Version 7

    How to run JBoss Mail Server Without Superuser/Root Access

     

    versions: 1.0M3, 1.0M4, 1.0M5-pre1

     

    Reason

     

    Superuser access is required because JBMS, by default, services ports below 1000.  Specifically:

     

    • 25  - SMTP

    • 143 - IMAP (1.0M5-pre1 only)

    • 465 - SMTP over SSL

    • 110 - POP

    • 995 - POP/SSL

     

    Most UNIX systems require root/superuser access to access these ports.

     

    Duh

     

    So the "duh" answer is "change the ports" either through the installer or through manual configuration.  This isn't a big deal for POP other than you will have to inform users since most mail clients will make these assumptions for "default" ports.  However, it will cause problems with receiving outside mail if you change port SMTP from 25.

     

    For example you could change the ports to:

     

    • 8025 - SMTP

    • 8143 - IMAP (1.0M5-pre1 only)

    • 8464 - SMTP/SSL

    • 8110 - POP

    • 8995 - POP/SSL

     

    And root access wouldn't be required (be sure to delete or chown/chgrp $JBOSS_HOME/server/CONFIG/tmp, log and work directories).  However you'll have problems with outside mail and those pesky users saying the email doesn't work.

     

    iptables

     

    For Linux, you can use the "iptables" tool (or ipchains for older distributions).  Other UNIX operating system have similar tools.  You will need to set up your rules as the root users, preferrably in your startup scripts (i.e. /etc/rc.d/inid.d/iptables for SYS V init script based distributions) or whatever config routine your distribution uses.  These rules will forward port 25 to port 8025 and back, for instance:

     

    • /sbin/iptables -t nat -A PREROUTING -p tcp --dport 25 -d 192.168.x.x -j DNAT --to 192.168.x.x:8025

    • /sbin/iptables -t nat -A PREROUTING -p tcp --dport 143 -d 192.168.x.x -j DNAT --to 192.168.x.x:8143 (1.0M5-pre1 only)

    • /sbin/iptables -t nat -A PREROUTING -p tcp --dport 464 -d 192.168.x.x -j DNAT --to 192.168.x.x:8464

    • /sbin/iptables -t nat -A PREROUTING -p tcp --dport 110 -d 192.168.x.x -j DNAT --to 192.168.x.x:8110

    • /sbin/iptables -t nat -A PREROUTING -p tcp --dport 995 -d 192.168.x.x -j DNAT --to 192.168.x.x:8995

     

    Thus JBMS can then run on ports 8025/8143/8464/8110/8995 yet SMTP, for instance, will be routed from port 25 to 8025.

     

    Other Options

     

    Depending on your views of network security you could also introduce ip load balancers and things that are also capable of this or even other UNIX or even Win32 boxes in front of your actual mail server.  In the case of other boxes you could use NAT style routing or even SSH Port Forwarding.  The latter would be very slow and introduce a scalability issue but you could chat up how encrypted things are for you and make everyone think you were a security nut (until someone pointed out that the mail will go out over the net unencrypted anyhow so who cares and why pay the cost).

     

    other operating systems

     

     

    related

     

    • UsingPortForwardingWithJBoss