Technology from the trenches

Tiger to Leopard Server Migration, Part Three

Picking up where the last article left off, this article looks at setting up the mail service in Leopard, including migrating mail data from Tiger.


Configuring the Mail Service

In the Server Admin application, I jumped right to the Settings part of the Mail section and filled out things appropriately. In the “Domain name” field I entered the fully qualified domain name of the server in its role as a mail server; this is the same address that is in the MX records in DNS. For example, “mail.netmojo.ca”.

The “Host name” field contains the fully qualified domain name of the server itself. “leopardserver.netmojo.ca”, for example.

I checked off Enable IMAP, SMTP, and “Copy undeliverable mail to:”, with an appropriate postmaster email address. In the Filters tab, I enabled Junk mail and virus scanning to my taste.

I would like to use the mailing list feature some time, but I’ll come back to that later, so for now I left it disabled.

In the Logging tab, I increased the verbosity of each section, since I like to know what is going on with my server, and I monitor the logs as much as I can. To save on disk space, I also checked off the Archive option, setting it for 7 days.

In the Advanced tab, I checked off all of the authentication methods for SMTP and IMAP, except for CRAM-MD5, which my clients won’t be using. In the SSL settings, I selected “Use” for SMTP and “Require” for IMAP. I selected a self-signed SSL certificate that I created with the “Manage Certificates” feature of Server Admin.

Migrating IMAP Email: Bad Documentation

I discovered that the Upgrading and Migrating book contains an egregious error.

In the “Migrating from Mac OS X Server v10.4” chapter, on page 40, it describes how to migrate the mail database. Step 8, “Run the mail database upgradedb script”, shouldn’t be there. That script is for Panther.

The mail database between 10.4 and 10.5 does not need to be modified - basically, no migration is necessary, just copy the files over. The advice in the Upgrading and Migrating manual contradicts advice in the Mail Service Administration manual:

Moving Mail Messages from Apple Mail Server to Mac OS X Server v10.5

If you have upgraded your server from a version prior to Mac OS X Server v10.3 and you have an existing Apple Mail Server database, you must migrate your mail database to Mac OS X Server v10.5 Mail service. If you are upgrading from Mac OS X Server v10.3 or v10.4, no migration is necessary.

To migrate the data, all you need to do is copy it over.

Copy The IMAP Files From Tiger to Leopard

If your IMAP files are in the default location, you can back them up to an archive file using tar. On your 10.4 Server:

cd /
mkdir /Volumes/disk2/imap
tar czvf /Volumes/disk2/imap/var-imap.tgz var/imap
tar czvf /Volumes/disk2/imap/var-spool-imap.tgz var/spool/imap

On my server, “/Volumes/disk2” is a disk that is shared between my 10.4 install and my 10.5 install.

On the 10.5 Server, make sure that the Mail service is not running, and set the existing directories aside as a backup:

sudo bash
cd /var
mv imap imap.original
mkdir imap
chown _cyrus:mail imap
ls -l | grep imap
drwxr-xr-x 2 _cyrus mail 68 Nov 14 18:16 imap
drwxr-xr-x 16 _cyrus mail 544 Nov 7 19:52 imap.original

Do the same thing for /var/spool/imap. Then, extract the archived files:

cd /
tar xvf /Volumes/disk2/imap/var-imap.tgz
tar xvf /Volumes/disk2/imap/var-spool-imap.tgz

One bit of advice that I did follow from the Upgrading and Migrating manual is step 9 on page 41: reconstruct the mail index files:

/usr/bin/cyrus/bin/reconstruct -i

Enable Alternate SMTP Port

Many big ISPs now block outgoing traffic on port 25, to fight spam and irritate their customers. A work-around is to accept mail on the alternate SMTP port, 587, also known as the “submission” service. It is easy to enable: open /etc/postfix/master.cf in a text editor, and uncomment the line:

submission inet n - n - - smtpd

If your mail server is already running, you need to reload it for the change to take effect (run “postfix reload”). Remember to allow connections to this port in your static firewall rules as well.

Set Up Requisite Email Aliases

Every UNIX server has a few standard email addresses: root@hostname, and postmaster@hostname, for example. You need to tell the server where to send email that the system sends to these addresses. To do that, you need to edit the /etc/postfix/aliases file.

Edit at least the first aliases, at the top of the file:

# Person who should get root's mail. Don't receive mail as root!
root: brentk

# Basic system aliases -- these MUST be present
MAILER-DAEMON: postmaster
postmaster: root

This tells the system to send email addressed to root@ to brentk@, and email going to MAILER-DAEMON@ to postmaster@, and email going to postmaster@ to root@. So ‘brentk’ gets everything.

If you have any other email aliases, you could add them to this file too. Mail doesn’t need to go to a local user; instead of just ‘brentk’, I could have put ‘brentk@gmail.com’ (not my address — apologies to the imposter) instead.

Once you have edited the aliases file, you need to run the “newaliases” command.
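As an added example (not part of the original post), here is a small shell check that follows an alias chain the way Postfix will deliver it, so you can confirm that the required names end at a real mailbox rather than at root or in a loop. The alias table is constructed inline from the entries above plus one deliberate loop; on a real server you would read /etc/postfix/aliases instead.

```shell
#!/bin/sh
# Added example: resolve Postfix alias chains and sanity-check the required
# system aliases. The table below is constructed for illustration.
ALIASES=$(cat <<'EOF'
# Person who should get root's mail. Don't receive mail as root!
root: brentk

# Basic system aliases -- these MUST be present
MAILER-DAEMON: postmaster
postmaster: root

# constructed misconfiguration: two aliases that point at each other
ping: pong
pong: ping
EOF
)

# Print the right-hand side for alias $1, or nothing if $1 is not an alias
# (a local user or an external address is treated as a final destination).
alias_target() {
    printf '%s\n' "$ALIASES" | awk -v name="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            key = substr($0, 1, index($0, ":") - 1)
            val = substr($0, index($0, ":") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == name) { print val; exit }
        }'
}

# Walk the chain from $1 (e.g. MAILER-DAEMON -> postmaster -> root -> brentk).
# Prints the final destination, or LOOP if the chain never terminates.
resolve_alias() {
    cur=$1; seen=" "
    while :; do
        case "$seen" in *" $cur "*) echo LOOP; return 1 ;; esac
        seen="$seen$cur "
        next=$(alias_target "$cur")
        [ -n "$next" ] || { echo "$cur"; return 0; }
        cur=$next
    done
}

# A required alias is usable only if it resolves, and not back to root.
check_alias() {
    dest=$(resolve_alias "$1") || return 1
    [ "$dest" != root ]
}
```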

Start the Mail Service

Before starting the Mail service, I want to make sure that the server does not accept any incoming email — I’m not done configuring the server yet, and I don’t want it accepting new mail from external sources. To be sure that the server doesn’t accept any email, I added a temporary firewall rule to block port 25 in general, but to allow it from me:

ipfw add 00002 allow tcp from 123.456.789.111 to me dst-port 25
ipfw add 00002 allow tcp from 123.456.789.111 to me dst-port 587
ipfw add 00003 deny tcp from any to me dst-port 25
ipfw add 00003 deny tcp from any to me dst-port 587

In Server Admin, when I started the Mail service, I got the warning that “Service port may be restricted”. I watched the logs as it started up, and everything looked good.

Nov 14 18:36:13 leopardserver master[695]: process started
Nov 14 18:36:14 leopardserver ctl_cyrusdb[700]: verifying cyrus databases
Nov 14 18:36:14 leopardserver ctl_cyrusdb[700]: skiplist: recovered /var/imap/mailboxes.db (288 records, 27996 bytes) in 0 seconds
Nov 14 18:36:14 leopardserver ctl_cyrusdb[700]: skiplist: recovered /var/imap/annotations.db (0 records, 144 bytes) in 0 seconds
Nov 14 18:36:17 leopardserver ctl_cyrusdb[700]: done verifying cyrus databases
Nov 14 18:36:17 leopardserver master[695]: Cyrus POP/IMAP Server v2.3.8 ready for work
Nov 14 18:36:17 leopardserver ctl_cyrusdb[731]: checkpointing cyrus databases
Nov 14 18:36:18 leopardserver ctl_cyrusdb[731]: done checkpointing cyrus databases
Nov 14 18:40:54 leopardserver master[847]: process started

I fired up Mail.app (client), and connected to IMAP. It logged in fine, and all of my mailboxes and email messages are there. I can see from the Mail Access logs that I logged in using plaintext+TLS, so my authentication data did not go over the wire in the clear.

Trouble with SMTP

I encountered a little problem when I tested sending email. Fortunately, /var/log/mail.log told me exactly what the problem was:

Nov 14 19:40:23 leopardserver postfix/tlsmgr[1828]: warning: no entropy source specified with parameter tls_random_source
Nov 14 19:40:23 leopardserver postfix/tlsmgr[1828]: warning: encryption keys etc. may be predictable
Nov 14 19:40:23 leopardserver postfix/smtpd[1827]: warning: cannot get private key from file /etc/certificates/mail.netmojo.ca.key
Nov 14 19:40:23 leopardserver postfix/smtpd[1827]: warning: TLS library problem: 1827:error:0906406D:PEM routines:DEF_CALLBACK:problems getting password:pem_lib.c:105:
Nov 14 19:40:23 leopardserver postfix/smtpd[1827]: warning: TLS library problem: 1827:error:0906A068:PEM routines:PEM_do_header:bad password read:pem_lib.c:401:
Nov 14 19:40:23 leopardserver postfix/smtpd[1827]: warning: TLS library problem: 1827:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:709:
Nov 14 19:40:23 leopardserver postfix/smtpd[1827]: cannot load RSA certificate and key data

The SSL certificate was not being loaded. The reason was that I had added a password to its private key. I edited the certificate using the Certificate Manager feature of Server Admin, removed the password, and ran ‘postfix reload’. When I retried sending with my mail client, I got a pop-up message asking whether to accept the self-signed certificate. I accepted it, and the mail was sent.

It is curious that IMAP worked with TLS but SMTP didn’t. I guess Postfix is more picky than Cyrus.
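As an added example (not part of the original post), the shell functions below triage the Postfix TLS warnings shown above: they pull the offending key path out of mail.log, classify the failure, and check whether a PEM key file still carries a passphrase, which is what kept smtpd from loading it. The log lines are the post’s own excerpt; the key files are constructed stand-ins with the key bytes replaced by a placeholder line.

```shell
#!/bin/sh
# Added example: triage Postfix TLS key-loading failures from mail.log and
# verify that a PEM private key is not passphrase-protected.
MAIL_LOG=$(cat <<'EOF'
Nov 14 19:40:23 leopardserver postfix/tlsmgr[1828]: warning: no entropy source specified with parameter tls_random_source
Nov 14 19:40:23 leopardserver postfix/smtpd[1827]: warning: cannot get private key from file /etc/certificates/mail.netmojo.ca.key
Nov 14 19:40:23 leopardserver postfix/smtpd[1827]: warning: TLS library problem: 1827:error:0906A068:PEM routines:PEM_do_header:bad password read:pem_lib.c:401:
Nov 14 19:40:23 leopardserver postfix/smtpd[1827]: cannot load RSA certificate and key data
EOF
)

# Print the key file smtpd could not open, taken from the "cannot get private
# key from file" warning; prints nothing if the log shows no such failure.
failed_key_path() {
    printf '%s\n' "$1" | sed -n 's/.*cannot get private key from file \([^ ]*\).*/\1/p' | head -n 1
}

# Classify the failure: KEY_PASSPHRASE when OpenSSL reports a bad password
# read (an encrypted key with no passphrase available), KEY_LOAD_FAIL for any
# other "cannot load RSA certificate and key data", OK when neither appears.
diagnose_smtpd_tls() {
    if printf '%s\n' "$1" | grep -q 'PEM_do_header:bad password read'; then
        echo KEY_PASSPHRASE
    elif printf '%s\n' "$1" | grep -q 'cannot load RSA certificate and key data'; then
        echo KEY_LOAD_FAIL
    else
        echo OK
    fi
}

# Return 0 if the PEM file at $1 is passphrase-protected: either a legacy key
# with a "Proc-Type: 4,ENCRYPTED" header or a PKCS#8 ENCRYPTED PRIVATE KEY block.
key_has_passphrase() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Write a constructed stand-in key file: $1 = encrypted|plain, $2 = path.
# Only the PEM headers matter for the check; the body is a placeholder.
write_sample_key() {
    if [ "$1" = encrypted ]; then
        printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
            'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF' '' \
            'constructed placeholder, key bytes omitted' '-----END RSA PRIVATE KEY-----' > "$2"
    else
        printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
            'constructed placeholder, key bytes omitted' '-----END RSA PRIVATE KEY-----' > "$2"
    fi
}
```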

Authenticating with Kerberos

In my next article, I will look at setting up client computers to authenticate to the server. Part of this will be getting Kerberos (“single sign-on”) services working, which will also provide an even more secure mail login.


5 Responses to “Tiger to Leopard Server Migration, Part Three”

  1. Phil Greer Says:

    great articles,
    eagerly awaiting part 4

  2. Codeus Says:

    Same here, very good stuff and much appreciated. I have only joined the Mac server admin world since after Tiger was released and these articles have made the migration process much easier.

    Why couldn’t apple’s documentation put it that clearly?

    Keep up the excellent work.

  3. Brent Says:

    Thanks for the support. Part 4 is coming soon!

    I did post two other articles on some leopard server configuration issues:

    * http://www.netmojo.ca/blog/2007/12/01/setting-up-sieve-and-vacation-messages-on-mac-os-x-server/

    * http://www.netmojo.ca/blog/2007/11/21/locked-out-of-leopard/

    Cheers,
    Brent

  4. Hal Says:

    Hello, thanks for the very instructive work! I can’t wait for your part 4 as I am going absolutely mad about this AFP & Kerberos thing. I just can’t figure it out…..!!

  5. Ivailo Djilianov Says:

    Great series of posts, they make me far more confident in what I’m about to do in a couple of hours. Wish me luck ;-) BTW, have you considered migrating mail boxes via the mailbfr script of http://osx.topicdesk.com/ ? Anybody going that way, I suggest they do a full backup of all mail settings on Tiger, then restore only mail data on Leopard and tweak the config files manually.
