Chapter 5 Configuring and Administering Multiplexor Services

This chapter describes two multiplexors that are included with Messaging Server: the Messaging Multiplexor (MMP) for standard mail protocols (POP, IMAP and SMTP) and the Messenger Express Multiplexor used for the Messenger Express web interface.

Multiplexor Services

A multiplexor is necessary to achieve horizontal scalability (the ability to support more users by adding more machines), because it provides a single domain name that can be used to connect indirectly to multiple mail stores. A multiplexor can also provide security benefits.

While MMP is managed separately from Messaging Server, the Messenger Express Multiplexor is built-in to the HTTP service (mshttpd) that is included with the Message Store and Message Access installation.

Multiplexor Benefits

Message stores on heavily used messaging servers can grow quite large. Spreading user mailboxes and user connections across multiple servers can therefore improve capacity and performance. In addition, it may be more cost-effective to use several small server machines than one large, high-capacity, multiprocessor machine.

If the size of your mail-server installation requires the use of multiple message stores, your organization can benefit in several ways from using the multiplexors. The indirect connection between users and their message stores, coupled with the ease of reconfiguration of user accounts among messaging servers allows for the following benefits:

Simplified User Management

Because all users connect to one server (or more, if you have separate Multiplexor machines for POP, IMAP, SMTP or web access), you can preconfigure email clients and distribute uniform login information to all users. This simplifies your administrative tasks and reduces the possibility of distributing erroneous login information.

For especially high-load situations, you can run multiple Multiplexor servers with identical configurations and manage connections to them by DNS round robin or by using a load-balancing system.

Because the Multiplexors use information stored in the LDAP directory to locate each user’s Messaging Server, moving a user to a new server is simple for the system administrator and transparent to the user. The administrator can move a user’s mailbox from one Messaging Server to another, and then update the user’s entry in the LDAP directory. The user’s mail address, mailbox access, and other client preferences need not change.

Improved Performance

If a message store grows prohibitively large for a single machine, you can balance the load by moving some of the message store to another machine.

You can assign different classes of users to different machines. For example, you can choose to locate premium users on a larger and more powerful machine.

The Multiplexors perform some buffering so that slow client connections (through a modem, for example) do not slow down the Messaging Server.

Decreased Cost

Because you can efficiently manage multiple Messaging Servers with a Multiplexor, you might be able to decrease overall costs by purchasing several small server machines that together cost less than one very large machine.

Better Scalability

Minimum User Downtime

Using the Multiplexors to spread a large user base over many small store machines isolates user downtime. When an individual server fails, only its users are affected.

Increased Security

You can use the server machine on which the Multiplexor is installed as a firewall machine. By routing all client connections through this machine, you can restrict access to the internal message store machines by outside computers. The Multiplexors support both unencrypted and encrypted communications with clients.

About Messaging Multiplexor

The Sun ONE Messaging Multiplexor (MMP) is a specialized messaging server that acts as a single point of connection to multiple back-end messaging servers. With Messaging Multiplexor, large-scale messaging-service providers can distribute POP and IMAP user mailboxes across many machines to increase message store capacity. All users connect to the single Multiplexor server, which redirects each connection to the appropriate messaging server.

If you provide electronic mail service to many users, you can install and configure the Messaging Multiplexor so that an entire array of messaging servers will appear to your mail users to be a single host.

The Messaging Multiplexor is provided as part of Messaging Server. You can install the MMP at the same time you install the Messaging Server or other Sun ONE servers, or you can install the MMP separately at a later time.

Both unencrypted and encrypted (SSL) communications with mail clients.

Client certificate-based authentication, described in Certificate-Based Client Authentication.

User pre-authentication, described in User Pre-Authentication.

Virtual domains that listen on different IP addresses and automatically append domain names to user IDs, described in MMP Virtual Domains.

Multiple installations of the MMP on either the same server (see Multiple Messaging Multiplexor Installs) or different servers (see the Messaging Server Installation Guide). Separate installations on the same server can have separate configurations for SSL or the listen port that cannot be handled through virtual domains.

Enhanced LDAP searching.

POP before SMTP service for legacy POP clients. For more information, see "Enabling POP Before SMTP".

How the Messaging Multiplexor Works

The MMP is a multithreaded server that facilitates distributing mail users across multiple server machines. The MMP handles incoming client connections destined for other server machines (the machines on which user mailboxes reside). Clients connect to the MMP itself, which determines the correct server for the users, connects to that server, and then passes data between the client and server. This capability allows Internet service providers and other large installations to spread message stores across multiple machines (to increase capacity) while providing the appearance of a single mail host for users (to increase efficiency) and for external clients (to increase security).

Figure 5-1 shows how servers and clients relate to each other in an MMP installation.

All POP, IMAP, and SMTP clients work with the Messaging Multiplexor. The MMP accepts connections, performs LDAP directory lookups, and routes the connections appropriately. As is typical with other mail server installations, each user is assigned a specific address and mailbox on a specific Messaging Server. However, all connections are routed through the MMP.

Encryption (SSL) Option

Messaging Multiplexor supports both unencrypted and encrypted (SSL) communications between the Messaging Server(s) and their mail clients.

When SSL is enabled, the MMP supports STARTTLS and the MMP can also be configured to listen on additional ports for SSL IMAP, POP, and SMTP connections.

To enable SSL encryption for your IMAP, POP, and SMTP services, edit the ImapProxyAService.cfg, PopProxyAService.cfg, and SmtpProxyAService.cfg files, respectively. You must also edit the default:ServiceList option in the AService.cfg file to include the list of all IMAP, POP, and SMTP server ports regardless of whether or not they are secure. See "Configuring MMP with SSL" for details.

By default, SSL is not enabled since the SSL configuration parameters are commented out. To enable SSL, you must install an SSL server certificate. Then, you should uncomment and set the SSL parameters. For a list of the SSL parameters, see the Messaging Server Reference Manual.

Certificate-Based Client Authentication

The MMP can use a certificate mapping file (certmap) to match a client’s certificate to the correct user in the Users/Groups Directory Server.

In order to use certificate-based client authentication, you must also enable SSL encryption as described in Encryption (SSL) Option.

You also have to configure a store administrator. You can use the mail administrator, but it is recommended that you create a unique user ID, such as mmpstore for this purpose so that you can set permissions as needed.

Note that the MMP does not support certmap plug-ins. Instead, the MMP accepts enhanced DNComps and FilterComps property value entries in the certmap.conf file. These enhanced format entries use the form:

So that a FROMATTR value in a certificate’s subjectDN can be used to form an LDAP query with the TOATTR=value element. For example, a certificate with a subjectDN of "cn=Pilar Lorca, ou=pilar, o=siroe.com" could be mapped to an LDAP query of "(uid=pilar)" with the line:

Decide on the user ID you intend to use as store administrator.

While you can use the mail administrator for this purpose, it is recommended that you create a unique user ID for store administrator (for example, mmpstore).

Make sure that SSL encryption is (or will be) enabled as described in Encryption (SSL) Option.

Configure the MMP to use certificate-based client authentication by specifying the location of the certmap.conf file in your configuration files.

Install at least one trusted CA certificate, as described in "To Install Certificates of Trusted CAs".

User Pre-Authentication

The MMP provides you with the option of pre-authenticating users by binding to the directory as the incoming user and logging the result.


Note	Enabling user pre-authentication will reduce server performance

date time (sid 0xhex) user name pre-authenticated - client IP address, server IP address

Where date is in the format yyyymmdd, time is in the time configured on the server in the format hhmmss, hex is the session identifier (sid) represented as a hexidecimal number, the user name includes the virtual domain (if any), and the IP address is in dot-quad format.

MMP Virtual Domains

An MMP virtual domain is a set of configuration settings associated with a server IP address. The primary use of this feature is to provide different default domains for each server IP address.

A user can authenticate to MMP with either a short-form userID or a fully qualified userID in the form user@domain. When a short-form userID is supplied, the MMP will append the DefaultDomain setting, if specified. Consequently, a site which supports multiple hosted domains can permit the use of short-form user IDs simply by associating a server IP address and MMP virtual domain with each hosted domain.

The recommended method for locating the user subtree for a given hosted domain is via the inetDomainBaseDN attribute in the LDAP domain tree entry for that domain. The MMP’s LdapUrl setting is not suitable for this purpose since the back-end mail store servers will also need to look up the user in LDAP and do not support virtual domains.

When Sun ONE LDAP Schema, v.2 is enabled (see the Sun ONE Messaging Server Installation Guide and Sun ONE Messaging Server Schema Reference Manual), the user subtree for the specified domain will be all the users in the subtree below the organization node for that domain.

To enable virtual domains, edit the ImapProxyAService.cfg, PopProxyAService.cfg, or SmtpProxyAService.cfg file(s) in the instance directory such that the VirtualDomainFile setting specifies the full path to the virtual domain mapping file.

Where name is simply used to associate the IP address with the configuration parameters and can be any name you choose to use, IPaddr is in dot-quad format, and parameter and value pairs configure the virtual domain. When set, virtual domain configuration parameter values override global configuration parameter values.

Listed below are the configuration parameters you can specify for a virtual domain:

AuthCacheSize and AuthCacheSizeTTL
AuthService
BindDN and BindPass
CertMap
ClientLookup
CRAMs
DefaultDomain
DomainDelim
HostedDomains
LdapCacheSize and LdapCacheTTL
LdapURL
MailHostAttrs
PreAuth
ReplayFormat
RestrictPlainPasswords
StoreAdmin and StoreAdminPass
SearchFormat
TCPAccess
TCPAccessAttr


Note	Unless the LdapURL is correctly set, the BindDN, BindPass, LdapCacheSize and LdapCacheTTL settings will be ignored.

For detailed descriptions of these configuration parameters, see the Messaging Server Reference Manual.

Multiple Messaging Multiplexor Installs

You can do multiple installs of the MMP on a single server. Each of these installs will run as a separate process and can have different configuration files. Multiple installs are necessary when you need different settings for different server IP addresses or ports and those settings are ones that cannot be changed by a virtual domain. The SSL server certificate is an example of such a setting.

You can configure a single install of the MMP to support both POP, IMAP, and SMTP protocols (as shown in Figure 5-1), or you can create separate MMP installs for each protocol, as shown in Figure 5-2. By splitting messaging services across different machines, you can tune the resources on each computer for maximum performance.

About SMTP Proxy

The MMP includes an SMTP proxy which is disabled by default. Most sites do not need the SMTP proxy because Internet Mail standards already provide an adequate mechanism for horizontal scalability of SMTP (DNS MX records).

The SMTP proxy is useful for the security features it provides. First, the SMTP proxy is integrated with the POP proxy to implement the POP before SMTP authorization facility required by some legacy POP clients. For more information, see "Enabling POP Before SMTP". In addition, an investment in SSL acceleration hardware can be maximized by using the SMTP proxy. See "How to Optimize SSL Performance Using the SMTP Proxy".

Setting Up the Messaging Multiplexor

During the initial runtime configuration of Messaging Server, you determined if you wanted to configure the MMP on a machine. You could either set it up on the same machine as your Messaging Server or set it up on a separate machine.

Before You Configure MMP


Note	MMP does not cache DNS results. A high quality caching DNS server on the local network is a requirement for a production deployment of Messaging Server.

You will need the Sun ONE Messaging Server Installation Guide to do some of the procedures in the this section. Before configuring the MMP:

Choose the machine on which you will configure the MMP. It is best to use a dedicated machine set aside for the MMP.



Note	It is recommended that the MMP not be enabled on a machine that is also running either the POP or IMAP servers. If you install MMP on the same machine as Messaging Server, you must make sure that the POP and IMAP servers are set to non-standard ports. That way, the MMP and Messaging Server ports will not conflict with one another.

On the machine that the MMP is to be configured, create a UNIX system user to be used by the MMP. This new user must belong to a UNIX system group. See the Sun ONE Messaging Server Installation Guide on how to Create UNIX System Users and Groups.

Set up the Directory Server and its host machine for use with Messaging Server, if they are not already set up. See the Sun ONE Messaging Server Installation Guide on how to Run the Java Enterprise Services Installer and Prepare Directory Server for Messaging Server Configuration.

If the MMP is upgraded before the backend servers, customers should set the Capability option in ImapProxyAService.cfg to match the response to the capability command from the older backend. This would be:

IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS CHILDREN LANGUAGE XSENDER X-NETSCAPE XSERVERINFO

Note that line break is for editorial clarity, and that the configuration value must be on one line.

Multiplexor Configuration

To configure the MMP, you must use the Messaging Server configure program, which gives you the option of enabling the Messaging Multiplexor. For detailed information about the configure program see the Sun ONE Messaging Server Installation Guide on how to Create the Initial Messaging Server Runtime Configuration.

Put Sun ONE Messaging Server on the machine where you are installing and configuring the MMP.

You must install the Administration Server, Java, and Messaging Server packages.

Configure the MMP by creating the Messaging Server Initial Runtime Configuration. See the Sun ONE Messaging Server Installation Guide on how to Create the Initial Messaging Server Runtime Configuration.

Note the following exception: when installing Messaging Server, check only the Messaging Multiplexor option.

Multiplexor Files

The Messaging Multiplexor files are stored in the msg_svr_base/config configuration file directory. You must manually edit the configuration parameters in the Messaging Multiplexor configuration files listed in Table 5-1.

Table 5-1 Messaging Multiplexor Configuration Files
File	Description
PopProxyAService.cfg	Configuration file specifying configuration variables used for POP services.
PopProxyAService-def.cfg	POP services configuration template. If the PopProxyAService.cfg file does not exist, the PopProxyAService-def.cfg template is copied to create a new PopProxyAService.cfg file.
ImapProxyAService.cfg	Configuration file specifying configuration variables used for IMAP services.
ImapProxyAService-def.cfg	IMAP services configuration template. If the ImapProxyAService.cfg file does not exist, the ImapProxyAService-def.cfg template is copied to create a new ImapProxyAService.cfg file.
AService.cfg	Configuration file specifying which services to start and a few options shared by both POP and IMAP services.
AService-def.cfg	Configuration template specifying which services to start and a few options shared by both POP and IMAP services. If the AService.cfg file does not exist, the AService-def.cfg template is copied to create a new AService.cfg file.
SmtpProxyAService.cfg	Optional configuration file specifying configuration variables used for SMTP Proxy services. Required if you enable POP before SMTP; useful for maximizing support for SSL hardware even if POP before SMTP is not enabled. For more information on POP before SMTP, see "Enabling POP Before SMTP".
SmtpProxyAService-def.cfg	Configuration template specifying configuration variables used for SMTP Proxy services. If the SmtpProxyAService.cfg file does not exist, the SmtpProxyAService-def.cfg template is copied to create a new SmtpProxyAService.cfg file.

The Messaging Multiplexor configuration files are stored in the msg_svr_base/config directory, where msg_svr_base is the directory where you installed the Messaging Server.

As an example, the LogDir and LogLevel parameters can be found in all configuration files. In ImapProxyAService.cfg, they are used to specify logging parameters for IMAP-related events; similarly, these parameters in PopProxyAService.cfg are used to configure logging parameters for POP-related events. In SmtpProxyAService.cfg, they are used to specify logging for SMTP Proxy-related events.

In AService.cfg, however, LogDir and LogLevel are used for logging MMP-wide failures, such as the failure to start a POP, IMAP, or SMTP service.


Note	When the MMP is configured or upgraded, the configuration template files will be overwritten.

For a complete description of all MMP configuration parameters, see the Sun ONE Messaging Server Reference Manual.

Starting the Multiplexor

To start, stop, or refresh an instance of the Messaging Multiplexor, use the one of the following commands in Table 5-2 located in the msg_svr_base/sbin directory:

Table 5-2 MMP Commands
Option	Description
start-msg mmp	Starts the MMP (even if one is already running).
stop-msg mmp	Stops the most recently started MMP.
refresh mmp	Causes an MMP that is already running to refresh its configuration without disrupting any active connections.

Modifying an Existing MMP

To modify an existing instance of the MMP, edit the ImapProxyAService.cfg and/or PopProxyAService.cfg configuration files as necessary. These configuration files are located in the msg_svr_base/config subdirectory.

Configuring MMP with SSL


Note	It is assumed that the MMP is installed on a machine that does not have a Message Store or MTA.

Administration Server must be installed and configured.

Go to your Administration Server installation directory and run mpsadmserver startconsole to login to the Sun ONE Console:

/usr/sbin/mpsadmserver startconsole

Use the Sun ONE Server Console to install an SSL server certificate.

See http://docs.sun.com/db/doc/816-5572-10

From the command line, make the following symbolic links to simplify things:

cd msg_svr_base/config
ln -s /var/mps/serverroot/alias/admin-serv-instance-cert7.db cert7.db
ln -s /var/mps/serverroot/alias/admin-serv-instance-key3.db key3.db

Also, make sure that those files are owned by the system ID under which the MMP will run.

Since the sslpassword.conf file is set during the initial Messaging Server runtime configuration, you do not need to set one up. See the Sun ONE Messaging Server Installation Guide on how to Create the Initial Messaging Server Runtime Configuration.



Note	An alternative approach to steps 1-8 is to copy the following files: cert7.db, key3.db, secmod.db, and sslpassword.conf from an existing Messaging or Directory Server. These servers must have a server certificate and a key appropriate for the same domain already installed.

Edit the ImapProxyAService.cfg file and uncomment the relevant SSL settings.

If you want SSL and POP, edit the PopProxyAService.cfg file and uncomment the relevant SSL settings.

Additionally, you must edit the AService.cfg file and add |995 after the 110 in the ServiceList setting.

Make sure that the BindDN and BindPass options are set in the ImapProxyAService.cfg and PopProxyAService.cfg files.

You should also set the DefaultDomain option to your default domain (the domain to use for unqualified user names).

If you just want server-side SSL support, you are finished. Start the MMP with the following command in the msg_svr_base/sbin directory:

Get a copy of a client certificate and the CA certificate which signed it.

Start the Sun ONE Console as before (on the same machine as the MMP), but this time import the CA certificate as a Trusted Certificate Authority.

Use the Store Administrator you created during your Messaging Server installation.

For more information, see the "Specifying Administrator Access to the Store".

Create a certmap.conf file for the MMP. For example:

certmap default default
default:DNComps
default:FilterComps e=mail

This means to search for a match with the e field in the certificate DN by looking at the mail attribute in the LDAP server.

Edit your ImapProxyAService.cfg file and:

Set CertMapFile to certmap.conf

Set StoreAdmin and StorePass to values from Step 3.

Set UserGroupDN to the root of your Users and Groups tree.

If you want client certificates with POP3, repeat Step 5 for the PopProxyAService.cfg file.

If the MMP is not already running, start it with the following command in the msg_svr_base/sbin directory:

start-msg mmp

Import the client certificate into your client. In Netscape™ Communicator, click on the padlock (Security) icon, then select Yours under Certificates, then select Import a Certificate... and follow the instructions.



Note	All your users will have to perform this step if you want to use client certificates everywhere.

A Sample Topology

The fictional Siroe Corporation has two Messaging Multiplexors on separate machines, each supporting several Messaging Servers. POP and IMAP user mailboxes are split across the Messaging Server machines, with each server dedicated exclusively to POP or exclusively to IMAP (You can restrict client access to POP services alone by removing the ImapProxyAService entry from the ServiceList setting; likewise, you can restrict client access to IMAP services alone by removing the PopProxyAService entry from the ServiceList setting.). Each Messaging Multiplexor also supports only POP or only IMAP. The LDAP directory service is on a separate, dedicated machine.

IMAP Configuration Example

The IMAP Messaging Multiplexor in Figure 5-3 is installed on sandpit, a machine with two processors. This Messaging Multiplexor is listening to the standard port for IMAP connections (143). Messaging Multiplexor communicates with the LDAP server on the host phonebook for user mailbox information, and it routes the connection to the appropriate IMAP server. It overrides the IMAP capability string, provides a virtual domain file, and supports SSL communications.

default:LdapUrl             ldap://phonebook.siroe.com/o=internet
default:LogDir              /opt/SUNWmsgsr/config/log
default:LogLevel            5
default:BindDN              "cn=Directory Manager"
default:BindPass            secret
default:BacksidePort        143
default:Timeout             1800
default:Capability          "IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS CHILDREN BINARY LANGUAGE XSENDER X-NETSCAPE XSERVERINFO"
default:SearchFormat        (uid=%s)
default:SSLEnable           yes
default:SSLPorts            993
default:SSLSecmodFile       /opt/SUNWmsgsr/config/secmod.db
default:SSLCertFile         /opt/SUNWmsgsr/config/cert7.db
default:SSLKeyFile          /opt/SUNWmsgsr/config/key3.db
default:SSLKeyPasswdFile    ""
default:SSLCipherSpecs      all
default:SSLCertNicknames    Siroe.com Server-Cert
default:SSLCacheDir         /opt/SUNWmsgsr/config
default:SSLBacksidePort     993
default:VirtualDomainFile   /opt/SUNWmsgsr/config/vdmap.cfg
default:VirtualDomainDelim  @
default:ServerDownAlert     "your IMAP server appears to be temporarily out of service"
default:MailHostAttrs       mailHost
default:PreAuth             no
default:CRAMs               no
default:AuthCacheSize       10000
default:AuthCacheTTL        900
default:AuthService         no
default:AuthServiceTTL      0
default:BGMax               10000
default:BGPenalty           2
default:BGMaxBadness        60
default:BGDecay             900
default:BGLinear            no
default:BGExcluded          /opt/SUNWmsgsr/config/bgexcl.cfg
default:ConnLimits          0.0.0.0|0.0.0.0:20
default:LdapCacheSize       10000
default:LdapCacheTTL        900
default:HostedDomains       yes
default:DefaultDomain       Siroe.com

POP Configuration Example

The POP Messaging Multiplexor example in Figure 5-3 is installed on tarpit, a machine with four processors. This Messaging Multiplexor is listening to the standard port for POP connections (110). Messaging Multiplexor communicates with the LDAP server on the host phonebook for user mailbox information, and it routes the connection to the appropriate POP server. It also provides a spoof message file.

default:LdapUrl             ldap://phonebook.siroe.com/o=internet
default:LogDir              /opt/SUNWmsgsr/config/log
default:LogLevel            5
default:BindDN              "cn=Directory Manager"
default:BindPass            password
default:BacksidePort        110
default:Timeout             1800
default:SearchFormat        (uid=%s)
default:SSLEnable           no
default:VirtualDomainFile   /opt/SUNWmsgsr/config/vdmap.cfg
default:VirtualDomainDelim  @
default:MailHostAttrs       mailHost
default:PreAuth             no
default:CRAMs               no
default:AuthCacheSize       10000
default:AuthCacheTTL        900
default:AuthService         no
default:AuthServiceTTL      0
default:BGMax               10000
default:BGPenalty           2
default:BGMaxBadness        60
default:BGDecay             900
default:BGLinear            no
default:BGExcluded          /opt/SUNWmsgsr/config/bgexcl.cfg
default:ConnLimits          0.0.0.0|0.0.0.0:20
default:LdapCacheSize       10000
default:LdapCacheTTL        900
default:HostedDomains       yes
default:DefaultDomain       Siroe.com

Setting a Failover MMP LDAP Server

It is possible to specify more than one LDAP server for the MMP so that if one fails another takes over. Modify your PopProxyAservice.cfg or IMAPProxyAservice.cfg to the following:

About Messenger Express Multiplexor

The Sun ONE Messenger Express Multiplexor is a specialized server that acts as a single point of connection to the HTTP access service. Messenger Express is the client interface to the Sun ONE Messaging Server HTTP service. All users connect to the single messaging proxy server, which directs them to their appropriate mailbox. As a result, an entire array of messaging servers will appear to your mail users to be a single host.

While Messaging Multiplexor (MMP) connects to POP and IMAP servers, the Messenger Express Multiplexor connects to an HTTP server. In other words, the Messenger Express Multiplexor is to Messenger Express as MMP is to POP and IMAP.

Unlike MMP, the Messenger Express Multiplexor is built into the mshttpd service, and consequently uses the same logging and configuration mechanisms.

How Messenger Express Multiplexor Works

The Messenger Express Multiplexor is made up of a proxy messaging server that acts as a Multiplexor; it allows you to connect to the HTTP service of Messaging Server (Messenger Express). The Messenger Express Multiplexor facilitates distributing mailboxes across multiple server machines. Clients connect to the Multiplexor when logging onto Messenger Express, which determines the correct server for the users, connects to that server, and then passes data between the client and server. This capability allows large installations to spread message stores across multiple machines (to increase capacity) while providing the appearance of a single mail host for users (to increase efficiency) and for external clients (to increase security). Figure 5-4 describes where the Messenger Express Multiplexor resides in an Messaging Server installation.

The Messenger Express Multiplexor interfaces between the Messenger Express client and Messaging Servers by accepting connections and routing them appropriately. As is typical with other mail server installations, each user is assigned a specific address and mailbox on a specific messaging server. However, all HTTP connections are routed through the Messenger Express Multiplexor.

In more detail, these are the steps involved when establishing a user connection:

Setting Up the Messenger Express Multiplexor

This section will describe the steps you should follow to set up and configure your Messenger Express Multiplexor. Topics that are covered include:

To Install Messaging Server on Proxy Machine

The first step is to install Messaging Server on the proxy machine that will become the Messenger Express Multiplexor. For specific installation instructions, see the Sun ONE Messaging Server Installation Guide.

Be sure to configure the Messaging Server to a users and groups directory server that points to the back-end messaging servers. This directory server will be used to authenticate users to Messaging Server through the Messenger Express Multiplexor.

To Configure Messenger Express Multiplexor Parameters

After you complete the Messaging Server installation on the proxy machine, configure the Messenger Express Multiplexor parameters:

Gather the needed back-end Messaging Server information.

Run the configutil command in the directory of your back-end messaging servers to determine the values of the parameters that are later described in this section. The configuration of the proxy machine (where the Multiplexor will be enabled) must match the back-end messaging servers to ensure successful setup.

Set the configuration parameters for the Messenger Express Multiplexor.

Run the configutil command in directory msg_svr_base/sbin/configutil of your proxy machine messaging server to set the configuration values. Note that these values should match the values of the back-end messaging servers.

For a detailed explanation on running the configutil command, see the Sun ONE Messaging Server Reference Manual.

The following sections describe the configutil parameters needed to set up the Messenger Express Multiplexor:

LDAP Parameters

You will need to make sure that the Directory Server parameters are correctly specified prior to enabling the Messenger Express Multiplexor. To determine your LDAP parameters, run the following command in the appropriate back-end Messaging Server instance directory:

configutil -o local.ugldaphost

This parameter displays the users and groups LDAP Directory Server that the back-end messaging servers use. Make sure that ldaphost is set to the same value (or a replicated LDAP server containing the same data) that the back-end messaging servers use.

configutil -o local.ugldapbinddn
configutil -o local.ugldapbindcred

These parameters display the DN and password of the users and groups Directory Server administrator. Both ldapbinddn and ldapbindcred must be the same as in your back-end messaging servers specifications.

dcroot

You will need to make sure that the dcroot is correctly specified. To determine your dcroot, run the following command in the appropriate messaging server instance directory:

Default Domain

You will need to make sure that the messaging server default domain (defaultdomain) is correctly indicated. To determine your messaging server default domain, run the following configutil command in the appropriate messaging server instance directory:

Make sure that the login separator (loginseparator) is consistent with the login separator used by the back-end messaging server. To determine your messaging server login separator, run the configutil command in the appropriate back-end messaging server instance directory:

To Enable Messenger Express Multiplexor

Once you set the configuration parameters, you can enable the Messenger Express Multiplexor on the proxy machine. To do so, run the following configutil command in the directory msg_svr_base/sbin/configutil of the messaging server instance on the proxy machine:

When a non-local user (users whose mail host is not on the server where they log in) logs in and the value of local.service.http.proxy is 0, the user will be directed to his host, and the user will see the host name change; therefore, the Multiplexor is not enabled.

If the value of local.service.http.proxy is set to 1, the Multiplexor is enabled, the host name does not change, and the entire array of messaging servers will appear to be a single host to your non-local mail users.

For local users (users whose mail host is the server where they log in), the server will use the local message store regardless of the local.service.http.proxy parameter value. It is possible to have both proxy and local users coexisting on the same messaging server.

For more information on the configutil command, see the Sun ONE Messaging Server Reference Manual.

Testing Your Setup

In this section, you will learn how to test your Messenger Express Multiplexor setup and to look for messages in the log files. It is assumed that you have configured and enabled the Messenger Express Multiplexor.

To Access Messenger Express Client

Prior to testing your installation, you should already be familiar with the Messenger Express product. In addition, you should already have a test account that you have previously created.

Through the Messenger Express Multiplexor, connect to Messenger Express by typing in the browser location:

http://msgserver_name in the browser location.

For example:

http://budgie.sesta.com

Using a test account that you previously created, log in to Messenger Express.

You should be able to successfully log in and access messages from the back-end messaging servers.

If the messaging server name changes once you log in through Messenger Express, make sure local.service.http.proxy is set to 1 and that you have restarted the messaging proxy server. The Messenger Express Multiplexor should provide the appearance of a single mail host to your users.

Error Messages

If you receive an error message when you enter the user id, password, and click Connect, you should review the HTTP log file of the proxy machine. To view the error messages, go to the msg_svr_base/log directory. In most cases, the error message will contain sufficient information to diagnose the problem. In those instances where there is not sufficient information to diagnose the problem, contact Customer Support.

Administering Your Messenger Express Multiplexor

This section describes the basic administration capabilities of the Messenger Express Multiplexor.

To Configure and Administer SSL

To configure and administer SSL (otherwise known as Secure Sockets Layer) for your Messenger Express Multiplexor, refer to "To Enable SSL and Selecting Ciphers".

To Set Up Multiple Proxy Servers

To set up multiple Messenger Express Multiplexors that are addressed by a single name, you can use a session-aware load balancing device. With this device, all requests can be routed from any given client to a unique server.

To Manage Different Versions of Messaging Server and Messenger Express Multiplexor

If you use different versions of Messaging Server for the Messenger Express Multiplexor and the back-end mail hosts, you need to update the Messenger Express static files to ensure compatibility between the servers.

The static files which make up the Messenger Express interface are served directly from the Messenger Express Multiplexor, not user’s mail host. The Multiplexor finds these files in the msg_svr_base/config/html directory.

To update these files in order to ensure compatibility between servers, replace the entire contents (which consist of these static files that make up the Messenger Express interface) of the directory msg_svr_base/config/html in the newer version of Messaging Server with the entire contents of the same directory in the older version of Messaging Server.

For example, if the back-end messaging servers use Messaging Server 5.1 and you have installed Messaging Server 5.2 as the Messenger Express Multiplexor, you need to replace the entire contents of the directory msg_svr_base/config/html of the Messenger Express Multiplexor with the contents of the same directory from the Messaging Server 5.1 back-end server. When you eventually upgrade Messaging Server 5.1 to Messaging Server 5.2, you can update these static files in directory msg_svr_base/config/html for the Messenger Express Multiplexor server as well.

To Configure the Port of the Back-end Messaging Server with the Messenger Express Multiplexor

If you want to configure the port of the back-end HTTP Messaging Server with the Messenger Express Multiplexor, use the following configutil command on your Multiplexor machine:

For example, if the host name of the back-end messaging server is sesta.com and the port number is 8888, the command would be in the following format:

To Configure Single Sign-on

Single sign-on must be configured on the Messenger Express Multiplexor machine in the same way as the Messaging (HTTP) server, with the following additional configurations:

where store_administrator is the back-end store administrator specified during your back-end Messaging Server installation.

where store_admin_password is the back-end store administrator password specified during your back-end Messaging Server installation.

If you are using multiple back-end Messaging Servers that use different store administrators and passwords, you can configure them individually by appending the fully qualified host name to each configuration variable in Messenger Express Multiplexor:

configutil -o local.service.http.proxy.adminpass.hostname -v store_admin_password

where hostname is the host of the back-end HTTP Messaging Server, store_administrator and store_admin_password are the back-end store administrator and password specified during your back-end Messaging Server installation.

To log the user into the back-end servers, Messenger Express Multiplexor uses the proxyauth login command. To enable proxyauth, use the following configutil parameter:


Note	If Single sign-on is enabled through the Messenger Express Multiplexor, it does not need to be configured on the back-end HTTP Messaging Servers.