krypted.com

Tiny Deathstars of Foulness

The OS X Server Book for Take Control is posted! Hope you find it useful! The book is available at https://www.takecontrolbooks.com/osx-server. 🙂 Thanks to Tony Williams for pointing out that it's available. Hope you enjoy!

February 18th, 2016

Posted In: Mac OS X Server, Mac Security


There are a number of ways to create groups in OS X Server 5, running on Yosemite or El Capitan. The first is using the Server app, the second is using Workgroup Manager (which requires a little work to get working in El Capitan), the third is using the Users & Groups System Preference pane and the fourth is using the command line. In this article we will look at creating groups in the Server app. Once a server has been made an Open Directory master, all user and group accounts created in the Server app go into the Local Network domain. Before that, all user and group objects created in the Server app are stored locally. Once the server is promoted to an Open Directory server, local groups must be created in Workgroup Manager, the Users & Groups System Preference pane or a command line tool appropriate for group management.
To create a new group, open the Server app and then click on Groups in the ACCOUNTS list of the Server app sidebar. From here, you can switch between the various directory domains accessible to the server using the drop-down list available. Click on the plus sign to create a local network group.
At the New Group screen, provide a name for the group in the Full Name field. This can have spaces. Then create a short name for the group in the Group Name field. This should not have spaces.
Click Done when you have supplied the appropriate information and the group is created. Once done, double-click on the group to see more options.
Here, use the plus sign ("+") to add members to the group or highlight members and use the minus sign ("-") to remove users from the group. You can also choose to use the following options:
  • Mailing Lists: Lists that are connected to the group.
  • Members: The users that are part of the group.
  • Give this group a shared folder: Creates a shared directory for the group, with an ACL that grants all group members access.
  • Make group members Messages buddies: Adds each group member to every other group member's buddy list in the Messages client.
  • Enable group mailing list: Enables a list using the short name of the group, where all members receive emails sent to that address.
  • Create Group Wiki: Opens the Wiki interface for creating a wiki for the group.
  • Keywords: Keywords/tags to help locate users.
  • Notes: Notes about users.
Once changes have been made, click Done to commit the changes.

October 3rd, 2015

Posted In: Mac OS X Server


OS X Server 5 (El Capitan Server) can have problems with Open Directory. Sometimes you just need to reset your directory service. You can demote and restore the server if needed, but buyer beware: you may end up screwing things up while the directory server is being demoted and you're restoring a backup. Or, if you haven't built out the directory server, you may end up just demoting the server and starting over. In this article, we'll look at demoting the server.

To get started demoting the Open Directory master, first open the Server app and then click on Open Directory. From the Open Directory screen, click on the minus button in the Servers section. When prompted to delete the directory service, click on the Delete button. Once the process is complete, you'll be able to set up a new directory server, back at the initial Open Directory screen. The logs will then show the following:
2015-09-08 04:41:24 +0000 slapconfig -destroyldapserver
2015-09-08 04:41:24 +0000 Deleting Cert Authority related data
2015-09-08 04:41:24 +0000 Removed directory at path /var/root/Library/Application Support/Certificate Authority/Krypted Open Directory Certificate Authority.
2015-09-08 04:41:24 +0000 command: /usr/sbin/xscertadmin add --reason 5 --issuer Krypted Open Directory Certificate Authority --serial 2842025604
2015-09-08 04:41:44 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd.plist
2015-09-08 04:41:44 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd-helper.plist
2015-09-08 04:41:44 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertadmin.plist
2015-09-08 04:41:44 +0000 Stopping LDAP server (slapd)
2015-09-08 04:41:46 +0000 Stopping password server
2015-09-08 04:41:51 +0000 Removed all service principals from keytab for realm OSXSERVER.KRYPTED.COM
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/__db.001.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/__db.002.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/__db.003.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/__db.004.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/__db.005.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/__db.006.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/altSecurityIdentities.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/apple-config-realname.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/apple-generateduid.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-memberguid.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-nestedgroup.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-realname.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/apple-hwuuid.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/cn.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/DB_CONFIG.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/dn2id.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/entryCSN.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/entryUUID.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/gidNumber.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/givenName.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/id2entry.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/ipHostNumber.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/log.0000000001.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/macAddress.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/memberUid.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/objectClass.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/ou.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/sn.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/uid.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/openldap-data/uidNumber.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/__db.001.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/__db.002.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/__db.003.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/__db.004.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/__db.005.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/__db.006.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/alock.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/authGUID.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/DB_CONFIG.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/dn2id.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/draft-krbPrincipalAliases.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/draft-krbPrincipalName.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/entryCSN.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/entryUUID.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/id2entry.bdb.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/log.0000000001.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/openldap/authdata/objectClass.bdb.
2015-09-08 04:41:51 +0000 Removed directory at path /var/db/openldap/authdata.
2015-09-08 04:41:51 +0000 Removed file at path /etc/openldap/slapd_macosxserver.conf.
2015-09-08 04:41:51 +0000 Removed file at path /etc/openldap/slapd.conf.
2015-09-08 04:41:51 +0000 Removed file at path /etc/openldap/rootDSE.ldif.
2015-09-08 04:41:51 +0000 Removed file at path /var/db/dslocal/nodes/Default/groups/com.apple.access_dsproxy.plist.
2015-09-08 04:41:51 +0000 Removed directory at path /etc/openldap/slapd.d/cn=config.
2015-09-08 04:41:51 +0000 Removed file at path /etc/openldap/slapd.d/cn=config.ldif.
2015-09-08 04:41:51 +0000 Removed directory at path /etc/openldap/slapd.d.
2015-09-08 04:41:51 +0000 Removed directory at path /etc/openldap/slapd.d.backup/cn=config.
2015-09-08 04:41:51 +0000 Removed file at path /etc/openldap/slapd.d.backup/cn=config.ldif.
2015-09-08 04:41:51 +0000 Removed directory at path /etc/openldap/slapd.d.backup.
2015-09-08 04:41:55 +0000 Stopping password server
2015-09-08 04:41:55 +0000 Removed file at path /Library/Preferences/com.apple.openldap.plist.

October 2nd, 2015

Posted In: Mac OS X Server


Configuring Calendar Server in OS X Server 5 (running on El Capitan or Yosemite) is a fairly simple and straightforward process. The Calendar Server is a CalDAV server, leveraging HTTP and HTTPS, running on ports 8008 and 8443 respectively. To enable the Calendar service in OS X Server (Server 5), open the Server application and click on Calendar in the SERVICES section of the sidebar. Once open, click on Enable invitations by email to enable email notifications of invitations in the Calendar Server. Provide the email address and then click on the Next button.

At the Configure Server Email Address screen, provide the type of incoming mail service in use, the address of the mail server and the port number used, if not a standard port for IMAP over SSL (or POP if you'd prefer), the user name and the valid password for the account. Then click on the Next button. At the outgoing mail server screen, provide the Outgoing Mail Server address, the port, whether or not SSL is in use (it should be if possible), the password protocol, the user name and the password. Then click on the Next button. At the Mail Account Summary screen, review the settings and, if correct, click Finish.

Back at the service configuration screen, click on the plus sign ("+") and provide a type of location, an address, a delegate, a name for the location, whether or not invitations to the resource are accepted, and then enter the account name for any accounts that can manage the location's calendar (they will auto-complete, so there's no need to remember users and groups exactly). Click Done to complete the setup. Use the Resource setting in Type to configure a resource instead of a location. The two are the same, except for the Type field.
There are a number of settings that can also be configured, but those are exposed only at the command line. To configure them, open the command line and then review the list of Calendar service settings using the settings option of the serveradmin command:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings calendar

There are a number of settings for the Calendar service, including the following:

calendar:DefaultLogLevel = "info"
calendar:EnableAPNS = yes
calendar:EnableSSL = yes
calendar:DirectoryAddressBook:params:queryUserRecords = yes
calendar:DirectoryAddressBook:params:queryPeopleRecords = yes
calendar:EnableSearchAddressBook = yes
calendar:HTTPPort = 80
calendar:AccountingCategories:HTTP = no
calendar:AccountingCategories:Implicit Errors = no
calendar:AccountingCategories:iTIP = no
calendar:AccountingCategories:migration = no
calendar:AccountingCategories:AutoScheduling = no
calendar:AccountingCategories:iSchedule = no
calendar:AccountingCategories:iTIP-VFREEBUSY = no
calendar:Authentication:Digest:Enabled = yes
calendar:Authentication:Digest:AllowedOverWireUnencrypted = yes
calendar:Authentication:Kerberos:Enabled = yes
calendar:Authentication:Kerberos:AllowedOverWireUnencrypted = yes
calendar:Authentication:Wiki:Enabled = yes
calendar:Authentication:Basic:Enabled = yes
calendar:Authentication:Basic:AllowedOverWireUnencrypted = no
calendar:EnableCardDAV = no
calendar:Scheduling:iMIP:Sending:UseSSL = yes
calendar:Scheduling:iMIP:Sending:Server = "osxserver.krypted.com"
calendar:Scheduling:iMIP:Sending:Address = "com.apple.calendarserver@osxserver.krypted.com"
calendar:Scheduling:iMIP:Sending:Username = "com.apple.calendarserver"
calendar:Scheduling:iMIP:Sending:Password = "79PreYsZSFfZZC6v"
calendar:Scheduling:iMIP:Sending:Port = 587
calendar:Scheduling:iMIP:Enabled = yes
calendar:Scheduling:iMIP:Receiving:UseSSL = yes
calendar:Scheduling:iMIP:Receiving:Server = "osxserver.krypted.com"
calendar:Scheduling:iMIP:Receiving:Type = "imap"
calendar:Scheduling:iMIP:Receiving:Username = "com.apple.calendarserver"
calendar:Scheduling:iMIP:Receiving:Password = "79PreYsZSFfZZC6v"
calendar:Scheduling:iMIP:Receiving:Port = 993
calendar:SSLPrivateKey = ""
calendar:LogLevels = _empty_dictionary
calendar:DataRoot = "/Library/Server/Calendar and Contacts/Data"
calendar:ServerRoot = "/Library/Server/Calendar and Contacts"
calendar:SSLCertificate = ""
calendar:EnableCalDAV = no
calendar:Notifications:Services:APNS:Enabled = yes
calendar:SSLPort = 443
calendar:RedirectHTTPToHTTPS = yes
calendar:SSLAuthorityChain = ""
calendar:ServerHostName = "osxserver.krypted.com"

One of the more common settings to configure is the port number that CalDAV runs on. To configure HTTP:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings calendar:HTTPPort = 8008

For HTTPS:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings calendar:SSLPort = 8443

You can then start the service using the start option:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin start calendar

Or to stop it:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin stop calendar

Or to get the status:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin fullstatus calendar

Full status indicates that the three services are running:

calendar:readWriteSettingsVersion = 1
calendar:setStateVersion = 1
calendar:state = "RUNNING"
calendar:contactsState = "RUNNING"
calendar:calendarState = "RUNNING"

Once the Calendar server is configured, use the Calendar application to communicate with the server. Open the Calendar application, click on the Calendar menu and select Add Account. From the Add Account screen, click on the Add CalDAV Account radio button and click Continue.
Choose CalDAV from the Account Type menu and then enter the user name and password configured on the server, and add the address of the server if you don't have any service records pointing to the server. The user name is usually the name provided in the Server app, followed by @ and then the address of the server. Once the server is configured it appears in the list of accounts in the sidebar of the Calendar app. Create calendars in the account; then, to share a calendar, right-click on the calendar and click on Share Calendar… At the Share Calendar screen, provide the name the calendar should appear as to others and anyone with whom you'd like to share your calendar. Back at the Calendar Settings screen, use the settings to configure Availability and the refresh rate of calendars. Click on Server Settings to assign custom port numbers. Click on the Delegation tab to view any accounts you've been given access to. Use the Edit button to configure who has delegated access to calendars, as opposed to configuring subscriptions.

Overall, the Calendar service in El Capitan Server is one of the easiest to configure. Most of the work goes into settings configured on client systems. This, as with Exchange, pushes administration out to the users, often making administration more complicated than with many other tools. But that's a good thing: no one wants to access other people's accounts, for calendars or mail for that matter, without those users knowing that it was done, as will happen when resetting passwords…
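Because serveradmin settings calendar prints every setting as a key = value line, including the iMIP mailbox password, a saved dump can be audited with a few lines of shell. The script below is an added example, not code from the post or from Apple: SAMPLE_SETTINGS and WEAK_SETTINGS are constructed dumps using the keys listed above, and the audit rules are this editor's reading of those keys, not anything serveradmin itself enforces.

```shell
#!/bin/sh
# Added audit helper (not from the post). Reads the "key = value" lines that
#   sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings calendar
# prints and reports the authentication/transport settings a reviewer would flag.
# The dump also contains the iMIP mailbox password in clear text, so treat a
# saved copy of it as sensitive.

# Constructed sample mirroring the keys the post lists (not live output).
SAMPLE_SETTINGS='calendar:EnableSSL = yes
calendar:HTTPPort = 80
calendar:Authentication:Digest:Enabled = yes
calendar:Authentication:Digest:AllowedOverWireUnencrypted = yes
calendar:Authentication:Kerberos:Enabled = yes
calendar:Authentication:Kerberos:AllowedOverWireUnencrypted = yes
calendar:Authentication:Basic:Enabled = yes
calendar:Authentication:Basic:AllowedOverWireUnencrypted = no
calendar:Scheduling:iMIP:Sending:UseSSL = yes
calendar:Scheduling:iMIP:Sending:Server = "osxserver.krypted.com"
calendar:Scheduling:iMIP:Receiving:UseSSL = yes
calendar:RedirectHTTPToHTTPS = yes
calendar:SSLPort = 443'

# Second constructed sample with the settings loosened, to show findings.
WEAK_SETTINGS='calendar:EnableSSL = yes
calendar:Authentication:Digest:Enabled = yes
calendar:Authentication:Digest:AllowedOverWireUnencrypted = yes
calendar:Authentication:Kerberos:Enabled = no
calendar:Authentication:Kerberos:AllowedOverWireUnencrypted = yes
calendar:Authentication:Basic:Enabled = yes
calendar:Authentication:Basic:AllowedOverWireUnencrypted = yes
calendar:Scheduling:iMIP:Sending:UseSSL = no
calendar:Scheduling:iMIP:Receiving:UseSSL = yes
calendar:RedirectHTTPToHTTPS = no'

# get_setting KEY: print KEY's value from the settings text on stdin, with the
# surrounding double quotes removed; prints nothing when KEY is absent.
get_setting() {
    awk -v k="$1" -F' = ' '$1 == k { v = $2; gsub(/^"|"$/, "", v); print v; exit }'
}

# audit_calendar_settings: read a settings dump on stdin, print one FINDING line
# per weak setting. Always returns 0 so it can be used inside pipelines.
audit_calendar_settings() {
    settings=$(cat)
    redirect=$(printf '%s\n' "$settings" | get_setting calendar:RedirectHTTPToHTTPS)
    if [ "$(printf '%s\n' "$settings" | get_setting calendar:EnableSSL)" != yes ]; then
        echo "FINDING: SSL is disabled for the Calendar service"
    fi
    for mech in Basic Digest Kerberos; do
        enabled=$(printf '%s\n' "$settings" | get_setting "calendar:Authentication:$mech:Enabled")
        plain=$(printf '%s\n' "$settings" | get_setting "calendar:Authentication:$mech:AllowedOverWireUnencrypted")
        [ "$enabled" = yes ] && [ "$plain" = yes ] || continue
        if [ "$mech" = Basic ]; then
            # Basic sends the password itself; over plain HTTP that is a credential leak.
            echo "FINDING: Basic authentication allowed over unencrypted HTTP"
        elif [ "$redirect" != yes ]; then
            # Digest/Kerberos do not expose the password, but calendar data still
            # travels in clear unless plain HTTP is redirected to HTTPS.
            echo "FINDING: $mech allowed over unencrypted HTTP and HTTP is not redirected to HTTPS"
        fi
    done
    for dir in Sending Receiving; do
        if [ "$(printf '%s\n' "$settings" | get_setting "calendar:Scheduling:iMIP:$dir:UseSSL")" != yes ]; then
            echo "FINDING: iMIP $dir mail connection does not use SSL"
        fi
    done
    return 0
}

# count_findings: number of FINDING lines for the settings dump on stdin.
count_findings() {
    audit_calendar_settings | awk '/^FINDING/ { n++ } END { print n + 0 }'
}

# Stand-alone run: audit the constructed samples. On a real server replace the
# sample with the output of the serveradmin command quoted in the header.
printf '%s\n' "$SAMPLE_SETTINGS" | audit_calendar_settings
printf '%s\n' "$WEAK_SETTINGS" | audit_calendar_settings
```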

October 1st, 2015

Posted In: Mac OS X Server


There are four ways to create users in OS X Server 5, running on El Capitan or Yosemite. The first is using the Server app, the second is using Workgroup Manager (which barely works in OS X El Capitan and won't install in El Capitan by default), the third is using the Users & Groups System Preference pane and the fourth is using the command line. In this article we will look at creating users in the Server app.

To do so, open the Server app and connect to your server. Then click on the Users entry in the ACCOUNTS list. The list of users is displayed, based on the directory domain(s) being browsed. A directory domain is a repository of account data, which can include local users, local network users and users in a shared directory service such as Open Directory or Active Directory. The drop-down list allows you to see objects that are stored locally as well as on a shared directory server; clicking All Users will show all of the accounts accessible by the system. Click on the plus sign to create a new account. At this point, if the server has been promoted to an Open Directory master, the account will be a local network account, with no way of choosing a different location to store the account in the Server app. When prompted, provide the following information about the new user:
  • Full Name: Usually the first and last name of the user.
  • Account Name: A shorter representation of that name with no spaces or special characters.
  • Email address: The email address used to notify the account when it goes over quota, to send calendar invitations, or for email hosted on the server.
  • Password: The password the user will use to access services on the server.
  • Verify: The password a second time to make sure there are no spelling errors.
  • Allow user to administer this server: Optional field that grants the user administrative access to the server.
  • Home Folder: Optional field that by default creates local home directories for users that use the account, but that also allows you to select a directory shared using the File Sharing service as a location for home folders. Each user in OS X has a home folder; this option defines whether that folder will reside on their computer or on a central server.
  • Limit Disk Usage To: Define the amount of space an account can take up on servers.
  • Keywords: Keywords, or tags, for the user.
  • Notes: Any notes you want to enter into the user record.
Note: Optionally, you can also drag an image onto the image shown in the New User screen if you’d like the user to have an avatar.
Once the account details are as you would like, click on the Done button. The account will then be displayed in the list of available accounts. You can still create local accounts, but must do so in the Users & Groups System Preference pane, through Workgroup Manager or through the command line. If the server has not been made an Open Directory server, then you would be creating local users through the Server app.

Once the account is created, highlight it and click on the cog wheel icon below the list of accounts. Here, you have the option to edit the account you just created, edit their access to services hosted on the server, configure email information and change their password. Click Edit User. Here, you have two new features: you can add the user to groups and use the "log in" checkbox to disable the account. Click Cancel and then, using the cog wheel menu again, click on Edit Access to Services. Here, uncheck each service that the user should not have access to. If the service isn't running, it's not a big deal. You can highlight multiple accounts concurrently and then use this option to disable services for users en masse.

September 30th, 2015

Posted In: Mac OS X Server


The command to create and tear down an Open Directory environment is slapconfig. When you disable Open Directory from the Server app you aren't actually removing users. To do so, you'd use slapconfig along with the -destroyldapserver option. When run, you get a little insight into what's happening behind the scenes:

bash-3.2# slapconfig -destroyldapserver

The logs are as follows:

2015-09-08 04:17:58 +0000 slapconfig -destroyldapserver
2015-09-08 04:17:58 +0000 Deleting Cert Authority related data
2015-09-08 04:17:58 +0000 Removed directory at path /var/root/Library/Application Support/Certificate Authority/Krypted Open Directory Certificate Authority.
2015-09-08 04:17:58 +0000 command: /usr/sbin/xscertadmin add --reason 5 --issuer Krypted Open Directory Certificate Authority --serial 3449505949
2015-09-08 04:18:19 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd.plist
2015-09-08 04:18:19 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd-helper.plist
2015-09-08 04:18:19 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertadmin.plist
2015-09-08 04:18:19 +0000 Stopping LDAP server (slapd)
2015-09-08 04:18:20 +0000 Stopping password server
2015-09-08 04:18:24 +0000 Removed all service principals from keytab for realm OSXSERVER.KRYPTED.COM
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/__db.001.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/__db.002.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/__db.003.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/__db.004.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/__db.005.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/__db.006.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/altSecurityIdentities.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/apple-config-realname.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/apple-generateduid.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-memberguid.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-nestedgroup.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/apple-group-realname.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/apple-hwuuid.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/cn.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/DB_CONFIG.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/dn2id.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/entryCSN.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/entryUUID.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/gidNumber.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/givenName.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/id2entry.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/ipHostNumber.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/log.0000000001.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/macAddress.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/mail.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/memberUid.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/objectClass.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/ou.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/sn.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/uid.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/openldap-data/uidNumber.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/__db.001.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/__db.002.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/__db.003.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/__db.004.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/__db.005.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/__db.006.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/alock.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/authGUID.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/DB_CONFIG.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/dn2id.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/draft-krbPrincipalAliases.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/draft-krbPrincipalName.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/entryCSN.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/entryUUID.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/id2entry.bdb.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/log.0000000001.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/openldap/authdata/objectClass.bdb.
2015-09-08 04:18:24 +0000 Removed directory at path /var/db/openldap/authdata.
2015-09-08 04:18:24 +0000 Removed file at path /etc/openldap/slapd_macosxserver.conf.
2015-09-08 04:18:24 +0000 Removed file at path /etc/openldap/slapd.conf.
2015-09-08 04:18:24 +0000 Removed file at path /etc/openldap/rootDSE.ldif.
2015-09-08 04:18:24 +0000 Removed file at path /var/db/dslocal/nodes/Default/groups/com.apple.access_dsproxy.plist.
2015-09-08 04:18:24 +0000 Removed directory at path /etc/openldap/slapd.d/cn=config.
2015-09-08 04:18:24 +0000 Removed file at path /etc/openldap/slapd.d/cn=config.ldif.
2015-09-08 04:18:24 +0000 Removed directory at path /etc/openldap/slapd.d.
2015-09-08 04:18:24 +0000 Removed directory at path /etc/openldap/slapd.d.backup/cn=config.
2015-09-08 04:18:24 +0000 Removed file at path /etc/openldap/slapd.d.backup/cn=config.ldif.
2015-09-08 04:18:24 +0000 Removed directory at path /etc/openldap/slapd.d.backup.
2015-09-08 04:18:27 +0000 Stopping password server
2015-09-08 04:18:27 +0000 Removed file at path /etc/ntp_opendirectory.conf.
2015-09-08 04:18:27 +0000 Removed file at path /Library/Preferences/com.apple.openldap.plist.

September 28th, 2015

Posted In: Mac OS X Server


Let's start out with what's actually available in the Server Admin CLI: serveradmin. The serveradmin command, followed by settings, followed by san shows a few pieces of information:

bash-3.2# serveradmin settings san
san:computers = _empty_array
san:primaryController = "95C99FB1-80F2-5016-B9C3-BE3916E6E5DC"
san:ownerEmail = "krypted@me.com"
san:sanName = "krypted"
san:desiredSearchPolicy:_array_index:0 = ""
san:serialNumbers = _empty_array
san:dsType = 0
san:ownerName = "Charles Edge"
san:managePrivateNetwork = yes
san:metadataNetwork = "10.0.0.0/24"
san:numberOfFibreChannelPorts = 2
san:role = "CONTROLLER"

Here, we see the metadata network, the GUID of the primary (active) MDC, the name of the SAN, an array of serial numbers (if applicable; in a purely Mountain Lion/Mavericks SAN they aren't), the owner info plugged in earlier and the metadata network interface being used. Next, we'll take a peek at the fsm process for each volume:

bash-3.2# ps aux | grep fsm
root 7030 0.7 0.7 2694708 62468 ?? Ss 10:18AM 0:03.08 /System/Library/Filesystems/acfs.fs/Contents/bin/fsm BettyWhite mdm.pretendco.lan 0
root 6834 0.1 0.0 2478548 2940 ?? S 10:10AM 0:01.37 fsmpm -- -- /var/run/fsmpm-sync.6800 1800

Next, we can look at the version rev, which shows that the Server Revision is the same as in Mavericks, but the build number has incremented by 19 commits:

bash-3.2# cvversions
File System Server:
Server Revision 5 Branch Head
Created on Tue Sep 13 09:59:14 PDT 2015
Built in /SourceCache/XsanFS/XsanFS-527/buildinfo
Host OS Version:
Darwin 14.0.0 Darwin Kernel Version 14.0.0: Sat Sep 24 01:15:10 PDT 2015; root:xnu-2738.0.0.0.5~1/RELEASE_X86_64 x86_64

Next, we'll check out the contents of /Library/Preferences/Xsan.
First the volume configuration file:

bash-3.2# cat BettyWhite.cfg
# Globals
AllocationStrategy Round
FileLocks Yes
BufferCacheSize 32M
Debug 0x0
CaseInsensitive Yes
EnableSpotlight Yes
EnforceACLs Yes
SpotlightSearchLevel ReadWrite
FsBlockSize 16K
GlobalSuperUser Yes
InodeCacheSize 8K
InodeExpandMin 0
InodeExpandInc 0
InodeExpandMax 0
InodeDeleteMax 0
InodeStripeWidth 0
JournalSize 16M
MaxConnections 139
MaxLogSize 10M
MaxLogs 4
NamedStreams Yes
Quotas Yes
QuotaHistoryDays 7
ThreadPoolSize 256
UnixIdFabricationOnWindows Yes
UnixNobodyUidOnWindows -2
UnixNobodyGidOnWindows -2
WindowsSecurity Yes
# Disk Types
[DiskType LUN2Type]
Sectors 488355807
SectorSize 512
# Disks
[Disk LUN2]
Type LUN2Type
Status UP
# Stripe Groups
[StripeGroup All]
Status Up
StripeBreadth 16
Metadata Yes
Journal Yes
Exclusive No
Read Enabled
Write Enabled
Rtmb 0
Rtios 0
RtmbReserve 0
RtiosReserve 0
RtTokenTimeout 0
MultiPathMethod Rotate
Node LUN2 0
Affinity All

The above is not the XML I was thinking we'd see, but the same format and variables previously available.
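The volume configuration format above (comment lines, [Section Name] headers, and Key Value pairs, with the un-sectioned lines at the top being the globals) is simple enough to parse with awk. The script below is an added example, not code from the post or from Apple: SAMPLE_CFG and WEAK_CFG are constructed excerpts in the layout of BettyWhite.cfg, and the settings it flags are the ones this editor would check on a shared SAN, not a list Apple publishes.

```shell
#!/bin/sh
# Added example (not from the post): parser and review helper for the Xsan volume
# configuration format in /Library/Preferences/Xsan/<volume>.cfg.

# Constructed excerpt in the layout of the post's BettyWhite.cfg (not the real file).
SAMPLE_CFG='# Globals
AllocationStrategy Round
FileLocks Yes
EnforceACLs Yes
GlobalSuperUser Yes
Quotas Yes
UnixNobodyUidOnWindows -2
UnixNobodyGidOnWindows -2
WindowsSecurity Yes
# Disk Types
[DiskType LUN2Type]
Sectors 488355807
SectorSize 512
# Disks
[Disk LUN2]
Type LUN2Type
Status UP
# Stripe Groups
[StripeGroup All]
Status Up
StripeBreadth 16
Metadata Yes
Journal Yes
Node LUN2 0
Affinity All'

# Constructed variant with ACL enforcement off and no Quotas line at all.
WEAK_CFG='EnforceACLs No
GlobalSuperUser Yes
WindowsSecurity Yes
[StripeGroup All]
Status Up'

# xsan_cfg_get SECTION KEY: print KEY's value from SECTION of the cfg on stdin.
# SECTION is the full bracket text (e.g. "StripeGroup All"); use "Globals" for
# the un-sectioned settings at the top. Multi-word values ("Node LUN2 0") are
# returned whole. Prints nothing when the key is not in that section.
xsan_cfg_get() {
    awk -v want="$1" -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }                      # comments, blanks
        /^\[/ { sec = $0; sub(/^\[/, "", sec); sub(/\].*$/, "", sec); next }
        sec == "" { sec = "Globals" }                               # before first header
        sec == want && $1 == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }'
}

# xsan_cfg_audit: read a cfg on stdin, print one FINDING/NOTE line per item.
# Always returns 0 so it can be used inside pipelines.
xsan_cfg_audit() {
    cfg=$(cat)
    for key in EnforceACLs WindowsSecurity Quotas; do
        val=$(printf '%s\n' "$cfg" | xsan_cfg_get Globals "$key")
        [ "$val" = Yes ] || echo "FINDING: $key is '${val:-unset}', expected Yes"
    done
    # GlobalSuperUser Yes lets root on any SAN client act as root on the volume.
    # It is the shipped default, but worth a conscious decision on a shared SAN.
    [ "$(printf '%s\n' "$cfg" | xsan_cfg_get Globals GlobalSuperUser)" = Yes ] &&
        echo "NOTE: GlobalSuperUser Yes: root on every client is root on this volume"
    return 0
}

# xsan_cfg_findings: number of FINDING lines for the cfg on stdin.
xsan_cfg_findings() {
    xsan_cfg_audit | awk '/^FINDING/ { n++ } END { print n + 0 }'
}

# Stand-alone run over the constructed samples; on a metadata controller feed it
# the real file instead: xsan_cfg_audit < /Library/Preferences/Xsan/BettyWhite.cfg
printf '%s\n' "$SAMPLE_CFG" | xsan_cfg_audit
printf '%s\n' "$WEAK_CFG" | xsan_cfg_audit
```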
The configuration for the SAN itself is XML though:

bash-3.2# cat config.plist
computers
desiredSearchPolicy
dsType 0
managePrivateNetwork
metadataNetwork 10.0.0.0/24
ownerEmail krypted@me.com
ownerName Charles Edge
primaryController 95C99FB1-80F2-5016-B9C3-BE3916E6E5DC
role CONTROLLER
sanName krypted
serialNumbers

The automount file is a plist as well:

bash-3.2# cat automount.plist
BettyWhite
AutoMount rw
MountOptions
atimedelay no
dircachesize 10485760
threads 12

The aux-data is also a plist:

bash-3.2# cat BettyWhite-auxdata.plist
Config
ClientDelayAccessTimeUpdates 0
ClientDirCacheSize 10485760
ClientThreadCount 12
StoragePoolIdealLUNCount 4
StoragePoolStripeBreadth 16
FailoverPriorities
controllerUUID 95C99FB1-80F2-5016-B9C3-BE3916E6E5DC
enabled 1

Next, cvadmin remains basically unchanged, with the addition of restartd/startd/stopd (managing the fsm and the removal of :

Xsanadmin (BettyWhite) > help
Command summary:
activate, debug, dirquotas, disks, down, fail, filelocks, fsmlist, help, latency-test, multipath, paths, proxy, qos, quit, quotas, quotacheck, quotareset, ras, repfl, repquota, repof, resetrpl, rollrj, select, show, start, stat, stop, up, who, ?

activate [ | ]
    Activate a File System . This command may cause an FSM to activate. If the FSM is already active, no action is taken.
debug [ [+/-] ]
    Get or Set (with ) the FSS Debug Flags. Enter debug with no value to get current setting and bit meanings. Value should be a valid number. Use 0x to indicate hexadecimal. If the '+' or '-' argument is used, only specified flags will be modified. '+' will set and '-' will disable the given flags.
dirquotas <create|mark|destroy>
    The 'create' command turns the given directory into the root of a Directory Quota namespace. The command will not return until the current size value of the directory is tallied up. The 'mark' command also turns the given directory into the root of a Directory Quota namespace, but the current size value is left uninitialized. The command 'quotacheck' should be run later to initialize it. The 'destroy' command destroys the namespace associated with the given directory. The directory's contents are left unchanged.
disks [refresh]
    Display the acfs Disk volumes visible to this machine. If the optional "refresh" is used, the volumes will. be re-scanned by the fsmpm.
disks [refresh] fsm
    Display the acfs meta-data Disk volumes in use by the fsm. If the optional "refresh" is used, additional paths to these volumes may be added by the fsm.
down
    Bring down stripe group .
fail [ | ]
    Failover a File System . This command may cause a stand by FSM to activate. If the FSM is already active, the FSM will shut down. A stand-by FSM will take over or the FSM will be re-launched if it is stand-alone.
fsmlist [] [on ]
    Display the state of FSM processes, running or not. Optionally specify a single to display. Optionally specify the host name or IP address of the system to list the FSM process(es) on.
help (?)
    This message.
latency-test [ | all] []
    Run an I/O latency test between the FSM process and one client or all clients. The default test duration is 2 seconds.
multipath < balance | cycle | rotate | static | sticky >
    Change the Multi Path method for stripe group to "balance", "cycle", "rotate", "static", or "sticky".
paths
    Display the acfs Disk volumes visible to this machine grouped according to the "controller" identity.
proxy [ long ]
proxy who
    Display Disk Proxy Servers, and optionally the disks they serve, for this filesystem. The "who" option displays all proxy connections for the specified host.
qos
    Display per-stripe group QOS statistics.
quit
    Exit
filelocks
    Query cluster-wide file/record lock enforcement. Enter filelocks with no value to get current setting. Currently Cluster flocks are automatically used on Unix. Windows file/record locks are optional.
quotas
    Get the current state of the quota system
quotas get <user|group|dir|dirfiles>
    Get quota parameters for user, group, or directory .
quotas set <user|group|dir|dirfiles>
    Set current quota parameters for user, group, or directory . can be the name of a user or group or the path to a directory. For users and groups, it can also be an integer interpreted as a uid or gid. Setting the hardlim, softlim, and timelim to 0 disables quota enforcement for that user, group, or directory. The values for hardlim and softlim are expressed in bytes when setting user, group, or dir values. When setting dirfiles values, they are numbers of regular file inodes. The value for timelim is expressed in minutes.
quotacheck
    Recalculate the amount of space consumed (the current size field of the quota record) by all users, groups, and directory namespaces in the file system. This command can be run on an active file system although file updates (writes, truncates, etc.) will be delayed until quotacheck has completed.
quotareset
    Like quotacheck, but deletes the quota database before performing the check. All limits and directory namespaces will be lost. Use with extreme caution.
ras enq "detail string"
    Generate an SNFS RAS event. For internal use only.
ras enq "detail string"
    Generate a generic RAS event. For internal use only.
repquota
    Generate quota reports for all users, groups, and directory namespaces in the file system. Three files are generated:
    1. quota_report.txt – a "pretty" text file report.
    2. quota_report.csv – a comma delimited report suitable for Excel spreadsheets.
    3. quota_regen.in – a list of cvadmin commands that can be used to set up an identical quota database on another Xsan.
repfl
    Generate a report of currently held locks on all connected acfs clients.
repof
    Generate a report of currently open files on all connected acfs clients.
resetrpl [clear]
    Repopulate Reverse Path Lookup (RPL) information. The optional "clear" argument causes existing RPL data to be cleared before starting repopulation. Note: "resetrpl" is only available when cvadmin is invoked with the -x option. Running resetrpl may significantly delay FSM activation. This command is not intended for general use. Only run "resetrpl" when recommended by Technical Support.
restartd [once]
    Stop and start the process. For internal use only.
rollrj
    Force the FSM to start a new restore journal. This command is only used on a managed file system
select [ | | none]
    Select the active File System . Typing "select none" will de-select the current FSS. If the FSM is inactive (standing by) it cannot be selected. Using this command with no argument shows all active FSSs.
show [ ] [ long ]
    Show all stripe groups or a specific stripe group . Adding the modifier "long" shows more verbose information.
start [on] []
    Start the File System Service for . When running on an HA MDC, the local service is started and then an attempt is made to start the service on the peer MDC. Optionally specify the hostname or IP address to start the FSM on that MDC only.
startd [once]
    Start the process. For internal use only.
stat
    Display the general status of the file system.
stats [clear]
    Display read/write statistics for the file system. If clear, zero the stats after printing.
stop [on] [] |
    Stop the File System Services for or . Stopping by name without specifying a hostname will stop all instances of the service, and will cancel any pending restart of the service on the local system. Stopping by name on a particular system will stop or cancel a restart of the service on that system. Stopping by number only stops the service associated with the index. Indexes are displayed on the left side as "nn>" when. using the "select" command.
stopd
    Stop the process. For internal use only.
up
    Bring up stripe group . If there are no stripe groups that have exclusively numeric names, the stripe group index number shown in the "show" command may be used in place of .
who [] [long]
    List clients attached to file system. In the short form, "who" returns the following information:
    - acfs I.D.       – Client License Identifier
    - Type            – Type of client connection
        FSM           – File System Manager (FSM) connection
        ADM           – Administrative (cvadmin) connection
        CLI           – File system client connection. May be followed by a CLI type character:
            S – Disk Proxy Server
            C – Disk Proxy Client
            H – Disk Proxy Hybrid Client
    - Location        – Client's hostname or IP address
    - Up Time         – Total time client has been connected to FSM
    - License Expires – Date client's license will expire
    In the long form, "who" returns network path, build, latency and reconnect information, if available. Administrative and FSM clients return a limited set of information.

Xsanadmin (BettyWhite) > select
List FSS
File System Services (* indicates service is in control of FS):
 1>*BettyWhite[0]        located on 10.0.0.1:57724 (pid 7030)

September 25th, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security, Xsan


I've written plenty about OS X Server 5 here on krypted.com, but way more effort went into the official documentation. There are lots of nuggets at: http://help.apple.com/serverapp/mac/getstarted/5.0/ Enjoy!

September 24th, 2015

Posted In: Mac OS X Server


Mail is one of the hardest services to manage. Actually, mail is pretty simple in and of itself: there are protocols people use to access their mail (such as IMAP and POP), protocols used to communicate between mail servers and send mail (SMTP, SMTPS) and then there's a database of mail and user information. In OS X Server 5 for El Capitan and Yosemite, all of these are represented by a single ON button, so it really couldn't be easier. But then there's the ecosystem and the evil spammers. As a systems administrator of a large number of mail servers, I firmly believe that there is a special kind of hell where only spam is served at every meal for spammers. Here, the evil spammers must also read every piece of spam ever sent for eternity. By the end (aka Ragnarok), they should have the chemically induced stamina of a 16 year old with the latest Sports Illustrated Swimsuit issue, enough pills of other types to not be able to use that stamina, plenty of African princes looking to donate large sums of money if only they can be helped out of their country (which should cost about 100,000 compared to a 5,000,000 payout, not a bad ROI, right?!?!?), have their conflicting stamina situation at the top of the search engines and of course, have lost all of the money made from their African princes due to getting their credit card hijacked by about 9,000 phishing scams. All in all, a special kind of hell… But back to the point of the article, setting up mail. The things that mail administrators need to focus on to keep that mail server flowing mail to and from everyone else in the world:
  • Static IP address. The WAN (and LAN probably) address should be static.
  • Port Forwards. Port forwards need to be configured on the gateway for the SMTP port at a minimum and more than likely other ports used to access mail on client devices (25, 143, etc).
  • DNS records. An MX record and some kind of mail.domain.com type of record should definitely be configured for the DNS servers that are authoritative for the domain. There should also be reverse records for the address of the server, usually created by the Internet Services Provider, or ISP, that match that record.
  • Check the RBLs. If you have a new IP address you'll be putting a DNS server on, check all the major Realtime BlackLists to make sure that some evil spammer hasn't squatted on the IP before you got to it. This is true whether you're in a colo, hosted on an IP you own or moving into space formerly occupied by a very standup company. A lot of IP addresses are blocked, as are blocks of IPs, so before moving mail to an IP, check it.
  • Mail filtration (message hygiene). OS X Server has a number of mail filters built in, including clam for viruses, RBL checking and the ability to block specific addresses. However, this is often not enough. Third party services such as MXLogic help to keep mail from coming into your network. You also end up with an external IP to send mail that can cache mail in the event the server is down and keep mail off your network in the event that it's spam.
  • Backup. I am firmly of the belief that I'd rather not have data than not have that data backed up…
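The DNS and RBL items on that list can be scripted. The following is an added example, not code from the post: two helpers build the reverse-lookup and DNSBL query names from an IPv4 address, a third interprets a DNSBL answer (the 127.0.0.x convention that zen.spamhaus.org and most other lists use), and check_mail_dns runs the live checks with dig. The domain, hostname, address and list names in the usage line are assumptions for illustration; the 192.0.2.0/24 address used offline is documentation space.

```shell
#!/bin/sh
# Added example, not from the original post: DNS pre-flight helpers for a new
# mail server address.  Hostnames, addresses and list names used below are
# illustrative assumptions.

# reverse_ipv4 A.B.C.D -> D.C.B.A (the form PTR and DNSBL lookups use)
reverse_ipv4() {
    printf '%s\n' "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 }'
}

# ptr_name IP -> name that holds the reverse record (what dig -x queries)
ptr_name() {
    printf '%s.in-addr.arpa\n' "$(reverse_ipv4 "$1")"
}

# rbl_query_name IP LIST -> name to resolve on a DNSBL
rbl_query_name() {
    printf '%s.%s\n' "$(reverse_ipv4 "$1")" "$2"
}

# rbl_verdict ANSWER: interpret the A records a DNSBL returned (one per line,
# empty if NXDOMAIN).  Listings come back as 127.0.0.x; anything else (for
# example Spamhaus's 127.255.255.x "query refused" codes) is an error to
# investigate, not a listing.
rbl_verdict() {
    case "$1" in
        "")          echo clean ;;
        127.0.0.*)   echo listed ;;
        *)           echo unexpected ;;
    esac
}

# check_mail_dns DOMAIN HOST IP LIST...: live checks (needs dig and network):
# MX for the domain, forward record for the host, reverse record for the
# address, then each DNSBL.  The forward and reverse names should agree.
check_mail_dns() {
    domain=$1; host=$2; ip=$3; shift 3
    printf 'MX  %s -> %s\n' "$domain" "$(dig +short MX "$domain" | tr '\n' ' ')"
    printf 'A   %s -> %s\n' "$host"   "$(dig +short A "$host" | tr '\n' ' ')"
    printf 'PTR %s -> %s\n' "$ip"     "$(dig +short -x "$ip" | tr '\n' ' ')"
    for list in "$@"; do
        answer=$(dig +short A "$(rbl_query_name "$ip" "$list")")
        printf 'RBL %s -> %s\n' "$list" "$(rbl_verdict "$answer")"
    done
}

# Offline demonstration with a documentation address (RFC 5737):
echo "PTR name:  $(ptr_name 192.0.2.25)"
echo "RBL query: $(rbl_query_name 192.0.2.25 zen.spamhaus.org)"
echo "127.0.0.2 means: $(rbl_verdict 127.0.0.2)"
# Live run (assumed names):
# check_mail_dns krypted.com mail.krypted.com 192.0.2.25 zen.spamhaus.org
```

The live function only prints what it finds; the point is to look at the MX, A and PTR lines together and confirm they name the same host before any mail is moved to the address.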
Once all of that is taken care of (I'll add more as I think about it) then it's time to enable the mail service in the Server app running on Yosemite. Actually, first let's set up our SSL certificates. To do so, open the Server app and click on Certificates in the SERVER section of the sidebar. Here, use the "Secure services using" drop-down list and click on Custom… for each protocol to select the appropriate certificate to be used for the service. Click OK when they're all configured. Now let's enable the mail service (or outsource mail). To do so, open the Server app and click on Mail in the SERVICES list in the sidebar. At the configuration screen is a sparse number of settings:
  • Domains: Configures all of the domains the mail server will listen for mail for. Each account on the server has a short name and each domain name will be available for each short name. For example, an account with a shortname of charles will be available for email addresses of charles@pretendco.com and charles@krypted.com per the Domain Name listing below.
  • Authentication: Click Edit for a list of sources that accounts can authenticate against (e.g. Active Directory, Open Directory, Custom, Local, etc) and in some cases the specific password algorithms used for mail.
  • Push Notifications: If Push is configured previously there's no need to use this option. Otherwise, use your institutional APNS account to configure Push Notifications.
  • Relay outgoing mail through ISP: Provide a server that all mail will get routed through from the server. For example, this might be an account with your Internet Services Provider (ISP), an account on an appliance that you own (such as a Barracuda) or with an external filtering service (such as MXLogic).
  • Limit mail to: Configure the total amount of mail a user can have in the mail store, in Megabytes.
  • Edit Filtering Settings: Configure antivirus, SpamAssassin and junk mail filters. The "Enable virus filtering" checkbox enables clam. The "Enable blacklist filtering" checks the RBL (or RBLs) of your choice to check whether a given server is a "known" spammer and the "Enable junk mail filtering" option enables SpamAssassin on the host, configuring it to block based on a score as selected using the slider.
Once you've configured the settings for the Mail service, click on the ON slider to enable the service. At this point, you should be able to telnet into port 25 of the host to verify that SMTP is listening, preferably from another mail server:

telnet mail.krypted.com 25

You can also check that the mail services are running using the serveradmin command along with the fullstatus option for the mail service:

sudo serveradmin fullstatus mail

Which returns with some pretty verbose information about the service, including state, connections, running protocols and the rest of the following:

mail:startedTime = ""
mail:setStateVersion = 1
mail:state = "STOPPED"
mail:protocolsArray:_array_index:0:status = "ON"
mail:protocolsArray:_array_index:0:kind = "INCOMING"
mail:protocolsArray:_array_index:0:protocol = "IMAP"
mail:protocolsArray:_array_index:0:state = "STOPPED"
mail:protocolsArray:_array_index:0:service = "MailAccess"
mail:protocolsArray:_array_index:0:error = ""
mail:protocolsArray:_array_index:1:status = "ON"
mail:protocolsArray:_array_index:1:kind = "INCOMING"
mail:protocolsArray:_array_index:1:protocol = "POP3"
mail:protocolsArray:_array_index:1:state = "STOPPED"
mail:protocolsArray:_array_index:1:service = "MailAccess"
mail:protocolsArray:_array_index:1:error = ""
mail:protocolsArray:_array_index:2:status = "ON"
mail:protocolsArray:_array_index:2:kind = "INCOMING"
mail:protocolsArray:_array_index:2:protocol = "SMTP"
mail:protocolsArray:_array_index:2:state = "STOPPED"
mail:protocolsArray:_array_index:2:service = "MailTransferAgent"
mail:protocolsArray:_array_index:2:error = ""
mail:protocolsArray:_array_index:3:status = "ON"
mail:protocolsArray:_array_index:3:kind = "OUTGOING"
mail:protocolsArray:_array_index:3:protocol = "SMTP"
mail:protocolsArray:_array_index:3:state = "STOPPED"
mail:protocolsArray:_array_index:3:service = "MailTransferAgent"
mail:protocolsArray:_array_index:3:error = ""
mail:protocolsArray:_array_index:4:status = "OFF"
mail:protocolsArray:_array_index:4:kind = "INCOMING"
mail:protocolsArray:_array_index:4:protocol = ""
mail:protocolsArray:_array_index:4:state = "STOPPED"
mail:protocolsArray:_array_index:4:service = "ListServer"
mail:protocolsArray:_array_index:4:error = ""
mail:protocolsArray:_array_index:5:status = "ON"
mail:protocolsArray:_array_index:5:kind = "INCOMING"
mail:protocolsArray:_array_index:5:protocol = ""
mail:protocolsArray:_array_index:5:state = "STOPPED"
mail:protocolsArray:_array_index:5:service = "JunkMailFilter"
mail:protocolsArray:_array_index:5:error = ""
mail:protocolsArray:_array_index:6:status = "ON"
mail:protocolsArray:_array_index:6:kind = "INCOMING"
mail:protocolsArray:_array_index:6:protocol = ""
mail:protocolsArray:_array_index:6:state = "STOPPED"
mail:protocolsArray:_array_index:6:service = "VirusScanner"
mail:protocolsArray:_array_index:6:error = ""
mail:protocolsArray:_array_index:7:status = "ON"
mail:protocolsArray:_array_index:7:kind = "INCOMING"
mail:protocolsArray:_array_index:7:protocol = ""
mail:protocolsArray:_array_index:7:state = "STOPPED"
mail:protocolsArray:_array_index:7:service = "VirusDatabaseUpdater"
mail:protocolsArray:_array_index:7:error = ""
mail:logPaths:Server Error Log = "/Library/Logs/Mail/mail-err.log"
mail:logPaths:IMAP Log = "/Library/Logs/Mail/mail-info.log"
mail:logPaths:Server Log = "/Library/Logs/Mail/mail-info.log"
mail:logPaths:POP Log = "/Library/Logs/Mail/mail-info.log"
mail:logPaths:SMTP Log = "/var/log/mail.log"
mail:logPaths:List Server Log = "/Library/Logs/Mail/listserver.log"
mail:logPaths:Migration Log = "/Library/Logs/MailMigration.log"
mail:logPaths:Virus Log = "/Library/Logs/Mail/clamav.log"
mail:logPaths:Amavisd Log = "/Library/Logs/Mail/amavis.log"
mail:logPaths:Virus DB Log = "/Library/Logs/Mail/freshclam.log"
mail:imapStartedTime = ""
mail:postfixStartedTime = ""
mail:servicePortsRestrictionInfo = _empty_array
mail:servicePortsAreRestricted = "NO"
mail:connectionCount = 0
mail:readWriteSettingsVersion = 1
mail:serviceStatus = "DISABLED"

To stop the service:

sudo serveradmin stop mail

And to start it back up:

sudo serveradmin start mail

To configure some of the settings no longer in the GUI from previous versions, let's look at the full list of options:

sudo serveradmin settings mail

One that is commonly changed is the subject line added to messages that are marked as spam by SpamAssassin. This is stored in mail:postfix:spam_subject_tag, so changing it would be:

sudo serveradmin settings mail:postfix:spam_subject_tag = "***DIEEVILSPAMMERSDIE*** "

A number of admins also choose to disable greylisting, done using the mail:postfix:greylist_disable option:

sudo serveradmin settings mail:postfix:greylist_disable = yes

To configure an email address for quarantined mail to go to, use mail:postfix:virus_quarantine:

sudo serveradmin settings mail:postfix:virus_quarantine = "diespammersdie@krypted.com"

The administrator, by default, doesn't get an email when an email containing a file infected with a virus is sent through the server. To enable this option:

sudo serveradmin settings mail:postfix:virus_notify_admin = yes

I also find a lot of Mac environments want to accept email of pretty much any size. By default, message size limits are enabled. To disable them:

sudo serveradmin settings mail:postfix:message_size_limit_enabled = no

Or even better, just set a new limit:

sudo serveradmin settings mail:postfix:message_size_limit = 10485760

And to configure the percentage of someone's quota that kicks off an alert (soft quota):

sudo serveradmin settings mail:imap:quotawarn = 75

Additionally, the following arrays are pretty helpful, which used to have GUI options:
  • mail:postfix:mynetworks:_array_index:0 = "127.0.0.0/8" – Add entries to this one to add "local" clients
  • mail:postfix:host_whitelist = _empty_array – Add whitelisted hosts
  • mail:postfix:blacklist_from = _empty_array – Add blacklisted hosts
  • mail:postfix:black_hole_domains:_array_index:0 = "zen.spamhaus.org" – Add additional RBL Servers
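Since mynetworks decides who Postfix will relay for without authentication, a too-wide CIDR there turns the server into an open relay, which is exactly what lands an address on the RBLs discussed earlier. The following is an added example and not code from the post: it parses the key = value lines serveradmin prints, classifies every mynetworks entry, and checks that an RBL is configured and that admin virus notifications are on. The SAMPLE text is constructed in the shape of serveradmin settings mail output, with a deliberately bad 0.0.0.0/0 entry; to review a real server, pipe `sudo serveradmin settings mail` into audit_mail_settings instead.

```shell
#!/bin/sh
# Added example, not from the original post: review "serveradmin settings mail"
# output for relay and filtering mistakes.  SAMPLE is constructed; the
# 0.0.0.0/0 entry is deliberately wrong so the warning fires.

SAMPLE='mail:postfix:mynetworks:_array_index:0 = "127.0.0.0/8"
mail:postfix:mynetworks:_array_index:1 = "192.168.210.0/24"
mail:postfix:mynetworks:_array_index:2 = "0.0.0.0/0"
mail:postfix:host_whitelist = _empty_array
mail:postfix:black_hole_domains:_array_index:0 = "zen.spamhaus.org"
mail:postfix:virus_notify_admin = no
mail:postfix:greylist_disable = yes
mail:postfix:message_size_limit = 10485760'

# setting_values KEY (settings on stdin): print each value stored under KEY,
# quotes stripped, one per line.  Array members are matched through their
# ":_array_index:N" suffix; _empty_array yields no output.
setting_values() {
    awk -v k="$1" '
        $1 == k || index($1, k ":_array_index:") == 1 {
            v = $0; sub(/^[^=]*= /, "", v)   # keep everything after "= "
            gsub(/^"|"$/, "", v)
            if (v != "_empty_array") print v
        }'
}

# classify_network CIDR: Postfix relays unauthenticated mail for every
# mynetworks entry, so only loopback and RFC 1918 space belong there.
classify_network() {
    case "$1" in
        */0)                                   echo open-relay ;;
        127.*|::1*)                            echo loopback ;;
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*)
                                               echo private ;;
        *)                                     echo public ;;
    esac
}

# audit_mail_settings (settings on stdin): WARN for relay risks, INFO for
# choices worth knowing about; prints nothing when everything looks fine.
audit_mail_settings() {
    input=$(cat)
    printf '%s\n' "$input" | setting_values mail:postfix:mynetworks |
    while IFS= read -r net; do
        case "$(classify_network "$net")" in
            open-relay) echo "WARN mynetworks $net relays for the whole Internet" ;;
            public)     echo "WARN mynetworks $net trusts a public range as local" ;;
        esac
    done
    [ -n "$(printf '%s\n' "$input" | setting_values mail:postfix:black_hole_domains)" ] ||
        echo "WARN black_hole_domains is empty: no RBL checking"
    [ "$(printf '%s\n' "$input" | setting_values mail:postfix:virus_notify_admin)" = yes ] ||
        echo "INFO virus_notify_admin is off: infected mail is quarantined silently"
    [ "$(printf '%s\n' "$input" | setting_values mail:postfix:greylist_disable)" = yes ] &&
        echo "INFO greylisting is disabled"
    return 0
}

printf '%s\n' "$SAMPLE" | audit_mail_settings
```

With the sample input the audit prints one WARN (the 0.0.0.0/0 entry) and two INFO lines; the private 192.168.210.0/24 entry and the loopback range pass silently.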
The client side of the mail service is straightforward enough. If you are wondering where in this article we discuss using webmail, er, that's not installed by default any longer. But the open source project previously used, roundcube, is still available for download and easily installed (the pre-reqs are all there, already). Check out the roundcube wiki installation page here for more info on that. Also, mail groups. I hope to have a post about that soon enough. Unless, of course, I get sidetracked with having a life. Which is arguably not very likely…

September 24th, 2015

Posted In: Mac OS X Server


OS X Server 5 (for El Capitan and Yosemite) sees little change with the FTP Service. Instead of sharing out each directory, the new incantation of the FTP service allows administrators to share a single directory out. This directory can be any share that has previously been configured in the File Sharing service or a website configured in the Websites service. To set up FTP, first open the Server app and then click on the FTP service. Once open, use the Share: drop-down list to select a share that already exists (basically the output of sharing -l) and click on one of the shares or Custom to create a new share for FTP. Then, set the permissions as appropriate on the share and hit the ON button for the FTP service. Now, let's test from a client. I like to use the ftp command line interface built into OS X. To test, type ftp followed by the address of the site (I like to put the username followed by @ before the hostname), as follows:

ftp robin@elcapserver.krypted.lan

When prompted, provide a password. Then, assuming you get the following, you're in:

230 User robin logged in.
Remote system type is UNIX
Using binary mode to transfer files.

Here, type ls to see a list of the directory's contents, or pwd to see what directory you are in (relative to the root of the ftp share). And of course, type get followed by the name of a file to transfer it locally:

get myfile.txt

Open a terminal window on the server and let's look at the few options you have to configure FTP from the command line. We already discussed sharing -l to see a list of the available shares. Additionally, you can use the serveradmin command, where ftp is the name of the service. Let's look at the status of the service, first:

sudo serveradmin fullstatus ftp

Now let's look at status:

sudo serveradmin status ftp

Same thing, right?
Let's look at all the settings:

sudo serveradmin settings ftp

If you have spaces in the name of a share that you configure from the Server app, the thing will fail. Good stuff, so use serveradmin to manually set shares with spaces or other special characters in the names:

sudo serveradmin settings ftp:DocumentRoot = "/Shared Items/Krypted"

Overall, this ftp implementation is meant for users who just need to access their web server where all the files live in a web root of some sort. Otherwise, I'd still recommend most people use a third party tool. But if you just need to log into one share and you don't need a lot of fancy features on top of your protocols that haven't changed much since 1985 then this implementation will still work for ya' without any extra work. Since we mentioned 1985, let's look at some other things that are as old, although perhaps not as dated, as the FTP Protocol. Things from the year 1985:
  • Back To the Future is Released
  • Coke introduces one of the largest marketing fails of all time, New Coke. It is so bad it opens a hole in the Ozone, also discovered in this year by Al Gore
  • Rambo Part II and Rocky Part IV come out, Sly doesn't come out
  • Mad Max Beyond Thunderdome teaches us that Tina Turner's still got it – Bill Schroeder doesn't have it, no relation to Ricky, he leaves the hospital part-cyborg with the first artificial heart.
  • A View To A Kill finally ends the Roger Moore era of James Bond. Computer nerds, keep in mind, he saved Silicon Valley. This movie had Christopher Walken and Duran Duran. What more could you ask for? Oh, right – Tanya Roberts! Oh, and Thomas Patrick Cavanaugh actually gets life for being a real spy.
  • Since Police Academy was a hit, the producers figured they'd screw it up by making a second movie: Police Academy 2 comes out
  • After watching Cocoon I now know I'll never have to grow old, so I can treat my body however I want…
  • The unabomber is at the half way point of his career with 2 bombings this year, The Rainbow Warrior sinks (no known relation to the unabomber, unless he was a French antieco-terrorist), flight 847 is hijacked and Gorbachev becomes the leader of the largest pain in President Reagan's bung hole: Russia (OMG Commies – Run!!!). In order to pay for the tail end of the cold war, Reagan lowers taxes and sends America into debt for the first time since 1914, a debt we are still in (evil Democrats, always incurring more American debt!). Meanwhile, Margaret Thatcher has shoulder pads surgically implanted because health care is free in Great Britain and all. Actually, National Health Service contributes little to England's national debt, which was about as low in percentage of GDP as it had been since before WWI under her and due to her terms as PM. It was at its highest in the early 1800s, far before shoulder pads were in fashion… Having said that, the US, who went into debt for the first time had to sell Reagan's autobiography rights in order to pay for his colon surgery since there's not NHS here… He could have asked Gotti, who became the leader of the Gambinos in 1985 for a loan, but I hear he was too busy playing Tetris, which also came out in 1985…
  • British Telecom phases out red telephone boxes – almost as a result a single season of Dr. Who airs on TV.
  • In 1985, Paul Simon, Stevie Wonder, Ray Charles, Bob Dylan, Michael Jackson, Billy Joel, Cyndi Lauper, Willie Nelson, Lionel Richie, Smokey Robinson, Kenny Rogers, Diana Ross, Paul Simon, Bruce Springsteen, Tina Turner, Daryl Hall, Kenny Loggins, Huey Lewis and of course Al Jarreau sang We Are The World. Prince wouldn't show and Waylon Jennings stormed out. Jane Fonda hosted a HBO special in between workout videos. Live Aid happens too, and is far cooler. But, at least Rich Ramirez (the Night Stalker) got nabbed in LA. Top singles on the charts include Madonna, Wham!, Simple Minds, Duran Duran, Phil Collins, Dire Straits, Starship, Lionel Richie, Foreigner and REO Speedwagon.
  • Top TV shows include the sweaters from the Cosby Show, Family Ties, Murder She Wrote, Dynasty, The Golden Girls, Miami Vice, Cheers, Knots Landing, Growing Pains and of course, DALLAS
  • The Ford Taurus and the Mercury Sable bring a new low point to American automobile engineering – luckily The Nintendo came out and no one cared for a decade or more…
  • The Commodore Amiga is launched.
  • The Free Software Foundation is founded by rms, author of great cookie recipes, tips on women and GNU Manifestos.
  • And most importantly, Steve Jobs starts NeXT

September 24th, 2015

Posted In: Mac OS X Server

