Sun Java System Messaging Server 6 2004Q2 Administration Guide 

Chapter 5
Configuring POP, IMAP, and HTTP Services

Messaging Server supports the Post Office Protocol 3 (POP3), the Internet Mail Access Protocol 4 (IMAP4), and the HyperText Transfer Protocol (HTTP) for client access to mailboxes. IMAP and POP are both Internet-standard mailbox protocols. Messenger Express, a web-enabled electronic mail program, lets end users access their mailboxes using a browser running on an Internet-connected computer system using HTTP.

This chapter describes how to configure your server to support one or more of these services by using the Sun ONE Console or by using command-line utilities.

For information on configuring Simple Mail Transfer Protocol (SMTP) services, see Chapter 10, "About MTA Services and Configuration".    

This chapter contains the following sections:


General Configuration

Configuring the general features of the Messaging Server POP, IMAP, and HTTP services includes enabling or disabling the services, assigning port numbers, and optionally modifying service banners sent to connecting clients. This section provides background information; for the steps you follow to make these settings, see To Configure POP Services, To Configure IMAP Services, and To Configure HTTP Services.

Enabling and Disabling Services

You can control whether any particular instance of Messaging Server makes its POP, IMAP, or HTTP service available for use. This is not the same as starting and stopping services (see Starting and Stopping Services); to function, POP, IMAP, or HTTP must be both enabled and started.

Enabling a service is a more “global” process than starting or stopping a service. For example, the Enable setting persists across system reboots, whereas you must restart a previously “stopped” service after a reboot.

There is no need to enable services that you do not plan to use. For example, if a Messaging Server instance is used only as a message transfer agent (MTA), you should disable POP, IMAP, and HTTP. If it is used only for POP services, you should disable IMAP and HTTP. If it is used only for web-based email, you should disable both POP and IMAP.

You can enable or disable services at the server level. This process is described in this chapter. To Specify What Services are Started also describes this process. You can also enable or disable services at the user level by setting the LDAP attribute mailAllowedServiceAccess.

Specifying Port Numbers

For each service, you can specify the port number that the server is to use for service connections:

You might need to specify a port number other than the default if you have, for example, two or more IMAP server instances on a single host machine, or if you are using the same host machine as both an IMAP server and a Messaging Multiplexor server. (For information about the Multiplexor, see Chapter 7, "Configuring and Administering Multiplexor Services".)

Keep the following in mind when you specify a port:

Ports for Encrypted Communications

Messaging Server supports encrypted communications with IMAP and HTTP clients by using the Secure Sockets Layer (SSL) protocol. For general information on support for SSL in Messaging Server, see Configuring Encryption and Certificate-Based Authentication.

IMAP Over SSL

You can accept the default IMAP over SSL port number (993) or you can specify a separate port for IMAP over SSL.

Messaging Server provides the option of using separate ports for IMAP and IMAP over SSL because most current IMAP clients require separate ports for them. Same-port communication with both IMAP and IMAP over SSL is an emerging standard; as long as your Messaging Server has an installed SSL certificate (see Obtaining Certificates), it can support same-port IMAP over SSL.

HTTP Over SSL

You can accept the default HTTP over SSL port number (443) or you can specify a separate port for HTTP.

Service Banner

When a client first connects to the Messaging Server POP or IMAP port, the server sends an identifying text string to the client. This service banner (not normally displayed to the client’s user) identifies the server as Sun Java System Messaging Server, and gives the server’s version number. The banner is most typically used for client debugging or problem-isolation purposes.

You can replace the default banner for the POP or IMAP service if you want a different message sent to connecting clients.

You can use Sun ONE Console or the configutil utility (service.imap.banner, service.pop.banner) to set service banners. For detailed syntax information about configutil, see the Sun Java System Messaging Server Administration Reference (http://docs.sun.com/doc/817-6267).


Login Requirements

You can control how users are permitted to log in to the POP, IMAP, or HTTP service to retrieve mail. You can allow password-based login (for all services), and certificate-based login (for IMAP or HTTP services). This section provides background information; for the steps you follow to make these settings, see To Configure POP Services, To Configure IMAP Services, or To Configure HTTP Services. In addition, you can specify the valid login separator for POP logins.

To Set the Login Separator for POP Clients

The messaging server will not accept @ as the login separator for some POP mail clients (that is, the @ in an address like uid@domain). Examples of these clients are Netscape Messenger 4.76, Netscape Messenger 6.0, and Microsoft Outlook Express on Windows 2000. The workaround is as follows:

  1. Make + a valid separator with the following command:

     configutil -o service.loginseparator -v "@+"

  2. Inform POP client users that they should log in with + as the login separator, not @.

Password-Based Login

In typical messaging installations, users access their POP, IMAP, or HTTP mailboxes by entering a password into their mail client. The client sends the password to the server, which uses it to authenticate the user. If the user is authenticated, the server decides, based on access-control rules, whether or not to grant the user access to certain mailboxes stored on that server.

If you allow password login, users can access POP, IMAP, or HTTP by entering a password. (Password-based login is the only authentication method for POP services.) Passwords are stored in an LDAP directory. Directory policies determine what password policies, such as minimum length, are in effect.

If you disallow password login for IMAP or HTTP services, password-based authentication is not permitted. Users are then required to use certificate-based login, as described in the next section.

To increase the security of password transmission for IMAP and HTTP services, you can require that passwords be encrypted before they are sent to your server. You do this by selecting a minimum cipher-length requirement for login.

If the client is configured to require encryption with key lengths greater than the maximum your server supports, or if your server is configured to require encryption with key lengths greater than what the client supports, password-based login cannot occur. For information on setting up your server to support various ciphers and key lengths, see To Enable SSL and Selecting Ciphers.

Certificate-Based Login

In addition to password-based authentication, Sun Java System servers support the authentication of users through examination of their digital certificates. Instead of presenting a password, the client presents the user’s certificate when it establishes an SSL session with the server. If the certificate is validated, the user is considered authenticated.

For instructions on setting up Messaging Server to accept certificate-based user login to the IMAP or HTTP service, see To Set Up Certificate-Based Login.

You don’t need to uncheck the “Allow password login” box in the IMAP or HTTP System form to enable certificate-based login. If the box is checked (its default state), and if you have performed the tasks required to set up certificate-based login, both password-based and certificate-based login are supported. Then, if the client establishes an SSL session and supplies a certificate, certificate-based login is used. If the client does not use SSL or does not present a client certificate, it will send a password instead.
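The login rules described above (the configurable login separator, password-based login governed by plaintextmincipher, and certificate-based login over SSL) as an added Python model. This is illustration code written for this page, not Messaging Server's implementation: the ordering of the checks (certificate first, then password) follows the paragraph above, while the function names, the ClientSession fields and the reading of the 40 and 128 settings as a minimum negotiated key length in bits are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Values the chapter lists for service.imap.plaintextmincipher /
# service.http.plaintextmincipher.
VALID_MIN_CIPHER = (-1, 0, 40, 128)
PASSWORD_ONLY_SERVICES = ("pop",)   # chapter: password login is the only POP method


def split_login(login: str, separators: str = "@") -> Tuple[str, Optional[str]]:
    """Split a login name into (uid, domain).

    `separators` holds every character accepted as the login separator,
    as set with service.loginseparator (for example "@+" makes both '@'
    and '+' valid). The first separator found wins; a login with no
    separator carries no explicit domain.
    """
    for i, ch in enumerate(login):
        if ch in separators:
            return login[:i], login[i + 1:]
    return login, None


@dataclass
class ClientSession:
    """What the server knows about a connection before authentication
    (hypothetical structure for this example)."""
    ssl: bool            # SSL session established with the client
    client_cert: bool    # client presented a certificate in the SSL handshake
    cipher_bits: int     # symmetric key length negotiated, 0 when not encrypted


def login_method(service: str, plaintextmincipher: int,
                 cert_login_configured: bool, session: ClientSession) -> str:
    """Return 'certificate', 'password' or 'refused: <reason>' for one connection."""
    service = service.lower()
    if plaintextmincipher not in VALID_MIN_CIPHER:
        raise ValueError(f"plaintextmincipher must be one of {VALID_MIN_CIPHER}")

    if service in PASSWORD_ONLY_SERVICES:
        return "password"   # POP: password login is automatically enabled

    # Certificate login is used when it is set up, the session is SSL and a
    # certificate was presented; otherwise the client is expected to send a password.
    if cert_login_configured and session.ssl and session.client_cert:
        return "certificate"

    if plaintextmincipher == -1:
        return "refused: password login disabled and no client certificate presented"
    if plaintextmincipher > 0:
        # 40 / 128: password login only over a cipher of at least that key length
        if not session.ssl:
            return (f"refused: passwords require a {plaintextmincipher}-bit cipher "
                    "but the connection is not encrypted")
        if session.cipher_bits < plaintextmincipher:
            return (f"refused: negotiated {session.cipher_bits}-bit cipher is below "
                    f"the required {plaintextmincipher} bits")
    return "password"


if __name__ == "__main__":
    print(split_login("jdoe+example.com", "@+"))
    print(login_method("imap", 128, True,
                       ClientSession(ssl=True, client_cert=False, cipher_bits=40)))
```

With plaintextmincipher set to 128, a client that connects without SSL, or negotiates only a 40-bit cipher, is refused unless it presents a certificate; with 0, the same client is allowed to send its password in the clear, which is the case the chapter suggests tightening.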


Performance Parameters

You can set some of the basic performance parameters for the POP, IMAP, and HTTP services of Messaging Server. Based on your hardware capacity and your user base, you can adjust these parameters for maximum efficiency of service. This section provides background information; for the steps you follow to make these settings, see To Configure POP Services, To Configure IMAP Services, or To Configure HTTP Services.

Number of Processes

Messaging Server can divide its work among several executing processes, which in some cases can increase efficiency. This capability is especially useful with multiprocessor server machines, in which adjusting the number of server processes can allow more efficient distribution of multiple tasks among the hardware processors.

There is a performance overhead, however, in allocating tasks among multiple processes and in switching from one process to another. The advantage of having multiple processes diminishes with each new one added. A simple rule of thumb for most configurations is to have one process per hardware processor on your server machine, up to a maximum of perhaps 4 processes. Your optimum configuration may be different; this rule of thumb is meant only as a starting point for your own analyses.

Note: On some platforms you might also want to increase the number of processes to get around certain per-process limits (such as the maximum number of file descriptors), specific to that platform, that may affect performance.

The default number of processes is 1 each for the POP, IMAP, and HTTP services.

Number of Connections per Process

The more simultaneous client connections your POP, IMAP, or HTTP service can maintain, the better it is for clients. If clients are denied service because no connections are available, they must then wait until another client disconnects.

On the other hand, each open connection consumes memory resources and makes demands on the I/O subsystem of your server machine, so there is a practical limit to the number of simultaneous sessions you can expect the server to support. (You might be able to increase that limit by increasing server memory or I/O capacity.)

IMAP, HTTP, and POP have different needs in this regard:

Thus, at a given moment for a given user demand, Messaging Server may be able to support many more open IMAP or HTTP connections than POP connections.

The default value for IMAP is 4000; the default value for HTTP is 6000 connections per process; the default value for POP is 600. These values represent roughly equivalent demands that can be handled by a typically configured server machine. Your optimum configuration may be different; these defaults are meant only as general guidelines.

Number of Threads per Process

Besides supporting multiple processes, Messaging Server further improves performance by subdividing its work among multiple threads. The server’s use of threads greatly increases execution efficiency, because commands in progress are not holding up the execution of other commands. Threads are created and destroyed, as needed during execution, up to the maximum number you have set.

Having more simultaneously executing threads means that more client requests can be handled without delay, so that a greater number of clients can be serviced quickly. However, there is a performance overhead to dispatching among threads, so there is a practical limit to the number of threads the server can make use of.

For POP, IMAP, and HTTP, the default maximum value is 250 threads per process. The numbers are equal despite the fact that the default number of connections for IMAP and HTTP is greater than for POP. It is assumed that the more numerous IMAP and HTTP connections can be handled efficiently with the same maximum number of threads as the fewer, but busier, POP connections. Your optimum configuration may be different, but these defaults are high enough that it is unlikely you would ever need to increase them; the defaults should provide reasonable performance for most installations.

Dropping Idle Connections

To reclaim system resources used by connections from unresponsive clients, the IMAP4, POP3, and HTTP protocols permit the server to unilaterally drop connections that have been idle for a certain amount of time.

The respective protocol specifications require the server to keep an idle connection open for a minimum amount of time. The default times are 10 minutes for POP, 30 minutes for IMAP, 3 minutes for HTTP. You can increase the idle times beyond the default values, but you cannot make them less.

If a POP or IMAP connection is dropped, the user must reauthenticate to establish a new connection. In contrast, if an HTTP connection is dropped, the user need not reauthenticate because the HTTP session remains open. For more information about HTTP session security, see About HTTP Security.

Idle POP connections are usually caused by some problem (such as a crash or hang) that makes the client unresponsive. Idle IMAP connections, on the other hand, are a normal occurrence. To keep IMAP users from being disconnected unilaterally, IMAP clients typically send a command to the IMAP server at some regular interval that is less than 30 minutes.

Logging Out HTTP Clients

An HTTP session can persist across multiple connections. HTTP clients are not logged out when a connection is dropped. However, if an HTTP session remains idle for a specified time period, the server will automatically drop the HTTP session and the client is logged out (the default time period is 2 hours). When the session is dropped, the client’s session ID becomes invalid and the client must reauthenticate to establish another session. For more information about HTTP security and session IDs, see About HTTP Security.


Client Access Controls

Messaging Server includes access-control features that allow you to determine which clients can gain access to its POP, IMAP, or HTTP messaging services (and SMTP as well). You can create flexible access filters that allow or deny access to clients based on a variety of criteria.

Client access control is an important security feature of Messaging Server. For information on creating client access-control filters and examples of their use, see Configuring Client Access to POP, IMAP, and HTTP Services and Configuring Client Access to SMTP Services.


To Configure POP Services

You can perform basic configuration of the Messaging Server POP service by using the configutil command or by using Sun ONE Console. Some of the more common POP services options are given in this chapter. A complete listing can be found in the Sun Java System Messaging Server Administration Reference.

For more information, see also:

Console     To configure the POP service using Console:

  1. From Sun ONE Console, open the Messaging Server you want to configure.
  2. Click the Configuration tab and open the Services folder in the left pane.
  3. Select POP.
  4. Click the System tab in the right pane.
  5. To enable the service, check the box labeled “Enable POP service at port” and assign a port number.
  6. Specify connection settings as follows:
  7. Specify process settings as follows:
  8. If desired, in the POP service banner field, specify a service banner.
  9. Click Save.

    Note

    For the POP service, password-based login is automatically enabled.


Command Line     You can set values for POP attributes at the command line as follows:

To enable or disable the POP service:

configutil -o service.pop.enable -v [ yes | no ]

To specify the port number:

configutil -o service.pop.port -v number

To set the maximum number of network connections per process:

configutil -o service.pop.maxsessions -v number

To set the maximum idle time for connections:

configutil -o service.pop.idletimeout -v number

To set the maximum number of threads per process:

configutil -o service.pop.maxthreads -v number

To set the maximum number of processes:

configutil -o service.pop.numprocesses -v number

To enable POP over SSL:

configutil -o service.pop.enablesslport -v 1
configutil -o service.pop.sslport -v 995

To specify a protocol welcome banner:

configutil -o service.pop.banner -v banner


To Configure IMAP Services

You can perform basic configuration of the Messaging Server IMAP service by using the configutil command or by using Sun ONE Console. Some of the more common IMAP services options are given in this section. A complete listing can be found in the Sun Java System Messaging Server Administration Reference. For more information, see also:

Console     To configure the IMAP service from the Console:

  1. From Sun ONE Console, open the Messaging Server you want to configure.
  2. Click the Configuration tab and open the Services folder in the left pane.
  3. Select IMAP.
  4. Click the System tab in the right pane.
  5. To enable the service, check the box labeled “Enable IMAP service at port” and assign a port number.
  6. If desired, enable password-based login.
  7. Specify connection settings as follows:
  8. Specify process settings as follows:
  9. If desired, in the IMAP service banner field, specify a service banner.
  10. Click Save.

Command Line     You can set values for the IMAP attributes at the command line as follows:

To enable or disable the IMAP service:

configutil -o service.imap.enable -v [ yes | no ]

To specify the port number:

configutil -o service.imap.port -v number

To enable a separate port for IMAP over SSL:

configutil -o service.imap.enablesslport -v [ yes | no ]

To specify a port number for IMAP over SSL:

configutil -o service.imap.sslport -v number

To enable or disable password login to the IMAP service:

configutil -o service.imap.plaintextmincipher -v value

where value is one of the following:

 -1 - Disables password login
  0 - Enables password login without encryption
 40 - Enables password login and specifies an encryption strength
128 - Enables password login and specifies an encryption strength

To set the maximum number of network connections per process:

configutil -o service.imap.maxsessions -v number

To set the maximum idle time for connections:

configutil -o service.imap.idletimeout -v number

To set the maximum number of threads per process:

configutil -o service.imap.maxthreads -v number

To set the maximum number of processes:

configutil -o service.imap.numprocesses -v number

To specify a protocol welcome banner:

configutil -o service.imap.banner -v banner


To Configure HTTP Services

POP and IMAP clients send mail directly to Messaging Server MTA for routing or delivery. In contrast, HTTP clients send mail to a specialized web server that is part of Messaging Server. The HTTP service then sends the message to the local MTA or to a remote MTA for routing or delivery, as shown in Figure 5-1. If Messaging Server is used only for web-based email, disable both POP and IMAP.

Figure 5-1  HTTP Service Components

(Figure not reproduced here; it shows HTTP routing in Messaging Server.)

Many of the HTTP configuration parameters are similar to the parameters available for the POP and IMAP services. These include parameters for connection settings and process settings. Some of the more common HTTP service options are given in this section. A complete listing can be found in the Sun Java System Messaging Server Administration Reference. For more information, see also:

Some parameters are specific to the HTTP service; these include parameters for message settings and MTA settings.

Message Settings     When an HTTP client constructs a message with attachments, the attachments are uploaded to the server and stored in a file. The HTTP service retrieves the attachments and constructs the message before sending the message to an MTA for routing or delivery. You can accept the default attachment spool directory or specify an alternate directory. You can also specify a maximum size allowed for attachments.

MTA Settings     By default, the HTTP service sends outgoing web mail to the local MTA for routing or delivery. You might want to configure the HTTP service to send mail to a remote MTA, for example, if your site is a hosting service and most recipients are not in the same domain as the local host machine. To send web mail to a remote MTA, you need to specify the remote host name and the SMTP port number for the remote host.

Console     To configure your HTTP service by using Sun ONE Console:

  1. From Sun ONE Console, open the Messaging Server you want to configure.
  2. Click the Configuration tab and open the Services folder in the left pane.
  3. Select HTTP.
  4. Click the System tab in the right pane.
  5. To enable the service, check the box labeled “Enable HTTP service at port” and assign a port number.
  6. If desired, enable password-based login.
  7. Specify connection settings as follows:
  8. Specify process settings as follows:
  9. Specify Message settings as follows:
    • If desired, specify the attachment spool directory.
    • If desired, specify the maximum outgoing mail size. Note that this includes all the attachments encoded in base64, and that base64 encoding requires about 33% more space. Thus a 5 megabyte limit in the console results in the maximum size of one message and attachments being about 3.75M.
    • For more information, see Message Settings.

  10. Specify MTA settings as follows:
    • If desired, specify an alternate MTA host name.
    • If required, specify an alternate MTA port.
    • For more information, see MTA Settings.

  11. Click Save.

Command Line     You can set values for the HTTP attributes at the command line as follows (see the Sun Java System Messaging Server Administration Reference at http://docs.sun.com/doc/817-6267 for more information):

To enable or disable the HTTP service:

configutil -o service.http.enable -v [ yes | no ]

To specify the port number:

configutil -o service.http.port -v number

To enable a separate port for HTTP over SSL:

configutil -o service.http.enablesslport -v [ yes | no ]

To specify a port number for HTTP over SSL:

configutil -o service.http.sslport -v number

To enable or disable password login:

configutil -o service.http.plaintextmincipher -v value

where value is one of the following:

 -1 - Disables password login
  0 - Enables password login without encryption
 40 - Enables password login and specifies an encryption strength
128 - Enables password login and specifies an encryption strength

To set the maximum number of network connections per process:

configutil -o service.http.maxsessions -v number

To set the maximum idle time for connections:

configutil -o service.http.idletimeout -v number

To set the maximum idle time for client sessions:

configutil -o service.http.sessiontimeout -v number

To set the maximum number of threads per process:

configutil -o service.http.maxthreads -v number

To set the maximum number of processes:

configutil -o service.http.numprocesses -v number

To specify the attachment spool directory for client outgoing mail:

configutil -o service.http.spooldir -v dirpath

To specify the maximum message size:

configutil -o service.http.maxmessagesize -v size

where size is a number in bytes. Note that this includes all the attachments encoded in base64, and that base64 encoding requires about 33% more space. Thus a 5 megabyte limit in the console results in the maximum size of one message and attachments being about 3.75M.

To specify an alternate MTA host name:

configutil -o service.http.smtphost -v hostname

To specify the port number for the alternate MTA host name:

configutil -o service.http.smtpport -v portnum
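An offline audit of the configutil options covered in this chapter, as an added Python example; it is not part of the guide or of Messaging Server. It takes a map of option name to value (a constructed sample here, standing in for what you would read back with configutil -o option) and checks it against the rules the chapter states: disable services the host is not meant to offer, do not accept passwords without encryption (plaintextmincipher 0), do not set idle timeouts below the protocol minimums of 10, 30 and 3 minutes, and account for the base64 overhead in service.http.maxmessagesize. For each finding it prints the configutil command that would correct it. The idea of declaring the host's intended services as "roles", and the assumption that the idletimeout values are expressed in minutes (verify this against the Administration Reference), are this script's own.

```python
from typing import Dict, List, Optional, Tuple

SERVICES = ("pop", "imap", "http")
# Protocol minimum idle times quoted in the chapter (assumed to be the unit
# of service.*.idletimeout; check the Administration Reference).
MIN_IDLE_MINUTES = {"pop": 10, "imap": 30, "http": 3}
RECOMMENDED_MIN_CIPHER = 128            # strongest plaintextmincipher value listed

# (option, explanation, configutil fix or None when informational)
Finding = Tuple[str, str, Optional[str]]

# Constructed sample: an instance meant to act as MTA plus IMAP server only.
SAMPLE_CONFIG = {
    "service.pop.enable": "yes",                # unused service left enabled
    "service.imap.enable": "yes",
    "service.http.enable": "no",
    "service.imap.plaintextmincipher": "0",     # passwords accepted in the clear
    "service.imap.enablesslport": "no",
    "service.imap.idletimeout": "15",           # below the 30-minute IMAP minimum
    "service.http.maxmessagesize": "5242880",   # 5 MB, as in the chapter's example
}


def effective_payload_bytes(maxmessagesize: int) -> int:
    """Largest message-plus-attachments payload that fits under maxmessagesize
    once base64 has added its one-third overhead (chapter: 5 MB -> about 3.75 MB)."""
    return maxmessagesize * 3 // 4


def audit(config: Dict[str, str], roles: Tuple[str, ...]) -> List[Finding]:
    """Check an option map against this chapter's rules.

    `roles` names the services this instance is supposed to offer
    (any of pop/imap/http; an MTA-only host passes an empty tuple).
    """
    findings: List[Finding] = []

    def get(opt: str, default: str = "") -> str:
        return config.get(opt, default).strip().lower()

    for svc in SERVICES:
        enabled = get(f"service.{svc}.enable", "no") == "yes"
        if enabled and svc not in roles:
            findings.append((f"service.{svc}.enable",
                             f"{svc.upper()} is enabled but this host is not meant to offer it",
                             f"configutil -o service.{svc}.enable -v no"))
        if not enabled:
            continue

        # Idle timeouts may be raised above the protocol minimum, never lowered.
        idle = get(f"service.{svc}.idletimeout")
        if idle.isdigit() and int(idle) < MIN_IDLE_MINUTES[svc]:
            findings.append((f"service.{svc}.idletimeout",
                             f"{idle} is below the {MIN_IDLE_MINUTES[svc]}-minute "
                             f"protocol minimum for {svc.upper()}",
                             f"configutil -o service.{svc}.idletimeout -v {MIN_IDLE_MINUTES[svc]}"))

        if svc == "pop":
            continue   # POP has password login only; no plaintextmincipher option

        mincipher = get(f"service.{svc}.plaintextmincipher", "0")
        if mincipher.lstrip("-").isdigit():
            mincipher_val = int(mincipher)
        else:
            findings.append((f"service.{svc}.plaintextmincipher",
                             f"unexpected value {mincipher!r}", None))
            continue
        if mincipher_val == 0:
            findings.append((f"service.{svc}.plaintextmincipher",
                             "password login is accepted without encryption",
                             f"configutil -o service.{svc}.plaintextmincipher "
                             f"-v {RECOMMENDED_MIN_CIPHER}"))
        # A separate SSL port is not required for encrypted password login (the
        # chapter notes same-port SSL works with an installed certificate), so
        # only point it out when a minimum cipher is demanded without one.
        ssl_port = get(f"service.{svc}.enablesslport") in ("yes", "1")
        if mincipher_val > 0 and not ssl_port:
            findings.append((f"service.{svc}.enablesslport",
                             f"a {mincipher_val}-bit cipher is required for passwords but no "
                             "separate SSL port is enabled; confirm same-port SSL works",
                             None))

    size = get("service.http.maxmessagesize")
    if size.isdigit():
        findings.append(("service.http.maxmessagesize",
                         f"{size} bytes admits a payload of about "
                         f"{effective_payload_bytes(int(size))} bytes after base64 overhead",
                         None))
    return findings


if __name__ == "__main__":
    for option, why, fix in audit(SAMPLE_CONFIG, ("imap",)):
        print(f"{option}: {why}")
        if fix:
            print(f"    fix: {fix}")
```

The script does not run configutil itself; it reads the values you supply and prints the commands, so the remediation stays a reviewable step rather than an automatic change to a production instance.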





Copyright 2004 Sun Microsystems, Inc. All rights reserved.