Deployment Example: Sun Java System Communications Services for Access Anywhere (EdgeMail)

4.7 Installing and Configuring Messaging Server

Procedure: To Install Messaging Server

Steps
  1. Make sure Admin server is already installed.

  2. Create UNIX user/group names: mailsrv/mailsrv if not already done by JumpStart.

  3. Install Messaging Server on both nodes using silent install method:

    Verify you are using latest version of the install and configuration files and that you have customized if needed for your hostname.


    phys-bedge1-[12]# ./installer -nodisplay -noconsole -state /var/bits/silent/BE/msg-ha-bits.cnf
  4. Patch Messaging Server on both nodes with the latest patches.

  5. Prepare the LDAP directories

    1. Run comm_dssetup.pl on all CFG directory servers -- master and replicas, FE and BE.

    2. Apply the schema to the configuration directory (on node 2 of the first cluster, where the directory server cfg instance is installed):


      phys-bedge1-2# cd /opt/SUNWmsgsr/lib
      phys-bedge1-2# perl comm_dssetup.pl
      ...
      Here is a summary of the settings that you chose:
        Server Root                        : /opt/ds
        Server Instance                    : slapd-cfg
        Users/Groups Directory             : no
        Update Schema                      : yes
        Schema Type                        : 2 
        Directory Manager DN               : cn=Directory Manager

Procedure: To Configure HA on the BE

Before You Begin
Steps
  1. Verify that the SUNWscims package is installed; if not, install it on both nodes.

  2. Set up the cluster resource group and resources:

    Clusters 1 and 2 have 15 stores each, while clusters 3 and 4 have only 11 stores. Run the commands on the primary node.


    phys-bedgeN-1# scrgadm -a -t SUNW.HAStoragePlus
    phys-bedgeN-1# scrgadm -a -t SUNW.ims
    phys-bedgeN-1# scrgadm -a -g msg1-svc-rg -h phys-bedge1-1,phys-bedge1-2
    phys-bedgeN-1# scrgadm -a -L -g msg1-svc-rg -j msg1-addr-rs -l bedge1-mail1
    phys-bedgeN-1# scswitch -Z -g msg1-svc-rg
    phys-bedgeN-1# scrgadm -a -j msg1-storplus1-rs -g msg1-svc-rg -t SUNW.HAStoragePlus \
        -x FilesystemMountPoints=/shared/bedge1/msg/partition/store001,\
        /shared/bedge1/msg/partition/store002,/shared/bedge1/msg/partition/store003,\
        /shared/bedge1/msg/partition/store004,/shared/bedge1/msg/partition/store005,\
        /shared/bedge1/msg/partition/store006,/shared/bedge1/msg/conf,\
        /shared/bedge1/msg/dbbackup -x AffinityOn=True
    phys-bedgeN-1# scrgadm -a -j msg1-storplus2-rs -g msg1-svc-rg -t SUNW.HAStoragePlus \
        -x FilesystemMountPoints=/shared/bedge1/msg/partition/store007,\
        /shared/bedge1/msg/partition/store008,/shared/bedge1/msg/partition/store009,\
        /shared/bedge1/msg/partition/store010,/shared/bedge1/msg/partition/store011,\
        /shared/bedge1/msg/partition/store012,/shared/bedge1/msg/imta,\
        /shared/bedge1/msg/var -x AffinityOn=True
    phys-bedgeN-1# scrgadm -a -j msg1-storplus3-rs -g msg1-svc-rg -t SUNW.HAStoragePlus \
        -x FilesystemMountPoints=/shared/bedge1/msg/partition/store013,\
        /shared/bedge1/msg/partition/store014,/shared/bedge1/msg/partition/store015,\
        /shared/bedge1/msg/partition/store016,/shared/bedge1/msg/partition/store006,\
        /shared/bedge1/msg/partition/store018,/shared/bedge1/msg/db -x AffinityOn=True
    phys-bedgeN-1# scswitch -e -j msg1-storplus1-rs
    phys-bedgeN-1# scswitch -e -j msg1-storplus2-rs
    phys-bedgeN-1# scswitch -e -j msg1-storplus3-rs
  3. Verify that all messaging partitions are mounted before proceeding. Run configure interactively on the primary node:


    phys-bedgeN-1# cd /opt/SUNWmsgsr/lib
    phys-bedgeN-1# ./configure

    Alternatively, use the silent install state file (always check the silent install file before using):


    phys-bedgeN-1# ./configure -noconsole -state /var/bits/bedge/BE/bedge1-msg.cnf
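    The mount check in step 3 is worth scripting, because a missing or doubly listed partition is easy to overlook across 15 stores spread over three HAStoragePlus resources. The script below is an added example, not code from the Sun guide or from the Messaging Server product: it assumes the FilesystemMountPoints values exactly as they are passed to scrgadm and a file in /etc/mnttab layout (special, mount point, fstype, options, time), and the mnttab content it writes is constructed. The function names split_mountpoints, duplicate_mountpoints, check_mounted and store_configutil_cmds are mine.

```shell
#!/bin/sh
# Added example, not from the Sun deployment guide: before running ./configure,
# confirm that every mount point named in the HAStoragePlus resources is really
# mounted on this node, flag any path listed in more than one resource, and
# emit the configutil command for each store partition in the list.
# Assumed inputs: a FilesystemMountPoints value as given to scrgadm
# (comma-separated) and a file laid out like Solaris /etc/mnttab
# (special mount-point fstype options time, whitespace separated).

# One mount point per line from a comma-separated FilesystemMountPoints value.
split_mountpoints() {
    printf '%s\n' "$1" | tr ',' '\n' | tr -d ' \t' | sed '/^$/d'
}

# Mount points that occur more than once across all the values given.
duplicate_mountpoints() {
    for v in "$@"; do split_mountpoints "$v"; done | sort | uniq -d
}

# Return 0 if every mount point in $1 is present as field 2 of the mnttab
# file $2; otherwise print the missing ones and return 1.
check_mounted() {
    rc=0
    for mp in $(split_mountpoints "$1"); do
        if ! awk -v mp="$mp" '$2 == mp { found = 1 } END { exit !found }' "$2"; then
            echo "NOT MOUNTED: $mp"
            rc=1
        fi
    done
    return $rc
}

# For each .../partition/storeNNN path in $1, print the configutil command
# that registers it (printed rather than executed, so it can be reviewed).
store_configutil_cmds() {
    for mp in $(split_mountpoints "$1"); do
        case "$mp" in
            */partition/store[0-9][0-9][0-9])
                name=${mp##*/}
                echo "configutil -o store.partition.$name.path -v \"$mp\""
                ;;
        esac
    done
}

# Constructed mnttab sample (not captured from a real node): store001-003
# and conf are mounted, store004 is deliberately absent.
make_sample_mnttab() {
    printf '%s\n' \
        '/dev/md/bedge1/dsk/d101 /shared/bedge1/msg/partition/store001 ufs rw,logging 1111111111' \
        '/dev/md/bedge1/dsk/d102 /shared/bedge1/msg/partition/store002 ufs rw,logging 1111111111' \
        '/dev/md/bedge1/dsk/d103 /shared/bedge1/msg/partition/store003 ufs rw,logging 1111111111' \
        '/dev/md/bedge1/dsk/d120 /shared/bedge1/msg/conf ufs rw,logging 1111111111' \
        > "$1"
}

demo() {
    t=$(mktemp)
    make_sample_mnttab "$t"
    list1='/shared/bedge1/msg/partition/store001,/shared/bedge1/msg/partition/store002,/shared/bedge1/msg/conf'
    list2='/shared/bedge1/msg/partition/store003,/shared/bedge1/msg/partition/store004,/shared/bedge1/msg/partition/store001'
    echo "listed twice: $(duplicate_mountpoints "$list1" "$list2")"
    check_mounted "$list1" "$t" && echo "list1: all mounted"
    check_mounted "$list2" "$t" || echo "list2: do not run configure yet"
    store_configutil_cmds "$list1"
    rm -f "$t"
}

# Run the demonstration only when invoked as: sh check_mounts.sh demo
case "${1:-}" in demo) demo ;; esac
```

    Run against the three FilesystemMountPoints values from step 2, duplicate_mountpoints reports /shared/bedge1/msg/partition/store006, which appears in both msg1-storplus1-rs and msg1-storplus3-rs and should be resolved before the resources are enabled. store_configutil_cmds prints the commands needed for the per-partition step of the next procedure instead of running them, so the list can be checked against the mounted partitions first.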
  4. Back up the configuration directory with db2ldif so that a known-good copy is saved:


    phys-bedgeN-2# cd /opt/ds/slapd-cfg
    phys-bedgeN-2# ./db2ldif
  5. On the primary node, run the ha_ip_config command:


    phys-bedgeN-1# cd /opt/SUNWmsgsr/sbin
    phys-bedgeN-1# ./ha_ip_config
      Logical IP address: 129.146.xx.yy
      iMS server root: /opt/SUNWmsgsr
      The iMS server root directory does not contain any slapd-* subdirectories.
      Skipping configuration of LDAP servers.
      Logical IP address: 129.146.xx.yy
      iMS server root: /opt/SUNWmsgsr
    Do you wish to change any of the above choices (yes/no) [no]?
    Updating the file /opt/SUNWmsgsr/config/dispatcher.cnf
    Updating the file /opt/SUNWmsgsr/config/job_controller.cnf
    Setting the service.listenaddr configutil parameter
    Setting the service.http.smtphost configutil parameter
    Setting the local.watcher.enable configutil parameter
    Setting the local.autorestart configutil parameter
    Configuration successfully updated
  6. Copy the state files to node 2, then run useconfig on node 2:


    phys-bedgeN-1# cd /opt/SUNWmsgsr/install
    phys-bedgeN-1# cp -r configure_20050318142130 /shared/bedge1/msg/var/
  7. Switch the services over to node 2, or use scp to copy the configure directory locally to node 2, then run useconfig there:


    phys-bedgeN-2# /opt/SUNWmsgsr/sbin/useconfig /shared/bedge1/msg/var/configure_20050318142130

Procedure: To Configure Messaging Server

Steps
  1. Set up hostnames


    phys-bedgeN-1# configutil -o local.hostname -v "bedge1-mail1.us.example.com"
    phys-bedgeN-1# configutil -o local.webmail.da.host -v bedge1-mail1.us.example.com
    phys-bedgeN-1# configutil -o local.servername -v bedge1-mail1.us.example.com
  2. Set up LDAP (using the following guidelines)


    phys-bedgeN-1# configutil -o local.ldapuselocal -v yes
    phys-bedgeN-1# configutil -o local.ugldaphost -v "stringBelow"
    phys-bedgeN-1# configutil -o local.ldaphost -v "stringBelow"
    phys-bedgeN-1# configutil -o local.service.pab.ldaphost -v "localMMR"

    Substitution string for each cluster (replaces stringBelow above):


    cluster 1: ds-amer-03.us.example.com ds-amer-02.us.example.com
    cluster 2: ds-amer-02.us.example.com ds-amer-03.us.example.com
    cluster 3: ds-amer-03.us.example.com ds-amer-02.us.example.com
    cluster 4: ds-amer-02.us.example.com ds-amer-03.us.example.com
  3. Change administrative account names to msg-admin-bedgeN-mail1

    The account name must also be changed in the LDAP directory; verify that the account is a member of the correct group.


    phys-bedgeN-1# configutil -o local.enduseradmindn \
        -v "uid=msg-admin-bedge1-mail1,ou=People,dc=example,dc=com"
    phys-bedgeN-1# configutil -o local.service.pab.ldapbinddn \
        -v "uid=msg-admin-bedge1-mail1,ou=People,dc=example,dc=com"
    phys-bedgeN-1# configutil -o local.ugldapbinddn \
        -v "uid=msg-admin-bedge1-mail1,ou=People,dc=example,dc=com"
  4. Disable POP


    phys-bedgeN-1# configutil -o service.pop.enable -v 0
    phys-bedgeN-1# configutil -o service.pop.enablesslport -v 0
  5. Enable Distributed IMAP Folder Sharing

    First server listed in local.service.proxy.serverlist should be the one being installed/configured.


    phys-bedgeN-1# configutil -o local.service.proxy.admin -v admin
    phys-bedgeN-1# configutil -o local.service.proxy.adminpass -v adminPassword
    phys-bedgeN-1# configutil -o local.service.proxy.serverlist -v \
        "nedge1-mail1.sfbay.example.com, \
         nedge2-mail1.sfbay.example.com, \
         nedge3-mail1.sfbay.example.com, \
         bedge1-mail1.us.example.com, \
         bedge2-mail1.us.example.com, \
         bedge3-mail1.us.example.com, \
         sedge1-mail1.singapore.example.com, \
         sedge2-mail1.singapore.example.com"
  6. Set up logdir


    phys-bedgeN-1# configutil -o logfile.imap.logdir -v /shared/bedge1/msg/var/log/imap
    phys-bedgeN-1# configutil -o logfile.http.logdir -v /shared/bedge1/msg/var/log/http
    phys-bedgeN-1# configutil -o logfile.imta.logdir -v /shared/bedge1/msg/var/log/imta
  7. Verify local.autorestart is true:


    phys-bedgeN-1# configutil -o local.autorestart 
  8. Configure stores (repeat for each store partition)


    phys-bedgeN-1# configutil -o store.partition.store001.path \
        -v "/shared/bedge1/msg/partition/store001"
  9. Set up log locations:


    phys-bedgeN-1# mkdir -p /shared/bedge1/msg/var/log
    phys-bedgeN-1# chown mailsrv:mailsrv /shared/bedge1/msg/var/log
    phys-bedgeN-1# cd /shared/bedge1/msg/var/log
    phys-bedgeN-1# mkdir imap http imta default
    phys-bedgeN-1# chown mailsrv:mailsrv imap http imta default
    phys-bedgeN-1# chmod 755 imap http imta default
    phys-bedgeN-1# cd /opt/SUNWmsgsr/data;  mv log log.orig; ln -s /shared/bedge1/msg/var/log
  10. Edit imta_tailor to place MTA logs into the imta subdir


    phys-bedgeN-1# cd /opt/SUNWmsgsr/config
    phys-bedgeN-1# cp imta_tailor imta_tailor.orig
    phys-bedgeN-1# sed s/"\/log\/"/"\/log\/imta\/"/ imta_tailor.orig > imta_tailor
    phys-bedgeN-1# diff imta_tailor.orig imta_tailor
  11. Other settings, including tuning, the queue location, and db snapshots:


    phys-bedgeN-1# cd /shared/bedge1/msg/db
    phys-bedgeN-1# mkdir mboxlist
    phys-bedgeN-1# chown -R mailsrv:mailsrv *
    phys-bedgeN-1# cd /shared/bedge1/msg/imta
    phys-bedgeN-1# mkdir -p queue
    phys-bedgeN-1# chown -R mailsrv:mailsrv *
    phys-bedgeN-1# chmod -R 755 *
    phys-bedgeN-1# cd /opt/SUNWmsgsr/data

    phys-bedgeN-1# rm -r queue db 
    phys-bedgeN-1# ln -s /shared/bedge1/msg/imta/queue queue
    phys-bedgeN-1# ln -s /shared/bedge1/msg/db db
    phys-bedgeN-1# cd /opt/SUNWmsgsr/data/store
    phys-bedgeN-1# ln -s /shared/bedge1/msg/db/mboxlist mboxlist
    phys-bedgeN-1# cd /opt/SUNWmsgsr/data/store/dbdata
    phys-bedgeN-1# mkdir -p /shared/bedge1/msg/dbbackup/snapshots
    phys-bedgeN-1# chown mailsrv:mailsrv /shared/bedge1/msg/dbbackup/snapshots
    phys-bedgeN-1# chmod 755 /shared/bedge1/msg/dbbackup/snapshots
    phys-bedgeN-1# ln -s /shared/bedge1/msg/dbbackup/snapshots snapshots

    phys-bedgeN-1# configutil -o local.store.snapshotdirs -v 12
    phys-bedgeN-1# configutil -o local.store.snapshotinterval -v 720
  12. Verify start of services and proper logging


    phys-bedgeN-1# /opt/SUNWmsgsr/sbin/stop-msg
    phys-bedgeN-1# /opt/SUNWmsgsr/sbin/start-msg
  13. Set up messaging resource and enable:


    phys-bedgeN-1# scrgadm -a -j msg1-svc-rs -g msg1-svc-rg -t SUNW.ims \
        -x IMS_serverroot=/opt/SUNWmsgsr \
        -y Resource_dependencies=msg1-addr-rs,msg1-storplus1-rs,msg1-storplus2-rs,msg1-storplus3-rs
    phys-bedgeN-1# /usr/cluster/bin/scswitch -e -j msg1-svc-rs

Procedure: To Configure SMTP

Steps
  1. Make sure the SUNWsndmr and SUNWsndmu packages are installed.

  2. Stop sendmail if it's running


    # /etc/init.d/sendmail stop                 (Solaris 9)
    # svcadm disable network/smtp:sendmail      (Solaris 10)
  3. Create or modify /etc/default/sendmail to prevent accidental start of sendmail in daemon mode. Add:


    MODE=""
  4. Edit sjsms-submit.mc and change the line that starts with FEATURE to:


    # cd /usr/lib/mail/cf
    # cp submit.mc sjsms-submit.mc

    FEATURE(`msp', `[cookbook-mail1.us.example.com]')dnl

    # /usr/ccs/bin/make sjsms-submit.cf
    # mv /etc/mail/submit.cf /etc/mail/submit.cf.orig
    # cp sjsms-submit.cf /etc/mail/submit.cf
  5. Add patch 113575-05 or the most recent patch that replaces it. Note: future sendmail patches may overwrite submit.cf. You should always check submit.cf after applying such patches.

  6. Start sendmail


    # /etc/init.d/sendmail start                (Solaris 9)
    # svcadm enable network/smtp:sendmail       (Solaris 10)
  7. Repeat the above on the other node(s), if applicable. Test that failover is working properly before proceeding.

  8. Modify the file /opt/SUNWmsgsr/config/imta.cnf and put the IP addresses of all MTAs, including those of other sites, into the tcp_scanner-daemon definition.


    !
    ! IMTA configuration file 
    ! 
    ! part I : rewrite rules 
    ! 
    ! Domain Rewrite Rules. 
    ! Uncomment this line to use domain rewrite rules 
    ! from the configuration file instead of the domain database. 
    
    ! Please refer to the iMS documentation for details. 
    !<IMTA_TABLE:domains.rules
    ! 
    ! Rules to select local users
    $* $A$E$F$U%$H$V$H@bedge1-mail1.us.example.com
    bedge1-mail1.us.example.com $U%$D@bedge1-mail1.us.example.com
    phys-bedge1-1.us.example.com $U@bedge1-mail1.us.example.com
    phys-bedge1-2.us.example.com $U@bedge1-mail1.us.example.com
    localhost $U@bedge1-mail1.us.example.com
    ! 
    ! ims-ms
    .ims-ms-daemon $U%$H.ims-ms-daemon@ims-ms-daemon
    !
    ! lmtp
    !.lmtp $U%$H@lmtpcs-daemon
    !
    ! lmtpn
    !.lmtpn $U%$H@lmtpcn-daemon
    ! 
    ! native
    .native-daemon $U%$H.native-daemon@native-daemon
    ! 
    ! pipe
    .pipe-daemon $U%$H.pipe-daemon@pipe-daemon
    ! 
    ! tcp_local 
    ! Rules for top level internet domains
    <IMTA_TABLE:internet.rules
    ! 
    ! tcp_intranet 
    ! Do mapping lookup for internal IP addresses
    [] $E$R${INTERNAL_IP,$L}$U%[$L]@tcp_intranet-daemon
    bedge2-mail1.us.example.com $U%$D@tcp_intranet-daemon
    bedge3-mail1.us.example.com $U%$D@tcp_intranet-daemon
    bedge4-mail1.us.example.com $U%$D@tcp_intranet-daemon
    * $U%$&0.example.com
    !
    ! tcp_example for internal example.com addresses
    .example.com $U%$H$D@tcp_example-daemon
    !
    ! messages returning from MTA must not be re-scanned
    ! US MTA
    [10.1.82.175] $E$R$U%[10.1.82.175]@tcp_scanner-daemon
    [10.1.82.176] $E$R$U%[10.1.82.176]@tcp_scanner-daemon
    [10.1.82.177] $E$R$U%[10.1.82.177]@tcp_scanner-daemon
    [10.1.82.178] $E$R$U%[10.1.82.178]@tcp_scanner-daemon
    [10.1.82.179] $E$R$U%[10.1.82.179]@tcp_scanner-daemon
    [10.1.82.180] $E$R$U%[10.1.82.180]@tcp_scanner-daemon
    [10.1.82.183] $E$R$U%[10.1.82.183]@tcp_scanner-daemon
    [10.1.82.184] $E$R$U%[10.1.82.184]@tcp_scanner-daemon
    !
    ! Repeat for MTAs at other EdgeMail complexes as necessary
    !
    ! reprocess
    reprocess $U%reprocess.bedge1-mail1.us.example.com@reprocess-daemon
    reprocess.bedge1-mail1.us.example.com $U%reprocess.bedge1-mail1.us.example.com@reprocess-daemon
    ! 
    ! process
    process $U%process.bedge1-mail1.us.example.com@process-daemon
    process.bedge1-mail1.us.example.com $U%process.bedge1-mail1.us.example.com@process-daemon
    ! 
    ! defragment
    defragment $U%defragment.bedge1-mail1.us.example.com@defragment-daemon
    defragment.bedge1-mail1.us.example.com $U%defragment.bedge1-mail1.us.example.com@defragment-daemon
    ! 
    ! conversion
    conversion $U%conversion.bedge1-mail1.us.example.com@conversion-daemon
    conversion.bedge1-mail1.us.example.com $U%conversion.bedge1-mail1.us.example.com@conversion-daemon
    ! 
    ! bitbucket
    bitbucket $U%bitbucket.bedge1-mail1.us.example.com@bitbucket-daemon
    bitbucket.bedge1-mail1.us.example.com $U%bitbucket.bedge1-mail1.us.example.com@bitbucket-daemon
    ! 
    ! deleted
    deleted-daemon $U%$H@deleted-daemon
    .deleted-daemon $U%$H@deleted-daemon
    ! 
    ! inactive
    inactive-daemon $U%$H@inactive-daemon
    .inactive-daemon $U%$H@inactive-daemon
    ! 
    ! hold
    hold-daemon $U%$H@hold-daemon
    .hold-daemon $U%$H@hold-daemon
    
    ! 
    ! part II : channel blocks 
    ! 
    defaults notices 1 2 4 7 errwarnpost errsendpost postheadonly noswitchchannel immnonurgent maxjobs 7 logging defaulthost example.com example.com
    
    ! 
    ! delivery channel to local /var/mail store
    l subdirs 20 viaaliasrequired maxjobs 7 pool LOCAL_POOL
    bedge1-mail1.us.example.com
    
    ! 
    ! ims-ms
    ims-ms defragment threaddepth 20 subdirs 20 notices 1 7 14 21 28 backoff "pt5m" "pt10m" "pt30m" "pt1h" "pt2h" "pt4h" maxjobs 4 pool IMS_POOL fileinto $U+$S@$D
    ims-ms-daemon
    
    ! 
    ! native
    native defragment subdirs 20 maxjobs 1
    native-daemon
    
    ! 
    ! pipe
    pipe single defragment subdirs 20
    pipe-daemon
    
    ! 
    ! tcp_local
    tcp_local smtp nomx single_sys remotehost daemon gis-relay.us.example.com inner switchchannel identnonenumeric subdirs 20 maxjobs 7 sourceblocklimit 10000 pool SMTP_POOL maytlsserver maysaslserver saslswitchchannel tcp_auth missingrecipientpolicy 0 aliasdetourhost tcp_scanner-daemon
    tcp-daemon
    
    !
    ! tcp_example
    tcp_example smtp nomx single_sys remotehost daemon gis-relay.us.example.com inner 
    switchchannel identnonenumeric subdirs 20 maxjobs 7 pool SMTP_POOL maytlsserver 
    maysaslserver saslswitchchannel tcp_auth missingrecipientpolicy 0
    tcp_example-daemon
    ! 
    ! tcp_intranet
    tcp_intranet smtp nomx single_sys subdirs 20 dequeue_removeroute maxjobs 7 sourceblocklimit 10000 pool SMTP_POOL maytlsserver allowswitchchannel saslswitchchannel tcp_auth missingrecipientpolicy 4
    tcp_intranet-daemon
    
    !
    ! tcp_scanner
    tcp_scanner smtp mx single_sys subdirs 20 noreverse maxjobs 7 pool SMTP_POOL allowswitchchannel daemon mail-amer-xfr.example.com enqueue_removeroute
    tcp_scanner-daemon
    ! 
    ! tcp_submit
    tcp_submit submit smtp mx single_sys mustsaslserver maytlsserver missingrecipientpolicy 4
    tcp_submit-daemon
    
    ! 
    ! tcp_auth
    tcp_auth smtp mx single_sys mustsaslserver missingrecipientpolicy 4
    tcp_auth-daemon
  9. Modify the /opt/SUNWmsgsr/config/option.dat file:


    # cp -p option.dat option.dat.orig_`date +%Y%m%d`
    # vi option.dat

    ! add the following below MISSING_RECIPIENT_POLICY:
    ALLOW_RECIPIENTS_PER_TRANSACTION=256
    LOG_CONNECTION=3
    LOG_USERNAME=1
    LOG_TRANSPORTINFO=1
    SEPARATE_CONNECTION_LOG=1
    LOG_MESSAGE_ID=1
  10. Modify /opt/SUNWmsgsr/config/mappings. Use a range with the /NN format that will contain all the physical hosts IPs for your edge site. In the case of bedge, 129.147.156.99/26 spans from 129.147.156.65 to 129.147.156.126.


    INTERNAL_IP
    
      $(129.147.156.99/##) $Y
      127.0.0.1 $Y
      * $N
    
    
    ORIG_SEND_ACCESS
    
      tcp_local|*|tcp_local|*  $N$D30|Relaying$ not$ allowed
      tcp_*|*|native|*  $N
      tcp_*|*|hold|*  $N
      tcp_*|*|pipe|*  $N
      tcp_*|*|ims-ms|*  $N
    !
    ! Block "external" submissions of explicitly source-routed "internal" addresses
    ! 
      tcp_local|*|tcp_intranet|@*:*.*   $N$D30|Explicit$ routing$ not$ allowed
      tcp_local|*|tcp_intranet|*$%*@*   $N$D30|Explicit$ routing$ not$ allowed
      tcp_local|*|tcp_intranet|*.*!*@*  $N$D30|Explicit$ routing$ not$ allowed
      tcp_local|*|tcp_intranet|"*@*"@*  $N$D30|Explicit$ routing$ not$ allowed
    
    
    SEND_ACCESS
    
      tcp_local|*|tcp_example|*  $N$D30|Relaying$ not$ allowed
      tcp_*|*|*|*@[127.*]  $X5.1.2|$NBad$ destination$ system
      tcp_*|*|*|*@localhost.*  $X5.1.2|$NBad$ destination$ system
      tcp_*|*|*|*@example.com  $X5.1.2|$NBad$ destination$ system
      tcp_*|*|*|*@example.net  $X5.1.2|$NBad$ destination$ system
      tcp_*|*|*|*@example.org  $X5.1.2|$NBad$ destination$ system
      tcp_*|*|*|*@*.test  $X5.1.2|$NBad$ destination$ system
      tcp_*|*|*|*@*.example  $X5.1.2|$NBad$ destination$ system
      tcp_*|*|*|*@*.invalid  $X5.1.2|$NBad$ destination$ system
      tcp_*|*|*|*@*.localhost  $X5.1.2|$NBad$ destination$ system
    
    
    <IMTA_TABLE:mappings.locale
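    The /NN prefix in the INTERNAL_IP mapping decides which connecting hosts the MTA treats as internal, so it pays to check the range it covers against the actual physical host addresses rather than reasoning about it by hand. The script below is an added example, not code from the Sun guide or from Messaging Server: it uses only POSIX sh arithmetic, the prefix 129.147.156.99/26 is the bedge value from the text, and the host addresses in the demonstration are constructed. The function names ip2int, int2ip, prefix_mask, cidr_range, in_cidr and outside_cidr are mine.

```shell
#!/bin/sh
# Added example, not from the Sun deployment guide: compute which addresses an
# INTERNAL_IP entry such as $(129.147.156.99/26) covers, and list any physical
# host address that falls outside it. POSIX sh arithmetic only, no net tools.

# Dotted quad -> 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask for a prefix length, as a 32-bit integer.
prefix_mask() {
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# Print "network first-host last-host broadcast" for addr/NN.
cidr_range() {
    addr=${1%/*}; bits=${1#*/}
    mask=$(prefix_mask "$bits")
    net=$(( $(ip2int "$addr") & mask ))
    bcast=$(( net | (~mask & 0xFFFFFFFF) ))
    echo "$(int2ip "$net") $(int2ip $((net + 1))) $(int2ip $((bcast - 1))) $(int2ip "$bcast")"
}

# Return 0 if address $1 lies inside prefix $2 (addr/NN), 1 otherwise.
in_cidr() {
    addr=${2%/*}; bits=${2#*/}
    mask=$(prefix_mask "$bits")
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$addr") & mask )) ]
}

# Print those of the addresses $2.. that are NOT inside prefix $1.
outside_cidr() {
    prefix=$1; shift
    for ip in "$@"; do
        in_cidr "$ip" "$prefix" || echo "$ip"
    done
}

demo() {
    # 129.147.156.99/26 is the bedge example from the guide; the host
    # addresses checked against it below are constructed.
    echo "129.147.156.99/26 covers: $(cidr_range 129.147.156.99/26)"
    echo "outside the prefix: $(outside_cidr 129.147.156.99/26 \
        129.147.156.70 129.147.156.71 129.147.156.200 | tr '\n' ' ')"
}

# Run the demonstration only when invoked as: sh cidr_check.sh demo
case "${1:-}" in demo) demo ;; esac
```

    For 129.147.156.99/26 cidr_range prints 129.147.156.64, 129.147.156.65, 129.147.156.126 and 129.147.156.127, which agrees with the .65 to .126 host range stated in step 10. A host reported by outside_cidr would fall through to the `* $N` line of INTERNAL_IP and be treated as external, so its mail would be subject to the tcp_local relaying restrictions in ORIG_SEND_ACCESS; run the check whenever a physical host is added to the site.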
  11. Modify the /opt/SUNWmsgsr/config/aliases file:


    ! MTA aliases file
    !
    !root@example.com: postmaster
    adm@bedge1-mail1.us.example.com: postmast
    root@bedge1-mail1.us.example.com: postmast
    postmaster@bedge1-mail1.us.example.com: postmast
    sunmc-alert:    root@bedge1-mail1.us.example.com
    sunmc-critical: root@bedge1-mail1.us.example.com
  12. Set up logadm:


    # mkdir /opt/SUNWmsgsr/log/imta/archive
    # chown mailsrv:mailsrv /opt/SUNWmsgsr/log/imta/archive
    # logadm -f /opt/SUNWmsgsr/config/logadm.conf -w mail -C 28 -p 1d \
        -t '/opt/SUNWmsgsr/log/imta/archive/mail.log.$n' -z 6 \
        /opt/SUNWmsgsr/log/imta/mail.log
    # configutil -o local.schedule.logadm -v "10 4 * * * /usr/sbin/logadm \
        -f /opt/SUNWmsgsr/config/logadm.conf"
  13. Create the alias smarthost.example.com to the GIS relay VIP in /etc/hosts to ensure a fallback mechanism through the local smarthost:


    10.1.97.30 gis-relay.us.example.com smarthost.example.com
  14. Configure the IMAP parameters


    # configutil -o local.ldapconnecttimeout -v 30
    # configutil -o service.imap.maxsessions -v 600
    # configutil -o service.imap.maxthreads -v 250
    # configutil -o service.imap.numprocesses -v 8
    # configutil -o store.dbtmpdir -v /tmp/msg-bedge1-mail1
  15. Set the port that enables MailFilter:


    # configutil -o local.webmail.sieve.port -v 444
  16. Set smtphost to the dedicated MTA host:


    # configutil -o service.http.smtphost -v mail-amer-xfr.example.com
  17. If UWC is not enabled, set local.service.http.cookiename to a value such as webmailsid so that the session ID is not visible in the URL. When UWC is enabled, this is set by default.

Procedure: To Configure Messaging Server on FE Servers

Before You Begin
Steps
  1. Run configure. Always check the silent install file before using it.


    #  cd /opt/SUNWmsgsr/sbin
    # ./configure -nodisplay -noconsole -state /var/bits/silent/BE/FE_RAMESH/d1-msg-configure.cnf
  2. Back up the configuration directory with db2ldif so that a known-good copy is saved:


    # cd /opt/ds/slapd-cfg
    # ./db2ldif
  3. Disable POP and IMAP


    # configutil -o service.pop.enable -v 0
    # configutil -o service.pop.enablesslport -v 0
    # configutil -o service.imap.enable -v 0
    # configutil -o service.imap.enablesslport -v 0
  4. Verify the msg-admin account for your geo; set it up if needed and add it to the group, as in the BE process.


    1. ldapsearch -h ds-amer-0[123] -b dc=example,dc=com uid=msg-admin-mail-amer.example.com dn
    • If the uid is NOT in LDAP, create an LDAP entry for your msg-admin user. Create an LDIF file, e.g. msg-admin.ldif, with the following contents (modify them for your geo):


      dn: uid=msg-admin-mail-sfbay.example.com,ou=People, dc=example,dc=com
      givenName: Messaging End User SFBAY
      userPassword: {SSHA}ttW9Pash8si8u81XCWAXwV9Hfk9JRBti/yOJMw==
      objectClass: top
      objectClass: person
      objectClass: inetorgperson
      objectClass: iplanet-am-managed-person
      objectClass: organizationalPerson
      cn: Messaging End User SFBAY Administrator
      sn: Administrator
      uid: msg-admin-mail-sfbay.example.com

      Add the entry to LDAP:


      ldapmodify -h ds-amer-0[123] -D "cn=Directory Manager" -w password -a -f ./msg-admin.ldif
    • If the uid IS in LDAP, verify that the msg-admin user for your geo is a uniqueMember of the ou=groups entry cn=Messaging End User Administrators:


      ldapsearch -h ds-amer-01 -b dc=example,dc=com cn="Messaging End User Administrators Group" uniqueMember |\
             grep msg-admin-mail-amer

      If necessary, add your msg-admin user to the Administrators Group using an LDAP browser or the ldapmodify command. Note: any entries with long time stamps should probably be removed in a clean-up effort; however, it is suggested that you clean up entries only for the geo you are configuring.

  5. Change the following:


    ImapProxyAService.cfg:
            default:BindDN    "uid=msg-admin-mail-amer.example.com, ou=People, dc=example, dc=com"
            default:BindPass  (verify the password for your msg-admin user and reset it if needed)
    configutil values:
            local.service.pab.ldapbinddn  (same DN as above)
            local.ugldapbinddn            (same DN as above)
            local.ugldapbindcred          (same password as above)
            local.service.pab.ldappasswd  (same password as above)
  6. Restart messaging and test. Use, for example, the ImapProxy log to see whether authentication is working as expected. Edit the LDIF or the configuration information as needed; it all needs to match.

  7. Enable SSL by following the procedures To Request an SSL Certificate and To Install an SSL Certificate. Messaging Server uses the /opt/SUNWmsgsr/config/sslpassword.conf file.

Procedure: To Configure Messaging Server on the MTA Server

Steps
  1. Make sure the SUNWsndmr and SUNWsndmu packages are installed.

  2. Stop sendmail if it's running


    # /etc/init.d/sendmail stop                 (Solaris 9)
    # svcadm disable network/smtp:sendmail      (Solaris 10)
  3. Create or modify /etc/default/sendmail to prevent accidental start of sendmail in daemon mode. Add:


    MODE=""
  4. Edit sjsms-submit.mc and change the line that starts with FEATURE to:


    # cd /usr/lib/mail/cf
    # cp submit.mc sjsms-submit.mc

    FEATURE(`msp', `[cookbook-mail1.us.example.com]')dnl

    # /usr/ccs/bin/make sjsms-submit.cf
    # mv /etc/mail/submit.cf /etc/mail/submit.cf.orig
    # cp sjsms-submit.cf /etc/mail/submit.cf
  5. Add patch 113575-05. Note: future sendmail patches may overwrite submit.cf. You should always check submit.cf after applying such patches.
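    Step 5 here, like step 5 of "To Configure SMTP" above, warns that a later sendmail patch may silently overwrite /etc/mail/submit.cf. The script below is an added example, not code from the Sun guide or from the sendmail or Messaging Server products, that turns the "always check submit.cf" advice into a repeatable check: it relies on the fact that FEATURE(`msp', `[host]') in the .mc file becomes a D{MTAHost}[host] macro definition in submit.cf, and that the stock file defines [127.0.0.1] instead. The sample files it writes are constructed stand-ins for /etc/mail/submit.cf, and the function names submit_mta_host, check_submit_cf and write_sample_submit_cf are mine.

```shell
#!/bin/sh
# Added example, not from the Sun deployment guide: after a sendmail patch,
# confirm that /etc/mail/submit.cf still hands local submissions to the
# intended Messaging Server host. FEATURE(`msp', `[host]') in sjsms-submit.mc
# becomes a D{MTAHost}[host] line in submit.cf; a patch that reinstalls the
# stock submit.cf resets that line to [127.0.0.1].

# Print the MTAHost value from a submit.cf-style file (empty if not defined).
submit_mta_host() {
    sed -n 's/^D{MTAHost}//p' "$1" | head -n 1
}

# Return 0 if $1 routes submissions to $2 (e.g. '[cookbook-mail1.us.example.com]');
# otherwise explain on stdout and return 1.
check_submit_cf() {
    have=$(submit_mta_host "$1")
    case "$have" in
        "$2") return 0 ;;
        "")   echo "$1: no D{MTAHost} line (msp feature missing?)"; return 1 ;;
        *)    echo "$1: MTAHost is $have, expected $2 (overwritten by a patch?)"; return 1 ;;
    esac
}

# Write a minimal, constructed submit.cf look-alike with the given MTAHost
# value ($1 = path, $2 = MTAHost value). Not a real Solaris file.
write_sample_submit_cf() {
    {
        echo '#####  constructed sample, stands in for /etc/mail/submit.cf  #####'
        echo 'V10/Berkeley'
        echo '# "Smart" relay host (may be null)'
        echo 'DS'
        echo "D{MTAHost}$2"
    } > "$1"
}

demo() {
    good=$(mktemp); stock=$(mktemp)
    write_sample_submit_cf "$good" '[cookbook-mail1.us.example.com]'
    write_sample_submit_cf "$stock" '[127.0.0.1]'
    for f in "$good" "$stock"; do
        check_submit_cf "$f" '[cookbook-mail1.us.example.com]' && echo "$f: OK"
    done
    rm -f "$good" "$stock"
}

# Run the demonstration only when invoked as: sh check_submit_cf.sh demo
case "${1:-}" in demo) demo ;; esac
```

    On a live node the call is simply check_submit_cf /etc/mail/submit.cf '[cookbook-mail1.us.example.com]' with the hostname from your own sjsms-submit.mc; running it from the post-patch checklist on every node catches the overwritten file before locally generated mail (cron output, SunMC alerts) starts queueing against a loopback port where nothing listens.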

  6. Start sendmail


    # /etc/init.d/sendmail start                (Solaris 9)
    # svcadm enable network/smtp:sendmail       (Solaris 10)
  7. Repeat the above on the other node(s) if applicable

  8. Edit imta.cnf so that it matches the following (the original document marked the lines that differ from the default file in bold):


    !
    ! IMTA configuration file 
    ! 
    ! part I : rewrite rules 
    ! 
    ! Domain Rewrite Rules. 
    ! Uncomment this line to use domain rewrite rules 
    ! from the configuration file instead of the domain database. 
    ! Please refer to the iMS documentation for details. 
    !<IMTA_TABLE:domains.rules
    ! 
    ! Rules to select local users
    $* $A$E$F$U%$H$V$H@mail-amer.example.com
    mail-amer.example.com $U%$D@mail-amer.example.com
    example.com $U%$D@mail-amer.example.com
    fe-amer-09.example.com $U@mail-amer.example.com
    phys-bedge5-1.us.example.com $U@mail-amer.example.com
    phys-bedge5-2.us.example.com $U@mail-amer.example.com
    localhost $U@mail-amer.example.com
    !
    ! ims-ms
    .ims-ms-daemon $U%$H.ims-ms-daemon@ims-ms-daemon
    !
    ! lmtp
    !.lmtp $U%$H@lmtpcs-daemon
    !
    ! lmtpn
    !.lmtpn $U%$H@lmtpcn-daemon
    ! 
    ! native
    .native-daemon $U%$H.native-daemon@native-daemon
    ! 
    ! pipe
    .pipe-daemon $U%$H.pipe-daemon@pipe-daemon
    ! 
    ! tcp_local 
    ! Rules for top level internet domains
    <IMTA_TABLE:internet.rules
    ! 
    ! tcp_intranet 
    ! Do mapping lookup for internal IP addresses
    [] $E$R${INTERNAL_IP,$L}$U%[$L]@tcp_intranet-daemon
    !.example.com $U%$H.example.com@tcp_intranet-daemon
    ! b complex back-end servers
    bedge1-mail1.us.example.com $U%$D@tcp_intranet-daemon
    bedge2-mail1.us.example.com $U%$D@tcp_intranet-daemon
    bedge3-mail1.us.example.com $U%$D@tcp_intranet-daemon
    bedge4-mail1.us.example.com $U%$D@tcp_intranet-daemon
    ! add back-end servers for global complexes
    aedge1-mail1.eu.example.com $U%$D@tcp_intranet-daemon
    ! ...
    * $U%$&0.example.com
    ! 
    ! tcp_example for internal example.com addresses
    .example.com $U%$H$D@tcp_example-daemon
    !
    ! reprocess
    reprocess $U%reprocess.mail-amer.example.com@reprocess-daemon
    reprocess.mail-amer.example.com $U%reprocess.mail-amer.example.com@reprocess-daemon
    ! 
    ! process
    process $U%process.mail-amer.example.com@process-daemon
    process.mail-amer.example.com $U%process.mail-amer.example.com@process-daemon
    ! 
    ! defragment
    defragment $U%defragment.mail-amer.example.com@defragment-daemon
    defragment.mail-amer.example.com $U%defragment.mail-amer.example.com@defragment-daemon
    ! 
    ! conversion
    conversion $U%conversion.mail-amer.example.com@conversion-daemon
    conversion.mail-amer.example.com $U%conversion.mail-amer.example.com@conversion-daemon
    ! 
    ! bitbucket
    bitbucket $U%bitbucket.mail-amer.example.com@bitbucket-daemon
    bitbucket.mail-amer.example.com $U%bitbucket.mail-amer.example.com@bitbucket-daemon
    ! 
    ! deleted
    deleted-daemon $U%$H@deleted-daemon
    .deleted-daemon $U%$H@deleted-daemon
    ! 
    ! inactive
    inactive-daemon $U%$H@inactive-daemon
    .inactive-daemon $U%$H@inactive-daemon
    ! 
    ! hold
    hold-daemon $U%$H@hold-daemon
    .hold-daemon $U%$H@hold-daemon
    
    ! 
    ! part II : channel blocks 
    ! 
    defaults notices 1 2 4 7 errwarnpost errsendpost postheadonly noswitchchannel immnonurgent maxjobs 7 logging defaulthost example.com example.com
    
    ! 
    ! delivery channel to local /var/mail store
    l subdirs 20 viaaliasrequired maxjobs 7 pool LOCAL_POOL
    mail-amer.example.com
    
    ! 
    ! ims-ms
    ims-ms defragment subdirs 20 notices 1 7 14 21 28 backoff "pt5m" "pt10m" "pt30m" "pt1h" "pt2h" "pt4h" maxjobs 2 pool IMS_POOL fileinto $U+$S@$D
    ims-ms-daemon
    
    ! 
    ! native
    native defragment subdirs 20 maxjobs 1
    native-daemon
    
    ! 
    ! pipe
    pipe single defragment subdirs 20
    pipe-daemon
    
    ! 
    ! tcp_local
    tcp_local smtp nomx single_sys remotehost daemon gis-relay.us.example.com inner switchchannel identnonenumeric subdirs 20 maxjobs 7 pool SMTP_POOL musttlsserver mustsaslserver saslswitchchannel tcp_auth missingrecipientpolicy 0 dequeue_removeroute
    tcp-daemon
    
    ! 
    ! tcp_example
    tcp_example smtp nomx single_sys remotehost daemon gis-relay.us.example.com inner switchchannel identnonenumeric subdirs 20 maxjobs 7 pool SMTP_POOL authrewrite 1 musttlsserver mustsaslserver saslswitchchannel tcp_auth missingrecipientpolicy 0 dequeue_removeroute
    tcp_example-daemon
    
    ! 
    ! tcp_iplanet
    tcp_iplanet smtp nomx single_sys remotehost daemon gis-relay.us.example.com inner switchchannel identnonenumeric subdirs 20 maxjobs 7 pool SMTP_POOL authrewrite 1 musttlsserver mustsaslserver saslswitchchannel tcp_auth missingrecipientpolicy 0 dequeue_removeroute
    tcp_iplanet-daemon
    ! 
    ! tcp_intranet
    tcp_intranet smtp nomx single_sys sourceblocklimit 10000 subdirs 20 maxjobs 7 pool SMTP_POOL maytlsserver allowswitchchannel saslswitchchannel tcp_auth missingrecipientpolicy 4
    tcp_intranet-daemon
    
    ! 
    ! tcp_submit
    tcp_submit submit smtp mx single_sys sourceblocklimit 10000 authrewrite 1 mustsaslserver musttlsserver missingrecipientpolicy 4
    tcp_submit-daemon
    
    ! 
    ! tcp_auth
    tcp_auth smtp mx single_sys authrewrite 1 sourceblocklimit 10000 musttlsserver mustsaslserver missingrecipientpolicy 4
    tcp_auth-daemon
    
    ! 
    ! tcp_tas
    tcp_tas smtp mx single_sys allowswitchchannel mustsaslserver maytlsserver deliveryflags 2
    tcp_tas-daemon
    
    
    !
    ! tcp_lmtpss (LMTP server - store)
    !tcp_lmtpss lmtp subdirs 20
    !tcp_lmtpss-daemon
    
    !
    ! tcp_lmtpsn (LMTP server - native)
    !tcp_lmtpsn lmtp subdirs 20
    !tcp_lmtpsn-daemon
    
    !
    ! tcp_lmtpcs (LMTP client - store)
    !tcp_lmtpcs defragment lmtp port 225 nomx single_sys subdirs 20 maxjobs 7 pool SMTP_POOL dequeue_removeroute
    !lmtpcs-daemon
    
    !
    ! tcp_lmtpcn (LMTP client - native)
    !tcp_lmtpcn defragment lmtp port 226 nomx single_sys subdirs 20 maxjobs 7 pool SMTP_POOL dequeue_removeroute
    !lmtpcn-daemon
    
    ! 
    ! reprocess
    reprocess
    reprocess-daemon
    
    ! 
    ! process
    process 
    process-daemon
    
    ! 
    ! defragment
    defragment 
    defragment-daemon
    
    ! 
    ! conversion
    conversion threaddepth 100 maxjobs 10 pool CONVERSION_POOL
    conversion-daemon
    
    ! 
    ! bitbucket
    bitbucket 
    bitbucket-daemon
  9. Edit option.dat


    ! MTA configuration options
    !
    ! This sets the alias resolution order
    !   8 = Use ALIAS_URL0
    !   7 = Use ALIAS_URL1
    !   6 = Use ALIAS_URL2
    !   4 = Use the alias file
    ALIAS_MAGIC=8764
    ALIAS_URL0=ldap:///$V?*?sub?$R
    USE_REVERSE_DATABASE=4
    REVERSE_URL=ldap:///$V?$N?sub?$R
    USE_DOMAIN_DATABASE=0
    ! MISSING_RECIPIENT_POLICY controls how illegal headers that don't
    ! contain any To:, Cc:, or Bcc: fields are handled for channels that 
    ! do not have their own explicit missingrecipientpolicy keyword set.
    ! The default of 0 means that the envelope addresses are used to 
    ! construct a valid To: header field. This default behavior tends 
    ! to be especially appropriate for the tcp_local channel.
    MISSING_RECIPIENT_POLICY=0
    MISSING_RECIPIENT_GROUP_TEXT=Undisclosed recipients
    ALIAS_DOMAINS=6
    !
    LDAP_SCHEMALEVEL=2
    !
    VACATION_TEMPLATE=file:///opt/SUNWmsgsr/data/vacation/$3I/$1U/$2U/$U.vac
    !
    ! custom add-ons below
    ALLOW_RECIPIENTS_PER_TRANSACTION=256
    LOG_CONNECTION=3
    LOG_MESSAGE_ID=1
    LOG_TRANSPORTINFO=1
    LOG_USERNAME=1
    SEPARATE_CONNECTION_LOG=1
    !LOG_PROCESS=1
  10. Edit mappings


    ! MTA mappings file
    ! for access control and other table lookups
    
    PORT_ACCESS
    
      *|*|*|*|*  $C$|INTERNAL_IP;$3|$Y$E
      *  $YEXTERNAL
    
    
    INTERNAL_IP
    
      $(10.1.82.183/24)  $Y
      $(129.147.156.0/24)  $Y
      127.0.0.1  $Y
      *  $N
    
    
    ORIG_SEND_ACCESS
    
      tcp_local|*|tcp_local|*  $N$D30|Relaying$ not$ allowed
      tcp_*|*|native|*  $N
      tcp_*|*|hold|*  $N
      tcp_*|*|pipe|*  $N
      tcp_*|*|ims-ms|*  $N
    !
    ! Block "external" submissions of explicitly source-routed "internal" addresses
    ! 
      tcp_local|*|tcp_intranet|@*:*.*   $N$D30|Explicit$ routing$ not$ allowed
      tcp_local|*|tcp_intranet|*$%*@*   $N$D30|Explicit$ routing$ not$ allowed
      tcp_local|*|tcp_intranet|*.*!*@*  $N$D30|Explicit$ routing$ not$ allowed
      tcp_local|*|tcp_intranet|"*@*"@*  $N$D30|Explicit$ routing$ not$ allowed
    
    
    SEND_ACCESS
    
      tcp_*|*|*|*@[127.*]  $X5.1.2|$NBad$ destination$ system
      tcp_*|*|*|*@localhost.*  $X5.1.2|$NBad$ destination$ system
      tcp_*|*|*|*@example.com  $X5.1.2|$NBad$ destination$ system
      tcp_*|*|*|*@example.net  $X5.1.2|$NBad$ destination$ system
      tcp_*|*|*|*@example.org  $X5.1.2|$NBad$ destination$ system
      tcp_*|*|*|*@*.test  $X5.1.2|$NBad$ destination$ system
      tcp_*|*|*|*@*.example  $X5.1.2|$NBad$ destination$ system
      tcp_*|*|*|*@*.invalid  $X5.1.2|$NBad$ destination$ system
      tcp_*|*|*|*@*.localhost  $X5.1.2|$NBad$ destination$ system
    
    
    CONVERSIONS
    
      in-chan=tcp_intranet;out-chan=tcp_example;CONVERT No
      in-chan=tcp_*;out-chan=*;CONVERT      Yes
      in-chan=l;out-chan=*;CONVERT          Yes
    
    
    <IMTA_TABLE:mappings.locale
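As an added illustration (it is not part of the deployment and not the Sun MTA's mapping engine), the following Python models how the INTERNAL_IP, ORIG_SEND_ACCESS and SEND_ACCESS tables above decide a recipient probe of the form source-channel|sender|destination-channel|recipient. It assumes what the tables imply: entries are tried in order, the first match wins, an unmatched table permits, matching is case-insensitive, and `*` stays within one `|`-separated field. The probes and networks used in `main` are constructed; the networks copy the INTERNAL_IP entries.

```python
"""Relay-control check modelled on the INTERNAL_IP, ORIG_SEND_ACCESS and
SEND_ACCESS mappings.  Added illustration, not the Sun MTA mapping engine.
'*' is restricted to one probe field (assumption); '%' is the literal
percent that the mappings file writes as '$%'."""
import ipaddress
import re

# INTERNAL_IP: networks copied from the page's $(a.b.c.d/n) entries.
INTERNAL_NETS = [ipaddress.ip_network(n, strict=False)
                 for n in ("10.1.82.183/24", "129.147.156.0/24", "127.0.0.1/32")]

# (pattern, accepted?, reason) in table order.  $N rejects; the $D30 delay
# and the $X5.1.2 status code are reduced to the reason text.
ORIG_SEND_ACCESS = [
    ("tcp_local|*|tcp_local|*",          False, "Relaying not allowed"),
    ("tcp_*|*|native|*",                 False, "internal channel"),
    ("tcp_*|*|hold|*",                   False, "internal channel"),
    ("tcp_*|*|pipe|*",                   False, "internal channel"),
    ("tcp_*|*|ims-ms|*",                 False, "internal channel"),
    ("tcp_local|*|tcp_intranet|@*:*.*",  False, "Explicit routing not allowed"),
    ("tcp_local|*|tcp_intranet|*%*@*",   False, "Explicit routing not allowed"),
    ("tcp_local|*|tcp_intranet|*.*!*@*", False, "Explicit routing not allowed"),
    ('tcp_local|*|tcp_intranet|"*@*"@*', False, "Explicit routing not allowed"),
]
SEND_ACCESS = [
    ("tcp_*|*|*|*@[127.*]",     False, "5.1.2 Bad destination system"),
    ("tcp_*|*|*|*@localhost.*", False, "5.1.2 Bad destination system"),
] + [("tcp_*|*|*|*@" + d, False, "5.1.2 Bad destination system")
     for d in ("example.com", "example.net", "example.org",
               "*.test", "*.example", "*.invalid", "*.localhost")]


def glob_to_re(pattern):
    """Translate a mapping glob into a regex; '*' never crosses a '|'."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + "[^|]*".join(parts) + "$", re.IGNORECASE)


def is_internal(client_ip):
    """INTERNAL_IP lookup: $Y for listed networks, $N otherwise."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in INTERNAL_NETS)


def check_recipient(src_channel, sender, dst_channel, recipient):
    """Return (accepted, reason) for one recipient probe.  ORIG_SEND_ACCESS
    is consulted first, then SEND_ACCESS; an unmatched table permits."""
    probe = "|".join((src_channel, sender, dst_channel, recipient))
    for table in (ORIG_SEND_ACCESS, SEND_ACCESS):
        for pattern, accepted, reason in table:
            if glob_to_re(pattern).match(probe):
                return accepted, reason
    return True, "no rule matched"


if __name__ == "__main__":
    # Constructed probes, not traffic from the deployment.
    cases = [
        ("tcp_local", "anyone@outside.net", "tcp_local", "victim@other.net"),
        ("tcp_local", "anyone@outside.net", "tcp_intranet",
         "@gw.example.com:user@mail-amer.example.com"),
        ("tcp_local", "anyone@outside.net", "tcp_intranet", "user@mail-amer.example.com"),
        ("tcp_intranet", "user@mail-amer.example.com", "tcp_local", "friend@other.net"),
        ("tcp_intranet", "user@mail-amer.example.com", "tcp_local", "x@[127.0.0.1]"),
    ]
    for probe in cases:
        ok, why = check_recipient(*probe)
        print("ACCEPT" if ok else "REJECT", "|".join(probe), "-", why)
    print("10.1.82.5 internal:", is_internal("10.1.82.5"))
```

The first probe shows the open-relay guard: a connection on tcp_local asking for delivery back out through tcp_local is refused before any SEND_ACCESS check runs. The source-routed forms (`@host:user@domain`, `user%host@domain`, bang paths, quoted local parts) are the classic ways to smuggle a relay request past a domain check, which is why the page blocks them separately for external submissions.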
  11. Install the scan-attachment.sh script and make sure its permission and ownership are correct:


    fe-amer-N# cd /opt/SUNWmsgsr/config
    fe-amer-N# ls -ld scripts/  
    drwxr-xr-x   2 mailsrv  mailsrv      512 Apr 20 00:37 scripts/
    fe-amer-N# ls -ld scripts/scan-attachment.sh 
    -rwxr--r--   1 mailsrv  mailsrv     5330 Apr 20 00:35 scripts/scan-attachment.sh
  12. Create the conversions file:


    ! Scan attachments for banned prefixes that often contain viruses
      in-channel=*; out-channel=*;
      in-type=*; in-subtype=*;
      parameter-symbol-0=NAME; parameter-copy-0=*;
      dparameter-symbol-0=FILENAME; dparameter-copy-0=*;
      message-header-file=2; original-header-file=1;
      override-header-file=1;
      command="/opt/SUNWmsgsr/config/scripts/scan-attachment.sh"
  13. Edit the dispatcher.cnf file with the following highlighted changes:


    ! VERSION=1.1
    ! IMTA default dispatcher configuration file
    !
    ! Global defaults
    !
    MIN_PROCS=1
    MAX_PROCS=10
    MIN_CONNS=30
    MAX_CONNS=50
    MAX_SHUTDOWN=2
    MAX_LIFE_TIME=86400
    MAX_LIFE_CONNS=10000
    MAX_IDLE_TIME=600
    HISTORICAL_TIME=0
    !
    ! multithreaded SMTP server
    !
    [SERVICE=SMTP]
    PORT=25,12196
    ! Uncomment the following line if you want to support SSL on the alternate
    ! port 465
    TLS_PORT=465
    IMAGE=IMTA_BIN:tcp_smtp_server
    LOGFILE=IMTA_LOG:tcp_smtp_server.log
    STACKSIZE=2048000
    ! Uncomment the following line and set INTERFACE_ADDRESS to an appropriate
    ! host IP (dotted quad) if the dispatcher needs to listen on a specific
    ! interface (e.g. in a HA environment).
    INTERFACE_ADDRESS=10.1.82.187,127.0.0.1
    !
    ! rfc 2476 Submit server
    !
    [SERVICE=SMTP_SUBMIT]
    PORT=587
    IMAGE=IMTA_BIN:tcp_smtp_server
    LOGFILE=IMTA_LOG:tcp_smtp_server.log
    PARAMETER=CHANNEL=tcp_submit
    STACKSIZE=2048000
    ! Uncomment the following line and set INTERFACE_ADDRESS to an appropriate
    ! host IP (dotted quad) if the dispatcher needs to listen on a specific
    ! interface (e.g. in a HA environment).
    INTERFACE_ADDRESS=10.1.82.187
    !
    ! rfc 2033 LMTP server - store
    !
    ![SERVICE=LMTPSS]
    !PORT=225
    !IMAGE=IMTA_BIN:tcp_lmtp_server
    !LOGFILE=IMTA_LOG:tcp_lmtpss_server.log
    !PARAMETER=CHANNEL=tcp_lmtpss
    !STACKSIZE=2048000
    ! Uncomment the following line and set INTERFACE_ADDRESS to an appropriate
    ! host IP (dotted quad) if the dispatcher needs to listen on a specific
    ! interface (e.g. in a HA environment).
    !INTERFACE_ADDRESS=
    !
    ! rfc 2033 LMTP server - native
    !
    ![SERVICE=LMTPSN]
    !PORT=226
    !USER=root
    !IMAGE=IMTA_BIN:tcp_lmtpn_server
    !LOGFILE=IMTA_LOG:tcp_lmtpsn_server.log
    !PARAMETER=CHANNEL=tcp_lmtpsn
    !STACKSIZE=2048000
    ! Uncomment the following line and set INTERFACE_ADDRESS to an appropriate
    ! host IP (dotted quad) if the dispatcher needs to listen on a specific
    ! interface (e.g. in a HA environment).
    !INTERFACE_ADDRESS=
    !
  14. Edit the job_controller.cnf file:


    [POOL=SMTP_POOL]
    job_limit=10
    !
    [POOL=CONVERSION_POOL]
    job_limit=10
    !
    !Channel definitions
    !
  15. Edit aliases


    ! MTA aliases file
    !
    !root@example.com: postmast
    adm@mail-amer.example.com: postmast
    root@mail-amer.example.com: postmast
    postmaster@mail-amer.example.com: postmast
    examplemc-alert:    root@mail-amer.example.com
    examplemc-critical:   root@mail-amer.example.com
  16. Add the BE relay host to /etc/hosts (each site uses a different BE relay host; refer to the EdgeProfile):


    fe-amer-N# grep gis-relay /etc/hosts
    10.1.99.30    amerea-mail.example.com gis-relay.us.example.com
  17. Create symbolic link for the certmap.conf file to workaround known issue 5008768:


    fe-amer-N# cd /opt/SUNWmsgsr/config
    fe-amer-N# ls -l certmap*
    lrwxrwxrwx   1 root     other         34 Apr 20 00:16 certmap.conf -> /opt/ds/shared/config/certmap.conf
  18. Edit the imta_tailor file to place MTA logs into the imta subdirectory:


    fe-amer-N# cd /opt/SUNWmsgsr/config
    fe-amer-N# cp imta_tailor imta_tailor.orig_`date +%Y%m%d`
    fe-amer-N# sed s/"\/log\//\/log\/imta\/"/ imta_tailor.orig_`date +%Y%m%d` > imta_tailor
  19. Compile this new configuration and restart the dispatcher with the following commands:


    fe-amer-N# imsimta cnbuild
    fe-amer-N# imsimta restart dispatcher
  20. Configure the logadm utility:


    fe-amer-N# mkdir /opt/SUNWmsgsr/log/imta/archive (owner mailsrv:mailsrv)
    fe-amer-N# logadm -w mail -C 28 -p 1d -t \
        '/opt/SUNWmsgsr/log/imta/archive/mail.log.$n' \
        -z 6 /opt/SUNWmsgsr/log/imta/mail.log
    fe-amer-N# logadm -w attach -C 28 -c -t \
        '/opt/SUNWmsgsr/log/imta/archive/attachment.log.$n' -z 6 \
        /opt/SUNWmsgsr/log/imta/attachment.log_current
    fe-amer-N# logadm -w virus -C 28 -c -t \
        '/opt/SUNWmsgsr/log/imta/archive/virus.log.$n' \
        -z 6 /opt/SUNWmsgsr/log/imta/virus-attachment.log_current
    fe-amer-N# logadm -w connection -C 28 -t \
        '/opt/SUNWmsgsr/log/imta/archive/connection.log.$n' \
        -z 6 /opt/SUNWmsgsr/log/imta/connection.log
  21. If there is a dedicated queue partition, relocate imta/queue


    fe-amer-N# stop-msg smtp
    fe-amer-N# mkdir -p /imta/queue
    fe-amer-N# chown mailsrv:mailsrv /imta/queue
    fe-amer-N# cd /opt/SUNWmsgsr/data
    fe-amer-N# ln -s /imta/queue queue
    fe-amer-N# start-msg smtp
  22. Create an alias smarthost.example.com for the GIS relay VIP in /etc/hosts, so that mail can fall back through the local smarthost name instead of depending on a single GIS relay VIP:


    10.1.99.30 gis-relay.us.example.com smarthost.example.com

ProcedureTo Configure Messaging Server on the MMP Server

Steps
  1. Make backups of the original MMP configuration files AService.cfg and ImapProxyAService.cfg:


    # cd /opt/SUNWmsgsr/config
    # cp AService.cfg AService.cfg.orig_`date +%Y%m%d`
    # cp ImapProxyAService.cfg ImapProxyAService.cfg.orig_`date +%Y%m%d`
  2. Edit the AService.cfg file:


    default:ServiceList /opt/SUNWmsgsr/lib/ImapProxyAService@10.1.82.187:143|10.1.82.187:993
    default:LogDir       /opt/SUNWmsgsr/data/log/mmp
    default:NumThreads   2
  3. Edit the ImapProxyAService.cfg file. For an odd-numbered FE, use the Directory Servers in the following order: -03, -02, -01. For an even-numbered FE, use the Directory Servers in the following order: -02, -03, -01.


    default:LdapUrl "ldap://ds-amer-03.us.example.com ds-amer-02.us.example.com ds-amer-01.us.example.com/dc=example,dc=com"
    default:LogDir /opt/SUNWmsgsr/data/log/mmp
    default:LogLevel 10
    default:BindDN   "uid=msg-admin-mail-amer.example.com, ou=People, dc=example, dc=com"
    default:BindPass "password"
    default:BacksidePort 143
    default:SearchFormat (uid=%s)
    default:SSLEnable         yes
    default:SSLPorts          993
    default:SSLCertNicknames  Server-Cert
    default:SSLKeyPasswdFile  /opt/SUNWmsgsr/config/sslpassword.conf
    default:SSLCacheDir       /opt/SUNWmsgsr/config
    default:SSLSecmodFile     secmod.db
    default:SSLCertPrefix     ""
    default:SSLKeyPrefix      ""
    default:SSLBacksidePort   0
    default:RestrictPlainPasswords yes
    default:ConnLimits 129.0.0.0|255.0.0.0:10000,0.0.0.0|0.0.0.0:500
    default:LdapCacheSize 10000
    default:LdapCacheTTL 900
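The ConnLimits line above caps concurrent proxy connections per client network (10000 for 129.0.0.0/8, 500 for everyone else). As an added example that is not Sun's MMP code, the following Python parses that `ip|mask:limit,...` syntax and enforces it the way a defender would expect; it assumes that the first entry whose network contains the client decides the limit (verify that ordering against the MMP reference for your release), and the client addresses in `main` are constructed.

```python
"""Resolver and enforcer for the MMP 'ConnLimits' list (ip|mask:limit,...).
Added example, not Sun's MMP code.  First-match order is an assumption."""
import ipaddress


def parse_conn_limits(value):
    """'129.0.0.0|255.0.0.0:10000,0.0.0.0|0.0.0.0:500' -> [(network, limit), ...]"""
    entries = []
    for item in value.split(","):
        net_part, limit = item.strip().rsplit(":", 1)
        addr, mask = net_part.split("|")
        # ipaddress accepts dotted netmasks; strict=False tolerates host bits.
        entries.append((ipaddress.ip_network(f"{addr}/{mask}", strict=False), int(limit)))
    return entries


class ConnLimiter:
    """Tracks live connections per ConnLimits entry and refuses new ones
    once that entry's limit is reached."""

    def __init__(self, conn_limits):
        self.entries = parse_conn_limits(conn_limits)
        self.active = {}  # network -> currently open connections

    def limit_for(self, client_ip):
        """Return (network, limit) of the first entry containing client_ip,
        or (None, None) if no entry applies (assumed first-match order)."""
        ip = ipaddress.ip_address(client_ip)
        for net, limit in self.entries:
            if ip in net:
                return net, limit
        return None, None

    def connect(self, client_ip):
        """Admit a new connection unless its entry is already at the limit."""
        net, limit = self.limit_for(client_ip)
        if net is None:
            return True
        if self.active.get(net, 0) >= limit:
            return False
        self.active[net] = self.active.get(net, 0) + 1
        return True

    def disconnect(self, client_ip):
        net, _ = self.limit_for(client_ip)
        if net is not None and self.active.get(net, 0) > 0:
            self.active[net] -= 1


if __name__ == "__main__":
    # Constructed clients, not addresses from the deployment.
    limiter = ConnLimiter("129.0.0.0|255.0.0.0:10000,0.0.0.0|0.0.0.0:500")
    for client in ("129.147.156.10", "203.0.113.5"):
        net, limit = limiter.limit_for(client)
        print(f"{client}: entry {net} limit {limit}")
```

Because the catch-all `0.0.0.0|0.0.0.0` entry is listed last, a more specific network placed before it keeps its own budget; listing the catch-all first would make every later entry unreachable under first-match semantics.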
  4. Create log directory


    # mkdir /opt/SUNWmsgsr/data/log/mmp
    # chown mailsrv:mailsrv /opt/SUNWmsgsr/data/log/mmp
    # chmod 755 /opt/SUNWmsgsr/data/log/mmp
  5. Restart the service and verify that IMAP is working properly. If it is, and assuming certificates have been configured, turn on SSL by uncommenting the following lines in ImapProxyAService.cfg:


    default:SSLEnable         yes
    default:RestrictPlainPasswords yes

ProcedureTo Configure Messaging Server on the MEM Server

Before You Begin

Validate that webmail is working properly and that you can connect to the back end server via the front end webmail connection.

Steps
  1. Set up configutil


    # configutil -o service.http.ipsecurity -v yes
    # configutil -o local.service.http.proxy -v 1
  2. Restart webmail


    # stop-msg http
    # start-msg http
  3. Verify that, when you connect, the URL displayed does not change to that of the back-end server.

  4. Complete steps for configuring *MailFilters*

  5. Verify BE/D2 mail servers are configured for port 444 for mail filters.


    # configutil -o local.webmail.sieve.port -v 444

    Add ports 92 and/or 444 to the web server server.xml file on the FE/D1 nodes (*/opt/SUNWwbsvr/https-mail-amer.example.com/config*). Add or replace the series of LS sections as follows, substituting your GEO and your IP and modifying ports as needed. Note: each *LS* section is a single line; each *SSLPARAMS* section is a single line.

    Port 92 is not required for Foundry sites; ports 80, 443, and 444 are required. Port 443 is not needed for Nauticus sites; one of ports 92 or 444 will be used for mail filters (this still needs to be tested to confirm).


    <LS id="ls1" port="80" servername="mail-amer.example.com" defaultvs="https-mail-amer.example.com" security="false" ip="10.1.82.187" blocking="false" acceptorthreads="1" />
    <LS id="ls2" port="92" servername="mail-amer.example.com" defaultvs="https-mail-amer.example.com" security="false" ip="10.1.82.187" blocking="false" acceptorthreads="1" />
    <LS id="ls3" port="444" servername="mail-amer.example.com" defaultvs="https-mail-amer.example.com" security="true" blocking="false" acceptorthreads="1" ip="10.1.82.187">
      <SSLPARAMS servercertnickname="Server-Cert" ssl2="off" ssl2ciphers="-rc4,-rc4export,-rc2,-rc2export,-desede3,-des" ssl3="on" tls="on" ssl3tlsciphers="+rsa_rc4_128_sha,+rsa_rc4_128_md5,-rsa_rc4_56_sha,-rsa_rc4_40_md5,+rsa_3des_sha,-rsa_des_sha,-rsa_des_56_sha,-rsa_rc2_40_md5,-rsa_null_md5,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,+fips_3des_sha,-fips_des_sha" tlsrollback="on" clientauth="off"/>
    </LS>
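The SSLPARAMS list enables a cipher with a leading `+` and disables it with `-`, so what the ls3 listener actually negotiates is only the `+` entries. As an added defender-side check (not part of the deployment and not a Sun Web Server tool), the following Python parses that element, expands the list and flags the protocol and cipher choices; the sample is the page's ls3 SSLPARAMS joined onto one line, and the weakness categories (RC4, RC2, MD5 MACs, single or export-grade DES, NULL and Fortezza as weak; 3DES as legacy; SSLv2/SSLv3 as findings) are this example's own grading, not the page's.

```python
"""Audit of a Sun Web Server SSLPARAMS element.  Added example; the grading
of ciphers and protocols below is this example's own, not the page's."""
import re

# The page's ls3 SSLPARAMS element, joined onto one line.
SAMPLE_SSLPARAMS = (
    '<SSLPARAMS servercertnickname="Server-Cert" ssl2="off" '
    'ssl2ciphers="-rc4,-rc4export,-rc2,-rc2export,-desede3,-des" ssl3="on" tls="on" '
    'ssl3tlsciphers="+rsa_rc4_128_sha,+rsa_rc4_128_md5,-rsa_rc4_56_sha,-rsa_rc4_40_md5,'
    '+rsa_3des_sha,-rsa_des_sha,-rsa_des_56_sha,-rsa_rc2_40_md5,-rsa_null_md5,-fortezza,'
    '-fortezza_rc4_128_sha,-fortezza_null,+fips_3des_sha,-fips_des_sha" '
    'tlsrollback="on" clientauth="off"/>'
)

# Name tokens that mark a suite as weak (this example's assumption).
WEAK_TOKENS = {"rc4", "rc2", "md5", "des", "null", "fortezza", "40", "56", "export"}


def parse_attributes(element):
    """Return the element's name="value" attributes as a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', element))


def enabled_ciphers(cipher_list):
    """Keep the names prefixed '+'; '-' entries are disabled."""
    return [c[1:] for c in cipher_list.split(",") if c.startswith("+")]


def classify(cipher):
    """'weak', 'legacy' (3DES) or 'ok', judged on the suite name's tokens."""
    tokens = set(cipher.split("_"))
    if tokens & WEAK_TOKENS:
        return "weak"
    if "3des" in tokens:
        return "legacy"
    return "ok"


def audit(element):
    """Return (attributes, findings) for one SSLPARAMS element."""
    attrs = parse_attributes(element)
    findings = []
    for proto in ("ssl2", "ssl3"):
        if attrs.get(proto) == "on":
            findings.append(f"{proto} enabled")
    if attrs.get("tls") != "on":
        findings.append("tls disabled")
    for cipher in enabled_ciphers(attrs.get("ssl3tlsciphers", "")):
        grade = classify(cipher)
        if grade != "ok":
            findings.append(f"{grade} cipher enabled: {cipher}")
    return attrs, findings


if __name__ == "__main__":
    attrs, findings = audit(SAMPLE_SSLPARAMS)
    print("enabled:", ", ".join(enabled_ciphers(attrs["ssl3tlsciphers"])))
    for finding in findings:
        print("finding:", finding)
```

Run against the page's element, the audit reports that only four suites are live (two RC4 suites and two 3DES suites) and that SSLv3 is still on; the disabled export and NULL entries never reach the listener, which is the point of the `-` prefix.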
  6. Restart the Web server and verify that it is listening on the correct ports and that there are no error messages in the logs:


    # /opt/SUNWwbsvr/https-mail-amer.example.com/stop
    # /opt/SUNWwbsvr/https-mail-amer.example.com/start
  7. Deploy the MailFilter war file


    # /opt/SUNWwbsvr/bin/https/httpadmin/bin/wdeploy deploy \
        -u /MailFilter -i https-mail-amer.example.com \
        -v https-mail-amer.example.com /opt/SUNWmsgsr/SUNWmsgmf/MailFilter.war
  8. Test Mail Filters from a webmail connection on the corporate network.

  9. Remove Password option from Messenger Express:


    --- /opt/SUNWmsgsr/config/html/opts_fs.html.orig    Thu Mar 31 16:04:17 2005
    +++ /opt/SUNWmsgsr/config/html/opts_fs.html Wed Aug 10 10:00:26 2005
    @@ -131,8 +131,6 @@
           'javascript:parent.toggle(\'summary\')') +
         getToggle(main.i18n['personal'], 'personal',
           'javascript:parent.toggle(\'personal\')') +
    -    getToggle(main.i18n['password'], 'password',
    -      'javascript:parent.toggle(\'password\')') +
         (main.cfgFrame.mbox.length == 0 ?  :
         getToggle(main.i18n['settings'], 'settings',
           'javascript:parent.toggle(\'settings\')')) +
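Review bot: the context line `(main.cfgFrame.mbox.length == 0 ?  :` has nothing between `?` and `:`, which is not valid JavaScript, so the page's copy of this hunk has most likely lost an empty-string literal; apply the change by hand against the real opts_fs.html rather than feeding this text to patch, and confirm the surrounding expression still parses afterwards. Also, the two removed `getToggle(...'password'...)` lines only hide the Password entry in the Messenger Express options page; whatever server-side operation that toggle led to is untouched by this hunk, so if the intent is to stop password changes through webmail, verify that separately on the server rather than relying on the missing menu item.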