TCP Access denied for user@Domain on a ims5.2 MMP

Hi,

I have an iMS5.2 hf 2.08 MMP ahead of a store of the same version, running on Solaris 8.

I installed a cert on the MMP through the console and tried to enable SSL for POP.

I configured the following:

AService.cfg

============

default:ServiceList /iplanet/ims52/bin/msg/mmp/lib/ImapProxyAService@143|993 /iplanet/ims52/bin/msg/mmp/lib/PopProxyAService@110|995

added 995 at the end

PopProxyAService.cfg

==================

# SSL configuration

default:SSLEnable yes

default:SSLPorts 995

default:SSLSecmodFile /iplanet/ims52/mmp-mta1/secmodule.db

default:SSLCertFile /iplanet/ims52/mmp-mta1/cert7.db

default:SSLKeyFile /iplanet/ims52/mmp-mta1/key3.db

default:SSLKeyPasswdFile /iplanet/ims52/mmp-mta1/sslpassword.conf

default:SSLCipherSpecs all

default:SSLCertNicknames Server-Cert

default:SSLCacheDir /iplanet/ims52/mmp-mta1/cache

default:SSLBacksidePort 0

I created links for cert/key/secmod files and created cache directory manually

-rwxr-x 1 mailsrv iplanet 36 Feb 13 2003 sslpassword.conf
-rwxr-x 1 mailsrv iplanet 5505 Feb 14 2003 PopProxyAService-def.cfg
-rwxr-x 1 mailsrv iplanet 5405 Feb 14 2003 ImapProxyAService-def.cfg
-rwxr-x 1 mailsrv iplanet 1470 Feb 14 2003 AService.rc
-rwxr-x 1 mailsrv iplanet 2280 Feb 14 2003 AService-def.cfg
-rw-r--r-- 1 mailsrv iplanet 2280 Feb 14 2003 AService.cfg.preperf
-rw-r--r-- 1 mailsrv iplanet 2280 Feb 14 2003 AService.cfg.bak
-rw-r--r-- 1 mailsrv iplanet 5407 Jun 2 2003 ImapProxyAService.cfg
-rwxr-x 1 mailsrv iplanet 7405 Jun 3 2003 SmtpProxyAService-def.cfg
-rw-r--r-- 1 mailsrv iplanet 2303 Sep 26 2005 AService.cfg_BeforeSSL
-rw-r--r-- 1 mailsrv iplanet 5506 Dec 18 01:23 PopProxyAService.cfg_BeforeSSL
lrwxrwxrwx 1 root other 30 Jan 4 15:23 secmodule.db -> /iplanet/ims52/alias/secmod.db
lrwxrwxrwx 1 root other 38 Jan 4 15:23 cert7.db -> /iplanet/ims52/alias/msg-mta1-cert7.db
lrwxrwxrwx 1 root other 37 Jan 4 15:23 key3.db -> /iplanet/ims52/alias/msg-mta1-key3.db
-rw-r--r-- 1 mailsrv iplanet 2306 Jan 4 21:30 AService.cfg
drwxr-x 2 mailsrv iplanet 88576 Jan 4 22:04 log
-rw-r--r-- 1 mailsrv iplanet 5500 Jan 4 22:15 PopProxyAService.cfg
-rw-r--r-- 1 root other 6 Jan 4 22:16 pidfile
drwxr-xr-x 2 mailsrv iplanet 512 Jan 4 22:16 cache

root@mta2# pwd

/iplanet/ims52/mmp-mta1

I set SSLBacksidePort to 0 so that communication between MMP and store is over plain POP3 port.

Now when I try to access using Outlook Express I get the following error:

==

20070104 214047 PopProxyAService.cfg (sid 0x488fdc) session start, client IP 59.189.201.145:61447, server IP MMP_IP:995

20070104 214047 PopProxyAService.cfg (sid 0x488fdc) USER login

20070104 214047 PopProxyAService.cfg (sid 0x488fdc) TCP Access denied for USER_A@domain.com

20070104 220801 PopProxyAService.cfg (ldap 0x3c2df0 0x4169c4) (uid=USER_A) reuse existing search connection

20070104 220802 PopProxyAService.cfg (ldap 0x3c2df0 0x4169c4) completed search host 'ms.domain.com' baseDN 'o=domain.com, o=isp' filter '(uid=USER_A)' bindDN 'cn=Directory Manager' entries 1 first-entry 'uid=USER_A,ou=people,o=domain.com,o=isp'

20070104 220802 PopProxyAService.cfg (sid 0x3c2c0c) TCP Access denied for USER_A@domain.com

I fail to understand why this error occurs... as the access to the store is over port 110... and why should mailallowedServices come into the picture...

My settings for said user are:

mailAllowedServiceAccess=+pop:*$+imap:*$+http:*$+smtp:*

Please note that I am able to see the cert when I access the express client for pops...it fails when it tries to authorise......

Need your help here.

msg_admin

[3824 byte] By [msg_admina] at [2007-11-26 14:07:14]
# 1
I think the MMP understands "POPS", "IMAPS", etc. You might try that.
jay_plesseta at 2007-7-8 1:52:57
# 2

Correct - the MMP does differentiate between POP and POPS connections. As per the 2006Q4 (beta) schema guide for mailallowedserviceaccess attribute:

"Legal service names are: imap, imaps, pop, pops, smtp, smtps, http, and smime. Note that the MMP supports imap, imaps, pop, pops, and smtp, and smime. The back-end supports imap, pop, smtp, http, and smime."

Therefore the said user needs to have the following:

mailAllowedServiceAccess=+pops:*$+pop:*$+imap:*$+http:*$+smtp:*

If sometime in the future you want to prevent the user from logging into the POP port but allow the POPS port, that gets a bit more complex (this is something I am trying to get added to the schema guide for the future):

An example on how to restrict user access to SSL encrypted POP and IMAP access only:

mailallowedserviceaccess: +imaps,pops:*$+imap,pop:<MMP IP Address>

Note: The back-end doesn't recognise the imaps & pops service names so it is necessary to grant the MMP IP address(es) pop and imap service access otherwise connections between the MMP and the back-end for that user will be rejected.

Hope this helps,

Shane.

shane_hjortha at 2007-7-8 1:52:57
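
The two-hop check described in the answers above, as an added example that is not part of the original thread and not the product's own code. It is a simplified model that assumes only "+" (allow) rules, clients given as "*" or a literal IP, and denial when no allow rule matches; the IP addresses are constructed placeholders.

```python
# Simplified model of mailAllowedServiceAccess evaluation (illustrative only).
# Assumptions: only "+" rules, clients are "*" or a literal IP, and a service
# with no matching allow rule is denied, as observed in the thread's MMP log.

def parse_rules(value):
    """Split '+svc1,svc2:client$+svc3:client' into (services, clients) pairs."""
    rules = []
    for rule in value.split("$"):
        rule = rule.strip()
        if not rule.startswith("+"):
            raise ValueError(f"only allow rules are modelled: {rule!r}")
        services, _, clients = rule[1:].partition(":")
        rules.append(({s.strip().lower() for s in services.split(",")},
                      {c.strip() for c in clients.split(",")}))
    return rules

def allowed(value, service, client_ip):
    """True if any allow rule covers this service for this client address."""
    return any(service in svcs and ("*" in clients or client_ip in clients)
               for svcs, clients in parse_rules(value))

def login_path(value, client_ip, mmp_ip, ssl):
    """Check both hops: client -> MMP ('pops' on the SSL port, else 'pop'),
    then MMP -> store, which is always 'pop' when SSLBacksidePort is 0."""
    front = "pops" if ssl else "pop"
    if not allowed(value, front, client_ip):
        return f"denied at MMP ({front})"
    if not allowed(value, "pop", mmp_ip):
        return "denied at store (pop)"
    return "ok"

MMP_IP = "192.0.2.10"        # constructed placeholder for <MMP IP Address>
CLIENT_IP = "198.51.100.7"   # constructed placeholder for a mail client
ORIGINAL = "+pop:*$+imap:*$+http:*$+smtp:*"           # value from the question
FIXED = "+pops:*$+pop:*$+imap:*$+http:*$+smtp:*"      # value from reply 2
SSL_ONLY = f"+imaps,pops:*$+imap,pop:{MMP_IP}"        # SSL-only form from reply 2
SSL_ONLY_NO_BACKEND = "+imaps,pops:*"                 # missing the MMP back-end grant

if __name__ == "__main__":
    cases = [("original", ORIGINAL), ("fixed", FIXED),
             ("ssl-only", SSL_ONLY), ("ssl-only, no back-end", SSL_ONLY_NO_BACKEND)]
    for name, value in cases:
        for ssl in (True, False):
            print(f"{name:24} {'pops' if ssl else 'pop ':5}",
                  login_path(value, CLIENT_IP, MMP_IP, ssl))
```

The last case shows why the SSL-only form has to grant pop and imap to the MMP address: without that rule the client passes the MMP check and is then rejected on the hop to the store.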