After a mail delivery connection is made and the message is accepted for local delivery (relayed mail isn’t screened), the mail server can screen it before delivery.
Greylist filtering
Greylist filtering is enabled by default when mail service is turned on. With greylist filtering, Mail service records the IP address of the server sending the message, the email address of the sender, and the recipient’s email address into a local database. The first time a particular combination of these three attributes is recorded, Mail service then rejects the message with a temporary error and logs this into mail.log. For the next 60 seconds, any any other messages sent with the same attributes are also rejected. If the same message is sent again after 60 seconds, it’s accepted for delivery.
This works because legitimate SMTP servers, upon receipt of the temporary error, will requeue the message and retry to deliver the message at a later time. Junk mail servers rarely follow this requirement. This means that the first time a particular set of those three atributes is used the message will be delayed until the sending server resends the message, but the message will go through. Subsequent messages are delivered immediately.
You can add a list of known good servers, known as a whitelist. Messages from these servers will be excused from the default greylist filtering.
Blacklist filtering (optional)
Your server’s Mail service can explicitly reject mail from other Mail servers that are blacklisted as open relays by a blacklist server. Your Mail service uses the blacklist server operated by The Spamhaus Project (www.spamhaus.org). You can specify a different blacklist server. Blacklist servers are also known as Real-time Blacklist (RBL) servers or black-hole servers.
Blocking unsolicited mail from blacklisted senders might not be completely accurate. Sometimes it prevents receiving valid mail from Mail servers that are configured incorrectly.
Virus filtering (optional)
The Mail server uses ClamAV (www.clamav.net) to scan mail messages for viruses. Messages suspected of containing viruses aren’t delivered but are stored on the server in the /var/virusmails/ folder, and a notice is sent to the email address designated for alert messages in the Information pane of the Server app. The server periodically deletes the mail in the /var/virusmails/ folder.
The virus definitions are kept up to date using a process called freshclam, which gets updated definitions from the Internet.
Junk mail filtering (optional)
The Mail server uses SpamAssassin (spamassassin.apache.org) to analyze the text of a message and score the probability of it being junk mail. Each message is analyzed and word frequency statistics are saved. Mail messages that contain a higher number of words found in junk mail receive a higher score for probably being junk mail. Messages suspected of being junk mail are marked ***JUNK MAIL*** and delivered. The recipient can decide if a message is really junk mail and deal with it accordingly. Many mail clients use the ratings that SpamAssassin adds as a guide in classifying mail for the user.
OS X Server lets you set the tolerance of the filtering, as follows:
Aggressive | The junk mail filter tolerates few signs of being junk mail. |
Moderate | The junk mail filter tolerates some signs of being junk mail. |
Cautious | The junk mail filter marks an incoming message as junk mail only if it contains many signs of being junk mail. |