
Mork

macrumors 6502a
Original poster
Jan 9, 2009
539
34
Has anyone successfully gotten Mail to work with an account under Sierra MacOS Server?

I'm having an extremely difficult time.

I found out today that the reason POP/IMAP wasn't working (incoming mail) was that NOIP.COM doesn't support anything but the Comcast-blocked port 25 with their free offering. If you want port 143 for incoming mail, you pay NOIP.COM $9.99 per year for their POP hosting. Not sure if there's another way around that.

Now, for SMTP (sending), I can't get that to work either. I watched Todd Othoff's video on YouTube, and tried to match HostName + MX Record between NOIP.COM and my local Mac Server, but, assuming I should be able to send from, say, Thunderbird, without any special NOIP.COM service offerings, I'm still doing something wrong.

In the A record in MacOS Server, for example, I set the IP address to the static IP of the server itself. Should that IP address be the external mac's IP address?

I have an Airport Extreme so server is auto-configuring the router for the various Mail ports. Mail and even the email address shows up as being available on the Internet so I must be somewhere in the ballpark.

I've also tried configuring Thunderbird all kinds of different ways, using the regular domain for the SMTP server and also the "mail" prefix. Nothing works yet.

If anyone could give me some tips (encouragement welcome, too), I'd appreciate it.

I'd really like to get Mail working, but it's proving to be much more difficult than I expected.

TIA
 

960design

macrumors 68040
Apr 17, 2012
3,795
1,674
Destin, FL
Contact Cox and ask for a business account. They will open up the ports you need to host mail and be within their EULA for servers. The business account will be significantly more expensive per month, which is one of the fee reasons most people go with hosted servers.

The price of a low bandwidth hosted server for three years will run about the same as 1 or 2 months on a Cox business account. No setup, no hassles and very little downtime.
 

Mork

macrumors 6502a
Original poster
Jan 9, 2009
539
34
Contact Cox and ask for a business account. They will open up the ports you need to host mail and be within their EULA for servers. The business account will be significantly more expensive per month, which is one of the fee reasons most people go with hosted servers.

The price of a low bandwidth hosted server for three years will run about the same as 1 or 2 months on a Cox business account. No setup, no hassles and very little downtime.

Yep, I understand that already. :)

I have Comcast and a separate ISP for my business email, but that wasn't my question. At this point, I'm just trying to get it to work. Once mail on mac server works, due to all the 143 IMAP hack attempts, I'll disable it.

Now, the answer "appears" to be that I need the paid NOIP.COM email service ($9.99/yr.) so they don't block ports 143 and 993.

Trying to confirm that with them now.

I'll post back with their reply.

Thanks for your reply. :)
 

crazzyeddie

macrumors 68030
Dec 7, 2002
2,792
1
Florida, USA
Yep, I understand that already. :)

I have Comcast and a separate ISP for my business email, but that wasn't my question. At this point, I'm just trying to get it to work. Once mail on mac server works, due to all the 143 IMAP hack attempts, I'll disable it.

Now, the answer "appears" to be that I need the paid NOIP.COM email service ($9.99/yr.) so they don't block ports 143 and 993.

Trying to confirm that with them now.

I'll post back with their reply.

Thanks for your reply. :)

This doesn't make any sense to me. Using a dynamic DNS service resolves a hostname to an IP. Once that is done, your computer connects on a certain port number. NoIP should never see that information.

Think of it this way: when you configure a DNS record, you only do it for services (A, MX, etc...) but not the port numbers (80, 443, 143, 445).
 

Mork

macrumors 6502a
Original poster
Jan 9, 2009
539
34
This doesn't make any sense to me. Using a dynamic DNS service resolves a hostname to an IP. Once that is done, your computer connects on a certain port number. NoIP should never see that information.

Think of it this way: when you configure a DNS record, you only do it for services (A, MX, etc...) but not the port numbers (80, 443, 143, 445).

Yeah, you're right I'm sure. I don't think the noip.com folks really understood my issue.

Since the logs seem to indicate all is well and I get server firewall pop-ups when I try to send an email, I must be close. I'm guessing it's an outgoing IP issue (like configured in DNS) or some other DNS issue. I don't know how, beyond the logs, firewall pop-ups, etc., to debug this further.

The lingering question is whether anyone here on this forum has actually set up a Mac Mail Server. If so, I have some basic questions.

Here are two log entries:


Jun 23 11:44:32 <server-address-here> /Applications/Server.app/Contents/ServerRoot/usr/bin/amavisd[1241]: (01241-04) size: 666, TIMING [total 124 ms] - SMTP greeting: 1.0 (1%)1, SMTP EHLO: 0.5 (0%)1, SMTP pre-MAIL: 0.5 (0%)2, SMTP MAIL: 2.6 (2%)4, SMTP pre-DATA-flush: 1.5 (1%)5, SMTP DATA: 0.2 (0%)5, check_init: 0.2 (0%)5, digest_hdr: 0.4 (0%)5, digest_body_dkim: 0.1 (0%)6, collect_info: 1.0 (1%)6, mime_decode: 7 (5%)12, get-file-type1: 12 (10%)21, parts_decode: 0.1 (0%)21, check_header: 0.3 (0%)22, AV-scan-1: 6 (5%)27, spam-wb-list: 0.4 (0%)27, SA msg read: 0.3 (0%)28, SA parse: 1.0 (1%)28, SA check: 44 (35%)64, decide_mail_destiny: 2.0 (2%)65, notif-quar: 0.3 (0%)66, fwd-connect: 29 (23%)89, fwd-mail-pip: 1.6 (1%)90, fwd-rcpt-pip: 0.1 (0%)90, fwd-data-chkpnt: 0.0 (0%)90, write-header: 0.3 (0%)91, fwd-data-contents: 0.0 (0%)91, fwd-end-chkpnt: 1.6 (1%)92, prepare-dsn: 1.3 (1%)93, report: 1.3 (1%)94, main_log_entry: 4.4 (4%)97, update_snmp: 1.8 (1%)99, SMTP pre-response: 0.2 (0%)99, SMTP response: 0.1 (0%)99, unlink-2-files: 0.4 (0%)100, rundown: 0.6 (0%)100

Jun 23 11:44:32 <server-address-here> /Applications/Server.app/Contents/ServerRoot/usr/bin/amavisd[1241]: (01241-04) Passed CLEAN {RelayedOpenRelay}, [ip-address-here]:506 [ip-addres-here] <from-email-account-here> -> <to-email-account-here>, Queue-ID: A2522FR2CE, Message-ID: <dagde7-03p5-Z4ca-216-3127e331283@<server-address-here>, mail_id: eOPY4XNN3d68, Hits: -1, size: 667, queued_as: NTBDAH99, 120 ms

---

Here is mail-info.log stuff

Jun 23 11:45:07 imap-login: Info: Login: user=<test>, method=PLAIN, rip=<ip-address>, lip=10.0.1.50, mpid=744, TLS

Jun 23 11:45:07 imap(pid 744 user test): Info: ID sent: name=MacMail, (etc.)...

-----------

Thanks,
 
Last edited:
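The amavisd entries in the post above can be read mechanically. The sketch below is an added example, not code from the thread or from macOS Server: it pulls the bracketed disposition tag out of each main amavisd log entry and flags `{RelayedOpenRelay}`, the tag amavisd writes when it treats the sender as not originating locally and the recipient as outside its local domains. All hostnames, addresses and lines in `SAMPLE` are constructed, and the field layout is assumed to match the entry posted above.

```python
import re
from collections import Counter

# Main amavisd entry: "(id) Passed|Blocked CATEGORY {Tag,Tag}, [client]:port ..."
ENTRY = re.compile(
    r"amavisd\[\d+\]: \((?P<am_id>[\w-]+)\) (?P<action>Passed|Blocked) "
    r"(?P<category>[A-Z][A-Z-]*)(?: \{(?P<tags>[^}]*)\})?"
)
ROUTE = re.compile(
    r"\[(?P<client>[^\]]+)\]:\d+ \[[^\]]*\] <(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>"
)
HITS = re.compile(r"Hits: (?P<hits>-?\d+(?:\.\d+)?)")
# Direction suffix amavisd appends to its action tag.
DIRECTIONS = ("Inbound", "Outbound", "Internal", "OpenRelay")

def parse_entry(line):
    """Return a dict for a Passed/Blocked entry, or None (e.g. TIMING lines)."""
    m = ENTRY.search(line)
    if m is None:
        return None
    tags = [t for t in (m.group("tags") or "").split(",") if t]
    direction = next((d for t in tags for d in DIRECTIONS if t.endswith(d)), None)
    route, hits = ROUTE.search(line), HITS.search(line)
    return {
        "am_id": m.group("am_id"),
        "action": m.group("action"),
        "category": m.group("category"),
        "tags": tags,
        "direction": direction,
        "client": route.group("client") if route else None,
        "sender": route.group("sender") if route else None,
        "rcpt": route.group("rcpt") if route else None,
        "hits": float(hits.group("hits")) if hits else None,
    }

def review(lines):
    """Count entries per direction and collect those amavisd tagged OpenRelay."""
    entries = [e for e in map(parse_entry, lines) if e]
    counts = Counter(e["direction"] for e in entries)
    flagged = [e for e in entries if e["direction"] == "OpenRelay"]
    return counts, flagged

# Constructed sample lines (documentation addresses and example domains).
SAMPLE = [
    "Jun 23 11:44:32 mail.example.com amavisd[1241]: (01241-04) size: 666, "
    "TIMING [total 124 ms] - SMTP greeting: 1.0 (1%)1",
    "Jun 23 11:44:32 mail.example.com amavisd[1241]: (01241-04) Passed CLEAN "
    "{RelayedOpenRelay}, [192.0.2.10]:506 [192.0.2.10] <test@example.com> -> "
    "<friend@example.net>, Hits: -1, size: 667, 120 ms",
    "Jun 23 11:50:01 mail.example.com amavisd[1241]: (01241-05) Passed CLEAN "
    "{RelayedInbound}, [198.51.100.7]:41234 [198.51.100.7] <a@example.org> -> "
    "<test@example.com>, Hits: 0.2, size: 900, 98 ms",
    "Jun 23 11:52:10 mail.example.com amavisd[1241]: (01241-06) Blocked SPAM "
    "{DiscardedInbound,Quarantined}, [203.0.113.5]:2201 [203.0.113.5] "
    "<x@example.org> -> <test@example.com>, Hits: 12.4, size: 4100, 310 ms",
]

if __name__ == "__main__":
    counts, flagged = review(SAMPLE)
    print(dict(counts))
    for e in flagged:
        print(e["am_id"], e["client"], e["sender"], "->", e["rcpt"])
```

A flagged entry is a prompt to compare amavisd's local-domain and trusted-network settings with the MTA's relay restrictions; the tag records amavisd's classification of the message, not a test of whether the server relays for strangers.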

960design

macrumors 68040
Apr 17, 2012
3,795
1,674
Destin, FL
Yep, I understand that already. :)
I believe I'm completely confused then. I have a Mac Server ( actually, 2 local Mac Servers and 4 remote, but they are Unix and Solaris based ) running on Cox business with no blocked ports. No need to do anything, really except flip a 'switch' in the server console.

I'm a little lost on why Cox would be blocking ports on a business line. Do you not have an owned IP address?
 

Mork

macrumors 6502a
Original poster
Jan 9, 2009
539
34
I believe I'm completely confused then. I have a Mac Server ( actually, 2 local Mac Servers and 4 remote, but they are Unix and Solaris based ) running on Cox business with no blocked ports. No need to do anything, really except flip a 'switch' in the server console.

I'm a little lost on why Cox would be blocking ports on a business line. Do you not have an owned IP address?

Comcast (home) - which is what I have, not Cox, not Comcast Business - blocks port 25.

https://www.xfinity.com/support/internet/list-of-blocked-ports/

Now, I don't use Comcast Business since it's hundreds of dollars per month. So, I'm using Comcast Home + NOIP.COM to maintain the constantly changing IP address.

I have my email program configured to use SSL (have tried TLS, also) so the outgoing port is 993. On SMTP, the port is 587.

Now, I sent an email to a user on ProtonMail, but regardless of my mail settings, Mac Mail Server said it was going to use ... Port 25, which is blocked by Comcast.

You're not the only one who's totally confused. :(

I personally am a software developer, not a network admin, so I'm sure you know (a lot) more than I do. Hopefully, you can give me some additional things to try.

Not sure what to try next.
 

960design

macrumors 68040
Apr 17, 2012
3,795
1,674
Destin, FL
I personally am a software developer, not a network admin, so I'm sure you know (a lot) more than I do. Hopefully, you can give me some additional things to try.

Not sure what to try next.
Software developer here as well, I really have no idea what I'm talking about. I could not even discern the bolded Comcast as opposed to Cox. Please ignore me. I will watch to see if I can learn something from your experience. Yes the business line is ridiculously expensive and slower than my Cox home line. Makes no sense.
 

Mork

macrumors 6502a
Original poster
Jan 9, 2009
539
34
Software developer here as well, I really have no idea what I'm talking about. I could not even discern the bolded Comcast as opposed to Cox. Please ignore me. I will watch to see if I can learn something from your experience. Yes the business line is ridiculously expensive and slower than my Cox home line. Makes no sense.

LOL

Anyways, here is a reply I just got from NOIP support:

You don't have a mail service that will send to those ports [993/587]. If your ISP is blocking port 25 both ways, then you must use a service to circumvent that. By default, all mail sent to a domain uses port 25 of the MX record for that domain. Since port 25 is blocked by your ISP [Comcast], you need somebody else to accept that mail for you on port 25 and relay it to a port of your choice (No-IP Mail Reflector). In order to send mail, you need to use an SMTP connector that will send mail on port 25 on your behalf (No-IP Alternate-Port SMTP). Together, these services will cost $129.90/yr. If that pricing does not work for you, you can use our POP3/IMAP Managed Mail service which costs $9.95/yr.

-----------------

Sounds reasonable, but I have no way to evaluate if this is actually correct.
 

chrfr

macrumors G5
Jul 11, 2009
13,709
7,279
LOL

Anyways, here is a reply I just got from NOIP support:

You don't have a mail service that will send to those ports [993/587]. If your ISP is blocking port 25 both ways, then you must use a service to circumvent that. By default, all mail sent to a domain uses port 25 of the MX record for that domain. Since port 25 is blocked by your ISP [Comcast], you need somebody else to accept that mail for you on port 25 and relay it to a port of your choice (No-IP Mail Reflector). In order to send mail, you need to use an SMTP connector that will send mail on port 25 on your behalf (No-IP Alternate-Port SMTP). Together, these services will cost $129.90/yr. If that pricing does not work for you, you can use our POP3/IMAP Managed Mail service which costs $9.95/yr.

-----------------

Sounds reasonable, but I have no way to evaluate if this is actually correct.
Yes, home internet accounts on Comcast block port 25. If you want to use that port, you'll need a business account, or use some sort of email relay as No-IP suggests. It really isn't worthwhile to run an email server at home. Furthermore, a lot of recipients will block emails coming from consumer IP blocks as it's a vector for spam.
https://www.xfinity.com/support/internet/list-of-blocked-ports/
 

Mork

macrumors 6502a
Original poster
Jan 9, 2009
539
34
Yes, home internet accounts on Comcast block port 25. If you want to use that port, you'll need a business account, or use some sort of email relay as No-IP suggests. It really isn't worthwhile to run an email server at home. Furthermore, a lot of recipients will block emails coming from consumer IP blocks as it's a vector for spam.
https://www.xfinity.com/support/internet/list-of-blocked-ports/

So, it's true that even though my email program is using port 993 for receiving email and port 587 for sending email (SMTP), it's still port 25 at Comcast ... somehow???

If that's true, then I am confused since...

1. I have hosting with a Linux hosting service where all my email accounts (set up the same way) work fine. I'm still connected through Comcast to my Linux hosting service. So, why do my Linux email accounts, setup the exact same way, work?

2. My Mac Server logs show email activity. Both when I try to send an email and when I receive it. There are log entries. I'm making connections to the server. I posted two log entries above. Not sure how to explain this, either, especially since my Linux email accounts all work perfectly.

Can you shed some light on this since I am not using port 25 at all in any email setups and my other email accounts, set up the exact same way as the Mac Server Mail email account, all work fine?

I actually don't plan to use the Mac Server mail account for anything other than to say I was finally able to set it up and get it working. I called Comcast yesterday and it would cost more than $50 extra dollars per month to get a static IP (and you HAVE to rent their router $15/mo. if you want static IP), the same speed we have now. And that's just a "promotion" that expires in two years! :(

Thanks,
 

Mork

macrumors 6502a
Original poster
Jan 9, 2009
539
34
OK, so you're saying my mac mail server is talking over port 25 so that's why outgoing mail is blocked. And, incoming mail talking to the mac server is also port 25.

So it really does sound like I need the NOIP.COM SMTP re-director (for outgoing), right?

----

I guess I need to better understand why my Linux hosting accounts all work fine.

Also, do you think I'd have any luck getting Comcast to unblock port 25 for my home account or is this how they hold you hostage to get the Business ($$$) offering?
 

chrfr

macrumors G5
Jul 11, 2009
13,709
7,279
OK, but since my other email accounts all work and, assuming those server accounts are also using port 25, wouldn't Comcast block those, too? But, they're all working.

Sorry if I'm dense here. I just don't quite get it.

Also, do you think I'd have any luck getting Comcast to unblock port 25 for my home account or is this how they hold you hostage to get the Business ($$$) offering?
Comcast blocks port 25 on residential accounts. Your other email accounts are not hosted on a mail server at your home, correct? Your email client on your workstation computer is connecting to those other email servers on ports that are not 25. Comcast will never unblock port 25 on a residential account. It's not a matter of holding you hostage but rather that when port 25 was open, spam from home accounts was rampant and it's very easy to accidentally set up a mail server so that others can relay mail through yours to obscure where their spam originates.
The mail servers for your other accounts all successfully communicate with other mail servers using port 25 because they aren't connected to the internet on residential accounts.
 

Mork

macrumors 6502a
Original poster
Jan 9, 2009
539
34
Comcast blocks port 25 on residential accounts. Your other email accounts are not hosted on a mail server at your home, correct? Your email client on your workstation computer is connecting to those other email servers on ports that are not 25. Comcast will never unblock port 25 on a residential account. It's not a matter of holding you hostage but rather that when port 25 was open, spam from home accounts was rampant and it's very easy to accidentally set up a mail server so that others can relay mail through yours to obscure where their spam originates.
The mail servers for your other accounts all successfully communicate with other mail servers using port 25 because they aren't connected to the internet on residential accounts.

So, port 25 means either incoming or outgoing email will be blocked. Got it. (Finally.)

So, I guess I need to spend $ on the SMTP re-director that NOIP.COM has, after all. If I can get that working (I couldn't when I last tried with their limited documentation with no step-by-step examples), then I'll get their incoming mail service, too. $129/yr for both services.

Thanks very much for your patience and excellent help! :)
 

chrfr

macrumors G5
Jul 11, 2009
13,709
7,279
So, port 25 means either incoming or outgoing email will be blocked. Got it. (Finally.)

So, I guess I need to spend $ on the SMTP re-director that NOIP.COM has, after all. If I can get that working (I couldn't when I last tried with their limited documentation with no step-by-step examples), then I'll get their incoming mail service, too. $129/yr for both services.

Thanks very much for your patience and excellent help! :)
I would strongly urge you to abandon the idea of trying to run a mail server at home. You can do a lot better than $129 a year for mail hosting.
 

Mork

macrumors 6502a
Original poster
Jan 9, 2009
539
34
I agree. I already am doing better with my Linux hosting.

Just want to see if I can do it. Once I can, I'll quickly abandon it. Too many "friends" (hackers/bots) trying to "visit" my server on port 143, for example. Not worth it. Just a technical challenge at the moment.
 

chrfr

macrumors G5
Jul 11, 2009
13,709
7,279
However, you should just use a different port number than port 25.
If you're running a mail server, as the OP is, you must use port 25. This is the way mail servers communicate with each other.
 

chrfr

macrumors G5
Jul 11, 2009
13,709
7,279
Or TCP 587, if you want secure email transfer.
587 is a submission port for client computers to send email to a server, not a port for server-to-server mail transfer. If a mail server doesn't have access to port 25, it's not going to be able to send or receive mail to other servers.
 

Alrescha

macrumors 68020
Jan 1, 2008
2,156
317
I would strongly urge you to abandon the idea of trying to run a mail server at home. You can do a lot better than $129 a year for mail hosting.

I agree, trying to work around Comcast's blocks is going to be a pretty frustrating task. You probably are not going to get a working mail-delivery agent going.

On the other hand, running an IMAP server so you have access to your mail archive when you are out and about can be very useful. This does assume that you have a preference for storing your mail at home rather than on some company's servers.

A.
 

Geeky Chimp

macrumors regular
Jun 3, 2015
132
59
So we've got macOS Server running successfully on several Mac minis. Some of these are running the Mail Service. Setup of the Mail Service should be fairly straightforward. We did make some edits to the config files for additional functionality and security. We have Servers running directly on Public IPs (No NAT) and some running behind NAT with Port Forwarding.
 