Tiny Deathstars of Foulness

IFTTT makes the possibilities practically endless for what you can do with an Amazon Echo running Alexa. IFTTT provides workflows that connect Alexa to many of the most popular cloud services on the Internet. For example, Alexa can make a spreadsheet of all the songs you listen to using your Prime account, email you a shopping list, sync to-dos to Evernote, find your phone, set reminders on your phone, manage your TV using Harmony, run Wink shortcuts, print files, manage a Wemo bulb (Belkin), control otherwise unsupported thermostats, control items within apps (e.g. make all your Hue lights a given color), time things (e.g. turn on the air conditioning for an hour), lock a door using an otherwise unsupported lock (e.g. with SmartThings), do random things (e.g. assign a random color to a Hue light), interface with Google Calendar, and so much more. Basically, if a service can interact with IFTTT using an API, then your Alexa can be made to talk to it.

But first, let's connect your Amazon Echo to IFTTT. To get started, go to the Amazon Alexa channel on IFTTT. When the page loads, click Connect. You'll then be prompted to sign into IFTTT using your Amazon account. Enter your username and password and then click "Sign in using our secure server". You'll then be prompted by Amazon to trust IFTTT. Click Okay. Then you'll be able to set up recipes. Let's say you'd like to put your shopping list on a Slack channel so you can be judged even more harshly than you already are… Enjoy.

May 30th, 2016

Posted In: Alexa, Home Automation


DNS is DNS. And named is named. Except in OS X Server. Sometimes. The configuration files for the DNS service in OS X Server are stored in /Library/Server/named. This directory is a faux root for named configuration data, similar to the way that data lives in /var/named on most other platforms; keeping it under /Library/Server/ makes it more portable across systems. The current version of BIND is 9.9.7-P2. Traditionally you would edit this configuration by editing the files directly, and that is absolutely still an option. In OS X Server 5 (for El Capitan and Yosemite), a new command called dnsconfig is available at /Applications/. The dnsconfig command looks simple at first, but its options are far more complicated than they initially appear. The verbs available are help (show help information), list (show the contents of configurations and zone files), add (create records and zones) and delete (remove records and zones).

To view data available in the service, use the list verb. Options available with the list verb include --acl (show ACLs), --view (show BIND view data), --zone (show domains configured in the service), --rr (show resource records) and --rrtype (show types of resource records). For example, say you have a domain called pretendco.lan and would like to view information about that zone. Use the dnsconfig command with the list verb, the --zone option and the domain name:

/Applications/ list --zone=pretendco.lan

The output shows information about the listed zone, usually including view data:

Views:
Zones: pretendco.lan
Options:
allow-transfer: none
allow-update: none

To see a specific record, use the --rr option followed by = and the FQDN, so to see ecserver.pretendco.lan:

/Applications/ list --rr=ecserver.pretendco.lan

By default, views are enabled and a view called is created when the DNS server first starts up. You can create other views to control what requests from different subnets see; however, even if you don't create any views, you'll need to add the --view option, followed by the name of the view, to any records that you want to create. To create a record, use the add verb. You can add a view (--view), a zone (--zone) or a record (--rr). Let's start by adding a record to pretendco.lan from our previous example. In this case we'll add an A record called www that points to the IP address of

/Applications/ add --zone=pretendco.lan --rr=www A

You can add a zone by providing the --view to add the zone to and not providing a --rr option. Let's add krypted.lan:

/Applications/ add --zone=krypted.lan

Use the delete verb to remove the data just created:

/Applications/ delete --zone=krypted.lan

Or to delete the www record created earlier, just swap the add for a delete:

/Applications/ delete --zone=pretendco.lan --rr=www A

The two commands report "Zone krypted.lan removed." and "Removed 1 resource record." respectively. You can also use the --option option when creating objects, along with the following options (each taken as a value followed by an =, with this information taken from the help page):
  • allow-transfer Takes one or more address match list entry. Address match list entries consist of any of these forms: IP addresses, Subnets or Keywords.
  • allow-recursion Takes one or more address match list entry.
  • allow-update Takes one or more address match list entry.
  • allow-query Takes one or more address match list entry.
  • allow-query-cache Takes one or more address match list entry.
  • forwarders Takes one or more IP addresses, e.g.
  • directory Takes a directory path
  • tkey-gssapi-credential Takes a kerberos service principal
  • tkey-domain Takes a kerberos realm
  • update-policy Takes one complete update-policy entry, where you can grant or deny various matched objects and specify the identity of the user/machine that is allowed/disallowed to update. You can also identify match-type (type of match to be used in evaluating the entry) and match-name (name used to match), as well as rr-types (resource record types that can be updated)
Overall, this command is one of the better updates we've seen from Apple for managing DNS in a long time. It shows a commitment to continuing to make the service better: when you add or remove records, you can instantly refresh the Server app and see the updates. It's clear a lot of work went into this, and it's a great tool for when you're imaging systems and want to create records back on a server, or when you're scripting the creation of a bulk list of records (e.g. from a cached file from a downed host). It also makes working with views as easy as I've seen on most platforms, and is overall a breeze to work with compared to using the serveradmin command to populate objects so the GUI doesn't break when you update records by hitting files directly.
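The bulk-record scenario mentioned above, as an added example that is not part of the post: it reads a constructed name/type/value list (the kind of cache you would have from a downed host), validates each line, and prints the dnsconfig add commands for review before anything is executed. It assumes dnsconfig is on PATH (or given via DNSCONFIG), that --view=NAME is passed when VIEW is set, and that the --rr=NAME TYPE VALUE form shown above also holds for record types other than A.

```shell
#!/bin/sh
# Bulk-create DNS records with dnsconfig from a text file.
# Added example, not from the post. Assumptions: dnsconfig is on PATH or
# given via $DNSCONFIG; each input line is "name type value"; a view name,
# when needed, is supplied via $VIEW and passed as --view=NAME.
DNSCONFIG="${DNSCONFIG:-dnsconfig}"
ZONE="${ZONE:-pretendco.lan}"
VIEW="${VIEW:-}"

# Constructed sample input: a cached record list for a host being rebuilt.
RECORDS='www A 10.0.0.10
mail A 10.0.0.25
ftp CNAME www.pretendco.lan.
# comment lines and blank lines are skipped
'

# Return 0 only when name, type and value look like a usable record.
valid_record() {
  case $1 in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
  case $2 in A|AAAA|CNAME|MX|TXT|NS|PTR) ;; *) return 1 ;; esac
  [ -n "$3" ] || return 1
  return 0
}

# Read records on stdin; print one dnsconfig add command per valid line.
# Malformed lines are reported on stderr and skipped, not guessed at.
build_dns_cmds() {
  zone=$1
  while read -r name type value; do
    case $name in ''|\#*) continue ;; esac
    if valid_record "$name" "$type" "$value"; then
      printf '%s add --zone=%s%s --rr=%s %s %s\n' \
        "$DNSCONFIG" "$zone" "${VIEW:+ --view=$VIEW}" "$name" "$type" "$value"
    else
      printf 'skipping malformed record: %s %s %s\n' "$name" "$type" "$value" >&2
    fi
  done
}

# Number of commands the sample would produce (useful for a pre-flight check).
count_cmds() { printf '%s' "$RECORDS" | build_dns_cmds "$ZONE" | wc -l | tr -d ' '; }

# Dry run by default; APPLY=1 pipes the reviewed commands into a shell.
main() {
  if [ "${APPLY:-0}" = 1 ]; then
    printf '%s' "$RECORDS" | build_dns_cmds "$ZONE" | sh -e
  else
    echo "dry run: $(count_cmds) record(s) would be added to $ZONE"
    printf '%s' "$RECORDS" | build_dns_cmds "$ZONE"
  fi
}
main
```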

October 5th, 2015

Posted In: Mac OS X Server


OS X Server 5 (for El Capitan and Yosemite) sees little change in the FTP service. Instead of sharing out each directory, the new incarnation of the FTP service lets administrators share a single directory. This directory can be any share previously configured in the File Sharing service or a website configured in the Websites service. To set up FTP, first open the Server app and then click on the FTP service. Once open, use the Share: drop-down list to select a share that already exists (basically the output of sharing -l) and click on one of the shares, or Custom to create a new share for FTP. Then set the permissions as appropriate on the share and hit the ON button for the FTP service.

Now, let's test from a client. I like to use the ftp command line interface built into OS X. To test, type ftp followed by the address of the site (I like to put the username followed by @ before the hostname), as follows:

ftp robin@elcapserver.krypted.lan

When prompted, provide a password. Then, assuming you get the following, you're in:

230 User robin logged in.
Remote system type is UNIX
Using binary mode to transfer files.

Here, type ls to see a list of the directory's contents, or pwd to see what directory you are in (relative to the root of the ftp share). And of course, type get followed by the name of a file to transfer it locally:

get myfile.txt

Open a terminal window on the server and let's look at the few options you have to configure FTP from the command line. We already discussed sharing -l to see a list of the available shares. Additionally, you can use the serveradmin command, where ftp is the name of the service. Let's look at the full status of the service first:

sudo serveradmin fullstatus ftp

Now let's look at status:

sudo serveradmin status ftp

Same thing, right? Let's look at all the settings:

sudo serveradmin settings ftp

If you have spaces in the name of a share that you configure from the Server app, the thing will fail. So use serveradmin to manually set shares with spaces or other special characters in their names:

sudo serveradmin settings ftp:DocumentRoot = "/Shared Items/Krypted"

Overall, this FTP implementation is meant for users who just need to access their web server, where all the files live in a web root of some sort. Otherwise, I'd still recommend most people use a third party tool. But if you just need to log into one share and you don't need a lot of fancy features on top of a protocol that hasn't changed much since 1985, then this implementation will still work for ya' without any extra work. Since we mentioned 1985, let's look at some other things that are as old, although perhaps not as dated, as the FTP protocol. Things from the year 1985:
  • Back To the Future is Released
  • Coke introduces one of the largest marketing fails of all time, New Coke. It is so bad it opens a hole in the Ozone, also discovered in this year by Al Gore
  • Rambo Part II and Rocky Part IV come out, Sly doesn’t come out
  • Mad Max Beyond Thunderdome teaches us that Tina Turner’s still got it – Bill Schroeder doesn’t have it, no relation to Ricky, he leaves the hospital part-cyborg with the first artificial heart.
  • A View To A Kill finally ends the Roger Moore era of James Bond. Computer nerds, keep in mind, he saved Silicon Valley. This movie had Christopher Walken and Duran Duran. What more could you ask for? Oh, right – Tanya Roberts! Oh, and Thomas Patrick Cavanaugh actually gets life for being a real spy.
  • Since Police Academy was a hit, the producers figured they’d screw it up by making a second movie: Police Academy 2 comes out
  • After watching Cocoon I now know I’ll never have to grow old, so I can treat my body however I want…
  • The unabomber is at the half way point of his career with 2 bombings this year, The Rainbow Warrior sinks (no known relation to the unabomber, unless he was a French antieco-terrorist), flight 847 is hijacked and Gorbachev becomes the leader of the largest pain in President Reagan’s bung hole: Russia (OMG Commies – Run!!!). In order to pay for the tail end of the cold war, Reagan lowers taxes and sends America into debt for the first time since 1914, a debt we are still in (evil Democrats, always incurring more American debt!). Meanwhile, Margaret Thatcher has shoulder pads surgically implanted because health care is free in Great Britain and all. Actually, National Health Service contributes little to England’s national debt, which was about as low in percentage of GDP as it had been since before WWI under her and due to her terms as PM. It was at its highest in the early 1800s, far before shoulder pads were in fashion… Having said that, the US, who went into debt for the first time had to sell Reagan’s autobiography rights in order to pay for his colon surgery since there’s not NHS here… He could have asked Gotti, who became the leader of the Gambinos in 1985 for a loan, but I hear he was too busy playing Tetris, which also came out in 1985…
  • British Telecom phases out red telephone boxes – almost as a result a single season of Dr. Who airs on TV.
  • In 1985, Paul Simon, Stevie Wonder, Ray Charles, Bob Dylan, Michael Jackson, Billy Joel, Cyndi Lauper, Willie Nelson, Lionel Richie, Smokey Robinson, Kenny Rogers, Diana Ross, Paul Simon, Bruce Springsteen, Tina Turner, Daryl Hall, Kenny Loggins, Huey Lewis and of course Al Jarreau sang We Are The World. Prince wouldn’t show and Waylon Jennings stormed out. Jane Fonda hosted a HBO special in between workout videos. Live Aid happens too, and is far cooler. But, at least Rich Ramirez (the Night Stalker) got nabbed in LA.Top singles on the charts include Madonna, Wham!, Simple Minds, Duran Duran, Phil Collins, Dire Straits, Starship, Lionel Richie, Foreigner and REO Speedwagon.
  • Top TV shows include the sweaters from the Cosby Show, Family Ties, Murder She Wrote, Dynasty, The Golden Girls, Miami Vice, Cheers, Knots Landing, Growing Pains and of course, DALLAS
  • The Ford Taurus and the Mercury Sable bring a new low point to American automobile engineering – luckily The Nintendo came out and no one cared for a decade or more…
  • The Commodore Amiga is launched.
  • The Free Software Foundation is founded by rms, author of great cookie recipes, tips on women and GNU Manifestos.
  • And most importantly, Steve Jobs starts NeXT

September 24th, 2015

Posted In: Mac OS X Server


The tools to automate OS X firewall events from the command line are still stored in /usr/libexec/ApplicationFirewall. And you will still use socketfilterfw there for much of the heavy lifting. However, now there are much more helpful and functional options in socketfilterfw that will allow you to more easily script the firewall. Some tricks I’ve picked up with the Mac Firewall/alf scripting:
  • Configure the firewall fully before turning it on (especially if you’re doing so through something like Casper, FileWave, Munki, or Absolute Manage where you might kick yourself out of your session otherwise).
  • Whatever you do, you can always reset things back to defaults by removing the file from /Library/Preferences and replacing it with the default plist from /usr/libexec/ApplicationFirewall/
  • Configure global settings, then per-application settings, then enable the firewall. On a remote system, chain the commands (;wait;) and enable the firewall once as a test, to make sure everything works before enabling it for good.
  • To debug, use the following command: /usr/libexec/ApplicationFirewall/socketfilterfw -d
In /usr/libexec/ApplicationFirewall is the Firewall command, the binary of the actual application layer firewall, and socketfilterfw, which configures the firewall. To configure the firewall to block all incoming traffic:

/usr/libexec/ApplicationFirewall/socketfilterfw --setblockall on

To see if block all is enabled:

/usr/libexec/ApplicationFirewall/socketfilterfw --getblockall

The output would be as follows, if successful:

Firewall is set to block all non-essential incoming connections

A couple of global options can be set. Stealth mode:

/usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on

To check if stealth mode is enabled:

/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode

Firewall logging:

/usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on

You can also control the verbosity of logs using throttled, brief or detail. For example, if you need to troubleshoot some issues, you might set the logging to detail using the following command:

/usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt detail

To start the firewall:

/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on

While it would be nice to think that was going to be everything for everyone, some environments actually need to allow traffic. Therefore, traffic can be allowed per signed binary. To allow signed applications:

/usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned on

To check if you allow signed apps:

/usr/libexec/ApplicationFirewall/socketfilterfw --getallowsigned

This will allow all TRUSTEDAPPS. The --listapps option shows the status of each filtered application:

/usr/libexec/ApplicationFirewall/socketfilterfw --listapps

To check if an app is blocked:

/usr/libexec/ApplicationFirewall/socketfilterfw --getappblocked /Applications/

This shows the number of exceptions, explicitly allowed apps and signed exceptions, as well as process names and allowed app statuses.

There is also a list of TRUSTEDAPPS, initially populated by Apple tools with sharing capabilities (e.g. httpd and smbd). If you are enabling the firewall using a script, first sign your applications that need to allow sharing but are not in the TRUSTEDAPPS section, using the -s option along with the application binary (not the .app bundle):

/usr/libexec/ApplicationFirewall/socketfilterfw -s /Applications/

Once signed, verify the signature:

/usr/libexec/ApplicationFirewall/socketfilterfw -v /Applications/

Then trust the application using the --add option:

/usr/libexec/ApplicationFirewall/socketfilterfw --add /Applications/

To see a list of trusted applications, use the -l option as follows (the output is pretty ugly and needs to be parsed better):

/usr/libexec/ApplicationFirewall/socketfilterfw -l

If, in the course of your testing, you determine the firewall just isn't for you, disable it:

/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off

To sanity check whether it's started:

/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate

Or to manually stop it using launchctl (it should start again with a reboot):

launchctl unload /System/Library/LaunchAgents/
launchctl unload /System/Library/LaunchDaemons/

If you disable the firewall using launchctl, you may need to restart services for them to work again.
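The ordering advice from the tips above (global settings, then per-application rules, then enable) as a dry-run-first script; this is an added example, not the post's own code. It uses only the socketfilterfw flags shown above, and the APPS path is a constructed placeholder for a daemon that is not in TRUSTEDAPPS.

```shell
#!/bin/sh
# Script the application firewall in the order the post recommends:
# global settings first, per-application rules second, enable last.
# Added example, not from the post. Assumes the socketfilterfw flags shown
# above; APPS lists binaries (not .app bundles) to sign and trust, and its
# default value is a constructed placeholder path.
SFW="${SFW:-/usr/libexec/ApplicationFirewall/socketfilterfw}"
APPS="${APPS:-/usr/local/sbin/example-agentd}"
BLOCK_ALL="${BLOCK_ALL:-off}"   # "on" blocks all non-essential inbound, so per-app rules then do nothing
LOG_OPT="${LOG_OPT:-brief}"     # throttled | brief | detail

# Print the ordered command plan, one command per line. Nothing runs here,
# so the plan can be reviewed (or diffed against policy) before APPLY=1.
alf_plan() {
  # 1. global settings
  printf '%s --setblockall %s\n' "$SFW" "$BLOCK_ALL"
  printf '%s --setstealthmode on\n' "$SFW"
  printf '%s --setloggingmode on\n' "$SFW"
  printf '%s --setloggingopt %s\n' "$SFW" "$LOG_OPT"
  printf '%s --setallowsigned on\n' "$SFW"
  # 2. per-application rules: sign, verify, then trust each binary
  #    ($APPS is intentionally unquoted so a space-separated list splits)
  for app in $APPS; do
    printf '%s -s %s\n' "$SFW" "$app"
    printf '%s -v %s\n' "$SFW" "$app"
    printf '%s --add %s\n' "$SFW" "$app"
  done
  # 3. enable last, so a half-configured firewall never cuts a remote session
  printf '%s --setglobalstate on\n' "$SFW"
}

# Interpret the --getblockall output quoted in the post: true (0) when the
# text says block-all is in effect, false (1) otherwise.
blockall_from_output() {
  case $1 in
    *"block all non-essential incoming connections"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Number of steps in the plan; handy for progress logging in a deployment tool.
plan_length() { alf_plan | wc -l | tr -d ' '; }

main() {
  if [ "${APPLY:-0}" = 1 ] && [ -x "$SFW" ]; then
    alf_plan | sh -e              # stop at the first failing step
    "$SFW" --getglobalstate       # confirm the end state after enabling
    "$SFW" --getblockall
  else
    echo "dry run ($(plan_length) steps; set APPLY=1 on a Mac with socketfilterfw to execute):"
    alf_plan
  fi
}
main
```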

July 16th, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment


Configuring Calendar Server in Mavericks Server (OS X Server 3) is a fairly simple and straightforward process. The Calendar Server is a CalDAV server, leveraging HTTP and HTTPS, running on ports 8008 and 8443 respectively. To enable the Calendar service in Mavericks Server, open the Server application and click on Calendar in the SERVICES section of the sidebar. Once open, click on Edit to enable email notifications of invitations in the Calendar Server. Provide the email address and then click on the Next button. At the Configure Server Email Address screen, provide the type of incoming mail service in use, the address of the mail server and the port number used (if not the standard port for IMAP over SSL, or POP if you'd prefer), the user name and the valid password for the account. Then click on the Next button. At the outgoing mail server screen, provide the Outgoing Mail Server address, the port, whether or not SSL is in use (it should be if possible), the password protocol, the user name and the password. Then click on the Next button. At the Mail Account Summary screen, review the settings and, if correct, click Finish. Back at the service configuration screen, click on the plus sign ("+") and provide a type of location, a name for the location, whether or not invitations to the resource are accepted, and then enter the account name for any accounts that can manage the location's calendar (they will auto-complete, so there's no need to remember users and groups exactly). Click Done to complete the setup. Use the Resource setting in Type to configure a resource instead of a location. The two are the same except for the Type field. There are a number of other settings that can be configured, but those are exposed only at the command line.
To configure them, open the command line and then review the list of Calendar service settings using the settings option of the serveradmin command:

sudo serveradmin settings calendar

There are a number of settings for the Calendar service, including the following:

calendar:SSLCertificate = "/etc/certificates/mavserver.pretendco.lan.10E6CDF9F6E84992B97360B6EE7BA159684DCB75.cert.pem"
calendar:EnableCalDAV = no
calendar:Notifications:Services:APNS:CalDAV:CertificatePath = "/Library/Server/Calendar and Contacts/Config/Certificates/"
calendar:Notifications:Services:APNS:CalDAV:PrivateKeyPath = "/Library/Server/Calendar and Contacts/Config/Certificates/"
calendar:Notifications:Services:APNS:CalDAV:AuthorityChainPath = "/Library/Server/Calendar and Contacts/Config/Certificates/"
calendar:Notifications:Services:APNS:CardDAV:CertificatePath = "/Library/Server/Calendar and Contacts/Config/Certificates/"
calendar:Notifications:Services:APNS:CardDAV:PrivateKeyPath = "/Library/Server/Calendar and Contacts/Config/Certificates/"
calendar:Notifications:Services:APNS:CardDAV:AuthorityChainPath = "/Library/Server/Calendar and Contacts/Config/Certificates/"
calendar:Notifications:Services:APNS:Enabled = yes
calendar:EnableAPNS = yes
calendar:DefaultLogLevel = "warn"
calendar:Authentication:Digest:Enabled = yes
calendar:Authentication:Digest:AllowedOverWireUnencrypted = yes
calendar:Authentication:Kerberos:Enabled = yes
calendar:Authentication:Kerberos:AllowedOverWireUnencrypted = yes
calendar:Authentication:Wiki:Enabled = yes
calendar:Authentication:Basic:Enabled = yes
calendar:Authentication:Basic:AllowedOverWireUnencrypted = no
calendar:DataRoot = "/Library/Server/Calendar and Contacts/Data"
calendar:Scheduling:iMIP:Sending:Server = "mavserver.pretendco.lan"
calendar:Scheduling:iMIP:Sending:UseSSL = yes
calendar:Scheduling:iMIP:Sending:Username = ""
calendar:Scheduling:iMIP:Sending:Address = ""
calendar:Scheduling:iMIP:Sending:Password = "JAdMTWx9Bh9JaaGm"
calendar:Scheduling:iMIP:Sending:Port = 587
calendar:Scheduling:iMIP:Enabled = yes
calendar:Scheduling:iMIP:Receiving:Server = "mavserver.pretendco.lan"
calendar:Scheduling:iMIP:Receiving:UseSSL = yes
calendar:Scheduling:iMIP:Receiving:Username = ""
calendar:Scheduling:iMIP:Receiving:Type = "imap"
calendar:Scheduling:iMIP:Receiving:Password = "JAdMTWx9Bh9JaaGm"
calendar:Scheduling:iMIP:Receiving:Port = 993
calendar:ServerHostName = "mavserver.pretendco.lan"
calendar:EnableCardDAV = yes
calendar:SSLPort = 8443
calendar:LogLevels = _empty_dictionary
calendar:DirectoryAddressBook:params:queryPeopleRecords = no
calendar:DirectoryAddressBook:params:queryUserRecords = no
calendar:SSLPrivateKey = "/etc/certificates/mavserver.pretendco.lan.10E6CDF9F6E84992B97360B6EE7BA159684DCB75.key.pem"
calendar:EnableSSL = yes
calendar:RedirectHTTPToHTTPS = yes
calendar:SSLAuthorityChain = "/etc/certificates/mavserver.pretendco.lan.10E6CDF9F6E84992B97360B6EE7BA159684DCB75.chain.pem"
calendar:EnableSearchAddressBook = no
calendar:HTTPPort = 8008

One of the more common settings to configure is the port number that CalDAV runs on. To configure HTTP:

sudo serveradmin settings calendar:HTTPPort = 8008

For HTTPS:

sudo serveradmin settings calendar:SSLPort = 8443

You can then start the service using the start option:

sudo serveradmin start calendar

Or to stop it:

sudo serveradmin stop calendar

Or to get the status:

sudo serveradmin fullstatus calendar

Full status indicates that the three services are running:

calendar:readWriteSettingsVersion = 1
calendar:setStateVersion = 1
calendar:state = "RUNNING"
calendar:contactsState = "RUNNING"
calendar:calendarState = "RUNNING"

Once the Calendar server is configured, use the Calendar application to communicate with the server. Open the Calendar application, click on the Calendar menu and select Preferences. From the Preferences screen, click on Accounts to bring up a list of accounts.
Here, click on the plus sign ("+") to bring up the "Add an Account" screen. At the "Add an Account" screen, select Add CalDAV Account. Select CalDAV from the Account Type menu and then enter the User Name and password configured on the server, and add the address of the server if you don't have any service records pointing to it. The User Name is usually the name provided in the Server app, followed by @ and then the address of the server. Once the server is configured it appears in the list of accounts in the sidebar of the Calendar app. Create calendars in the account and then, to share a calendar, right-click on the calendar and click on Share Calendar… At the Share Calendar screen, provide the name the calendar should appear as to others, click on the plus sign ("+") and enter any accounts to delegate administration to. Back at the Calendar Settings screen, use the settings to configure Availability and the refresh rate of calendars. Click on Server Settings to assign custom port numbers. Click on the Delegation tab to view any accounts you've been given access to. Use the Edit button to configure who has delegated access to calendars, as opposed to configuring subscriptions. Overall, the Calendar service in Mavericks Server is one of the easiest to configure. Most of the work goes into settings configured on client systems. This, as with Exchange, distributes administration, often making it more complicated than with many other tools. But that's a good thing; no one wants to access other people's accounts, for calendars or mail for that matter, without those users knowing that it was done, as will happen when resetting passwords…

October 23rd, 2013

Posted In: Mac OS X Server


You shouldn’t have to reboot your ESX servers very often. But when you do, you might want the virtual machines to start up automatically. To configure a virtual machine to start up (or shut down) automatically select the host and click on the Configuration tab. Then click on virtual machine Startup/Shutdown and click on Properties, selecting “Allow virtual machines to start and stop automatically with the system”. As I mentioned in a previous article, you can also configure the operating system to start after a brief delay by providing a Default Startup Delay time, allowing time for booting systems to run scripts or to throw them into Safe Mode. You can also configure automated shutdown options at this screen as well. Also use the Move Up and Move Down options to indicate what order virtual machines start when the system starts. Click Save and the configs are written to the system.

June 10th, 2013

Posted In: VMware, Windows Server


Mail is one of the hardest services to manage. Actually, mail is pretty simple in and of itself: there are protocols people use to access their mail (such as IMAP and POP), protocols used to communicate between mail servers and send mail (SMTP, SMTPS), and then there's a database of mail and user information. In Mountain Lion Server, all of these are represented by a single ON button, so it really couldn't be easier. But then there's the ecosystem and the evil spammers. As a systems administrator of a large number of mail servers, I firmly believe that there is a special kind of hell where only spam is served at every meal for spammers. Here, the evil spammers must also read every piece of spam ever sent for eternity. By the end (aka Ragnarok), they should be fairly well hung, have chemically induced stamina of a 16 year old with the latest Sports Illustrated Swimsuit issue, enough pills of other types to not be able to use that stamina, plenty of African princes looking to donate large sums of money if only they can be helped out of their country (which should cost about 100,000 compared to a 5,000,000 payout, not a bad ROI, right?!?!?), have their conflicting stamina situation at the top of the search engines and of course, have lost all of the money made from their African princes due to getting their credit card hijacked by about 9,000 phishing scams. All in all, a special kind of hell…

But back to the point of the article, setting up mail… The things that mail administrators need to focus on to keep that mail server flowing mail to and from everyone else in the world:
  • Static IP address. The WAN (and LAN probably) address should be static.
  • Port Forwards. Port forwards need to be configured on the gateway for the SMTP port at a minimum and more than likely other ports used to access mail on client devices (25, 143, etc)
  • DNS records. An MX record and a host record of some kind should definitely be configured on the DNS servers that are authoritative for the domain. There should also be a reverse record for the address of the server, usually created by the Internet Service Provider (ISP), that matches that record.
  • Check the RBLs. If you have a new IP address you'll be putting a mail server on, check all the major Realtime Blacklists to make sure that some evil spammer hasn't squatted on the IP before you got to it. This is true whether you're in a colo, hosted on an IP you own or moving into space formerly occupied by a very standup company. A lot of IP addresses are blocked, as are whole blocks of IPs, so before moving mail to an IP, check it.
  • Mail filtration (message hygiene). OS X Server has a number of mail filters built in, including clam for viruses, RBL checking and the ability to block specific addresses. However, this is often not enough. Third party services such as MXLogic help to keep mail from coming into your network. You also end up with an external IP to send mail from, which can cache mail in the event the server is down and keep mail off your network in the event that it's spam.
  • Backup. I am firmly of the belief that I’d rather not have data than not have that data backed up…
Once all of that is taken care of (I'll add more as I think about it), it's time to enable the mail service. Actually, first let's set up our SSL certificates. To do so, open the Server app and click on the name of the server in the HARDWARE section of the sidebar. Then click on the Settings tab and then the Edit button beside the SSL Certificate entry. Here, use the Certificate drop-down list for each protocol to select the appropriate certificate to be used for the service. Click OK when they're all configured. Now let's enable the mail service (or outsource mail). To do so, open the Server app and click on Mail in the SERVICES list in the sidebar. At the configuration screen is a sparse number of settings:
  • Provide mail for: Configures all of the domains the mail server will listen for mail for. Each account on the server has a short name and each domain name will be available for each short name. For example, an account with a shortname of charles will be available for email addresses of and per the Domain Name listing below.
  • Authentication: Click Edit for a list of sources that accounts can authenticate against (e.g. Active Directory, Open Directory, Custom, Local, etc) and in some cases the specific password algorithms used for mail.
  • Relay outgoing mail through ISP: Provide a server that all mail will get routed through from the server. For example, this might be an account with your Internet Services Provider (ISP), an account on an appliance that you own (such as a Barracuda) or with an external filtering service (such as MXLogic).
  • Limit mail to: Configure the total amount of mail a user can have in the mail store, in Megabytes.
  • Edit Filtering Settings: Configure antivirus, spam assassin and junk mail filters. The “Enable virus filtering” checkbox enables clam. The “Enable blacklist filtering” checks the RBL (or RBLs) of your choice to check whether a given server is a “known” spammer and the “Enable junk mail filtering” option enables spam assassin on the host, configuring it to block based on a score as selected using the slider.
Once you’ve configured the settings for the Mail service, click on the ON slider to enable the service. At this point, you should be able to telnet into port 25 of the host to verify that SMTP is listening, preferably from another mail server:

telnet 25

You can also check that the mail services are running using the serveradmin command along with the fullstatus option for the mail service:

sudo serveradmin fullstatus mail

Which returns with some pretty verbose information about the service, including state, connections, running protocols and the rest of the following:

mail:setStateVersion = 1
mail:readWriteSettingsVersion = 1
mail:connectionCount = 0
mail:servicePortsRestrictionInfo = _empty_array
mail:protocolsArray:_array_index:0:status = "ON"
mail:protocolsArray:_array_index:0:kind = "INCOMING"
mail:protocolsArray:_array_index:0:protocol = "IMAP"
mail:protocolsArray:_array_index:0:state = "RUNNING"
mail:protocolsArray:_array_index:0:error = ""
mail:protocolsArray:_array_index:1:status = "ON"
mail:protocolsArray:_array_index:1:kind = "INCOMING"
mail:protocolsArray:_array_index:1:protocol = "POP3"
mail:protocolsArray:_array_index:1:state = "RUNNING"
mail:protocolsArray:_array_index:1:error = ""
mail:protocolsArray:_array_index:2:status = "ON"
mail:protocolsArray:_array_index:2:kind = "INCOMING"
mail:protocolsArray:_array_index:2:protocol = "SMTP"
mail:protocolsArray:_array_index:2:state = "RUNNING"
mail:protocolsArray:_array_index:2:error = ""
mail:protocolsArray:_array_index:3:status = "ON"
mail:protocolsArray:_array_index:3:kind = "OUTGOING"
mail:protocolsArray:_array_index:3:protocol = "SMTP"
mail:protocolsArray:_array_index:3:state = "RUNNING"
mail:protocolsArray:_array_index:3:error = ""
mail:protocolsArray:_array_index:4:status = "ON"
mail:protocolsArray:_array_index:4:kind = "INCOMING"
mail:protocolsArray:_array_index:4:protocol = "Junk_mail_filter"
mail:protocolsArray:_array_index:4:state = "STOPPED"
mail:protocolsArray:_array_index:4:error = ""
mail:protocolsArray:_array_index:5:status = "ON"
mail:protocolsArray:_array_index:5:kind = "INCOMING"
mail:protocolsArray:_array_index:5:protocol = "Virus_scanner"
mail:protocolsArray:_array_index:5:state = "STOPPED"
mail:protocolsArray:_array_index:5:error = ""
mail:startedTime = "2012-07-30 18:14:26 +0000"
mail:logPaths:IMAP Log = "/Library/Logs/Mail/mailaccess.log"
mail:logPaths:Server Log = "/Library/Logs/Mail/mailaccess.log"
mail:logPaths:POP Log = "/Library/Logs/Mail/mailaccess.log"
mail:logPaths:SMTP Log = "/var/log/mail.log"
mail:logPaths:Migration Log = "/Library/Logs/MailMigration.log"
mail:logPaths:Virus Log = "/Library/Logs/Mail/clamav.log"
mail:logPaths:Amavisd Log = "/Library/Logs/Mail/amavis.log"
mail:logPaths:Virus DB Log = "/Library/Logs/Mail/freshclam.log"
mail:imapStartedTime = "2012-07-30 18:14:26 +0000"
mail:servicePortsAreRestricted = "NO"
mail:state = "RUNNING"
mail:postfixStartedTime = "2012-07-30 18:14:49 +0000"

To stop the service:

sudo serveradmin stop mail

And to start it back up:

sudo serveradmin start mail

To configure some of the settings no longer in the GUI from previous versions, let’s look at the full list of options:

sudo serveradmin settings mail

One that is commonly changed is the subject line added to messages that are marked as spam by SpamAssassin. This is stored in mail:postfix:spam_subject_tag, so changing it would be:

sudo serveradmin settings mail:postfix:spam_subject_tag = "***DIEEVILSPAMMERSDIE*** "

A number of admins also choose to disable greylisting, done using the mail:postfix:greylist_disable option (yes disables greylisting, no leaves it on):

sudo serveradmin settings mail:postfix:greylist_disable = yes

To configure an email address for quarantined mail to go to, use mail:postfix:virus_quarantine:

sudo serveradmin settings mail:postfix:virus_quarantine = ""

The administrator, by default, doesn’t get an email when an email containing a file infected with a virus is sent through the server. To enable this option:

sudo serveradmin settings mail:postfix:virus_notify_admin = yes

I also find a lot of Mac environments want to accept email of pretty much any size. By default, message size limits are enabled. To disable them:

sudo serveradmin settings mail:postfix:message_size_limit_enabled = no

Or even better, just set a new limit (the value is in bytes, so 10485760 is 10 MB):

sudo serveradmin settings mail:postfix:message_size_limit = 10485760

And to configure the percentage of someone’s quota that kicks an alert (soft quota):

sudo serveradmin settings mail:imap:quotawarn = 75

Additionally, the following arrays are pretty helpful, which used to have GUI options:
  • mail:postfix:mynetworks:_array_index:0 = “” – Add entries to this one to add “local” clients
  • mail:postfix:host_whitelist = _empty_array – Add whitelisted hosts
  • mail:postfix:blacklist_from = _empty_array – Add blacklisted hosts
  • mail:postfix:black_hole_domains:_array_index:0 = “” – Add additional RBL Servers
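The fullstatus output above lists the junk mail filter and virus scanner as ON but STOPPED, which is exactly the kind of gap worth catching automatically: mail keeps flowing, just unfiltered. The following shell script is an added example, not code from the original post or from Apple. It parses the key = value lines that serveradmin fullstatus prints and flags any protocol whose status is ON but whose state is not RUNNING. The embedded sample is constructed from the values shown above, and the script falls back to it when serveradmin is not on the machine.

```shell
#!/bin/sh
# Added example (not from the original post): parse the output of
# `sudo serveradmin fullstatus mail` and report any mail protocol that is
# enabled (status = "ON") but not actually running (state != "RUNNING").
# SAMPLE_STATUS is constructed from the values shown in the post.

SAMPLE_STATUS='mail:protocolsArray:_array_index:0:status = "ON"
mail:protocolsArray:_array_index:0:kind = "INCOMING"
mail:protocolsArray:_array_index:0:protocol = "IMAP"
mail:protocolsArray:_array_index:0:state = "RUNNING"
mail:protocolsArray:_array_index:0:error = ""
mail:protocolsArray:_array_index:4:status = "ON"
mail:protocolsArray:_array_index:4:kind = "INCOMING"
mail:protocolsArray:_array_index:4:protocol = "Junk_mail_filter"
mail:protocolsArray:_array_index:4:state = "STOPPED"
mail:protocolsArray:_array_index:4:error = ""
mail:protocolsArray:_array_index:5:status = "ON"
mail:protocolsArray:_array_index:5:kind = "INCOMING"
mail:protocolsArray:_array_index:5:protocol = "Virus_scanner"
mail:protocolsArray:_array_index:5:state = "STOPPED"
mail:protocolsArray:_array_index:5:error = ""
mail:state = "RUNNING"'

# stopped_protocols: read fullstatus text on stdin and print one line per
# protocol whose status is ON but whose state is anything other than RUNNING.
stopped_protocols() {
    awk -F' = ' '
        # Keys look like mail:protocolsArray:_array_index:N:field
        $1 ~ /^mail:protocolsArray:_array_index:[0-9]+:/ {
            split($1, k, ":")
            idx = k[4]; field = k[5]
            gsub(/"/, "", $2)            # strip the quotes around the value
            v[idx, field] = $2
            if (!(idx in seen)) { seen[idx] = 1; order[++n] = idx }
        }
        END {
            for (i = 1; i <= n; i++) {
                idx = order[i]
                if (v[idx, "status"] == "ON" && v[idx, "state"] != "RUNNING")
                    print v[idx, "protocol"] " (" v[idx, "kind"] ") is " v[idx, "state"]
            }
        }'
}

# check_mail_filters: return 0 when every enabled protocol is running,
# otherwise print the offenders and return 1 (usable as a monitoring probe).
check_mail_filters() {
    out=$(stopped_protocols)
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}

# Stand-alone run: use the real command when present, else the sample.
if command -v serveradmin >/dev/null 2>&1; then
    sudo serveradmin fullstatus mail | check_mail_filters || echo "filters enabled but not running; check /Library/Logs/Mail/amavis.log"
else
    printf '%s\n' "$SAMPLE_STATUS" | check_mail_filters || echo "filters enabled but not running; check /Library/Logs/Mail/amavis.log"
fi
```

The exit status makes the check easy to drop into a cron job or a monitoring agent; the amavis and clamav log paths it points at are the ones fullstatus lists above.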
The client side of the mail service is straightforward enough. If you are wondering where in this article we discuss using webmail, er, that’s not installed by default any longer. But the open source project previously used, roundcube, is still available for download and easily installed (the pre-reqs are all there already). Check out the roundcube wiki installation page here for more info on that. Also, mail groups. I hope to have a post about that soon enough. Unless, of course, I get sidetracked with having a life. Which is arguably not very likely…

July 31st, 2012

Posted In: Mac OS X, Mac OS X Server, Mac Security

Mountain Lion Server is now available on the OS X App Store and as with the last few updates there are some things missing that you might be expecting and depending on. First up, three major services are gone: Podcast Producer, RADIUS and dhcp. You can still do dhcp as you always did with OS X client as those features work on OS X Server, but the more granular controls available in OS X Server are now gone. The biggest impact of dhcp is probably in testing NetBoot services when there are network issues and you need to prove to network admins that it’s the network and not your server… I had written an article before about FTP still being in OS X Server from the command line, but now it’s back in the GUI, which should make many an administrator happy. NAT is also gone from the GUI, but natd and natutil are still available from the command line. Might as well just use the Sharing System Preference pane for such things though… Server Admin is now gone (long live Server Admin!) and Workgroup Manager is now a download to be performed and installed following installation. Support for Managed Preferences is gone, even though most manifests technically still work. Many services also got some pretty nice updates. These include:
  • Calendar – There are a few updates on the client side, but not on the server side. Most notably, the option to publish calendars is now gone. If you used that, it’s time to get used to manually exporting, copying to a share and then distributing links. This is going to likely cause more use of the Calendar server itself, to some degree. Also, it’s not iCal or iCal Server, it’s now Calendar and Calendar server. Seems to me that this isn’t obviously an Apple-centric naming structure as with most other things they do, but sometimes you’re gonna’ have that…
  • Contacts – Nope, it’s not called Address Book server, it’s the Contacts service. Same with the client side application.
  • DNS – DNS management is moved into the Server application. You can also now restrict who you do lookups for in the GUI. Under the hood very little changes.
  • File Sharing – Nothing really changes with file sharing, except the wiki integration described in the Wiki section in a little bit.
  • Firewall – The firewall option is gone, as is the ipfilter at the command line, but pf is easy to configure from the command line.
  • FTP – It’s a quick and easy single share solution from the GUI. Using the sharing command there’s still tons available to administrators.
  • Mail – Authentication mechanisms and domains are in the GUI, but very little changes otherwise.
  • Messages – The service name has changed from iChat to Messages in the GUI but is still jabber from the command line. The big change with this service is that the client side is now able to leverage iCloud to instant message mobile devices as well. Therefore, the text messaging component is client-side and has no impact on the jabber service itself.
  • NetInstall – The “NetInstall” service is NetBoot. It can host NetRestore or NetInstall images, but the heavy lifting for that stuff is done in System Image Utility. And the output of the SIU commands is now more scriptable through the automator command line interface. The NetInstall screen is now in Server app and is a good port from Server Admin in that it’s similar in look and feel to the NetBoot screen in Server Admin. A feature that isn’t in the GUI is diskless NetBoot, which is fine because I documented how to do it when I realized it would be an issue for a few customers.
  • Open Directory – Given that Server Admin is gone, something had to happen with Open Directory. The Open Directory screens have been moved to Server app where it’s fast to setup and tear down Open Directory. Open Directory based Users and Groups are also created through the Server App, although Workgroup Manager can be downloaded and used still. Immediately following upgrades, the add and remove users buttons are gone for previously stand-alone hosts. Also the Manage Network Accounts option is now gone from Server app, replaced with the traditional ON button supplied by Apple for other services.
  • Profile Manager – This deserves its own post, which is in the queue, but suffice it to say that while you can’t tell when looking in Server app, there are a number of upgrades to Profile Manager.
  • Software Update – Management of the service is moved from Server Admin to Server app. There are now fewer options in the GUI, but the same in the command line. Cascading is a little different.
  • Time Machine – Time Machine server is the same… The versions option from the Time Machine Server preference pane is gone and the layout is a little changed, but the server component is identical in functionality as well as look and feel.
  • VPN – Unless you add another supported VPN protocol there’s not much to do after fixing most issues in 10.7.4. Except fixing the last issue with search bases, seemingly resolved as it’s working for me pretty well.
  • Websites – There are more options in the GUI for new sites. The default site appears twice (once for 80 and once for 443), but there are more options, such as the Web App functionality that comes with a default Python “Hello World” app. Also the server is still called web from the serveradmin command line, but is now called Websites through the GUI.
  • Wiki – The wiki has themes again, although they’re just color schemes. And you can create your own custom banners and upload, which brings back two of the most common feature requests from people that hack the look and feel of the wiki in versions previous to Lion. But the most substantial aspect of the Wiki to change to me is the document management options, available to users in WebDAV or through the portal. This allows for a very mobile-friendly file management tool. Blogs and wikis for the most part stay the same and have a very clean upgrade process from Lion. The command line tools also feature some new options for indexing, etc., which many will find helpful.
  • Xsan – cvadmin, cvlabel, cvversions, etc. are now stored in /System/Library/Filesystems/acfs.fs/Contents/bin/ and Xsan has its own entry in the Server app. Despite hearing people question its future, I’ve never seen as many questions flying around about how to do things with Xsan as I do now. Storage sales are up, monkey chatter on the web is up, deployments are being booked and Xsan looks here to stay. The Server app only really shows you a status of things, but the Xsan Admin app is now embedded in the Server app and available through the Server app Tools directory.

Configuring Websites in Server app

The Alerts options are much more robust in Mountain Lion than they were previously. You can now get alerts on a myriad of things, including certs, disks, space, storage quotas, virus detection, network changes and software updates.

Configuring Alerts in Mountain Lion Server

The Server commands also moved and in fact the whole file and folder structure mostly fits nicely inside of the Server app. There are certain things that haven’t been dealt with in this regard such as NetBoot’s library, but for the most part Apple is getting Server to the point where it’s very self-contained. The ramification of which is that upgrades for future releases (and from Lion to Mountain Lion for that matter) are much simpler. Simply downloading a new version informs administrators that the app has been replaced and is good to go, service data intact. In the real world, this has been a little hit or miss but should prove to make our lives much easier in the future. Reducing scope, aligning with better development practices and all the work to merge all of the remaining services into Server app are huge undertakings. I would fully expect no further support or updates to Workgroup Manager, no more testing of managed preferences in deference to profiles and a few other culture shifts that still need to shake themselves out. Most of us are going to seem underwhelmed (if that’s a word, no it’s not ’cause I looked it up -> awesome video below --> ’cause affection has 2 fs, especially when you’re dealin’ with me). But here’s the thing, with an incremental update, you’re not going to get massive changes. Instead we will get slow and steady updates hopefully continuing to build faster towards a better end goal. What’s important is that the foundation is actually better now, given changes to other parts of OS X, and so Server is likely now better positioned than ever for great new features in subsequent releases.
Oh, and did I forget to mention that Xgrid is gone. I guess no one really noticed anyway…

July 26th, 2012

Posted In: Mac OS X Server

I love Notification Center on my phone. I think it’s great to receive a simple list of items that have changed since the last time I looked at the phone.  I can also quickly dismiss the screen so the fact that there’s often 20 or more items in the list when I’ve been sitting at my computer for 10 minutes and not looking at the phone doesn’t really bum me out much. In Mountain Lion, Notification Center comes to the Mac. What I’ve grown to love on the iPhone, I’m not sold on for OS X. You see, the alerts that pop up on the screen are great for a phone, because if you’re looking at your phone (hopefully not while driving) then you’re likely multitasking. Since most mobile solutions are so great for multi-tasking, many of us have gotten used to multi-tasking on our mobile devices and then plugging into a keyboard when we need to do something that requires focus. Or at least that’s my workflow. By default, Notification Center assumes the same level of multi-tasking is done on desktops as on mobile devices.  But with some tuning, Notification Center can be even more useful. For example, when I’m writing I like to cut down the distractions. Doing so helps me to stay focused. And when I’m trying to keep the distractions down, there are certain things that should still jar me out of my otherwise focused state. By default, Notification Center pops up alerts on my screen that tell me that things have happened with some of my apps, such as I got an email, a calendar event is prompting or there was a tweet about me. But Notification Center allows me to configure what kinds of alerts I want to see. For example, I might want an alert about a Reminder to come through and not have tweets pop up on my screen while I’m writing. To disable one of the applications allowed to pop up an alert on the screen, open the Notifications System Preference pane and find the application in the list provided. Then select None to disable notifications. 
The default setting for each app is to provide what is known as a Banner. A Banner is a prompt that informs users that an event has occurred with a supported app and then goes away. You can also set each app to provide an Alert, which is a banner that doesn’t go away on its own but must be clicked on to disappear. You can also configure options that make Notifications a little more useful. These are configured per app and include the following:
  • Show in Notification Center: Indicates the number of items for each app that are shown in the Notification Center at a time. The default is 5 and this shows you, for example, the subject, sender and first few lines of emails or the name and sender of Tweets that have information about you.
  • Badge app icon: Removes the red indicator for each app. For example, when unchecked for mail you’ll no longer see how many unread emails you have.
  • Play sound when receiving notifications: Enables an audible alert (ding, ding) that a notification is waiting for you.
Overall, I think it’s really awesome that I now have a feature that is very iOS-centric sitting right here on my Mac. I do think it’s a bit verbose by default, but then, that’s my workflow – the developers are probably targeting the people who feel multi-tasking is healthy on every single computing device you touch. I don’t necessarily agree, but I dig it anyway. So me and my 2 apps that still have notifications enabled are going to use this feature, if a bit less verbosely than most!

July 25th, 2012

Posted In: Mac OS X

At this point, most Mac admins know how to enable ntp on a Mac OS X Server and set clients to the server. Most Mac admins also know how to use managed preferences to set ntp as well. We all know that time is pretty important and most are using ntp at this point. Network time should, almost by definition, be continuous, which allows ntpd in Mac OS X to update clocks in small increments. Thus, managing corrections with little overhead or impact to the system makes ntp an inexpensive method for managing clocks. But ntp is also built to keep things running smoothly even when there are a lot of corrections. When a lot of corrections are made by ntp, these are tracked and can be seen using the ntpdc command. ntpdc is used to view and set the state of the ntp daemon and is interactive. To enter the interactive environment, simply type ntpdc at a terminal prompt:

ntpdc

Once you are in the ntpdc interactive environment you will need to use one of the many verbs provided for ntpdc. One such verb is loopinfo, used to “display loop filter information”:

ntpdc> loopinfo
offset: 0.017866 s
frequency: -499.996 ppm
poll adjust: 13
watchdog timer: 209 s

The above output has four items of interest:
  • Offset: How far off the client is from the server (drift is natural, so all zeros in this category typically represent the server being offline).
  • Frequency: The frequency correction, in ppm, that ntpd applies to the kernel clock to compensate for the local oscillator.
  • Poll adjust: Used to increase or decrease the polling interval. The range is -30 to 30. 13 is an increase of 13 seconds whereas -30 would represent a decrease of 30 seconds.
  • Watchdog timer: The time since the last update to the system.
Note: To make it easier to parse, you can run loopinfo with the oneline option, placing output into a single comma separated line. There are other verbs as well, which allow you to add servers (addserver), show peers (showpeer), set a password to use for authenticated requests (passwd), see various statistics (sysstats, sysinfo, stats, instates, ctlstats, clockstat, iostats) and set encryption keys (keyid, trustedkey, untrustedkey, etc). There’s a pretty good bit you can do with these verbs; just run help to see a full list of supported verbs (my favorite verb other than loopinfo is fudge). You can also check ntp information on the fly using the ntpq command. Here, ntpq -p will show you the name, IP address and other information live:

ntpq -p

Returns:

remote refid st t when poll reach delay offset jitter
==============================================================================
* 2 u 181m 512 376 32.169 17.084 0.315

Windows clients using Active Directory domains automatically get time from domain controllers. If a client is part of an Open Directory or SMB-based domain, you can add an NTP server by clicking on the time in the system tray (bottom right corner of the Windows screen). Click on Internet Time. Click the check box for Automatically synchronize with an Internet time server. Enter the name or IP of the ntp server. Click the Update Now button. When finished, you’ll see a note that Your time has been successfully synchronized. For clients other than Windows, it makes little sense to set ntp settings with a GPO, given that systems not in Active Directory won’t really use them. And most environments that don’t have a directory service are pretty small. But this isn’t to say that you won’t want to deploy these settings en masse. Much as you can use the /etc/ntp.conf file or the systemsetup -setnetworktimeserver command to configure a time server in Mac OS X, you can use the registry to do so in Windows.
If you can use the registry to configure a setting you can then use regedit or regedt32 to set the keys programmatically. If you choose to, the keys are in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters (most notably the NtpServer key), or you can use w32tm with the /config option. Once configured, resync the clock against the time server to test. This can be done with w32tm:

w32tm /resync /rediscover

Mac OS X and Windows can use an ntp-based server, but given that ntp is so widely used, what else? Using ntp with appliances can help with authentication protocols and also assist with correlating issues across log files. So, how about a Cisco IOS device. SSH into one and let’s get started. First off, run the enable command and then provide a password:

enable

Then, go into config mode:

config t

Now we’re going to use the ntp command and issue an update-calendar to tell IOS to update the hardware clock from the software clock:

ntp update-calendar

Then we’ll specify our ntp server(s):

ntp server

Note: Just run the ntp server command twice if you want to specify a second ntp server. Then exit config mode:

exit

And write your new settings into memory:

wr mem
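As an added example (not from the original post), here is a shell health check over the ntpq -p table shown earlier in this post, the kind of thing to run from a monitoring job on servers whose authentication (Kerberos, Open Directory, Active Directory) depends on clocks agreeing. It picks the system peer (the row whose tally mark is *), checks that reach is 377 (all of the last eight polls answered; the column is octal) and that the offset is within a configurable tolerance. Host names and refids in the embedded sample are constructed placeholders; the numeric columns of the first row come from the output above. MAX_OFFSET_MS is a hypothetical environment knob, defaulting to 1000 ms.

```shell
#!/bin/sh
# Added example (not from the original post): a small health check over the
# tabular output of `ntpq -p`. SAMPLE_NTPQ is constructed; the host names and
# refids are placeholders, the numbers on the first data row come from the post.

SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time.example.lan 203.0.113.10     2 u  181m  512  376   32.169   17.084   0.315
+ntp2.example.lan 203.0.113.11     2 u   60   512  377   35.400   -2.510   0.820
 ntp3.example.lan .INIT.          16 u    -  1024    0    0.000    0.000   0.000'

# system_peer: print "remote reach offset" for the row marked '*', or nothing.
system_peer() {
    awk 'substr($0,1,1) == "*" { print substr($1,2), $7, $9 }'
}

# ntp_health: read ntpq -p text on stdin, print a verdict and return 0 when
# healthy, 1 otherwise. MAX_OFFSET_MS (hypothetical, default 1000) bounds |offset|.
ntp_health() {
    max=${MAX_OFFSET_MS:-1000}
    set -- $(system_peer)
    if [ $# -ne 3 ]; then
        echo "WARN: no system peer selected (ntpd not yet synchronised, or every server unreachable)"
        return 1
    fi
    peer=$1; reach=$2; offset=$3
    status=0
    # reach is an 8-bit shift register printed in octal: 377 means all of the
    # last eight polls were answered, anything less means missed polls.
    if [ "$reach" != "377" ]; then
        echo "WARN: $peer missed recent polls (reach=$reach)"
        status=1
    fi
    # offset is in milliseconds; compare its magnitude against the tolerance
    over=$(awk -v o="$offset" -v m="$max" 'BEGIN { a = (o < 0) ? -o : o; if (a > m) print 1; else print 0 }')
    if [ "$over" -eq 1 ]; then
        echo "WARN: $peer offset ${offset}ms exceeds ${max}ms"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: synced to $peer, offset ${offset}ms, reach $reach"
    return $status
}

# Stand-alone run: use the live command when present, else the sample.
if command -v ntpq >/dev/null 2>&1; then
    ntpq -p | ntp_health || echo "time sync needs attention"
else
    printf '%s\n' "$SAMPLE_NTPQ" | ntp_health || echo "time sync needs attention"
fi
```

On the sample this warns about reach 376, the one missed poll in the post’s own output; a row that reads offset 0.000 with reach 0 is the “server offline” case the loopinfo notes above describe, and it shows up here as no system peer being selected at all.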

June 9th, 2011

Posted In: Mac OS X, Mac OS X Server, Mac Security, Ubuntu, Unix, Windows XP
