Category Archives: Kerio

Active Directory cloud Consulting iPhone Kerio Mac OS X Mac OS X Server Mac Security Mass Deployment Microsoft Exchange Server Network Infrastructure Windows Server

Dig TTL While Preparing For A Migration

Any time doing a migration of data from one IP to another where that data has a DNS record that points users towards the data, we need to keep the amount of time it takes to repoint the record to a minimum. To see the TTL of a given record, let’s run dig using +trace, +nocmd to turn off showing the version and query options, +noall to turn off display flags, +answer to still show the answer section of my reponse and most importantly for these purposes +ttlid to toggle showing the TTL on. Here, we’ll use these to lookup the TTL for the www.krypted.com A record:

dig +trace +nocmd +noall +answer +ttlid a www.krypted.com

The output follows the CNAME (as many a www record happen to be) to the A record and shows the TTL value (3600) for each:

www.krypted.com. 3600 IN CNAME krypted.com.
krypted.com. 3600 IN A 199.19.85.14

We can also lookup the MX using the same structure, just swapping out the a for an MX and the FQDN with just the domain name itself:

dig +trace +nocmd +noall +answer +ttlid mx krypted.com

The response is a similar output where

krypted.com. 3600 IN MX 0 smtp.secureserver.net.
krypted.com. 3600 IN MX 10 mailstore1.secureserver.net.

Kerio Mac OS X Mac OS X Server

Configure the Mail Service in Mavericks Server

Mail is one of the hardest services to manage. Actually, mail is pretty simple in and of itself: there’s protocols people use to access their mail (such as IMAP and POP), protocols used to communicate between mail servers and send mail (SMTP, SMTPS) and then there’s a database of mail and user information. In Mavericks Server, all of these are represented by a single ON button, so it really couldn’t be easier. But then there’s the ecoysystem and the evil spammers.

As a systems administrator of a large number of mail servers, I firmly believe that there is a special kind of hell where only spam is served at every meal for spammers. Here, the evil spammers must also read every piece of spam ever sent for eternity. By the end (aka Ragnarok), they should have the chemically induced stamina of a 16 year old with the latest Sports Illustrated Swimsuit issue, enough pills of other types to not be able to use that stamina, plenty of African princes looking to donate large sums of money if only they can be helped out of their country (which should cost about 100,000 compared to a 5,000,000 payout, not a bad ROI, right?!?!?), have their conflicting stamina situation at the top of the search engines and of course, have lost all of the money made from their African princes due to getting their credit card hijacked by about 9,000 phishing scams. All in all, a special kind of hell…

But back to the point of the article, setting up mail. The things that mail administrators need to focus on to keep that mail server flowing mail to and from everyone else in the world:

  • Static IP address. The WAN (and LAN probably) address should be static.
  • Port Forwards. Port forwards need to be configured on the gateway for the SMTP port at a minimum and more than likely other ports used to access mail on client devices (25, 143, etc)
  • DNS records. An MX record and some kind of mail.domain.com type of record should definitely be configured for the DNS servers that are authoritative for the domain. There should also be reverse records for the address of the server, usually created by the Internet Services Provider, or ISP, that match that record.
  • Check the RBLs. If you have a new IP address you’ll be putting a DNS server on, check all the major Realtime BlackLists to make sure that some evil spammer hasn’t squatted on the IP before you got to it. This is true whether you’re in a colo, hosted on an IP you own or moving into space formerly occupied by a very standup company. A lot of IP addresses are blocked, as are blocks of IPs, so before moving mail to an IP, check it.
  • Mail filtration (message hygiene). OS X Server has a number of mail filters built in, including clam for viruses, the ability to leverage RBLs, block specific addresses and of course RBL checking. However, this is often not enough. Third party services such as MXLogic help to keep mail from coming into your network. You also end up with an external IP to send mail that can cache mail in the event the server is down and keep mail off your network in the event that it’s spam.
  • Backup. I am firmly of the belief that I’d rather not have data than not have that data backed up…

Once all of that is taken care of (I’ll add more as I think about it) then it’s time to enable the mail service in Server app 3. Actually, first let’s setup our SSL certificates. To do so, open the Server app and click on Certificates in the SERVER section of the sidebar. Here, use the “Secure services using” drop-down list and click on Custom… for each protocol to select the appropriate certificate to be used for the service.

Screen Shot 2013-10-06 at 9.04.25 PM

Click OK when they’re all configure. Now let’s enable the mail service (or outsource mail). To do so, open the Server app and click on Mail in the SERVICES list in the sidebar.

Screen Shot 2013-10-06 at 9.05.02 PMAt the configuration screen is a sparse number of settings:

  • Provide mail for: Configures all of the domains the mail server will listen for mail for. Each account on the server has a short name and each domain name will be available for each short name. For example, an account with a shortname of charles will be available for email addresses of charles@pretendco.com and charles@krypted.com per the Domain Name listing below.Screen Shot 2013-10-06 at 9.05.45 PM
  • Authentication: Click Edit for a list of sources that accounts can authenticate against (e.g. Active Directory, Open Directory, Custom, Local, etc) and in some cases the specific password algorithms used for mail.Screen Shot 2013-10-06 at 9.06.17 PM
  • Push Notifications: If Push is configured previously there’s no need to use this option. Otherwise, use your institutional APNS account to configure Push Notifications.Screen Shot 2013-10-06 at 9.07.25 PM
  • Relay outgoing mail through ISP: Provide a server that all mail will get routed through from the server. For example, this might be an account with your Internet Services Provider (ISP), an account on an appliance that you own (such as a Barracuda) or with an external filtering service (such as MXLogic).Screen Shot 2013-10-06 at 9.07.57 PM
  • Limit mail to: Configure the total amount of mail a user can have in the mail store, in Megabytes.
  • Edit Filtering Settings: Configure antivirus, spam assassin and junk mail filters. The “Enable virus filtering” checkbox enables clam. The “Enable blacklist filtering” checks the RBL (or RBLs) of your choice to check whether a given server is a “known” spammer and the “Enable junk mail filtering” option enables spam assassin on the host, configuring it to block based on a score as selected using the slider.Screen Shot 2013-10-06 at 9.08.44 PM

Once you’ve configured the settings for the Mail service, click on the ON slider to enable the service. At this point, you should be able to telnet into port 25 of the host to verify that SMTP is listening, preferably from another mail server:

telnet mail.krypted.com 25

You can also check that the mail services are running using the serveradmin command along with the fullstatus option for the mail service:

sudo serveradmin fullstatus mail

Which returns with some pretty verbose information about the service, including state, connections, running protocols and the rest of the following:

mail:startedTime = ""
mail:setStateVersion = 1
mail:state = "STOPPED"
mail:protocolsArray:_array_index:0:status = "ON"
mail:protocolsArray:_array_index:0:kind = "INCOMING"
mail:protocolsArray:_array_index:0:protocol = "IMAP"
mail:protocolsArray:_array_index:0:state = "STOPPED"
mail:protocolsArray:_array_index:0:service = "MailAccess"
mail:protocolsArray:_array_index:0:error = ""
mail:protocolsArray:_array_index:1:status = "ON"
mail:protocolsArray:_array_index:1:kind = "INCOMING"
mail:protocolsArray:_array_index:1:protocol = "POP3"
mail:protocolsArray:_array_index:1:state = "STOPPED"
mail:protocolsArray:_array_index:1:service = "MailAccess"
mail:protocolsArray:_array_index:1:error = ""
mail:protocolsArray:_array_index:2:status = "ON"
mail:protocolsArray:_array_index:2:kind = "INCOMING"
mail:protocolsArray:_array_index:2:protocol = "SMTP"
mail:protocolsArray:_array_index:2:state = "STOPPED"
mail:protocolsArray:_array_index:2:service = "MailTransferAgent"
mail:protocolsArray:_array_index:2:error = ""
mail:protocolsArray:_array_index:3:status = "ON"
mail:protocolsArray:_array_index:3:kind = "OUTGOING"
mail:protocolsArray:_array_index:3:protocol = "SMTP"
mail:protocolsArray:_array_index:3:state = "STOPPED"
mail:protocolsArray:_array_index:3:service = "MailTransferAgent"
mail:protocolsArray:_array_index:3:error = ""
mail:protocolsArray:_array_index:4:status = "OFF"
mail:protocolsArray:_array_index:4:kind = "INCOMING"
mail:protocolsArray:_array_index:4:protocol = ""
mail:protocolsArray:_array_index:4:state = "STOPPED"
mail:protocolsArray:_array_index:4:service = "ListServer"
mail:protocolsArray:_array_index:4:error = ""
mail:protocolsArray:_array_index:5:status = "ON"
mail:protocolsArray:_array_index:5:kind = "INCOMING"
mail:protocolsArray:_array_index:5:protocol = ""
mail:protocolsArray:_array_index:5:state = "STOPPED"
mail:protocolsArray:_array_index:5:service = "JunkMailFilter"
mail:protocolsArray:_array_index:5:error = ""
mail:protocolsArray:_array_index:6:status = "ON"
mail:protocolsArray:_array_index:6:kind = "INCOMING"
mail:protocolsArray:_array_index:6:protocol = ""
mail:protocolsArray:_array_index:6:state = "STOPPED"
mail:protocolsArray:_array_index:6:service = "VirusScanner"
mail:protocolsArray:_array_index:6:error = ""
mail:protocolsArray:_array_index:7:status = "ON"
mail:protocolsArray:_array_index:7:kind = "INCOMING"
mail:protocolsArray:_array_index:7:protocol = ""
mail:protocolsArray:_array_index:7:state = "STOPPED"
mail:protocolsArray:_array_index:7:service = "VirusDatabaseUpdater"
mail:protocolsArray:_array_index:7:error = ""
mail:logPaths:Server Error Log = "/Library/Logs/Mail/mail-err.log"
mail:logPaths:IMAP Log = "/Library/Logs/Mail/mail-info.log"
mail:logPaths:Server Log = "/Library/Logs/Mail/mail-info.log"
mail:logPaths:POP Log = "/Library/Logs/Mail/mail-info.log"
mail:logPaths:SMTP Log = "/var/log/mail.log"
mail:logPaths:List Server Log = "/Library/Logs/Mail/listserver.log"
mail:logPaths:Migration Log = "/Library/Logs/MailMigration.log"
mail:logPaths:Virus Log = "/Library/Logs/Mail/clamav.log"
mail:logPaths:Amavisd Log = "/Library/Logs/Mail/amavis.log"
mail:logPaths:Virus DB Log = "/Library/Logs/Mail/freshclam.log"
mail:imapStartedTime = ""
mail:postfixStartedTime = ""
mail:servicePortsRestrictionInfo = _empty_array
mail:servicePortsAreRestricted = "NO"
mail:connectionCount = 0
mail:readWriteSettingsVersion = 1
mail:serviceStatus = "DISABLED"

To stop the service:

sudo serveradmin stop mail

And to start it back up:

sudo serveradmin start mail

To configure some of the settings no longer in the GUI from previous versions, let’s look at the full list of options:

sudo serveradmin settings mail

One that is commonly changed is the subject line added to messages that are marked as spam by spam assassin. This is stored in mail:postfix:spam_subject_tag, so changing would be:

sudo serveradmin settings mail:postfix:spam_subject_tag = "***DIEEVILSPAMMERSDIE*** "

A number of admins also choose to disable greylisting, done using the mail:postfix:greylist_disable option:

sudo serveradmin settings mail:postfix:greylist_disable = no

To configure an email address for quarantined mail to go, use mail:postfix:virus_quarantine:

sudo serveradmin settings mail:postfix:virus_quarantine = "diespammersdie@krypted.com"

The administrator, by default, doesn’t get an email when an email containing a file infected with a virus is sent through the server. To enable this option:

sudo serveradmin settings mail:postfix:virus_notify_admin = yes

I also find a lot of Mac environments want to accept email of pretty much any size. By default, message size limits are enabled. To disable:

sudo serveradmin settings mail:postfix:message_size_limit_enabled = yes

Or even better, just set new limit:

sudo serveradmin settings mail:postfix:message_size_limit = 10485760

And to configure the percentage of someone’s quota that kicks an alert (soft quota):

sudo serveradmin settings mail:imap:quotawarn = 75

Additionally, the following arrays are pretty helpful, which used to have GUI options:

  • mail:postfix:mynetworks:_array_index:0 = “127.0.0.0/8″ – Add entries to this one to add “local” clients
  • mail:postfix:host_whitelist = _empty_array – Add whitelisted hosts
  • mail:postfix:blacklist_from = _empty_array – Add blacklisted hosts
  • mail:postfix:black_hole_domains:_array_index:0 = “zen.spamhaus.org” – Add additional RBL Servers

The client side of the mail service is straight forward enough. If you are wondering where in this article we discuss using webmail, er, that’s not installed by default any longer. But the open source project previously used, roundcube, is still available for download and easily installed (the pre-reqs are all there, already). Check out the roundcube wiki installation page here for more info on that. Also, mail groups. I hope to have a post about that soon enough. Unless, of course, I get sidetracked with having a life. Which is arguably not very likely…

Kerio Mac OS X Mac OS X Server

Resolving Corrupt journal.db Files in Kerio

Sometimes it seems like sqlite just isn’t equipped for some tasks. Sometimes it seems like some developers aren’t. Sometimes it ends up being a mystery as to what is really going on behind the scenes. Like watching CNN on a television right next to Fox News at the gym. Both can’t be reality. But what is real, is that journabl.db files get corrupt in Kerio all the time. And the logs often say something about SQLITE_CORRUPT &/or “database disk image is malformed”. To correct, first stop the Kerio server, then nuke the .journal.db file. Assuming the mail store is /usr/local/kerio/mailserver/store/mail on a Mac (swap /usr/local with /opt if using Linux) then the command to do so would be:

rm /usr/local/kerio/mailserver/store/mail/.journal.db

Then start up Kerio and the .journal.db file will automatically rebuild and the errors about some malformed whatnot should be out of those logs.

Kerio Mac OS X Microsoft Exchange Server

Disabling Attachment Preview In Apple Mail

I recently had a situation where an email had a bunch of corrupt attachments. Each time one of the attachments was clicked on before the Mail app could mark the message as read the Preview of the attachment crashed the application. Turns out this was because opening the email automatically was attempting to display the image preview. Turns out I just needed to disable preview in mail long enough to get the messages deleted. To do so write the DisableInlineAttachmentViewing key as true into com.apple.mail as follows:

defaults write com.apple.mail DisableInlineAttachmentViewing -bool true

To then disable this option, set the key to false:

defaults write com.apple.mail DisableInlineAttachmentViewing -bool false

Kerio Mac OS X Mac OS X Server Mac Security Mass Deployment Network Infrastructure

A Little More About afctl in OS X Server

Awhile back I wrote an article on managing the Adaptive Firewall built into Mountain Lion Server at http://krypted.com/mac-os-x-server/managing-lion-servers-adaptive-firewall-from-the-command-line. It’s worth mentioning that when you use this command you’re basically editing some text files. These include the blacklist, blockedHosts and whitelist folders at possibly the shortest folder at this depth in the file system that I’ve ever had the good luck to need to use /var/db/af (okay, okay, I’m sure we’ve all made /a/b/c and that’s shorter, but this is pretty close).

You should use afctl to add and remove machines from these lists. The -w option in afctl used to add a host to a whitelist will cause the host to appear in the /var/db/af/whitelist file. The -a option used to blacklist a host will add it to the /var/db/af/blacklist file. Hosts that are flagged are dropped into /var/db/af/blockedHosts and when you remove those hosts with the -r option they are removed from that file.

I think that pretty much beats that poor afctl horse to death. Simple is good sometimes!

Kerio Mac OS X Server

Can't Undo Deletes in Kerio

When you setup a Kerio server, by default there’s a feature called AutoExpunge. This feature keeps mail clients from showing a message with a strikethrough through it when a message is marked for deletion. Once items are processed the message is moved to deleted and the strikethrough message is removed from the folder it was deleted from. Many users can get confused by this, so Kerio built a feature called AutoExpunge. That AutoExpunge feature instead of striking through messages just tosses them. That causes you to be unable to undo a delete.

To disable AutoExpunge, stop Kerio Mail Server and then look for AutoExpungeOnDelete option in /usr/local/Kerio/mailserver/mailserver.cfg (I like to back that file up before making any changes). Then change the value for that from 1 to 0. Then save your changes to the file and start Kerio Connect back up. Once started, test that you can undo a delete and if so, you’re good to go!

Note: If you change settings like this when the mail server is running then it can revert the settings back as the daemon is running. If that happens to you, double-check that the service is stopped before editing the file.

Kerio Mac OS X Mac OS X Server

Increasing The Maximum Connections In Kerio Connect

Kerio has a few maximums set by default. There are also a few items that are not in the Kerio Connection Administration page. When using IMAP (and some other services), you can increase the maximum number of allowed connections to allow users to be able to connect to your servers using the variety of devices they likely now have. We’ll look at doing this with IMAP (given that each account accessed by each user is likely using at minimum 2 connections) but you can do this with many other services as well.

To increase the total number of available IMAP connections:

  • Open the Kerio Connect Administration page.
  • Click on the Configuration disclosure box to see Services.
  • Click on Services.
  • From the Services page, double-click on IMAP.
  • At the IMAP box, click on the Access tab.
  • Increase the field for Maximum number of concurrent connections.
  • Click OK.
  • Click Restart to restart the IMAP service.

Screen Shot 2013-04-03 at 8.44.28 AM

Now, let’s say that all of the IMAP connections are coming from what the server sees as the same IP (somewhat common with certain types of routers). Well, there’s also a setting not exposed in the web configuration tool that limits the total number of connections available for a given IP address, so let’s go ahead and increase that as well. To do so, open the mailserver.cfg file located in /usr/local/kerio/mailserver. Here, look in the service-imap table and find the MaxConnectionsIP variable. Change that to, let’s say 300 and then save the changes and restart the IMAP service again. Now you’re done. Good luck!

Kerio Mac OS X Mac OS X Server Microsoft Exchange Server MobileMe Ubuntu Unix

Converting pst Files to mbox

Large scale mail migrations can be tricky. There is a shareware app that can be used to migrate pst files from the pst format into mbox, which can then be used with Mac OS X http://www.littlemachines.com.

If the migration process needs to be automated (they all seem to at scale) then a script could be written to crawl users, finds the pst files and then convert them. Or it could be done on the client side using a self-destructing launchd item. Conversion syntax for libpst would be something like the following:

readpst -o /output/folder /server/path/user.pst

Before you can use readpst, it needs to be built via libpst on the system that will run any scripts. Download libpst from http://alioth.debian.org/frs/?group_id=30390. This can be done with curl:

curl http://alioth.debian.org/frs/download.php/2492/libpst-0.5.3.tar.gz --O libpst-0.5.3.tar.gz

Next, extract the tar:

tar -zxvf libpst-0.5.3.tar.gz

Then cd into the new directory:

cd libpst-0.5.3

Then make libpst:

make

And now readpst should be available to convert mailboxes. This could be run from a centralized server or distributed to clients.

Kerio Mac OS X Mac OS X Server Mac Security

Using OpenSSL to Test Connectivity

Almost wrote this up again and then realized I already did once (sure it was a few years ago but luckily not much changes with some of the command line stuff). Check it out here:
http://krypted.com/mac-os-x/using-openssl-to-test-connectivity

If you want to see more on openssl check this one out too:
http://krypted.com/unix/openssl-and-signatures

Business Consulting Kerio Mac OS X Mac OS X Server Mac Security Mass Deployment

Backup Planning

The two attached files are a sample checklist and a sample backup calculator to be used in conjunction with the talk I’m giving at MacSysAdmin, which has been moved up to 10:45 in the morning today.