Instructions

After more than 3 years there is a new release of Postfixadmin, the web-based tool that allows you to maintain your postfix mailserver installation. It assists in the creation of mail addresses and aliases.

New is the all-in-one interface where both the super user and the domain admin will work. In 2.1.0 there was a subdirectory called admin which needed extra securing. It is now an all-in-one interface.

The new version still has the same problem as the old one: it sends the SMTP commands too fast, which results in the error:

BD5DAF029E: reject: DATA from localhost[127.0.0.1]: 503 5.5.0 : Data command rejected: Improper use of SMTP command pipelining; from= to= proto=ESMTP helo=

This is easily solved by again editing ‘functions.inc.php’. Open the file and find the function ‘smtp_mail’. Change the following code:

fputs ($fh, "EHLO $smtp_server\r\n");
$res = smtp_get_response($fh);
fputs ($fh, "MAIL FROM:<$from>\r\n");
$res = smtp_get_response($fh);
fputs ($fh, "RCPT TO:<$to>\r\n");
$res = smtp_get_response($fh);
fputs ($fh, "DATA\r\n");
$res = smtp_get_response($fh);
fputs ($fh, "$data\r\n.\r\n");
$res = smtp_get_response($fh);
fputs ($fh, "QUIT\r\n");
$res = smtp_get_response($fh);
fclose ($fh);

into

fputs ($fh, "EHLO $smtp_server\r\n");
$res = smtp_get_response($fh);
usleep(10000);
fputs ($fh, "MAIL FROM:<$from>\r\n");
$res = smtp_get_response($fh);
usleep(10000);
fputs ($fh, "RCPT TO:<$to>\r\n");
$res = smtp_get_response($fh);
usleep(10000);
fputs ($fh, "DATA\r\n");
$res = smtp_get_response($fh);
usleep(10000);
fputs ($fh, "$data\r\n.\r\n");
$res = smtp_get_response($fh);
usleep(10000);
fputs ($fh, "QUIT\r\n");
$res = smtp_get_response($fh);
fclose ($fh);
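
Postfix logs this rejection when input from the client arrives ahead of the server's reply, so a client that reads each complete reply (greeting and multi-line EHLO included) before writing again cannot trigger it, whatever the timing. The following is an added example, not Postfix Admin's code: a shell reader for the SMTP reply format with a lockstep check; the function names and the transcript are constructed for illustration.

```shell
#!/bin/sh
# Added example: lockstep reading of SMTP replies (RFC 5321 reply format).
cr=$(printf '\r')

# Read ONE complete reply from stdin and store its code in $reply_code.
# "250-..." lines are continuations; "250 ..." (or a bare "250") ends the reply.
# Returns 1 on EOF before the final line, 2 on a malformed line.
smtp_read_reply() {
    reply_code=
    while IFS= read -r line; do
        line=${line%"$cr"}                      # strip the CR of CRLF
        case $line in
            [0-9][0-9][0-9]-*) ;;               # more lines of this reply follow
            [0-9][0-9][0-9] | [0-9][0-9][0-9]" "*)
                reply_code=$(printf '%.3s' "$line"); return 0 ;;
            *) return 2 ;;
        esac
    done
    return 1
}

# Check the server side of one delivery: every step must have produced the
# expected reply before the client may write its next command.
smtp_dialogue_ok() {
    for step in greeting:220 EHLO:250 MAIL:250 RCPT:250 DATA:354 body:250 QUIT:221; do
        smtp_read_reply ||
            { echo "no complete reply to ${step%%:*}" >&2; return 1; }
        [ "$reply_code" = "${step##*:}" ] ||
            { echo "${step%%:*}: expected ${step##*:}, got $reply_code" >&2; return 1; }
    done
}

# Constructed transcript of what a server sends during one delivery.
sample_transcript() {
    printf '%s\r\n' '220 mail.example.test ESMTP' \
        '250-mail.example.test' '250-PIPELINING' '250 8BITMIME' \
        '250 2.1.0 Ok' '250 2.1.5 Ok' '354 End data with <CR><LF>.<CR><LF>' \
        '250 2.0.0 Ok: queued' '221 2.0.0 Bye'
}
```

Try it with `sample_transcript | smtp_dialogue_ok`. A reader that treated every line as a reply would take `250-PIPELINING` for the answer to MAIL FROM and run one step ahead of the server.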

Full instructions on how to upgrade your current 2.1.0 installation to 2.2.0 can be found here: Upgrading Postfix Admin 2.1.0 to 2.2.0


In the continuing endeavour of improving the quality of his software Sam Varshavchik has released an upgrade to the Courier-auth daemon. This release has the following changes:

  • Cleaned up authmysql module — allow punctuation in userids and passwords
  • Dropped the unmaintained authvchkpw module

If you want to upgrade your installation please read my upgrade instructions for Courier-auth.


I’ve finished the documentation set for the DSpam installation on Leopard. There are some minor changes that would cause many problems between Tiger and Leopard. Most, if not all, of the changes are the result of the new user name creation and naming in Leopard. The last change is in the startup procedure: we are now using the launchd system for DSpam as well.


Well, the new server is proving its worth. As it is running Leopard I finally had a machine permanently available to test it out in the real world. So I’ve checked and double checked all the install instructions and they all work. Still to do is adding DSPAM and Maildrop but that won’t take that long. When that is done I’ll write some documents on upgrading!

The only problem I haven’t tackled yet is how to start postfix using the new launchctl plist files. I can’t get it to start properly. If someone can show me how it’s done I would greatly appreciate it.

Update: All right, persistence has paid off. I kept googling and searching the Apple support pages and found the answer on how to start postfix using launchd. The documentation has been updated to reflect the new findings.


If you are reading this the page has been fed from the new server at macminicolo.net. I hope you like the new speed. Now that this is finished and most of the design has been tweaked I can spend some time on writing some more documentation again. I hope to get the Leopard specifics for the installation grouped into one place; the aim is to get this done before the end of May.


We used to use the /etc/hostconfig file for determining which programs should start at boot time on our Mac. Apple however has decided that this will stop in future versions and that they will move over to launchd; it is currently used in Leopard and is the preferred way of controlling your daemons. You can read more about it on the AFP548 site and in the manpages for launchd, launchctl and plist.

To enable it we need to create a .plist file with all the details, as MySQL is a system wide application we need to put it in /System/Library/LaunchDaemons/ and I’m going to call it com.diymacserver.mysql.plist. The content of the file will look like:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>com.diymacserver.mysql</string>
  <key>KeepAlive</key>
  <true/>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/local/mysql/bin/mysqld</string>
  </array>
  <key>RunAtLoad</key>
  <true/>
  <key>UserName</key>
  <string>_mysql</string>
  <key>WorkingDirectory</key>
  <string>/usr/local/mysql</string>
</dict>
</plist>

The label key should be the same as the plist file name without the .plist
The KeepAlive option will restart MySQL when it crashes or is stopped.
The RunAtLoad means it will start at boot time.
The UserName option indicates under which user the program should start.

To load and activate the .plist file and to make sure that it is started after a reboot you’ll need to load the plist file by using the command:

sudo launchctl load /System/Library/LaunchDaemons/com.diymacserver.mysql.plist

You can see if it loaded correctly by using the command:

sudo launchctl list

This will show you all the active plist files.

You can see if everything went correctly by trying to start the mysql instance.

sudo launchctl start com.diymacserver.mysql

To stop the instance you could use:

sudo launchctl stop com.diymacserver.mysql

But because of the KeepAlive option it will be restarted.

To stop the script being run at boot time you need to unload the plist file.

sudo launchctl unload /System/Library/LaunchDaemons/com.diymacserver.mysql.plist


I’m still very busy and I haven’t had time to rewrite the documentation to reflect all the changes needed to install the mailserver components on a Leopard based Mac.

But here is a quick instruction set on how to get every item compiled on Leopard. Use the documentation set for all the other instructions; listed here are only the differences for Leopard.

First of all, you don’t need to install SASL anymore; it all works without it.

Postfix:
make -f Makefile.init makefiles \
CFLAGS='-arch i386 -isysroot /Developer/SDKs/MacOSX10.4u.sdk' \
CCARGS='-DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL \
-I/usr/include/sasl \
-DHAS_PCRE -I/usr/local/include \
-DHAS_SSL -I/usr/include/openssl \
-DHAS_MYSQL -I/usr/local/mysql/include/mysql' \
AUXLIBS='-L/usr/lib -lldap -lsasl2 -L/usr/lib -llber -L/usr/local/lib \
-L/usr/local/lib -lpcre \
-lssl -L/usr/local/mysql/lib/mysql \
-lmysqlclient -lz -lm'

Courier Auth:
export MACOSX_DEPLOYMENT_TARGET=10.5
./configure --with-authmysql \
--without-authpam \
--with-mysql-libs=/usr/local/mysql/lib/mysql \
--with-mysql-includes=/usr/local/mysql/include/mysql

Courier Imap:
./configure --prefix=/usr/local \
--with-authpwd=YES \
--without-authcram \
COURIERAUTHCONFIG=/usr/local/bin/courierauthconfig

Create the vmail user:
sudo dscl . -create /Users/_vmail
sudo dscl . -create /Users/_vmail UserShell /usr/bin/false
sudo dscl . -create /Users/_vmail UniqueID 102
sudo dscl . -create /Users/_vmail PrimaryGroupID 102
sudo dscl . -create /Users/_vmail NFSHomeDirectory /var/empty
sudo dscl . -passwd /Users/_vmail ''

Create the dspam user:
sudo dscl . -create /Users/_dspam
sudo dscl . -create /Users/_dspam UserShell /usr/bin/false
sudo dscl . -create /Users/_dspam UniqueID 101
sudo dscl . -create /Users/_dspam PrimaryGroupID 101
sudo dscl . -create /Users/_dspam NFSHomeDirectory /usr/local/var/dspam
sudo dscl . -passwd /Users/_dspam ''

DSpam:
./configure --enable-daemon \
--with-storage-driver=mysql_drv \
--with-mysql-includes=/usr/local/mysql/include/mysql \
--with-mysql-libraries=/usr/local/mysql/lib/mysql \
--enable-preferences-extension \
--with-dspam-home-owner=_dspam \
--with-dspam-home-group=_postfix \
--with-dspam-home=/usr/local/var/dspam \
--enable-long-usernames \
--with-dspam-group=postfix \
--enable-mysql4-initialization \
--enable-domain-scale \
--enable-virtual-users \
--enable-debug \
--enable-verbose-debug

Maildrop:
sudo chown _vmail maildroprc

maildrop unix - n n - - pipe
  flags=DRhu user=_vmail argv=/usr/local/bin/maildrop /etc/maildroprc -d ${user}@${nexthop} ${extension} ${recipient} ${user} ${nexthop} ${sender}

Some of the changes are minor but they are required. I’m still testing most of the setup, sorry that it takes so much time to update the documentation. If someone knows a way to edit Wordpress pages offline in an easy way I would like to hear about it.


There are more and more problems being reported by people trying to use postfix 2.5.0. I haven’t gotten it to work myself either. The error occurs during linking; you will see a message related to “_sasl_set_path”.

Please use 2.4.7 as a stable version that works.

Update: It looks like on Leopard you don’t need to install SASL, somehow the default installed version does work. To use that you also need to adjust the makefile creation.

make -f Makefile.init makefiles \
CFLAGS='-arch i386 -isysroot /Developer/SDKs/MacOSX10.4u.sdk' \
CCARGS='-DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL \
-I/usr/local/include/sasl \
-DHAS_PCRE -I/usr/local/include \
-DHAS_SSL -I/usr/include/openssl \
-DHAS_MYSQL -I/usr/local/mysql/include/mysql' \
AUXLIBS='-L/usr/lib -lldap -lsasl2 -L/usr/lib -llber -L/usr/local/lib \
-L/usr/local/lib -lpcre \
-lssl -L/usr/local/mysql/lib/mysql \
-lmysqlclient -lz -lm'

There are still other people testing this, if you can test this as well please let me know the outcome.


It’s that time of year again for me. My certificates, which I normally give a lifespan of a year, expired again. I thought I should write down the procedure for refreshing your certificates for all of you and myself so you don’t need to wade through the complete documentation set to find the relevant parts. I hope it is as useful to you as it will be for me in a year.

First we’ll do the Postfix SMTP TLS/SSL part.

Just open a Terminal and execute the following command in the directory ‘/etc/postfix‘:

sudo openssl req -new -outform PEM -out smtpd.cert \
    -newkey rsa:2048 -nodes -keyout smtpd.key -keyform PEM \
    -days 365 -x509

This will create a 2048-bit RSA key that, for now, is secure enough for your mailserver to use. If you are paranoid and want a bigger key just increase the number after rsa:. The certificate will be valid for a year; if you want a longer period just increase the number after the -days option. When the key has been generated you will be asked a couple of questions. The information will be shown to people who inspect your certificate when their mail client complains. The most important one is the ‘Common Name’: make sure it is the same as the mail server name. Also please make sure that all your answers are the same as in the original certificate.

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:your.mailserver.tld
Email Address []:you@yourdomain.tld

To make sure everything is refreshed do a ‘sudo postfix reload‘ and try to send an email.

For the IMAP server it is a bit simpler, as all the details are put in a configuration file that should still be there: ‘/usr/local/etc/imapd.cnf’. Please check the contents of the file and if they don’t reflect your setup please edit the file as described here.

When everything is verified and found in the correct state you can go to the directory ‘/usr/local/share‘ and run ‘sudo ./mkimapdcert‘ to generate a new certificate. Make sure you remove the existing ‘imapd.pem‘ in the same directory first or no new certificate will be created.

Start up your favourite mail client and check the certificate.

All should be in the correct state and our certificates are valid for another year.
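
The checks below can replace "send an email and see" for the Postfix certificate pair created above. This is an added example, not part of the original instructions: `check_cert` and `demo` are hypothetical names, and `mail.example.test` is a constructed host name standing in for your mail server.

```shell
#!/bin/sh
# Added example: checks to run after renewing /etc/postfix/smtpd.cert.
# Usage: check_cert CERT KEY EXPECTED_CN MIN_DAYS
# Prints one line per failed check; the return status is the failure count.
check_cert() {
    cert=$1 key=$2 cn=$3 min_days=$4 fails=0

    # 1. Not expiring within MIN_DAYS (-checkend takes seconds).
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null ||
        { echo "FAIL: certificate expires within $min_days days"; fails=$((fails + 1)); }

    # 2. Common Name equals the name mail clients connect to.
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
              sed 's/^subject= *//')
    case ",$subject," in
        *",CN=$cn,"*) ;;
        *) echo "FAIL: CN is not $cn (subject: $subject)"; fails=$((fails + 1)) ;;
    esac

    # 3. The private key belongs to this certificate (same RSA modulus).
    cert_mod=$(openssl x509 -in "$cert" -noout -modulus)
    key_mod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ] ||
        { echo "FAIL: $key does not match $cert"; fails=$((fails + 1)); }

    # 4. -nodes leaves the key unencrypted, so only its owner may access it.
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] ||
        { echo "FAIL: $key is accessible to group or others"; fails=$((fails + 1)); }

    return "$fails"
}

# Constructed demo: a throwaway self-signed pair in a temp directory.
demo() {
    d=$(mktemp -d) &&
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=mail.example.test" \
        -keyout "$d/smtpd.key" -out "$d/smtpd.cert" 2>/dev/null &&
    chmod 600 "$d/smtpd.key" &&
    check_cert "$d/smtpd.cert" "$d/smtpd.key" mail.example.test 30
}
```

Call `demo` to try it, or run `check_cert smtpd.cert smtpd.key your.mailserver.tld 30` as root in ‘/etc/postfix’; run from cron, the same call gives a month's notice before the next expiry.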


In the last year I had some discussions with DIYMacServer users on how to upgrade their machine or even move their setup to some new hardware. The biggest issue or problem they encountered was how to safely move the emails stored on the server. In this post I will try to describe one way (there are more possibilities to do this) that is pretty safe and you won’t lose any mail.

Before you start please check if you have enough diskspace to make an archive of the mail directory, it might have become very big. You can check the size of the directory by using the command:

sudo du -hc /usr/local/virtual

The last line from the output will tell you how much space you need on your disk. If you haven’t got enough room you can ask your users to empty their Trash and Sent mail in their email application or remove some items you have stored on the server yourself. If that ain’t possible you’ll need to buy an extra drive (external or internal, depending on the machine you’ve got).

If you have users other than yourself using the mail-server please inform them in advance that the mail-server is going off-line for a short period, at a time that is convenient for you to perform this task. This is only about moving the mail, not the websites, and I’m assuming you’ve got the other machine ready and set up to take over.

When the time comes, take the IMAP server off-line, to prevent users from accessing their IMAP folders and accidentally doing something between the backup and restore actions. If you’ve got POP3 configured, please stop that as well.

Stop Postfix to prevent incoming mail from being lost when it arrives between the backup and restore actions.

Now everything is stopped and you are ready to make a backup of the email directory.

You can do this by using the following command:

sudo tar -czf mailbackup.tar.gz /usr/local/virtual

This will create a big file called ‘mailbackup.tar.gz’, you can copy/move/ftp this file to any destination you would like.

To unpack the backup and restore it to its new destination please use the following command:

cd /
sudo tar -xzf /locationofarchive/mailbackup.tar.gz

Replace ‘locationofarchive’ with the path to where you stored your backup archive.

If you used the same setup on both machines the mail directory should have the proper security settings and ownership. You can test this by using the following command:

sudo ls -l /usr/local/virtual

The owner of the directories should be postfix or vmail, depending on your setup.

Now you can start the IMAP server first and check with your own mail client if you can access all your email again on the server. If there is a problem please check your logfile (/var/log/mail.log) for a possible explanation. If it all works turn on the Postfix server and send yourself an email using another mailserver (use a web-based service like Gmail, Yahoo mail or Hotmail) and check if the email arrives in your mailbox. Keep an eye on the logfile to see the email coming in.

If everything is working for you inform your users that it is all right to use the mail-server and if they have any issues that they please inform you about it.
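
To confirm that nothing was lost or altered in transit, the move can be checked with a digest manifest before the services are started again. This is an added example, not part of the original procedure: the function names are hypothetical, the archive is made relative to the parent directory with `-C` instead of from `/`, and the sample Maildir is constructed.

```shell
#!/bin/sh
# Added example: verify that the restored mail tree equals the source.

# Print "digest  ./relative/path" for every file under DIR, sorted by path.
manifest() (
    cd "$1" || exit 1
    if command -v sha256sum >/dev/null 2>&1; then sum_cmd=sha256sum
    else sum_cmd="shasum -a 256"; fi
    find . -type f -exec $sum_cmd {} + | LC_ALL=C sort -k 2
)

# Old machine: backup_mail DIR ARCHIVE MANIFEST
backup_mail() (
    umask 077                          # the archive holds every user's mail
    manifest "$1" > "$3" &&
    tar -czf "$2" -C "$(dirname "$1")" "$(basename "$1")" &&
    tar -tzf "$2" > /dev/null          # archive reads back end to end
)

# New machine: restore_mail ARCHIVE MANIFEST ROOT NAME
# Unpacks under ROOT and prints any file that differs from the manifest.
restore_mail() {
    tar -xzf "$1" -C "$3" &&
    manifest "$3/$4" | diff "$2" -
}

# Constructed sample: a tiny Maildir tree moved between two temp directories.
demo() {
    t=$(mktemp -d) &&
    mkdir -p "$t/old/virtual/example.test/jane/cur" "$t/new" &&
    echo "Subject: hello" > "$t/old/virtual/example.test/jane/cur/1.M1.host:2,S" &&
    backup_mail "$t/old/virtual" "$t/mail.tar.gz" "$t/mail.sha256" &&
    restore_mail "$t/mail.tar.gz" "$t/mail.sha256" "$t/new" virtual
}
```

Call `demo` to try it. For the real move, run `backup_mail /usr/local/virtual mailbackup.tar.gz mail.sha256` as root on the old machine, copy both files across, and run `restore_mail mailbackup.tar.gz mail.sha256 /usr/local virtual` on the new one; no output means every file matches.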

Good luck!
