
l008com

macrumors regular
Original poster
Jan 20, 2004
I'm setting up a new server. And with the death of "OS X Server" aka "Server.app", I've been doing everything by hand. Which isn't that bad at all really. apache config is super intuitive. Setting up a VPN server is very easy too. Configuring `pf` firewall is oddly quirky but has an easy config once you shake out all the bugs.

It's all easy (if a little time consuming).
But that brings it to Mail. I've run Mail servers under OS X Server since 10.3. It's been very easy. Now that that's gone, I'm a little lost. I don't really know where to begin. I've never set up my own mail servers by hand. Do I just need to install dovecot and postfix via Homebrew? Are there other pieces you need? Is there a better way to do this entirely?

The other problem here is that it's virtually impossible to search for help on this topic. There are about 90 million help articles on the web about setting up mail accounts in mail clients. That is always what you get when trying to search for setting up a mail server on a Mac.
 

I must confess that I have no experience with Postfix + Dovecot on the Mac specifically, but installing the software via Homebrew, if that's an option, sounds like a good start. Then you only have to worry about "the rest", which as it turns out is quite a lot.

For setting up Postfix + Dovecot manually, I usually refer people to the excellent ISPMail Tutorials. They're aimed at a Debian host, but most of the stuff should be easily translatable. Of course, if you no longer have a need to run macOS specifically, you might well find it easier to simply set up a VM running an appropriate Debian release and not have to think about platform inconsistencies when following the guide.
 
Much to my surprise, Postfix isn't in Homebrew. And the version that comes with El Capitan is pretty old. Now I remember why I've always told customers of mine not to run their own mailserver. But still, I must run my own.
 
Good luck :) The only people I know who (successfully) run their own *nix mail servers are pretty much grey beards by this point and have been doing it for over 20 years on FreeBSD/Linux/etc. Security, spam filters, etc, it's a major pain in the ass. I'd just let Google or someone else do the job for me.
 
Hey, I’ve only got a few grey strands! ;)

It’s not hard, but you need to think before you leap with these things; that’s all, really.
 
I've been doing it very successfully myself since probably 2004 or so. I'm not going to be starting from scratch. All the various DNS pieces are already properly in place. I just need to get the server software running reliably. I'm going to play around with a few different options today on a VM.
 
So, Mail in OS X Server was Postfix, Dovecot, Amavis, Spamassassin, ClamAV and Mailman. All of these packages are available from MacPorts (most aren’t included in Homebrew, even though I prefer Homebrew).
We are switching, where possible, to Kerio Connect for Mail, even though it has licensing costs it’s a great product.
We do have a need for ‘free’ mail server software for many of our users though so for those we are going to go down the MacPorts route to install the packages and link Postfix and Dovecot to MySQL / MariaDB for easier configuration.
Hope that helps!
 
Yeah, I had lots of people tell me to go with Homebrew over MacPorts. I saved the mail server for last, and now I'm finding that Homebrew doesn't have anything and MacPorts has everything. I figured every package manager would have all the major pieces of software, but apparently not. I don't really want to uninstall everything from Homebrew then reinstall it all from MacPorts. Will there be any collisions or issues if I use MacPorts and Homebrew at the same time?
I really don't want to use the built-in Postfix. I'm sure my whole mail server will get knocked offline every time there's a security update from Apple :/
 

I have run several Mac Servers that have had both Homebrew and MacPorts installed. I don’t think it’s recommended but I don’t remember any issues when I did it for a couple of packages.
 
They pretty much stay out of each other's way (they stick to different philosophies on how/where to install software). The main drawback with running them both would be purely administrative: you'll be better off if you remember what package you've installed using which system to avoid later confusion.
 
A basic, working, configurable mail server is now available in MacPorts:

sudo port install mail-server
port notes mail-server
sudo port load mail-server

This mail server uses postfix for the MTA, dovecot for the MDA, solr for fast search, Rspamd for a milter, and clamav for email virus scanning. These are all installed and configured automatically when mail-server is installed. Surrogate TLS and DKIM configurations are created during the installation; these must be changed prior to deployment.

The configuration files in this port are a combination of macOS Server version 5.7's Mail server setup, with many newer capabilities added. See the individual projects for configuration details, as well as online guides, e.g. https://www.c0ffee.net/blog/mail-server-guide/, and the MacPorts mail-server Portfile itself:

port notes mail-server
less `port file mail-server`
port contents mail-server

Users must reconfigure the mail-server installation for their own system, network, and security model specifics by editing all necessary files and checking file permissions. Full deployment also requires a working DNS configuration on both the LAN and the internet (pre-installed with mail-server), including SPF, DMARC, and DKIM records, trusted TLS certificates, port forwarding, possibly a mail relay, and more.

I’ve been migrating deprecated macOS Server functionality to MacPorts; see the repo https://github.com/essandess/macOS-Open-Source-Server/blob/master/README.md.

DNS, VPN, and other capabilities are all now MacPorts installs:

sudo port install dns-server
sudo port install macos-vpn-server

Please open MacPorts tickets for any issues.
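To make the SPF/DKIM/DMARC requirement above concrete, here is an added Python check (my own example, not part of the MacPorts mail-server port or anything posted in this thread) that audits the three TXT records a receiving server looks at before it trusts mail from your domain. The zone data is constructed inline and the `lookup` callable stands in for a resolver, so it runs offline; to audit a real domain, feed it the strings from `dig +short TXT <name>`. The `mail` selector, the `example.com`/`example.org` domains and the truncated DKIM key string are all assumptions for the demo. Note in particular the second zone's empty `p=` tag: that is what an installer-generated surrogate DKIM record looks like if it never gets replaced.

```python
"""Offline audit of the DNS TXT records a mail domain needs (SPF, DMARC, DKIM).

Added example, not part of the MacPorts mail-server port. `lookup` stands in
for a resolver so everything runs without network access.
"""
import re

# Constructed sample zones. The DKIM public key below is a truncated placeholder.
GOOD_ZONE = {
    "example.com": ["v=spf1 mx a:mail.example.com -all"],
    "_dmarc.example.com": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"],
    "mail._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"],
}
BAD_ZONE = {
    "example.org": ["v=spf1 +all"],                          # anyone may send as the domain
    "_dmarc.example.org": ["v=DMARC1; p=none"],              # monitoring only, no reports
    "mail._domainkey.example.org": ["v=DKIM1; k=rsa; p="],   # installer surrogate, never replaced
}


def lookup_factory(zone):
    """Return a resolver-like callable: DNS name -> list of TXT strings."""
    return lambda name: zone.get(name, [])


def parse_tags(txt):
    """Split a 'k=v; k=v' TXT record (DMARC/DKIM style) into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def check_spf(records):
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record"]
    findings = []
    if len(spf) > 1:
        findings.append("SPF: more than one v=spf1 record; receivers treat this as a permanent error")
    terms = [t.lower() for t in spf[0].split()[1:]]
    if "+all" in terms or "all" in terms:
        findings.append("SPF: '+all' lets any host send as this domain")
    if not any(t.lstrip("+-~?") == "all" for t in terms):
        findings.append("SPF: no terminal 'all' mechanism, so unlisted senders evaluate to neutral")
    return findings


def check_dmarc(records):
    dmarc = [r for r in records if r.startswith("v=DMARC1")]
    if not dmarc:
        return ["DMARC: no v=DMARC1 record at _dmarc"]
    tags = parse_tags(dmarc[0])
    findings = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= policy")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; receivers will not act on failures")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports come back")
    return findings


def check_dkim(records):
    dkim = [r for r in records if "p=" in r]
    if not dkim:
        return ["DKIM: no key record at <selector>._domainkey"]
    tags = parse_tags(dkim[0])
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("DKIM: v= tag present but is not DKIM1")
    key = tags.get("p", "")
    if not key:
        findings.append("DKIM: empty p= (key revoked or never published); signatures will not verify")
    elif not re.fullmatch(r"[A-Za-z0-9+/=]+", key):
        findings.append("DKIM: p= is not base64")
    return findings


def audit_domain(domain, selector, lookup):
    """Run all three checks; an empty list means nothing obviously wrong."""
    return (check_spf(lookup(domain))
            + check_dmarc(lookup(f"_dmarc.{domain}"))
            + check_dkim(lookup(f"{selector}._domainkey.{domain}")))


if __name__ == "__main__":
    for domain, zone in (("example.com", GOOD_ZONE), ("example.org", BAD_ZONE)):
        for line in audit_domain(domain, "mail", lookup_factory(zone)) or ["OK"]:
            print(f"{domain}: {line}")
```

The checks are deliberately syntactic (tag presence, policy value, key shape); they do not fetch anything or verify a signature, so a clean result means "the records exist and are not obviously broken", not that delivery to a given provider will succeed.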

 
Also, there’s a pending pull request at MacPorts for a port of Apple’s Calendar and Contacts Server that works with MacPorts mail-server. See: https://github.com/macports/macports-ports/pull/4978

 
Homebrew’s security model is incompatible with running a secure server.

All of the tools used in a mail server like postfix must be installed and controlled securely at the system level with `sudo`. Homebrew avoids `sudo` by taking over permissions in `/usr/local`. This won’t work on a server and is to be avoided.

For more details on the issues that can arise with Homebrew’s approach, I agree with much of the criticism in this post: https://saagarjha.com/blog/2019/04/26/thoughts-on-macos-package-managers/.
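As an added illustration of the /usr/local ownership point (my own example, not code from the linked post or from the MacPorts mail-server port): a small Python audit that walks a mail-server install tree and flags directories, binaries or config files that are not owned by the expected uid or are group/world-writable, plus private keys that anyone other than the owner can read. The demo tree under a temp directory and its paths (`sbin/postfix`, `sbin/dovecot`, `etc/main.cf`, `etc/dkim/mail.private.key`) are constructed; on a real server you would point `audit_tree` at `/opt/local` or `/usr/local` with `expected_owner=0`.

```python
"""Permission audit for a mail server's install tree.

Added example (not from the MacPorts mail-server port or the linked post).
Daemons that start as root must not execute binaries, read configs or load
keys that an unprivileged account can modify; a user-owned /usr/local gives
any compromise of that account a path into the daemon. The demo tree is
built under a temp dir so the check runs anywhere.
"""
import os
import stat
import tempfile

CURRENT_UID = os.getuid()  # the demo tree is owned by whoever runs this; production uses 0


def audit_file(path, expected_owner=0, is_secret=False):
    """Findings for one path. In production expected_owner is 0 (root)."""
    st = os.lstat(path)
    mode = st.st_mode
    if stat.S_ISLNK(mode):
        return [f"{path}: symlink; audit the target instead"]
    findings = []
    if st.st_uid != expected_owner:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_owner}")
    if mode & stat.S_IWGRP:
        findings.append(f"{path}: group-writable")
    if mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable")
    if is_secret and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{path}: private key readable by group/others")
    return findings


def audit_tree(root, expected_owner=0, secret_suffixes=(".key", ".pem")):
    """Walk root and audit every directory and file; secrets get the stricter read check."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        findings += audit_file(dirpath, expected_owner)
        for name in filenames:
            findings += audit_file(os.path.join(dirpath, name), expected_owner,
                                   is_secret=name.endswith(secret_suffixes))
    return findings


def make_demo_tree():
    """Constructed layout with two deliberate defects; returns the root path."""
    root = tempfile.mkdtemp(prefix="mailaudit-")
    files = {
        "sbin/postfix": 0o755,                # fine
        "sbin/dovecot": 0o775,                # defect: group can replace the daemon
        "etc/main.cf": 0o644,                 # fine
        "etc/dkim/mail.private.key": 0o644,   # defect: signing key readable by all
    }
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed placeholder\n")
        os.chmod(path, mode)
    for dirpath, _d, _f in os.walk(root):
        os.chmod(dirpath, 0o755)
    return root


if __name__ == "__main__":
    demo = make_demo_tree()
    for line in audit_tree(demo, expected_owner=CURRENT_UID) or ["clean"]:
        print(line)
```

Run against the demo tree it reports exactly the two planted defects; run against a Homebrew-style prefix with `expected_owner=0` every file comes back as owned by the wrong uid, which is the point the post above makes.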


I agree 100%. Homebrew is a bad idea.

Regarding email servers, they're not hard to build and run yourself if you have some sysadmin knowledge. I run my own without any problems and while they require some thought, they are no more difficult than any other server IMO.
 
I’ve been running a small OS X Server-based mail server for well over a decade now. I’ve been holding my breath to see if Apple will provide migration steps for Mail, but it really doesn’t seem like that will happen.

I’ve been slowly trying to learn about docker, hoping that maybe I could get docker up and running and move to something like this full-stack mail server for docker. The thinking was that if more and more MacOS Server tools become more difficult, I could eventually move everything over to Ubuntu or whichever platform I like.

I did indeed get docker up via virtualbox (wow, even remotely enabling a kernel extension for that was an adventure!). I’d rather not re-create all my users—I’m rather happy with them being able to access the Mac server for basic things like changing passwords. But now I’m stumbling on trying to get the mail server to access the local Directory Services users database (via LDAP/SASL I assume? that’s what I’m trying). Anyone done anything like that?


I’m happy I found this thread, because now my fallback is likely the MacPorts mail-server setup.
 
Look into mailinabox.email

A simple turnkey and full featured mail server system. Takes about 15 minutes to install (or 1-2 hours if you start from scratch and are learning)
 
I’d rather not re-create all my users—I’m rather happy with them being able to access the Mac server for basic things like changing passwords. But now I’m stumbling on trying to get the mail server to access the local Directory Services users database (via LDAP/SASL I assume? that’s what I’m trying). Anyone done anything like that?

Looking into the MacPorts mail-server project, and thus the dovecot2 portfile, it seems to be using PAM directly. So maybe I was following a red herring with the LDAP thing and instead need to be figuring out how to get my docker to forward PAM through.
 
holding my breath to see if Apple will provide migration steps for Mail, but it really doesn’t seem like that will happen.

It won’t happen. Also, mail server tech has moved on since OS X Server’s Mail Server was originally designed. rspamd >> spamassassin, Apache solr search >> vanilla fts, and so forth. The capabilities used in the MacPorts mail-server port really outshine Server.app’s, and though every macOS Server user was very annoyed that Apple gutted that product, it really was time to move on.

Looking into the MacPorts mail-server project, and thus the dovecot2 portfile, it seems to be using PAM directly. So maybe I was following a red herring with the LDAP thing and instead need to be figuring out how to get my docker to forward PAM through.

There’s no reason LDAP authentication couldn’t be used as well. It’s simply not used in the baseline example configuration provided in the mail-server port, which uses PAM as you see.

If you get LDAP authentication with Open Directory (or other ldap) up and running, please document the configuration as a feature request at https://trac.macports.org/.

Note that Apple used a modified dovecot (open source) to use Open Directory in their macOS Server.app. That may provide some clues.
 
I have no doubt mail server tech today has advanced significantly. I just wanted a way to move forward with more assurance I’m going to have a working setup.

There’s no reason LDAP authentication couldn’t be used as well. It’s simply not used in the baseline example configuration provided in the mail-server port, which uses PAM as you see.

Well, PAM should continue to allow my existing mail users to continue to log in uninterrupted, right? They were created as regular users on this machine. It was just implementation detail that Apple’s dovecot got that info via Open Directory?
 
PAM should continue to allow my existing mail users to continue to log in uninterrupted, right? They were created as regular users on this machine. It was just implementation detail that Apple’s dovecot got that info via Open Directory?

Yes, I believe so. I have OD running myself and network users are able to authenticate using PAM. There’s just not the nifty feature of mailbox directories named with the user UUID, which is pulled from LDAP.

Of course, you should double-check and test everything on your own server before deploying it.

The MacPorts mail-server port configuration example works, but you’ll still have to go line-by-line through the configuration and file permissions both to verify that that’s how you want your own server to be set up, sanity check security, and specify all the server-specific things you need: DNS, TLS certificates, DKIM, sieve passwords, and more.
 
I have no doubt mail server tech today has advanced significantly. I just wanted a way to move forward with more assurance I’m going to have a working setup.

It’ll work and in my experience far outshines the old Server.app Mail server.

• Search from mobile devices is lightning fast (thank you, solr), unlike Apple’s old dovecot configuration.
• There are no issues with mail rejection/spam filtering to major email providers from one’s tiny email domain after SPF/DKIM/DMARC are all configured and deployed—in my experience even if you have an ISP-assigned dynamic IP that doesn’t match reverse DNS lookups.
• Rspamd is impressively fast and effective and easy to train—just copy items to the per-user folders Spam_train and Notspam_train.
• Modern dovecot features for efficient mailbox storage and common attachments are used.
• Postfix is run in chroot where it belongs, and both postfix and dovecot are on the latest versions.

There’s more in there you’ll see when you start going through the configuration files, and there are a lot more nice features that you can add yourself. My own server is now in the launch-daemon-at-boot-and-forget-about-it phase, and I strongly prefer this MacPorts-based server to my old Server.app instance.
 
I started from @essandess mail-server in MacPorts a while back. There are a few things I want differently:
  • I expect that Kerberos will be a no-go. I'm a bit scared about its complexity. I want my users to keep using CRAM-MD5 authentication for IMAP and submission. Yes, I know that the link is TLS-secured, so plain should be OK, but it isn't. There are situations where there is a 'legal' man-in-the-middle attack (such as using your email on a company-provided phone which has the SSL intercept by the firewall enabled by having the firewall's intercept root cert). I have CRAM-MD5 working, but I had to move to a file-based userdb/passdb in dovecot to make this happen. I'd rather use Open Directory (or more specifically Apple's Password Server).
  • The mail-server comes with bind, I use nsd/unbound instead (I already had that running)
  • I want to migrate the data of the old server to the new, but not via a mail client. So, it is Maildir format in dovecot2 for now (I also suspect Maildir is slower but less brittle than mdbox)
  • I use postscreen in front of postfix's smtpd
  • I want to reuse my existing smooth letsencrypt certificate setup
It is all very slow going because the config files as installed by MacPorts are a mix of old Server.app files, existing defaults, and specific choices, and it is a steep learning curve having to learn dovecot etc. when the only thing I ever did before myself was a bit of postfix configuration. And the documentation is hard to find.

Some things are baffling, such as why my DNS setup works fine when accessed via dig/nslookup, but postfix refuses to do a proper reverse lookup (so logging constantly says unknown[192.168.2.86] instead of fqdn[192.168.2.86], for instance). Again, such matters make it very slow going.

But, at this point, I have dovecot and postfix running, the mail client can authenticate using CRAM-MD5 inside TLS, and the certificate is the letsencrypt one. The mail client can send mail to itself.

Next steps: rspamd/DKIM (I already have SPF), solr, virus scanning and greylisting. And then at some point I will want to migrate the maildirs from the old server to the new, make it the default and move the backup setup over. It will be a while yet before everything works well enough to move the users over.
 
I started from @essandess mail-server in MacPorts a while back. There are a few things I want differently:
  • I expect that Kerberos will be a no-go. I'm a bit scared about its complexity. I want my users to keep using CRAM-MD5 authentication for IMAP and submission. Yes, I know that the link is TLS-secured, so plain should be OK, but it isn't. There are situations where there is a 'legal' man-in-the-middle attack (such as using your email on a company-provided phone which has the SSL intercept by the firewall enabled by having the firewall's intercept root cert). I have CRAM-MD5 working, but I had to move to a file-based userdb/passdb in dovecot to make this happen. I'd rather use Open Directory (or more specifically Apple's Password Server).

I wasn't able to get Kerberos working, but believe that it can be done. If you're successful, please post the solution as a feature request at trac.macports.org. FWIW, I kept around a breadcrumbs reference file for imap kerberos authentication in https://github.com/macports/macport...iles/prefix/etc/dovecot/imap.keytab.README.sh. There's a comparable one for postfix.

  • The mail-server comes with bind, I use nsd/unbound instead (I already had that running)

You're not the only one who pointed this out. The latest version omits the bind9 load.


  • I want to migrate the data of the old server to the new, but not via a mail client. So, it is Maildir format in dovecot2 for now (I also suspect Maildir is slower but less brittle than mdbox)

AFAIK, the only way to do that is to use a client (Mail) to copy-and-paste from the old server into the new server, independent of the Maildir format.

Also, it's your mail server, so you'll have to configure it how you want anyway. The MacPorts mail-server configuration is just a working example.


  • I use postscreen in front of postfix's smtpd

Ditto on previous. Configure your mail server how you want to configure it.

It is all very slow going because the config files as installed by MacPorts are a mix of old Server.app files, existing defaults, and specific choices, and it is a steep learning curve having to learn dovecot etc. when the only thing I ever did before myself was a bit of postfix configuration. And the documentation is hard to find.

See the references in `port notes mail-server`. Also, commands like `postconf` and `doveconf` can cut through the comment clutter.

Because it's your own deployed mail server, it's important to go through the configuration line-by-line and sanity check your design choices and security.

But, at this point, I have dovecot and postfix running, the mail client can authenticate using CRAM-MD5 inside TLS, and the certificate is the letsencrypt one. The mail client can send mail to itself.

Would you please post the steps you took to get CRAM-MD5 working as a feature request at trac.macports.org? I stopped at PAM plus TLS, so getting that in would be good to have.
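For reference, here is an added dovecot 2.x configuration sketch of the file-based passdb/userdb approach described earlier in the thread. This is my own example, not the MacPorts mail-server port's files and not the steps the poster actually used; the `/opt/local/etc/dovecot/users` path (MacPorts prefix), the `vmail` account and `/var/vmail` are assumptions.

```conf
# conf.d/10-auth.conf fragment: offer CRAM-MD5 alongside PLAIN/LOGIN.
# disable_plaintext_auth keeps PLAIN/LOGIN off non-TLS sessions; CRAM-MD5
# never puts the password on the wire, which is the property wanted above.
disable_plaintext_auth = yes
auth_mechanisms = plain login cram-md5

# A one-way hash such as SHA512-CRYPT cannot answer a CRAM-MD5 challenge,
# so this passdb stores CRAM-MD5 hashes generated with:  doveadm pw -s CRAM-MD5
passdb {
  driver = passwd-file
  args = scheme=CRAM-MD5 username_format=%u /opt/local/etc/dovecot/users
}

userdb {
  driver = passwd-file
  args = username_format=%u /opt/local/etc/dovecot/users
  default_fields = uid=vmail gid=vmail home=/var/vmail/%u
}

# /opt/local/etc/dovecot/users, one line per user, passwd(5)-like fields:
#   user:password:uid:gid:gecos:home:shell:extra_fields
# alice:{CRAM-MD5}<output of doveadm pw -s CRAM-MD5>::::::
```

Two things to keep in mind with this layout. A stored CRAM-MD5 hash is password-equivalent (anyone who can read it can authenticate as that user), so the users file must be root-owned with mode 0600 and treated like a key file in backups. And `doveadm auth test alice` against the running server is the quickest way to confirm the passdb lookup works before pointing a client at it.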
 