Sun Java System Messaging Server 6 2005Q4 Administration Reference

Encryption (SSL) Option

The Sun Java System Messaging Multiplexor supports both unencrypted and encrypted (SSL) communications between the Messaging Server(s) and their mail clients.

When SSL is enabled, the MMP IMAP supports both STARTTLS on the standard IMAP port and IMAP+SSL on port 993. The MMP can also be configured to listen on port 995 for POP+SSL.

To enable SSL encryption for IMAP and POP services, edit the ImapProxyAService.cfg and PopProxyAService.cfg files, respectively. You must also edit the default:ServiceList option in the AService.cfg file to include the list of all IMAP and POP server ports regardless of whether or not they are secure.

To enable SSL encryption for SMTP proxy services, edit the SmtpProxyAService.cfg file.

By default, SSL is not enabled since the SSL configuration parameters (Table 5–1) are commented out. Install a certificate as documented in the Sun Java System Messaging Server 6 2005Q4 Administration Guide. To enable SSL, un-comment and set the following parameters:

Table 5–1 SSL Configuration Parameters




Port number to which the MMP will try to connect on the store servers for SSL. If this parameter is not set, the MMP will not use SSL when connecting to the store. 

There are no default values, but ports 993 and 995 are recommended for IMAP and POP, respectively. 

This parameter does not apply to SMTP proxy. 


SSL session cache directory. 

The recommended value is the msg_svr_base/config directory.


This has been replaced by the option SSLCertPrefix.


Nicknames of the certificates in the SSL certificate database to offer as the server certificate. 

The recommended value is Server-Cert.


Filename prefix to the SSL certificate database file. The certificate database file must be in the directory specified by the SSLCacheDir setting. The recommended value is ““.


Whether or not to enable SSL. If set to “True”, “Yes” or “1”, Multiplexor will activate the STARTTLS (for IMAP, SMTP) or STLS (for POP) command. To activate SSL on separate ports, this must be set in addition to the SSLPorts option. 

If SSL is enabled, all of the following variables must be set. You can specify an empty parameter with empty quotes (““). 


The default is no (SSL is not enabled).


Key database file location (defined when you obtained a certificate for this server). Multiplexor requires a private key corresponding to its SSL server certificate. The location specified here should be absolute, not relative to the Multiplexor installation directory. 

The recommended value is msg_svr_base/config/key3.db.

Be sure to protect this file so only the multiplexor and other authorized servers can read it. 


File location for the passwords that protect access to the private key file. Passwords may be null if the key is not password-protected. 

The default is msg_svr_base/config/sslpassword.conf.


Ports on which SSL will be turned on (accepted SSL connections). Syntax is: 

[ IP ":" ] PORT [ "|" [ IP ":" ] PORT ]

For example: 993| means connections to any IP on port 993 and localhost on port 1993 get SSL on accept.

There are no default values, but ports 993 and 995 are recommended for POP and IMAP, respectively. Note that even if you set a port, the MMP will not actually accept connections to that port until it is included in the ServiceList (see Multiplexor Configuration Parameters). If this parameter is not set, and SSLEnable is set to “true” or “yes,” then only IMAP STARTTLS is enabled.


Security module database file location. If you have hardware accelerators for SSL ciphers, this file describes them to the Multiplexor. 

The recommended value is secmod.db.