22.2 Configuring Domain Access

Although users do not access the domain as they use the GroupWise client, their messages often pass through domains while traveling from one post office to another.

22.2.1 Securing the Domain with SSL Connections to the MTA

Secure Sockets Layer (SSL) ensures secure communication between the MTA and other programs by encrypting the complete communication flow between the programs. By default, the MTA is enabled to use SSL connections, but SSL connections are not required.

For background information about SSL and how to set it up on your system, see Configuring Server Certificates and TLS.

To configure the MTA to use SSL:

  1. In the GroupWise Administration Console, browse to and click the MTA.

  2. Click the SSL Settings tab.

  3. (Conditional) If you need to generate a new GroupWise CA signed certificate for the MTA:

    The GroupWise Admin Service generates a certificate signing request (CSR) and a private key file, and then sends them to the GroupWise certificate authority (CA) on the primary domain. The CA issues the requested certificate, which is then returned to the local server.

    1. Click Generate Certificate.

    2. Specify and confirm the password for the private key file for the new SSL certificate, and then click OK.

      The newly created SSL certificate and private key files display on the SSL Settings tab.

    3. Click Save to save the SSL certificate and key files.

  4. (Conditional) If you already have an SSL certificate and key file for the MTA:

    1. In the SSL Certificate File field, click the Browse icon.

    2. Click Upload Local File to Server, and then click Browse.

    3. Browse to and select the SSL certificate file on your local workstation.

      You can use certificate files in the PEM, PFX, CRT, B64, or CER format.

    4. Click Upload to upload the certificate file into the GroupWise certificates folder on the server where the POA is running.

    5. Click OK.

    6. In the SSL Key File field, browse to, select, and upload the private key file, and then click OK.

    7. Click Save to save the SSL certificate and key files.

  5. To enable or require SSL connections with the POA, with other MTAs, and with the MTA console, click the Agent Settings tab.

  6. To enable or require an SSL connection between the MTA and the POA, and between this MTA and other MTAs, select Enabled or Required in the Message Transfer SSL drop-down list.

    The POA must also use SSL for the connection to be secure. See Securing the Post Office with SSL Connections to the POA.

    IMPORTANT: To prevent closed links between agents, select Enabled when you are initially configuring agents for SSL. Select Required for tighter security only after all agents are successfully using SSL.

  7. To enable SSL between the MTA and the MTA console, select Enabled or Required in the HTTP SSL drop-down list.

  8. Click Save, and then click Close to return to the main Administration Console window.

Corresponding Startup Switches: You can also use the --certfile, --keyfile, --keypassword, --httpssl, and --msgtranssl switches in the MTA startup file to configure the MTA to use SSL.

MTA Console: On the Links page, you can list the connections for which the MTA is using SSL. Click View TCP/IP Connections to display the list of TCP/IP links.
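
A pre-upload check for the existing certificate and key files described in step 4, given here as an added example that is not part of the GroupWise documentation: it confirms that a PEM private key belongs to the certificate, that the key password is correct, and that the certificate is not about to expire. The function names, file names, and 30-day threshold are assumptions, and the sample pair is constructed and self-signed.

```shell
#!/usr/bin/env bash
# Added example: pre-upload check of an MTA certificate and key (PEM format).
# Function names, file names and the password are hypothetical/constructed.

# Return 0 if KEY matches CERT and CERT stays valid for DAYS more days.
# Return 1 on key mismatch, 2 on an unreadable file, 3 on near expiry.
# The key password is read from the KEY_PASS environment variable so it
# never appears on a command line.
check_cert_pair() {
    local cert="$1" key="$2" days="${3:-30}" cert_pub key_pub
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "cannot read certificate: $cert"; return 2; }
    key_pub=$(KEY_PASS="${KEY_PASS:-}" openssl pkey -in "$key" \
                  -passin env:KEY_PASS -pubout 2>/dev/null) ||
        { echo "cannot read key (wrong password?): $key"; return 2; }
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "key does not belong to certificate"; return 1; }
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null ||
        { echo "certificate expires within $days days"; return 3; }
    echo "pair OK"
}

# Build a constructed, self-signed pair with an encrypted key for the demo.
make_sample_pair() {   # usage: make_sample_pair DIR NAME
    KEY_PASS="${KEY_PASS:-}" openssl req -x509 -newkey rsa:2048 -days 90 \
        -passout env:KEY_PASS -subj "/CN=$2.example.test" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

demo() {
    local d; d=$(mktemp -d)
    export KEY_PASS='constructed-pass'
    make_sample_pair "$d" mta1 && make_sample_pair "$d" mta2
    check_cert_pair "$d/mta1.crt" "$d/mta1.key"       # matching pair
    check_cert_pair "$d/mta1.crt" "$d/mta2.key"       # key of another agent
    check_cert_pair "$d/mta1.crt" "$d/mta1.key" 365   # expires within a year
    rm -rf "$d"
}
demo
```

PFX files bundle the certificate and key in one container, so this PEM comparison does not apply to them directly.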

22.2.2 Restricting Message Size between Domains

You can configure the MTA to restrict the size of messages that users are permitted to send outside the domain.

  1. In the GroupWise Administration Console, click System > Link Configuration.

  2. In the Maximum Send Message Size field, specify in megabytes the size of the largest message you want users to be able to send outside the post office.

    IMPORTANT: If you have also set a message size limit for your GWIAs, as described in Creating a Class of Service, ensure that the MTA message size limit is equal to or greater than the GWIA message size limit.

  3. (Conditional) If you want to delay large messages, specify the size in megabytes for message files the MTA can process immediately in the Delay Message Size field.

    If a message file exceeds the delay message size, the message file is moved into the low priority (6) message queue, where only one MTA thread is allocated to process very large messages. This arrangement allows typical messages to be processed promptly, while delaying large messages that exceed the specified size. The result is that large messages do not slow down processing of typical messages. Message size restrictions override message priority, meaning that even high priority messages are delayed if they exceed the size restrictions.

  4. Click Save, and then click Close to return to the main Administration Console window.

If a user’s message is not sent out of the domain because of this restriction, the user receives an email message providing the following information:

Delivery disallowed - Transfer limit is nn MB

However, the message is delivered to recipients in the sender’s own domain.

There are additional ways to restrict the size of messages that users can send, as described in Restricting the Size of Messages That Users Can Send.

22.2.3 Configuring a Routing Domain

As you create each new domain in your GroupWise system, you link it to another domain. You can view and modify the links between domains using the Link Configuration Tool. See Managing the Links between Domains and Post Offices.

As an alternative to configuring individual links between individual domains throughout your GroupWise system, you can establish a system of one or more routing domains. Domains must connect to the routing domains with TCP/IP links.

A routing domain can serve as a hub in the following situations:

  • Messages that are otherwise undeliverable can be automatically sent to a single routing domain. This routing domain can be set up to perform DNS lookups and route messages out across the Internet.

  • All messages from a domain can be automatically routed through another domain, regardless of the final destination of the messages. This provides additional control of message flow through your GroupWise system.

You can set up routing domains on two levels:

Selecting a System Default Routing Domain

You can establish a single default routing domain for your entire GroupWise system. This provides a centralized routing point for all messages. It takes precedence over specific links established when domains were created or links modified with the Link Configuration Tool.

To set up a system default routing domain:

  1. In the GroupWise Administration Console, click System > System Preferences.

  2. On the General tab, locate the Routing Options section.

  3. In the Default Routing Domain field, browse to and select the domain you want to serve as the default routing domain for your entire GroupWise system.

  4. If you want all GroupWise messages to pass through the default routing domain regardless of the destination of the message, select Force All Messages to This Domain.

    or

    If you want only undeliverable GroupWise messages to be routed to the default routing domain, deselect Force All Messages to This Domain.

    If you do not force all messages to the system default routing domain, then you have the option of allowing selected MTAs to provide routing domain services in addition to the system default routing domain.

  5. Select MTAs Send Directly to Other GroupWise Systems if you want all MTAs in your GroupWise system to perform DNS lookups and route messages out across the Internet.

    or

    Deselect MTAs Send Directly to Other GroupWise Systems if you want to individually designate which MTAs should perform DNS lookups and route messages out across the Internet.

  6. Click OK to save the routing options you have specified for the system default routing domain.

Selecting a Specific Routing Domain for an Individual Domain

As long as you are not forcing all messages to the system default routing domain, you can override the system default routing information for an individual domain.

  1. In the GroupWise Administration Console, browse to and click the MTA.

  2. Click the General tab, and locate the Routing Options section.

    System default routing information displays if it has been set up. See Selecting a System Default Routing Domain.

  3. Select Override next to the default information you want to change for the selected domain.

  4. Set the routing options as needed for the selected domain.

  5. Click Save, and then click Close to return to the main Administration Console window.

MTA Console: You can check routing information on the Configuration page under the General Settings heading.