Sun Java System Messaging Server 6.3 Administration Guide

7.2 About Messaging Multiplexor

The Sun Java System Messaging Multiplexor (MMP) is a specialized messaging server that acts as a single point of connection to multiple back-end messaging servers. With Messaging Multiplexor, large-scale messaging service providers can distribute POP and IMAP user mailboxes across many machines to increase message store capacity. All users connect to the single Multiplexor server, which redirects each connection to the appropriate messaging server.

If you provide electronic mail service to many users, you can install and configure the Messaging Multiplexor so that an entire array of messaging servers will appear to your mail users to be a single host.

The Messaging Multiplexor is provided as part of Messaging Server. You can install the MMP at the same time you install the Messaging Server or other Sun Java System servers, or you can install the MMP separately at a later time. The MMP supports:

This section consists of the following subsections:

7.2.1 How the Messaging Multiplexor Works

The MMP is a multithreaded server that facilitates distributing mail users across multiple server machines. The MMP handles incoming client connections destined for other server machines (the machines on which user mailboxes reside). Clients connect to the MMP itself, which determines the correct server for the users, connects to that server, and then passes data between the client and server. This capability allows Internet service providers and other large installations to spread message stores across multiple machines (to increase capacity) while providing the appearance of a single mail host for users (to increase efficiency) and for external clients (to increase security). 7.2.1 How the Messaging Multiplexor Works shows how servers and clients relate to each other in an MMP installation.

Figure 7–1 Clients and Servers in an MMP Installation

This graphic depicts clients and servers in an MMP installation.

All POP, IMAP, and SMTP clients work with the Messaging Multiplexor. The MMP accepts connections, performs LDAP directory lookups, and routes the connections appropriately. As is typical with other mail server installations, each user is assigned a specific address and mailbox on a specific Messaging Server. However, all connections are routed through the MMP.

In more detail, these are the steps involved in establishing a user connection:

  1. A user’s client connects to the MMP, which accepts preliminary authentication information (user name).

  2. The MMP queries the Directory Server to determine which Messaging Server contains that user’s mailbox.

  3. The MMP connects to the proper Messaging Server, replays authentication, then acts as a pass-through pipe for the duration of the connection.

7.2.2 Encryption (SSL) Option

Messaging Multiplexor supports both unencrypted and encrypted (SSL) communications between the Messaging Server(s) and their mail clients. The current version of Messaging Server supports the new certificate database format (cert8.db).

When SSL is enabled, the MMP supports STARTTLS and the MMP can also be configured to listen on additional ports for SSL IMAP, POP, and SMTP connections.

To enable SSL encryption for your IMAP, POP, and SMTP services, edit the ImapProxyAService.cfg, PopProxyAService.cfg, and SmtpProxyAService.cfg files, respectively. You must also edit the default:ServiceList option in the AService.cfg file to include the list of all IMAP, POP, and SMTP server ports regardless of whether or not they are secure. See 7.4 Configuring MMP with SSL for details.

By default, SSL is not enabled since the SSL configuration parameters are commented out. To enable SSL, you must install an SSL server certificate. Then, you should uncomment and set the SSL parameters. For a list of the SSL parameters, see the Encryption (SSL) Option in Sun Java System Messaging Server 6.3 Administration Reference.

7.2.3 Certificate-Based Client Authentication

The MMP can use a certificate mapping file (certmap.conf) to match a client’s certificate to the correct user in the Users/Groups Directory Server.

In order to use certificate-based client authentication, you must also enable SSL encryption as described in 7.2.2 Encryption (SSL) Option.

You also have to configure a store administrator. You can use the mail administrator, but it is recommended that you create a unique user ID, such as mmpstore for this purpose so that you can set permissions as needed.

Note that the MMP does not support certmap plug-ins. Instead, the MMP accepts enhanced DNComps and FilterComps property value entries in the certmap.conf file. These enhanced format entries use the form:

mapname:DNComps FROMATTR=TOATTRmapname:FilterComps FROMATTR=TOATTR

So that a FROMATTR value in a certificate’s subjectDN can be used to form an LDAP query with the TOATTR=value element. For example, a certificate with a subjectDN of “cn=Pilar Lorca, ou=pilar,” could be mapped to an LDAP query of “(uid=pilar)” with the line:

mapname:FilterComps ou=uid

ProcedureTo Enable Certificate-based Authentication for Your IMAP or POP Service

  1. Decide on the user ID you intend to use as store administrator.

    While you can use the mail administrator for this purpose, it is recommended that you create a unique user ID for store administrator (for example, mmpstore).

  2. Make sure that SSL encryption is (or will be) enabled as described in 7.2.2 Encryption (SSL) Option.

  3. Configure the MMP to use certificate-based client authentication by specifying the location of the certmap.conf file in your configuration files.

  4. Install at least one trusted CA certificate, as described in To Install Certificates of Trusted CAs

7.2.4 User Pre-Authentication

The MMP provides you with the option of pre-authenticating users by binding to the directory as the incoming user and logging the result.

Note –

Enabling user pre-authentication will reduce server performance

The log entries are in the format:

date time (sid 0xhex) user name pre-authenticated - client 
IP address, server IP address

Where date is in the format yyyymmdd, time is in the time configured on the server in the format hhmmss, hex is the session identifier (sid) represented as a hexidecimal number, the user name includes the virtual domain (if any), and the IP address is in dot-quad format.

7.2.5 MMP Virtual Domains

An MMP virtual domain is a set of configuration settings associated with a server IP address. The primary use of this feature is to provide different default domains for each server IP address.

A user can authenticate to MMP with either a short-form userID or a fully qualified userID in the form user@domain. When a short-form userID is supplied, the MMP will append the DefaultDomain setting, if specified. Consequently, a site which supports multiple hosted domains can permit the use of short-form user IDs simply by associating a server IP address and MMP virtual domain with each hosted domain.

The recommended method for locating the user subtree for a given hosted domain is via the inetDomainBaseDN attribute in the LDAP domain tree entry for that domain. The MMP’s LdapUrl setting is not suitable for this purpose since the back-end mail store servers will also need to look up the user in LDAP and do not support virtual domains.

When Sun LDAP Schema 2 is enabled (see the Sun Java Enterprise System 5 Installation Guide for UNIX and Sun Java Communications Suite 5 Schema Reference), the user subtree for the specified domain will be all the users in the subtree below the organization node for that domain.

To enable virtual domains, edit the ImapProxyAService.cfg, PopProxyAService.cfg, or SmtpProxyAService.cfg file(s) in the instance directory such that the VirtualDomainFile setting specifies the full path to the virtual domain mapping file.

Each entry of a virtual domain file has the following syntax:

vdmap name IPaddr
name:parameter value

Where name is simply used to associate the IP address with the configuration parameters and can be any name you choose to use, IPaddr is in dot-quad format, and parameter and value pairs configure the virtual domain. When set, virtual domain configuration parameter values override global configuration parameter values.

Listed below are the configuration parameters you can specify for a virtual domain:

AuthCacheSize and AuthCacheSizeTTL
BindDN and BindPass
LdapCacheSize and LdapCacheTTL
StoreAdmin and StoreAdminPass

Note –

Unless the LdapURL is correctly set, the BindDN, BindPass, LdapCacheSize and LdapCacheTTL settings will be ignored.

For detailed descriptions of these configuration parameters, see the Sun Java System Messaging Server 6.3 Administration Reference

7.2.6 About SMTP Proxy

The MMP includes an SMTP proxy which is disabled by default. Most sites do not need the SMTP proxy because Internet Mail standards already provide an adequate mechanism for horizontal scalability of SMTP (DNS MX records).

The SMTP proxy is useful for the security features it provides. First, the SMTP proxy is integrated with the POP proxy to implement the POP before SMTP authorization facility required by some legacy POP clients. For more information, see Using the MMP SMTP Proxy in Sun Java Communications Suite 5 Deployment Planning Guide and 23.8 Enabling POP Before SMTP. In addition, an investment in SSL acceleration hardware can be maximized by using the SMTP proxy. See 23.5.4 How to Optimize SSL Performance Using the SMTP Proxy.