Sun Java System Messaging Server 6.3 Administration Guide

7.4 Configuring MMP with SSL

To configure the MMP to use SSL, do the following:


Note –

It is assumed that the MMP is installed on a machine that does not have a Message Store or MTA.


Procedure: To Configure MMP with SSL

  1. Install an SSL server certificate (see 23.5 Configuring Encryption and Certificate-Based Authentication).

  2. Edit the ImapProxyAService.cfg file and uncomment the relevant SSL settings.

  3. If you want SSL and POP, edit the PopProxyAService.cfg file and uncomment the relevant SSL settings.

    Additionally, you must edit the AService.cfg file and add |995 after the 110 in the ServiceList setting.

  4. Make sure that the BindDN and BindPass options are set in the ImapProxyAService.cfg and PopProxyAService.cfg files.

    You should also set the DefaultDomain option to your default domain (the domain to use for unqualified user names).

    If you just want server-side SSL support, you are finished. Start the MMP with the following command in the msg-svr-base/sbin directory:

    start-msg mmp

  5. If you do not want to use SSL between the MMP and the backend server, then set the SSLBacksidePort option to 0 in the ImapProxyAService.cfg or PopProxyAService.cfg MMP configuration files.

Procedure: To Configure MMP with Client Certificate-based Login

If you want client certificate based login, do the following:

  1. Get a copy of a client certificate and the CA certificate which signed it.

  2. Import the CA certificate as a Trusted Certificate Authority (see 23.5.1 Obtaining Certificates).

  3. Use the Store Administrator you created during your Messaging Server installation.

    For more information, see 20.4 Specifying Administrator Access to the Store.

  4. Create a certmap.conf file for the MMP. For example:


    certmap default default
    default:DNComps
    default:FilterComps e=mail
    

    This means that the MMP looks up the value of the e field in the certificate DN by searching the mail attribute in the LDAP server.

  5. Edit your ImapProxyAService.cfg file and do the following:

    1. Set CertMapFile to certmap.conf

    2. Set StoreAdmin and StorePass to values from Step 3.

    3. Set UserGroupDN to the root of your Users and Groups tree.

  6. If you want client certificates with POP3, repeat Step 5 for the PopProxyAService.cfg file.

  7. If the MMP is not already running, start it with the following command in the msg-svr-base/sbin directory:

    start-msg mmp

  8. Import the client certificate into your client. In Netscape Communicator, click on the padlock (Security) icon, then select Yours under Certificates, then select Import a Certificate... and follow the instructions.


    Note –

    All your users will have to perform this step if you want to use client certificates everywhere.
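Steps 4 and 5 of the procedure above describe the certmap.conf rules (DNComps, FilterComps) and the UserGroupDN search root, but not what search the MMP actually derives from a presented certificate. The following Python is an added illustration written for this page, not MMP code: it parses the page's certmap.conf, parses a certificate subject DN, and builds the LDAP search base and filter the rules imply. It assumes the certmap semantics of the Netscape/Sun certmap.conf format (an empty DNComps means "search from the configured root", a non-empty DNComps builds the base from those subject components) and escapes filter values per RFC 4515 so certificate fields cannot alter the filter structure. The subject DNs are constructed sample input.

```python
import re

# Constructed input: the certmap.conf from step 4 of the procedure above.
CERTMAP_CONF = """\
certmap default default
default:DNComps
default:FilterComps e=mail
"""

# RFC 4515 filter escaping: these characters would otherwise change the
# structure of the search filter built from certificate-supplied values.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_escape(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def parse_certmap(text):
    """Parse certmap.conf into {name: {"issuer", "DNComps": [..], "FilterComps": [(cert_attr, ldap_attr)]}}."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("certmap "):
            parts = line.split(None, 2)          # certmap <name> <issuer DN>
            name = parts[1]
            issuer = parts[2] if len(parts) > 2 else "default"
            rules[name] = {"issuer": issuer, "DNComps": [], "FilterComps": []}
            continue
        parts = line.split(None, 1)              # <name>:<Option> [value]
        key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        name, _, option = key.partition(":")
        rule = rules.setdefault(name, {"issuer": name, "DNComps": [], "FilterComps": []})
        items = [i.strip() for i in value.split(",") if i.strip()]
        if option == "DNComps":
            rule["DNComps"] = [i.lower() for i in items]
        elif option == "FilterComps":
            for item in items:
                cert_attr, _, ldap_attr = item.partition("=")
                # "e=mail" maps certificate attribute e to LDAP attribute mail;
                # a bare "cn" maps to the LDAP attribute of the same name.
                rule["FilterComps"].append((cert_attr.lower(), ldap_attr or cert_attr))
    return rules


def parse_dn(dn):
    """Split an RFC 4514 DN string into [(attr_lower, value)], honouring escaped commas."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip().replace("\\,", ",")))
    return rdns


def map_certificate(certmap, subject_dn, user_group_dn, name="default"):
    """Return (search_base, search_filter) for a certificate subject DN.

    Raises ValueError when the certificate lacks a component the rule needs,
    so a certificate that does not fit the mapping never yields a broad search.
    """
    rule = certmap[name]
    rdns = parse_dn(subject_dn)
    if rule["DNComps"]:
        # Assumption: base DN is composed from the listed subject components,
        # kept in the order they appear in the certificate.
        base = ",".join(f"{a}={v.replace(',', chr(92) + ',')}"
                        for a, v in rdns if a in rule["DNComps"])
    else:
        # Empty DNComps: search the whole Users and Groups tree (UserGroupDN, step 5.3).
        base = user_group_dn
    clauses = []
    for cert_attr, ldap_attr in rule["FilterComps"]:
        values = [v for a, v in rdns if a == cert_attr]
        if not values:
            raise ValueError(f"certificate DN has no {cert_attr} component")
        clauses.append(f"({ldap_attr}={ldap_filter_escape(values[0])})")
    search_filter = clauses[0] if len(clauses) == 1 else "(&" + "".join(clauses) + ")"
    return base, search_filter


if __name__ == "__main__":
    rules = parse_certmap(CERTMAP_CONF)
    print(map_certificate(rules, "E=alice@siroe.com,CN=Alice Example,O=Siroe,C=US", "o=internet"))
```

With the page's rule, a certificate whose subject carries E=alice@siroe.com produces a search under the UserGroupDN root with the filter (mail=alice@siroe.com); a certificate with no e component is rejected rather than matched loosely.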


7.4.1 A Sample Topology

The fictional Siroe Corporation has two Messaging Multiplexors on separate machines, each supporting several Messaging Servers. POP and IMAP user mailboxes are split across the Messaging Server machines, with each server dedicated exclusively to POP or exclusively to IMAP. (You can restrict client access to POP services alone by removing the ImapProxyAService entry from the ServiceList setting; likewise, you can restrict client access to IMAP services alone by removing the PopProxyAService entry from the ServiceList setting.) Each Messaging Multiplexor also supports only POP or only IMAP. The LDAP directory service is on a separate, dedicated machine.

This topology is illustrated below in Figure 7–2.

Figure 7–2 Multiple MMPs Supporting Multiple Messaging Servers

(Graphic: multiple MMPs supporting multiple Messaging Servers.)

7.4.1.1 IMAP Configuration Example

The IMAP Messaging Multiplexor in Figure 7–2 is installed on sandpit, a machine with two processors. This Messaging Multiplexor listens on the standard port for IMAP connections (143). The Messaging Multiplexor communicates with the LDAP server on the host phonebook for user mailbox information, and it routes the connection to the appropriate IMAP server. It overrides the IMAP capability string, provides a virtual domain file, and supports SSL communications.

This is its ImapProxyAService.cfg configuration file:


default:LdapUrl ldap://phonebook.siroe.com/o=internet
default:LogDir /opt/SUNWmsgsr/config/log
default:LogLevel 5
default:BindDN "cn=Directory Manager"
default:BindPass secret
default:BacksidePort 143
default:Timeout 1800
default:Capability "IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS CHILDREN BINARY LANGUAGE XSENDER X-NETSCAPE XSERVERINFO"
default:SearchFormat (uid=%s)
default:SSLEnable yes
default:SSLPorts 993
default:SSLSecmodFile /opt/SUNWmsgsr/config/secmod.db
default:SSLCertFile /opt/SUNWmsgsr/config/cert8.db
default:SSLKeyFile /opt/SUNWmsgsr/config/key3.db
default:SSLKeyPasswdFile /opt/SUNWmsgsr/config/sslpassword.conf
default:SSLCipherSpecs all
default:SSLCertNicknames Siroe.com Server-Cert
default:SSLCacheDir /opt/SUNWmsgsr/config
default:SSLBacksidePort 993
default:VirtualDomainFile /opt/SUNWmsgsr/config/vdmap.cfg
default:VirtualDomainDelim @
default:ServerDownAlert "your IMAP server appears to be temporarily out of service"
default:MailHostAttrs mailHost
default:PreAuth no
default:CRAMs no
default:AuthCacheSize 10000
default:AuthCacheTTL 900
default:AuthService no
default:AuthServiceTTL 0
default:BGMax 10000
default:BGPenalty 2
default:BGMaxBadness 60
default:BGDecay 900
default:BGLinear no
default:BGExcluded /opt/SUNWmsgsr/config/bgexcl.cfg
default:ConnLimits 0.0.0.0|0.0.0.0:20
default:LdapCacheSize 10000
default:LdapCacheTTL 900
default:HostedDomains yes
default:DefaultDomain Siroe.com

7.4.1.2 POP Configuration Example

The POP Messaging Multiplexor example in 7.4.1 A Sample Topology is installed on tarpit, a machine with four processors. This Messaging Multiplexor listens on the standard port for POP connections (110). The Messaging Multiplexor communicates with the LDAP server on the host phonebook for user mailbox information, and it routes the connection to the appropriate POP server.

This is its PopProxyAService.cfg configuration file:


default:LdapUrl ldap://phonebook.siroe.com/o=internet
default:LogDir /opt/SUNWmsgsr/config/log
default:LogLevel 5
default:BindDN "cn=Directory Manager"
default:BindPass password
default:BacksidePort 110
default:Timeout 1800
default:SearchFormat (uid=%s)
default:SSLEnable no
default:VirtualDomainFile /opt/SUNWmsgsr/config/vdmap.cfg
default:VirtualDomainDelim @
default:MailHostAttrs mailHost
default:PreAuth no
default:CRAMs no
default:AuthCacheSize 10000
default:AuthCacheTTL 900
default:AuthService no
default:AuthServiceTTL 0
default:BGMax 10000
default:BGPenalty 2
default:BGMaxBadness 60
default:BGDecay 900
default:BGLinear no
default:BGExcluded /opt/SUNWmsgsr/config/bgexcl.cfg
default:ConnLimits 0.0.0.0|0.0.0.0:20
default:LdapCacheSize 10000
default:LdapCacheTTL 900
default:HostedDomains yes
default:DefaultDomain Siroe.com
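The two sample files above (the SSL-enabled IMAP proxy in 7.4.1.1 and the plaintext POP proxy in 7.4.1.2) show what a finished configuration looks like, and the procedure in 7.4 lists the settings that must be present (BindDN, BindPass, DefaultDomain, the SSL settings, SSLBacksidePort). The following Python is an added example for this page, not a tool shipped with Messaging Server: it parses the section:Option value line format shown in both files and reports which of those settings are missing or leave a connection unencrypted. It assumes that comment lines start with # or ! (the page shows no comment lines) and takes the set of SSL settings required when SSLEnable is yes from the page's IMAP sample rather than from the product's documented requirements. The configuration texts are abridged copies of the page's samples, embedded so the checker runs offline.

```python
import re

# Constructed input: abridged copies of the two sample files on this page.
IMAP_CFG = """\
default:LdapUrl ldap://phonebook.siroe.com/o=internet
default:BindDN "cn=Directory Manager"
default:BindPass secret
default:BacksidePort 143
default:SSLEnable yes
default:SSLPorts 993
default:SSLSecmodFile /opt/SUNWmsgsr/config/secmod.db
default:SSLCertFile /opt/SUNWmsgsr/config/cert8.db
default:SSLKeyFile /opt/SUNWmsgsr/config/key3.db
default:SSLKeyPasswdFile /opt/SUNWmsgsr/config/sslpassword.conf
default:SSLCipherSpecs all
default:SSLCertNicknames Siroe.com Server-Cert
default:SSLBacksidePort 993
default:DefaultDomain Siroe.com
"""

POP_CFG = """\
default:LdapUrl ldap://phonebook.siroe.com/o=internet
default:BindDN "cn=Directory Manager"
default:BindPass password
default:BacksidePort 110
default:SSLEnable no
default:DefaultDomain Siroe.com
"""

# Settings the page's IMAP sample uses alongside SSLEnable yes (assumption:
# treated here as the minimum set a server-side SSL proxy needs).
SSL_REQUIRED = ("SSLPorts", "SSLSecmodFile", "SSLCertFile", "SSLKeyFile",
                "SSLKeyPasswdFile", "SSLCertNicknames")
# Bind passwords that look like documentation placeholders rather than real secrets.
SAMPLE_PASSWORDS = {"secret", "password", "changeme"}

_LINE = re.compile(r"^(\w+):(\w+)(?:\s+(.*))?$")


def parse_aservice_cfg(text):
    """Parse 'section:Option value' lines into {section: {Option: value}}; strips surrounding quotes."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":   # assumption: comment markers
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        section, option, value = m.group(1), m.group(2), (m.group(3) or "").strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        cfg.setdefault(section, {})[option] = value
    return cfg


def check_proxy_cfg(cfg, section="default"):
    """Return a list of 'LEVEL: message' findings for one proxy configuration section."""
    opts = cfg.get(section, {})
    findings = []
    for needed in ("BindDN", "BindPass"):
        if needed not in opts:
            findings.append(f"ERROR: {needed} is not set (required by step 4 of 7.4)")
    if "DefaultDomain" not in opts:
        findings.append("WARN: DefaultDomain is not set; unqualified user names have no domain")
    if opts.get("BindPass", "").lower() in SAMPLE_PASSWORDS:
        findings.append("WARN: BindPass looks like a sample value; the directory bind is only as strong as it")
    if opts.get("SSLEnable", "no").lower() == "yes":
        for needed in SSL_REQUIRED:
            if needed not in opts:
                findings.append(f"ERROR: SSLEnable is yes but {needed} is missing")
        if opts.get("SSLCipherSpecs", "").lower() == "all":
            findings.append("INFO: SSLCipherSpecs all leaves cipher selection to the library; list the suites you want explicitly")
    else:
        findings.append("INFO: SSLEnable is not yes; client connections to this proxy are cleartext")
    if opts.get("SSLBacksidePort") == "0":
        findings.append("INFO: SSLBacksidePort is 0; the proxy-to-backend connection is cleartext (step 5 of 7.4)")
    return findings


if __name__ == "__main__":
    for label, text in (("ImapProxyAService.cfg", IMAP_CFG), ("PopProxyAService.cfg", POP_CFG)):
        print(label)
        for finding in check_proxy_cfg(parse_aservice_cfg(text)):
            print("  " + finding)
```

Run against the page's own samples, the IMAP file produces no errors but two advisories (the placeholder bind password and SSLCipherSpecs all), and the POP file is flagged as serving clients in cleartext, which is exactly what its SSLEnable no line says. Commenting out a single SSL file setting in the IMAP file turns into an error, which is the check you want before restarting the MMP after step 2 or 3.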