TCPAccess in MMP

Hi All (and Jay!),
We are going all ssl here for mail, but we have a few servers that will need to send and receive (IMAP) using non-ssl. So: I want to block non-ssl ports to our end users, but allow a handful of IPs to connect to 25 and 143. The MTA seems easy enough, given the PORTAccess directive, but I'm less clear on IMAP.
The TCPAccess directive in the ImapProxyAService.cfg is, I'm guessing, what one uses, but (as usual), the manuals don't mention that setting or how to use it. Can anyone point me to information or tell me how to include/exclude certain IP ranges from access to non-ssl ports?
We're running Sun Java System Messaging Server 6.2-3.04.
Thanks
Message was edited by:
LesliStClair

Hi Shane,
The lockdown is standard to our set up. I've done everything but the configutil change, and find I'm getting an error: Access to this service for user@mydomain denied from client address (*mailAllowedServiceAccess).
In the record, I have: mailAllowedServiceAccess: imaps:*$-imap:*. I've also tried only imaps:*.
Since the stores can't be accessed by anything but the proxies, is the configutil change necessary? Since I'd have to restart (and this is a clustered system) to get a configutil change to stick, I'd rather not make it if I don't have to.
(I assume the configutil change needs to be made on the stores rather than the proxies?)
Message was edited by:
LesliStClair

Similar Messages

  • MMP using wrong search base when doing LDAP query.

    Hi all,
    I installed a new MMP (sun java communication suite v5 on Redhat linux x86).
    When an imap user connects to MMP, the MMP does an ldap query for attributes "MailHostAttrs mailHost".
    This query fails because the search base is
    SRCH base="dc=my,dc=domain,dc=com,o=my.domain.com"
    instead of simply "o=my.domain.com"
    When I ran 'configure' I specified the Organization DN to be o=my.domain.com
    And I've specified the following in the ImapProxyAService.cfg file:
    LdapUrl "ldap://ldap1.my.domain.com:389/o=my.domain.com"
    UserGroupDN "o=my.domain.com"
    DefaultDomain my.domain.com
    So why does it use "dc=my,dc=domain,dc=com,o=my.domain.com"?
    I must be missing something but I can't find it.

    Hi,
    kevin_sysadmin wrote:
    > So why does it use "dc=my,dc=domain,dc=com,o=my.domain.com"?
    > I must be missing something but I can't find it.
    The first step the MMP will do to resolve the base DN for a hosted domain is a directory search along the lines of (this is for schema 2 which is the default for a new install):
    [26/Oct/2007:16:46:23 +1000] conn=3152 op=1 msgId=2 - SRCH base="dc=aus,dc=sun,dc=com" scope=2 filter="(&(objectClass=sunManagedOrganization)(|(associatedDomain=aus.sun.com)(sunPreferredDomain=aus.sun.com)))" attrs=ALL
    So in my case I have default:LdapUrl "ldap://server.aus.sun.com/dc=aus,dc=sun,dc=com" and default:DefaultDomain aus.sun.com
    So you will probably find that you have a hosted domain configured under "dc=my,dc=domain,dc=com,o=my.domain.com" which got created during installation but not propagated with users.
    Regards,
    Shane.

  • MMP Client Certificate Auth problem

    Hi, All!
    I can't configure clients cert auth through MMP. I'm using the most recent release of communicationsuite (7u2).
    Proxy auth for clear imap using admin settings like StoreAdmin and StoreAdminPass works well.
    MMP for unencrypted IMAP works well too.
    However MMP for clients certificate auth does not work.
    I see the following message in the log
    [19/Dec/2011:11:27:43 +0400] sf240 ImapProxy[1688]: General Alert: dmap_locate_basedn called with baseDN uid=monakhv, ou=people, o=dvatest.ot,o=isp
    [19/Dec/2011:11:27:43 +0400] sf240 ImapProxy[1688]: General Debug: (id 554) User '[email protected]' replay user '[email protected]'
    [19/Dec/2011:11:27:43 +0400] sf240 ImapProxy[1688]: General Error: (id 554) Proxy authentication invalid admin '[email protected]', login as '[email protected]'
    I would appreciate any ideas to recover it.
    Regards, Monk.

    cnewman wrote:
    > For the MMP, the MMP's StoreAdmin setting has to exactly match the administrative user. The log error you see:
    This is from my ImapProxyAService.cfg
    default:StoreAdmin admin
    default:StoreAdminPass enz.ZIM137
    > [19/Dec/2011:11:27:43 +0400] sf240 ImapProxy[1688]: General Error: (id 554) Proxy authentication invalid admin '[email protected]', login as '[email protected]'
    This is really strange message for me. Some experiment with mail client (Thunderbird) shows that one '[email protected]' goes from user ssl certificate email field which is used for auth, another '[email protected]' goes from user name field from Thunderbird server settings.
    Maybe the problem is for mail client configuration?
    Anyway I do not want to provide for users Admins certificate and password!
    Is it possible to configure MMP authorization using user's SSL certificate?
    > indicates that the value of the MMP's StoreAdmin setting is something other than '[email protected]', so the request for proxy authentication is denied.
    > It seems odd that the authentication id and the authorization id is identical in this case, but I'd have to see the actual AUTH EXTERNAL protocol as well as your StoreAdmin setting to explain further.
    How can I get AUTH EXTERNAL protocol?

  • Mmp config question

    Hi,
    I'm trying to setup mmp to allow remote users to check emails via IMAP and send via SMTP submit. Configuring IMAP portion was clear and works but I'm not sure I understand all required steps for SMTP.
    1. AService.cfg
    default:ServiceList /opt/SUNWmsgsr/lib/ImapProxyAService@143|993 /opt/SUNWmsgsr/lib/SmtpProxyAService.so@587
    2. SmtpProxyAService.cfg
    default:SmtpRelays backend.mydomain.com:587
    mmp# mconnect -p 587
    connecting to host localhost (127.0.0.1), port 587
    connection open
    220 ESMTP Messaging Multiplexor (Sun Java(tm) System Messaging Server 6.2-4.03 (built Sep 22 2005))
    helo
    421 4.3.0 Service not available now.
    Do I need to configure something on the back end?
    Is using MMP correct for my purpose or should it be complete MTA? Basically, allowing remote users to relay.
    Thanks,
    d.

    Thanks for the answer.
    Let me rephrase my question:
    To configure a server that will be sitting in a DMZ for the purpose of allowing remote users to check and send emails, one would configure MMP for IMAP access and MTA for
    SMTP submit. Am I correct?
    Thanks again,
    d.
    Before we go any further.
    There is ONLY one valid use for the SMTP proxy
    included with MMP. Pop before SMTP.
    For ANY other use, you should install the MTA. SMTP
    proxy is a very, very limited application, and should
    not be used as a general purpose smtp relay. It just
    can't handle that.

  • Mmp 5.2 questions

    Hi Jay,
    I installed mmp 5.2 on a server having iMS with ports listening to standard ports.
    The mmp-<instance> folder has only the -def.cfg files for imap, pop and smtp and Aservice:
    ls output:
    AService-def.cfg PopProxyAService-def.cfg
    AService.rc SmtpProxyAService-def.cfg
    ImapProxyAService-def.cfg log
    I expected AService.cfg, ImapProxyAService.cfg, PopProxyAService.cfg and SmtpProxyAService.cfg.
    Could these files be missing because ports 110 and 143 were busy by the MTA?
    Can I simply create these files from the templates? or is this behavior a sign that the installation has failed?
    thanks,

    > Hi Jay,
    > I installed mmp 5.2 on a server having iMS with ports
    > listening to standard ports.
    You can't have two different applications listening to the same ports.
    If you install MMP on the same box as iMS, you either have to set MMP for non-standard ports, or move iMS to non-standard ports.
    > The mmp-<instance> folder has only the -def.cfg files
    > for imap, pop and smtp and Aservice:
    > ls output:
    > AService-def.cfg PopProxyAService-def.cfg
    > AService.rc SmtpProxyAService-def.cfg
    > ImapProxyAService-def.cfg log
    > I expected AService.cfg, ImapProxyAService.cfg,
    > PopProxyAService.cfg and SmtpProxyAService.cfg.
    No, you have to create those from the templates manually. The installer doesn't do that for you.
    > Could these files be missing because ports 110 and
    > 143 were busy by the MTA?
    > Can I simply create these files from the templates?
    > or is this behavior a sign that the installation has
    > failed?
    > thanks,

  • Running 10.6.8 on new iMac. The last two weeks I keep losing internet and have to turn airport off and on to restore service. It is not the router as my two laptops do not have this problem. I read that in 2008 MMP's had a similar issue. Any thoughts?

    Running 10.6.8 on new iMac. The last two weeks I keep losing internet and have to turn airport off and on to restore service. This happens every time it goes into sleep mode. It is not the router as my two laptops do not have this problem. I read that in 2008 MMP's had a similar issue. Any thoughts?

    Go to /Library/Preferences/System Configuration
    Move all the files from the System Configuration folder to the Trash.
    Restart your Mac. See if that made a difference.

  • Login Separator not setting on MMP's

    We are having a problem with setting alternate login separators on our MMP boxes. I made the change on our mail store to include % as well as @ and after a restart of the messaging service we could then use user%domain for pop'ing mail.
    However, when I made the same setting change on our 2 MMP servers (using configutil to set service.loginseparator = "@%"), they both do not recognize the % as a valid separator and insist on adding the value of the default domain onto the user%domain turning it into user%domain@defaultdomain
    Has anyone experienced this problem?
    Thank you,
    Dan Morris

    According to docs.sun.com on http://docs.sun.com/source/817-6266/mmp.html the login separator is set via configutil:
    2. Run the configutil command in directory msg_svr_base/sbin/configutil of your proxy machine messaging server to set the configuration values. Note that these values should match the values of the back-end messaging servers.
    I found that when I ran the configutil that the value was loaded into msg.conf:
    # grep loginseparator *
    msg.conf:service.loginseparator = @%+
    And I have the exact same setting on our backend mailstore.
    We are hosting virtual domains on this server, therefore we need to be able to specify full email addresses for POP, and as some clients do not allow the @ in an email account we need to be able to support %. The MMPs are fine with the @ but are not recognizing the % (or the + which I also added).

  • MMP on Win2k and iMS on Solaris 9?

    Is it possible to install MMP on Win2k and the corresponding iMS on Solaris 9?

    Hi Tyme,
    I would guess that your second system is producing CDs with an ISO-9660 level 2 file system, which supports long file names, and which Solaris can read. The first is probably making CDs with an ISO-9660 level 1 file system.
    Cheers,
    Chuck

  • [iMS 5.2] - Unable to start up MMP proxy services.

    Hi:
    I encountered the following error when starting up the MMP services for version 5.2.
    20040121 004914 /opt/iplanet/ims52/bin/msg/mmp/bin/AService ImapProxy(ImapProxyAService.cfg): exiting
    20040121 004917 /opt/iplanet/ims52/bin/msg/mmp/bin/AService PopProxy(PopProxyAService.cfg): exiting
    20040121 004917 /opt/iplanet/ims52/bin/msg/mmp/bin/AService SmtpProxy(SmtpProxyAService.cfg): exiting
    20040121 005753 /opt/iplanet/ims52/bin/msg/mmp/bin/AService CField error: couldn't open MapFile file ImapProxyAService.cfg error 13
    20040121 005753 /opt/iplanet/ims52/bin/msg/mmp/bin/AService CField error: couldn't open MapFile file PopProxyAService.cfg error 13
    20040121 005753 /opt/iplanet/ims52/bin/msg/mmp/bin/AService CField error: couldn't open MapFile file SmtpProxyAService.cfg error 13
    This error occurred when this server was rebooted and checks on the rc script (used to start/stop these processes) indicated no problems. The same Unix user was su-ed to start up all these processes and this was working fine previously.
    Appreciate any comments cos I couldn't find anything useful on this forum for such errors.
    Thanks,
    Terence

    Thanks for the reply. Have checked the file permissions and ownerships and they look fine to me.
    Btw, do u happen to know how to interpret the timestamp of this log?
    20040121 004914 /opt/iplanet/ims52/bin/msg/mmp/bin/AService ImapProxy(ImapProxyAService.cfg): exiting
    What does 004914 mean?

  • SMTP connection times out on the MMP after a hung dirsync.

    The dirsync ran all night, at 8am we found that SMTP to the MMP was no longer working. We restarted it, it still would not take connections. We've shut down all Iplanet systems on the MMP and looked for the lock files, deleted those we found and restarted. Still not working. Any insight would be appreciated.

    Ray,
    First off I think you're talking about an MTA not MMP. Two different beasts. You also do not mention what version of iMS you are using. Try the following:
    cd msg-<instance>
    ./imsimta shutdown
    ./imsimta cleandb
    ./imsimta startup
    NOTE -- I've no idea how large your environment is but if you change local.ugldapbinddn and local.ugldapbindcred to that of your Directory Manager and password you'll see dramatic performance increase on the LDAP side and thus dirsync will finish faster.

  • SMTP AUTH and the SMTP MMP.

    Messaging Server 6.0p1
    We've run into a problem with the SMTP component of the MMP. Specifically with regards to SMTP authentication.
    The messaging server is sending out AUTH=LOGIN and AUTH PLAIN LOGIN options to the client in the ESMTP negotiation even when the SMTP client is listed as INTERNAL in the mappings file.
    Consider the 4 scenarios:
    1. Connecting directly to the messaging server SMTP from outside of the Intranet.
    external.hostname# telnet smtpserver.hostname 25
    Trying 1.2.3.4...
    Connected to smtpserver.hostname.
    Escape character is '^]'.
    220 smtpserver.hostname -- Server ESMTP (Sun ONE Messaging Server 6.0 Patch 1 (built Jan 28 2004))
    EHLO external.hostname
    250-smtpserver.hostname
    250-8BITMIME
    250-PIPELINING
    250-DSN
    250-ENHANCEDSTATUSCODES
    250-EXPN
    250-HELP
    250-XADR
    250-XSTA
    250-XCIR
    250-XGEN
    250-XLOOP 1CB2DE93C0A60C457A290686F164049E
    250-AUTH PLAIN LOGIN
    250-AUTH=LOGIN
    250-ETRN
    250 SIZE 0
    AUTH PLAIN XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    235 2.7.0 PLAIN authentication successful.
    QUIT
    221 2.3.0 Bye received. Goodbye.
    Connection to smtpserver.hostname closed by foreign host.
    external.hostname#
    As you can see, the messaging server responds with the AUTH PLAIN LOGIN and AUTH=LOGIN. The SMTP authentication is successful. This is the correct behavior.
    2. Connecting to the MMP SMTP from outside of the Intranet.
    external.hostname# telnet mmp.hostname 25
    Trying 1.2.3.5...
    Connected to mmp.hostname.
    Escape character is '^]'.
    220 ESMTP Messaging Multiplexor (Sun ONE Messaging Server 6.0 Patch 1 (built Jan 28 2004))
    EHLO external.hostname
    250-smtpserver.hostname
    250-8BITMIME
    250-PIPELINING
    250-DSN
    250-ENHANCEDSTATUSCODES
    250-EXPN
    250-HELP
    250-XLOOP 1CB2DE93C0A60C457A290686F164049E
    250-AUTH PLAIN LOGIN
    250-AUTH=LOGIN
    250-ETRN
    250 SIZE 0
    AUTH PLAIN XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    235 2.7.0 PLAIN authentication successful.
    QUIT
    221 2.3.0 Bye received. Goodbye.
    Connection to mmp.hostname closed by foreign host.
    external.hostname#
    Just as in example #1, the MMP responds with the AUTH PLAIN LOGIN and AUTH=LOGIN. Like example #1, the SMTP authentication is successful. This is the correct behavior.
    3. Connecting directly to the messaging server SMTP from inside the Intranet.
    internal.hostname# telnet smtpserver.hostname 25
    Trying 1.2.3.4...
    Connected to smtpserver.hostname.
    Escape character is '^]'.
    220 smtpserver.hostname -- Server ESMTP (Sun ONE Messaging Server 6.0 Patch 1 (built Jan 28 2004))
    EHLO internal.hostname
    250-smtpserver.hostname
    250-8BITMIME
    250-PIPELINING
    250-DSN
    250-ENHANCEDSTATUSCODES
    250-EXPN
    250-HELP
    250-XADR
    250-XSTA
    250-XCIR
    250-XGEN
    250-XLOOP 1CB2DE93C0A60C457A290686F164049E
    250-ETRN
    250 SIZE 0
    AUTH PLAIN XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    533 5.7.1 AUTH command is not enabled.
    QUIT
    221 2.3.0 Bye received. Goodbye.
    Connection to smtpserver.hostname closed by foreign host.
    internal.hostname#
    This time, because the client is on the intranet, the AUTH PLAIN LOGIN and AUTH=LOGIN ESMTP options are not presented to the client. The attempt to perform SMTP authentication fails. This appears to be the correct behavior, as the server didn't advertise as supporting SMTP authentication.
    4. Connecting to the MMP SMTP from inside the Intranet.
    internal.hostname# telnet mmp.hostname 25
    Trying 1.2.3.5...
    Connected to mmp.hostname.
    Escape character is '^]'.
    220 ESMTP Messaging Multiplexor (Sun ONE Messaging Server 6.0 Patch 1 (built Jan 28 2004))
    EHLO internal.hostname
    250-smtpserver.hostname
    250-8BITMIME
    250-PIPELINING
    250-DSN
    250-ENHANCEDSTATUSCODES
    250-EXPN
    250-HELP
    250-XLOOP 1CB2DE93C0A60C457A290686F164049E
    250-AUTH PLAIN LOGIN
    250-AUTH=LOGIN
    250-ETRN
    250 SIZE 0
    AUTH PLAIN XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    533 5.7.1 AUTH command is not enabled.
    QUIT
    221 2.3.0 Bye received. Goodbye.
    Connection to mmp.hostname closed by foreign host.
    internal.hostname#
    This time, even though the client is within the intranet, the AUTH PLAIN LOGIN and AUTH=LOGIN ESMTP options are presented to the client. Even though these options are presented to the client, the server refuses to honor authentication attempts. The attempt to perform SMTP authentication fails. THIS IS A BIG PROBLEM!
    The implication is that SMTP clients within the intranet that honor the SMTP authentication ESMTP options presented by the server ALWAYS fail to authenticate.
    Netscape 4.x clients, when they see the AUTH=LOGIN and AUTH PLAIN LOGIN options force the user to authenticate. Netscape 7.x at least has a checkbox that gives the user the option to ignore these options and attempt to send anyway. It's now impossible for all of the Netscape 4.x mail clients within the intranet to send mail.
    The correct behavior is that the AUTH PLAIN LOGIN and AUTH=LOGIN options should NOT be presented to the intranet clients. I have made every attempt to ensure that our configuration is correct. I believe this is a bug with the Messaging server but I'm posting here in hopes that someone knows what specific changes I can make to the mappings or imta.cnf files that will prevent the Messaging server from presenting these options to clients through the MMP.
    Netscape 7.x clients within the intranet that have been configured to ignore the AUTH smtp ESMTP options can send mail to both local and remote recipients.

    Before even looking at your data. . .
    > We've run into a problem with the SMTP component of the MMP
    There is EXACTLY ONE reason to use the SMTP component of MMP: POP before SMTP
    If you have ANY other need for smtp, you should use the entire MTA. That's what it's for.
    Actually, it looks like your scenario 3 isn't connecting to the correct MTA at all. The banner should be the same as you got for the other cases. You're sure you didn't start sendmail up by accident?
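A check for the mismatch described in scenario 4 above, added here as an example and not part of the original posts or of Messaging Server: it parses a captured SMTP session and compares the AUTH mechanisms advertised in the EHLO response with the server's reply to the AUTH command. The transcripts are constructed (trimmed from scenarios 2 to 4), and the function names and result labels are hypothetical.

```python
import re

# A server reply line: three-digit code, then "-" (more lines follow) or " " (last line).
REPLY = re.compile(r"^(\d{3})([ -])(.*)$")
# EHLO keyword carrying SASL mechanisms, in both forms seen in the post:
# "AUTH PLAIN LOGIN" and the legacy "AUTH=LOGIN".
AUTH_KEYWORD = re.compile(r"^AUTH[ =](.*)$", re.IGNORECASE)

# Constructed transcripts, trimmed from scenarios 2, 3 and 4 of the post.
SCENARIO_2 = """\
220 ESMTP Messaging Multiplexor (Sun ONE Messaging Server 6.0 Patch 1 (built Jan 28 2004))
EHLO external.hostname
250-smtpserver.hostname
250-PIPELINING
250-AUTH PLAIN LOGIN
250-AUTH=LOGIN
250 SIZE 0
AUTH PLAIN XXXXXXXX
235 2.7.0 PLAIN authentication successful.
QUIT
221 2.3.0 Bye received. Goodbye.
"""

SCENARIO_3 = """\
220 smtpserver.hostname -- Server ESMTP (Sun ONE Messaging Server 6.0 Patch 1 (built Jan 28 2004))
EHLO internal.hostname
250-smtpserver.hostname
250-PIPELINING
250-ETRN
250 SIZE 0
AUTH PLAIN XXXXXXXX
533 5.7.1 AUTH command is not enabled.
QUIT
221 2.3.0 Bye received. Goodbye.
"""

SCENARIO_4 = """\
220 ESMTP Messaging Multiplexor (Sun ONE Messaging Server 6.0 Patch 1 (built Jan 28 2004))
EHLO internal.hostname
250-smtpserver.hostname
250-PIPELINING
250-AUTH PLAIN LOGIN
250-AUTH=LOGIN
250 SIZE 0
AUTH PLAIN XXXXXXXX
533 5.7.1 AUTH command is not enabled.
QUIT
221 2.3.0 Bye received. Goodbye.
"""


def parse_session(transcript):
    """Return (advertised AUTH mechanisms, reply code to the last AUTH or None)."""
    advertised, auth_reply, state = set(), None, None
    for raw in transcript.splitlines():
        line = raw.strip()
        reply = REPLY.match(line)
        if reply is None:
            # Client side (or telnet chatter). Lines sent inside an AUTH
            # exchange are base64 continuations and must not end it.
            if state != "auth":
                verb = line.split(" ", 1)[0].upper()
                state = {"EHLO": "ehlo", "AUTH": "auth"}.get(verb)
            continue
        code, sep, text = reply.groups()
        if state == "ehlo" and code == "250":
            keyword = AUTH_KEYWORD.match(text)
            if keyword:
                advertised.update(keyword.group(1).upper().split())
            if sep == " ":          # last line of the multi-line EHLO reply
                state = None
        elif state == "auth" and code != "334":   # 334 is a challenge, not a verdict
            auth_reply = code
            state = None
    return advertised, auth_reply


def classify(transcript):
    """Label a session by whether what EHLO offered matches what AUTH did."""
    advertised, reply = parse_session(transcript)
    if reply is None:
        return "no-auth-attempt"
    if reply == "235":
        return "offered-and-honoured" if advertised else "honoured-but-not-advertised"
    if reply == "535":              # mechanism accepted, credentials wrong
        return "credentials-rejected"
    return "advertised-but-refused" if advertised else "not-offered-refused"


if __name__ == "__main__":
    for name in ("SCENARIO_2", "SCENARIO_3", "SCENARIO_4"):
        print(name, classify(globals()[name]))
```
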

  • Mmp services log files rotation

    Hi,
    Sun Java(tm) System Messaging Server 6.3-5.02 (built Oct 12 2007; 32bit)
    libimta.so 6.3-5.02 (built 17:15:31, Oct 12 2007; 32bit)
    SunOS mta01 5.10 Generic_120011-14 sun4u sparc SUNW,Sun-Fire-V240
    I'm trying to find out what setting controls mmp services log file rotation and how to change it. Presently, it appears rotation takes place daily and files are kept forever.
    ImapProxy_<date>.log
    AServices_<date>.log
    I would prefer to only keep these files for a week or so.
    Should I configure:
    local.schedule.prune_mmp = "45 23 * * * /usr/bin/find /var/opt/SUNWmsgsr/log -name ImapProxy\* -atime +3 -exec rm {} \; "
    local.schedule.prune_mmp.enable = 1
    Thanks.

    d-v-k wrote:
    > I'm trying to find out what setting controls mmp services log file rotation and how to change it. Presently, it appears rotation takes place daily and files are kept forever.
    There is no inbuilt Log Rotation mechanism for the MMP logs.
    > ImapProxy_<date>.log
    > AServices_<date>.log
    > I would prefer to only keep these files for a week or so.
    > Should I configure:
    > local.schedule.prune_mmp = "45 23 * * * /usr/bin/find /var/opt/SUNWmsgsr/log -name ImapProxy\* -atime +3 -exec rm {} \; "
    > local.schedule.prune_mmp.enable = 1
    This is definitely one way to prune the log files. I would use the following find string instead:
    /usr/bin/find /var/opt/SUNWmsgsr/log/ -name 'ImapProxy_*.log' -mtime +6 -exec rm {} \;
    You would need to write/enable a similar rule to prune the AServices_*.log files as well.
    Regards,
    Shane.

  • Tracking MMP vdmap users not supplying full email address?

    We're using MMP 5.1 and using the vdmap feature to assign a default domain to users who do not supply one. We'd like to move everyone to using their full email address, but need to figure out which customers aren't.
    Does anyone know of a way -- other than raw packet capture -- to determine which users are having a domain appended, and which ones are using a fully-qualified email address? I tried increasing "LogLevel" in both AService.cfg and PopProxyAService.cfg to 9, and got a lot of output, but no information on which users are having their domain-name appended.
    Our vdmap.cfg configurations are similar to the following:
    vdmap example net 192.168.254.1
    example.net:VDomain example.net
    example.net:SearchFormat "uid=%U"
    example.net:ReplayFormat %U@example.net
    vdmap example com 192.168.254.2
    example.com:VDomain example.com
    example.com:SearchFormat "uid=%U"
    example.com:ReplayFormat %U@example.com
    In this way, if a user is configured to pop from .1, and does not supply a full email address, '@example.net' is appended to their username before being passed to the back-end iMS servers. If someone pops from .2, '@example.com' is appended.
    Royce

    Hi,
    I had a play around with vdmap.cfg and couldn't see any record either of whether the user provided the fully qualified email address or just the UID. This sounds like a desirable feature that I would recommend logging a Sun support call for (log an RFE - request for enhancement).
    The only thing is that any improvements which would provide this feature (in the log files perhaps) will only be made to the 6.X release so you would still have to upgrade to 6 even if this feature was implemented.
    Regards,
    Shane.

  • Help me ! Client can't connect  to mmp

    mmp installed ip mmp.test.com
    messaging server ms.test.com
    after installing messaging server,
    #telnet ms.test.com
    +OK ms.test.com POP3 service (Sun Java(tm) System Messaging Server 6
    .2-3.04 (built Jul 15 2005))
    user admin
    +OK Name is a valid mailbox
    pass 1111111
    +OK Maildrop ready
    list
    +OK scan listing follows
    1 118595
    2 82006
    3 59679
    4 224259
    #telnet mmp.test.com
    +OK ms.test.com POP3 service (Sun Java(tm) System Messaging Server 6
    .2-3.04 (built Jul 15 2005))
    user admin
    +OK password required for user [email protected]
    pass 1111111
    Connection closed by foreign host.
    the log on mmp
    /var/opt/sun/messaging/log/PopProxy_20060630.log
    20060630 174021 /opt/sun/messaging/config/PopProxyAService.cfg (sid 0x0x80e1fb8) Connection limit reached for client IP 192.168.0.151
    I don't know how to solve, who can help me, thanks!
    Message was edited by:
    [email protected]

    I thought I'd respond to this thread since it took me half a day to figure out what's going on.
    In my situation what happened: the LDAP mailHost attribute was pointing to the MMP server instead of the Mailstore. And since I entered the wrong password for the wrong user while tuning virtual hosting, it got into an infinite loop MMP->MMP->MMP.... and finally it reaches the connection limit.
    Hope this helps.
    -Saulius

  • MMP 5.2p2 'waiting for connection; X on queue' errors, X increasing

    Shortly after manually upgrading our standalone POP/IMAP multiplexors to 5.2 Patch 2, we started experiencing problems where the CPU utilization of the AService process would drop to almost nothing, and this message would begin to appear in the logs:
    20060328 161950 PopProxyAService.cfg (ldap 0x4bb0d8) (uid=redacted) waiting for connection; 10 on queue
    20060328 161952 PopProxyAService.cfg (ldap 0x819c50) (uid=another.redacted) waiting for connection; 11 on queue
    20060328 161952 PopProxyAService.cfg (ldap 0x817918) (uid=redacted3) waiting for connection; 12 on queue
    This message continues with the value increasing:
    20060328 163719 PopProxyAService.cfg (ldap 0xcae928) (uid=redacted4) waiting for connection; 235 on queue
    20060328 163733 PopProxyAService.cfg (ldap 0xcb13c8) (uid=redacted5) waiting for connection; 236 on queue
    20060328 163809 PopProxyAService.cfg (ldap 0xcb5250) (uid=redacted6) waiting for connection; 237 on queue
    ... until AService is restarted.
    At first blush, it looks like something is making the LDAP connection wedge, and it's not timing out for some reason, but that's a guess.
    I see that someone on the Info-iMS list had the same problem shortly after installing 6.1 back in September 2004:
    http://lists.balius.com/pipermail/info-ims-archive/2004-September/019517.html
    Has anyone else seen this or know if this has been identified as a specific bug ... or is a symptom of something else?
    Royce

    > That's the problem. There IS no timeout for the
    > situation you've gotten into, where MMP (or messaging
    > server itself) believes a connection exists, and is
    > active, but gets no response.
    That's unfortunate. It sounds like a useful timeout for a number of circumstances.
    > The solution is to refresh all connections so you
    > don't get into this situation.
    Unfortunately, the LdapRefreshInterval doesn't appear to be a documented option for 5.2p2, but only for 6. Can you confirm this?
    > The overhead of binding and unbinding once every 10
    > minutes or so is very, very minimal.
    Fair enough.
    > The latter, if it exists, would be a much more
    > precise way of handling our symptom. Well, actually, the real problem is that the
    > connection between MMP and LDAP is getting silently
    > severed by the load balancer. That's something
    > that's BAD for both LDAP and for MMP.
    > Causes fd leaks in ldap, as it never knows when to
    > close what it believes is an active connection. It
    > will attempt to close, but, since it can never get an
    > ack back after the load balancer severs the
    > connection, it can't fully close it.
    > This is truly a bad situation, and it's easy to fix.
    > recycle the connections before the LB cuts you off.
    It looks like our LB has an idle timeout of 1 hour, with any traffic at all resetting the timer. In other words, it doesn't look like the LB that's causing the wedge. There is also no internal LB probing going on.
    From ulimit/plimit/pfiles output, I've also learned that the slapd user currently has a 65536 FD cap. I've been monitoring the FD usage of the slapd process for the past couple of days, and our LDAP servers have not been getting above 1000. We've also had multiple lockups in that period of time. So running out of FDs may not be causing our problem.
    > You're very clear about what you want.
    > Unfortunately, you are not correct about what is
    > possible.
    Perhaps our definitions of 'possible' need some negotiation. :) You're saying that the MMP can't do this today, which I accept as fact. But the pieces are all there, as far as I can see.
    The MMP keeps close track of how many queries have been served by a particular LDAP connection, how many are on queue without being serviced, and the age of the existing connection. In other words, the app has all the information necessary to do what I'm describing: notice that a connection hasn't actually gotten a response back in X seconds, and terminate it.
    Since the app doesn't support what I'm yearning for, this is academic at this point, so I agree that it's time to take a different tack. I don't want to appear ungrateful for your responses. I appreciate the time you've spent on this issue with me. I'm just trying to understand the underlying issues.
    So I find myself in these unfortunate circumstances:
    1. 5.2 doesn't lock up.
    2. No other applications using our LDAP are experiencing any hung LDAP connections (neither at the TCP level nor at the LDAP application level), even though they're using the same LB front-end.
    3. From the output of plimit/pfiles, our LDAP servers are configured to handle far more file descriptors than they're consuming. The FD theory appears to not apply.
    4. Our LB is configured to time out after 1 hour of inactivity.
    5. It seems unlikely that any of the LDAP connections coming from the MMPs are reaching the 1-hour threshold, considering how high-volume they are for POP, unless they are distributing queries across connections very asymmetrically. Even at 3am, there are enough people who leave their computers on all night who check every 1 minute that the connections are almost never idle for more than a few tens of seconds.
    Based on the above, it's hard for me to not conclude that 5.2.p2 appears to either have a regression bug that's causing the wedge itself, or has changed the way that it handles some types of timeouts.
    We cannot use 5.2 because we need a bugfix that is in 5.2p2. We appear to not be able to use 5.2p2 because it has this lockup problem that 5.2 does not.
    My 'strings' search for LdapRefreshInterval on the AService binary and Pop/IMAP libraries turns up nothing. Can you confirm that 5.2p2 does or does not support this feature?
    If not, and the only solution is to use LdapRefreshInterval, do you know if I can run 6.x MMP on our multiplexor boxes and leave 5.2 running on our back-end systems?
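One way to alert on the symptom described in this thread, added here as an example and not code from the posts or from the MMP: it reads the proxy log, follows the "N on queue" figure per service, and reports runs where the queue keeps growing without draining. It assumes the two leading log fields are YYYYMMDD and HHMMSS and that entries are in time order; the log lines are constructed from the excerpts above, and the thresholds and function names are hypothetical.

```python
import re
from datetime import datetime

# "<YYYYMMDD> <HHMMSS> <service cfg> (ldap 0x...) (uid=...) waiting for connection; N on queue"
WAIT = re.compile(
    r"^(\d{8}) (\d{6}) (\S+) \(ldap 0x[0-9a-fA-F]+\).*"
    r"waiting for connection; (\d+) on queue"
)

# Constructed sample: a short burst that drains, then the growth quoted in the post.
SAMPLE_LOG = """\
20060328 150001 PopProxyAService.cfg (ldap 0x4bb0d8) (uid=user1) waiting for connection; 1 on queue
20060328 150002 PopProxyAService.cfg (ldap 0x4bb0d8) (uid=user2) waiting for connection; 2 on queue
20060328 150030 PopProxyAService.cfg (ldap 0x4bb0d8) (uid=user3) waiting for connection; 1 on queue
20060328 161950 PopProxyAService.cfg (ldap 0x4bb0d8) (uid=user4) waiting for connection; 10 on queue
20060328 161952 PopProxyAService.cfg (ldap 0x819c50) (uid=user5) waiting for connection; 11 on queue
20060328 161952 PopProxyAService.cfg (ldap 0x817918) (uid=user6) waiting for connection; 12 on queue
20060328 163719 PopProxyAService.cfg (ldap 0xcae928) (uid=user7) waiting for connection; 235 on queue
20060328 163733 PopProxyAService.cfg (ldap 0xcb13c8) (uid=user8) waiting for connection; 236 on queue
20060328 163809 PopProxyAService.cfg (ldap 0xcb5250) (uid=user9) waiting for connection; 237 on queue
"""


def parse_wait_events(lines):
    """Return [(timestamp, service, queue_depth)] for every 'waiting' line."""
    events = []
    for line in lines:
        m = WAIT.match(line.strip())
        if m:
            when = datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S")
            events.append((when, m.group(3), int(m.group(4))))
    return events


def find_wedges(lines, min_depth=50, min_span_seconds=600, max_gap_seconds=1800):
    """Report (service, start, end, peak) for runs of never-shrinking queue depth.

    A run ends when the depth falls (the queue drained) or when no waiter is
    logged for max_gap_seconds. Only runs that last at least min_span_seconds
    and reach min_depth are reported; user ids are deliberately not returned.
    """
    wedges, runs = [], {}           # runs: service -> [start, last_seen, last_depth]

    def close(service):
        start, end, peak = runs.pop(service)
        if peak >= min_depth and (end - start).total_seconds() >= min_span_seconds:
            wedges.append((service, start, end, peak))

    for when, service, depth in parse_wait_events(lines):
        run = runs.get(service)
        if run is not None:
            drained = depth < run[2]
            quiet = (when - run[1]).total_seconds() > max_gap_seconds
            if drained or quiet:
                close(service)
                run = None
        if run is None:
            runs[service] = [when, when, depth]
        else:
            run[1], run[2] = when, depth
    for service in list(runs):      # runs still open at end of log
        close(service)
    return wedges


if __name__ == "__main__":
    for service, start, end, peak in find_wedges(SAMPLE_LOG.splitlines()):
        print(f"{service}: queue grew to {peak} between {start} and {end}")
```
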
