HP OpenVMS Systems Documentation
HP TCP/IP Services for OpenVMS
With a cluster-forwarding SMTP address, the POP server uses the SMTP address within the quotation marks. For example, the message header From: ABCDEF::SMTP%"firstname.lastname@example.org" becomes:
For all other address formats, the POP server changes the entire address to the SMTP format:
For example, if the substitute domain is xyz.org , the message header From: ABCMTS::MRGATE::"ORDERS::SPECIAL" becomes:
If the logical name TCPIP$POP_IGNORE_MAIL11_HEADERS is defined and the
address is an SMTP address, the rebuilt
field is not displayed to the user. In this case, the POP server sends
the actual headers from the body of the mail as the mail headers.
19.2 POP Server Startup and Shutdown
The POP server process starts automatically if you specified automatic startup during the configuration procedure (TCPIP$CONFIG.COM).
The POP server can be shut down and started independently of TCP/IP Services. This is useful when you change parameters or logical names that require the service to be restarted.
The following files are provided:
To preserve site-specific parameter settings and commands, create the following files. These files are not overwritten when you reinstall TCP/IP Services:
To modify the default POP server settings and configure additional characteristics, define TCPIP$POP logical names in the POP_SYSTARTUP.COM file. If you modify the POP startup file, restart the POP server to make the changes take effect.
You can modify the following POP server characteristics:
Table 19-2 outlines the POP logical names, default settings, and characteristic options.
Defines a level of security for the POP server. Determines the timing
and text of error messages sent from the POP server to the POP client
when authorization errors occur (for example, when an invalid user name
or password is sent):
|TCPIP$POP_DISABLE_CLEARTEXT||If defined, the POP server process does not serve incoming connections to the cleartext POP port (port 110). It will listen on port 110 and respond to any client that tries to connect with a failure message. See Section 19.5.3 for more information.|
|TCPIP$POP_DISABLE_SSL||If defined, the POP server process does not serve incoming connections to the Secure POP port (port 995). The POP server does not listen on port 995. Clients trying to connect have their connections rejected. See Section 19.5.3 for more information.|
|TCPIP$POP_CERT_FILE||Specifies the name of the certificate file that POP uses for SSL. If not defined, the default is SSL$CERTS:SERVER.CRT. See Section 19.5.3 for more information.|
|TCPIP$POP_KEY_FILE||Specifies the name of the key file that POP uses for SSL. If not defined, the default is SSL$KEY:SERVER.KEY. See Section 19.5.3 for more information.|
|TCPIP$POP_TRACE||If defined, the POP server records all messages sent to and received from the POP client in a log file.|
Defines the type of messages logged by the POP server:
Defines a person or persons to receive a failure mail message from the
POP server startup procedure (TCPIP$POP_STARTUP.COM) when the POP
server exits with an error. For example, to have the failure mail
message sent to users JONES and SMITH, define the logical name as
$ DEFINE/SYSTEM TCPIP$POP_POSTMASTER "JONES, SMITH"
|TCPIP$POP_MESSAGE_MAXIMUM n||Defines the maximum number of mail messages that a single client can download per connection, where n is a number from 0 to 65,535. If not defined, the POP server uses the default value of 0 (no maximum).|
Determines the length of time the server allows a link to a POP client
to remain idle, where
n is a number specified in OpenVMS delta time delimited by
quotation marks. A POP link remains active until it is released by the
If not defined, the POP server does not set a link idle value (0 00:00:00.00).
|TCPIP$POP_PERSONAL_NAME||If defined, the POP server provides the POP clients with the message header From: fields that include the sender's personal name, if one appeared in the sender's From: field.|
|TCPIP$POP_LEAVE_IN_NEWMAIL||If defined, mail that has been read by the PC client but not deleted remains in the NEWMAIL folder. Allows users to access mail from different systems and determine when to move or delete the mail from the POP server. If not defined, mail that has been read but not deleted is moved to the MAIL folder.|
|TCPIP$POP_USE_MAIL_FOLDER||If defined, moves all mail to the MAIL folder and displays this folder instead of the NEWMAIL folder.|
|TCPIP$POP_FAST_SCAN||If defined, the POP server estimates the number of bytes for the size of the mail message based on the number of lines in the message instead of counting the exact number of bytes. Setting this logical may improve performance.|
|TCPIP$POP_MAXIMUM_THREADS||Allows you to define the number of process threads that POP can activate. The default is 15. If you set this logical to 1, the POP server becomes single threaded. This logical is recommended only as a temporary solution to system resource problems.|
If defined, the POP server ignores the OpenVMS message headers when the
field contains an SMTP address, which indicates that the message has
come from SMTP.
For information about how POP forms message headers, see Section 19.1.6.
|TCPIP$POP_SEND_ID_HEADERS||If defined, the POP server sends X-POP3-Server and X-POP3-ID headers for each mail message. If not defined, the ID headers are not sent for any mail from an SMTP address. For information about how POP handles message headers, see Section 19.1.6.|
Determines how the POP server rebuilds a simple DECnet address (of the
node::user) in the OpenVMS Mail
field when it sends the mail to the POP client;
value is one of the following:
For more information about how POP rebuilds the message headers, see Section 18.104.22.168.2.
Determines how the POP server rebuilds a DECnet address that contains
quotation marks (an address of the form
node::"user@host") in the OpenVMS Mail
field when it sends the message to the POP client;
value is one of the following:
For more information about how POP rebuilds the message headers, see Section 22.214.171.124.4.
|TCPIP$POP_SNDBUF n||Allows you to increase or decrease the size of the TCP flow control buffer. Sets the SO_SNDBUF socket option to a specific number; n is the number 512 or greater. If not defined, the POP server uses the value specified in the SHOW PROTOCOL/PARAMETERS command.|
|TCPIP$POP_DISUSERPASS||Disables the client USER and PASS commands and sends a failure message to the POP client on receipt of either command. For more information about POP user authorization methods, see Section 19.1.5.|
|TCPIP$POP_PURGE_RECLAIM||If defined, the POP server performs a PURGE/RECLAIM command action after it deletes messages.|
The MIME (Multipurpose Internet Mail Extensions) specification provides a set of additional headers you can use so users can send mail messages composed of more than simple ASCII text. MIME is an enhancement to RFC 822.
For MIME mail to be decoded correctly, follow these guidelines:
$ DEFINE/SYSTEM TCPIP$SMTP_JACKET_LOCAL 1
If MIME mail does not decode, check the mail headers on the client
system. If you see multiple blocks of headers and the MIME version
header is not in the first block, confirm that you have followed these
19.5 Secure POP
Secure POP provides secure retrieval of mail.
The secure POP server accepts connections on port 995. Secure POP encrypts passwords, data, and POP commands and is compatible with clients that use the Secure Sockets Layer (SSL), such as Microsoft Outlook.
To use this feature, you must download the HP SSL kit for OpenVMS Alpha from the HP OpenVMS web site. If the OpenVMS SSL software is not installed, the POP server will communicate in non-SSL mode. It is easy to configure the SSL POP server. You can use self-signed certificates or CA-issued certificates for greater security. For more information, see the HP Open Source Security for OpenVMS, Volume 2: HP SSL for OpenVMS manual.
The POP client must also be configured to use the secure POP server.
Refer to your client documentation for procedures.
19.5.1 Installing SSL Shareable Images
The POP server image is installed with privileges, requiring that the shareable images that it loads be installed. Therefore, the following images must be installed before the POP server:
$ INSTALL CREATE SYS$LIBRARY:SSL$LIBCRYPTO_SHR32.EXE $ INSTALL CREATE SYS$LIBRARY:SSL$LIBSSL_SHR.EXE
The secure POP startup procedure does not install these images. You must ensure they are installed before the TCP/IP Services startup procedure runs.
The POP server is implemented with links to the OpenVMS SSL software,
thereby allowing new versions of the SSL software to be installed and
utilized by the POP server automatically. The SSL software must be
loaded with the OpenVMS INSTALL command for any changes to affect the
19.5.2 Starting SSL before TCP/IP Services
The SSL logical names are defined by the SSL startup procedure.
Therefore, if you have POP configured to use SSL logical names to
locate the certificate and key files, you must ensure that the SSL
startup procedure is run before the TCP/IP Services startup procedure.
19.5.3 Controlling Secure POP With Logical Names
You can use the following logical names to control the way the POP server works:
You can use logical names to specify the location of certificate and key files. The values assigned to these logical names may be full or partial file specifications. That is, you may specify the directory, the file name, or both. The parts of the file specification that you do not specify are supplied from the defaults.
The following examples show how to use these logical names. Each example shows the logical name, its value, and the full file specification that the secure POP server uses for the associated file.
|Logical Name||Defined To||File Specification|
|Logical Name||Defined To||File Specification|
|Logical Name||Defined To||File Specification|
If you use the full defaults for the POP certificate and key files, any
use of the SSL certificate tool to create a new certificate or key file
might affect Secure POP because the POP server and certificate tool use
the same default file names.
19.5.5 Security Recommendations for the SSL Key File
To maximize security, you should restrict access to the .KEY file to users who need to use it. You can use a combination of file protections, file ownership, and ACLs to accomplish this. For the POP server to access the .KEY file, read access to the file must be granted to the TCPIP$POP account. If you are sharing the .KEY file between different SSL-enabled applications, those applications must also have access to the .KEY file.
Because the information in the certificate file is public, it does not
require the same security restrictions.
19.5.6 Encrypted Private Keys
Secure POP does not support encrypted private keys. When you generate a
private key, you can choose to have the key encrypted in a passphrase
that you provide. This requires all users of the private key to have
access to the passphrase. The Secure POP server cannot access the
19.6 Solving POP Problems
The following sections describe ways to troubleshoot problems associated with using the POP server. Some of these include:
Many of the problems encountered using POP pertain to failed or misinterpreted commands or authorization errors. As the first step toward solving problems, you should review the messages provided by the POP server.
The POP server logs command error and OPCOM (authorization) messages in the file SYS$SYSDEVICE:[TCPIP$POP]POP_RUN.LOG. By default, the POP server sends informative error messages to the client about specific errors.
If the SERVICE database log option REJECT is set, the POP server sends OPCOM messages when it rejects POP client commands because of authorization failures. These errors include the receipt of a client's USER command with an invalid user name, or a PASS command with an invalid password.
By default, OPCOM messages are displayed on the client system and are listed in the log file. To disable OPCOM messages, disable the REJECT logging option for the POP service, as follows:
$ TCPIP SET SERVICE POP/LOG=NOREJECT
For troubleshooting purposes, you can simulate a POP client and enter the XTND commands listed in Table 19-3 to obtain information.
|XTND CLIENT||Logs POP client information (if the client supplies it). Helpful for troubleshooting if you use POP with a variety of POP clients that identify themselves.|
|XTND LOGLEVEL||Dynamically adjusts POP logging level. Supported levels are INFORMATIONAL (default), ERROR, THREAD, and DEBUG.|
Displays POP statistics in the following format:
+OK Statistics follow
|XTND SHUTDOWN||Performs an orderly shutdown of POP. Waits for current client connections to disconnect. Recommended over the DCL command STOP.|
To simulate a POP client and obtain information:
$ TELNET UCXSYS 110 %TELNET-I-TRYING, Trying ... 126.96.36.199 %TELNET-I-SESSION, Session 01, host ucxsys, port 110 +OK POP server TCPIP Version 5.0, OpenVMS V7.1 Alpha at ucxsys.acme.com, up since 1999-04-04 06:42:17 <24A00E61._6_APR_1999_06_02_31_15@ucxsys.acme.com> USER username +OK Password required for "username" PASS password +OK Username/password combination ok XTND LOGLEVEL DEBUG +OK logging level changed to debug QUIT +OK TCPIP POP server at ucxsys.acme.com signing off.