19 Replies. Latest reply: Oct 19, 2012 12:47 PM by OoO_Bailey_OoO
OoO_Bailey_OoO, Level 1 (0 points)

I just did a fresh install of Mountain Lion 10.8.2 + Server and I can't get the Mail server to work properly.

 

Here are the behaviours:

  • Receive emails sometimes then it stops
  • Cannot send
  • Client-side connection only works with Cleartext, not with Open Directory authentication settings for Mail (Kerberos and MD5)

 

I've verified the hostname and DNS settings. Compared to what I had in Lion Server, things look good.

I'm showing my limited knowledge here, but one difference is that I didn't create an MX record on the server because I didn't have one in Lion or Snow Leopard Server, having it at the domain registrar-level instead. From here it sends to mail.mydomain.com where I have an alias from mail to server.mydomain.com.

 

Ports 993 and 587 (and more) are open although I had to create them manually. For some reason, ML doesn't have this Airport preset.

 

Anyway, please help if you can.

 

Thanks


Mac mini, OS X Server, Mid-2010
  • Mark23, Level 3 (975 points)

    First, do you run OS X Server 2.1.1, which is the latest version of server? You can check by opening the App Store and see if there are updates.

     

    Second, do you run OS X Server at home? If yes, your provider might be blocking port 25, which is needed so that SMTP servers (for delivering mail) can talk to each other. Using a DNS provider that offers SMTP services on another port together with your Airport Extreme, this isn't hard to overcome.

     

    Third, look here to see if you've set up mail correctly: http://krypted.com/mac-os-x/setting-up-the-mail-service-in-mountain-lion-server/

  • OoO_Bailey_OoO, Level 1 (0 points)

    Thank you for your response.

     

    I am running 2.1.1 and I am running this server at home.

     

    I've been running an OS X mail server successfully for a number of years with the same ISP without issues on port 25. Recently, I called to ask them if they were blocking a different port for a different issue and they told me that they "do not block any ports, ever, period".

     

    So I think I am ok there. I've seen that post before, but I'll read through it more carefully this time and report back.

  • Mark23, Level 3 (975 points)

    Do you use IMAP? You are using IMAP... (993 being the port)

    I found that IMAP only worked for me when I had an SSL certificate set in the Server app, so make sure it is set correctly.

  • OoO_Bailey_OoO, Level 1 (0 points)

    I am, no POP actually. I have SSL set already.

  • Mark23, Level 3 (975 points)

    Yes, well... You've opened the wrong port if you are using POP... the port would be 995...

  • OoO_Bailey_OoO, Level 1 (0 points)

    So I ran through the krypted.com page. I can successfully telnet on 25. My fullstatus read-out is pretty much the same as his (except for timestamps of course).

     

    I'm not sure if this is mandatory or not, but I haven't done anything in here and I’m not sure what it's for:

    mail:postfix:mynetworks:_array_index:0 = "127.0.0.0/8" – Add entries to this one to add "local" clients

     

    Other than that, things look good.

  • OoO_Bailey_OoO, Level 1 (0 points)

    Sorry, I wrote that in sentence fragments and it wasn't clear. I am running IMAP, I have not permitted POP.

  • Mark23, Level 3 (975 points)

    When you open up the server app and look in the logs section under Mail server, what does it read?

  • OoO_Bailey_OoO, Level 1 (0 points)

    Nothing terribly descriptive (to me) unfortunately:

     

    Oct 15 14:30:24 server.mydomain.com log[21712]: imap(pid 21731 user com.apple.calendarserver): Disconnected: Logged out bytes=68/817

    Oct 15 14:30:55 server.mydomain.com log[21712]: imap-login: Login: user=<com.apple.calendarserver>, method=CRAM-MD5, rip=127.0.0.1, lip=127.0.0.1, mpid=21731, TLS

     

    REPEAT the above two statements a lot

     

    Oct 15 14:30:55 server.mydomain.com log[21712]: imap(pid 21731 user com.apple.calendarserver): Disconnected: Logged out bytes=68/817

     

    SMTP Log shows some things though:


    Oct 15 14:24:58 server.mydomain.com postfix/qmgr[21695]: AC28E8D9A9: from=<bounces+18368-a488-bailey=mydomain.com@messages.address.com>, size=27929, nrcpt=1 (queue active)

    Oct 15 14:24:58 server.mydomain.com postfix/error[23139]: 667488EAA9: to=<bailey@mydomain.com>, relay=none, delay=21135, delays=21135/0.15/0/0.03, dsn=4.3.0, status=deferred (mail transport unavailable)

    Oct 15 14:24:58 server.mydomain.com postfix/error[23142]: AC28E8D9A9: to=<bailey@mydomain.com>, relay=none, delay=33950, delays=33950/0.07/0/0.01, dsn=4.3.0, status=deferred (mail transport unavailable)

    Oct 15 14:24:58 server.mydomain.com postfix/error[23140]: 6ED788EAA5: to=<bailey@mydomain.com>, relay=none, delay=21143, delays=21143/0.11/0/0.02, dsn=4.3.0, status=deferred (mail transport unavailable)

    Oct 15 14:29:58 server.mydomain.com mail_groups[23440]: initializing email group services

    Oct 15 14:29:59 server.mydomain.com mail_groups[23440]: no enabled mail groups found

    Oct 15 14:29:59 server.mydomain.com mail_groups[23440]: sleeping for: 1 hour(s)

    Oct 15 14:34:58 server.mydomain.com postfix/qmgr[21695]: 1F6C98DB8A: from=<someone@anotheraddress.com>, size=17580, nrcpt=1 (queue active)

    Oct 15 14:34:58 server.mydomain.com postfix/qmgr[21695]: warning: connect to transport private/smtp-amavis: Connection refused

    Oct 15 14:34:58 server.mydomain.com postfix/error[23523]: 1F6C98DB8A: to=<bailey@mydomain.com>, relay=none, delay=33807, delays=33807/0.1/0/0.01, dsn=4.3.0, status=deferred (mail transport unavailable)

    Oct 15 14:37:29 server.mydomain.com postfix/smtpd[23565]: warning: hostname proxy.address.com does not resolve to address XX.XXX.XXX.XXX: nodename nor servname provided, or not known

    Oct 15 14:37:29 server.mydomain.com postfix/smtpd[23565]: connect from unknown[XX.XXX.XXX.XXX]

    Oct 15 14:37:33 server.mydomain.com postfix/smtpd[23565]: lost connection after EHLO from unknown[XX.XXX.XXX.XXX]

    Oct 15 14:37:33 server.mydomain.com postfix/smtpd[23565]: disconnect from unknown[XX.XXX.XXX.XXX]

  • OoO_Bailey_OoO, Level 1 (0 points)

    Do you get these errors? Do you think they could be related?

     

    2012-10-15 4:31:17.839 PM com.apple.launchd[1]: (com.apple.collabd.expire[26444]) Exited with code: 1

    2012-10-15 4:31:18.000 PM kernel[0]: Sandbox: sandboxd(26449) deny mach-lookup com.apple.coresymbolicationd

    2012-10-15 4:31:19.405 PM sandboxd[26449]: ([26445]) collabpp(26445) deny file-read-metadata /private/var/teamsserver

    2012-10-15 4:31:19.448 PM sandboxd[26449]: ([26445]) collabpp(26445) deny file-read-data /Library/Preferences/.GlobalPreferences.plist

    2012-10-15 4:31:20.456 PM sandboxd[26449]: ([26445]) collabpp(26445) deny file-read-data /Library/Preferences/.GlobalPreferences.plist

    2012-10-15 4:34:00.435 PM collabd[116]: [CSContentService:47 cd41000 +19ms] Detected Magic Superuser Auth Token

     

    I'm not sure why there could be so many errors with a fresh install and the basic services set up. Maybe I didn't do it in the right order, but I was following the order of topics in the Apple admin guide.

     

    Is there a recommended order to the initial set up that I should follow?

     

    Thanks

  • Mark23, Level 3 (975 points)

    How does the content of the file /Library/Server/Mail/Config/postfix/main.cf look?

  • OoO_Bailey_OoO, Level 1 (0 points)

    Seems so, but I don't know what I'm looking for. Previously, I increased the size limit, but that's the only thing I've changed that I recognize in here.

     

    I noticed entries for TLS. Is that required on the client side? I would have expected Profile Manager to set that all up when I issued the profiles.

     

    Uncommented lines only:

     

    queue_directory = /Library/Server/Mail/Data/spool
    command_directory = /usr/sbin
    daemon_directory = /usr/libexec/postfix
    data_directory = /Library/Server/Mail/Data/mta
    mail_owner = _postfix
    unknown_local_recipient_reject_code = 550
    debug_peer_level = 2
    debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
    sendmail_path = /usr/sbin/sendmail
    newaliases_path = /usr/bin/newaliases
    mailq_path = /usr/bin/mailq
    setgid_group = _postdrop
    html_directory = /usr/share/doc/postfix/html
    manpage_directory = /usr/share/man
    sample_directory = /usr/share/doc/postfix/examples
    readme_directory = /usr/share/doc/postfix
    dovecot_destination_recipient_limit = 1
    mailbox_size_limit = 0
    smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
    tls_random_source = dev:/dev/urandom
    imap_submit_cred_file = /Library/Server/Mail/Config/postfix/submit.cred
    use_sacl_cache = yes
    mydomain_fallback = localhost
    message_size_limit = 104857600
    biff = no
    mynetworks = 127.0.0.0/8, [::1]/128
    smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated permit
    recipient_delimiter = +
    smtpd_tls_ciphers = medium
    inet_protocols = all
    inet_interfaces = all
    config_directory = /Library/Server/Mail/Config/postfix
    smtpd_enforce_tls = no
    smtpd_use_pw_server = yes
    relayhost =
    smtpd_tls_cert_file = /etc/certificates/server.mydomain.com.3CFA895E35F8C6ABD1641E07CE2CE315EA908FE1.cert.pem
    mydomain = mydomain.com
    smtpd_pw_server_security_options = cram-md5,gssapi,login,plain
    smtpd_sasl_auth_enable = yes
    smtpd_helo_required = no
    smtpd_tls_CAfile = /etc/certificates/server.mydomain.com.3CFA895E35F8C6ABD1641E07CE2CE315EA908FE1.chain.pem
    content_filter =
    smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination permit
    header_checks =
    myhostname = server.mydomain.com
    smtpd_helo_restrictions =
    smtpd_use_tls = yes
    smtpd_tls_key_file = /etc/certificates/server.mydomain.com.3CFA895E35F8C6ABD1641E07CE2CE315EA908FE1.key.pem
    enable_server_options = yes
    recipient_canonical_maps = hash:/Library/Server/Mail/Config/postfix/system_user_maps
    virtual_alias_maps = $virtual_maps
    smtpd_sasl_local_domain = server.mydomain.com
    mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
    mailbox_transport = dovecot
    postscreen_dnsbl_sites =
    maps_rbl_domains =

  • OoO_Bailey_OoO, Level 1 (0 points)

    I tried resorting to the default and I tried retrofitting someone else's main.cf from another post, but SMTP still doesn't work in either case and IMAP only works with Cleartext.

     

    At this point I think I have to start over and reinstall, but I'd like to find out an appropriate order of operations first.

     

    Unfortunately, Lynda.com didn't do a Mountain Lion Server series, so I can't get a subscription there, and following the order of topics in the Apple documentation didn't work this time, so I'm wondering if someone can point me to a good source of orderly information or tell me their approach.

     

    Here's what I've gleaned from another post (thanks Martyin):

     

    1. initial Mountain Lion, then install and setup OSX Server (basic)
    2. Adjust and or Check! the DNS for correct operation, as it is the only service started after the basic installation.
      • Question: If I have an MX record at the registrar and a mail -> server.mydomain.com alias on the server, do I need an MX record on the server?
      • Breakdown for DNS records that I would set up. Please correct me if I'm wrong:
        • server. machine record
        • server. name server record (in primary and reverse zones)
        • www alias
        • mail alias
        • _carddav service as per Apple doc
        • _caldav service
        • _xmpp-client
        • _xmpp-server
        • reverse IP to server. mapping
    3. reallocate the Users Map / groups map and or server data location.
      • Since I'm doing a new install, I'm not sure if this applies to my case
    4. Create the "missing" teamsserver map and give appropriate rights
      chown  _teamsserver:teamsserver  teamsserver
      • I've noticed this error among many others in the standard install so this is a good time to correct it. Let me know if there are others that I can/should do.
    5. Configure the correct ports / port forwarding
      • Question: Including typical Mail ports manually since there is no preset, right?
    6. Check if needed the Certs ( if needed cause you have a commercial one )
    7. Start the Profile Manager configuration (Without starting up the service, just configure)
    8. Check the logs after this
    9. Start Web server and Wiki and Messenger
    10. Start Profile manager
    11. Start rest of the services as needed
    12. After checking logs again and if everything seems ok, THEN start creating users and groups.

     

    Is this an appropriate order? Is anything missing?

     

    Thank you!

  • OoO_Bailey_OoO, Level 1 (0 points)

    So I reinstalled following the procedure above and things are better except a couple of issues:

     

    - I can send mail from my Mac but I can't send from the iPhone

    - Profile Manager insists on setting up the Mail account with port 143 despite having SSL checked

    - Profile Manager also insists on setting up anything with an email address as "@server.mydomain.com" instead of "@mydomain.com" (i.e. with the subdomain)

    - I'm getting enormous amounts of mail log errors suddenly tonight

    "Oct 18 22:38:51 server.mydomain.com postfix/postscreen[78873]: CONNECT from [173.9.0.233]:10239 to [10.0.1.50]:25

    Oct 18 22:38:51 server.mydomain.com postfix/postscreen[78873]: PASS OLD [173.9.0.233]:10239

    Oct 18 22:38:51 server.mydomain.com postfix/smtpd[78958]: connect from 173-9-1-233-newengland.hfc.comcastbusiness.net[173.9.0.233]

    Oct 18 22:38:52 server.mydomain.com postfix/smtpd[78944]: error: authentication method: LOGIN is not enabled

    Oct 18 22:38:52 server.mydomain.com postfix/smtpd[78944]: warning: 173-9-1-233-newengland.hfc.comcastbusiness.net[173.9.0.233]: SASL LOGIN authentication failed"

     

    I don't recognize the IP address which suggests that someone is trying to get in via a brute force attack, but I have a feeling that maybe I have something set wrong. Even if I leave the Mail service off for an hour it comes back as soon as I start it up again.

     

    I tried Icefloor to block the IP with pfctl, but ended up blocking port 25 instead. Mail is set to authenticate by SSL cert (not self-signed), Kerberos or MD5 only so I'm hoping that's good insurance.

     

    What can I do to see if I have something set wrong? I don't really like the idea of having to permanently block port 25 when I never had to before, especially since I'm having send problems.
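A defender-side triage of the two kinds of log lines quoted in this thread: the deferred "mail transport unavailable" / smtp-amavis entries in the earlier SMTP log post, and the repeated SASL LOGIN failures in the last post. This is an added example, not code from the thread or from OS X Server; the sample log is constructed from the quoted lines (server.mydomain.com, 173.9.0.233 and the queue IDs are the thread's own values, 198.51.100.7 is an added documentation-range address), and the threshold of 3 is an assumption.

```python
import re
from collections import Counter

# Constructed sample log modelled on the Postfix lines quoted in the thread.
# 198.51.100.7 (RFC 5737 documentation range) is added to show a below-threshold client.
SAMPLE_LOG = """\
Oct 15 14:24:58 server.mydomain.com postfix/error[23139]: 667488EAA9: to=<bailey@mydomain.com>, relay=none, delay=21135, delays=21135/0.15/0/0.03, dsn=4.3.0, status=deferred (mail transport unavailable)
Oct 15 14:34:58 server.mydomain.com postfix/qmgr[21695]: warning: connect to transport private/smtp-amavis: Connection refused
Oct 15 14:34:58 server.mydomain.com postfix/error[23523]: 1F6C98DB8A: to=<bailey@mydomain.com>, relay=none, delay=33807, delays=33807/0.1/0/0.01, dsn=4.3.0, status=deferred (mail transport unavailable)
Oct 18 22:38:52 server.mydomain.com postfix/smtpd[78944]: error: authentication method: LOGIN is not enabled
Oct 18 22:38:52 server.mydomain.com postfix/smtpd[78944]: warning: 173-9-1-233-newengland.hfc.comcastbusiness.net[173.9.0.233]: SASL LOGIN authentication failed
Oct 18 22:38:53 server.mydomain.com postfix/smtpd[78944]: warning: 173-9-1-233-newengland.hfc.comcastbusiness.net[173.9.0.233]: SASL LOGIN authentication failed
Oct 18 22:38:55 server.mydomain.com postfix/smtpd[78944]: warning: 173-9-1-233-newengland.hfc.comcastbusiness.net[173.9.0.233]: SASL LOGIN authentication failed
Oct 18 22:40:01 server.mydomain.com postfix/smtpd[78990]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed
"""

# Patterns for the four line shapes that matter here.
DEFERRED = re.compile(r"postfix/error\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>.*status=deferred \((?P<reason>[^)]*)\)")
TRANSPORT = re.compile(r"warning: connect to transport (?P<transport>\S+): (?P<err>.+)$")
NOT_ENABLED = re.compile(r"error: authentication method: (?P<mech>\S+) is not enabled")
SASL_FAIL = re.compile(r"warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL (?P<mech>\S+) authentication failed")


def triage(log_text):
    """Summarise a Postfix log: why mail is deferred, which transport refused the
    connection, which mechanisms clients requested that the server does not offer,
    and how many SASL failures each client IP produced."""
    summary = {"deferred": Counter(), "transport_errors": {},
               "not_enabled": Counter(), "sasl_failures": Counter()}
    for line in log_text.splitlines():
        if m := DEFERRED.search(line):
            summary["deferred"][m["reason"]] += 1          # e.g. "mail transport unavailable"
        elif m := TRANSPORT.search(line):
            summary["transport_errors"][m["transport"]] = m["err"]  # the root cause of the deferrals
        elif m := NOT_ENABLED.search(line):
            summary["not_enabled"][m["mech"]] += 1         # client asked for a disabled mechanism
        elif m := SASL_FAIL.search(line):
            summary["sasl_failures"][m["ip"]] += 1
    return summary


def brute_force_suspects(summary, threshold=3):
    """Client IPs with at least `threshold` SASL failures: candidates for a pf block
    on the single address rather than on port 25 as a whole (assumed threshold)."""
    return sorted(ip for ip, n in summary["sasl_failures"].items() if n >= threshold)
```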
