Netscape Mail Server Administrator's Guide
                              

Working with users and groups

This chapter provides information that you'll need in working with user and group directory entries to create email accounts.

Here's what you'll read about in this chapter:

Using the Administration Server

When you installed Netscape Messaging Server 3.0, another server--the Administration Server--was also installed with it. This Administration Server provides centralized user and group administration. That is, user and group entries are created and maintained with the Administration Server; the information is available to any Netscape SuiteSpot server that uses it.

The Administration Server means simplified account administration for the server administrator because user and group entries can be created once, in one place, rather than repeatedly for each server that needs the information. For users, this means signing on once, rather than having to maintain and enter a different password for each server used.

The Administration Server maintains user and group entries in a local directory database that can be shared by multiple SuiteSpot servers installed on the same machine. You can also use a Lightweight Directory Access Protocol (LDAP) Directory Server that can be shared by multiple SuiteSpot servers installed across multiple hosts.

The forms used to create and manage user and group entries on the Administration Server provide a "General" portion, with fields that are non-server specific. Servers that require additional forms--such as the Messaging Server--automatically provide additional, server-specific forms that are accessed from within those user and group forms.

For more information about the Administration Server and how it works with other SuiteSpot servers, or for instructions on setting up and maintaining user and group accounts, see Managing Netscape Servers.

Starting and stopping the Administration Server

You can start and stop your Administration Server from the command line using the start-admin and stop-admin utilities that are available in your root installation directory. That is, if you installed your server in:

/usr/netscape/suitespot

then you can start your Administration Server by running:

/usr/netscape/suitespot/start-admin

Similarly, you can use the stop-admin utility to stop your Administration Server:

/usr/netscape/suitespot/stop-admin

In addition, you can stop your Administration Server by going to the Server Preferences | Shut Down form in the Administration Server interface.

For more information on stopping and starting your Administration Server, see Managing Netscape Servers.

Accessing the Administration Server

You use your web browser to connect to the Administration Server. Assuming that the Administration Server is running, you can connect to it by entering the server's hostname and port number in your web browser. For example, if your Administration Server is installed on the host host.mydomain.com at port number 1500, then you can access the Administration Server by entering the following in your web browser:

          http://host.mydomain.com:1500
NT
Note that if you are using a Windows NT machine, you can automatically start your Administration Server, launch your web browser, and connect to the Administration Server by clicking the Administration program item.

Using the Server Administration page

When you first connect to the Administration Server, you see a form that identifies the various Netscape servers that this Administration Server is managing. This is the Server Administration page. There are also several links on the Server Administration page that take you to general administration functions, such as setting up Secure Socket Layer (SSL), managing users and groups, and so on. To manage your Messaging Server, click the button that represents your Messaging Server.

For a complete description of the Server Administration page, and of the various management functions available through the Administration Server, see Managing Netscape Servers.

Using the Messaging Server manager

This guide frequently mentions the Messaging Server manager. This term is used to refer to the collection of forms that you access when you click the Messaging Server button from the Server Administration page. These forms allow you to perform Messaging Server management tasks such as:

All Netscape servers are managed through server managers that have the same look and feel as the Messaging Server manager. Consequently, if you have ever managed other Netscape servers before, there should be few surprises when you manage the Messaging Server.

What are email accounts?

Information about users and groups who receive email on your messaging system is organized by the Administration Server into directory entries. Because other types of servers can also provide additional attributes within these user and group entries, only a portion of the information contained in a directory entry may be used by the Messaging Server. It would be inaccurate to think of a directory entry as an email account. However, it is helpful to consider the relevant subset of attributes in a directory entry that are used by the Messaging Server as constituting an email "account," and it is in this sense that the term is used throughout this guide.

Email accounts comprise such information as the user's or group's name, email address or addresses, how and where email is delivered, and so on.

Of the many types of information potentially contained in a directory entry, here are some of the categories of information in each mail user's entry that are used by the Messaging Server to process incoming email messages:

Although the server administrator controls most of the information in a directory entry, the entry's owner can change certain items that apply only to his or her entry--such as the password and auto-reply information, for instance.

Working with user and group forms

Managing Netscape Servers provides a general introduction to using HTML forms to manage Netscape servers. It also provides step-by-step instructions for creating, editing, renaming, and deleting user and group entries. The following sections provide information on the forms within the user and group entries that are used by the Messaging Server.

Managing user accounts

The Mail User Information form is the portion of a user's directory entry that you use to provide information about the user that the Messaging Server needs to process that user's messages. You access the Mail User Information form by clicking Mail in the user's directory entry form.

Jane Doe's directory entry form.

After you click Mail, the Mail User Information form appears.

About the Mail User Information form

The following sections describe each of the fields in the Mail User Information form.

Preferred Language field

The preferred language field specifies the human language to be used to interact with the form. The default language is U.S. English, using 7-bit ASCII characters. To change the language:

Primary Email Address field

The primary email address is the publicized address--that is, the address likely to be looked up by "white pages" applications. The primary email address is used to select this account for email delivery. This is also the address that the Messaging Server will put on the "From:" line of all outgoing mail if the Messaging Server is set up to do so.

This field should include only one correctly formatted SMTP address. You can assign any valid address (that is, an address that conforms to RFC 821 specifications) to an account. However, you might want to choose a consistent convention for user addresses (such as First.Lastname@mail_domain or another common convention).

Note
Addresses are not case sensitive. For example, the Messaging Server will not distinguish between Dispatch.com and dispatch.com.

Regardless of the convention you choose, you must set up the domain name system (DNS) so that mail addressed to the mail domain you use will be delivered to your network. The Messaging Server can accept messages for any number of domains; it's not limited to your "official" domains specified during installation.

Alternate Email Addresses field

Use this field to list any alternate email addresses. A message arriving for any of the listed addresses will be directed to this account and then delivered using the local delivery method selected for the account.

You can have as many alternate addresses per account as you like, but they must all be unique, just as all Internet addresses should be unique no matter where they are located.

Many sites prefer that the specific hostname not be included on the sender's outgoing email address. This technique is called hostname hiding. If you want to use hostname hiding, the account will need a primary address that does not include the hostname:

  Jane.Doe@Dispatch.com
Unix
Most Unix mail systems use the user's login ID as their mail address, so further alternate addresses might be required. For instance, if Jane Doe's Unix login is "jane," you might also have the following addresses in her account:
  jane@sunnyvale.dispatch.com
  jane@dispatch.com

Messaging Server field

This field specifies the hostname of the Messaging Server that handles this user's email. The name you enter here must be a fully-qualified domain name (FQDN). If the server has multiple hostnames (FQDNs), it must be the FQDN that is known by the Messaging Server on that machine.

Delivery Options fields

You have four delivery options to choose from: POP3/IMAP delivery, Unix delivery, program delivery, and forward delivery.

POP/IMAP Delivery
If this option is enabled, mail is held by the Messaging Server until the user checks for mail using a POP3/IMAP4 mail client. Users who employ this delivery must use the User ID specified in their directory entry as their POP/IMAP login name. You can also specify the specific message store path, mail quota, and access domains for this user:

The message store path specifies an alternate location for the mail spool--for instance, to spread accounts over multiple disk drives. Leave this field blank to use the system default, which is configured when you install the Messaging Server. The directory you enter in this field must exist, and the Messaging Server account must be able to write to it.

Use this field to specify a user's disk quota in bytes. You can leave the field blank to use the default. (You use the Messaging Server's System Configuration form to set the default.)

You can use this field to limit the access that users have to their accounts. Users can retrieve their mail through POP3/IMAP only from within their access domains. An access domain can be as restrictive as a single computer, a list of several computers, or an incomplete domain. For example, the access domain dispatch.com would include any computer whose DNS address includes the suffix dispatch.com. If you leave this field blank, the access domain will be unlimited. If you write "none," you prevent POP/IMAP logins. (Note that either domain entries or IP addresses can be used in this field.) See "Access domains" on page 59 for more information.

Unix Delivery
Unix
If this option is enabled, messages are delivered to a maildrop file within a user's Unix account located on the same host as the Messaging Server. Unix delivery is available only on the Unix platform, and users' User IDs specified in their directory entries are taken to be their Unix login names. This option enables pickup with legacy Unix mail clients.

Forward Delivery
If this option is enabled, mail is forwarded to the addresses that you specify in the Addresses for Forward Delivery field. Follow the same rules as you would for an SMTP address (an Internet address). You can forward mail for an account to as many addresses as you like.

Program Delivery
Unix
If this option is enabled, users can deliver messages to external programs such as procmail. Users' User IDs specified in their directory entries are taken to be their Unix login names. If the Program Delivery option is selected, the Messaging Server runs the programs listed in the Command lines for Program Delivery field when mail arrives for the account. Programs are run with the permissions of the user specified by the Unix login name and receive the incoming message as input. The format for entries is a complete command-line statement including options, such as

   /usr/local/bin/procmail -f -
Note
By default, program delivery is disabled when the Messaging Server is installed. Programs must be set up and program delivery enabled before the program delivery fields can be used. You should familiarize yourself with the special security considerations involved in using this feature before enabling it. See Appendix C, "Program delivery" for more information.

Auto-Reply Mode field

Select "None," "Vacation," "Reply," or "Echo." See Chapter 2 for more information on these options.

Auto-Reply Text field

This field is used when you select the vacation, reply, or echo options for the Auto-Reply Mode option. You can leave it blank if a default reply message exists.

Personal Description field

This information is provided when the account receives a finger query for this user.

Managing group accounts

Mail group accounts are often useful when delivery is intended for several people in a single conceptual group, such as the sales staff. For example, there might be several people who need to receive any messages addressed to sales@dispatch.com.

There are other reasons you might want to create group accounts. For example, sites connected to the Internet might maintain a valid address for "webmaster," so that people can contact the person responsible for the corporate home page, and since more than one person may be assigned to that responsibility, each may need to receive mail at this address. Similarly, you might want to create a group called "support" to handle technical support questions or "info" to handle public relations questions. See "Required and recommended groups" on page 35 for more information.

Like user directory entry forms, group entry forms provide both a general and a mail-specific set of fields. The information provided in the General fields can be used by other SuiteSpot servers, for instance, to help organize access control. The Mail Group Information form is the portion of a group's directory entry that you use to provide information about the group that the Messaging Server needs to deliver that group's messages. You access the Mail Group Information form by clicking Mail in the group's directory entry form.

The Sales group's directory entry form.

After you click Mail, the Mail Group Information form appears.

About the Mail Group Information form

The following sections describe each of the fields in the Mail Group Information form.

Preferred Language field

The preferred language field specifies the human language to be used to interact with the form. The default language is U.S. English, using 7-bit ASCII characters. To change the language:

Primary Email Address field

The primary email address is the publicized address. The primary email address is used to select this account for email delivery.

This field should include only one correctly formatted SMTP address. You can assign any valid address (that is, an address that conforms to RFC 821 specifications) to an account. However, you might want to choose a consistent convention for group addresses (such as Groupname@mail_domain or another common convention).

Note
Addresses are not case sensitive. For example, the Messaging Server will not distinguish between Dispatch.com and dispatch.com.

Regardless of the convention you choose, you must set up the domain name system (DNS) so that mail addressed to the mail domain you use will be delivered to your network. The Messaging Server can accept messages for any number of domains; it's not limited to your "official" domains specified during installation.

The Primary Email Address must be unique, just as all Internet addresses should be unique no matter where they are located.

Alternate Email Addresses field

Use this field to list any alternate email addresses. A message arriving for any of the listed addresses will be directed to this account and then delivered using the local delivery method selected for the account.

You can have as many alternate addresses per account as you like, but they must all be unique, just as all Internet addresses should be unique no matter where they are located.

Send Errors To field

Use this field to specify the person to whom the Messaging Server should send error messages. You can leave this field empty to return error messages to the sender.

If this field is left empty, the group is treated as a mail alias. With an entry in this field, the group is considered a mailing list. The difference is in the degree to which they are managed. It is assumed that lists are more actively managed than aliases, and therefore error messages need to be sent to the person responsible for managing the list.

It is recommended that you usually create mailing lists by entering an address in this field so that the group manager can handle bounced messages, rather than bothering everyone in the mail group with error messages.

The entry should be in the form of a complete email address; for example, jane@dispatch.com.

Messaging Server field

Use this field to specify the hostname of the Messaging Server that handles this group's email. The name you enter here must be a fully-qualified domain name (FQDN). If the server has multiple hostnames (FQDNs), it must be the FQDN that is known by the Messaging Server on that machine. You can leave this field empty to allow any Messaging Server to handle mail for the group.

Note
Leaving this field empty is usually more efficient, since it allows any Messaging Server to process this group's mail. You may want to list a specific hostname in cases where you want to force processing to a specific machine. For example, if you are creating a very large group, you may want to force processing on a less busy machine.

The FQDN is indicated by the MessageHostName setting in the /etc/netscape.mail.conf file (Unix) or by the combined Host Name and Domain fields in the DNS configuration area of the Windows NT Network Control Panel.

List of CC Recipients field

Use this field to specify "email" group members--that is, recipients who are specified by their email address rather than by name. Enter one address per line (for example, jdoe@example.com).

For example, you may create a group that consists of top executives in your firm. You might list each executive's assistant in this field to provide copies of group email to the assistants without giving them access control.

You might also include in this field recipients who are external to your Messaging Server, or who do not have a directory entry in your directory database.

Note
These members are "email-only" members, and email-only group members are not considered group members for any other purpose.

LDAP Criteria for Generating CC List field

This field is used for criteria-based mail group membership, and is useful when you want to create a group that includes everyone that meets certain criteria (for example, everyone in the organization or organizational unit, or everyone on a particular Messaging Server), instead of listing all the members explicitly.

Note
These members are "email-only" members, and email-only group members are not considered Group Members for any other purpose.

This field requires that you know the syntax for specifying LDAP filters. Enter each LDAP search filter on its own line.

This field can be very useful for large groups and groups with very dynamic membership: you don't need to add and remove people individually since membership is conferred by meeting the LDAP criteria for the group.

For example:

ldap:///o=Ace Corp,c=US???(&(mailHost=sunnyvale.ace.com)(objectClass=inetOrgPerson))
This filter would make everyone who has sunnyvale as a mail server a member of this group. You might use such a filter to notify everyone on the server when the server needs to be shut off for maintenance.

Another example:

ldap:///ou=Marketing, o=Ace Corp, c=US???(objectClass=inetOrgPerson)
This filter makes everyone in the marketing department a member of the group.

Note:
See RFC 1959 for information on constructing an LDAP filter. Note also that the "searchDN" and "filter" fields are currently used.

Important
Generally, you will want at least a filter of (objectClass=inetOrgPerson) unless you want the group to include agents or other groups. Groups are not expanded within a search, even if they are not specifically excluded by the LDAP filter.
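
The advice above can be checked before a criteria line is saved. The following Python is an added example, not part of this guide or of the Netscape product: it splits each line of the field into its searchDN and filter parts and flags any filter that does not force (objectClass=inetOrgPerson). All function names are hypothetical, the last three sample lines are constructed, and filter values are assumed to contain no literal parentheses.

```python
from urllib.parse import unquote

def parse_ldap_url(url):
    """Split ldap://host/searchDN?attributes?scope?filter into its fields."""
    scheme, sep, rest = url.strip().partition("://")
    if scheme.lower() != "ldap" or not sep:
        raise ValueError("not an ldap:// URL")
    host, _, tail = rest.partition("/")
    fields = tail.split("?") + [""] * 3          # pad missing trailing fields
    dn, attrs, scope, flt = (unquote(f).strip() for f in fields[:4])
    return {"host": host, "searchDN": dn, "attributes": attrs,
            "scope": scope, "filter": flt}

def parse_filter(text):
    """Parse a parenthesised LDAP filter string into a nested tuple tree."""
    node, pos = _node(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node

def _node(s, i):
    # Assumption: attribute values contain no literal '(' or ')'.
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _node(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unbalanced parentheses")
        if not children or (op == "!" and len(children) != 1):
            raise ValueError(f"bad operand count for '{op}'")
        return (op, children), i + 1
    end = s.find(")", i)
    if end == -1:
        raise ValueError("unbalanced parentheses")
    attr, sep, value = s[i:end].partition("=")
    if not sep or not attr.strip():
        raise ValueError(f"malformed item '{s[i:end]}'")
    return ("=", attr.strip().lower(), value.strip()), end + 1

def requires_person(node):
    """True only if every entry the filter matches must be an inetOrgPerson."""
    if node[0] == "=":
        return (node[1], node[2].lower()) == ("objectclass", "inetorgperson")
    if node[0] == "&":
        return any(requires_person(c) for c in node[1])   # one clause suffices
    if node[0] == "|":
        return all(requires_person(c) for c in node[1])   # every branch must
    return False  # a negation never guarantees the object class

def lint_criteria(field_text):
    """Return (line_number, message) findings, one criteria URL per line."""
    findings = []
    for n, line in enumerate(field_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            url = parse_ldap_url(line)
            tree = parse_filter(url["filter"])
        except ValueError as exc:
            findings.append((n, f"unparseable: {exc}"))
            continue
        if not requires_person(tree):
            findings.append((n, "filter does not require objectClass=inetOrgPerson"))
    return findings

# Lines 1-2 are the guide's own examples; lines 3-5 are constructed test cases.
SAMPLE = """\
ldap:///o=Ace Corp,c=US???(&(mailHost=sunnyvale.ace.com)(objectClass=inetOrgPerson))
ldap:///ou=Marketing, o=Ace Corp, c=US???(objectClass=inetOrgPerson)
ldap:///o=Ace Corp,c=US???(mailHost=sunnyvale.ace.com)
ldap:///o=Ace Corp,c=US???(|(objectClass=inetOrgPerson)(mailHost=sunnyvale.ace.com))
ldap:///ou=Marketing, o=Ace Corp, c=US???(&(objectClass=inetOrgPerson)(ou=Marketing)
"""

if __name__ == "__main__":
    print(*lint_criteria(SAMPLE), sep="\n")
```

The OR case on sample line 4 is flagged because an entry can match through the mailHost branch alone, so the group could pick up agents or other groups.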

Maximum Message Size field

This field restricts the size in bytes of messages that can be received by this group. Messages that exceed this maximum size are rejected.

You can also leave this field blank to impose no limit on the message size.

Allowed Sender Domains field

This field restricts messages received by this group to messages sent from the domain you specify.

Important
This feature can be "spoofed" and should therefore not be used as a security measure. The feature is useful, however, in restricting the volume of messages received by the group.

Allowed Senders field

This field restricts messages received by this group to messages sent by people or groups that you specify. For example, if you list the group you are creating in this field as the only allowed senders, only members of the group can send messages to the group.

Important
This feature can be "spoofed" and should therefore not be used as a security measure. The feature is useful, however, in restricting the volume of messages received by the group.

Rejection Notice field

Use this field to provide a message that will be sent when messages addressed to this group are rejected. You have the option of including the original message along with the rejection notice.

Using the LDAP search tool to create criteria-based cc lists

You can now use the LDAP Search Tool to specify criteria for assigning criteria-based mail group membership. This feature is useful when you want to create a group that includes everyone that meets certain criteria (for example, everyone in the organization or organizational unit, or everyone on a particular Messaging Server), instead of listing all the members explicitly. This feature can be very useful for managing large groups and groups with very dynamic membership: you don't need to add and remove people individually since membership is conferred by meeting the LDAP criteria for the group.

The LDAP Search Tool is accessed from the Mail Group Information form.

  1. From the Administration Server's Server Administration page, choose Users & Groups | Manage Groups.

  2. Enter the name of the group you want to manage.

  3. Click Mail.

  4. Click LDAP Search Tool.

    The LDAP Search Tool button is located near the LDAP Criteria for Generating CC List field. When you click LDAP Search Tool, the LDAP Query Generator window appears:

The LDAP Query Generator

Use the window to select criteria for your search, including the depth of the search and the Base DN to search from.

To retrieve more than one criterion, click More (all criteria are added together).

To remove the most recently added criterion, click Fewer.

To add the LDAP search URLs based on your choices, click Add to list. You can modify the generated Search URL in the edit box.

Required and recommended groups

As Messaging Server administrator, you will need to maintain at least one required group, the postmaster group. You most likely will also want to maintain other groups that are often used by convention to assist routing messages to their appropriate recipients.

Required group: Postmaster

By convention, messaging systems need to provide an account for "postmaster" so that messages sent to postmaster@host.domain can be delivered successfully. Most often, the postmaster is the person responsible for setting up and maintaining the Messaging Server, but it can be others who share some responsibilities with the server administrator.

The postmaster group is created automatically from information you provide during Messaging Server installation. As server administrator, you should maintain a separate, personal email account and use the postmaster account merely to funnel messages addressed to postmaster@host.domain to you. You can add others to the postmaster group if you need or want to share administrative duties with others.

Important
Assigning others to the postmaster group does not give them access to the full range of forms available to the Messaging Server administrator. Membership in the postmaster group merely channels messages addressed to postmaster to those assigned to that group. If you want or need to share server administrator responsibilities with others, you will need to provide access through shared passwords for logging on to the Messaging Server.

Recommended groups

Following are some generic group accounts that are used by convention to route messages to their appropriate recipients. The benefit of maintaining these accounts, of course, is that senders do not need to know a unique email address to send their messages successfully to the responsible recipient.

Note
Members of these group accounts can be either people who have directory entries managed by the same local directory database or LDAP Directory Server (preferred), or people whose mail is forwarded elsewhere. Multiple aliases are supported (customer_service@mydomain.com, support@mydomain.com). Mail routing is independent of uppercase/lowercase--that is, support@mydomain.com is equivalent to Support@mydomain.com.

Group ID      Common Name          Description

Business-related groups
INFO          Marketing            Packaged information about the organization, products, and/or services, as appropriate
MARKETING     Marketing            Product marketing and marketing communications
SALES         Sales                Product purchase information
SUPPORT       Customer Service     Problems with product or service

Network Operations
ABUSE         Customer Relations   Inappropriate public behavior
NOC           Network Operations   Network infrastructure
SECURITY      Network Security     Security bulletins or queries

Internet Services
HOSTMASTER    DNS                  RFC 1033-RFC 1035
USENET        NNTP                 RFC 977
NEWS          NNTP                 Synonym for USENET
WEBMASTER     HTTP                 RFC 2068
WWW           HTTP                 Synonym for WEBMASTER
UUCP          UUCP                 RFC 976
FTP           FTP                  RFC 959

Starting and stopping the Messaging Server

You can start and stop the Messaging Server from the: