Under the copyright laws, this manual may not be
copied, in whole or in part, without the written consent
of Apple.
The Apple logo is a trademark of Apple Inc., registered
in the U.S. and other countries. Use of the “keyboard”
Apple logo (Option-Shift-K) for commercial purposes
without the prior written consent of Apple may
constitute trademark infringement and unfair
competition in violation of federal and state laws.
Every effort has been made to ensure that the
information in this manual is accurate. Apple is not
responsible for printing or clerical errors.
Apple
1 Infinite Loop
Cupertino, CA 95014-2084
408-996-1010
www.apple.com
Apple, the Apple logo, AppleScript, FireWire, Keychain,
Leopard, Mac, Mac OS, Quartz, Safari, Snow Leopard,
Xcode, Xgrid, Xsan, and Xserve are trademarks of Apple
Inc., registered in the U.S. and other countries.
Apple Remote Desktop and Finder are trademarks of
Apple Inc.
AIX is a trademark of IBM Corp., registered in the U.S.
and other countries, and is being used under license.
The Bluetooth® word mark and logos are registered
trademarks owned by Bluetooth SIG, Inc. and any use of
such marks by Apple is under license.
This product includes software developed by the
University of California, Berkeley, FreeBSD, Inc.,
The NetBSD Foundation, Inc., and their respective
contributors.
Java™ and all Java-based trademarks and logos
are trademarks or registered trademarks of Sun
Microsystems, Inc. in the U.S. and other countries.
PowerPC™ and the PowerPC logo™ are trademarks
of International Business Machines Corporation, used
under license therefrom.
UNIX® is a registered trademark of The Open Group.
Other company and product names mentioned herein
are trademarks of their respective companies. Mention
of third-party products is for informational purposes
only and constitutes neither an endorsement nor a
recommendation. Apple assumes no responsibility with
regard to the performance or use of these products.
The product described in this manual incorporates
copyright protection technology that is protected
by method claims of certain U.S. patents and other
intellectual property rights owned by Macrovision
Corporation and other rights owners. Use of this
copyright protection technology must be authorized
by Macrovision Corporation and is intended for home
and other limited viewing uses only unless otherwise
authorized by Macrovision Corporation. Reverse
engineering or disassembly is prohibited.
Apparatus Claims of U.S. Patent Nos. 4,631,603, 4,577,216,
4,819,098 and 4,907,093 licensed for limited viewing
uses only.
Simultaneously published in the United States and
Canada.
019-1412/2009-08-01
Contents
Preface: About This Guide
  What’s in This Guide
  Using Onscreen Help
  Document Road Map
  Viewing PDF Guides Onscreen
  Printing PDF Guides
  Getting Documentation Updates
  Getting Additional Information
Chapter 1: Understanding Mail Service
  Mail Service Architecture
  Mail Transfer Agent
  Mail Screening
  Where Mail Is Stored
  Local Delivery Agent
  User Interaction with Mail Service
  Using Mailing Lists with Mail Service
  Mailman-Based Mailing Lists
  Wiki-Based Mailing Lists
  Using Network Services with Mail Service
Chapter 2: Mail Service Setup
  Managing Mail Service
  Before You Begin
  Using Mail Service Tools
  Configuring DNS for Mail Service
  How User Account Settings Affect Mail Service
  Setup Overview
  Administering Mail Service
  Changing Mail Service Settings
  Viewing Mail Service Settings from the Command Line
  General Setup
  Configuring Outgoing Mail Service
  Configuring Incoming Mail Service
  Restricting SMTP Relay
  Restricted SMTP Relay and SMTP Authentication Interaction
  Rejecting SMTP Connections from Specific Servers
  Rejecting Mail from Blacklisted Senders
  Filtering SMTP Connections
  Limiting Junk Mail and Viruses
  Connection Control
  Mail Service Filtering
  Managing Mail Quotas
  Limiting Incoming Message Size
  Enabling Mail Quotas for Users
  Viewing a User’s Quota Usage
  Configuring Quota Warnings
  Configure Quota Violation Responses
  Mailing Lists
  Setting Up a Wiki-Based Mailing List
  About Mailman
  Setting Up a Mailman Mailing List
  Administering Mailing Lists
  Working with Mailing List Subscribers
  List Subscriber Options
  Where to Find More Information
  Setting Mail Service Logging Options
  Setting the Mail Service Log Detail
  Archiving Mail Service Logs by Schedule
  Client-Specific Configuration for Mail Service
  Configuring Mail Client Applications
  Using Webmail
  Vacation Notices
Chapter 3: Mail Service Advanced Configuration
  Securing User Access to Mail Service
  Designating Authorized Mail Service Users
  Using Workgroup Manager for Mail Service Access
  Using Access Control Lists for Mail Service Access
  Choosing Authentication for Mail Service
  SMTP Authentication
  IMAP and POP Authentication
  Securing Mail Service with SSL
  Configuring SSL Transport for SMTP Connections
  Configuring SSL Transport for IMAP and POP Connections
  Using an SSL Certificate from an External Certificate Authority
  Accessing Server Certificates from the Command Line
  Creating a Password File from the Command Line
  A Mail Service Virtual Host
  Enabling Virtual Hosting
  Adding or Removing Virtual Hosts
  Associating Users to the Virtual Host
  Creating Additional Mail Addresses for Users
  Setting Up Forwarding Mail Addresses for a User
  Working with Mail Service Data Storage
  Viewing the Location of the Mail Store
  Specifying the Location of the Mail Store
  Creating Additional Mail Store Locations
  Maximum Number of Mail Messages Per Volume
  Backing Up and Restoring Mail Messages
  Setting Up Mail Server Clustering with Xsan
  Configuring Additional Mail Service Support for 8-Bit MIME
Chapter 4: Monitoring and Maintaining Mail Service
  Starting or Stopping Mail Service
  Reloading Mail Service
  Holding Outbound Mail
  Blocking Inbound Mail Connections
  Allowing Administrator Access to Mail Folders
  Creating an Administration Account
  Monitoring Mail Service Activity
  Viewing an Overview of Mail Service Activity
  Viewing Mail Service Logs
  Viewing the Mail Connections List
  Viewing Mail Accounts
  Monitoring the Outgoing Mail Queue
  Viewing Mail Service Statistics
Chapter 5: Troubleshooting Mail Service
  Improving Performance
  When a Disk Is Full
  When Mail Is Undeliverable
  Forwarding Undeliverable Incoming Mail
  Where to Find More Information
  Books
  Internet
Appendix A: Command-Line Parameters for the serveradmin Tool and Default Mail Service Settings
Appendix B: Sample Sieve Scripts
Index
About This Guide
This guide provides a starting point for administering Mail
Service using its advanced administration tools. It contains
information about configuring Mail Service using Server
Admin.
Mail Service Administration might not be the only guide you need when administering
Mail Service, but it gives you the basics beyond initial Mac OS X Server configuration.
What’s in This Guide
This guide includes the following sections:
• Chapter 1, “Understanding Mail Service,” gives an overview of the components of
  the Mac OS X Server Mail service.
• Chapter 2, “Mail Service Setup,” includes everything you need to set up and
  configure Mail service and to support and configure mail users.
• Chapter 3, “Mail Service Advanced Configuration,” builds on the basic setup
  instructions to help you fine tune your mail server, especially concerning security
  settings and data storage.
• Chapter 4, “Monitoring and Maintaining Mail Service,” includes information for
  ongoing mail server maintenance and administration.
• Chapter 5, “Troubleshooting Mail Service,” helps you to resolve some of the most
  common issues that may arise with Mail service.
• Appendix A, “Command-Line Parameters for the serveradmin Tool and Default Mail
  Service Settings,” shows the default state of the settings you can configure from the
  command line.
Note: Because Apple periodically releases new versions and updates to its software,
images shown in this book may be different from what you see on your screen.
Using Onscreen Help
You can get task instructions onscreen in Help Viewer while you’re managing
Mac OS X Server v10.6. You can view help on a server or an administrator computer.
(An administrator computer is a Mac OS X computer with Mac OS X Server v10.6
administration software installed on it.)
To get the most recent onscreen help for Mac OS X Server:
Open Server Admin or Workgroup Manager and then:
• Use the Help menu to search for a task you want to perform.
• Choose Help > Server Admin Help or Help > Workgroup Manager Help to browse
  and search the help topics.
The onscreen help contains instructions taken from Server Administration and other
advanced administration guides described in “Document Road Map,” next.
To see the most recent server help topics:
Make sure the server or administrator computer is connected to the Internet while
you’re getting help.
Help Viewer automatically retrieves and caches the most recent server help topics
from the Internet. When not connected to the Internet, Help Viewer displays cached
help topics.
Document Road Map
Mac OS X Server v10.6 has a suite of guides that cover management of
individual services. Each service may be dependent on other services for maximum
utility. The road map below shows some related documentation that you may need to
fully configure your desired service to your specifications. You can get these guides in
PDF format from the Mac OS X Server documentation website:
www.apple.com/server/documentation
• Getting Started: Covers basic installation, setup, and management of mail service
  using Server Preferences.
• Mail Server Administration: Describes advanced options for setting up, configuring,
  and managing mail service.
• Advanced Server Administration: Describes using Server Admin to install, configure,
  and administer server software and services. Includes best practices and advice for
  system planning, security, backing up, and monitoring.
• Network Services Administration: Explains how to set up DNS, VPN, and firewall for
  use with mail service.
• User Management: Explains how to give each user a mail service account and add
  users to directory services.
• Open Directory Administration: Explains how to set up Open Directory to
  authenticate users of mail service.
• Introduction to Command-Line Administration: Explains how to use UNIX shell
  commands to configure and manage servers and services.
• Information Technologies Dictionary: Provides onscreen definitions of server and
  mail service terminology.
Viewing PDF Guides Onscreen
While reading the PDF version of a guide onscreen:
• Show bookmarks to see the guide’s outline, and click a bookmark to jump to the
  corresponding section.
• Search for a word or phrase to see a list of places where it appears in the document.
  Click a listed place to see the page where it occurs.
• Click a cross-reference to jump to the referenced section. Click a web link to visit the
  website in your browser.
Printing PDF Guides
If you want to print a guide, you can take these steps to save paper and ink:
• Save ink or toner by not printing the cover page.
• Save color ink on a color printer by looking in the panes of the Print dialog for an
  option to print in grays or black and white.
• Reduce the bulk of the printed document and save paper by printing more than
  one page per sheet of paper. In the Print dialog, change Scale to 115% (155%
  for Getting Started). Then choose Layout from the untitled pop-up menu. If your
  printer supports two-sided (duplex) printing, select one of the Two-Sided options.
  Otherwise, choose 2 from the Pages per Sheet pop-up menu, and optionally choose
  Single Hairline from the Border menu. (If you’re using Mac OS X v10.4 or earlier,
  the Scale setting is in the Page Setup dialog and the Layout settings are in the
  Print dialog.)
You may want to enlarge the printed pages even if you don’t print double sided,
because the PDF page size is smaller than standard printer paper. In the Print dialog
or Page Setup dialog, try changing Scale to 115% (155% for Getting Started, which has
CD-size pages).
Getting Documentation Updates
Periodically, Apple posts revised help pages and new editions of guides. Some revised
help pages update the latest editions of the guides.
• To view new onscreen help topics for a server application, make sure your server or
  administrator computer is connected to the Internet and click “Latest help topics” or
  “Staying current” in the main help page for the application.
• To download the latest guides in PDF format, go to the Mac OS X Server
  documentation website:
  www.apple.com/server/documentation
• An RSS feed listing the latest updates to Mac OS X Server documentation and
  onscreen help is available. To view the feed use an RSS reader application, such as
  Safari or Mail:
Getting Additional Information
• Read Me documents—important updates and special information. Look for them on
  the server discs.
• Mac OS X Server website (www.apple.com/server/macosx)—gateway to extensive
  product and technology information.
• Mac OS X Server Support website (www.apple.com/support/macosxserver)—access to
  hundreds of articles from Apple’s support organization.
• Apple Discussions website (discussions.apple.com)—a way to share questions,
  knowledge, and advice with other administrators.
• Apple Mailing Lists website (www.lists.apple.com)—subscribe to mailing lists so you
  can communicate with other administrators using email.
Chapter 1: Understanding Mail Service
Mail service in Mac OS X Server consists of many
different components that work together to provide
incoming and outgoing Mail service, mail filtering, and
mailing lists.
This chapter begins with a look at the standard protocols used for sending
and receiving mail. Then it explains how Mail service works, discusses mailing
lists, and concludes with information on how Mail service integrates with other
network services.
Mail Service Architecture
Mail service in Mac OS X Server allows network users to send and receive mail over
your network or across the Internet.
Mail service sends and receives mail using the following standard Internet mail protocols:
• Simple Mail Transfer Protocol (SMTP)
• Internet Message Access Protocol (IMAP)
• Post Office Protocol (POP)
A standard mail client setup uses SMTP to send outgoing mail and POP and IMAP to
receive incoming mail. Mac OS X Server includes an SMTP service and a combined POP
and IMAP service.
Mail service also uses a Domain Name System (DNS) service to determine the
destination IP address of outgoing mail.
The following image gives an overview of how the components of Mac OS X Server
Mail service interact:
[Figure: Mail service components in Mac OS X Server. Labels: External Mail Transfer
Agent (MTA); Native Mail User Agent (MUA); Web Browser; Optional Mail Delivery Agent;
Mail Delivery Agent (Squirrel Mail); Mail Transfer Agent (MTA), SMTP Server (Postfix);
Dovecot, POP Server, IMAP Server; Virus Scanner (ClamAV); Spam Filter (Spam Assassin);
Message storage on disk in Maildir format.]
Mail Transfer Agent
Simple Mail Transfer Protocol (SMTP) is a protocol used to send and transfer mail. SMTP
queues outgoing mail messages from the user. These messages are transferred over
the Internet to their destinations, to be picked up by incoming mail protocols.
Mac OS X Server uses Postfix as its mail transfer agent (MTA). Postfix fully supports
SMTP. Your mail users will set their mail application’s outgoing mail server to your
Mac OS X Server running Postfix.
Postfix is easy to administer. Its basic configuration can be managed through Server
Admin and therefore it does not rely on editing the configuration file.
Postfix uses multiple layers of defense to protect the server computer from intruders:
• There is no direct path from the network to the security-sensitive local delivery tools.
• Postfix does not trust the contents of its queue files or the contents of its IPC messages.
• Postfix filters sender-provided information before exporting it via environment
  variables.
• Nearly every Postfix application can run with fixed low privileges and no ability to
  change ID, run with root privileges, or run as any other user.
Postfix uses the configuration files main.cf and master.cf in /etc/postfix/. When Server
Admin modifies Postfix settings, it overwrites the main.cf file.
If you make a manual change to the configuration file of Postfix, Server Admin overwrites
your changes the next time you use it to modify the Mail service configuration.
The spool files for Postfix are located in /var/spool/postfix/ and the log file is
/var/log/mail.log. For more information about Postfix, see www.postfix.org.
If you use another MTA (such as Sendmail), you can’t configure Mail service with Mac
OS X Server administration tools.
To use Sendmail instead of Postfix, disable the current SMTP service through
Postfix, then install and configure Sendmail. For more information about Sendmail,
see www.sendmail.org.
Mail Screening
After a mail delivery connection is made and the message is accepted for local
delivery (relayed mail is not screened), the mail server can screen it before delivery.
Mac OS X Server uses SpamAssassin (from spamassassin.apache.org) to analyze the
text of a message, and gives it a probability rating for being junk mail.
No junk mail filter is 100% accurate in identifying unwanted mail. For this reason the
junk mail filter in Mac OS X Server doesn’t delete junk mail or prevent it from being
delivered. Instead, it marks the mail as potential junk mail.
The user can then decide if it’s really unsolicited commercial mail and deal with it
accordingly. Many mail clients use the ratings that SpamAssassin adds as a guide in
classifying mail for the user.
Mac OS X Server uses ClamAV (from www.clamav.net) to scan mail messages for
viruses. If a suspected virus is found, you can deal with it in several ways, as described
below. The virus definitions are kept up to date (if enabled) via the Internet using a
process called freshclam.
Where Mail Is Stored
Mail is stored in an outgoing queue awaiting transfer to a remote server or in a local
mail store accessible by local mail users.
Outgoing Mail Location
By default, outgoing mail messages are stored in the following spool directory on the
startup disk: /var/spool/postfix/.
This location is temporary, and the mail is stored until it’s transferred to the Internet.
These locations can be moved to any accessible volume if you create a symlink to
the new location.
Incoming Mail Location
Mail service stores each message as a separate file in a mail folder for each user.
Incoming mail is stored on the startup disk in /var/spool/imap/dovecot/mail/GUID.
You can change the location of mail folders and indexes to another folder, disk, or disk
partition. You can even specify a shared volume on another server as the location of
the mail folder, although using a shared volume negatively affects performance.
For remotely mounted file systems, NFS isn’t recommended. The incoming mail
remains on the server until deleted by a Mail User Agent (MUA).
Mail storage can also be split across multiple partitions or stored on an Xsan
cluster. This can be done to scale Mail service or to facilitate data backup. For more
information see “Setting Up Mail Server Clustering with Xsan” on page 82.
You can change where mail is stored. For more information, see “Working with Mail
Service Data Storage” on page 79.
Local Delivery Agent
Mail is transferred from incoming mail storage to the mail recipient’s inbox by a local
delivery agent (LDA). The LDA handles local delivery, making mail accessible by the
user’s mail application. Two protocols are available from the Mac OS X Server LDA:
POP and IMAP.
Mac OS X Server uses Dovecot to provide POP and IMAP service. Your mail users will set
their mail application’s incoming mail server to your Mac OS X Server running Dovecot.
More information about Dovecot can be found at: http://www.dovecot.org/.
Dovecot
Dovecot is an open-source enterprise mail system for use in small to large enterprise
environments. Dovecot developers have focused on security, scalability, and ease
of administration.
Each message is stored as a separate file in a mail folder for each user. This design
gives the server advantages in efficiency, scalability, and administration. User access to
mail is primarily through software using IMAP or POP3.
Dovecot uses the configuration file /etc/dovecot/dovecot.conf. Server Admin uses
the defaults file /etc/dovecot/dovecot.conf.default. Dovecot logs its events in
/var/log/mailaccess.log. The Dovecot mail store is located in /var/imap/ and user
folders are located in /var/spool/imap/.
The Dovecot delivery application receives mail from the Postfix delivery agent and
stores the mail in user spool files in /var/spool/imap/dovecot/mail/GUID, where GUID is
the Globally Unique ID (GUID) of the mail user. The user can then use IMAP or POP to
retrieve messages.
After receiving mail from external MTAs, you can apply virus filtering or junk mail
filtering to the messages. Mac OS X Server uses ClamAV and Spam Assassin for these
tasks. For more information on enabling these, see “Limiting Junk Mail and Viruses”
on page 34.
For more information about Dovecot, see http://www.dovecot.org/.
Internet Message Access Protocol (IMAP)
IMAP is the solution for people who use more than one computer to receive mail.
IMAP is a client-server mail protocol that allows users to access mail from anywhere on
the Internet.
With IMAP, a user’s mail is delivered to the server and stored in a remote mailbox on
the server. To users, mail appears as if it were on the local computer.
A key difference between IMAP and POP is that with IMAP the mail isn’t removed from
the server until the user deletes it.
The IMAP user’s computer can ask the server for message headers, ask for the bodies
of specified messages, or search for messages that meet certain criteria. These
messages are downloaded as the user opens them.
IMAP connections are persistent and remain open, maintaining load on the server and
possibly the network as well.
Post Office Protocol (POP)
POP is used only for receiving mail, not for sending mail.
The POP service is like a post office, storing mail and delivering it to a specific
address. Mail service stores incoming POP mail until users connect to Mail service and
download their waiting mail.
After a user’s computer downloads POP mail, the mail is stored only on the user’s
computer. The user’s computer disconnects from Mail service, and the user can read,
organize, and reply to the received POP mail.
An advantage of using POP is that your server doesn’t need to store mail that users
have downloaded. Therefore, your server doesn’t need as much storage space as it
would using IMAP.
However, because the mail is removed from the server, if the user’s computer sustains
hard disk damage and loses mail files, there’s no way to recover these files without
using data backups.
Another advantage of POP is that POP connections are transitory. After mail is transferred,
the connection is dropped and the load on the network and mail server is removed.
POP isn’t the best choice for users who access mail from more than one computer,
such as a home computer, an office computer, and a laptop while on the road. When
a user retrieves mail via POP, the mail is downloaded to the user’s computer and is
usually removed from the server. If the user logs in later from a different computer, the
user can’t see previously downloaded mail.
User Interaction with Mail Service
Mail is delivered to its final recipient using a mail user agent (MUA). MUAs are usually
referred to as mail clients or mail applications. These mail clients often run on the
user’s local computer.
Each user’s mail application must be configured to send messages to the outgoing
server and receive messages from the incoming server. These configurations can affect
your server’s processing load and available storage space. For more information, see
“Configuring Mail Client Applications” on page 60.
Users can also access mail through Webmail. For more information, see “Mail Service
Filtering” on page 35.
Using Mailing Lists with Mail Service
Mac OS X Server provides two types of mailing lists:
• A Mailman-based list where a single mail message is distributed to recipients who
  have subscribed to the list
• A wiki-based list that allows you to send a single message that is copied to each
  member of a Mac OS X Server wiki group
Mailman-Based Mailing Lists
Mac OS X Server uses Mailman for its traditional mailing list service.
Mailman is a mailing list service with support for built-in archiving, automatic bounce
processing, content filtering, digest delivery, spam filters, and other features. Mailman
provides a customizable web page for each mailing list.
Users can subscribe and unsubscribe themselves, as well as change list preferences.
List and site administrators can use the web interface for common tasks such as
account management, approvals, moderation, and list configuration. The web interface
requires that you have the Apache web server running.
You can access Mailman at www.yourdomain.com/mailman/listinfo.
Mailman receives mail from the local Postfix process by configuring alias maps.
Messages destined for a mail list are piped by the local process to Mailman processes.
The mapping is provided in /var/mailman/data/aliases.
You can find more information about configuring and administering mail lists using
Mailman at www.list.org and at /Library/Documentation/Services/mailman.
Mailing lists differ from workgroups in a few fundamental ways:
• Mailing lists aren’t linked to file or directory permissions.
• Mailing lists can be administered by someone other than the workgroup or
  server administrator.
• Mailing list subscribers do not need an account (mail or file access) on the list’s
  server. Any mail address can be added to the list.
• Mailing list subscribers can often remove themselves from and add themselves to lists.
Wiki-Based Mailing Lists
A wiki-based mailing list is based on a Mac OS X wiki group. It differs from a
Mailman-based mailing list in the following ways:
• Group members receive all messages sent to the group’s address. No subscription
  is required.
• The recipients list is up-to-date with the wiki group, so only members of the group
  receive mail messages.
• The group administrator controls the membership of the group.
Using Network Services with Mail Service
Mail service makes use of network services to ensure delivery of mail. Before sending
mail, your Mail service will probably have a DNS service determine the Internet
Protocol (IP) address of the destination.
The DNS service is necessary because people typically address their outgoing mail
by using a domain name, such as example.com, rather than an IP address, such as
198.162.12.12. To send an outgoing message, Mail service must know the IP address
of the destination.
Mail service relies on a DNS service to look up domain names and determine the
corresponding IP addresses. The DNS service can be provided by your Internet Service
Provider (ISP) or by Mac OS X Server, as explained in Network Services Administration.
Additionally, a mail exchange (MX) record can provide redundancy by listing an
alternate mail host for a domain. If the primary mail host isn’t available, the mail can
be sent to the alternate mail host. An MX record can list several mail hosts, each with
a priority number. If the host with the lowest priority number is busy, mail can be sent
to the host with the next lowest number, and so on.
Without a properly configured MX record in DNS, mail might not reach your intended
server.
Mail service uses DNS like this:
1 The sending server reads the mail recipient’s domain name (what comes after the @ in
the To address).
2 The sending server looks up the MX record for that domain name to find the
receiving server.
3 If the MX record is found, the message is sent to the receiving server.
4 If the lookup fails to find an MX record for the domain name, the sending server
assumes that the receiving server has the same name as the domain name, so the
sending server does an Address (A) lookup on that domain name and attempts to
send the message there.
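The four steps above, written out as an added example that is not part of the guide. The DNS data, host names and addresses are constructed, the function names are hypothetical, and the shuffling of hosts that share a priority number goes beyond what the guide describes.

```python
import random

# Constructed sample DNS data for illustration (documentation-reserved names
# and addresses); nothing here comes from the guide or from a live DNS server.
SAMPLE_DNS = {
    "MX": {
        # (priority number, mail host); lower numbers are tried first
        "example.com": [(20, "backup.example.com."), (10, "mail.example.com.")],
    },
    "A": {
        "mail.example.com": ["192.0.2.10"],
        "backup.example.com": ["192.0.2.20"],
        "example.org": ["198.51.100.5"],
    },
}


def recipient_domain(address):
    """Step 1: the domain is whatever follows the last '@' in the To address."""
    local, at, domain = address.strip().rpartition("@")
    if not at or not local or not domain:
        raise ValueError("not a mail address: %r" % address)
    return domain.rstrip(".").lower()


def order_mx(records, rng=None):
    """Order MX hosts by priority number, lowest first.

    Hosts that share a priority number are shuffled first so that load is
    spread across them; the stable sort keeps that random order within ties.
    """
    shuffled = list(records)
    (rng or random).shuffle(shuffled)
    shuffled.sort(key=lambda rec: rec[0])
    return [host.rstrip(".").lower() for _, host in shuffled]


def delivery_targets(address, dns=SAMPLE_DNS, rng=None):
    """Return (host, ip) pairs in the order a sending server would try them."""
    domain = recipient_domain(address)
    mx_records = dns["MX"].get(domain, [])
    if mx_records:
        hosts = order_mx(mx_records, rng)   # steps 2 and 3: use the MX hosts
    else:
        hosts = [domain]                    # step 4: fall back to an A lookup
    return [(host, ip) for host in hosts for ip in dns["A"].get(host, [])]


def first_reachable(targets, unreachable=()):
    """Pick the first target whose host is not in the 'unreachable' set."""
    for host, ip in targets:
        if host not in unreachable:
            return host, ip
    return None


if __name__ == "__main__":
    for rcpt in ("user@example.com", "user@example.org", "user@nowhere.example"):
        print(rcpt, "->", delivery_targets(rcpt))
    # Primary mail host down: delivery moves to the next priority number.
    print(first_reachable(delivery_targets("user@example.com"),
                          unreachable={"mail.example.com"}))
```

An empty result for a domain, as for the third recipient, is the case the guide warns about: with neither an MX record nor an A record for the domain name, the sending server has nowhere to deliver.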
To configure DNS, see “Configuring DNS for Mail Service” on page 21.
Chapter 2: Mail Service Setup
This chapter explains the basic configuration of Mail service.
You learn about tools used to manage Mail service and configuration steps to manually
configure Mail service or make changes after using the Server Setup Assistant.
Managing Mail Service
This section provides basic steps to set up Mail service on Mac OS X Server and
explains the tools you use to manage Mail service.
Before You Begin
Before setting up Mail service for the first time:
• If you are upgrading from a previous version of Mac OS X Server, you might need
  to take special steps to upgrade Mail service. See “Viewing Mailing List Archives”
  on page 53.
• Decide whether to use POP, IMAP, or both for accessing mail.
• If your server will provide Mail service over the Internet, obtain a registered
  domain name.
• Determine whether your ISP will create your MX records or whether you’ll create
  them using your own DNS service. See “Configuring DNS for Mail Service” on page 21.
• Identify the people who will use Mail service but who don’t have user accounts
  in a directory domain accessible to Mail service. Then create user accounts for these
  mail users.
• Determine your authentication and transport security needs. See “Understanding
  SMTP Authentication” on page 26.
Using Mail Service Tools
Mac OS X Server provides two primary applications and one primary command-line
tool to help you set up and manage Mail service:
• Server Admin: Use to start, stop, configure, maintain, and monitor Mail service when
  you install Mac OS X Server.
• Workgroup Manager: Use to create user accounts for mail users and configure each
  user’s mail options.
• serveradmin: Use to manage Mail service from the command line remotely via ssh
  or locally through the Terminal application. See “Viewing Mail Service Settings from
  the Command Line” on page 26 and Introduction to Command-Line Administration.
Configuring DNS for Mail Service
Configuring DNS for Mail service entails enabling MX records with your DNS server.
If you have an ISP that provides DNS service, contact the ISP so they can enable your
MX records.
To enable MX records:
Follow these steps if you provide your own DNS service using Mac OS X Server.
1 In Server Admin, choose a server, then select DNS.
2 Click the Zones button in the toolbar.
3 Select the zone that the MX record will be added to.
If there are no zones, create one. If the mail server does not have a machine record (A),
add one. For more information, see Network Services Administration.
4 Click the + button in the Mail Exchangers list.
5 Enter the mail server’s hostname.
6 Set a mail server precedence number.
Mail servers try to deliver mail at lower numbered mail servers first.
7 Click OK to Save.
To set up multiple servers for redundancy, add MX records with different precedence
numbers.
How User Account Settings Affect Mail Service
In addition to setting up Mail service as described in this chapter, you can also
configure individual mail settings for anyone who has a user account on your server.
For each user, you need to:
• Enable mail usage.
• Enter the DNS name or IP address of your mail server.
• Select the protocols for retrieving incoming mail (POP, IMAP, or both).
• Set a quota on disk space available for storing a user’s mail.
• Configure any alternate mail storage location.
You configure these settings with the Workgroup Manager application. For more
information, see User Management.
Setup Overview
You can have Mail service set up and start as part of the Mac OS X Server installation
process. An option for setting up Mail service appears in the Setup Assistant
application, which runs at the conclusion of the installation process. If you select this
option, Mail service is set up as follows:
• SMTP, POP, and IMAP are active and use standard ports.
• Junk mail filter is on.
• Virus filtering is on.
• Quotas are not enforced.
• Incoming messages larger than 10 MB are refused.
• Mailing lists are inactive.
• Standard authentication methods are used (not Kerberos), with POP and IMAP
set for clear-text passwords (APOP and CRAM-MD5 turned off) and SMTP
authentication turned off.
If your server is an Open Directory master, Kerberos, CRAM-MD5, and APOP are used.
• Mail is delivered only locally. (No mail is sent over the Internet.)
• Mail relay is unrestricted.
You can also use the configuration assistant to set up Mail service. This interactive
assistant helps you select options and settings. If you use the configuration assistant,
you should already have MX records set properly. After using the assistant, you can
use Server Admin, Workgroup Manager, and the serveradmin command-line tool to
customize your configuration.
To start the mail configuration assistant:
1 In Server Admin, select a computer in the Servers list, then select Mail.
If Mail is not listed beneath the server you selected, you must start Mail service.
Click the + button at the bottom of the Servers list, then select Add Service from
the pop-up list.
2 Click the Configure Mail Service button to start the assistant.
3 Follow the onscreen instructions.
To configure Mail service manually:
To change Mail service manually, complete the following:
1 Make a plan.
For a list of items to think about before you start full-scale Mail service, see “Before You
Begin” on page 20.
2 Set up MX records.
For users to send and receive mail over the Internet, make sure DNS service is set up
with the relevant MX records for Mail service:
• If an ISP provides DNS service to your network, contact the ISP and have them set
up MX records for you. Your ISP needs your mail server’s DNS name (such as
mail.example.com) and your server’s IP address.
• If you use Mac OS X Server to provide DNS service, create MX records as described
in “Configuring DNS for Mail Service” on page 21.
• If you do not set up an MX record for your mail server, your server might still be
able to exchange mail with other mail servers. Some mail servers will find your mail
server by looking in DNS for your server’s A record. (You probably have an A record
if you have a web server set up.)
Note: Your mail users can send mail to each other even if you do not set up MX
records. Local Mail service doesn’t require MX records.
3 Configure incoming Mail service.
Mail service has many settings that determine how it handles incoming mail.
For instructions, see “Configuring Incoming Mail Service” on page 29.
4 Configure outgoing Mail service.
Mail service has many settings that determine how it handles outgoing mail.
For instructions, see “Configuring Outgoing Mail Service” on page 26.
5 Secure your server.
If your server exchanges mail over the Internet, make sure you’re not operating an
open relay. An open relay is a security risk and enables junk mail senders to use your
computer resources for sending unsolicited commercial mail. For instructions see
“Restricting SMTP Relay” on page 31.
6 Configure additional settings for Mail service.
Additional settings that you can change affect how Mail service stores mail, limits junk
mail, and handles undeliverable mail. See the following sections for instructions:
• “Working with Mail Service Data Storage” on page 79
• “Limiting Junk Mail and Viruses” on page 34
• “When Mail Is Undeliverable” on page 92
7 Set up accounts for mail users.
Each person who wants Mail service must have a user account in a directory domain
accessible by your Mail service. The short name of the user account is the mail account
name and is used to form the user’s mail address.
In addition, each user account has settings that determine how Mail service handles
mail for the user account. You can configure a user’s mail settings when you create
the user’s account, and you can change an existing user’s mail settings at any time.
For instructions, see “How User Account Settings Affect Mail Service” on page 22 and
“To create a list description:” on page 46.
8 Create a postmaster alias (optional, but recommended).
You should create an administrative alias named postmaster. Mail service or the mail
administrators send reports to the postmaster account. An alias allows mail sent to
postmaster@yourdomain.com to be forwarded to an account of your choice.
Set up forwarding of the postmaster’s mail to a mail account that you check regularly.
Other common postmaster accounts are named abuse (used to report abuses of your
Mail service) and spam (used to report unsolicited commercial mail abuses by users).
To learn about creating an alias to an existing mail user, see “Creating Additional Mail
Addresses for Users” on page 77.
9 Start Mail service.
Before starting Mail service, make sure the server computer shows the correct day,
time, time zone, and daylight-saving settings in the Date & Time pane of System
Preferences. Mail service uses this information to timestamp each message. An
incorrect timestamp can cause other mail servers to handle a message incorrectly.
Also, make sure you’ve enabled Mail service protocols (SMTP, POP, or IMAP) in the
Settings pane.
After you verify this information, you can start Mail service. If you selected the Server
Assistant option to have Mail service start automatically, stop Mail service now, then
start it again for your changes to take effect. For detailed instructions, see “Setting Up a
Wiki-Based Mailing List” on page 42.
10 Set up each user’s mail client software.
After you set up Mail service on your server, mail users must configure their mail client
software. For details, see “Mail Screening” on page 14.
Administering Mail Service
You must turn on Mail service administration before you can use Server Admin to
configure or enable it. This allows Server Admin to start, stop, and change settings
for Mail service.
To enable Mail Service for administration:
1 Open Server Admin.
2 Select a server, click the Settings button in the toolbar, and then click the Services tab.
3 Select the checkbox for Mail service.
You can now configure and control Mail service using Server Admin.
You can also configure and control Mail service from the command line using the
serveradmin command-line tool. For more information, see the serveradmin man page
and Introduction to Command-Line Administration.
For advanced command-line configuration and maintenance, you may need to
enable a specific mail administration account. For more information, see “Creating an
Administration Account” on page 85.
Changing Mail Service Settings
Most settings are exposed in Server Admin and Workgroup Manager and can be
changed in those applications. If you make a change, you may need to stop and restart
the Mail service.
Many settings can also be accessed through the serveradmin command-line tool.
To change Mail service settings from the command line:
Find the name of the specific setting you need to change and then submit your
setting as an argument to serveradmin. For example, to disable POP email service:
$ sudo serveradmin settings mail:imap:enable_pop = no
$ sudo serveradmin stop mail
$ sudo serveradmin start mail
To see all possible commands, see Appendix A, “Command-Line Parameters for the
serveradmin Tool and Default Mail Service Settings,” on page 94.
For more specific configuration of Postfix and Dovecot you might want to configure
them directly. For information about configuring these tools, see the following:
• For Postfix, see www.postfix.org.
• For Dovecot IMAP/POP, see www.dovecot.org.
Viewing Mail Service Settings from the Command Line
To view Mail service configuration settings:
$ sudo serveradmin settings mail
To view a specific setting:
$ sudo serveradmin settings mail:setting
To view a group of settings:
You can view a group of settings that have part of their names in common by entering
as much of the name as you want, stopping at a colon (:), and entering an asterisk (*)
as a wildcard for the remaining parts of the name. For example:
$ sudo serveradmin settings mail:imap:*
General Setup
This section discusses basic configuration settings you make to use Mail service.
Configuring Outgoing Mail Service
Mail service includes an SMTP service for sending mail. Subject to restrictions that you
control, the SMTP service also transfers mail to and from Mail service on other servers.
If your mail users send messages to another Internet domain, your SMTP service
delivers the outgoing messages to the other domain’s Mail service. Other Mail services
deliver messages for your mail users to your SMTP service, which then transfers the
messages to your POP service and IMAP service.
Understanding SMTP Authentication
If you don’t choose a method of SMTP authentication or authorize specific SMTP
servers to relay for, the SMTP server allows anonymous SMTP mail relay and is
considered an open relay. Open relays are bad because junk mail senders can exploit
the relay to hide their identities and send illegal junk mail without penalty.
There is a difference between relaying mail and accepting delivery of mail. Relaying mail
means passing mail from one (possibly external) mail server or a local user’s mail client
to another (third) mail server. Accepting delivery means receiving mail from a (possibly
external) mail server to be delivered to the server’s mail users. Mail addressed to local
recipients is still accepted and delivered.
When authentication for SMTP is enabled, a client must authenticate with one of the
selected authentication methods before the server relays its mail.
SMTP Authentication is used with restricted SMTP mail transfer to limit junk mail
propagation. For more information about these settings, see “Understanding SMTP
Authentication” on page 26.
Enabling SMTP Access
SMTP is used for transferring mail between Mail services and for sending mail from users’
mail clients. The SMTP Mail service stores outgoing mail in a queue until it has found
the mail exchange server at the mail’s destination. Then it transfers the mail to the
destination server for handling and eventual delivery.
SMTP service is required for outgoing Mail service and for accepting delivery of mail
from mail servers outside your organization.
To enable SMTP access:
1 In Server Admin, select a computer in the Servers list, then select Mail.
2 Click Settings.
3 Select the General tab.
4 Click Enable SMTP.
5 Select “Allow incoming mail,” if wanted.
6 If you allow incoming mail, enter the domain name to accept mail for and the mail
server’s host name.
7 Click Save.
By default SMTP is enabled on port 25. If port 25 is blocked in your environment,
you need to change the port SMTP uses.
Requiring SMTP Authentication
If your Mail service requires SMTP authentication, your server cannot be used as an
open relay by anonymous users. Someone who wants to use your server as a relay
point must first provide the name and password of a user account on your server.
Although SMTP authentication applies primarily to mail relay, your local mail users
must also authenticate before sending mail. This means your mail users must have
mail client software that supports SMTP authentication or they can’t send mail to
remote servers. Mail sent from external mail servers and addressed to local recipients
is still accepted and delivered.
To require SMTP authentication, see “Requiring SMTP Authentication” on page 27.
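The following shell function is an added example, not part of the original manual. It reads a transcript of an SMTP test session run against your own server and reports whether a recipient outside your domain was accepted without authentication, which is the open-relay condition described in “Understanding SMTP Authentication” and in this section. The C:/S: line prefixes, the function name relay_verdict, and the sample transcript are assumptions of this example.

```shell
# Classify a transcript of an SMTP test session against your own server.
# Assumed format: "C: " prefixes client lines, "S: " prefixes server replies.
# Usage: relay_verdict LOCAL_DOMAIN < transcript
relay_verdict() {
  awk -v local_domain="$1" '
    BEGIN { local_domain = tolower(local_domain) }
    /^C: / {
      cmd = toupper(substr($0, 4))
      if (cmd ~ /^AUTH( |$)/) {
        pending = "auth"
      } else if (cmd ~ /^RCPT TO:/) {
        addr = tolower(substr($0, 4))
        if (addr ~ /@/) {
          sub(/^.*@/, "", addr)   # keep only the domain part
          sub(/>.*$/, "", addr)   # drop the closing bracket and parameters
        } else {
          addr = local_domain     # bare mailbox such as <postmaster> is local
        }
        pending = (addr == local_domain) ? "rcpt-local" : "rcpt-remote"
      } else if (pending != "auth") {
        pending = ""              # any other command clears the pending state
      }
      next
    }
    /^S: [0-9][0-9][0-9]-/ { next }   # continuation of a multi-line reply
    /^S: [0-9][0-9][0-9]/ {
      code = substr($0, 4, 3)
      if (pending == "auth" && code == "334") next   # challenge, exchange continues
      if (pending == "auth" && code == "235") authed = 1
      if (pending == "rcpt-remote") {
        if (code !~ /^2/) refused = 1
        else if (authed) auth_relay = 1
        else unauth_relay = 1
      }
      pending = ""
    }
    END {
      if (unauth_relay) print "open-relay"
      else if (auth_relay) print "relay-authenticated"
      else if (refused) print "relay-refused"
      else print "no-relay-attempt"
    }
  '
}

# Constructed transcript: no AUTH, yet a recipient in a third domain is accepted.
SAMPLE_OPEN='S: 220 mail.example.com ESMTP
C: EHLO client.elsewhere.example
S: 250-mail.example.com
S: 250 SIZE 10485760
C: MAIL FROM:<a@elsewhere.example>
S: 250 2.1.0 Ok
C: RCPT TO:<user@example.com>
S: 250 2.1.5 Ok
C: RCPT TO:<b@third.example>
S: 250 2.1.5 Ok'

printf '%s\n' "$SAMPLE_OPEN" | relay_verdict example.com
```

A server that requires SMTP authentication should yield relay-refused for an anonymous session and relay-authenticated for a session that logged in first; mail for local recipients is accepted in both cases.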
Relaying SMTP Mail Through Another Server
Rather than delivering outgoing mail to its destinations, your SMTP Mail service can
relay outgoing mail to another server.
Normally, when an SMTP server receives a message addressed to a remote recipient,
it attempts to send that message to that server or the server specified in the MX
record, if it exists. Depending on your network setup, this method of mail transport
might not be wanted or even possible. You might then need to relay outbound
messages through a specific server.
You might need to use this method to deliver outgoing mail through the firewall set
up by your organization. In this case, your organization will designate a server for
relaying mail through the firewall.
This method can be useful if your server has slow or intermittent connections to
the Internet.
Do not attempt to relay mail through a mail server outside your organization’s control
without the relay administrator’s permission. Trying to do so will label you as a Mail
service abuser.
To relay SMTP mail through another server:
1 In Server Admin, select a computer in the Servers list, then select Mail.
2 Click Settings.
3 Click the General tab.
4 Click “Relay outgoing mail through host” and enter the DNS name or IP address of the
server that provides SMTP relay.
5 Click Save.
Copying Undeliverable Incoming Mail
You can have Mail service copy messages that arrive for unknown local users to
another person or a group in your organization, usually the postmaster. You can
use this setting to track mail delivery failures such as SMTP connection rejections or
misaddressed mail, or to determine the source of junk mail.
To keep a copy of undeliverable incoming mail:
1 In Server Admin, select a computer in the Servers list, then select Mail.
2 Click Settings.
3 Select the General tab.
4 Select “Copy undeliverable mail to” and enter a user, group name, or alias.
5 Click Save.
Saving Mail Messages for Monitoring and Archival Purposes
You can configure Mail service to send a blind carbon copy (Bcc) of each incoming
or outgoing message to a user or group. You might want to do this to monitor or
archive messages. Senders and receivers of mail don’t know that copies of their mail
are being archived.
You can set up the user or group to receive Bccs using POP, then set up a client mail
application to log in periodically and clean out the account by retrieving all new
messages. Otherwise, you might want to periodically copy and archive the messages
from the destination directory using automated shell commands.
You can set up filters in the mail client to highlight types of messages. Additionally, you
can archive all messages for legal reasons.
To save all messages:
1 In Server Admin, select a computer in the Servers list, then select Mail.
2 Click Settings.
3 Select the General tab.
4 Click the “Copy all mail to” checkbox and enter a user or group name.
5 Click Save.
Configuring Incoming Mail Service
When configuring incoming Mail service, you configure mail to be retrieved by users
and mail client applications. It involves these basic steps:
• Choose and enable the type of access (POP, IMAP, or both).
• Choose a method for authentication of the mail client.
• Choose a policy for secure transport of mail data over SSL.
The following sections explain how to enable IMAP and POP access. For information
on authentication and SSL, see “Securing User Access to Mail Service” on page 62.
Enabling IMAP Access
IMAP is a client-server mail protocol that allows users to access mail from the Internet.
With IMAP, mail is delivered to the server and stored in a remote mailbox on the server.
To users, mail appears as if it were on the local computer.
A key difference between IMAP and POP is that with IMAP the mail isn’t removed from
the server until the user deletes it. IMAP connections are persistent and remain open,
maintaining load on the server and possibly the network as well.
To enable IMAP access:
1 In Server Admin, select a computer in the Servers list, then select Mail.
2 Click Settings.
3 Select the General tab.
4 Click Enable IMAP.
5 Enter the number of concurrent connections you want to allow, then click Save.
6 Click Save.
7 Continue and configure security for IMAP authentication and transport.
See the following to continue configuration:
• “IMAP and POP Authentication” on page 65
• “Securing Mail Service with SSL” on page 67
Enabling POP Access
POP is used for receiving mail. The POP Mail service stores incoming POP mail until users
have their computers connect to Mail service and download their waiting mail. After a
user’s computer downloads POP mail, the mail is stored only on the user’s computer.
An advantage of using POP is that your server doesn’t need to store mail that users
have downloaded.
POP isn’t the best choice for users who access mail from more than one computer,
such as a home computer, an office computer, and a laptop while on the road because
after messages are accessed by one computer, they are deleted from the server.
To enable POP access:
1 In Server Admin, select a computer in the Servers list, then select Mail.
2 Click Settings.
3 Select the General tab.
4 Click Enable POP.
5 Click Save.
6 Continue and configure security for POP authentication and transport.
See the following to continue configuration:
• “IMAP and POP Authentication” on page 65
• “Securing Mail Service with SSL” on page 67
Choosing No Incoming Mail Retrieval
You can choose to enable SMTP Mail service but not supply POP or IMAP service for
incoming mail retrieval. If neither POP nor IMAP is enabled, incoming mail from other
mail servers is still delivered to users but they can’t access their mail with their mail
client applications.