How to run JBoss Mail Server Without Superuser/Root Access
versions: 1.0M3, 1.0M4, 1.0M5-pre1
Superuser access is required because JBMS, by default, listens on ports below 1024, the privileged port range. Specifically:
25 - SMTP
143 - IMAP (1.0M5-pre1 only)
465 - SMTP over SSL
110 - POP
995 - POP/SSL
Most UNIX systems only let root (or a process started by root) bind to these ports.
So the "duh" answer is "change the ports", either through the installer or through manual configuration. For POP (and IMAP) this isn't a big deal, other than having to inform users, since most mail clients assume the "default" ports. However, moving SMTP off port 25 will break receiving mail from outside: other mail servers always deliver to port 25, and there is no way to tell them about a different port.
For example you could change the ports to:
8025 - SMTP
8143 - IMAP (1.0M5-pre1 only)
8464 - SMTP/SSL
8110 - POP
8995 - POP/SSL
And root access wouldn't be required. Be sure to delete or chown/chgrp the $JBOSS_HOME/server/CONFIG/tmp, log and work directories: if JBoss was ever started as root they are owned by root, and the unprivileged user will not be able to write to them. However, you'll still have problems with outside mail and those pesky users saying email doesn't work.
The fix for that is to keep JBMS on the high ports and have the kernel redirect the well-known ports to them. For Linux, you can use the "iptables" tool (or ipchains for older distributions). Other UNIX operating systems have similar tools. You will need to set up the rules as the root user, preferably in your startup scripts (i.e. /etc/rc.d/init.d/iptables for SYS V init script based distributions) or whatever config routine your distribution uses, since iptables rules do not survive a reboot on their own. The rules below rewrite the destination port of incoming packets (DNAT) so that a connection to port 25 lands on port 8025; connection tracking rewrites the replies back, so the client never sees the high port. Note that PREROUTING only sees packets arriving from the network: connections made on the mail host itself (a local script, or "telnet localhost 25" when testing) are not redirected unless you add the same rules to the nat OUTPUT chain as well. For instance:
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 25 -d 192.168.x.x -j DNAT --to 192.168.x.x:8025
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 143 -d 192.168.x.x -j DNAT --to 192.168.x.x:8143
(the 143 rule is for 1.0M5-pre1 only)
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 465 -d 192.168.x.x -j DNAT --to 192.168.x.x:8464
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 110 -d 192.168.x.x -j DNAT --to 192.168.x.x:8110
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 995 -d 192.168.x.x -j DNAT --to 192.168.x.x:8995
Thus JBMS runs on ports 8025/8143/8464/8110/8995, yet a connection to port 25, for instance, is redirected to 8025. You can list the active redirections with "iptables -t nat -L PREROUTING -n" and confirm from another machine that port 25 answers with the SMTP banner. Keep in mind that the high ports themselves stay reachable as well, and that filter rules in INPUT see the port after DNAT, so a rule dropping 8025 in INPUT would also drop the redirected port 25 traffic.
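The following script is an added example, not part of JBMS or of the original page. It puts the two manual steps above (re-owning the scratch directories and installing the redirection rules) into a form that can go into a startup script. The address 192.168.1.10, the environment variable names and the DRY_RUN switch are assumptions for the example; the port pairs are the ones listed on this page. It also adds the nat OUTPUT rules so that local connections to the well-known ports are redirected too.

```shell
#!/bin/sh
# jbms-ports.sh: run JBoss Mail Server on unprivileged ports and redirect the
# well-known mail ports to them. Added example for this page; it is not part
# of the JBMS distribution. Usage (as root): sh jbms-ports.sh apply
# With DRY_RUN=1 (the default here) the iptables commands are only printed.

MAIL_IP="${MAIL_IP:-192.168.1.10}"   # assumed address of the mail host
IPTABLES="${IPTABLES:-/sbin/iptables}"
DRY_RUN="${DRY_RUN:-1}"

# Map a well-known port to the unprivileged port JBMS is configured for
# (the pairs from this page; 8464 for 465 is the page's choice).
jbms_port() {
    case "$1" in
        25)  echo 8025 ;;
        143) echo 8143 ;;   # IMAP, 1.0M5-pre1 only
        465) echo 8464 ;;
        110) echo 8110 ;;
        995) echo 8995 ;;
        *)   return 1 ;;
    esac
}

# Print the two nat rules for one well-known port: PREROUTING for packets
# arriving from the network, OUTPUT for connections made on the host itself
# (PREROUTING never sees locally generated traffic, so "telnet localhost 25"
# would otherwise reach nothing).
nat_rules() {
    low="$1"
    high=$(jbms_port "$low") || return 1
    for chain in PREROUTING OUTPUT; do
        printf '%s -t nat -A %s -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
            "$IPTABLES" "$chain" "$MAIL_IP" "$low" "$MAIL_IP" "$high"
    done
}

# Install (or with DRY_RUN=1, print) the rules for every port JBMS serves.
apply_rules() {
    for p in 25 143 465 110 995; do
        nat_rules "$p" | while IFS= read -r cmd; do
            if [ "$DRY_RUN" = 1 ]; then
                echo "$cmd"
            else
                $cmd || return 1
            fi
        done
    done
}

# Re-own the per-config scratch directories (tmp, log, work) so the
# unprivileged user can write to them; they are root-owned if JBoss was
# ever started as root. $1 is $JBOSS_HOME/server/CONFIG, $2 the user.
fix_server_dirs() {
    cfg="$1"; user="$2"
    [ -n "$cfg" ] && [ -d "$cfg" ] || return 1
    for d in tmp log work; do
        if [ -d "$cfg/$d" ]; then
            chown -R "$user" "$cfg/$d" || return 1
        fi
    done
    return 0
}

if [ "${1:-}" = "apply" ]; then
    [ -n "${JBMS_CONFIG:-}" ] && fix_server_dirs "$JBMS_CONFIG" "${JBMS_USER:-jbms}"
    apply_rules
fi
```

Run it from the init script before JBoss is started as the unprivileged user; with DRY_RUN=0 it executes the iptables commands instead of printing them. DNAT keeps the client's real source address, so JBMS's logs and any address-based checks still see the remote host rather than the mail server itself.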
Depending on your views of network security you could also put an IP load balancer, or another UNIX or even Win32 box, in front of the actual mail server and have it do the port mapping. In the case of another box you could use NAT-style routing or even SSH port forwarding. The latter would be very slow and introduce a scalability issue, and every connection would arrive at JBMS from the forwarding host rather than from the real client, so the client address is lost for logging. But you could chat up how encrypted things are and make everyone think you were a security nut (until someone pointed out that the mail goes out over the net between servers unencrypted anyhow, so who cares and why pay the cost).
other operating systems