Monday, August 31, 2009

Search indexing could create fear at times




A long-time friend of mine told me something that amused me. The church that he attends was looking for a mail hosting solution. Being a technologist, he suggested Google Apps as it's free and thus cost-saving for the church.

Oh no, Gmail? No, no ... we should not use Gmail. It indexes the emails that are in our mailboxes. Others might accidentally read our emails if they search for them!

Sometimes, it's hard to explain to the layman how high-tech innovation like Gmail works.

:)

On a more serious note, we, being technologists, should try our best to explain technology in simpler terms. Otherwise, customers see no value in spending with us.



Sunday, August 30, 2009

OpenMail.SG - rebrand



I met up with a friend a few days back. I told him our OpenMail.SG has a new look-and-feel. It's a rebranding exercise to attract even more customers.

He asked about the business model of OpenMail.SG. In brief, I told him we are no different from what Gmail or Yahoo provides, except:

  1. We are a phone-call away (especially for the non-technicals);
  2. We provide mostly for the Singapore corporates (especially for the SMEs);
  3. We know our product (we are the Sun product specialists)

We need to be a little different, and we had better be the best in our differentiators.


We believe the pie is always big enough for everyone.

Even with tough competition from Google Apps, there is a segment where customers still prefer personal service ("warm" phone call, rather than "cold" email correspondences).

We also concentrate our effort in the Singapore SME (Small-Medium Enterprises) market. This is the market that requires a service provider that can explain the various technologies in simpler terms for them. (You'll be surprised they do not even know what "domain name" means)

Lastly, we know our product! We have been providing Professional Services on behalf of Sun Microsystems for the past 5 years. We are especially strong in Portal, Messaging and Identity.

We could easily have provided our customers with a Fedora/SendMail/SquirrelMail combination. ROI would have been much higher. However, we would not be adding value for our customers.

That is why we deploy what we think is the best-of-breed product for our customers - Solaris/Sun Java System Communications Suite (which comes with 2 choices of Webmail - Communications Express or Sun Convergence).





More costly setup but if this is what our customers are looking for, we are game for it!

A happy customer will refer 2 more potential customers ... and the maths continues ....

Saturday, August 29, 2009

Syntergy Replicator for SharePoint




Syntergy has a nice product called Replicator for SharePoint. If your company has branches around the world, this Replicator becomes useful.

Now, why?

From a performance point of view, it is best to position a SharePoint server in each country where your office is located.

However, since each is standalone, documents cannot be shared across branches.

Here comes Replicator for SharePoint - it helps to sync your documents residing in the various SharePoint servers.


Friday, August 28, 2009

HAWKMail - if only the URL can be friendlier



I saw an article mentioning that an American college (HACC) has just migrated their mail system to Google Apps. I went to take a look since it's such a hype to adopt Google Apps these days.


Looks good. It makes business sense to migrate to Google Apps (or even Sun Java System Communications Suite :> ) if you manage a huge number of mailboxes. The operating cost per mailbox will drastically reduce.

Anyway, I scrolled down and saw that to access HAWKMail, the URL is http://mail.HAWKMail.hacc.edu.



I went ahead to click on it. I was redirected to the customized login page on Gmail. I did not like what I saw. (".... www.google.com/a/hawkmail.hacc.edu....")





If only the URL can be rewritten to be privately labelled to HACC brand ...

That would be nice!



Thursday, August 27, 2009

Sun’s Unique Business Model


Anyone ever wonder how Open-Source can sustain a viable business? This is how Sun tries to do it.


Is it a successful model after all?


Wednesday, August 26, 2009

Integrate Google Apps with BlackBerry Enterprise Server

We like what we see from the work from the Google team - they simply can make anything happen, if they want to.


Some of our customers run Google Apps and the higher management wants to continue to use their Blackberry. The connector has come timely.

Well done, Google!


Tuesday, August 25, 2009

Cacao MBean Server - No trusted certificate found


We are trying to set up a development environment to test a patch for Sun Portal Server 7.1.

(Yes, a pretty old version. And yes, our company is pretty strict. If the customer does not have a development/staging environment to test the new patch, we need to set it up in our office. Otherwise, it's a No-Go!)

Not smooth sailing... Encountered the following error:

bash-3.00# /opt/SUNWportal/bin/psconfig --config ps.xml 
Creating directory: /etc/opt/SUNWportal
Successfully created PSConfig.properties file
Copying config templates from: /opt/SUNWportal/template/config
Successfully created PortalDomainConfig.properties file
Validating the Input Config XML File
Configuring Cacao Agent for Portal Software
Configuring Derby Server Instance
Connecting to Cacao MBean Server
testportal
Configuration Failed : javax.management.remote.JMXProviderException: sun.security.validator.ValidatorException: No trusted certificate found

It must be Cacao again! I hate this "animal"! 

I suspect it's a certificate issue from when I renamed our Solaris OS hostname from testportal to portal.

Let's recreate the Cacao key again!

bash-3.00# cacaoadm stop
bash-3.00# cacaoadm create-keys --force
bash-3.00# cacaoadm start

Bingo! The configuration can now proceed ...

bash-3.00# /opt/SUNWportal/bin/psconfig --config ps.xml 
Successfully created PSConfig.properties file
Copying config templates from: /opt/SUNWportal/template/config
Successfully created PortalDomainConfig.properties file
Validating the Input Config XML File
Configuring Cacao Agent for Portal Software
Connecting to Cacao MBean Server
portal
Creating Portals
Successfully created Portal: myPortal




Monday, August 24, 2009

Messaging Server 64-bit Edition Is Better



From Microsoft Exchange 2007 onwards, production support is only on the 64-bit platform. The reason is simple:

To scale and to sustain heavier load, you need more RAM. Bigger mailboxes also require larger addressing space.




Sun recently advised its customers who are on the Messaging Server x86 32-bit platform to migrate to the 64-bit platform. Similar reasons were given:

  • Solves the problems with large store.idx files 
  • Ability to run a reasonable number of imapd processes instead of running dozens of them.
  • Better LDAP cache utilization

Sunday, August 23, 2009

Older version of Java Enterprise System


We installed Java Enterprise System 5 a few years back. Recently, we needed to patch the Sun Portal component (Sun Portal 7.1).

The customer has no Development environment, not even Staging. This is quite common in Asia, believe me. 

If you go to Sun Java Enterprise System website, you are only able to download the latest version of JES.  



We even went to the Sun Downloads A-Z site - no luck! 




It's pretty hard to locate an older version of JES. It took me quite some time.

You actually need to go to Sun Java Enterprise System website, scroll down and pay attention to the right-hand side of the webpage. There is this section "Related Resources". 



Clicking on "Previous Version" will lead to the following page.



Bingo!

Saturday, August 22, 2009

Scalix Follow-Up Part I



Following my blog on Scalix Architecture, I pushed on for a quick install of the software. Installation of Scalix is easy, provided you have all the prerequisite packages already installed.

My initial impression, after installation, was not good. 



I hate pop-ups! Maybe it's just me.


Friday, August 21, 2009

How to verify Solaris Patch Level



We were trying to patch Sun Java System Portal Server for a customer. The latest patch required a certain Solaris Patch Level to be in-place.

To determine what Solaris patch you have installed, do the following:

# showrev -p
or
# patchadd -p
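
To check specific prerequisites rather than reading the whole listing, the sketch below (an added example, not from the original post) tests required patch IDs against `showrev -p` output. The patch IDs in the sample are constructed, and counting an obsoleted patch as satisfied only at an equal or higher revision is a conservative assumption.

```sh
#!/bin/sh
# Constructed sample in the line format printed by `showrev -p` / `patchadd -p`.
# The patch IDs are made up for illustration.
sample_showrev() {
cat <<'EOF'
Patch: 900001-36 Obsoletes: 900010-30, 900011-04 Requires: 900020-13 Incompatibles: Packages: SUNWcsu, SUNWcsr
Patch: 900002-14 Obsoletes: 900012-07 Requires: 900001-36 Incompatibles: Packages: SUNWckr
Patch: 900003-03 Obsoletes: Requires: Incompatibles: Packages: SUNWjss
EOF
}

# patch_satisfied REQUIRED        (patch listing on stdin)
# Exit 0 when the base ID is installed at the required revision or later,
# or when an installed patch lists it under "Obsoletes:" at that revision
# or later. A patch that only appears under "Requires:" is NOT installed.
patch_satisfied() {
    awk -v req="$1" '
    BEGIN { split(req, r, "-"); base = r[1]; rev = r[2] + 0; ok = 0 }
    function check(p,   a) {
        if (split(p, a, "-") == 2 && a[1] == base && a[2] + 0 >= rev) ok = 1
    }
    $1 == "Patch:" {
        check($2)                       # the installed patch itself
        inobs = 0
        for (i = 3; i <= NF; i++) {     # patches it supersedes
            if ($i == "Obsoletes:") { inobs = 1; continue }
            if ($i == "Requires:") break
            if (inobs) { p = $i; sub(/,$/, "", p); check(p) }
        }
    }
    END { exit (ok ? 0 : 1) }'
}

# missing_patches LISTING REQUIRED...
# Prints every required patch that the listing does not satisfy.
# On a live host: missing_patches "$(showrev -p)" 900001-40 900002-14
missing_patches() {
    listing=$1; shift
    for req in "$@"; do
        printf '%s\n' "$listing" | patch_satisfied "$req" || printf '%s\n' "$req"
    done
}
```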


Thursday, August 20, 2009

Cure for the common CRM - CureCRM



I bounced into this website accidentally last night and I was taken away. CureCRM is cool!


The features, when combined together in use, are really what business owners have been looking for.

  1. Email-powered CRM - Cool!
  2. Twitter Relationship Management - Innovative!
  3. Automated sales scheduling assistant - Just a cron job, I think. Nothing fanciful.
  4. Sales Productivity within Microsoft Outlook - Outlook is a must these days for most people
  5. Close deals virtually anywhere - Mobile access in short.




What really caught my attention was how CureCRM went about pricing their hosted/cloud service.






Hmm ...  Personal Free with Tweet - what's that?




Great way of spreading the word around ... Cool!

 

Wednesday, August 19, 2009

Business model of a Zimbra Wrapper




I was initially amused with what MeritMail is offering. It is nothing interesting - just a Zimbra wrap. That was my conclusion if I see it from a standalone product viewpoint.

However, if you position it as a Total Solution or One-Stop Solution, then it starts to make sense. Take a look at MeritMail's feature list.

What interests me is:
MeritMail Leverages your existing Merit network connection

I think it's much easier to push a new solution onto an existing solid infrastructure. In this example, customers (mostly universities, I think) who are already on the Merit network will naturally be inclined to subscribe to the MeritMail service.

Easier to maintain the vendor relationship. Easier to raise a support case, if any. 

I would think it's easier to bargain for a cheaper price since there is definitely economy of scale managing data center/network/mail servers. 



Tuesday, August 18, 2009

Exchange with SendMail as MTA and MessageLabs as additional message filter

It is not uncommon to find an architecture like the one below:



I was involved with such deployment a year ago with a local corporation. The back-end is Microsoft Exchange.


Basically, there are 3 layers of messaging filtering:
1. MessageLabs Anti-Spam/Anti-Virus Filtering (Hosted/Cloud version)
2. TrendMicro InterScan Messaging Security Suite (In-house)
3. Symantec Mail Security for Exchange (In-house)


The primary idea behind choosing different vendors at different layers is to ensure that most (if not all) illegitimate emails are caught. 

This is what I call Total-Defense - you do not use the same key to lock all the doors in your house for convenience sake. 

Yes, I do agree that liaising with 3 different vendors is a nightmare. But for the sake of security, this is inevitable.


Ok, MessageLabs is now under the Symantec umbrella. Maybe it's time to switch to Google Postini Service, or even ProofPoint SaaS Email Security Solutions.

However, I am still not convinced with ProofPoint customer service support, especially in the APAC region.




Monday, August 17, 2009

Scalix Architecture

Our company is preparing a proof-of-concept for an upcoming tender. One component requires a dedicated mail server for mail correspondence and notifications/alerts for a secured/intranet environment.

The user base is not huge. There are two products which are interesting - Zimbra and Scalix.

Both offer basic email and calendaring services (good enough for most usage). Easy to install for single-box deployment, yet able to scale when required.

Sun Java System Communications Suite will be an overkill for this tender. It can scale definitely. But for small deployment like this, it's better to keep things simple. (This has always been my working style.)

Today, I look into Scalix Architecture. Looks good.


Scalix is supposed to work very well with Outlook client (both email and calendar). I'm anxious to test it out personally.


The pluggable modules (for AV/AS especially) also look interesting. But I'll still need to find out how easy and well-integrated they are when I start installation and configuration. Hopefully it will be a nice experience.


Sunday, August 16, 2009

Sun Portal Server - Authentication Failed

A local university has Sun Java System Portal Server 7.1 deployed. We are the vendor that helped with the deployment and maintenance. 

We got a call a few days back. The customer was not able to log in to Portal Server Console (aka /psconsole). I asked for the error message and was told "Authentication Failed" (Please reenter username and password).

Well, I was thinking: "Come on, please reenter the correct username and password. What is more difficult than this?"




The customer told me very firmly that he did key in the correct username and password.

Ok, let's look at the logs then. 


appuser@portal1 # tail -100f portal.admin.console.0.0.log

[#|2009-08-13T13:06:58.079+0800|SEVERE|SJS Portal Server|debug.com.sun.portal.admin.console|ThreadID=246; ClassName=com.sun.portal.admin.console.common.PSBaseBean; MethodName=log; |Failed to authenticate with JMX Server: LoginBean.login()
javax.management.remote.JMXProviderException: Connection refused
        at com.sun.cacao.agent.impl.AbstractCacaoConnectorProvider.newJMXConnector(AbstractCacaoConnectorProvider.java:403)

Oh, that's easy.

root@portal1 # cacaoadm status
default instance is ENABLED at system startup. 
default instance is not running

Hmm.. why is CACAO agent not running? 

root@portal1 # cacaoadm start
root@portal1 # cacaoadm status
default instance is ENABLED at system startup. 
Smf monitoring process: 
22058
22059
Uptime: 0 day(s), 0:0

The solution is to start the CACAO agent and log-in is fine after that. 

Well, I must admit the error message is not friendly though. Hard for debugging.
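
Both Cacao failures on this page ("Connection refused" here and "No trusted certificate found" in the psconfig post) surface as a JMXProviderException, so a small triage filter can turn the unfriendly message into the step each post ended up taking. This is an added example, not part of the original posts; the cause labels are names chosen here, and the sample lines are copied from the two posts.

```sh
#!/bin/sh
# Log lines copied from the "Authentication Failed" post.
sample_console_log() {
cat <<'EOF'
[#|2009-08-13T13:06:58.079+0800|SEVERE|SJS Portal Server|debug.com.sun.portal.admin.console|ThreadID=246; ClassName=com.sun.portal.admin.console.common.PSBaseBean; MethodName=log; |Failed to authenticate with JMX Server: LoginBean.login()
javax.management.remote.JMXProviderException: Connection refused
        at com.sun.cacao.agent.impl.AbstractCacaoConnectorProvider.newJMXConnector(AbstractCacaoConnectorProvider.java:403)
EOF
}

# Output lines copied from the psconfig post.
sample_psconfig_output() {
cat <<'EOF'
Connecting to Cacao MBean Server
testportal
Configuration Failed : javax.management.remote.JMXProviderException: sun.security.validator.ValidatorException: No trusted certificate found
EOF
}

# triage_jmx: log text on stdin.
# Prints one line per JMXProviderException: "<timestamp or -> <cause>: <next step>"
# The timestamp comes from the preceding "[#|timestamp|LEVEL|..." record header,
# because the exception itself is logged on the following line.
triage_jmx() {
    awk '
    index($0, "[#|") == 1 { split($0, f, /[|]/); ts = f[2] }
    /JMXProviderException/ {
        cause = "unclassified"; step = "read the full stack trace"
        if (index($0, "No trusted certificate found")) {
            # agent keys no longer trusted, as seen after the hostname rename
            cause = "cacao-keys-untrusted"
            step = "cacaoadm stop; cacaoadm create-keys --force; cacaoadm start"
        } else if (index($0, "Connection refused")) {
            # nothing is listening: the Cacao agent is not running
            cause = "cacao-agent-down"
            step = "cacaoadm status; cacaoadm start"
        }
        t = (ts == "" ? "-" : ts)
        print t, cause ":", step
        ts = ""
    }'
}
```

On the portal host, `tail -100 portal.admin.console.0.0.log | triage_jmx` gives the same classification for the live log.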

Saturday, August 15, 2009

Disable SSL port on Sun Directory Server - Take Note!

We received an email from the Security Team of a local university. We maintain the Sun Java System Portal Server for them.

They detected port 636 running and asked what it is used for. Hmm... it was enabled, by default, when Sun Java System Directory Server was installed. (FYI, Portal Server requires Directory Server as the data source)

Ok, it's our fault. We should have disabled it. Any port that is not in use should be disabled. Otherwise, the Security Team will not be happy.

That's easy.

  • Navigate to the Security Tab.
  • Uncheck SSL Encryption.
  • Click Save.



On the Directory Servers Tab, it showed that the Secure Port 636 on both instances is disabled. I was happy.




Hmmm... I was not.



netstat was still showing port 636 to be running.


To ensure port 636 is disabled, do remember to RESTART the directory instances.
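
The gap between what the console shows and what the host is actually listening on can be checked mechanically. The following is an added example (not from the original post) that assumes the Solaris `netstat -an -P tcp` column layout; the sample output and addresses are constructed.

```sh
#!/bin/sh
# Constructed `netstat -an -P tcp` excerpt: SSL disabled in the console,
# instances not yet restarted, so *.636 is still bound.
sample_netstat_before_restart() {
cat <<'EOF'
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.389                *.*                0      0 49152      0 LISTEN
      *.636                *.*                0      0 49152      0 LISTEN
      *.1636               *.*                0      0 49152      0 LISTEN
192.168.0.10.40122   192.168.0.20.636     49640      0 49640      0 ESTABLISHED
EOF
}

# The same host after the directory instances were restarted.
sample_netstat_after_restart() {
    sample_netstat_before_restart | grep -v ' \*\.636 '
}

# port_listening PORT   (netstat output on stdin)
# Matches only the local-address column of LISTEN rows, so port 1636 and an
# outbound connection to a remote port 636 do not count.
port_listening() {
    awk -v port="$1" '
    $NF == "LISTEN" {
        n = split($1, part, /\./)       # local address is "<addr>.<port>"
        if (part[n] == port) found = 1
    }
    END { exit (found ? 0 : 1) }'
}

# ldaps_port_state CONFIGURED PORT   (netstat output on stdin)
# CONFIGURED is "enabled" or "disabled", as shown in the admin console.
# Prints: open | closed | restart-pending | not-listening
# Live use: netstat -an -P tcp | ldaps_port_state disabled 636
ldaps_port_state() {
    if port_listening "$2"; then
        [ "$1" = disabled ] && echo restart-pending || echo open
    else
        [ "$1" = disabled ] && echo closed || echo not-listening
    fi
}
```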

Friday, August 14, 2009

MessageLabs TLS support

I continued to read up more on TLS following up with my customer's query. I know their solution is fronted with MessageLabs Anti-Spam/Anti-Virus Filtering Service. 

So in order to turn-on TLS on Sendmail to receive in-coming mails, I need to find out whether or not MessageLabs supports TLS communication.



Yes, it does. Read here.

MessageLabs is using this bombastic term - Email Boundary Encryption Service (End-to-End TLS Email Encryption). Wow!

Oh ya, forgot to mention, you need to pay extra for this service. Nothing is free in this world. :)



Thursday, August 13, 2009

Sendmail Sentrion Gmail Security Appliance Solution for Google Apps

A long-time telco customer ping-ed me asking for my opinion on securing Sendmail with TLS. I helped deploy their load-balanced Sendmail nodes a few years ago.

I started reading up on Securing Sendmail with TLS. Not too difficult to implement if he wants to proceed with the idea.

Then I came across a solution from Sendmail - Sendmail Sentrion Gmail™ Security Appliance Solution for Google Apps™

Read here for more details. 

  


Pretty interesting architecture. But ... will there be any taker? :) 


Wednesday, August 12, 2009

OpenLDAP on Solaris 10 - Persons and Roles

Yesterday, I posted a how-to article on OpenLDAP on Solaris 10. After installation completed, we created a simple company organizational structure as follows:



Suffix is dc=sg,dc=com. There is a People sub-suffix and a Roles sub-suffix. 

We created the Persons object under the People sub-suffix first, then assigned the Persons to each Role.

An LDIF file was created and the ldapadd command was executed:

    bash-3.00# /opt/openldap/bin/ldapadd -x -D "cn=Manager,dc=sg,dc=com" -w XXXXXX -f all.ldif

Sample LDIF file:

    all.ldif
    
    dn: dc=sg,dc=com
    dc: sg
    o: sg.com
    description: azlabs openldap
    objectClass: top
    objectClass: dcObject
    objectClass: organization
    
    dn: cn=Manager,dc=sg,dc=com
    objectclass: organizationalRole
    cn: Manager
    description: LDAP Directory Administrator
    
    dn: ou=people, dc=sg,dc=com
    ou: people
    description: All people in organisation
    objectclass: top
    objectclass: organizationalunit
    
    dn: uid=user1,ou=people,dc=sg,dc=com
    objectclass: top
    objectclass: organizationalPerson
    objectclass: inetOrgPerson
    cn: user1
    sn: user1
    uid: user1
    userpassword: sSmitH
    mail: user1@sg.com
    ou: IT
    
    dn: uid=user2,ou=people,dc=sg,dc=com
    objectclass: top
    objectclass: organizationalPerson
    objectclass: inetOrgPerson
    cn: user2
    sn: user2
    uid: user2
    userpassword: sSmitH
    mail: user2@sg.com
    ou: IT
    
    dn: uid=user3,ou=people,dc=sg,dc=com
    objectclass: top
    objectclass: organizationalPerson
    objectclass: inetOrgPerson
    cn: user3
    sn: user3
    uid: user3
    userpassword: sSmitH
    mail: user3@sg.com
    ou: IT
    
    dn: uid=user4,ou=people,dc=sg,dc=com
    objectclass: top
    objectclass: organizationalPerson
    objectclass: inetOrgPerson
    cn: user4
    sn: user4
    uid: user4
    userpassword: sSmitH
    mail: user4@sg.com
    ou: IT
    
    dn: uid=user5,ou=people,dc=sg,dc=com
    objectclass: top
    objectclass: organizationalPerson
    objectclass: inetOrgPerson
    cn: user5
    sn: user5
    uid: user5
    userpassword: sSmitH
    mail: user5@sg.com
    ou: IT
    
    dn: ou=Roles,dc=sg,dc=com
    objectclass: top
    objectclass: organizationalUnit
    ou: Roles
    
    # Define an Admin role.
    dn: cn=Admin,ou=Roles,dc=sg,dc=com
    objectClass: top
    objectClass: groupOfNames
    cn: Admin
    description: Admin role
    member: uid=user1,ou=People,dc=sg,dc=com
    
    # Define a Group1 role.
    dn: cn=Group1,ou=Roles,dc=sg,dc=com
    objectClass: top
    objectClass: groupOfNames
    cn: Group1
    description: Group1 role
    member: uid=user1,ou=People,dc=sg,dc=com
    member: uid=user2,ou=People,dc=sg,dc=com
    
    # Define a Group2 role.
    dn: cn=Group2,ou=Roles,dc=sg,dc=com
    objectClass: top
    objectClass: groupOfNames
    cn: Group2
    description: Group2 role
    member: uid=user1,ou=People,dc=sg,dc=com
    member: uid=user3,ou=People,dc=sg,dc=com
    member: uid=user4,ou=People,dc=sg,dc=com
    
    # Define a Group3 role.
    dn: cn=Group3,ou=Roles,dc=sg,dc=com
    objectClass: top
    objectClass: groupOfNames
    cn: Group3
    description: Group3 role
    member: uid=user1,ou=People,dc=sg,dc=com
    member: uid=user5,ou=People,dc=sg,dc=com
    

Tuesday, August 11, 2009

OpenLDAP on Solaris 10 - How To


We have a Liferay Proof-of-Concept coming up. The customer is a local defense company. Their environment utilizes OpenLDAP at the moment. (Yes, I'm pushing hard for OpenDS deployment soon :>)



We need Liferay to authenticate with OpenLDAP. Thus here I am - helping my team with getting an instance of OpenLDAP up on Solaris 10 x86 OS.



bash-3.00# cat /etc/release 
                        Solaris 10 5/08 s10x_u5wos_10 X86
           Copyright 2008 Sun Microsystems, Inc.  All Rights Reserved.
                        Use is subject to license terms.
                             Assembled 24 March 2008

Dependencies (Download from sunfreeware):

1. libiconv-1.11 
2. gcc-3.4.6
3. libgcc-3.4.6
4. db-4.4.20.NC 
5. sasl-2.1.21
6. openssl-0.9.8k
7. libtool-1.5.24
8. make-3.81


Note: Do not install the latest Berkeley DB 4.7.25 unless you know how to patch it. I'll give it a miss here since this OpenLDAP is only for our POC, not for production usage.


Package install for dependencies

bash-3.00# pkgadd -d libiconv-1.11-sol10-x86-local
bash-3.00# pkgadd -d gcc-3.4.6-sol10-x86-local   
bash-3.00# pkgadd -d libgcc-3.4.6-sol10-x86-local
bash-3.00# pkgadd -d db-4.4.20.NC-sol10-x86-local
bash-3.00# pkgadd -d sasl-2.1.21-sol10-x86-local 
bash-3.00# pkgadd -d openssl-0.9.8k-sol10-x86-local 
bash-3.00# pkgadd -d libtool-1.5.24-sol10-x86-local 
bash-3.00# pkgadd -d make-3.81-sol10-x86-local <- required for source compile

Note: When you package-add libgcc-3.4.6-sol10-x86-local, you'll encounter this error. Choosing "n" will do.
    The following files are already installed on the system and are being
    used by another package:
      /usr/local/lib/libg2c.so.0.0.0
      /usr/local/lib/libgcc_s.so.1
      /usr/local/lib/libstdc++.so.6.0.3
    
    Do you want to install these conflicting files [y,n,?,q] n

Source Compile OpenLDAP 2.4.16 (Download source from here)

    bash-3.00# cd /openldap/openldap-2.4.16

Environment Setting

    bash-3.00# export CFLAGS="-D_AVL_H" 
    bash-3.00# export CPPFLAGS="-I/usr/local/include -I/usr/local/BerkeleyDB.4.4/include -I/usr/local/include/sasl -I/usr/sfw/include"
    bash-3.00# export LDFLAGS="-L/usr/local/lib -L/usr/local/BerkeleyDB.4.4/lib -L/usr/local/lib/sasl2 -L/usr/sfw/lib"
    bash-3.00# export CC="/usr/local/bin/gcc"
    bash-3.00# export LD_LIBRARY_PATH=/usr/dt/lib:/usr/openwin/lib:/usr/local/BerkeleyDB.4.4/lib:/usr/local/lib:/usr/sfw/lib
    bash-3.00# export PATH=/usr/sbin:/usr/bin:/usr/local/bin:/usr/sfw/bin:/usr/ccs/bin

    bash-3.00# vi /etc/profile
    export LOGNAME PATH <- default
    PATH=$PATH:/usr/local/bin:/usr/sfw/bin:/usr/ccs/bin
    export PATH
    LD_LIBRARY_PATH=/usr/dt/lib:/usr/openwin/lib:/usr/local/BerkeleyDB.4.4/lib:/usr/local/lib:/usr/sfw/lib
    export LD_LIBRARY_PATH

Configure

    bash-3.00# ./configure --prefix=/opt/openldap --enable-monitor --enable-syslog
    bash-3.00# make depend
    bash-3.00# make
    bash-3.00# make test <- MUST complete successfully; otherwise, do not continue
    bash-3.00# make install

    bash-3.00# vi /opt/openldap/etc/openldap/slapd.conf
    include         /opt/openldap/etc/openldap/schema/core.schema <- default
    include         /opt/openldap/etc/openldap/schema/cosine.schema
    include         /opt/openldap/etc/openldap/schema/inetorgperson.schema

    suffix          "dc=sg,dc=com"
    rootdn          "cn=Manager,dc=sg,dc=com"
    rootpw          secret <- leave as-is
        

Start OpenLDAP
    bash-3.00# /opt/openldap/libexec/slapd    

Stop OpenLDAP
    bash-3.00# /usr/bin/pkill slapd
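
This POC keeps `rootpw secret` in slapd.conf and cleartext `userpassword` values in all.ldif (see the Persons and Roles post). Before such files are reused outside a lab, a quick audit shows which credentials are stored without a hash scheme. This is an added example, not from the original posts; the first LDIF entry and the slapd.conf lines are taken from the page, while the second entry is constructed with a placeholder in place of a hash.

```sh
#!/bin/sh
sample_ldif() {
cat <<'EOF'
dn: uid=user1,ou=people,dc=sg,dc=com
objectclass: inetOrgPerson
uid: user1
userpassword: sSmitH

dn: uid=user2,ou=people,dc=sg,dc=com
objectclass: inetOrgPerson
uid: user2
userPassword: {SSHA}PLACEHOLDER-NOT-A-REAL-HASH
EOF
}

sample_slapd_conf() {
cat <<'EOF'
suffix          "dc=sg,dc=com"
rootdn          "cn=Manager,dc=sg,dc=com"
rootpw          secret
EOF
}

# audit_ldif: LDIF on stdin (unfolded lines assumed).
# Attribute names are matched case-insensitively, as LDAP treats them.
#   cleartext <dn>      value has no {SCHEME} prefix, or uses {CLEARTEXT}
#   base64-review <dn>  value is base64 ("::"), decode it to see the scheme
audit_ldif() {
    awk '
    tolower($1) == "dn:" { dn = $0; sub(/^[^:]*:[ \t]*/, "", dn); next }
    tolower($1) == "userpassword::" { print "base64-review " dn; next }
    tolower($1) == "userpassword:" {
        if ($2 ~ /^[{][A-Za-z0-9-]+[}]/ && toupper($2) !~ /^[{]CLEARTEXT[}]/) next
        print "cleartext " dn
    }'
}

# audit_slapd_conf: slapd.conf on stdin; flags a rootpw without a {SCHEME} prefix.
audit_slapd_conf() {
    awk '$1 == "rootpw" && $2 !~ /^[{][A-Za-z0-9-]+[}]/ { print "cleartext rootpw line " NR }'
}
```

The `slappasswd` tool that ships with OpenLDAP prints a `{SSHA}` value that can replace the cleartext `rootpw` and `userpassword` values.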

Symantec Registration Server is down - Cannot imagine!

I was trying to install an evaluation copy of Symantec BrightMail Message Filter. The final step to get it running for the 30-day trial was to register the eval-copy.


[root@mail bin]# /opt/symantec/sbas/Scanner/sbin/register.sh
Please enter the path to a valid license file: /tmp/13311525.slf
Connecting to Brightmail. This may take a few minutes.
Unable to communicate with Symantec to register. Please check your connection settings, and try again.

Registration Server returned: 503 Service Unavailable

I blogged and found out that the Registration Server URL is register.brightmail.com. So I thought maybe my machine could not resolve the FQDN.

[root@mail bin]# nslookup
> register.brightmail.com
Server: 192.168.0.54
Address: 192.168.0.54#53

Non-authoritative answer:
Name: register.brightmail.com
Address: 216.250.24.63
Name: register.brightmail.com
Address: 143.127.103.14
> exit

Hmm... it was able to resolve.

I could not believe this was happening. So I double-checked using my browser.






Monday, August 10, 2009

Dispatcher versus Job Controller

One of my customers is driving me crazy. He is not able to differentiate between a Dispatcher and a Job Controller in the Sun Messaging Server MTA Architecture.




In layman's terms, a Dispatcher takes care of in-coming mails, whereas a Job Controller takes care of out-going mails.

Isn't the architectural diagram clear enough?

For example, if the Sun Messaging Server needs to handle more load in receiving emails, then we need to tweak the configuration in dispatcher.cnf, e.g. increase the number of processors/threads.

In another scenario, if Sun Messaging Server is sending too many emails to a specific host/ISP (e.g. yahoo, hotmail) which subsequently rejects mails over a certain limit, then we need to tweak job_controller.cnf, e.g. decrease the rate at which emails get sent out from SJMS.






Sunday, August 9, 2009

Saturday, August 8, 2009

Delivery Failure Notice and Retry Frequency

For any email system, the administrators are most concerned about the safe delivery of emails. Otherwise, their job will not be safe.

In Sun Java System Messaging Server, there are 2 channel keywords to pay attention to: "notices" and "backoff".

Notices refers to the Delivery Failure Notice:

Undeliverable messages are held in a given channel queue for specified amount of time before being returned to sender. In addition, a series of status/warning messages can be returned to the sender while Messaging Server attempts delivery. The amount of time and intervals between messages can be specified with the notices, nonurgentnotices, normalnotices, or urgentnotices keywords.

Backoff refers to retry frequency for undeliverable messages:

By default, the frequency of delivery retries for messages that have had delivery failures depends on the message’s priority. 

2 more things to note:

1. The notices unit is in days; while the backoff unit is in minutes

2. An email can be further classified as non-urgent, normal, urgent. Thus, you'll have nonurgentnotices, normalnotices, urgentnotices and nonurgentbackoff, normalbackoff, urgentbackoff.


Let's see an example:

defaults logging notices 1 2 4 7 copywarnpost copysendpost postheadonly noswitch channel immnonurgent maxjobs 7 defaulthost openmail.sg openmail.sg

  • The above configuration for notices is declared in the defaults channel, which means this is the default system-wide setting. 
  • Non-delivery notification will be sent to the originator every 1 day, 2 days, and 4 days. At the 7th day, the message will be returned to the originator and removed from the queue.

ims-ms defragment subdirs 20 notices 1 7 14 21 28 backoff "pt5m" "pt10m" "pt30m" "pt1h" "pt2h" "pt4h" maxjobs 2 pool IMS_POOL fileinto $U+$S@$D destinationspamfilter1optin spam


  • The above configuration for backoff is declared in the ims-ms channel, which means this will affect the in-coming emails to our users' mailboxes. 
  • Retry interval is set at 5 mins, then 10 mins, then 30 mins, then 1 hour, then 2 hours. At the 4th hour, the message will be returned to the originator with a delivery failure notification. 

The most common query I have from customers is: 

What happens when the limit is reached? 

That is what their bosses want to know, so they need to know so as to preempt. The answer is simple: the original message will be bounced back to the originator/sender. There is no such thing as silent removal of messages, so no worries. Life is good!


By the way, the configuration for the above is to be modified in imta.cnf.
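
To review these settings across many channels, the keyword values can be pulled out of the channel definitions and normalized. This is an added example, not from the original post; it parses the two channel lines quoted above, splits notices into warning days and the final return day as described for the defaults channel, and converts the backoff durations to minutes (hour and minute forms only, as used on this page).

```sh
#!/bin/sh
# The two channel definitions quoted in the post, one channel per line.
sample_channels() {
cat <<'EOF'
defaults logging notices 1 2 4 7 copywarnpost copysendpost postheadonly noswitch channel immnonurgent maxjobs 7 defaulthost openmail.sg openmail.sg
ims-ms defragment subdirs 20 notices 1 7 14 21 28 backoff "pt5m" "pt10m" "pt30m" "pt1h" "pt2h" "pt4h" maxjobs 2 pool IMS_POOL fileinto $U+$S@$D destinationspamfilter1optin spam
EOF
}

# channel_schedule: channel lines on stdin, prints per channel
#   <channel> notices warn-days=<d,...> return-day=<d>
#   <channel> backoff retry-minutes=<m,...>
# A duration that is not PT<n>H<n>M shows up as -1.
channel_schedule() {
    awk '
    function minutes(d,   total) {
        d = toupper(d); gsub(/"/, "", d)
        if (d !~ /^PT([0-9]+H)?([0-9]+M)?$/) return -1
        sub(/^PT/, "", d); total = 0
        if (match(d, /^[0-9]+H/)) {
            total += substr(d, 1, RLENGTH - 1) * 60
            d = substr(d, RLENGTH + 1)
        }
        if (match(d, /^[0-9]+M/)) total += substr(d, 1, RLENGTH - 1)
        return total
    }
    NF {
        chan = $1; warn = ""; ret = ""; back = ""
        for (i = 2; i <= NF; i++) {
            if ($i ~ /notices$/) {
                # numbers following the keyword: all but the last are warnings
                while ($(i + 1) ~ /^[0-9]+$/) {
                    i++
                    if (ret != "") warn = warn (warn == "" ? "" : ",") ret
                    ret = $i
                }
            } else if ($i ~ /backoff$/) {
                # quoted ISO 8601 durations following the keyword
                while ($(i + 1) ~ /^"/) {
                    i++
                    back = back (back == "" ? "" : ",") minutes($i)
                }
            }
        }
        if (ret != "")  print chan, "notices", "warn-days=" warn, "return-day=" ret
        if (back != "") print chan, "backoff", "retry-minutes=" back
    }'
}
```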


Friday, August 7, 2009

How to forward Postmaster emails to a valid user account?

A customer of mine called today to ask:

How to route the default Postmaster emails to a valid user account? This is because no one is currently monitoring the emails for Postmaster.


The customer has Sun Java System Messaging Server 7.0 U2 installed.

Not a difficult request. Here is what we can do to fulfill the requirement:

1. Log in to Delegated Administrator.
2. Navigate to the default domain and select the Groups tab.
3. You'll see the Postmaster being defined as a group.
4. Click on Postmaster hyperlink.



5. Scroll down to the Mail Service Details.
6. Key in a valid user email address (e.g. noc@abc.com) in the External Members section.



Done. Simple.

Thursday, August 6, 2009

OpenMail Architecture

Some people have asked for an architectural diagram of our OpenMail.SG solution. Here we go:

Key Features
  • Flexible 2nd layer of anti-spam/anti-virus hosted security protection (Google Postini, TrendMicro IMHS, IronPort, MessageLabs)
  • Mobile Synchronization (Sun Java Mobile Communications Server)
  • Calendar Access (for Premium customers)
  • WebMail Access




Logical Component Diagram as below:




Wednesday, August 5, 2009

Why TrendMicro IMHS is dropped? -Review 2!!

Looks good... The daily Quarantine Summary is coming.... Finally!





I am currently evaluating Symantec BrightMail Message Filter for integration with Sun Java System Messaging Server. 

There is this little diagram which interests me - Suggested Quarantine Deployment Timeline.



This is another similar Opt-In approach, which I was very much against, as mentioned in my previous post.

I am still preaching that all emails (legitimate or not) must be made available for users. They themselves then decide whether or not to delete the emails.
  

Tuesday, August 4, 2009

Why TrendMicro IMHS is dropped? -Review!!

In my 3rd post on why TrendMicro IMHS was dropped, I mentioned the importance of visibility of the quarantined messages, especially in a hosted security solution. 

I still cannot believe that TrendMicro's hosted security solution is that bad, because I have very good impression of their technical support when my previous company used OfficeScan Client-Server Suite.

I must admit TrendMicro technical support is one of the better ones. 

So, I decided to conduct a review. 

I was saying the end-user Message Center was always empty for a particular user whose account, we are very sure, receives a lot of spam emails daily.



Yesterday, I logged into the Administrator Console again. I clicked on Policy and bingo! I then realized most of the Actions had been set to "Delete" by default, including Spam or Phish. No wonder no quarantined email was found for that user.



So I went ahead to modify the Action from "Delete" to "Quarantine".






This morning, I checked the Message Center again. Yeah! The quarantined emails are shown.



Hmm... now I am left wondering why Spam or Phish emails are deleted by default. It's back to the "Opt-In or Opt-Out" rule. I would say for emails, it should be an Opt-Out, rather than Opt-In. What do you say?