> Well, I could be mean and say "hire someone who knows how to configure
> and run a mail server" - especially since, if not configured/run
> correctly, the spammers will find it, own it, and make your life
> miserable.
I'm hoping to learn to do some of this myself. It's not something I've
done before, but that doesn't mean I don't want to learn.
I hired someone to come in and set it up, and he couldn't figure out why
it wasn't working. Now I'm on my own. I'm confident that our firewall
isn't going to let outsiders use our mail server as a spam relay,
though.
> Or I could try and be helpful, and suggest that you tell us which
> version of OS X Server it is, since different versions use different
> mailers.
D'oh! I should have done that straight off. I'm running version 1.4.
> Under NO circumstances should you attempt to run Apple Mail
> Server on MacOS X Server 10.1 - too insecure, and needs to be front-
> ended with a real mail server like Exim (my choice) or PostFix (iirc
> what Apple now uses since at least Server 10.3)
Yes, version 1.4 is using Postfix.
> It sounds like you simply have not configured the "accept mail for
> domains" correctly.
Is this the same as "accept mail FROM domains"? Because that's where I
thought I might have messed up. I've been over the documentation several
times and tried all the permutations I can come up with, and it hasn't
started working.
> Either that, or there is something funky with your
> server's name and your domain dns settings. Is your domain virtual,
> or is the fully-qualified machine name actually mail.bolen.bc.ca?
It's virtual.
There was another mail server sitting there running, but it died and now
I need to put something else in place. I'd been hoping that this was
going to be quick and easy (primarily because I thought that someone
else was doing it), but that turned out not to be the case. I can access
all the logs and settings of the old box (linux running exim), and I
thought I'd successfully transferred the configuration. Clearly though,
I've messed something up.
> The fact that mail.bolen.bc.ca has no reverse DNS configured isn't
> going to help if you do get your server working, anyways - there are a
> number of places that outright reject mail sent from IPs that don't
> reverse-resolve.
Good point. I'll look into that.
> Probably the best advice is to hire a mail administrator, at least to
> set the thing up.
That was Plan A. It didn't work out, and I really want to get this thing
working this week.
> The second best advice would be to join the
> Macos-x-server mailing list over on Apple's website:
>
> http://lists.apple.com/mailman/ (I think that's correct - it's been
> a while since I went to the specific site) The list archives might
> be illuminating...
Thanks! I'll check that out. I appreciate your response.
--
Opinions expressed are not necessarily those of Bolen Books.
Dale Friesen, Sysadmin
Bolen Books, Inc Victoria, BC Canada
root@bolen.bc.ca http://www.bolen.bc.ca
> It sounds like you simply have not configured the "accept mail for
> domains" correctly. Either that, or there is something funky with your
> server's name and your domain dns settings.
For what it's worth, you were right. I hadn't properly configured
"mydestination" in postfix. Thanks for pointing me in the right
direction.
David C. Stone - 23 Dec 2005 14:15 GMT
> > It sounds like you simply have not configured the "accept mail for
> > domains" correctly. Either that, or there is something funky with your
[quoted text clipped - 3 lines]
> "mydestination" in postfix. Thanks for pointing me in the right
> direction.
So does it work now?
That's the thing about hosting virtual domains on a mail server
- you have to tell the software which domains it is accepting
mail for. You don't want to blindly accept mail for any domain,
or you'll be a wide-open spam relay.
And just in case, that is NOT the same as the "accept mail FROM"
domain list!!
A couple of other things:
- I'd only accept mail from authenticated users using one of the
standard (encrypted) authentication schemes
- make sure that no-one has a bonehead password; spammers have
successfully guessed username/password combinations and sent spam
through authenticated-sender servers. The classic is to use the
user name or domain name as the password - ouch!
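A Postfix `main.cf` fragment illustrating the distinction made in this post, added here as an example and not taken from any poster's configuration: `mydestination` lists the domains the server accepts mail for, while relaying to other domains is limited to authenticated clients. The names `example.com` and `mail.example.com` are constructed placeholders, and TLS certificate settings are assumed to be configured elsewhere.

```ini
# /etc/postfix/main.cf (fragment). Constructed values: example.com, mail.example.com

# --- Inbound: domains this host is the final destination for ---
myhostname = mail.example.com
mydomain = example.com
# If the bare domain is missing here (and is not declared as a virtual or
# relay domain), mail for user@example.com is not treated as local and
# outside senders are refused with "Relay access denied".
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain

# --- Outbound: who may relay through this host to other domains ---
# Trust only the loopback address by network position.
mynetworks = 127.0.0.0/8

# Offer SMTP AUTH, but only inside a TLS session so passwords are encrypted.
# (smtpd_tls_security_level needs Postfix 2.3+; older releases use smtpd_use_tls.)
smtpd_tls_security_level = may
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes

# Trusted networks and authenticated users may relay anywhere; everyone else
# may only deliver to the domains accepted above. On Postfix 2.10 and later
# these rules normally go in smtpd_relay_restrictions instead.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# Settings to avoid:
#   mynetworks = 0.0.0.0/0
#       treats every client as trusted, which makes the host an open relay
#   dropping reject_unauth_destination from the list above
#       removes the check that limits strangers to your own domains
```

After a reload, `postconf -n` lists the non-default settings actually in effect, which is a quick way to confirm that `mydestination` and the restriction list are what you intended.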
Dale Friesen - 23 Dec 2005 14:56 GMT
> So does it work now?
It does indeed. I have some minor challenges left (eg how to check
e-mail sent to the "root" account), but I can deal with those at my
leisure.
> That's the thing about hosting virtual domains on a mail server
> - you have to tell the software which domains it is accepting
> mail for. You don't want to blindly accept mail for any domain,
> or you'll be a wide-open spam relay.
That was the step that I missed. Thanks again for pointing me in the
right direction.
> And just in case, that is NOT the same as the "accept mail FROM"
> domain list!!
Heh. I got that one already. :)
> A couple of other things:
>
> - I'd only accept mail from authenticated users using one of the
> standard (encrypted) authentication schemes
I'm under pressure to make it easy for people to e-mail us. We're a
retail environment, and the last thing my bosses want is to bounce
e-mail sent to us from legitimate customers.
That being said, I'll look into this. Maybe there are some things I can
do that won't reject people for not setting up a standard account but
will still reject spammers. Thanks for the suggestion.
> - make sure that no-one has a bonehead password; spammers have
> successfully guessed username/password combinations and sent spam
> through authenticated-sender servers. The classic is to use the
> user name or domain name as the password - ouch!
Is there a way to run password checking in Mac OS X to filter for this
sort of thing? Red Hat had a warning in linuxconf if people entered
boneheaded passwords. I'm also looking for a way to force users to
change their passwords periodically.
Cheers.
--
Opinions expressed are not necessarily those of Bolen Books.
Dale Friesen, Sysadmin
Bolen Books, Inc Victoria, BC Canada
dalef@bolen.bc.ca http://www.bolen.bc.ca
David C. Stone - 24 Dec 2005 01:23 GMT
>[snip]
> > A couple of other things:
[quoted text clipped - 5 lines]
> retail environment, and the last thing my bosses want is to bounce
> e-mail sent to us from legitimate customers.
My miscommunication - do not accept mail that is to be sent _outbound_
from your server on behalf of anyone other than authenticated local
users.
> That being said, I'll look into this. Maybe there are some things I can
> do that won't reject people for not setting up a standard account but
[quoted text clipped - 9 lines]
> boneheaded passwords. I'm also looking for a way to force users to
> change their passwords periodically.
That depends a little on how everything is configured in server 10.4,
which is not a version I have much experience with. I know this was
discussed with the original 10 and 10.1 releases. It _should_ be
possible, although whether this extends to mail authentication depends
a little on how the latter has been set up (I know in exim you can
allow different authentication methods, some of which use different
user name/password combinations than user login/password).
Should be someone on the macos-x-server list who can answer though.
You might also want to check out the PostFix user groups and mailing
lists.
BTW, I'm not certain, but I don't think you need to accept mail FOR
root. Postmaster/abuse, yes, but not root. In my exim configuration,
mail _from_ root is also disallowed.
Good luck!
Dale Friesen - 24 Dec 2005 14:30 GMT
[snip]
> > I'm under pressure to make it easy for people to e-mail us. We're a
> > retail environment, and the last thing my bosses want is to bounce
[quoted text clipped - 3 lines]
> from your server on behalf of anyone other than authenticated local
> users.
I understand now. Yes, that's how I've set it up.
> > Is there a way to run password checking in Mac OS X to filter for this
> > sort of thing? Red Hat had a warning in linuxconf if people entered
[quoted text clipped - 8 lines]
> allow different authentication methods, some of which use different
> user name/password combinations than user login/password).
Now that I have the server accepting mail I can take my leisure and
actually learn how to run the thing. Sadly, there aren't any books
available about Server 10.4 yet, but I'll study some internet resources
until that changes.
If nothing else I could always start using LDAP, but that seems like
overkill.
> Good luck!
Thanks! You've been a great help!
David C. Stone - 24 Dec 2005 19:39 GMT
[snip]
> Now that I have the server accepting mail I can take my leisure and
> actually learn how to run the thing. Sadly, there aren't any books
[quoted text clipped - 7 lines]
>
> Thanks! You've been a great help!
If O'Reilly doesn't have a book on PostFix, I would be very surprised.
Dale Friesen - 24 Dec 2005 21:20 GMT
> If O'Reilly doesn't have a book on PostFix, I would be very surprised.
Sorry--my miscommunication. We have a book on Postfix; it's Server 10.4
that doesn't have a book yet. There's one being released in April, so
I'll pick it up then.
Thanks again.