Note: This document describes versions 10.1.3 and 10.1.4. The procedure is different for versions 10.2 and later.
Steps to set up Restricted SMTP Relay
Important:
- 1. Before proceeding, you should read technical document 106763: "Mac OS X Server: Restricted SMTP Relay Helps Prevent Unsolicited Email"
2. This procedure will not work if you do not complete Step 11.
3. This document assumes a basic understanding of NetInfo Manager. If you are familiar with the Terminal, the niutil and kill commands, and process IDs, you may use those instead. See the "Advanced Administrators Only" section below.
Follow these steps to set up Restricted SMTP Relay:
- 1. If you have not already, update to version 10.1.4 and restart the server. See technical document 106704, "Mac OS X: How to Update Your Software".
2. Open the Server Admin application.
3. Be sure that MailServer is running.
4. Open NetInfo Manager (/Applications/Utilities/).
5. Navigate to the "config" directory in the local domain, located in the second column after "/".
6. Select the AppleMailServer directory in the next column. What you see should resemble Figure 1.
Figure 1 NetInfo Manager
7. Edit the "open_relay_addr_flag" property by entering the value of "1". This enables Restricted SMTP Relay.
Important: Next you must edit the "open_relay_addr_list" property, which contains a list of values that may be host names, IP addresses, or IP address ranges from which relaying is allowed. If the Mail Server starts up and these attributes are absent, it creates the attribute open_relay_addr_flag with a value of 0 and the attribute open_relay_addr_list with a value representing the IP address of the local server.
8. To add an additional value to the "open_relay_addr_list" property, choose "New Value" from the "Directory" menu and edit as desired (Figure 2). See the "Example values" section below for syntax examples.
Figure 2 Adding a new value
Figure 3 summarizes the attributes of the Apple Mail Server for the Restrict SMTP Relay feature.
Figure 3 Apple Mail Server attributes
9. Save the new settings and quit NetInfo Manager.
10. Stop and restart Apple Mail Server using Server Admin to enact the new settings.
11. Be sure the checkbox is deselected for "Deliver mail to local addresses only (no SMTP relay)" in the Configure Host Settings window of Server Admin (Figure 4). This must be done while Apple Mail Server is running. This allows the server the check the newly created SMTP relay list.
Figure 4 Server Admin
This completes the steps to configure the Restrict SMTP Relay feature. If you need to modify the list of hosts, the procedure can be repeated.
What Restricted SMTP Relay does
Once relay lists have been created and enabled, the Mail Server loads them into a local cache for verification against all incoming SMTP connections. All connections are checked against this list for remote mail delivery regardless of the originating "mail from:" value. Any user who attempts to relay mail from a host not in the approved list will have the message rejected by the server. A user wishing to relay mail from a non-approved host may do so by authenticating via SMTP AUTH (see "Additional Information" below). If you want to assure that your local email users are authenticated when they send email, you can enable the SMTP Authentication ("SMTP AUTH") feature.
The Mail Server reads and processes the open_relay_addr settings in Directory Services when it starts up or after receiving a HUP signal, on the first SMTP session. The ".Server.log" file notes the IP addresses or ranges and the host and domain names added to the valid relay list. Host names that cannot be resolved or malformed address ranges are not added to the relay list. Such a complication would also be noted in the log.
Example values for the host list
A variety of notations can be used for each entry in the open_relay_addr_list. Valid examples include:
- Host Names - myserver.example.com
- Domains - example.com
- Single IP Address - 192.168.123.55
- IP Address Range - 192.168.40.*
("*" represents entire range) - IP Address Range - 192.168.40-43.0-255
(Ranges explicitly stated) - IP Address Range: 192.168.40-43.*
(Mixed notation styles)
Advanced Administrators Only
When it starts up, Apple Mail Server creates attributes in local NetInfo that control the behavior of the Restricted SMTP Relay and SMTP AUTH features. You can edit these values in the Terminal with the niutil command.
1. To view default settings, execute this command as root:
niutil -read . /config/AppleMailServer
The resulting output:
name: AppleMailServer
smtp_plain_login_flag: 0
open_relay_addr_flag: 0
open_relay_addr_list: 17.221.41.168
The IP address is the address of the computer on which Apple Mail Server is running. You can enable the Restrict SMTP Relay feature with the following command:
niutil -createprop . /config/AppleMailServer open_relay_addr_flag 1
2. Deselect the checkbox for the "Deliver mail to local addresses only (no SMTP relay)" in the Configure Host Settings window in the Server Admin application (Figure 4). This cannot be achieved from the Terminal.
3. These NetInfo settings take effect when a HUP signal is received by the MailService process. To send the HUP signal:
kill -HUP `ps auxc | grep MailService | awk '{print $2}'`
Additional information
For additional information on this subject, see technical documents:
106760: "Mac OS X Server: How to Set up SMTP Authentication"
106761: "Mac OS X Server: About SMTP Authentication for Apple Mail Server"