Mac Mini



Configuring SMTP

Since I own my own domain, I can handle all my mail myself. This requires the use of an SMTP server to receive and send mail. (To access mail once it's arrived, one uses an IMAP server and client.)


Configuring the server

There are a few choices for an SMTP server: Exim, Postfix, qmail, and Sendmail. Exim is the default SMTP server for Debian systems, but I've never used it and know nothing about it. Postfix is quickly becoming most people's server of choice since it's generally regarded as a fast, easy-to-administer, and secure alternative to Sendmail. I did look at Postfix briefly. However, to me, it seems just as complicated as Sendmail and I didn't feel like trying to figure out its voodoo. Since I've been using Sendmail for many years, I'm sticking with the "devil I know."

Having settled on Sendmail (for better or worse), you need the following packages installed:
    apt-get install sendmail sendmail-base sendmail-bin sendmail-cf
(You should probably also remove Exim.)

Goals

The goals for an SMTP server (in order of importance) are:
  1. To be able to receive/send mail to/from the machine itself (obviously).
  2. To relay outgoing mail from any computer on my home LAN.
  3. To relay outgoing mail from any computer anywhere on the Internet as long as it successfully authenticates.
To relay mail means to accept mail for non-local delivery, i.e., mail is accepted and then forwarded to some other SMTP server. A server that relays must restrict that service to authorized clients only: here, the machine itself, hosts on the home LAN, and anyone who has authenticated. If anybody can use a relaying SMTP server, it's an open relay; it will be found and used by spammers, and the domain will end up on blocklists.
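With FEATURE(`access_db') enabled (see the sendmail.mc below), goals 1 and 2 are expressed in /etc/mail/access; goal 3 needs no entry there because TRUST_AUTH_MECH grants relaying to any client that has authenticated. What follows is an added example file, not the one from this page, and the 192.168.1.0/24 LAN range is an assumption:

```text
# /etc/mail/access (example; the 192.168.1.0/24 LAN range is an assumption)
# Key and action are separated by a tab.  Only RELAY grants relaying;
# OK merely accepts the connection, REJECT refuses it with an error,
# and DISCARD silently drops it.

# Goal 1: mail from the Mini itself.
Connect:127.0.0.1		RELAY
Connect:localhost		RELAY

# Goal 2: any host on the home LAN.  A prefix matches every address under it.
Connect:192.168.1		RELAY

# Goal 3 (authenticated clients anywhere) needs no line here: relaying is
# granted by TRUST_AUTH_MECH once AUTH succeeds.  Every other client that
# asks for a non-local recipient gets "550 5.7.1 ... Relaying denied".
```

After editing the file, running make in /etc/mail (see Reconfiguring Sendmail) rebuilds access.db from it; the text file alone has no effect.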

Configuration files

The configuration files for Sendmail are mostly in the /etc/mail directory. The files, their purpose, and contents are:
/etc/mail/sendmail.mc
This is the main Sendmail configuration file. It includes:
    include(`/etc/mail/tls/starttls.m4')
    include(`/etc/mail/sasl/sasl.m4')
    define(`confAUTH_OPTIONS',`A p y')
    define(`confBAD_RCPT_THROTTLE',3)
    define(`confCONNECTION_RATE_THROTTLE',5)
    define(`confDONT_PROBE_INTERFACES',true)
    define(`confNO_RCPT_ACTION', `add-to-undisclosed')
    define(`confTO_CONNECT', `1m')
    define(`confTO_DATABLOCK', `10m')
    define(`confTO_DATAFINAL', `15m')
    define(`confTO_FILEOPEN', `10s')
    define(`confTO_HELO', `1m')
    define(`confTO_ICONNECT', `1m')
    define(`confTO_INITIAL', `1m')
    define(`confTO_MAIL', `2m')
    define(`confTO_QUIT', `1m')
    define(`confTO_RCPT', `5m')
    define(`confTO_RSET', `1m')
    define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')
    FEATURE(`access_db')
    FEATURE(`always_add_domain')
    FEATURE(`blacklist_recipients')
    FEATURE(`greet_pause')
    FEATURE(`local_procmail')
    FEATURE(`masquerade_envelope')
    FEATURE(`no_default_msa')
    FEATURE(`relay_entire_domain')
    FEATURE(`smrsh')
    FEATURE(`use_ct_file')
    FEATURE(`use_cw_file')
    MAILER(smtp)
    MAILER(procmail)
All of the conf options and what they mean are documented in Sendmail's cf/README. Of those, only one needs a little more explanation:
confAUTH_OPTIONS
A =  Use the AUTH= parameter on MAIL FROM only when authentication actually succeeded (a workaround for old/broken mailers).
p =  Don't offer mechanisms that a passive eavesdropper could break, i.e., PLAIN and LOGIN, unless a security layer (TLS via STARTTLS) is already active.
y =  Forbid mechanisms that allow anonymous logins.

All of the confTO_ options are reductions from the defaults so that slow or stalled clients tie up daemon processes for less time.
I don't understand why the defaults are so large. For example, the default for confTO_HELO is 5 minutes. Why should it take any SMTP server 5 minutes to respond to a HELO command?
All of the FEATUREs and what they mean are documented in the same cf/README.

/etc/mail/local-host-names
This file contains all the domain names this machine is to receive mail for, one per line.

/etc/mail/trusted-users
Ordinarily, if a user sends mail whose From header carries an address different from the user's login, Sendmail adds an X-Authentication-Warning header noting that the user did this and giving the user's real login.

As the sysadmin, add your own login to this file (one login per line). That lets you reply as root, postmaster, webmaster, etc., without the warning header revealing your real login.

/etc/mail/sasl/sasl.m4
This file contains the options for configuring authentication mechanisms. Since sendmail.mc pulls it in with include(), it is written as m4:
    define(`confAUTH_REALM', `yourdomain.com')
    define(`confAUTH_MECHANISMS', `CRAM-MD5 DIGEST-MD5')
    TRUST_AUTH_MECH(`CRAM-MD5 DIGEST-MD5')
confAUTH_MECHANISMS lists what the server offers; TRUST_AUTH_MECH lists the mechanisms whose successful authentication is enough to permit relaying (goal 3).

/etc/mail/tls/starttls.m4
This file contains the options for configuring SSL (more accurately TLS), again as m4 definitions:
    define(`confCACERT_PATH', `/etc/ssl/certs')
    define(`confCACERT', `/etc/ssl/certs/cacert.crt')
    define(`confSERVER_CERT', `/etc/ssl/certs/sendmail.crt')
    define(`confSERVER_KEY', `/etc/ssl/private/sendmail.key')
    define(`confTLS_SRV_OPTIONS', `V')

To get the files cacert.crt, sendmail.crt, and sendmail.key, see: Configure SSL certificates.

The confTLS_SRV_OPTIONS option with the value V says not to request certificates from SMTP clients; clients are identified by SASL authentication rather than by certificate. The private key in /etc/ssl/private/sendmail.key must not be readable by other users; Sendmail refuses to use a key file with unsafe permissions.

Configuring SASL passwords

Unfortunately, one isn't able to use regular users and their passwords, i.e., /etc/passwd, for Sendmail with the mechanisms configured above: CRAM-MD5 and DIGEST-MD5 require the server to recompute the client's digest from the plaintext password, which the one-way hashes in /etc/shadow can't provide, so a separate SASL user/password database needs to be created.
If I were able to figure out issue #1, then you could use regular users and their passwords.
For SASL, you need the following packages installed:
    apt-get install libsasl2 libsasl2-modules sasl2-bin
SASL has the concept of realms. A realm is a namespace for users. By using realms, it's possible to have two or more users with the same IDs so long as they are in different realms. In the case of a simple home mail server, a single realm is sufficient. For simplicity, the name of the realm can be just the domain name.

To add users to the SASL database (/etc/sasldb2), use the following command; you'll be prompted for the password twice:
    saslpasswd2 -c -u yourdomain.com user
The entry is filed under user@yourdomain.com, and sasldblistusers2 will show it. Because the challenge-response mechanisms need the password itself rather than a hash, the database holds it in recoverable form; make sure it is not readable by ordinary users.
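Two points above deserve a worked illustration: why confAUTH_OPTIONS `p' withholds PLAIN and LOGIN until TLS is up, and why CRAM-MD5 (and DIGEST-MD5) force a separate password database. The following is an added example written for this page, not code from it or from Sendmail or Cyrus SASL: it encodes a PLAIN credential the way RFC 4616 specifies and shows that it is trivially recoverable, then runs a CRAM-MD5 round trip per RFC 2195 against a stand-in for /etc/sasldb2. The host name, user, realm and password are made up.

```python
"""PLAIN vs. CRAM-MD5 on the wire, and why the CRAM-MD5 server side needs
the plaintext password.  Added example for this page, not code from it;
the host name, user, realm and password below are made up."""
import base64
import hashlib
import hmac
import secrets


def plain_initial_response(authcid, password, authzid=""):
    """SASL PLAIN (RFC 4616): base64(authzid NUL authcid NUL password).
    base64 is encoding, not encryption: on a session without STARTTLS the
    password is readable by anyone on the path.  That is what the `p' in
    confAUTH_OPTIONS guards against by withholding PLAIN/LOGIN until TLS is up."""
    return base64.b64encode(f"{authzid}\0{authcid}\0{password}".encode()).decode()


def plain_recover(initial_response):
    """What a passive eavesdropper gets from a PLAIN exchange in the clear."""
    _authzid, authcid, password = base64.b64decode(initial_response).decode().split("\0")
    return authcid, password


def cram_md5_challenge(hostname):
    """Server challenge (RFC 2195): a fresh, unpredictable message-id-like
    string.  Freshness is what defeats replay of an old response."""
    return f"<{secrets.token_hex(16)}@{hostname}>".encode()


def cram_md5_response(username, password, challenge):
    """Client response: 'username HEX(HMAC-MD5(key=password, msg=challenge))'.
    The password itself never crosses the wire."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def cram_md5_verify(sasldb, challenge, response):
    """Server check.  Recomputing the HMAC needs the plaintext password, which
    is why /etc/sasldb2 stores it and why the one-way hashes in /etc/shadow
    cannot back CRAM-MD5 or DIGEST-MD5."""
    username, sep, digest = response.partition(" ")
    if not sep or username not in sasldb:
        return False
    expected = hmac.new(sasldb[username].encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def auth_cram_md5(sasldb, username, password, hostname="mini.yourdomain.com"):
    """One AUTH CRAM-MD5 round trip as it appears in an SMTP session
    (base64 on the wire).  Returns (accepted, transcript)."""
    challenge = cram_md5_challenge(hostname)
    transcript = ["C: AUTH CRAM-MD5",
                  "S: 334 " + base64.b64encode(challenge).decode()]
    response = cram_md5_response(username, password, challenge)
    transcript.append("C: " + base64.b64encode(response.encode()).decode())
    accepted = cram_md5_verify(sasldb, challenge, response)
    transcript.append("S: 235 2.0.0 OK Authenticated" if accepted
                      else "S: 535 5.7.0 authentication failed")
    return accepted, transcript


# Constructed stand-in for /etc/sasldb2.  `saslpasswd2 -c -u yourdomain.com alice`
# files the entry as alice@yourdomain.com, the same string Mail.app's User Name
# field has to contain.
SASLDB = {"alice@yourdomain.com": "correct horse battery staple"}

if __name__ == "__main__":
    blob = plain_initial_response("alice@yourdomain.com", SASLDB["alice@yourdomain.com"])
    print("PLAIN on the wire:", blob)
    print("eavesdropper recovers:", plain_recover(blob))
    for pw in (SASLDB["alice@yourdomain.com"], "wrong"):
        _, lines = auth_cram_md5(SASLDB, "alice@yourdomain.com", pw)
        print("\n".join(lines), end="\n\n")
```

The two halves make the trade-off concrete: PLAIN is only safe inside TLS because the password is fully exposed otherwise, while CRAM-MD5 never exposes it but obliges the server to keep plaintext-equivalent secrets, which is exactly what saslpasswd2 writes into /etc/sasldb2 and why that file needs protecting.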

Reconfiguring Sendmail

Once you've got everything configured, you need to rebuild Sendmail's configuration files and databases, then reload Sendmail. To do that:
    cd /etc/mail
    make
    /etc/init.d/sendmail reload

Testing

Once you've got Sendmail working, you should test it to make sure you're not running an open relay: from a host outside your LAN, without authenticating, a session that names a foreign sender and a foreign recipient must be refused at RCPT TO with a 550 "Relaying denied". You can use the Mail Relay Tester at abuse.net to do this from the outside. To get the most thorough testing, you should become an abuse.net registered user.
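A way to run the same kind of probe yourself, as an added example that is not the page's own code: probe_relay() opens an unauthenticated session, gives a sender and a recipient that are both foreign to the server, and reports whether RCPT TO is accepted. Since a meaningful test has to come from outside the LAN (a LAN host is allowed to relay by design), the script also carries a throwaway fake server so the exchange can be run and read offline; the host name, probe addresses and the yourdomain.com local domain are constructed for the example.

```python
"""Open-relay probe for an SMTP server, with a throwaway fake server so the
exchange can be exercised offline.  Added example for this page, not from it."""
import smtplib
import socket
import threading

# Constructed probe addresses: neither domain is local to the server under
# test, so a correctly configured MTA must refuse the RCPT with 550.
PROBE_FROM = "relaytest@example.net"
PROBE_TO = "relaytest@example.org"


def probe_relay(host, port, mail_from=PROBE_FROM, rcpt_to=PROBE_TO, timeout=10):
    """Unauthenticated EHLO / MAIL FROM / RCPT TO; returns (relayed, code, text).
    relayed is True when the server accepts a recipient it is not responsible
    for, i.e. it is an open relay.  The probe stops at RCPT; no DATA is sent."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo("relaytest.example")
        code, text = smtp.mail(mail_from)
        if code != 250:
            return False, code, text.decode(errors="replace")
        code, text = smtp.rcpt(rcpt_to)
        return code in (250, 251), code, text.decode(errors="replace")


class FakeSendmail(threading.Thread):
    """Just enough SMTP to answer one probe (a constructed stand-in, not
    Sendmail).  Mirrors the intended policy: accept recipients only in the
    local domain, unless open_relay=True to show what the bad case looks like."""
    LOCAL_DOMAINS = {"yourdomain.com"}

    def __init__(self, open_relay=False):
        super().__init__(daemon=True)
        self.open_relay = open_relay
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))   # ephemeral port on loopback
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def run(self):
        conn, _ = self.sock.accept()
        self.sock.close()
        with conn, conn.makefile("rb") as lines:
            conn.sendall(b"220 mini.yourdomain.com ESMTP\r\n")
            for raw in lines:
                line = raw.decode("ascii", "replace").strip()
                verb = line.split(" ", 1)[0].upper()
                if verb in ("EHLO", "HELO"):
                    reply = "250 mini.yourdomain.com Hello"
                elif verb == "MAIL":
                    reply = "250 2.1.0 Sender ok"
                elif verb == "RCPT":
                    addr = line.split(":", 1)[1].strip().strip("<>")
                    domain = addr.rpartition("@")[2].lower()
                    if self.open_relay or domain in self.LOCAL_DOMAINS:
                        reply = "250 2.1.5 Recipient ok"
                    else:
                        reply = f"550 5.7.1 <{addr}>... Relaying denied"
                elif verb == "QUIT":
                    conn.sendall(b"221 2.0.0 closing connection\r\n")
                    return
                else:
                    reply = "502 5.5.1 Command unrecognized"
                conn.sendall(reply.encode() + b"\r\n")


def run_demo(open_relay=False):
    """Probe a fake server configured either way; returns (relayed, code)."""
    server = FakeSendmail(open_relay)
    server.start()
    relayed, code, _text = probe_relay("127.0.0.1", server.port)
    server.join(timeout=5)
    return relayed, code


if __name__ == "__main__":
    for mode in (False, True):
        relayed, code = run_demo(mode)
        verdict = "OPEN RELAY" if relayed else "relay refused"
        print(f"open_relay={mode}: RCPT -> {code}: {verdict}")
```

Against a real server, call probe_relay() with the Mini's public address and port 25 from a host outside the LAN: a correct setup answers RCPT TO with 550 5.7.1 Relaying denied, while a 250 means the box is an open relay. Because the probe stops before DATA, no message is ever queued on the target.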

Open issues

There are a few things I want to do but still haven't been able to figure out how to do:
  1. Ideally, I want to allow plain-text password authentication once SSL has been established rather than require either CRAM-MD5 or DIGEST-MD5 since they're not necessary while using SSL. I've tried adding LOGIN and PLAIN to confAUTH_MECHANISMS and TRUST_AUTH_MECH, tried various things with /etc/mail/Sendmail.conf.2, and nothing works.

  2. I never use my actual login name as an e-mail address, so I'd like all mail sent to it to be rejected yet still have local mail sent to it (via /etc/aliases) accepted. (Adding my login to the blacklisted recipients list rejects all mail.)

  3. I'd like the hostname of the Mini not to be used in headers generated for outgoing mail, i.e., I want it to list only mydomain.org rather than host.mydomain.org.
If you happen to know how to do any of the above, please contact me.


[Screenshot: SMTP server settings in Apple Mail]

Configuring Apple's Mail client

Configuring Mail is straightforward. Create a new account and configure it using the "obvious" settings for Email Address, Incoming Mail Server, etc., then:
  1. Under Outgoing Mail Server (SMTP), click Server Settings....
  2. For Outgoing Mail Server, enter its name.
  3. Check Use Secure Sockets Layer (SSL).
  4. From the Authentication pop-up menu, select MD5 Challenge-Response (Apple's name for CRAM-MD5, one of the two mechanisms enabled in sasl.m4).
  5. For User Name, enter the SASL user and realm created with saslpasswd2, not your Unix login: user@yourdomain.com
  6. For Password, enter your SASL password.
That's it.


Last updated: June 4, 2005