Web services was always easy to install on macOS Server and it’s no different on a Synology. To do so, open Package Manager from the home screen.
Click All in the sidebar and enter web into the search box.
Click Web Station.
Click Install. This installs a few dependencies. Click Open once the install is finished.
Click General Settings. Note that the default web server is Nginx. You can install Apache and then Apache will be available in the HTTP back-end server list. If you’ll be using a different service (Apache) then do the switch before you proceed.
Otherwise (or after you switch to Apache), click on Virtual Host.
Click on Create.
Click into the hostname field and provide the name of the site. The ports can stay as are unless you’d like to customize the port that a site runs on. Then select a document root. This is where you’ll place your index.html or index.php file that sits at the root of a site.
Select the back-end server (e.g. Nginx or Apache 2.4) and then the PHP Profile (I usually stick with the default profile unless I’m using a method in PHP that’s unsupported in 7.x).
Click OK. And that’s it. Put your web directory into the document root, and viola – you have a new web server.
krypted March 30th, 2018
Posted In: Synology
Apache, configure, nxginx, Synology, web server
In an earlier article, I mentioned that MAMP Pro was still the best native GUI for managing web services on the Mac, now that macOS Server will no longer serve up those patchy services. After we cover the management in this article, you’ll likely understand why it comes it at $59.
So you’ve installed MAMP. And you need more than the few basic buttons available there. So MAMP Pro came with it and you can try it for a couple of weeks for free. When you open MAMP Pro, you’ll see a screen where you can perform a number of management tasks. This is a more traditional side-bar-driven screen that will look like what Server Admin might have looked like before the web services screen got simplified in macOS Server.
The Hosts item in SETTINGS will show you each host installed on the server. Think of a host as a site. Each web server can serve up a virtually unlimited number of websites. You can configure an IP binding to the site, or hav
If you click on the plus sign, you can add a site. In this example, I’ll add www.krypted.com and then click on create. When doing so, you can configure a database for each site (e.g. if you’re doing multi-tenant hosting), build a site off a template, or select a root directory for the site.
The Apache tab of each host allows you to configure host-specific settings, including enabling options for directives such as Indexes, Includes, SymLink following, and CGI. More options than were in macOS Server for sure. You can also order allows, allow overrides, add new directives, set the index (or the default page of each site), add additional virtualhosts (such as krypted.com for www.krypted.com), and add a server admin email address.
These were Apache-centric settings for each host. Click on the Nginx tab if you’re using Nginx instead of Apache. Nginx is a bit less “patchy” so there are a fewer options here. But they’re similar: Configure an index, add parameters, and a feature not available in the GUI options for Apache: allow or deny access based on IP.
The SSL tab allows you to generate a CSR, upload the cert and key file, and force connections to use https.
The Extras tab allows you to automatically install standard web packages. For example, here we’ll select WordPress.
Click on the Databases tab. To connect a site to a database, enter the name of the database when prompted. Note: the site itself will need credentials in order to connect, and if you’ve setup an “Extra” in the above step, the database will automatically be configured.
Next, let’s configure the ports used by the web servers. The previous settings were per-site. The rest that we cover in this article will be per-server, as these are global settings applied to the daemons themselves. Each of those services will have a port or ports associated with them. For example, the standard web port used is 80 or 443 for SSL-based connections and the standard port for MySQL is 3306. For publicly-facing sites these would be the standard ports, and given how common they are, there’s a button for “Set ports to 80, 81, 443, 7443, 3306”. Otherwise, you can enter each independently. Because the attaching of daemons is done here, this is also where you configure the user that services run as, as well as when to start the services and truncate log files.
The Editor option configures how the editor appears, which we’ll cover last in this article. The Editing option manages how the editor works (e.g. things like tabs, autocompletes, etc.
The Fonts & Colors tab allows you to select each color assigned to various types of text.
The Default Apps tab allows you to configure which app is opened when opening each type of file supported.
Again, we’ll look at the editor later in this article. First, let’s finish getting the web server setup. Click on Apache. Here, you can load new Apache mods you download from the interwebs. I should mention that an important security step in locking down a publicly-facing web server is to disable all of the mods you don’t absolutely need.
At the bottom of this screen, there’s also a handle little link to the directory with your logs, so you can read through them if needed.
The Nginx option underneath is similar. Access to log files is there, as is the ability to enable installed Nginx mods.
The MySQL option also provides access to some straight-forward command-line options, but in a nice GUI. Here, you can configure a root password for MySQL ( which does this: Reset A Lost MySQL Password
), enable phpMyAdmin, MySQL Workbench, and Sequel Pro-based administration, enable network access to the MySQL Service (using ports configured in the Ports section of the app) which I cover at Allow Remote Connections To MySQL
, and view logs.
The Dynamic DNS options are cool. Click there, and if your web server is behind a DHCP address, you can configure a dynamic DNS service including DNS-O-Matic, no-ip.com, dyn.com, easydns.com, etc. This way when you reboot and get a new IP address from your ISP, it’ll update the service automatically.
Memcached is a distributed memory object caching system. It’s used to make sites appear faster or to distribute caching between servers for systems that, for example, get clustered. It’s included here for a reason, I’m sure of it! Either way, I actually use it for a few things and like the fact that it’s there. To enable, simply choose how much memory to give it, configure the logging level (usually low unless you’re troubleshooting), and gain access to logs. If you check the “Include Memcached server in GroupStart” then memcache will fire up when you start your web services.
Click postfix. Here, you configure your server to route mail through an email account. If you run this from the command line, you can also configure your server to be a mail server; however, when you do that you’re likely to get mail bouncing all over the place. So if the server or a service on the server is supposed to send mail, it’s usually best to route through something like a gmail account.
The Languages section allows you to configure how PHP, Python, Perl, and Ruby work on the server. For PHP, you can configure which version of PHP is installed, configure a version of PHP for hosts, enable caching (different than memcached), enable a few basic extensions (I’ve been playing with oauth a lot recently), choose logging options, and have a simple way to see the logs.
Since you’re running on a Mac, you already have Python, but if you click on the Python option, you can make the version of Python bundled with Mac is 2.7.10 instead of 2.7.13.
Click on Perl to do the same.
Click on Ruby to do the same.
The editor is also pretty easy to use. Simply use the plus sign to add a file you’d like to edit. Keep in mind when browsing that everything MAMP Pro needs is self-contained in the /Applications/MAMP directory, so it should be pretty easy to find files for editing.
And that’s it. This seems like a lot of stuff, but between sites like ServerFault and other Apache/Nginx articles, you’ll likely find most of the things you need. It’s worth mentioning that I consider this another baby step to just managing Apache using config files. macOS Server tried hard to reduce the complexity of where different settings and options are derived from; MAMP Pro makes no allusion that web server management should be so simple. That’s one of the things I like about it. It’s like you went from riding in a buggy on the back of a bike to riding with training wheels. The more you know, the better off you are.
krypted March 10th, 2018
Posted In: Mac OS X, Mac OS X Server, Mac Security, WordPress
Apache, Apple, configure, httpd, macos server, memcached, mods, nginx, perl, python, replace a Mac server with apache, Ruby
IFTTT makes the possibilities practically endless for what you can do with an Amazon Echo running Alexa. IFTTT provides workflows that connect Alexa to many of the most popular cloud services on the Internet. For example, Alexa can make a spreadsheet of all the songs you listen to using your Prime account, Email you a shopping list, sync To-Dos to Evernote, find your phone, set reminders on your phone, extend Alexa to manage your TV using Harmony, run Wink shortcuts, print files, manage a Wemo bulb (Belkin), control otherwise unsupported thermostats, control items within apps (e.g. make all your Hue lights a given color), time things (e.g. turn on the air conditioning for an hour), lock a door using an otherwise unsupported lock (e.g. with a Smarthings), do random things (e.g. assign a random color to a Hue light), interface with Google Calendar, and so much more.
Basically, if a service can interact with IFTTT using an API, then your Alexa can be made to talk to it. But first, let’s connect your Amazon Echo to IFTTT. To get started, first go to the Alexa channel on IFTTT at Amazon Alexa Channel on IFTTT
When the page loads, click Connect.
You’ll then be prompted to sign into IFTTT using your Amazon account. Enter your username and password and then click “Sign in using our secure server”.
You’ll then be prompted to trust IFTTT from Amazon. Click Okay.
Then you’ll be able to setup recipes. Let’s say you’d like to put your shopping list on a Slack channel so you can be judged even more harshly than you already are…
krypted May 30th, 2016
Posted In: Alexa, Home Automation
alexa, amazon echo, API, configure, link, slack, wemo
DNS is DNS. And named is named. Except in OS X Server. Sometimes. The configuration files for the DNS services in OS X Server are stored in /Library/Server/named. This represents a faux root of named configuration data, similar to how that configuration data is stored in /var/named on most other platforms. Having the data in /Library/Server/ makes it more portable across systems. The current version of BIND is 9.9.7-P2.
Traditionally, you would edit this configuration data by simply editing the configuration files, and that’s absolutely still an option. In OS X Server 5 (for El Capitan and Yosemite), a new command is available at /Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework called dnsconfig. The dnsconfig command appears simple at first. However, the options available are actually far more complicated than they initially appear. The verbs available include help (show help information), list (show the contents of configurations and zone files), add (create records and zones) and delete (remove records and zones).
To view data available in the service, use the list verb. Options available when using the list verb include –acl (show ACLs), –view (show BIND view data), –zone (show domains configured in the service), –rr (show resource records) and –rrtype (show types of resource records). For example, let’s say you have a domain called pretendco.lan and you would like to view information about that zone. You could use the dnsconfig command along with the list verb and then the –zone option and the domain name:
/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig list --zone=pretendco.lan
The output would show you information about the listed zone, usually including View data:
To see a specific record, use the –rr option, followed by = and then the fqdn, so to see ecserver.pretendco.lan:
/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig list --rr=ecserver.pretendco.lan
By default views are enabled and a view called com.apple.ServerAdmin.DNS.public is created when the DNS server first starts up. You can create other views to control what different requests from different subnets see; however, even if you don’t create any views, you’ll need to add the –view option followed by the name of the view (–view=com.apple.ServerAdmin.DNS.public) to any records that you want to create. To create a record, use the add verb. You can add a view (–view), a zone (–zone) or a record (–rr). Let’s start by adding a record to the pretendco.lan from our previous example. In this case we’ll add an A record called www that points to the IP address of 192.168.210.201:
/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig add --view=com.apple.ServerAdmin.DNS.public --zone=pretendco.lan --rr=www A 192.168.210.201
You can add a zone, by providing the –view to add the zone to and not providing a –rr option. Let’s add krypted.lan:
/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig add --view=com.apple.ServerAdmin.DNS.public --zone=krypted.lan
Use the delete verb to remove the data just created:
/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig delete --view=com.apple.ServerAdmin.DNS.public --zone=krypted.lan
Or to delete that one www record earlier, just swap the add with a delete:
/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig delete --view=com.apple.ServerAdmin.DNS.public --zone=pretendco.lan --rr=www A 192.168.210.201
Exit codes would be “Zone krypted.lan removed.” and “Removed 1 resource record.” respectively for the two commands. You can also use the –option option when creating objects, along with the following options (each taken as a value followed by an =, with this information taken by the help page):
- allow-transfer Takes one or more address match list entry. Address match list entries consist of any of these forms: IP addresses, Subnets or Keywords.
- allow-recursion Takes one or more address match list entry.
- allow-update Takes one or more address match list entry.
- allow-query Takes one or more address match list entry.
- allow-query-cache Takes one or more address match list entry.
- forwarders Takes one or more IP addresses, e.g. 10.1.1.1
- directory Takes a directory path
- tkey-gssapi-credential Takes a kerberos service principal
- tkey-domain Takes a kerberos realm
- update-policy Takes one complete update-policy entry where you can grant or deny various matched objects and specify the dentity of the user/machine that is allowed/disallowed to update.. You can also identify match-type (Type of match to be used in evaulating the entry) and match-name (Name used to match) as well as rr-types (Resource record types that can be updated)
Overall, this command is one of the better updates we’ve seen from Apple when it comes to managing DNS in a long time. It shows a commitment to continuing to make the service better, when you add records or remove them you can instantly refresh the Server app and see the updates. It’s clear a lot of work went into this and it’s a great tool for when you’re imaging systems and want to create records back on a server or when you’re trying to script the creation of a bulk list of records (e.g. from a cached file from a downed host). It also makes working with Views as easy as I’ve seen it in most platforms and is overall a breeze to work with as compared to using the serveradmin command to populate objects so the GUI doesn’t break when you update records by hitting files directly.
krypted October 5th, 2015
Posted In: Mac OS X Server
bind, configure, dns server, Mac Server, named, OS X Server, pretendco, server, zones
OS X Server 5 (for El Capitan and Yosemite) sees little change with the FTP Service. Instead of sharing out each directory the new incantation of the FTP service allows administrators to share a single directory out. This directory can be any share that has previously been configured in the File Sharing service or a website configured in the Websites service.
To setup FTP, first open the Server app and then click on the FTP service.
Once open, use the Share: drop-down list to select a share that already exists (output of sharing -l basically) and click on one of the shares or Custom to create a new share for FTP. Then, set the permissions as appropriate on the share and hit the ON button for the FTP service.
Now, let’s test from a client. I like to use the ftp command line interface built into OS X. To test, type ftp followed by the address of the site (and I like to put the username followed by @ before the hostname, as follows:
When prompted, provide a password. Then, assuming your get the following, you’re in:
230 User robin logged in.
Remote system type is UNIX
Using binary mode to transfer files.
Here, type ls to see a list of the directories contents. Or pwd to see what directory you are in (relative to the root of the ftp share). And of course, type get followed by the name of a file to transfer it locally:
Open a terminal window on the server and let’s look at the few options you have to configure FTP from the command line. We already discussed sharing -l to see a list of the available shares. Additionally, you can use the serveradmin command, where ftp is the name of the service. Let’s look at the status of the service, first:
sudo serveradmin fullstatus ftp
Now let’s look at status:
sudo serveradmin status ftp
Same thing, right? Let’s look at all the settings:
sudo serveradmin settings ftp
If you have spaces in the name of a share that you configure from the Server app the thing will fail. Good stuff, so use serveradmin to manually set shares with spaces or other special characters in the names:
sudo serveradmin settings ftp:DocumentRoot = “/Shared Items/Krypted”
Overall, this ftp implementation is meant for users who just need to access their web server where all the files live in a web root of some sort. Otherwise, I’d still recommend most people use a third party tool. But if you just need to log into one share and you don’t need a lot of fancy features on top of your protocols that haven’t changed much since 1985 then this implementation will still work for ya’ without any extra work.
Since we mentioned 1985, let’s look at some other things that are as old, although perhaps not as dated, as the FTP Protocol. Things from the year 1985:
- Back To the Future is Released
- Coke introduces one of the largest marketing fails of all time, New Coke. It is so bad it opens a hole in the Ozone, also discovered in this year by Al Gore
- Rambo Part II and Rocky Part IV come out, Sly doesn’t come out
- Mad Max Beyond Thunderdome teaches us that Tina Turner’s still got it – Bill Schroeder doesn’t have it, no relation to Ricky, he leaves the hospital part-cyborg with the first artificial heart.
- A View To A Kill finally ends the Roger Moore era of James Bond. Computer nerds, keep in mind, he saved Silicon Valley. This movie had Christopher Walken and Duran Duran. What more could you ask for? Oh, right – Tanya Roberts! Oh, and Thomas Patrick Cavanaugh actually gets life for being a real spy.
- Since Police Academy was a hit, the producers figured they’d screw it up by making a second movie: Police Academy 2 comes out
- After watching Cocoon I now know I’ll never have to grow old, so I can treat my body however I want…
- The unabomber is at the half way point of his career with 2 bombings this year, The Rainbow Warrior sinks (no known relation to the unabomber, unless he was a French antieco-terrorist), flight 847 is hijacked and Gorbachev becomes the leader of the largest pain in President Reagan’s bung hole: Russia (OMG Commies – Run!!!). In order to pay for the tail end of the cold war, Reagan lowers taxes and sends America into debt for the first time since 1914, a debt we are still in (evil Democrats, always incurring more American debt!). Meanwhile, Margaret Thatcher has shoulder pads surgically implanted because health care is free in Great Britain and all. Actually, National Health Service contributes little to England’s national debt, which was about as low in percentage of GDP as it had been since before WWI under her and due to her terms as PM. It was at its highest in the early 1800s, far before shoulder pads were in fashion… Having said that, the US, who went into debt for the first time had to sell Reagan’s autobiography rights in order to pay for his colon surgery since there’s not NHS here… He could have asked Gotti, who became the leader of the Gambinos in 1985 for a loan, but I hear he was too busy playing Tetris, which also came out in 1985…
- British Telecom phases out red telephone boxes – almost as a result a single season of Dr. Who airs on TV.
- In 1985, Paul Simon, Stevie Wonder, Ray Charles, Bob Dylan, Michael Jackson, Billy Joel, Cyndi Lauper, Willie Nelson, Lionel Richie, Smokey Robinson, Kenny Rogers, Diana Ross, Paul Simon, Bruce Springsteen, Tina Turner, Daryl Hall, Kenny Loggins, Huey Lewis and of course Al Jarreau sang We Are The World. Prince wouldn’t show and Waylon Jennings stormed out. Jane Fonda hosted a HBO special in between workout videos. Live Aid happens too, and is far cooler. But, at least Rich Ramirez (the Night Stalker) got nabbed in LA.Top singles on the charts include Madonna, Wham!, Simple Minds, Duran Duran, Phil Collins, Dire Straits, Starship, Lionel Richie, Foreigner and REO Speedwagon.
- Top TV shows include the sweaters from the Cosby Show, Family Ties, Murder She Wrote, Dynasty, The Golden Girls, Miami Vice, Cheers, Knots Landing, Growing Pains and of course, DALLAS
- The Ford Taurus and the Mercury Sable bring a new low point to American automobile engineering – luckily The Nintendo came out and no one cared for a decade or more…
- The Commodore Amiga is launched.
- The Free Software Foundation is founded by rms, author of great cookie recipes, tips on women and GNU Manifestos.
- And most importantly, Steve Jobs starts NeXT
krypted September 24th, 2015
Posted In: Mac OS X Server
Apple, configure, enable, FTP, Mac Servers, OS X Server, server 5, server.app, service
The tools to automate OS X firewall events from the command line are still stored in /usr/libexec/ApplicationFirewall. And you will still use socketfilterfw there for much of the heavy lifting. However, now there are much more helpful and functional options in socketfilterfw that will allow you to more easily script the firewall.
Some tricks I’ve picked up with the Mac Firewall/alf scripting:
- Configure the firewall fully before turning it on (especially if you’re doing so through something like Casper, FileWave, Munki, or Absolute Manage where you might kick yourself out of your session otherwise).
- Whatever you do, you can always reset things back to defaults by removing the com.apple.alf.plist file from /Library/Preferences replacing it with the default plist from /usr/libexec/ApplicationFirewall/com.apple.alf.plist.
- Configure global settings, then per-application settings, then enable the firewall. If a remote system, do ;wait; and then enable the first time to make sure everything works before enabling the firewall for good.
- To debug, use the following command: “/usr/libexec/ApplicationFirewall/socketfilterfw -d”
In /usr/libexec/ApplicationFirewall is the Firewall command, the binary of the actual application layer firewall and socketfilterfw, which configures the firewall. To configure the firewall to block all incoming traffic:
/usr/libexec/ApplicationFirewall/socketfilterfw --setblockall on
To see if block all is enabled:
The output would be as follows, if successful:
Firewall is set to block all non-essential incoming connections
A couple of global options that can be set. Stealth Mode:
/usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
To check if stealth mode is enabled:
/usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on
You can also control the verbosity of logs, using throttled, brief or detail. For example, if you need to troubleshoot some issues, you might set the logging to detail using the following command:
/usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt: detail
To start the firewall:
/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
While it would be nice to think that that was going to be everything for everyone, it just so happens that some environments actually need to allow traffic. Therefore, traffic can be allowed per signed binary. To allow signed applications:
/usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned on
To check if you allow signed apps:
This will allow all TRUSTEDAPPS. The –listapps option shows the status of each filtered application:
To check if an app is blocked:
/usr/libexec/ApplicationFirewall/socketfilterfw –getappblocked /Applications/MyApp.app/Contents/MacOS/myapp
This shows the number of exceptions, explicitly allowed apps and signed exceptions as well as process names and allowed app statuses. There is also a list of TRUSTEDAPPS, which will initially be populated by Apple tools with sharing capabilities (e.g. httpd & smbd). If you are enabling the firewall using a script, first sign your applications that need to allow sharing but are not in the TRUSTEDAPPS section by using the -s option along with the application binary (not the .app bundle):
/usr/libexec/ApplicationFirewall/socketfilterfw -s /Applications/MyApp.app/Contents/MacOS/myapp
Once signed, verify the signature:
/usr/libexec/ApplicationFirewall/socketfilterfw -v /Applications/MyApp.app/Contents/MacOS/myapp
Once signed, trust the application using the –add option:
/usr/libexec/ApplicationFirewall/socketfilterfw --add /Applications/MyApp.app/Contents/MacOS/myapp
To see a list of trusted applications. You can do so by using the -l option as follows (the output is pretty ugly and needs to be parsed better):
If, in the course of your testing, you determine the firewall just isn’t for you, disable it:
/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off
To sanity check whether it’s started:
Or to manually stop it using launchctl (should start again with a reboot):
launchctl unload /System/Library/LaunchAgents/com.apple.alf.useragent.plist
launchctl unload /System/Library/LaunchDaemons/com.apple.alf.agent.plist
If you disable the firewalll using launchctl, you may need to restart services for them to work again.
krypted July 16th, 2015
Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment
applicationlayerfirewall, configure, defaults, firewall, global state, MAC, mac firewall, socketfilterfw, start, stop
Configuring Calendar Server in Mavericks Server (OS X Server 3) is a fairly simple and straight forward process. The Calendar Server is a CalDAV Server, leveraging HTTP and HTTPS, running on ports 8008 and 8443 respectively. To enable the Calendar service in Mavericks Server, open the Server application and click on Calendar in the SERVICES section of the sidebar.
Once open, click on Edit to enable email notifications of invitations in the Calendar Server. Provide the email address and then click on the Next button.
At the Configure Server Email Address screen, provide the type of incoming mail service in use, provide the address of the mail server and then the port number used, if not a standard port for HTTPS-based IMAP (or POP if you’d prefer), the user name and the valid password for the account. Then click on the Next button.
At the outgoing mail server screen, provide the Outgoing Mail Server address, the port, whether or not SSL is in use (it should be if possible), the password protocol, the user name and the password. Then click on the Next button.
At the Mail Account Summary screen, review the settings and if correct, click Finish. Back at the service configuration screen, click on the plus sign (“+”) and provide a type of location, a name for the location, whether or not invitations to the resource are accepted and then enter the account name for any accounts that can manage the location’s calendar (they will auto-complete, so there’s no need to remember users and groups exactly). Click Done to complete the setup. Use the Resource setting in type to configure a resource instead of a location. The two are the same, except the Type field.
There are a number of settings that can also be configured. But those are exposed only at the command line. To configure them, open the command line and then review the list of Calendar service settings using the list option of the serveradmin command:
sudo serveradmin settings calendar
There are a number of settings for the Calendar service, including the following:
calendar:SSLCertificate = "/etc/certificates/mavserver.pretendco.lan.10E6CDF9F6E84992B97360B6EE7BA159684DCB75.cert.pem"
calendar:EnableCalDAV = no
calendar:Notifications:Services:APNS:CalDAV:CertificatePath = "/Library/Server/Calendar and Contacts/Config/Certificates/apns:com.apple.calendar.cert.pem"
calendar:Notifications:Services:APNS:CalDAV:PrivateKeyPath = "/Library/Server/Calendar and Contacts/Config/Certificates/apns:com.apple.calendar.key.pem"
calendar:Notifications:Services:APNS:CalDAV:AuthorityChainPath = "/Library/Server/Calendar and Contacts/Config/Certificates/apns:com.apple.calendar.chain.pem"
calendar:Notifications:Services:APNS:CardDAV:CertificatePath = "/Library/Server/Calendar and Contacts/Config/Certificates/apns:com.apple.contact.cert.pem"
calendar:Notifications:Services:APNS:CardDAV:PrivateKeyPath = "/Library/Server/Calendar and Contacts/Config/Certificates/apns:com.apple.contact.key.pem"
calendar:Notifications:Services:APNS:CardDAV:AuthorityChainPath = "/Library/Server/Calendar and Contacts/Config/Certificates/apns:com.apple.contact.chain.pem"
calendar:Notifications:Services:APNS:Enabled = yes
calendar:EnableAPNS = yes
calendar:DefaultLogLevel = "warn"
calendar:Authentication:Digest:Enabled = yes
calendar:Authentication:Digest:AllowedOverWireUnencrypted = yes
calendar:Authentication:Kerberos:Enabled = yes
calendar:Authentication:Kerberos:AllowedOverWireUnencrypted = yes
calendar:Authentication:Wiki:Enabled = yes
calendar:Authentication:Basic:Enabled = yes
calendar:Authentication:Basic:AllowedOverWireUnencrypted = no
calendar:DataRoot = "/Library/Server/Calendar and Contacts/Data"
calendar:Scheduling:iMIP:Sending:Server = "mavserver.pretendco.lan"
calendar:Scheduling:iMIP:Sending:UseSSL = yes
calendar:Scheduling:iMIP:Sending:Username = "com.apple.calendarserver"
calendar:Scheduling:iMIP:Sending:Address = "email@example.com"
calendar:Scheduling:iMIP:Sending:Password = "JAdMTWx9Bh9JaaGm"
calendar:Scheduling:iMIP:Sending:Port = 587
calendar:Scheduling:iMIP:Enabled = yes
calendar:Scheduling:iMIP:Receiving:Server = "mavserver.pretendco.lan"
calendar:Scheduling:iMIP:Receiving:UseSSL = yes
calendar:Scheduling:iMIP:Receiving:Username = "com.apple.calendarserver"
calendar:Scheduling:iMIP:Receiving:Type = "imap"
calendar:Scheduling:iMIP:Receiving:Password = "JAdMTWx9Bh9JaaGm"
calendar:Scheduling:iMIP:Receiving:Port = 993
calendar:ServerHostName = "mavserver.pretendco.lan"
calendar:EnableCardDAV = yes
calendar:SSLPort = 8443
calendar:LogLevels = _empty_dictionary
calendar:DirectoryAddressBook:params:queryPeopleRecords = no
calendar:DirectoryAddressBook:params:queryUserRecords = no
calendar:SSLPrivateKey = "/etc/certificates/mavserver.pretendco.lan.10E6CDF9F6E84992B97360B6EE7BA159684DCB75.key.pem"
calendar:EnableSSL = yes
calendar:RedirectHTTPToHTTPS = yes
calendar:SSLAuthorityChain = "/etc/certificates/mavserver.pretendco.lan.10E6CDF9F6E84992B97360B6EE7BA159684DCB75.chain.pem"
calendar:EnableSearchAddressBook = no
calendar:HTTPPort = 8008
One of the more common settings to configure is the port number that CalDAV runs on. To configure HTTP:
sudo serveradmin settings calendar:HTTPPort = 8008
sudo serveradmin settings calendar:SSLPort = 8443
You can then start the service using the start option:
sudo serveradmin start calendar
Or to stop it:
sudo serveradmin stop calendar
Or to get the status:
sudo serveradmin fullstatus calendar
Full status indicates that the three services are running:
calendar:readWriteSettingsVersion = 1
calendar:setStateVersion = 1
calendar:state = "RUNNING"
calendar:contactsState = "RUNNING"
calendar:calendarState = "RUNNING"
Once the Calendar server is configured, use the Calendar application to communicate with the server. Open the Calendar application and click on the Calendar menu and select Preferences. From the Preferences screen, click on Accounts to bring up a list of accounts. Here, click on the plus sign (“+”) to bring up the “Add an Account” screen.
At the “Add an Account” screen, select Add CalDAV Account.
CalDAV from the Account Type menu and then enter the User Name and password configured on the server, and add the address of the server if you don’t have any service records pointing to the server. The User Name is usually the name provided in Server app, followed by @ and then the address of the server.
Once the server is configured it appears in the list of accounts in the sidebar of the Calendar app. Create calendars in the account and then to share a calendar, right-click on the calendar and click on Share Calendar…
At the Share Calendar screen, provide the name the calendar should appear as to others and click on the plus sign (“+”) and enter any accounts to delegate administration to.
Back at the Calendar Settings screen, use the settings to configure Availability and refresh rate of calendars, as seen above. Click on Server Settings to assign custom port numbers.
Click on the Delegation tab to view any accounts you’ve been given access to.
Use the Edit button to configure who has delegated access to calendars, as opposed to configuring subscriptions.
Overall, the Calendar service in Mavericks Server is one of the easiest to configure. Most of the work goes into settings configured on client systems. This, as with Exchange, dedistributes administration, often making administration more complicated than with many other tools. But that’s a good thing; no one wants to access other peoples accounts, for calendars or mail for that matter, without those users knowing that it was done, as will happen when resetting passwords…
krypted October 23rd, 2013
Posted In: Mac OS X Server
caldav, Calendar Server Configuration, calendar:EnableSSL, configure, delegate calendars, Mac OS X Server, Mavericks Server, server 2.2, serveradmin settings calendar, setup CalDAV client for iCal Server, setup the iCal Service, twisted
You shouldn’t have to reboot your ESX servers very often. But when you do, you might want the virtual machines to start up automatically. To configure a virtual machine to start up (or shut down) automatically select the host and click on the Configuration tab.
Then click on virtual machine Startup/Shutdown and click on Properties, selecting “Allow virtual machines to start and stop automatically with the system”. As I mentioned in a previous article, you can also configure the operating system to start after a brief delay by providing a Default Startup Delay time, allowing time for booting systems to run scripts or to throw them into Safe Mode. You can also configure automated shutdown options at this screen as well.
Also use the Move Up and Move Down options to indicate what order virtual machines start when the system starts. Click Save and the configs are written to the system.
krypted June 10th, 2013
Posted In: VMware, Windows Server
configure, ESX, esxi, properties, safe mode, shutdown, startup, VM, VMware
Next Page »
Mail is one of the hardest services to manage. Actually, mail is pretty simple in and of itself: there’s protocols people use to access their mail (such as IMAP and POP), protocols used to communicate between mail servers and send mail (SMTP, SMTPS) and then there’s a database of mail and user information. In Mount Lion Server, all of these are represented by a single ON button, so it really couldn’t be easier. But then there’s the ecoysystem and the evil spammers.
As a systems administrator of a large number of mail servers, I firmly believe that there is a special kind of hell where only spam is served at every meal for spammers. Here, the evil spammers must also read every piece of spam ever sent for eternity. By the end (aka Ragnarok), they should be fairly well hung, have chemically induced stamina of a 16 year old with the latest Sports Illustrated Swimsuit issue, enough pills of other types to not be able to use that stamina, plenty of African princes looking to donate large sums of money if only they can be helped out of their country (which should cost about 100,000 compared to a 5,000,000 payout, not a bad ROI, right?!?!?), have their conflicting stamina situation at the top of the search engines and of course, have lost all of the money made from their African princes due to getting their credit card hijacked by about 9,000 phishing scams. All in all, a special kind of hell…
But back to the point of the article, setting up mail… The things that mail administrators need to focus on to keep that mail server flowing mail to and from everyone else in the world:
- Static IP address. The WAN (and LAN probably) address should be static.
- Port Forwards. Port forwards need to be configured on the gateway for the SMTP port at a minimum and more than likely other ports used to access mail on client devices (25, 143, etc)
- DNS records. An MX record and some kind of mail.domain.com type of record should definitely be configured for the DNS servers that are authoritative for the domain. There should also be reverse records for the address of the server, usually created by the Internet Services Provider, or ISP, that match that record.
- Check the RBLs. If you have a new IP address you’ll be putting a DNS server on, check all the major Realtime BlackLists to make sure that some evil spammer hasn’t squatted on the IP before you got to it. This is true whether you’re in a colo, hosted on an IP you own or moving into space formerly occupied by a very standup company. A lot of IP addresses are blocked, as are blocks of IPs, so before moving mail to an IP, check it.
- Mail filtration (message hygiene). OS X Server has a number of mail filters built in, including clam for viruses, the ability to leverage RBLs, block specific addresses and of course RBL checking. However, this is often not enough. Third party services such as MXLogic help to keep mail from coming into your network. You also end up with an external IP to send mail that can cache mail in the event the server is down and keep mail off your network in the event that it’s spam.
- Backup. I am firmly of the belief that I’d rather not have data than not have that data backed up…
Once all of that is taken care of (I’ll add more as I think about it) then it’s time to enable the mail service. Actually, first let’s setup our SSL certificates. To do so, open the Server app and click on the name of the server in the HARDWARE section of the sidebar. Then click on the Settings tab and then the Edit button beside the SSL Certificate entry. Here, use the Certificate drop-down list for each protocol to select the appropriate certificate to be used for the service.
Click OK when they’re all configure. Now let’s enable the mail service (or outsource mail). To do so, open the Server app and click on Mail in the SERVICES list in the sidebar.
At the configuration screen is a sparse number of settings:
- Provide mail for: Configures all of the domains the mail server will listen for mail for. Each account on the server has a short name and each domain name will be available for each short name. For example, an account with a shortname of charles will be available for email addresses of firstname.lastname@example.org and email@example.com per the Domain Name listing below.
- Authentication: Click Edit for a list of sources that accounts can authenticate against (e.g. Active Directory, Open Directory, Custom, Local, etc) and in some cases the specific password algorithms used for mail.
- Relay outgoing mail through ISP: Provide a server that all mail will get routed through from the server. For example, this might be an account with your Internet Services Provider (ISP), an account on an appliance that you own (such as a Barracuda) or with an external filtering service (such as MXLogic).
- Limit mail to: Configure the total amount of mail a user can have in the mail store, in Megabytes.
- Edit Filtering Settings: Configure antivirus, spam assassin and junk mail filters. The “Enable virus filtering” checkbox enables clam. The “Enable blacklist filtering” checks the RBL (or RBLs) of your choice to check whether a given server is a “known” spammer and the “Enable junk mail filtering” option enables spam assassin on the host, configuring it to block based on a score as selected using the slider.
Once you’ve configured the settings for the Mail service, click on the ON slider to enable the service. At this point, you should be able to telnet into port 25 of the host to verify that SMTP is listening, preferably from another mail server:
telnet mail.krypted.com 25
You can also check that the mail services are running using the serveradmin command along with the fullstatus option for the mail service:
sudo serveradmin fullstatus mail
Which returns with some pretty verbose information about the service, including state, connections, running protocols and the rest of the following:
mail:setStateVersion = 1
mail:readWriteSettingsVersion = 1
mail:connectionCount = 0
mail:servicePortsRestrictionInfo = _empty_array
mail:protocolsArray:_array_index:0:status = "ON"
mail:protocolsArray:_array_index:0:kind = "INCOMING"
mail:protocolsArray:_array_index:0:protocol = "IMAP"
mail:protocolsArray:_array_index:0:state = "RUNNING"
mail:protocolsArray:_array_index:0:error = ""
mail:protocolsArray:_array_index:1:status = "ON"
mail:protocolsArray:_array_index:1:kind = "INCOMING"
mail:protocolsArray:_array_index:1:protocol = "POP3"
mail:protocolsArray:_array_index:1:state = "RUNNING"
mail:protocolsArray:_array_index:1:error = ""
mail:protocolsArray:_array_index:2:status = "ON"
mail:protocolsArray:_array_index:2:kind = "INCOMING"
mail:protocolsArray:_array_index:2:protocol = "SMTP"
mail:protocolsArray:_array_index:2:state = "RUNNING"
mail:protocolsArray:_array_index:2:error = ""
mail:protocolsArray:_array_index:3:status = "ON"
mail:protocolsArray:_array_index:3:kind = "OUTGOING"
mail:protocolsArray:_array_index:3:protocol = "SMTP"
mail:protocolsArray:_array_index:3:state = "RUNNING"
mail:protocolsArray:_array_index:3:error = ""
mail:protocolsArray:_array_index:4:status = "ON"
mail:protocolsArray:_array_index:4:kind = "INCOMING"
mail:protocolsArray:_array_index:4:protocol = "Junk_mail_filter"
mail:protocolsArray:_array_index:4:state = "STOPPED"
mail:protocolsArray:_array_index:4:error = ""
mail:protocolsArray:_array_index:5:status = "ON"
mail:protocolsArray:_array_index:5:kind = "INCOMING"
mail:protocolsArray:_array_index:5:protocol = "Virus_scanner"
mail:protocolsArray:_array_index:5:state = "STOPPED"
mail:protocolsArray:_array_index:5:error = ""
mail:startedTime = "2012-07-30 18:14:26 +0000"
mail:logPaths:IMAP Log = "/Library/Logs/Mail/mailaccess.log"
mail:logPaths:Server Log = "/Library/Logs/Mail/mailaccess.log"
mail:logPaths:POP Log = "/Library/Logs/Mail/mailaccess.log"
mail:logPaths:SMTP Log = "/var/log/mail.log"
mail:logPaths:Migration Log = "/Library/Logs/MailMigration.log"
mail:logPaths:Virus Log = "/Library/Logs/Mail/clamav.log"
mail:logPaths:Amavisd Log = "/Library/Logs/Mail/amavis.log"
mail:logPaths:Virus DB Log = "/Library/Logs/Mail/freshclam.log"
mail:imapStartedTime = "2012-07-30 18:14:26 +0000"
mail:servicePortsAreRestricted = "NO"
mail:state = "RUNNING"
mail:postfixStartedTime = "2012-07-30 18:14:49 +0000"
To stop the service:
sudo serveradmin stop mail
And to start it back up:
sudo serveradmin start mail
To configure some of the settings no longer in the GUI from previous versions, let’s look at the full list of options:
sudo serveradmin settings mail
One that is commonly changed is the subject line added to messages that are marked as spam by spam assassin. This is stored in mail:postfix:spam_subject_tag, so changing would be:
sudo serveradmin settings mail:postfix:spam_subject_tag = "***DIEEVILSPAMMERSDIE*** "
A number of admins also choose to disable greylisting, done using the mail:postfix:greylist_disable option:
sudo serveradmin settings mail:postfix:greylist_disable = no
To configure an email address for quarantined mail to go, use mail:postfix:virus_quarantine:
sudo serveradmin settings mail:postfix:virus_quarantine = "firstname.lastname@example.org"
The administrator, by default, doesn’t get an email when an email containing a file infected with a virus is sent through the server. To enable this option:
sudo serveradmin settings mail:postfix:virus_notify_admin = yes
I also find a lot of Mac environments want to accept email of pretty much any size. By default, message size limits are enabled. To disable:
sudo serveradmin settings mail:postfix:message_size_limit_enabled = yes
Or even better, just set new limit:
sudo serveradmin settings mail:postfix:message_size_limit = 10485760
And to configure the percentage of someone’s quota that kicks an alert (soft quota):
sudo serveradmin settings mail:imap:quotawarn = 75
Additionally, the following arrays are pretty helpful, which used to have GUI options:
- mail:postfix:mynetworks:_array_index:0 = “127.0.0.0/8” – Add entries to this one to add “local” clients
- mail:postfix:host_whitelist = _empty_array – Add whitelisted hosts
- mail:postfix:blacklist_from = _empty_array – Add blacklisted hosts
- mail:postfix:black_hole_domains:_array_index:0 = “zen.spamhaus.org” – Add additional RBL Servers
The client side of the mail service is straight forward enough. If you are wondering where in this article we discuss using webmail, er, that’s not installed by default any longer. But the open source project previously used, roundcube, is still available for download and easily installed (the pre-reqs are all there, already). Check out the roundcube wiki installation page
here for more info on that. Also, mail groups. I hope to have a post about that soon enough. Unless, of course, I get sidetracked with having a life. Which is arguably not very likely…
krypted July 31st, 2012
Posted In: Mac OS X, Mac OS X Server, Mac Security
configure, Mac OS X Server, mail, mail groups, Mail Server, mountain lion, os x mountain lion server, postfix, roundcube, server.app, serveradmin, webmail, wiki