I want to use mail services on Panther Server

Joined
Aug 19, 2005
Messages
5
Reaction score
0
Hi

I hope someone can please take time to try and assist me with an overview of my desired setup.

I have been given responsibility of configuring services on our XServe in a design studio of 10 people. I am a little out of my depth but willing to listen and learn.
I have a domain registered with one company and I have a 2Mbs ADSL connection (No NAT with 5 public IPs - so I was told by my ISP) with another company.

I want to set up the email services; I have users currently set up in a local domain.

So how should I move forward?

Thank you for any help and suggestions.

LGG ( Pippa )
 

Ric

Joined
May 14, 2004
Messages
4,260
Reaction score
5
Hi Pippa,

How is your email currently handled ? Does your ISP currently handle your mail ?

A few of us on here have 'quite' a lot of experience of OS X Server software...

Setting up the email server is relatively straight forward, however it's best to plan your strategy first.

You mentioned that you have a domain name, and 5 public IPs, so far so good !

Do you have access to change where the domain name is pointed to ?

let us know and we'll carry on,

regards

Ric
 

Ric

Joined
May 14, 2004
Messages
4,260
Reaction score
5
Not sure if you have had a read of the Mail PDF so here it is...

...good place to start, although a little bit techy !
 

Attachments

  • MacOSXSrvr10.3_MailServiceAdminGuide.pdf
    1.2 MB · Views: 1,277

Ric

Joined
May 14, 2004
Messages
4,260
Reaction score
5
From page 17 and 18...This is what you need to do.

If you would like a translation from geek speak to human let us know. If your xServe is connected to the Internet...don't turn on Mail services till you know how to secure it (stop it being an open relay); if you don't, your server could end up being 'blacklisted' before you have configured the rest.


Step 1: Before you begin, make a plan

See “Before You Begin” on page 15 for a list of items to think about before you start full-scale mail service.

Step 2: Set up MX records

If you want users to be able to send and receive mail over the Internet, you should make sure DNS service is set up with the appropriate MX records for your mail service.

• If you have an ISP that provides DNS service to your network, contact the ISP and have the ISP set up MX records for you. Your ISP will need to know your mail server’s DNS name (such as mail.example.com) and your server’s IP address.

• If you use Mac OS X Server to provide DNS service, create your own MX records as described in “Configuring DNS for Mail Service” on page 14.

• If you do not set up an MX record for your mail server, your server may still be able to exchange mail with some other mail servers. Some mail servers will find your mail server by looking in DNS for your server’s A record. (You probably have an A record if you have a web server set up.)

Note: Your mail users can send mail to each other even if you do not set up MX records. Local mail service doesn’t require MX records.

Step 3: Configure incoming mail service

Your mail service has many settings that determine how it handles incoming mail. For instructions, see “Configuring Incoming Mail Service” on page 19.

Step 4: Configure outgoing mail service

Your mail service also has many settings that determine how it handles outgoing mail.
For instructions, see “Configuring Outgoing Mail Service” on page 22.

Step 5: Secure your server

If your server exchanges mail with the rest of the Internet, make sure you’re not operating an open relay. An open relay is a security risk and enables junk-mail senders (spammers) to use your computer resources for sending unsolicited commercial email. For instructions see “Limiting Junk Mail” on page 29, and “Restricting SMTP Relay” on page 30.

Step 6: Configure additional settings for mail service

Additional settings that you can change affect how mail service stores mail, interacts with DNS service, limits junk-mail (spam), and handles undeliverable mail. See the following sections for detailed instructions:

• “Working With the Mail Store and Database” on page 35

• “Limiting Junk Mail” on page 29

• “Working With Undeliverable Mail” on page 42

Step 7: Set up accounts for mail users

Each person who wants mail service must have a user account in a directory domain accessible by your mail service. The short name of the user account is the mail account name and is used to form the user’s mail address. In addition, each user account has settings that determine how your mail service handles mail for the user account. You can configure a user’s mail settings when you create the user’s account, and you can change an existing user’s mail settings at any time. For instructions, see “Supporting Mail Users” on page 24, and “Configuring Email Client Software” on page 25

Step 8: Create a postmaster account (optional, but advised)

You need to create a user account named “postmaster.” The mail service may send reports to the postmaster account. When you create the postmaster account, make sure mail service is enabled for it. For convenience, you can set up forwarding of the postmaster’s mail to another mail account that you check regularly. Other common postmaster accounts are named “abuse” (used to report abuses of your mail service) and “spam” (used to report unsolicited commercial email abuses by your users). The user management guide tells you how to create user accounts.

Step 9: Start mail service

Before starting mail service, make sure the server computer shows the correct day, time, time zone, and daylight-saving settings in the Date & Time pane of System Preferences. Mail service uses this information to timestamp each message. An incorrect timestamp may cause other mail servers to handle a message incorrectly. Also, make sure you’ve enabled one or more of the mail service protocols (SMTP, POP, or IMAP) in the Settings pane. Once you’ve verified this information, you can start mail service. If you selected the Server Assistant option to have mail service started automatically, stop mail service now, and then start it again for your changes to take effect. For detailed instructions, see “Starting and Stopping Mail Service” on page 33.

Step 10: Set up each user’s mail client software

After you set up mail service on your server, mail users must configure their mail client software for your mail service. For details about the facts that users need when configuring their mail client software, see “Supporting Mail Users” on page 24.

regards

Ric
 
Joined
Aug 19, 2005
Messages
5
Reaction score
0
Ric

Thank you ever so much for giving your time to try and help me.

The situation is that a previous employee sorted all this out and he left under a cloud...need I say more.

I have registered a name with Demon and I have the ADSL being supplied by another ISP, I need to buy a router (any recommendations?). I have these 5 public IP addresses and I assume I can use one of those on en0 (WAN) of the XServe and connect LAN to en1 (see, I can read and learn a little).

A little confused about NAT (as ISP tells me the service is No NAT but in Apple manual tells me to turn on NAT & Firewall, I'm so confused !)

I asked Demon if they could point the domain to one of those public IPs and they said no problem...so I thought I was going in the right direction.

Am I going about this in the right way?

I really do appreciate all your efforts, I'm sure I have all the required knowledge but not necessarily realising that I do.

Pippa :)
 

Ric

Joined
May 14, 2004
Messages
4,260
Reaction score
5
No problem, will give you a walk through later tonight..unless some one else helps before then...

I have enough information from you to give you a reasonable plan !

will post later,

regards

Ric
 

Ric

Joined
May 14, 2004
Messages
4,260
Reaction score
5
Little Girl Glossed said:
The situation is that a previous employee sorted all this...


Before we start, what state is the Xserve in...and what is it currently used for ?

Taking over any Server that was administered by someone else is possibly harder than starting from 'new'.

If this employee left, did they have access to the Server before they 'knew' they were going, or were they shipped out quick.

The only reason I ask is because it is relatively easy for a knowledgeable Sys Admin to either leave a few nasties behind, or to leave themselves a few backdoors, so that they can get back in. Depending on what the System is currently configured to do, I personally would 'always' wipe the Xserve, reload the software, and set up from scratch. That way if the previous employee had left something malicious or a back door then you've got rid of them for good !


Little Girl Glossed said:
I have registered a name with Demon and I have the ADSL being supplied by another ISP...

Forgive me if I am covering ground that you already know...

...The name that you have registered with Demon for example will be currently 'parked' somewhere ! Probably with Demon. You should have access to a control panel with Demon, that will be accessed via the web. This will allow you to specify what each of your IP addresses is used for...

This can all get very technical but...if you have been given a block of five IP addresses i.e. 234.12.120.20 | 234.12.120.21 | 234.12.120.22 | 234.12.120.23 | 234.12.120.24

You can assign these to whatever you want, every computer connected to the Internet has a unique address.

For example if you had 4 Xserves:

234.12.120.20 Router/Firewall
234.12.120.21 Web Server
234.12.120.22 Web Server (Backup)
234.12.120.23 Mail Server
234.12.120.24 Mail Server (Backup)

As it stands you probably only need to use one of your 'public' IP addresses. Just one for the ADSL Modem. You can configure this in a few hundred different combinations...

but in essence:


Internet--->ADSL Modem--->Xserve--->Studio Network

or

Internet--->ADSL Modem--->Firewall--->Xserve--->Studio Network

You could give the Xserve a Public IP Address as long as you configure it correctly this would allow you to access it from home etc (if required).

NAT and or DHCP is another question...you can use NAT internally (Network Address Translation) to share your internet connection amongst the rest of the studio machines. Hard to say what you need with out knowing more about your network.


Little Girl Glossed said:
I need to buy a router (any recommendations?).

What do you want the router for ? can you give a map/list of current network devices ?


Little Girl Glossed said:
I have these 5 public IP addresses and I assume I can use one of those on en0 (WAN) of the XServe and connect LAN to en1 (see, I can read and learn a little).

Yes, sort of. The ADSL Modem would take one of the IP addresses. Presumably the ADSL Modem has an Ethernet port, this would then connect to the en0 (WAN) of the Xserve, the en0 port could either be given a public IP address or an internal IP address, depends how you setup the ADSL Modem. The ADSL modem will have a DHCP Server and NAT built into it ! And yes the LAN would then connect via en1 on a local IP address.

Little Girl Glossed said:
A little confused about NAT (as ISP tells me the service is No NAT but in Apple manual tells me to turn on NAT & Firewall, I'm so confused !)

Don't worry NAT and DHCP and Firewalls can be very confusing ! Even for the geeks :) We'll come back to that, later.

Make sure you read up on the Firewall, if you don't have any other type of Firewall then this must be turned on, on the Xserve. This is the only 'thing' that prevents the outside world getting in to your network. You will have to configure the Firewall to allow 'in' some traffic for the "Mail Server". What is your understanding of "IP Ports" ?


Little Girl Glossed said:
I asked Demon if they could point the domain to one of those public IPs and they said no problem...so I thought I was going in the right direction.

Am I going about this in the right way?

Yes !

This should keep you going for a bit, let us know some of the answers to the questions I've asked, and we'll carry on...

regards

Ric
 

Cory Cooper

Moderator
Joined
May 19, 2004
Messages
11,102
Reaction score
492

Wow Ric...nice "tutorial".

I will review when I get a chance and lend a hand if needed...been following this, but don't have the time to chime in yet.

Just a reminder...it's a little trickier when you have an internal LAN and an external WAN (Internet) connection to deal with.

C
 

Ric

Joined
May 14, 2004
Messages
4,260
Reaction score
5
Thanks Cory, jump in any time you want !!

-----------------------------------------------------------

From Little Girl Glossed via PM...



Little Girl Glossed said:
Mac Infrastructure

XServe G5 - 1
G5 Desktop - 10 (running Panther or Tiger)
Epson Colour Laser - 1
A3 Mono Laser - 1
Gigabit Switched Hub - 1

ourdomain.com is registered at Demon who tell me they will point it to one of the external IP address provided by our ISP who is Entanet (xx.xx.xxx.xxx) and create the required MX and DNS records.

I have looked online and decided to get a Speedtouch 510E Single Port Ethernet Modem / ADSL Router; should it be in Bridge mode? (The more I read the more confused I become)

I personally would go for a Netgear product, something like a DG834. Depending on the level of protection you require...the last studio I fitted out, I tend to use Sonic products...they are a little expensive though !

http://www.sonicwall.com/

Not sure about this particular modem but I haven't heard too many great reviews about their USB ADSL Modems.

Little Girl Glossed said:
My intention is to connect the Speedtouch to en0 and the LAN to en1 and according to the setup example in the Apple manuals, I should setup the network interfaces on the Xserve as follows -

Primary Interface (en0)

IP Address - xx.xx.xxx.xxx
Subnet - as supplied by Entanet
DNS - as supplied by Entanet (both primary and secondary) or should it be the Demon DNS servers?

That's correct.

DNS Servers can be set whichever way you want, primary Entanet and the secondary to Demon. Then if Demon's DNS Server is not responding Entanet's hopefully is.

DNS Servers are used to look up and translate IP addresses to/into domain names and vice versa...www.google.co.uk == 216.239.57.104

So you can type either into your web browser and end up in the same place. If your DNS server is currently not working then typing www.google.co.uk would not work, but typing in the IP address would !

So if you're able, set your primary and secondary to two different companies...


Little Girl Glossed said:
Secondary Interface (en1)

IP Address - 10.1.0.1
Subnet - 255.255.0.0
DNS - 10.1.0.1

I will setup the host name of the Xserve as xserve.ourdomain.com

Fine, that'll work !

Little Girl Glossed said:
Do I then setup a Master Zone on the Xserve to serve local DNS as in -

Zone name - ourdomain.com.
SOA - xserve.ourdomain.com.
Email - admin.ourdomain.com.

And then an A record

Map from - xserve.ourdomain.com.
Map to - 10.1.0.1


Yes you can but you don't have to straight away. Is there a reason why you are wanting to run a DNS Server, or do you just presume that you 'need' to run a DNS server....

If you want to setup DNS then I will gladly give you a walk through...you don't need to setup DNS Server on the Xserve to run a Mail Server!

As long as Demon setup forward and reverse records, that should suffice, unless you have other needs...

regards

Ric
 
Joined
Aug 19, 2005
Messages
5
Reaction score
0
Ric

Well I can't sleep, more through sheer dread than anything else...

But your assistance is making me feel a whole lot better...thanks

As far as DNS is concerned, I thought I needed it to be able to run in a shared directory domain (OD Master), if I don't need to change from Standalone, then I won't.

I'll keep you informed as I progress

I am a little concerned about Open Relay, what is my best way to stop this?

Pippa x
 

Ric

Joined
May 14, 2004
Messages
4,260
Reaction score
5
Hi Pippa,

Panther Server is configured 'not' to be an open relay, it's just if you change things (incorrectly) then you can make it an open relay...(been there done that, on an XP box !)

Initially the Xserve will be configured to only allow SMTP relaying to itself. As it is set up anyone who has a mail account on your Xserve will be able to send mail to the outside world. This however means that a knowledgeable spammer can use (if they find it) or masquerade as one of your users to send spam...

...to prevent this you need to turn on a few of the inbuilt security features...In the advanced tab of Mail, you can turn on SMTP Authentication Plain | Login | CRAM-MD5 | Kerberos...

Initially, probably best just use Plain and/or Login for SMTP and Clear for POP, depends what else you want to setup on your Xserve.

This now means that any user must supply a password to send mail through your server (SMTP) !

If you have just the one Xserve and no Windows boxes etc, then there is no reason why initially you can't run the Xserve as a 'Standalone'. It can still do most things...

Is there a reason why you want to run as OD Master ? or is it just that you 'thought' you had to ?

Sorry, didn't pick up on OD Master comments (long day on the beach, a couple of beers etc!).

If you are doing a new install, you can setup as a Standalone and then change to OD Master if you need to later on, this is normally the best way to do things anyway.

I however can sleep...

...speak to you tomorrow/today

regards

Ric
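An added illustration, not part of Ric's post or of Apple's documentation: what each of the SMTP authentication schemes named above puts on the wire when the connection is not encrypted. The user name, password and challenge are constructed sample values, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac

# Constructed sample challenge; a real server generates a fresh one per login.
SAMPLE_CHALLENGE = base64.b64encode(b"<1896.697170952@xserve.ourdomain.com>").decode()

def plain_response(user, password, authzid=""):
    """AUTH PLAIN: base64 of authzid NUL user NUL password."""
    return base64.b64encode(f"{authzid}\0{user}\0{password}".encode()).decode()

def login_responses(user, password):
    """AUTH LOGIN: user name and password sent as two separate base64 lines."""
    return [base64.b64encode(s.encode()).decode() for s in (user, password)]

def cram_md5_response(user, password, challenge_b64):
    """AUTH CRAM-MD5 (RFC 2195): user name plus HMAC-MD5(password, challenge)."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()

def server_verify_cram_md5(response_b64, challenge_b64, stored_password):
    """Server side: recompute the digest from the stored password and compare."""
    user, digest = base64.b64decode(response_b64).decode().rsplit(" ", 1)
    expected = cram_md5_response(user, stored_password, challenge_b64)
    return hmac.compare_digest(expected, response_b64)

def what_observer_learns(mechanism, client_lines):
    """Decode the client's lines as a listener on an unencrypted link would."""
    decoded = [base64.b64decode(line).decode() for line in client_lines]
    if mechanism == "PLAIN":
        _, user, password = decoded[0].split("\0")
        return {"user": user, "password": password}
    if mechanism == "LOGIN":
        return {"user": decoded[0], "password": decoded[1]}
    if mechanism == "CRAM-MD5":
        # Only a digest tied to this one challenge is sent, never the password.
        user, digest = decoded[0].rsplit(" ", 1)
        return {"user": user, "password": None, "digest": digest}
    raise ValueError(f"unknown mechanism: {mechanism}")

if __name__ == "__main__":
    user, pw = "pippa", "Studio-2005"  # constructed credentials
    print(what_observer_learns("PLAIN", [plain_response(user, pw)]))
    print(what_observer_learns("LOGIN", login_responses(user, pw)))
    print(what_observer_learns("CRAM-MD5",
                               [cram_md5_response(user, pw, SAMPLE_CHALLENGE)]))
```

PLAIN and LOGIN are base64 encodings, not encryption, so they protect the relay but not the password in transit; every mail client must still support whichever scheme the server requires.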
 

Ric

Joined
May 14, 2004
Messages
4,260
Reaction score
5
As a side note:

If the Xserve is going to handle all the company emails...what happens if it breaks, or your ADSL line is down...will your ISP offer a backup mailserver (second MX record)...or do you need to think about it !

If the Xserve is out of action/off all your incoming emails get bounced...looks like you've gone bump...or haven't paid your domain reg fees...either way doesn't look good to clients !!!

regards

Ric
 

Ric

Joined
May 14, 2004
Messages
4,260
Reaction score
5
DNS walk through here

Remember, DNS Server on your Xserve does not need to be running. You can still run a web server and mail server etc without having DNS services running on that machine; it is not needed to run a mail server. You just use your ISP's DNS addresses.

regards

Ric
 
Joined
Aug 19, 2005
Messages
5
Reaction score
0
Hi Ric & Cory

I haven't even started yet, I just haven't had a moment to myself this week.

I am going in tomorrow to see how I get on, fairly confident now (probably misplaced), I am a little worried about this Open Relay and getting banned by our ISP.

I'll keep you both posted and thanks for your support.

Pippa.
 

Ric

Joined
May 14, 2004
Messages
4,260
Reaction score
5
That's what I like to see commitment ! (overtime I hope !)

Don't worry about Open Relay, as I said before the standard install does not leave you as an open relay.

A few pointers:

SMTP (Simple Mail Transfer Protocol) is used to send 'emails' from clients (your users) to the mail server, it also sends 'email' from one server to another !

POP (Post Office Protocol) is one way that clients (your users) can receive email from the server.

As you stated in your PM, SMTP requires port 25 to be open and forwarded to your mail server. POP requires port 110 to be open and forwarded to your mail server. You can also use IMAP (Internet Message Access Protocol).

Example Pics below.

Mac OS X Server (Panther) uses Postfix to provide SMTP services, depending on your needs sometimes you have to use the command line (Terminal) to edit the Postfix config files... www.postfix.org has a lot of info on it !

IMAP and POP are provided by Cyrus. http://asg.web.cmu.edu/cyrus/

As long as your DNS records are correct and the Firewall(s) are configured to let the correct data in and out, then it should be quite straight forward !

-------------------------------------------------------------------------------------------------

Open server admin, Select Mail service, click the settings tab, click the general tab.

Click enable SMTP

Ignore 'Relay all mail through this host' ( this is used if you have more than one email server and this server would then forward all the outgoing mail to the other server)

Click enable POP

Click enable IMAP (only if you need it, personally I don't use it, so I leave it unchecked)

Copies BCC if you click this, and add in an email address to the line below, all undeliverable emails will be sent to the email address specified.

Copy incoming and outgoing messages to, again if you click this and enter an email address all emails going through the server can be sent to someone...be careful with this one. If your company allows staff to send and receive email...you need to have a 'usage' letter/policy written out for all the staff to see. ie "Our company allows the use of the email system for work related messages only, all emails are monitored."

Would need to be a lot longer and 'more' than this but you get my drift...then an employee can not complain because you have read his/her email that she sent out with a CV attached looking for a new job. You do however need to be very careful, and check the current Data protection laws etc. Plus you need to be very discreet !

Now click the advanced tab:

Check that your mail server's MX record is in the local host aliases pane, if it isn't then add it in, or double click on the current entry and edit that one ! (to add a new one)...press the plus sign and then type in the mail server's name. Mine would be:

mac-help.com


If you had other domains, or sub domains you would add them in here.
ie

faqs.mac-help.com
blog.mac-help.com
mac-help.com

So as long as DNS, MX records were setup correctly any emails coming to @faqs.mac-help.com or @blog.mac-help.com or @mac-help.com would all get routed/accepted through this server !

It will also tell you below the Local Host Aliases pane where the mail will be stored, you don't have to change this just leave it as is. When you become more familiar with OS X Mail Server you may have a reason to change it, in the future.

When this is done press the save box to save changes...

Now go back to the overview button, and then click Start Service...your mail server is now running !

Now do a restart ! When it's back up reopen Server admin and check that Mail Service is running.

Don't worry, about being an open relay we will now secure it !

Back to the Mail Service settings-->Advanced tab

Now depending on what you are running, POP and SMTP etc click on the clear for POP and PLAIN for SMTP. This is the weakest form of protection, but it will do the job. (by clicking on any of those check boxes...activates password only usage ie. If a Hacker does a Port scan on your machine and sees that ports 25 and 110 are open (which they will be !) he/she knows that you are running a mail server...but by selecting any of those check boxes, this now means that the Hacker has to enter a password to send any emails through your server...more often than not, they will just move on to the next target, which is not secured !) The only real reason to use any of the other Password 'schemes' is to provide better protection. To be honest clear/plain or better still login will do an adequate job.

Remember: whichever 'scheme' you use, your 'clients' must be able to use the same scheme, otherwise they won't be able to send and receive mail !!

Now you need to enable 'Mail' services for each user, unless you have already done it !

Open Workgroup Admin and select which ever user you are going to start with...

Then select the mail tab, and click "Enabled"

You can now set their Mail Quota Size (how much space they are allowed) if left at 0 this gives them unlimited space...I would leave it at 0 for now !

Then below that, you can click on the "POP Only" button, (Unless you are going to setup IMAP).

Leave the Alternate Mail store for now, let the Server put the Mail where it wants to !
You may need this later, once you have been running the server for a while !

One common mistake/anomaly is that when you have set up all your users' accounts, most people go into 'Mail Service' in Server Admin and look in the Accounts Pane...there will be "no" accounts there !!!

You will have set them up correctly but they do not 'appear' in the Server Admin Mail Accounts Pane until they become 'Active' ie someone sends or receives an email for that account...try it, set up one account in the Workgroup Manager and then have a look...it will look like there is no account setup ! Fire off an email to that account and then check again (a few minutes later), and hey presto it magically appears...this one confused a lot of us !!!

Now set up your email clients...then start sending off some test emails !

Whenever making changes to any config elements in Mail Service - you must restart Mail Service...there are quicker and better ways of doing this with the Terminal but we'll save them for another day....

regards

Ric
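An added example, not from the thread: a small audit of the Postfix settings that decide who may relay, run over two constructed `postconf -n` style samples (the 10.1.0.0/16 LAN from the thread, and 203.0.113.0/24 as a placeholder for a public block). It assumes a Postfix release that controls relaying through `smtpd_recipient_restrictions`; the function names are hypothetical.

```python
import ipaddress

# Ranges a small office would normally trust for relaying (loopback + RFC 1918).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128")]

# Constructed samples in the "name = value" layout that `postconf -n` prints.
HARDENED = """
mynetworks = 127.0.0.0/8, 10.1.0.0/16
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
"""
MISCONFIGURED = """
mynetworks = 127.0.0.0/8, 10.1.0.0/16, 203.0.113.0/24, 0.0.0.0/0
smtpd_sasl_auth_enable = no
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit, reject_unauth_destination
"""

def parse_postconf(text):
    """Parse 'name = value' lines into a dict, skipping comments and blanks."""
    conf = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            name, value = line.split("=", 1)
            conf[name.strip()] = value.strip()
    return conf

def as_list(value):
    """Postfix lists may be separated by commas and/or whitespace."""
    return value.replace(",", " ").split()

def audit_relay(conf):
    """Return a list of findings; an empty list means no relay problem was found."""
    findings = []
    # 1. Who is trusted to relay without authenticating?
    if "mynetworks" in conf:
        for entry in as_list(conf["mynetworks"]):
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:  # lookup tables, bracketed IPv6 and similar
                findings.append(f"mynetworks: cannot evaluate '{entry}', review by hand")
                continue
            if not any(net.version == r.version and net.subnet_of(r) for r in INTERNAL):
                findings.append(f"mynetworks: {entry} trusts addresses outside the LAN")
    elif conf.get("mynetworks_style") == "class":
        findings.append("mynetworks_style=class trusts the whole class A/B/C network")
    # 2. Restrictions are evaluated left to right and the first match wins.
    rules = as_list(conf.get("smtpd_recipient_restrictions",
                             "permit_mynetworks reject_unauth_destination"))
    if "reject_unauth_destination" not in rules:
        findings.append("smtpd_recipient_restrictions: reject_unauth_destination is missing")
    elif "permit" in rules[:rules.index("reject_unauth_destination")]:
        findings.append("smtpd_recipient_restrictions: bare 'permit' precedes "
                        "reject_unauth_destination")
    # 3. Authenticated relaying needs SASL switched on, without anonymous logins.
    sasl_on = conf.get("smtpd_sasl_auth_enable", "no") == "yes"
    if "permit_sasl_authenticated" in rules and not sasl_on:
        findings.append("permit_sasl_authenticated is listed but "
                        "smtpd_sasl_auth_enable is not 'yes'")
    options = as_list(conf.get("smtpd_sasl_security_options", "noanonymous"))
    if sasl_on and "noanonymous" not in options:
        findings.append("smtpd_sasl_security_options: 'noanonymous' is missing")
    return findings

if __name__ == "__main__":
    for name, sample in (("hardened", HARDENED), ("misconfigured", MISCONFIGURED)):
        print(name, audit_relay(parse_postconf(sample)) or "no findings")
```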
 
Joined
Jan 1, 2006
Messages
7
Reaction score
0
Ric,
Have been following this, know you posted it a long time ago...
I have a dual XServe G5 machine with a fully loaded XRAID..
Am going to setup mail services and web services so thanks for these posts you have made on this forum.
I expect the mail load to be very high we send LARGE attachments..
So therefore as I am using the XRAID entirely for large video files I am thinking about getting a second HD for the main G5 Xserve machine. I know Apple only offer 80Gbyte or 500Gbyte versions.. I assume I can run my mail database and store on this second "data" drive away from the system drive.
Happy New Year to everyone.
Cheers,
Russ
 

Ric

Joined
May 14, 2004
Messages
4,260
Reaction score
5
Hi Russ and welcome,

Yes you can store the mail database where you want, even on an external 'data' drive.

Depending on how many XServes you have (just one ?), depends on what services to run on which machine...

1) Fileserving on one
2) Mail server
3) Web server
4) DNS server

etc or a mix and match depending on your 'loads' or requirements...

regards and Happy New Year

Ric
 
