Microsoft KB Archive/194528

XFOR: POP3 and IMAP4 Require a Virtual Server for Each Domain

PSS ID Number: Q194528
Article last modified on 06-02-1999

winnt:2.0

winnt

======================================================================

The information in this article applies to:

 * Microsoft Commercial Internet System version 2.0

= SYMPTOMS =

This article applies to Microsoft Mail Server. Two users of an e-mail service implemented with Microsoft Commercial Internet System (MCIS) 2.0 can share the same user name. This can occur because the mail server does not use the full e-mail address, which specifies the domain, as the mailbox name. If one user name is defined in a DIT subcontainer of the container holding the other, the mailbox owned by the user defined in the top-level container may be assigned to the user defined in the subcontainer. This constitutes a potential security breach.

= CAUSE =

This problem originates in the way the POP3/IMAP4 mail servers assign e-mail addresses to user containers. For example, suppose three common names are defined in two user containers in the DIT hierarchy, as follows:

   o=domain
     ou=members
       cn=Joe      (email='Joe@domain.com')
       ou=members2
         cn=Joe    (email='Joe@members2.domain.com')
         cn=Bob    (email='Bob@members2.domain.com')

and one instance of the mail server is running. The e-mail address and mailbox corresponding to the user name “Joe” defined in the “members2” subcontainer is located by LDAP according to the following steps:


 * 1) The user name “Joe” is verified as a valid member of the domain named “domain.com,” and the corresponding logon password is also verified.
 * 2) If both verifications succeed, the default domain name “domain.com” is appended to the authenticated user name “Joe.” The string “Joe@domain.com” is then used by LDAP to locate a container named “Joe” within the top-level container “members.”
 * 3) A container named “Joe” is found within the “members” container, and the mailbox location corresponding to the e-mail address “Joe@domain.com” is incorrectly assigned. The correct e-mail address should be “Joe@members2.domain.com.”

A related problem occurs in this example if the user name “Bob” is provided for authentication.


 * 1) The user name “Bob” and the supplied logon password are verified.
 * 2) If both verifications succeed, the default domain name “domain.com” is appended to the user name “Bob.” A search for a container named “Bob” in the top-level “members” container is conducted.
 * 3) The result of the search is negative, no e-mail address is found, and no mailbox location is assigned.

E-mail sent to the users in this example is re-routed. For example, if e-mail is sent to “Joe@members2.domain.com,” the domain part of the address is overwritten so that it becomes “Joe@domain.com.” E-mail sent to “Bob@members2.domain.com” has its address overwritten as “Bob@,” which is an invalid address.

= RESOLUTION =

A supported fix that corrects this problem is now available from Microsoft, but has not been fully regression tested and should be applied only to systems experiencing this specific problem. If you are not severely affected by this specific problem, Microsoft recommends that you wait for the next Site Server service pack.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web:

http://support.microsoft.com/support/supportnet/default.asp

The English version of this fix should have the following file attributes or later:

   Date      Time    Version      Size     File name
   --------  ------  -----------  -------  ---------------------
   10/09/98  02:43a  5.5.1877.11  395,536  Imapsvc.dll   (Alpha)
   10/09/98  02:29a  5.5.1877.11   58,640  Mbxsink.dll   (Alpha)
   10/09/98  02:28p  5.5.1877.11   33,591  MCIS2UPD.SQL  (Alpha)
   10/09/98  02:28p  5.5.1877.11  106,299  OBJSP.SQL     (Alpha)
   10/09/98  02:40a  5.5.1877.11  249,616  Pop3svc.dll   (Alpha)
   10/09/98  02:45a  5.5.1877.11  173,328  Routeldp.dll  (Alpha)
   10/09/98  02:31a  5.5.1877.11  719,632  Smtpsvc.dll   (Alpha)

= WORKAROUND =

To work around this problem, use one of the following methods:

Method 1
The user can specify a fully qualified e-mail address as the authentication string. In the example above, if the user provides the authentication string “Joe@domain.com” or “Joe@members2.domain.com,” the mail server searches for the e-mail address and mailbox location in the correct container.

Method 2
The system administrator can run one instance of POP3/IMAP4 for each defined e-mail domain, with each instance's root naming context pointing to the appropriate subcontainer. In the example above, the “Joe@members2.domain.com” authentication string is processed by the mail server instance assigned to the “members2” subcontainer, which searches for mailbox directories assigned to user names only in that subcontainer.
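The following is an added toy model, not MCIS code, of the lookup steps in the CAUSE section, the address re-routing they produce, and the corrected lookup (full address as key, search descending into subcontainers, or a per-domain instance as in Method 2). The directory, function names and the exact matching rules are constructed assumptions for illustration.

```python
# Added example, not MCIS code: a toy model of the POP3/IMAP4 lookup described
# in CAUSE.  The directory is constructed; ou=members2 is a subcontainer of
# ou=members, as in the article's DIT example.
DIT = {
    "ou=members,o=domain": {"Joe": "Joe@domain.com"},
    "ou=members2,ou=members,o=domain": {
        "Joe": "Joe@members2.domain.com",
        "Bob": "Bob@members2.domain.com",
    },
}
DEFAULT_DOMAIN = "domain.com"
ROOT_NC = "ou=members,o=domain"


def locate_before_fix(user, password_ok=True):
    """Steps 1-3 of CAUSE: after the password check the default domain is
    appended and only the root naming context is searched for cn=<user>, so
    Joe from members2 is handed the top-level Joe's mailbox and Bob (no
    cn=Bob at top level) is handed none."""
    if not password_ok:
        return None
    return DIT[ROOT_NC].get(user)  # mailbox of "<user>@domain.com", or None


def reroute_before_fix(address):
    """Delivery side of the same defect: the domain part of an inbound address
    is overwritten with the default domain, or dropped when no cn matches."""
    local = address.split("@", 1)[0]
    return f"{local}@{DEFAULT_DOMAIN}" if local in DIT[ROOT_NC] else f"{local}@"


def locate_after_fix(auth_string, naming_context=ROOT_NC):
    """Model of the corrected behaviour: the full address is the lookup key and
    the search descends into subcontainers.  Passing a subcontainer as
    naming_context models Method 2, one instance per e-mail domain."""
    if "@" not in auth_string:  # bare user name: the default domain still applies
        auth_string = f"{auth_string}@{DEFAULT_DOMAIN}"
    for dn, entries in DIT.items():
        if dn.endswith(naming_context):  # container at or below the context
            for mail in entries.values():
                if mail.lower() == auth_string.lower():
                    return mail
    return None


if __name__ == "__main__":
    print(locate_before_fix("Joe"), locate_before_fix("Bob"))
    print(reroute_before_fix("Joe@members2.domain.com"), reroute_before_fix("Bob@members2.domain.com"))
    print(locate_after_fix("Joe@members2.domain.com"))
    print(locate_after_fix("Joe@domain.com", "ou=members2,ou=members,o=domain"))
```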

= STATUS =

Microsoft has confirmed this to be a problem in Microsoft Commercial Internet System version 2.0.

= MORE INFORMATION =

Issues addressed in this fix

 * 1) Support for multiple domain hosting.
 * 2) Support for multiple email addresses for the same user.

CanonicalEmailAddress: Allows multiple email proxies for an account. No metabase settings are needed to activate this. It checks to see if there is a canonicalEmailAddress attribute for the user in the DS. If there is, it uses that value as the mailbox directory. If not, it uses the first mail attribute.

LookupByRDN fix: Activated by turning on the following metabase keys:

   PopLookupByRDN  : [IF] (DWORD) 0x1={1}
   ImapLookupByRDN : [IF] (DWORD) 0x1={1}

This allows IMAP4 and POP3 to perform LDAP lookups (to find the mailbox location) into subcontainers of ou=members.

UseFullEmailMailbox fix: Activated by turning on the following metabase keys:

   PopUseFullEmailMailbox  : [IF] (DWORD) 0x1={1}
   ImapUseFullEmailMailbox : [IF] (DWORD) 0x1={1}
   SmtpUseFullEmailMailbox : [IF] (DWORD) 0x1={1}

This changes the mailbox behavior of the services. The services will now create mailboxes in the user1@domain.com format.

Important Information concerning this release:
Before the fix is applied, the naming context for IMAP and POP can be either o=Corp,ou=members or ou=members,o=Corp. After the fix is applied, the naming context MUST be ou=members,o=Corp. If it is not set correctly, POP access is given to the wrong mailbox for users located in subcontainers of the members container who have the same cn as users located in the members container itself.

If it is decided to use the CanonicalEmailAddress attribute in the DS, it is absolutely critical that the IMS Optimization Registry key on the LDAP servers be turned off.

   HKLM/system/currentcontrolset/services/LDAPsvc/parameters
   Set parameter: IMSOptimized = 0

For any pre-existing account, it is very important that the canonicalEmailAddress exactly match the first (primary) mail attribute of the user. Consider the problem that arises if this is not done. Start with the following account:

   CN=               cw001
   mail=             cw001@domain.com
   mailBoxLocation=  /mailbox
   UserPassword=     password

At this point, mail sent to cw001@domain.com is delivered into a mailbox named cw001@domain.com (assuming the fix is applied). The administrator then adds a canonicalEmailAddress attribute to the user's account:

   CN=                    cw001
   canonicalEmailAddress= JOE@domain.com
   mail=                  cw001@domain.com
   mailBoxLocation=       /mailbox
   UserPassword=          password

Mail sent to cw001@domain.com is now delivered into the JOE@domain.com mailbox. All mail that was in the cw001@domain.com mailbox is now orphaned.

The canonicalEmailAddress attribute must be in the format of an e-mail address (user1@domain.com). If a string that does not contain an @ sign is used, access to the mailbox is denied: SMTP generates an NDR, and POP3 and IMAP4 logons fail.

Setting the Metabase Keys: Two of the features built into this hotfix require the user to set some metabase keys on the mail server(s). The Metabase is similar to the Windows NT Registry and is where IIS services store their configuration information. These keys are not currently exposed through ADSI, so the settings cannot be modified using VBScript. The Smtpmd.exe utility should be used to change the metabase keys (see the installation instructions below). Microsoft does not support the use of Smtpmd.exe outside the scope of the instructions outlined in this document.

Adding a new virtual server: The customer must set the metabase keys manually before the desired fixes take effect. The user must stop and start the specific instance for the metabase changes to be picked up.

If two different users (different CNs) share an e-mail address or canonicalEmailAddress, the first one found is the recipient of the message. The customer must design checks into their application scripts to ensure that the e-mail and canonicalEmailAddress attributes are unique.
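The checks described in the preceding paragraphs (exact match with the primary mail attribute, presence of an @ sign, uniqueness across users), as an added example that is not part of the KB article. The entries are constructed and the function names are assumptions; the attribute names are those the article uses.

```python
# Added example, not part of the KB: pre-flight checks on member entries before
# the canonicalEmailAddress attribute is relied on.  Entries are constructed;
# attribute names are those the article uses.
ENTRIES = [
    # canonicalEmailAddress differs from the primary mail attribute: the existing
    # cw001@domain.com mailbox would be orphaned (the KB's cw001 example).
    {"cn": "cw001", "mail": ["cw001@domain.com"], "canonicalEmailAddress": "JOE@domain.com"},
    # Correct: canonicalEmailAddress exactly matches the primary mail attribute.
    {"cn": "cw002", "mail": ["cw002@domain.com"], "canonicalEmailAddress": "cw002@domain.com"},
    # No '@' sign: SMTP would NDR and POP3/IMAP4 logons would be refused.
    {"cn": "cw003", "mail": ["cw003@domain.com"], "canonicalEmailAddress": "cw003"},
    # Second mail attribute collides with cw002: "the first one found" wins.
    {"cn": "cw004", "mail": ["cw004@domain.com", "cw002@domain.com"]},
]


def mailbox_for(entry):
    """Mailbox directory the patched services use: canonicalEmailAddress when
    present, otherwise the first (primary) mail attribute."""
    return entry.get("canonicalEmailAddress") or entry["mail"][0]


def check_entries(entries):
    """Return (cn, problem) pairs for every entry that would misbehave."""
    findings = []
    owner = {}  # lower-cased address -> cn that claimed it first
    for entry in entries:
        cn = entry["cn"]
        canon = entry.get("canonicalEmailAddress")
        if canon is not None:
            if "@" not in canon:
                findings.append((cn, "canonicalEmailAddress has no '@': mailbox access denied"))
            if canon != entry["mail"][0]:  # the KB requires an exact match
                findings.append((cn, "canonicalEmailAddress differs from primary mail: mailbox orphaned"))
        for addr in entry["mail"] + ([canon] if canon else []):
            key = addr.lower()
            if owner.setdefault(key, cn) != cn:
                findings.append((cn, f"{addr} already used by {owner[key]}: first match wins"))
    return findings


if __name__ == "__main__":
    for cn, problem in check_entries(ENTRIES):
        print(f"{cn}: {problem}")
```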

Dependencies:
Site Server 3 Service Pack 1 must be installed prior to this fix.

Installation Instructions:
SQL DS Setup:

Run Mcis2upd.sql against all existing LDAP Databases. It is not required to run this script against LDAP Databases created after installation of this fix.

To run this script, follow these steps:


 * 1) Copy Mcis2upd.sql from the &m directory to a location accessible from your SQL Server computer.
 * 2) On the Start menu of the SQL Server computer, point to Programs, point to Microsoft SQL Server 6.5, and then click SQL Enterprise Manager.
 * 3) Click the plus sign (+) next to the name of the SQL Server computer that is hosting the Membership Directory, click the plus sign (+) next to Databases, and then click the Membership Directory database.
 * 4) On the Tools menu, click SQL Query Tool.
 * 5) In the Query window, click Load SQL Query, and then in the Open File dialog box, open Mcis2upd.sql from the location to which it was previously copied. The mcis2upd.sql script is loaded into the Query window.
 * 6) Click the Execute Query icon.

Adding the canonicalEmailAddress Attribute to the DS Schema
The following instructions detail how to add the canonicalEmailAddress attribute to the DS Schema using Membership Directory Manager in the Microsoft Management Console (MMC).


 * 1) Run Site Server Service Admin (MMC).
 * 2) Log on to the LDAP service using the Administrator’s account.
 * 3) Starting from the MDM node of the Console Root, expand ou=Admin.
 * 4) Right-click on cn=Schema, and then click New and Attribute on the menus that appear.
 * 5) When the New Attribute Wizard displays a Welcome page, click Next.
 * 6) Type “canonicalEmailAddress” in the Name field. Type the Display name and Description in the appropriate fields, do not select Multi-valued, and then click Next.
 * 7) Select String from the options, and then click Next.
 * 8) Select None for syntax constraints, and then click Next.
 * 9) Expand cn=Schema, right-click on cn=member, and then select Properties from the menu that appears.
 * 10) Click the Class Attributes tab, and then click Add.
 * 11) Select canonicalEmailAddress from the Attributes list, and then click OK.
 * 12) In the Attributes list on the Class Attributes tab, click the canonicalEmailAddress check box to select it, and then click OK.

At this point, the attribute has now been created and may be added to user objects in the Members container.

Setting the Metabase Keys
Enable the “Lookup By RDN” feature, which allows users to authenticate into subcontainers below the ou=members container in the directory. To enable this feature, change the following metabase keys with the supplied tool, Smtpmd.exe. These settings are Virtual Server specific. This means if your server has five SMTP Virtual Servers (Instances), you must make the setting change for each instance separately.

 * 1) Copy Smtpmd.exe into a directory on the system (c:).
 * 2) Stop all IIS-based services. To do so, type the following at a command prompt, and then press ENTER:

        net stop iisadmin /y

 * 3) After all services have stopped successfully, restart IISAdmin. To do so, type the following at a command prompt, and then press ENTER:

        net start IISAdmin

 * 4) To enable the Lookup By RDN feature for the first POP3 Virtual Server, change to the directory where Smtpmd.exe is located, type the following at a command prompt, and then press ENTER:

        smtpmd set pop3svc/1/POPLookUpByRDN "1"

      The command should return the following:

        POPLookUpByRDN :[IF] (DWORD) 0x1 = (1)

 * 5) To enable the Lookup By RDN feature for the first IMAP4 Virtual Server, type the following at a command prompt, and then press ENTER:

        smtpmd set imapsvc/1/ImapLookupByRDN "1"

      The command should return the following:

        ImapLookupByRDN :[IF] (DWORD) 0x1 = (1)

Repeat this process for every IMAP4 and POP3 virtual server on the system. (For example, replace imapsvc/1 with imapsvc/2 for the second IMAP4 virtual server, and so on.) When all IMAP4 and POP3 Virtual Servers’ Metabase keys are set, restart the previously running IIS-based services. To set these keys back to default, re-issue the command for each instance, but replace “1” with “0”. It is always required to stop and restart the virtual server to pick up the new Metabase setting. SMTP Metabase keys do not need to be changed to support the Lookup by RDN feature of MCIS 2.0 Mail.

Enable the Use Full Email Mailbox feature. This feature changes the way mailboxes are stored on the file system. By default, MCIS 2.0 Mail stores the mailbox under the alias part of the user’s e-mail address. (For example, user1@domain.com would have a mailbox name of “user1.”) Enabling the Use Full Email Mailbox feature changes this behavior to use the entire e-mail address as the mailbox location on the file system. For example, user1@domain.com would have a mailbox name of user1@domain.com. This feature is also enabled by a Metabase key specific to each SMTP, POP3, and IMAP4 Virtual Server. The following instructions explain how to enable this feature:

 * 1) Copy Smtpmd.exe into a directory on the system (c:).
 * 2) Stop all IIS-based services. To do so, type the following at a command prompt, and then press ENTER:

        net stop iisadmin /y

 * 3) After all services have stopped successfully, restart IISAdmin. To do so, type the following at a command prompt, and then press ENTER:

        net start IISAdmin

 * 4) To enable the Use Full Email Mailbox feature for the first POP3 Virtual Server, change to the directory where Smtpmd.exe is located, type the following at a command prompt, and then press ENTER:

        smtpmd set pop3svc/1/PopUseFullEmailMailbox "1"

      The command should return the following:

        PopUseFullEmailMailbox :[IF] (DWORD) 0x1 = (1)

 * 5) To enable the Use Full Email Mailbox feature for the first IMAP4 Virtual Server, type the following at a command prompt, and then press ENTER:

        smtpmd set imapsvc/1/ImapUseFullEmailMailbox "1"

      The command should return the following:

        ImapUseFullEmailMailbox :[IF] (DWORD) 0x1 = (1)

 * 6) To enable the Use Full Email Mailbox feature for the first SMTP Virtual Server, type the following at a command prompt, and then press ENTER:

        smtpmd set smtpsvc/1/SmtpUseFullEmailMailbox "1"

      The command should return the following:

        SmtpUseFullEmailMailbox :[IF] (DWORD) 0x1 = (1)

Again, repeat this process for every SMTP, IMAP4, and POP3 Virtual Server on the system. (For example, replace imapsvc/1 with imapsvc/2 for the second IMAP4 virtual server, and so on.) When all IMAP4 and POP3 Virtual Servers’ Metabase keys have been set, restart the previously running IIS-based services. To set these keys back to the default, re-issue the command for each instance, but replace “1” with “0.” It is always required to stop and restart the virtual server to pick up the new Metabase setting.

Additional query words: mcis hotfix hot fix qfe quick fix Engineering patch
======================================================================
Keywords :

Version : winnt:2.0
Platform : winnt
Hardware : ALPHA x86
Issue type : kbbug
Solution Type : kbfix
=============================================================================
Copyright Microsoft Corporation 1999.