Using the New Anti-Relay Features in Mac OS X Server 10.1.3

—Joel Rennich

—Sean Murphy

Updated 16 August 2002

With the release of the Mac OS X Server 10.1.3 update, you can now cease being an open relay and use SMTP Authentication if you use Apple Mail Service. Apple has put out four Tech Info articles on this subject. The first two deal with Restricted SMTP Relay.

Mac OS X Server: Restricted SMTP Relay Helps Prevent Unsolicited Email
Mac OS X Server: How to Set up Restricted SMTP Relay for Apple Mail Server

The second two deal with SMTP Authentication.

Mac OS X Server: About SMTP Authentication for Apple Mail Server
Mac OS X Server: How to Set up SMTP Authentication

The configuration of the new features is done through NetInfo, not through Server Admin, and the Tech Info articles include Terminal commands for advanced Administrators.

Restricted SMTP

There are two parts to setting up Restricted SMTP. The first is the open_relay_addr_flag attribute, which is set to 0 by default. Setting it to 1 enables relay protection, as long as you also define who is allowed to relay in the second part, the open_relay_addr_list attribute. The open_relay_addr_list values can be host names, domains, IP addresses or IP address ranges from which relaying may be allowed; a list of example values is included in the Tech Info article.

Note: If the open_relay_addr_list value list is left blank during setup, the mail server starts up with the open_relay_addr_flag attribute at its default of 0, and the open_relay_addr_list attribute will contain the IP address of the local server.

SMTP Authentication

There is only one option for SMTP Authentication and this involves setting the smtp_plain_login_flag to 1. Using this option turns your mail server into a “send only” server. No one will be able to relay without authenticating first and no local delivery will occur without authenticating first. The authentication is the same username and password that the user uses for POP or IMAP access. The username and password get transmitted in clear text, much like the POP or IMAP password does.

Configuration Options for Restricted SMTP and SMTP Authentication

Restricted SMTP ON, SMTP Authentication OFF

This is the standard configuration for protecting your mail server from being an open relay. Your local users will be able to send and receive e-mail but spammers will not be able to relay their e-mail through your server.

Restricted SMTP ON, SMTP Authentication ON

This configuration protects your server from being an open relay and also makes your mail server “send only.” Your local users on the pre-approved list can relay without authentication and all others can relay with authentication. Your local users will only receive mail from other local e-mail clients or from SMTP servers that are set up to authenticate to your server. Make sure this is what you want your mail server to do before turning on the SMTP Authentication option.

Restricted SMTP OFF, SMTP Authentication ON

This configuration protects your server from being an open relay by making all local delivery or relay traffic authenticate first before being accepted but also makes your mail server “send only.” Your local users will be able to send mail after authenticating but will only receive mail from other local e-mail clients or from SMTP servers that are set up to authenticate to your server. Make sure this is what you want your mail server to be before turning on the SMTP Authentication option.
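The three configurations above, modelled as an accept/reject decision for one message; this is an added example, not Apple's code and not part of the original article. The CIDR syntax for ranges, the sample addresses and host names, and the choice to require a login for local delivery even from listed clients when both features are on are assumptions (the article says only that no local delivery occurs without authenticating).

```python
import ipaddress

def client_is_listed(client_ip, client_host, relay_list):
    """Match a client against open_relay_addr_list-style entries.
    Assumption: ranges use CIDR form; any other entry is a host name
    or a domain, and a domain also matches its subdomains."""
    ip = ipaddress.ip_address(client_ip)
    host = client_host.lower().rstrip(".")
    for entry in relay_list:
        try:
            if ip in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:  # not an address or range, so compare names
            name = entry.lower().strip(".")
            if name and (host == name or host.endswith("." + name)):
                return True
    return False

def accepts(cfg, client_ip, client_host, authenticated, rcpt_is_local):
    """True if the modelled server accepts mail for this recipient."""
    restricted = cfg.get("open_relay_addr_flag", 0) == 1
    auth_on = cfg.get("smtp_plain_login_flag", 0) == 1
    if rcpt_is_local:
        # Assumption: with SMTP Authentication on, local delivery always
        # needs a login; this is the "send only" effect on outside MTAs.
        return authenticated or not auth_on
    if auth_on and authenticated:
        return True  # authenticated users may relay
    if restricted:
        return client_is_listed(client_ip, client_host,
                                cfg.get("open_relay_addr_list", []))
    return not auth_on  # both off: open relay; auth only: login required

# Constructed sample settings for the three configurations described above.
RELAY_LIST = ["192.168.1.0/24", "example.com"]
CONFIGS = {
    "restricted_only": {"open_relay_addr_flag": 1, "smtp_plain_login_flag": 0,
                        "open_relay_addr_list": RELAY_LIST},
    "both": {"open_relay_addr_flag": 1, "smtp_plain_login_flag": 1,
             "open_relay_addr_list": RELAY_LIST},
    "auth_only": {"open_relay_addr_flag": 0, "smtp_plain_login_flag": 1,
                  "open_relay_addr_list": RELAY_LIST},
}

if __name__ == "__main__":
    outsider = ("203.0.113.9", "mx.outside.invalid", False)  # unauthenticated MTA
    for name, cfg in CONFIGS.items():
        print(name, "relay:", accepts(cfg, *outsider, rcpt_is_local=False),
              "inbound:", accepts(cfg, *outsider, rcpt_is_local=True))
```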