Archived - Mac OS X Server 10.2: How to Prevent Open SMTP Relay ("spam" Forwarding)

Mac OS X Server 10.2 Mail Service can be configured to prevent open SMTP relay while still allowing local users to send mail. This document explains how.
This article has been archived and is no longer updated by Apple.
Note: If you are using Mac OS X Server 10.1.3-10.1.5, stop here and see technical document 106762, "Mac OS X Server 10.1: How to Set up Restricted SMTP Relay for Apple Mail Server".


Getting started

If you are using Mac OS X Server version 10.2 to 10.2.3, you should update to version 10.2.4 or later. Important changes have been made to the way the Mail Service handles mail. All instructions in this document assume Mac OS X Server 10.2.4 or later. By default, the Mail Service is configured not to allow open relay and not to send email to the Internet outside of your domain. It will, however, accept mail for all local users from any sender. You may follow the steps below to expand email sending capability while still preventing open relay.

Phase I: Outgoing Mail
    1. Open Server Settings and connect to the server.
    2. Click the Internet tab.
    3. Click the Mail Service button and choose Configure Host Settings (Mail Service must be running).
    4. Click the Outgoing Mail tab.
    5. Select Allow Outgoing Mail from the pop-up menu.
    6. Click the Save button.

Now the Mail Service will allow the server to send mail to the Internet. It will also allow anyone who first authenticates using the CRAM-MD5 protocol to send mail to the Internet. It will still accept mail for local users from any sender.

Phase II: Restricting Outgoing Mail by IP Address or Range

If you would like to allow your users to be able to send mail to the Internet without authenticating, follow these steps.
    1. Click the Incoming Mail tab in the Configure Host Settings window.
    2. SMTP relay should be allowed for "only hosts in this list" by default. The loopback address (127.0.0.1) and the server's primary IP address are in the list by default.

    Note: Do not remove the loopback address from the list. This is a special address and needs to be allowed to relay. Only processes running on the server itself connect from 127.0.0.1, so its presence does not let anyone outside the server relay mail and does not present a security risk.

    3. Click the Add button and add the IP addresses of any computers you wish to allow to send mail without authenticating. You can add an entire network by using an IP address/netmask format.

    Examples:
    To add 10.0.0.0 through 10.255.255.255, type: 10.0.0.0/255.0.0.0
    To add 172.16.0.0 through 172.16.255.255, type: 172.16.0.0/255.255.0.0
    To add 192.168.0.0 through 192.168.0.255, type: 192.168.0.0/255.255.255.0

    4. Click the Save button and close the window.

Now the Mail Service will allow anyone connecting from an allowed IP address to send mail to the Internet. It will also allow anyone who first authenticates using the CRAM-MD5 protocol to send mail to the Internet. It will accept mail for local users from any sender.

Phase III: Outgoing Mail From Any Authenticated User

If you would like to allow users who are NOT in the list of allowed IP addresses to send mail to the Internet if they authenticate using ANY method (not just CRAM-MD5), follow these steps.
    1. Click the Mail Service button and choose Configure Mail Service.
    2. Click the Protocols tab.
    3. Click the SMTP Options button.
    4. Select the "Require authenticated SMTP using CRAM-MD5" checkbox.
    5. Select the "Allow PLAIN and LOGIN authentication" checkbox.
    6. Deselect the "Require authenticated SMTP using CRAM-MD5" checkbox.
    7. Click the Save button and close both windows.

Now the Mail Service will allow anyone connecting from an allowed IP address to send mail to the Internet. It will also allow anyone who first authenticates by any method to send mail to the Internet. It will accept mail for local users from any sender.
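The following is an added example, not Apple's code and not part of the original article. It models the relay decision the three phases above build up (local recipients accepted from any sender; relay to the Internet only when outgoing mail is enabled and the client is either in the IP list or authenticated, with PLAIN/LOGIN counting only after Phase III) and then runs the standard open-relay check against each configuration: from an Internet address that is not in the list, with no authentication, try to send from an outside sender to an outside recipient. The class name, the domain example.com, and the probe address 203.0.113.9 (RFC 5737 test range) are constructed for the example; the list entries use the same address/netmask form the article shows, which Python's ipaddress module accepts directly.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class RelayPolicy:
    """Constructed model of the Mail Service relay decision (hypothetical, not Apple's code)."""
    local_domains: set                       # domains whose users live on this server
    allow_outgoing: bool = False             # Phase I: "Allow Outgoing Mail"
    relay_hosts: list = field(default_factory=lambda: ["127.0.0.1"])  # Phase II list
    allow_plain_login: bool = False          # Phase III: PLAIN/LOGIN accepted as authentication

    def __post_init__(self):
        # Entries use the article's "address/netmask" form (e.g. 10.0.0.0/255.0.0.0);
        # a bare address is a single host. ip_network parses dotted netmasks directly.
        self.networks = [ipaddress.ip_network(e, strict=False) for e in self.relay_hosts]

    def client_is_listed(self, client_ip):
        addr = ipaddress.ip_address(client_ip)
        return any(addr in net for net in self.networks)

    def accept_rcpt(self, client_ip, auth_method, recipient):
        """Decide one RCPT TO. auth_method is 'CRAM-MD5', 'PLAIN', 'LOGIN' or None.
        Returns (accepted, reason)."""
        domain = recipient.rsplit("@", 1)[-1].lower()
        if domain in self.local_domains:
            return True, "local recipient: accepted from any sender"
        if not self.allow_outgoing:
            return False, "outgoing mail disabled (the 10.2.4 default)"
        if self.client_is_listed(client_ip):
            return True, "client address is in the relay list"
        if auth_method == "CRAM-MD5":
            return True, "authenticated with CRAM-MD5 (always accepted)"
        if auth_method in ("PLAIN", "LOGIN") and self.allow_plain_login:
            return True, "authenticated with " + auth_method
        return False, "relay denied: client not listed and not authenticated"


def looks_like_open_relay(policy, probe_ip="203.0.113.9"):
    """The classic open-relay check: an unauthenticated client on an Internet address
    asks to send from an outside sender to an outside recipient. If that RCPT is
    accepted, the server will forward spam for anyone."""
    accepted, _reason = policy.accept_rcpt(probe_ip, None, "victim@example.net")
    return accepted


# Constructed configurations following the article's phases.
DEFAULT = RelayPolicy(local_domains={"example.com"})
PHASE1 = RelayPolicy(local_domains={"example.com"}, allow_outgoing=True)
PHASE2 = RelayPolicy(local_domains={"example.com"}, allow_outgoing=True,
                     relay_hosts=["127.0.0.1", "192.0.2.10", "192.168.0.0/255.255.255.0"])
PHASE3 = RelayPolicy(local_domains={"example.com"}, allow_outgoing=True,
                     relay_hosts=["127.0.0.1", "192.0.2.10", "192.168.0.0/255.255.255.0"],
                     allow_plain_login=True)
# The misconfiguration the article is warning against: every address allowed to relay.
WIDE_OPEN = RelayPolicy(local_domains={"example.com"}, allow_outgoing=True,
                        relay_hosts=["0.0.0.0/0.0.0.0"])

if __name__ == "__main__":
    for name, p in [("default", DEFAULT), ("phase I", PHASE1), ("phase II", PHASE2),
                    ("phase III", PHASE3), ("wide open", WIDE_OPEN)]:
        print(f"{name:10s} open relay? {looks_like_open_relay(p)}")
```

Run it and only the wide-open list reports an open relay; the three phases widen who may send outbound mail without ever accepting an unauthenticated, unlisted client. When checking a real server, the same probe is a manual SMTP session from an outside address: MAIL FROM an external sender, RCPT TO an external recipient, no AUTH, and the expected answer is a 5xx rejection.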

Notes:
    1. CRAM-MD5 authentication requires a Password Server with CRAM-MD5 enabled and the individual users must be set to use Password Server passwords. The users must have a CRAM-MD5 (sometimes called MD5 Challenge-Response) capable mail application (such as Apple Mail) as well.

    2. PLAIN and LOGIN may be enabled even when CRAM-MD5 authentication is not required (CRAM-MD5 is always enabled in the Mail Service, you can only require it or not require it). Most mail clients support PLAIN or LOGIN authentication.

Warning: PLAIN and LOGIN transmit the username and password essentially in clear text (they are only base64-encoded, which anyone observing the connection can reverse), so they pose a security risk on any network path you do not control. If possible, clients should be encouraged to use CRAM-MD5 instead, which sends a challenge-response digest rather than the password itself.
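To make the warning concrete, here is an added example (not Apple's code and not from the article) that builds the tokens a client sends for AUTH PLAIN and AUTH LOGIN, shows that a captured token gives back the password with a single decode, and then runs a CRAM-MD5 exchange (RFC 2195: the reply is HMAC-MD5 of the server's challenge keyed with the password) to show that the password never appears on the wire. The user name, password and host name are constructed for the demonstration. The server-side verifier also shows why Note 1 ties CRAM-MD5 to Password Server: the server must be able to recompute the HMAC, which requires the password (or an HMAC state derived from it) rather than a one-way hash.

```python
import base64
import hashlib
import hmac
import os

# Constructed credentials for the demonstration, not from the article.
USER = "alice"
PASSWORD = "correct-horse"


def auth_plain_token(user, password):
    """What a client sends after AUTH PLAIN (RFC 4616): base64 of
    authzid NUL authcid NUL password. Base64 is an encoding, not encryption."""
    return base64.b64encode(("\0" + user + "\0" + password).encode()).decode()


def auth_login_tokens(user, password):
    """AUTH LOGIN sends user name and password as two separate base64 lines."""
    return [base64.b64encode(v.encode()).decode() for v in (user, password)]


def recover_plain(token):
    """Anyone who captured the AUTH PLAIN line recovers the password with one decode."""
    _authzid, user, password = base64.b64decode(token).decode().split("\0")
    return user, password


def cram_md5_challenge(hostname):
    """Server challenge (RFC 2195): a fresh, unique msg-id style string."""
    return "<" + os.urandom(8).hex() + ".0@" + hostname + ">"


def cram_md5_response(user, password, challenge):
    """Client reply: base64('user ' + hex(HMAC-MD5(key=password, msg=challenge))).
    The password itself never goes on the wire."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return base64.b64encode((user + " " + digest).encode()).decode()


def cram_md5_verify(response, challenge, lookup_password):
    """Server side: recompute the HMAC for the challenge it issued. lookup_password
    stands in for the Password Server; it must return the user's password."""
    user, digest = base64.b64decode(response).decode().rsplit(" ", 1)
    password = lookup_password(user)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def wire_exposes_password(lines, password):
    """Would a passive observer who base64-decodes these lines see the password?"""
    for line in lines:
        try:
            decoded = base64.b64decode(line).decode(errors="replace")
        except ValueError:  # binascii.Error is a ValueError
            continue
        if password in decoded:
            return True
    return False


if __name__ == "__main__":
    users = {USER: PASSWORD}
    plain = auth_plain_token(USER, PASSWORD)
    print("AUTH PLAIN on the wire:", plain, "->", recover_plain(plain))
    print("AUTH LOGIN exposes password:", wire_exposes_password(auth_login_tokens(USER, PASSWORD), PASSWORD))
    chal = cram_md5_challenge("mail.example.com")
    resp = cram_md5_response(USER, PASSWORD, chal)
    print("CRAM-MD5 verifies:", cram_md5_verify(resp, chal, users.get))
    print("CRAM-MD5 exposes password:", wire_exposes_password([resp], PASSWORD))
```

Two caveats a practitioner should keep in mind: CRAM-MD5 hides the password from a passive observer and a reply cannot be replayed against a different challenge, but a captured challenge/response pair can still be attacked offline by guessing passwords, so weak passwords remain weak; and neither mechanism encrypts the mail itself or the rest of the session.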
Last Modified: Feb 17, 2012
Article: TA21127