Everything you should need to know about the initial setup of Mail.
Mail in Tiger Server
Mail depends on DNS. No DNS; no Mail. For email to work smoothly, MX records are required. An MX record in a DNS server tells other mail servers which server handles email for the domain. If you send an email to [email protected], your mailserver will do a DNS lookup to the authoritative nameserver for afp548.com and look at the MX record to determine which server it contacts in order to send the mail.
Most mailers will be able to send mail to a destination without an MX record, but they will still try to look up the MX record before moving on to look at A records. This slows everything down and puts an extra load on your name servers.
So, the first thing you’re going to need to do is make sure that there is an MX record pointing to the fully qualified domain name of your mail server on the authoritative nameserver(s) for your domain (usually hosted at your ISP or domain registrar). MX records all have a priority assigned to them. This allows you to have multiple mail servers acting as backup to one another. Mail delivery is attempted to the highest priority mailserver (indicated by the lowest number) available. A server with a priority of 1 will be contacted before one with a priority of 10 and so on.
Note: When running your mailserver behind a firewall (you are, aren’t you?), remember to punch a hole on port 25 to allow SMTP traffic through.
Time to test things! In the terminal:
<code>dig yourdomainname mx</code>
This should return something like:
<code>dig apple.com mx

; <<>> DiG 9.2.2 <<>> apple.com mx
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37974
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 6, ADDITIONAL: 4

;; QUESTION SECTION:
;apple.com.                     IN      MX

;; ANSWER SECTION:
apple.com.              86400   IN      MX      10 mail-in3.apple.com.
apple.com.              86400   IN      MX      30 eg-mail-in1.apple.com.

;; AUTHORITY SECTION:
apple.com.              432000  IN      NS      nserver.apple.com.
apple.com.              432000  IN      NS      nserver2.apple.com.

;; ADDITIONAL SECTION:
mail-in3.apple.com.     86400   IN      A       184.108.40.206
eg-mail-in1.apple.com.  86400   IN      A       220.127.116.11

;; Query time: 172 msec
;; SERVER: 192.168.1.7#53(192.168.1.7)
;; WHEN: Wed May 11 18:20:38 2005
;; MSG SIZE rcvd: 339
</code>
You should see your mailserver name in the answer section, and your external IP address in the Additional section.
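To make that dig check repeatable, here is an added Python script (not part of the original article) that parses the ANSWER and ADDITIONAL sections of dig output, orders the MX hosts by preference, and reports whether a given server name is the preferred MX and resolves to the expected external address. The sample dig output, the example.com host names and the 203.0.113.x addresses are constructed for the example.

```python
import re

# Constructed sample modelled on the output of `dig example.com mx` (not live
# data): two MX records in the ANSWER section and their A records in the
# ADDITIONAL section, so the checks below run offline.
SAMPLE_DIG_OUTPUT = """\
;; QUESTION SECTION:
;example.com.                   IN      MX

;; ANSWER SECTION:
example.com.            86400   IN      MX      30 backup-mx.example.com.
example.com.            86400   IN      MX      10 mail.example.com.

;; AUTHORITY SECTION:
example.com.            432000  IN      NS      ns1.example.com.

;; ADDITIONAL SECTION:
mail.example.com.       86400   IN      A       203.0.113.25
backup-mx.example.com.  86400   IN      A       203.0.113.26
"""

# One resource record per line: owner TTL IN TYPE rdata
RR_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+?)\s*$"
)


def parse_sections(dig_output):
    """Map a section name ('ANSWER', 'ADDITIONAL', ...) to its (owner, type, rdata) tuples."""
    sections, current = {}, None
    for line in dig_output.splitlines():
        if line.startswith(";; ") and line.endswith(" SECTION:"):
            current = line[3:-len(" SECTION:")]
            sections[current] = []
            continue
        # Skip blank lines, the ';'-prefixed question line and text before any section.
        if current is None or not line.strip() or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            sections[current].append(
                (m.group("owner").rstrip("."), m.group("type"), m.group("rdata"))
            )
    return sections


def mx_records(dig_output):
    """[(preference, host), ...] from the ANSWER section, lowest preference first."""
    recs = []
    for owner, rtype, rdata in parse_sections(dig_output).get("ANSWER", []):
        if rtype == "MX":
            pref, host = rdata.split()
            recs.append((int(pref), host.rstrip(".")))
    return sorted(recs)


def glue_addresses(dig_output):
    """{host: ip} for the A records dig returned in the ADDITIONAL section."""
    return {
        owner: rdata
        for owner, rtype, rdata in parse_sections(dig_output).get("ADDITIONAL", [])
        if rtype == "A"
    }


def check_mx_setup(dig_output, server_fqdn, external_ip):
    """Return a list of problems; an empty list means the MX setup looks right."""
    problems = []
    mx = mx_records(dig_output)
    hosts = [host for _, host in mx]
    if not mx:
        problems.append("no MX records in ANSWER section")
    elif server_fqdn not in hosts:
        problems.append(f"{server_fqdn} is not listed as an MX host: {hosts}")
    elif hosts[0] != server_fqdn:
        problems.append(
            f"{server_fqdn} is not the preferred (lowest-number) MX; {hosts[0]} is"
        )
    ip = glue_addresses(dig_output).get(server_fqdn)
    if ip is None:
        problems.append(f"no A record for {server_fqdn} in ADDITIONAL section")
    elif ip != external_ip:
        problems.append(
            f"{server_fqdn} resolves to {ip}, expected external address {external_ip}"
        )
    return problems


if __name__ == "__main__":
    print(mx_records(SAMPLE_DIG_OUTPUT))
    print(check_mx_setup(SAMPLE_DIG_OUTPUT, "mail.example.com", "203.0.113.25"))
```

Pipe real output in with `dig yourdomain mx` if you want to run it against your own zone; if the ADDITIONAL section is empty, the A record check will complain, which is itself a hint that the nameserver is not returning glue for your MX host.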
We could also test connections here by telnetting to the mail server on port 25. Start the mail service and type the following into Terminal:
<code> telnet mailservername 25 </code>
Ideally, this should be done from outside of your LAN to check name resolution and your firewall settings. Make sure you turn off the mail service once that’s done.
Setting up your users.
In Workgroup manager, click on the Mail tab for your users and enable mail on IMAP/POP as appropriate.
With the underlying bits done, it’s time to configure the Mail server, click on the settings tab at the bottom. Let’s go through the tabs one at a time.
Decide whether you want to enable POP, IMAP or both. POP mail is generally downloaded by the client and resides on their machine. IMAP mail is generally kept on the server. Having said that, mail clients can be configured to leave POP messages on the server and to keep a local copy of all IMAP mail, so there’s a degree of flexibility there. I like to go with IMAP because your users can get their mail from anywhere (VPN or webmail permitting), on any machine. It also makes backup easy.
Check off the boxes for SMTP and incoming mail. Type in the domain and host name of your server. We’re not going to touch multiple server configurations here, but the option to have all mail pass through another server either for security, message scanning, or selective routing is there if you want it.
It’s a good idea to have undeliverable mail routed to the mail administrator so you know when there has been a mis-typed email address or a message that can’t be delivered.
For those of you that enjoyed reading 1984 you can have all messages copied to another mailbox too.
Open relays are the scourge of the Internet and a haven for unsolicited commercial emailers (you might know these people as spammers). By default Tiger server is pretty secure in this regard. If you need other mail servers to relay through yours without authenticating you can specify them here using either (1) IP address, (2) network address (CIDR notation) eg. 192.168.1.0/16, (3) Fully qualified domain name (4) Internet domain name eg. example.com
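As an added illustration (not from the original article) of how the IP-address and CIDR forms of the relay list are matched, the Python below checks a client address against an allow list and audits the list for entries that are broader than intended. Note that the sample entry 192.168.1.0/16 above has host bits set: strictly it is not a valid network, and a parser that silently widens it would permit relaying from all of 192.168.0.0/16 rather than the single /24 the address suggests. The FQDN and domain-name forms are not handled here; the allow list and client addresses are constructed.

```python
import ipaddress


def is_valid_entry(entry):
    """True if the entry is an IP address or a CIDR network with no host bits set."""
    try:
        ipaddress.ip_network(entry, strict=True)
        return True
    except ValueError:
        return False


def parse_relay_entry(entry):
    """Turn one allow-list entry (single IP or CIDR network) into an ip_network.

    strict=True rejects entries such as 192.168.1.0/16 whose host bits are set.
    Failing loudly is safer than silently treating them as 192.168.0.0/16.
    """
    return ipaddress.ip_network(entry, strict=True)


def may_relay_unauthenticated(client_ip, allow_list):
    """Would this client be allowed to relay without authenticating?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in parse_relay_entry(entry) for entry in allow_list)


def audit_allow_list(allow_list):
    """Return [(entry, problem)] for entries that are invalid or open the relay to everyone."""
    findings = []
    for entry in allow_list:
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            try:
                widened = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                findings.append((entry, "not an IP address or CIDR network"))
            else:
                findings.append(
                    (entry, f"host bits set; a lenient parser would widen it to {widened}")
                )
            continue
        if net.prefixlen == 0:
            findings.append((entry, "matches every address: this is an open relay"))
    return findings


if __name__ == "__main__":
    # Constructed allow list: one mistyped prefix, one catch-all, one sane LAN entry.
    sample = ["192.168.1.0/16", "0.0.0.0/0", "192.168.1.0/24"]
    for entry, problem in audit_allow_list(sample):
        print(f"{entry}: {problem}")
    print(may_relay_unauthenticated("192.168.1.42", ["192.168.1.0/24"]))
```

Run the audit over the entries you intend to type into Server Admin before you save them; the widened-network message tells you exactly what range a forgiving parser would actually accept.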
With SpamAssassin now built-in, the need to block senders is greatly reduced, but if you decide that you don’t want to accept any messages from a particular network or domain name you can set that here, using the same naming options as above.
We can also use some Real-time blacklists (RBL) to block incoming mail. RBL’s are maintained by external groups and they sometime block legitimate senders, so be aware that using this option may result in you not getting the occasional valid message. ( Ed. Note: At AFP548.com, we really like the sbl-xbl.spamhaus.org RBL.)
This is the cool new bit in Tiger server. First, SpamAssassin (SA):
Check the box to enable scanning. SA works on a scoring system. Incoming mail is rated according to a complex matrix of keywords, addressing, DNS lookups and formatting. Each component has a score and the email receives a total value. This value is compared to the score you set on this screen. If it is lower, the mail gets delivered. If it is higher, the mail gets marked as spam and action is taken. As a rough guide, anything above 20 will guarantee that only real spam gets actioned on, but you’ll likely have a lot of spam get through untagged. A value below 5 will most likely catch every bit of spam, but it will also tag a lot of genuine messages.
The action taken is set in the drop-down for ‘Junk mail messages should be:’ Here we have 4 choices:
1. Bounce – the message is bounced back to the sender with an explanation of why. You can also have a notification sent so you know when it’s happening.
2. Delete – the message gets deleted, pure and simple. Again, you can get a notification so you know when it’s happening.
3. Deliver – the message gets delivered as normal, but a subject tag of your choice can be appended to the message. You can also put the offending message in as an attachment.
4. Redirect – the mail is sent to an alternative mailbox. This allows you to monitor messages, and hone your scoring setup without losing mail or having messages bounce back.
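To see the threshold trade-off described above in numbers, here is an added Python example (not from the article, and not SpamAssassin's own code) that applies a required score to a constructed set of labelled message scores, counts good mail that would be tagged and spam that would slip through at each candidate threshold, and applies the chosen junk-mail action to a message. SpamAssassin's own rule treats a score equal to or above the required value as spam, which is what is_junk does; the scores, labels and subject lines are invented.

```python
# Constructed sample: (score SpamAssassin assigned, whether the message really
# was spam). These numbers are invented for illustration, not from a real run.
SAMPLE_SCORES = [
    (0.3, False), (1.1, False), (2.8, False), (4.6, False), (6.2, False),   # good mail
    (3.9, True), (5.4, True), (8.7, True), (12.5, True), (23.1, True),      # spam
]

# The four choices offered for 'Junk mail messages should be:'
ACTIONS = ("bounce", "delete", "deliver", "redirect")


def is_junk(score, required):
    """SpamAssassin marks a message as spam when score >= required_score."""
    return score >= required


def evaluate_threshold(samples, required):
    """Count how a given required score would behave on labelled samples."""
    false_positives = sum(1 for s, spam in samples if not spam and is_junk(s, required))
    false_negatives = sum(1 for s, spam in samples if spam and not is_junk(s, required))
    return {"required": required,
            "good_mail_tagged": false_positives,
            "spam_untagged": false_negatives}


def threshold_table(samples, candidates=(5, 10, 15, 20)):
    """One row per candidate threshold, for honing the setting without losing mail."""
    return [evaluate_threshold(samples, req) for req in candidates]


def safest_threshold(samples, candidates=(5, 10, 15, 20)):
    """Lowest candidate that tags no good mail in the sample, or None if none does."""
    for req in candidates:
        if evaluate_threshold(samples, req)["good_mail_tagged"] == 0:
            return req
    return None


def route_message(score, required, action, subject, tag="***JUNK***"):
    """Decide what happens to one message under the configured junk-mail action.

    Returns (disposition, subject). Anything below the threshold is delivered
    untouched; 'deliver' prepends the subject tag, 'redirect' sends the message
    to the alternative mailbox, 'bounce' and 'delete' do what they say.
    """
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}; expected one of {ACTIONS}")
    if not is_junk(score, required):
        return ("deliver", subject)
    if action == "deliver":
        return ("deliver", f"{tag} {subject}")
    return (action, subject)


if __name__ == "__main__":
    for row in threshold_table(SAMPLE_SCORES):
        print(row)
    print("safest threshold for this sample:", safest_threshold(SAMPLE_SCORES))
    print(route_message(12.5, 5, "deliver", "hello"))
```

With the redirect action in place you can collect real scores from the alternative mailbox, feed them to threshold_table in place of the constructed sample, and pick the lowest required score that tags none of your genuine mail.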
SA can learn from messages too. First the manual way…select a mailbox of over 200 messages, all spam and type:
<code> sa-learn --showdots --spam <junk mail directory>/* </code>
You can also select a mailbox of over 200 messages, all good, and type:
<code> sa-learn --showdots --ham <good mail directory>/* </code>
To automate this process, you can set up 2 local accounts, junkmail and notjunkmail and get your users to REDIRECT untagged junk to junkmail and tagged good messages to notjunkmail. SA will learn from these every day at 1am. Make sure you delete these messages the following day.
Anti-virus (using ClamAV) is configured in a straightforward manner. Infected messages can be:
1. Bounced – the message is returned to the sender. Notifications can be sent to an administrator and the intended recipients can be informed that this action has been taken.
2. Deleted – the message is deleted. Notifications can be sent to an administrator and the intended recipients can be informed that this action has been taken.
3. Quarantined – the message is put in a new mailbox. No notification is sent and the recipients are not informed.
Someone will need to monitor this mailbox and take appropriate actions.
The AV database can be set to update any number of times a day. With a long history of dealing with Windows, I have mine updating 5 times a day. (Ed Note: The ClamAV guys are now recommending hourly updates!) Needless to say the AV engine detects all viruses and not just Mac ones, so all your clients, even Windows users, can benefit. I remember when virus updates used to be once a month! For the truly paranoid, you can have it go off and look for updates even more frequently.
To help maintain an efficient and manageable mail server you may want to set a restriction on the size of incoming messages. It’s worth bearing in mind that when you send an attachment, the encoding adds to the file size anything between 20 and 30%. So if you set a limit of 10MB, the effective limit is really around 7MB.
The rest of the settings here are very obvious and allow you to control the size of users’ mailboxes and how they are told about these restrictions.
Mailing Lists are a subject for another article.
Log files can be set to record anything from only critical errors all the way up to debug level, where almost everything is written to the log files. Debug level is very useful when troubleshooting problems with your setup.
Here you can set the authentication mechanisms that are allowed for each service. The options range from the most secure (Kerberos) down to the ‘you may just as well not have bothered’ (Clear). With the built-in Certificate Authority in Tiger, you already have a certificate sitting waiting for you, and creating a new one takes seconds, so opting to use SSL to encrypt all mail traffic is a breeze if you’re worried about security. (‘Use’ lets your email clients use SSL if they are able to, but doesn’t mandate it. ‘Require’ mandates an SSL connection, so make sure your mail application can do this before you set it (most can).)
Local host aliases allow you to set your mail server up so that it can receive mail for multiple domains and route messages to the same mailbox. If you have multiple domains registered, but want your users to get mail regardless of which domain the email was addressed to, you should add them in here. This means a message for [email protected] and [email protected] will both be delivered to bob’s mailbox.
Virtual hosting is essentially the opposite of local host aliases. This lets you set up your server to host multiple domains that resolve to the same IP address and ensure that mail to [email protected] goes to bob, while mail to [email protected] goes to fred. For this to work, you’ll need to set up aliases for fred. You do this by adding [email protected] to fred’s short name list in WGM. You can also do it by adding [email protected]: fred in /etc/aliases (don’t forget to run postalias /etc/aliases, newaliases, and postfix reload after making these changes).
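For the /etc/aliases route, here is an added Python helper (not part of the article, and not Postfix code) that parses an aliases-style file of `name: target, target` lines, expands an address through chained aliases to its final local mailboxes, and reports alias loops, which is worth doing before you run postalias and postfix reload. The sample file, including the fred@example.net entry, is constructed for the example.

```python
# Constructed sample of an /etc/aliases-style file (not a real server's file).
# Lines after '#' are comments; 'name: target' maps a name to one or more targets.
SAMPLE_ALIASES = """\
# system aliases
postmaster: root
root: admin
admin: bob
abuse: postmaster
# virtual hosting: the example.net address lands in fred's mailbox
fred@example.net: fred
staff: bob, fred
# a mistake that would make delivery loop
loop1: loop2
loop2: loop1
"""


def parse_aliases(text):
    """Return {alias_name: [target, ...]}; names are compared case-insensitively."""
    aliases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding space
        if not line:
            continue
        name, sep, targets = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed alias line: {raw!r}")
        aliases[name.strip().lower()] = [t.strip() for t in targets.split(",") if t.strip()]
    return aliases


def resolve(address, aliases):
    """Expand an address through alias chains to the final local mailboxes.

    Returns a sorted list of recipients and raises ValueError on an alias loop,
    naming the chain so the offending entry is easy to find.
    """
    final = set()

    def walk(name, path):
        key = name.lower()
        if key in path:
            raise ValueError("alias loop: " + " -> ".join(path + [key]))
        if key not in aliases:          # not an alias: this is a real mailbox
            final.add(key)
            return
        for target in aliases[key]:
            walk(target, path + [key])

    walk(address, [])
    return sorted(final)


def find_loops(aliases):
    """Names whose expansion never terminates; fix these before running postalias."""
    looping = []
    for name in aliases:
        try:
            resolve(name, aliases)
        except ValueError:
            looping.append(name)
    return sorted(looping)


if __name__ == "__main__":
    table = parse_aliases(SAMPLE_ALIASES)
    print(resolve("fred@example.net", table))
    print(resolve("abuse", table))
    print("loops:", find_loops(table))
```

Point parse_aliases at the contents of your own /etc/aliases to check that every address you expect to be deliverable ends at a mailbox that exists in Workgroup Manager.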
From here you can update the location of the Database and MailStore (if you need to move them onto a bigger or faster volume, for example) – make sure you stop the mail service before moving anything!
You can also split the store by adding extra partitions and assigning users to those partitions in the mail tab in WGM. This allows you to scale out your mail store very easily.
This allows you to see your accounts and get a quick overview of which store they’re using, and their quota information. There’s also a handy ‘Reconstruct’ button if a single user’s mailbox gets corrupted. Fortunately I’ve not had to use this yet, but it can be done while the mail server is online.
Quick overview of the location and size of the Database and the mail store(s). There’s also a repair button here that I haven’t needed to use. This is for use if users aren’t getting messages, or there is a system-wide problem. This can be done while the server is online, but it’s recommended to block incoming mail while you’re doing it (common sense really – you’ve got a problem with the database, you don’t want to be processing messages while you’re repairing it). There’s also a command line method to reconstruct the database using the reconstruct command. See Apple KB# 107996 for more details.
This is a really handy feature. From here you can see what’s happening to individual messages in the queue. It’s possible to force a retry or to delete the message from the queue altogether. Very useful for troubleshooting, or for just being nosey.
Allows users from 10.1 or 10.2 to migrate their mail stores over to Tiger. I’ve not tested this feature. (Ed Note: This provides a GUI for the amsmailtool command.)
The mail service has more log files than you can shake a stick at, and with the handy little reminder of where each log file resides you’ll have no trouble keeping on top of what’s going on.
If you want your users to be able to access their mail while not connected to the LAN (either directly or via VPN), you have 2 choices: (1) Open up the ports to let POP or IMAP traffic in – not advised, as every time they read an email the contents will be traveling over the internet unencrypted. (2) Enable WebMail. Tiger Server comes with SquirrelMail (SM) built-in. Turning it on is as easy as checking the box in the Options tab of the default site in the Web section of Server Admin. It’s worth noting that by default your traffic is still going to be unencrypted until you go to the Security tab and enable SSL for the site. This will automagically update the port to 443, so you may want to set up a separate site if you have something already running on the default site using plain http on port 80.
Webmail is accessed at the following URL:
Depending on the authentication mechanisms you allowed earlier you may need to change the config for SM to let you log in. This is done from the command line:
<code> sudo /private/etc/squirrelmail/config/conf.pl </code>
Fortunately it’s all menu driven from here on, so don’t worry if you don’t like all this Terminal stuff. Also, nothing is saved till you hit S, so don’t worry if you mess up – Q will save you.
Press 2 for Server Settings
Press 6 for Authentication type
Press y to let it try to auto-detect supported mechanisms
Tell it which type you’re using
While you’re here, you might need to Press 1 and enter your domain (example.com)
When you’re done, press S to save, ENTER to continue and Q to quit.
You should now be able to log in to WebMail and send and receive from anywhere – again make sure port 443 is being let through the firewall to your server.