FromOZ

Q: Server 5.x install -> Amavis wrong domain setting

I am interested to get feedback from everyone regarding this query. I am not sure if the current Server 5.x install on El Capitan (clean install) is meant to have this (incorrect?) behaviour or not.

 

Here is the background:

 

  • Clean install of OS X Server (5.0.15) on a clean install of El Capitan 10.11.2
  • Server pre-flight preparation rigorously checked.
  • Assume Internet legal domain is 'example.com' (real domain obviously different), server host name is 'server.example.com' and server name is 'Server'. Bonjour local hostname is 'Server.local'.
  • DNS checked and double checked before setup of any other services — forward and reverse domains. Check. Internal (split-horizon) domain of example.com with OS X DNS server correctly acting as SOA. Check.
  • Internet legal domain and DNS for 'example.com' with A record for 'server.example.com'.
  • Internet legal SSL certificate for hostname 'server.example.com' installed in OS X Server and functioning for all services.
  • Open Directory installed and working.
  • Local Network Directory users created, e.g. User 'user' with email of user@example.com
  • In / out email working flawlessly.
  • It's all working.


Here's the issue though...


When I did the first install (I redid the whole thing when I saw this) and I was checking everything I saw in email headers that mail was being delivered saying this 'user@server.example.com' (the host name) instead of 'user@example.com' (the domain) as I used to see with server 3.x


============ EMAIL HEADER ============

Return-Path: <bounce-5308718-50395022@nowhere.com>

Delivered-To: user@server.example.com

Received: from localhost (localhost [127.0.0.1])

  by server.example.com (Postfix) with ESMTP id BD9B5906982

  for <user@example.com>; Wed, 30 Dec 2015 09:24:24 +0100 (CET)

X-Virus-Scanned: amavisd-new at server.example.com

Authentication-Results: server.example.com (amavisd-new);

  dkim=pass (1024-bit key) header.d=nowhere.com

Received: from server.example.com ([127.0.0.1])

  by localhost (server.example.com [127.0.0.1]) (amavisd-new, port 10024)

  with ESMTP id F3rRxxYjQxCz for <user@example.com>;

  Wed, 30 Dec 2015 09:24:23 +0100 (CET)

Received: from nowhere.com (svr03.nowhere.com [12.123.12.123])

  by server.example.com (Postfix) with SMTP id 1AE2FF0892A

  for <user@example.com>; Wed, 30 Dec 2015 09:24:22 +0100 (CET)

========================================


After I did the complete reinstall, and after double/triple checking everything it still said the same. As everything was working perfectly I thought it was just a change in how Apple had setup things from Server 3.x to 5.x and I left it.


Today I was looking at setting up DKIM and had occasion to look at the amavisd.conf file and saw the following

============ amavisd.conf ============

# COMMONLY ADJUSTED SETTINGS:

 

$mydomain = 'server.example.com';   # a convenient default for other settings

$MYHOME = '/Library/Server/Mail/Data/scanner/amavis';   # a convenient default for other settings, -H

8<------------------

# OTHER MORE COMMON SETTINGS (defaults may suffice):

 

# $myhostname = 'host.example.com';  # must be a fully-qualified domain name!

=======================================


I don't believe the (auto set by Apple setup) entry for $mydomain is correct, it should be obviously 'example.com' (it was that on my 3.x server). Also the $myhostname entry is disabled and has not been set by the Apple setup, it should be enabled and be 'server.example.com'. I will note that, as commonly happens (well it does for me) when you setup a server machine from scratch that the Apple DNS server initially makes a DNS domain of the hostname (server.example.com) which you have to delete. I did so, again, before enabling any other services esp. email.


Questions:

  • What do others see on their new, from scratch, Server 5.x installs — the same behaviour?
  • Do we agree that the $mydomain variable should be 'example.com'
  • If I change this now (after email been running for a week) what will be the impact? To the Postfix mail service, the Amavis service?
  • Would the change have any affect on already received user emails in the Dovecot IMAP folders.

Mac mini, OS X El Capitan (10.11.2), OS X Server 5

Posted on Dec 30, 2015 4:09 AM

Close

Q: Server 5.x install -> Amavis wrong domain setting

  • All replies
  • Helpful answers

  • by FromOZ,

    FromOZ FromOZ Dec 30, 2015 8:47 AM in response to FromOZ
    Level 3 (545 points)
    Dec 30, 2015 8:47 AM in response to FromOZ

    I did further investigation and found the following.


    Looking for text 'server.example.com' (again my details anonymised) in all the config files (you can run also to check)

    sudo grep -rnw '/Library/Server/Mail/Config' -e "server.example.com"


    I found the following list, I removed out all the entries for certificates as they should be for 'server.example.com'

     

    Mail

    ====

    /Library/Server/Mail/Config/amavisd/amavisd.conf:22:$mydomain = 'server.example.com';   # a convenient default for other settings

    /Library/Server/Mail/Config/dovecot/conf.d/10-auth.conf:43:auth_realms = server.example.com

    /Library/Server/Mail/Config/dovecot/conf.d/15-lda.conf:20:postmaster_address = postmaster@server.example.com

    /Library/Server/Mail/Config/postfix/main.cf:735:myhostname = server.example.com

     

    Details:

    • again the amavisd conf file entry for $mydomain is wrong
    • the amavisd conf file has the entry for the host commented out, it should be 'server.example.com'
    • not sure about the dovecot auth entry
    • the Dovecot postmaster address is wrong, in the configuration file it states the form should be postmaster@<yourdomain>
    • also in the Dovecot 15-lda.conf file there is a line for hostname which is commented out, the conf file says it should default to the system's real hostname@domain but when I run doveconf I see only 'hostname=' so it seems to me that should be set also.

     

    Has anyone seen other than this on their (new install, not upgrade) OS X Server 5.x systems? That is your system says "example.com" for $mydomain entry in amavisd.conf etc.


    Again, obviously, my main concern is — will there be any negative affect on the running system if I change the wrong entries and add the entries which were not uncommented and correctly filled in by the Apple server setup.

  • by UptimeJeff,Solvedanswer

    UptimeJeff UptimeJeff Dec 30, 2015 12:40 PM in response to FromOZ
    Level 4 (3,477 points)
    Dec 30, 2015 12:40 PM in response to FromOZ

    Server 5 uses virtual_users to map address to local accounts.

    cat /Library/Server/Mail/Config/postfix/virtual_users

    The file is updated automatically by Server.app

    Mail arrives for user@example.com then is mapped to user@server.example.com for local delivery.

     

    If you are curious, this command pulls the relevant settings from postfix  (space after mydomain is intentional)

    grep -E '^(myhostname|mydomain |mydestination|virtual_alias)' /Library/Server/Mail/Config/postfix/main.cf

     

    As you discovered, there is an issue with mydomain in amavisd.conf.

    Your mail header shows a virus scan but not a spam scan (x-spam).

    virus scans are performed regardless if mydomain matches the recipient address, but spam scans only occur when matched.

     

    Change mydomain (in amavisd.conf) to example.com

     

    Restart amavis

    sudo launchctl stop org.amavis.amavisd

     

    Note:

    Its possible to change your setup to the old behavior  (local, not virtual domains) but you might as well adapt to the way Apple defaults. It makes things easier and helps ensure compatability with their GUI.

     

     

    Hope that helps.

  • by FromOZ,

    FromOZ FromOZ Dec 30, 2015 12:40 PM in response to UptimeJeff
    Level 3 (545 points)
    Dec 30, 2015 12:40 PM in response to UptimeJeff

    Hi - thanks for info. Good to know about the virtual users part so don't need to be worried about the @server.example.com part.


    I ran the command you mentioned, here is the result (domain name changed again).

    $ grep -E '^(myhostname|mydomain |mydestination|virtual_alias)' /Library/Server/Mail/Config/postfix/main.cf

    virtual_alias_domains = $virtual_alias_maps hash:/Library/Server/Mail/Config/postfix/virtual_domains

    virtual_alias_maps = $virtual_maps hash:/Library/Server/Mail/Config/postfix/virtual_users hash:/Library/Server/Mail/Data/listserver/aliases/list_server_virtual

    mydomain = example.com

    myhostname = server.example.com

    mydestination = $mydomain, $myhostname, localhost.$mydomain, localhost

     

    After you having mentioned about the spam scanning not appearing to be happening I checked further and you are correct. Thing is after making the change to amavisd.conf to


    $mydomain = 'example.com';


    and the other files I mentioned and doing a full reboot spam checking is still not working. I even changed the mydestination line in Postfix main.cf to put the $mydomain at the beginning. Still no spam checking. What can I check to see if spamassassin is being called/working.

  • by FromOZ,

    FromOZ FromOZ Dec 30, 2015 2:12 PM in response to FromOZ
    Level 3 (545 points)
    Dec 30, 2015 2:12 PM in response to FromOZ

    Well this must be something new in OS X Server 5... spam filtering is working, and... I see all the X-Spam headers

    Return-Path: <MAILER-DAEMON>

    Delivered-To: user@server.example.com

    Received: from localhost (localhost [127.0.0.1])

      by server.example.com (Postfix) with ESMTP id 92FB21148E6

      for <user@example.com>; Wed, 30 Dec 2015 22:45:58 +0100 (CET)

    X-Quarantine-ID: <xdk8XihueEjX>

    X-Virus-Scanned: amavisd-new at example.com

    X-Amavis-Alert: BAD HEADER SECTION, Missing required header field: "Date"

    X-Spam-Flag: YES

    X-Spam-Score: 13.305

    X-Spam-Level: *************

    X-Spam-Status: Yes, score=13.305 tagged_above=2 required=6

      tests=[DSN_NO_MIMEVERSION=1.999, HELO_DYNAMIC_SPLIT_IP=2.893,

      LONG_TERM_PRICE=0.001, MISSING_DATE=1.396, MISSING_MID=0.14,

      RCVD_IN_BL_SPAMCOP_NET=1.246, RCVD_IN_BRBL_LASTEXT=1.644,

      RCVD_IN_MSPIKE_BL=0.01, RCVD_IN_MSPIKE_L5=0.001, RCVD_IN_PSBL=2.7,

      RDNS_NONE=1.274, TVD_RCVD_IP=0.001] autolearn=no autolearn_force=no

    Received: from server.example.com ([127.0.0.1])

      by localhost (server.example.com [127.0.0.1]) (amavisd-new, port 10024)

      with ESMTP id xdk8XihueEjX for <user@example.com>;

      Wed, 30 Dec 2015 22:45:58 +0100 (CET)

     

    but I don't see them for emails which are not marked as being spam. So it seems in server 5.x they only put in the spam headers if the email is flagged as spam positive.

  • by UptimeJeff,

    UptimeJeff UptimeJeff Dec 30, 2015 6:30 PM in response to FromOZ
    Level 4 (3,477 points)
    Dec 30, 2015 6:30 PM in response to FromOZ

    To see x-spam headers on all mail (not just spam), edit:

    /Library/Server/Mail/Config/amavisd/amavisd.conf

     

    Look for:

    $sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level

     

    This means headers will not be added unless the score is 2.0 or higher. Most non-spam will be under 2.0.

    Change it to -999.0 to see headers on all mail.

    $sa_tag_level_deflt  = -999;  # add spam info headers if at, or above that level

     

    Here is a old, but still relevant thread on this topic.

    Amavis Not Marking Mail as Spam


    And the amavisd-new docs have more detail which you can use to customize amavisd

    https://www.ijs.si/software/amavisd/amavisd-new-docs.html