“I just setup a new server and within days we were on a corporate email blacklist, I contacted the company in question and asked why are we on your blacklist, why won’t you deliver our email. They shared with me an email log of thousands of emails being sent from my mail server through several legitimate email accounts. I ensured that my server was not an open relay so I asked these users, if they had indeed sent this many emails in one shot without any kind of unsubscribe link in the footer of their email. They had! I was so shocked, now what do I do?”

This is an uncomfortable and very perilous position. You want to allow your users to send email to get their job done however you as a systems administrator need to comply with the “Can Spam Act” passed by the FCC to ensure that email continues to flow. You also have companies out there who will block you for violating this act as a precaution on their part. All the while your users can not be bothered to learn about proper email procedures.

In my experience the only thing you can do at this point is to limit how many emails are allowed to be sent at any given time. If you are using OSX Server for Mail or Postfix for Sendmail then this walkthrough will talk about how to limit email recipients and stay off those dreaded blacklists.

Here are the basics that you should know, the following are all settings that can be added to the /etc/postfix/main.cf file of your postfix setup.

smtpd_recipient_limit (default 1000) parameter controls how many recipients the SMTP server will take per message delivery request. You can’t restrict this to a to/cc/bcc field – it’s for all recipients. For that you’d have to use a regular expression in header_checks to arbitrarily limit the length of each header to something reasonable.

smtpd_recipient_overshoot_limit (default 1000) The number of recipients that a remote SMTP client can send in excess of the hard limit specified with smtpd_recipient_limit, before the Postfix SMTP server increments the per-session error count for each excess recipient.

smtpd_hard_error_limit (default 20) parameter to know at what number of errors it will disconnect.

So you technically need to consider the 3 values here which affect both inbound & outbound mail. Then there’s the throttling tools.

smtpd_client_recipient_rate_limit (default: 0 no limit) The maximum number of recipient addresses that an SMTP client may specify in the time interval specified via anvil_rate_time_unit (default: 60s -careful adjusting this affects other things)” and note that this is “regardless of whether or not Postfix actually accepts those recipients” Those over will receive a 450 4.7.1 Error: too many recipients from [the.client.ip.address] It’s up to the client to deliver those recipients at some later time.

smtpd_client_connection_rate_limit (default: 0) The maximal number of connection attempts any client is allowed to make to this service per time unit. The time unit is specified with the anvil_rate_time_unit configuration parameter.

smtpd_client_message_rate_limit (default: 0) The maximal number of message delivery requests that any client is allowed to make to this service per time unit, regardless of whether or not Postfix actually accepts those messages. The time unit is specified with the anvil_rate_time_unit configuration parameter.

The purpose of these features are to limit abuse, as opposed to regulating legitimate mail traffic, but I use them that way in order to mitigate spam blacklisting. In my organization we limit the recipients from one email to 25 you can see the code from my sample /etc/postfix/main.cf. If your file does not have these values you can add them to the bottom of the file.

1
2
3
4
5
6
7
8
9
10

smtpd_recipient_limit = 50
smtpd_recipient_overshoot_limit = 51
smtpd_hard_error_limit = 20
smtpd_client_recipient_rate_limit = 50
smtpd_client_connection_rate_limit = 10
smtpd_client_message_rate_limit = 25
default_extra_recipient_limit = 50
duplicate_filter_limit = 50
default_destination_recipient_limit = 50
smtp_destination_recipient_limit = $default_destination_recipient_limit

Once done you need to restart postfix

sudo postfix reload

I hope that you all found this article and walkthrough educational, as always please feel free to interact with me by posting questions and comments and I will answer them as best as I can. If you feel like any of this is wrong or could be improved upon also please leave a comment below, thanks!

Great, another strange Apple bug I thought until someone was able to forward me the bounced email to my personal email account. Further insight in the error showed that the message was getting bounced back due to a blank subject line. As you can see from the example below its due to a blank or empty subject heading. Yes, apparently Apple has added this as an actual “Feature”. You can turn this off however by commenting out the only line of code in the file /etc/postfix/custom_header_checks.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

=====================================
This is the mail system at host mail.xxxxxxx.org.
 
I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.
 
For further assistance, please send mail to postmaster.
 
If you do so, please include this problem report. You can
delete your own text from the attached returned message.
 
The mail system
 
<user@domain.org>: host
mail.domain.org http://xx.xxx.xxx.xxx said: 550 5.7.1 empty subject
=====================================

Turn off the mail service before you do this. Once the mail service is off edit the file using sudo pico.

1
2
3
4
5

/^subject: *$/ REJECT empty subject header in /etc/
 
into:
 
#/^subject: *$/ REJECT empty subject header in /etc/

Start mail back up again and you will notice that the blank subject line blues are gone away.

I found Roundcube to be extremely easy to setup, however sort of hard to configure and tweak for use on an OSX Server. The biggest drawback to the old mail system was that while everyone had email accounts they were local accounts meaning their was no LDAP database at work so there was no way to have an auto complete or global LDAP address book that most of the people at our organization really craved. I decided that when moving to 10.6.2 we would have to get this feature established and I am documenting this here clearly as I found there was limited documentation for and I know there are many people using 10.6.2 and Roundcube together.

Once Roundcube is installed head over to main.inc.php in the Roundcube config directory. I wanted the user to have access to the LDAP address book and also have the ability to have their own so on this line make sure that SQL is chosen as the primarty type of address book if this is your intent.

1

$rcmail_config['address_book_type'] = 'sql';

in the main.inc.php file the LDAP settings are kind of tricky. It gives you an example of a functional LDAP setup below for an organization named Verisign locate these lines in the main.inc.php file

1
2
3

// In order to enable public ldap search, configure an array like the Verisign
// example further below. if you would like to test, simply uncomment the example.
$rcmail_config['ldap_public'] = array(Verisign);

Notice that the third line is un-commented meaning that it is an active setting. Which means that what we are about to do below will not register until we comment out this line otherwise there will be two active configurations and neither will work this really tripped me up and had me stumped for days until I realized that I had two

1

 $rcmail_config['ldap_public']

attributes at work at the same time so next comment this out as below.

1
2
3

// In order to enable public ldap search, configure an array like the Verisign
// example further below. if you would like to test, simply uncomment the example.
// $rcmail_config['ldap_public'] = array(Verisign);

Once this is done go down to the example below and start uncommenting the LDAP configuration lines one by one and filling out the information as you go here is an example of my configuration for the Name use whatever name you want the address book to show up as in the roundcube address book area. Your host name should be the fully qualified domain name of your directory server. Your default port on an ODM is 389. Only use TLS if you are using a secure SSL connection and always use User Specific so that the user is what is causing the OD Bind during lookups rather than the Directory Admin.

1
2
3
4
5
6

$rcmail_config['ldap_public']['Verisign'] = array(
  'name'          => 'Company Name',
  'hosts'         => array('fullyqualified.domainofdirectoryserver.com'),
  'port'          => 389,
  'use_tls'	    => false,
  'user_specific' => true,

Next you must define the Base Search DN which is always your fully qualified domain name split up using dc= so if your directory name was directory.verisign.com then your base dn would be dc=directory, dc=verisign, dc=com. Here is what is not documented in many places it took me a long time to figure out that the Bind DN must have an active user or the directory admins UID here as well as cn=users, so that it knows how to find that user. I also configured mine to be non writable because I was unsure how safe this would be with the ODM.

1
2
3
4

  'base_dn'       => 'dc=fullyqualified,dc=domainofdirectoryserver,dc=com',
  'bind_dn'       => 'uid=DirAdmin,cn=users,dc=fullyqualified,dc=domainofdirectoryserver,dc=com',
  'bind_pass'     => 'DirAdmin_Password',
  'writable'      => false,

In order to get an actual accurate listing in the address book you must tweak the settings to include the specific user settings int he ODM LDAP directory.

1
2
3
4
5
6
7
8
9
10
11
12
13

  'LDAP_Object_Classes' => array("top","person","inetOrgPerson","abxldapPerson"), 
  'required_fields'     => array("givenName", "cn", "sn", "mail"),    
  'LDAP_rdn'      => 'mail', 
  'ldap_version'  => 3,      
  'search_fields' => array('givenName', 'cn', 'sn', 'mail'),  // fields to search in
  'name_field'    => 'cn',    
  'email_field'   => 'mail',  
  'surname_field' => 'sn',   
  'firstname_field' => 'givenName', 
  'sort'          => 'givenName',    
  'scope'         => 'sub',  
  'filter'        => 'givenName=*',     
  'fuzzy_search'  => true);

These settings will help you establish the correct mappings to Last Name, First Name, Email Address and Full Name or Given Name. These settings were very hard to find as there was limited documentation on both Apples part and on the Roundcube forums. Once done here I set it up to auto complete from the sql address book first and then to default over to the LDAP address book.

1
2
3

// An ordered array of the ids of the addressbooks that should be searched
// when populating address autocomplete fields server-side. ex: array('sql','Verisign');
$rcmail_config['autocomplete_addressbooks'] = array('sql','Verisign');

In parting my only piece of advice is to use the configuration here and remove the term Verisign and replace that variable with one that makes sense for you and your organization. Lastly if this does not work make sure that you have the correct domain name of the server and also ensure that you have enabled users to access the LDAP directory in Workgroup Manager.

setup the 10.6.2 Snow Leopard server clean before I did anything I setup DNS on the server and manually retyped and rechecked all of the DNS records from the 10.5 server to the 10.6.2 server. Once I verified that the DNS records were set. I checked the server’s DNS by running sudo changeip -checkhostname and it came back clean. Great good to go, or so I thought.

I had setup split horizon DNS on the server, the Open Directory Master, has already been setup on a single use Mac Mini Server. The Mac Mini Server is running the ODM and DNS. The DNS on the Mini is self referencing and my router has the public ip mapped to the private. The new Mail server (10.6.2) also running DNS had a record pointing to the public ip of the ODM. Great, next step bind the mail server to the ODM so that I can start to migrate mail accounts.

I was working on this project around 10:00pm in the evening not knowing how long that it would take to migrate the accounts from Cyrus to Dovecot, but I had studied the Apple upgrade instructions for weeks prior so I felt like I had it totally under control. I followed the instructions and used the code from page 42 of the manual.

sudo /usr/libexec/dovecot/migrate_mail_data.pl --moveMail 0 --cyrusBin "/Volumes/10.5 Server Volume Name/usr/bin/cyrus/bin" --database "/Volumes/10.5 Server Volume Name/var/imap" --sourceSpool "/Volumes/10.5 Server Volume Name/var/spool/imap" --targetSpool "/var/spool/imap/dovecot/mail"

The script will tell you if your doing something wrong, which is helpful. My biggest question was how long would it take to migrate 30GB of mail to the new mail server. The answer, exactly two hours. I had decided that instead of using a firewire cable to connect the two servers together that I would simply pop the HD out of the old mail server and put it into the new server. This made a huge difference in the time of migration.

Once it finished I turned on mail, and everything started working fine. Great! I cleaned up my tools and logged out of the server and went home around 2am. The next few days were pure hell. As mentioned above I decided to use split horizon DNS. It was my first attempt at doing this and what I had noticed in the logs were a myriad of disconnect warnings every 5 min the mail server was getting disconnected from the ODM and then reconnecting causing some major issues.

The log files were filling up so fast that they were causing kernel panics, I had to reboot the server many times once every couple of hours, I decided to call Apple. The Apple representative captured my logs, and promptly told me that I would have to reformat the hard drive and completely start over. I told him that this was a clean install and that no way would I be starting over. He offered no other solution or advice other than telling me that it was not normal for a new server to have kernel panics this early in the game.

I decided to check my DNS turns out that the route statement in the router, was not properly entered. It was getting to the server but it was unable to retain a connection. I re-entered the route statement correctly and then rebooted the router. Almost immediately the issues stopped. Apple has come a long way in their migration capabilities if your ever having issues with your 10.6.2 mail service DNS is almost always the culprit!