After many un-sucessfull attempts at using the search functionality (Spotlight), I decided to do some research on other methods for searching for files on the OSX platform. I came across the “locate” command for the Terminal.

I had never used this command before so I did some reading and I ran

1

sudo /usr/libexec/locate.updatedb

this ran the initial database rebuild which added many new entries into its database. I then ran

1

locate 'File Name here.txt'

and came up with a nice list of files on the users computer, however the problem was that all of the files we found were older revisions of the file that he had lost. I decided that the only way we were going to find his file was to use a much more aggressive approach.

I decided to use the “find” command, this works similar to the “locate” command but it searches the folder, directory or entire volume that you want. It allows you to be as specific or as vague as you want as well. For example

1

find / -name 'filename.txt'

will search the entire volume for a file with the name filename.txt. You can also search for wildcards as well

1

find . -name '*.txt'

which will generate a list of all of the text files on the computer. Notice I used a period here instead of a slash, these are where you can customize the location of the search.

So I let this run, the “find” command is considerably slower than the “locate” command because it does not use a database rather it searches live through the hard drive on the system that you are using. After about 20 minutes letting it scan the entire hard drive, every user account and every directory we came up with a few more results but again nothing that had his new content. I was really hoping that at this point he had accidentally deleted it or something.

I decided to ask him for a phrase located in the text file that could be used as a search term. To search for a phrase in a text document in the terminal run

1

find . -name '*.xlsx' -exec grep -li 'ethiopia' {} \;

this will find any reference to the word ethiopia located in a Excel file. I let this run and again slow but effective it revealed more results but nothing. I explained to the gentleman that I could try looking at the tape backups but it would take me some time. He asked me if I could do that.

It was a long walk back upstairs, I loaded the first tape into the drive and got ready. I began the search. Not 10 minutes later did I get a phone call back saying, that he had found the file on a thumb drive that he had. Go figure, turns out that no matter how many cool ways there are to search a hard drive none of them will index a thumb drive in someones pocket.

Comments like, the Apple TV should have included a Tuner and a DVR, or the Apple Hi-Fi should have been made as a more portable unit with more functionality.  I guess no matter what the product is there are two truths, it’s not meant to be a perfect product for everyone simply the masses and with every product no matter how intuitive or ingenious there is always room for improvement.

The good thing about the iPad is that Apple has figured out another way to sell great content. The iPod  brought us the iTunes music store. The Apple TV brought us movies that we could rent. The iPhone brought us the App Store. Now the iPad brings yet another venue the iBook Store. Trying hard to compete with devices like the Kindle, Apple has staked claim on yet another content niche.

Soon enough there will be keynote presentations where Apple will claim that they are the largest Music, Video and Book content provider in the world and at that time the iPad will be more of a modern institution rather than a foreign entity. So what you can do with the iPad, you can do many good things. Listen to music, watch videos, browse the internet, use apps, read books, play games and more. Could it do more? Sure, it could. Will it eventually? Sure it will.

The bad thing about the iPad is that it is not what everyone really wanted when they were first thinking about what this product would eventually be. Who knows, maybe there is a tablet computer rolling around in Job’s head. But for those of us, myself included who were hoping for a computer, a graphics tablet, a stylus interface, and a breakthrough in how we look at performing our day to day tasks, well we will have to keep dreaming, and hoping for the future. For some of us with the cash, we can live the dream now by getting the ModBook by Axiotron. This device is what many Mac fans were expecting.

From the perspective of a systems administrator, this could be a technical and logistical nightmare when you consider people doing work on these on secured networks where encryption is important. From a hardware perspective if you ever had to perform your own battery replacement or even from the philosophical angle, is this a computer, or is it just a cool content viewer. If it is the later, then will or should IT Departments support such a device.

The Ugly thing that I believe is more of a philosophical debate is the slow agonizing death of the printed word in its truest format. While we all know Print Media is dying and we have known that for a long time, many will argue that bookstores and books are not going anywhere while that may be true I lived in a state recently and witnessed the death of its last newspaper.

Thats right, in the state of Maine every newspaper has gone out of business. I am not saying that the iPad is or will kill off traditional media or that it has but its just one device closer to its extinction. Perhaps I am just nostalgic for the days when I used to like to read the comics as a kid, getting them out of the middle of the sunday paper, was and always will be a special memory for me.

No matter what, side of the fence you land on, Apple has made a smart move by entering into this market. Apple is a company and I am sure they have a plan for everything that they do. They have methodically created each new device over the past 4 years and released each one with a new content store. Perhaps Apple is planning a takeover of all digital content, and its syndication rights. Only one man knows and it certainly is not me. For now I will just sit back and watch my Apple stock soar, thanks Steve.

Great, another strange Apple bug I thought until someone was able to forward me the bounced email to my personal email account. Further insight in the error showed that the message was getting bounced back due to a blank subject line. As you can see from the example below its due to a blank or empty subject heading.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

=====================================
This is the mail system at host mail.xxxxxxx.org.
 
I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.
 
For further assistance, please send mail to postmaster.
 
If you do so, please include this problem report. You can
delete your own text from the attached returned message.
 
The mail system
 
<user@domain.org>: host
mail.domain.org http://xx.xxx.xxx.xxx said: 550 5.7.1 empty subject
=====================================

Yes, apparently Apple has added this as an actual “Feature”. You can turn this off however by commenting out the only line of code in the file /etc/postfix/custom_header_checks. Turn off the mail service before you do this. Once the mail service is off edit the file using sudo pico.

1
2
3
4
5

/^subject: *$/ REJECT empty subject header in /etc/
 
into:
 
#/^subject: *$/ REJECT empty subject header in /etc/

Start mail back up again and you will notice that the blank subject line blues are gone away.

However in 10.6.2 there is a detachment from the way you authenticate. You create access for each blog based on the settings in the web interface rather than in Workgroup Manager. This threw me off a bit the first time due to the fact that I had already had our previous wiki server split up into groups using workgroup manager.

Here is how I migrated our wiki, the default directory for wiki and blogs on 10.5 and 10.6 is

1

/Library/Collaboration

Inside that folder, you’ll find a Groups folder of interest. You’ll want to repeat the following procedure for each group:

1
2
3
4
5
6
7

sudo serveradmin stop teams
sudo mv <Group Folder from Backup> /Library/Collaboration/Groups/
sudo chown -R _teamsserver:_teamsserver /Library/Collaboration/Groups/<group_directory>
sudo rm /Library/Collaboration/dataVersion.plist
sudo rm /Library/Collaboration/globalIndex.db
sudo rm /Library/Application Support/Apple/WikiServer/directoryIndex.db
sudo serveradmin start teams

Once you complete those steps, you’ll need to login as an administrator and set the permissions for the wiki(s). 10.6 removes the privileges for wikis from Workgroup Manager and instead allows for security management via the wiki web interface.

Once we were done with the wiki, we had to migrate over DNS this was a little bit scary however retyping our DNS records was equally as scary. I decided to try to migrate the settings since it was sanctioned by Apple.

Basically the first step was to stop DNS service on your Snow Leopard server. I then created a backup of my DNS config files that lived on my Snow Leopard server in the event that everything went bad.

1

mkdir /var/backups/dns; cp -r /etc/dns /var/named /etc/named.conf /var/backupsdns

I then preceded to copy the following files and folders from Leopard server into the same locations on Snow Leopard Server

1
2
3

/etc/dns
/etc/named.conf
/var/named

Once done start DNS via the command line on Snow Leopard server

1

sudo serveradmin start dns

Next I urge you if you are going to try this test, test, test, test and test again. I got it almost 100% however there are a few fields in the DNS settings in Server Admin that do not exist in 10.5 Server. Also I did notice that it messed up my FQDN’s in some places. Tell me your migration headache story, or lack thereof.

The one great thing about 10.5.8 was the development of Mailbfr this was an amazing script that would help you backup your entire mailstore, recover email accounts, repair quotas, and of course rebuild or repair the entire mail-store. This was an invaluable tool, however since switching we have had to come up with our own solution.

We tried at first to get RSYNC running however this did not work because we did not have the permission to copy the mailstore with the permissions in tact. The reason is that while the root account does have access to look at the mailstore the secondary user on the mailstore folder is the mail user itself. Without running the script as each user then its near impossible to use RSYNC to move the mailstore or to even perform a simple backup.

Our solution was to create a backup script that use SCP with SCP we were able to move our mail-store to another drive on the server. It copies the store over and it resets the permissions to the administrator account. This solution works very well however after some time with a large mailstore you will run out of space on the target volume. Unlike RSYNC which uses hard links to save space SCP creates a new copy of the mailstore each time it is run.

In order to save space on the backup volume the oldest 2 weeks worth of backed up email gets dumped to DVD and removed from the drive on a monthly basis. This is fine but not optimal. Here is a copy of the script that we use on our server.

1
2
3
4
5
6

#!/bin/bash
echo backup started daily backup `date` >> /Volumes/EMAIL\ BACKUP/Backup/Logs/Backup_log.txt
 
scp -r /Volumes/Mailstore-Location/spool /Volumes/EMAIL\ BACKUP/Email-Backups/$(date +%d)-$(date +%m)-$(date +%Y)backup 
 
echo backup daily backup completed `date` >> /Volumes/EMAIL\ BACKUP/Backup/Logs/Backup_log.txt

This will backup the mailstore and then log each time that it does so. To recover an email to the original mailstore is not as hard as it seems. Navigate to the backed up mailstore destination and match up the name of the folder to the users UID of which you want to recover. For example if the users UID is 7458-58713-952554-544226 then you would look for a folder with the same name. Once in the folder you can copy or look at individual email files. Find the ones or one that you need and copy it to the folder of the original mailstore. In order to do this you will have to use sudo. For example this is how you would restore the entire folder

1

sudo scp -r "Volumes/EMAIL\ BACKUP/Email-Backups/7458-58713-952554-544226/.*" "/Volumes/Mailstore-Location/spool/7458-58713-952554-544226/.*"

Until Mailbfr comes back for Dovecot this is how we are protecting ourself against the accidental loss of email. I am not saying that this is the best method it is simply the one we are using. If you have another solution that works bette than please let me know and share your own experience!

If you poke around the bind config files on your OS X Server, you’ll be able to see how apple has set them up so that you can edit them directly without confusing the GUI. /var/named contains zone files that you may edit, and they include corresponding files in /var/named/zones which you should not edit. They’ve done something similar for /etc/named.conf and the files in /etc/dns/.

Having said that, I recommend not doing both internal and external resolving for split-horizon DNS on your server, mainly because:

1. It’s kind of complicated, and you lose any convenience you had when you were able to use the GUI exclusively
2. You have NAT, which makes it even more complicated
3. There are solutions available from third parties that are better-performing, cheap/free, and more robust

In my organization, we use DNS in Mac OS X Server extensively for the internal part of a split-horizon setup. We use the “Advanced DNS” part of a network solutions account for the external part. It comes free with the domains we’ve purchased, and has redundancy and speed far greater than what I could justify for hosting a handful or externally-resolving names myself.

You need to reconfigure BIND to use “views” with two different versions of your zone file, such that access from inside your network gives the 192.168.1/24 (internal) addresses, but requests forwarded from outside (via your 2-Wire router) give out your static public IP.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

acl internal {
    127.0.0.0/8;
    192.168.1.0/24;
};
 
view "internal" {
    match-clients { internal; };
    zone "mydomain.com" {
        type master;
        file "/etc/bind/internal/db.mydomain.com";
     };
};
 
view "external" {
    match-clients { any; };
    zone "mydomain.com" {
        type master;
        file "/etc/bind/external/db.mydomain.com";
    };
};

For more information check this out it is a How To with more detailed instructions for Split Horizon DNS configuration.

To start with you must enable Sieve on your server to do this, start Server Admin, Mail > Settings > Advanced: Tick “PLAIN” on IMAP/POP and save it. Mail > Settings > Filters: Tick “Enable Server Side mail rules”, save it and restart the mail service. once your done here you will be able to use the built in web based interface for handling server side rules. However you can also install your own!

SquirrelMail is the default webmailer in SLS. You can use the plugin avelsieve to manage server side mail rules. Download avelsieve (I recommend version 1.9.9) and unpack in directory /usr/share/squirrelmail/plugins (so that directory avelsieve is within the plugins dir). Note that you also need to download javascript_libs plugin, if you use a recent version (>=1.9.8) of avelsieve. If you need the javascript_libs plugin, also unpack it in squirrelmail’s plugins dir. Then edit the file plugins/avelsieve/config/config.php (copy config_sample.php to config.php if not exisiting).

Change the authentication mechanism to

$sieve_preferred_sasl_mech = 'PLAIN';

Edit file /usr/share/squirrelmail/config/config.php and register the plugin(s)

$plugins[0] = 'avelsieve'; $plugins[1] = 'javascript_libs'; //

only if using a newer version of avelsieve. See avelsieve page Access the Webmailer (http://<SLS_server_name>/webmail/ and check the filter connection.

SquirrelMail is the default webmailer in SLS. You can use the plugin avelsieve to manage server side mail rules. Download avelsieve (I recommend version 1.9.9) and unpack in directory /usr/share/squirrelmail/plugins (so that directory avelsieve is within the plugins dir).Note that you also need to download javascript_libs plugin, if you use a recent version (>=1.9.8) of avelsieve.If you need the javascript_libs plugin, also unpack it in squirrelmail’s plugins dir.

Then edit the file plugins/avelsieve/config/config.php (copy config_sample.php to config.php if not exisiting).Change the authentication mechanism to

$sieve_preferred_sasl_mech = 'PLAIN';

Edit file /usr/share/squirrelmail/config/config.php and register the

plugin(s):$plugins[0] = 'avelsieve';$plugins[1] = 'javascript_libs'; //

only if using a newer version of avelsieve. See avelsieve page Access the Webmailer (http://<SLS_server_name>/webmail/ and check the filter connection.

Roundcube: Sorrily Apple decided to use the old-fashioned, ugly SquirrelMail webmailer and not RoundCube. RoundCube is much nicer and also the “managesieve” plugin available for it is much better than avelsieve in SquirrelMail. Luckily you can install RoundCube on your SLS without harming the default installation.

Enable managesieve plugin ManageSieve plugin comes with RoundCube. To enable it, edit file roundcube/config/main.inc.php:

$rcmail_config['plugins'] = array('managesieve');

Then edit file plugins/managesieve/lib/Net/Sieve.php comment line

var $supportedAuthMethods=.... (comment with //)

uncomment line

var $supportedAuthMethods=array( 'PLAIN' , 'Login' );

Set timezone:

date.timezone = Europe/Berlin

Now test roundcube by accessing http:///roundcube/ Login as a user you like to change server side rules for. Click on “Settings” in the upper right corner, then on Filter. If you see the page and no error occurs, you are successfully connected to the sieve backend of IMAP! You now can create your rules.

The good thing is, that every rule managing application (Apple web rule management, SquirrelMail, RoundCube) you use, store its own file. So one app is not overwriting the others config file. This is of importance if you enable the apple built-in crippled rule management and store the rules, there. This creates an own file “wiki_server_rules.sieve” in your sieve script dir and enables it by the link dovecot.sieve -> wiki_server_rules.sieve

I found Roundcube to be extremely easy to setup, however sort of hard to configure and tweak for use on an OSX Server. The biggest drawback to the old mail system was that while everyone had email accounts they were local accounts meaning their was no LDAP database at work so there was no way to have an auto complete or global LDAP address book that most of the people at our organization really craved. I decided that when moving to 10.6.2 we would have to get this feature established and I am documenting this here clearly as I found there was limited documentation for and I know there are many people using 10.6.2 and Roundcube together.

Once Roundcube is installed head over to main.inc.php in the Roundcube config directory. I wanted the user to have access to the LDAP address book and also have the ability to have their own so on this line make sure that SQL is chosen as the primarty type of address book if this is your intent.

1

$rcmail_config['address_book_type'] = 'sql';

in the main.inc.php file the LDAP settings are kind of tricky. It gives you an example of a functional LDAP setup below for an organization named Verisign locate these lines in the main.inc.php file

1
2
3

// In order to enable public ldap search, configure an array like the Verisign
// example further below. if you would like to test, simply uncomment the example.
$rcmail_config['ldap_public'] = array(Verisign);

Notice that the third line is un-commented meaning that it is an active setting. Which means that what we are about to do below will not register until we comment out this line otherwise there will be two active configurations and neither will work this really tripped me up and had me stumped for days until I realized that I had two

1

 $rcmail_config['ldap_public']

attributes at work at the same time so next comment this out as below.

1
2
3

// In order to enable public ldap search, configure an array like the Verisign
// example further below. if you would like to test, simply uncomment the example.
// $rcmail_config['ldap_public'] = array(Verisign);

Once this is done go down to the example below and start uncommenting the LDAP configuration lines one by one and filling out the information as you go here is an example of my configuration for the Name use whatever name you want the address book to show up as in the roundcube address book area. Your host name should be the fully qualified domain name of your directory server. Your default port on an ODM is 389. Only use TLS if you are using a secure SSL connection and always use User Specific so that the user is what is causing the OD Bind during lookups rather than the Directory Admin.

1
2
3
4
5
6

$rcmail_config['ldap_public']['Verisign'] = array(
  'name'          => 'Company Name',
  'hosts'         => array('fullyqualified.domainofdirectoryserver.com'),
  'port'          => 389,
  'use_tls'	    => false,
  'user_specific' => true,

Next you must define the Base Search DN which is always your fully qualified domain name split up using dc= so if your directory name was directory.verisign.com then your base dn would be dc=directory, dc=verisign, dc=com. Here is what is not documented in many places it took me a long time to figure out that the Bind DN must have an active user or the directory admins UID here as well as cn=users, so that it knows how to find that user. I also configured mine to be non writable because I was unsure how safe this would be with the ODM.

1
2
3
4

  'base_dn'       => 'dc=fullyqualified,dc=domainofdirectoryserver,dc=com',
  'bind_dn'       => 'uid=DirAdmin,cn=users,dc=fullyqualified,dc=domainofdirectoryserver,dc=com',
  'bind_pass'     => 'DirAdmin_Password',
  'writable'      => false,

In order to get an actual accurate listing in the address book you must tweak the settings to include the specific user settings int he ODM LDAP directory.

1
2
3
4
5
6
7
8
9
10
11
12
13

  'LDAP_Object_Classes' => array("top","person","inetOrgPerson","abxldapPerson"), 
  'required_fields'     => array("givenName", "cn", "sn", "mail"),    
  'LDAP_rdn'      => 'mail', 
  'ldap_version'  => 3,      
  'search_fields' => array('givenName', 'cn', 'sn', 'mail'),  // fields to search in
  'name_field'    => 'cn',    
  'email_field'   => 'mail',  
  'surname_field' => 'sn',   
  'firstname_field' => 'givenName', 
  'sort'          => 'givenName',    
  'scope'         => 'sub',  
  'filter'        => 'givenName=*',     
  'fuzzy_search'  => true);

These settings will help you establish the correct mappings to Last Name, First Name, Email Address and Full Name or Given Name. These settings were very hard to find as there was limited documentation on both Apples part and on the Roundcube forums. Once done here I set it up to auto complete from the sql address book first and then to default over to the LDAP address book.

1
2
3

// An ordered array of the ids of the addressbooks that should be searched
// when populating address autocomplete fields server-side. ex: array('sql','Verisign');
$rcmail_config['autocomplete_addressbooks'] = array('sql','Verisign');

In parting my only piece of advice is to use the configuration here and remove the term Verisign and replace that variable with one that makes sense for you and your organization. Lastly if this does not work make sure that you have the correct domain name of the server and also ensure that you have enabled users to access the LDAP directory in Workgroup Manager.

I setup the 10.6.2 Snow Leopard server clean before I did anything I setup DNS on the server and manually retyped and rechecked all of the DNS records from the 10.5 server to the 10.6.2 server. Once I verified that the DNS records were set. I checked the server’s DNS by running sudo changeip -checkhostname and it came back clean. Great good to go, or so I thought.

I had setup split horizon DNS on the server, the Open Directory Master, has already been setup on a single use Mac Mini Server. The Mac Mini Server is running the ODM and DNS. The DNS on the Mini is self referencing and my router has the public ip mapped to the private. The new Mail server (10.6.2) also running DNS had a record pointing to the public ip of the ODM. Great, next step bind the mail server to the ODM so that I can start to migrate mail accounts.

I was working on this project around 10:00pm in the evening not knowing how long that it would take to migrate the accounts from Cyrus to Dovecot, but I had studied the Apple upgrade instructions for weeks prior so I felt like I had it totally under control. I followed the instructions and used the code from page 42 of the manual.

1

sudo /usr/libexec/dovecot/migrate_mail_data.pl --moveMail 0 --cyrusBin "/Volumes/10.5 Server Volume Name/usr/bin/cyrus/bin" --database "/Volumes/10.5 Server Volume Name/var/imap" --sourceSpool "/Volumes/10.5 Server Volume Name/var/spool/imap" --targetSpool "/var/spool/imap/dovecot/mail"

The script will tell you if your doing something wrong, which is helpful. My biggest question was how long would it take to migrate 30GB of mail to the new mail server. The answer, exactly two hours. I had decided that instead of using a firewire cable to connect the two servers together that I would simply pop the HD out of the old mail server and put it into the new server. This made a huge difference in the time of migration.

Once it finished I turned on mail, and everything started working fine. Great! I cleaned up my tools and logged out of the server and went home around 2am. The next few days were pure hell. As mentioned above I decided to use split horizon DNS. It was my first attempt at doing this and what I had noticed in the logs were a myriad of disconnect warnings every 5 min the mail server was getting disconnected from the ODM and then reconnecting causing some major issues.

The log files were filling up so fast that they were causing kernel panics, I had to reboot the server many times once every couple of hours, I decided to call Apple. The Apple representative captured my logs, and promptly told me that I would have to reformat the hard drive and completely start over. I told him that this was a clean install and that no way would I be starting over. He offered no other solution or advice other than telling me that it was not normal for a new server to have kernel panics this early in the game.

I decided to check my DNS turns out that the route statement in the router, was not properly entered. It was getting to the server but it was unable to retain a connection. I re-entered the route statement correctly and then rebooted the router. Almost immediately the issues stopped. Apple has come a long way in their migration capabilities if your ever having issues with your 10.6.2 mail service DNS is almost always the culprit!