I have been playing around with two pieces of software that promise to help bring back this lost functionality in an easy to use GUI tool and perhaps even restore a little sanity to running a website on Lion. The first application that I reviewed was called VirtualHostX.

VirtualHostX 3.0 is the easiest way to host and share multiple websites on your Mac. It’s the perfect solution for web designers working on more than one project at a time. (Aren’t we all?) No more nesting folders or asking the programmer across the cubicle for help. With VirtualHostX you can easily create and manage Apache virtual hosts with just a few clicks.

The other feature that I love about this tool is that you can share a private webpage or site that you are working on, that is not publicly available and share it with anyone publicly through a secure password protected connection. This is great if you need to show people updates of your site and their not on the local subnet. This tool allows you to code custom directives (If you need a list you can check out my last post Missing Manual). 

Out of the box this product works with popular platforms like WordPress and it uses the built in Apache that comes with OSX. Alternatively you can even set it to manage any instance of apache on your server.

Lastly you can even backup the changes that it makes to your system so that you can performa  seamless migration or just for your own peace of mind. I love this software and its an amazing alternative to using the Server app.

The other tool that I found that handles Apache administration on 10.7 is WebMon. Webmon does not look as cool as VirtualHostX however it does have greater support for Custom Directives out of the box in the form of GUI interface.

WebMon configures OS X’s built-in web server to support server-side includes, execCGI, PHP, SSL (including support for inserting Intermediate CA certs) and WebDAV, for multiple domains running on the same server.

With WebDAV turned on, your web server acts like an iDisk, allowing you to connect to the WebDAV folder remotely, securely, and directly from the Finder, so you can save, share, and distribute your files and folders. You can also use the WebDAV folder to share your iCal calendars.

WebMon also helps you set up the web server so that you can monitor its log file from a remote machine. WebMon is able to help you monitor any number of web servers from a single remote machine.

With WebMon you can setup and manage SSL Certificates, turn on CGI Support and much much more. This tool certainly restores almost all of the lost functionality . If you run multiple Web Servers than you might also like its built in monitoring service that makes sure that Apache is running soundly on other systems.

The great thing about both of these solutions is that they work well together, so you can use both or one of them but for the beginner web server administrator these tools restore a little more control when it comes to Apache administration.

I hope that you all found this article and walkthrough educational, as always please feel free to interact with me by posting questions and comments and I will answer them as best as I can. If you feel like any of this is wrong or could be improved upon also please leave a comment below, thanks!

The purpose of this entry is to talk about 10.7 server and show you how to accomplish everything that you could accomplish from the Server Admin application through commands using terminal or edits to system files in the operating system. Everything below requires that you be logged in as the root user on the server in order to avoid permission issues.

How to enable PHP 
Run this command to check if PHP is enabled on 10.7 server.

1

cat /etc/apache2/httpd.conf|grep libphp5.so

If the output is

1

LoadModule php5_module libexec/apache2/libphp5.so

and not

1

#LoadModule php5_module libexec/apache2/libphp5.so

then PHP is enabled. If it is the other way around with a # in the beginning of the line you can just edit the httpd.conf file manually with

1

sudo pico /etc/apache2/httpd.conf

and remove the bracket manually and then restart the web server with

1

sudo apachectl restart

Alternatively you can also enable this via a checkbox in the terrible server.app in 10.7.

How to change the default file type 
By default the landing page on all new sites is index.html if you would like to change this or the order in which a webpage searches for the index page then you need to change the default file type.

To do this edit the configuration file appropriate to your site name. Meaning you have to have already configured a site in the 10.7 server.app program once you have a site then you need to edit the site configuration file. If your site was called apple.com then your site configuration would be in /etc/apache2/sites/apple.com.conf or something like that.

You need to edit that file

1

pico /etc/apache2/sites/nameofyoursite.conf

look for the following in the file

1
2
3

<IfModule mod_dir.c>
    DirectoryIndex index.html
</IfModule>

If you want to change the main page to index.php instead of index.html then replace index.html with index.php. If you want to add it as a secondary load page then you can change it to this.

1
2
3

<IfModule mod_dir.c>
    DirectoryIndex index.html index.php
</IfModule>

once done save and restart apache.

1

sudo apachectl restart

How to enable .htaccess 
If you are going to be using mod_rewwrite at all for redirects or pretty permalinks (which is very common now) then you need to have this enabled. Again as stated before you have to have a site setup on the server through the server.app program. Once done locate your configuration file as outlined above and make the following changes.

1

pico /etc/apache2/sites/nameofyoursite.conf

Once your in the file look for something that looks similar to the following.

1
2
3
4
5
6

<Directory "/Users/yourname/Sites/">
     Options Indexes +MultiViews
     AllowOverride All
     Order allow,deny
     Allow from All
</Directory>

It won’t look exactly the same but what you want to do is replace it with what you see above that will enable the .htaccess or mod_rewrite the line of code that actually does this is the “AllowOverride All” command.

How to enable WebDav
To configure WebDAV Sharing for such users, follow these instructions before enabling any WebDAV share points.

Note: The instructions in this article include editing configuration files. You must have root access to edit these files. You should make a backup copy of each file prior to editing it.

This step is optional but highly recommended: Acquire and install a trusted SSL certificate, and use Server App to configure Web Service to use the certificate. You can use the server’s default, self-signed certificate for WebDAV Sharing, but iWork and other applications may warn that the certificate is “invalid”.

You need to edit the following configuration file

1

pico /etc/apache2/httpd_webdavsharing.conf

Find the line “AuthType Digest” change Digest to Basic. This makes WebDAV Sharing use Basic authentication, which is required for Active Directory users.

Now edit this configuration file

1

pico /etc/apache2/webapps/com.apple.webapp.webdavsharing.plist

find these lines

1
2

<key>sslPolicy</key>
<integer>0</integer>

Change the 0 to 1. This makes WebDAV Sharing require SSL, which is the only secure way to use Basic authentication. Advise users to configure the iWork clients on their iOS devices with an “https” WebDAV URL, like: https://example.com/webdav

How to enable the directory listing 
Again as stated before you have to have a site setup on the server through the server.app program. Once done locate your configuration file as outlined above and make the following changes.

You need to edit that file

1

pico /etc/apache2/sites/nameofyoursite.conf

find the words “AllowOverride” in that block where these words are you need to add this line. This line may already be in your file but it may be different simply update it to reflect these changes

1

Options -Indexes FollowSymLinks

How to enable SSI
If you need to use Server Side Includes in your scripts or website files then do the following to enable it.

1

sudo pico /etc/httpd/httpd.conf

look for these lines

1
2

# AddType text/html .shtml
# AddHandler server-parsed .shtml

Uncomment those 2 lines (remove the # in front of each of them). Now look in the same file for the following

1

Options FollowSymLinks

Add “Includes” to the 2nd line so it looks like

1

Options FollowSymLinks Includes

save the file and restart apache

1

sudo apachectl restart

How to enable VHOSTS
VHOSTS or Virtual Hosts enable you to have multiple domain names mapped to the same site or IP address. To enable this edit the httpd.conf file

1

sudo pico /etc/apache2/httpd.conf

find this line

1

#Include /private/etc/apache2/extra/httpd-vhosts.conf

change it to

1

Include /private/etc/apache2/extra/httpd-vhosts.conf

this will effectively enable VHOSTS. Now you should restart apache.

1

sudo apachectl restart

How to enable CGI
Again as stated before you have to have a site setup on the server through the server.app program. Once done locate your configuration file as outlined above and make the following changes.

1

pico /etc/apache2/sites/nameofyoursite.conf

Once your in the file look for something that looks similar to the following.

1

     Options Indexes +MultiViews

It won’t look exactly the same but what need to do is add “-ExecCGI” after “+MultiViews” it should look something like this.

1

     Options Indexes +MultiViews -ExecCGI

This will enable CGI and allow you to run CGI scripts in Apache. Now you should restart apache.

1

sudo apachectl restart

How to enable Logging
This one boggled my mind, by default website logging is not enabled and again there is no way to enable it in the GUI. You will want to have this enabled to catch errors and fix faulty code. To enable this again we are assuming you already have a site configured with the server.app program. Once done locate your configuration file as outlined above and make the following changes.

1

pico /etc/apache2/sites/nameofyoursite.conf

find the line “DocumentRoot”, Under that line paste the following

1
2

CustomLog "/var/log/apache2/access_log" combinedvhost
ErrorLog "/var/log/apache2/error_log"

it should now look like this

1
2
3

DocumentRoot "/path/to/your/website/"
CustomLog "/var/log/apache2/access_log" combinedvhost
ErrorLog "/var/log/apache2/error_log"

Now you should restart apache.

1

sudo apachectl restart

How to add a domain alias
This is a common thing that most web admins do to map domains to a single site. This again has been removed from the functionality of the server.app on 10.7 server but is a pretty easy to add. To enable this again we are assuming you already have a site configured with the server.app program. Once done locate your configuration file as outlined above and make the following changes.

1

pico /etc/apache2/sites/nameofyoursite.conf

in the site definition file, look for a line that says

1
2

ServerName example.com
ServerAlias www.example.com

where example.com is the domain of your site. You can have more than one alias, just separate them by a spaces on the same line like so.

1
2

ServerName example.com
ServerAlias www.example.com alias2.example.com alias3.example.com

Now you should restart apache.

1

sudo apachectl restart

How to restore factory settings to 10.7 Web Service
This one is important. As stated above you should be backing up these config files before you edit them and then making your changes. In the event that something went wrong you can always reset them back to the original settings.

Run this command

1

sudo serveradmin command web:command=restoreFactorySettings

I got this command by calling Apple directly they also suggested restarting the machine after the restore command, once the computer is back up turn off and then turn on web service to ensure it is working propperly.

Conclusion
All of these commands allow you to leverage Apache and accomplish the tasks that were once easy to accomplish with the Server Admin tool in 10.6 server. There are two options here, learn to love the command line or do not upgrade to 10.7 Lion. Apple is streamlining their GUI interfaces for their tools however there is still power under the hood. Do not be afraid to re-configure these systems Apache, PHP and MYSQL can be installed, modified and improved all from the command line and in some cases they work better after you do. Its not time to quit in my opinion its time to roll up our sleeves and start learning the core of what makes an OSX server truly great and that starts with understanding the open source software that comes bundled with them.

I hope that you all found this article and walkthrough educational, as always please feel free to interact with me by posting questions and comments and I will answer them as best as I can. If you feel like any of this is wrong or could be improved upon also please leave a comment below, thanks!

“I just setup a new server and within days we were on a corporate email blacklist, I contacted the company in question and asked why are we on your blacklist, why won’t you deliver our email. They shared with me an email log of thousands of emails being sent from my mail server through several legitimate email accounts. I ensured that my server was not an open relay so I asked these users, if they had indeed sent this many emails in one shot without any kind of unsubscribe link in the footer of their email. They had! I was so shocked, now what do I do?”

This is an uncomfortable and very perilous position. You want to allow your users to send email to get their job done however you as a systems administrator need to comply with the “Can Spam Act” passed by the FCC to ensure that email continues to flow. You also have companies out there who will block you for violating this act as a precaution on their part. All the while your users can not be bothered to learn about proper email procedures.

In my experience the only thing you can do at this point is to limit how many emails are allowed to be sent at any given time. If you are using OSX Server for Mail or Postfix for Sendmail then this walkthrough will talk about how to limit email recipients and stay off those dreaded blacklists.

Here are the basics that you should know, the following are all settings that can be added to the /etc/postfix/main.cf file of your postfix setup.

smtpd_recipient_limit (default 1000) parameter controls how many recipients the SMTP server will take per message delivery request. You can’t restrict this to a to/cc/bcc field – it’s for all recipients. For that you’d have to use a regular expression in header_checks to arbitrarily limit the length of each header to something reasonable.

smtpd_recipient_overshoot_limit (default 1000) The number of recipients that a remote SMTP client can send in excess of the hard limit specified with smtpd_recipient_limit, before the Postfix SMTP server increments the per-session error count for each excess recipient.

smtpd_hard_error_limit (default 20) parameter to know at what number of errors it will disconnect.

So you technically need to consider the 3 values here which affect both inbound & outbound mail. Then there’s the throttling tools.

smtpd_client_recipient_rate_limit (default: 0 no limit) The maximum number of recipient addresses that an SMTP client may specify in the time interval specified via anvil_rate_time_unit (default: 60s -careful adjusting this affects other things)” and note that this is “regardless of whether or not Postfix actually accepts those recipients” Those over will receive a 450 4.7.1 Error: too many recipients from [the.client.ip.address] It’s up to the client to deliver those recipients at some later time.

smtpd_client_connection_rate_limit (default: 0) The maximal number of connection attempts any client is allowed to make to this service per time unit. The time unit is specified with the anvil_rate_time_unit configuration parameter.

smtpd_client_message_rate_limit (default: 0) The maximal number of message delivery requests that any client is allowed to make to this service per time unit, regardless of whether or not Postfix actually accepts those messages. The time unit is specified with the anvil_rate_time_unit configuration parameter.

The purpose of these features are to limit abuse, as opposed to regulating legitimate mail traffic, but I use them that way in order to mitigate spam blacklisting. In my organization we limit the recipients from one email to 25 you can see the code from my sample /etc/postfix/main.cf. If your file does not have these values you can add them to the bottom of the file.

1
2
3
4
5
6
7
8
9
10

smtpd_recipient_limit = 50
smtpd_recipient_overshoot_limit = 51
smtpd_hard_error_limit = 20
smtpd_client_recipient_rate_limit = 50
smtpd_client_connection_rate_limit = 10
smtpd_client_message_rate_limit = 25
default_extra_recipient_limit = 50
duplicate_filter_limit = 50
default_destination_recipient_limit = 50
smtp_destination_recipient_limit = $default_destination_recipient_limit

Once done you need to restart postfix

sudo postfix reload

I hope that you all found this article and walkthrough educational, as always please feel free to interact with me by posting questions and comments and I will answer them as best as I can. If you feel like any of this is wrong or could be improved upon also please leave a comment below, thanks!

Installation & Configuration

1. Download and install the 64-bit 10.6+ version of MYSQL installer package together with the startup files here.

http://dev.mysql.com/downloads/mysql/

2. Mount the Disk Image (I mean open/double-click the DMG file) and install MySQL server by double-clicking the PKG file (in my case mysql-5.5.14-osx10.6-x86_64.pkg) and follow onscreen instructions. ( It will ask for Master password, as it installs MySQL server in /usr/local )

Current latest version is 5.5.14 which I’ll be using to install on my server.

Open the DMG and you will see that the first item is the MySQL software, the 2nd item allows MySQL to start when the Mac is booted and the third is a System Preference that allows start/stop operation and a preference to enable it to start on boot. Run all of these.

Once the installs are done you can start the mysql server right from the System Preferences which has a new preference in the “Other” category called “MySQL” click start and now it is running.

To find the MySQL version from the terminal, type at the prompt

1

/usr/local/mysql/bin/mysql -v

If you got the error: ERROR 2002 (HY000): Can’t connect to local MySQL server through socket ‘/tmp/mysql.sock’

then mysql was not started, go back to the System Preference and start the database.

3. Run the following commands

1
2
3

cd /usr/local/mysql
cp /usr/local/mysql/support-files/my-small.cnf /private/etc/my.cnf
open -e /private/etc/my.cnf

replace “/tmp/mysql.sock” with “/var/mysql/mysql.sock” at two places near the top.
Create a folder called “mysql” (if you don’t already have one) in the /var directory with the right permissions:

1
2
3
4

cd /var
mkdir mysql
sudo chown -R mysql mysql 
sudo chmod 775 mysql

This command will circumvent the dreaded mysql 2002 socket error.

1
2

sudo mkdir /var/mysql
sudo ln -s /tmp/mysql.sock /var/mysql/mysql.sock

4. Create your alias, this is important so that you can run MYSQL queries through the terminal.

1
2

alias mysql /usr/local/mysql/bin/mysql
alias mysqladmin /usr/local/mysql/bin/mysqladmin

optionally you can edit the ~/.profile file to make your aliases (This should be done as root)

1

pico ~/.profile

then add this line below

1

export PATH=/usr/local/mysql/bin:$PATH

*Please note /usr/local/mysql is only symlink to /usr/local/mysql-5.5.14-osx10.6-x86_64 which means when you upgrade to new version symlink will be changed to point to new version but won’t be deleting the older version. However you need to copy your data directory to new location to make sure your existing databases are intact post upgrade.

5. Set the master MYSQL password, there are 2 ways to do this one is a regular way and the other provides additional security and disables all other access

Regular Way

1

mysqladmin -u root password 'yourpasswordhere'

** use the single quotes. Then when login to mysql to test your password

1

mysql -u root -pyourpasswordhere

Secure Way

1
2
3
4
5
6
7
8
9

sudo mysql_secure_installation
 
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MySQL to secure it, we'll need the current
password for the root user. If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):

Go ahead and just hit enter if this is a new installation and no password currently exists, follow the prompts to set up a new root password – this is a root password just for mysql separate from the root password of OS X you should set this.

You also get asked about:

• Removing anonymous users?
• Disallow root login remotely?
• Remove test database and access to it?
• Reload privilege tables now?
• If this is a new installation you can just answer yes to the questions.

Once the root user and password is set, you have to interact with mysql with the username and password, so access via command line is (note that there is no space between -p and the password)

1

mysql -u root -p[password]

Now that you have MYSQL running you need to start an instance or a main profile for MYSQL to run. I have found the easiest way to do this is to install PHPMYADMIN and since most people in my opinion (Again novice to intermediate MYSQL user here) use this great tool to navigate around MYSQL on a daily basis. Here is a brief walkthrough on how to install and configure PHPMYADMIN on 10.7 Lion Server

Installation & Configuration

1. Change the socket location in your PHP configuration by editing the php.ini file. You need to do a search and replace here. Search and replace all instances of

/var/mysql/mysql.sock

with

/tmp/mysql.sock

Once done you should be able to run the following command and it should reflect the new updated values you just applied.

1

grep .default_socket /etc/php.ini

while editing the php.ini file you need to comment out or enable the following extensions.

extension=php_mysql.dll
extension=php_mysqli.dll

To check your work again you can run this command to ensure they are enabled.

1

grep mysql /etc/php.ini|grep ext

Once done restart Apache

1

sudo apachectl restart

2. Download PHPMYADMIN to the default web directory in Lion

http://www.phpmyadmin.net/home_page/index.php

The full path is

/Library/Server/Web/Data/Sites/Default

I put my PHPMYADMIN in a folder called PHP so

/Library/Server/Web/Data/Sites/Default/PHP

and I could then browse to it by going to

http://server.domain.name/PHP/

this is assuming that you have already configured or turned on web services which I will not go into here since it is a very basic step. I will write a more in depth article and how to on the complexities of running an 10.7 web server in the future however.

Run this command on the PHP Config folder

1

chmod o+w /Library/Server/Web/Data/Sites/Default/PHP/config

3. Now we are ready to run the set up by going to

http://localhost/PHP/setup

The new server to be configured is the localhost, click new server and then the only other configurations are the local mysql user and the password.

Add in the username, by default “root” is assumed, add in the password, click on save and you are returned to the previous screen.

Make sure you click on save, then a config.inc.php is now in the /config directory, move this file to the root level of /phpmyadmin and then remove the empty /config directory.

Now going to http://localhost/PHP/ will now allow you to interact with your mysql databases.

I hope that you all found this article and walkthrough educational, as always please feel free to interact with me by posting questions and comments and I will answer them as best as I can. If you feel like any of this is wrong or could be improved upon also please leave a comment below, thanks!

Again, since I do not have any looming restrictions in my workplace I have found a piece of software that would never be allowed in larger Government facilities but works nicely for what I need. The problem, from time to time I need to re-image or re-core a massive amount of computers, sometimes hundreds of computers. I have a team of two, me and a Helpdesk Technician. This is a daunting task and since I do not like to work weekends, I find that Deploy Studio Server helps me keep my sanity in such situations.

This freeware tool can be used to create deployment files using Netboot, external USB or FireWire drives, or any AFP, SMB, or NFS sharepoint on the network. DeployStudio works with Mac OS X 10.4.11 to 10.6.8 at this point, and is updated regularly to include new OS versions. The package consists of DeployStudio Server, DeployStudio Assistant, DeployStudio Admin, and diffPackageMaker.

DeployStudio Server creates a network based deployment server containing the images. Assistant is used to configure the server and to create the NetInstall sets, while Admin is used to monitor deployments, manage disk images and scripts, enter configurations, and more. diffPackageMaker can look at the difference between two file system snapshots and create installation packages based on what has been changed or added.

I highly recommend using this fine product if you are in the fortunate position as myself and you are not under any pressure or regulations. This requires the use of an in-house server and it installs itself as a service on it. You configure the service to deploy images that you create, and the best part is that it can perform common tasks that will save you time after the re-imaging process is completed. Tasks like setting the computer name, setting up local accounts, binding the computer to a directory server and much more. I describe it as Apple Netboot + Apple Automater = Deploy Studio Server. This is a useful tool that I highly recommend. Check out this instructional video that goes over how to set it up and use it.

I use Deploy Studio Server in my workplace and can field any questions you may have regarding its functionality, setup and configuration and ease of use. Write me a comment below and I will be happy to help!

sudo launchctl unload /System/Library/LaunchDaemons/com.apple.hwmond.plist

which initially threw an odd error, looked at the list of loaded items by running launchctl list on the server and noticed that it was gone. I restarted my XServe and sure enough it had loaded itself. Figuring that there must be something in the OS automatically loading this on each reboot I started searching ways to modify or disable hwmond on my server. In my case I needed to stop the high CPU usage so badly that I was willing to make the tradeoff, of not having hardware monitoring enabled on my system for a modicum of stability for my users, and since this was an email server it seemed like a fair tradeoff. Especially since it looked like the hwmond process could be the process that would cause the most damage to my system if it was allowed to continue and then would be the thing to notify me that the hardware had failed due to extremely high CPU usage over a long period of time. I ran across a post made by Apple http://support.apple.com/kb/TS2066 and decided to take a read, basically the issue that this resolves is hwmond not working and having a tag in the plist file that disables hwmond. Since this was my goal I did the opposite of what the knowledge base suggested, instead of removing the said code from the plist, I put the code into the plist and then rebooted my XServe.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
          <key>Label</key>
          <string>com.apple.hwmond</string>
          <key>OnDemand</key>
          <false/>
          <key>Program</key>
          <string>/usr/sbin/hwmond</string>
          <key>ProgramArguments</key>
          <array>
                    <string>hwmond</string>
                    <string>-s255</string>
          </array>
          <key>ServiceIPC</key>
          <false/>
          <key>Disabled</key>
          <true/>
</dict>
</plist>

Once the server rebooted I was back in business. My server’s CPU usage was back to normal and life was grand. Three days later, I restarted my server for an update to Virusbarrier the software I use to help block unwanted attacks on my server, and the high CPU issue returned. I looked at the hwmond.plist file and sure enough it had been re-enabled. I applied the fix above and restarted and it seemed to take. Well this is by no means a permanent fix but then I found this forum post https://discussions.apple.com/thread/3138473?start=0&tstart=0 It seems as though Apple has been informed of the issue and they are working on a fix. But as an update sceptic I find myself chuckling inside, the 10.6.9 update will claim to fix the hwomond cpu issue but what new issues will lie lurking in the wings to terrorize my system? Only Apple knows or maybe they just don’t have a clue. Hopefully they will come up with a fix, until then I have learned my lesson, I will not update my system so cavalierly in the future. I welcome your feedback and let me know what you have done to combat this issue.

1. Migrating Mailman data from one server to another.
I had many problems making sure that mailing lists, users, and archives were preserved when moving from our old server to our new server. Here are the following things you must do in order to ensure that the lists are preserved.

You must backup the old mailman lists these are more than likely stored in the /var/mailman directory

sudo cp -Rp /var/mailman /Volumes/setting-backups/

Once your ready to restore the files to the new server run

sudo cp -Rp /Volumes/setting-backups/mailman /var

the -Rp flags relate to the fact that it is a folder and that you are going to restore the permissions, once your done you will need to login through SSH or on the server itself and run

cd /usr/share/mailman/bin
sudo ./genaliases

the ./genaliases command will take the lists, and it will generate aliases for them. This plagued me for a while before I realized that when you migrate to the server, this database needs to be built.

2. Change the hostname of of your Mailman Server
I have had to do this as well, normally the mailman web interface can be found at http://example.com/mailman/admin for the administrative side or http://example.com/mailman/listinfo for the list information side. If you are going to change the hostname of your server to example2.com then you will need to use the command line tools to move the lists over.

cd /usr/share/mailman/bin
./withlist -l -r fix_url $listname -v

This will update the host names for $listname from the main configuration file, and -v shows you what the changes are. Remember to change $listname with the actual name of your list, you will have to do this for every list you can however run all of the lists at once by running the command multiple times like so.

cd /usr/share/mailman/bin
./withlist -l -r fix_url $listname -v
./withlist -l -r fix_url $listname1 -v
./withlist -l -r fix_url $listname2 -v
./withlist -l -r fix_url $listname3 -v

3. Retrieving a text list of users subscribed to a list
I have seen this question asked in almost every forum that I have visited, there are multiple ways to do this however I recently found out that Mailman has a built in tool that will automatically grant you what your looking for in the form of an email daemon. First, you must be an administrator or moderator of the list in question. Second you must know the password to the administration area for the list in question.

You can get a list of users by sending an email to the list at $listname-request@yourdomain.com where $listname is the name of your mailing list. With the the following command in the subject line and the message body.

who $listpassword

where $listpassword is the password of the list in question, the list of users will be sent back to you in the form of an email.

4. Create a Mailman auditing script
These commands can be used to export a list of users and then have that list automatically emailed to you so that you can regularly be reminded to make sure that your mailman lists are free from errors, and or people that should no longer be on the lists. I have created two scripts that do this.

Script #1: The list querying script

#!/bin/bash
 
cd /usr/share/mailman/bin/
 
./list_members -f Internal > "/scripts/lists/audit/Internal.txt"
 
touch "/scripts/lists/Internal.txt"
 
echo -e "XXX Mailing List -- For Auditing Purposes \n\n This is an automated email, please check your list of subscribers for accuracy, if there is a change that needs to be made please contact XXX, at XXX@XXX.XXX, thank you. \n\n" >> "/scripts/lists/Internal.txt"
 
cat "/scripts/lists/audit/Internal.txt" >> "/scripts/lists/Internal.txt"
 
SUBJECT="XXX Mailing List"
 
EMAIL="XXX@XXX.XXX"
 
EMAILMESSAGE="/scripts/lists/Internal.txt"
 
mail -s "$SUBJECT" "$EMAIL" < "$EMAILMESSAGE"
 
rm "/scripts/lists/Internal.txt"

This script runs the commands and generates the list, it then adds on the email text above the list of users and then sends it out as an email. I would name this script the name of the list so for example $listname.sh and then chmod the script 700 so that it is executable. You will want to use the above template for each of your mailing lists and save this into multiple scripts.

Script #2: The the scheduled script

#!/bin/bash
 
cd "/scripts/"
 
./list1.sh
./list2.sh
./list3.sh
 
rm -R "/scripts/lists/audit"
mkdir "/scripts/lists/audit"

You will want to schedule this script, I have mine set to once a month, what it does is, it runs all the scripts listed each script above uses the first template to query Mailman, generate the lists, append with email text and then send out to the list moderators.

There is a bit of trial and error here, first of all the user account must have sudo rights, so you may need to add the user running these scripts to the sudoers file or make them an administrator. Scheduling is a matter of setting up a crontab, I am using

0	0	1	*	*	/bin/bash /scripts/run.sh

this will make sure that it runs on the first day of each month.

5. Reset the Mailman master password
I do this from time to time to make sure that I and the IT Staff at our organization have access to every list on the Mailman roster, but also as a security point, the password changes once every quarter. You can do this via the command line by running.

sudo /usr/share/mailman/bin/mmsitepass

It will prompt you to enter a password, and confirm. I suggest that you choose a strong password. You can also change a single list password through the command line as well.

sudo /usr/share/mailman/bin/withlist -l mylistnamehere
import sha
m.password = sha.new('supersecretpasswordhere').hexdigest()
m.Save()
{ctrl-D}

The above will change the admin lists password and encrypt it at the same time.

Well I hope you enjoyed my Mailman tips and tricks, please feel free to tell me of any other Mailman tricks that might help out the Mac community, as always comments are very welcome!

Alright first thing you have to understand put aside any notion of running mobile access server on any other server you may already have. Mobile access server is meant to run on a gateway server. A gateway server is a server that routes traffic to multiple destinations. Meaning its a stand alone server whose primary function is to keep your private data private.It translates public requests and serves up private content. You must run mobile access server on a separate server from the servers which contain your private data.

The second mental hurdle to get over is that yes, the gateway server or your mobile access server must be on the same subnet as the other private servers for which public requests will be relayed. The server has to have some sort of direct line of communication to the private server or servers in question. The next hurdle is DNS, yes DNS can be a huge headache but here are a few things to understand.

The Public DNS that will be routed through the gateway server should point to the gateway server.

The gateway server in turn should be able to resolve all of those DNS names into private IP addresses meaning you must have internal DNS setup with the appropriate zones and records. I learned this the hard way, the Mobile Access service looks to internal DNS do not point to an external private DNS server for internal DNS it must be running on the same server as the Mobile Access service.

The last hurdle is this once DNS is setup and the service is started and you feel like you have configured everything correctly and when your so exhausted and you go to try your Mobile Access server settings and they do not work the first time, do not be surprised as I said this is a very 1.0 feature. Be prepared to check, and re-check your settings. Be prepared to start and stop DNS multiple times. Mobile Access server is a great service and works great once configured correctly.

I am now open to field questions you may have reagarding setup or ideas for further posts to explain in more detail. I hope this at least clears up some of the misconceptions that I had with the service for you ahead of time.

After many un-sucessfull attempts at using the search functionality (Spotlight), I decided to do some research on other methods for searching for files on the OSX platform. I came across the “locate” command for the Terminal.

I had never used this command before so I did some reading and I ran

1

sudo /usr/libexec/locate.updatedb

this ran the initial database rebuild which added many new entries into its database. I then ran

1

locate 'File Name here.txt'

and came up with a nice list of files on the users computer, however the problem was that all of the files we found were older revisions of the file that he had lost. I decided that the only way we were going to find his file was to use a much more aggressive approach.

I decided to use the “find” command, this works similar to the “locate” command but it searches the folder, directory or

entire volume that you want. It allows you to be as specific or as vague as you want as well. For example

1

find / -name 'filename.txt'

will search the entire volume for a file with the name filename.txt. You can also search for wildcards as well

1

find . -name '*.txt'

which will generate a list of all of the text files on the computer. Notice I used a period here instead of a slash, these are where you can customize the location of the search.

So I let this run, the “find” command is considerably slower than the “locate” command because it does not use a database rather it searches live through the hard drive on the system that you are using. After about 20 minutes letting it scan the entire hard drive, every user account and every directory we came up with a few more results but again nothing that had his new content. I was really hoping that at this point he had accidentally deleted it or something.

I decided to ask him for a phrase located in the text file that could be used as a search term. To search for a phrase in a text document in the terminal run

1

find . -name '*.xlsx' -exec grep -li 'ethiopia' {} \;

this will find any reference to the word ethiopia located in a Excel file. I let this run and again slow but effective it revealed more results but nothing. I explained to the gentleman that I could try looking at the tape backups but it would take me some time. He asked me if I could do that.

It was a long walk back upstairs, I loaded the first tape into the drive and got ready. I began the search. Not 10 minutes later did I get a phone call back saying, that he had found the file on a thumb drive that he had. Go figure, turns out that no matter how many cool ways there are to search a hard drive none of them will index a thumb drive in someones pocket.

If you poke around the bind config files on your OS X Server, you’ll be able to see how apple has set them up so that you can edit them directly without confusing the GUI. /var/named contains zone files that you may edit, and they include corresponding files in /var/named/zones which you should not edit. They’ve done something similar for /etc/named.conf and the files in /etc/dns/.

Having said that, I recommend not doing both internal and external resolving for split-horizon DNS on your server, mainly because:

1. It’s kind of complicated, and you lose any convenience you had when you were able to use the GUI exclusively
2. You have NAT, which makes it even more complicated
3. There are solutions available from third parties that are better-performing, cheap/free, and more robust

In my organization, we use DNS in Mac OS X Server extensively for the internal part of a split-horizon setup. We use the “Advanced DNS” part of a network solutions account for the external part. It comes free with the domains we’ve purchased, and has redundancy and speed far greater than what I could justify for hosting a handful or externally-resolving names myself.

You need to reconfigure BIND to use “views” with two different versions of your zone file, such that access from inside your network gives the 192.168.1/24 (internal) addresses, but requests forwarded from outside (via your 2-Wire router) give out your static public IP.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

acl internal {
    127.0.0.0/8;
    192.168.1.0/24;
};
 
view "internal" {
    match-clients { internal; };
    zone "mydomain.com" {
        type master;
        file "/etc/bind/internal/db.mydomain.com";
     };
};
 
view "external" {
    match-clients { any; };
    zone "mydomain.com" {
        type master;
        file "/etc/bind/external/db.mydomain.com";
    };
};

For more information check this out it is a How To with more detailed instructions for Split Horizon DNS configuration.