Friday, July 31, 2009

How to send email using telnet command

It's handy to know how to send email using Telnet command, especially for debugging purpose. 

FYI, many people out there do not even realize that emails are sent via tcp/ip port 25 protocol. They told me in order to test, they need a Outlook or Thunderbird client. Those are technical people. :)

cclow@ohost:~>telnet 25
Connected to
Escape character is '^]'.
220 -- Server ESMTP (Sun Java(tm) System Messaging Server 7.0-0.04 64bit (built Jun 20 2008))
250 OK, [].
250 2.5.0 Address Ok.
250 2.1.5 OK.
354 Enter mail, end with a single ".".
subject: test only

helo test test test
250 2.5.0 Ok, envelope id
221 2.3.0 Bye received. Goodbye.
Connection to closed by foreign host.


Thursday, July 30, 2009

Why IronPort and Red Condor are dropped?

We wanted to evaluate Cisco IronPort Hosted Email Security, but they did not give us the chance. I was initially thrilled when I saw on their website "Try Before You Buy". I applied twice. No luck!

Our company policy is as such: Before we recommend a product to our customers, we'll evaluate internally first. The criteria is simple:
  1. Product capability and suitability
  2. Customer/Support service experience
  3. Pricing

Notice that we are very particular about service experience before any recommendation is made. If the experience with the pre-sales or sales is no good, we do not even proceed further. We are always against spending money on vendors who do not give a dime on customer service experience.

Honestly speaking, there are far too many comparable products out there in the market. The ones that support our customers best, we'll stick our heads with them. (even if their pricing might be the highest)

So, what about Red Condor? Why did we drop it?

Below is the email respond from Red Condor's Director Channel Management:
Regarding your reseller application: Red Condor is not currently signing resellers in Asia. We are in the process of reviewing this decision and to approach partners throughout Asia as we are expanding internationally.

It's a matter of presence. Red Condor is a relatively young company with main focus in the US/Europe markets. I think it will take them a couple of years before they get serious with the booming Asia market.


Wednesday, July 29, 2009

Message Recall in Microsoft Outlook - Make sense?

I received an email today which reminded me of a discussion I had with my potential customer some time back. (OK, I received 3 emails in actual fact since I am not on Exchange and this person is not from the same company)

Back then, I was trying to sell Sun Java System Messaging Server and the customer explicitly asked for a Message Recall feature which she found so dearly useful to her. I was amused. I probed further and realized she did not follow nor care about Internet Mail Standards and Protocols.

To know exactly how Message Recall works in Microsoft Exchange, read here.

Sometimes, it is very hard to convince customers that the feature(s) they are looking for are non-standard. And thus, even if deployed, they do not inter-operate well with other type of systems.

e.g. Sending an email from Microsoft Exchange to a recipient residing in Sun Messaging Server; then attempting to recall the sent mail. It's totally impossible to recall. The recipient will experience like what I did today - receive 3 emails instead!! (1 original non-intentional mail; 1 recall mail; 1 resent corrected mail)

Why TrendMicro IMHS is dropped? -Reason 3

There must be visibility of the messages that are quarantined, especially in a hosted security solution. Otherwise, customers do feel uneasy. (This is really a feedback from our customers)

And this is something we look out for in evaluating a good hosted security product. Our company offers OpenMail. It is a secure-hosted environment for corporate customers. Internally, we subscribe to Google Postini Service for our own domain. We allow our customers to choose any hosted security product of their choice, if they want to have that extra layer of protection.

What we like about Google Postini Service is a daily Quarantine Summary email which each of us will receive.

If any of us detects that a genuine email has been detained, a simple click on "Deliver" will instruct Postini to deliver that email to our mailbox. There is also a Message Center for each user to manage his/her own quarantined emails.

In TrendMicro IMHS, there is this very nice Quarantines Settings module. Initially, it was not enabled, so we did not receive any Quarantine Summary email. However, even after we enabled it, we still receive nothing from IMHS. (Is it because we are testing with Free Trial account? We do not know why.)

Even when we log in as Administrator, there is no quarantined message being displayed for a particular user account which, we know for sure, receive lots of spam each day.

Yes, this particular user account does receive lesser spam when IMHS is activated during the trial period. However, if the visibility is not there, customer will never feel at ease.

Tuesday, July 28, 2009

How to interpret Sent Date in email client?

I received an email from my customer today. He suspected that I might have mis-configured his Sun Java Messaging Server.

The mail was enqueued at 21:50 yesterday and dequeued at 23:09. I received the mail at 23:09. In my email client, it shows the received time as 21:50, whereas I think it should show 23:09. Is there a way to change it?

He went on to show me the log:

27-Jul-2009 21:50:15.57 tcp_intranet tcp_local EE 23 rfc822; ahmei@mybankcom
27-Jul-2009 23:09:15.15 tcp_local DEQ 23 rfc822; dns; (mxhub ESMTP qpsmtpd 0.32 ready; .) smtp;250 , recipient ok

I asked for the message header and a screenshot of the email he received.

From: Mybank Singapore
Subject: Weekly Market Updates
Date: Mon, 27 Jul 2009 21:50:15 +0800
Message-id: <>

It was actually very obvious. The Sent Date reflects the time the email was sent by the Sender. It does not reflect the time the email reaches the Receiver.

This was his mis-interpretation, I told him.

Why TrendMicro IMHS is dropped? -Reason 2

In terms of look-and-feel, TrendMirco IMHS leaves a very good first impression.

Google Postini Service can never compete in terms of look-and-feel. Or rather, Google has never been bothered too much with slick design. They place their focus on functionalities instead.

For example, in IMHS, there is no way for administrator to know how many accounts he has created so far. I can understand that it's convenient for a CSV upload utility. It's helpful and most welcomed. However, after importing, there must be an intuitive way to show the list of imported users.

Google Postini Service's experience, again, is vastly different. A list of user accounts is shown distinctly. What's more? There is a way to adjust anti-spam for different categories (Sexually Explicit, Get Rich Quick, Special Offers, Racially Insensitive) at per-user level.

For each category filter, there is a way to set a base level (from Lenient to Aggressive).

Monday, July 27, 2009

Why TrendMicro IMHS is dropped? -Reason 1

The company I work for provides Corporate Email Hosting - OpenMail.SG. Customers are free to introduce another layer of anti-virus/anti-spam protection before their emails flow into our Sun Messaging Server.

We helped evaluate various hosted security services from Postini, TrendMicro IMHS, IronPort, Red Condor. We also evaluate appliances like ProofPoint, Sophos PureMessage and Symantec BrightMail.

We are almost done with evaluating the various technologies. We'll be posting a series of blogs highlighting what we like and what we do not like about certain products.

The first series is why we choose to drop TrendMicro IMHS (InterScan Messaging Hosted Security).

Registration is required for End-User Quarantine account. Why? Shouldn't the account be created by default?

Spam email messages are deleted by default. For systems configured to quarantine spam email messages, each employee can create an End User Quarantine account to access their quarantined email messages and set up approved senders. Please provide your employees the instructions below and the End User Guide which can be downloaded from the IMHS console (see below).

1. Each employee can register an account using the IMHS WebEUQ Console at the following web page:
2. Click the "Create a new account" link on the login page.

3. Follow the on-screen instructions. After you submit your information, you will receive an email message verifying your new account with a username and password.
4. Change your password after your first log in.

We evaluated Google Postini Service as well. The experience is vastly different. Once an account has been set up and the very first spam/junk mail is captured, Postini will send a friendly email to the user of that account:

Dear,'s new junk email protection service has quarantined its first suspected junk email message directed at you. Since you have not signed in at your personal Message Center, we are sending this notification informing you of the service's initial action. After this notification, we will begin the standard practice of sending notifications of quarantined messages on a regular basis.

You can inspect your suspicious email at:

Your temporary password is: XXXXXXX

Suspicious email is kept in your Message Center for 14 days, after which it will be automatically deleted. Please visit your Message Center to deliver valid email or delete messages you do not want.

For help accessing and configuring your Message Center, please visit:

Thank You!

This is so user-friendly and the message is so user centric. No technical terms; Easy to understand by layman. AND ... there isn't a need to register.

Sunday, July 26, 2009

OpenDS 2.0 Installation on MacBook

OpenDS 2.0 has been released for 2 weeks. I did not have the time until now to install a copy on my laptop for self-discovery purpose.

As long as you have JDK installed on MacBook, installation is a breeze. It took me less than 5 mins to get a decent instance up and running.
cheechongs-macbook:OpenDS-2.0.0 cheechong$ ./setup --cli

OpenDS Directory Server 2.0.0
Please wait while the setup program initializes...

What would you like to use as the initial root user DN for the Directory
Server? [cn=Directory Manager]:     
Please provide the password to use for the initial root user:         
Please re-enter the password for confirmation:         

On which port would you like the Directory Server to accept connections from
LDAP clients? [1389]: 

On which port would you like the Administration Connector to accept
connections? [4444]: 8888 <-- I dun like 4444. I'll use 8888 instead.

What do you wish to use as the base DN for the directory data?
[dc=example,dc=com]: dc=sg,dc=sun
Options for populating the database:

    1)  Only create the base entry
    2)  Leave the database empty
    3)  Import data from an LDIF file
    4)  Load automatically-generated sample data

Enter choice [1]: 4
Please specify the number of user entries to generate: [2000]: 

Do you want to enable SSL? (yes / no) [no]: yes
On which port would you like the Directory Server to accept connections from
LDAPS clients? [1636]: 

Do you want to enable Start TLS? (yes / no) [no]: 
Certificate server options:

    1)  Generate self-signed certificate (recommended for testing purposes
    2)  Use an existing certificate located on a Java Key Store (JKS)
    3)  Use an existing certificate located on a JCEKS key store
    4)  Use an existing certificate located on a PKCS#12 key store
    5)  Use an existing certificate on a PKCS#11 token

Enter choice [1]: 

Do you want to start the server when the configuration is completed? (yes /
no) [yes]: 

Setup Summary
LDAP Listener Port:            1389
Administration Connector Port: 8888
LDAP Secure Access:            Enable SSL on LDAP Port 1636
Create a new Self-Signed Certificate
Root User DN:                  cn=Directory Manager
Directory Data:                Create New Base DN dc=sg,dc=sun.
Base DN Data: Import Automatically-Generated Data (2000 Entries)

Start Server when the configuration is completed

What would you like to do?

    1)  Setup the server with the parameters above
    2)  Provide the setup parameters again
    3)  Cancel the setup

Enter choice [1]: 

Configuring Directory Server ..... Done.
Configuring Certificates ..... Done.
Importing Automatically-Generated Data (2000 Entries) ....... Done.
Starting Directory Server ......... Done.

See /tmp/opends-setup-17177.log for a detailed log of this operation.

To see basic server configuration status and configuration you can launch /Users/cheechong/Documents/Technical/OpenDS-2.0.0/bin/status

To verify:

cheechongs-macbook:bin cheechong$ ./status 

>>>> Specify OpenDS LDAP connection parameters
Administrator user bind DN [cn=Directory Manager]: 
Password for user 'cn=Directory Manager':         
--- Server Status ---
Server Run Status:        Started
Open Connections:         1

--- Server Details ---
Host Name:                       cheechongs-macbook.local
Administrative Users:     cn=Directory Manager
Installation Path:             /Users/cheechong/Documents/Technical/OpenDS-2.0.0
Version:                             OpenDS Directory Server 2.0.0
Java Version:                    1.5.0_16
Administration Connector: Port 8888 (LDAPS)

--- Connection Handlers ---
Address:Port : Protocol : State
--                   : LDIF        : Disabled  : SNMP      : Disabled : LDAP     : Enabled : LDAPS   : Enabled : JMX      : Disabled

--- Data Sources ---
Base DN:     dc=sg,dc=sun
Backend ID:  userRoot
Entries:     2002
Replication: Disabled

This installation is far easier and faster than Sun Directory Server Enterprise Edition installation.

Saturday, July 25, 2009

Sun Messaging Server uses SendMail to deliver emails

It is very important to discuss with your customers the reasons behind their requests. Let's be frank... Sometimes, they really have no idea what they want.

I have a customer who, until today, thinks that Sun Messaging Server utilizes the SendMail daemon on the Solaris OS to deliver emails.

How did I found out? Well, he called me 2 days ago: "We need to perform maintenance this weekend. We do not want our internal applications to deliver emails via our Sun Messaging Server during this period of time. So, can I just disable the SendMail daemon for the time being?"

I almost jumped off my chair. I do not feel sad for him. I feel sad for his employer. I feel that workers these days do not really spend their time reading up. They are just clocking hours. They have stopped asking "Why" which I used to do.

So, these days, I will usually ask the rationale behind any request. On times which I forgotten to ask, I found out I usually wasted a lot of time researching for them only to realize it does not fit their actual operational requirement.

Lesson learnt: Ask for business requirement first.
  • With the business requirement, try to resolve it with the technology available in their environment.
  • Do not start the discussion purely from technical point of view.

Friday, July 24, 2009

Sun Directory Server Patch for MMR setup without downtime

We implemented Sun Portal solution for a local university 3 years ago and are now maintaining their systems. It is designed with high availability in mind. Every component involved requires redundancy support.

Part of the maintenance contract requires us to patch any component as and when they are made available. We know that Sun Directory Server 6.3.1 has been released since Feb 2009. We are only given the green light to patch tonight. :) And no downtime is expected.

Looking at the architecture above, we know we need to take care of 2 dependency components:
  • Multi-Master Replication between the 2 Directory Servers
  • Sun Access Manager
As long as the 2 components are taken care of, everything should be fine.

Multi-Master Replication between the 2 Directory Servers

MMR is designed such that if one server crashes and recovers later, the replication mechanism will synchronize the 2 nodes back to identical state again. Not too worrying.

Sun Access Manager 

The Users' information and Sun Access Manager configuration data are stored in Sun Directory Servers. If the connection from AM to DS is down, the AM will not work. And this implies the Portal will be down as well. Thus, it is very important that the Sun Directory service is always available.

Luckily, Sun Access Manager is designed such that we can designated a Primary and a Secondary Directory Server. So if one is unavailable, the other is always reachable.

2 places to modify to support HA DS in Sun Access Manager:
  1. Sun Access Manager Admin Console
  2. serverconfig.xml 
Read here for more detail.

So, it should not be a big problem for the patching to go ahead. We'll do it one node at a time, without disruption to the Portal service to the University users.

We took about 40 mins to finish the job. Below is the task list we followed closely:

0. Backup. Backup. Backup
1. Make sure portal is accessible via

2. Verify existing version is 6.0 on node2

    root@node2 # ./dsadm -V
    [slapd 32-bit]
    Sun-Java(tm)-System-Directory/6.0 B2007.025.1834 32-bit
3. Stop dsins1 on node2
4. Make sure portal is accessible via 
5. Patch on node2 using patchadd

    root@node2 # patchadd /var/spool/patch/125278-08

6. Verify latest version on node2

    root@node2 # /opt/SUNWdsee/ds6/bin/dsadm -V
    [slapd 32-bit]
    Sun-Java(tm)-System-Directory/6.3.1 B2008.1121.0308 32-bit
7. Start dsins1 on node2 

8. Ensure replication continues to work between node1 (6.0) and node2 (6.3.1)
    -> Need to wait a while for replication to be in-sync. DO NOT PANIC!!
9. Make sure portal is accessible via
10. Verify existing version is 6.0 on node1

    root@node1 # ./dsadm -V
    [slapd 32-bit]
    Sun-Java(tm)-System-Directory/6.0 B2007.025.1834 32-bit
11. Stop dsins1 on node1
12. Make sure portal is accessible via   

13. Patch on node1 using patchadd

    root@node1 # patchadd /var/spool/patch/125278-08

14. Verify latest version on node1

    root@node1 # /opt/SUNWdsee/ds6/bin/dsadm -V
    [slapd 32-bit]
    Sun-Java(tm)-System-Directory/6.3.1 B2008.1121.0308 32-bit

15. Start dsins1 on node1 
16. Ensure replication continues to work between node1 (6.3.1) and node2 (6.3.1)
    -> Need to wait a while for replication to be in-sync. DO NOT PANIC!!
17. Make sure portal is accessible via

If your organization requires a Portal solution, talk to us. We have an experienced team well-versed with Sun Portal technology. Not forgetting, LifeRay Portal technology. I'm reachable at cheechong @


Wednesday, July 22, 2009

E71 Fireware Update - Backup and Charge your battery first

Nokia E71 Firmware 300.21.012 was recently released. I wanted to update my Nokia phone with this latest patch.

It's fairly simple if you have Nokia PC Suite installed on your Windows desktop. (I use Acer AspireOne netbook with XP at home)

Upon starting Nokia PC Suite, you will be notified of the latest firmware available.

See "A new software update is available for your phone. Click to update" above.

Well, I clicked on the hyperlink and after a series of click-click-click, I landed with the dialog prompt below:

Hmmm... Not a big issue... I plugged in my charger and I thought the complain will go away.

It did not. You need to really charge your battery first. Please remember.

I advise reading the following instruction once the update is done.

Now, what does the instruction say above? "... revert to factory default ..."

So, before you even get started with updating, please remember to perform a backup.
(Click on the top left button in your Nokia PC Suite)

This will enable you to restore your phone to it's original state prior to the update. If you forget o backup, I'm really sorry.

Oh... not forgetting to mention... SingNet download speed is faster than Starhub at this hour of the day (23:00hr). I failed twice trying to download the updates via Starhub. Luckily I have 2 links to choose from. *phew*

How to limit incoming connections for Sun Messaging Server

In the environment where the American bank operates, the same instance of Sun Messaging Server is to be utilized by a number of applications. e.g. Feedback application (online feedback form on their website), Broadcasting application (marketing purpose).

The bank considers the Feedback application as the most important. Definitely, customer service is very important.! That's what I always preach as well.
The Broadcasting application is used by the Marketing department in 10 counties around the Asia Pacific region. There will be days when more than 3-5 countries need to broadcast emails. Each country might send out around 100,000 - 200,000 emails. Sometimes, this happens at the same day around the same time.

When this happens, the delivery of feedback emails will be affected since both applications utilized the same shared resource. 

They ask for my opinion. My reply below:  

To ensure “fair sharing” of messaging service, it is sometimes necessary to limit the number of messages to be handled by the Messaging Server from a certain application (e.g. Broadcasting Application). This will ensure other applications have equal chances of sending out messages via the same Messaging Server. Metermaid comes in handy. 

Tuesday, July 21, 2009

Role concept in Sun Portal Server vs LifeRay Portal Server

I was with a friend today for lunch. After lunch, he asked me to help him with setting up a development environment for Sun Java System Portal Server 7.1. 

His company was engaged by a local Online Ticketing Service Provider for some change requests. The initial contract was to a big MNC, but they did not do a good job. Anyway, to his surprise, this service provider does not have a development environment for his engineers to work with. Thus, no choice... he, being always preaching for best practice, decided to set up the environment in his premise. 

They spent numerous days, but are still not able to get an identical site set up. Thus, he asked for my help.

For your information, my experience with Sun Portal Server dated back to iPlanet Portal Server version 3.  It has been 5 years. Sun Portal Server is now named as GlassFish Web Space Server. This version is not a continuous/enhancement update from previous ones. It is actually "OEM" from LifeRay Portal Server. A few portlets have been ported to Web Space Server, and that's about it. Not too much different from the default LifeRay installation.

So, back to the development environment setup, I advised his engineers on how to migrate the existing Display Profile from the production server. I also explained about the Authentication-less Anonymous Desktop and its associated Display Profile. Basically, just make sure of the following:
  1. Organization Domain is the same 
  2. Portlets to be copied over and deployed on development server
  3. Import display profile for default organization
  4. Import display profile for authless anonymous user
Fairly simple. 

When I was about to leave, one engineer asked whether or not is there a way to hide a certain tab from showing when a particular group of users log in.

He told me it was so easy to achieve this requirement using LifeRay. (Yes, they implement quite a number of LifeRay. But not Sun Portal Server)

What he needs to do in LifeRay is to navigate to Plugin Configuration and then assign the Role appropriately. Done. Single login; Integrated Administrative Module.

Yes, I do agree. I do LifeRay as well, since Sun has moved on to Glassfish Web Space Server. So, that's part of my job scope.

Anyway, I explained that the concept is slightly different in Sun Portal Server. It is basically driven by Display Profile. 

When a user logs in, the Portal Server will check in the following sequence:
  1. Does User Display Profile exist? If yes, render it.
  2. Does Role Display Profile exist? If yes, render it.
  3. Otherwise, render Organization Display Profile.
To fulfill his requirement, what he needs to do is to create a Role Display Profile. How to achieve that is more complicated:

1. Go to Sun Access Manager
  • Define a new Role. 
  • Assign users to this new Role.

2. Go to Sun Portal Server Console
  • Search for the Role Display Profile. 
  • Customize this Role Display Profile. (By default, without customizing, it will be the same as Organization Display Profile)

FYI, the EOL for Sun Java System Portal Server 7.1 is Nov 2009. If you are using this version of Portal Server and would require upgrade service, do send me an email (cheechong @ 

Friday, July 17, 2009

Mail tab not showing in UWC

I spent the whole day debugging what went wrong with my customer's messaging setup. I had installed Sun Messaging Server for them last week. I configured and everything was working before I left this Tuesday.

Today, they reported that since I left, the Mail tab is not showing whenever a user logs into UWC (Sun Communications Express).

Initially, I thought it was a silly mistake made because I encountered the same before. I solved it with the following previously:

bash-3.00# cd /opt/sun/comms/messaging/sbin
bash-3.00# ./configutil -o service.http.port -v 2080 <- mshttpd port
bash-3.00# ./configutil -o local.webmail.sso.uwcenabled -v 1
bash-3.00# ./configutil -o local.webmail.sso.uwccontexturi -v uwc
bash-3.00# ./configutil -o local.webmail.sso.uwcport -v 80 <- web/app server port
bash-3.00# ./stop-msg
bash-3.00# ./start-msg

So, I asked them to verify the above first. Everything looks fine. Strange...

Then I asked if they have modify any configuration. As usual, "No, we'hv done nothing special."
OK, that's fine. I asked them to send the output of "configutil" to me. (any modification made will be reflected very clearly)

bash-3.00# ./configutil > /tmp/configutil.output

It was very clear to me what happened the moment I looked at the output!

service.http.enable = 1
service.http.port = 2080
service.imap.enable = 0
service.pop.enable = 1
To confirm, I asked for http.log (this log tracks the activity in UWC).

[17/Jul/2009:13:14:28 +0800] nodeA httpd[25463]: General Error: IMAP connection to failed: Connection refused
[17/Jul/2009:13:14:28 +0800] nodeA httpd[25463]: General Error: Failed to connect to imap server on
[17/Jul/2009:13:14:28 +0800] nodeA httpd[25463]: General Warning: Couldn't login admin on IMAP server: Mail server unavailable. Administrator, check server log for details.

Why is the IMAP service disabled? "Oh, we only want users to access via POP and SMTP. No IMAP is allowed." Well, at least I should be consulted before the change is made. Right?

UWC required IMAP service to be running in order for the Mail Tab to be rendered.

Anyway, I instructed them to enable IMAP service and the Mail Tab is now showing.

bash-3.00# cd /opt/sun/comms/messaging/sbin
bash-3.00# ./configutil -o service.imap.enable -v 1
bash-3.00# ./stop-msg
bash-3.00# ./start-msg

By the way, a better approach to restricted IMAP access is to modify the mailAllowedServiceAccess attribute.

By default, it looks like:
mailAllowedServiceAccess: +pop:ALL$+imap:ALL$+smtp:ALL$+http:ALL

To disallow IMAP access, do this:
mailAllowedServiceAccess: +pop:ALL$-imap:ALL$+smtp:ALL$+http:ALL

Thursday, July 16, 2009

Why need to purge user manually?

Yesterday, I mentioned that a Delete action via Delegated Admin will not remove/purge a user permanently in Sun Messaging Server. Read here

This is where Sun Messaging Server differ from the other email products. A delete action does not actually remove/purge a user's mailbox, nor does it remove the user from the Directory Server. It merely set the inetUserStatus flag to "deleted".
I can provide one of the reasons why the product is built as such.

Sun Messaging Server is built with ISP in mind. As such, there must be a way for billing ($$$).

Can you see the "Billing ID" above?

For proper billing at the end of each month, all users (active or deleted) must be reflected correctly in the Sun Directory Server. Deleted Users should be purged only after this information is captured (usually via a Billing Application).


Wednesday, July 15, 2009

How to purge a user from Sun Messaging Server

When a user is deleted from Sun Messaging Server via the Delegated Administrator, the user still exists in the Directory Server. 

Before user is deleted via DA

bash-3.00# ldapsearch -D "cn=Directory Manager" -w password -b,o=isp uid=test*
dn: uid=test_user1,ou=People,,o=isp
uid: test_user1
mailUserStatus: active
inetUserStatus: Active

After user is deleted via DA

bash-3.00# ldapsearch -D "cn=Directory Manager" -w password -b,o=isp uid=test*
dn: uid=test_user1,ou=People,,o=isp
uid: test_user1
mailUserStatus: active
inetUserStatus: deleted

This is where Sun Messaging Server differ from the other email products. A delete action does not actually remove/purge a user's mailbox, nor does it remove the user from the Directory Server. It merely set the inetUserStatus flag to "deleted".

In order to purge a user, 2 more steps are required:

  1. After a service has been marked as deleted, a utility that removes mail resource (msuserpurge) must be run before the service can be purged from the directory. 
  2. Permanently remove the user, by invoking the following command: commadmin domain purge 
So, here we go:

bash-3.00# /opt/sun/comms/messaging/lib/msuserpurge -d -g 0

bash-3.00# ldapsearch -D "cn=Directory Manager" -w password -b,o=isp uid=test*
dn: uid=test_user1,ou=People,,o=isp
uid: test_user1
inetUserStatus: deleted
mailUserStatus: removed

bash-3.00# /opt/sun/comms/da/bin/commadmin domain purge -D admin -n -w password -d -g 0

bash-3.00# ldapsearch -D "cn=Directory Manager" -w password -b,o=isp uid=test*

Tuesday, July 14, 2009

Block POP access by IP addresses

I am still in the American bank today. They ask for a way to block POP access by IP addresses. Well, Sun Messaging Server has this feature in place - service.pop.domainallowed.

Not too hard to implement. Use configutil command will do.

However, the IP list is pretty long.

bash-3.00# ./configutil -o service.pop.domainallowed -v 
pop: 1 1
ERROR: too many arguments

What to do? Well, this is the workaround:

1. Create a file domainallowed.txt and add the following in 1 single line.

service.pop.domainallowed=pop: 1

2. bash-3.00# ./configutil -i domainallowed.txt

3. bash-3.00# ./stop-msg; ./start-msg

cheechongs-macbook:~ cheechong$ telnet 110
Connected to
Escape character is '^]'.
-ERR Access denied

Done. Nice!

Added @ 18:00hr:

Job completed. Will be back for production cut-over next week.

Here's the view I have for the past few days ...

Full view of Singapore Flyer.

Monday, July 13, 2009

Failed to add mail service by commadmin

I went to the American bank today again. Our task was to continue with what we have left last week.

But we hit a problem trying to assign service packages to the default domain. It kept displaying "Failed to update organization". Not helpful indeed.

Hmm.. I thought I have missed out the step in adding the mail service to the default domain.

So I went ahead to issue the command:

$ commadmin domain modify -D admin -w [password] -n -d -S mail -H

But we kept getting this error:


netscape.ldap.LDAPException: error result (20)

Luckily, there was a discussion at Sun Forum. I have actually messed up the configuration steps!

A note to all: Remember to configure Delegated Administrator and it's CLI before Messaging Server configuration! Otherwise, you'll end up having the same error.

I thought I was pretty comfortable with Sun Communications Suite since I have been implementing for the past 5 years. Ha!

My wrong procedure:

  1. Preparing the Directory
  2. Configuring Messaging Server
  3. Configuring Communications Express
  4. Configuring Delegated Administrator and Communications CLI

The correct procedure:

  1. Preparing the Directory
  2. Configuring Delegated Administrator and Communications CLI
  3. Configuring Messaging Server
  4. Configuring Communications Express

You can read the wikis here. (Note: I am not using Access Manager for DA. Using Direct LDAP mode instead)


Sunday, July 12, 2009

Weird IPMP Output

In Solaris, there is this very nice feature called IPMP (IP Multipathing).

It is able to failover the IP address from one network card to the other when the primary fails. From the end-user point of view, it's transparent. Services continue and there's no downtime. This is nice!

IPMP is mandatory when Sun Cluster is configured.

Anyway, we were conducting UAT few days back and I observed this very weird output when both network cables are unplugged from the 2 network cards. We thought the IPMP was not configured properly. In fact, nothing was wrong.

In normal operational situation, you'll see the following output:

Now, we unplug the cable from e1000g0 interface. The output is still correct:
(Notice that the IP address from e1000g0 has failover to bge0:1)

Let's proceed to unplug the cable from bge0 interface. Now, the output is misleading:

Why is bge0 and bge0:1 still showing UP? On the same machine, we can even perform a ping to and they are still showing alive.

Very strange indeed. We were puzzled. 

It's only some time later then we realized we did not take a detailed look at the output:

Although the UP flag is there, there is a FAILED flag behind which implies that the interface is indeed down.

We switched our test: bring bge0 down; then bring e1000g0 down. This time round, e1000g0 is showing the UP + FAILED flag. It's always the second interface to be brought in the IPMP group that will show this UP + FAILED flag.

Misleading indeed ...

Password Reset Behavior

There is a "Password Reset" feature in Sun Directory Server Password Policy setting. 

This forces:
  1. A new user to change password upon 1st time login
  2. An existing user to change password upon administrator's reset (Forget Password)

Once this Password Policy is created, you can see something like this:

dn: cn=CustomPasswordPolicy,dc=abc,dc=com
objectClass: top
objectClass: pwdPolicy
objectClass: LDAPsubentry
cn: CustomPasswordPolicy
pwdMustChange: TRUE
pwdattribute: userPassword

If this Password Policy is assigned to a user, then there will be this read-only attribute pwdReset appearing in the User object entry when either of the above 2 conditions occurs.

When pwdReset is TRUE, then user will be force to change password upon next login.

Note: pwdReset can only be modified by the Directory Server.

There is this nice article talking about the Sun Access Manager Password Reset function.

Friday, July 10, 2009

Force JAVA_HOME during Sun Communications Express configuration

I was with my American bank customer yesterday trying to install and configure a new instance of Sun Messaging Server 7.0 u2.

Simple architecture - single instance, no high-availability, no failover capability. (Ask them why? No budget was the answer. :> )

Anyway, they have this special requirement:

  • All components to be installed in a dedicated directory /sjsms
  • All components to utilize JDK from a special directory /sjsms/jdk, not the default /usr/jdk in Solaris
Fine, I have no issue. Isn't setting JAVA_HOME=/sjsms/jdk and export the variable into the installation environment will do?

All went fine, except when we tried to configure UWC (Sun Communications Express). Very strange, "configure-uwc" was not able to pick up the JAVA_HOME variable.

A look into the script reveals:

## Look for a Java Runtime Environment#
if [ -x ${INSTALLDIR}/bin/base/jre/bin/java ]; then
export JAVA_HOME
## Our private copy of java
elif [ -x /usr/jdk/entsys-j2se/bin/java ]; then
export JAVA_HOME
## Standard Orion location
elif [ -x /usr/j2se/bin/java ]; then
export JAVA_HOME
## Standard java location
elif [ ${JAVA_HOME} ]; then
## honor JAVA_HOME variable
## No Java was found. Execute the default java
## command to produce a meaningfull L10N message
## and then exit.
exit 1

Shouldn't the JAVA_HOME variable be consulted first? If it exists, the if-the-else condition should terminate immediately. Weird logic.

Anyway, we change the script to suit the bank's requirement.

Total Fibre Cables Failure Test on Sun Cluster

We were having our UAT few days back with our National Healthcare customer here in Singapore.

They have SAP with Oracle running on Sun Cluster 3.2. There are 2 nodes which share a common storage SL500 connected via 2 pairs of Fibre Cables.

One of the test was to ensure that if the 2 fibre cables which are connected to a node are accidentially plug out, the resources running on that node should fail over to the other active node (which still has FC connection to the storage).

As this is a migration job for a hardware upgrade, they would like to use back the same UAT Test Cases from another vendor. (Actually I do not like this arrangement, really)

Nevertheless, we went ahead, but were stuck with this Total Fibre Cables Failure Test.


• Unplug both fibre cables from node nodeA and run “vxdctl enable” to rescan the devices, plug both cables after test.

Expected Results

• There will be error message on node nodeA's console showing link failure of both FC HBA port. After some time, the resource group, oracledb-rg, will failover to node nodeB.

We kept testing but the resource group simply refused to fail-over. We did, however, saw the link failure error message.

We debugged and we discussed. We wanted to know what was the actual expected result then. We were then told by the customer that he actually saw nodeA rebooting when the FC are taken out from nodeA. And this action actually causes the resource group to failover to nodeB.

Now, this is simple!

root@nodeA # clnode show

=== Cluster Nodes ===
Node Name: nodeA
Node ID: 1
Enabled: yes
reboot_on_path_failure: disabled

Node Name: nodeB
Node ID: 2
Enabled: yes
reboot_on_path_failure: disabled

The reboot_on_path_failure was set to "disabled" which means even if there is a FC path failure, no action is taken. (aka nodeA will not reboot; and if nodeA does not reboot, the resource group will not failover)

To solve this problem, it's simple.

root@nodeA # clnode set -p reboot_on_path_failure=enabled nodeA nodeB

In addition, we need to make sure local disk is set to unmonitored.

root@nodeA # cldev status

=== Cluster DID Devices ===

Device Instance Node Status
--------------- ---- ------
/dev/did/rdsk/d1 nodeA Unmonitored
/dev/did/rdsk/d10 nodeA Ok
nodeB Ok

local disk refers to "/dev/did/rdsk/d1".

If only we could write our own UAT document .... *sigh*

Tuesday, July 7, 2009

How to configure E71 with Sun Java Mobile Communications?

In my last post, I mentioned that I installed a fresh instance of Sun Java Mobile Communications Server (aka Synchronica Mobile Gateway).

Once the Communications Server is up, we need to configure our handsets. If you are using a Windows Mobile 5/6 or Palm 650/680/700p phones, then you're in luck!  It's fairly easy to download the pre-packaged software into your handsets. If you have a SMS gateway integrated, you can even use the Communications Server Admin module to push the software to your handsets.

Mine is Nokia E71. I'll need to configure it manually. 

1. Click on Tools -> Sync.
2. Click on Options -> New sync profile.
3. Key in a Sync profile name, say "Synchronia". Click OK
4. Click on Applications
4a. Click on Contacts. 
  • Include in sync: Yes
  • Remote database: Contacts
  • Synchronization type: Both ways

4b. Click on Calendar
  • Include in sync: Yes
  • Remote database: Calendar
  • Synchronization type: Both ways
5. Click on Connection settings

  • Data bearer: Internet
  • Access point: Always ask (my preference)
  • Host address:
  • Port: 81 (change to your setting)
  • User name: (change to your setting)
  • Password: *****  (change to your setting)
  • Synchronization type: Both ways
The rest of the parameters do not need to bother.

Sunday, July 5, 2009

Sun Java Mobile Communications Installation

Alright, I gave up on Funambol. Not that the software itself is no good, it's just that the integration component I needed wasn't there - Sun Java System Calendar Server support. (We still have a Zimbra server left after a PoC. Maybe I'll try to integrate Funambol with Zimbra connector next time to test it's usability)

So I turned my attention to Sun Java Mobile Communications Installation instead. FYI, it's an OEM from Synchronica. The look-n-feel belongs to Sun, but the engine still runs like what Synchronica Mobile Gateway Enterprise Edition would.

Which one should I push to our customers?

a. Synchronica pricing and licensing model are amazingly attractive for SME

  • If you know the SME market well, it's a superbly price conscious/sensitive market. Thus, if say we sell 100 OpenMail accounts to Company A, they might only want to purchase 5-8 premium accounts (basic + mobile access) with us.  

b. Sun pricing is a mystery to me still. 
  • But I believe they are not interested in selling to low-volume customers. I'll talk to the folks to find out nevertheless.

My report card as follows:

1. Installation is a breeze (30 mins)
  • Install Sun Application Server 9.1 U2 with JDK 1.5.0
  • Configure Postgres (it's pre-installed with Solaris OS)
  • Install Mobile Communications binary
2. Admin configuration is intuitive (<>
  • This is something I like very much. You do not need a manual to complete administrative configuration. Most application software should be designed as such.
3. User handset configuration takes some time initially
  • This is where I'm stuck for a fairly long time. As I'm using Nokia E71 to test, there isn't any documentation for it. I did a fair bit of trial-n-error.
  • But once you get the right configuration, synchronization is a breeze. Really nice!

Special Note:
  1. If you install Sun Application Server 9.1 U2, do remember to use JDK 1.5.0. I use JDK 1.5.0_14. Do not use JDK 1.6.0, it does not work! (I tried)
  2. When configuring Sync in E71, key in http://ip-address/sync/. "/sync/" is required. (Even if your port is not 80. Ours is port 81. Kind of weird!)  
  3. Remote database for Contacts should be "Contacts"
  4. Remote database for Calendar should be "Calendar"
  5. There's no Tasks in E71. (Will "Notes" works? I do not know) 

Overall, I'm a happy customer. I'll fully test the software for 90 days (free trial). Not forgetting, I'll have to download Synchronica Mobile Gateway Enterprise Edition to test if there's any difference. I bet it will.


Thursday, July 2, 2009

Funambol installation

We intend to install Funambol Forge to offer the service for our customers.

Installation is a breeze. It's done within 5 mins.

$ chmod 700 funambol-7.1.1.bin
$ ./funambol-7.1.1.bin

Do you agree to the above license terms? [yes or no]
Directory to extract Funambol [/opt] ?

Extracting... to /opt/Funambol

Do you want to start the server? [yes or no]

Done. Configuring is another story ...

Grace login for expired password

My thai customer chatted me today. He explained that the password policy which we implemented some time back is such that user's password will expire every 30 days (typical of a bank). Once the password expires, user will not be allowed to login.

Now, he wants a feature such that there is a grace login limit such that even though password has expired, the Sun Directory Server still allows authentication to pass through.

Well, this request can be easily fulfilled with Sun Directory Server 6.2 onwards. The latest release implements New Password Policy - one of it being 

A grace login limit, specified by the pwdGraceAuthNLimit attribute. This attribute specifies the number of times an expired password can be used to authenticate. If it is not present or if it is set to 0, authentication will fail.

However, do note that the compatibility mode needs to set to DS6-mode. By default, Sun Directory Server 6.x comes installed with DS5-compatible-mode.

Exchange System Manager crashes when Help is accessed

My customer (the Singapore ministry one) called again today. It's regarding his newly migrated Exchange Server 2003. (Yes, 2003, not 2007. He's afraid to upgrade. I do not know why)

Today, the complain was that whenever he spawns the Exchange System Manager and accesses the Help, the ESM will crash. I asked him to try the ESM on the old Exchange Server. No problem, he said. 

Hmm.. How can that be? I had ensure both ESM and Exchange are of the same patch level before I left.

After some investigation, we found out that the only difference between the 2 Exchange servers is the IE version. The old server has IE 6, while the new server has IE 7. A quick search in Microsoft Knowledge-Base pointed to 

A conflict between the newer version of the Psapi.dll file that Internet Explorer 7 uses and the older version that Exchange System Manager uses

I'm left wondering why can't there be a hotfix for Exchange Server 2003 such that all cumulative fixes for bugs or conflicting .dll be packaged and released to all Exchange customers. 

This will save us a lot of time debugging.

Wednesday, July 1, 2009

SMTP Connector Delivery Restrictions on Microsoft Exchange 2003

The company I work for focuses on Portal, Messaging, and Identity. While we implement a lot of solutions based on Sun technology, we do provide consultation and deploy technology from other vendors. 

As long as it's Portal, Messaging and Identity.

For messaging alone, we are pretty comfortable with Sun Java System Messaging Server, Microsoft Exchange, Zimbra, Postfix and Sendmail

Personally, I prefer Postfix over Sendmail. Our company used to provide email hosting based on Postfix, until we switched to Sun Messaging Server some time back. 

Interestingly enough, a teleco in Singapore is using Sendmail as their MTA with Exchange as their backend. I configured the Sendmail for them, with integration to TrendMicro Anti-Virus/Anti-Spam engine.

As for Microsoft Exchange, I start to like it with Exchange 2007 onwards. I like the architecture for the new releases. I can't say the same about Exchange 2000/2003 though. :)

Anyway, I received a call from my customer (a ministry) that the Delivery Restrictions on their newly migrated Exchange Server 2003 is not working. As they have not purchased a support contract with us, we are not able to make a trip on-site to quickly resolve the issue.

It took quite a while to pin-point what had actually gone wrong remotely. It turned out that a registry key was not turned on while the migration was carried out. It was a rather rush job then. See here for detailed information.

Connector restriction checking is turned off by default because it can significantly affect performance to expand distribution groups and check the restrictions for each message that passes through the system. If possible, turn on this setting on where it is necessary (for example, on the bridgehead server for the restricted connector).


On the Edit menu, click Add Value, and then add the following registry value:
Value Name: CheckConnectorRestrictions
Data Type: REG_DWORD
Radix: Hexadecimal
Value: 1

It slipped my mind then. 

But come to think of it again, isn't Microsoft all about user-friendliness?

Why is there no warning message after the "OK" button is clicked? Or at least an instruction to modify the registry right on top of the "OK" button? :)