45 Configuring POP, IMAP, and HTTP Services

This chapter describes how to configure your server to support one or more of the POP, IMAP, or HTTP services by using command-line utilities.

Oracle Communications Messaging Server supports the Post Office Protocol 3 (POP3), the Internet Mail Access Protocol 4 (IMAP4), and the HyperText Transfer Protocol (HTTP) for client access to mailboxes. IMAP and POP are both Internet-standard mailbox protocols. Convergence, a web-enabled electronic mail program, enables end users to access their mailboxes by using a browser running on an Internet-connected computer system using HTTP.

General Configuration

Configuring the general features of the Messaging Server POP, IMAP, and HTTP services includes enabling or disabling the services, assigning port numbers, and optionally modifying service banners sent to connecting clients. This section provides background information about configuring these services.

Enabling and Disabling Services

You can control whether any particular instance of Messaging Server makes its POP, IMAP, or HTTP service available for use. This is not the same as starting and stopping services (see "Stopping and Starting Messaging Server"). To function, POP, IMAP, or HTTP must be both enabled and started.

Enabling a service is a more "global" process than starting or stopping a service. For example, the Enable setting persists across system reboots, whereas you must restart a previously "stopped" service after a reboot.

There is no need to enable services that you do not plan to use. For example, if a Messaging Server instance is used only as a Mail Transfer Agent (MTA), you should disable POP, IMAP, and HTTP services. If a Messaging Server instance is used only for POP services, you should disable IMAP and HTTP. If a Messaging Server instance is used only for web-based email, you should disable both POP and IMAP.

You can enable or disable services at the server level, as described later in this chapter; "To Specify What Services Can Be Started" also describes this process. In addition, you can enable or disable services at the user level by setting the LDAP attribute mailAllowedServiceAccess, described in Schema Reference.

Specifying Port Numbers

For each service, you can specify the port number that the server is to use for service connections:

  • If you enable the POP service, you can specify the port number that the server is to use for POP connections. The default is 110.

  • If you enable the IMAP service, you can specify the port number that the server is to use for IMAP connections. The default is 143.

  • If you enable the HTTP service, you can specify the port number that the server is to use for HTTP connections. The default is 8990.

You might need to specify a port number other than the default if you have, for example, two or more IMAP server instances on a single host machine, or if you are using the same host machine as both an IMAP server and a Messaging Multiplexor server. See "Configuring and Administering Multiplexor Services" for information about the Multiplexor.

Keep the following in mind when you specify a port:

  • Port numbers can be any number from 1 to 65535.

  • Make sure the port you choose isn't already in use or reserved for another service.

Ports for Encrypted Communications

Messaging Server supports encrypted communications with IMAP, POP, and HTTP clients by using the Secure Sockets Layer (SSL) protocol. For general information on support for SSL in Messaging Server, see the discussion on configuring encryption and certificate-based authentication in Messaging Server Security Guide.

IMAP Over SSL

You can accept the default (recommended) IMAP over SSL port number (993) or you can specify a different port for IMAP over SSL.

Messaging Server provides the option of using separate ports for IMAP and IMAP over SSL because most current IMAP clients require separate ports for them. Same-port communication with both IMAP and IMAP over SSL is an emerging standard. As long as your Messaging Server has an installed SSL certificate (see the discussion on obtaining certificates in Messaging Server Security Guide), it can support same-port IMAP over SSL.

POP Over SSL

The default separate SSL port for POP is 995. You can also initiate SSL over the normal POP port with the STLS command (see "To Configure POP Services").

HTTP Over SSL

You can accept the default HTTP over SSL port number (8991) or you can specify a different port for HTTPS.

Service Banner

When a client first connects to the Messaging Server POP or IMAP port, the server sends an identifying text string to the client. This service banner (not normally displayed to the client's user) identifies the server as Messaging Server, and gives the server's version number. The banner is most typically used for client debugging or problem-isolation purposes.

You can replace the default banner for the POP or IMAP service if you want a different message sent to connecting clients.

Use the msconfig utility and the pop.banner option (or imap.banner for IMAP) to set service banners.

Login Requirements

You can control how users are permitted to log in to the POP, IMAP, or HTTP service to retrieve mail. You can allow password-based login (for all services), and certificate-based login (for IMAP or HTTP services). This section provides background information. See the following sections for information about configuring these settings:

In addition, you can specify the valid login separator for POP logins.

To Set the Separator for POP Clients

Some older mail clients do not accept @ as the login separator (that is, the @ in an address like uid@domain). If you are using one of these older mail clients, the workaround is as follows:

  1. Make + a valid separator with the following command:

    msconfig set base.loginseparator "@+"
    
  2. Inform POP client users that they should log in with + as the login separator, not @.

To Allow Log In without Using the Domain Name

A typical login involves the user entering a user ID followed by a separator and the domain name and then the password. Users in the default domain specified during installation, however, can log in without entering a domain name or separator.

To allow users of other domains to log in with just the user ID (that is, without having to use the domain name and separator) set the auth.searchfordomain option to 0. The user ID must be unique to the entire directory tree. If it is not unique, logging in without the domain name will not work.

You might want to modify the attribute that the user must enter to log in. For example, to allow the user to log in with a phone number (telephoneNumber) or employee number (employeeID), change the LDAP search defined by the auth.searchfilter option. This option is a global default setting for the inetDomainSearchFilter per-domain attribute and follows the same syntax.

Refer to Messaging Server Reference for further information on these options.

Password-Based Login

In typical messaging installations, users access their mailboxes by entering a password into their POP, IMAP, or HTTP mail client. The client sends the password to the server, which uses it to authenticate the user. If the user is authenticated, the server decides, based on access-control rules, whether or not to grant the user access to certain mailboxes stored on that server.

If you allow password login, users can access POP, IMAP, or HTTP by entering a password. (Password- or SSL-based login is the only authentication method for POP services.) Passwords are stored in an LDAP directory. Directory policies determine what password policies, such as minimum length, are in effect.

If you disallow password login for IMAP or HTTP services, password-based authentication is not permitted. Users are then required to use certificate-based login, as described in the next section.

To increase the security of password transmission for IMAP and HTTP services, you can require that passwords be encrypted before they are sent to your server. You do this by selecting a minimum cipher-length requirement for login.

  • If you choose 0, you do not require encryption. Passwords are sent in the clear or they are encrypted, depending on client policy.

  • If you choose a nonzero value, the client must establish an SSL session with the server by using a cipher whose key length is at least the value you specify, thus encrypting any IMAP or HTTP user passwords the client sends.

If the client is configured to require encryption with key lengths greater than the maximum your server supports, or if your server is configured to require encryption with key lengths greater than what the client supports, password-based login cannot occur. For information on setting up your server to support various ciphers and key lengths, see the discussion on enabling SSL and selecting ciphers in Messaging Server Security Guide.
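As an added illustration (not part of this chapter or of Messaging Server itself), the Python script below reads the capabilities a POP or IMAP listener advertises before any TLS layer is negotiated and reports whether a cleartext password login is still on offer, which is the condition a nonzero minimum cipher length is meant to rule out. The sample replies are constructed; the host name passed to probe_live is a placeholder you supply, and the LOGINDISABLED, STARTTLS and STLS tokens are the standard RFC 2595 and RFC 2449 indicators rather than anything quoted from this chapter.

```python
"""Report whether a POP or IMAP listener still offers cleartext password login
before TLS is negotiated. Added example; the sample replies are constructed."""
import imaplib
import poplib
import re

# Constructed sample replies (not captured from a real Messaging Server).
IMAP_HARDENED = ("* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED SASL-IR] "
                 "Messaging Server ready")
IMAP_WEAK = ("* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN] "
             "Messaging Server ready")
POP_HARDENED = "+OK Capability list follows\r\nTOP\r\nUIDL\r\nSTLS\r\nSASL\r\n.\r\n"
POP_WEAK = "+OK Capability list follows\r\nTOP\r\nUIDL\r\nUSER\r\nSASL PLAIN\r\n.\r\n"


def imap_capabilities(reply: str) -> set:
    """Capability tokens (upper-cased) from an IMAP greeting that carries a
    [CAPABILITY ...] code, or from an untagged '* CAPABILITY ...' line."""
    m = (re.search(r"\[CAPABILITY ([^\]]*)\]", reply)
         or re.search(r"^\* CAPABILITY (.*)$", reply, re.M))
    return {tok.upper() for tok in m.group(1).split()} if m else set()


def pop_capabilities(reply: str) -> dict:
    """Parse an RFC 2449 CAPA reply into {CAPABILITY: [arguments]}."""
    lines = reply.replace("\r\n", "\n").split("\n")
    if not lines or not lines[0].startswith("+OK"):
        return {}
    caps = {}
    for line in lines[1:]:
        if line == ".":          # end of the multi-line reply
            break
        if line:
            name, *args = line.split()
            caps[name.upper()] = args
    return caps


def assess_imap(caps: set) -> dict:
    """RFC 2595: a server that refuses LOGIN before TLS advertises LOGINDISABLED
    and withholds AUTH=PLAIN / AUTH=LOGIN until after STARTTLS. A missing
    LOGINDISABLED or an advertised cleartext mechanism means a password can go
    out unencrypted whenever the client does not choose TLS."""
    cleartext = sorted(c for c in caps if c in ("AUTH=PLAIN", "AUTH=LOGIN"))
    return {
        "starttls": "STARTTLS" in caps,
        "cleartext_login_allowed": "LOGINDISABLED" not in caps or bool(cleartext),
        "cleartext_mechanisms": cleartext,
    }


def assess_pop(caps: dict) -> dict:
    """STLS only makes encryption possible; USER (RFC 2449) or SASL PLAIN in the
    pre-STLS CAPA reply means cleartext login is advertised. A server that
    accepts USER/PASS without advertising USER is still exposed, so this is a
    lower bound, not proof of safety."""
    plain_sasl = "PLAIN" in [m.upper() for m in caps.get("SASL", [])]
    return {
        "stls": "STLS" in caps,
        "cleartext_login_advertised": "USER" in caps or plain_sasl,
    }


def probe_live(host: str, imap_port: int = 143, pop_port: int = 110) -> dict:
    """Read the pre-TLS capabilities of your own server. host is a placeholder
    you supply; only CAPABILITY and CAPA are sent, never credentials."""
    result = {}
    imap = imaplib.IMAP4(host, imap_port)   # fetches CAPABILITY on connect
    try:
        result["imap"] = assess_imap(set(imap.capabilities))
    finally:
        imap.logout()
    pop = poplib.POP3(host, pop_port)
    try:
        result["pop"] = assess_pop({k.upper(): v for k, v in pop.capa().items()})
    finally:
        pop.quit()
    return result


if __name__ == "__main__":
    print("IMAP (weak sample):", assess_imap(imap_capabilities(IMAP_WEAK)))
    print("POP (hardened sample):", assess_pop(pop_capabilities(POP_HARDENED)))
```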

Certificate-Based Login

In addition to password-based authentication, Oracle servers support the authentication of users through examination of their digital certificates. Instead of presenting a password, the client presents the user's certificate when it establishes an SSL session with the server. If the certificate is validated, the user is considered authenticated.

For instructions on setting up Messaging Server to accept certificate-based user login to the IMAP or HTTP service, see the discussion on setting up certificate-based login in Messaging Server Security Guide.

If you have performed the tasks required to set up certificate-based login, both password-based and certificate-based login are supported. Then, if the client establishes an SSL session and supplies a certificate, certificate-based login is used. If the client does not use SSL or does not present a client certificate, it sends a password instead.

Performance Options

You can set some of the basic performance options for the POP, IMAP, and HTTP services of Messaging Server. Based on your hardware capacity and your user base, you can adjust these options for maximum efficiency of service. This section provides background information. See the following sections for the steps you follow to make these settings:

Number of Processes

Messaging Server can divide its work among several executing processes, which in some cases can increase efficiency. This capability is especially useful with multiprocessor server machines, in which adjusting the number of server processes can allow more efficient distribution of multiple tasks among the hardware processors.

There is a performance overhead, however, in allocating tasks among multiple processes and in switching from one process to another. The advantage of having multiple processes diminishes with each new one added. A simple rule of thumb for most configurations is to have one IMAPD and one POPD process per hardware processor on your server machine, up to a maximum of perhaps four processes. Your optimum configuration might be different. This rule of thumb is meant only as a starting point for your own analysis.

Note:

On some platforms you might also want to increase the number of processes to get around certain per-process limits (such as the maximum number of file descriptors), specific to that platform, that might affect performance. The default number of processes is one each for the POP, IMAP, or HTTP service.

Number of Connections per Process

The more simultaneous client connections your POP, IMAP, or HTTP service can maintain, the better it is for clients. If clients are denied service because no connections are available, they must then wait until another client disconnects.

On the other hand, each open connection consumes memory resources and makes demands on the I/O subsystem of your server machine, so there is a practical limit to the number of simultaneous sessions you can expect the server to support. (You might be able to increase that limit by increasing server memory or I/O capacity.)

IMAP, HTTP, and POP have different needs in this regard:

  • IMAP connections are generally long-lived compared to POP and HTTP connections. When a user connects to IMAP to download messages, the connection is usually maintained until the user quits or the connection times out. In contrast, a POP or HTTP connection is usually closed as soon as the POP or HTTP request has been serviced.

  • IMAP and HTTP connections are generally very efficient compared to POP connections. Each POP re-connection requires re-authentication of the user. In contrast, an IMAP connection requires only a single authentication because the connection remains open for the duration of the IMAP session (login to logout). An HTTP connection is short, but the user need not re-authenticate for each connection because multiple connections are allowed for each HTTP session (login to logout). POP connections, therefore, involve much greater performance overhead than IMAP or HTTP connections. Messaging Server, in particular, has been designed to require very low overhead by open but idle IMAP connections and by multiple HTTP connections.

Note:

For more information about HTTP session security, see the discussion about HTTP security in Messaging Server Security Guide.

Thus, at a given moment for a given user demand, Messaging Server may be able to support many more open IMAP or HTTP connections than POP connections.

The default value for IMAP is 4000. The default value for HTTP is 6000 connections per process. The default value for POP is 600. These values represent roughly equivalent demands that can be handled by a typically configured server machine. Your optimum configuration might be different. These defaults are meant only as general guidelines.

Typically, active POP connections are much more demanding on server resources and bandwidth than active IMAP connections since IMAP connections are idle most of the time while POP connections are constantly downloading messages. Having a lower number of sessions for POP is correct. Conversely, POP connections only last as long as it takes to download email, so an active POP user is only connected a small percentage of the time, while IMAP connections stay connected between successive mail checks.

Number of Threads per Process

Besides supporting multiple processes, Messaging Server further improves performance by subdividing its work among multiple threads. The server's use of threads greatly increases execution efficiency, because commands in progress are not holding up the execution of other commands. Threads are created and destroyed, as needed during execution, up to the maximum number you have set.

Having more simultaneously executing threads means that more client requests can be handled without delay, so that a greater number of clients can be serviced quickly. However, there is a performance overhead to dispatching among threads, so there is a practical limit to the number of threads the server can use.

For POP, IMAP, and HTTP, the default maximum value is 250 threads per process. The numbers are equal despite the fact that the default number of connections for IMAP and HTTP is greater than for POP. It is assumed that the more numerous IMAP and HTTP connections can be handled efficiently with the same maximum number of threads as the fewer, but busier, POP connections. Your optimum configuration might be different, but these defaults are high enough that it is unlikely you would ever need to increase them; the defaults should provide reasonable performance for most installations.

Dropping Idle Connections

To reclaim system resources used by connections from unresponsive clients, the IMAP4, POP3, and HTTP protocols permit the server to unilaterally drop connections that have been idle for a certain amount of time.

The respective protocol specifications require the server to keep an idle connection open for a minimum amount of time. The default times are 10 minutes for POP, 30 minutes for IMAP, and 3 minutes for HTTP. You can increase the idle times beyond the default values, but you cannot make them less.

If a POP or IMAP connection is dropped, the user must re-authenticate to establish a new connection. In contrast, if an HTTP connection is dropped, the user need not re-authenticate because the HTTP session remains open. For more information about HTTP session security, see the discussion about HTTP security in Messaging Server Security Guide.

Idle POP connections are usually caused by some problem (such as a crash or hang) that makes the client unresponsive. Idle IMAP connections, on the other hand, are a normal occurrence. To keep IMAP users from being disconnected unilaterally, IMAP clients typically send a command to the IMAP server at some regular interval that is less than 30 minutes.

Logging Out HTTP Clients

An HTTP session can persist across multiple connections. HTTP clients are not logged out when a connection is dropped. However, if an HTTP session remains idle for a specified time period, the server automatically drops the HTTP session and the client is logged out (the default time period is 2 hours). When the session is dropped, the client's session ID becomes invalid and the client must re-authenticate to establish another session. For more information about HTTP security and session IDs, see the discussion about HTTP security in Messaging Server Security Guide.

Client Access Controls

Messaging Server includes access-control features that enable you to determine which clients can gain access to its POP, IMAP, or HTTP messaging services (and SMTP as well). You can create flexible access filters that allow or deny access to clients based on a variety of criteria.

Client access control is an important security feature of Messaging Server. For information on creating client access-control filters and examples of their use, see the discussion on configuring client access to POP, IMAP, and HTTP services in Messaging Server Security Guide.

To Configure POP Services

You configure the Messaging Server POP service by using the msconfig command. This section lists the more common POP services options. The Messaging Server Reference provides a complete listing of options.

Note:

For the POP service, password-based login is automatically enabled.

For more information, see also:

  • To enable the POP service:

    msconfig set pop.enable 1
    
  • To disable the POP service:

    msconfig set pop.enable 0
    
  • To specify the port number:

    msconfig set pop.port port_number
    
  • To set the maximum number of processes (see "Number of Processes" for additional information):

    msconfig set pop.numprocesses number
    
  • To enable POP over SSL on port 995:

    msconfig
    msconfig> set pop.enablesslport 1
    msconfig# set pop.sslusessl 1
    msconfig# set pop.sslport 995
    msconfig# write
    msconfig> exit
    stop-msg pop
    start-msg pop
    

    TLS is also supported if SSL is configured correctly.

  • To specify a protocol welcome banner:

    msconfig set pop.banner banner
    

To Configure IMAP Services

You configure the Messaging Server IMAP service by using the msconfig command. This section lists the common IMAP services options. Messaging Server Reference provides a complete listing of options. For more information, see also:

  • To enable the IMAP service:

    msconfig set imap.enable 1
    
  • To disable the IMAP service:

    msconfig set imap.enable 0
    
  • To specify the port number:

    msconfig set imap.port number
    
  • To enable a separate port for IMAP over SSL:

    msconfig set imap.enablesslport 1
    
  • To specify a port number for IMAP over SSL:

    msconfig set imap.sslport number
    
  • To enable or disable password login to the IMAP service:

    msconfig set imap.plaintextmincipher value
    

    If value is greater than 0, the server disables use of plaintext passwords unless a security layer (SSL or TLS) is active. This forces users to enable SSL or TLS in their client to log in, which prevents exposure of their passwords on the network. The default is 0.

  • To set the maximum idle time for connections (see "Dropping Idle Connections" for additional information):

    msconfig set imap.idletimeout number
    
  • To set the maximum number of processes (see "Number of Processes"):

    msconfig set imap.numprocesses number
    
  • To specify a protocol welcome banner:

    msconfig set imap.banner banner
    
  • To enable IMAP over SSL on port 993:

    msconfig
    msconfig> set imap.enablesslport 1
    msconfig# set imap.sslusessl 1
    msconfig# set imap.sslport 993
    msconfig# write
    msconfig> exit
    stop-msg imap
    start-msg imap
    

Configuring IMAP IDLE

The IMAP IDLE extension to the IMAP specification, defined in RFC 2177, enables an IMAP server to notify the mail client when new messages arrive and other updates take place in a user's mailbox. See "Configuring IMAP IDLE" for conceptual and task information on enabling IMAP IDLE in Messaging Server.

To Configure the mshttpd Process for Use by Convergence

Messaging Server supports the mail client Convergence.

While POP and IMAP clients send mail directly to a Messaging Server MTA for routing or delivery, HTTP clients send mail to a specialized web server called the Webmail Server (also called mshttpd or Messaging Server HTTP daemon). Depending on where the message is addressed, the Webmail Server directs the mail to an outbound MTA for routing or to one of the back-end message stores using IMAP. Convergence simply routes requests to and from the Webmail Server.

The Webmail Server accesses the message store through the IMAP server. This provides several advantages:

  • Convergence clients are able to access shared folders that are located on different back-end message stores.

  • The Webmail Server does not need to be installed on each back-end server.

  • The Webmail Server can serve as a front-end server performing multiplexing capabilities.

  • Users can access shared folders that are not on their message store.

The Webmail Server operates as a front-end server receiving HTTP client email requests. It translates these requests to SMTP or IMAP calls and forwards the calls to either the MTA or the appropriate IMAP server on the back-end message store. If Messaging Server is used only for web-based email, make sure that IMAP is enabled.

Configuring Your HTTP Service

Many of the HTTP configuration options are similar to the options available for the POP and IMAP services, including options for connection settings and process settings. This section lists common HTTP service options. Messaging Server Reference provides a complete listing of options. For more information, see also:

For each IMAP server that users access, the Webmail Server needs to know the IMAP port, whether to use SSL, and the administrative credentials for user log-in. The configuration options to do this are as follows:

  • base.proxyimapport: IMAP port on which to connect (default 143).

  • base.proxyimapssl: Enable SSL (default no).

  • base.proxyadmin: Specifies the store Admin ID.

  • base.proxyadminpass: Specifies the store Admin password.

You can set these options globally in Unified Configuration to apply to every IMAP back-end server by using base.proxyadmin. Alternatively, you can set these options for each individual IMAP back-end server by using proxy:storeaffinitygroup.imapadmin.

To use IMAP over SSL, you must configure mshttpd as an SSL HTTP server, and the mshttpd certificate database must trust the IMAP back end's CA. You must enable http.sslusessl. If the back-end message store running IMAP is using a self-signed certificate (for example, as created by generate-certDB), then this certificate needs to be added to the front-end mshttpd daemon server.

If base.proxyadmin and base.proxyadminpass are not configured, logins are rejected. The system provides the error message, "Mail server unavailable. Administrator, check server log for details" and the HTTP log lists the missing configuration options.

Additional values for HTTP attributes can be set at the command line as follows:

  • To enable the HTTP service:

    msconfig set http.enable 1
    
  • To disable the HTTP service:

    msconfig set http.enable 0
    

By default, the HTTP service sends outgoing web mail to the local MTA for routing or delivery. You might want to configure the HTTP service to send mail to a remote MTA, for example, if your site is a hosting service and most recipients are not in the same domain as the local host machine. To send web mail to a remote MTA, you need to specify the remote host name and the SMTP port number for the remote host.

  • To specify the port number:

    msconfig set http.port number
    
  • To enable a separate port for HTTP over SSL:

    msconfig set http.enablesslport 1
    
  • To specify a port number for HTTP over SSL:

    msconfig set http.sslport number
    
  • To enable or disable password login:

    msconfig set http.plaintextmincipher value
    

    If value is greater than 0, the server disables use of plaintext passwords unless a security layer (SSL or TLS) is active. This forces users to enable SSL or TLS in their client to log in, which prevents exposure of their passwords on the network. The default is 0.

  • To set the maximum idle time for client sessions (for more information, see "Logging Out HTTP Clients"):

    msconfig set http.sessiontimeout number
    
  • To set the maximum number of threads per process:

    msconfig set http.maxthreads number
    
  • To set the maximum number of processes:

    msconfig set http.numprocesses number
    

When an HTTP client constructs a message with attachments, the attachments are uploaded to the server and stored in a file. The HTTP service retrieves the attachments and constructs the message before sending the message to an MTA for routing or delivery. You can accept the default attachment spool directory or specify an alternate directory. You can also specify a maximum size allowed for attachments. Use the following commands to specify the attachment spool directory for client outgoing mail and the maximum message size.

  • To set the spool directory:

    msconfig set http.spooldir dirpath
    
  • To specify the maximum message size:

    msconfig set http.maxmessagesize size
    

where size is a number in bytes. This includes all the attachments encoded in base64, and base64 encoding requires an extra 33 percent more space. Thus, a 5 Mb limit in the option results in the maximum size of one message and attachments being about 3.75 Mb.

  • To specify an alternate MTA host name:

    msconfig set http.smtphost hostname
    
  • To specify the port number for the alternate MTA host name:

    msconfig set http.smtpport portnum
    

To enable HTTP access over SSL on port 8991:

msconfig
msconfig> set http.enablesslport 1
msconfig# set http.sslusessl 1
msconfig# set http.sslport 8991
msconfig# write
msconfig> exit
stop-msg http
start-msg http
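The following Python linter is an added example, not a Messaging Server tool: it checks a flat mapping of the msconfig options from this chapter against the constraints the chapter states (port range, one service per port, enablesslport paired with sslusessl, a nonzero plaintextmincipher for IMAP and HTTP, imap.idletimeout not below the 30-minute minimum, and no enabled service the host does not need). The settings dicts are constructed; treating an absent enable flag as 0 and imap.idletimeout as minutes are assumptions of the example.

```python
"""Lint a flat {msconfig option: value} mapping for the POP, IMAP and HTTP
services against the constraints stated in this chapter. Added example, not a
Messaging Server tool; the settings below are constructed."""

# Defaults quoted from the chapter. Treating an absent enable, enablesslport or
# sslusessl flag as 0 is an assumption of this example.
DEFAULTS = {
    "pop.port": 110, "imap.port": 143, "http.port": 8990,
    "pop.sslport": 995, "imap.sslport": 993, "http.sslport": 8991,
    "imap.plaintextmincipher": 0, "http.plaintextmincipher": 0,
    "imap.idletimeout": 30,   # assumed to be in minutes, matching the chapter
}
IMAP_MIN_IDLE = 30            # protocol minimum the chapter says cannot be lowered


def lint(settings: dict, needed=None) -> list:
    """Return human-readable findings; an empty list means nothing was flagged.
    needed, if given, is the set of services this host is supposed to offer."""
    def val(key):
        return settings.get(key, DEFAULTS.get(key, 0))

    findings = []
    in_use = {}   # port -> option that claims it, for enabled services only
    for svc in ("pop", "imap", "http"):
        if val(f"{svc}.enable") != 1:
            continue
        if needed is not None and svc not in needed:
            findings.append(f"{svc} is enabled but this host does not need it; "
                            f"set {svc}.enable 0")
        port_opts = [f"{svc}.port"]
        if val(f"{svc}.enablesslport") == 1:
            port_opts.append(f"{svc}.sslport")
            if val(f"{svc}.sslusessl") != 1:
                findings.append(f"{svc}.enablesslport is 1 but {svc}.sslusessl is "
                                f"not; the SSL port will not serve TLS")
        for opt in port_opts:
            port = val(opt)
            if not isinstance(port, int) or not 1 <= port <= 65535:
                findings.append(f"{opt}={port!r} is not a port in 1-65535")
                continue
            if port in in_use:
                findings.append(f"{opt} and {in_use[port]} both claim port {port}")
            in_use[port] = opt
        if svc in ("imap", "http") and val(f"{svc}.plaintextmincipher") <= 0:
            findings.append(f"{svc}.plaintextmincipher is 0: passwords are accepted "
                            f"in the clear unless the client chooses SSL/TLS")
    if val("imap.enable") == 1 and val("imap.idletimeout") < IMAP_MIN_IDLE:
        findings.append(f"imap.idletimeout={val('imap.idletimeout')} is below the "
                        f"{IMAP_MIN_IDLE}-minute minimum")
    return findings


# Constructed settings for a host meant to serve only IMAP and HTTP.
SAMPLE = {
    "pop.enable": 1, "pop.port": 110,
    "imap.enable": 1, "imap.port": 143, "imap.enablesslport": 1,
    "imap.sslport": 993, "imap.sslusessl": 1, "imap.plaintextmincipher": 0,
    "imap.idletimeout": 15,
    "http.enable": 1, "http.port": 8990, "http.enablesslport": 1,
    "http.sslport": 993, "http.sslusessl": 0, "http.plaintextmincipher": 128,
}
# The same host with every finding corrected.
HARDENED = dict(SAMPLE, **{"pop.enable": 0, "imap.plaintextmincipher": 128,
                           "imap.idletimeout": 30, "http.sslport": 8991,
                           "http.sslusessl": 1})

if __name__ == "__main__":
    for finding in lint(SAMPLE, needed={"imap", "http"}):
        print("-", finding)
```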