Lucid Nonsense


Postfix Settings in Snow Leopard

Sunday, 13 September 2009

We’ve got a few servers that have been upgraded to Snow Leopard now and in general it has been a very smooth process. For basic servers in particular it’s pretty seamless. If you’ve got mail to transfer it will also convert existing mailboxes into the new dovecot mailbox format. This can take a while, so if you’ve got a lot of mail it’s worth making sure that you leave enough time for this to complete (for about 20GB of mail one of our test servers took around half an hour).

One initial problem that cropped up was that the script that Apple uses to convert the old cyrus mailboxes to dovecot format didn’t retain mail flags, so everyone suddenly had all of the mail in their Inboxes marked as unread again. I’m not sure whether this is a bug or a decision from Apple to speed up the conversion process, as there are scripts that do preserve pretty much everything, although when we tested that script manually on some cyrus mailboxes it was very slow. If that is more important for you than speed it’s probably worth running that conversion stage using that script or one of the others linked to from the dovecot site.

The second obvious problem that we noticed was some slight changes in the settings in the main.cf file (/etc/postfix/main.cf). The first change is with Postfix-style virtual users, a fairly common setup which requires you to manually edit both the main.cf file and a file that contains a list of virtual email users. Apple’s documentation for Snow Leopard’s mail system, as with Leopard’s, recommends using the file /etc/postfix/virtual to hold the list of virtual users. What’s strange is that Snow Leopard itself defaults to using /etc/postfix/virtual_users, so with both a clean install and an upgrade (even when it previously had virtual users set up in /etc/postfix/virtual) this line in /etc/postfix/main.cf needs changing from:

virtual_alias_maps = hash:/etc/postfix/virtual_users

to:

virtual_alias_maps = hash:/etc/postfix/virtual

It’s not a big problem, and you can in fact just use /etc/postfix/virtual_users if you prefer, but it seems odd that this doesn’t match Apple’s documentation and also replaces the correct setting in previously working systems that have been upgraded from Leopard.

The second change that we found was needed in the main.cf file was to do with anti-spam measures, in particular this line, which again was present in both a clean install and an upgrade from Leopard:

smtpd_helo_restrictions = reject_invalid_helo_hostname reject_non_fqdn_helo_hostname

The second restriction here, reject_non_fqdn_helo_hostname, rejects mail that is sent without the EHLO or HELO hostname being fully qualified (e.g. being set as server instead of server.example.com). This is a fairly common anti-spam measure, but it can cause some mail clients that don’t send the EHLO/HELO hostname as fully qualified to be blocked from sending mail. In particular we found this happened with some older versions of Outlook. The problem is that this affects Outlook users who are already authenticating to the SMTP server and even those on our (fairly well secured) internal network. In most cases you can trust authenticated users, if not machines on your network, to not be sending spam, so for those users you really don’t want that restriction to apply. Changing the above line to the following (all on one line in main.cf but wrapped here) gets around this problem:

smtpd_helo_restrictions = permit_sasl_authenticated permit_mynetworks
    reject_invalid_helo_hostname reject_non_fqdn_helo_hostname

The above setting will allow authenticated SMTP users, and users on your allowed networks (set in Server Admin), to send mail, regardless of whether their mail client is sending a hostname that isn’t fully qualified.
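To see why the order of the restrictions matters, here is a simplified model of Postfix's first-match evaluation applied to the original and modified settings. It is an added example, not Apple's or Postfix's code; the client records, the MYNETWORKS ranges and the hostname syntax checks are constructed approximations, and it assumes smtpd_delay_reject = yes (the Postfix default), so the SASL login is already known when the HELO list is evaluated.

```python
import ipaddress
import re

# Constructed sample values, not taken from the original post.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.1.0/24")]
ORIGINAL = "reject_invalid_helo_hostname reject_non_fqdn_helo_hostname"
MODIFIED = "permit_sasl_authenticated permit_mynetworks " + ORIGINAL
LABEL = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?")

def check(restriction, client):
    """Return 'permit', 'reject' or None (no decision, try the next one)."""
    helo = client["helo"]
    literal = helo.startswith("[") and helo.endswith("]")  # e.g. [192.0.2.1]
    if restriction == "permit_sasl_authenticated":
        # Assumes smtpd_delay_reject = yes, so AUTH has already happened.
        return "permit" if client["sasl_user"] else None
    if restriction == "permit_mynetworks":
        ip = ipaddress.ip_address(client["ip"])
        return "permit" if any(ip in net for net in MYNETWORKS) else None
    if restriction == "reject_invalid_helo_hostname":
        # Approximation: every dot-separated label must look like a DNS label.
        labels = helo.rstrip(".").split(".")
        ok = literal or all(LABEL.fullmatch(l) for l in labels)
        return None if ok else "reject"
    if restriction == "reject_non_fqdn_helo_hostname":
        # Approximation: a fully qualified name contains at least one dot.
        return None if literal or "." in helo.strip(".") else "reject"
    raise ValueError("restriction not modelled: " + restriction)

def evaluate(setting, client):
    """Walk the list left to right; the first decision ends the evaluation."""
    for restriction in setting.split():
        decision = check(restriction, client)
        if decision:
            return decision, restriction
    return "dunno", None  # nothing matched; later restriction lists decide

CLIENTS = {  # constructed examples
    "old Outlook, authenticated": {"ip": "203.0.113.10", "sasl_user": "alice", "helo": "server"},
    "LAN host, no auth": {"ip": "192.168.1.20", "sasl_user": None, "helo": "desktop"},
    "outside, no auth": {"ip": "198.51.100.7", "sasl_user": None, "helo": "server"},
    "outside, FQDN HELO": {"ip": "198.51.100.7", "sasl_user": None, "helo": "mail.example.com"},
}

if __name__ == "__main__":
    for name, client in CLIENTS.items():
        print(name, evaluate(ORIGINAL, client), evaluate(MODIFIED, client))
```

Note that permit_mynetworks exempts every address in mynetworks from both HELO checks, so the modified setting is only as tight as that network list.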

