Tiny Deathstars of Foulness

Configuring Calendar Server in Yosemite Server is a fairly simple and straight forward process. The Calendar Server is a CalDAV Server, leveraging HTTP and HTTPS, running on ports 8008 and 8443 respectively. To enable the Calendar service in Yosemite Server, open the Server application and click on Calendar in the SERVICES section of the sidebar. Calendar1 Once open, click on Edit to enable email notifications of invitations in the Calendar Server. Provide the email address and then click on the Next button. Calendar2 At the Configure Server Email Address screen, provide the type of incoming mail service in use, provide the address of the mail server and then the port number used, if not a standard port for HTTPS-based IMAP (or POP if you’d prefer), the user name and the valid password for the account. Then click on the Next button. Calendar3 At the outgoing mail server screen, provide the Outgoing Mail Server address, the port, whether or not SSL is in use (it should be if possible), the password protocol, the user name and the password. Then click on the Next button. Calendar4 At the Mail Account Summary screen, review the settings and if correct, click Finish. Back at the service configuration screen, click on the plus sign (“+”) and provide a type of location, an address, a delegate, a name for the location, whether or not invitations to the resource are accepted and then enter the account name for any accounts that can manage the location’s calendar (they will auto-complete, so there’s no need to remember users and groups exactly). Click Done to complete the setup. Use the Resource setting in type to configure a resource instead of a location. The two are the same, except the Type field. Calendar5 There are a number of settings that can also be configured. But those are exposed only at the command line. To configure them, open the command line and then review the list of Calendar service settings using the list option of the serveradmin command: sudo serveradmin settings calendar There are a number of settings for the Calendar service, including the following: calendar:SSLCertificate = "/etc/certificates/Server Fallback SSL Certificate.11C002258ECABBFB37846C9B0CEA59391D4759AD.cert.pem" calendar:EnableCalDAV = yes calendar:Notifications:Services:APNS:CardDAV:CertificatePath = "/Library/Server/Calendar and Contacts/Config/Certificates/" calendar:Notifications:Services:APNS:CardDAV:PrivateKeyPath = "/Library/Server/Calendar and Contacts/Config/Certificates/" calendar:Notifications:Services:APNS:CardDAV:AuthorityChainPath = "/Library/Server/Calendar and Contacts/Config/Certificates/" calendar:Notifications:Services:APNS:CalDAV:CertificatePath = "/Library/Server/Calendar and Contacts/Config/Certificates/" calendar:Notifications:Services:APNS:CalDAV:PrivateKeyPath = "/Library/Server/Calendar and Contacts/Config/Certificates/" calendar:Notifications:Services:APNS:CalDAV:AuthorityChainPath = "/Library/Server/Calendar and Contacts/Config/Certificates/" calendar:Notifications:Services:APNS:Enabled = yes calendar:SSLAuthorityChain = "/etc/certificates/Server Fallback SSL Certificate.11C002258ECABBFB37846C9B0CEA59391D4759AD.chain.pem" calendar:DefaultLogLevel = "warn" calendar:Authentication:Digest:Enabled = yes calendar:Authentication:Digest:AllowedOverWireUnencrypted = yes calendar:Authentication:Kerberos:Enabled = yes calendar:Authentication:Kerberos:AllowedOverWireUnencrypted = yes calendar:Authentication:Wiki:Enabled = yes calendar:Authentication:Basic:Enabled = yes calendar:Authentication:Basic:AllowedOverWireUnencrypted = no calendar:ServerHostName = "" calendar:Scheduling:iMIP:Sending:UseSSL = yes calendar:Scheduling:iMIP:Sending:Server = "" calendar:Scheduling:iMIP:Sending:Address = "" calendar:Scheduling:iMIP:Sending:Username = "admin" calendar:Scheduling:iMIP:Sending:Password = "Mitroae123" calendar:Scheduling:iMIP:Sending:Port = 465 calendar:Scheduling:iMIP:Enabled = yes calendar:Scheduling:iMIP:Receiving:UseSSL = yes calendar:Scheduling:iMIP:Receiving:Server = "" calendar:Scheduling:iMIP:Receiving:Type = "imap" calendar:Scheduling:iMIP:Receiving:Username = "krypted" calendar:Scheduling:iMIP:Receiving:Password = "Mitroae123" calendar:Scheduling:iMIP:Receiving:Port = 993 calendar:DataRoot = "/Library/Server/Calendar and Contacts/Data" calendar:EnableCardDAV = no calendar:SSLPort = 8443 calendar:LogLevels = _empty_dictionary calendar:DirectoryAddressBook:params:queryUserRecords = no calendar:DirectoryAddressBook:params:queryPeopleRecords = no calendar:SSLPrivateKey = "/etc/certificates/Server Fallback SSL Certificate.11C002258ECABBFB37846C9B0CEA59391D4759AD.key.pem" calendar:EnableSSL = yes calendar:RedirectHTTPToHTTPS = yes calendar:EnableAPNS = yes calendar:EnableSearchAddressBook = no calendar:HTTPPort = 8008 One of the more common settings to configure is the port number that CalDAV runs on. To configure HTTP: sudo serveradmin settings calendar:HTTPPort = 8008 For HTTPS: sudo serveradmin settings calendar:SSLPort = 8443 You can then start the service using the start option: sudo serveradmin start calendar Or to stop it: sudo serveradmin stop calendar Or to get the status: sudo serveradmin fullstatus calendar Full status indicates that the three services are running: calendar:readWriteSettingsVersion = 1
calendar:setStateVersion = 1
calendar:state = "RUNNING"
calendar:contactsState = "RUNNING"
calendar:calendarState = "RUNNING" Once the Calendar server is configured, use the Calendar application to communicate with the server. Open the Calendar application and click on the Calendar menu and select Preferences. From the Preferences screen, click on Accounts to bring up a list of accounts. Here, click on the plus sign (“+”) to bring up the “Add an Account” screen. Calendar6 At the “Add an Account” screen, select Add CalDAV Account. Calendar7 CalDAV from the Account Type menu and then enter the User Name and password configured on the server, and add the address of the server if you don’t have any service records pointing to the server. The User Name is usually the name provided in Server app, followed by @ and then the address of the server. Calendar8 Once the server is configured it appears in the list of accounts in the sidebar of the Calendar app. Create calendars in the account and then to share a calendar, right-click on the calendar and click on Share Calendar… Calendar9 At the Share Calendar screen, provide the name the calendar should appear as to others and click on the plus sign (“+”) and enter any accounts to delegate administration to. Calendar10 Back at the Calendar Settings screen, use the settings to configure Availability and refresh rate of calendars, as seen above. Click on Server Settings to assign custom port numbers. Calendar11 Click on the Delegation tab to view any accounts you’ve been given access to. Calendar12 Use the Edit button to configure who has delegated access to calendars, as opposed to configuring subscriptions. Overall, the Calendar service in Yosemite Server is one of the easiest to configure. Most of the work goes into settings configured on client systems. This, as with Exchange, dedistributes administration, often making administration more complicated than with many other tools. But that’s a good thing; no one wants to access other peoples accounts, for calendars or mail for that matter, without those users knowing that it was done, as will happen when resetting passwords…

October 16th, 2014

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , , , , , , , , ,

Mail is one of the hardest services to manage. Actually, mail is pretty simple in and of itself: there’s protocols people use to access their mail (such as IMAP and POP), protocols used to communicate between mail servers and send mail (SMTP, SMTPS) and then there’s a database of mail and user information. In Mavericks Server, all of these are represented by a single ON button, so it really couldn’t be easier. But then there’s the ecoysystem and the evil spammers. As a systems administrator of a large number of mail servers, I firmly believe that there is a special kind of hell where only spam is served at every meal for spammers. Here, the evil spammers must also read every piece of spam ever sent for eternity. By the end (aka Ragnarok), they should have the chemically induced stamina of a 16 year old with the latest Sports Illustrated Swimsuit issue, enough pills of other types to not be able to use that stamina, plenty of African princes looking to donate large sums of money if only they can be helped out of their country (which should cost about 100,000 compared to a 5,000,000 payout, not a bad ROI, right?!?!?), have their conflicting stamina situation at the top of the search engines and of course, have lost all of the money made from their African princes due to getting their credit card hijacked by about 9,000 phishing scams. All in all, a special kind of hell…

But back to the point of the article, setting up mail. The things that mail administrators need to focus on to keep that mail server flowing mail to and from everyone else in the world:
  • Static IP address. The WAN (and LAN probably) address should be static.
  • Port Forwards. Port forwards need to be configured on the gateway for the SMTP port at a minimum and more than likely other ports used to access mail on client devices (25, 143, etc)
  • DNS records. An MX record and some kind of type of record should definitely be configured for the DNS servers that are authoritative for the domain. There should also be reverse records for the address of the server, usually created by the Internet Services Provider, or ISP, that match that record.
  • Check the RBLs. If you have a new IP address you’ll be putting a DNS server on, check all the major Realtime BlackLists to make sure that some evil spammer hasn’t squatted on the IP before you got to it. This is true whether you’re in a colo, hosted on an IP you own or moving into space formerly occupied by a very standup company. A lot of IP addresses are blocked, as are blocks of IPs, so before moving mail to an IP, check it.
  • Mail filtration (message hygiene). OS X Server has a number of mail filters built in, including clam for viruses, the ability to leverage RBLs, block specific addresses and of course RBL checking. However, this is often not enough. Third party services such as MXLogic help to keep mail from coming into your network. You also end up with an external IP to send mail that can cache mail in the event the server is down and keep mail off your network in the event that it’s spam.
  • Backup. I am firmly of the belief that I’d rather not have data than not have that data backed up…
Once all of that is taken care of (I’ll add more as I think about it) then it’s time to enable the mail service in Server app 3. Actually, first let’s setup our SSL certificates. To do so, open the Server app and click on Certificates in the SERVER section of the sidebar. Here, use the “Secure services using” drop-down list and click on Custom… for each protocol to select the appropriate certificate to be used for the service. Screen Shot 2013-10-06 at 9.04.25 PM Click OK when they’re all configure. Now let’s enable the mail service (or outsource mail). To do so, open the Server app and click on Mail in the SERVICES list in the sidebar. Screen Shot 2013-10-06 at 9.05.02 PMAt the configuration screen is a sparse number of settings:
  • Provide mail for: Configures all of the domains the mail server will listen for mail for. Each account on the server has a short name and each domain name will be available for each short name. For example, an account with a shortname of charles will be available for email addresses of and per the Domain Name listing below.Screen Shot 2013-10-06 at 9.05.45 PM
  • Authentication: Click Edit for a list of sources that accounts can authenticate against (e.g. Active Directory, Open Directory, Custom, Local, etc) and in some cases the specific password algorithms used for mail.Screen Shot 2013-10-06 at 9.06.17 PM
  • Push Notifications: If Push is configured previously there’s no need to use this option. Otherwise, use your institutional APNS account to configure Push Notifications.Screen Shot 2013-10-06 at 9.07.25 PM
  • Relay outgoing mail through ISP: Provide a server that all mail will get routed through from the server. For example, this might be an account with your Internet Services Provider (ISP), an account on an appliance that you own (such as a Barracuda) or with an external filtering service (such as MXLogic).Screen Shot 2013-10-06 at 9.07.57 PM
  • Limit mail to: Configure the total amount of mail a user can have in the mail store, in Megabytes.
  • Edit Filtering Settings: Configure antivirus, spam assassin and junk mail filters. The “Enable virus filtering” checkbox enables clam. The “Enable blacklist filtering” checks the RBL (or RBLs) of your choice to check whether a given server is a “known” spammer and the “Enable junk mail filtering” option enables spam assassin on the host, configuring it to block based on a score as selected using the slider.Screen Shot 2013-10-06 at 9.08.44 PM
Once you’ve configured the settings for the Mail service, click on the ON slider to enable the service. At this point, you should be able to telnet into port 25 of the host to verify that SMTP is listening, preferably from another mail server: telnet 25 You can also check that the mail services are running using the serveradmin command along with the fullstatus option for the mail service: sudo serveradmin fullstatus mail Which returns with some pretty verbose information about the service, including state, connections, running protocols and the rest of the following: mail:startedTime = "" mail:setStateVersion = 1 mail:state = "STOPPED" mail:protocolsArray:_array_index:0:status = "ON" mail:protocolsArray:_array_index:0:kind = "INCOMING" mail:protocolsArray:_array_index:0:protocol = "IMAP" mail:protocolsArray:_array_index:0:state = "STOPPED" mail:protocolsArray:_array_index:0:service = "MailAccess" mail:protocolsArray:_array_index:0:error = "" mail:protocolsArray:_array_index:1:status = "ON" mail:protocolsArray:_array_index:1:kind = "INCOMING" mail:protocolsArray:_array_index:1:protocol = "POP3" mail:protocolsArray:_array_index:1:state = "STOPPED" mail:protocolsArray:_array_index:1:service = "MailAccess" mail:protocolsArray:_array_index:1:error = "" mail:protocolsArray:_array_index:2:status = "ON" mail:protocolsArray:_array_index:2:kind = "INCOMING" mail:protocolsArray:_array_index:2:protocol = "SMTP" mail:protocolsArray:_array_index:2:state = "STOPPED" mail:protocolsArray:_array_index:2:service = "MailTransferAgent" mail:protocolsArray:_array_index:2:error = "" mail:protocolsArray:_array_index:3:status = "ON" mail:protocolsArray:_array_index:3:kind = "OUTGOING" mail:protocolsArray:_array_index:3:protocol = "SMTP" mail:protocolsArray:_array_index:3:state = "STOPPED" mail:protocolsArray:_array_index:3:service = "MailTransferAgent" mail:protocolsArray:_array_index:3:error = "" mail:protocolsArray:_array_index:4:status = "OFF" mail:protocolsArray:_array_index:4:kind = "INCOMING" mail:protocolsArray:_array_index:4:protocol = "" mail:protocolsArray:_array_index:4:state = "STOPPED" mail:protocolsArray:_array_index:4:service = "ListServer" mail:protocolsArray:_array_index:4:error = "" mail:protocolsArray:_array_index:5:status = "ON" mail:protocolsArray:_array_index:5:kind = "INCOMING" mail:protocolsArray:_array_index:5:protocol = "" mail:protocolsArray:_array_index:5:state = "STOPPED" mail:protocolsArray:_array_index:5:service = "JunkMailFilter" mail:protocolsArray:_array_index:5:error = "" mail:protocolsArray:_array_index:6:status = "ON" mail:protocolsArray:_array_index:6:kind = "INCOMING" mail:protocolsArray:_array_index:6:protocol = "" mail:protocolsArray:_array_index:6:state = "STOPPED" mail:protocolsArray:_array_index:6:service = "VirusScanner" mail:protocolsArray:_array_index:6:error = "" mail:protocolsArray:_array_index:7:status = "ON" mail:protocolsArray:_array_index:7:kind = "INCOMING" mail:protocolsArray:_array_index:7:protocol = "" mail:protocolsArray:_array_index:7:state = "STOPPED" mail:protocolsArray:_array_index:7:service = "VirusDatabaseUpdater" mail:protocolsArray:_array_index:7:error = "" mail:logPaths:Server Error Log = "/Library/Logs/Mail/mail-err.log" mail:logPaths:IMAP Log = "/Library/Logs/Mail/mail-info.log" mail:logPaths:Server Log = "/Library/Logs/Mail/mail-info.log" mail:logPaths:POP Log = "/Library/Logs/Mail/mail-info.log" mail:logPaths:SMTP Log = "/var/log/mail.log" mail:logPaths:List Server Log = "/Library/Logs/Mail/listserver.log" mail:logPaths:Migration Log = "/Library/Logs/MailMigration.log" mail:logPaths:Virus Log = "/Library/Logs/Mail/clamav.log" mail:logPaths:Amavisd Log = "/Library/Logs/Mail/amavis.log" mail:logPaths:Virus DB Log = "/Library/Logs/Mail/freshclam.log" mail:imapStartedTime = "" mail:postfixStartedTime = "" mail:servicePortsRestrictionInfo = _empty_array mail:servicePortsAreRestricted = "NO" mail:connectionCount = 0 mail:readWriteSettingsVersion = 1 mail:serviceStatus = "DISABLED" To stop the service: sudo serveradmin stop mail And to start it back up: sudo serveradmin start mail To configure some of the settings no longer in the GUI from previous versions, let’s look at the full list of options: sudo serveradmin settings mail One that is commonly changed is the subject line added to messages that are marked as spam by spam assassin. This is stored in mail:postfix:spam_subject_tag, so changing would be: sudo serveradmin settings mail:postfix:spam_subject_tag = "***DIEEVILSPAMMERSDIE*** " A number of admins also choose to disable greylisting, done using the mail:postfix:greylist_disable option: sudo serveradmin settings mail:postfix:greylist_disable = no To configure an email address for quarantined mail to go, use mail:postfix:virus_quarantine: sudo serveradmin settings mail:postfix:virus_quarantine = "" The administrator, by default, doesn’t get an email when an email containing a file infected with a virus is sent through the server. To enable this option: sudo serveradmin settings mail:postfix:virus_notify_admin = yes I also find a lot of Mac environments want to accept email of pretty much any size. By default, message size limits are enabled. To disable: sudo serveradmin settings mail:postfix:message_size_limit_enabled = yes Or even better, just set new limit: sudo serveradmin settings mail:postfix:message_size_limit = 10485760 And to configure the percentage of someone’s quota that kicks an alert (soft quota): sudo serveradmin settings mail:imap:quotawarn = 75 Additionally, the following arrays are pretty helpful, which used to have GUI options:
  • mail:postfix:mynetworks:_array_index:0 = “” – Add entries to this one to add “local” clients
  • mail:postfix:host_whitelist = _empty_array – Add whitelisted hosts
  • mail:postfix:blacklist_from = _empty_array – Add blacklisted hosts
  • mail:postfix:black_hole_domains:_array_index:0 = “” – Add additional RBL Servers
The client side of the mail service is straight forward enough. If you are wondering where in this article we discuss using webmail, er, that’s not installed by default any longer. But the open source project previously used, roundcube, is still available for download and easily installed (the pre-reqs are all there, already). Check out the roundcube wiki installation page here for more info on that. Also, mail groups. I hope to have a post about that soon enough. Unless, of course, I get sidetracked with having a life. Which is arguably not very likely…

October 23rd, 2013

Posted In: Kerio, Mac OS X, Mac OS X Server

Tags: , , , , , , , , , , , , , , , ,

When you setup a Kerio server, by default there’s a feature called AutoExpunge. This feature keeps mail clients from showing a message with a strikethrough through it when a message is marked for deletion. Once items are processed the message is moved to deleted and the strikethrough message is removed from the folder it was deleted from. Many users can get confused by this, so Kerio built a feature called AutoExpunge. That AutoExpunge feature instead of striking through messages just tosses them. That causes you to be unable to undo a delete. To disable AutoExpunge, stop Kerio Mail Server and then look for AutoExpungeOnDelete option in /usr/local/Kerio/mailserver/mailserver.cfg (I like to back that file up before making any changes). Then change the value for that from 1 to 0. Then save your changes to the file and start Kerio Connect back up. Once started, test that you can undo a delete and if so, you’re good to go! Note: If you change settings like this when the mail server is running then it can revert the settings back as the daemon is running. If that happens to you, double-check that the service is stopped before editing the file.

April 23rd, 2013

Posted In: Kerio, Mac OS X Server

Tags: , , , ,

If you have a web host that supports cPanel (a number do) then moving to Google Apps for Mail couldn’t be simpler. Just log in to your cPanel account and click on the Mail icon in the top left corner. From here, click on the last item in the list, Modify Mail Exchanger (MX Entry). Then click on change an MX Entry. In the Change MX for… drop down list, select the appropriate domain (if you only have one then there should be only the one to change and then enter in the to: field, clicking Change when you are done. According to the TTL value you will then need to wait for DNS replication to occur (it can take up 72 hours in some cases). In the meantime, mail should start to flow into your Google Apps mailboxes. The next step is to actually migrate your mail. Assuming your administrator supports IMAP for your mailboxes this should be a fairly straight forward process. From the Google Apps administrative dashboard click on Advanced Tools in the blue toolbar. Then click on Migrate mail from mail server on the Advanced page and you will see a screen asking you to enter some information about your source IMAP server (the one that currently has all your data). In the Host field, type your domain name. cPanel uses Exim, which can work with the Dovecot setting in the Server software: field. Then enter 143 into the port number field (unless you use a different port) and if you use an IMAP prefix enter it now. You will also need to enter a maximum number of connections (according to how much data you want it to attempt to migrate at once). Now you select the users whose data you will be moving. Click Next, and then choose whether to upload one or many accounts. Assuming one, you would simply enter the originating user name, target user name (in most cases these are the same) and then the password of the mailbox in cPanel. This means you need to know all your passwords, or reset them at the time of migration. Assuming many users, you would do the same thing in a csv file, creating a spreadsheet with username, source username, and source password as the columns and then populating the information from cPanel. Once done, save as csv and then use this screen to upload the file. Whichever option you chose, click on Start Migration to migrate the mail and then wait for the migration to complete. If mail will not migrate using the stock example, searching Google for answers is a start but many may need to script solutions using the Google Apps email migration API. POP mail will stay in the mailbox it was downloaded into. However, once you are done, POP users might end up redownloading mail. Contacts and calendars should be stored on your local devices and if you wish to migrate those you can (although this is going to be a more complicated process). You will also need to change the local settings if you haven’t built a CNAME in DNS to point your old incoming and outgoing server addresses to the incoming addresses that Google uses. Client configuration should be a username of the full email address, the password you entered into your Google Apps domain dashboard and the incoming server name of The outgoing mail server (SMTP) will be and it will require authentication with the same information used for incoming (POP or IMAP) mail.

July 10th, 2009

Posted In: Mac OS X

Tags: , , , , , , , , , , , , , ,