To configure the MMP to use SSL, do the following:
It is assumed that the MMP is installed on a machine that does not have a Message Store or MTA.
1. Install an SSL server certificate (see 23.5 Configuring Encryption and Certificate-Based Authentication).
2. Edit the ImapProxyAService.cfg file and uncomment the relevant SSL settings.
3. If you want SSL and POP, edit the PopProxyAService.cfg file and uncomment the relevant SSL settings. Additionally, you must edit the AService.cfg file and add |995 after the 110 in the ServiceList setting, so that the POP proxy also listens on the POP-over-SSL port.
4. Make sure that the BindDN and BindPass options are set in the ImapProxyAService.cfg and PopProxyAService.cfg files. The bind account only needs to read the user entries the MMP searches; the sample configurations later in this chapter bind as cn=Directory Manager, which is the directory superuser, so a dedicated read-only bind account is preferable in production. You should also set the DefaultDomain option to your default domain (the domain to use for unqualified user names).
5. If you just want server-side SSL support, you are finished. Start the MMP with the following command in the msg-svr-base/sbin directory:
   start-msg mmp
If you do not want to use SSL between the MMP and the backend server, set the SSLBacksidePort option to 0 in the ImapProxyAService.cfg or PopProxyAService.cfg MMP configuration file. Note that the connection to the backend, including the login the MMP performs on the user's behalf, is then unencrypted, so do this only where the network between the MMP and the backend is trusted.
If you want client certificate based login, do the following:
1. Get a copy of a client certificate and the CA certificate which signed it.
2. Import the CA certificate as a Trusted Certificate Authority (see 23.5.1 Obtaining Certificates).
3. Use the Store Administrator you created during your Messaging Server installation. For more information, see 20.4 Specifying Administrator Access to the Store.
4. Create a certmap.conf file for the MMP. For example:
   certmap default default
   default:DNComps
   default:FilterComps e=mail
   This means to search for a match with the e field in the certificate DN by looking at the mail attribute in the LDAP server. With DNComps present but empty, as here, the search is performed under the server's configured base DN rather than under a base built from the certificate subject.
5. Edit your ImapProxyAService.cfg file and do the following:
6. If you want client certificates with POP3, repeat Step 5 for the PopProxyAService.cfg file.
7. If the MMP is not already running, start it with the following command in the msg-svr-base/sbin directory:
   start-msg mmp
8. Import the client certificate into your client. In Netscape Communicator, click on the padlock (Security) icon, then select Yours under Certificates, then select Import a Certificate... and follow the instructions.
All your users will have to perform this step if you want to use client certificates everywhere.
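To make the certmap.conf mapping in step 4 concrete, the following Python script is an added example, not code from Messaging Server or this guide. It parses a certmap.conf entry of the shape shown above, takes a client certificate's subject DN, and returns the LDAP search base and filter that the mapping implies. The certmap.conf text and the subject DNs are constructed for the example; the handling of a non-empty DNComps (building the base from the named subject components) is my reading of the format rather than something this page states; and the RFC 4515 escaping is the check a practitioner would want, because the filter value comes out of a certificate rather than out of your own configuration.

```python
# Added example, not part of Messaging Server or this guide: the LDAP search that a
# certmap.conf mapping makes the MMP perform for a given client certificate subject DN.
import re

# Constructed certmap.conf with the same shape as the entry in step 4.
CERTMAP_CONF = """\
certmap default default
default:DNComps
default:FilterComps e=mail
"""


def parse_certmap(text):
    """Parse certmap.conf into {name: {'issuer', 'DNComps': [attr...], 'FilterComps': [(cert_attr, ldap_attr)...]}}."""
    maps = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('certmap '):
            _, name, issuer = line.split(None, 2)
            maps[name] = {'issuer': issuer, 'DNComps': [], 'FilterComps': []}
            continue
        name, _, rest = line.partition(':')
        key, _, value = rest.partition(' ')
        comps = [c.strip() for c in value.split(',') if c.strip()]
        if key == 'DNComps':
            maps[name]['DNComps'] = [c.lower() for c in comps]
        elif key == 'FilterComps':
            # "e=mail" maps certificate attribute e to LDAP attribute mail; a bare "cn" maps to itself.
            maps[name]['FilterComps'] = [
                (c.partition('=')[0].lower(), (c.partition('=')[2] or c).lower()) for c in comps]
    return maps


def parse_dn(dn):
    """Split a subject DN such as 'e=alice@siroe.com, cn=Alice, o=Siroe' into [(attr, value), ...].
    Only backslash-escaped commas are handled (a simplification of RFC 4514)."""
    pairs = []
    for rdn in re.split(r'(?<!\\),', dn):
        attr, _, value = rdn.strip().partition('=')
        pairs.append((attr.strip().lower(), value.strip().replace('\\,', ',')))
    return pairs


def escape_filter_value(value):
    """RFC 4515 escaping, so a crafted certificate attribute cannot change the filter's structure."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch for ch in value)


def build_search(subject_dn, mapping, server_base_dn):
    """Return (base_dn, filter) for one certificate under one certmap entry.

    DNComps present but empty (as on the page) means the server's configured base DN is used;
    a non-empty DNComps builds the base from those subject components (my assumption, values unescaped)."""
    subject = dict(parse_dn(subject_dn))
    needed = mapping['DNComps'] + [cert_attr for cert_attr, _ in mapping['FilterComps']]
    missing = [a for a in needed if a not in subject]
    if missing:
        raise KeyError(f'certificate subject lacks {missing}; no LDAP entry can be matched')
    if mapping['DNComps']:
        base_dn = ','.join(f'{a}={subject[a]}' for a in mapping['DNComps'])
    else:
        base_dn = server_base_dn
    terms = [f'({ldap_attr}={escape_filter_value(subject[cert_attr])})'
             for cert_attr, ldap_attr in mapping['FilterComps']]
    ldap_filter = terms[0] if len(terms) == 1 else '(&' + ''.join(terms) + ')'
    return base_dn, ldap_filter


if __name__ == '__main__':
    mapping = parse_certmap(CERTMAP_CONF)['default']
    print(build_search('e=alice@siroe.com, cn=Alice Example, o=Siroe, c=US', mapping, 'o=internet'))
    # A subject with filter metacharacters in its e field is escaped, not interpreted.
    print(build_search('e=*)(uid=admin, cn=Mallory', mapping, 'o=internet'))
```

With the page's mapping, a certificate whose subject carries e=alice@siroe.com produces the search base o=internet (the base DN of the LdapUrl setting in the sample configurations) and the filter (mail=alice@siroe.com); a subject whose e field contains filter metacharacters produces a filter that still matches only a literal mail value.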
The fictional Siroe Corporation has two Messaging Multiplexors on separate machines, each supporting several Messaging Servers. POP and IMAP user mailboxes are split across the Messaging Server machines, with each server dedicated exclusively to POP or exclusively to IMAP. Each Messaging Multiplexor also supports only POP or only IMAP. (You can restrict client access to POP services alone by removing the ImapProxyAService entry from the ServiceList setting; likewise, you can restrict client access to IMAP services alone by removing the PopProxyAService entry from the ServiceList setting.) The LDAP directory service is on a separate, dedicated machine.
This topology is illustrated below in Figure 7–2.
The IMAP Messaging Multiplexor in Figure 7–2 is installed on sandpit, a machine with two processors. This Messaging Multiplexor is listening to the standard port for IMAP connections (143). Messaging Multiplexor communicates with the LDAP server on the host phonebook for user mailbox information, and it routes the connection to the appropriate IMAP server. It overrides the IMAP capability string, provides a virtual domain file, and supports SSL communications.
This is its ImapProxyAService.cfg configuration file:
default:LdapUrl ldap://phonebook.siroe.com/o=internet
default:LogDir /opt/SUNWmsgsr/config/log
default:LogLevel 5
default:BindDN "cn=Directory Manager"
default:BindPass secret
default:BacksidePort 143
default:Timeout 1800
default:Capability "IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS CHILDREN BINARY LANGUAGE XSENDER X-NETSCAPE XSERVERINFO"
default:SearchFormat (uid=%s)
default:SSLEnable yes
default:SSLPorts 993
default:SSLSecmodFile /opt/SUNWmsgsr/config/secmod.db
default:SSLCertFile /opt/SUNWmsgsr/config/cert8.db
default:SSLKeyFile /opt/SUNWmsgsr/config/key3.db
default:SSLKeyPasswdFile /opt/SUNWmsgsr/config/sslpassword.conf
default:SSLCipherSpecs all
default:SSLCertNicknames Siroe.com Server-Cert
default:SSLCacheDir /opt/SUNWmsgsr/config
default:SSLBacksidePort 993
default:VirtualDomainFile /opt/SUNWmsgsr/config/vdmap.cfg
default:VirtualDomainDelim @
default:ServerDownAlert "your IMAP server appears to be temporarily out of service"
default:MailHostAttrs mailHost
default:PreAuth no
default:CRAMs no
default:AuthCacheSize 10000
default:AuthCacheTTL 900
default:AuthService no
default:AuthServiceTTL 0
default:BGMax 10000
default:BGPenalty 2
default:BGMaxBadness 60
default:BGDecay 900
default:BGLinear no
default:BGExcluded /opt/SUNWmsgsr/config/bgexcl.cfg
default:ConnLimits 0.0.0.0|0.0.0.0:20
default:LdapCacheSize 10000
default:LdapCacheTTL 900
default:HostedDomains yes
default:DefaultDomain Siroe.com
The POP Messaging Multiplexor example in 7.4.1 A Sample Topology is installed on tarpit, a machine with four processors. This Messaging Multiplexor is listening to the standard port for POP connections (110). Messaging Multiplexor communicates with the LDAP server on the host phonebook for user mailbox information, and it routes the connection to the appropriate POP server.
This is its PopProxyAService.cfg configuration file:
default:LdapUrl ldap://phonebook.siroe.com/o=internet
default:LogDir /opt/SUNWmsgsr/config/log
default:LogLevel 5
default:BindDN "cn=Directory Manager"
default:BindPass password
default:BacksidePort 110
default:Timeout 1800
default:SearchFormat (uid=%s)
default:SSLEnable no
default:VirtualDomainFile /opt/SUNWmsgsr/config/vdmap.cfg
default:VirtualDomainDelim @
default:MailHostAttrs mailHost
default:PreAuth no
default:CRAMs no
default:AuthCacheSize 10000
default:AuthCacheTTL 900
default:AuthService no
default:AuthServiceTTL 0
default:BGMax 10000
default:BGPenalty 2
default:BGMaxBadness 60
default:BGDecay 900
default:BGLinear no
default:BGExcluded /opt/SUNWmsgsr/config/bgexcl.cfg
default:ConnLimits 0.0.0.0|0.0.0.0:20
default:LdapCacheSize 10000
default:LdapCacheTTL 900
default:HostedDomains yes
default:DefaultDomain Siroe.com
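The SSL procedure at the top of this section and the two sample configuration files above can be checked mechanically. The following Python script is an added example, not part of Messaging Server or this guide: it parses the section:Option value format of the MMP configuration files and reports the settings the procedure calls for (BindDN, BindPass and DefaultDomain set; the SSL file and port options present when SSLEnable is yes; SSLBacksidePort 0, which leaves the backend connection in cleartext; and 995 present in the PopProxyAService entry of the ServiceList when POP SSL is on). The embedded files are constructed for the example and shortened from the ones above; the ServiceList layout it assumes (library path, @, and |-separated ports) is inferred from the instruction to add |995 after the 110; and the finding on cn=Directory Manager reflects a least-privilege recommendation, not a product requirement.

```python
# Added example, not part of Messaging Server or this guide: lint MMP proxy configuration
# files for the settings the SSL procedure requires.
import re

# One "section:Option value" setting per line; values may be double-quoted.
LINE_RE = re.compile(r'^(?P<section>[\w.-]+):(?P<key>\w+)(?:\s+(?P<value>.*))?$')

# Constructed sample, shortened from the page's ImapProxyAService.cfg.
IMAP_CFG = """\
default:BindDN "cn=Directory Manager"
default:BindPass secret
default:BacksidePort 143
default:SSLEnable yes
default:SSLPorts 993
default:SSLSecmodFile /opt/SUNWmsgsr/config/secmod.db
default:SSLCertFile /opt/SUNWmsgsr/config/cert8.db
default:SSLKeyFile /opt/SUNWmsgsr/config/key3.db
default:SSLKeyPasswdFile /opt/SUNWmsgsr/config/sslpassword.conf
default:SSLCertNicknames Siroe.com Server-Cert
default:SSLBacksidePort 993
default:DefaultDomain Siroe.com
"""

# Constructed POP counterpart: a read-only bind account, SSL on, but no SSL to the backend.
POP_CFG = (IMAP_CFG.replace('cn=Directory Manager', 'cn=mmp-reader,ou=services,o=internet')
           .replace('SSLPorts 993', 'SSLPorts 995').replace('SSLBacksidePort 993', 'SSLBacksidePort 0'))

# ServiceList layout (library@port|port ...) is an assumption drawn from the "add |995 after the 110" step.
ASERVICE_CFG = """\
default:ServiceList /opt/SUNWmsgsr/lib/ImapProxyAService@143|993 /opt/SUNWmsgsr/lib/PopProxyAService@110
"""

SSL_OPTIONS = ('SSLPorts', 'SSLSecmodFile', 'SSLCertFile', 'SSLKeyFile', 'SSLKeyPasswdFile', 'SSLCertNicknames')


def parse_cfg(text):
    """Parse MMP config text into {section: {option: value}}; surrounding double quotes are stripped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f'unparseable line: {raw!r}')
        value = (m.group('value') or '').strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        cfg.setdefault(m.group('section'), {})[m.group('key')] = value
    return cfg


def lint_proxy(name, text):
    """Return (ssl_enabled, findings) for one ImapProxyAService.cfg or PopProxyAService.cfg."""
    d = parse_cfg(text).get('default', {})
    findings = []
    for opt in ('BindDN', 'BindPass'):
        if not d.get(opt):
            findings.append(f'{name}: {opt} is not set')
    if not d.get('DefaultDomain'):
        findings.append(f'{name}: DefaultDomain is not set (needed for unqualified user names)')
    if d.get('BindDN', '').lower() == 'cn=directory manager':
        findings.append(f'{name}: BindDN is the directory superuser; bind as a read-only account instead')
    ssl_enabled = d.get('SSLEnable', 'no').lower() == 'yes'
    if ssl_enabled:
        for opt in SSL_OPTIONS:
            if not d.get(opt):
                findings.append(f'{name}: SSLEnable is yes but {opt} is not set')
        if d.get('SSLBacksidePort') == '0':
            findings.append(f'{name}: SSLBacksidePort is 0; the MMP logs in to the backend in cleartext')
    return ssl_enabled, findings


def lint_service_list(text, pop_ssl_enabled):
    """When POP SSL is on, the PopProxyAService entry in AService.cfg ServiceList must include port 995."""
    if not pop_ssl_enabled:
        return []
    for entry in parse_cfg(text).get('default', {}).get('ServiceList', '').split():
        if 'PopProxyAService' in entry:
            if '995' in entry.partition('@')[2].split('|'):
                return []
            return ['AService.cfg: POP SSL is enabled but 995 is missing from the PopProxyAService ServiceList ports']
    return ['AService.cfg: no PopProxyAService entry in ServiceList']


def lint_all(imap_text, pop_text, aservice_text):
    """Lint all three files and return the combined list of findings (empty when all checks pass)."""
    _, findings = lint_proxy('ImapProxyAService.cfg', imap_text)
    pop_ssl, pop_findings = lint_proxy('PopProxyAService.cfg', pop_text)
    return findings + pop_findings + lint_service_list(aservice_text, pop_ssl)


if __name__ == '__main__':
    for finding in lint_all(IMAP_CFG, POP_CFG, ASERVICE_CFG):
        print(finding)
```

Run against the constructed files it reports three findings: the IMAP proxy binds as the directory superuser, the POP proxy has SSLBacksidePort 0, and the POP entry in the ServiceList lacks 995. Point it at real files by reading them with open() and passing the text to lint_all; the parser rejects any line that does not have the section:Option value shape rather than silently skipping it.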