4 Configuring and Administering Multiplexor Services

This chapter describes the Messaging Multiplexor (MMP) for standard mail protocols (POP, IMAP, and SMTP).

Multiplexor Services in Unified Configuration Overview

The MMP configuration is stored in the Unified Configuration. The following MMP configuration files are no longer used in Unified Configuration:

Table 4-1 Legacy MMP Configuration Files

File Type                                  Legacy File Names
-----------------------------------------  -------------------------
POP SSL MMP Encryption File                PopProxyAService.cfg
POP Services Configuration Template        PopProxyAService-def.cfg
IMAP SSL MMP Encryption File               ImapProxyAService.cfg
IMAP Services Configuration Template       ImapProxyAService-def.cfg
Service Starting Configuration File        AService.cfg
Service Starting Configuration Template    AService-def.cfg
SMTP SSL MMP Encryption File               SmtpProxyAService.cfg
SMTP Services MMP Configuration Template   SmtpProxyAService-def.cfg


In Unified Configuration, you enable and modify the MMP configuration by running the msconfig command to set the appropriate MMP options. The ServiceList and SSLports options are gone in Unified Configuration. You now use the imapproxy, popproxy, and smtpproxy configuration groups, and the tcp_listen option. Use the following commands to view the initial MMP configuration settings.

msconfig
msconfig> show mmp*
role.mmp.enable = 0
msconfig> show imapproxy*
role.imapproxy.connlimits = :20
role.imapproxy.tcp_listen:imapproxy1.tcp_ports = 143
msconfig> show popproxy*
role.popproxy.connlimits = :20
role.popproxy.tcp_listen:popproxy1.tcp_ports = 110
msconfig> show submitproxy*
role.submitproxy.connlimits = :20

In addition, the ssl_ports option works like the tcp_ports option but enables SSL services (thus fixing the problem in legacy configuration, where an SSL proxy service had to be listed in both the ServiceList and SSLPorts options).

The following example commands show how to update the MMP configuration:

  • To enable MMP: msconfig set mmp.enable 1

  • To change an IMAP proxy option: msconfig set imapproxy.<option> <value>

  • To change a POP proxy option: msconfig set popproxy.<option> <value>

  • To change an SMTP proxy option: msconfig set smtpproxy.<option> <value>

  • To set a certmap default option: msconfig set base.certmap:default.<option> <value>

See the Messaging Server Reference, or option descriptions in the msconfig online help, for more information.

Multiplexor Services

A multiplexor is necessary to achieve horizontal scalability (the ability to support more users by adding more machines), because it provides a single domain name that can be used to connect indirectly to multiple mail stores. A multiplexor can also provide security benefits.

In Unified Configuration, MMP is no longer managed separately from Oracle Communications Messaging Server.

Multiplexor Benefits

Message stores on heavily used messaging servers can grow quite large. Spreading user mailboxes and user connections across multiple servers can therefore improve capacity and performance. In addition, it can be more cost-effective to use several small server machines than one large, high-capacity, multiprocessor machine.

If the size of your mail-server installation requires the use of multiple message stores, your organization can benefit in several ways from using the multiplexor. The indirect connection between users and their message stores, coupled with the ease of reconfiguration of user accounts among messaging servers allows for the following benefits:

  • Simplified User Management. Because all users connect to one server (or more, if you have separate multiplexor machines for POP, IMAP, SMTP, or web access), you can preconfigure email clients and distribute uniform login information to all users. This simplifies your administrative tasks and reduces the possibility of distributing erroneous login information.

    For especially high-load situations, you can run multiple multiplexor servers with identical configurations and manage connections to them by DNS round robin or by using a load-balancing system. Because the multiplexors use information stored in the LDAP directory to locate each user's Messaging Server, moving a user to a new server is simple for the system administrator and transparent to the user. The administrator can move a user's mailbox from one Messaging Server host to another, and then update the user's entry in the LDAP directory. The user's mail address, mailbox access, and other client preferences need not change.

  • Improved Performance. If a message store grows prohibitively large for a single machine, you can balance the load by moving some of the message store to another machine.

    You can assign different classes of users to different machines. For example, you can choose to locate premium users on a larger and more powerful machine.

    The multiplexors perform some buffering so that slow client connections (through a modem, for example) do not slow down the Messaging Server.

  • Decreased Cost. Because you can efficiently manage multiple Messaging Server hosts with a multiplexor, you might be able to decrease overall costs by purchasing several small server machines that together cost less than one very large machine.

  • Better Scalability. With the multiplexors, your configuration can expand easily. You can incrementally add machines as your performance or storage-capacity needs grow, without replacing your existing investment.

  • Minimum User Downtime. Using the multiplexors to spread a large user base over many small store machines isolates user downtime. When an individual server fails, only its users are affected.

  • Increased Security. You can use the server machine on which the multiplexor is installed as a firewall machine. By routing all client connections through this machine, you can restrict access to the internal message store machines by outside computers. The multiplexors support both unencrypted and encrypted communications with clients.

About Messaging Multiplexor

The Messaging Multiplexor (MMP) is a specialized messaging server that acts as a single point of connection to multiple back-end messaging servers. With Messaging Multiplexor, large-scale messaging service providers can distribute POP and IMAP user mailboxes across many machines to increase message store capacity. All users connect to the single multiplexor server, which redirects each connection to the appropriate messaging server.

If you provide electronic mail service to many users, you can install and configure the Messaging Multiplexor so that an entire array of Messaging Server hosts appear to your mail users to be a single host.

The Messaging Multiplexor is provided as part of Messaging Server. You can install the MMP at the same time you install Messaging Server or other Communications Suite servers, or you can install the MMP separately at a later time. The MMP supports the following items:

  • Both unencrypted and encrypted (SSL) communications with mail clients.

  • Client certificate-based authentication, described in "Certificate-Based Client Authentication."

  • User pre-authentication, described in "User Pre-Authentication."

  • Virtual domains that listen on different IP addresses and automatically append domain names to user IDs, described in "MMP Virtual Domains."

  • Multiple installations of the MMP on different servers.

  • Enhanced LDAP searching.

  • POP before SMTP service for legacy POP clients.


How the Messaging Multiplexor Works

The MMP is a multithreaded server that facilitates distributing mail users across multiple server machines. The MMP handles incoming client connections destined for other server machines (the machines on which user mailboxes reside). Clients connect to the MMP itself, which determines the correct server for the users, connects to that server, and then passes data between the client and server. This capability allows Internet service providers and other large installations to spread message stores across multiple machines (to increase capacity) while providing the appearance of a single mail host for users (to increase efficiency) and for external clients (to increase security). The following figure shows clients and servers in an MMP installation.

Figure 4-1 Clients and Servers in an MMP Installation


All POP, IMAP, and SMTP clients work with the Messaging Multiplexor. The MMP accepts connections, performs LDAP directory lookups, and routes the connections appropriately. As is typical with other mail server installations, each user is assigned a specific address and mailbox on a specific Messaging Server. However, all connections are routed through the MMP.

In more detail, these are the steps involved in establishing a user connection:

  1. A user's client connects to the MMP, which accepts preliminary authentication information (user name).

  2. The MMP queries the Directory Server to determine which Messaging Server contains that user's mailbox.

  3. The MMP connects to the proper Messaging Server, replays authentication, then acts as a pass-through pipe for the duration of the connection.

Encryption (SSL) Option

Messaging Multiplexor supports both unencrypted and encrypted (SSL) communications between the Messaging Server(s) and their mail clients. The current version of Messaging Server supports the new certificate database format (cert8.db).

When SSL is enabled, the MMP IMAP supports both STARTTLS on the standard IMAP port and IMAP+SSL on port 993. The MMP can also be configured to listen on port 995 for POP+SSL.

In legacy configuration, to enable SSL encryption for your IMAP, POP, and SMTP services, you would uncomment the appropriate SSL settings from the .cfg files. In Unified Configuration, you use the msconfig command to set the appropriate options. You must also set the list of all IMAP, POP, and SMTP server ports regardless of whether or not they are secure. See "Configuring MMP with SSL or Client Certificate-Based Login" for details.

By default, SSL is not enabled. To enable SSL, you must install an SSL server certificate. Then, you should use the msconfig command to set the SSL options. For a list of the SSL options, see the ssl* options in the msconfig online help.

Certificate-Based Client Authentication

In Unified Configuration, the certificate mapping file (certmap.conf), which matches a client's certificate to the correct user in the Users/Groups Directory Server, is no longer used. Instead, you use the following msconfig command to set the appropriate options:

msconfig set base.certmap:default.<option> <value>

The default group name can be replaced with the certificate issuerDN to have configuration specific to certificates from that issuer. That replaces the other groups in the certmap.conf file.

To use certificate-based client authentication, you must also enable SSL encryption as described in "Encryption (SSL) Option."

You also have to configure a store administrator. You can use the mail administrator, but it is recommended that you create a unique user ID, such as mmpstore, for this purpose so that you can set permissions as needed.

In Unified Configuration, the MMP supports the dncomps and filtercomps options. The values of these two options have the form fromattr=toattr. A fromattr value in a certificate's subjectDN can be used to form an LDAP query with the toattr=value element. For example, a certificate with a subjectDN of "cn=Pilar Lorca, ou=pilar, o=example.com" could be mapped to an LDAP query of "(uid=pilar)" with the line:

msconfig> set base.certmap:default.filtercomps ou=uid

To Enable Certificate-based Authentication for Your IMAP or POP Service

  1. Decide on the user ID you intend to use as store administrator. While you can use the mail administrator for this purpose, it is recommended that you create a unique user ID for store administrator (for example, mmpstore).

  2. Make sure that SSL encryption is (or will be) enabled as described in "Encryption (SSL) Option."

  3. Configure the MMP to use certificate-based client authentication by specifying default certmap option in your configuration. For example:

    msconfig set base.certmap:default.dncomps ""
    
  4. Install at least one trusted CA certificate, as described in the discussion on installing certificates of trusted CAs in the Messaging Server Security Guide.

User Pre-Authentication

The MMP provides you with the option of pre-authenticating users by binding to the directory as the incoming user and logging the result.

Note:

Enabling user pre-authentication reduces server performance.

The log entries are in the format:

date time (sid 0xhex) username pre-authenticated - client-IP-address, server-IP-address

Where date is in the format yyyymmdd, time is the time configured on the server in the format hhmmss, hex is the session identifier (sid) represented as a hexadecimal number, the username includes the virtual domain (if any), and each IP address is in dot-quad format.
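The format above, parsed and summarised per client address, as an added example that is not part of the product or its documentation. It assumes the fields are separated by spaces as reconstructed here (the pattern tolerates extra spacing), parses only the documented "pre-authenticated" form, and uses constructed sample lines.

```python
"""Parser for the MMP pre-authentication log format described above, with
a per-client summary of the kind a SOC might keep.  Added example, not
product code.  Assumptions: single spaces between fields (the pattern
tolerates more), and only the documented successful form is parsed."""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address
from typing import Dict, List, Optional, Set

PREAUTH_RE = re.compile(
    r"^(?P<date>\d{8})\s*(?P<time>\d{6})\s*"
    r"\(sid\s+0x(?P<sid>[0-9a-fA-F]+)\)\s*"
    r"(?P<user>\S+)\s+pre-authenticated\s*-\s*"
    r"(?P<client>[\d.]+),\s*(?P<server>[\d.]+)\s*$"
)

# Constructed sample log (not real MMP output); the 999.1.1.1 line is
# deliberately malformed and the last line is unrelated.
SAMPLE_LOG = """\
20240115 093012 (sid 0x1a2b) pilar@example.com pre-authenticated - 192.0.2.10, 192.0.2.1
20240115 093015 (sid 0x1a2c) ravi pre-authenticated - 192.0.2.10, 192.0.2.1
20240115 093020 (sid 0x1a2d) pilar@example.com pre-authenticated - 198.51.100.7, 192.0.2.1
20240115 093021 (sid 0x1a2e) nobody pre-authenticated - 999.1.1.1, 192.0.2.1
20240115 093022 unrelated MMP log line
"""


def parse_preauth(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one pre-authentication entry, or None when the
    line is not a well-formed entry (wrong shape, bad date, bad address)."""
    m = PREAUTH_RE.match(line)
    if not m:
        return None
    try:
        when = datetime.strptime(m["date"] + m["time"], "%Y%m%d%H%M%S")
        client = ip_address(m["client"])   # rejects octets above 255
        server = ip_address(m["server"])
    except ValueError:
        return None
    user = m["user"]
    return {"when": when, "sid": int(m["sid"], 16), "user": user,
            "domain": user.partition("@")[2] or None,  # virtual domain, if any
            "client": str(client), "server": str(server)}


def users_by_client(log: str) -> Dict[str, Set[str]]:
    """Map each client address to the set of user names it pre-authenticated as."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for line in log.splitlines():
        entry = parse_preauth(line)
        if entry:
            seen[entry["client"]].add(entry["user"])
    return dict(seen)


def clients_with_many_users(log: str, max_users: int = 1) -> List[str]:
    """Clients that pre-authenticated as more than max_users distinct names,
    a cheap indicator worth reviewing (shared NAT or credential guessing)."""
    return sorted(c for c, u in users_by_client(log).items() if len(u) > max_users)
```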

MMP Virtual Domains

An MMP virtual domain is a set of configuration settings associated with one or more server IP addresses. The primary use of this feature is to provide different default domains for each server IP address. The hosteddomains option defaults to 1 (enabled).

A user can authenticate to the MMP with either a short-form userID or a fully qualified userID in the form user@domain. When a short-form userID is supplied, the MMP will append the defaultdomain setting, if specified. Consequently, a site which supports multiple hosted domains can permit the use of short-form user IDs simply by associating a server IP address and MMP virtual domain with each hosted domain.

To configure a virtual domain option, use the following command:

msconfig set vdomain:<IP-address>.<option> <value>

For example, to set the default domain, use the following command:

msconfig set vdomain:192.0.2.0.defaultdomain example.com

When set, virtual domain configuration option values override global configuration option values.

You can specify the following configuration options for a virtual domain:

authcachettl
authenticationldapattributes
authservice
authservicettl
binddn
bindpass
clientlookup
crams
debugkeys
defaultdomain
domainsearchformat
ehlokeywords
failovertimeout
hosteddomains
ldapcachesize
ldapcachettl
mailhostattrs
popbeforesmtpkludgechannel
preauth
replayformat
restrictplainpasswords
searchformat
smtpproxypassword
smtprelays
ssladjustciphersuites
sslnicknames
storeadmin
storeadminpass
tcpaccess
tcpaccessattr
virtualdomaindelim

For more information on these configuration options, see the msconfig online help or the Messaging Server Reference.

Tip:

To view the reference information for these configuration options, use the following URL:
http://msg.wikidoc.info/index.php/MMP_Reference#<optionname>

For example, to see the description for the tcpaccess option, use the following URL:

http://msg.wikidoc.info/index.php/MMP_Reference#tcpaccess 

About SMTP Proxy

The MMP includes an SMTP submission proxy, which is disabled by default. Most sites do not need the SMTP proxy because Internet Mail standards already provide an adequate mechanism for horizontal scalability of SMTP (DNS MX records).

The SMTP proxy is useful for the security features it provides. First, the SMTP proxy is integrated with the POP proxy to implement the POP before SMTP authorization facility required by some legacy POP clients. For more information, see the discussion on using the MMP SMTP proxy in the Messaging Server Installation and Configuration Guide. In addition, an investment in SSL acceleration hardware can be maximized by using the SMTP proxy.

Setting Up the Messaging Multiplexor

During the initial runtime configuration of Messaging Server, you determined if you wanted to configure the MMP on a machine. You could either set it up on the same machine as your Messaging Server or set it up on a separate machine.

Note:

MMP does not cache DNS results. A high quality caching DNS server on the local network is a requirement for a production deployment of Messaging Server.


Before You Configure MMP

Before configuring the MMP:

  1. Choose the machine on which you will configure the MMP. It is best to use a dedicated machine for the MMP.

    Note:

    It is recommended that the MMP not be enabled on a machine that is also running either the POP or IMAP servers. If you install MMP on the same machine as Messaging Server, you must make sure that the POP and IMAP servers are set to non-standard ports. That way, the MMP and Messaging Server ports do not conflict with one another.

  2. On the machine where the MMP is to be configured, create a UNIX system user to be used by the MMP. This new user must belong to a UNIX system group. See the discussion on creating UNIX system users and groups in the Messaging Server Installation and Configuration Guide.

  3. Set up the Directory Server and its host machine for use with Messaging Server, if they are not already set up. See the discussion on preparing directory server for Messaging Server configuration in the Messaging Server Installation and Configuration Guide.

  4. If the MMP is upgraded before the back-end servers, set the capability option to match the response to the capability command from the older back end. See the discussion on the capability option in the Messaging Server Reference for more information.

Multiplexor Configuration

To configure the MMP, you must use the Messaging Server configure program, which gives you the option of enabling the Messaging Multiplexor. For detailed information about the configure program, see the Messaging Server Installation and Configuration Guide.

To Configure the MMP

  1. Install Messaging Server software on the machine where you are installing and configuring the MMP.

  2. Configure the MMP by creating the Messaging Server Initial Runtime Configuration. See the discussion on creating the initial Messaging Server runtime configuration in the Messaging Server Installation and Configuration Guide.

Multiplexor Configuration Options

You control how the MMP operates by specifying various configuration options in the Unified Configuration. See the Messaging Server Reference for more information.

Starting the Multiplexor

To start, stop, or refresh an instance of the Messaging Multiplexor, use one of the commands in Table 4-2. These commands are located in the MessagingServer_home/bin directory.

Table 4-2 MMP Commands

Command          Description
---------------  ---------------------------------------------------------------
start-msg mmp    Starts the MMP (only if the MMP is enabled and one is not
                 already running).
stop-msg mmp     Stops the most recently started MMP.
refresh mmp      Causes an MMP that is already running to refresh its
                 configuration without disrupting any active connections.


Modifying an Existing MMP

  1. To modify an existing instance of the MMP, use the msconfig command to edit the configuration as necessary.

  2. Then run either refresh mmp or stop-msg mmp; start-msg mmp.

    Use the former only if you changed "refreshable" options and the latter if you changed any "non-refreshable" options.

Configuring MMP with SSL or Client Certificate-Based Login

This section describes how to configure MMP with SSL or client certificate-based login.

Note:

It is assumed that the MMP is installed on a machine that does not have a Message Store or MTA.

To Configure MMP with SSL

  1. Generate and install the certificate by using the certutil command. See the discussion on certificate based authentication for Messaging Server in the Messaging Server Security Guide for details.

  2. Set the password used for the certificate file. For example:

    msconfig
    msconfig> set "sectoken:Internal (Software) Token.tokenpass" newpassword
    msconfig> write
    

    The default setting for this password was provided during initial configuration, but it might be different. It must match the password that was used when the certificate db was created by running the certutil -N command.

  3. Set sslenable on the relevant proxy (for STARTTLS) and/or set ssl_ports on a tcp_listen for the appropriate proxy. In general, the default settings cover the remainder of the configuration and do not need to be changed.

  4. Start the MMP:

    MessagingServer_home/bin/start-msg
    
  5. If you do not want to use SSL between the MMP and the back-end server, then set the sslbacksideport option to 0 for imapproxy and popproxy as appropriate.

To Configure MMP with Client Certificate-based Login

If you want client certificate based login, do the following:

  1. Get a copy of a client certificate and the CA certificate which signed it.

  2. Import the CA certificate as a Trusted Certificate Authority (see the discussion on obtaining and managing certificates in the Messaging Server Security Guide).

  3. Use the Store Administrator you created during your Messaging Server installation. For more information, see "Specifying Administrator Access to the Message Store."

  4. Set the certmap options for the MMP (the Unified Configuration replacement for the certmap.conf file). For example:

    msconfig> set base.certmap:default.dncomps ""
    msconfig> set base.certmap:default.filtercomps "e=mail"
    

    This means to search for a match with the e field in the certificate DN by looking at the mail attribute in the LDAP server.

  5. Use the msconfig command to update the configuration with the following options:

    1. Set storeadmin and storeadminpass to values from Step 3.

    2. Set usergroupdn to the root of your Users and Groups tree.

  6. If you want client certificates with POP3, repeat Step 5 for the popproxy group.

  7. If the MMP is not already running, start it with the following command in the MessagingServer_home/bin directory:

    start-msg mmp

  8. Import the client certificate into your client. In Netscape Communicator, click the padlock (Security) icon, then select Yours under Certificates, then select Import a Certificate and follow the instructions.

    Note:

    All your users have to perform this step if you want to use client certificates everywhere.
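The mapping rule from "Certificate-Based Client Authentication" (filtercomps ou=uid) and the e=mail setting in Step 4 above, worked through in code as an added example that is not MMP code. It assumes that dncomps entries form the search base (an empty dncomps meaning search from usergroupdn), that several filtercomps entries are ANDed into one filter, and that values copied from the certificate DN are escaped before they enter the LDAP query.

```python
"""Certificate-to-LDAP mapping as described on this page: each dncomps and
filtercomps entry is fromattr=toattr, and a fromattr value from the client
certificate's subjectDN becomes a toattr=value element of the LDAP query.
Added example, not MMP code.  Assumed combination rules: dncomps entries
form the search base (empty dncomps means search from usergroupdn) and
filtercomps entries are ANDed into one filter."""
import re
from typing import List, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """'cn=Pilar Lorca, ou=pilar, o=example.com' -> [('cn', 'Pilar Lorca'), ...].
    Simple DNs only (no multi-valued RDNs, no escaped commas)."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if not attr or not value:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def parse_comps(setting: str) -> List[Tuple[str, str]]:
    """'ou=uid e=mail' -> [('ou', 'uid'), ('e', 'mail')]; '' -> []."""
    comps = []
    for item in setting.split():
        frm, _, to = item.partition("=")
        if not frm or not to:
            raise ValueError(f"malformed component: {item!r}")
        comps.append((frm.lower(), to))
    return comps


def filter_escape(value: str) -> str:
    """RFC 4515 escaping: a certificate DN is supplied by the client, so its
    text must never be able to change the structure of the search filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def dn_escape(value: str) -> str:
    """RFC 4514 escaping for values placed into the search base DN."""
    out = re.sub(r'([,+"\\<>;])', r"\\\1", value)
    return "\\" + out if out[:1] in ("#", " ") else out


def certmap_query(subject_dn: str, dncomps: str, filtercomps: str,
                  usergroupdn: str) -> Tuple[str, str]:
    """Return (search base, search filter) for one client certificate."""
    subject = dict(parse_dn(subject_dn))

    def pick(frm: str) -> str:
        if frm not in subject:
            raise LookupError(f"certificate subjectDN has no {frm} component")
        return subject[frm]

    base_parts = [f"{to}={dn_escape(pick(frm))}"
                  for frm, to in parse_comps(dncomps)]
    base = ",".join(base_parts) if base_parts else usergroupdn
    terms = [f"({to}={filter_escape(pick(frm))})"
             for frm, to in parse_comps(filtercomps)]
    if not terms:
        raise ValueError("filtercomps must name at least one component")
    query = terms[0] if len(terms) == 1 else "(&" + "".join(terms) + ")"
    return base, query


if __name__ == "__main__":
    # The page's own example: filtercomps ou=uid maps ou=pilar to (uid=pilar).
    print(certmap_query("cn=Pilar Lorca, ou=pilar, o=example.com",
                        "", "ou=uid", "o=example.com"))
```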

A Sample Topology

The fictional Example Corporation has two Messaging Multiplexors on separate machines, each supporting several Messaging Servers. POP and IMAP user mailboxes are split across the Messaging Server machines, with each server dedicated exclusively to POP or exclusively to IMAP. (You can restrict client access to POP services alone by removing the imapproxy entry from the MMP configuration. Likewise, you can restrict client access to IMAP services alone by removing the popproxy entry from the MMP configuration). Each Messaging Multiplexor also supports only POP or only IMAP. The LDAP directory service is on a separate, dedicated machine.

The following figure illustrates this topology.

Figure 4-2 Multiple MMPs Supporting Multiple Messaging Servers


MMP Tasks


To Configure Mail Access with MMP

The MMP does not make use of the PORT_ACCESS mapping table. If you wish to reject SMTP connections from certain IP addresses and you are using the MMP, you must use the tcpaccessattr option.

To Set a Failover MMP LDAP Server

It is possible to specify more than one LDAP server for the MMP so that if one fails another takes over. Modify the ugldaphost option. For example:

msconfig set ugldaphost "ldap1.example.com ldap2.example.com"

Note:

Make sure there is a space between the host names in the preceding command and, because of that space, enclose the hosts in quotation marks.