Take Control of OS X Server, Chapter 8: Mail Services
In this chapter of “Take Control of OS X Server,” Charles Edge tries to persuade readers not to turn on OS X Server’s mail services, not because they’re difficult, but because doing so means non-stop battle against a constant onslaught of spam and malware. But if you do wish to venture into the breach, Charles provides the necessary background and instructions.
You forgot to mention port 587: it's the standard port for authenticated mail submissions. It was invented to get around the very common blocks of port 25, and is the default for most mail clients.
Also worth noting that many IP addresses (even static) will be blacklisted - either because you haven't arranged with your ISP to use it for outbound mail, or because it has previously been allocated to a spammer. So, it's important to check the IP address against various blacklists before deploying a mail server. For example, you could use http://www.dnswatch.info/dns/rbl-lookup
And one other thing: if the IP address doesn't have a PTR record pointing to the domain name of the host, you'll look like you don't own the IP address: so you'll look like a spammer. Make sure you have at least a pair of matching PTR and A records.
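The PTR/A match and blacklist checks recommended in this comment, as an added example that is not from the book or this thread: it takes a resolver callable so it runs offline against constructed records (rbl.example.net, mail.example.com and the 198.51.100.10 / 203.0.113.7 addresses are placeholders), and a live resolver with the same signature can be passed in to check a real host before deployment.

```python
from typing import Dict, List, Tuple

def reversed_octets(ip: str) -> str:
    """Validate an IPv4 address and return its octets in reverse order."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(octets))

def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNSBLs are queried by prefixing the reversed octets to the list's zone."""
    return reversed_octets(ip) + "." + zone.rstrip(".")

def check_fcrdns(ip: str, hostname: str, resolve) -> Tuple[bool, str]:
    """Forward-confirmed reverse DNS: PTR(ip) names the host and A(host) includes ip."""
    host = hostname.rstrip(".").lower()
    ptrs = [p.rstrip(".").lower() for p in resolve(reversed_octets(ip) + ".in-addr.arpa", "PTR")]
    if not ptrs:
        return False, f"no PTR record for {ip}"
    if host not in ptrs:
        return False, f"PTR for {ip} is {ptrs}, not {host}"
    if ip not in resolve(host, "A"):
        return False, f"A record for {host} does not include {ip}"
    return True, f"{ip} and {host} match in both directions"

def check_dnsbls(ip: str, zones: List[str], resolve) -> Dict[str, List[str]]:
    """Return {zone: answers} for each list on which ip appears (a 127.0.0.x answer means listed)."""
    listed: Dict[str, List[str]] = {}
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone), "A")
        if any(a.startswith("127.") for a in answers):
            listed[zone] = answers
    return listed

# Constructed records standing in for live DNS; rbl.example.net is a placeholder list name.
FAKE_RECORDS = {
    ("10.100.51.198.in-addr.arpa", "PTR"): ["mail.example.com."],
    ("mail.example.com", "A"): ["198.51.100.10"],
    ("7.113.0.203.in-addr.arpa", "PTR"): ["dynamic-7.isp.example.net."],
    ("7.113.0.203.rbl.example.net", "A"): ["127.0.0.2"],
}

def fake_resolve(name: str, rrtype: str) -> List[str]:
    """Offline stand-in for a DNS resolver, backed by FAKE_RECORDS."""
    return list(FAKE_RECORDS.get((name.lower(), rrtype), []))

if __name__ == "__main__":
    for ip in ("198.51.100.10", "203.0.113.7"):
        print(ip, check_fcrdns(ip, "mail.example.com", fake_resolve), check_dnsbls(ip, ["rbl.example.net"], fake_resolve))
```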
Thanks for reminding me about 587 - I missed that in editing because AirPort Utility so clearly includes all the others.
RBL checking and getting a PTR are indeed important, and are mentioned above.
Please describe in more detail what battling "against the constant onslaught of spam and malware" requires in practice.
Once OS X Server's mail and DNS and reverse-DNS, etc., are set up and SpamAssassin is in place, what more battles need to be fought?
Servers routinely get blacklisted for little to no reason. Settings from ISPs change, other people get blacklisted that you need to whitelist, etc. It's standard admin stuff. If you only have a few domains you mail back and forth with, it's not usually a massive deal. It does help that those NDRs are usually googleable so not complicated, just consistent to deal with the problems.
I'm trying to think back to some of the things that have made my life miserable in the past...
* SpamAssassin marks something incorrectly and a user goes ballistic because they missed an important message. And figuring out why they missed it takes 30-60 minutes you don't have on an important day.
* An idiot spammer sends spam to a few hundred thousand addresses with a return address of one of your users. Depending on a wide variety of possibilities, your server is blacklisted, suffers from delivery delays as it processes the bounces, starts bouncing legit mail to the user due to mail quotas, runs out of disk space, or crashes. And you have to explain all this to the user, who probably isn't technical and doesn't understand.
* One of your users has poor password hygiene and his account is compromised and used to send spam. Again, you're blacklisted, all your other users are confused and angry because their mail isn't going through, and you have to drop everything to figure out what happened and try to fix it. Getting off blacklists can be difficult, time consuming, and depressing, since you know you're not a spammer, but the people who run the blacklists have no reason to believe you.
* Either through some misconfiguration on your part, or a security exploit, your server is used to relay spam. This can not only get you blacklisted, but can get your Internet connectivity shut down.
Charles is right that this is standard sysadmin stuff, and if you are a sysadmin and understand what that means in terms of being at the beck and call of both a server and its users, you'll probably be fine. It's just important to realize that running a mail server is far from set-and-forget.
Just a couple of comments:
Under DNS Configuration - maybe explain why you should setup a PTR record as this isn't obvious.
Under "Connecting to Mail Server When Port 25 Is Blocked" The last bullet point should read "On the router, you can forward a custom port to port 25 on the server in order to..."
I also have a question about the Junk Mail filtering. Does SpamAssassin add a new email header with the score in as well as add the text to the subject if the score is breached?
Does mail.app move email with the ***JUNK MAIL*** to the Junk folder automatically?
I have a number of Mac minis running at my library, hosting various PHP apps and other systems that need to send mail. All I want a particular box to do is send mail out to a relay on campus. Don't want the machine to accept any incoming mail or relay mail for anyone else.
Is there an easy way to configure mail under OS X Server (10.8 and 10.9) to do that task?
Is setting up server even necessary for this very limited "outgoing smtp only" capability?
I'm not sure what the best way to do this is, Wally, since the Mail server isn't very granular in terms of what you can turn on and off (I don't see any way to avoid enabling incoming mail, for instance).
Perhaps Charles has some other ideas.
I'd just use the firewall to restrict incoming access from all but your LAN IPs. You can then use the Relay to relay outgoing mail through. Or better yet, use sudo serveradmin settings mail:postfix:mynetworks:_array_index:0 = "127.0.0.0/8" to add an array of your local networks so SMTP only works there.
Awesome post. I've been doing this for 20 years as a hobby on my own domain but you just answered some of my long standing questions in very simple and easy to understand language. Thanks Adam!!
Comments like this warm the cockles of my heart. :-)