Migration & Retirement of macOS Server Mail Service
Notes on replacement and migration from the macOS Server Mail service to an Ubuntu-based equivalent

Status:
November 2024 - Biting the bullet and writing notes along the way to replace macOS Mail services
Up to macOS High Sierra, Apple offered its macOS Server product, which allowed users to self-host:
- Mail - using a tuned Postfix/Dovecot/amavis/ClamAV implementation
- OpenDirectory - based on OpenLDAP
- CalDAV/CardDAV - Calendar and Address services
- Messages/XMPP - Federated Messaging service based
- File Sharing Services - which were folded into macOS
- Profile Services - for user device profile management
Apple published notice and guidance via a support note, and while most of the services had relatively simple single-server replacements, the Mail service did not, as it was built from quite a few components.
Though long retired I continued to use macOS Mail Services, as its replacement was more complicated than other services and email has been functionally stable for a long time.
So "if it ain't broke, then don't fix it"....
In 2024 this is no longer the case:
- ClamAV Version Obsolete - so no longer getting virus signature updates
- SSL Security Fixes - there have been a significant number of SSL-related security fixes that are no longer being provided for macOS High Sierra
- SSL Encryption Algorithms - SSL has also had new and more secure algorithms added, and older ones are no longer considered secure
- iOS 18.X has broken iPhone/iPad IMAP pickup - the macOS Server Dovecot IMAP implementation now has issues with the latest iPhone / iPad Mail client, and while this appears to be a client bug, a fix from Apple has not been forthcoming, so the other option is to update the Dovecot IMAP server to a newer release
So the time has come to replace macOS Server Mail services and retire it.
Mail Replacement Requirements & Options
The macOS Server Mail services are built from the following Open Source components:
- Postfix - mature and widely deployed Simple Mail Transfer Protocol (SMTP) based Mail Transfer Agent (MTA). This is responsible for sending mail between different organisations' mail servers.
- Dovecot - mature and widely deployed Internet Message Access Protocol (IMAP) server. This is responsible for providing the user mail retrieval service, also known as mail delivery agent (MDA).
- amavis - provides an interface between the MTA and MDA to allow for an anti-virus scanning agent (such as ClamAV)
- ClamAV - a mail content virus scanner
- Spamhaus - provides an online email delivery restrictions database to help filter out email spammers etc.
So a like-for-like replacement should provide these services, and also allow integration with LDAP for checking valid email recipients (to replace the Open Directory service) and use the LetsEncrypt certificate service to get SSL certificates.
Building a replacement email server with features equivalent to the macOS Mail Services therefore requires integration of quite a few components. It is not just a matter of running a Postfix / Dovecot based service, as this will not have the additional and valuable anti-virus and anti-spam features that the macOS Mail Service provided.
The next question is what to run the replacement on. Candidates include macOS, FreeBSD or a Linux distribution. While my bias would be to run the mail services on FreeBSD, the available documentation indicates that this option would need a combination of Ports and source-built components to get the various parts working. For Ubuntu Linux it seems that the component parts can be deployed using apt-based binary distributions, which greatly simplifies install and configuration of the solution.
On this basis I have opted for Ubuntu based replacement strategy.
Installing and Configuring Mail Server parts on Ubuntu
As there are quite a few moving parts, let's do this in small steps:
- Install base Ubuntu 24.04 Server - I disabled ipv6 by editing /etc/default/grub and adding "ipv6.disable=1" as an option in the "default command line".
- Install LetsEncrypt certificates, using the DNS based challenge (or "wildcard" support). As per the LetsEncrypt starter page, the LetsEncrypt "certbot" is now installed via "snap" (rather than "apt").
- Install Postfix (apt install postfix) and configure domain, ipv4 only, SSL via LetsEncrypt certificates, submission/submissions ports
- Install Dovecot (apt install dovecot-core dovecot-imapd dovecot-lmtpd) and configure Postfix / Dovecot integration
Postfix & Dovecot Integration
To create a configuration as much like OS X Server as possible, the model I used was to have Postfix / Dovecot integrated via the Local Mail Transfer Protocol (lmtp). In this model, traffic received is forwarded from Postfix to Dovecot via lmtp, and SASL (Authentication) responsibility is handled by Dovecot.
This simplifies things, as you only have to specify details for authentication management with Dovecot.
By default Dovecot will deliver email into the user's local home directory, but in this case we want the email to be delivered into a consolidated area; this model is called "virtual mail".
The following configuration items need to be set:
- Postfix
#
# main.cf
#
smtputf8_enable = no
mailbox_transport = lmtp:unix:private/dovecot-lmtp
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
- Dovecot
#
# /etc/dovecot/conf.d/10-mail.conf
#
mail_location = maildir:/var/mail/data/%u/Maildir
#
# /etc/dovecot/conf.d/10-master.conf
#
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
  user = vmail
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
#
# /etc/dovecot/conf.d/20-lmtp.conf
#
# Enable utf8 support
# lmtp_utf8 = yes
#
# /etc/dovecot/conf.d/10-auth.conf
#
# disable_plaintext_auth = yes
# auth_mechanisms = plain
auth_mechanisms = plain login
#
# /etc/dovecot/conf.d/10-ssl.conf
#
# ssl = yes
ssl = required
ssl_cert = </etc/letsencrypt/live/HOST.DOMAIN.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/HOST.DOMAIN.com/privkey.pem
ssl_min_protocol = TLSv1.2
# ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1
ssl_prefer_server_ciphers = yes
Using virtual mailboxes involves adding uid/group - vmail:vmail
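The integration above only works if the two sides agree on socket locations: Postfix resolves private/dovecot-lmtp and private/auth under its queue directory, which is where the Dovecot unix_listener paths point. The following Python check is an added example, not part of the original notes; it reports any socket Postfix expects that Dovecot does not create, or that is not postfix-owned or is open to other users. The /var/spool/postfix queue directory, the function names and the sample text are assumptions.

```python
import os
import re

QUEUE_DIR = "/var/spool/postfix"  # assumption: Postfix's default queue_directory
# Constructed sample input in the shape of `postconf -n` / `doveconf -n` output.
MAIN_CF = "mailbox_transport = lmtp:unix:private/dovecot-lmtp\nsmtpd_sasl_path = private/auth"
DOVECOT = """service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
  }
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
  }
}"""

def parse_listeners(text):
    """Map (service name, socket path) -> settings of each unix_listener block."""
    listeners, stack = {}, []
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        m = re.match(r"(service|unix_listener)\s+(\S+)\s*\{$", line)
        if m:
            stack.append(m.group(2))
            if m.group(1) == "unix_listener":
                listeners[tuple(stack)] = {}
        elif line.endswith("{"):
            stack.append(None)  # some other block type; track nesting only
        elif line == "}" and stack:
            stack.pop()
        elif "=" in line and tuple(stack) in listeners:
            key, val = (part.strip() for part in line.split("=", 1))
            listeners[tuple(stack)][key] = val
    return listeners

def audit(main_cf, dovecot_conf):
    """Return findings where Postfix's socket paths and Dovecot's listeners disagree."""
    pf = dict(re.findall(r"^(\w+)\s*=\s*(.*\S)", main_cf, re.M))
    lmtp = pf.get("mailbox_transport", "").removeprefix("lmtp:unix:")
    listeners, findings = parse_listeners(dovecot_conf), []
    for service, rel in (("lmtp", lmtp), ("auth", pf.get("smtpd_sasl_path", ""))):
        sock = os.path.join(QUEUE_DIR, rel)  # Postfix resolves these under its queue dir
        cfg = listeners.get((service, sock))
        if cfg is None:
            findings.append(f"{service}: no Dovecot unix_listener at {sock}")
        elif int(cfg.get("mode", "0600"), 8) & 0o007 or cfg.get("user") != "postfix":
            findings.append(f"{service}: {sock} must be postfix-owned, closed to others")
    return findings
```

On a live host, pass it the output of postconf -n and doveconf -n; an empty list means both sockets line up.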
Links & References:
macOS Server Overview - provides details on what macOS Server provided before its gradual retirement started...
Apple macOS Server Notice - Apple's suggestion for replacement of macOS Server services
"macOS Server - Service Migration Guide" - Apple's developer documentation on macOS Server migration guide, which is notable for its absence of information on Mail Services
Apple Community Discussion on Mail Server Migration/Replacement - with Mail service retirement, users were left to try to figure out how to replace the service. Some tried to do this while still on macOS, as discussed here. Users also recognised that replacement needs more than a single server, and some elected to use commercial offerings and others to try to roll their own, as discussed here.
Redhat Postfix Deployment Documentation - useful set of instructions as gets to the core Postfix configuration file setup
FreeBSD Postfix Guide - an example FreeBSD Postfix / Dovecot guide, appears complicated...
Ubuntu Postfix / Dovecot Guides - this set of Ubuntu apt based guides seems more digestible... and covers amavis and ClamAV in addition to Postfix and Dovecot
Ubuntu Postfix / Dovecot / OpenLDAP Guides - to maintain user details from OS X Server, authentication needs to be managed via LDAP; this "LDAP managed mail server with Postfix and Dovecot for multiple domains" provides good guidance.
Image - from Quicksilver Messenger Service - Happy Trails Cover Art