Security Implications Of XCLIENT (Doc ID 2606365.1)

Last updated on FEBRUARY 06, 2024

Applies to:

Oracle Communications Messaging Server - Version 8.1.0 and later
Information in this document applies to any platform.


This question pertains to security implications of XCLIENT on a particular Messaging Server MTA deployment behind a load balancer.

In this example, a Dynamic Source Router (DSR) would normally be used and the MTA systems would have the VIP IP address configured on the loopback interface, so that TCP/IP can recognize/accept connections to port 25 on the VIP address.

But in this deployment, that is not desired. Instead, the preference is for the load balancer to use XCLIENT to pass the client information to the MTA within the SMTP protocol, rather than at the TCP/IP layer.

Does Messaging Server have a mechanism to only allow XCLIENT from certain client IP addresses?

Possibly answering the question...

A normal [] rewrite rule could switch the "allowed" clients (the load balancer) to a channel that has XCLIENT enabled.

Q1. It is assumed that channel switching does not happen again after the XCLIENT command. Is that correct?

So, the load balancer IPs could be added to INTERNAL_IP, and the xclient option put on the tcp_intranet channel.
The load balancers and any clients they serve would be allowed through with sc=tcp_intranet.
Anything else would be tcp_local.

Q2. Would the above work?
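
The policy proposed above, modelled in Python as an added example (not Oracle's code and not Messaging Server configuration): the source channel is chosen from the TCP peer address alone, and an XCLIENT-supplied client address is honoured only on the channel that carries the xclient option. The load balancer range, the function names and the ADDR/IPV6: attribute syntax (taken from the XCLIENT extension as documented by Postfix) are assumptions; whether the MTA re-evaluates the channel after XCLIENT (Q1) is not modelled.

```python
import ipaddress

# Constructed values: load balancer addresses (RFC 5737 documentation range).
LOAD_BALANCERS = [ipaddress.ip_network("192.0.2.10/31")]
XCLIENT_CHANNELS = {"tcp_intranet"}  # only this channel carries the xclient option


def source_channel(peer_ip):
    """Choose the source channel from the TCP peer address alone."""
    ip = ipaddress.ip_address(peer_ip)
    return "tcp_intranet" if any(ip in net for net in LOAD_BALANCERS) else "tcp_local"


def parse_xclient(line):
    """Parse 'XCLIENT ATTR=value ...' into a dict; ValueError if malformed."""
    verb, _, rest = line.strip().partition(" ")
    if verb.upper() != "XCLIENT" or not rest.strip():
        raise ValueError("not an XCLIENT command")
    attrs = {}
    for token in rest.split():
        name, sep, value = token.partition("=")
        if not name or not sep or not value:
            raise ValueError("malformed attribute: %r" % token)
        attrs[name.upper()] = value
    return attrs


def handle_xclient(peer_ip, line):
    """Return (accepted, effective_client_ip, channel) for one XCLIENT command."""
    channel = source_channel(peer_ip)
    if channel not in XCLIENT_CHANNELS:
        # Untrusted peer: ignore the claimed address, keep the real one.
        return (False, peer_ip, channel)
    try:
        addr = parse_xclient(line).get("ADDR", "")
        if addr.upper().startswith("IPV6:"):  # IPv6 literals carry this prefix
            addr = addr[5:]
        claimed = str(ipaddress.ip_address(addr))
    except ValueError:
        return (False, peer_ip, channel)  # malformed or missing ADDR
    return (True, claimed, channel)


if __name__ == "__main__":
    cmd = "XCLIENT ADDR=198.51.100.25 NAME=mail.example.net"  # constructed sample
    for peer in ("192.0.2.10", "203.0.113.7"):
        print(peer, handle_xclient(peer, cmd))
```

In this model a peer outside the load balancer range stays on tcp_local and its claimed address is never used for logging or access decisions, which is the property the question is asking the MTA to enforce.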

