krypted.com

Tiny Deathstars of Foulness

Configuring Calendar Server in Yosemite Server is a fairly simple and straightforward process. The Calendar Server is a CalDAV server that uses HTTP and HTTPS, running on ports 8008 and 8443 respectively. To enable the Calendar service in Yosemite Server, open the Server application and click on Calendar in the SERVICES section of the sidebar.

Once open, click on Edit to enable email notifications of invitations in the Calendar Server. Provide the email address and then click on the Next button.

At the Configure Server Email Address screen, provide the type of incoming mail service in use, the address of the mail server, the port number (if not the standard port for HTTPS-based IMAP, or POP if you’d prefer), the user name and the valid password for the account. Then click on the Next button.

At the outgoing mail server screen, provide the Outgoing Mail Server address, the port, whether or not SSL is in use (it should be if possible), the password protocol, the user name and the password. Then click on the Next button.

At the Mail Account Summary screen, review the settings and if correct, click Finish. Back at the service configuration screen, click on the plus sign (“+”) and provide a type of location, an address, a delegate, a name for the location and whether or not invitations to the resource are accepted, and then enter the account name for any accounts that can manage the location’s calendar (they will auto-complete, so there’s no need to remember users and groups exactly). Click Done to complete the setup. Use the Resource setting in Type to configure a resource instead of a location. The two are the same except for the Type field.

There are a number of other settings that can be configured, but those are exposed only at the command line. To configure them, open the command line and then review the list of Calendar service settings using the settings option of the serveradmin command:

sudo serveradmin settings calendar

There are a number of settings for the Calendar service, including the following:

calendar:SSLCertificate = "/etc/certificates/Server Fallback SSL Certificate.11C002258ECABBFB37846C9B0CEA59391D4759AD.cert.pem"
calendar:EnableCalDAV = yes
calendar:Notifications:Services:APNS:CardDAV:CertificatePath = "/Library/Server/Calendar and Contacts/Config/Certificates/apns:com.apple.contact.cert.pem"
calendar:Notifications:Services:APNS:CardDAV:PrivateKeyPath = "/Library/Server/Calendar and Contacts/Config/Certificates/apns:com.apple.contact.key.pem"
calendar:Notifications:Services:APNS:CardDAV:AuthorityChainPath = "/Library/Server/Calendar and Contacts/Config/Certificates/apns:com.apple.contact.chain.pem"
calendar:Notifications:Services:APNS:CalDAV:CertificatePath = "/Library/Server/Calendar and Contacts/Config/Certificates/apns:com.apple.calendar.cert.pem"
calendar:Notifications:Services:APNS:CalDAV:PrivateKeyPath = "/Library/Server/Calendar and Contacts/Config/Certificates/apns:com.apple.calendar.key.pem"
calendar:Notifications:Services:APNS:CalDAV:AuthorityChainPath = "/Library/Server/Calendar and Contacts/Config/Certificates/apns:com.apple.calendar.chain.pem"
calendar:Notifications:Services:APNS:Enabled = yes
calendar:SSLAuthorityChain = "/etc/certificates/Server Fallback SSL Certificate.11C002258ECABBFB37846C9B0CEA59391D4759AD.chain.pem"
calendar:DefaultLogLevel = "warn"
calendar:Authentication:Digest:Enabled = yes
calendar:Authentication:Digest:AllowedOverWireUnencrypted = yes
calendar:Authentication:Kerberos:Enabled = yes
calendar:Authentication:Kerberos:AllowedOverWireUnencrypted = yes
calendar:Authentication:Wiki:Enabled = yes
calendar:Authentication:Basic:Enabled = yes
calendar:Authentication:Basic:AllowedOverWireUnencrypted = no
calendar:ServerHostName = "mavserver.takecontrolbooks.com"
calendar:Scheduling:iMIP:Sending:UseSSL = yes
calendar:Scheduling:iMIP:Sending:Server = "mail.krypted.com"
calendar:Scheduling:iMIP:Sending:Address = "com.apple.calendarserver@calendar.krypted.com"
calendar:Scheduling:iMIP:Sending:Username = "admin"
calendar:Scheduling:iMIP:Sending:Password = "Mitroae123"
calendar:Scheduling:iMIP:Sending:Port = 465
calendar:Scheduling:iMIP:Enabled = yes
calendar:Scheduling:iMIP:Receiving:UseSSL = yes
calendar:Scheduling:iMIP:Receiving:Server = "mail.krypted.com"
calendar:Scheduling:iMIP:Receiving:Type = "imap"
calendar:Scheduling:iMIP:Receiving:Username = "krypted"
calendar:Scheduling:iMIP:Receiving:Password = "Mitroae123"
calendar:Scheduling:iMIP:Receiving:Port = 993
calendar:DataRoot = "/Library/Server/Calendar and Contacts/Data"
calendar:EnableCardDAV = no
calendar:SSLPort = 8443
calendar:LogLevels = _empty_dictionary
calendar:DirectoryAddressBook:params:queryUserRecords = no
calendar:DirectoryAddressBook:params:queryPeopleRecords = no
calendar:SSLPrivateKey = "/etc/certificates/Server Fallback SSL Certificate.11C002258ECABBFB37846C9B0CEA59391D4759AD.key.pem"
calendar:EnableSSL = yes
calendar:RedirectHTTPToHTTPS = yes
calendar:EnableAPNS = yes
calendar:EnableSearchAddressBook = no
calendar:HTTPPort = 8008
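
The listing above returns the iMIP mail passwords in clear text and shows which authentication methods are allowed over unencrypted connections. The following is an added example, not part of the original post and not an Apple tool: it reads serveradmin output on stdin, reports those settings without echoing any secret, and redacts passwords before the output is shared. The function names and the SECRET/WEAK/REVIEW labels are this example's own, and the sample input is constructed with placeholder values.

```shell
# Added example: audit `serveradmin settings calendar` output read on stdin.
# On a server: sudo serveradmin settings calendar | audit_calendar_settings
audit_calendar_settings() {
  awk '
    {
      i = index($0, " = "); if (i == 0) next
      key = substr($0, 1, i - 1); val = substr($0, i + 3)
      gsub(/^"|"$/, "", val)   # drop surrounding quotes
    }
    # Stored mail passwords come back in clear text; report the key only.
    key ~ /:Password$/ && val != "" {
      print "SECRET " key " is printed in clear text"
    }
    # Basic sends the password itself, so plaintext Basic is the worst case.
    key == "calendar:Authentication:Basic:AllowedOverWireUnencrypted" && val == "yes" {
      print "WEAK " key " = yes"; next
    }
    key ~ /:AllowedOverWireUnencrypted$/ && val == "yes" {
      print "REVIEW " key " = yes"
    }
    key ~ /:iMIP:(Sending|Receiving):UseSSL$/ && val == "no" {
      print "WEAK " key " = no"
    }
    (key == "calendar:EnableSSL" || key == "calendar:RedirectHTTPToHTTPS") && val == "no" {
      print "WEAK " key " = no"
    }
    key == "calendar:SSLCertificate" && val ~ /Server Fallback SSL Certificate/ {
      print "REVIEW " key " is the Server Fallback certificate"
    }
  '
}

# Replace every stored password before the output is pasted anywhere.
redact_calendar_settings() {
  sed 's/\(:Password = \).*/\1"<redacted>"/'
}

# Constructed sample modelled on the listing above; values are placeholders.
sample_settings() {
  cat <<'EOF'
calendar:SSLCertificate = "/etc/certificates/Server Fallback SSL Certificate.PLACEHOLDER.cert.pem"
calendar:Authentication:Digest:AllowedOverWireUnencrypted = yes
calendar:Authentication:Kerberos:AllowedOverWireUnencrypted = yes
calendar:Authentication:Basic:AllowedOverWireUnencrypted = no
calendar:Scheduling:iMIP:Sending:UseSSL = yes
calendar:Scheduling:iMIP:Sending:Password = "PLACEHOLDER-PASSWORD"
calendar:Scheduling:iMIP:Receiving:UseSSL = no
calendar:Scheduling:iMIP:Receiving:Password = "PLACEHOLDER-PASSWORD"
calendar:EnableSSL = yes
EOF
}

sample_settings | audit_calendar_settings
```

To share settings for troubleshooting, pipe the real output through redact_calendar_settings first.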

One of the more common settings to configure is the port number that CalDAV runs on. To configure HTTP:

sudo serveradmin settings calendar:HTTPPort = 8008

For HTTPS:

sudo serveradmin settings calendar:SSLPort = 8443

You can then start the service using the start option:

sudo serveradmin start calendar

Or to stop it:

sudo serveradmin stop calendar

Or to get the status:

sudo serveradmin fullstatus calendar

Full status indicates that the three services are running:

calendar:readWriteSettingsVersion = 1
calendar:setStateVersion = 1
calendar:state = "RUNNING"
calendar:contactsState = "RUNNING"
calendar:calendarState = "RUNNING"

Once the Calendar server is configured, use the Calendar application to communicate with the server. Open the Calendar application and click on the Calendar menu and select Preferences. From the Preferences screen, click on Accounts to bring up a list of accounts. Here, click on the plus sign (“+”) to bring up the “Add an Account” screen.

At the “Add an Account” screen, select Add CalDAV Account.

Select CalDAV from the Account Type menu and then enter the User Name and password configured on the server, and add the address of the server if you don’t have any service records pointing to the server. The User Name is usually the name provided in Server app, followed by @ and then the address of the server.

Once the server is configured it appears in the list of accounts in the sidebar of the Calendar app. Create calendars in the account and then to share a calendar, right-click on the calendar and click on Share Calendar…

At the Share Calendar screen, provide the name the calendar should appear as to others and click on the plus sign (“+”) and enter any accounts to delegate administration to.

Back at the Calendar Settings screen, use the settings to configure Availability and refresh rate of calendars. Click on Server Settings to assign custom port numbers.

Click on the Delegation tab to view any accounts you’ve been given access to.

Use the Edit button to configure who has delegated access to calendars, as opposed to configuring subscriptions.

Overall, the Calendar service in Yosemite Server is one of the easiest to configure. Most of the work goes into settings configured on client systems. This, as with Exchange, distributes administration, often making administration more complicated than with many other tools. But that’s a good thing; no one wants to access other people’s accounts, for calendars or mail for that matter, without those users knowing that it was done, as will happen when resetting passwords…

October 16th, 2014

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment


Mountain Lion Server comes with a few new alerting options previously unavailable in versions of OS X. The alerts are sent to administrators via servermgrd and configured in the Server app. To configure alerts in Mountain Lion Server, open the Server app and then click on Alerts in the Server app sidebar. Next, click on the Delivery tab.

At the Delivery screen, click on the Edit button for Email Addresses and enter every email address that should receive alerts sent from the server. Then click on the Edit button for Push Notifications. Here, check the box for each administrator of the server. The email address on file for the user then receives push notifications of events from the server.

Click on OK when you’ve configured all of the appropriate administrators for alerting. Then, check the boxes for Email and Push for each of the alerts you want to receive (you don’t have to check both for each entry). Options include:

  • Certificate expiration: One of the certificates installed on the system (including Push) will expire soon and needs to be updated.
  • Disk unreachable: A disk that was mounted on the server is no longer available (you will get these when you rotate offsite backup hard drives if using spinning or solid state disks)
  • S.M.A.R.T. status: A disk has an error with its S.M.A.R.T. What this really means usually is that it would be very smart to replace the disk that’s likely to fail soon
  • Disk space: The server is running out of hard drive space
  • Mail storage quota: A mail quota has been exceeded
  • Virus detected: A virus was detected on the server
  • Network configuration change: The port state of the server changed, an IP address changed, etc.
  • Software updates: There are software updates available to be installed on the server computer

Some of these settings can be configured a little more granularly. For example, by default the disk space alert is sent when only 5% of the disk space on the server remains free. To increase this to 10, use serveradmin settings to set info:notifications:diskFull:freeSpaceThreshold to 10 rather than 5:

sudo serveradmin settings info:notifications:diskFull:freeSpaceThreshold = 10

To see a list of all notification options, run:

sudo serveradmin settings info:notifications

Which provides the following:

info:notifications:certificateExpiration:active = no
info:notifications:certificateExpiration:who = _empty_array
info:notifications:suAvailable:active = no
info:notifications:suAvailable:who = _empty_array
info:notifications:diskFull:active = no
info:notifications:diskFull:who = _empty_array
info:notifications:diskFull:freeSpaceThreshold = 5

Finally, as with previous versions of OS X Server, Mountain Lion Server has SNMP built in. The configuration file is located at /private/etc/snmp/snmpd.conf and the built-in LaunchDaemon is org.net-snmp.snmpd, where the actual binary being called is /usr/sbin/snmpd (by default it’s called with a -f option). Once started, the default community name should be COMMUNITY (easily changed in the conf file). To test, use the following command from a client (the client is 192.168.210.99 in the following example):

snmpwalk -On -v 1 -c COMMUNITY 192.168.210.99

August 4th, 2012

Posted In: Mac OS X, Mac OS X Server, Mac Security


Out of Office responses to incoming email are an incredibly useful thing to have with any mail server. In Microsoft Exchange, these are sent by the server on behalf of each user when the user has enabled them. Out of Office messages can be configured using the Exchange web portal or using a standard mail client, which has, up until now, usually been Outlook. In Lion, Apple has built an Out of Office setting into Mail.app.

To configure an Out of Office message using Mail in Mac OS X 10.7, first configure the Mail client to communicate with the Exchange server. Then open Mail.app from /Applications. Right-click on the name of the account (or Inbox if you only use one account) and select Get Info from the contextual menu.


Click on the Out Of Office tab and check Send Out of Office Replies to enable the Out of Office message. A different message can be sent to users in your domain than to users outside of your domain; enter the Out of Office Response for users of each.

Out of Office replies will then be sent by the server on behalf of the user account.

July 9th, 2011

Posted In: Mac OS X, Mass Deployment


In a constant search for achieving comment nirvana for the sites I manage, I was recently looking into integrating WordPress (and a couple of other CMS engines) with Facebook. The sites are set up to only allow authenticated users to comment and it just seemed like with all of the single sign-on technology out there that it just didn’t have to be so annoying. After installing the OpenID integration it seemed like there still had to be a better way to allow even more people to authenticate. How about Facebook?

Facebook has done a lot of work on making their API one of the best in the social networking world. The initial implementation of FBML was a little clunky (a client was an early adopter) but it proved to be one of the things that set them apart from the competition. And the API doesn’t just allow for embedding objects into Facebook, it allows for extending Facebook out as well. One of the best examples of this is for authentication.

Which brings us to actually making it work. The first thing to do is go grab an API key. To do so, visit http://www.facebook.com/developers/apps.php and click on Set Up New Application (or http://www.facebook.com/developers/createapp.php?version=new). Provide the domain name and any other required fields and out pops an API key and a secret. The API key will be exposed but the secret will act as a password of sorts, much the same way many other key exchanges function. Copy these and do not give them out.

Once you have your key, go to your WordPress site and log into the admin page. From there, click on Plugins and then click on Add New. Search for WP-FacebookConnect. Install the one from Adam Hupp and then locate it in your sidebar (it will say Facebook Connect). Click on it and then provide the API Key and Secret and click on Update Options.

Now that the plugin is installed and configured, it’s time to add it to your theme. This part is a little more tricky than most but it can be as simple as a single paste. Copy this into your clipboard:

<?php do_action('fbc_display_login_button'); ?>

Now click on Appearance back in the sidebar and then click on Editor. In the Editor scroll towards the bottom (usually) and locate the form that takes in the comments, which likely begins with:

<div id="comment-form">

Now paste it in immediately above or somewhere inside the form, which means somewhere below the first line but above the following:

</div>

Once done, open one of your pages and you should see the Connect with your Facebook Account icon so you can authenticate using Facebook. You can also move the text around in the box by moving between areas in the comments.php file (in the themes screen). If you don’t see the Facebook icon then try accessing the site from another browser as you might still be logged into your administrative portal.

Finally, consider the strategy that you use for managing comments. You can still hold comments for approval, you can still approve once and give users unbridled commenting love and you can still scan comments for spam using one of the filters for doing so. That is up to you. But you now have an easy-to-authenticate-to solution where visitors don’t have to sign up and get an email back, etc. But they can if you want, given that there are still at least 4 or 5 people (I believe they are in deep freeze somewhere) who don’t use Facebook, and you wouldn’t want to alienate them!

January 28th, 2010

Posted In: WordPress


I originally posted this at http://www.318.com/TechJournal

Ever get an email from yourself that you didn’t send? Ever get spam from someone that you can’t reply to? Using the settings of an email program, it is possible to pretend to be anyone that you would like. If you want to send email from bill.gates@microsoft.com then that is entirely possible. Finding the address of who actually sent email is easy, but ensuring the identity of the sender is not part of standard email.

This is where the protocols for PGP, Pretty Good Privacy, and GPG, or GNU Privacy Guard, come into play. GPG and PGP are Open Source suites of applications allowing senders to digitally sign outgoing emails in such a way that it is highly unlikely that anyone else could have sent the message. In order to use their digital signature senders are required to enter a password to send the message.

It is also possible to use GPG to encrypt email using a shared password. This allows for forcing a password to both send and receive the message. Encrypting messages ensures both the identity of the sender and the identity of the receiver. Anyone that intercepts a message in transit or finds the message on either system at a later date cannot open the message without the password to do so.

GPG and PGP provide strong encryption measures to ensure privacy over public mediums of messaging. Email is not the only use for this. GPG can also be used to encrypt a file before transferring it using other methods such as FTP or the web. The commercial version of PGP can also be set up to encrypt certain instant messaging traffic and an entire hard disk.

July 2nd, 2006

Posted In: Articles and Books, Business, Consulting, Kerio, Mac Security, Microsoft Exchange Server
