41.2 Configuring User Access through the Domain

Although users do not access the domain as they use the GroupWise client, their messages often pass through domains while traveling from one post office to another.

41.2.1 Restricting Message Size between Domains

You can configure the MTA to restrict the size of messages that users are permitted to send outside the domain.

  1. In ConsoleOne, click Tools > GroupWise Utilities > Link Configuration.

    [Figure: Link Configuration Tool window]
  2. Double-click the domain where you want to restrict message size.

    [Figure: Edit Domain Link dialog box]
  3. In the Maximum Send Message Size field, specify in megabytes the size of the largest message you want users to be able to send outside the post office.

    IMPORTANT: If you have also set a message size limit for your GWIAs, as described in Section 47.1.2, Creating a Class of Service, make sure that the MTA message size limit is equal to or greater than the GWIA message size limit.

  4. If you want to delay large messages, specify the size in megabytes for message files the MTA can process immediately in the Delay Message Size field.

    If a message file exceeds the delay message size, the message file is moved into the low priority (6) message queue, where only one MTA thread is allocated to process very large messages. This arrangement allows typical messages to be processed promptly, while delaying large messages that exceed the specified size. The result is that large messages do not slow down processing of typical messages. Message size restrictions override message priority, meaning that even high priority messages are delayed if they exceed the size restrictions.

  5. Click OK.

  6. To exit the Link Configuration Tool and save your changes, click File > Exit > Yes.

    ConsoleOne then notifies the MTA to restart using the new message size limits.

If a user’s message is not sent out of the domain because of this restriction, the user receives an e-mail message providing the following information:

Delivery disallowed - Transfer limit is nn MB

However, the message is delivered to recipients in the sender’s own domain.

There are additional ways to restrict the size of messages that users can send, as described in Section 12.3.5, Restricting the Size of Messages That Users Can Send.

41.2.2 Enabling Live Remote

You can configure the MTA to redirect GroupWise Remote client requests to other MTAs and POAs. The GroupWise client can establish a client/server connection to an MTA across the Internet, eliminating the queuing and polling process used by earlier Remote clients. The result is improved performance for Remote client users. To configure the MTA to redirect Remote client requests, add the /liveremote, /lrconn and /lrwaitdata switches to the MTA startup file. You can monitor the live remote connections from the MTA server console. See Displaying Live Remote Status.

IMPORTANT: Live remote connections are still supported in GroupWise, but are not recommended. Superior functionality is currently available by using proxy servers for POAs, so that client users in Remote mode connect to their mailboxes through the proxy servers rather than through MTAs. Full SSL security is provided through the proxy servers and POAs. See Section 36.3.1, Securing Client/Server Access through an External Proxy Server.

41.2.3 Securing the Domain with SSL Connections to the MTA

Secure Sockets Layer (SSL) ensures secure communication between the MTA and other programs by encrypting the complete communication flow between the programs. For background information about SSL and how to set it up on your system, see Section 75.2, Server Certificates and SSL Encryption.

To configure the MTA to use SSL:

  1. In ConsoleOne, browse to and right-click the MTA object, then click Properties.

  2. Click GroupWise > Network Address to display the Network Address page.

    [Figure: MTA Network Address property page]
  3. To use SSL connections between the MTA and the POAs for its post offices, which provides optimum security, select Enabled in the Message Transfer SSL drop-down list.

    The MTA must use a TCP/IP connection to each POA in order to enable SSL for the connection. See Using TCP/IP Links between a Domain and its Post Offices.

    Each POA must also have SSL enabled for the connection to be secure. See Section 36.3.3, Securing the Post Office with SSL Connections to the POA.

  4. To use SSL connections between the MTA and the MTA Web console displayed in your Web browser, which provides optimum security, select Enabled in the HTTP SSL drop-down list.

    To set up the MTA Web console, see Section 42.2.1, Setting Up the MTA Web Console.

  5. Click Apply to save the settings on the Network Address page.

    You are prompted to supply the SSL certificate and key files. The key file must be password protected in order for SSL to function correctly.

  6. Click Yes to display the SSL Settings page.

    [Figure: MTA SSL Settings property page]

    For background information about certificate files and SSL key files, see Section 75.2, Server Certificates and SSL Encryption.

    By default, the MTA looks for the certificate file and SSL key file in the same directory where the MTA executable is located, unless you provide a full path name.

  7. In the Certificate File field, browse to and select the public certificate file provided to you by your CA.

  8. In the SSL Key File field:

    1. Browse to and select your private key file.

    2. Click Set Password.

    3. Provide the password that was used to encrypt the private key file when it was created.

    4. Click Set Password.

  9. Click OK to save the SSL settings.

    ConsoleOne then notifies the MTA to restart using the new SSL settings.

Corresponding Startup Switches: You can also use the /certfile, /keyfile, /keypassword, /httpssl, and /msgtranssl switches in the MTA startup file to configure the MTA to use SSL.

MTA Web Console: You can list which connections the MTA is using SSL for from the Links page. Click View TCP/IP Connections to display the list of TCP/IP links.
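
The requirement in Step 5 that the key file be password protected can be checked before the files are selected in Steps 7 and 8. The following is an added example, not part of the GroupWise documentation or product. It assumes both files are PEM-encoded; the function names and the sample data are constructed for illustration.

```python
import re

# Captures the label and body of each PEM block in a file.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def key_protection(pem_text):
    """Return 'encrypted', 'plaintext' or 'no-key'; one bare key means 'plaintext'."""
    states = set()
    for label, body in PEM_BLOCK.findall(pem_text):
        if not label.endswith("PRIVATE KEY"):
            continue  # certificate, CSR, parameters
        if label == "ENCRYPTED PRIVATE KEY":
            states.add("encrypted")  # PKCS#8 encrypted form
        elif re.match(r"Proc-Type:\s*4,ENCRYPTED", body):
            states.add("encrypted")  # traditional form with DEK-Info header
        else:
            states.add("plaintext")
    if "plaintext" in states:
        return "plaintext"
    return "encrypted" if states else "no-key"

def preflight(cert_text, key_text):
    """Return a list of problems; an empty list means both files pass."""
    problems = []
    labels = [label for label, _ in PEM_BLOCK.findall(cert_text)]
    if "CERTIFICATE" not in labels:
        problems.append("certificate file has no CERTIFICATE block")
    if key_protection(cert_text) != "no-key":
        problems.append("certificate file also contains a private key")
    state = key_protection(key_text)
    if state == "no-key":
        problems.append("key file has no private key block")
    elif state == "plaintext":
        problems.append("key file is not password protected")
    return problems

# Constructed samples: real armor and headers, dummy base64 bodies.
CERT = "-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n"
KEY_PKCS8 = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nQUJD\n"
             "-----END ENCRYPTED PRIVATE KEY-----\n")
KEY_LEGACY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
              "QUJD\n-----END RSA PRIVATE KEY-----\n")
KEY_PLAIN = "-----BEGIN PRIVATE KEY-----\nQUJD\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(preflight(CERT, KEY_PLAIN))
```

The check reads only the PEM armor and headers, so it never needs the key password; it does not confirm that the certificate and key belong together.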