Deployment Example: Sun Java System Communications Services for Access Anywhere (EdgeMail)

Procedure: To Configure Messaging Server on the MTA Server

Steps
  1. Make sure the SUNWsndmr and SUNWsndmu packages are installed.

  2. Stop sendmail if it's running


    # /etc/init.d/sendmail stop (for Solaris 9)
    # svcadm disable network/smtp:sendmail (for Solaris 10)
  3. Create or modify /etc/default/sendmail to prevent accidental start of sendmail in daemon mode. Add:


    MODE=""
  4. Copy submit.mc to sjsms-submit.mc, change the line that starts with FEATURE as shown, then build the new configuration and install it in place of submit.cf:


    # cd /usr/lib/mail/cf
    # cp submit.mc sjsms-submit.mc

    FEATURE(`msp', `[cookbook-mail1.us.example.com]')dnl

    # /usr/ccs/bin/make sjsms-submit.cf
    # mv /etc/mail/submit.cf /etc/mail/submit.cf.orig
    # cp sjsms-submit.cf /etc/mail/submit.cf
  5. Add patch 113575-05. Note: future sendmail patches may overwrite submit.cf, so always check submit.cf after applying such patches.

  6. Start sendmail


    # /etc/init.d/sendmail start (for Solaris 9)
    # svcadm enable network/smtp:sendmail (for Solaris 10)
  7. Repeat the steps above on the other node(s), if applicable.

  8. Edit imta.cnf (changes are marked in bold)


    !
    ! IMTA configuration file 
    ! 
    ! part I : rewrite rules 
    ! 
    ! Domain Rewrite Rules. 
    ! Uncomment this line to use domain rewrite rules 
    ! from the configuration file instead of the domain database. 
    ! Please refer to the iMS documentation for details. 
    !<IMTA_TABLE:domains.rules
    ! 
    ! Rules to select local users
    $* $A$E$F$U%$H$V$H@mail-amer.example.com
    mail-amer.example.com $U%$D@mail-amer.example.com
    example.com $U%$D@mail-amer.example.com
    fe-amer-09.example.com $U@mail-amer.example.com
    phys-bedge5-1.us.example.com $U@mail-amer.example.com
    phys-bedge5-2.us.example.com $U@mail-amer.example.com
    localhost $U@mail-amer.example.com
    !
    ! ims-ms
    .ims-ms-daemon $U%$H.ims-ms-daemon@ims-ms-daemon
    !
    ! lmtp
    !.lmtp $U%$H@lmtpcs-daemon
    !
    ! lmtpn
    !.lmtpn $U%$H@lmtpcn-daemon
    ! 
    ! native
    .native-daemon $U%$H.native-daemon@native-daemon
    ! 
    ! pipe
    .pipe-daemon $U%$H.pipe-daemon@pipe-daemon
    ! 
    ! tcp_local 
    ! Rules for top level internet domains
    <IMTA_TABLE:internet.rules
    ! 
    ! tcp_intranet 
    ! Do mapping lookup for internal IP addresses
    [] $E$R${INTERNAL_IP,$L}$U%[$L]@tcp_intranet-daemon
    !.example.com $U%$H.example.com@tcp_intranet-daemon
    ! b complex back-end servers
    bedge1-mail1.us.example.com $U%$D@tcp_intranet-daemon
    bedge2-mail1.us.example.com $U%$D@tcp_intranet-daemon
    bedge3-mail1.us.example.com $U%$D@tcp_intranet-daemon
    bedge4-mail1.us.example.com $U%$D@tcp_intranet-daemon
    ! add back-end servers for global complexes
    aedge1-mail1.eu.example.com $U%$D@tcp_intranet-daemon
    ! ...* $U%$&0.example.com
    ! 
    ! tcp_example for internal example.com addresses
    .example.com $U%$H$D@tcp_example-daemon
    !
    ! reprocess
    reprocess $U%reprocess.mail-amer.example.com@reprocess-daemon
    reprocess.mail-amer.example.com $U%reprocess.mail-amer.example.com@reprocess-daemon
    ! 
    ! process
    process $U%process.mail-amer.example.com@process-daemon
    process.mail-amer.example.com $U%process.mail-amer.example.com@process-daemon
    ! 
    ! defragment
    defragment $U%defragment.mail-amer.example.com@defragment-daemon
    defragment.mail-amer.example.com $U%defragment.mail-amer.example.com@defragment-daemon
    ! 
    ! conversion
    conversion $U%conversion.mail-amer.example.com@conversion-daemon
    conversion.mail-amer.example.com $U%conversion.mail-amer.example.com@conversion-daemon
    ! 
    ! bitbucket
    bitbucket $U%bitbucket.mail-amer.example.com@bitbucket-daemon
    bitbucket.mail-amer.example.com $U%bitbucket.mail-amer.example.com@bitbucket-daemon
    ! 
    ! deleted
    deleted-daemon $U%$H@deleted-daemon
    .deleted-daemon $U%$H@deleted-daemon
    ! 
    ! inactive
    inactive-daemon $U%$H@inactive-daemon
    .inactive-daemon $U%$H@inactive-daemon
    ! 
    ! hold
    hold-daemon $U%$H@hold-daemon
    .hold-daemon $U%$H@hold-daemon
    
    ! 
    ! part II : channel blocks 
    ! 
    defaults notices 1 2 4 7 errwarnpost errsendpost postheadonly noswitchchannel immnonurgent maxjobs 7 logging defaulthost example.com example.com
    
    ! 
    ! delivery channel to local /var/mail store
    l subdirs 20 viaaliasrequired maxjobs 7 pool LOCAL_POOL
    mail-amer.example.com
    
    ! 
    ! ims-ms
    ims-ms defragment subdirs 20 notices 1 7 14 21 28 backoff "pt5m" "pt10m" "pt30m" "pt1h" "pt2h" "pt4h" maxjobs 2 pool IMS_POOL fileinto $U+$S@$D
    ims-ms-daemon
    
    ! 
    ! native
    native defragment subdirs 20 maxjobs 1
    native-daemon
    
    ! 
    ! pipe
    pipe single defragment subdirs 20
    pipe-daemon
    
    ! 
    ! tcp_local
    tcp_local smtp nomx single_sys remotehost daemon gis-relay.us.example.com inner switchchannel identnonenumeric subdirs 20 maxjobs 7 pool SMTP_POOL musttlsserver mustsaslserver saslswitchchannel tcp_auth missingrecipientpolicy 0 dequeue_removeroute
    tcp-daemon
    
    ! 
    ! tcp_example
    tcp_example smtp nomx single_sys remotehost daemon gis-relay.us.example.com inner switchchannel identnonenumeric subdirs 20 maxjobs 7 pool SMTP_POOL authrewrite 1 musttlsserver mustsaslserver saslswitchchannel tcp_auth missingrecipientpolicy 0 dequeue_removeroute
    tcp_example-daemon
    
    ! 
    ! tcp_iplanet
    tcp_iplanet smtp nomx single_sys remotehost daemon gis-relay.us.example.com inner switchchannel identnonenumeric subdirs 20 maxjobs 7 pool SMTP_POOL authrewrite 1 musttlsserver mustsaslserver saslswitchchannel tcp_auth missingrecipientpolicy 0 dequeue_removeroute
    tcp_iplanet-daemon
    ! 
    ! tcp_intranet
    tcp_intranet smtp nomx single_sys sourceblocklimit 10000 subdirs 20 maxjobs 7 pool SMTP_POOL maytlsserver allowswitchchannel saslswitchchannel tcp_auth missingrecipientpolicy 4
    tcp_intranet-daemon
    
    ! 
    ! tcp_submit
    tcp_submit submit smtp mx single_sys sourceblocklimit 10000 authrewrite 1 mustsaslserver musttlsserver missingrecipientpolicy 4
    tcp_submit-daemon
    
    ! 
    ! tcp_auth
    tcp_auth smtp mx single_sys authrewrite 1 sourceblocklimit 10000 musttlsserver mustsaslserver missingrecipientpolicy 4
    tcp_auth-daemon
    
    ! 
    ! tcp_tas
    tcp_tas smtp mx single_sys allowswitchchannel mustsaslserver maytlsserver deliveryflags 2
    tcp_tas-daemon
    
    
    !
    ! tcp_lmtpss (LMTP server - store)
    !tcp_lmtpss lmtp subdirs 20
    !tcp_lmtpss-daemon
    
    !
    ! tcp_lmtpsn (LMTP server - native)
    !tcp_lmtpsn lmtp subdirs 20
    !tcp_lmtpsn-daemon
    
    !
    ! tcp_lmtpcs (LMTP client - store)
    !tcp_lmtpcs defragment lmtp port 225 nomx single_sys subdirs 20 maxjobs 7 pool SMTP_POOL dequeue_removeroute
    !lmtpcs-daemon
    
    !
    ! tcp_lmtpcn (LMTP client - native)
    !tcp_lmtpcn defragment lmtp port 226 nomx single_sys subdirs 20 maxjobs 7 pool SMTP_POOL dequeue_removeroute
    !lmtpcn-daemon
    
    ! 
    ! reprocess
    reprocess
    reprocess-daemon
    
    ! 
    ! process
    process 
    process-daemon
    
    ! 
    ! defragment
    defragment 
    defragment-daemon
    
    ! 
    ! conversion
    conversion threaddepth 100 maxjobs 10 pool CONVERSION_POOL
    conversion-daemon
    
    ! 
    ! bitbucket
    bitbucket 
    bitbucket-daemon
  9. Edit option.dat


    ! MTA configuration options
    !
    ! This sets the alias resolution order
    !   8 = Use ALIAS_URL0
    !   7 = Use ALIAS_URL1
    !   6 = Use ALIAS_URL2
    !   4 = Use the alias file
    ALIAS_MAGIC=8764
    ALIAS_URL0=ldap:///$V?*?sub?$R
    USE_REVERSE_DATABASE=4
    REVERSE_URL=ldap:///$V?$N?sub?$R
    USE_DOMAIN_DATABASE=0
    ! MISSING_RECIPIENT_POLICY controls how illegal headers that don't
    ! contain any To:, Cc:, or Bcc: fields are handled for channels that 
    ! do not have their own explicit missingrecipientpolicy keyword set.
    ! The default of 0 means that the envelope addresses are used to 
    ! construct a valid To: header field. This default behavior tends 
    ! to be especially appropriate for the tcp_local channel.
    MISSING_RECIPIENT_POLICY=0
    MISSING_RECIPIENT_GROUP_TEXT=Undisclosed recipients
    ALIAS_DOMAINS=6
    !
    LDAP_SCHEMALEVEL=2
    !
    VACATION_TEMPLATE=file:///opt/SUNWmsgsr/data/vacation/$3I/$1U/$2U/$U.vac
    !
    ! custom add-ons below
    ALLOW_RECIPIENTS_PER_TRANSACTION=256
    LOG_CONNECTION=3
    LOG_MESSAGE_ID=1
    LOG_TRANSPORTINFO=1
    LOG_USERNAME=1
    SEPARATE_CONNECTION_LOG=1
    !LOG_PROCESS=1
  10. Edit mappings


    ! MTA mappings file
    ! for access control and other table lookups
    
    PORT_ACCESS
    
      *|*|*|*|*  $C$|INTERNAL_IP;$3|$Y$E
      *  $YEXTERNAL
    
    
    INTERNAL_IP
    
      $(10.1.82.183/24)  $Y
      $(129.147.156.0/24)  $Y
      127.0.0.1  $Y
      *  $N
    
    
    ORIG_SEND_ACCESS
    
      tcp_local|*|tcp_local|*  $N$D30|Relaying$ not$ allowed
      tcp_*|*|native|*  $N
      tcp_*|*|hold|*  $N
      tcp_*|*|pipe|*  $N
      tcp_*|*|ims-ms|*  $N
    !
    ! Block "external" submissions of explicitly source-routed "internal" addresses
    ! 
      tcp_local|*|tcp_intranet|@*:*.*   $N$D30|Explicit$ routing$ not$ allowed
      tcp_local|*|tcp_intranet|*$%*@*   $N$D30|Explicit$ routing$ not$ allowed
      tcp_local|*|tcp_intranet|*.*!*@*  $N$D30|Explicit$ routing$ not$ allowed
      tcp_local|*|tcp_intranet|"*@*"@*  $N$D30|Explicit$ routing$ not$ allowed
    
    
    SEND_ACCESS
    
      tcp_*|*|*|*@[127.*]  $X5.1.2|$NBad$ destination$ system
      tcp_*|*|*|*@localhost.*  $X5.1.2|$NBad$ destination$ system
      tcp_*|*|*|*@example.com  $X5.1.2|$NBad$ destination$ system
      tcp_*|*|*|*@example.net  $X5.1.2|$NBad$ destination$ system
      tcp_*|*|*|*@example.org  $X5.1.2|$NBad$ destination$ system
      tcp_*|*|*|*@*.test  $X5.1.2|$NBad$ destination$ system
      tcp_*|*|*|*@*.example  $X5.1.2|$NBad$ destination$ system
      tcp_*|*|*|*@*.invalid  $X5.1.2|$NBad$ destination$ system
      tcp_*|*|*|*@*.localhost  $X5.1.2|$NBad$ destination$ system
    
    
    CONVERSIONS
    
      in-chan=tcp_intranet;out-chan=tcp_example;CONVERT No
      in-chan=tcp_*;out-chan=*;CONVERT      Yes
      in-chan=l;out-chan=*;CONVERT          Yes
    
    
    <IMTA_TABLE:mappings.locale
  11. Install the scan-attachment.sh script and make sure its permission and ownership are correct:


    fe-amer-N# cd /opt/SUNWmsgsr/config
    fe-amer-N# ls -ld scripts/  
    drwxr-xr-x   2 mailsrv  mailsrv      512 Apr 20 00:37 scripts/
    fe-amer-N# ls -ld scripts/scan-attachment.sh 
    -rwxr--r--   1 mailsrv  mailsrv     5330 Apr 20 00:35 scripts/scan-attachment.sh
  12. Create the conversions file:


    ! Scan attachments for banned prefixes that often contain viruses
      in-channel=*; out-channel=*;
      in-type=*; in-subtype=*;
      parameter-symbol-0=NAME; parameter-copy-0=*;
      dparameter-symbol-0=FILENAME; dparameter-copy-0=*;
      message-header-file=2; original-header-file=1;
      override-header-file=1;
      command="/opt/SUNWmsgsr/config/scripts/scan-attachment.sh"
  13. Edit the dispatcher.cnf file with the following highlighted changes:


    ! VERSION=1.1
    ! IMTA default dispatcher configuration file
    !
    ! Global defaults
    !
    MIN_PROCS=1
    MAX_PROCS=10
    MIN_CONNS=30
    MAX_CONNS=50
    MAX_SHUTDOWN=2
    MAX_LIFE_TIME=86400
    MAX_LIFE_CONNS=10000
    MAX_IDLE_TIME=600
    HISTORICAL_TIME=0
    !
    ! multithreaded SMTP server
    !
    [SERVICE=SMTP]
    PORT=25,12196
    ! Uncomment the following line if you want to support SSL on the alternate
    ! port 465
    TLS_PORT=465
    IMAGE=IMTA_BIN:tcp_smtp_server
    LOGFILE=IMTA_LOG:tcp_smtp_server.log
    STACKSIZE=2048000
    ! Uncomment the following line and set INTERFACE_ADDRESS to an appropriate
    ! host IP (dotted quad) if the dispatcher needs to listen on a specific
    ! interface (e.g. in a HA environment).
    INTERFACE_ADDRESS=10.1.82.187,127.0.0.1
    !
    ! rfc 2476 Submit server
    !
    [SERVICE=SMTP_SUBMIT]
    PORT=587
    IMAGE=IMTA_BIN:tcp_smtp_server
    LOGFILE=IMTA_LOG:tcp_smtp_server.log
    PARAMETER=CHANNEL=tcp_submit
    STACKSIZE=2048000
    ! Uncomment the following line and set INTERFACE_ADDRESS to an appropriate
    ! host IP (dotted quad) if the dispatcher needs to listen on a specific
    ! interface (e.g. in a HA environment).
    INTERFACE_ADDRESS=10.1.82.187
    !
    ! rfc 2033 LMTP server - store
    !
    ![SERVICE=LMTPSS]
    !PORT=225
    !IMAGE=IMTA_BIN:tcp_lmtp_server
    !LOGFILE=IMTA_LOG:tcp_lmtpss_server.log
    !PARAMETER=CHANNEL=tcp_lmtpss
    !STACKSIZE=2048000
    ! Uncomment the following line and set INTERFACE_ADDRESS to an appropriate
    ! host IP (dotted quad) if the dispatcher needs to listen on a specific
    ! interface (e.g. in a HA environment).
    !INTERFACE_ADDRESS=
    !
    ! rfc 2033 LMTP server - native
    !
    ![SERVICE=LMTPSN]
    !PORT=226
    !USER=root
    !IMAGE=IMTA_BIN:tcp_lmtpn_server
    !LOGFILE=IMTA_LOG:tcp_lmtpsn_server.log
    !PARAMETER=CHANNEL=tcp_lmtpsn
    !STACKSIZE=2048000
    ! Uncomment the following line and set INTERFACE_ADDRESS to an appropriate
    ! host IP (dotted quad) if the dispatcher needs to listen on a specific
    ! interface (e.g. in a HA environment).
    !INTERFACE_ADDRESS=
    !
  14. Edit the job_controller.cnf file:


    [POOL=SMTP_POOL]
    job_limit=10
    !
    [POOL=CONVERSION_POOL]
    job_limit=10
    !
    !Channel definitions
    !
  15. Edit aliases


    ! MTA aliases file
    !
    !root@example.com: postmast
    adm@mail-amer.example.com: postmast
    root@mail-amer.example.com: postmast
    postmaster@mail-amer.example.com: postmast
    examplemc-alert:    root@mail-amer.example.com
    examplemc-critical:   root@mail-amer.example.com
  16. Add the BE relay host to /etc/hosts (different sites use different BE relay hosts; refer to the EdgeProfile):


    fe-amer-N# grep gis-relay /etc/hosts
    10.1.99.30    amerea-mail.example.com gis-relay.us.example.com
  17. Create a symbolic link for the certmap.conf file to work around known issue 5008768:


    fe-amer-N# cd /opt/SUNWmsgsr/config
    fe-amer-N# ls -l certmap*
    lrwxrwxrwx   1 root     other         34 Apr 20 00:16 certmap.conf -> /opt/ds/shared/config/certmap.conf
  18. Edit the imta_tailor file to place MTA logs into the imta subdirectory:


    fe-amer-N# cd /opt/SUNWmsgsr/config
    fe-amer-N# cp imta_tailor imta_tailor.orig_`date +%Y%m%d`
    fe-amer-N# sed s/"\/log\//\/log\/imta\/"/ imta_tailor.orig_`date +%Y%m%d` > imta_tailor
  19. Compile this new configuration and restart the dispatcher with the following commands:


    fe-amer-N# imsimta cnbuild
    fe-amer-N# imsimta restart dispatcher
  20. Configure the logadm utility:


    fe-amer-N# mkdir /opt/SUNWmsgsr/log/imta/archive
    fe-amer-N# chown mailsrv:mailsrv /opt/SUNWmsgsr/log/imta/archive
    fe-amer-N# logadm -w mail -C 28 -p 1d -t \
        '/opt/SUNWmsgsr/log/imta/archive/mail.log.$n' \
        -z 6 /opt/SUNWmsgsr/log/imta/mail.log
    fe-amer-N# logadm -w attach -C 28 -c -t \
        '/opt/SUNWmsgsr/log/imta/archive/attachment.log.$n' -z 6 \
        /opt/SUNWmsgsr/log/imta/attachment.log_current
    fe-amer-N# logadm -w virus -C 28 -c -t \
        '/opt/SUNWmsgsr/log/imta/archive/virus.log.$n' \
        -z 6 /opt/SUNWmsgsr/log/imta/virus-attachment.log_current
    fe-amer-N# logadm -w connection -C 28 -t \
        '/opt/SUNWmsgsr/log/imta/archive/connection.log.$n' \
        -z 6 /opt/SUNWmsgsr/log/imta/connection.log
  21. If there is a dedicated queue partition, relocate imta/queue onto it:


    fe-amer-N# stop-msg smtp
    fe-amer-N# mkdir -p /imta/queue
    fe-amer-N# chown mailsrv:mailsrv /imta/queue
    fe-amer-N# cd /opt/SUNWmsgsr/data
    fe-amer-N# ln -s /imta/queue queue
    fe-amer-N# start-msg smtp
  22. Create an alias called smarthost.example.com for the GIS relay VIP in /etc/hosts, so that outbound mail has a fallback through the local smarthost instead of depending on a single GIS relay VIP:


    10.1.99.30 gis-relay.us.example.com smarthost.example.com
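As an added example (not part of the Sun documentation), the following Python models how the step-10 mapping tables decide whether a message may be relayed: an INTERNAL_IP hit on a tcp_local session switches it to tcp_intranet (the switchchannel keyword in step 8), then ORIG_SEND_ACCESS and a subset of SEND_ACCESS are matched in order. The step-8 rewrite rules are simplified, the assumption that local-domain recipients resolve through LDAP to a back-end mailhost reached over tcp_intranet is mine, and all sample IP addresses and recipients are constructed.

```python
import ipaddress
import re

# INTERNAL_IP entries from step 10: $(host/len) selects the whole network containing host.
INTERNAL_IP = ["10.1.82.183/24", "129.147.156.0/24", "127.0.0.1"]
# ORIG_SEND_ACCESS from step 10 as (source channel, destination channel, recipient, reason).
ORIG_SEND_ACCESS = [
    ("tcp_local", "tcp_local", "*", "Relaying not allowed"),
    ("tcp_*", "native", "*", "Access denied"), ("tcp_*", "hold", "*", "Access denied"),
    ("tcp_*", "pipe", "*", "Access denied"), ("tcp_*", "ims-ms", "*", "Access denied"),
    ("tcp_local", "tcp_intranet", "@*:*.*", "Explicit routing not allowed"),
    ("tcp_local", "tcp_intranet", "*%*@*", "Explicit routing not allowed"),
    ("tcp_local", "tcp_intranet", "*.*!*@*", "Explicit routing not allowed"),
    ("tcp_local", "tcp_intranet", '"*@*"@*', "Explicit routing not allowed"),
]
# Subset of the SEND_ACCESS "Bad destination system" recipient patterns from step 10.
SEND_ACCESS_BAD = ["*@[127.*]", "*@localhost.*", "*@*.test", "*@*.invalid", "*@*.localhost"]

def glob_match(pattern, text):
    """Mapping-table glob: '*' matches any run of characters, everything else is literal."""
    return re.fullmatch(".*".join(re.escape(p) for p in pattern.split("*")), text) is not None

def is_internal(ip):
    """INTERNAL_IP lookup; strict=False turns 10.1.82.183/24 into the 10.1.82.0/24 network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in INTERNAL_IP)

def source_channel(ip):
    """tcp_local carries switchchannel: an INTERNAL_IP hit moves the session to tcp_intranet."""
    return "tcp_intranet" if is_internal(ip) else "tcp_local"

def dest_channel(recipient):
    """Simplified step-8 rewrite rules. Assumption (mine): local-domain users resolve via
    LDAP to a back-end mailhost reached over tcp_intranet, as on an EdgeMail front end."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in ("mail-amer.example.com", "example.com") or \
            glob_match("bedge*-mail1.us.example.com", domain):
        return "tcp_intranet"
    if domain.endswith(".example.com"):
        return "tcp_example"
    return "tcp_local"  # everything else is routed out via internet.rules

def check(src_ip, recipient):
    """Return (source channel, destination channel, rejection text or None)."""
    src, dst = source_channel(src_ip), dest_channel(recipient)
    for s_pat, d_pat, r_pat, reason in ORIG_SEND_ACCESS:
        if all(glob_match(p, v) for p, v in ((s_pat, src), (d_pat, dst), (r_pat, recipient))):
            return src, dst, reason
    if any(glob_match(p, recipient) for p in SEND_ACCESS_BAD):
        return src, dst, "Bad destination system"
    return src, dst, None
```

Note that a mapping entry written as `(129.147.156.0/24)` without the leading `$` is a literal string pattern and would never match a client address, which is why is_internal() only reads the `$(...)` form.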