Directory Server SSL Certificate

Recently I added an article about the SSL configuration of Sun Java Communications Suite components (link).
Today I want to extend it with the Directory Server SSL preparation.

DS comes with a self-signed certificate (valid for a period of three months). Its name is defaultCert, and by default it allows secure connections through port 636.
It is stored in the alias directory under the instance path:

book [/]# ls /instances/ds1/alias
certmap.conf secmod.db slapd-cert8.db slapd-key3.db

book [/instances/ds1/alias]# dsconf get-server-prop -D cn=dirmgr ssl-rsa-cert-name
Enter "cn=dirmgr" password:
ssl-rsa-cert-name : defaultCert

book [/]# /opt/SUNWdsee/ds6/bin/dsadm list-certs /instances/ds1/
Alias Valid from Expires on Self-signed? Issued by Issued to
----------- ---------------- ---------------- ------------ ----------------------------------------------------- --------------
defaultCert 2009/03/18 12:28 2009/06/18 12:28 y CN=book,CN=636,CN=Directory Server,O=Sun Microsystems Same as issuer
1 certificate(s) found

book [/instances/ds1/alias]# /usr/sfw/bin/certutil -L -P slapd- -d .
defaultCert CTu,u,u

But I want to use the same certificate as the other COMMS components, Server-Cert, issued by a CA.

book [/instances/ds1/alias]# dsadm import-cert /instances/ds1/ /root/SSL/VeriSign.cert.pkcs12
Enter the PKCS#12 file password:
The Directory Server will need to be restarted before being able to use the new certificate.
book [/instances/ds1/alias]# dsadm stop /instances/ds1
Directory Server instance '/instances/ds1' stopped
book [/instances/ds1/alias]# dsadm start /instances/ds1
Directory Server instance '/instances/ds1' started: pid=25150
book [/instances/ds1/alias]# /usr/sfw/bin/certutil -L -P slapd- -d .
defaultCert CTu,u,u
Server-Cert u,u,u

Now I have to change the default RSA certificate name within the DS configuration:

book [~]# dsconf set-server-prop -p 389 -D cn=dirmgr ssl-rsa-cert-name:Server-Cert
Enter "cn=dirmgr" password:
Before setting SSL configuration, export Directory Server data.
Do you want to continue [y/n] ? y
Directory Server must be restarted for changes to take effect.

Restart DS one more time.

That's all folks.

book [~]# dsconf get-server-prop -p 389 -D cn=dirmgr ssl-rsa-cert-name
Certificate "CN=[...]" presented by the server is not trusted.
Type "Y" to accept, "y" to accept just once, "n" to refuse, "d" for more details: Y
Enter "cn=dirmgr" password:
ssl-rsa-cert-name : Server-Cert


Forward mappings

The configuration presented here gathers messages matching a specified address pattern into a given mail account.
The example below is based on the destination address, but it can easily be changed to be source-based.

Sun Java Messaging Server allows the use of the FORWARD mapping table and the FORWARD lookup table.
I will focus on the FORWARD mapping table. Its use is disabled by default, so before I can go further I have to enable it with the USE_FORWARD_DATABASE option in the option.dat file.

USE_FORWARD_DATABASE can take one of three values. The meaning is as follows:

  • 1 - use forward database
  • 8 - use forward database entries with a specified channel
  • 16 - use forward mapping table entries with a specified channel

To get the pieces together I've used 16, so:


To let the Messaging Server keep all messages addressed to prefix-* on the wisnios@wisnios.com account, add the following to your mappings file:


! Format for channel specific forward mapping entries
! src-channel|source-address|original-address changed-address
*|*|prefix-*@wisnios.com $D$H$Ywisnios@wisnios.com

I assumed the first * (asterisk) would be tcp_local, but that is not true.
A simple test with imsimta test -rewrite -debug prefix-test@wisnios.com shows that the message uses the l channel:

12:41:14.65: Applying forward mapping to: l|postmaster@book.entic.net|prefix-test@wisnios.com
12:41:14.65: Matched, result is: wisnios@wisnios.com

The second field can be used as an additional pattern filter based on the sender address or its domain part.
In my example it is also an asterisk.

The third field does the trick.

$D - run the rewrite process one more time (without this flag the mapping will fail)
$H - do not check any other forward lookup table or FORWARD mapping entries (optional with this single entry)
$Y - use the specified address as the new one (required)

So, let's try:

book [/]# imsimta test -mapping -debug
Enter table name: FORWARD
Input string: tcp_local|wisnios@gmail.com|prefix-test@wisnios.com
13:00:03.39: Mapping 6 applied to tcp_local|wisnios@gmail.com|prefix-test@wisnios.com
13:00:03.39: Entry #1 matched, pattern "*|*|prefix-*@wisnios.com", template "$D$H$Ywisnios@wisnios.com", match #0.
13:00:03.39: New target "wisnios@wisnios.com"
13:00:03.39: Exiting...
13:00:03.39: Final result "wisnios@wisnios.com"
Output string: wisnios@wisnios.com
Output flags: [0, 'D' (68), 'H' (72), 'Y' (89)]
Input string:

The last bastion was the imsimta command itself.
After the configuration changes I ran imsimta cnbuild && imsimta reload.
That was a mistake.
It lets imsimta test -rewrite complete successfully, but incoming messages to prefix-something are rejected with:
550 5.1.1 unknown or illegal alias: prefix-something@wisnios.com

To make everything work smoothly, run imsimta restart after the job completes.

To test this configuration I've used:

Sun Java(tm) System Messaging Server 6.3-2.01 (built Jun 13 2007; 64bit)
libimta.so 6.3-2.01 (built 00:30:08, Jun 13 2007; 64bit)


Summary of the mail traffic size

Today I've written a handy one-liner to get a summary of mail traffic size for the current or yesterday's log period.
Sun Java Messaging Server records the size (sz) of every message in blocks, according to the MTA BLOCK_SIZE option (default value: 1024 bytes), so in kilobytes by default.

For example, to get yesterday's total size of messages sent to domain.com (single-tiered architecture):

sed '/tcp_local.*ims-ms.*domain.com/p;d' mail.log_yesterday | awk '{ SIZE+=$6 } END { print SIZE/1024 }'

The returned value is in MB.

For a similar check in a front-end/back-end (two-tiered) scenario with LMTP, and for the current log file:

sed '/tcp_local.*tcp_lmtpcs.*domain.com/p;d' mail.log_current | awk '{ SIZE+=$6 } END { print SIZE/1024 }'

For outbound messages I've used the tcp_auth channel name as the distinguishing mark:

# sed '/tcp_auth.*wisnios.com/p;d' mail.log_yesterday | awk '{ SIZE+=$6 } END { print SIZE/1024 }'
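The one-liners above match the channel names and the domain anywhere in the line, so a message whose sender is in domain.com is counted as inbound too. This added example (my own script, not from the original post) keys on the mail.log field positions instead and makes BLOCK_SIZE a parameter; the log layout and the sample lines are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: sum mail.log traffic by
# channel pair and address domain. It keys on field positions instead of
# a whole-line regex, so a sender in domain.com is not counted as inbound.
# Assumed (constructed) mail.log enqueue layout:
#   date time src-channel dst-channel E size(blocks) sender rfc822;recipient ...
# Dequeue (D) records list a single channel and have shifted fields,
# so only the E record of each message is counted.

# Usage: mail_traffic_mb LOGFILE SRC_CHANNEL DST_CHANNEL sender|rcpt DOMAIN [BLOCK_SIZE]
mail_traffic_mb() {
    awk -v src="$2" -v dst="$3" -v who="$4" -v dom="$5" -v bs="${6:-1024}" '
        BEGIN { f = (who == "sender") ? 7 : 8; suffix = "@" dom }
        $3 == src && $4 == dst && $5 == "E" &&
        substr($f, length($f) - length(suffix) + 1) == suffix { blocks += $6 }
        END { printf "%.2f\n", blocks * bs / 1048576 }
    ' "$1"
}

# Constructed sample log: two inbound messages to domain.com (4096 blocks),
# one local delivery whose sender is in domain.com, one outbound via tcp_auth.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
18-Mar-2009 12:41:14.65 tcp_local ims-ms E 1024 alice@gmail.com rfc822;bob@domain.com bob@ims-ms-daemon
18-Mar-2009 12:41:15.10 ims-ms D 1024 alice@gmail.com rfc822;bob@domain.com bob@ims-ms-daemon
18-Mar-2009 12:42:02.33 tcp_local ims-ms E 3072 carol@example.org rfc822;dave@domain.com dave@ims-ms-daemon
18-Mar-2009 12:43:10.00 tcp_local ims-ms E 512 bob@domain.com rfc822;eve@example.org eve@ims-ms-daemon
18-Mar-2009 12:44:00.00 tcp_auth tcp_local E 2048 bob@domain.com rfc822;frank@example.net frank@example.net
EOF

# Inbound to domain.com and outbound from domain.com, in MB
mail_traffic_mb "$SAMPLE_LOG" tcp_local ims-ms rcpt domain.com
mail_traffic_mb "$SAMPLE_LOG" tcp_auth tcp_local sender domain.com
```

Point it at mail.log_yesterday or mail.log_current instead of the sample file, and pass the BLOCK_SIZE from option.dat as the last argument if it is not the default.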


MTA log rotation for Messaging Server

Sun Java System Messaging Server does not rotate the log file of the MTA process, mail.log. There are only two steps of pseudo-rotation between the files mail.log_current, mail.log_yesterday and the mail.log "bucket".

Present activity is logged into mail.log_current. Its content is moved into mail.log_yesterday after one day.
After the next day it ends its rotation life inside the mail.log file, increasing that file's size.

To control the mail.log growth process I use the Solaris logadm tool.

book [/]# crontab -l
# Messaging Server MTA log rotation
0 0 * * 1 /usr/sbin/logadm -c -C 52 -t '$dirname/$basename.$n' /var/opt/sun/comms/messaging64/log/mail.log
book [/]#

Every Monday at 0:00 AM, logadm rotates the given log file. It copies the original file to the next available name with an increased version number ($basename.$n) and truncates the mail.log content to zero (-c). It keeps 52 rotated copies (-C 52) and removes the rest.