Postfix

After more than 3 years there is a new release of Postfixadmin, the web-based tool that lets you maintain your Postfix mail server installation. It assists in the creation of mail addresses and aliases.

New is the all-in-one interface in which both the super user and the domain admin work. In 2.1.0 there was a subdirectory called admin which needed to be secured separately; it is now a single interface.

The new version still has the same problem as the old one: it sends the SMTP commands too fast, which results in the error:

BD5DAF029E: reject: DATA from localhost[127.0.0.1]: 503 5.5.0 : Data command rejected: Improper use of SMTP command pipelining; from= to= proto=ESMTP helo=

This is easily solved by again editing ‘functions.inc.php‘. Open the file and find the function ‘smtp_mail‘. Change the following code:

fputs ($fh, "EHLO $smtp_server\r\n");
$res = smtp_get_response($fh);
fputs ($fh, "MAIL FROM:<$from>\r\n");
$res = smtp_get_response($fh);
fputs ($fh, "RCPT TO:<$to>\r\n");
$res = smtp_get_response($fh);
fputs ($fh, "DATA\r\n");
$res = smtp_get_response($fh);
fputs ($fh, "$data\r\n.\r\n");
$res = smtp_get_response($fh);
fputs ($fh, "QUIT\r\n");
$res = smtp_get_response($fh);
fclose ($fh);

into

fputs ($fh, "EHLO $smtp_server\r\n");
$res = smtp_get_response($fh);
usleep(10000); // pause 10 ms so the next command is not sent before Postfix has finished replying
fputs ($fh, "MAIL FROM:<$from>\r\n");
$res = smtp_get_response($fh);
usleep(10000);
fputs ($fh, "RCPT TO:<$to>\r\n");
$res = smtp_get_response($fh);
usleep(10000);
fputs ($fh, "DATA\r\n");
$res = smtp_get_response($fh);
usleep(10000);
fputs ($fh, "$data\r\n.\r\n");
$res = smtp_get_response($fh);
usleep(10000);
fputs ($fh, "QUIT\r\n");
$res = smtp_get_response($fh);
fclose ($fh);
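The pause works because it gives Postfix time to finish its reply, but the reply itself tells the client when it may continue. As an added example that is neither PostfixAdmin's code nor the original post's, here is the same dialogue as a lockstep client in Python: smtp_get_response() reads every line of a reply (an EHLO answer spans several "250-" lines) before the next command is written, which is what the pipelining check requires, and addresses are refused if they contain line breaks, since the PHP version interpolates $from and $to into the command unchanged. The host names and the server transcript are constructed, not captured.

```python
import io
import socket


class SMTPError(Exception):
    """Raised when the server closes the connection or answers unexpectedly."""


def smtp_get_response(rfile):
    """Read one *complete* SMTP reply and return (code, [text lines]).

    Continuation lines look like "250-..." and the final line like "250 ..."
    (RFC 5321, section 4.2.1). A client that reads only the first line leaves
    the rest of an EHLO reply unread, and its next command arrives "too early".
    """
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise SMTPError("connection closed while waiting for a reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise SMTPError("malformed reply line: %r" % line)
        lines.append(line[4:])
        if len(line) == 3 or line[3] == " ":
            return int(line[:3]), lines


def reply_from_bytes(data):
    """Convenience wrapper: parse one reply held in a byte string."""
    return smtp_get_response(io.BytesIO(data))


def is_valid_address(addr):
    """An address must be non-empty and must not carry CR/LF or angle brackets,
    otherwise a caller could smuggle extra commands into the dialogue."""
    return bool(addr) and not any(c in addr for c in "\r\n<>")


def smtp_command(rfile, wfile, command, expected):
    """Send one command and wait for its full reply before returning (lockstep)."""
    wfile.write(command.encode("ascii") + b"\r\n")
    wfile.flush()
    code, lines = smtp_get_response(rfile)
    if code != expected:
        raise SMTPError("%s -> %d %s" % (command.split()[0], code, " / ".join(lines)))
    return lines


def smtp_mail(rfile, wfile, helo_name, sender, recipient, data):
    """The same exchange as the page's smtp_mail(), without sleeps."""
    for addr in (sender, recipient):
        if not is_valid_address(addr):
            raise SMTPError("invalid address: %r" % addr)
    code, greeting = smtp_get_response(rfile)   # the server speaks first
    if code != 220:
        raise SMTPError("no 220 greeting: %d %s" % (code, greeting))
    smtp_command(rfile, wfile, "EHLO " + helo_name, 250)
    smtp_command(rfile, wfile, "MAIL FROM:<%s>" % sender, 250)
    smtp_command(rfile, wfile, "RCPT TO:<%s>" % recipient, 250)
    smtp_command(rfile, wfile, "DATA", 354)
    # Dot-stuff the body so a line consisting of "." cannot end the message early.
    lines = data.replace("\r\n", "\n").split("\n")
    body = "\r\n".join("." + l if l.startswith(".") else l for l in lines)
    reply = smtp_command(rfile, wfile, body + "\r\n.", 250)
    smtp_command(rfile, wfile, "QUIT", 221)
    return reply


def send_message(host, port, helo_name, sender, recipient, data):
    """Real usage: run the dialogue over a TCP connection to the mail server."""
    with socket.create_connection((host, port), timeout=30) as sock:
        return smtp_mail(sock.makefile("rb"), sock.makefile("wb"),
                         helo_name, sender, recipient, data)


# Constructed transcript of a Postfix server answering one submission (not a real capture).
SAMPLE_SERVER = [
    b"220 mail.example.test ESMTP Postfix",
    b"250-mail.example.test", b"250-PIPELINING", b"250-SIZE 10240000", b"250 8BITMIME",
    b"250 2.1.0 Ok",
    b"250 2.1.5 Ok",
    b"354 End data with <CR><LF>.<CR><LF>",
    b"250 2.0.0 Ok: queued",
    b"221 2.0.0 Bye",
]


def run_transcript(server_lines, sender="admin@example.test", recipient="user@example.test"):
    """Drive smtp_mail() against a scripted server; returns the bytes the client sent."""
    rfile = io.BytesIO(b"".join(l + b"\r\n" for l in server_lines))
    wfile = io.BytesIO()
    smtp_mail(rfile, wfile, "admin.example.test", sender, recipient,
              "Subject: test\n\nhello\n.\nbye")
    return wfile.getvalue()


def dialogue_error(server_lines):
    """Return the error text if the scripted dialogue fails, else None."""
    try:
        run_transcript(server_lines)
    except SMTPError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(run_transcript(SAMPLE_SERVER).decode())
```

Run it with no arguments to see the exact bytes the client would put on the wire; dialogue_error() shows what a 503 "Improper use of SMTP command pipelining" reply looks like from the client's side once it is actually read instead of being overwritten by the next command.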

Full instructions on how to upgrade your current 2.1.0 installation to 2.2.0 can be found here: Upgrading Postfix Admin 2.1.0 to 2.2.0


Well, the new server is proving its worth. As it is running Leopard I finally have a machine permanently available to test it out in the real world. So I’ve checked and double-checked all the install instructions and they all work. Still to do is adding DSPAM and Maildrop, but that won’t take that long. When that is done I’ll write some documents on upgrading!

The only problem I haven’t tackled yet is how to start postfix using the new launchctl plist files. I can’t get it to start properly. If someone can show me how it’s done I would greatly appreciate it.

Update: All right, persistence has paid off. I kept googling and searching the Apple support pages and found the answer on how to start postfix using launchd. The documentation has been updated to reflect the new findings.


Postfix 2.5.1 has been out for a few weeks but I only just got around to testing it on both Tiger and Leopard. Neither OS X version causes any problems. I did find one error in the previous blog post on the Leopard install instructions concerning the SASL include path, which might also have caused the issues with 2.5.0. I’ve updated that post to reflect the changes. It compiles on Tiger without any changes.

The bugfixes introduced in 2.5.1 are:

  • The Postfix 2.5 “postfix upgrade-configuration” command now works even with Postfix 2.4 or earlier versions of the postfix command, instead of producing a main.cf file with an empty “data_directory” parameter value.
  • When installing Postfix 2.5.0 without upgrading from an existing master.cf file, the new master.cf file had an incorrect process limit for the proxywrite service. This service is used only by the obscure “smtp_sasl_auth_cache_name” and “lmtp_sasl_auth_cache_name” configuration parameters.
  • Someone needed multi-line support for header/body Milter replies.
  • The LDAP client’s TLS support was broken in several ways.

I’m still very busy and I haven’t had time to rewrite the documentation to reflect all the changes needed to install the mailserver components on a Leopard based Mac.

But here is a quick instruction set on how to get every item compiled on Leopard. Use the documentation set for all the other instructions; only the differences that apply to Leopard are listed here.

First of all, you no longer need to install SASL; it all works without it.

Postfix:
make -f Makefile.init makefiles \
CFLAGS='-arch i386 -isysroot /Developer/SDKs/MacOSX10.4u.sdk' \
CCARGS='-DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL \
-I/usr/include/sasl \
-DHAS_PCRE -I/usr/local/include \
-DHAS_SSL -I/usr/include/openssl \
-DHAS_MYSQL -I/usr/local/mysql/include/mysql' \
AUXLIBS='-L/usr/lib -lldap -lsasl2 -L/usr/lib -llber -L/usr/local/lib \
-L/usr/local/lib -lpcre \
-lssl -L/usr/local/mysql/lib/mysql \
-lmysqlclient -lz -lm'

Courier Auth:
export MACOSX_DEPLOYMENT_TARGET=10.5
./configure --with-authmysql \
--without-authpam \
--with-mysql-libs=/usr/local/mysql/lib/mysql \
--with-mysql-includes=/usr/local/mysql/include/mysql

Courier Imap:
./configure --prefix=/usr/local \
--with-authpwd=YES \
--without-authcram \
COURIERAUTHCONFIG=/usr/local/bin/courierauthconfig

Create the vmail user:
sudo dscl . -create /Users/_vmail
sudo dscl . -create /Users/_vmail UserShell /usr/bin/false
sudo dscl . -create /Users/_vmail UniqueID 102
sudo dscl . -create /Users/_vmail PrimaryGroupID 102
sudo dscl . -create /Users/_vmail NFSHomeDirectory /var/empty
sudo dscl . -passwd /Users/_vmail ''

Create the dspam user:
sudo dscl . -create /Users/_dspam
sudo dscl . -create /Users/_dspam UserShell /usr/bin/false
sudo dscl . -create /Users/_dspam UniqueID 101
sudo dscl . -create /Users/_dspam PrimaryGroupID 101
sudo dscl . -create /Users/_dspam NFSHomeDirectory /usr/local/var/dspam
sudo dscl . -passwd /Users/_dspam ''

DSpam:
./configure --enable-daemon \
--with-storage-driver=mysql_drv \
--with-mysql-includes=/usr/local/mysql/include/mysql \
--with-mysql-libraries=/usr/local/mysql/lib/mysql \
--enable-preferences-extension \
--with-dspam-home-owner=_dspam \
--with-dspam-home-group=_postfix \
--with-dspam-home=/usr/local/var/dspam \
--enable-long-usernames \
--with-dspam-group=postfix \
--enable-mysql4-initialization \
--enable-domain-scale \
--enable-virtual-users \
--enable-debug \
--enable-verbose-debug

Maildrop:
sudo chown _vmail maildroprc

maildrop unix - n n - - pipe
flags=DRhu user=_vmail argv=/usr/local/bin/maildrop /etc/maildroprc -d ${user}@${nexthop} ${extension} ${recipient} ${user} ${nexthop} ${sender}

Some of the changes are minor but they are required. I’m still testing most of the setup, sorry that it takes so much time to update the documentation. If someone knows a way to edit Wordpress pages offline in an easy way I would like to hear about it.


There are more and more problems being reported by people trying to use postfix 2.5.0. I haven’t gotten it to work myself either. The error occurs during linking; you will see a message related to “_sasl_set_path”.

Please use 2.4.7 as a stable version that works.

Update: It looks like on Leopard you don’t need to install SASL; somehow the default installed version does work. To use it you also need to adjust the makefile creation.

make -f Makefile.init makefiles \
CFLAGS='-arch i386 -isysroot /Developer/SDKs/MacOSX10.4u.sdk' \
CCARGS='-DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL \
-I/usr/local/include/sasl \
-DHAS_PCRE -I/usr/local/include \
-DHAS_SSL -I/usr/include/openssl \
-DHAS_MYSQL -I/usr/local/mysql/include/mysql' \
AUXLIBS='-L/usr/lib -lldap -lsasl2 -L/usr/lib -llber -L/usr/local/lib \
-L/usr/local/lib -lpcre \
-lssl -L/usr/local/mysql/lib/mysql \
-lmysqlclient -lz -lm'

There are still other people testing this, if you can test this as well please let me know the outcome.


It’s that time of year again for me. My certificates, which I normally give a lifespan of a year, have expired again. I thought I should write down the procedure for refreshing your certificates, for all of you and for myself, so you don’t need to wade through the complete documentation set to find the relevant parts. I hope it is as useful to you as it will be for me in a year.

First we’ll do the Postfix SMTP TLS/SSL part.

Just open a Terminal and execute the following command in the directory ‘/etc/postfix‘:

sudo openssl req -new -outform PEM -out smtpd.cert \
    -newkey rsa:2048 -nodes -keyout smtpd.key -keyform PEM \
    -days 365 -x509

This creates a new 2048-bit RSA key and, because of the -x509 option, a self-signed certificate for it; for now that key size is secure enough for your mail server to use. If you are paranoid and want a bigger key, just increase the number after rsa:. The certificate will be valid for a year; if you want a longer period, increase the number after the -days option. When the key is finished you will be asked a couple of questions you need to answer. The information is shown to people who want to inspect your certificate when their mail client complains. The most important one is the ‘Common Name’: make sure it is the same as the mail server name. Also make sure that all your answers are the same as in the original certificate.

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:your.mailserver.tld
Email Address []:you@yourdomain.tld

To make sure everything is refreshed, do a ‘sudo postfix reload‘ and try to send an email.

For the IMAP server it is a bit simpler, as all the details are kept in a configuration file that should still be there: ‘/usr/local/etc/imapd.cnf‘. Please check the contents of the file and if they don’t reflect your setup please edit the file as described here.

When everything is verified and found in the correct state you can go to the directory ‘/usr/local/share‘ and run ‘sudo ./mkimapdcert‘ to generate a new certificate. Make sure you remove the existing ‘imapd.pem‘ in the same directory first or no new certificate will be created.

Start up your favourite mail client and check the certificate.

All should be in the correct state and our certificates are valid for another year.
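Since the certificates expire once a year, it helps to have a check that warns before they do and confirms that the Common Name still matches the mail server name. The following script is an added example, not part of the original post or of Postfix; it runs the openssl x509 command on the two certificate files named above (smtpd.cert and imapd.pem), parses the notAfter and subject fields, and reports anything that needs attention. The expected host name is passed on the command line; the sample openssl output used for the self-check is constructed.

```python
import datetime
import re
import subprocess
import sys

# The two certificate files the post renews.
CERT_FILES = ["/etc/postfix/smtpd.cert", "/usr/local/share/imapd.pem"]


def utc(year, month, day, hour=0, minute=0, second=0):
    """Aware UTC datetime, so comparisons with openssl's GMT dates are unambiguous."""
    return datetime.datetime(year, month, day, hour, minute, second,
                             tzinfo=datetime.timezone.utc)


def parse_not_after(value):
    """Parse the value part of 'notAfter=Mar  5 12:00:00 2025 GMT'."""
    naive = datetime.datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")
    return naive.replace(tzinfo=datetime.timezone.utc)


def parse_common_name(value):
    """Extract CN from 'CN=mail.example.test,O=...' (RFC 2253 subject format)."""
    match = re.search(r"(?:^|,)CN=([^,]*)", value.strip())
    return match.group(1).strip() if match else ""


def parse_openssl_output(text):
    """Turn the stdout of 'openssl x509 -noout -enddate -subject -nameopt RFC2253'
    into {'not_after': datetime, 'common_name': str}."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        fields[key.strip()] = value
    return {"not_after": parse_not_after(fields["notAfter"]),
            "common_name": parse_common_name(fields["subject"])}


def days_until_expiry(not_after, now):
    return (not_after - now).total_seconds() / 86400.0


def check_certificate(fields, expected_cn, now, warn_days=30):
    """Findings for one parsed certificate; an empty list means nothing to do."""
    findings = []
    left = days_until_expiry(fields["not_after"], now)
    if left < 0:
        findings.append("expired %d days ago" % int(-left))
    elif left < warn_days:
        findings.append("expires in %d days" % int(left))
    if fields["common_name"] != expected_cn:
        findings.append("Common Name %r does not match mail server name %r"
                        % (fields["common_name"], expected_cn))
    return findings


def read_cert_fields(path):
    """Ask openssl for the end date and subject of a PEM certificate file."""
    out = subprocess.run(
        ["openssl", "x509", "-in", path, "-noout", "-enddate", "-subject",
         "-nameopt", "RFC2253"],
        check=True, capture_output=True, text=True).stdout
    return parse_openssl_output(out)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: certcheck.py your.mailserver.tld")
    now = datetime.datetime.now(datetime.timezone.utc)
    status = 0
    for path in CERT_FILES:
        try:
            findings = check_certificate(read_cert_fields(path), sys.argv[1], now)
        except (OSError, subprocess.CalledProcessError, KeyError, ValueError) as exc:
            findings = ["could not read certificate: %s" % exc]
        if findings:
            status = 1
        print("%s: %s" % (path, "; ".join(findings) or "ok"))
    sys.exit(status)
```

Run it as `sudo python3 certcheck.py your.mailserver.tld` (the private keys are not read, but smtpd.cert may not be world-readable); a non-zero exit status makes it easy to hook into a weekly cron or launchd job so the expiry is noticed before the mail clients start complaining.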


Just a quick note on the progress I’m making in getting the mail server components working on Leopard. At first I thought it would be simple: just recompile the lot and be done with it. But as most of you might have noticed, a lot has changed under the hood in Leopard. Most notably, all the NetInfo tooling was removed and replaced with dscl.

I’ve got the basic stuff working with some workarounds but still need to test SSL, maildrop and DSpam. But to reveal some of the things that need to be done differently, here are some of the changes to be made in the documentation:

The Postfix install instructions need no changes.

Instead of niutil to create the vmail user we use dscl:

sudo dscl . -create /Users/_vmail
sudo dscl . -create /Users/_vmail UserShell /usr/bin/false
sudo dscl . -create /Users/_vmail UniqueID 102
sudo dscl . -create /Users/_vmail PrimaryGroupID 102
sudo dscl . -create /Users/_vmail NFSHomeDirectory /var/empty
sudo dscl . -passwd /Users/_vmail ''

To compile courier-auth you need this line added before the configure phase:

export MACOSX_DEPLOYMENT_TARGET=10.5
./configure --with-authmysql \
--without-authpam \
--with-mysql-libs=/usr/local/mysql/lib/mysql \
--with-mysql-includes=/usr/local/mysql/include/mysql

IMAP 4.3.0 compiles without a problem, but won’t run properly yet. I’ve got IMAP 4.2.1 working without any change in how you need to compile it. Update: tried it again and it all works, my mistake! Sorry…

On to the next item on the todo list, will keep you posted on my progress.


In the last year I had some discussions with DIYMacServer users on how to upgrade their machine or even move their setup to some new hardware. The biggest issue or problem they encountered was how to safely move the emails stored on the server. In this post I will try to describe one way (there are more possibilities to do this) that is pretty safe and you won’t lose any mail.

Before you start, please check that you have enough disk space to make an archive of the mail directory; it might have become very big. You can check the size of the directory with the command:

sudo du -hc /usr/local/virtual

The last line of the output tells you how much space you need on your disk. If you haven’t got enough room you can ask your users to empty their Trash and Sent mail in their email application, or remove some items you have stored on the server yourself. If that ain’t possible you’ll need to buy an extra drive (external or internal, depending on the machine you’ve got).

If you have users other than yourself using the mail-server, please inform them in advance that the mail-server is going off-line for a short period at a time that is convenient for you to perform this task. This is only about moving the mail, not the websites, and I’m assuming you’ve got the other machine ready and set up to take over.

When the time has come, take the IMAP server off-line to prevent users from accessing their IMAP folders and accidentally doing something between the backup and restore actions. If you’ve got POP3 configured as well, stop that too.

Stop Postfix to prevent incoming mail from being lost if it arrives between the backup and restore actions.

Now everything is stopped and you are ready to make a backup of the email directory.

You can do this by using the following command:

sudo tar -czf mailbackup.tar.gz /usr/local/virtual

This creates a big file called ‘mailbackup.tar.gz’; you can copy/move/ftp this file to any destination you like.

To unpack the backup and restore it to its new destination, use the following command:

cd /
sudo tar -xzf /locationofarchive/mailbackup.tar.gz

Replace ‘locationofarchive’ with the path to where you stored your backup archive.

If you used the same setup on both machines the mail directory should have the proper permissions and ownership. You can check this with the following command:

sudo ls -l /usr/local/virtual

The owner of the directories should be postfix or vmail, depending on your setup.

Now you can start the IMAP server first and check with your own mail client that you can access all your email on the server again. If there is a problem, check your logfile (/var/log/mail.log) for a possible explanation. If it all works, turn on the Postfix server and send yourself an email from another mail server (use a web-based service like Gmail, Yahoo mail or Hotmail) and check that the email arrives in your mailbox. Keep an eye on the logfile to see the email coming in.

If everything is working for you, inform your users that it is all right to use the mail-server again and ask them to let you know if they have any issues.

Good luck!
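The ls -l check above shows the ownership of the top-level directories, but it does not tell you whether every message survived the trip intact. As an added example, not part of the original post, the script below records a manifest of the mail tree (path, size, SHA-256, owner, group and permission bits) before the archive is made and compares it with the restored tree afterwards, so a truncated archive, a message lost in transit or a directory that came back with the wrong owner shows up as a concrete difference. The paths /usr/local/virtual and mailbackup.tar.gz are the page's; the small Maildir tree used by roundtrip_check() is constructed test data, and the tar handling mirrors the page's tar -czf / tar -xzf commands with Python's tarfile module.

```python
import hashlib
import os
import stat
import tarfile
import tempfile

MAILBOX_ROOT = "/usr/local/virtual"   # the mail directory from the post


def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each entry under root (relative path) to the attributes a restore must keep."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            regular = stat.S_ISREG(st.st_mode)
            manifest[os.path.relpath(full, root)] = {
                "type": stat.S_IFMT(st.st_mode),
                "size": st.st_size if regular else 0,
                "sha256": file_digest(full) if regular else "",
                "uid": st.st_uid, "gid": st.st_gid,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return manifest


def compare(before, after):
    """Human-readable differences between two snapshots; an empty list is a clean restore."""
    problems = []
    for rel in sorted(set(before) | set(after)):
        if rel not in after:
            problems.append("missing after restore: " + rel)
        elif rel not in before:
            problems.append("unexpected after restore: " + rel)
        else:
            for key in ("type", "size", "sha256", "uid", "gid", "mode"):
                if before[rel][key] != after[rel][key]:
                    problems.append("%s: %s changed (%r -> %r)"
                                    % (rel, key, before[rel][key], after[rel][key]))
    return problems


def make_archive(root, archive_path, arcname):
    """Same as `sudo tar -czf mailbackup.tar.gz /usr/local/virtual` (arcname = path inside the tar)."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(root, arcname=arcname)


def restore_archive(archive_path, dest):
    """Same as `cd / && sudo tar -xzf mailbackup.tar.gz`; keeps modes (and owners when run as root)."""
    with tarfile.open(archive_path, "r:gz") as tar:
        if hasattr(tarfile, "fully_trusted_filter"):   # Python 3.12+ (and backports)
            tar.extractall(dest, filter="fully_trusted")
        else:
            tar.extractall(dest)


def build_sample_mailbox(root):
    """Constructed Maildir tree standing in for /usr/local/virtual (not real mail)."""
    messages = {
        "example.test/alice/Maildir/cur/1000000001.M1P1.host": b"Subject: hi\r\n\r\nfirst\r\n",
        "example.test/alice/Maildir/new/1000000002.M2P2.host": b"Subject: second\r\n\r\nbody\r\n",
        "example.test/bob/Maildir/new/1000000003.M3P3.host": b"Subject: third\r\n\r\n.\r\n",
    }
    os.makedirs(os.path.join(root, "example.test/alice/Maildir/tmp"))
    for rel, body in messages.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(body)
        os.chmod(path, 0o600)
    for dirpath, dirnames, _ in os.walk(root):      # Maildir directories are private
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o700)
    return root


def roundtrip_check():
    """Run the whole move inside a scratch directory; returns (clean_diff, tampered_diff)."""
    with tempfile.TemporaryDirectory() as work:
        src = build_sample_mailbox(os.path.join(work, "old", "virtual"))
        before = snapshot(src)
        archive = os.path.join(work, "mailbackup.tar.gz")
        make_archive(src, archive, arcname="usr/local/virtual")
        newroot = os.path.join(work, "new")
        restore_archive(archive, newroot)
        restored = os.path.join(newroot, "usr", "local", "virtual")
        clean = compare(before, snapshot(restored))
        # Simulate a message lost in transit and confirm the comparison catches it.
        os.remove(os.path.join(restored, "example.test/bob/Maildir/new/1000000003.M3P3.host"))
        tampered = compare(before, snapshot(restored))
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = roundtrip_check()
    print("clean restore:", clean or "no differences")
    print("after removing one message:", tampered)
```

On the real servers you would call snapshot(MAILBOX_ROOT) on the old machine (as root, so every mailbox is readable), keep the result with json.dump, and feed it to compare() against snapshot(MAILBOX_ROOT) on the new machine after the restore; a uid or gid difference there is the sign that the vmail or postfix user was created with a different UniqueID on the new box.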


Alright, this time on time and not weeks behind the official release like the last update of Postfix. Wietse released a minor bug-fix which solves some problems in the SMTP client. The bug-fixes include:

  • A remote SMTP client TLS certificate with an unparsable canonical
    name triggered a panic error in the Postfix SMTP server (attempt
    to allocate zero-length memory) while sending a request to an
    SMTPD policy server.
  • On backup MX servers where the queue file system is mounted with
    “atime” (file read/execute access time) updates disabled, the
    flush daemon would trigger mail delivery attempts once every 1000
    seconds, thus rendering the maximal_backoff_time setting useless
    for backup MX service.

This update has been tested on my test server and my production server is using this latest release as well for a few hours now without a problem.

By the way as a sidenote, I’ve ordered my Leopard box in the online Apple store. I need to prepare my test server for the upgrade!


Alright, Wietse has been busier than me and because of that I missed an update. So the current source version that is available is 2.4.5 which should run fine on your current machine without a problem. Here is a summary of changes; for details please see HISTORY or RELEASE_NOTES in the source archive:

  • MILTER bugfix: When a milter replied with ACCEPT at or before the first RCPT command, the cleanup server would apply the non_smtpd_milters setting as if the message was a local submission. Problem reported by Jukka Salmi.
  • MILTER bugfix: Problem with header updates after body updates. Reported by Jose-Marcio Martins da Cruz.
  • MILTER robustness: Assorted cleanups to harden error handling in the Postfix Milter client.
  • SASL workaround for Postfix SMTP client: Some non-Cyrus SASL SMTP servers require SASL login without authzid (authoriZation ID), i.e. the client must send only the authcid (authentiCation ID) + the authcid’s password. This is now the default Postfix SMTP client behavior.
  • Loopback TCP performance workaround: Some systems exhibited poor SMTP and Milter performance with loopback (127.0.0.1) connections. Problem reported by Mark Martinec.
