Mail server install questions
Gerben Wierda
gerben.wierda at rna.nl
Sun Sep 8 17:29:50 UTC 2019
On 8 Sep 2019, at 18:10, Steven Smith <steve.t.smith at gmail.com> wrote:
>
>>> Also, I would like to influence the host, domain, and old for the auto-configuration. Is there a way to do that? I would like to run the mail-server configuration stage again with the correct names.
>>
>> Answering myself: in Server.app, set 'Computer Name' to the FQDN (just like Host Name, so something like host.domain.tld and not just 'Host'). /bin/hostname reports the 'Computer Name' field, not the 'Host Name' field.
>
> This is out of scope for MacPorts, but here are a few comments about what it sounds like you're trying to do.
>
> Migration from old macOS Server.
>
> I've done this myself, trying to follow https://developer.apple.com/support/macos-server/macOS-Server-Service-Migration-Guide.pdf. This Apple migration guide is helpful, but deficient in several key aspects, e.g. DNS, VPN, Calendar and Contacts, and Mail. FWIW, here are my own notes on migration:
> • https://github.com/essandess/macOS-Open-Source-Server
> • https://github.com/essandess/macOS-Open-Source-Server/blob/master/macOS%20Server%20Migration%20Notes.md
Yes, I found most of these over the months.
> Also, I could be wrong, but it sounds like you're trying to migrate your services on the same server as your old, running Server.app version 5.7.
No. I have a brand new Mac mini (late 2018) that is being set up from a greenfield state. The old server is currently still running, and I am building the new one until a cutover point when I will move mail to the new server (without the users noticing it, if I'm lucky). But much has to be done: the whole server and the remote backup, for instance.
> This would be a Very Bad Idea. Rather, buy a new box, configure it as a sandbox,
What do you mean by 'configure it as a sandbox'? You mean, set it up independently? Yes, that is what I am doing.
> harden everything, migrate user data, then deploy.
Exactly, that is the plan.
For the local macOS accounts I’m still running them as ‘Mobile Accounts’ with PHD-like synchronisation set up using ChronoSync. Not ideal, but it works.
> Running a Mail Server.
>
> There is no more Server.app Mail server. If you decide to run one yourself, it means knowing what every line in the postfix and dovecot and rspamd configuration does, and knowing and checking the user and group permissions of all files and directories used for the mail server. You can't assume that the MacPorts mail-server example configuration, or any other, is appropriate for your own network or users. You have to check it line by line and test it before you adopt and deploy it. If you're not willing to embrace these steps, you should purchase a commercial mail server, or use a cloud service email provider, for which there are many options. Aside from the basic rtfm's on the MTAs and MDAs, here are a few helpful background links on configuring a BSD/Linux mail server:
>
> • https://www.c0ffee.net/blog/mail-server-guide/
> • https://arstechnica.com/information-technology/2014/02/how-to-run-your-own-e-mail-server-with-your-own-domain-part-1/
>
> Whether or not you decide to run your own mail server, transitioning from the old Server.app version 5.7 that's running a full suite of services means configuring a new box from bare metal up. You'll need to do this step by step. One thing that's still useful with the latest Server.app is TLS certificate management, whose certs can be dropped straight into the postfix and dovecot configuration used in the mail-server port.
Yes, that is the plan. I've set up smooth use of Letsencrypt certificates, which are not just automatically renewed but also fully remove the no-longer-used cert from Keychain and Server. I'm using these for Mail and www.rna.nl, and they are renewed smoothly without filling up my system with outdated ones. (Sadly, there is a little issue left: it isn't yet able to detect when there is still a different certificate for the same FQDN (an intermediate one, to be exact, used for Messages and Open Directory). I still haven't been able to figure out how to use the Letsencrypt certs for that, but maybe that is because of my Computer Name / Host Name mismatch.) The script is here on GitLab:
Gerben Wierda / macOS-Server-certbot-deployhook <https://gitlab.com/gctwnl/macos-server-certbot-deployhook>
(Another thing there is a way to manage VirtualBox VMs for Docker containers. Something I can get back to when I have finally migrated.)
> Getting back to your specific MacPorts question above, yes, if you change your network settings the Portfile activation stage will detect this and change default settings appropriately. However, as mentioned, it’s on you to make sure the settings in this example configuration are the ones you actually want for your own network and mail server, and edit the actual configuration appropriately.
>
> I’ve had my own mail server transition from Server.app for about six months now, and it’s much nicer than the old one, and, I believe, more secure: postfix run in chroot, up-to-date MTA and MDA services, a blazingly fast anti-spam capability with much-improved spam/ham training workflow, and DKIM configured on the box. After I got it configured and running, I haven’t had to touch it through multiple MacPorts upgrades of postfix and dovecot.
Nice. I wish I was there already.
I was wondering, btw, how the situation was regarding push notifications to iOS devices.
I have decided to go to a more modern DNS setup (nsd/unbound), which works fine, but that means your mail-server startup, which loads dns-server (as this uses bind9), cannot be directly used. I wish you had not put DNS in the mail-server; it's really not part of it (apple-server maybe, but not mail-server).
My local network already uses the new DNS setup. I still have to tweak the MacPorts, as the mix of chroot and logging is not yet optimal. For logging to work, the logs need to be written inside the chroot. But that means a mix in the directory tree of settings (etc) and logging, or moving up in the tree and having a less separated chroot jail.
So, what is your setting for Host Name and Computer name in Server.app? Both FQDN?
G