Installing and Configuring Postfix 2.x and UW IMAP/POP3 on Mac OS X Server 10.2
13 April 2003—Updated 27 March 2004
Note: This article supersedes my earlier one on the subject.
Note: Apple have included Postfix 2.0.10 with Mac OS X Server 10.3, rendering this article not applicable to administrators running that version of Server.
Postfix is a popular mail transport agent (MTA) used by thousands of mail servers on the Internet. It is flexible, easily configurable, extensible, and powerful. This article will show you how to install Postfix (version 2.0.7 as of this writing) as your MTA, either replacing Apple Mail Service or working with it. For those who choose to disable Apple Mail Service completely, you will also install the University of Washington’s IMAP and POP servers, as well as their popular command-line e-mail client, Pine. As an additional bonus, you will install a newer version of the Pico visual editor.
Note: CERT has published a security bug in UW IMAP. See <http://www.kb.cert.org/vuls/id/961489> for more details. According to UW, the bug does not exist in current releases of their IMAP server. If you already use UW IMAP, you should make sure to run the latest version of the software. See <http://www.washington.edu/imap> for more information.
There are two avenues you can pursue: you can choose to replace Apple Mail Service altogether, or to install Postfix and use it as the “Other Mail Transfer Agent” in conjunction with Apple Mail Service. The direction you take will depend on a few variables. If you are currently using Apple Mail Service and have users who send and retrieve e-mail with it, then you should only completely replace Apple Mail Service if your users can remove all mail from the Server. AMS uses a proprietary database format for its mail store, so there is no easy or intuitive way of removing e-mail from AMS and moving it to Postfix. (You could possibly do it by using an IMAP server on another machine, or by doing lots of digging and coding; neither are within the scope of this article.)
If you anticipate that your needs will not be particularly complex—for example, you have no plans to implement mailing lists, or integrate anti-spam/anti-virus scanning—then you should consider keeping Apple’s mail storage, IMAP, and POP functions in place and replacing Sendmail with Postfix.
If you expect to have a complex mail setup—multiple domains, mailing lists, server-side e-mail filtering, anti-spam/anti-virus scanning, etc.—then I recommend replacing Apple Mail Service completely. You will find that Postfix, with rare exception, is a most capable MTA and can be managed quite easily.
Part 1
University of Washington IMAP and POP daemons, Pine, and Pico
Even if you have no plans to replace Apple Mail Service’s IMAP and POP daemons, there is merit in completing this part of the article. Pine (currently version 4.53) is a popular and remarkably complete command-line e-mail program that is fast and quite configurable. It is quite usable even over a slow dialup line, and is a good tool for a system administrator. Pine employs Pico as its default visual editor, and version 4.4 ships with the Pine package. This version is much newer than the version Apple distributes.
Our first step is to retrieve the source archive. You should have a directory somewhere on your path in which to store the archive and its decompressed source files. Do not put the repository in a place where any portion of the path contains a space or special characters like accents; few if any UNIX installers are designed to deal with complex paths like this, despite UNIX’ built-in ability to handle them via quoting. Here, I store my UNIX sources in a subdirectory of my downloads directory, which is kept on an external FireWire drive.
Retrieve the file <ftp://ftp.cac.washington.edu/pine/pine.tar.gz> and decompress it:
curl -O ftp://ftp.cac.washington.edu/pine/pine.tar.gz
gunzip pine.tar.gz
tar xvf pine.tar
Change into the source directory. If your Server makes use of SSL certificates, the installer will detect their presence during its build process and build support into IMAP. It has been my experience that this does not work properly for self-signed certificates.
Execute either the command “./build osx” (which will integrate support for SSL) or “./build NOSSL osx” to build non-SSL distributions. When the build process has completed, you will be presented with a list of the compiled applications. Put them in an appropriate location:
sudo mkdir -p /usr/local/bin
sudo cp bin/* /usr/local/bin
Make sure to modify your shell path to include /usr/local/bin as a searchable location; otherwise, you will need to specify the full path to these applications.
Note: if you want to use Pine with AMS, you will need to configure Pine to use an IMAP inbox. On your local server, for example, you would configure your inbox-path (reached from Pine’s main menu by the keystrokes s, c) to be {localhost}INBOX. Otherwise, Pine will never see the messages stored in AMS’ database.
If you do not wish to replace Apple Mail Service, please skip now to Part 2.
If you do wish to completely replace Apple Mail Service, you need to enable support for imap and pop3. Then you must set them up in xinetd and get them started.
Apple uses the xinetd internet daemon in Mac OS X Server 10.2 to manage fundamental UNIX services. Apple Mail Service is not managed by xinetd, but our new IMAP and POP servers will be. To have them controlled by xinetd, we need to create two files in the /etc/xinetd.d directory. You will need to be root to create these files:
/etc/xinetd.d/imapd:
service imap
{
disable = no
socket_type = stream
wait = no
user = root
server = /usr/local/bin/imapd
groups = yes
flags = REUSE
}
/etc/xinetd.d/ipop3d:
service pop3
{
disable = no
socket_type = stream
wait = no
user = root
server = /usr/local/bin/ipop3d
groups = yes
flags = REUSE
}
Once you have created them, restart the xinetd process (prefix the command with sudo if you are not already superuser):
kill -HUP `cat /var/run/xinetd.pid`
Note: the “cat /var/run/xinetd.pid” portion of that command is enclosed in “back-ticks” (found on the same key as the tilde, on most keyboards)—not apostrophes or single quotes.
IMPORTANT: If you use Open Directory, your local (Administrator) user account information must use a “Basic” password in order to use UW IMAP. Otherwise, you will never be able to connect successfully.
Part 2
Installing Postfix
Change to your preferred sources directory. Retrieve the current Postfix source code from whichever of the Postfix Download Sites at <http://www.postfix.org/download.html> is closest to you. Decompress and untar the archive (postfix-2.0.7.tar.gz) and change into the resulting source directory (postfix-2.0.7).
Postfix' authors and contributors have done a remarkable job of supporting Mac OS X Server, but a few tweaks to their setup are still needed. The following process will ameliorate the differences—which may be completely removed in future versions:
cd auxiliary/MacOSX
sudo ./repair-oldsetup
sudo ./backup-sendmail-binaries
sudo ./niscript
(cd ../..; sudo make clean; sudo make install)
After the build process is complete, the installation part of setup will commence. You will be prompted for various bits of information that the installation script will use to build a basic Postfix configuration. With the exception of the following questions and answers, you can accept the defaults as they are listed.
- setgid_group: the default is postdrop; answer maildrop
- manpage_directory: the default is /usr/local/man; unless you have symlinks in place already, answer /usr/share/man
- (optional) readme_directory: the default is no; answer /etc/postfix if you want to be able to refer to the many explanatory sample configuration files
When this process has completed, the following steps will finalize Postfix installation and set up a proper StartupItem:
sudo mkdir -p /usr/sbin/.postfixbinaries
sudo ./backup-postfix-binaries
sudo ./activate-postfix
cd /Library/StartupItems/Postfix
sudo mkdir -p Resources/English.lproj
cd Resources/English.lproj
Create a file called “Localizable.strings” (as root) and input the following information into it:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist SYSTEM "file://localhost/System/Library/DTDs/PropertyList.dtd">
<plist version="0.9">
<dict>
<key>Starting Postfix Mail Transport Agent</key>
<string>Starting Postfix Mail Transport Agent</string>
<key>Configuring Postfix Mail Transport Agent</key>
<string>Configuring Postfix Mail Transport Agent</string>
</dict>
</plist>
At this point, Postfix is running—but it is not configured.
Part 3
Configuring Postfix
This final part of my article will help you create a basic configuration for Postfix. Postfix has many configuration directives and can interface with other applications to enhance its ability to handle e-mail. Read the various sample configuration files and documentation on Postfix' Web site to gain greater insight into making the most of the MTA.
First off, you need to manage Postfix' aliases file. An e-mail alias is a simple way of redirecting e-mail aimed at one address to another, for addresses at the local machine level. You should edit the /etc/postfix/aliases file (as root) and, at minimum, make sure that root, postmaster, and abuse are pointing to a local account (note to AMS users: this account must be configured to receive e-mail in Workgroup Manager) that someone will regularly check and read. Failure to read and respond to e-mail addressed to postmaster and abuse is a serious breach of Internet etiquette and may result in your host/domain being blacklisted or nullrouted. Don’t say I didn’t warn you!
After you have edited the aliases file, build its database with the following command:
postalias /etc/postfix/aliases
Now we turn to main.cf, the main configuration file for Postfix. This file configures the core operation of Postfix. It can be quite short and simple, or very long and complex. Postfix' author has filled the file with copious operational notes, and you would be well-served by making a backup copy for the purpose of reading and referring to these notes later.
As root, open the file in your favourite text editor.
Search for the phrase “INTERNET HOST AND DOMAIN NAMES” and set the values for myhostname and mydomain. For example, in our configuration they are set as follows:
mydomain = fates.org
myhostname = mrsgale.fates.org
Search for the phrase “SENDING MAIL” and set the value of myorigin (setting it to $mydomain is normally fine).
If you want to configure Postfix to receive mail as well as send it, search for the phrase “RECEIVING MAIL” and set the variable mydestination. By default, the following is acceptable:
mydestination = $myhostname, localhost.$mydomain, $mydomain
If you host multiple domains, you may have additional values.
Search for the phrase, “TRUST AND RELAY CONTROLS” and set the value of either mynetworks_style or mynetworks. Which variable you will use will depend on your netmask/CIDR setting and your level of trust. If your users are all on fixed IP addresses within an easily-defined netblock, then mynetworks_style may be sufficient. Read the documentation in the default main.cf file for more information.
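The difference between mynetworks_style and an explicit mynetworks list is easier to judge when you can see exactly which client addresses permit_mynetworks would let relay. The following is an added example (not code from the article or from Postfix) that models the documented meaning of the three mynetworks_style values (host, subnet, class) and of a hand-written mynetworks list; the interface address, netmask and client addresses are constructed sample values from the RFC 5737 documentation ranges, not this server's real ones.

```python
"""Model the permit_mynetworks trust decision for Postfix's mynetworks settings.

Added example, not part of the original article or of Postfix. It reproduces
the documented semantics: mynetworks_style = host trusts only the local
machine, subnet trusts the interface's own subnet, class trusts the whole
classful A/B/C network; an explicit mynetworks value is a whitespace- or
comma-separated list of CIDR blocks or bare addresses.
"""
import ipaddress


def mynetworks_from_style(style, iface_addr, iface_mask):
    """Return the trusted networks implied by mynetworks_style for an
    interface with the given address and dotted netmask."""
    iface = ipaddress.ip_interface(f"{iface_addr}/{iface_mask}")
    if style == "host":
        return [ipaddress.ip_network(f"{iface.ip}/32")]
    if style == "subnet":
        return [iface.network]
    if style == "class":
        # classful boundaries: A = first octet < 128, B < 192, else C
        first_octet = int(iface.ip) >> 24
        prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
        return [ipaddress.ip_network(f"{iface.ip}/{prefix}", strict=False)]
    raise ValueError(f"unknown mynetworks_style: {style}")


def parse_mynetworks(value):
    """Parse an explicit 'mynetworks' value into network objects."""
    return [ipaddress.ip_network(entry, strict=False)
            for entry in value.replace(",", " ").split()]


def client_may_relay(client_ip, networks):
    """permit_mynetworks: True if the client address lies in a trusted network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    # constructed: server interface 10.1.2.3/24, three candidate SMTP clients
    clients = ("10.1.2.3", "10.1.2.40", "10.200.0.1")
    for style in ("host", "subnet", "class"):
        nets = mynetworks_from_style(style, "10.1.2.3", "255.255.255.0")
        allowed = [ip for ip in clients if client_may_relay(ip, nets)]
        print(f"{style:6} {[str(n) for n in nets]} relays for {allowed}")
    explicit = parse_mynetworks("127.0.0.0/8, 10.1.2.0/28")
    print("explicit", [ip for ip in clients if client_may_relay(ip, explicit)])
```

Running it on a 10.x.x.x interface shows the trap the article is warning about: the class style trusts all of 10.0.0.0/8, so any host in that range could relay through you, whereas an explicit /28 limits relaying to the sixteen addresses you actually control.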
If your mail server will not actually send e-mail out to the Internet, but must use a relay host, you may have to set a value for the variable relayhost in the “INTERNET OR INTRANET” section.
Search for the phrase “ALIAS DATABASE” and set the following variables:
alias_maps = netinfo:/aliases, hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
Doing so will allow you to specify e-mail alias maps in NetInfo as well as the plaintext “aliases” file. If you augment your e-mail situation later with, e.g., mailman, then you will need to add information to these variables.
Search for the phrase “ADDRESS EXTENSIONS” and set the variable recipient_delimiter to “+”. This will have the effect of allowing users to virtually create filter folders by appending “+information” to their e-mail usernames, without Postfix complaining that the expanded address does not map to a local user. One reason for doing this is that it allows you to “tag” e-mail addresses you give on the Internet, so you can see who is giving it out to spammers.
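Two things above are worth checking mechanically rather than by eye: that root, postmaster and abuse in the aliases file really end up in a local account that someone reads, and that a tagged address like dbo+lists still lands in dbo once recipient_delimiter is set. The following added example (not the article's or Postfix's code) parses an aliases(5)-style file, expands addresses the way local(8) is documented to, looking up the full local part first and then the part before the delimiter, follows alias chains with loop detection, and audits the three required names. The sample aliases text and the set of local accounts are constructed; only the simple alias forms (local user, external address, |command, /path, :include:) are modelled, and the last three are treated as terminal targets.

```python
"""Parse a Postfix-style aliases file, resolve local addresses with
recipient_delimiter semantics, and audit the root/postmaster/abuse aliases.

Added example, not part of the original article or of Postfix.
"""

# constructed sample /etc/postfix/aliases (not the article's real file)
SAMPLE_ALIASES = """\
# constructed sample aliases file
postmaster:   root
abuse:        postmaster
root:         dbo
hostmaster:   root
webmaster:    www,
              dbo
lists-bounce: |/usr/local/bin/handle-bounce
loop-a:       loop-b
loop-b:       loop-a
"""

# constructed set of accounts that exist on this server
LOCAL_ACCOUNTS = {"dbo", "www"}

REQUIRED = ("root", "postmaster", "abuse")
TERMINAL_PREFIXES = ("|", "/", ":include:")


def _split_targets(text):
    """Split a target list on commas; a command, file or :include: is one item."""
    text = text.strip()
    if text.startswith(TERMINAL_PREFIXES):
        return [text]
    return [t.strip() for t in text.split(",") if t.strip()]


def parse_aliases(text):
    """Return {name: [target, ...]}. '#' lines are comments, a line that starts
    with whitespace continues the previous entry, names are case-insensitive."""
    aliases, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if current is None:
                raise ValueError(f"continuation line without an entry: {raw!r}")
            aliases[current].extend(_split_targets(raw))
            continue
        name, sep, rest = raw.partition(":")
        if not sep:
            raise ValueError(f"malformed alias line: {raw!r}")
        current = name.strip().lower()
        aliases[current] = _split_targets(rest)
    return aliases


def resolve(localpart, aliases, delimiter="+"):
    """Expand a local part the way local(8) does: try the full name, then the
    name before the delimiter. Returns the set of terminal targets; an alias
    cycle contributes a 'LOOP:<name>' marker instead of recursing forever."""
    final = set()

    def walk(addr, path):
        addr = addr.lower()
        if addr in path:
            final.add("LOOP:" + addr)
            return
        targets = aliases.get(addr)
        if targets is None and delimiter and delimiter in addr:
            addr = addr.split(delimiter, 1)[0]      # strip the +extension
            targets = aliases.get(addr)
        if targets is None:
            final.add(addr)                         # local account (or unknown name)
            return
        for target in targets:
            if "@" in target or target.startswith(TERMINAL_PREFIXES):
                final.add(target)
            else:
                walk(target, path | {addr})

    walk(localpart, frozenset())
    return final


def audit_required(aliases, local_accounts, required=REQUIRED):
    """Return {name: targets} for required aliases that do not reach a local
    account; an empty dict means all of them are read by someone local."""
    problems = {}
    for name in required:
        final = resolve(name, aliases)
        if not final & set(local_accounts):
            problems[name] = sorted(final)
    return problems


if __name__ == "__main__":
    table = parse_aliases(SAMPLE_ALIASES)
    for addr in ("abuse", "postmaster+campaign", "dbo+lists", "loop-a"):
        print(f"{addr:22} -> {sorted(resolve(addr, table))}")
    print("audit:", audit_required(table, LOCAL_ACCOUNTS) or "ok")
```

The audit deliberately treats an address that merely forwards off-site as a problem, matching the article's requirement that these three names point to a local account; relax that check if your postmaster mailbox legitimately lives on another host.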
Unless you are using AMS, I strongly recommend setting the variable mailbox_command to “/usr/bin/procmail”. Procmail is a UNIX command that processes e-mail before it gets to the user’s e-mail client. At its most simplistic level, Procmail is a mail filtering tool that can automatically sort e-mail into folders based on the sender, subject, or any other part of the mail message. At its most complex, in conjunction with other Apple-supplied UNIX commands, Procmail can act as an automated file exchange and storage tool; spam detector and auto-complainer; e-mail archive manager; and much more. To learn more about Procmail, type man procmail and prepare to spend a lot of time learning the power of this amazing tool.
The “JUNK MAIL CONTROLS” section of main.cf is one of the gold mines of Postfix. While Apple is to be commended for building basic anti-spam controls into AMS, virtually any other MTA is superior at squashing the tide of unsolicited pornography, make-money-fast scams, and fraud that is consuming an ever-increasing percentage of total Internet resources. Whatever you do, if your mail server will receive mail from the Internet, don’t skip this section. Explaining all of the various controls is beyond the scope of this article, but you should at least read sample-smtpd.cf, <http://www.postfix.org/uce.html>, and refer to our UCE controls:
maps_rbl_reject_code = 571
smtpd_helo_required = yes
smtpd_delay_reject = yes
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    check_helo_access hash:/etc/postfix/helo-access,
    reject_unauth_destination,
    check_client_access hash:/etc/postfix/smtpdreject,
    check_client_access hash:/etc/postfix/proxylist,
    check_client_access hash:/etc/postfix/comcast.classful,
    check_client_access hash:/etc/postfix/access-ips,
    check_sender_access hash:/etc/postfix/access-addresses,
    reject_rbl_client dynablock.njabl.org,
    reject_rbl_client relays.ordb.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client korea.services.net,
    reject_rbl_client opm.blitzed.org,
    reject_rbl_client dialups.visi.com,
    reject_rbl_client relays.visi.com,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client cn-kr.blackholes.us,
    reject_rbl_client singapore.blackholes.us,
    reject_rbl_client thailand.blackholes.us,
    reject_rbl_client malaysia.blackholes.us,
    reject_rbl_client china.blackholes.us,
    reject_rbl_client korea.blackholes.us,
    reject_rbl_client argentina.blackholes.us,
    reject_rbl_client brazil.blackholes.us,
    reject_rbl_client taiwan.blackholes.us,
    reject_rbl_client nigeria.blackholes.us,
    reject_rbl_client cbl.abuseat.org,
    permit_mx_backup
#   permit
# allow_untrusted_routing = no
header_checks = regexp:/etc/postfix/spammerheaders
#
# 20030113 - dbo - New filter option. USE WITH EXTREME CAUTION
body_checks = regexp:/etc/postfix/spammerbodies
IMPORTANT: use of the configurations above will cause you to lose mail. Virtually all of that mail will be spam, but there may be some “false positives” in the mix. You should monitor your /var/log/mail.log every time you adjust your spam controls, and periodically check it for rejections and warnings.
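Monitoring /var/log/mail.log by eye gets old quickly once the RBL list above is in place. The following added example (not code from the article or from Postfix) summarises smtpd rejections: counts by SMTP reply code, by RBL, and by client address, plus a short list of rejections worth a second look, namely those of clients that do have a resolvable hostname and were turned away by a helo or sender-domain test rather than by an RBL, which is where misconfigured but legitimate senders usually show up. The log lines are constructed in the shape of Postfix smtpd "reject:" and "warning:" entries, using this article's host and domain names; real log wording varies slightly between Postfix versions, so the regular expressions are kept tolerant.

```python
"""Summarise Postfix smtpd rejections from mail.log.

Added example, not part of the original article or of Postfix. Run it as
  python3 rejects.py /var/log/mail.log
or with no argument to analyse the constructed sample lines below.
"""
import re
import sys
from collections import Counter

# constructed sample log lines in the shape of Postfix 2.x smtpd entries
SAMPLE_LOG = """\
Apr 13 10:01:02 mrsgale postfix/smtpd[4211]: reject: RCPT from unknown[192.0.2.5]: 554 Service unavailable; Client host [192.0.2.5] blocked using sbl.spamhaus.org; from=<offer@example.net> to=<dbo@fates.org> proto=ESMTP helo=<mail.example.net>
Apr 13 10:02:10 mrsgale postfix/smtpd[4215]: reject: RCPT from mail.example.org[198.51.100.8]: 504 <mail>: Helo command rejected: need fully-qualified hostname; from=<alice@example.org> to=<dbo@fates.org> proto=SMTP helo=<mail>
Apr 13 10:03:15 mrsgale postfix/smtpd[4219]: reject: RCPT from unknown[203.0.113.9]: 450 <bob@nonexistent.invalid>: Sender address rejected: Domain not found; from=<bob@nonexistent.invalid> to=<root@fates.org> proto=ESMTP helo=<x>
Apr 13 10:04:20 mrsgale postfix/smtpd[4222]: reject: RCPT from unknown[192.0.2.77]: 554 Service unavailable; Client host [192.0.2.77] blocked using cbl.abuseat.org; from=<> to=<postmaster@fates.org> proto=SMTP helo=<pc>
Apr 13 10:05:00 mrsgale postfix/smtpd[4230]: warning: 192.0.2.99: address not listed for hostname mail.example.com
Apr 13 10:06:00 mrsgale postfix/smtpd[4233]: reject: RCPT from unknown[192.0.2.5]: 554 Service unavailable; Client host [192.0.2.5] blocked using sbl.spamhaus.org; from=<deal@example.net> to=<dbo@fates.org> proto=ESMTP helo=<mail.example.net>
"""

REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: reject: RCPT from (?P<host>\S+?)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<reason>.*?); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)
RBL_RE = re.compile(r"blocked using (?P<rbl>\S+?)(?:;|$)")
WARNING_RE = re.compile(r"postfix/smtpd\[\d+\]: warning: (?P<text>.*)")


def summarize(lines):
    """Return counters for rejections plus a 'review' list of the rejections a
    human should double-check for false positives."""
    summary = {"rejects": 0, "warnings": 0, "by_code": Counter(),
               "by_rbl": Counter(), "by_client": Counter(), "review": []}
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            summary["rejects"] += 1
            summary["by_code"][m["code"]] += 1
            summary["by_client"][m["ip"]] += 1
            rbl = RBL_RE.search(m["reason"])
            if rbl:
                summary["by_rbl"][rbl["rbl"]] += 1
            elif m["host"] != "unknown":
                # resolvable client, refused by a helo/sender/recipient test:
                # the usual place a legitimate but misconfigured sender lands
                summary["review"].append((m["ip"], m["sender"], m["rcpt"], m["reason"]))
        elif WARNING_RE.search(line):
            summary["warnings"] += 1
    return summary


def report(summary):
    """Format the summary as plain text for the terminal or a cron mail."""
    out = [f"rejections: {summary['rejects']}   warnings: {summary['warnings']}",
           "by reply code: " + ", ".join(f"{c}={n}" for c, n in sorted(summary["by_code"].items())),
           "by RBL: " + ", ".join(f"{r}={n}" for r, n in summary["by_rbl"].most_common()),
           "top clients: " + ", ".join(f"{ip}={n}" for ip, n in summary["by_client"].most_common(5))]
    if summary["review"]:
        out.append("review for false positives:")
        out.extend(f"  {ip} from=<{snd}> to=<{rcpt}>: {why}" for ip, snd, rcpt, why in summary["review"])
    return "\n".join(out)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(report(summarize(fh)))
    else:
        print(report(summarize(SAMPLE_LOG.splitlines())))
```

A 4xx code in the "by reply code" line is a temporary rejection that the remote side will retry, so it costs you nothing yet; the 5xx counts are the mail you have actually lost, and a 5xx entry in the review list is the first thing to chase when a correspondent says their message never arrived.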
Search for the phrase “SHOW SOFTWARE VERSION OR NOT” and set the smtpd_banner variable appropriately. I like this format:
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) [NO UCE]
At this point, you can save the file. There is a lot more you can configure—virtual hosts, body filters, content filters, external processing applications—but that’s for another time and article. Always remember that after every change to main.cf, you need to tell Postfix to reload itself:
sudo postfix reload
Last but not least, you need to change the default permissions on /var/mail if you are not using AMS:
sudo chmod 1777 /var/mail
There you have it—go forth and serve e-mail!