Messaging Server Administrator's Guide: Messaging Multiplexor

Chapter 13 Messaging Multiplexor

This chapter describes Netscape Messaging Multiplexor and provides installation and configuration instructions. This chapter contains the following sections:

About Messaging Multiplexor

Multiplexor Configuration

Installing and Configuring Multiplexor (Unix)

Installing and Configuring Multiplexor (NT)

Running Multiplexor

Uninstalling Multiplexor

About Messaging Multiplexor

Netscape Messaging Multiplexor is a specialized messaging server that acts as a single point of connection to multiple messaging servers. With the Multiplexor, large-scale messaging-service providers can distribute POP and IMAP user mailboxes across many machines to increase messaging capacity. All users connect to the single Multiplexor server, which redirects each connection to the appropriate messaging server.

If you provide electronic mail service to many users, you can install and configure Messaging Multiplexor so that an entire array of messaging servers will appear to your mail users to be a single host.

Messaging Multiplexor is provided as part of Netscape Messaging Server. You can install Messaging Multiplexor when first installing Messaging Server or other Netscape servers, or at a later time.

Netscape Messaging Multiplexor supports:

Both unencrypted and encrypted (SSL) communications with mail clients.

Client certificate-based authentication, described in Certificate-Based Client Authentication.

User pre-authentication, described in User Pre-Authentication.

Virtual domains that listen on different IP addresses and automatically append domain names to user IDs, described in Virtual Domains.

Multiple installations of Multiplexor on different machines (one installation per machine).

Multiple instances of Multiplexor on a server machine, described in Multiple Multiplexor Instances. Multiple instances can be used for alternate configurations such as SSL or the listen port that cannot be handled through virtual domains.

Enhanced LDAP searching.

Multiplexor Benefits

Message stores on heavily used messaging servers can grow quite large. Spreading user mailboxes and user connections across multiple servers can therefore improve capacity and performance. In addition, it may be more cost-effective to use several small server machines than one large, high-capacity, multiprocessor machine.

If the size of your mail-server installation requires the use of multiple messaging servers, your organization can benefit in several ways from using the Messaging Multiplexor. The indirect connection between users and their message stores, coupled with the ease of reconfiguration of user accounts among messaging servers allows for the following benefits:

Simplified user management

Because all users connect to one server (or two, if you have separate Multiplexors for POP and IMAP), you can preconfigure email clients and distribute uniform login information to all users. This simplifies your administrative tasks and reduces the possibility of distributing erroneous login information.

For especially high-load situations, you can run multiple Multiplexor servers and manage connections to them by DNS round robin or by using a load- balancing program, such as LocalDirector from Cisco Systems.

Because Multiplexor uses information stored in the LDAP directory to locate each user's messaging server, moving a user to a new server is simple for the system administrator and transparent to the user. The administrator can move a user's mailbox from one messaging server to another, and then update the user's entry in the directory. The user's mail address, mailbox access, and other client preferences need not change.

Improved performance

If a message store grows prohibitively large for a single machine, you can balance the load by moving some of the message store to another machine.

You can assign different classes of users to different machines. For example, you can choose to locate premium users on a larger and more powerful machine.

Multiplexor performs some buffering, so that slow client connections (through a modem, for example) do not slow down the messaging server.

Decreased cost

Because you can efficiently manage multiple messaging servers with Messaging Multiplexor, you can decrease overall costs by purchasing several small server machines that together cost less than one very large machine.

Better scalability

With Messaging Multiplexor, your configuration can expand easily. You can incrementally add machines as your performance or storage-capacity needs grow, without replacing your existing investment.

Minimum user downtime

Using Messaging Multiplexor to spread a large user base over many small store machines isolates user downtime. When an individual server fails, only its users are affected.

Increased security

You can use the server machine on which Messaging Multiplexor is installed as a firewall machine. By routing all client connections through the Multiplexor machine, you can restrict access to the internal message store machines by outside computers. Messaging Multiplexor supports both unencrypted and encrypted communications with clients.

How Multiplexor Works

Messaging Multiplexor is a multithreaded server that facilitates distributing mail users across multiple server machines. Multiplexor handles incoming client connections destined for other server machines (the machines on which user mailboxes reside). Clients connect to Multiplexor itself, which then redirects the session to the server with the correct mailbox. This capability allows Internet service providers and other large installations to spread message stores across multiple machines (to increase capacity) while providing the appearance of a single mail host for users (to increase efficiency) and for external clients (to increase security).

Figure 13.1 shows how servers and clients relate to each other in a Messaging Multiplexor installation.

Figure 13.1 How the Messaging Multiplexor interacts with clients and servers

All POP and IMAP clients work with Messaging Multiplexor. Messaging Multiplexor accepts connections, performs LDAP directory lookups, and routes the connections appropriately. As is typical with other mail-server installations, each user is assigned a specific address and mailbox on a specific messaging server. However, all connections are routed through Multiplexor.

In more detail, these are the steps involved in establishing a user connection:

A user's client connects to Multiplexor, which accepts preliminary authentication information (user name).

Multiplexor queries an LDAP directory server to determine which messaging server contains that user's mailbox.

Multiplexor connects to the proper messaging server, replays authentication, then acts as a pass-through pipe for the duration of the connection.

Encryption (SSL) Option

The Netscape Multiplexor supports both unencrypted and encrypted (SSL) communications between the IMAP server and mail clients.

In SSL mode, Multiplexor listens by default on port 993. You can specify a different port if you wish. The IMAP Multiplexor SSL supports STARTTLS which allows Multiplexor to promote non-SSL connections to SSL.

To enable SSL encryption for your IMAP service:

When using the mmp-setup script, answer yes to the "Should the IMAP MMP do SSL" prompt. Then specify port, secmodfile, certfile, keyfile, keypass, ciphers, and certname parameters. See Table 13.9 for details about configuration prompts.

When specifying Multiplexor configuration options from the command line, use the -s parameters (secmodfile, certfile, keyfile, keypass, ciphers, and certname) parameters. See Table 13.4 for details.

Certificate-Based Client Authentication

Multiplexor can use certmap to match a client's certificate to the correct user in the user-group LDAP database.

In order to use certificate-based client authentication, you must also enable SSL encryption as described in Encryption (SSL) Option.

You also have to configure a store administrator. You can use the mail administrator, but Netscape recommends that you create a unique user ID, such as mmpstore for this purpose so that you can set permissions as needed.

Note that Multiplexor does not support certmap plug-ins. Instead, Multiplexor accepts enhanced DNComps and FilterComps property value entries in the certmap.conf file. These enhanced format entries use the form:

mapname:DNComps FROMATTR=TOATTR
mapname:FilterComps FROMATTR=TOATTR

So that a FROMATTR value in a certificate's subjectDN can be used to form an LDAP query with the TOATTR=value element. For example, a certificate with a subjectDN of "cn=Pilar Lorca, ou=pilar o=airius.com" could be mapped to an LDAP query of "(uid=pilar)" with the line:

mapname:FilterComps ou=uid

To enable certificate-based authentication for your IMAP service:

Decide on the user ID you intend to use as store administrator.

While you can use the mail administrator for this purpose, Netscape recommends that you create a unique user ID for store administrator. For example, mmpstore.

Make sure that SSL encryption is (or will be) enabled as described in Encryption (SSL) Option.

Configure Multiplexor to use certificate-based client authentication:

When using the mmp-setup script, answer yes to the "Do you have a certmap.conf (Should MMP do client-cert auth)" prompt. Then specify the location of the certmap.conf file, the store administrator user ID, and password. See Table 13.9 for details.

When specifying Multiplexor configuration options from the command line, use the -cm cmfile, -d storeadmin, and -W password options. See Table 13.4 for details about these configuration prompts.

User Pre-Authentication

Multiplexor has the option of pre-authenticating users by binding to the directory as the incoming user and logging the result.

Note: Enabling the pre-authentication option will reduce server performance.

The log entries are in the format:

date time (sid 0x%p) user name pre-authenticated - client IP address

Where date is in the format yyyymmdd, time is in the format hhmmss, sid is the session object, the user name includes the virtual domain (if any), and the IP address is in dot-quad format.

Virtual Domains

Multiplexor supports the 4.0 format virtual domain file syntax.

Virtual domains listen on different IP addresses and automatically append domain names to user IDs. They can also be used to specify alternate configurations.

Multiplexor can map IP addresses to domain names for searching an LDAP directory and for logging in to the store server. When a connection is accepted from a client, if the server's IP address is in the virtual domain mapping file, the domain is appended to the user ID and used for the LDAP search and for subsequent replay of authentication. This capability is useful for hosting multiple domains with overlapping user ID name spaces.

To enable virtual domains:

When installing in Unix environments, answer yes to the "Should this MMP do virtual domain mapping?" prompt. Then specify the location (name) of the virtual domain mapping file and the domain delimiters it uses. See Table 13.7 for details.

When specifying Multiplexor with the Server Setup program in Windows NT environments, answer yes to the "Use Virtual Domain Mapping" prompt. See Table 13.9 for details.

When specifying Multiplexor configuration options from the command line in Windows NT environments, use the -vd file option followed by the -vdd str option. See Table 13.4 for details.

Each entry of a virtual domain file has the following syntax:

vdmap name IPaddr
name:property value

Where name is whatever name you choose to use, IPaddr is in dot-quad format, and property and value pairs configure the virtual domain as described in Table 13.1. When set, virtual domain properties override global configuration parameters.

Table 13.1 describes the properties you can specify for a virtual domain. (See Table 13.3 for a description of configuration variables you can specify for Multiplexor.)

Table 13.1 Virtual domain properties


Property	Description
BindDN BindPass	User-group LDAP credentials. This property is ignored if the LdapUrl property is not set. In most cases it is not necessary to specify this property.
CanonicalVirtual DomainDelim	The delimiter used by the Multiplexor to separate the user ID from the appended virtual domain when talking to the message store server and LDAP server.
CertMapFile	If certificate-based authentication is enabled, the certmap.conf file for this domain.
LdapUrl	The URL for user-group LDAP information using the format: ldap[s]://HOST[:PORT]/BASEDN
MailHostAttrs	A comma-separated list of LDAP attributes to be treated as the users' mailhost. Multiplexor tries to connect to each server returned by the search in turn.
PreAuth	If set to "Yes," pre-authentication is enabled. Note that enabling pre-authentication reduces server performance.
StoreAdmin StoreAdminPass	The store administrator credentials (user ID and password). For proxy-authentication to the store server when the client is authenticated to the Multiplexor via an SSL client certificate.
UidSearch	A printf-style format string with which to construct a user-group LDAP query for the user's mailhost. These are the valid escapes for UidSearch: %s - For userd+virtualdomain %U - For userid only %V - For virtual domain only %C - Client IP address %S - Server IP address %D - Client cert DN
VDomain	The virtual domain name to append to incoming user names (for sites that have virtual domains enabled). If omitted, no domain name is appended to the replayed credentials.
VirtualDomainDelim	A string listing all of the virtual domain delimiters that the Multiplexor accepts. This is just a string of characters not separated by spaces or commas. Any character in the string is treated as a delimiter.
VirtualDomainFile	The name of the file containing your virtual domain mapping. If a filename is entered for this variable, virtual domains are enabled. See Table 13.1 for a description of configuration variables that apply to virtual domains.

Multiple Multiplexor Instances

You can create multiple instances of Multiplexor, all of which must be on the same server. In other words, you can have multiple installations of Multiplexor on different servers, and on any given machine you can have multiple instances.

Using multiple instances of Multiplexor allows you to create alternate configurations, such as SSL or the listen port, that cannot be handled through virtual domains.

You can configure a single instance of Multiplexor to support both POP and IMAP protocols (as shown in Figure 13.1), or you can create separate Multiplexor instances for each protocol, as shown in Figure 13.2. By splitting messaging services across different machines, you can tune the resources on each computer for maximum performance.

Figure 13.2 Separate Multiplexors and messaging servers for POP and IMAP support

For instructions on creating multiple instances of Multiplexor, see Installing and Configuring Multiplexor (Unix) or Installing and Configuring Multiplexor (NT).

Multiplexor Configuration

You control how Multiplexor operates by setting configuration parameters.

There are two ways to set configuration parameters:

Configuration environment variables are parameters that are permanently stored and applied each time Multiplexor is run. There are several methods of specifying configuration environment variables as described in Table 13.2.

Command line configuration options are parameters that are specified on the command line at the time Multiplexor is run. A configuration parameter specified on the command line at the time Multiplexor is run overrides any corresponding value specified as an environment variable. For example, if you have specified a value for the capability parameter as an environment variable, but you enter a different capability value from the command line, the command line value will be used by that Multiplexor session.

Note that the only difference between environment variable and command-line option parameters is how you choose to set them. Any configuration parameter can be set as either an environment variable or a command-line option.

In Unix environments, environment variables for each Multiplexor instance are stored in configuration files named ImapMMP.config and PopMMP.config. These files are stored in the directory MMPRoot/MMP_instanceName.

In NT environments, environment variables for each Multiplexor instance are stored in the Windows registry.

Table 13.2 describes different ways to set environment variables. Table 13.3 describes the configuration parameters you can set for Multiplexor.

Table 13.2 Methods of setting Multiplexor configuration parameters


Unix Environment Configuration Methods	NT Environment Configuration Methods
Run the Server Setup program to install and configure the first Multiplexor instance as described in Multiplexor Installation (Unix) which takes you through the configuration prompts described in Table 13.7. You can also use this method to configure subsequent Multiplexor instances.	Run the Server Setup program as to install and configure the first Multiplexor instance described in Multiplexor Installation (NT) which takes you through the configuration prompts described in Table 13.9. You can also use this method to configure subsequent Multiplexor instances.
Once Multiplexor has been installed with the Server Setup program, you can configure Multiplexor instances with the mmp-setup script as described in Multiplexor Installation (Unix) which takes you through the configuration prompts described in Table 13.7.	(The mmp-setup script is not available on NT platforms.)
An alternate method of configuring Multiplexor instances is to run the PopProxy or ImapProxy commands with the install and command-line options. This displays configuration syntax on your screen which you can paste into Multiplexor configuration files.	An alternate method of configuring Multiplexor instances is to run the PopProxy or ImapProxy commands with the install option and use command-line options to specify configuration variables as described in Command-Line Configuration Options and Table 13.4.
You can also directly edit the configuration parameters in the Multiplexor configuration files as described in Directly Setting Configuration Variables (Unix).	You can also directly edit the configuration parameters in the Windows NT Registry as described in Directly Specifying Configuration Variables (NT).

Note: You cannot run the mmp-setup script or PopProxy or ImapProxy commands, or directly edit variables, until your first instance of Multiplexor has been set up through the Server Setup program.

Multiplexor Configuration Parameters

You control how Multiplexor operates by specifying various configuration parameters, either as environment variables or as command-line options.

Table 13.3 describes the parameters you can set. (Table 13.1 describes the parameters that you can set for virtual domains.)

Note: The names and values of configuration parameters are case-sensitive.

Table 13.3 Multiplexor configuration parameters


Variable	Description
BacksidePort	Port on which to connect to message store server. This parameter lets you run a multiplexor and a store server on the same machine, with the store server on a different port. You might want to do this if you want a flat configuration--that is, if you want to run Multiplexors on all machines. For information about specifying ports, see Configuration Prompts (NT). Default = 110 for POP3; 143 for IMAP (the standard ports) (select n on Unix installer to choose defaults)
Banner	Banner replacement string. Multiplexor will use the string you specify instead of its default banner for its greeting line. Default = "Netscape Messaging Multiplexor ready" (select n on Unix installer to choose default)
BaseDN	BaseDN is where Multiplexor begins its search in the LDAP database. Some LDAP servers may require that a client (in this case Messaging Multiplexor) be authenticated before it can search the database for certain information. If your server has ACLs that require some level of authentication for getting a user's mail information, set this parameter. The BaseDN must specify an entry to which the bind distinguished name (binddn) has access privileges for operations on the directory database. Default: o=mcom.com (Change this to your base DN.)
BindDN	LDAP bind DN to use to authenticate to the LDAP server. Default = Anonymous
BindPass	LDAP bind password. There is no default.
CanonicalVirtual DomainDelim	Canonical virtual domain delimiter. The character used by Multiplexor to separate the user ID from the appended virtual domain when talking to the message store server and LDAP server. The default is +, so user IDs passed to LDAP and the message store servers have the form userid+virtual.domain. Default = "+" (default string passed to directory is "userid+virtual.domain")
Capability	Capability replacement string. Multiplexor will use the string you specify for Capability instead of its default (own) capability to tell IMAP clients what it (or the servers behind it) can do. This variable has no effect in POP3. If you are using Netscape servers and want to use the Manage Mail Account feature, you must specify this Capability configuration parameter to change Multiplexor's capability. A suggested string to support Manage Mail Account is: IMAP4 IMAP4rev1 AUTH=LOGIN AUTH=PLAIN X-NETSCAPE Default = IMAP4 IMAP4rev1 AUTH=LOGIN AUTH=PLAIN (select n on Unix installer to choose default)
CertMapFile	The name of the certmap.conf file. Default = certmap.conf
LDAPHost	LDAP server and port to use for user information. The host machine name and port of the LDAP server that contains your user database (among other things). You must set up the LDAP host before the Multiplexor can work properly. Default = Localhost:IPPORT_LDAP (port 389)
ListenPort	The port on which to listen for incoming client connections. An IP address may be specified for an optional bind address, for multi-homed hosts (hosts that have more than one IP address). For information about specifying ports, see Choosing a Port Number (Unix) or Configuration Prompts (NT). Default = 110 for POP3; 143 for IMAP (the standard ports) (select n on Unix installer to choose defaults)
LogDir	The directory in which the Multiplexor creates log files. If you specify a directory that does not exist, no log file is created. Log file names have the following format: MMP_yyyymmdd.log Default = current directory (the directory that contains Multiplexor)
LogLevel	The logging verbosity level--the amount of information written into log files. You can specify a number from 0 through 10, with 10 representing the highest level of verbosity. At higher levels, more events are logged. The higher the level, the more information in the log. Default = 1
MailHostAttrs	Comma-separated list of LDAP attributes identifying the user's mail host. Multiplexor tries to connect to each server returned by the search in the order specified by the list. Default = mailHost
NumThreads	The maximum number of worker threads to allocate. If the machine has multiple CPUs, running the Multiplexor with worker threads will improve performance. The optimal number of work threads is the number of processors on the machine. For example if your machine has two CPUs, specify 2. If this is a single-processor machine, specify 0 for optimal performance. Default = 0 (the main thread does all the work)
PreAuth	Enables Global Roaming preauthentication. With preauthentication, clients authenticate to Multiplexor and Multiplexor relays authentication information to the message store. If set to "Yes," pre-authentication is enabled. Note that enabling pre-authentication reduces server performance. Default = off
ServerDownAlert	IMAP only. String returned to client in an IMAP ALERT message when Multiplexor cannot connect to a user's store server. Default = "Your IMAP server appears to be temporarily out of service."
SpoofMessageFile	The file to use for POP3 inbox spoofing. Multiplexor can imitate a base-functionality POP3 server in case Multiplexor can't connect to a client's store machine. In such a situation, Multiplexor creates an inbox for the user and places this one message into it. The format of the message contained in this file should conform to RFC 822 (including the final '.'). Default = no spoof message
SSLBacksidePort	Port on which to connect to message store server using SSL.
SSLCertFile	Server certificate database file location (defined when you obtained a certificate for this server). Multiplexor needs a server certificate to offer to clients in the handshake phase of SSL. The location specified here should be absolute, not relative to the Multiplexor installation directory. Default = cert7.db
SSLCertName	Name of this server's SSL server certificate (defined when you obtained the certificate). Multiplexor uses this string to identify the certificate in its certificate database (certfile).
SSLCipherSecs	A colon-separated list of ciphers (or the string "all") representing the cipher algorithms that this server can use to encrypt SSL sessions. The client and server agree to one of them when a session is established. The available cipher specifications are: SSL_RSA_WITH_RC4_128_ MD5 SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_RSA_FIPS_WITH_DES_CBC_SHA SSL_RSA_WITH_DES_CBC_SHA SSL_RSA_EXPORT_WITH_RC4_40_MD5 SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 SSL_RSA_WITH_NULL_MD5 Default = all
SSLEnable	Whether or not to enable SSL. If set to "True" or "Yes", Multiplexor will listen on both normal and SSL ports. If SSL is enabled, all of the following variables must be set. You can specify an empty parameter with empty quotes (""). SSLSecmodFile SSLCertFile SSLKeyFile SSLKeyPasswd SSLCipherSpecs SSLCertNickname Default = n (SSL not enabled)
SSLKeyFile	Key database file location (defined when you obtained a certificate for this server). Multiplexor needs a private key corresponding to its SSL server certificate. The location specified here should be absolute, not relative to the Multiplexor installation directory. Default = key3.d
SSLKeyPasswd	Password that protects access to the private key file. The password may be null if the key is not password-protected. Default = no password protection
SSLListenPort	Port on which to listen for incoming SSL connections. Default = 993 for IMAP (the standard SSL IMAP port) (select n on Unix installer to choose default)
SSLSecmodFile	Security module database file location (usually null). If you have hardware accelerators for SSL ciphers, this file describes them to the Multiplexor. Default = no secmod database (select n on Unix installer to choose default)
StoreAdmin	The user name of the store administrator for proxy authentication during SSL. Default = Null Recommended = mmpstore
StoreAdminPass	Password of store admin for proxy-authentication during SSL. There is no default.
VirtualDomainDelim	String of acceptable virtual domain delimiters. Any character in this string will be treated as a domain delimiter in a user ID received by Multiplexor. (Multiplexor searches user IDs from the end.)
VirtualDomainFile	The name of the file containing your virtual domain mapping. If a filename is entered for this variable, virtual domains are enabled. See Table 13.1 for a description of configuration variables that apply to virtual domains.
UidSearch	A printf-style format string with which to construct user-group LDAP query for the user's mailhost when virtual domains are enabled.

Command-Line Configuration Options

Once an instance of Multiplexor has been installed using the Server Setup program, you can run Multiplexor directly from the command line using either the PopProxy or ImapProxy commands as described in Running Multiplexor.

Note: In NT environments, the preferred method of running Multiplexor is from the Service Control Manager as described in Running Multiplexor (NT). Normally, you would run Multiplexor from the command line only if you wanted to override one or more configuration options by specifying different options on the command line.

If you choose to run Multiplexor from a command line, configuration options you specify on the command line itself take precedence over any corresponding configuration environment variables contained in Unix configuration files or the Windows registry. For example, if there is a UidSearch environment variable set, but you specify a different UidSearch value from the command line, the one you specify on the command line is used for that Multiplexor session. When starting Multiplexor from the command line, configuration options that you do not specify on the command line are taken from environment variables if they exist, or set to default values if there is no existing configuration variable.

To run Multiplexor for POP service with command-line configuration options, use this syntax:

PopProxy [install] [options]

To run Multiplexor for IMAP service with command-line configuration options, use this syntax:

ImapProxy [install] [options]

Where the configuration options you can set are described in Table 13.4. For the environment variables that the command-line options specify, see Table 13.3.

Table 13.4 Multiplexor command-line option descriptions


Option	Description
-a str	IMAP only. IMAP ALERT message. Specifies the message returned to IMAP clients when the Multiplexor cannot connect to a user's store server. Configuration parameter = ServerDownAlert
-b basedn	The distinguished name (DN) to use as the search base for LDAP user queries. Configuration parameter = BaseDN
-ba str	Banner replacement string. Multiplexor uses str instead of its default banner for its greeting line. Configuration parameter = Banner
-c port	The port on which to connect to the message store server. Configuration parameter = BacksidePort
-cm cmfile	Specifies the certmap.conf file. Configuration parameter = CertMapFile
-d storeadmin	The user name of the store administrator for proxy authentication during SSL. Configuration parameter = StoreAdmin Recommended = mmpstore
-D binddn	The distinguished name used by Multiplexor to authenticate to an LDAP server when performing an operation. Configuration parameter = BindDN
h host[:port]	The host machine name and port of the LDAP server that contains your user database (among other things). Configuration parameter = LDAPHost
install	In Unix environments, the install option simply prints out the configuration syntax you specify on the command line. In NT environments, the install option changes the configuration variables you specify in the Windows registry. See Using the install Option for details. Note: If you use the install option, Multiplexor does not run as a server.
-m file	The file to use for POP3 inbox spoofing. Configuration parameter = SpoofMessageFile
-ma str	Comma-separated list of LDAP attributes identifying the user's mail host. Multiplexor tries to connect to each server returned by the search in the order specified by the list. Configuration parameter = MailHostAttrs
-n instance	The name of the instance that is displayed in service control manager. If the Multiplexor instance of this name already exists, the configuration options you specify on the command line will be applied to that instance. If no instance of this name exists, a new one will be created.
-o dir	The directory in which Multiplexor creates log files. If you specify a directory that does not exist, no log file is created. Log file names have the following format: MMP_yyyymmdd.log Configuration parameter = LogDir
-p [IP:]port	The port on which to listen for incoming client connections. IP is an optional bind address for a machine that is multihomed (has more than one IP address). For information about specifying ports, see Choosing a Port Number (Unix) or Configuration Prompts (NT). Configuration parameter = ListenPort
-pre	Enables Global Roaming preauthentication; clients can authenticate to Multiplexor; Multiplexor relays authentication information to the message store. Configuration parameter = PreAuth
-ps port	The port on which to listen for incoming client SSL connections. Configuration parameter = SSLListenPort
-s SSLSecmodFile SSLCertFile SSLKeyFile SSLkeypass SSLCipherSecs SSLCertNickname	Specify whether to enable SSL connections with clients. If you enable SSL, Multiplexor listens on both normal and SSL ports. If you do enable SSL by using the -s option in the command line, you must set the six required SSL parameters in the following order, on the command line: -s SSLSecmodFile SSLCertFile SSLKeyFile SSLkeypass SSLCipherSecs SSLCertNickname See Table 13.5 for descriptions of these six parameters, and Table 13.3 for a description of the variables that they set. You can specify an empty parameter with empty quotes ("").
-t num	The maximum number of worker threads to allocate to the machine on which Multiplexor runs. Configuration parameter = NumThreads
-us str	String for user ID search. When performing LDAP directory searches, Multiplexor uses str instead of the default. Configuration parameter = UidSearch
-v num	The logging verbosity level--the amount of information written into log files. You can specify a number from 0 through 10, with 10 representing the highest level of verbosity. At higher levels, more events are logged. Configuration parameter = LogLevel
-vd file	Virtual domain file location. Configuration parameter = VirtualDomainFile
-vdd str	Virtual domain delimiter list. A string containing the acceptable delimiter characters for virtual domains. Configuration parameter = VirtualDomainDelim
-vddc char	Canonical virtual domain delimiter. Configuration parameter = CanonicalVirtualDomainDelim
-w pass	The password associated with the bind distinguished name, for authenticating to an LDAP server. Configuration parameter = BindPassword
-W pass	The password of the store administrator for proxy authentication during SSL. Configuration parameter = StoreAdminPass
-x str	Capability replacement string. Configuration parameter = Capability

Table 13.5 SSL command line parameters for -s command


Option	Description
SSLSecmodFile	Security module database file location (usually null). Configuration parameter = SSLSecmodFile
SSLCertFile	Server certificate database file location (defined when you obtained a certificate for this server). Configuration parameter = SSLCertFile
SSLKeyFile	Key database file location (defined when you obtained a certificate for this server). Configuration parameter = SSLKeyFile
SSLKeyPasswd	Password that protects access to the private key file. The password may be null if the key is not password-protected. Configuration parameter = SSLKeyPasswd
SSLCipherSpecs	A colon-separated list of ciphers (or the string "all") representing the cipher algorithms that this server can use to encrypt SSL sessions. See Table 13.3 for the available cipher specifications. Configuration parameter = SSLCipherSpecs
SSLCertNickname	Name of this server's SSL server certificate (defined when you obtained the certificate). Configuration parameter = SSLCertNickname

Using the install Option

Note that using the install option aborts loading Multiplexor. In other words, if you run PopProxy or ImapProxy with the install option, Multiplexor does not start.

When running Multiplexor from the command line, you can use the install option:

In NT environments, if you run PopProxy or ImapProxy with the install option, any options you specify on the command line are added to or changed in the NT registry. In other words, options you specify on the command line become environment variables. The next time Multiplexor is started, it will take those variables from the registry. Note that if a parameter is specified in the registry, and you do not include it on the command line, it remains as it was in the registry.

In Unix environments, the install option does not make any changes to any of the configuration files. In other words, the install option does not create any environment variables. Instead, the configuration options you specified on the command line are printed out, and you can copy those into a configuration file.

Installing and Configuring Multiplexor (Unix)

Messaging Multiplexor is available as part of Netscape Messaging Server. You can install Multiplexor at the same time as you install Messaging Server, or you can install it later using the Server Setup program. Either way, you first need to prepare the system to support Multiplexor.

Before You Install (Unix)

Before you install Messaging Multiplexor on a Unix machine, perform the following tasks:

Choose the machine on which you will install Multiplexor. Netscape recommends against installing Multiplexor on a system that is also running Messaging Server or Directory Server. It is best to use a separate machine for Multiplexor.

Check that the system meets all the hardware and software requirements for using Netscape Messaging Server. For more information about installation requirements, see the Messaging Server Installation Guide.

On the machine that Messaging Multiplexor is to be installed on, create a new user to be used exclusively by Multiplexor. This new user must belong to a group. Suggested names for the user are nsmmp ("Netscape Messaging Multiplexor") or nsmail.

Set up the LDAP directory server and its host machine for use with Messaging Server, if they are not already set up. For more information, see the Directory Server documentation.

If you already have an older version of the Multiplexor installed and want to replace it, you must remove the old version of Multiplexor before you can install the new one. To remove Multiplexor, remove the mmp server root directory and the /etc/netscape.mmp.conf file.

HP-UX. If you're using Messaging Multiplexor on HP-UX, you must install the operating-system patches that are required to run Messaging Server 4.1. For more information, see the Messaging Server Installation Guide.

Also for HP-UX, you should increase the values of the configurable kernel parameters maxfiles, maxfiles_lim, and nfiles to a much larger number. For example, with the settings shown below, Multiplexor can support approximately 8,000 simultaneous sessions. (The more RAM you have in your machine, the higher these values can be.)

maxfiles 16384
maxfiles_lim 16384
nfiles 32768

See your platform documentation for information on how to set these parameters.

Multiplexor Files (Unix)

In Unix environments, Multiplexor executable files are stored in the Multiplexor installation directory (MMPRoot in this document), and two subdirectories of MMPRoot: MMPRoot/bin and MMPRoot/lib. At installation time you specify the directory that you want to use as MMPRoot. For example,
/usr/netscape/server4/bin/mmp.

When you install Multiplexor, you create one or more Multiplexor instances. Different instances can use different configuration variables. Each instance has its own directory that contains the configuration files for that instance. Instance directories are created as subdirectories of MMPRoot. For example,
MMPRoot/mplex1.

Table 13.6 lists the principal files that make up a Messaging Multiplexor installation in a Unix environment.

Table 13.6 Messaging Multiplexor files (Unix)


File	Description
PopProxy, ImapProxy	The executable Messaging Multiplexor programs for IMAP and POP services, respectively (installed in directory MMPRoot/bin).
ImapMMP.config, PopMMP.config	Configuration files specifying environment variables used for IMAP and POP services, respectively (installed in directory MMPRoot/MMP_instanceName).
ImapMMP, PopMMP	Shell scripts that set environment variables and execute Multiplexor for IMAP and POP services, respectively (installed in directory MMPRoot/MMP_instanceName). May be included in the init directory to automatically start up Multiplexor.
mmp-setup	The Multiplexor Installer (installed in directory MMPRoot).
libldapv30 (or libldap32v30), libnspr21, libplc21, libplds21	Shared libraries used by Messaging Multiplexor (installed in directory MMPRoot/lib).
$CONFIG_FILE	Identifies the location of MMPRoot (installed in /etc/netscape.mmp.conf).

Multiplexor Installation (Unix)

In Unix environments, there are two ways to install Messaging Multiplexor on a machine:

When you install Messaging Server or other Netscape components, the Server Setup program gives you the option of choosing to install Messaging Multiplexor at the same time. You can run the Server Setup program to install Multiplexor at any time. See Creating a Multiplexor Instance (Unix) for details. (For instructions on using the Server Setup program, see the Messaging Server Installation Guide.)

Once Multiplexor has been installed on a machine, you can also use the Multiplexor Installer to create additional Multiplexor instances by running the mmp-setup script on that machine. See Creating Additional Instances (Unix) for details.

Note: Netscape recommends that Multiplexor not be installed on a machine that is also running either Messaging Server or Directory Server.

Creating a Multiplexor Instance (Unix)

You must use the Server Setup program to create your first Multiplexor instance. This program sets up and then uses the Netscape Messaging Multiplexor Installer. (Note that Multiplexor installation is not the default; you must select it as part of the Messaging Server suite.) For subsequent installations of additional instances, you can call the Multiplexor Installer directly by running the mmp-setup script.

When the Multiplexor Installer starts (either from the Server Setup program or from running mmp-setup), follow these steps to install and configure the Multiplexor:

When prompted for the user name that Multiplexor should run as, enter the user name that you created for exclusive use of Multiplexor as explained in Before You Install (Unix).

The default value is nobody. Change this to the user name that you created.

At the next prompt, enter the installation directory (called MMPRoot/ in this document), the directory path into which you want Multiplexor to be installed.

To accept the default (/usr/netscape/suitespot4/mmp), press Enter. In this example the /mmp directory is the MMPRoot.

The installation program creates the directories for the Multiplexor installation and installs the files. (If you are creating a second or subsequent instance of Multiplexor on this machine, the installation program uses the existing installed files.)

The installer program starts to create an instance of Multiplexor from those files. (If there is a previously installed instance of Multiplexor, you can at this point choose to either configure the existing instance or create a new one.)

If you choose to configure a new instance of Multiplexor, enter the name you want to give it.

To accept the default name (the host name of the machine you are installing Multiplexor onto) press Enter. The installation program finishes creating the new instance, installing it into the subdirectory MMPRoot/ MMP-instanceName/ where instanceName is the name you specified.

Enter one of the following numbers to specify which kind of mail service you want this instance to support:

1 - Configure this instance for IMAP mail service
2 - Configure this instance for POP3 mail service
3 - Configure this instance for both IMAP4 and POP3 mail service

You are then stepped through a series of configuration prompts that allow you to specify environment variables that will control how this instance of Multiplexor operates. See Configuration Prompts (Unix) for a description of these prompts.

The installer shows you a summary of the information you have entered. If the information is correct, type y. If you need to make changes, type n, in which case the install program takes you back through the prompts again.

After you have approved the configuration parameters and the Multiplexor Installer has implemented them, the program displays the following information:

The location of shell scripts you can use to start Multiplexor. Depending on your system's capabilities, you may be able to put these scripts in your init directory to start Multiplexor automatically at system startup. Alternatively, you can run the scripts from the command line by typing ImapMMP.sh start or PopMMP.sh start. These shell scripts set environment variables that control Multiplexor configuration and then execute the Multiplexor program.

The location of the Netscape Messaging Multiplexor Installer (mmp-setup). When you use the Netscape Servers installation program to install the Messaging Multiplexor, the Multiplexor Installer installs itself (at the top level of the installation directory, under MMPRoot/), so that you can later execute it directly to modify the configuration of this instance.

Instructions for removing Messaging Multiplexor, in case you ever need to. To remove all instances of Multiplexor from the host, remove the entire installation directory (MMPRoot/) and the Multiplexor configuration file (netscape.mp.conf, in the directory /etc/). To remove only a single instance of Multiplexor, remove just the subdirectory MMPRoot/MMP_instanceName/.

Creating Additional Instances (Unix)

Use the Multiplexor Installer to create a new instance after an initial installation.

To run the Multiplexor Installer, follow these steps:

Go to the directory that contains the Multiplexor Installer.

The program is installed at the top of the installation directory, under MMPRoot/.

From the command line, type mmp-setup.

The Multiplexor Installer asks whether you want to change an existing instance or create a new one. If you choose to create a new instance, the installer takes you through the installation process, as described in Creating a Multiplexor Instance (Unix).

Modifying an Instance (Unix)

Use the Multiplexor Installer to modify the configuration of a previously installed instance of the Multiplexor.

To run the Multiplexor Installer, follow these steps:

Go to the directory that contains the Multiplexor Installer. The program is installed at the top of the installation directory, under MMPRoot/.

From the command line, type mmp-setup.

The Multiplexor Installer asks whether you want to change an existing instance or create a new one. To change an existing instance, select the name of that instance. The installer takes you back through the prompts for configuring the Multiplexor so you can make the changes you want. For information about each parameter, see Multiplexor Configuration.

Multiplexor Configuration (Unix)

Multiplexor is controlled by setting the configuration parameters that are described in Table 13.3. See Table 13.2 for different methods you can use to set configuration parameters.

This section describes how to set Multiplexor configuration variables by:

Using the configuration prompts invoked by running the Server Setup program or the mmp-setup script. See Configuration Prompts (Unix).

Directly editing the Multiplexor configuration files. See Directly Setting Configuration Variables (Unix).

You can also set Multiplexor configuration variables by running the PopProxy and ImapProxy commands with the install option as described in Command-Line Configuration Options, then copying the screen output into the configuration files.

Listing Options (Unix)

To display a list of the current configuration parameters, you can execute Multiplexor for either POP or IMAP by running either PopProxy or ImapProxy from the command line, using the -h option with no attributes:

PopProxy -h
ImapProxy -h

Choosing a Port Number (Unix)

Keep the following in mind when entering a port number:

Port numbers can be any number from 1 to 65535.

If you choose a port number 1024 or lower, you must start all processes as root (superuser).

Make sure the port you choose isn't already in use or reserved for another service. Look at the file /etc/services on the Multiplexor machine to make sure you don't assign a port number that is used by another service.

Configuration Prompts (Unix)

Table 13.7 lists the Multiplexor configuration prompts and associated environment variables in Unix environments. See Table 13.3 for environment variable descriptions.

Table 13.7 Multiplexor configuration prompts (Unix)


Installer prompt	Environment variable
LDAP Host:	LDAPHost
Base DN:	BaseDN
[IMAP4/POP3] MMP LogDir:	LogDir
Log Level:	LogLevel
Should the MMP bind to LDAP as someone in particular (y/n): If you answer yes, the following two questions are asked: What user should the MMP authenticate as: What's the password for "BindDN":	LDAPAuth LDAPAuth BindPassword
Number of Threads:	NumThreads
Should the MMP listen on a non-default port (y/n): (See Choosing a Port Number (Unix) for additional information about choosing a port.) If you answer yes, the following question is asked: Which port:	ListenPort
Do your main [IMAP4/POP3] servers listen on non-default ports (y/n): If you answer yes, the following question is asked: Which port:	BacksidePort
Would you like to override the IMAP4 MMP's CAPABILITY response (y/n): If you answer yes, the following question is asked: Please type in the new CAPABILITY, and hit return.	Capability
Would you like to override the MMP's banner (y/n): If you answer yes, the following prompt is displayed: Please type in the new banner, and hit return.	Banner
Would you like to override the MMP's LDAP search string (y/n): If you answer yes, the following prompt is displayed: Please type in the new search string, and hit return.	UidSearch
Would you like MMP to use a particular attribute for auth replay (y/n): If you answer yes, the following prompt is displayed: Please type in attribute, and hit return.	UidAttr
Would you like the MMP to use a non-default attribute for the mailhost? (y/n): If you answer yes, the following prompt is displayed: Please type in the list of attributes, and hit return. (Comma-delimited list.)	MailHostAttrs
Should this MMP do virtual domain mapping(y/n): If you answer yes, the following prompt is displayed: Please type the location of the mapping file, and hit return:	VirtualDomainFile
Do you want to specify a list of virtual domain delimiters? (y/n) If you answer yes, the following prompts are displayed: Please type in the new delimiter and hit return: Do you want to specify a canonical virtual domain delimiter? (y/n) Please type in the new delimiter and hit return:	VirtualDomainDelim VirtualDomainDelim CanonicalVirtual DomainDelim CanonicalVirtual DomainDelim
Would you like to provide a "spoof" message for POP3 (y/n): This prompt is only displayed for POP Multiplexors. If you answer yes, the following prompt is displayed: Please type in the location of the file to be used, and hit return:	SpoofMessageFile
Would you like to override the Server Down Alert for the MMP? (y/n) If you answer yes, the following prompt is displayed: Please type in the alert string and hit return:	ServerDownAlert
Should the IMAP4 MMP do SSL (y/n): (This prompt is only displayed for IMAP Multiplexors.) If you answer yes, the following five prompts are displayed:	SSLEnable
1 - Should the MMP listen for SSL on a non-default port (y/n) If you answer yes, you are asked: Which port?	ListenPort