krypted.com

Tiny Deathstars of Foulness

Mail is one of the hardest services to manage. Actually, mail is pretty simple in and of itself: there’s protocols people use to access their mail (such as IMAP and POP), protocols used to communicate between mail servers and send mail (SMTP, SMTPS) and then there’s a database of mail and user information. In Mavericks Server, all of these are represented by a single ON button, so it really couldn’t be easier. But then there’s the ecoysystem and the evil spammers.

As a systems administrator of a large number of mail servers, I firmly believe that there is a special kind of hell where only spam is served at every meal for spammers. Here, the evil spammers must also read every piece of spam ever sent for eternity. By the end (aka Ragnarok), they should have the chemically induced stamina of a 16 year old with the latest Sports Illustrated Swimsuit issue, enough pills of other types to not be able to use that stamina, plenty of African princes looking to donate large sums of money if only they can be helped out of their country (which should cost about 100,000 compared to a 5,000,000 payout, not a bad ROI, right?!?!?), have their conflicting stamina situation at the top of the search engines and of course, have lost all of the money made from their African princes due to getting their credit card hijacked by about 9,000 phishing scams. All in all, a special kind of hell…

But back to the point of the article, setting up mail. The things that mail administrators need to focus on to keep that mail server flowing mail to and from everyone else in the world:

  • Static IP address. The WAN (and LAN probably) address should be static.
  • Port Forwards. Port forwards need to be configured on the gateway for the SMTP port at a minimum and more than likely other ports used to access mail on client devices (25, 143, etc)
  • DNS records. An MX record and some kind of mail.domain.com type of record should definitely be configured for the DNS servers that are authoritative for the domain. There should also be reverse records for the address of the server, usually created by the Internet Services Provider, or ISP, that match that record.
  • Check the RBLs. If you have a new IP address you’ll be putting a DNS server on, check all the major Realtime BlackLists to make sure that some evil spammer hasn’t squatted on the IP before you got to it. This is true whether you’re in a colo, hosted on an IP you own or moving into space formerly occupied by a very standup company. A lot of IP addresses are blocked, as are blocks of IPs, so before moving mail to an IP, check it.
  • Mail filtration (message hygiene). OS X Server has a number of mail filters built in, including clam for viruses, the ability to leverage RBLs, block specific addresses and of course RBL checking. However, this is often not enough. Third party services such as MXLogic help to keep mail from coming into your network. You also end up with an external IP to send mail that can cache mail in the event the server is down and keep mail off your network in the event that it’s spam.
  • Backup. I am firmly of the belief that I’d rather not have data than not have that data backed up…

Once all of that is taken care of (I’ll add more as I think about it) then it’s time to enable the mail service in the Server app running on Yosemite. Actually, first let’s setup our SSL certificates. To do so, open the Server app and click on Certificates in the SERVER section of the sidebar. Here, use the “Secure services using” drop-down list and click on Custom… for each protocol to select the appropriate certificate to be used for the service.

Mail1

Click OK when they’re all configure. Now let’s enable the mail service (or outsource mail). To do so, open the Server app and click on Mail in the SERVICES list in the sidebar.

Mail2

At the configuration screen is a sparse number of settings:

  • Provide mail for: Configures all of the domains the mail server will listen for mail for. Each account on the server has a short name and each domain name will be available for each short name. For example, an account with a shortname of charles will be available for email addresses of charles@pretendco.com and charles@krypted.com per the Domain Name listing below.Mail3
  • Authentication: Click Edit for a list of sources that accounts can authenticate against (e.g. Active Directory, Open Directory, Custom, Local, etc) and in some cases the specific password algorithms used for mail.Mail4
  • Push Notifications: If Push is configured previously there’s no need to use this option. Otherwise, use your institutional APNS account to configure Push Notifications.Mail5
  • Relay outgoing mail through ISP: Provide a server that all mail will get routed through from the server. For example, this might be an account with your Internet Services Provider (ISP), an account on an appliance that you own (such as a Barracuda) or with an external filtering service (such as MXLogic).Mail6
  • Limit mail to: Configure the total amount of mail a user can have in the mail store, in Megabytes.
  • Edit Filtering Settings: Configure antivirus, spam assassin and junk mail filters. The “Enable virus filtering” checkbox enables clam. The “Enable blacklist filtering” checks the RBL (or RBLs) of your choice to check whether a given server is a “known” spammer and the “Enable junk mail filtering” option enables spam assassin on the host, configuring it to block based on a score as selected using the slider.

Once you’ve configured the settings for the Mail service, click on the ON slider to enable the service. At this point, you should be able to telnet into port 25 of the host to verify that SMTP is listening, preferably from another mail server:

telnet mail.krypted.com 25

You can also check that the mail services are running using the serveradmin command along with the fullstatus option for the mail service:

sudo serveradmin fullstatus mail

Which returns with some pretty verbose information about the service, including state, connections, running protocols and the rest of the following:

mail:startedTime = ""
mail:setStateVersion = 1
mail:state = "STOPPED"
mail:protocolsArray:_array_index:0:status = "ON"
mail:protocolsArray:_array_index:0:kind = "INCOMING"
mail:protocolsArray:_array_index:0:protocol = "IMAP"
mail:protocolsArray:_array_index:0:state = "STOPPED"
mail:protocolsArray:_array_index:0:service = "MailAccess"
mail:protocolsArray:_array_index:0:error = ""
mail:protocolsArray:_array_index:1:status = "ON"
mail:protocolsArray:_array_index:1:kind = "INCOMING"
mail:protocolsArray:_array_index:1:protocol = "POP3"
mail:protocolsArray:_array_index:1:state = "STOPPED"
mail:protocolsArray:_array_index:1:service = "MailAccess"
mail:protocolsArray:_array_index:1:error = ""
mail:protocolsArray:_array_index:2:status = "ON"
mail:protocolsArray:_array_index:2:kind = "INCOMING"
mail:protocolsArray:_array_index:2:protocol = "SMTP"
mail:protocolsArray:_array_index:2:state = "STOPPED"
mail:protocolsArray:_array_index:2:service = "MailTransferAgent"
mail:protocolsArray:_array_index:2:error = ""
mail:protocolsArray:_array_index:3:status = "ON"
mail:protocolsArray:_array_index:3:kind = "OUTGOING"
mail:protocolsArray:_array_index:3:protocol = "SMTP"
mail:protocolsArray:_array_index:3:state = "STOPPED"
mail:protocolsArray:_array_index:3:service = "MailTransferAgent"
mail:protocolsArray:_array_index:3:error = ""
mail:protocolsArray:_array_index:4:status = "OFF"
mail:protocolsArray:_array_index:4:kind = "INCOMING"
mail:protocolsArray:_array_index:4:protocol = ""
mail:protocolsArray:_array_index:4:state = "STOPPED"
mail:protocolsArray:_array_index:4:service = "ListServer"
mail:protocolsArray:_array_index:4:error = ""
mail:protocolsArray:_array_index:5:status = "ON"
mail:protocolsArray:_array_index:5:kind = "INCOMING"
mail:protocolsArray:_array_index:5:protocol = ""
mail:protocolsArray:_array_index:5:state = "STOPPED"
mail:protocolsArray:_array_index:5:service = "JunkMailFilter"
mail:protocolsArray:_array_index:5:error = ""
mail:protocolsArray:_array_index:6:status = "ON"
mail:protocolsArray:_array_index:6:kind = "INCOMING"
mail:protocolsArray:_array_index:6:protocol = ""
mail:protocolsArray:_array_index:6:state = "STOPPED"
mail:protocolsArray:_array_index:6:service = "VirusScanner"
mail:protocolsArray:_array_index:6:error = ""
mail:protocolsArray:_array_index:7:status = "ON"
mail:protocolsArray:_array_index:7:kind = "INCOMING"
mail:protocolsArray:_array_index:7:protocol = ""
mail:protocolsArray:_array_index:7:state = "STOPPED"
mail:protocolsArray:_array_index:7:service = "VirusDatabaseUpdater"
mail:protocolsArray:_array_index:7:error = ""
mail:logPaths:Server Error Log = "/Library/Logs/Mail/mail-err.log"
mail:logPaths:IMAP Log = "/Library/Logs/Mail/mail-info.log"
mail:logPaths:Server Log = "/Library/Logs/Mail/mail-info.log"
mail:logPaths:POP Log = "/Library/Logs/Mail/mail-info.log"
mail:logPaths:SMTP Log = "/var/log/mail.log"
mail:logPaths:List Server Log = "/Library/Logs/Mail/listserver.log"
mail:logPaths:Migration Log = "/Library/Logs/MailMigration.log"
mail:logPaths:Virus Log = "/Library/Logs/Mail/clamav.log"
mail:logPaths:Amavisd Log = "/Library/Logs/Mail/amavis.log"
mail:logPaths:Virus DB Log = "/Library/Logs/Mail/freshclam.log"
mail:imapStartedTime = ""
mail:postfixStartedTime = ""
mail:servicePortsRestrictionInfo = _empty_array
mail:servicePortsAreRestricted = "NO"
mail:connectionCount = 0
mail:readWriteSettingsVersion = 1
mail:serviceStatus = "DISABLED"

To stop the service:

sudo serveradmin stop mail

And to start it back up:

sudo serveradmin start mail

To configure some of the settings no longer in the GUI from previous versions, let’s look at the full list of options:

sudo serveradmin settings mail

One that is commonly changed is the subject line added to messages that are marked as spam by spam assassin. This is stored in mail:postfix:spam_subject_tag, so changing would be:

sudo serveradmin settings mail:postfix:spam_subject_tag = "***DIEEVILSPAMMERSDIE*** "

A number of admins also choose to disable greylisting, done using the mail:postfix:greylist_disable option:

sudo serveradmin settings mail:postfix:greylist_disable = no

To configure an email address for quarantined mail to go, use mail:postfix:virus_quarantine:

sudo serveradmin settings mail:postfix:virus_quarantine = "diespammersdie@krypted.com"

The administrator, by default, doesn’t get an email when an email containing a file infected with a virus is sent through the server. To enable this option:

sudo serveradmin settings mail:postfix:virus_notify_admin = yes

I also find a lot of Mac environments want to accept email of pretty much any size. By default, message size limits are enabled. To disable:

sudo serveradmin settings mail:postfix:message_size_limit_enabled = yes

Or even better, just set new limit:

sudo serveradmin settings mail:postfix:message_size_limit = 10485760

And to configure the percentage of someone’s quota that kicks an alert (soft quota):

sudo serveradmin settings mail:imap:quotawarn = 75

Additionally, the following arrays are pretty helpful, which used to have GUI options:

  • mail:postfix:mynetworks:_array_index:0 = “127.0.0.0/8″ – Add entries to this one to add “local” clients
  • mail:postfix:host_whitelist = _empty_array – Add whitelisted hosts
  • mail:postfix:blacklist_from = _empty_array – Add blacklisted hosts
  • mail:postfix:black_hole_domains:_array_index:0 = “zen.spamhaus.org” – Add additional RBL Servers

The client side of the mail service is straight forward enough. If you are wondering where in this article we discuss using webmail, er, that’s not installed by default any longer. But the open source project previously used, roundcube, is still available for download and easily installed (the pre-reqs are all there, already). Check out the roundcube wiki installation page here for more info on that. Also, mail groups. I hope to have a post about that soon enough. Unless, of course, I get sidetracked with having a life. Which is arguably not very likely…

October 17th, 2014

Posted In: Mac OS X, Mac OS X Server, Mac Security, Microsoft Exchange Server

Tags: , , , , , , , , , , , , , ,

Push Notifications can be used in most every service OS X Mavericks Server (Server 3) can run. Any service that requires Push Notifications will provide the ability to setup APNS during the configuration of the service. But at this point, I usually just set up Push Notifications when I setup a new server.
Screen Shot 2013-10-05 at 8.16.40 AMTo enable Push Notifications for services, you’ll first need to have a valid AppleID. Once you have an AppleID, open the Server app and then click on the name of the server. At the Overview screen, click on Settings.

Screen Shot 2013-10-05 at 8.16.52 AM

At the Settings screen for your server, click on the check-box for “Enable Apple push notifications.”

Screen Shot 2013-10-05 at 8.17.07 AM

At the Apple Push Notification Services certificate screen, enter an AppleID if you have not yet configured APNS and click on OK. The Apple Push Notification Service certificate will then be configured.

Screen Shot 2013-10-05 at 8.17.31 AM

The certificate is valid for one year, by default. Administrators receive an alert when the certificate is due to expire. To renew, open the same screen and click on the Renew button.

October 23rd, 2013

Posted In: Mac OS X Server

Tags: , , , , , , , , , , ,

The terminal-notifier command is a tool used for sending messages and actions to the Notification Center. It’s a gem, so to set it up we’ll first run the gem command to install it by name:

gem install terminal-notifier

Once installed, run the command along with the -message option followed by a quoted message:

terminal-notifier -message "Hello world"

This produces a message from Notification Center as follows:

terminalnotifier1

The title on the screen though, says Terminal. We want to change the title to something else. To do so, add the -title option. Adding the -title option along with a quoted title then displays a title in the top of the notification.

terminalnotifier2

You can also add a subtitle, which allows for you to, for example, add the name of the app in either of the two fields along with the action you’re performing in the other. For example, if you wanted to add Notification Center alerts to TripWire you could do something like this:

terminal-notifier -message "There were no updates today" -title "TripWire" -subtitle "Drive Scanned"

I like to add sound to some, done using the cleverly named -sound option. Sounds include: blow, bottle, frog, funk, glass, hero, morse, ping, pop, purr, sosumi, submarine and tink. In the following example, I’m going to go ahead and do pretty much the same thing but have a command expand into the message and have it make the pop sound:

terminal-notifier -message `cat mylog.file` -title "TripWire" -subtitle "Drive Scanned" -sound pop

You can add a -group number, which is like a process ID for notifications:

terminal-notifier -message `cat mylog.file` -title "TripWire" -subtitle "Drive Scanned" -sound pop -group 101

You can then list the jobs that you fired off by the -group ID supplied earlier. For example, the following command:

terminal-notifier -list 101

Shows output as follows:

GroupID Title Subtitle Message Delivered At
101 TripWire Drive Scanned There were no updates today 2013-09-22 20:19:53 +0000

You can then remove a job by the same ID using the -remove option:

terminal-notifier -remove 101

You can also invoke actions using the -open and -execute options as well as the -activate option. Open fires up a web page, execute runs a shell script and activate opens an application. We’ll start with the script by adding -execute and linking to a shell script, that will run when someone clicks on the notification dialog:

terminal-notifier -message `cat mylog.file` -title "TripWire" -subtitle "Drive Scanned" -sound pop -group 101 -execute /scripts/champagne.sh

The -open instead of execute will fire off a web page:

terminal-notifier -message `cat mylog.file` -title "TripWire" -subtitle "Drive Scanned" -sound pop -group 101 -open http://www.krypted.com

Or use -activate to fire up an app, following it with the bundle ID:

terminal-notifier -message `cat mylog.file` -title "TripWire" -subtitle "Drive Scanned" -sound pop -group 101 -activate com.microsoft.word

Thanks to Peter for bringing this tool to my attention. I haven’t figured out how to make it persistent yet, working on that.

September 24th, 2013

Posted In: Mac OS X, Mac OS X Server, Mac Security

Tags: , , , ,

Mountain Lion Server comes with a few new alerting options previously unavailable in versions of OS X. The alerts are sent to administrators via servermgrd and configured in the Server app. To configure alerts in Mountain Lion Server, open the Server app and then click on Alerts in the Server app sidebar. Next, click on the Delivery tab.

At the Delivery screen, click on the Edit button for Email Addresses and enter every email address that should receive alerts sent from the server. Then click on the Edit button for Push Notifications. Here, check the box for each administrator of the server. The email address on file for the user then receives push notifications of events from the server.

Click on OK when you’ve configured all of the appropriate administrators for alerting. Then, check the boxes for Email and Push for each of the alerts you want to receive (you don’t have to check both for each entry). Options include:

  • Certificate expiration: One of the certificates installed on the system (including Push) will expire soon and needs to be updated.
  • Disk unreachable: A disk that was mounted on the server is no longer available (you will get these when you rotate offsite backup hard drives if using spinning or solid state disks)
  • S.M.A.R.T. status: A disk has an error with its S.M.A.R.T. What this really means usually is that it would be very smart to replace the disk that’s likely to fail soon
  • Disk space: The server is running out of hard drive space
  • Mail storage quota: A violation to the mail quota is exceeded
  • Virus detected: A virus was detected on the server
  • Network configuration change: The port state of the server changed, an IP address changed, etc.
  • Software updates: There are software updates available to be installed on the server computer

Some of these settings can be configured a little more granularly. For example, by default the disk space alert is sent when there is only 5% of the free space available on the server. To increase this to 10, edit the serveradmin settings to swap info:notifications:diskFull:freeSpaceThreshold with 10 rather than 5:

sudo serveradmin settings info:notifications:diskFull:freeSpaceThreshold = 10

To see a list of all notifications options run:

sudo serveradmin settings info:notifications

Which provides the following:

info:notifications:certificateExpiration:active = no
info:notifications:certificateExpiration:who = _empty_array
info:notifications:suAvailable:active = no
info:notifications:suAvailable:who = _empty_array
info:notifications:diskFull:active = no
info:notifications:diskFull:who = _empty_array
info:notifications:diskFull:freeSpaceThreshold = 5

Finally, as with previous versions of OS X Server, Mountain Lion Server has snmp built in. The configuration file for which is located in the /private/etc/snmp/snmpd.conf and the built-in LaunchDaemon is org.net-snmp.snmpd, where the actual binary being called is /usr/sbin/snmpd (and by default it’s called with a -f option). Once started, the default community name should be COMMUNITY (easily changed in the conf file) and to test, use the following command from a client (the client is 192.168.210.99 in the following example):

snmpwalk -On -v 1 -c COMMUNITY 192.168.210.99

August 4th, 2012

Posted In: Mac OS X, Mac OS X Server, Mac Security

Tags: , , , , , , , , ,

Previously we looked at installing Git on Mac OS X. Now let’s take a look at using it. The first step is to add a new local git repository that looks to a remote repository. In the following example I’m going to add a local repository called custom-safari based on the git repository at packages/custom-safari on git.krypted.com.

git remote add custom-safari git://krypted.com/packages/custom-safari.git

Next make sure you’re using the latest from the repository:

git pull

Then checkout from the master git branch:

git checkout -b custom-safari/master

Now pull the files you’ve checked out:

git pull custom-safari master

Now you can do your work. Edit the files, wok on them and when you’re done we’ll look at putting them back in the repository. Before all commits, make sure to know which files are the most recent:

git status

Commit your changes:

git commit -a

Finally, push your changes back to your master:

git push

Once you’ve started working with git you may find that you would like to customize a few of the settings to make life a little easier. For these, check out the alias.st, alias.ci, alisas.co and alias.br, which can be really helpful.

Add colors:

git config –global color.ui auto

If you screw up and want to reset your local repository:

git checkout -f

Figure out what changed:

git diff

November 22nd, 2009

Posted In: Mac OS X, Mac OS X Server, Mac Security, Ubuntu, Unix

Tags: , , , , , ,