, or all users of the directory. Finally, you can define access for a specific location such as an IP address or a DNS name.
Chapter 6 of the iPlanet Directory Server Administration Guide provides details on configuring and establishing ACIs.
The two or three most common changes or customizations are for customers to change permissions (ACIs) for:
I Self
I Anonymous
I General access
Some customers, for example, do not want anyone to be able to change their own entry information. For this, an ACI can be created to restrict (deny) change privileges to “self.”
Other customers want anonymous (anyone) to see only the person’s name, phone number, and email address—nothing else. Again, an ACI can be created for “anyone” to be able to only see the common name, phone number, and email address.
General access can control authenticated users’ access to the directory, so even if they successfully log in, they can see more than “anyone” but less than “self,” for example. An ACI modification or creation can do this too.
Other conditions that can be taken into consideration when creating ACIs include time of day, day of week, IP address, and DNS name.
ACIs are a powerful way to control access to the directory, if properly configured, but can also be a problem if poorly done since they can impede other software from working correctly.
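The self, anonymous, and general-access customizations just described, as an added example that is not from the book or from Sun: a Python model of how Directory Server combines ACIs (access is denied unless some ACI allows it, and a matching deny overrides any allow). The parser handles only the one-targetattr, one-rule subset of the ACI syntax shown, and the attribute names title and ou in the "general access" rule are assumptions of the example.

```python
import re

# Subset of the Directory Server ACI syntax handled here (an assumption of this example,
# not a full implementation): one targetattr clause, one allow/deny clause, and a userdn
# bind rule of ldap:///self, ldap:///anyone or ldap:///all.
ACI_RE = re.compile(
    r'^\(targetattr\s*=\s*"(?P<attrs>[^"]*)"\)\s*'
    r'\(version 3\.0;\s*acl\s+"(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'userdn\s*=\s*"ldap:///(?P<subject>self|anyone|all)"\s*;\s*\)$'
)

# Which requester kinds each bind-rule subject covers: "anyone" includes anonymous binds,
# "all" is every authenticated user, and "self" is a user acting on their own entry.
SUBJECT_COVERS = {
    "anyone": {"anonymous", "authenticated", "self"},
    "all": {"authenticated", "self"},
    "self": {"self"},
}


def parse_aci(text):
    """Parse one ACI value into a dict; raise ValueError for unsupported syntax."""
    m = ACI_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported ACI syntax: " + text)
    attrs = m.group("attrs").strip()
    return {
        "name": m.group("name"),
        "attrs": None if attrs == "*" else {a.strip().lower() for a in attrs.split("||")},
        "effect": m.group("effect"),
        "rights": {r.strip().lower() for r in m.group("rights").split(",")},
        "subject": m.group("subject"),
    }


def access_allowed(acis, requester, attribute, right):
    """Decide whether `requester` ("anonymous", "authenticated" or "self") gets `right`
    on `attribute`. Semantics modelled: access is denied unless some ACI allows it,
    and any matching deny overrides every allow."""
    attribute = attribute.lower()
    allowed = False
    for aci in acis:
        if requester not in SUBJECT_COVERS[aci["subject"]]:
            continue
        if aci["attrs"] is not None and attribute not in aci["attrs"]:
            continue
        if right not in aci["rights"]:
            continue
        if aci["effect"] == "deny":
            return False
        allowed = True
    return allowed


# Constructed ACI set implementing the three customizations described in the text:
# self may not change its own entry, anonymous sees only name/phone/email, and
# authenticated users see a little more (title and ou are assumed attribute names).
EXAMPLE_ACIS = [parse_aci(a) for a in [
    '(targetattr="*")(version 3.0; acl "self may read everything"; '
    'allow (read,search,compare) userdn="ldap:///self";)',
    '(targetattr="*")(version 3.0; acl "self may not modify"; '
    'deny (write) userdn="ldap:///self";)',
    '(targetattr="cn || telephoneNumber || mail")(version 3.0; acl "anonymous access"; '
    'allow (read,search,compare) userdn="ldap:///anyone";)',
    '(targetattr="cn || telephoneNumber || mail || title || ou")(version 3.0; '
    'acl "general access"; allow (read,search,compare) userdn="ldap:///all";)',
]]


if __name__ == "__main__":
    for who, attr, right in [("anonymous", "mail", "read"), ("anonymous", "title", "read"),
                             ("authenticated", "title", "read"), ("self", "userPassword", "read"),
                             ("self", "mail", "write")]:
        print(f"{who:13} {right:5} {attr:14} -> {access_allowed(EXAMPLE_ACIS, who, attr, right)}")
```

The deny rule for self is listed after the self-allow rule, and the evaluator still denies the write; order does not matter, which is the property that makes a stray deny ACI able to break other software as the text warns.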
Search Limits
One of the newer features of the Directory Server is the ability to limit the size of searches and the time spent searching for different types of users. Previous versions only provided for one overall limit, not multiple limits.
These limit features provide the ability to configure both size limit (number of entries returned) and time limit (maximum amount of real time in seconds the server should spend performing a search request) not only as a system default, but also at a finer-grained level. For example, you can configure the Directory Server so that “anyone” or unauthenticated users can only retrieve five entries and spend 20 seconds searching, while “general access” users (for example, those who have authenticated successfully) can retrieve 50 entries and spend 180 seconds searching.
The Directory Server allows you to specify resource limits, including sizelimit, timelimit, lookthroughlimit, and idletimeout, down to the per-user level. This is documented online at:
http://docs.sun.com/source/816-5606-10/password.htm#1085603.
Enabling SSL Support
Enabling SSL support for the Directory Server is the first step in providing secure access using LDAP over SSL for queries and responses. Enabling SSL by itself does not configure the other servers to take advantage of it, however. Additional configuration typically must be done. Enabling SSL simply turns on the Directory Server’s ability to encrypt LDAP using SSL over the network, so where LDAP is normally on port 389, LDAP over SSL is typically on port 636 (either of which can be changed).
The caveat on enabling SSL for anything is certificate management. A certificate (key) must be generated and imported into the server. For specific instructions, see Chapter 11 of the Sun ONE Directory Server Administrators Guide. Also, the personal identification number (PIN) or password for the certificate must be entered to start the server. This PIN can be stored within a file, but it is done in cleartext, which provides some security issues and risks that must be assessed prior to doing so.
For details on managing SSL, see Chapter 11 of the Sun ONE Directory Server Administrators Guide.
Enabling SSL on the Directory Server will have some performance impact that must be taken into consideration when sizing. This depends specifically on the number of transactions and usage of the SSL-enabled LDAP ports. For example, if only ten percent of the transactions require SSL, use SSL only for these ten percent if possible. The Directory Server supports hardware acceleration of SSL workload, but this can add some additional configuration requirements and complexity.
Non-standard Ports
The Directory Server and Messaging Server provide the ability to use non-standard ports for LDAP and LDAP over SSL. While this prevents some basic default port scanning, it also means that all the software that accesses the directory must be configured to use the non-standard port numbers too, so this becomes slightly more difficult to manage and configure.
Message Store
From the Messaging Server software point of view, the security aspects on the message store are limited to the basic email protocols—POP, IMAP, SMTP, and HTTP (web mail), plus the administrative interfaces over HTTP.
SMTP
Configure the SMTP daemon on the mailstore (it is required to deliver mail to mailboxes) to only accept connections from the “official” MTAs. The MTA on the mailstore is there just to deliver mail to mailboxes and users. The exception to this rule is for smaller configurations that want to have a consolidated or “all-in-one” messaging system where the MTA on the mailstore is the “official” MTA and the only MTA.
MTA
Several things can be done to make the MTA more secure, although this is really more of a configuration issue and depends upon the environment.
The biggest security feature for the MTA is to require authentication prior to sending an email. This is known as SMTP authentication or SMTP AUTH for short. This authentication requires that the sender have a valid login and password (account) on the messaging system, thus preventing users from sending email from anywhere, regardless of whether they are local (on net) or not. This also prevents people from sending thousands of emails out to the Internet using your MTA as a relay, though it does not prevent forged headers (see RDNS).
RDNS
Reverse DNS (RDNS) validates that the domain name from which the mail is purported to have been sent (sender’s domain name) is at least registered, that is, valid. The setting within the Messaging Server that provides this capability is called mailfromdnsverify. This lookup only verifies the existence of the domain name in the DNS registry, nothing else. Spammers and others can easily forge headers, and domain names can be registered/churned quickly. So, the debate is how useful RDNS really is at this point. In fact, it is only one feature of many that slows down spam and so forth.
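An added illustration of what a mailfromdnsverify style check does and does not catch, in Python (not Messaging Server code; the DNS lookup is replaced by a constructed stub so it runs offline): the envelope sender's domain is extracted, the null sender used by bounces is exempted, and only the existence of the domain is tested, so a forged address at a registered domain passes exactly as the text says.

```python
import re

# Constructed stand-in for DNS: domains that "exist". A real check queries the resolver
# for the domain; this stub keeps the example offline.
STUB_DNS = {"example.com", "sun.com", "mail.example.org"}

# MAIL FROM argument with or without angle brackets.
ADDR_RE = re.compile(r"^<?([^<>@\s]+)@([^<>@\s]+)>?$")


def envelope_domain(mail_from):
    """Return the domain of an SMTP MAIL FROM argument, "" for the null sender <>
    (used by bounces, which must stay deliverable), or None if the address is malformed."""
    value = mail_from.strip()
    if value in ("<>", ""):
        return ""
    m = ADDR_RE.match(value)
    if not m:
        return None
    return m.group(2).lower().rstrip(".")


def mailfrom_dns_verify(mail_from, domain_exists=lambda d: d in STUB_DNS):
    """Model of the mailfromdnsverify check: accept if the sender domain resolves.
    Returns (accepted, reason). Only existence is checked, so a forged local part at a
    registered domain is accepted; that is the limitation the text describes."""
    domain = envelope_domain(mail_from)
    if domain is None:
        return False, "malformed MAIL FROM"
    if domain == "":
        return True, "null sender, exempt from verification"
    if domain_exists(domain):
        return True, f"domain {domain} resolves"
    return False, f"domain {domain} does not resolve"


if __name__ == "__main__":
    for sender in ["<dave@example.com>", "<>", "<spam@unregistered.invalid>",
                   "<forged-ceo@sun.com>", "not-an-address"]:
        print(f"{sender:32} -> {mailfrom_dns_verify(sender)}")
```

The fourth sample sender is accepted even though nothing about it is genuine, which is why the text rates this check as only one slowing factor among many rather than a sender validation.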
Antivirus and Antispam
“Virus Scanning” on page 198 and “Antispam” on page 199 cover antivirus and antispam in more detail. Providing these services at the MTA level greatly enhances the overall security of the messaging environment.

Securing the Message Contents

Securing the message contents is usually the final step along the way in securing the mail system, and naturally the most difficult to implement for many reasons. PGP signing allows for the non-repudiation of a message—that is, you can validate who it is from and the contents. SMIME is secure MIME, which actually encrypts the contents of the message.
While adding these options to your messaging system offers additional levels of security, it also adds significant levels of support and administration as well. Extra consideration must be given when implementing digital signing or message encryption.

▼ Implementing PGP Signing

Pretty good protection (PGP) signing (digital signing) is simpler to do than message encryption (sometimes referred to as SMIME) by far, but it does not prevent access to the contents. It does allow you to confirm the identity (signature) of the sender and verify that the contents of the message (but not headers) have not been tampered with (non-repudiation).
The online help for Mozilla v1.3a states:
digital signature. A code created from both the data to be signed and the private key of the signer. This code is unique for each new piece of data. Even a single comma added to a message changes the digital signature for that message. Successful validation of your digital signature by appropriate software not only provides evidence that you approved the transaction or message, but also provides evidence that the data has not changed since you digitally signed it.
PGP is a public-private key system. That is, there are two keys, one private key that only the user knows and one public key that anyone can find out by looking it up in a directory. By using the combination of these keys, you can encrypt and sign documents meant for either public consumption or just one other individual. PGP signing operates slightly differently for each platform such as Windows, Solaris OE, or Linux and so forth, but overall it operates in a very similar manner.
For an overview of PGP, see:
http://www.pgpi.org/doc/overview/.
To implement PGP signing:
1. Obtain PGP software.
2. Install PGP utility.
3. Generate key pair—your public and private key.
4. Create email.
5. Cut and paste email into PGP utility to generate PGP signature (checksum).
6. Cut and paste PGP signature to bottom of email.
7. Send email.
A good tutorial on the w hole process is available at:
http://www.haltabuse.org/pgp/index.shtml.
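The signing and verification behind steps 3 through 6, as an added Python example rather than anything from the book or from a PGP implementation: the message body is hashed, the hash is signed with the private key, and the signature is checked with the matching public key. The key pair is constructed from two small primes purely to show the mechanics (textbook RSA with no padding, not PGP's packet format or key sizes), and the sample message is constructed too. It demonstrates the two properties the text states: changing a header leaves the body signature valid, and adding a single comma to the body invalidates it.

```python
import hashlib

# Constructed textbook RSA key pair (two small primes). It illustrates the mechanics of
# sign-with-private / verify-with-public only; real PGP uses large keys, padding and
# its own packet format. Never reuse these parameters for anything but illustration.
P, Q = 1000000007, 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (modular inverse, Python 3.8+)
PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def split_message(raw):
    """Split an RFC 822 style message into (headers, body) at the first blank line."""
    headers, _, body = raw.partition("\n\n")
    return headers, body


def body_digest(body):
    """SHA-256 of the body, reduced modulo N so it is a valid RSA input."""
    return int.from_bytes(hashlib.sha256(body.encode("utf-8")).digest(), "big") % N


def sign_body(body, private_key=PRIVATE_KEY):
    """Signature over the body only, as PGP clear-signing does (headers are not covered)."""
    n, d = private_key
    return pow(body_digest(body), d, n)


def verify_body(body, signature, public_key=PUBLIC_KEY):
    """True if the signature matches the body under the public key."""
    n, e = public_key
    return pow(signature, e, n) == body_digest(body)


# Constructed sample message.
MESSAGE = (
    "From: Dave <dave@example.com>\n"
    "To: Alice <alice@example.com>\n"
    "Subject: Q3 numbers\n"
    "\n"
    "Alice,\n"
    "Please approve the attached budget.\n"
)


def demo():
    """Sign the body, then show what does and does not invalidate the signature."""
    headers, body = split_message(MESSAGE)
    sig = sign_body(body)
    relayed = MESSAGE.replace("Subject: Q3 numbers", "Subject: [urgent] Q3 numbers")
    tampered_body = body.replace("Alice,", "Alice,,")
    return {
        "original": verify_body(body, sig),
        "headers_changed": verify_body(split_message(relayed)[1], sig),
        "one_comma_added": verify_body(tampered_body, sig),
    }


if __name__ == "__main__":
    print(demo())
```

Because only the body is hashed, a relay that rewrites the Subject header leaves the signature intact, which is the "contents but not headers" caveat in the text; the added comma changes the digest and therefore fails verification.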
Some email clients support PGP signing natively, basically calling a PGP utility and performing the operation for the user. Some examples include:
I Ximian (http://www.ximian.org), KMail (http://devel-home.kde.org/~kmail/index.html),
I Postilion (http://www.postilion.org/) and
I Arrow (http://www.newplanetsoftware.com/arrow/).
These utilities may be slightly out of date. Plug-ins for Mozilla and Netscape 7, such as Enigmail, are also available.
A more complete list is located at:
http://email.about.com/cs/openpgpsoftware/.
The Messaging Server web mail interface can be customized to perform PGP signing automatically, but this takes some effort and requires that the PGP keys be stored inside the Directory Server so they can be accessible for both the web mail client and the public.
PGP or digital signing has little impact on the server itself because the client mainly performs the work. An exception is if the web mail is customized to perform the key calculation; this added workload must be considered when sizing the server. It does add some additional length to each message signed—roughly 512 characters or so. While this is not very much, it can increase the overall storage and throughput requirements if every message is signed.
SMIME
SMIME goes beyond simply computing a checksum based upon the message content and your private key. This includes encrypting the entire message so it cannot be read. Again, this requires encryption software and often a thick client, though the Messaging Server web mail client can be modified to perform SMIME (see also Implementing PGP Signing).
The main issue with SMIME versus signatures is that you must unencrypt the message and attachments to be useful with SMIME, whereas with signatures you may only have to validate the sender if you suspect the message has been tampered with or the source is not genuine.
SMIME has a significant impact on the sizing of the server if the web mail client is customized. If thick clients perform most of the work of encryption and decryption, the impact is typically with the overall increase in the size of the message.
SMIME or encrypted messages are the only methods of ensuring privacy from even system administrators—as much as possible, since no encryption is completely unbreakable given enough time and computing power.
This book refers to PGP or OpenPGP, but the message contents can also be secured by using X.509 Certificates.
Conclusion

Some points on messaging server software security:
1. Require SMTP AUTH for mail submission and turn on appropriate logging, so abuse can be traced.
2. Set ACIs in the directory appropriately for your environment.
3. Enable SSL for LDAP, IMAP, POP, and web mail to provide secure transmission.
4. Configure and support PGP/digital signatures if non-repudiation and sender validation are required.
5. Configure and support SMIME or encrypted messages if absolute privacy is required.
6. Keep in mind that each layer of security at this level adds administrative and support overhead.
CHAPTER 11
Migration
After you install the basic Messaging Server, one of the more difficult tasks is to migrate the existing user base and mailbox contents. Different techniques can be used, but only specific techniques are valid for specific migrations, Exchange for example. Additionally, other parts of the migration have specific issues, such as using the migration as an opportunity to standardize mail address formats while maintaining legacy addresses that can be addressed. This chapter describes the best practices for migration and identifies potential problems that may occur during the migration phase. The items that must be migrated are:
I Directory
I Mailbox (content)
I Mail list (aliases)
I Personal address books
This chapter covers the following topics:
I Basic Steps (Generic)
I Sendmail (UNIX Mail)
I Exchange, Novell Groupwise, and Lotus Notes
The process of installing a new messaging system can be divided into three phases:
I Installation
I Provisioning and maintenance of users
I Migration from the old system
Previous chapters covered the basic installation of the Messaging Server and the maintenance and provisioning of users. This chapter covers the final stage—getting users off the old system and onto the new system.
Few, if any, organizations will be starting a brand new deployment of messaging. Migration of an existing email system is not trivial. Migration often consumes half of the overall project effort, but you can minimize the time you spend by planning and using the knowledge this chapter provides.
Decisions regarding whether to migrate everything at once or user by user (self service) must be made. Each method has its pros and cons.

Basic Steps (Generic)

Migrating a messaging system has three steps:
I User Information—user ID, password, name, and so forth
I Messages and Folders—content
I Aliases and System-wide Mailing Lists—content and aliases
The techniques and methods used for migration of message and folder contents are different than those used for aliases or system mailing lists contents.
User Information
At first glance, the issue of migration of user information seems pretty trivial. However, much depends upon the format and source of the old mailing system. Some mailing systems use basic user stores such as text files, /etc/password for example. However, others might use an actual database. No problem, correct? To a point, yes, but the real issue lies in what information is there that you really cannot get to—specifically passwords.
Typically, gaining access to basic user information such as first name, last name, user ID, email addresses, and so forth is done easily enough. However, passwords are often stored in hashed or encrypted format.
Why Are Passwords Important?
During the migration of the actual content, system utilities may have to actually log in and act as if they were the user, unless they can read the mail directly off the file system or there is an administrative password option.

Password Handling Options

1. Temporarily reset the password to something known.
This is easily enough done in many cases, but what else will it affect? Can you set it back to the previous password when you are done?
2. Decrypt (break) the password.
This does not work in all cases. It is slow and not really feasible.
3. Use the administrator password (root or equivalent).
This is not possible in all systems; may not actually act as user.
4. Set the password in cleartext.
This is ideal if possible. It can be done through a web page if needed.
Messages and Folders

In many ways, populating the user information is the easiest part of the migration. At worst, you can simply provision all existing users in the same manner as if they were new users. This, however, leaves you with an empty inbox.
There are several ways of migrating the actual contents from the old messaging system to the Sun ONE messaging system. Ideally, the fastest method is that which can directly access the data on disk. However, due to the varied formats in which messaging software stores data, this is not always possible or recommended.
In most cases, the lowest common denominator provides the solution—POP or IMAP and perhaps SMTP. Why? Because the vast majority of messaging systems support these protocols and they are platform and operating system neutral.
Note – If you are using only POP3 on your mail server (that is, no folders or advanced functions), consider using the built-in feature of the web mail interface of the Sun ONE Messaging Server that provides the ability to check other mail. This allows users to simply configure the information such as user ID and password and then click the button.
One of the easiest and most overlooked methods for migrating existing content is simply not to do it. Rather, let the users maintain their old accounts for some period of time and, should they desire to, simply drag and drop between the old and new accounts. Most of today’s messaging clients, such as Netscape or Mozilla, have the ability to be configured for multiple messaging servers.
▼ Letting Users Maintain Messages and Folders

Overall, the procedure is this:
1. Install the Messaging Server.
2. Provision all existing users as though they were new users.
3. Configure the software so that all mail is delivered into new accounts.
4. Place instructions on configuring Netscape (or other browser) on the Web or in the old email account.
5. Provide instructions for moving email by using drag and drop.
6. Provide a deadline for moving off the old messaging system.
7. Decommission the old messaging system.
This procedure avoids all password issues.
A variation on this procedure provides continued delivery to the existing messaging system until the customer wants to cut over, and eliminates the need for drag and drop. This procedure is:
1. Install the Sun ONE Messaging Server software.
2. Provision all existing users as if they were new users.
3. Configure the MTA and directory to continue to route mail to the existing messaging system.
4. Create a simple web page that:
I Authenticates the user, capturing their password in cleartext
I Sets the Messaging Server password to the captured password
I Executes the MoveUser utility or something similar like fetchmail
For MoveUser syntax details, see the iPlanet Messaging Server Reference Manual at:
http://docs.sun.com/source/816-6020-10/ms_cmds.htm#15794.
I Configures any additional settings required
5. Allow the users to migrate at their leisure (within reason).
Aliases and System-wide Mailing Lists
Unfortunately there is no automatic method of doing aliases and system-wide mailing lists. However, there are some significant opportunities to reduce future administrative workloads.
The three ways to migrate system-wide mailing lists are:
I Aliases File
I Delegated Administrator
I Creating Dynamic Groups and Email Lists Using Direct LDAP Manipulation (Sun ONE Administrator Console)
Aliases File
As discussed in Chapter 6 of the Sun ONE Messaging Server Administration Guide, the aliases file is used to set aliases that are not set in the directory. In particular, the postmaster alias is a good example. Aliases set in this file are ignored if the same aliases exist in the directory. One drawback in using the aliases file is that the MTA must be restarted for any changes to take effect.
A significant use of the aliases file is for expansion of large membership (quantity) aliases, such as by ISPs that must distribute individual messages to all 10,000,000 users quickly. An alias is created that expands into more aliases, and so forth. In a way this use is like throwing off threads during program execution, and it allows quicker processing of large mass mailings.
However, it is also a good way to easily import existing aliases (with some modification) during the initial migration. Once that is done, additional and more appropriate methods of mail list creation can be used.
Delegated Ad ministrator
Most users and administrators create and administer aliases using the Delegated Administrator web-based user interface. Administrators can determine who, if anyone, has the ability to create mailing lists. A person with the ability to create and manage mailing lists has control over several things regarding a specific list:
I Additional owners
I Internal members
I External members
I Moderators (if any)
I Who can join the mailing list
I Who can see who is in the mailing list
I Whether a mailing list can be seen
Unfortunately, you cannot enter dynamic list criteria using the Delegated Administrator interface because these are not dynamic lists—either the user must subscribe to the list through the Delegated Administrator interface or the list administrator must add the person’s email address to the list.
▼ Creating Dynamic Groups and Email Lists Using Direct LDAP Manipulation (Sun ONE Administrator Console)

One feature that direct LDAP manipulation provides is the ability to create dynamic groups or email lists. This feature is based on LDAP queries that are then expanded upon at runtime. For example, a mailing list of Dave could be created specifying that anyone with “dave” or “david” as part of their common name (cn) in the directory would be part of the mailing list. Then, as users are added to the messaging system’s directory, there is no need to administer this list because it is always up to date.
Unfortunately, the option to create a dynamic group-based mailing list through the Delegated Administrator interface or the aliases file is not possible. To do this, you must either access the Messaging Server through the Sun ONE Administrator Console or by direct LDAP manipulation.
The overall process is fairly simple:
1. In the Administrator Console, access the Create Group or Edit Entry window, then click on the Mail and the Email-only Members tabs.
2. Click on the Add button under the Dynamic Criteria field.
Dynamic criteria are really just LDAP query strings, much like those you can enter against the directory from Netscape or other browsers. The following is an example of an LDAP search URL that filters for users who have “dave” or “david” as part of their common name:
ldap:///o=isp??sub?(&(objectclass=person)(|(cn=*dave*)(cn=*david*)))
3. Enter an LDAP search URL in the field or click the Construct button to open the Construct LDAP Search URL window.
Construct LDAP Search URL is a utility that aids in construction of the search URL.
4. Click OK to add your entry to the “Dynamic criteria for email-only membership” field and dismiss the Add Dynamic Criterion window.
For more detailed information, see Appendix D, “Managing Users and Mailing Lists of the Sun ONE Messaging Server,” in the iPlanet Messaging Server Administration Guide.
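How the LDAP search URL in step 2 is turned into a membership list at runtime, as an added Python example that is not Messaging Server code (the server resolves the URL against the live directory): the URL is split into base, attributes, scope and filter; the filter is parsed; and each entry of a constructed in-memory directory is tested for scope and filter match. Only the &, |, ! and equality-with-wildcard filter forms are supported, and the entries and addresses are sample data. A stricter filter than the book's, or one with a negation, works the same way.

```python
import re


def parse_ldap_url(url):
    """Split an ldap:///base?attrs?scope?filter URL (RFC 2255 layout) into its parts.
    Host and extensions are ignored, which is enough for the dynamic criteria field."""
    if not url.startswith("ldap://"):
        raise ValueError("not an LDAP URL")
    rest = url[len("ldap://"):]
    _host, _, rest = rest.partition("/")
    parts = rest.split("?")
    parts += [""] * (4 - len(parts))
    base, attrs, scope, flt = parts[:4]
    return {
        "base": base,
        "attrs": [a for a in attrs.split(",") if a],
        "scope": scope or "base",
        "filter": flt or "(objectclass=*)",
    }


def parse_filter(s, i=0):
    """Recursive-descent parser for the &, |, ! and attr=value (with *) filter subset.
    Returns (node, index_after_node)."""
    if s[i] != "(":
        raise ValueError("filter must start with '('")
    i += 1
    if s[i] in "&|!":
        op = s[i]
        i += 1
        children = []
        while s[i] == "(":
            child, i = parse_filter(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, children), i + 1
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.strip().lower(), value), j + 1


def matches(node, entry):
    """Evaluate a parsed filter against an entry ({lowercase attr: [values]}).
    Matching is case-insensitive, as it is for cn in the directory."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    pattern = "^" + ".*".join(re.escape(p) for p in value.split("*")) + "$"
    return any(re.match(pattern, v, re.IGNORECASE) for v in entry.get(attr, []))


def in_scope(dn, base, scope):
    """Scope test on DN strings (case-insensitive; spacing is not normalised)."""
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    parent = dn.partition(",")[2]
    if scope == "one":
        return parent == base
    return dn == base or dn.endswith("," + base)


def expand_dynamic_list(url, directory):
    """Return the mail addresses of the entries the URL selects, sorted."""
    u = parse_ldap_url(url)
    flt = parse_filter(u["filter"])[0]
    members = []
    for dn, entry in directory.items():
        if in_scope(dn, u["base"], u["scope"]) and matches(flt, entry):
            members.extend(entry.get("mail", []))
    return sorted(members)


# Constructed directory contents (sample data): two matches, one near miss on cn,
# one group entry excluded by objectclass, and one person outside the o=isp base.
DIRECTORY = {
    "uid=dpickens,ou=people,o=isp": {"objectclass": ["person"], "cn": ["Dave Pickens"], "mail": ["dave.pickens@example.com"]},
    "uid=dsmith,ou=people,o=isp": {"objectclass": ["person"], "cn": ["David Smith"], "mail": ["david.smith@example.com"]},
    "uid=djones,ou=people,o=isp": {"objectclass": ["person"], "cn": ["Davina Jones"], "mail": ["davina.jones@example.com"]},
    "cn=davidians,ou=groups,o=isp": {"objectclass": ["groupofnames"], "cn": ["davidians"], "mail": ["davidians@example.com"]},
    "uid=dave,ou=people,o=other": {"objectclass": ["person"], "cn": ["Dave Outside"], "mail": ["dave@other.example"]},
}

URL = "ldap:///o=isp??sub?(&(objectclass=person)(|(cn=*dave*)(cn=*david*)))"

if __name__ == "__main__":
    print(expand_dynamic_list(URL, DIRECTORY))
```

Running it lists only the two people whose cn contains "dave" or "david"; "Davina" is not matched, the group entry fails the objectclass test, and the entry under o=other is out of the sub scope. This is also the reason to keep dynamic criteria tight: a wildcard filter is evaluated against every entry in scope at expansion time.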
Personal Address Books, Lists, and Bookmarks
The final step in the migration process tends to be the migration of each individual’s own personal address books, lists, bookmarks, and so forth. This step is highly dependent upon the mail client people are using and to what client they are migrating. In most cases, there are at least a couple of ways to actually convert the content of one messaging client’s address book and lists to the new one.
Migration Utility
Many of the newer email clients such as Eudora, Mozilla, and Netscape provide new clients the ability to read existing address books from other programs such as Outlook and Outlook Express. The email clients will often prompt you during the initial install to import any existing address books, and in some cases already know that they are there.
Export to Neutral Format From Old Client and Import Using New Client
In situations where an email client may not provide an import utility to directly read the address book of your old email client, many times you can simply export from the old client and import into the new client. It is important to look for a neutral format such as LDAP Data Interchange Format (LDIF), comma separated variable-length file (CSV), or tab-delimited file. Check in the old email client and the new email client to see what format is available to both.
It is also important to know that in some cases the fields being exported from the old email client address book do not align directly with what the address book in the new email client expects. Most import functions provide the ability to map fields upon import.
If your new email client does not do this, a good idea is to use a spreadsheet program such as the StarOffice™ software to import the CSV file, change the order of the fields, and save the file.
You can also write a script if you have a lot of users doing the migration.
Other Utilities to Convert Format Directly
Several companies and web sites have simple utilities for migration of address books from one format to another. A good web-based example is:
http://www.interguru.com/mailconv.htm.
Other companies that specialize in migration between proprietary mail systems (for example, Exchange) offer utilities as part of their services or migration utility software. For more information see “Exchange, Novell Groupwise, and Lotus Notes” on page 175.
Sendmail (UNIX Mail)
Sendmail is an MTA. It does not specifically provide methods for mail storage or retrieval (reading mail). However, it is often configured to use /var/mail type storage. Then additional programs such as the Washington University IMAP server (WashU IMAP) or Carnegie Mellon University’s Cyrus POP server are added so users can retrieve their mail from /var/mail. This section deals with this specific type of generic configuration most often found when dealing with sendmail.
As stated previously, Sendmail is an MTA and as such much of the work is done at the MTA converting aliases, rules, and so forth. Converting users (see “User Information” on page 174) and /var/mail mailbox content (see “Mailbox Content” on page 175) is fairly straightforward.
Unfortunately there are no tools to migrate the MTA configuration from Sendmail to the Sun ONE Messaging Server’s MTA; it is a manual process. Migration from the traditional Sendmail can be done by using the preceding generic method, but there are some advantages in doing a more direct (that is, not IMAP to IMAP) migration of content. Also, user information tends to be stored in /etc/passwd files, so it is easy to access.
Unfortunately, Sun ONE Messaging Server 5.2 does not come with as much assistance in migrating from Sendmail as previous versions did. Some of the appendixes in the Netscape Messaging Server 4.x documentation contain good information.
A good white paper specifically on this topic is “iPlanet Messaging Server Migration from UNIX® Sendmail” by John Twomey, dated July 2001. It is 31 pages, covers this subject in detail, and includes sample scripts. To obtain a copy of this white paper, contact your local Sun Sales Representative or System Engineer.
Some updating of the information in the white paper is required for use with Sun ONE Messaging version 5.2, though.
User Information
User information can be converted directly from /etc/passwd by using a simple Perl script called unix2ldif.pl. This script creates a properly formatted LDIF file which can then be imported directly into the Messaging Directory. See the template in “User Information” on page 175.
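The unix2ldif.pl script itself is not reproduced in this book. The following is an added example, not the white paper’s script and not part of the original text: a POSIX shell/awk function that reads /etc/passwd lines and emits one entry per user in the LDIF layout shown under “User Information” on page 175. Its assumptions are its own, not the page’s: the directory suffix is o=<hostname_fqdn>,o=isp, every user gets a local mailbox on that host, a second field other than “x” or “*” is treated as a crypt(3) hash merged in from /etc/shadow and carried over as {crypt}, and the server-maintained attributes of the template (creatorsName, modifiersName, the timestamps, nsUniqueId) are left for Directory Server to set.

```shell
#!/bin/sh
# Added example, not the unix2ldif.pl script from the white paper: convert
# /etc/passwd lines into LDIF entries laid out like the user template under
# "User Information" on page 175.
# Assumptions (this example's, not the page's):
#   - the directory suffix is o=<hostname_fqdn>,o=isp and mail is delivered
#     to a local mailbox (mailDeliveryOption: mailbox) on <hostname_fqdn>;
#   - a second field other than "x" or "*" is a crypt(3) hash merged in
#     from /etc/shadow, carried over as {crypt}<hash>;
#   - creatorsName, modifiersName, the timestamps and nsUniqueId in the
#     template are operational attributes set by Directory Server itself,
#     so they are not emitted here.

# passwd_to_ldif <hostname_fqdn> [min_uid]     (passwd lines on stdin)
# Accounts below min_uid (system accounts) and accounts whose shell is
# nologin or false are skipped: they never log in to read mail.
passwd_to_ldif() {
    host="$1"
    min_uid="${2:-100}"
    awk -F: -v host="$host" -v min_uid="$min_uid" '
        $3 < min_uid { next }
        $7 ~ /(nologin|false)$/ { next }
        {
            uid = $1; hash = $2; gecos = $5
            sub(/,.*/, "", gecos)          # GECOS: keep the full-name field only
            n = split(gecos, w, " ")
            first = (n >= 1) ? w[1] : uid
            last  = (n >= 2) ? w[n] : uid
            printf "dn: uid=%s, ou=people, o=%s, o=isp\n", uid, host
            print "objectClass: top"
            print "objectClass: person"
            print "objectClass: organizationalPerson"
            print "objectClass: inetOrgPerson"
            print "objectClass: inetUser"
            print "objectClass: ipUser"
            print "objectClass: nsManagedPerson"
            print "objectClass: userPresenceProfile"
            print "objectClass: inetMailUser"
            print "objectClass: inetLocalMailRecipient"
            printf "uid: %s\n", uid
            printf "cn: %s %s\n", first, last
            printf "givenName: %s\n", first
            printf "sn: %s\n", last
            printf "mail: %s@%s\n", uid, host
            printf "mailHost: %s\n", host
            print "mailDeliveryOption: mailbox"
            print "mailUserStatus: active"
            print "inetUserStatus: active"
            print "dataSource: NDA 4.5 Delegated Administrator"
            print "nswmExtendedUserPrefs: meDraftFolder=Drafts"
            print "nswmExtendedUserPrefs: meSentFolder=Sent"
            print "nswmExtendedUserPrefs: meTrashFolder=Trash"
            print "nswmExtendedUserPrefs: meInitialized=true"
            printf "pabURI: ldap://%s:389/ou=%s, ou=people, o=%s,o=isp,o=pab\n", host, uid, host
            # "x" or "*" means the hash lives elsewhere or no password is set;
            # those accounts get no userPassword and must be handled separately
            if (hash != "x" && hash != "*" && hash != "")
                printf "userPassword: {crypt}%s\n", hash
            print ""
        }'
}

# Usage on the old mail host:
#   passwd_to_ldif mail.example.com < /etc/passwd > users.ldif
```

The output is one LDIF record per user separated by blank lines, ready for ldapmodify -a or the directory’s bulk import; review the skipped accounts (low UIDs, nologin shells) before importing, since a site may keep real mail users under either.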
Mailbox Content
Using additional scripts found in the John Twomey white paper, mailbox content can be imported via the imsimport utility. These scripts ensure proper formatting of the command as well as iteration through the various mailboxes and folders. The white paper also includes details on Pine-formatted folders. To obtain a copy of this white paper, contact your local Sun Sales Representative or System Engineer.
Mailing Lists (aliases)
One could easily use the aliases file, as stated previously. However, the white paper provides a script to create mailing lists in the directory, which is a more appropriate and better way of doing things.
Personal Address Books
Only the previously described generic or general methods are available. The interguru.com web site link provides a good utility to migrate address lists from programs like Pine and elm used by interactive users in Sendmail environments.
Exchange, Novell Groupwise, and Lotus Notes
Given the proprietary nature of these messaging solutions both on the server side and on the messaging client side, migration away from them is somewhat difficult. Seek professional help. Several organizations have specialized migration software to assist in migrating away from Exchange, Groupwise, and Lotus Notes, including Sun Professional Services and a company called Wingra.
User Information
You must export the native format to something more malleable such as CSV or tab-delimited files. Then, you can write a script to take this information and create a properly formatted LDIF file for import into the Directory Server.
A basic template to create a user in LDIF format is:
dn: uid=<uid>, ou=people, o=<hostname_fqdn>, o=isp
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: inetUser
objectClass: ipUser
objectClass: nsManagedPerson
objectClass: userPresenceProfile
objectClass: inetMailUser
objectClass: inetLocalMailRecipient
mail: <uid>@<hostname_fqdn>
mailUserStatus: active
dataSource: NDA 4.5 Delegated Administrator
mailHost: <hostname_fqdn>
givenName: History
cn: <first_name> <last_name>
uid: <uid>
sn: <last_name>
mailDeliveryOption: mailbox
inetUserStatus: active
userPassword: <password>
creatorsName: uid=serviceadmin,ou=people,o=<hostname_fqdn>,o=isp
modifiersName: uid=msg-admin-<hostname_fqdn>-20020710153937,ou=people,o=<hostname_fqdn>,o=isp
createTimestamp: 20030414044513Z
modifyTimestamp: 20030414051012Z
nsUniqueId: d5cba701-1dd111b2-80cac302-81db34e7
nswmExtendedUserPrefs: meDraftFolder=Drafts
nswmExtendedUserPrefs: meSentFolder=Sent
nswmExtendedUserPrefs: meTrashFolder=Trash
nswmExtendedUserPrefs: meInitialized=true
pabURI: ldap://<hostname_fqdn>:389/ou=<uid>, ou=people, o=<hostname_fqdn>,o=isp,o=pab
Mailbox Content
Mailbox content migration is mostly limited to the generic method through POP or IMAP. See “Basic Steps (Generic)” on page 168.
Mailing Lists
See “Basic Steps (Generic)” on page 168.
Personal Address Books
See “Sendmail (UNIX Mail)” on page 174 and seek professional help.
CHAPTER 12
Performance Tuning
As with any system, performance is a key element to getting the most return on investment as well as maintaining happy users. This chapter contains practices and principles specifically related to performance tuning of a Sun ONE Messaging Server which can differ from or contradict conventional tuning wisdom. This chapter points out the areas on which a Sun ONE Messaging Server administrator should concentrate.
This chapter covers the following topics:
- Netscape Directory Server
- Solaris OE
- MMP
- MTA Tuning
- Notices
- Postmaster Mail
Netscape Directory Server
If you are using Netscape Directory Server 4.1x software, set the following (as root) on each of the servers running the LDAP server:
/usr/sbin/ndd -set /dev/tcp tcp_naglim_def 1
The Solaris OE introduces a 100 ms delay in TCP/IP. This parameter tells the Solaris OE that any write that is smaller than N will be delayed. In Sun ONE Directory Server 5.0 software it is configurable, using the TCP_NODELAY flag, which is set by default.
Solaris OE
This section covers the following topics:
- Setting TCP/IP Parameters
- Setting tcp_local_option and tcp_intranet_option File Parameters
- Setting /etc/system Parameters
- Setting configutil Parameters
Setting TCP/IP Parameters
Apply the following TCP/IP tuning settings to all mail servers.
These settings may also be appropriate for LDAP servers. The values of these settings are for high-speed networks with lots of traffic to and from the servers.
# ** Performance related **
/usr/sbin/ndd -set /dev/tcp tcp_recv_hiwat 65536
/usr/sbin/ndd -set /dev/tcp tcp_xmit_hiwat 65536
/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q 4096
/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q0 8192
/usr/sbin/ndd -set /dev/tcp tcp_smallest_anon_port 8192
/usr/sbin/ndd -set /dev/ip ip_ignore_redirect 1
/usr/sbin/ndd -set /dev/tcp tcp_keepalive_interval 30000
/usr/sbin/ndd -set /dev/tcp tcp_naglim_def 1
# ** Security related **
/usr/sbin/ndd -set /dev/tcp tcp_mss_min 108
/usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0
/usr/sbin/ndd -set /dev/ip ip_forward_directed_broadcasts 0
/usr/sbin/ndd -set /dev/ip ip_strict_dst_multihoming 1
/usr/sbin/ndd -set /dev/ip ip_forwarding 0
/usr/sbin/ndd -set /dev/ip ip_forward_src_routed 0
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp 0
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
#
# Solaris guide says not to set lower than 60 seconds
# should investigate further, but the following has worked
/usr/sbin/ndd -set /dev/tcp tcp_time_wait_interval 15000
#
# Set according to local specifics.
#/usr/sbin/ndd -set /dev/tcp tcp_mss_def 1460
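Settings applied with ndd do not survive a reboot and are easy to lose to a later change, so a site will want to verify them rather than assume them. The following is an added example, not part of the BluePrint: a shell check that compares the live value of each security-related tunable above with its recommended value, reports the drift, and prints the ndd -set lines that would correct it. The getter is passed in by function name (ndd_get on a Solaris host) so the same logic can be exercised against a stub where /usr/sbin/ndd is not present.

```shell
#!/bin/sh
# Added example, not part of the BluePrint: report drift between the live
# value of each security-related tunable listed above and its recommended
# value, and print the ndd -set commands that would bring the host back in
# line. The getter is a function name so the logic can run against a stub
# on systems without /usr/sbin/ndd.

# Recommended values from the list above: "<driver> <parameter> <value>"
SECURITY_TUNABLES='
/dev/tcp tcp_mss_min 108
/dev/ip ip_respond_to_echo_broadcast 0
/dev/ip ip_forward_directed_broadcasts 0
/dev/ip ip_strict_dst_multihoming 1
/dev/ip ip_forwarding 0
/dev/ip ip_forward_src_routed 0
/dev/ip ip_respond_to_timestamp 0
/dev/ip ip_respond_to_timestamp_broadcast 0
/dev/ip ip_ignore_redirect 1
'

# ndd_get <driver> <parameter>: the getter to use on a Solaris host
ndd_get() {
    /usr/sbin/ndd -get "$1" "$2"
}

# audit_tunables <getter>: prints one line
#   DRIFT <driver> <parameter> current=<x> expected=<y>
# for every tunable whose live value differs from the recommendation
audit_tunables() {
    getter="$1"
    printf '%s\n' "$SECURITY_TUNABLES" | while read -r dev param expected; do
        [ -n "$param" ] || continue
        current=$("$getter" "$dev" "$param" 2>/dev/null) || current=unreadable
        if [ "$current" != "$expected" ]; then
            echo "DRIFT $dev $param current=$current expected=$expected"
        fi
    done
}

# drift_count <getter>: number of tunables out of line (0 means compliant)
drift_count() {
    audit_tunables "$1" | grep -c '^DRIFT' || true
}

# remediation_commands <getter>: the ndd -set lines that would fix the drift
remediation_commands() {
    audit_tunables "$1" | while read -r _ dev param _ expected; do
        echo "/usr/sbin/ndd -set $dev $param ${expected#expected=}"
    done
}

# On a Solaris mail server:
#   audit_tunables ndd_get
#   remediation_commands ndd_get
```

Run audit_tunables ndd_get from cron or a post-boot script and alert on a non-zero drift_count; the remediation lines are printed rather than executed so the change is reviewed before it is applied.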
Setting tcp_local_option and tcp_intranet_option File Parameters
To prevent denial of service (DoS) attacks and protect overall system health, you should enable the following parameters in the msg-instance/imta/config/tcp_local_option and msg-instance/imta/config/tcp_intranet_option files. (They do not exist by default.)
The last two parameters should be set according to site policy. They are listed here so you know they exist. Check the reference guide for more options.
!
!
DISABLE_ADDRESS=1
DISABLE_CIRCUIT=1
DISABLE_EXPAND=1
DISABLE_GENERAL=1
DISABLE_STATUS=1
HIDE_VERIFY=1
ALLOW_RECIPIENTS_PER_TRANSACTION=
ALLOW_REJECTIONS_BEFORE_DEFERRAL=
Setting /etc/system Parameters
To set the /etc/system parameters:
1. Set tcp_conn_hash_size to:
set tcp_conn_hash_size=262144
2. Set the file descriptors to:
# set hard limit on file descriptors
set rlim_fd_max=4096
# set soft limit on file descriptors
set rlim_fd_cur=4096
3. Set maxusers to:
set maxusers=2048
Ideally you do not have to set ncsize. Setting maxusers to the maximum value (2048) should allow the system to automatically tune itself. You can use the command vmstat -s | grep cache to see the percentage of hits against the directory name lookup cache (DNLC). You want this to be as high as possible.
If, after setting maxusers, the cache hit rate against DNLC is not high enough, set ncsize using the following guidelines:
ncsize = (4 * (max_nprocs + maxusers)) + 320
max_nprocs = 10 + (16 * maxusers)
maxusers = physmem - 2
- If your system is using a VERITAS file system, you may have to adjust two important variables:
vxfs:vxfs_ninode: VxFS inode structures held in memory
vxfs:vx_bc_bughwm: the high water mark of the buffer cache’s buffer
- If your system uses VERITAS Volume Manager (VxVM), you should look at vxio:vol_maxio. This variable controls the maximum size of I/O requests that are sent down the SCSI chain without breaking the request up. This tunable parameter should not exceed 20 percent of kernel memory or physical memory (whichever is smaller), which should match the size of your widest stripe.
4. Increase the maximum physical I/O size. The following value should work for nearly all controllers:
set maxphys=8388608
Setting configutil Parameters
To set the configutil parameters:
1. Set the number of processes (service.[POP|IMAP|HTTP].numprocesses).
The default is 1. You want to set this high enough to support your user load but never higher than the total number of CPUs in the system.
2. Set the store database cache size (store.dbcachesize) equal to the sum of the sizes of the *.db files in the msg-instance/store/mboxlist directory.
This is not a parameter that you set once and forget. You should adjust this parameter as your user base changes.
Note – This parameter has an upper limit of two gigabytes.
3. Set the store database temporary directory (store.dbtmpdir) equal to /tmp/msg-instance.
This parameter and store.dbcachesize are related. Make sure the /tmp/ partition has enough free space to hold the database cache, that is, the value of store.dbcachesize set in step 2.
Note – Do not use just /tmp as the temporary directory. Be specific (for example, /tmp/msg-INSTANCE/), as the file names placed in this location are the same as those used with the MTA parameters IMTA_SCRATCH and IMTA_TMP. Using a subdirectory underneath (for example, /tmp/msg-INSTANCE/) avoids this collision.
4. Set the authentication cache size (service.authcachesize) equal to a number larger than the maximum concurrency of your user base.
Setting this number higher than what your hardware can support opens up a denial of service (DoS) attack.
5. Set the authentication cache TTL (service.authcachettl) equal to the number of seconds you want entries kept in the cache.
You must weigh how quickly user password changes are seen against the performance hit of the mail system’s queries against LDAP.
6. Set the user and group bind DN (local.ugldapbinddn) equal to cn=Directory Manager.
This setting will improve the response time of queries.
Note – This logic has changed in Sun ONE Directory Server 5.0 software, so that binding as a normal user should have similar performance to binding as cn=Directory Manager in Netscape Directory Server 4.1x software.
7. Set the LDAP hosts (local.ugldaphost) equal to at least two dedicated LDAP consumers.
If the first host is recognized as down, new connections will be created. The new connections will be made to the first good host in the list.
8. Set local.ldapconnecttimeout to a value in seconds. This will enable a different connect function in the LDAP library. Choose the timeout value carefully.
Should an LDAP connection fail, the default LDAP timeout is three minutes. This can create a large overhead in failovers.
The web mail spool directory is the directory where web mail places outgoing messages from clients. If you have lots of web mail users you may want to consider setting this variable to a fast file system.
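Steps 2 and 3 above size store.dbcachesize from the *.db files and require that store.dbtmpdir can hold a cache of that size. The following is an added example, not the page’s own procedure, that does both checks in shell: the mboxlist and temporary directories are parameters, the two-gigabyte ceiling is the one stated in the note under step 2, and df -kP is assumed to be available for the free-space check.

```shell
#!/bin/sh
# Added example (not from the BluePrint): size store.dbcachesize from the
# *.db files in the mboxlist directory (step 2), apply the two-gigabyte
# ceiling from the note, and confirm that the file system holding
# store.dbtmpdir (step 3) has room for a cache of that size. Paths are
# parameters so the functions can be run against any directory; df -kP is
# assumed for the free-space figure.

DBCACHE_LIMIT=2147483648   # two gigabytes, the upper limit noted in step 2

# mboxlist_db_bytes <mboxlist_dir>: total size in bytes of the *.db files
mboxlist_db_bytes() {
    total=0
    for f in "$1"/*.db; do
        [ -f "$f" ] || continue          # no match leaves the literal pattern
        size=$(wc -c < "$f" | tr -d ' ')
        total=$((total + size))
    done
    echo "$total"
}

# recommended_dbcachesize <mboxlist_dir>: the sum above, capped at the limit
recommended_dbcachesize() {
    bytes=$(mboxlist_db_bytes "$1")
    if [ "$bytes" -gt "$DBCACHE_LIMIT" ]; then
        echo "$DBCACHE_LIMIT"
    else
        echo "$bytes"
    fi
}

# tmpdir_can_hold <dbtmpdir> <bytes>: succeeds when the file system holding
# <dbtmpdir> has at least <bytes> free (df -kP reports kilobytes)
tmpdir_can_hold() {
    free_kb=$(df -kP "$1" | awk 'NR == 2 { print $4 }')
    [ "$((free_kb * 1024))" -ge "$2" ]
}

# Putting it together on a real instance (the paths are placeholders):
#   cache=$(recommended_dbcachesize /INSTALL_DIR/msg-INSTANCE/store/mboxlist)
#   tmpdir_can_hold /tmp/msg-INSTANCE "$cache" || echo "dbtmpdir too small for $cache bytes" >&2
#   configutil -o store.dbcachesize -v "$cache"
```

Because the note says the parameter should be revisited as the user base changes, the sizing is worth scheduling rather than running once; a cache smaller than the database files costs performance, while a temporary directory smaller than the cache is an outage waiting to happen.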
MMP
In addition to applying the TCP/IP parameters listed previously, in the AService.cfg file you should adjust the parameter default:NumThreads. That section of the configuration file is:
#
# number of worker threads allocated for the AService daemon.
# Optimally, it should be equal to the number of processors on the
# machine, unless an AService DLL does synchronous handling of
# connections (Imap and Pop Proxy do not).
#default:NumThreads 2
MTA Tuning
This section covers the following topics:
- Dispatcher
- Job_Controller
- Option.dat
- IMTA_TAILOR File
Dispatcher
You want to allow enough connections to support your load, while not allowing so many concurrent connections that your system is not able to respond quickly, which would leave it open to a DoS attack. The maximum concurrency number is equal to MAX_PROCS * MAX_CONNS; the defaults are 10 and 20, respectively. Once you know the maximum concurrency rate for your configuration, you can determine the number of processes required to support your total load.
Job_Controller
You must be concerned with two files, imta.cnf and job_controller.cnf. The job_controller.cnf file defines the pools and the maximum number of jobs that can be run at a given time in those pools. The imta.cnf file defines what pool a channel uses and the maximum number of processes the channel can run in that pool at a given time.
In large deployments, machines are dedicated to specific roles. On an MTA-IN machine you can configure more jobs to the tcp_intranet channel, and thus deliver mail faster to your mail stores.
Large sites may want to adjust MAX_MESSAGES. Set in the global section of the job_controller.cnf file, this variable is not present by default. The default value is 100,000.
ims_master channel
If the mail store is handling lots of mailboxes and messages per second, you may want to increase the number of ims_master processes that the job_controller will start to process the ims-ms queue. To increase the number of processes you must make two changes, one in the imta.cnf file and the other in the job_controller.cnf file. In the imta.cnf file you must change the maxjobs keyword; in the job_controller.cnf file you must adjust the job_limit for the IMS_POOL.
Message Dequeue
Four parameters are related and interact together to tell the job_controller the number of processes that are responsible for delivery of messages.
job_limit: This is the maximum number of processes that can run in a given pool simultaneously. There is no method to view the number of processes in pool A versus pool B. To view all SMTP client processes use the following:
ps -aef | grep tcp_smtp_client
maxjobs: This is a channel keyword. You can apply this parameter to each channel to set the maximum number of processes (tcp_smtp_client) that job_controller will start to process messages in this channel.
MAX_CLIENT_THREADS: The default value is 10. This option is set in tcp_channel-name_option, though these files are not present by default. This option controls the number of threads per process.
threaddepth: The maximum number of messages per thread. To view the number of threads that a tcp_smtp_client process is currently using, you can use the command top. The default value is 128. This only applies to multithreaded channels. Channels like reprocess and conversion are single threaded. You should make adjustments to these parameters slowly and gradually until you find the right combination for your environment.
ims-ms Channel-Specific Information
The ims-ms channel is a multithreaded channel, but does not respect the threaddepth channel keyword. Instead this channel uses a hard-coded value of five (maximum of five messages handled per thread). The ims-ms channel does have a channel option to control how many threads will be used within the process, DELIVER_THREADS. This option would be placed in msg-instance/imta/config/ims-ms_option. The default value for this channel option is 15. Like other channels, the channel option file is not present by default.
If you need to decrease the amount of time it takes for delivery of messages from your MTA, you should adjust the preceding parameters.
Option.dat
MAX_INTERNAL_BLOCKS
This setting controls how much memory the SMTP server uses to store a message before it creates files in IMTA_SCRATCH. If you have enough memory in your server, you might consider setting this variable to a value that allows the SMTP server to store your average message size or more in memory.
Reverse Database
If the MTA does not need to rewrite backward-pointing addresses, then you can set USE_REVERSE_DATABASE=0 in the option.dat file. Use this parameter when trying to get every last millisecond of performance out of an MTA while working with a potential customer. Most ISPs will not require the MTAs to rewrite backward-pointing addresses.
IMTA_TAILOR File
You can set the IMTA_TCP_FLAG_RETENTION option in your imta_tailor file to 1 so that the old *.data-failed files get purged after a day. You can find these files in msg-instance/imta/queue/channel-name/spool/.
Note – This directory will only exist if the MTA needed to write files to it. Many sites will never see this directory on their systems.
If you are using direct LDAP lookups instead of dirsync, you can set the IMTA_TMP variable to a value that maps to a memory mapped file system, like /tmp/. Also, you can set the IMTA_SCRATCH variable to a value that maps to a memory mapped file system, like /tmp/.
Notices
The default values for notices in the Messaging Server software are 1 2 4 7. In large deployments, you may want to reduce these defaults.
Postmaster Mail
The defaults for delivery status notifications (DSNs) for postmaster are copywarnpost and copysendpost. In large deployments or environments where the postmaster does not want to get DSNs about users’ mail, these keywords should be changed. For a complete explanation of the values, see the Sun ONE Messaging Server documentation. The possible keywords are XYZwarnpost and XYZsendpost, where XYZ is either copy, warn, or err.
CHAPTER 13
Advanced MTA Configuration
One of the most powerful components of the Messaging Server is its MTA or message transfer agent. As described in the first part of this book, the message transfer agent is basically a router for email. If you are familiar with the PMDF product by Innosoft, the Messaging Server’s MTA is basically the same product. Sun purchased Innosoft and its PMDF product in early 2000 and incorporated this technology into version 5.x of the Messaging Server, providing a highly scalable, reliable, and feature-rich MTA. This chapter does not go into details regarding the application programming interfaces (APIs) available to programmers to access the lowest and most detailed portions of the messaging system. However, Sun preserved the application programming interfaces from both PMDF and SIMS, so they are both available, should your installation require advanced customization that goes to that level.
The MTA is so feature rich that an entire week-long course could be taught or an entire BluePrint article written on configuration and integration alone.
Conversion Channel
The conversion channel feature of the MTA provides a method of processing a message and its attachments. By default, nothing is configured in the conversion channel (FIGURE 13-1) and nothing is configured to route through the conversion channel.
When you work with the conversion channel, it is important to have a good understanding of Multipurpose Internet Mail Extensions (MIME) messages and their structure. The setup and implementation of conversion routines require that you access the MIME-type information of message parts as they are presented to your conversion routines, so a general description of a MIME message is required to understand how to do this. Consider the following analogy.
A train is made up of one or more engines coupled to a series of railcars. The railcars on the train are of different shapes and sizes and hold different kinds of cargo. The whole assembly is thought of as a single train.
FIGURE 13-1 MTA Conversion Channel Diagram
You can describe a MIME message in a similar way. A MIME message consists of a header and one or more message parts. Each part can be of a different MIME type, and the parts are joined together to form a single message.
Each part of a MIME message has content-type information which identifies the nature of that message part, perhaps the name that was given to that message part when it was created, and perhaps information on how to dispose of that message part (inline or as an attachment).
The content-type header identifies the major type and subtype of the message part. The major type describes a family of related MIME types, such as IMAGE, APPLICATION, or AUDIO. The subtype describes the specific member of that family such as JPEG, WORDPERFECT5.1 or WAV. Common content-types are IMAGE/JPEG, APPLICATION/WORDPERFECT5.1, and AUDIO/WAV.
A list of common MIME types is located at:
http://www.isi.edu/in-notes/iana/assignments/media-types/media-types, http://hostutopia.com/support/s058.html, or http://www.bc.edu/bc_org/tvp/email/helpers.shtml.
When the message enters the conversion channel, it is like a train that has all of its railcars and engines decoupled from each other. Each decoupled component is held in a temporary holding area and its MIME information is catalogued.
The function of the conversion channel is to reassemble a message from its components and, during that reassembly, apply site-supplied criteria to decide whether or not that component should be altered before it is recoupled.
The level of examination of each message part is determined by the setup of the IMTA_CONVERSION_FILE, where the system administrator can set criteria as to which message parts should be examined. Such criteria can include, but are not limited to, the content-type of the message part.
Note – Any of the features and functions of the messaging server rely upon proper formatting and playing by the rules, so to speak. If, for example, you have configured the conversion channel to virus scan only executable documents such as application/zip or application/* files, nothing prevents the sender from misappropriating or otherwise disguising the attachment from an application/* to a video/mpeg file. So applications, mail clients, or other messaging systems that do not correctly format MIME messages can cause issues.
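The note above is the reason a conversion script should not rely on the declared content-type alone: that label is whatever the sender wrote. The following is an added example, not code from the BluePrint or from the product, that sniffs the leading bytes of a decoded part (the file the conversion channel hands a script as $INPUT_FILE) and reports whether the signature agrees with the declared type, so a video/mpeg part that is really an archive or an executable can be flagged for scanning. The signature table and the agreement rules are this example’s own, and how the declared type reaches the script is assumed rather than taken from the page.

```shell
#!/bin/sh
# Added example for the note above; not code from the BluePrint or the
# product. A script that filters only on the declared content-type sees the
# label the sender chose. Sniffing the first bytes of the decoded part (the
# file the conversion channel supplies as $INPUT_FILE) catches the disguise
# the note describes. The signature table and rules are this example's own.

# magic_type <file>: classify a file by its first four bytes
magic_type() {
    hex=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$hex" in
        504b0304|504b0506|504b0708) echo zip ;;      # "PK": local/empty/spanned archive
        1f8b*)                      echo gzip ;;
        4d5a*)                      echo pe ;;       # "MZ": Windows executable
        7f454c46)                   echo elf ;;
        25504446)                   echo pdf ;;      # "%PDF"
        *)                          echo unknown ;;
    esac
}

# check_part <declared-content-type> <file>
# Prints "OK ..." or "MISMATCH ..." and returns 1 on a mismatch, so a
# conversion script can use the exit status to decide how to treat the part.
check_part() {
    declared=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    actual=$(magic_type "$2")
    verdict=OK
    case "$declared" in
        text/*|image/*|audio/*|video/*)
            # an archive or executable has no business under a media label
            case "$actual" in
                zip|gzip|pe|elf) verdict=MISMATCH ;;
            esac ;;
        application/zip|application/x-zip-compressed)
            [ "$actual" = zip ] || verdict=MISMATCH ;;
        application/pdf)
            [ "$actual" = pdf ] || verdict=MISMATCH ;;
    esac
    echo "$verdict declared=$declared signature=$actual"
    [ "$verdict" = OK ]
}

# Inside a conversion script, with DECLARED_TYPE assumed to carry the part's
# content-type (how it is obtained is site-specific):
#   check_part "$DECLARED_TYPE" "$INPUT_FILE" || exit 1
```

A mismatch is a reason to send the part through the same scanning path as application/* content, or to reject it, rather than to let the media label exempt it; the table is deliberately short and should be extended with the signatures a site actually cares about.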
The following paragraphs contain some easy examples of what you can accomplish with the conversion channel.
Adding a Disclaimer
One thing that customers often want to do is append a disclaimer to every message sent from the messaging system. This could be for legal reasons (for example, this email message is not a legal document...) or advertisement (for example, email delivered by TED, the electronic delivery guy!).
As previously described, the conversion channel can be used to perform arbitrary processing on messages down to the attachment level. In this case, the processing appends a disclaimer to text messages passing through the conversion channel.
The TCP channels handle mail coming in from or going out to external mail servers. Thus, you must modify the MTA configuration files so that all the mail routed through the main TCP channels passes through the conversion channel. Then, you must configure the conversion channel to select only the first part of a multipart message and only append the disclaimer if the message part is text.
To accomplish this, you must edit two of the messaging configuration files:
- the mappings file, which is located at /INSTALL_DIR/msg-INSTANCE/imta/config/mappings, where INSTALL_DIR is the directory where you installed messaging and INSTANCE is the name of the specific messaging server, most likely the host name. The mapping table in the mappings file, which is also known as the IMTA_MAPPING_FILE, tells the MTA which messages should detour through the conversion channel.
- the CONVERSIONS file, which is located in the /INSTALL_DIR/msg-INSTANCE/imta/config/ directory and is called conversions.
In a new install, the conversions file will not exist. The conversions file, which is also known as the IMTA_CONVERSION_FILE, contains instructions as to what commands are executed when messages pass through the conversion channel.
For more information regarding channels, see:
http://docs.sun.com/source/816-6009-10/mtacncpt.htm#22760 and http://docs.sun.com/source/816-6009-10/channel.htm#43150.
The specific steps to make the conversion channel append a disclaimer are:
1. Create a scripts directory, for example, /install_dir/scripts.
Make sure that it is owned by the user that the Messaging Server runs as. For the exercise, “nobody” was used as the user for the server:
# mkdir -p /install_dir/scripts
# chown nobody:nobody /install_dir/scripts
2. Create a shell script that appends the disclaimer.
Create a script called append_disclaimer.sh and make sure that the script is executable (for example, chmod +x append_disclaimer.sh).
The append_disclaimer.sh might look like:
#!/bin/sh
#
# File: append_disclaimer.sh
#
# Usage:
#
#   append_disclaimer.sh [-debug] "name-of-disclaimer-text-file"
#
# References:
#
#   http://docs.sun.com/source/816-6009-10/channel2.htm#42323
#   http://docs.sun.com/source/816-6009-10/channel2.htm#42402
#
# The conversion channel supplies INPUT_FILE, OUTPUT_FILE, MESSAGE_HEADERS
# and OUTPUT_OPTIONS in the environment of the script.
if [ "$1" = "-debug" ]
then
    shift
    set -x
fi
DISCLAIMER_FILE=$1
DISCLAIMER_FILE=/install_dir/scripts/${DISCLAIMER_FILE}
TAG="Standard Disclaimer Appended `date`"
# copy original message part to output destination.
cp "$INPUT_FILE" "$OUTPUT_FILE"
# See if the message was already tagged.
grep "Comments: Standard Disclaimer Appended" "$MESSAGE_HEADERS" >/dev/null
if [ $? -ne 0 ]
then
    # add a blank line
    echo "" >> "$OUTPUT_FILE"
    # append the disclaimer
    cat "$DISCLAIMER_FILE" >> "$OUTPUT_FILE"
    # Set a directive so the message will be tagged
    echo "OUTPUT_DIAGNOSTIC=\"${TAG}\"" > "$OUTPUT_OPTIONS"
fi
# end script.
3. Put a text file containing the disclaimer in the /install_dir/scripts directory.
For this exercise, call it footer.txt:
The opinions expressed above are those of the individual and not necessarily Sun Microsystems, Inc.
This email is not a legal document.
4. Modify or create the mappings file to trigger a trip through the conversion channel.
Unlike the conversions file, the mappings file is there from the initial install. The IMTA_MAPPING_FILE is install_dir/imta/config/mappings on UNIX systems.
5. Create a backup of the original file prior to making any changes:
# cd /INSTALL_DIR/msg-INSTANCE/imta/config
# cp mappings mappings.bak
6. Add a section to this file that says to run both in and out messages through the conversion channel:
!
CONVERSION
  IN-CHAN=tcp_*;OUT-CHAN=tcp_*;CONVERT   Yes
5/17/2018 BP SunONE Messaging Server - slidepdf.com
http://slidepdf.com/reader/full/bp-sunone-messaging-server 220/284
194 Advanced MTA Configuration
Note – Mapp ing and other MTA configu ration files are very picky regardingformatting including line spacing and indentation. Consult the documentation fordetails.
7. Modify or create the conversions file to include e ntries that call the
append_disclaimer.sh script.
This file does not exist upon initial installation. It only exists if the conversionchannel has been configu red a lread y. The IMTA_CONVERSION_FILE isinstall_dir /imta/config/conversions on UN IX. In th e follow ing examp le youcan see where you can further identify where the message came from or is to be
!! Make all messages going from any tcp channel going to any tcpchannel take a! detour through the conversion channel.!
routed to (for examp le, in-chan nel or ou t-chan nel), as well as the typ e (for examp le,text) and subtyp e (for examp le, every su btyp e), and the m essage part (for examp le, 1or 1.1).
Why do you need two entries? Well, you must append the disclaimer to either asingle-p art m essage (for example, no attachmen ts) or the first part (for example,main bod y) of a multipart message (m essage with attachments). If you had pu t onlythe first entry, MTA would not append the disclaimer to anything that had
attachments.
!in-channel=tcp_*; out-channel=tcp_*;in-type=text; in-subtype=*; part-number=1;parameter-symbol-0=APPARENT_NAME; parameter-copy-0=*;dparameter-symbol-0=APPARENT_FILENAME; dparameter-copy-0=*;message-header-file=2; original-header-file=1;
override-header-file=1;command="/install_dir/scripts/append_disclaimer.sh footer.txt"
!! Append disclaimer only to the first part of a multipart message! if that part is a text message part. (part-number=1.1 is the! first part of a multipart message).!
in-channel=tcp_*; out-channel=tcp_*;in-type=text; in-subtype=*; part-number=1.1;parameter-symbol-0=APPARENT_NAME; parameter-copy-0=*;
5/17/2018 BP SunONE Messaging Server - slidepdf.com
http://slidepdf.com/reader/full/bp-sunone-messaging-server 221/284
Conversion Channel 195
! Append disclaimer to single part messages if the body part is text.
!in-channel=tcp_*; out-channel=tcp_*;in-type=text; in-subtype=*; part-number=1;parameter-symbol-0=APPARENT_NAME; parameter-copy-0=*;
dparameter-symbol-0=APPARENT_FILENAME; dparameter-copy-0=*;message-header-file=2; original-header-file=1;override-header-file=1;
! Append disclaimer only to the first part of a multipart messagecommand="/install_dir/scripts/append_disclaimer.sh footer.txt"! if that part is a text message part. (part-number=1.1 is the! first part of a multipart message).!!
in-channel=tcp_*; out-channel=tcp_*;
in-type=text; in-subtype=*; part-number=1.1;parameter-symbol-0=APPARENT_NAME; parameter-copy-0=*;dparameter-symbol-0=APPARENT_FILENAME; dparameter-copy-0=*;message-header-file=2; original-header-file=1;override-header-file=1;command="/install_dir/scripts/append_disclaimer.sh footer.txt"
! if that part is a text message part. (part-number=1.1 is the! first part of a multipart message).
!in-channel=tcp_*; out-channel=tcp_*;in-type=text; in-subtype=*; part-number=1.1;parameter-symbol-0=APPARENT_NAME; parameter-copy-0=*;dparameter-symbol-0=APPARENT_FILENAME; dparameter-copy-0=*;message-header-file=2; original-header-file=1;override-header-file=1;command="/install_dir/scripts/append_disclaimer.sh footer.txt"
!
!
5/17/2018 BP SunONE Messaging Server - slidepdf.com
http://slidepdf.com/reader/full/bp-sunone-messaging-server 222/284
196 Advanced MTA Configuration
8. After you have made the changes to the MAPPINGS and CONVERSIONS files, you
must rebuil d the config uration fil es and restart the d ispatcher.
Note – On large systems with lots of messages in queue restarting thejob_controller u nnecessarily causes a load on the system. Avoid restarting th ejob_controller if possible.
# cd / INSTA LL_DIR/msg- IN STA N CE
# ./imsimta cnbuild
# ./imsimta restart dispatcher
Converting PostScript to Acrobat
Add a PostScript (PS)-to-Acrobat conversion utility that takes all incoming messages (those actually delivered to the message store) with PS attachments and converts the PS attachments to PDF (Acrobat) format, replacing the original PS attachment.
There are a couple of things to note:
1. You have already configured the conversion channel to process incoming and outgoing messages and created a mappings file, but this file is not quite right for what you will do here.
2. Since you are calling a ready-made utility, you do not have to create a script.
To create the PS-to-Acrobat conversion utility:
1. Modify the mappings file first. Here is the section you modified from before.
!
CONVERSION
  IN-CHAN=tcp_*;OUT-CHAN=tcp_*;CONVERT Yes
!
! Make all messages going from any tcp channel going to any tcp
! channel take a detour through the conversion channel.
!
2. Add a section to route anything stored to the local mailstore:
  IN-CHAN=tcp_*;OUT-CHAN=ims-ms;CONVERT Yes
!
! make all messages being stored to the mailstore go through the
! conversion channel.
!
3. Add an entry in the conversions file, which is INSTALL_DIR/msg-INSTANCE/imta/config/conversions.
The entry might look something like:
!
! convert postscript to pdf
!
out-chan=ims-ms; in-type=application; in-subtype=postscript;
out-type=application; out-subtype=pdf; out-mode=block;
command="/opt/sfw/bin/ps2pdf 'INPUT_FILE' 'OUTPUT_FILE'"
!
This entry assumes that your system has the ps2pdf utility loaded from the Sun freeware CD. Be careful with the quoting here: INPUT_FILE is encased in single straight quotes ('), as is OUTPUT_FILE, while the entire command is enclosed in double straight quotes (").
4. Rebuild the configuration files and restart the dispatcher.
# cd /INSTALL_DIR/msg-INSTANCE
# ./imsimta cnbuild
# ./imsimta restart dispatcher
Note – Restarting the job_controller unnecessarily causes a load on the system. Avoid restarting the job_controller if possible.
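Both the disclaimer entries and the ps2pdf entry above depend on exact quoting and exact channel names, and a mistake only shows up as a conversion channel that silently does nothing. The following is an added example, not a Sun ONE Messaging Server utility and not from the book: a small POSIX sh/awk checker to run over a conversions file before imsimta cnbuild. It checks only what this chapter warns about, namely unbalanced straight double quotes, a command= value that is not wrapped in double quotes, and the ims_ms misspelling of the ims-ms channel. The sample file it writes is constructed for the demonstration; the /install_dir path and footer.txt name follow the exercise above.

```shell
#!/bin/sh
# lint_conversions.sh -- added example, not a Sun ONE Messaging Server utility.
#
# Static sanity checks for an MTA conversions file, run before
# "imsimta cnbuild".  Lines starting with "!" are comments and are skipped.
# One finding is printed per line; the exit status of lint_conversions is
# the number of findings, so 0 means nothing was flagged.

lint_conversions() {
    # $1 = path to the conversions file to check
    awk '
        /^[[:space:]]*!/ || /^[[:space:]]*$/ { next }   # comment or blank line
        {
            # An odd number of straight double quotes means a quoted value
            # (typically the command= value) was opened here but not closed.
            line = $0
            nq = gsub(/"/, "&", line)
            if (nq % 2 == 1) {
                printf "%s:%d: unbalanced double quote\n", FILENAME, NR
                bad++
            }
            # The whole command= value has to be wrapped in double quotes;
            # the single quotes around INPUT_FILE / OUTPUT_FILE live inside.
            if ($0 ~ /command=/ && $0 !~ /command="/) {
                printf "%s:%d: command= value is not enclosed in double quotes\n", FILENAME, NR
                bad++
            }
            # The message store channel is ims-ms; ims_ms is a common typo
            # that produces a non-functioning entry.
            if ($0 ~ /ims_ms/) {
                printf "%s:%d: channel name ims_ms should be ims-ms\n", FILENAME, NR
                bad++
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Writes a constructed sample file to $1: one correct entry in the style of
# the ps2pdf example, followed by a deliberately broken entry.
write_sample_conversions() {
    cat > "$1" <<'EOF'
!
! convert postscript to pdf
!
out-chan=ims-ms; in-type=application; in-subtype=postscript;
out-type=application; out-subtype=pdf; out-mode=block;
command="/opt/sfw/bin/ps2pdf 'INPUT_FILE' 'OUTPUT_FILE'"
!
! broken entry (constructed): misspelled channel and an unclosed quote
!
out-chan=ims_ms; in-type=text; in-subtype=*; part-number=1;
command="/install_dir/scripts/append_disclaimer.sh footer.txt
EOF
}

# Usage: sh lint_conversions.sh /INSTALL_DIR/msg-INSTANCE/imta/config/conversions
if [ $# -gt 0 ]; then
    lint_conversions "$1"
fi
```

Run it against the real file after every edit and only call imsimta cnbuild when it reports nothing; it does not know the MTA's full grammar, so a clean result means only that the three classes of mistake named in this chapter are absent.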
Virus Scanning
The Sun ONE Messaging Server has a facility for allowing sites to hook in third-party software to perform arbitrary body-part processing. Examples could include software that performs document conversion from text to PostScript, content filtering, or other desired processing. This facility can also be used in conjunction with third-party virus scanning software to conduct email virus screening. The only typical requirement is that the virus scanning engine provide a command line interface so the Messaging Server can pass content and receive result codes back.
For additional details see:
http://docs.sun.com/source/816-6092-10/index.html.
Antispam
The Sun ONE Messaging Server provides the ability to integrate with third-party software to perform special processing of messages. This includes uses such as virus scanning as well as antispam scanning. The Messaging Server has been tested in a lab environment with both SpamAssassin, an open source software for antispam processing, and Brightmail, which is a commercial antispam scanning offering. It is anticipated that many of the antivirus vendors such as Symantec, Interscan, and so on, will begin offering antispam capabilities or add-ons in the near future. For additional details see:
http://docs.sun.com/source/816-6829-10/index.html.
Other Possibilities
There are almost limitless possibilities for what the MTA can be configured to accomplish. Some additional functions that customers and Sun Professional Services have added include integration with fax gateways, which require document conversion to TIFF format, as well as the addition of a custom channel (for example, FAX).
Other functions include outbound paging and support for Blackberry RIM devices.
As you would expect, using the conversion channel and performing advanced MTA configuration can open up a significant number of possibilities with the Messaging Server. The caveat here is that anything you add to the process requires additional CPU and memory resources, and potentially additional storage. As with any program or scripting, interpreted languages such as shell scripts or Perl will not be as efficient as low-level programming languages such as C, but they offer the ability to easily change and modify things without recompiling the source. Count on spending a good portion of time testing and debugging anything you do, as a small mistake such as the wrong quote mark or incorrect channel name (for example, ims_ms versus ims-ms) can create a non-functioning conversion channel routine.
CHAPTER 14
Highly Available Messaging Deployment
Not all organizations see messaging as a mission-critical service or for some reason decide not to implement highly available messaging. This chapter reinforces why messaging is mission-critical and needs high availability. It addresses specific issues (pros and cons) with various high-availability architectures that customers have implemented as well as some of the caveats when planning and installing messaging in a high availability environment. These lessons have been learned the hard way at various customers' sites and are found nowhere else in the documentation or technical notes.
Every year we seem to rely more and more upon our email systems. Many of the reasons were outlined in the beginning of this book. Typically the only time it becomes clear that email is mission critical is when there is a major outage or problem. If you do not think email is mission critical, try either pulling the plug on the messaging system or not adding new accounts when requested. Today we are using email systems to store more than email. They are becoming the storage folder for fax and voice mail traffic too. Around the corner are additional usages for messaging systems that we have not yet begun to imagine. So not planning for high availability (HA) seems to be asking for trouble, if not today then certainly in the future.
High Availability Architecting Differences
One of the biggest misconceptions regarding failover software, also sometimes referred to as clustering or high availability, is that it guarantees availability. Failover software cannot eliminate all outages or problems, but it can provide additional availability when it comes to hardware failures.
There are two main aspects to architecting a high availability solution:
MTBF—Mean Time Between Failures—How much time elapses on average between each failure.
MTTR—Mean Time To Repair (or Recover)—How quickly the system comes back up and is available for users after a failure occurs.
Unfortunately, many people put too much emphasis on the MTBF figure at the expense of the MTTR figure. Take for example two scenarios where the MTBF is three months, meaning the system is likely to experience a failure four times each year. In the first scenario the MTTR is one hour, while in the second scenario the MTTR is eight hours. In scenario one, the total downtime for the year is four hours, while the second scenario results in 32 hours of downtime. Extending the MTBF to 12 months in the second scenario (one eight-hour failure per year) still results in eight hours of downtime per year, which is more than in the first scenario. The key to availability is addressing both MTBF and MTTR, and sometimes focusing more in reality on MTTR than MTBF.
What does failover software guard against? The failover software addresses server hardware-related issues such as failed network adapters, CPUs, and so on. Some failover software goes further and protects against hung or non-responsive software processes (for example, the LDAP daemon) by querying the process every now and then. Should it be non-responsive, the failover software then restarts the daemon. If this fails a set number of times, a complete failover is then triggered. Both VERITAS and Sun Cluster software perform the process restart attempt.
What does failover software not protect against? Failover software does not protect against everything, and specifically does not address:
- Operator error (for example, rm -rf *)
- Software problems (for example, bugs)
- Storage failures (for example, drive failures or controller failures)
You can put a cluster in place and actually have more downtime due to operator error if you do not adequately provide for system administrator training on the clustering software. You can have downtime due to defective software. You can have a cluster that will not fail over because the storage system, which is a shared resource, fails catastrophically or because it was not protected (for example, not on a UPS like the server was—yes, this has happened to customers). Failures can still occur, even after addressing issues such as operator errors through training and formal procedures, software problems by an internal testing process, and storage failures by having protected the storage (for example, RAID 5e and UPS, and so on).
What then? It is really a matter of planning to fail, that is, how you will handle a failure, even with a clustered environment. As the old commercials for American Express Traveler's Checks said, "What will you do, what will you do?" By closely examining the restoration process for your messaging environment, you can develop specific steps that will result in the fastest restoration of service time. They may include everything from the basics of re-indexing the mail contents to a complete restore, including the Solaris OE.
Questions that must be asked in your environment are:
- What is the procedure for doing this?
- How can it be improved?
Each environment is slightly different, but there are some basic techniques such as JumpStart and Flash Archive usage for rapid restoration of the operating system and software, as well as periodic snapshots of the database and directory, to complete mail content backups. For more details, refer to Chapter 15, "Managing Messaging Services and Preventive Maintenance," on page 209.
High Availability Architectures
The iPlanet Messaging Server Installation Guide for UNIX outlines several HA architectures and discusses a few of the pros and cons of each. The installation guide can be found at:
http://docs.sun.com/source/816-6014-10/.
This manual lists the following HA architectures:
- Symmetric (hot standby)
- Symmetric (Active-Active)
- N + 1 (N servers + one standby)
However, there are other HA architectures to be considered once you understand all of the parts of the architecture and how (or whether) HA affects them. As discussed earlier in the book, sometimes there are advantages to keeping things simple.
The Parts
- Directory—can be protected by using failover or multiple master replication
- Mail Store—stateful and requires failover
- MEM—stateless, requires multiple physical servers, no failover agent available
- MMP—stateless, requires multiple physical servers, no failover agent available
- MTA—stateless, can be made available by either failover or multiple physical servers. MTA is considered stateless because, due to the nature of store-and-forward, there is nothing stateful in memory, it is all written to disk—so appropriate storage protection (for example, RAID 5e or RAID 0+1) is a good idea.
Directory
With the advent of Multiple Master replication technology in the Directory Server 5.1 and higher, customers have the option of making their directory server highly available. They can use the tried-and-true method of using Sun Cluster or VERITAS Cluster software. Or, they can use Multiple Master replication that is now built into the Sun ONE Directory Server.
Mailstore
The mailstore provides the basic storage of messages as well as the native HTTP, IMAP, and POP services. Due to the stateful storage of the header information in a database, it becomes necessary to use failover software such as Sun Cluster or VERITAS to obtain high availability.
MEM and MMP
The MEM and MMP function as proxy servers. So long as the configurations and files are the same on all systems, you can have multiple servers performing the same function. This does require a network-based load balancer such as Resonate, Cisco LocalDirector or F5, or Alteon to work.
MTA
Since messaging by nature is a store-and-forward architecture, it allows for some flexibility regarding availability. That is, should an MTA be unavailable, other parties will hold their messages for some period of time, periodically retrying. Typically most environments can easily configure multiple MTAs and appropriate DNS entries to provide for redundancy at the MTA level. The failover time, however, is not instantaneous, so many organizations also provide a virtual IP and network-level failover as you would for MEM or MMP. So while the MTA has some information, it can generally start up and continue where it left off without many issues—forwarding the mail it has in the queue, albeit somewhat delayed.
Other Architectures
When you consider what items within the messaging architecture require failover or can take advantage of failover, plus any additional services (such as the Calendar Server) that are often integrated into such an environment, the possible number of architectures increases.
Alternative No. 1
In any environment, having to provide a server for a hot standby architecture is a wasteful use of computing resources. The alternative configuration (FIGURE 14-1) that some customers have implemented has the Sun ONE Messaging Server environment (mailstore and MTA) running on one system and the main LDAP server running on the other node. This configuration provides for high availability of both messaging and directory, while allowing independent failover of each, plus it utilizes both nodes.
Additional directory replicas, called consumers, can be configured to replicate from the main LDAP server.
FIGURE 14-1 High Availability Configuration Failover (diagram: Server 1, active messaging; Server 2, standby; shared storage; cluster interconnect)
Alternative No. 2
Customers often implement the Sun ONE Calendar Server in addition to the Sun ONE Messaging Server, since they can be purchased in a money-saving package called the Web Communication Bundle. This alternative configuration (FIGURE 14-2) provides for a highly available calendar system in addition to the messaging system. As in Alternative No. 1, the directory server is made highly available on the second server, but now the calendar server is added to the system. This configuration provides for high availability for messaging, calendar, and directory while allowing independent failover of each, plus it utilizes both nodes. As in Alternative No. 1, additional directory replicas can be configured off the main LDAP server.
FIGURE 14-2 Failover Using Both Nodes in a High Availability Configuration (diagram: Server 1, active messaging; Server 2, active calendar; shared storage; cluster interconnect)
Differences in Planning for High Availability Messaging
Planning for use of failover software involves obtaining and managing additional IP addresses and hostnames.
Differences in Installing HA Messaging
The obvious difference is that you have to install, configure, and manage the failover software such as Sun Cluster or VERITAS. Beyond that, the largest differences in installing messaging on a clustered system involve dealing with the logical host.
Always use the fully qualified logical host name and IP address. Do not use the physical host. You must also use the logical storage devices. The differences include references to things such as the LDAP server when installing messaging. Do not refer to the physical host of the LDAP server, but rather to the logical host. There are also some edits to configuration files that must be performed, as you will see.
Best Practices and Caveats
Caveat—While everything works well with Sun Cluster for failover on an ACTIVE-ACTIVE cluster configuration, there is one slight issue. Specifically, the Simple Network Management Protocol (SNMP) monitoring daemon is not able to understand that you now have two message servers running on the same physical host, and it goes away so you no longer have a monitoring daemon.
Installation Procedure and Notes
For complete details, see Chapter 4, "High Availability" in the iPlanet Messaging Server Installation Guide for UNIX located at:
http://docs.sun.com/source/816-6014-10/ha.htm#11284.
This section came about from a situation where one of our customers was having significant difficulty getting the Sun ONE Messaging Server installed with Sun Cluster 3.0 software and the EMC storage units. The customer we were doing this lab work for spent about four weeks dealing with hardware installation issues that were related to their EMC storage system. So do not underestimate the time it takes to install and physically configure the hardware.
Note – When installing the Solaris OE you must select the Entire Distribution, and you really should select NONE for naming service and manually configure DNS. For example, edit the /etc/nsswitch.conf file and configure the /etc/resolv.conf file.
Conclusions
1. Verifying that the hardware configuration is correct and supported is very critical.
The fact that a fiber channel card or driver is not quite correct can lead to significant delays and errors. Messages like "SCSI resets" or "SCSI reservation" problems are indicative of storage issues. Check, recheck, and escalate when all else fails.
- Check Sun for the latest supported configurations.
- If using EMC, check with EMC local technical resources to verify that specific interface cards and drivers are supported. EMC does the certification work for Sun Cluster hardware, not Sun.
2. It is critical to do a complete install of the operating system, using the latest version of Solaris OE available.
In our case, this was Solaris 8 OE Update 10/01. We discovered this the hard way on the customer site, where they had used the JumpStart feature to load their "standard" data center load. This was a mistake for two separate reasons—their JumpStart image used an older version of Solaris 8, Update 01/01, which even with patches is not the same as starting with Solaris 8 OE Update 10/01; and their JumpStart image, while containing innocuous settings for things like DNS, host tables, and so forth, was not the full install of Solaris OE—they had removed packages to "tighten" security and save space. So we lost about a day and a half struggling with some issues, eventually reloading the operating systems on both cluster nodes from a Solaris 8 OE Update 10/01 CD.
3. Overall, the software installation process is not difficult.
In our lab, we completed the whole installation in roughly nine hours, including breaks for lunch, other meetings, and conference calls. But this was with two people, one with Sun Cluster 3.0 software knowledge and one with iPlanet Messaging Server knowledge, both of whom know the Solaris OE well.
Once EMC hardware issues were resolved at the customer site, after a total of five weeks of diagnostic and troubleshooting efforts, the installation of the Sun Cluster software and iPlanet Messaging 5.1 proceeded normally.
4. The Delegated Administrator can definitely be made part of the resource group for messaging, using the Sun Cluster Netscape Webserver agent.
In our lab, we installed the Webserver agent and made it dependent upon the messaging server being up and running (which also made it dependent upon LDAP and storage being there). It worked just fine.
5. The Sun Cluster 3.0 software is significantly different (in many ways better and easier) than Sun Cluster 2.2, so there are some things when architecting it that must be taken into consideration.
While at least two interconnect links are still required, storage is abstracted from the actual applications, meaning that the application can fail over to the other nodes, but storage may not actually migrate. Therefore, it is critical to ensure that you have sufficient bandwidth between the nodes to handle the situation where the messaging server might fail over but for some reason storage continues to work on the original node.
Get the regional Sun Cluster pre-sales engineer and post-sales support engineer involved in approving the configuration. Be extremely detailed about how things will be configured. Little mistakes can take weeks to correct, and waste weeks of time. Planning how things are architected before you begin saves considerable time and reduces the number of situations where you might have to start over or have additional logical hosts. This includes deciding whether you are running the LDAP within the messaging resource group, or whether it is an independent resource group by itself.
CHAPTER 15
Managing Messaging Services and Preventive Maintenance
As with any system, your Messaging Server requires routine maintenance. This chapter outlines the best practices and issues surrounding day-to-day and routine maintenance involved in managing a messaging server, specifically the Sun ONE Messaging Server. While the current documentation explains the basic commands, it does not address automation or scripting of these functions, nor does it adequately cover techniques that can improve backup and recovery time.
Periodic maintenance is a necessary part of the operation of a messaging system, and the Sun ONE Messaging Server is no exception. By keeping up with maintenance tasks, you can avoid issues that would otherwise occur. This benefit was alluded to in Chapter 14, "Highly Available Messaging Deployment," on page 201.
Keep in mind also that the following are only suggestions. Each organization must develop its own checklists and schedules according to its specific requirements.
Additionally, new best practices and maintenance utilities will be developed from time to time, so do not expect your checklists to be completely static either—you must periodically revisit your checklists to take advantage of new developments.
Periodic Maintenance Checklists
It is a good idea to create and maintain checklists for your periodic maintenance. Documented procedures, policies, and checklists are always more consistent than trying to recall whether the system has been patched or backed up.
This section contains descriptions of daily, weekly, monthly, quarterly, and annual checks.
Daily Checks
The items that you should check daily are:
- Review log files for abnormalities.
Yes, lots of data is logged and it is a pain to review the log files. It is very easy to skip this, but reviewing the log files is also one of the easiest ways to detect errors or abnormalities before they become problems. Often, errors or abnormalities can get buried in the log. The key is to look for specific keywords or filter out lines that are normal. Some people simply write a Perl script or shell script to filter log files for the exceptions. Some organizations have a log scanning utility that they use for other purposes (for example, operating system log file scanning). Some even go to the additional step of adding notification (for example, paging) for a more robust and active method of problem detection.
By reviewing the log files daily or automating it, you can catch abnormalities or security issues before they cause major problems.
Do not let automation make you complacent—look yourself sometimes. There is no substitute for the best pattern recognition system—you. No utility or script can be as adaptive as the human brain.
- Check for core files.
A core file is an indication that a fatal error has happened on the server. A program or process could generate a core file, or if the problem is very serious, the operating system itself could generate a core file. One issue that many system administrators do not address is the space necessary to store a system core of a machine (server) that has four gigabytes or more memory—if the default is kept, often a system core will not be captured due to lack of disk space. It is generally a good idea to configure a separate volume with enough disk space for 2.5 to 3 times the amount of physical memory. There are other settings that usually must be made to enable large files greater than two gigabytes and tell the operating system where to put system cores. See your operating system administrator's manual for specific details.
Core files for programs and processes generally are not as large as system cores and wind up where the program or process resides.
• Review queues.
You want to examine all the queues in the system, both on the MTA and the mailstore, to ensure that all the mail is being delivered (passing through) rather than being stuck. This means all the queues—not just the ones you normally use, but every queue that is configured. A configuration change or a strangely formatted email may cause one or two messages to be diverted to a queue that is not normally used. A significant number of messages stacked up in the normal queues might also indicate that there is a problem. So by checking all the queues daily, you can get an indication of any problems before they cause major issues.
• Back up the messaging database online.

One of the nice features of version 5.2 of the Sun ONE Messaging Server is that the administrator now has the ability to perform an online backup of the messaging database. This database stores the header information and folder index information for messages in a particular mailstore (each mailstore has one database). While you can re-create this entire database from messaging contents, this backup can take a significant amount of time.

To avoid having to re-create the database from scratch, performing a periodic backup (daily or several times per day) can reduce the recovery time immensely. The system can then simply perform an update to the database, which is many times faster than performing even a parallel re-create (re-index).
• Back up the mailstore.
Depending upon your specific environment and policies, backing up the mailstore (messages) is a good thing. The utilities provided as part of the Sun ONE Messaging Server product can perform a complete backup or a backup based by groups of mailboxes. It can back up to tape or to disk, and it can be integrated with third-party backup utilities such as Legato or VERITAS.

Keep in mind that the backup utilities maintain single message copy integrity.
• Back up the directory.
It is necessary to back up the directory (LDAP server) contents separately at the same time. Utilities are provided as part of the directory server to do this backup. Since the directory is generally much smaller than the backup of the mailstore, it is rather quick to perform a directory backup. Often the backup is made to disk and then copied onto tape since it does not take up a lot of space.

There is some debate as to the best method of backup. Two utilities are provided with the directory server, db2bak and db2ldif. The db2bak utility creates a backup in the backup format, and the db2ldif creates a backup in LDIF format. The reason for using db2bak for backups is that it is quicker to restore; the reason for using db2ldif is that it is a neutral, human-readable format so you can import it into most directory servers and directly manipulate it if necessary. Some organizations actually perform backups using both methods, just in case.
• Review new OS or program security patches.
It is very important to keep up to date regarding security patches for both the operating system and programs (messaging, directory, and so on), even above other recommended patches. I put this in the daily category because you should subscribe to the CERT mailing list for security (http://www.cert.org/) to receive notices regarding security-related issues. Then read and understand how each applies to your messaging environment—many may not, but there is always the one that will. You can also find the latest Solaris OE security bulletin for Solaris OE-specific security issues at:

http://sunsolve.sun.com/pub-cgi/secBulletin.pl?mode=latest.
Weekly Checks

The items that you should check weekly are:
• Back up the operating system.
Ideally, the operating system does not change very much from day to day or even from week to week with a Sun ONE Messaging System installation. User information is not stored at the operating system level, nor is most configuration information, so generally a weekly full backup is sufficient.

• Do a full backup of the mailstore.
Notice that this is listed twice. Many times, customers perform an incremental backup of the mailstore nightly and then only perform full backups weekly. And yes, some customers do not back up email at all. Imagine 1,000,000 mailboxes each with 10 megabytes of mail. That is 10,000,000 megabytes or 10 terabytes of data to back up. Also, some customers believe that backing up their email opens the door for search warrants and sets expectations with customers of individual email recovery.
• Review new OS recommended clusters.
Sun releases recommended operating system patches in a bundle or cluster roughly once every two weeks. This includes any security patches, plus kernel and other system programs. It is a good idea to review the report for the latest Recommended and Security Patch Report file for your particular version of Solaris. This report is located at:

http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-license&nav=pub-patches.

You can also be notified of patches and get additional updates emailed to you weekly. This service is called the Patch Club—subscribe at:

http://www.sun.com/newsletters/.

You can also sign up for Sun Alert Weekly which provides alerts regarding additional issues that may affect the availability of your system.
Monthly Checks

The items that you should check monthly are:
• Review hotfixes and patches for messaging.
There are two different types of patches for the messaging and directory software. One is called a hotfix and the other is called a patch. Hotfixes are designed to address one specific issue or problem that a particular customer or small group of customers is experiencing. Hotfixes are not tested against one another—so hotfix 12 is not tested with hotfix 11, for example. This is not always the case, but in general is what happens.

Hotfixes may also address any specific security or corruption issues, so it is important to understand why the latest hotfix has been developed and what it fixes. Note that the description will indicate also whether this might be a cumulative hotfix.

Patches are cumulative of most of the hotfixes since the last patch or release of the messaging and directory software. They have gone through the entire QA cycle and are designed for general application and usage by all customers.

Both hotfixes and patches are applied in the same way, and both change the messaging or directory binaries. A readme file that details the necessary installation steps is available. Details regarding post-installation steps and backout are in this readme file. The installation script creates a backup of any binary replaced.
Caution – Hotfixes and patches can undo customizations and changes that have been made. This is especially prevalent when customers have made customizations or changes to the web mail GUI. Reconciling these customizations (redoing) with the updated files can take effort and time—it is not something to be rushed. It is a good idea to apply hotfixes and patches to a test system, determine any reconciliation required, redo the customizations on the test system and thoroughly test them, and then move the reconciled files onto the production mail server.
• Export the directory.
Directory export (for example, using the db2ldif utility) is listed as a monthly checklist item because it is a good idea overall and should be done periodically if you are not using this method for backups.
• Review the sum of database file sizes.
You should periodically review the sum of the database file sizes so you can properly tune the store.dbcachesize parameter. See Chapter 12, "Performance Tuning," on page 179 for more details.
Quarterly Checks

The items that you should check quarterly are:
• Practice recovery of the messaging system from scratch.
Practicing the recovery of the messaging system from scratch is often overlooked. Yet as stated before, it is often the time that it takes to recover that really impacts downtime, not the actual hardware failover. Often the first time an organization actually does this is during a real outage—not the best time to be trying new procedures or not knowing exactly what you should be doing.

One argument made against this practice is always the lack of time. Well, would you rather spend eight hours practicing and when something happens be able to recover in two hours, or would you rather skip the practicing and spend 16 hours recovering the messaging system?

Another argument made is: We have one terabyte of email and do not have a test system with enough storage. OK, well what about using a subset of the mailboxes? Create a specific test backup tape with every tenth mailbox so you only need 100 gigabytes of storage.

Yet another argument is not having enough servers. Fine. Put everything all on the same system, directory, MTA and mailstore; at least it is better than nothing. You will lose something in the translation but the majority of the steps and procedures will still have to be done.

On your practice system, intentionally corrupt or drop the database on the mailstore. Now try specifically to re-index or recover from a backup of the data to practice this part of the recovery. The database on the mailstore will be corrupted more frequently than the entire system, so practice recovery and rebuild of just the database and figure out where to reduce time (for example, using backups of the database and/or parallel rebuilds).

By doing a recovery of the messaging system from scratch quarterly, you will understand the overall process and be comfortable executing the necessary steps.
Annual Checks

The items that you should check annually are:

• Review procedures and checklists.
• Evaluate the latest version of the messaging software for possible upgrade.
CHAPTER 16

Monitoring a Sun ONE Messaging Server
Monitoring your systems and the Sun ONE Messaging Server software that comprises your email infrastructure is an important part of the overall management effort. Tools can range from simple monitoring of the basic hardware and network infrastructure to more complex monitoring such as response time and error logging. They can be homegrown, open source, or commercial products. You can implement one or many.

The important part of the management effort is to understand that such tools exist, map out your specific needs with regard to what you want to monitor and what data you want to keep or graph over X period of time, then examine the tools available to see what meets your needs (or most of your needs).
SNMP
Since version 5.1 of the Sun ONE Messaging Server product, support for the SNMP protocol has been available. Using an SNMP client (sometimes called a network manager) such as Sun Net Manager or HP OpenView (not provided as part of the messaging server product), you can monitor certain parts of the Sun ONE Messaging Server.

The Messaging Server implements two standardized management information bases (MIBs), the Network Services Monitoring MIB (RFC 2788) and the Mail Monitoring MIB (RFC 2789). The Network Services Monitoring MIB provides for the monitoring of network services such as POP, IMAP, HTTP, and SMTP servers. The Mail Monitoring MIB provides for the monitoring of MTAs. The Mail Monitoring MIB allows monitoring of the active and historical state of each MTA channel. The active information focuses on currently queued messages and open network connections (for example, counts of queued messages or source IP addresses of open network connections), while the historical information provides cumulative totals (for example, total messages processed, total inbound connections).
SNMP is not enabled by default and must be configured. See "Appendix A" of the Sun ONE Messaging Server Administrator's Guide at:

http://docs.sun.com/source/816-6009-10/snmp.htm#23526.
SNMP monitoring is fine for organizations that already have this in place, but it can be awfully burdensome to implement SNMP just for monitoring a single application—though it does perform a most valuable service.

Some of the following applications are listed as alternatives or additions to the SNMP method of system and application monitoring.
Alternative Tools

This section describes the following alternative tools:

• What's Up Gold
• Sun Management Center
• Orca
• Big Brother
• BMC Patrol
What’s Up Gold
What's Up Gold is a very basic commercial monitoring tool with some nice features. Its main advantage is that it is easy to install, configure, and get working very quickly. It monitors whether a server (via TCP or UDP) is available via the network—in other words, "what's up?" Another thing in its favor is that it requires no agents or anything loaded onto the servers themselves. A downside is that it has no specific hardware or software knowledge, so it does not monitor specific applications or hardware—there is no performance or throughput data. The biggest downside is that it requires a Windows system (98/ME/NT/2000/XP).

With Sun™ Management Center 3.0 Basic being offered at no charge for Sun systems, the need for something as basic as What's Up Gold has been greatly diminished.

There might also be some usable open-source offerings in lieu of What's Up Gold, which is located at:

http://www.ipswitch.com/Products/WhatsUp/index.html.
Sun Management Center
Sun Management Center software is an open, extensible system monitoring and management solution that uses the Java software protocol and SNMP to provide an integrated and comprehensive enterprise-wide management of Sun products and their subsystems, components, and peripheral devices. Sun Management Center technology provides a solution to extend and enhance the management capability of Sun's hardware and software solutions.

Sun Management Center Basic Edition is available at no charge, and provides basic monitoring features for a single server. The Sun Management Center Enterprise Edition provides the ability to monitor a large number of servers and systems in a client-server configuration, with an agent running on each server and system to be monitored. The data gathered by these agents is then collected by a central server and viewed by the Sun Management Center main management console. Additional components can be added on to the Sun Management Center Enterprise Edition for various enhanced capabilities and applications.

Sun Management Center works with accompanying software packages: Service Availability Manager, a set of modules that test and measure the availability of network services, as well as a System Reliability Manager—a component that enhances reliability, helping to increase service levels and decrease administrative costs, and a Performance Reporting Manager—software that adds analysis, reporting, and graphing capabilities.
The newest addition to the Sun Management Center component list is Change Manager. Based on the concept of managing and provisioning entire software configurations as a single, integrated software stack, the Sun Management Center Change Manager software delivers a fast and easy way to install, configure, upgrade, provision, and audit the integrated software application payloads running on your systems.

An important point to note is that there are application-specific modules that plug into the Sun Management Center. These modules are developed by Halcyon Inc. and are compatible with the Sun ONE Management Center 3.0 product. The modules of interest are:

• PrimeAlert for Sun ONE Directory Server
• PrimeAlert for Sun ONE Messaging Server
• PrimeAlert for Sun ONE Web Server

If you are using the VERITAS Cluster Server for failover, you might be interested in:

• PrimeAlert for Veritas Cluster Server

For details see:

http://wwws.sun.com/software/solaris/sunmanagementcenter/index.html and

http://www.halcyoninc.com/downloads/home.html.
Orca
Orca is a general web-based graphing package. However, combined with the SE Toolkit (which collects system data) it is a nice foundation for keeping track of overall system performance data over a period of time. Performance and throughput data from the Sun ONE Messaging Server can be easily incorporated and graphed using Orca.

While Orca (Orcallator) might not be flashy, it does provide a good start for simple monitoring of the system and application data.

For details see:

http://www.orcaware.com/orca/ and

http://www.setoolkit.com/.
Big Brother
Big Brother monitors system and services for availability. It is a web-based tool with the status of your various systems and services displayed on a color-coded web page in near-real time. When problems are detected, administrators can be notified by email, pager, or text messaging. Big Brother has a pretty good following for many reasons, including their licensing policy and availability of source. The original Big Brother is free for non-commercial use, as defined by its license. Big Brother is provided in source code format for UNIX and Linux, and precompiled for Windows NT and Windows 2000.

Big Brother extensions for Sun ONE Messaging and Sun ONE Calendar are available from Sun "as is" upon request from Sun. Other extensions can be found at the Big Brother archive site. For details see:

http://bb4.com/ and

http://www.deadcat.net/.
BMC Patrol

BMC Patrol is a commercial software application monitoring product. While it can be configured to monitor some of the basic system functions, to get the most out of a BMC Patrol implementation you must have two knowledge modules. Knowledge Modules are additional extensions and pre-configured thresholds for warnings and alerts for the BMC Patrol software. The two specific modules of value in a Sun ONE messaging environment are:

• Solaris Knowledge Module
• Sun ONE Messaging Server Knowledge Module

The Sun ONE Messaging Server Knowledge Module specifically provides proactive monitoring of key messaging server components including LDAP Server, Messaging Server including SMTP Server, IMAP/POP Server, WebMail Server, Administration Server, and the underlying message store.

Additional modules for some specific hardware (for example, Sun Fire™ F15K) and configurations (for Sun Cluster software) are also available.

Information about these Sun-specific modules is located at:

http://www.sun.com/service/sunps/systemsandnetworkmanagement/bmcpatrol/ and

http://www.bmc.com/.

or contact your local Sun Sales Representative.
APPENDIX A

Case Studies
It is always useful for customers to see real-world examples of Sun ONE Messaging Server implementations and architectures. Sometimes this is critical due to implementation time constraints or it may be simply a matter of gathering reference points. The case studies in this appendix serve this purpose.

The following sections contain a series of case studies to illustrate several points made throughout this book as well as highlight some specific lessons learned. Architecture diagrams and timelines are provided for reference. These cases occurred over the past few years and are actually a composite of the case studies of several different customers.

This appendix contains the following case studies:

• Acme University
• Baker Tech
• Community City College

Additional case studies will be gathered in the future.
Acme University

Acme University wanted to replace their existing sendmail system running on a small Sun system. It had been in place for approximately five years. They wanted a more secure system with room for growth while maintaining the same level of administration effort. The sendmail system leveraged files (for example, /etc/passwd) for user information. There was no system redundancy other than basic protection (for example, RAID 0+1) for disks. The customer would like to have most users (students) use web mail while reserving IMAP for faculty and staff. Ultimately they would like to eliminate POP if possible. They are satisfied with their current backup method of direct-attached tape backup.

Acme University has:

• 5,500 students
• 1,000 faculty, staff, and other employees

A single Sun Enterprise 450 server with four CPUs, four gigabytes of memory and 12 internal disk drives configured for RAID 0+1 was purchased along with a small Netra™ server (single CPU, dual network interfaces) for an SMTP firewall product (Interscan) for which the customer previously purchased a license. Professional services from a local reseller assisted the customer in the setup of the hardware and the initial installation of the Messaging Server. A single DLT 7000 was directly attached to the Sun Enterprise 450 server for backup. No special software was to be used for backups. User information and mail was migrated en masse during the summer break and semester. Figure A-1 shows the Acme University architecture configuration.
FIGURE A-1 Acme University Architecture Diagram

[Figure: Internet, firewall, and a Sun Enterprise 450 server (4 CPUs, 4-gigabyte memory) with internal disks and an external tape unit]

Timeline

The purchase and implementation of the new messaging system took approximately four months from initial contact with Sun to the first production login. The initial architecture and purchase was done in four weeks and the equipment was on site approximately two weeks after that. Installation work began in week six. The basic messaging system installation was done in about two weeks. The remaining two months were used to migrate existing users and mail and develop scripts to automate the provisioning of the user information.
Lessons Learned
The following lessons were learned in this case study:
• Do not short storage.
One of the original assumptions made by the customer was that 30 gigabytes of space was sufficient for their environment. Unfortunately they did not take into consideration issues such as spindle count and file system requirements. Unlike many servers, messaging servers tend to need quick transactional storage as well as bulk storage. In this case, the specific issue was that no separate volume or spindle set was allocated to their message queues. This introduced some performance issues. Once a dedicated volume was configured for their MTA queues, the performance issue abated. Luckily the performance issue was noticed early on and did not turn into a major issue.
• Keep it simple is a good idea.
In one of the initial discussions, the customer expressed an interest to keep things to a minimalist architecture because administrative staff was scarce and they did not want to add an administrative burden. By keeping the configuration simple with normal hardware availability efforts such as dual power supplies, RAID-0+1 protected storage, and a solid backup device, the customer received several benefits:

  • Much faster installation and configuration
  • Easier administration and management
  • Only one server to deal with when issues arose, like the performance issue
  • Lowest possible cost
  • Availability without extraordinary measures or complications
• Training is important.
Initially the customer was reluctant to send their only administrator through training, even though they had paid for the class. Some of this apprehension was due to their limited staff and already busy workload, plus the additional costs of travel. Initially some of the up-front training was done by using web-based courses. However, it became very clear when examining the Sun Service Support call log about three months after installation that it was time to take the class, because some of the questions and issues could have been easily avoided. While there is no substitute for hands-on experience, getting the basics of installation, configuration, and operation is critical.
• Installation assistance makes things smoother.

The local Sun Reseller provided experienced help to assist the customer in the installation and deployment of the new Sun ONE Messaging Server. This was critical in transferring knowledge and getting the system up and running initially.
Baker Tech

This large university had numerous mail servers across the campus and wanted to consolidate their infrastructure. They had some experience with directory technology (LDAP), but no single campus-wide directory yet. A single authentication system was being developed around Kerberos. They had no web mail or it varied between the mail systems on campus as to whether it was offered or not. They would like a central mail system with web mail that had failover and used directory technology for user information, but can use their Kerberos servers for authentication. Good Sun and Solaris expertise existed in the IT department as well as throughout the campus, but they had little or no experience with clustering technology. It was necessary to support the customer's existing EMC Symmetrix storage system. The customer would use existing SNMP tools to monitor the messaging system.
Baker Tech has:

• 40,000 students
• 10,000 faculty, staff, and other employees
A pair of Sun Enterprise 4500 servers with eight CPUs and eight gigabytes of memory was configured as the main mailstores and a pair of Sun Enterprise 280R servers was used for MTA and virus scanning. The architecture was designed to leverage about 1.2 terabytes of the customer's existing EMC storage subsystem and utilize Sun's Sun Cluster 3.0 software for high availability (clustering or failover).

Unfortunately the customer still did not have a centralized enterprise Directory, but there were pockets of directory on campus. Additional Netra servers were added to one of their existing directory installations (islands) to support the messaging server's LDAP workload. An open source plug-in to the Sun ONE Directory was used to provide Kerberos authentication out the back end of the directory. Figure A-2 shows the Baker Tech architecture configuration.

User information was already partially available, so the messaging server objects needed to be added to the directory and applied to the users.

They decided to add all new accounts to this system beginning with the next semester after going live, while allowing all other users the option to migrate. This policy would be revisited each year. Backups were integrated with their existing data center backup infrastructure using Legato Backup and a tape library. They elected to do the majority of the implementation themselves due to their experience level with Sun and Solaris, even though they had no experience with the messaging product. This implementation method was not recommended by Sun.
FIGURE A-2 Baker Tech Architecture Diagram

[Figure: Internet and firewall in front of two MTAs; two mailstores with multiple connections to shared EMC storage; a backup server and tape library on a private network; LAN and LAN failover; additional LDAP servers; a Messaging Directory (LDAP) with PTA; a Directory (LDAP) carrying the Messaging Directory plugin; and a Kerberos domain controller (Kerberos v4, v5) issuing tickets]
Timeline

The overall project took eight months from start to finish while the initial plan called for an aggressive three-month window. Several factors that contributed to the project delays are outlined in the "Lessons Learned" section. The initial purchase from the initial contact to placement of the order took approximately eight weeks even though the customer's internal project plan was designed around a two-week purchase cycle. The main delay was due to issues within the purchasing department and the requirements of their procedures and processes. Equipment was delivered to the customer in three weeks once the purchasing issues were resolved.

The initial equipment installation and Solaris setup took approximately a week since the customer had significant Solaris and Sun experience. Then, the installation of the Sun Cluster 3.0 software was started. However, something that should have taken approximately two weeks took almost six weeks due to EMC Symmetrix storage unit integration issues. Incorrect adapter cards for the Sun system and incorrect drivers were recommended by EMC and purchased by the customer. After completely swapping out all 10 interface cards and installing the absolute latest driver from EMC for the cards, the EMC storage was able to be attached and failed over without issues. That means that just to get the basic hardware, operating system, and cluster software working took 18 weeks.

Once these initial obstacles and delays were overcome, the actual implementation of the messaging software took approximately two weeks. Load testing, backup restoration testing, and additional testing of the failover process took another three months. This process was started in May and targeted January of the following year, but this schedule was not met and production was delayed until Spring Break of the following year.
Lessons Learned
The following lessons were learned in this case study:

• SNMP has a failure issue.
During the failover testing with the messaging product, once failover was working, an issue existed in the failover condition where both messaging instances were operating on the same host and SNMP visibility went away. This was not a major issue for the customer, as this is a failover condition: failure of the SNMP monitoring would further reinforce the fact that the systems required attention. This may or may not be the case for all customers.

• Instrumenting and monitoring is key.
During the initial testing of failover and load testing, no monitoring was enabled and many statistics were not being collected. Decisions regarding tuning specific parameters later on were difficult due to lack of data. This meant that some load tests had to be rerun once monitoring was enabled.

• Allow additional time for third-party storage.
Due to the difficulty and issues encountered, additional time should be added to the project schedule when third-party hardware or software is involved. This can vary widely based upon the product and relationships involved.

• For complex installations, Sun Professional Services can make a difference.
During the installation issues, using Sun Professional Services was brought up again and recommended to the customer. Some of the issues the customer experienced had already been encountered and addressed using Sun Professional Services. Many of the issues that caused significant delays would have been addressed quickly and would not have caused project time slippage.
Community City College

The customer was a large community college system with 18 campuses distributed throughout the state. Each campus had at least one mail system and various levels of directory infrastructure, if any at all. The Chancellor's office decided that recent funding cutbacks required consolidation of IT services, including directory and messaging. There were pockets of UNIX administration experience, with even less directory expertise and no clustering or failover experience. The use of the existing third-party enterprise storage and backup system (library and software) was required.

The initial thoughts were that 90 percent of the users would be using IMAP while the other 10 percent would use web mail.

Community City College has:

• 120,000 students
• 20,000 faculty, staff, and other employees

Prior to any specific solution, the decision was made to locate the new messaging system at one of the larger, more advanced campuses that had messaging and directory experience. Due to lack of high availability experience, the decision going into the architecture phase was to not use failover technology. Availability would be achieved through the use of multiple servers at each level of the architecture. Due to the large number of users, stress and load testing was critical. Migration would initially be only for faculty and staff, plus any new accounts created after the go-live date. No existing students would be migrated during the initial year. Establishing provisioning from the existing centralized student information and HR systems was required. The customer had an existing license for antivirus but wanted to implement antispam at a later date.

The proposed configuration consisted of a directory master server using a Sun Enterprise 420R server, and four back-end mail servers (mailstores) using Sun Fire V480 servers, each with four CPUs and eight gigabytes of memory. The MTA layer consisted of four Sun Fire 280R servers, each with two CPUs and four gigabytes of memory. To establish the directory environment, a combination of existing systems (old servers) and new was used. The master directory servers were Sun Enterprise 420R with two CPUs and four gigabytes of main memory, while the replicas were Sun Enterprise 220R servers with two CPUs and two gigabytes of memory. Load balancing among the servers was accomplished using the existing Cisco LoadDirectors. Figure A-3 shows the Community City College architecture configuration.

Timeline

This project took about one year from start to finish, with the purchase of the software and hardware taking approximately two months from the date of initial contact with Sun to the delivery of the hardware on site. The initial architecture, sizing, and training were done in parallel once the purchase order was given to Sun and took approximately three to four months. Load testing, instrumenting using Orca and BigBrother, verification of sizing, and practice migration of faculty and staff took an additional three months, during which scripts to migrate users and integrate the directory provisioning with the campus student information system were done.
Lessons Learned
The following lessons were learned in this case study:

• PAB size
The initial architecture and planning called for web mail to be a minor factor, but most of the students used web mail almost exclusively. The actual web mail workload on the main messaging stores was not an issue because IMAP and web mail are close in terms of workload. The main issue was Personal Address Book (PAB) entries. Nine percent of the initial 40,000 accounts used web mail. Each account had an average of 15 entries in the PAB. This situation resulted in over 600,000 directory entries in the PAB portion of the directory. After the initial year of production operation, the decision was made to separate the PAB portion of the directory onto separate LDAP servers so that they could be tuned and managed separately.
FIGURE A-3 Community City College Architecture Diagram (figure not reproduced; it shows load balancers in front of four MTAs on Sun Fire 280R servers, four mailstores on Sun Fire V480 servers with multiple connections to shared storage for redundancy, a directory master on a Sun Enterprise 420R server, and four replicas on Sun Enterprise 220R servers)
• Recovery
Unfortunately, recovery procedures were not practiced, and they were necessary due to a storage subsystem failure within the first three months of operation. However, since no one at the customer site had practiced recovery or was aware of specific steps that could minimize recovery time, recovery took eight times longer than would otherwise have been necessary. Sun Professional Services was called in after this incident to provide a workshop and guidance on developing recovery procedures tailored to the customer's specific environment, so as to reduce the recovery time.

• Appropriate partition sizing
Initial plans called for a minimum of two partitions to handle mailboxes on each of the message stores, based upon initial planning of 20,000 mailboxes per partition. Due to the backup and recovery issues explained previously, it was determined that even though the Messaging Server is quite capable of managing tens of thousands of mailboxes per partition, the practical limit is not a function of the number of mailboxes, but rather a function of the amount of storage per partition in gigabytes. It was decided to repartition the server into a more manageable and recoverable size equivalent to what a single backup tape or image would hold, in this case roughly 200 gigabytes.

• Load testing
Load testing in this large environment was critical to tuning of various parameters in each layer of the messaging architecture, and particularly valuable in testing the configuration of the Cisco LoadDirectors. It was discovered that specific settings were not quite correct and needed to be fixed. If the entire pathway had not been load tested, production issues would have occurred if one of the LoadDirectors had failed.

• Periodic maintenance
During the initial year of operation, little attention was paid to the systems unless dictated by the monitoring tools or help desk ticket system. Upon examination of the directory and messaging system during the PAB migration, it was clear that specific tables in the directory had grown larger than originally anticipated, which necessitated tuning of parameters. Examination of the messaging statistics also indicated some tuning was necessary. In reality, the system had not been periodically maintained other than basic patches or issues surrounding outages. Quarterly examination of data and statistics, table sizes, and so forth could have avoided some slowdowns and outages. This is especially important in large environments where growth is quick.
APPENDIX B

Majordomo Integration

This appendix describes the procedure for integration, working with a single test list. It is tedious, but it does work, and has all of the functionality of majordomo with sendmail. These instructions are for a single domain, but with some minor tweaks they should also work fine in a multidomain environment.

Assumptions:

1. Your messaging server is already installed and functioning correctly.

2. You have gcc installed, or you can compile the wrapper on a machine where it is installed.

Preparing for Integration

To prepare for integration:

1. Make sure your mailsrv user is assigned to a $HOME directory and that it has write permissions to server-root/msg-hostname.
2. Create /etc/passwd, /etc/shadow, and /etc/group entries for the majordomo user.

Example password entries:

iplanet:x:1002:101:iPlanet Servers:/opt/iplanet:/bin/ksh
ldapsrv:x:1003:101:Directory Server User:/opt/iplanet:/bin/ksh
mailsrv:x:1004:101:Messaging Server User:/opt/iplanet/msg-maxima:/bin/ksh
icsuser:x:1005:101:Calendar Server User:/opt/iplanet/SUNWics5:/bin/ksh
listsrv:x:1006:101:Mailing List Manager:/opt/iplanet:/usr/bin/csh
majordom:x:91:91:Mailing List Manager:/opt/majordom:/usr/bin/bash

Shadow entry:

majordom:*LK*:::::::

Group entries:

majordom::91:mailsrv
iplanet::101:iplanet,ldapsrv,mailsrv,icsuser,listsrv,majordom

3. Create the $HOME directory for majordomo.

We used /opt/majordom with 775 permissions. We will probably tighten this up to 755 or 751 later.

a. Extract the majordomo tarball in a work directory.

This is where you will edit the Makefile to fit the environment you created for majordomo.

Makefile <snippet of interest>

#------------- Configure these items ----------------##

# Put the location of your Perl binary here:
PERL = /usr/bin/perl

# What do you call your C compiler?
CC = gcc

# Where do you want Majordomo to be installed? This CANNOT be the
# current directory (where you unpacked the distribution)
W_HOME = /opt/majordom
# Where do you want man pages to be installed?
MAN = /usr/local/man

# You need to have or create a user and group which majordomo will run as.
# Enter the numeric UID and GID (not their names!) here:
W_USER = 91
W_GROUP = 91

# These set the permissions for all installed files and executables
# (except the wrapper), respectively. Some sites may wish to make these more
# lenient, or more restrictive.
FILE_MODE = 644
EXEC_MODE = 755
HOME_MODE = 775

# If your system is POSIX (e.g. Sun Solaris, SGI Irix 5 and 6, Dec Ultrix MIPS,
# BSDI or other 4.4-based BSD, Linux) use the following four lines. Do not change
# these values!
WRAPPER_OWNER = root
WRAPPER_GROUP = $(W_GROUP)
WRAPPER_MODE = 4755
POSIX = -DPOSIX_UID=$(W_USER) -DPOSIX_GID=$(W_GROUP)
# Otherwise, if your system is NOT POSIX (e.g. SunOS 4.x, SGI Irix 4,
# HP DomainOS) then comment out the above four lines and uncomment
# the following four lines.
# WRAPPER_OWNER = $(W_USER)
# WRAPPER_GROUP = $(W_GROUP)
# WRAPPER_MODE = 6755
# POSIX =

# Define this if the majordomo programs should *also* be run in the same
# group as your MTA, usually sendmail. This is rarely needed, but some
# MTAs require certain group memberships before allowing the message sender to
# be set arbitrarily.
# MAIL_GID = numeric_gid_of_MTA

# This is the environment that (along with LOGNAME and USER inherited from the
# parent process, and without the leading "W_" in the variable names) gets
# passed to processes run by "wrapper"
W_SHELL = /usr/bin/bash
W_PATH = /bin:/usr/bin:/usr/local/bin
W_MAJORDOMO_CF = $(W_HOME)/majordomo.cf
# A directory for temp files..
TMPDIR = /var/tmp

# -----YOU SHOULDN'T HAVE TO CHANGE ANYTHING BELOW THIS LINE.-----

Now you can:

make wrapper
make install-wrapper
make install
Once the wrapper and all the perl scripts are installed in /opt/majordom, there are some edits required to get Y2K compliance and squash a couple of small bugs. I will address them in a different format where possible.

***archive2.pl
155c155,159
&open_archive($FH, $year % 100, $MoY{$moy}, $dom);
---
if ($year =~ /\d{4}/) {
&open_archive($FH, $year -1900, $MoY{$moy}, $dom);
} else {
&open_archive($FH, $year % 100, $MoY{$moy}, $dom);
}

***digest
176c176
foreach (@files) {
---
foreach (sort @files) {

***majordomo.pl
59c59,60
s/\n\s+/ /g;
---
s/\015//g; # strip DOS <CR>/^M from end of lines
s/\n\s+/ /g; # unfold wrapped headers

Note, the ^M is a single character created by typing ctrl-v then ctrl-m.

***resend
591c591
---
s/\015//g; # strip DOS <CR>/^M from end of lines
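The two substitutions added to majordomo.pl and resend above matter in that order: the CR strip runs first, so that a CRLF blank line is recognised as the header/body separator and header values no longer end in a stray ^M, and only then are folded header lines joined. The following is an added example, not code from the appendix or from Majordomo, that reproduces both substitutions in Python on a constructed CRLF command message. parse_message, normalize_header_block and commands_until_end are names assumed for this example, and the strip_cr=False path shows what goes wrong without the first edit.

```python
"""Header normalization mirroring the two substitutions patched into majordomo.pl."""
import re
from typing import Dict, List, Tuple

# Constructed sample (not from the page): a CRLF-terminated command message
# with a folded To: header, as a Windows mail client would send it.
SAMPLE_MESSAGE = (
    "From: alice@example.test\r\n"
    "To: majordomo@lists.example.test,\r\n"
    "    alice@example.test\r\n"
    "Subject: subscribe\r\n"
    "\r\n"
    "subscribe test\r\n"
    "end\r\n"
)


def normalize_header_block(head: str, strip_cr: bool = True) -> str:
    """Apply the two substitutions from the patched majordomo.pl, in that order."""
    if strip_cr:
        head = re.sub(r"\015", "", head)   # s/\015//g   strip DOS <CR>/^M
    head = re.sub(r"\n\s+", " ", head)     # s/\n\s+/ /g unfold wrapped headers
    return head


def parse_message(raw: str, strip_cr: bool = True) -> Tuple[Dict[str, List[str]], List[str]]:
    """Split a raw message into a header dict (lower-cased names) and body lines.

    With strip_cr=False the CRLF blank line is never seen as "\n\n", so the whole
    message is parsed as headers and values keep a trailing carriage return.
    """
    text = raw.replace("\r", "") if strip_cr else raw
    head, _, body = text.partition("\n\n")
    head = normalize_header_block(head, strip_cr)
    headers: Dict[str, List[str]] = {}
    for line in head.split("\n"):
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, [line for line in body.split("\n") if line]


def commands_until_end(body_lines: List[str]) -> List[str]:
    """Majordomo reads one command per body line and stops at a line reading 'end'."""
    cmds = []
    for line in body_lines:
        if line.strip().lower() == "end":
            break
        cmds.append(line.strip())
    return cmds


if __name__ == "__main__":
    hdrs, body = parse_message(SAMPLE_MESSAGE)
    print(hdrs["to"], commands_until_end(body))
    hdrs_raw, body_raw = parse_message(SAMPLE_MESSAGE, strip_cr=False)
    print(repr(hdrs_raw["subject"]), body_raw)
```

With strip_cr=False the message has no body at all and the Subject value keeps its trailing carriage return, which is exactly the mismatch the ^M edit removes before majordomo compares header values.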
***majordomo.cf
9c9
$whereami = "example.com";
---
$whereami = "sonny.org";
25c25
$homedir = "/usr/test/majordomo";
---
$homedir = "/opt/majordom";
27a28
$datadir = "$homedir/data";
30c31
$listdir = "$homedir/lists";
---
$listdir = "$datadir/lists";
38c39
$digest_work_dir = "/usr/local/mail/digest";
---
$digest_work_dir = "$datadir/digests";
42c43
$log = "$homedir/Log";
---
$log = "$datadir/Log";
101a103
$config'default_unsubscribe_policy = "open+confirm";
137,138c139,140
$filedir = "$listdir";
$filedir_suffix = ".archive";
---
$filedir = "$datadir/archives";
$filedir_suffix = "";
159c161
$majordomo_request = 0;
---
$majordomo_request = 1;
167c169
max_which_hits = 0;
---
$max_which_hits = 1;
193c195
$TMPDIR = $ENV{'TMPDIR'} || "/var/tmp";
---
$TMPDIR = $ENV{'TMPDIR'} || "$datadir/tmp";

b. You must create some subdirectories for majordomo to use in its $HOME directory to match the entries in the majordomo.cf file.

While you are at it, you can consider creating a link to majordomo.cf in /etc. This is good preventive medicine.

As root, execute these commands, in order:

su majordom
cd /opt/majordom
mkdir -m 775 data
cd data
mkdir -m 775 archives digests lists tmp
cd archives
mkdir -m 775 test test-digest
cd ../digests
mkdir -m 775 test-digest
cd ../lists
touch test test-digest
exit
cd /etc
ln -s /opt/majordom/majordomo.cf majordomo.cf
cd /opt/iplanet/msg-maxima/imta/programs
su mailsrv
ln -s /opt/majordom/wrapper wrapper
exit

The test* subdirectories are the beginnings of a test mailing list setup and configuration. Majordomo still does not work with the messaging server until you create methods for program delivery, the proper users in LDAP, and appropriate entries in the imta/config/aliases file. Start with the program methods.

c. If you are still root, change directories to the server-root/msg-hostname directory (in our case /opt/iplanet/msg-maxima).

The imsimta program utility adds the methods you need to LDAP. This one is for the majordomo administrative user:

./imsimta program -a -m mjwrapper -p wrapper -g "majordomo" -e postmaster

d. Create a set of these for each list you create:

./imsimta program -a -m testr -p wrapper -g "resend -l test test-outgoing" -e user
./imsimta program -a -m testa -p wrapper -g "archive2.pl -f /opt/majordom/data/archives/test/test -a M" -e postmaster
./imsimta program -a -m testd -p wrapper -g "digest -r -C -l test-digest test-digest-outgoing" -e postmaster
./imsimta program -a -m testq -p wrapper -g "majordomo -l test" -e postmaster

The last entry could also be written as follows if the majordomo.cf used $majordomo_request = 0:

./imsimta program -a -m testq -p wrapper -g "request-send test" -e postmaster

Make sure to refresh the MTA after making additions and changes like these, but since you are also going to modify the aliases and add user entries to LDAP, you can hold off on the refresh for a bit.

An ./imsimta program -l should now produce output like the following:

==================================================
Method_name : mjwrapper
Program_name : /opt/iplanet/msg-maxima/imta/programs/wrapper
Argument_list : majordomo
Execute Permission : User
==================================================
Method_name : testr
Program_name : /opt/iplanet/msg-maxima/imta/programs/wrapper
Argument_list : resend -l test test-outgoing
Execute Permission : Postmaster
==================================================
Method_name : testa
Program_name : /opt/iplanet/msg-maxima/imta/programs/wrapper
Argument_list : archive2.pl -f /opt/majrdomo/data/archives/test/test -a -M
Execute Permission : Postmaster
==================================================
Method_name : testd
Program_name : /opt/iplanet/msg-maxima/imta/programs/wrapper
Argument_list : digest -r -C -l test-digest test-digest-outgoing
Execute Permission : Postmaster
==================================================
Method_name : testq
Program_name : /opt/iplanet/msg-maxima/imta/programs/wrapper
Argument_list : majordomo -l test
Execute Permission : Postmaster
==================================================

We were not able to get -l test passed to the mjwrapper method correctly, or we might have been able to save one piece of work here too. We do not have a percent variable to use for that. Otherwise, everywhere in the argument_list that the word "test" exists could be an argument passed from the mailprogramdeliveryinfo attribute.

The additional entries you will need in msg-maxima/imta/config/aliases are:

[email protected]: dliston@[email protected]: dliston@ims-ms-daemon
[email protected]: dliston@[email protected]: </opt/majordom/data/lists/[email protected]: </opt/majordom/data/lists/test-digest

These are the LDAP user entries you will need to pull it all together. None of the LDAP entries need the mailListCreate nsda capability, but the attribute might be handy as part of an ACL if majordomo ever becomes LDAP aware.

dn: uid=majordom,ou=people,o=sonny.org,o=isp
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: inetUser
objectclass: ipUser
objectclass: nsManagedPerson
objectclass: userPresenceProfile
objectclass: inetMailUser
objectclass: inetLocalMailRecipient
mailuserstatus: active
inetuserstatus: active
datasource: NDA 4.5 Delegated Administrator
nsdacapability: mailListCreate
userpassword: {crypt}4/Y1B.C4RmLnU
uid: majordom
givenname: Majordomo
sn: List Manager
cn: Majordomo List Manager
preferredlanguage: en
maildeliveryoption: program
mailprogramdeliveryinfo: mjwrapper
mailhost: maxima.liston.nu
mail: [email protected]
mailalternateaddress: [email protected]

dn: uid=test,ou=people,o=sonny.org,o=isp
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: inetUser
objectclass: ipUser
objectclass: nsManagedPerson
objectclass: userPresenceProfile
objectclass: inetMailUser
objectclass: inetLocalMailRecipient
mailuserstatus: active
inetuserstatus: active
datasource: NDA 4.5 Delegated Administrator
nsdacapability: mailListCreate
userpassword: {crypt}RI6GKwuXEifxA
uid: test
givenname: test
sn: resend
cn: test resend
preferredlanguage: en
maildeliveryoption: program
mailprogramdeliveryinfo: testr
mailhost: maxima.liston.nu
mail: [email protected]

dn: uid=test-archive,ou=people,o=sonny.org,o=isp
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: inetUser
objectclass: ipUser
objectclass: nsManagedPerson
objectclass: userPresenceProfile
objectclass: inetMailUser
objectclass: inetLocalMailRecipient
mailuserstatus: active
inetuserstatus: active
datasource: NDA 4.5 Delegated Administrator
nsdacapability: mailListCreate
userpassword: {crypt}tcCW8XBsV.AB.
uid: test-archive
givenname: test
sn: archive
cn: test archive
preferredlanguage: en
maildeliveryoption: program
mailprogramdeliveryinfo: testa
mailhost: maxima.liston.nu
mail: [email protected]

dn: uid=test-digest,ou=people,o=sonny.org,o=isp
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: inetUser
objectclass: ipUser
objectclass: nsManagedPerson
objectclass: userPresenceProfile
objectclass: inetMailUser
objectclass: inetLocalMailRecipient
mailuserstatus: active
inetuserstatus: active
datasource: NDA 4.5 Delegated Administrator
nsdacapability: mailListCreate
userpassword: {crypt}qvSQMcsoYwR5Q
uid: test-digest
givenname: test
sn: digest
cn: test digest
preferredlanguage: en
maildeliveryoption: program
mailprogramdeliveryinfo: testd
mailhost: maxima.liston.nu
mail: [email protected]

dn: uid=test-request,ou=people,o=sonny.org,o=isp
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: inetUser
objectclass: ipUser
objectclass: nsManagedPerson
objectclass: userPresenceProfile
objectclass: inetMailUser
objectclass: inetLocalMailRecipient
mailuserstatus: active
inetuserstatus: active
datasource: NDA 4.5 Delegated Administrator
nsdacapability: mailListCreate
userpassword: {crypt}RIMZpTZBydwqw
uid: test-request
givenname: test
sn: request
cn: test request
preferredlanguage: en
maildeliveryoption: program
mailprogramdeliveryinfo: testq
mailhost: maxima.liston.nu
mail: [email protected]

No end user should ever write directly to the *-outgoing aliases, or to the *-test or *-archive addresses. Subscriptions and removals are handled at the majordomo addresses, but to activate the archive or digest for the list, just add their address(es) as members of the "test" mailing list (/opt/majordom/data/lists/test) or as normal email commands to majordomo.

4. Refresh the MTA, and perhaps even run stop-msg and start-msg for good measure.
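Steps c and d and the LDIF entries above are repeated once per list, following the test / test-archive / test-digest / test-request naming and the testr / testa / testd / testq method names. The following is an added example, not code from the appendix or from Majordomo, that generates the per-list imsimta program commands and LDIF entries from a list name using the appendix's site values (sonny.org, maxima.liston.nu, /opt/majordom). It omits userpassword and the nsdacapability attribute (the appendix says mailListCreate is not needed), adds every list method with -e postmaster as the imsimta program -l listing shows, and does not generate aliases file lines, since that listing on this page is partly unreadable. list_roles, imsimta_commands, ldif_for_list and attr are names assumed for this example.

```python
"""Generate the per-list pieces the appendix creates by hand for the 'test' list."""
from typing import Dict, List

# Site values taken from the appendix.
MAJORDOMO_HOME = "/opt/majordom"
DOMAIN = "sonny.org"
MAILHOST = "maxima.liston.nu"
BASE_DN = "ou=people,o=sonny.org,o=isp"

# The objectclass chain every program-delivery account on the page carries.
OBJECTCLASSES = ["top", "person", "organizationalPerson", "inetOrgPerson",
                 "inetUser", "ipUser", "nsManagedPerson", "userPresenceProfile",
                 "inetMailUser", "inetLocalMailRecipient"]


def list_roles(listname: str, majordomo_request: int = 1) -> List[Dict[str, str]]:
    """The four program-delivery accounts a list needs, in the page's naming scheme.

    majordomo_request mirrors $majordomo_request in majordomo.cf: with 1 the
    -request address runs "majordomo -l <list>", with 0 it runs "request-send <list>".
    """
    archive = f"{MAJORDOMO_HOME}/data/archives/{listname}/{listname}"
    request_args = (f"majordomo -l {listname}" if majordomo_request
                    else f"request-send {listname}")
    return [
        {"uid": listname, "sn": "resend", "method": f"{listname}r",
         "args": f"resend -l {listname} {listname}-outgoing"},
        {"uid": f"{listname}-archive", "sn": "archive", "method": f"{listname}a",
         "args": f"archive2.pl -f {archive} -a M"},
        {"uid": f"{listname}-digest", "sn": "digest", "method": f"{listname}d",
         "args": f"digest -r -C -l {listname}-digest {listname}-digest-outgoing"},
        {"uid": f"{listname}-request", "sn": "request", "method": f"{listname}q",
         "args": request_args},
    ]


def imsimta_commands(listname: str, majordomo_request: int = 1) -> List[str]:
    """Step d of the appendix for an arbitrary list name."""
    cmds = []
    for role in list_roles(listname, majordomo_request):
        method, args = role["method"], role["args"]
        cmds.append(f'./imsimta program -a -m {method} -p wrapper -g "{args}" -e postmaster')
    return cmds


def ldif_entry(role: Dict[str, str], listname: str) -> str:
    """One LDIF entry in the shape of the page's uid=test* entries."""
    uid = role["uid"]
    lines = [f"dn: uid={uid},{BASE_DN}"]
    lines += [f"objectclass: {oc}" for oc in OBJECTCLASSES]
    lines += ["mailuserstatus: active", "inetuserstatus: active",
              f"uid: {uid}", f"givenname: {listname}", f"sn: {role['sn']}",
              f"cn: {listname} {role['sn']}", "preferredlanguage: en",
              "maildeliveryoption: program",
              f"mailprogramdeliveryinfo: {role['method']}",
              f"mailhost: {MAILHOST}", f"mail: {uid}@{DOMAIN}"]
    return "\n".join(lines) + "\n"


def ldif_for_list(listname: str, majordomo_request: int = 1) -> str:
    """All four entries for a list, blank-line separated, ready for ldapmodify -a."""
    return "\n".join(ldif_entry(r, listname)
                     for r in list_roles(listname, majordomo_request))


def attr(entry: str, name: str) -> List[str]:
    """Values of one attribute in a single LDIF entry (used to check the output)."""
    prefix = name.lower() + ":"
    return [line.split(":", 1)[1].strip()
            for line in entry.splitlines() if line.lower().startswith(prefix)]


if __name__ == "__main__":
    print("\n".join(imsimta_commands("test")))
    print(ldif_for_list("test"))
```

Feed the LDIF to ldapmodify -a against the directory master, run the printed imsimta program commands from server-root/msg-hostname, then refresh the MTA as step 4 says.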
Glossary

access control information: A single item of information from an access control list within an LDAP directory.

access control list: A set of data associated with a directory that defines the permissions that users and groups have for accessing it.

ACI: See access control information.

ACL: See access control list.

API: applications programming interface.

APOP: See Authenticated Post Office Protocol.

applications service provider: An application service provider is a company that offers individuals or enterprises access over the Internet to applications and related services that would otherwise have to be located in their own personal or enterprise computers.

ASP: See applications service provider.

Authenticated Post Office Protocol: Similar to the Post Office Protocol, but instead of using a plaintext password for authentication, it uses an encoding of the password together with a challenge string.
CLI: See command-line interface.

cn: LDAP alias for common name.

command-line interface: Text-driven interface as opposed to a GUI; can easily be used to script or automate repetitive processes.

comment character: A character that, when placed at the beginning of a line, turns the line into a nonexecutable comment.

CSV: comma separated variable-length file.

DC Tree: Domain Component tree. A directory information tree that mirrors the DNS network syntax. An example of a distinguished name in a DC Tree is: cn=billbob,dc=bridge,dc=net,o=internet.

DHCP: Dynamic Host Configuration Protocol.

DMZ: demilitarized zone.

DNLC: directory name lookup cache.

DNS: See Domain Name Service.

domain name: The unique name that identifies an Internet website. Domain names have two or more parts, separated by periods (dots).

Domain Name Service: A distributed name resolution software that allows computers to locate other computers on a network or the Internet by domain name. The system associates standard IP addresses with host names (such as www.siroe.com). Machines normally get this information from a DNS server. DNS servers provide a distributed, replicated, data query service for translating hostnames.

DOS: denial of service.

DSN: delivery status notification.

elm: Originally an acronym to refer to ELectronic Mail, but it is also a program used to read mail on terminals using a text interface (that is, not a GUI).

EOL: end of life.

ESMTP: See Extended Simple Mail Transfer Protocol.

Extended Simple Mail Transfer Protocol: An Internet message transport protocol. ESMTP adds optional commands to the SMTP command set for enhanced functionality, including the ability for ESMTP servers to discover which commands are implemented by the remote site.
FQN: fully qualified host name.

FTP: File Transfer Protocol.

GUI: graphical user interface.

HRS: human resource system.

HTTP: See HyperText Transfer Protocol.

HTTPS: Hypertext Transfer Protocol, Secure.

HyperText Transfer Protocol: A standard protocol that allows the transfer of hypertext documents over the Web. The iPlanet Messaging Server provides an HTTP service to support web-based email. See also Messenger Express.

IDA: iPlanet delegated administrator.

IDC: internet data center.

IETF: Internet Engineering Task Force.

IM: instant messaging.

IMAP: See Internet Message Access Protocol Version 4.

IMAP4: See Internet Message Access Protocol Version 4.

IMP: input message processing.

Internet Message Access Protocol Version 4: A standard protocol that allows users to be disconnected from the main messaging system and still be able to process their mail. The IMAP specification allows for administrative control for these disconnected users and for the synchronization of the users' message store once they reconnect to the messaging system.

Internet Protocol: The basic network-layer protocol on which the Internet and intranets are based.

Internet Service Provider: A company that provides Internet services to its customers including email, electronic calendaring, access to the world wide web, and web hosting.

IP: See Internet Protocol.

ISP: See Internet Service Provider.
JASS: Jumpstart Architecture and Security Scripts.

LDAP: See Lightweight Directory Access Protocol.

LDIF: See Lightweight Data Interchange Format.

Lightweight Data Interchange Format: The format used to represent Directory Server entries in text form.

Lightweight Directory Access Protocol: Directory service protocol designed to run over TCP/IP and across multiple platforms. A simplification of the X.500 Directory Access Protocol (DAP) that allows a single point of management for storage, retrieval, and distribution of information, including user profiles, mail lists, and configuration data across iPlanet servers. The iPlanet Directory Server uses the LDAP protocol.

LMTP: See Local Mail Transfer Protocol.

Local Mail Transfer Protocol: A derivative of the SMTP and E/SMTP protocols that is nearly identical. LMTP is designed to provide a status reply per message recipient versus SMTP's single reply code per message transaction.

Mail eXchanger record: A mail eXchanger record is an entry in your DNS table that controls where email is sent for a particular or given domain name.

MEM: messenger express multiplexer.

message-handling system: A group of connected MTAs, their user agents, and message stores.

Message Transfer Agent: A specialized program for routing and delivering messages. MTAs work together to transfer messages and deliver them to the intended recipient. The MTA determines whether a message is delivered to the local message store or routed to another MTA for remote delivery.

messaging multiplexer proxy: A specialized messaging server that acts as a single point of connection to multiple messaging servers.

Messaging Server administrator: The administrator whose privileges include installation and administration of an iPlanet Messaging Server instance.

Messenger Express: A mail client that enables users to access their mailboxes through a browser-based (HTTP) interface. Messages, folders, and other mailbox information are displayed in HTML in a browser window. See also web mail.

MHS: See message-handling system. See also Simple Network Management Protocol.

MIB: management information base.
MIME See Multipurpose Internet Mail Extension.MM P See messaging multiplexer proxy.
MTA See Message Trans fer Agent.
MTA configu ration
file The file (imta.cnf) that contains all channel definitions for the MessagingServer plus th e rewrite rules that d etermine how ad dresses are rewr itten forrouting.
MTBF mean time between failures.
MTTR mean time to rep air (or recover).
Multipurpose Internet
Mail Extension A protocol you can u se to includ e multimedia in email messages by app end ingthe multimedia file in the message. This protocol that allows for thetransmission of data in m any forms, such as aud io, binary, or video. See alsoSMIME.
MX See Mail eXchang er record .
N DA Netscape d elegated ad ministrator.
NFS Network File Server or Network File System.N IS Netw ork Information Service.
NMS Netscape Messaging Server.
PAB personal address book.
password
authentication Verifies that the user’s password is valid.
PDA personal digital assistant.
PGP Pretty Good Privacy, a program and message format for encrypting and digitally signing email.
PIN personal identification number.
Pine Program for Internet News and Email. See also elm.
plaintext Data that is not encrypted. Whether a plaintext password is actually exposed depends on the transport and on the authentication mechanism. Over an SSL/TLS-protected connection, a password sent by the PLAIN or LOGIN mechanism is encrypted on the wire and is therefore not visible as cleartext; sent without SSL/TLS it is. Challenge-response SASL mechanisms such as CRAM-MD5 and DIGEST-MD5 never send the password itself, only a hash computed from the password and a server-supplied challenge; the SASL PLAIN mechanism does send the password itself and should be permitted only over SSL/TLS. See also Secure Sockets Layer and Simple Authentication and Security Layer.
plaintext
authentication See password au thentication.
POP See Post Office Protocol Version 3.
POP3 See Post Office Protocol Version 3.
Post Office Protocol
Version 3 A protocol that provides a standard delivery method and that does not require the message transfer agent to have access to the user's mail folders. Not requiring access is an advantage in a networked environment.
PS PostScript.
QoS Quality of Service.
RDNS reverse DNS.
SASL See Simple Authentication and Security Layer.
SDLC Systems development life cycle.
SDN See Software Delivery Network.
Secure Sockets Layer A commonly used protocol for protecting the confidentiality and integrity of a session on the Internet. SSL has been succeeded by Transport Layer Security (TLS), which is based on SSL. SSL sits as a layer between the application protocol (HTTP, IMAP, POP, SMTP) and TCP.
Short Messaging
Service A service for sending messages of up to 160 characters (140 octets using the 7-bit GSM default alphabet; 70 characters if UCS-2 is used) to mobile phones and other devices on Global System for Mobile communication (GSM) networks. Because of the length restriction, it is advantageous to strip attachments and most header information from normal email when delivering it to an SMS device.
Simple Authentication
and Security Layer A framework for negotiating the mechanism by which POP, IMAP or SMTP clients authenticate themselves to the server. iPlanet Messaging Server support for SMTP SASL use complies with RFC 2554 (ESMTP AUTH). SASL is defined in RFC 2222.
Simple Mail Transfer
Protocol The email transfer protocol most commonly used on the Internet and the protocol supported by the iPlanet Messaging Server. Defined in RFC 821, with the associated message format in RFC 822 (both since revised as RFC 2821 and RFC 2822).
Simple Network
Management Protocol The protocol governing network management and the monitoring of network devices and their functions. It is not limited to TCP/IP networks. SNMP version 1 is described formally in RFC 1157 and in a number of other related RFCs.
SIMS Sun Internet Mail Server.
SIP Session Initiation Protocol.
SIS student information system.
SMIME Secure Multipurpose Internet Mail Extension.
SMS See Short Messaging Service.
SMTP See Simple Mail Transfer Protocol.
SNMP See Simple Network Management Protocol.
Software Delivery
Network Software Delivery Network, sometimes referred to as Service Delivery Network, is a term used by Sun to describe and define an infrastructure designed to provide a foundation for scalable network-based services, such as the Sun ONE Messaging Server and Sun ONE Directory Server, while meeting demands for reliability and performance.
SPI stateful packet inspection.
SPN service provider networks.
SSL See Secure Sockets Layer.
SSO single sign on.
TCO total cost of ownership.
TCP See Transmission Control Protocol.
TCP/IP See Transmission Control Protocol/Internet Protocol.
TLS See Transport Layer Security.
Transmission Control
Protocol The basic transport protocol in the Internet protocol suite. It provides a reliable, connection-oriented stream service between two hosts and runs on top of the Internet Protocol.
Transmission Control
Protocol/Internet
Protocol The name given to the collection of network protocols that make up the Internet protocol suite. The name refers to the two primary protocols of the suite, the Transmission Control Protocol and the Internet Protocol.
Transport Layer
Security The IETF-standardized successor to SSL, defined in RFC 2246. See also Secure Sockets Layer.
UBE See unsolicited bulk email.
UCE unsolicited commercial email. See unsolicited bulk email.
UDDI universal description, discovery, and integration.
unsolicited bulk
email Unrequested and unwanted email, sent from bulk distributors, usually for commercial purposes.
user agent The client component, such as Netscape Communicator, that allows users to create, send, and receive mail messages.
VPN virtual private network.
WAN wide area network.
web mail A generic term for browser-based email services. A browser-based client, known as a thin client because more processing is done on the server, accesses mail that is always stored on a server. See also Messenger Express.
Bibliography
Albitz, Paul and Liu, Cricket, DNS and BIND, 4th Edition, April 2001, O'Reilly.
Author unknown, "Sun ONE Messaging Server Version 5.2 - A Technical Whitepaper," Sun Microsystems.
Bialaski, Tom, "Understanding Solaris 9 Operating Environment Directory Services," December 2002, Sun BluePrints.
Bialaski, Tom, "Running Multiple Solaris Operating Environment Naming Services on a Client," May 2001, Sun BluePrints.
Bialaski, Tom, "Automating LDAP Client Installations," July 2001, Sun BluePrints.
Carter, Gerald, LDAP System Administration, March 2003, O'Reilly.
Deeths, David, and Howard, John S., Configuring Boot Disks, December 2001, Prentice Hall.
Elling, Richard, Operating Environment: Solaris 8 Installation and Boot Disk Layout, March 2000, Prentice Hall.
Johnson, Kevin, Internet Email Protocols: A Developer's Guide, 2000, Addison-Wesley Publishing Co.
Liu, Cricket, DNS & BIND Cookbook, October 2002, O'Reilly.
Lopez, Steve, "Solaris Operating Environment LDAP Capacity Planning and Performance Tuning," May 2002, Sun BluePrints.
Mullet, Dianna, and Mullet, Kevin, Managing IMAP, September 2000, O'Reilly.
Twomey, John, "iPlanet Messaging Server Migration from UNIX Sendmail," July 2002, Sun Microsystems.
Venditti, Nicola, "Writing an Authentication Plug-in for a Sun ONE Directory Server," March 2003, Sun BluePrints.
Weber, Stefan, "Securing LDAP Through TLS/SSL--A Cookbook," June 2002, Sun BluePrints.
Winsor, Janice, Solaris System Administrator's Guide, 4th Edition, May 2003, Prentice Hall.
Wood, David, Programming Internet Email, September 2000, O'Reilly.
Index
A
access control
    instruction, 159
    lists, 105
additional attributes, 16
administration ports, 70
administration web interface, 54
alias, 16
aliases file, 171
alternate address, 16
annual checks, 214
antispam, 91, 163, 199
applications programming interfaces, 189
applications service provider, xviii
architecting, high availability differences, 201
architecture
    categories, 15
    high availability, 27, 203
    messaging, 15
    secure, 25
    secure with failover, 28
    single layer, 18
    typical, 23
authentication cache size
    DOS, 183
    tuning, 183
authentication cache TTL, tuning, 183

B
Big Brother, 218
BMC Patrol, 219

C
calendar, web-based, 10
checklists, periodic maintenance, 209
checks
    annual, 214
    daily, 210
    monthly, 212
    quarterly, 213
    weekly, 212
clients, popular, 8
comma separated variable-length file, 173
command-line interface, provisioning, 55
common name, 172
configuration
    current settings, 45
    Message Transfer Agent, 91
    MTA directory, 96
    MTA files, 96
    shared folders, 103
connectivity, network, 37
console, administration, 53
conversion channel
    append disclaimer, 192
    message processing, 189
conversion utility, PS to Acrobat, 197
CONVERSIONS file, 192
CSV file, 62
customizing, messenger express, 123

D
daemons, multiple, 45
daily checks, 210
data feeds, 62
database temporary directory, tuning, 183
delegated administrator
    creating and administrating aliases, 171
    GUI installation, 84
    server installing, 82
delivery status notifications, tuning, 188
demilitarized zone, 15, 155
denial of service, 183
denial of service, prevention tuning, 181
dequeue message, 185
DHCP, 39
direct deliver
    shared folders, 103
    user folder, 103
direct LDAP
    lookups, tuning, 187
    manipulation, 171
direct lookup, LDAP, 94
directory, high availability, 204
dirsync, 94
disclaimer, adding a, 191
disk layout, 32
dispatcher, tuning, 185
domain name, 39
Domain Name Service, xviii
Dynamic Host Configuration Protocol, 39

E
electronic messaging, 1
elm, 4, 175
email, 1
email system, overall design, 65
enterprise web server, installing, 82
etc/system, tuning, 181
Extended Simple Mail Transfer Protocol, 17

F
failover software, 202
fully qualified host name, 37

H
high availability
    architectures, 203
    best practices and caveats, 207
    conclusions, 207
    configuration, 27
    directory, 204
    installation procedure and notes, 207
    mailstore, 204
    messaging deployment, 201
    other architectures, 204
host name, fully qualified, 37
hosts, critical, 37

I
identifier and rights pairs, shared folders, 105
IMAP, xx, 17
    client, shared folders, 111
ims_master processes, tuning, 185
ims-ms channel, tuning, 186
IMTA, 187
imta_tailor file, tuning, 187
installation
    script, 89
    simple, 71
    software, 69
    values, 72
instant messaging, 3, 7
Internet data center, 13
Internet Engineering Task Force, 16
Internet Service Provider, xviii, 18

J
Java, 11, 53
JavaScript, 133
job controller, tuning, 185
job_limit, tuning, 186
JumpStart, 35
JumpStart Architecture and Security Scripts, 157

L
layers, security, 153
LDAP
    hosts, tuning, 183
    timeout, tuning, 184
LDAP Data Interchange Format (LDIF), 173
Lightweight Directory Access Protocol, xviii, 57
load balancing, network, 38
Local Mail Transfer Protocol, 17
log file location, 45
login screen, customizing, 126
logos, changing and adding, 124

M
mail eXchanger record, 24
mail gateway, 17
mailstore, 17
mailstore, high availability, 204
management information bases, 215
MAPPINGS file, 191
mappings, changing, 93
master directory server
    installing, 75
    preparing for messaging, 77
MAX_CLIENT_THREADS, tuning, 186
MAX_INTERNAL_BLOCKS, tuning, 187
message dequeue, 185
message processing, conversion channel, 189
message transfer agent, 17
Message Transfer Agent, configuration, 91
messages, number of, 3
messaging
    devices, 2
    electronic, 1
    high availability deployment, 201
    high availability, differences in planning, 206
    implementations, 1
    in a box, 18, 70
    managing and preventive maintenance, 209
    strategy, 7
    system testing, 85
    system verification, 87
    unified, 3
messaging multiplexer proxy, 18
messaging server
    current configuration, 45
    installing, 81
messaging services, beyond the basics, 8
messaging system, basic parts, 16
messaging, web, 9
messenger express, customizing, 123
migration
    aliases and system-wide mailing lists, 170
    basic steps, 167
    export and import, 173
    messages and folders, 169
    password importance, 168
    personal address books, lists, and bookmarks, 172
    sendmail, 174
    sendmail mailbox content, 175
    sendmail mailing lists, 175
    sendmail personal address books, 175
    sendmail user information, 174
    specialized software, 175
    user information, 168
    utilities, other, 173
    utility, 173
MIME messages, parts, 189
MMP, tuning, 184
monitoring, SNMP, 215
monthly checks, 212
MTA, 17, 215
    basics, 92
    history, 91
    possibilities, 199
    tuning, 185
Mulberry, shared folders, 111

N
naming services, 38
ncsize, tuning, 182
Netscape Messaging Server, 91, 247
Netscape Messenger, shared folders, 114
network connectivity, issues, 37
Network Information Service, 39
notices, tuning, 187
number of processes, tuning and limitation, 182

O
option.dat, tuning, 186
options tab
    adding options, 133
    removing options, 130
Orca, 218
outlook express, shared folders, 119
over-quota limits, configuring, 147

P
partitioning, 32
passwords, options for handling, 168
personal address book, 10
personal digital assistants, 2
Pine, 4, 175
port numbers, 45
portal, 10
Post Office Protocol, 4
postmaster
    mail, tuning, 188
    user account, creating, 85
practices, good computing, 31
Pretty Good Privacy (encryption), 163
process settings, 45
production and a non-production environment, differences, 32
production environment, 32
production versus non-production, 32
project Orion, 11
protocol status, 45
provisioning
    administration console, 53
    authoritative sources, 61
    command-line interface, 55
    data feeds, 62
    delegated administrator for messaging, 54
    issues, 60
    Lightweight Directory Access Protocol, 57
    methods, 53
    sample script, 66
    script, 66
    user ID, 64
    web, 54
proxy servers
    benefits, 26
    drawbacks, 25

Q
Quality of Service, 13
quarterly checks, 213

R
return errors, customizing, 151
reverse database, tuning, 187
reverse DNS, 162

S
sample provisioning script, 66
Secure Multipurpose Internet Mail Extensions, 26
Secure Socket Layer, 5
security
    antivirus and antispam, 163
    digital signing, 163
    directory, 159
    enabling SSL, 161
    layers, 153
    message contents, 163
    message store, 162
    messaging server software points, 165
    messaging software protocols, 159
    MTA, 162
    network layer, 154
    non-standard ports, 161
    PGP signing, 163
    reverse DNS lookup, 162
    search limits, 160
    SMTP, 162
    Solaris OE, 157
    system, 157
sendmail, disabling, 74
servers, proxy, 18
service provider networks, 13
services, directory, 9
Session Initiation Protocol, 3
shared folders
    configuration, 103
    description, 104
    direct deliver, 103
    identifier and rights pairs, 105
    IMAP client, 111
    limitations, 106
    Mulberry, 111
    Netscape Messenger, 114
    outlook express, 119
    permission, 107
Short Messaging Service, 4
Simple Authentication and Security Layer, 100
Simple Mail Transfer Protocol, 4
simple messaging installation with MTA
    benefits, 24
    drawbacks, 24
SIMS, 91, 94
single layer architecture
    benefits, 19
    drawbacks, 19
single sign on, 65, 138
    enabling, 138
SMTP
    relays, 23
    security, 162
software
    download location, 70
    installation and configuration, 69
software delivery network, 7
    concept, 12
Solaris OE
    basic installation, 33
    tuning, 180
spam, 5
standards
    open, 7
    supported for shared folders, 105
stateful packet inspection, 155
store database cache size, tuning, 183
Sun Internet Mail Server, 91
Sun Management Center, 216, 217
system
    startup, 41
    status, 41
system security points, 158
systems development life cycle, xix

T
TCP/IP, tuning, 179, 180
tcp_local_*_option files, tuning, 181
test accounts, creating, 86
threaddepth, tuning, 186
tools, alternative, 216
total cost of ownership, 19
Transmission Control Protocol/Internet Protocol, 100
tuning
    authentication cache TTL, 183
    delivery status notification, 188
    direct LDAP lookups, 187
    dispatcher, 185
    etc/system, 181
    ims_master processes, 185
    ims-ms channel, 186
    imta_tailor file, 187
    job controller, 185
    job_limit, 186
    LDAP hosts, 183
    LDAP timeout, 184
    MAX_CLIENT_THREADS, 186
    MAX_INTERNAL_BLOCKS, 187
    MMP, 184
    MTA, 185
    ncsize, 182
    notices, 187
    option.dat, 186
    postmaster mail, 188
    reverse database, 187
    Solaris OE, 180
    store database cache size, 183
    TCP/IP, 179, 180
    tcp_local_*_option files, 181
    threaddepth, 186
    user and group bind, 183
    web mail spool directory, 184
typical architecture, benefits, 23

U
unified messaging, 3
unique user ID, 64
UNIX user account and group, creating, 73
unsolicited bulk email, 5
user and group bind, tuning, 183
user folder, direct deliver, 103
user ID
    data file sample, 65
    email address, 64
user population turnover, 65
user store, 16

V
virtual private network, 24, 154
virus scanning, 198

W
warning email, configuring, 147
web mail permissions, 106
web mail spool directory, tuning, 184
web service, 11
web-based calendar, 10
weekly checks, 212
welcome email, setting initial, 146
What's Up Gold, 216