Host Corporate Email — Part 2

In part one of this four-part series, we took a look at configuring basic email service on OS X Server, determining which domains we'd receive mail for, and what kind of messages we'd allow to get through. This week, you'll decide whose mail you'll accept (and distribute), how much of it you can reasonably store, and where to put it all.

Setting Up Email User Accounts:

Moving away from Server Admin for a moment, where you've done all your mail service work up until now, open Workgroup Manager and choose "Accounts" from the toolbar. Select the "Users" icon from the strip above the left column (represented by a single silhouette), and highlight each user you wish to host email for. Select the "Mail" pane from the strip across the top right, and click the "Enabled" button.

Workgroup Manager: Email Account Settings

In the "Mail Server" field, fill in the name of your primary mail host to accept messages for each user, while under "Mail Access" you'll want to choose "IMAP only" to ensure messages can be properly synchronized to multiple devices. In between those two options, you'll need to choose a "Mail Quota" to determine how much email the server will store for that user. While quotas may be necessary for capacity planning, it's good to remember that the cost of disk space is relatively low compared to the expense and hassle of lost or deleted data.

Back in Server Admin, navigate to the mail settings "Quotas" pane. It makes sense to "Enable quota warnings" to alert users as they come close to their storage limits, and the preset threshold of 90% seems wise. The default setting to "Refuse messages larger than" 10MB makes little sense, though, when most Macintosh environments are in video or graphics production. Somewhere between 50 and 250MB is likely more appropriate, preserving timely mail delivery while still allowing the exchange of media files.

Deciding On Email Storage Locations:

While you're determining how much space you can use to retain live email, it's a good time to think about just where on your server you'd like to put it all. Two tabs down from your quota settings is the "Advanced" pane, and skipping to the third option on the strip below are the email "Database" settings. OS X Server uses the open-source Cyrus IMAP server for mail access, and unless you specify otherwise, keeps the email database itself in /var/imap and users' messages in /var/spool/imap. The biggest problem with these locations is that they reside on (and without quotas could potentially fill) the boot volume. A better choice is to relocate them to a separate RAID partition or volume before you ever start the mail service. You can do so by simply clicking the "Choose..." button to the right of each option.

Securing Email Access:

In order to send or receive email, a client application must convince the server it's authorized to do so. In the early academic days of the internet, users collected their mail with plain text (or unencrypted) passwords, and sent mail from any available server. Fitting the needs of the modern business world, however, requires the authentication options in the "Security" pane of the "Advanced" mail settings.

Mail Settings: Security

SMTP (or Simple Mail Transfer Protocol) is what relays messages from their sender to their intended recipient. Unsecured SMTP servers (also known as open relays) are the source of most spam, and a good way to get your mail server blacklisted so that others won't accept its messages. Check the "CRAM-MD5" box below the SMTP options to ensure that only users who authenticate with a valid password (exchanged as a challenge-response hash rather than in the clear) can send mail through your server. While less commonly supported, Kerberos authentication (the security mechanism behind Open Directory) also makes sense for VPN or internal networks.

For IMAP, restricting who can collect email from server accounts is equally important. Again, CRAM-MD5 and Kerberos are reasonable options, while less secure methods only make sense if backwards compatibility with older systems is a priority.

Finally, to encrypt not just passwords but all of your email traffic from server to client, consider utilizing SSL certificates (most commonly used for web servers). If you already have one from a certificate authority, you can take advantage of it for email as well. Select "Use" (but not "Require" unless all your email devices support SSL) for SMTP and IMAP, then select the appropriate certificate from the pull-down menu. Hit "Save" in the bottom right, then "Start Mail" on the bottom left, and you're almost ready to start running your own corporate mail service.
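Once you've saved these settings, it's worth confirming from a client's point of view that the server now advertises only the mechanisms you chose. The following is an added check, not from this article or from Apple's own tools: it parses the SMTP EHLO and IMAP CAPABILITY replies a server sends and grades them as "ok", "weak" (a cleartext password mechanism reachable without SSL) or "none". The sample replies are constructed, and `check_live` is an assumed helper for pointing the same logic at your own host name.

```python
import imaplib
import smtplib

CLEARTEXT = {"PLAIN", "LOGIN"}  # password sent in the clear unless the session is SSL/TLS

# Constructed sample replies, modelled on what a Cyrus/Postfix host might answer.
SAMPLE_EHLO = ["250-mail.example.com", "250-STARTTLS", "250-AUTH CRAM-MD5 GSSAPI", "250 8BITMIME"]
SAMPLE_CAPABILITY = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=CRAM-MD5 AUTH=GSSAPI LOGINDISABLED"


def parse_smtp_ehlo(lines):
    """Return (auth mechanisms, STARTTLS offered) from the lines of an EHLO reply."""
    mechs, starttls = set(), False
    for line in lines:
        words = line[4:].strip().upper().replace("=", " ").split()  # drop "250-" / "250 "
        if words[:1] == ["AUTH"]:          # handles both "AUTH X Y" and the old "AUTH=X" form
            mechs.update(words[1:])
        elif words == ["STARTTLS"]:
            starttls = True
    return mechs, starttls


def parse_imap_capability(line):
    """Return (auth mechanisms, STARTTLS offered, LOGINDISABLED) from a CAPABILITY reply.
    IMAP's plain LOGIN command is always usable unless LOGINDISABLED is advertised."""
    toks = line.upper().split()
    mechs = {t[5:] for t in toks if t.startswith("AUTH=")}
    if "LOGINDISABLED" not in toks:
        mechs.add("LOGIN")
    return mechs, "STARTTLS" in toks, "LOGINDISABLED" in toks


def assess(mechs, encrypted_session=False):
    """'none': no authentication at all; 'weak': a cleartext mechanism is reachable
    over an unencrypted session; 'ok': only CRAM-MD5/Kerberos (GSSAPI), or the session is SSL."""
    if not mechs:
        return "none"
    if mechs & CLEARTEXT and not encrypted_session:
        return "weak"
    return "ok"


def check_live(host, smtp_port=25, imap_port=143):
    """Assumed helper: query a real server on its plain ports and return both verdicts."""
    with smtplib.SMTP(host, smtp_port, timeout=10) as s:
        s.ehlo()
        smtp_mechs = set(s.esmtp_features.get("auth", "").upper().replace("=", " ").split())
    imap = imaplib.IMAP4(host, imap_port)
    imap_mechs = parse_imap_capability(" ".join(imap.capabilities))[0]
    imap.logout()
    return assess(smtp_mechs), assess(imap_mechs)
```

If you chose "Require" SSL (or only expose ports 465/993), pass `encrypted_session=True` to `assess`, since a cleartext mechanism inside an SSL session is no longer a weakness.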

Next Week: In part three, we'll configure DNS and MX records to properly direct email to your new email server.

Recommended Reading: You can learn more about SMTP, which carries all email across the internet, at Daniel J. Bernstein's excellent (and very detailed) reference site. For a better understanding of Cyrus System Administration, Dianna Mullet & Kevin Mullet offer a free chapter from their excellent (if slightly dated) volume "Managing IMAP".