IFTTT makes the possibilities practically endless for what you can do with an Amazon Echo running Alexa. IFTTT provides workflows that connect Alexa to many of the most popular cloud services on the Internet. For example, Alexa can make a spreadsheet of all the songs you listen to using your Prime account, Email you a shopping list, sync To-Dos to Evernote, find your phone, set reminders on your phone, extend Alexa to manage your TV using Harmony, run Wink shortcuts, print files, manage a Wemo bulb (Belkin), control otherwise unsupported thermostats, control items within apps (e.g. make all your Hue lights a given color), time things (e.g. turn on the air conditioning for an hour), lock a door using an otherwise unsupported lock (e.g. with a Smarthings), do random things (e.g. assign a random color to a Hue light), interface with Google Calendar, and so much more.
Basically, if a service can interact with IFTTT using an API, then your Alexa can be made to talk to it. But first, let’s connect your Amazon Echo to IFTTT. To get started, first go to the Alexa channel on IFTTT at Amazon Alexa Channel on IFTTT
When the page loads, click Connect.
You’ll then be prompted to sign into IFTTT using your Amazon account. Enter your username and password and then click “Sign in using our secure server”.
You’ll then be prompted to trust IFTTT from Amazon. Click Okay.
Then you’ll be able to setup recipes. Let’s say you’d like to put your shopping list on a Slack channel so you can be judged even more harshly than you already are…
krypted May 30th, 2016
Posted In: Alexa, Home Automation
alexa, amazon echo, API, configure, link, slack, wemo
DNS is DNS. And named is named. Except in OS X Server. Sometimes. The configuration files for the DNS services in OS X Server are stored in /Library/Server/named. This represents a faux root of named configuration data, similar to how that configuration data is stored in /var/named on most other platforms. Having the data in /Library/Server/ makes it more portable across systems. The current version of BIND is 9.9.7-P2.
Traditionally, you would edit this configuration data by simply editing the configuration files, and that’s absolutely still an option. In OS X Server 5 (for El Capitan and Yosemite), a new command is available at /Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework called dnsconfig. The dnsconfig command appears simple at first. However, the options available are actually far more complicated than they initially appear. The verbs available include help (show help information), list (show the contents of configurations and zone files), add (create records and zones) and delete (remove records and zones).
To view data available in the service, use the list verb. Options available when using the list verb include –acl (show ACLs), –view (show BIND view data), –zone (show domains configured in the service), –rr (show resource records) and –rrtype (show types of resource records). For example, let’s say you have a domain called pretendco.lan and you would like to view information about that zone. You could use the dnsconfig command along with the list verb and then the –zone option and the domain name:
/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig list --zone=pretendco.lan
The output would show you information about the listed zone, usually including View data:
To see a specific record, use the –rr option, followed by = and then the fqdn, so to see ecserver.pretendco.lan:
/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig list --rr=ecserver.pretendco.lan
By default views are enabled and a view called com.apple.ServerAdmin.DNS.public is created when the DNS server first starts up. You can create other views to control what different requests from different subnets see; however, even if you don’t create any views, you’ll need to add the –view option followed by the name of the view (–view=com.apple.ServerAdmin.DNS.public) to any records that you want to create. To create a record, use the add verb. You can add a view (–view), a zone (–zone) or a record (–rr). Let’s start by adding a record to the pretendco.lan from our previous example. In this case we’ll add an A record called www that points to the IP address of 192.168.210.201:
/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig add --view=com.apple.ServerAdmin.DNS.public --zone=pretendco.lan --rr=www A 192.168.210.201
You can add a zone, by providing the –view to add the zone to and not providing a –rr option. Let’s add krypted.lan:
/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig add --view=com.apple.ServerAdmin.DNS.public --zone=krypted.lan
Use the delete verb to remove the data just created:
/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig delete --view=com.apple.ServerAdmin.DNS.public --zone=krypted.lan
Or to delete that one www record earlier, just swap the add with a delete:
/Applications/Server.app/Contents/ServerRoot/System/Library/PrivateFrameworks/DNSManager.framework/dnsconfig delete --view=com.apple.ServerAdmin.DNS.public --zone=pretendco.lan --rr=www A 192.168.210.201
Exit codes would be “Zone krypted.lan removed.” and “Removed 1 resource record.” respectively for the two commands. You can also use the –option option when creating objects, along with the following options (each taken as a value followed by an =, with this information taken by the help page):
- allow-transfer Takes one or more address match list entry. Address match list entries consist of any of these forms: IP addresses, Subnets or Keywords.
- allow-recursion Takes one or more address match list entry.
- allow-update Takes one or more address match list entry.
- allow-query Takes one or more address match list entry.
- allow-query-cache Takes one or more address match list entry.
- forwarders Takes one or more IP addresses, e.g. 10.1.1.1
- directory Takes a directory path
- tkey-gssapi-credential Takes a kerberos service principal
- tkey-domain Takes a kerberos realm
- update-policy Takes one complete update-policy entry where you can grant or deny various matched objects and specify the dentity of the user/machine that is allowed/disallowed to update.. You can also identify match-type (Type of match to be used in evaulating the entry) and match-name (Name used to match) as well as rr-types (Resource record types that can be updated)
Overall, this command is one of the better updates we’ve seen from Apple when it comes to managing DNS in a long time. It shows a commitment to continuing to make the service better, when you add records or remove them you can instantly refresh the Server app and see the updates. It’s clear a lot of work went into this and it’s a great tool for when you’re imaging systems and want to create records back on a server or when you’re trying to script the creation of a bulk list of records (e.g. from a cached file from a downed host). It also makes working with Views as easy as I’ve seen it in most platforms and is overall a breeze to work with as compared to using the serveradmin command to populate objects so the GUI doesn’t break when you update records by hitting files directly.
krypted October 5th, 2015
Posted In: Mac OS X Server
bind, configure, dns server, Mac Server, named, OS X Server, pretendco, server, zones
OS X Server 5 (for El Capitan and Yosemite) sees little change with the FTP Service. Instead of sharing out each directory the new incantation of the FTP service allows administrators to share a single directory out. This directory can be any share that has previously been configured in the File Sharing service or a website configured in the Websites service.
To setup FTP, first open the Server app and then click on the FTP service.
Once open, use the Share: drop-down list to select a share that already exists (output of sharing -l basically) and click on one of the shares or Custom to create a new share for FTP. Then, set the permissions as appropriate on the share and hit the ON button for the FTP service.
Now, let’s test from a client. I like to use the ftp command line interface built into OS X. To test, type ftp followed by the address of the site (and I like to put the username followed by @ before the hostname, as follows:
When prompted, provide a password. Then, assuming your get the following, you’re in:
230 User robin logged in.
Remote system type is UNIX
Using binary mode to transfer files.
Here, type ls to see a list of the directories contents. Or pwd to see what directory you are in (relative to the root of the ftp share). And of course, type get followed by the name of a file to transfer it locally:
Open a terminal window on the server and let’s look at the few options you have to configure FTP from the command line. We already discussed sharing -l to see a list of the available shares. Additionally, you can use the serveradmin command, where ftp is the name of the service. Let’s look at the status of the service, first:
sudo serveradmin fullstatus ftp
Now let’s look at status:
sudo serveradmin status ftp
Same thing, right? Let’s look at all the settings:
sudo serveradmin settings ftp
If you have spaces in the name of a share that you configure from the Server app the thing will fail. Good stuff, so use serveradmin to manually set shares with spaces or other special characters in the names:
sudo serveradmin settings ftp:DocumentRoot = “/Shared Items/Krypted”
Overall, this ftp implementation is meant for users who just need to access their web server where all the files live in a web root of some sort. Otherwise, I’d still recommend most people use a third party tool. But if you just need to log into one share and you don’t need a lot of fancy features on top of your protocols that haven’t changed much since 1985 then this implementation will still work for ya’ without any extra work.
Since we mentioned 1985, let’s look at some other things that are as old, although perhaps not as dated, as the FTP Protocol. Things from the year 1985:
- Back To the Future is Released
- Coke introduces one of the largest marketing fails of all time, New Coke. It is so bad it opens a hole in the Ozone, also discovered in this year by Al Gore
- Rambo Part II and Rocky Part IV come out, Sly doesn’t come out
- Mad Max Beyond Thunderdome teaches us that Tina Turner’s still got it – Bill Schroeder doesn’t have it, no relation to Ricky, he leaves the hospital part-cyborg with the first artificial heart.
- A View To A Kill finally ends the Roger Moore era of James Bond. Computer nerds, keep in mind, he saved Silicon Valley. This movie had Christopher Walken and Duran Duran. What more could you ask for? Oh, right – Tanya Roberts! Oh, and Thomas Patrick Cavanaugh actually gets life for being a real spy.
- Since Police Academy was a hit, the producers figured they’d screw it up by making a second movie: Police Academy 2 comes out
- After watching Cocoon I now know I’ll never have to grow old, so I can treat my body however I want…
- The unabomber is at the half way point of his career with 2 bombings this year, The Rainbow Warrior sinks (no known relation to the unabomber, unless he was a French antieco-terrorist), flight 847 is hijacked and Gorbachev becomes the leader of the largest pain in President Reagan’s bung hole: Russia (OMG Commies – Run!!!). In order to pay for the tail end of the cold war, Reagan lowers taxes and sends America into debt for the first time since 1914, a debt we are still in (evil Democrats, always incurring more American debt!). Meanwhile, Margaret Thatcher has shoulder pads surgically implanted because health care is free in Great Britain and all. Actually, National Health Service contributes little to England’s national debt, which was about as low in percentage of GDP as it had been since before WWI under her and due to her terms as PM. It was at its highest in the early 1800s, far before shoulder pads were in fashion… Having said that, the US, who went into debt for the first time had to sell Reagan’s autobiography rights in order to pay for his colon surgery since there’s not NHS here… He could have asked Gotti, who became the leader of the Gambinos in 1985 for a loan, but I hear he was too busy playing Tetris, which also came out in 1985…
- British Telecom phases out red telephone boxes – almost as a result a single season of Dr. Who airs on TV.
- In 1985, Paul Simon, Stevie Wonder, Ray Charles, Bob Dylan, Michael Jackson, Billy Joel, Cyndi Lauper, Willie Nelson, Lionel Richie, Smokey Robinson, Kenny Rogers, Diana Ross, Paul Simon, Bruce Springsteen, Tina Turner, Daryl Hall, Kenny Loggins, Huey Lewis and of course Al Jarreau sang We Are The World. Prince wouldn’t show and Waylon Jennings stormed out. Jane Fonda hosted a HBO special in between workout videos. Live Aid happens too, and is far cooler. But, at least Rich Ramirez (the Night Stalker) got nabbed in LA.Top singles on the charts include Madonna, Wham!, Simple Minds, Duran Duran, Phil Collins, Dire Straits, Starship, Lionel Richie, Foreigner and REO Speedwagon.
- Top TV shows include the sweaters from the Cosby Show, Family Ties, Murder She Wrote, Dynasty, The Golden Girls, Miami Vice, Cheers, Knots Landing, Growing Pains and of course, DALLAS
- The Ford Taurus and the Mercury Sable bring a new low point to American automobile engineering – luckily The Nintendo came out and no one cared for a decade or more…
- The Commodore Amiga is launched.
- The Free Software Foundation is founded by rms, author of great cookie recipes, tips on women and GNU Manifestos.
- And most importantly, Steve Jobs starts NeXT
krypted September 24th, 2015
Posted In: Mac OS X Server
Apple, configure, enable, FTP, Mac Servers, OS X Server, server 5, server.app, service
The tools to automate OS X firewall events from the command line are still stored in /usr/libexec/ApplicationFirewall. And you will still use socketfilterfw there for much of the heavy lifting. However, now there are much more helpful and functional options in socketfilterfw that will allow you to more easily script the firewall.
Some tricks I’ve picked up with the Mac Firewall/alf scripting:
- Configure the firewall fully before turning it on (especially if you’re doing so through something like Casper, FileWave, Munki, or Absolute Manage where you might kick yourself out of your session otherwise).
- Whatever you do, you can always reset things back to defaults by removing the com.apple.alf.plist file from /Library/Preferences replacing it with the default plist from /usr/libexec/ApplicationFirewall/com.apple.alf.plist.
- Configure global settings, then per-application settings, then enable the firewall. If a remote system, do ;wait; and then enable the first time to make sure everything works before enabling the firewall for good.
- To debug, use the following command: “/usr/libexec/ApplicationFirewall/socketfilterfw -d”
In /usr/libexec/ApplicationFirewall is the Firewall command, the binary of the actual application layer firewall and socketfilterfw, which configures the firewall. To configure the firewall to block all incoming traffic:
/usr/libexec/ApplicationFirewall/socketfilterfw --setblockall on
To see if block all is enabled:
The output would be as follows, if successful:
Firewall is set to block all non-essential incoming connections
A couple of global options that can be set. Stealth Mode:
/usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
To check if stealth mode is enabled:
/usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on
You can also control the verbosity of logs, using throttled, brief or detail. For example, if you need to troubleshoot some issues, you might set the logging to detail using the following command:
/usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt: detail
To start the firewall:
/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
While it would be nice to think that that was going to be everything for everyone, it just so happens that some environments actually need to allow traffic. Therefore, traffic can be allowed per signed binary. To allow signed applications:
/usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned on
To check if you allow signed apps:
This will allow all TRUSTEDAPPS. The –listapps option shows the status of each filtered application:
To check if an app is blocked:
/usr/libexec/ApplicationFirewall/socketfilterfw –getappblocked /Applications/MyApp.app/Contents/MacOS/myapp
This shows the number of exceptions, explicitly allowed apps and signed exceptions as well as process names and allowed app statuses. There is also a list of TRUSTEDAPPS, which will initially be populated by Apple tools with sharing capabilities (e.g. httpd & smbd). If you are enabling the firewall using a script, first sign your applications that need to allow sharing but are not in the TRUSTEDAPPS section by using the -s option along with the application binary (not the .app bundle):
/usr/libexec/ApplicationFirewall/socketfilterfw -s /Applications/MyApp.app/Contents/MacOS/myapp
Once signed, verify the signature:
/usr/libexec/ApplicationFirewall/socketfilterfw -v /Applications/MyApp.app/Contents/MacOS/myapp
Once signed, trust the application using the –add option:
/usr/libexec/ApplicationFirewall/socketfilterfw --add /Applications/MyApp.app/Contents/MacOS/myapp
To see a list of trusted applications. You can do so by using the -l option as follows (the output is pretty ugly and needs to be parsed better):
If, in the course of your testing, you determine the firewall just isn’t for you, disable it:
/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off
To sanity check whether it’s started:
Or to manually stop it using launchctl (should start again with a reboot):
launchctl unload /System/Library/LaunchAgents/com.apple.alf.useragent.plist
launchctl unload /System/Library/LaunchDaemons/com.apple.alf.agent.plist
If you disable the firewalll using launchctl, you may need to restart services for them to work again.
krypted July 16th, 2015
Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment
applicationlayerfirewall, configure, defaults, firewall, global state, MAC, mac firewall, socketfilterfw, start, stop
Configuring Calendar Server in Mavericks Server (OS X Server 3) is a fairly simple and straight forward process. The Calendar Server is a CalDAV Server, leveraging HTTP and HTTPS, running on ports 8008 and 8443 respectively. To enable the Calendar service in Mavericks Server, open the Server application and click on Calendar in the SERVICES section of the sidebar.
Once open, click on Edit to enable email notifications of invitations in the Calendar Server. Provide the email address and then click on the Next button.
At the Configure Server Email Address screen, provide the type of incoming mail service in use, provide the address of the mail server and then the port number used, if not a standard port for HTTPS-based IMAP (or POP if you’d prefer), the user name and the valid password for the account. Then click on the Next button.
At the outgoing mail server screen, provide the Outgoing Mail Server address, the port, whether or not SSL is in use (it should be if possible), the password protocol, the user name and the password. Then click on the Next button.
At the Mail Account Summary screen, review the settings and if correct, click Finish. Back at the service configuration screen, click on the plus sign (“+”) and provide a type of location, a name for the location, whether or not invitations to the resource are accepted and then enter the account name for any accounts that can manage the location’s calendar (they will auto-complete, so there’s no need to remember users and groups exactly). Click Done to complete the setup. Use the Resource setting in type to configure a resource instead of a location. The two are the same, except the Type field.
There are a number of settings that can also be configured. But those are exposed only at the command line. To configure them, open the command line and then review the list of Calendar service settings using the list option of the serveradmin command:
sudo serveradmin settings calendar
There are a number of settings for the Calendar service, including the following:
calendar:SSLCertificate = "/etc/certificates/mavserver.pretendco.lan.10E6CDF9F6E84992B97360B6EE7BA159684DCB75.cert.pem"
calendar:EnableCalDAV = no
calendar:Notifications:Services:APNS:CalDAV:CertificatePath = "/Library/Server/Calendar and Contacts/Config/Certificates/apns:com.apple.calendar.cert.pem"
calendar:Notifications:Services:APNS:CalDAV:PrivateKeyPath = "/Library/Server/Calendar and Contacts/Config/Certificates/apns:com.apple.calendar.key.pem"
calendar:Notifications:Services:APNS:CalDAV:AuthorityChainPath = "/Library/Server/Calendar and Contacts/Config/Certificates/apns:com.apple.calendar.chain.pem"
calendar:Notifications:Services:APNS:CardDAV:CertificatePath = "/Library/Server/Calendar and Contacts/Config/Certificates/apns:com.apple.contact.cert.pem"
calendar:Notifications:Services:APNS:CardDAV:PrivateKeyPath = "/Library/Server/Calendar and Contacts/Config/Certificates/apns:com.apple.contact.key.pem"
calendar:Notifications:Services:APNS:CardDAV:AuthorityChainPath = "/Library/Server/Calendar and Contacts/Config/Certificates/apns:com.apple.contact.chain.pem"
calendar:Notifications:Services:APNS:Enabled = yes
calendar:EnableAPNS = yes
calendar:DefaultLogLevel = "warn"
calendar:Authentication:Digest:Enabled = yes
calendar:Authentication:Digest:AllowedOverWireUnencrypted = yes
calendar:Authentication:Kerberos:Enabled = yes
calendar:Authentication:Kerberos:AllowedOverWireUnencrypted = yes
calendar:Authentication:Wiki:Enabled = yes
calendar:Authentication:Basic:Enabled = yes
calendar:Authentication:Basic:AllowedOverWireUnencrypted = no
calendar:DataRoot = "/Library/Server/Calendar and Contacts/Data"
calendar:Scheduling:iMIP:Sending:Server = "mavserver.pretendco.lan"
calendar:Scheduling:iMIP:Sending:UseSSL = yes
calendar:Scheduling:iMIP:Sending:Username = "com.apple.calendarserver"
calendar:Scheduling:iMIP:Sending:Address = "email@example.com"
calendar:Scheduling:iMIP:Sending:Password = "JAdMTWx9Bh9JaaGm"
calendar:Scheduling:iMIP:Sending:Port = 587
calendar:Scheduling:iMIP:Enabled = yes
calendar:Scheduling:iMIP:Receiving:Server = "mavserver.pretendco.lan"
calendar:Scheduling:iMIP:Receiving:UseSSL = yes
calendar:Scheduling:iMIP:Receiving:Username = "com.apple.calendarserver"
calendar:Scheduling:iMIP:Receiving:Type = "imap"
calendar:Scheduling:iMIP:Receiving:Password = "JAdMTWx9Bh9JaaGm"
calendar:Scheduling:iMIP:Receiving:Port = 993
calendar:ServerHostName = "mavserver.pretendco.lan"
calendar:EnableCardDAV = yes
calendar:SSLPort = 8443
calendar:LogLevels = _empty_dictionary
calendar:DirectoryAddressBook:params:queryPeopleRecords = no
calendar:DirectoryAddressBook:params:queryUserRecords = no
calendar:SSLPrivateKey = "/etc/certificates/mavserver.pretendco.lan.10E6CDF9F6E84992B97360B6EE7BA159684DCB75.key.pem"
calendar:EnableSSL = yes
calendar:RedirectHTTPToHTTPS = yes
calendar:SSLAuthorityChain = "/etc/certificates/mavserver.pretendco.lan.10E6CDF9F6E84992B97360B6EE7BA159684DCB75.chain.pem"
calendar:EnableSearchAddressBook = no
calendar:HTTPPort = 8008
One of the more common settings to configure is the port number that CalDAV runs on. To configure HTTP:
sudo serveradmin settings calendar:HTTPPort = 8008
sudo serveradmin settings calendar:SSLPort = 8443
You can then start the service using the start option:
sudo serveradmin start calendar
Or to stop it:
sudo serveradmin stop calendar
Or to get the status:
sudo serveradmin fullstatus calendar
Full status indicates that the three services are running:
calendar:readWriteSettingsVersion = 1
calendar:setStateVersion = 1
calendar:state = "RUNNING"
calendar:contactsState = "RUNNING"
calendar:calendarState = "RUNNING"
Once the Calendar server is configured, use the Calendar application to communicate with the server. Open the Calendar application and click on the Calendar menu and select Preferences. From the Preferences screen, click on Accounts to bring up a list of accounts. Here, click on the plus sign (“+”) to bring up the “Add an Account” screen.
At the “Add an Account” screen, select Add CalDAV Account.
CalDAV from the Account Type menu and then enter the User Name and password configured on the server, and add the address of the server if you don’t have any service records pointing to the server. The User Name is usually the name provided in Server app, followed by @ and then the address of the server.
Once the server is configured it appears in the list of accounts in the sidebar of the Calendar app. Create calendars in the account and then to share a calendar, right-click on the calendar and click on Share Calendar…
At the Share Calendar screen, provide the name the calendar should appear as to others and click on the plus sign (“+”) and enter any accounts to delegate administration to.
Back at the Calendar Settings screen, use the settings to configure Availability and refresh rate of calendars, as seen above. Click on Server Settings to assign custom port numbers.
Click on the Delegation tab to view any accounts you’ve been given access to.
Use the Edit button to configure who has delegated access to calendars, as opposed to configuring subscriptions.
Overall, the Calendar service in Mavericks Server is one of the easiest to configure. Most of the work goes into settings configured on client systems. This, as with Exchange, dedistributes administration, often making administration more complicated than with many other tools. But that’s a good thing; no one wants to access other peoples accounts, for calendars or mail for that matter, without those users knowing that it was done, as will happen when resetting passwords…
krypted October 23rd, 2013
Posted In: Mac OS X Server
caldav, Calendar Server Configuration, calendar:EnableSSL, configure, delegate calendars, Mac OS X Server, Mavericks Server, server 2.2, serveradmin settings calendar, setup CalDAV client for iCal Server, setup the iCal Service, twisted
You shouldn’t have to reboot your ESX servers very often. But when you do, you might want the virtual machines to start up automatically. To configure a virtual machine to start up (or shut down) automatically select the host and click on the Configuration tab.
Then click on virtual machine Startup/Shutdown and click on Properties, selecting “Allow virtual machines to start and stop automatically with the system”. As I mentioned in a previous article, you can also configure the operating system to start after a brief delay by providing a Default Startup Delay time, allowing time for booting systems to run scripts or to throw them into Safe Mode. You can also configure automated shutdown options at this screen as well.
Also use the Move Up and Move Down options to indicate what order virtual machines start when the system starts. Click Save and the configs are written to the system.
krypted June 10th, 2013
Posted In: VMware, Windows Server
configure, ESX, esxi, properties, safe mode, shutdown, startup, VM, VMware
Mail is one of the hardest services to manage. Actually, mail is pretty simple in and of itself: there’s protocols people use to access their mail (such as IMAP and POP), protocols used to communicate between mail servers and send mail (SMTP, SMTPS) and then there’s a database of mail and user information. In Mount Lion Server, all of these are represented by a single ON button, so it really couldn’t be easier. But then there’s the ecoysystem and the evil spammers.
As a systems administrator of a large number of mail servers, I firmly believe that there is a special kind of hell where only spam is served at every meal for spammers. Here, the evil spammers must also read every piece of spam ever sent for eternity. By the end (aka Ragnarok), they should be fairly well hung, have chemically induced stamina of a 16 year old with the latest Sports Illustrated Swimsuit issue, enough pills of other types to not be able to use that stamina, plenty of African princes looking to donate large sums of money if only they can be helped out of their country (which should cost about 100,000 compared to a 5,000,000 payout, not a bad ROI, right?!?!?), have their conflicting stamina situation at the top of the search engines and of course, have lost all of the money made from their African princes due to getting their credit card hijacked by about 9,000 phishing scams. All in all, a special kind of hell…
But back to the point of the article, setting up mail… The things that mail administrators need to focus on to keep that mail server flowing mail to and from everyone else in the world:
- Static IP address. The WAN (and LAN probably) address should be static.
- Port Forwards. Port forwards need to be configured on the gateway for the SMTP port at a minimum and more than likely other ports used to access mail on client devices (25, 143, etc)
- DNS records. An MX record and some kind of mail.domain.com type of record should definitely be configured for the DNS servers that are authoritative for the domain. There should also be reverse records for the address of the server, usually created by the Internet Services Provider, or ISP, that match that record.
- Check the RBLs. If you have a new IP address you’ll be putting a DNS server on, check all the major Realtime BlackLists to make sure that some evil spammer hasn’t squatted on the IP before you got to it. This is true whether you’re in a colo, hosted on an IP you own or moving into space formerly occupied by a very standup company. A lot of IP addresses are blocked, as are blocks of IPs, so before moving mail to an IP, check it.
- Mail filtration (message hygiene). OS X Server has a number of mail filters built in, including clam for viruses, the ability to leverage RBLs, block specific addresses and of course RBL checking. However, this is often not enough. Third party services such as MXLogic help to keep mail from coming into your network. You also end up with an external IP to send mail that can cache mail in the event the server is down and keep mail off your network in the event that it’s spam.
- Backup. I am firmly of the belief that I’d rather not have data than not have that data backed up…
Once all of that is taken care of (I’ll add more as I think about it) then it’s time to enable the mail service. Actually, first let’s setup our SSL certificates. To do so, open the Server app and click on the name of the server in the HARDWARE section of the sidebar. Then click on the Settings tab and then the Edit button beside the SSL Certificate entry. Here, use the Certificate drop-down list for each protocol to select the appropriate certificate to be used for the service.
Click OK when they’re all configure. Now let’s enable the mail service (or outsource mail). To do so, open the Server app and click on Mail in the SERVICES list in the sidebar.
At the configuration screen is a sparse number of settings:
- Provide mail for: Configures all of the domains the mail server will listen for mail for. Each account on the server has a short name and each domain name will be available for each short name. For example, an account with a shortname of charles will be available for email addresses of firstname.lastname@example.org and email@example.com per the Domain Name listing below.
- Authentication: Click Edit for a list of sources that accounts can authenticate against (e.g. Active Directory, Open Directory, Custom, Local, etc) and in some cases the specific password algorithms used for mail.
- Relay outgoing mail through ISP: Provide a server that all mail will get routed through from the server. For example, this might be an account with your Internet Services Provider (ISP), an account on an appliance that you own (such as a Barracuda) or with an external filtering service (such as MXLogic).
- Limit mail to: Configure the total amount of mail a user can have in the mail store, in Megabytes.
- Edit Filtering Settings: Configure antivirus, spam assassin and junk mail filters. The “Enable virus filtering” checkbox enables clam. The “Enable blacklist filtering” checks the RBL (or RBLs) of your choice to check whether a given server is a “known” spammer and the “Enable junk mail filtering” option enables spam assassin on the host, configuring it to block based on a score as selected using the slider.
Once you’ve configured the settings for the Mail service, click on the ON slider to enable the service. At this point, you should be able to telnet into port 25 of the host to verify that SMTP is listening, preferably from another mail server:
telnet mail.krypted.com 25
You can also check that the mail services are running using the serveradmin command along with the fullstatus option for the mail service:
sudo serveradmin fullstatus mail
Which returns with some pretty verbose information about the service, including state, connections, running protocols and the rest of the following:
mail:setStateVersion = 1
mail:readWriteSettingsVersion = 1
mail:connectionCount = 0
mail:servicePortsRestrictionInfo = _empty_array
mail:protocolsArray:_array_index:0:status = "ON"
mail:protocolsArray:_array_index:0:kind = "INCOMING"
mail:protocolsArray:_array_index:0:protocol = "IMAP"
mail:protocolsArray:_array_index:0:state = "RUNNING"
mail:protocolsArray:_array_index:0:error = ""
mail:protocolsArray:_array_index:1:status = "ON"
mail:protocolsArray:_array_index:1:kind = "INCOMING"
mail:protocolsArray:_array_index:1:protocol = "POP3"
mail:protocolsArray:_array_index:1:state = "RUNNING"
mail:protocolsArray:_array_index:1:error = ""
mail:protocolsArray:_array_index:2:status = "ON"
mail:protocolsArray:_array_index:2:kind = "INCOMING"
mail:protocolsArray:_array_index:2:protocol = "SMTP"
mail:protocolsArray:_array_index:2:state = "RUNNING"
mail:protocolsArray:_array_index:2:error = ""
mail:protocolsArray:_array_index:3:status = "ON"
mail:protocolsArray:_array_index:3:kind = "OUTGOING"
mail:protocolsArray:_array_index:3:protocol = "SMTP"
mail:protocolsArray:_array_index:3:state = "RUNNING"
mail:protocolsArray:_array_index:3:error = ""
mail:protocolsArray:_array_index:4:status = "ON"
mail:protocolsArray:_array_index:4:kind = "INCOMING"
mail:protocolsArray:_array_index:4:protocol = "Junk_mail_filter"
mail:protocolsArray:_array_index:4:state = "STOPPED"
mail:protocolsArray:_array_index:4:error = ""
mail:protocolsArray:_array_index:5:status = "ON"
mail:protocolsArray:_array_index:5:kind = "INCOMING"
mail:protocolsArray:_array_index:5:protocol = "Virus_scanner"
mail:protocolsArray:_array_index:5:state = "STOPPED"
mail:protocolsArray:_array_index:5:error = ""
mail:startedTime = "2012-07-30 18:14:26 +0000"
mail:logPaths:IMAP Log = "/Library/Logs/Mail/mailaccess.log"
mail:logPaths:Server Log = "/Library/Logs/Mail/mailaccess.log"
mail:logPaths:POP Log = "/Library/Logs/Mail/mailaccess.log"
mail:logPaths:SMTP Log = "/var/log/mail.log"
mail:logPaths:Migration Log = "/Library/Logs/MailMigration.log"
mail:logPaths:Virus Log = "/Library/Logs/Mail/clamav.log"
mail:logPaths:Amavisd Log = "/Library/Logs/Mail/amavis.log"
mail:logPaths:Virus DB Log = "/Library/Logs/Mail/freshclam.log"
mail:imapStartedTime = "2012-07-30 18:14:26 +0000"
mail:servicePortsAreRestricted = "NO"
mail:state = "RUNNING"
mail:postfixStartedTime = "2012-07-30 18:14:49 +0000"
To stop the service:
sudo serveradmin stop mail
And to start it back up:
sudo serveradmin start mail
To configure some of the settings no longer in the GUI from previous versions, let’s look at the full list of options:
sudo serveradmin settings mail
One that is commonly changed is the subject line added to messages that are marked as spam by spam assassin. This is stored in mail:postfix:spam_subject_tag, so changing would be:
sudo serveradmin settings mail:postfix:spam_subject_tag = "***DIEEVILSPAMMERSDIE*** "
A number of admins also choose to disable greylisting, done using the mail:postfix:greylist_disable option:
sudo serveradmin settings mail:postfix:greylist_disable = no
To configure an email address for quarantined mail to go, use mail:postfix:virus_quarantine:
sudo serveradmin settings mail:postfix:virus_quarantine = "firstname.lastname@example.org"
The administrator, by default, doesn’t get an email when an email containing a file infected with a virus is sent through the server. To enable this option:
sudo serveradmin settings mail:postfix:virus_notify_admin = yes
I also find a lot of Mac environments want to accept email of pretty much any size. By default, message size limits are enabled. To disable:
sudo serveradmin settings mail:postfix:message_size_limit_enabled = yes
Or even better, just set new limit:
sudo serveradmin settings mail:postfix:message_size_limit = 10485760
And to configure the percentage of someone’s quota that kicks an alert (soft quota):
sudo serveradmin settings mail:imap:quotawarn = 75
Additionally, the following arrays are pretty helpful, which used to have GUI options:
- mail:postfix:mynetworks:_array_index:0 = “127.0.0.0/8” – Add entries to this one to add “local” clients
- mail:postfix:host_whitelist = _empty_array – Add whitelisted hosts
- mail:postfix:blacklist_from = _empty_array – Add blacklisted hosts
- mail:postfix:black_hole_domains:_array_index:0 = “zen.spamhaus.org” – Add additional RBL Servers
The client side of the mail service is straight forward enough. If you are wondering where in this article we discuss using webmail, er, that’s not installed by default any longer. But the open source project previously used, roundcube, is still available for download and easily installed (the pre-reqs are all there, already). Check out the roundcube wiki installation page
here for more info on that. Also, mail groups. I hope to have a post about that soon enough. Unless, of course, I get sidetracked with having a life. Which is arguably not very likely…
krypted July 31st, 2012
Posted In: Mac OS X, Mac OS X Server, Mac Security
configure, Mac OS X Server, mail, mail groups, Mail Server, mountain lion, os x mountain lion server, postfix, roundcube, server.app, serveradmin, webmail, wiki
I love Notification Center on my phone. I think it’s great to receive a simple list of items that have changed since the last time I looked at the phone. I can also quickly dismiss the screen so the fact that there’s often 20 or more items in the list when I’ve been sitting at my computer for 10 minutes and not looking at the phone doesn’t really bum me out much.
In Mountain Lion, Notification Center comes to the Mac. What I’ve grown to love on the iPhone, I’m not sold on for OS X. You see, the alerts that pop up on the screen are great for a phone, because if you’re looking at your phone (hopefully not while driving) then you’re likely multitasking. Since most mobile solutions are so great for multi-tasking, many of us have gotten used to multi-tasking on our mobile devices and then plugging into a keyboard when we need to do something that requires focus. Or at least that’s my workflow.
By default, Notification Center assumes the same level of multi-tasking is done on desktops as on mobile devices. But with some tuning, Notification Center can be even more useful. For example, when I’m writing I like to cut down the distractions. Doing so helps me to stay focused. And when I’m trying to keep the distractions down, there are certain things that should still jar me out of my otherwise focused state. By default, Notification Center pops up alerts on my screen that tell me that things have happened with some of my apps, such as I got an email, a calendar event is prompting or there was a tweet about me. But Notification Center allows me to configure what kinds of alerts I want to see. For example, I might want an alert about a Reminder to come through and not have tweets pop up on my screen while I’m writing. To disable one of the applications allowed to pop up an alert on the screen, open the Notifications System Preference pane and find the application in the list provided.
Then select None to disable notifications. The default setting for each app is to provide what is known as a Banner. A Banner is a prompt that informs users that an event has occurred with a supported app and then goes away. You can also set each app to provide an Alert, which is a banner that doesn’t go away on its own but must be clicked on to disappear.
You can also configure options that make Notifications a little more useful. These are configured per app and include the following:
- Show in Notification Center: Indicates the number of items for each app that are shown in the Notification Center at a time. The default is 5 and this shows you, for example, the subject, sender and first few lines of emails or the name and sender of Tweets that have information about you.
- Badge app icon: Removes the red indicator for each app. For example, when unchecked for mail you’ll no longer see how many unread emails you have.
- Play sound when receiving notifications: Enables an audible alert (ding, ding) that a notification is waiting for you.
Overall, I think it’s really awesome that I now have a feature that is very iOS-centric sitting right here on my Mac. I do think it’s a bit verbose by default, but then, that’s my workflow – the developers are probably targeting the people who feel multi-tasking is healthy on every single computing device you touch. I don’t necessarily agree, but I dig it anyway. So me and my 2 apps that still have notifications enable are going to use this feature, if a bit less verbosely than most!
krypted July 25th, 2012
Posted In: Mac OS X
configure, features, how to, Lion, Mac OS X, manage, mountain lion, Notification Center, os x 10.8, setup
Next Page »
At this point, most Mac admins know to how to enable ntp on a Mac OS X Server and set clients to the server. Most Mac admins also know how to use managed preferences to set ntp as well. We all know that time is pretty important and most are using ntp at this point.
Network time should, almost by definition, be continuous, which allows ntpd in Mac OS X can update clocks in small denominations. Thus, managing corrections with little overhead or impact to the system enables ntp to be an inexpensive method for managing clocks. But ntp is also built to keep things running smoothly even when there are a lot of corrections. When there are a lot of corrections made by ntp, these are tracked and can be seen using the ntpdc command. The ntpdc is used to view and set the state of the ntp daemon and is interactive. To enter the interactive environment, simply type ntpdc at a terminal prompt:
Once you are in the ntpdc interactive environment you will need to use one of the many verbs provided for ntpdc. One such verb is looping, used to “display loop filter information:”
offset: 0.017866 s
frequency: -499.996 ppm
poll adjust: 13
watchdog timer: 209 s
The above output has four items of interest:
- Offset: How far off the client is from the server (drift is natural, so all zeros in this category typically represent the server being offline).
- Frequency: Frequency external signals can offset correction of the kernel clock
- Poll adjust: Used to Increase or decrease the polling interval. The range is -30 to 30. 13 is an increase of 13 seconds whereas -30 would represent a decrease of 30 seconds.
- Watchdog timer: The time since the last update to the system.
: To make it easier to parse, you can run looping with a online option, placing output into a single comma seperated line.
There are other verbs as well, which allow you to add servers (addserver), show peers (showpeer), set a password to use for password requests (passed), see various statistics (sysstats, sysinfo, stats, instates, ctlstats, clockstat, iostats) and set encryption keys (keyid, trustedkey, untrustedkey, etc). There’s a pretty good bit you can with these verbs; just run help to see a full list of supported verbs (my favorite verb other than looping is fudge).
You can also check ntp information on the fly using the ntpq command. Here, ntpq -p will show you the name, IP address and other information live:
remote refid st t when poll reach delay offset jitter
*time.apple.com 220.127.116.11 2 u 181m 512 376 32.169 17.084 0.315
Windows clients using Active Directory domains automatically get time from domain controllers. If a client is part of an Open Directory or SMB-based domain, you can add a NTP server by clicking on the time in the system tray (bottom right corner of the Windows screen). Click on Internet Time. Click the check box for Automatically synchronize with an Internet time server. Enter the name or IP of the ntp server. Click the Update Now button.
When finished, you’ll see a note that Your time has been successfully synchronized.
For clients other than Windows, it makes little sense to set ntp settings with a GPO, given that systems not in Active Directory won’t really use them. And most environments that don’t have a directory service are pretty small. But this isn’t to say that you won’t want to deploy these settings en masse. Much as you can use the /etc/ntp.conf file or the systemsetup -setnetworktimeserver command to configure a time server in Mac OS X you can use the registry to do so in Windows. If you can use the registry to configure a setting you can then use regedit or regedit32 to set the keys programatically.
But if you choose to, the keys are in HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesW32TimeParameters (most notably is the NtpServer key) or you can use w32tm with the /config option. Once configured, reset the time to that of the time server to test. This can be tested with w32tm:
w32tm /resync /rediscover
Mac OS X and Windows can use an ntp-based server, but given that ntp is so widely used, what else? Using ntp with appliances can help with authentication protocols and also assist with triangulating issues from within log files. So, how about a Cisco IOS device. SSH into one and let’s get started. First off, run the enable command and then provide a password:
Then, go into config mode:
Now we’re going to use the ntp command and issue and update calendar to tell IOS to update the hardware clock from the software clock:
Then we’ll specify our ntp server(s):
ntp server 10.0.0.88
: Just run the ntp server command twice if you want to specify a second ntp server.
Then exit config mode:
And write your new settings into memory:
krypted June 9th, 2011
Posted In: Mac OS X, Mac OS X Server, Mac Security, Ubuntu, Unix, Windows XP
cisco, clients, configure, Mac OS X, ntp, w32tm, windows