Search indexing could create fear at times

A long-time friend of mine told me something that amused me. The church that he attends was looking for a mail hosting solution. Being a technologist, he suggested Google Apps as it's free and thus cost-saving for the church.

Oh no, Gmail? No, no ... we should not use Gmail. It indexes the emails that are in our mailboxes. Others might accidentially read our emails if they search for them!

Sometimes, it's hard to explain to the layman how high-tech innovation like Gmail works.

:)

On a more serious note, we being technologists should try our best to explain technology in simpler term. Otherwise, customers see no value in spending with us.

OpenMail.SG - rebrand

I met up with a friend few days back. I told him our OpenMail.SG has a new look-and-feel. It's a rebranding exercise to attract even more customers.

He asked about the business model of OpenMail.SG. In brief, I told him we are no different from what Gmail or Yahoo provides, except:

1. We are a phone-call away (especially for the non-technicals);
2. We provide mostly for the Singapore corporates (especially for the SMEs);
3. We know our product (we are the Sun product specialists)

We need to be a little different and we better be best in our differentiators.

We believe the pie is always big enough for everyone.

Even with tough competition from Google Apps, there is a segment where customers still prefer personal service ("warm" phone call, rather than "cold" email correspondences).

We also concentrate our effort in the Singapore SME (Small-Medium Enterprises) market. This is the market that requires a service provider that can explain the various technologies in simpler terms for them. (You'll be surprised they do not even know what "domain name" means)

Lastly, we know our product! We have been providing Professional Services on behalf of Sun Microsystems for the past 5 years. We are especially strong in Portal, Messaging and Identity.

We could have easily provide our customers with Fedorda/SendMail/SquirrelMail combination. ROI would have be much higher. However, we are not value-adding to our customers.

That is why we deploy what we think is best-of-breed product for our customers - Solaris/Sun Java System Communications Suite. (which comes with 2 choices of Webmail - Communications Express or Sun Convergence).

More costly setup but if this is what our customers are looking for, we are game for it!

A happy customer will refer 2 more potential customers ... and the maths continues ....

Syntergy Replicator for SharePoint

Syntergy has a nice product called Replicator for SharePoint. If your company has branches around the world, this Replicator becomes useful.

Now, why?

From performance point of view, it is best to position a SharePoint server in each country where your office is located.

However, since each is standalone, documents cannot be shared across branches.

Here comes Replicator for SharePoint - it helps to sync your documents residing in the various SharePoint servers.

HAWKMail - if only the URL can be friendlier

I saw an article mentioning that a American college (HACC) has just migrated their mail system to Google Apps. I went to take a look since it's such a hype to adopt Google Apps these days.

Looks good. It makes business sense to migrate to Google Apps (or even Sun Java System Communications Suite :> ) if you manage a huge number of mailboxes. The operating cost per mailbox will drastically reduce.

Anyway, I scroll down and saw that to access HAWKMail, the URL is http://mail.HAWKMail.hacc.edu.

I went ahead to click on it. I was redirected to the customized login page on Gmail. I did not like what I saw. (".... www.google.com/a/hawkmail.hacc.edu....")

If only the URL can be rewritten to be privately labelled to HACC brand ...

That would be nice!

Sun’s Unique Business Model

Anyone ever wonder how can Open-Source sustain a vitable business? This is how Sun tries to do.

Is it a successful model after all?

Integrate Google Apps with BlackBerry Enterprise Server

We like what we see from the work from the Google team - they simply can make anything happen, if they want to.

Some of our customers run Google Apps and the higher management wants to continue to use their Blackberry. The connector has come timely.

Well done, Google!

Cacao MBean Server - No trusted certificate found

We are trying to set up a development environment to test a patch for Sun Portal Server 7.1.

(Yes, pretty old version. And yes, our company is pretty strict. If customer does not have a development/staging environment to test the new patch, we need to set it up in our office. Otherwise, it's a No-Go!)

Not smooth sailing... Encountered the following error:

bash-3.00# /opt/SUNWportal/bin/psconfig --config ps.xml 

Creating directory: /etc/opt/SUNWportal

Successfully created PSConfig.properties file

Copying config templates from: /opt/SUNWportal/template/config

Successfully created PortalDomainConfig.properties file

Validating the Input Config XML File

Configuring Cacao Agent for Portal Software

Configuring Derby Server Instance

Connecting to Cacao MBean Server

testportal

Configuration Failed : javax.management.remote.JMXProviderException: sun.security.validator.ValidatorException: No trusted certificate found

It must be Cacao again! I hate this "animal"! 

I suspect it's a certificate issue when I rename our Solaris OS hostname from testportal to portal.

Let's recreate the Cacao key again!

bash-3.00# cacaoadm stop

bash-3.00# cacaoadm create-keys --force

bash-3.00# cacaoadm start

Bingo! The configuration can now proceed ...

bash-3.00# /opt/SUNWportal/bin/psconfig --config ps.xml 

Successfully created PSConfig.properties file

Copying config templates from: /opt/SUNWportal/template/config

Successfully created PortalDomainConfig.properties file

Validating the Input Config XML File

Configuring Cacao Agent for Portal Software

Connecting to Cacao MBean Server

portal

Creating Portals

Successfully created Portal: myPortal

Messaging Server 64-bit Edition Is Better

With the release of Microsoft Exchange 2007 onwards, the production support is only on 64-bit platform. Reason is simple: 

To scale and to sustain heavier load, you need more RAM. Bigger mailboxes also require larger addressing space.

Sun recently advises its customers, who are on Message Server x86 32-bit platform, to migrate to 64-bit platform. Similar reasons given:

• Solves the problems with large store.idx files 
  
• Ability to run a reasonable number of imapd processes instead of running dozens of them.
  
• Better LDAP cache utilization
  

Older version of Java Enterprise System

We installed Java Enterprise System 5 few years back. Recently, we need to patch the Sun Portal component (Sun Portal 7.1). 

The customer has no Development environment, not even Staging. This is quite common in Asia, believe me. 

If you go to Sun Java Enterprise System website, you are only able to download the latest version of JES.  

We even went to the Sun Downloads A-Z site - no luck! 

It's pretty hard to locate older version of JES. It took me quite some time.

You actually need to go to Sun Java Enterprise System website, scroll down and pay attention to the right-hand side of the webpage. There is this section "Related Resources". 

Click on "Previous Version" will lead to the following page. 

Bingo!

Scalix Follow-Up Part I

Following my blog on Scalix Architecture, I pushed on for a quick install of the software. Installation of Scalix is easy, provided you have all the prerequisite packages already installed.

My initial impression, after installation, was not good. 

I hate pop-ups! Maybe it's just me.

How to verify Solaris Patch Level

We were trying to patch Sun Java System Portal Server for a customer. The latest patch required a certain Solaris Patch Level to be in-place.

To determine what Solaris patch you have installed, do the following:

# showrev -p

or

# patchadd -p

Cure for the common CRM - CureCRM

I bounced into this website accidentally last night and I was taken away. CureCRM is cool!

The features, when combined together in use, are really what business owners have been looking for.

1. Email-powered CRM - Cool!
   
2. Twitter Relationship Management - Innovative!
   
3. Automated sales scheduling assistant - Just a cron job, I think. Nothing fanciful.
   
4. Sales Productivity within Microsoft Outlook - Outlook is a must these days for most people
   
5. Close deals virtually anywhere - Mobile access in short.
   

What really caught my attention was how CureCRM went about pricing their hosted/cloud service.

Hmm ...  Personal Free with Tweet - what's that?

Great way of spreading the words around ... Cool!

 

Business model of a Zimbra Wrapper

I was initially amused with what MeritMail is offering. It is nothing interesting - just a Zimbra wrap. That was my conclusion if I see it from a standalone product viewpoint.

However, if you position it as a Total Solution or One-Stop Solution, then it starts to make sense. Take a look at MeritMail's feature list.

What interests me is:

MeritMail Leverages your existing Merit network connection

I think it's much easier to push a new solution onto an existing solid infrastructure. In this example, customers (mostly universities, I think)  who are already on Merit network will naturally incline to subscribe to MeritMail service. 

Easier to maintain the vendor relationship. Easier to raise a support case, if any. 

I would think it's easier to bargain for a cheaper price since there is definitely economy of scale managing data center/network/mail servers. 

Exchange with SendMail as MTA and MessageLabs as additional message filter

It is not uncommon to find an architecture like the one below:

I was involved with such deployment a year ago with a local corporation. The back-end is Microsoft Exchange.

Basically, there are 3 layers of messaging filtering:

1. MessageLabs Anti-Spam/Anti-Virus Filtering (Hosted/Cloud version)

2. TrendMicro InterScan Messaging Security Suite (In-house)

3. Symantec Mail Security for Exchange (In-house)

The primary idea behind choosing different vendors at different layers is to ensure that most (if not all) illegitimate emails are caught. 

This is what I call Total-Defense - you do not use the same key to lock all the doors in your house for convenience sake. 

Yes, I do agree that liaising with 3 different vendors is a nightmare. But for the sake of security, this is inevitable.

Ok, MessageLabs is now under Symantec umbrella. Maybe it's time to switch to Goggle Postini Service, or even ProofPoint SaaS Email Security Solutions. 

However, I am still not convinced with ProofPoint customer service support, especially in the APAC region.

Scalix Architecture

Our company is preparing a proof-of-concept for a upcoming tender. One component requires a dedicated mail server for mail corresponding and notifications/alert for a secured/intranet environment.

The user base is not huge. There are two products which are interesting - Zimbra and Scalix.

Both offers basic email and calendaring services (good enough for most usage). Easy to install for single-box deployment, yet able to scale when required.

Sun Java System Communications Suite will be an overkill for this tender. It can scale definitely. But for small deployment like this, it's better to keep things simple. (This has always been my working style.)

Today, I look into Scalix Architecture. Looks good.

Scalix is supposed to work very well with Outlook client (both email and calendar). I'm anxious to test it out personally.

The pluggable modules (for AV/AS especially) also look interesting. But I'll still need to find out how easy and well-intergated they are when I start installation and configuration. Hopefully it will be a nice experience.

Sun Portal Server - Authentication Failed

A local university has Sun Java System Portal Server 7.1 deployed. We are the vendor that helped with the deployment and maintenance. 

We got a call few days back. The customer was not able to login to Portal Server Console (aka /psconsole). I asked for the error message and was told "Authentication Failed" (Please reenter username and password).

Well, I was thinking: "Come on, please reenter the correct username and password. What is more difficult than this?"

The customer told me very firmly that he did keyed in the correct username and password. 

Ok, let's look at the logs then. 

appuser@portal1 # tail -100f portal.admin.console.0.0.log

[#|2009-08-13T13:06:58.079+0800|SEVERE|SJS Portal Server|debug.com.sun.portal.admin.console|ThreadID=246; ClassName=com.sun.portal.admin.console.common.PSBaseBean; MethodName=log; |Failed to authenticate with JMX Server: LoginBean.login()

javax.management.remote.JMXProviderException: Connection refused

        at com.sun.cacao.agent.impl.AbstractCacaoConnectorProvider.newJMXConnector(AbstractCacaoConnectorProvider.java:403)

Oh, that's easy.

root@portal1 # cacaoadm status

default instance is ENABLED at system startup. 

default instance is not running. 

Hmm.. why is CACAO agent not running? 

root@portal1 # cacaoadm start

root@portal1 # cacaoadm status

default instance is ENABLED at system startup. 

Smf monitoring process: 

22058

22059

Uptime: 0 day(s), 0:0

The solution is to start the CACAO agent and log-in is fine after that. 

Well, I must admit the error message is not friendly though. Hard for debugging.

Disable SSL port on Sun Directory Server - Take Note!

We received an email from the Security Team of a local university. We maintain the Sun Java System Portal Server for them.

They detected port 636 running and asked what it is used for. Hmm... it was enabled, by default, when Sun Java System Directory Server was installed. (FYI, Portal Server requires Directory Server as the data source)

Ok, it's our fault. We should have disabled it. Any port that is not in use should be disabled. Otherwise, the Security Team will not be happy.

That's easy.

• Navigate to the Security Tab.
• Uncheck SSL Encryption.
• Click Save.

On the Directory Servers Tab, it showed that the Secure Port 636 on both instances are disabled. I was happy.




Hmmm... I was not.



netstat was still showing port 636 to be running.


To ensure port 636 is disabled, do remember to RESTART the directory instances.

MessageLabs TLS support

I continued to read up more on TLS following up with my customer's query. I know their solution is fronted with MessageLabs Anti-Spam/Anti-Virus Filtering Service. 

So in order to turn-on TLS on Sendmail to receive in-coming mails, I need to find out whether or not MessageLabs supports TLS communication.

Yes, it does. Read here.

MessageLabs is using this bombastic term - Email Boundary Encryption Service (End-to-End TLS Email Encryption). Wow!

Oh ya, forget to mention, you need to pay extra for this service. Nothing is free in this world. :)

Sendmail Sentrion Gmail Security Appliance Solution for Google Apps

A long-time telco customer ping-ed me asking for my opinion on securing Sendmail with TLS. I helped deployed their load-balanced Sendmail nodes few years ago.

I started reading up on Securing Sendmail with TLS. Not too difficult to implement he wants to proceed with the idea.  

Then I came across a solution from Sendmail - Sendmail Sentrion Gmail™ Security Appliance Solution for Google Apps™. 

Read here for more details. 

  

Pretty interesting architecture. But ... will there be any taker? :) 

OpenLDAP on Solaris 10 - Persons and Roles

Yesterday, I posted a how-to article on OpenLDAP on Solaris 10. After installation completed, we created a simple company organizational structure as follows:

Suffix is dc=sg,dc=com. There is a People sub-suffix and a Roles sub-suffix. 

We created the Persons object under the People sub-suffix first. Then assign the Persons to each Role.

A LDIF file was created and ldapadd command was executed:

bash-3.00# /opt/openldap/bin/ldapadd -x -D "cn=Manager,dc=sg,dc=com" -w XXXXXX -f all.ldif

Sample LDIF file:

    all.ldif

    

    dn: dc=sg,dc=com

    dc: sg

    o: sg.com

    description: azlabs openldap

    objectClass: top

    objectClass: dcObject

    objectClass: organization

    

    dn: cn=Manager,dc=sg,dc=com

    objectclass: organizationalRole

    cn: Manager

    description: LDAP Directory Administrator

    

    dn: ou=people, dc=sg,dc=com

    ou: people

    description: All people in organisation

    objectclass: top

    objectclass: organizationalunit

    

    dn: uid=user1,ou=people,dc=sg,dc=com

    objectclass: top

    objectclass: organizationalPerson

    objectclass: inetOrgPerson

    cn: user1

    sn: user1

    uid: user1

    userpassword: sSmitH

    mail: user1@sg.com

    ou: IT

    

    dn: uid=user2,ou=people,dc=sg,dc=com

    objectclass: top

    objectclass: organizationalPerson

    objectclass: inetOrgPerson

    cn: user2

    sn: user2

    uid: user2

    userpassword: sSmitH

    mail: user2@sg.com

    ou: IT

    

    dn: uid=user3,ou=people,dc=sg,dc=com

    objectclass: top

    objectclass: organizationalPerson

    objectclass: inetOrgPerson

    cn: user3

    sn: user3

    uid: user3

    userpassword: sSmitH

    mail: user3@sg.com

    ou: IT

    

    dn: uid=user4,ou=people,dc=sg,dc=com

    objectclass: top

    objectclass: organizationalPerson

    objectclass: inetOrgPerson

    cn: user4

    sn: user4

    uid: user4

    userpassword: sSmitH

    mail: user4@sg.com

    ou: IT

    

    dn: uid=user5,ou=people,dc=sg,dc=com

    objectclass: top

    objectclass: organizationalPerson

    objectclass: inetOrgPerson

    cn: user5

    sn: user5

    uid: user5

    userpassword: sSmitH

    mail: user5@sg.com

    ou: IT

    

    dn: ou=Roles,dc=sg,dc=com

    objectclass: top

    objectclass: organizationalUnit

    ou: Roles

    

    # Define an Admin role.

    dn: cn=Admin,ou=Roles,dc=sg,dc=com

    objectClass: top

    objectClass: groupOfNames

    cn: Admin

    description: Admin role

    member: uid=user1,ou=People,dc=sg,dc=com

    

    # Define an Group1 role.

    dn: cn=Group1,ou=Roles,dc=sg,dc=com

    objectClass: top

    objectClass: groupOfNames

    cn: Group1

    description: Group1 role

    member: uid=user1,ou=People,dc=sg,dc=com

    member: uid=user2,ou=People,dc=sg,dc=com

    

    # Define an Group2 role.

    dn: cn=Group2,ou=Roles,dc=sg,dc=com

    objectClass: top

    objectClass: groupOfNames

    cn: Group2

    description: Group2 role

    member: uid=user1,ou=People,dc=sg,dc=com

    member: uid=user3,ou=People,dc=sg,dc=com

    member: uid=user4,ou=People,dc=sg,dc=com

    

    # Define an Group3 role.

    dn: cn=Group3,ou=Roles,dc=sg,dc=com

    objectClass: top

    objectClass: groupOfNames

    cn: Group3

    description: Group3 role

    member: uid=user1,ou=People,dc=sg,dc=com

    member: uid=user5,ou=People,dc=sg,dc=com

    

OpenLDAP on Solaris 10 - How To

We have a LifeRay Proof-of-Concept coming up. The customer is a local defense company. Their environment utilizes OpenLDAP at the moment. (Yes, I'm pushing hard for OpenDS deployment soon :>) 

We need LifeRay to authenticate with OpenLDAP.  Thus here I am - helping my team with getting an instance of OpenLDAP up on Solaris 10 x86 OS.

bash-3.00# cat /etc/release 

                        Solaris 10 5/08 s10x_u5wos_10 X86

           Copyright 2008 Sun Microsystems, Inc.  All Rights Reserved.

                        Use is subject to license terms.

                             Assembled 24 March 2008

Dependencies (Download from sunfreeware):

1. libiconv-1.11 

2. gcc-3.4.6

3. libgcc-3.4.6

4. db-4.4.20.NC 

5. sasl-2.1.21

6. openssl-0.9.8k

7. libtool-1.5.24

8. make-3.81

Note: Do not install the latest Berkeley DB 4.7.25 unless you know how to patch it. I'll give it a miss here since this OpenLDAP is only for our POC, not for production usage.

Package install for dependencies

bash-3.00# pkgadd -d libiconv-1.11-sol10-x86-local

bash-3.00# pkgadd -d gcc-3.4.6-sol10-x86-local   

bash-3.00# pkgadd -d libgcc-3.4.6-sol10-x86-local

bash-3.00# pkgadd -d db-4.4.20.NC-sol10-x86-local

bash-3.00# pkgadd -d sasl-2.1.21-sol10-x86-local 

bash-3.00# pkgadd -d openssl-0.9.8k-sol10-x86-local 

bash-3.00# pkgadd -d libtool-1.5.24-sol10-x86-local 

bash-3.00# pkgadd -d make-3.81-sol10-x86-local <- required for source compile

Note: When you package-add libgcc-3.4.6-sol10-x86-local, you'll encounter this error. Choose "n" will do.

    The following files are already installed on the system and are being

    used by another package:

      /usr/local/lib/libg2c.so.0.0.0

      /usr/local/lib/libgcc_s.so.1

      /usr/local/lib/libstdc++.so.6.0.3

    

    Do you want to install these conflicting files [y,n,?,q] n

Source Compile OpenLDAP 2.4.16 (Download source from here)

    bash-3.00# cd /openldap/openldap-2.4.16

Environment Setting

    bash-3.00# export CFLAGS="-D_AVL_H" 

    bash-3.00# export CPPFLAGS="-I/usr/local/include –I/usr/local/BerkeleyDB.4.4/include –I/usr/local/include/sasl –I/usr/sfw/include"

    bash-3.00# export LDFLAGS="-L/usr/local/lib –L/usr/local/BerkeleyDB.4.4/lib –L/usr/local/lib/sasl2 –L/usr/sfw/lib" 

    bash-3.00# export CC="/usr/local/bin/gcc"

    bash-3.00# export LD_LIBRARY_PATH=/usr/dt/lib:/usr/openwin/lib:/usr/local/BerkeleyDB.4.4/lib:/usr/local/lib:/usr/sfw/lib

    bash-3.00# export PATH=/usr/sbin:/usr/bin:/usr/local/bin:/usr/sfw/bin:/usr/ccs/bin

    bash-3.00# vi /etc/profile

export LOGNAME PATH <- default

PATH=$PATH:/usr/local/bin:/usr/sfw/bin:/usr/ccs/bin

export PATH

LD_LIBRARY_PATH=/usr/dt/lib:/usr/openwin/lib:/usr/local/BerkeleyDB.4.4/lib:/usr/local/lib:/usr/sfw/lib

export LD_LIBRARY_PATH

Configure

    bash-3.00# ./configure –-prefix=/opt/openldap --enable-monitor --enable-syslog

    bash-3.00# make depend

    bash-3.00# make

    bash-3.00# make test <- MUST complete succesfully; otherwise, do not continue

    bash-3.00# make install

    bash-3.00# vi /opt/openldap/etc/openldap/slapd.conf

include         /opt/openldap/etc/openldap/schema/core.schema <- default

include         /opt/openldap/etc/openldap/schema/cosine.schema

include         /opt/openldap/etc/openldap/schema/inetorgperson.schema

suffix            "dc=sg,dc=com"

rootdn          "cn=Manager,dc=sg,dc=com"

rootpw          secret <- leave as-is

        

Start OpenLDAP

    bash-3.00# /opt/openldap/libexec/slapd    

Stop OpenLDAP

    bash-3.00# /usr/bin/pkill slapd

Symantec Registration Server is down - Cannot imagine!

I was trying to install an evaluation copy of Symantec BrightMail Message Filter. The final step to get it run for 30-days trial was to register the eval-copy.

[root@mail bin]# /opt/symantec/sbas/Scanner/sbin/register.sh

Please enter the path to a valid license file: /tmp/13311525.slf

Connecting to Brightmail. This may take a few minutes.

Unable to communicate with Symantec to register. Please check your connection settings, and try again.

Registration Server returned: 503 Service Unavailable

I blogged and found out that the Registration Server URL is register.brightmail.com. So I thought maybe my machine could not resolve the FQDN.

[root@mail bin]# nslookup

> register.brightmail.com

Server: 192.168.0.54

Address: 192.168.0.54#53

Non-authoritative answer:

Name: register.brightmail.com

Address: 216.250.24.63

Name: register.brightmail.com

Address: 143.127.103.14

> exit

Hmm... it was able to resolve.

I could not believe this is happening. So I double-check using my browser.

Dispatcher versus Job Controller

One of my customers is driving me crazy. He is not able to differentiate the difference between a Dispatcher and a Job Controller in Sun Messaging Server MTA Architecture.

In layman term, a Dispatcher takes care of in-coming mails; whereas a Job Controller takes care of out-going mails. 

Isn't the architectural diagram clear enough?

For example, if the Sun Messaging Server needs to handle more load in receiving emails, then we need to tweak the configuration in dispatcher.cnf. e.g. increase number of processors/threads

In another scenario, if Sun Messaging Server is sending too many emails to a specific host/ISP (e.g. yahoo, hotmail) which subsequently rejects mails over a certain limit, then we need to tweak job_controller.cnf. e.g. decrease the rate at which emails get sent out from SJMS

Happy National Day!

Yes, I am proud being a Singaporean! Happy National Day!

Delivery Failure Notice and Retry Frequency

For any email system, the administrators are most concern about the safe delivery of emails. Otherwise, their job will not be safe. 

In Sun Java System Messaging Server, there are 2 channel keywords to pay attention to: "notices" and "backoff".

Notices refers to the Delivery Failure Notice:

Undeliverable messages are held in a given channel queue for specified amount of time before being returned to sender. In addition, a series of status/warning messages can be returned to the sender while Messaging Server attempts delivery. The amount of time and intervals between messages can be specified with the notices, nonurgentnotices, normalnotices, or urgentnotices keywords.

Backoff refers to retry frequency for undeliverable messages:

By default, the frequency of delivery retries for messages that have had delivery failures depends on the message’s priority. 

2 more things to note:

1. The notices unit is in days; while the backoff unit is in minutes

2. An email can be further classified as non-urgent, normal, urgent. Thus, you'll have nonurgentnotices, normalnotices, urgentnotices and nonurgentbackoff, normalbackoff, urgentbackoff.

Let's see an example:

defaults logging notices 1 2 4 7 copywarnpost copysendpost postheadonly noswitch channel immnonurgent maxjobs 7 defaulthost openmail.sg openmail.sg

• The above configuration for notices is declared in the defaults channel, which means this is the default system-wide setting. 
• Non-delivery notification will be sent to the originator every 1 day, 2 days, and 4 days. At the 7th day, the message will be returned to the originator and removed from the queue.
  

ims-ms defragment subdirs 20 notices 1 7 14 21 28 backoff "pt5m" "pt10m" "pt30m" "pt1h" "pt2h" "pt4h" maxjobs 2 pool IMS_POOL fileinto $U+$S@$D destinationspamfilter1optin spam

• The above configuration for backoff is declared in the ims-ms channel, which means this will affect the in-coming emails to our users' mailboxes. 
  
• Retry interval is set at 5 mins, then 10 mins, then 30 mins, then 1 hour, then 2 hours. At the 4th hour, the message will be returned to the originator with a delivery failure notification. 

The most common query I have from customers is: 

What happens when the limit is reached? 

That is what their bosses want to know, so they need to know so as to preempt. The answer is simple: the original message will be bounced back to the originator/sender. There is no such thing as silence removal of messages, so no worries. Life is good!

By the way, the configuration for the above is to be modified in imta.cnf.

How to forward Postmaster emails to a valid user account?

A customer of mine called today to ask:

How to route the default Postmaster emails to a valid user account? This is because no one is currently monitoring the emails for Postmaster.

The customer has Sun Java System Messaging Server 7.0 U2 installed.

Not a difficult request. Here is what we can do to fulfill the requirement:

1. Log in to Delegated Administrator.
2. Navigate to the default domain and select the Groups tab.
3. You'll see the Postmaster being defined as a group.
4. Click on Postmaster hyperlink.



5. Scroll down until the Mail Service Details.
6. Key in a valid user email address (e.g. noc@abc.com) in External Members section.



Done. Simple.

OpenMail Architecture

Some people have asked for an architectural diagram of our OpenMail.SG solution. Here we go:

Key Features

• Flexible 2nd layer of anti-spam/anti-virus hosted security protection (Google Postini, TrendMicro IMHS, IronPort, MessageLabs)
  
• Mobile Synchronization (Sun Java Mobile Communications Server)
  
• Calendar Access (for Premium customers)
• WebMail Access

Logical Component Diagram as below:

Why TrendMicro IMHS is dropped? -Review 2!!

Looks good... The daily Quarantine Summary is coming.... Finally!

I am currently evaluating Symantec BrightMail Message Filter for integration with Sun Java System Messaging Server. 

There is this little diagram which interests me - Suggested Quarantine Deployment Timeline.

This is another similar Opt-In approach which I was very much against with, as mentioned in my previous post.

I am still preaching that all emails (legitimate or not) must be made available for users. They themselves then decide whether or not to delete the emails.

  

Why TrendMicro IMHS is dropped? -Review!!

In my 3rd post on why TrendMicro IMHS was dropped, I mentioned the importance of visibility of the quarantined messages, especially in a hosted security solution. 

I still cannot believe that TrendMicro's hosted security solution is that bad, because I have very good impression of their technical support when my previous company used OfficeScan Client-Server Suite.

I must admit TrendMicro technical support is one of the better ones. 

So, I decided to conduct a review. 

I was saying the end-user Message Center was always empty for a particular user who we are very sure that his account receives a lot of spam emails daily. 

Yesterday, I log into the Administrator Console again. I clicked on Policy and bingo! I then realized most of the Action have been set to "Delete", by default, including Spam or Phish. No wonder no quarantined email was found for that user. 

So I went ahead to modify the Action from "Delete" to "Quarantine".

This morning, I checked the Message Center again. Yeah! The quarantined emails are shown.

Hmm... now I am left wondering why Spam or Phish emails are deleted by default. It's back to "Opt-In or Opt-Out" rule. I would say for emails, it should be a Opt-Out, rather than Opt-In. Why do you say?