Articles June 13, 2005 at 8:06 am

Best practices: Mail

Everything you should need to know about the initial setup of Mail.
Mail in Tiger Server

Mail Overview

Mail depends on DNS. No DNS; No Mail. For email to work smoothly, MX records are required. A MX record in a DNS server tells other mail servers which server handles email for the domain. If you send an email to [email protected], your mailserver will do a DNS lookup to the authoritative nameserver for and look at the MX record to determine which server it contacts in order to send the mail.

Most mailers will be able to send mail to a destination without an MX record, but they will still try to look up the MX record before moving on to look at A records. This slows everything down and puts an extra load on your name servers.

So, the first thing you’re going to need to do is make sure that there is an MX record pointing to the fully qualified domain name of your mail server on the authoritative nameserver(s) for your domain (usually hosted at your ISP or domain registrar). MX records all have a priority assigned to them. This allows you to have multiple mail servers acting as backup to one another. Mail delivery is attempted to the highest priority mailserver (indicated by the lowest number) available. A server with a priority of 1 will be contacted before one with a priority of 10 and so on.

Note: When running your mailserver behind a firewall (you are, aren’t you?), remember to punch a hole on port 25 to allow SMTP traffic through.

Time to test things! In the terminal:

<code>dig yourdomainname mx</code>

This should return something like:

dig mx

; &lt;&lt;&gt;&gt; DiG 9.2.2 &lt;&lt;&gt;&gt; mx
;; global options:  printcmd
;; Got answer:
;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 37974
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 6, ADDITIONAL: 4

;                     IN      MX

;; ANSWER SECTION:              86400   IN      MX      10              86400   IN      MX      30

;; AUTHORITY SECTION:              432000  IN      NS              432000  IN      NS

;; ADDITIONAL SECTION:     86400   IN      A  86400   IN      A

;; Query time: 172 msec
;; WHEN: Wed May 11 18:20:38 2005
;; MSG SIZE  rcvd: 339

You should see your mailserver name in the answer section, and your external IP address in the Additional section.

We could also test connections here by telnetting to the mail server on port 25. Start the mail service and type the following into Terminal

telnet mailservername 25

Ideally, this should be done from outside of your LAN to check name resolution and your firewall settings. Make sure you turn off the mail service once that’s done.

Setting up your users.
In Workgroup manager, click on the Mail tab for your users and enable mail on IMAP/POP as appropriate.

With the underlying bits done, it’s time to configure the Mail server, click on the settings tab at the bottom. Let’s go through the tabs one at a time.


Decide whether you want to enable POP, IMAP or both. POP mail is generally downloaded by the client and resides on their machine. IMAP mail is generally kept on the server. Having said that, mail clients can be configured to leave POP messages on the server and to keep a local copy of all IMAP mail, so there’s a degree of flexibility there. I like to go with IMAP because your users can get their mail from anywhere (VPN or webmail permitting), on any machine. It also makes backup easy.

Check off the boxes for SMTP and incoming mail. Type in the domain and host name of your server. We’re not going to touch multiple server configurations here, but the option to have all mail pass through another server either for security, message scanning, or selective routing is there if you want it.

It’s a good idea to have undeliverable mail routed to the mail administrator so you know when there has been a mis-typed email address or a message that can’t be delivered.

For those of you that enjoyed reading 1984 you can have all messages copied to another mailbox too.

Open relays are the scourge of the Internet and a haven for unsolicited commercial emailers (you might know these people as spammers). By default Tiger server is pretty secure in this regard. If you need other mail servers to relay through yours without authenticating you can specify them here using either (1) IP address, (2) network address (CIDR notation) eg., (3) Fully qualified domain name (4) Internet domain name eg.

With SpamAssassin now built-in, the need to block senders is greatly reduced, but you decide that you don’t want to accept any messages from a particular network, or domain name you can set that here using the same options as above for naming.

We can also use some Real-time blacklists (RBL) to block incoming mail. RBL’s are maintained by external groups and they sometime block legitimate senders, so be aware that using this option may result in you not getting the occasional valid message. ( Ed. Note: At, we really like the RBL.)

This is the cool new bit in Tiger server. First, SpamAssassin (SA):
Check the box to enable scanning. SA works on a scoring system. Incoming mail is rated according to a complex matrix of keywords, addressing, DNS lookups and formatting. Each component has a score and the email receives a total value. This value is compared the score you set on this screen. If it is lower, the mail gets delivered. If it is higher, the mail gets marked as spam and action is taken. As a rough guide, anything above 20 will guarantee only real spam gets actioned on, but you’ll likely have a lot of spam get through untagged. A value below 5 most likely catch every bit of spam, but it will also tag a lot of genuine messages.

The action taken is set in the drop-down for ‘Junk mail messages should be:’ Here we have 4 choices:
1. Bounce – the message is bounced back to the sender with an explanation of why. You can also have a notification sent so you know when it’s happening.
2. Delete – the message gets deleted, pure and simple. Again, you can get a notification so you know when it’s happening.
3. Deliver – the message gets delivered as normal, but a subject tag of your choice can be appended to the message. You can also put the offending message in as an attachment.
4. Redirect – the mail is sent to an alternative mailbox. This allows you to monitor messages, and hone your scoring setup without losing mail or having messages bounce back.

SA can learn from messages too. First the manual way…select a mailbox of over 200 messages, all spam and type:

sa-learn --showdots --spam &lt;junk mail directory&gt;/* 

You can also select a mailbox of over 200 messages, all good, and type:

sa-learn --showdots --ham &lt;junk mail directory&gt;/* 

To automate this process, you can set up 2 local accounts, junkmail and notjunkmail and get your users to REDIRECT untagged junk to junkmail and tagged good messages to notjunkmail. SA will learn from these every day at 1am. Make sure you delete these messages the following day.

Anti-virus (using ClamAV) is configured in a straightforward manner. Infected messages can be:
1. Bounced – the message is returned to the sender. Notifications can be sent to an administrator and the intended recipients can be informed that this action has been taken.
2. Deleted – the message is deleted. Notifications can be sent to an administrator and the intended recipients can be informed that this action has been taken.
3. Quarantined – the message is put in a new mailbox. No notification is sent and the recipients are not informed.
Someone will need to monitor this mailbox and take appropriate actions.

The AV database can be set to update any number of times a day. With a long history of dealing with Windows, I have mine updating 5 times a day. (Ed Note: The ClamAV guys are now recommending hourly updates!) Needless to say the AV engine detects all viruses and not just Mac ones, so all your clients, even Windows users, can benefit. I remember when virus updates used to be once a month! For the truly paranoid you have it go off and look for updates even more frequently.

To help maintain an efficient and manageable mail server you may want to set a restriction on the size of incoming messages. It’s worth bearing in mind that when you send an attachment, the encoding adds to the file size anything between 20 and 30%. So if you set a limit of 10MB, the effective limit is really around 7MB.

The rest of settings here are very obvious and allow you to control the size of users mailboxes and how they are told about these restrictions.

Mailing Lists are a subject for another article

Log files can be set to record only critical errors all the way up to debug level where most everything is written to the log files which is very useful when troubleshooting problems with your setup.


Here you can set the authentication mechanisms that are allowed for each service. The options range from the most secure (Kerberos) down to the ‘you may just as well not have bothered’ (Clear). With the built-in Certificate Authority in Tiger, you already have a certificate sat waiting for you, and creating a new one takes seconds, so opting to use SSL to encrypt all mail traffic is a breeze if you’re worried about security. (‘Use’ lets your email clients use SSL if they are able to, but doesn’t manadate it. ‘Require’ mandates an SSL connection so make sure your mail application can do this before you set it (most can).)

Local host aliases allows you to set your mail server up so that it can receive mail for multiple domains and route messages to the same mailbox. If you have multiple domains registered, but want your users to get mail regardless of which domain the email was addressed to you should add them in here. This means a message for [email protected] and [email protected] will both be delivered to bob’s mailbox

Virtual hosting is essentially the opposite of local host aliases. This lets you set up your server to host multiple domains that resolve to the same IP address and ensure that mail to [email protected] goes to bob, while mail to [email protected] goes to fred. For this to work, you’ll need to set up aliases for fred. You do this by adding [email protected] to fred’s short name list in WGM. You can also do it by adding [email protected]: fred in /etc/aliases (don’t forget to run postalias /etc/aliases, newaliases, and postfix reload after making these changes).

From here you can update the location of the Database and MailStore (if you need to move them onto a bigger or faster volume, for example) – make sure you stop the mail service before moving anything!
You can also split the store by adding extra partitions and assigning users to those partitions in the mail tab in WGM. This allows you to scale out your mail store very easily.


This allows you to see your accounts and get a quick overview of which store they’re using, and their quota information. There’s also a handy ‘Reconstuct’ button if a single user’s mailbox gets corrupted. Fortunately I’ve not had to use this yet, but it can be done while the mail server is online.

Quick overview of the location and size of the Database and the mail store(s). There’s also a repair button here that I’ve haven’t needed to use. This is for use if users aren’t getting messages, or there is a system wide problem. This can be done while the server is online, but it’s recommended to block incoming mail while you’re doing it (common sense really – you’ve got a problem with the database, you don’t want to be processing messages while you’re repairing it). There’s a command line methods to reconstruct the database using the reconstruct command. See Apple KB# 107996 for more details.

Mail Queue
This is really handy feature. From here you can see what’s happening to individual messages in the queue. It’s possible to force a retry or to delete the message from the queue altogether. Very useful for troubleshooting, or for just being nosey

Allows users from 10.1 or 10.2 to migrate their mail stores over to Tiger. I’ve not tested this feature. (Ed Note: This provides a GUI for the amsmailtool command.)


Log files
The mail service has more log files than you can shake a stick at, and with the handy little reminder of where each log file resides you’ll have no trouble keeping on top of what’s going on.

Really Finally…

If you want your users to be able to access their mail while not connected to the LAN (either directly or via VPN), you have 2 choices: (1) Open up the ports to let POP or IMAP traffic in – not advised as every time they read an email the contents will be traveling over the internet unencrypted. (2) Enable WebMail. Tiger Server comes with SquirrelMail (SM) built-in. Turning it on is as easy a checking the box in the Options tab of the default site in the Web section of Server Admin. It’s worth noting that by default your traffic is still going to be unencrypted until you go to the Security tab and enable SSL for the site. This will automagically update the port to 443 so you may want to set up a separate site if you have something already running on the default site using plain http on port 80.

Webmail is accessed at the following URL:

Depending on the authentication mechanisms you allowed earlier you may need to change the config for SM to let you log in. This is done from the command line:

sudo /private/etc/squirrelmail/config/

Fortunately it’s all menu driven from here on, so don’t worry if you don’t like all this Terminal stuff. Also, nothing is saved till you hit S, so don’t worry if you mess up – Q will save you.
Press 2 for Server Settings
Press 6 for Authentication type
Press y to let it try to auto-detect supported mechanisms
Tell it which type you’re using
While you’re here, you might need to Press 1 and enter your domain (
When you’re done, press S to save, ENTER to continue and Q to quit.

You should now be able to log in to WebMail and send and receive from anywhere – again make sure port 443 is being let through the firewall to your server.

No Comments

  • “…make sure that there is an MX record pointing to the external IP
    address of your mailserver…”

    Just nitpicking a bit. MX records should never contain an IP address.
    RFC 973 states that
    “The format of the MX RR is a 16 bit preference value followed by a domain
    . So, perhaps “make sure that there is an MX record pointing to the
    fully qualified domain name of your mail server…”

  • You can use the OD auth just fine, but if you have turned of clear
    passwords for IMAP, and you should, you will need to tell SM about it so
    that it can connect.

    Just set your server to allow nothing less than MD5 and then let do
    it’s thing.

    Breaking my server to save yours.

    Josh Wisenbaker

  • Either that or setup your mail client with an account for that mailbox and do it
    through that.

    • Never touch Cyrus folders, this is my first recomendation when I train

      Then, to empty our junkmail folder, I transformed a perl script I found on

      It connects through POP3 and deletes all mails on the server. I joined a
      shell script (you’ll have to modify according to your settings) that you can
      put in the crontab, I setup mine à 7am everyday.

      You can find it here :

      Feel free to improve it or comment it.

      Laurent Pertois

  • You don’t *need* internal DNS to run a mail server. The port forwarding on your
    NAT router will direct incoming traffic (mail) to the appropriate server for
    delivery. Your internal clients can have their mail clients setup with the IP
    address of your mail server instead of its name.

    This isn’t to say this is recommended. OS X server runs a whole lot better with
    functioning DNS. Open Directory won’t work properly without it, and your clients
    will behave much better with DNS properly configured.

    • Do not use .local in your local domain name as this gets confused with
      rendezvous names…

      • Not really with 10.4 anymore. With 10.4 you just add your .local domain as the
        first one in your search domains and you are done.

        With 10.3 you need to edit the resolver.conf file, but it’s still not too bad.

        The article you linked shows both methods.

        FWIW, I tend to use my regular domain name in my internal networks, that way
        I don’t have confusing configs for the users. Joel recommends this as well in our
        Best Practices: DNS article.

        Breaking my server to save yours.

        Josh Wisenbaker

        • Thanks, Josh. I had not noticed they updated the article to include the 10.4

          Still seems a bit of a ‘workaround’ in that Rendezvous is tried first before the
          unicast DNS call. It probably would not be such an issue except for the use of
          .local in Windows server networks (not that I have much experience of this).

          By the way – thanks for a great site!

  • If I want to create backup mail servers is it as simple as:
    assuming mServer1 and mServer2 are setup with different MX priorities, and is setup in the DNS on mServer1&2

    mServer1 with Open Directory Master
    mServer2 with Open Directory Replica
    mServer1 allow relay from mServer2

    Sooo if mServer1 goes down, mServer2 acts like mServer1? Can you do https://SquirrelMail and all email services?

    Or can we use xgrid!!!??????? 😉 sorry

    • xgrid won’t help you; right now, I use my DNS registrar’s mail servers as
      backups. If my server dies, all my mail is queued on their servers until I’m back
      up and running. With failover working (see Andrina’s article), that’s only a matter
      of seconds. It’s not real mail clustering but it certainly keeps it available.

  • My level is set at 3 and I get maybe 3 or 4 genuine mails incorrectly tagged as
    spam per week. It’s pretty low, I know, but on the upside, virtually no spam ever
    gets through.

  • I’m wondering if it is possible with the setup that Apple led to us to manage
    multiple domain, statistics, quotas, rights and so on with Tiger server? I’m
    actually looking over SurgeMail from
    and i’d like to use Tiger Server.

    Does anyone have ideas where 2 look. Howtos, comments, third party app in
    php or xml….


Leave a reply

You must be logged in to post a comment.