DIYMacServer

Protect yourself against the new Trojan

Richard — Wed, 25 Jun 2008 18:17:07 +0000

While I still have my doubts about this news about a Trojan for OS X. I think it’s better to be safe than sorry, as my server has been hacked before, and I do use Apple’s Remote Desktop feature. I found this simple method that should prevent any issues coming in from that vulnerability. Just run the following command in a Terminal session:

sudo chmod -R u-s /System/Library/CoreServices/RemoteManagement/ARDAgent.app

This will disable the use of using this program to get root access. More on this on the TidBits website.

The other thing to help you prevent any Trojan is never to install any programs, how much fun they might be, on your server that you don’t need!

Updated the Apache documentation set

Richard — Sun, 15 Jun 2008 12:46:16 +0000

I found out that while I was installing the new Apache version that some of the documentation was still outdated or did not properly reflect the state of things on Leopard. For instance, I still referred to a blog post instead of a proper documentation page for compiling Apache on Leopard. The startup script still was done in the old fashioned way instead of using the new launchd daemon.

So I did a small overhaul of the Apache documentation and separated the Tiger and Leopard instructions as I’ve done with all the other stuff. I hope this makes it all a bit clearer.

Leopard:

Tiger:

For both:

Leopard:

Starting Apache at boot on Leopard

Tiger:

Starting Apache at boot on Tiger

Apache updated to 2.2.9

Richard — Sat, 14 Jun 2008 18:15:55 +0000

I got an email today from the Apache announcement mailing list that a new version was released today. I’ve downloaded version 2.2.9 and compiled it right away on my Leopard test machine. I was surprised that there weren’t any problems with the SSL module, there where no changes or fixes listed on the SSL module. It all worked as you normally would expect. It was almost like the the SSL issues on 2.2.6 and 2.2.8 never existed. The only problem I have with this is that I don’t know how or why the problem is solved.

I’ve even tried it on my production server to see if that would work and it did.

This version has besides several bugfixes tw osecurity fixes so please upgrade to this version whenever possible. Read all about the changes in the 2.2.9 changelog.

To help I’ve written some instructions on how to upgrade your Apache installation in the least painfull way with a possibility to go back if something goes wrong: Upgrading Apache

IMPORTANT: Courier-Auth updated to 0.60.6

Richard — Sun, 08 Jun 2008 19:55:09 +0000

There is a important security release of Courier-Auth, in the older versions Courier-Auth has an SQL injection exploit. This release should prevent any further security threaths. This release has the following changes:

Use mysql_set_character_set() instead of SET NAMES. This fixes a SQL injection possibility with MySQL databases that use non-Latin character sets.

This bug will affect you and I advise you to upgrade as soon as possible. I’ve upgraded al servers without a problem. If you want to upgrade your installation please read my upgrade instructions for Courier-auth.

Why have your own mail server

Richard — Thu, 05 Jun 2008 19:43:45 +0000

People often ask me why I have my own mail-server. Why spend all this time and money on having your own server when there are a lot of free email services that do everything you want and more for nothing. I don’t think I have to give you any examples you know the ones they mean. I tell them the following:

Because I can and because I like it!

I like to have my own mail-server because I like to be in control. I decide the features. I decide what happens with my email. I decide when email is spam. I decide the size of my inbox. I decide what is secure enough. I decide who gets access to my mail. Especially the last two are becoming more and more important when governments become more and more paranoid.

Another reason which, I guess, is only valid for geeks: It’s fun! You really get to understand the workings of email, spam filtering, and more. By configuring, tweaking and reading the log-files you really get to understand what happens and how you can improve your own mail-server.

Why did you choose to have your own mail-server ?

The benefit of having two Mac mini servers

Richard — Sun, 01 Jun 2008 13:45:08 +0000

Since having a Mac mini at Macminicolo.net I currently have the luxury position of having two Mac mini’s connected to the internet. This gives me the ability to try new configurations for the DIYMacServer setup.

The first thing I tried, now I’ve got everything migrated, was getting my home server to work as a backup MX server. I found out that it was pretty straightforward and adding one line to the main configuration made it work.

I’ve added it to the documentation set, so if you have the same luxury as I have and have more than one server connected you could use the this as well. Read how to do it here: Configuring a backup (relay) MX server.

Mac OS X 10.5.3 and security update 2008-003

Richard — Sat, 31 May 2008 09:52:11 +0000

I’ve just finished updating all my Mac’s with either Mac OSX 10.5.3 for the Leopard machines or the security update 2008-003 for the Tiger machines (yes I still have a Tiger machine for support purposes). Both updates went without any problem and my setup was not affected in a negative way. Every item had started after the reboot and worked according to expectations.

If you want to read more on what is affected in the updates I would suggest reading the Apple support site for the 10.5.3 update and the 2008-003 security update.

In case of doubt, please make a full bootable disk image backup with Cabon Copy Cloner.

Tis was my first major update of the server located in the Macminicolo.net datacenter. It’s a bit scary as I have had the experience of a freeze of the computer after a big update before. But it that time the server was sitting in a cupboard at home within reach. If that happens now I would be at the mercy of Brian. He normally responds very quickly on my emails and iChat request so it might take a bit longer to get the machine back online because he is in a very different time zone. Therefore I schedule these critical activities at a time where I know he is available.

Update: It is always good to wait a few days and monitor the blogosphere and forums to see if there are any major issues with the last update. It’s good to be prepared!

Courier-Auth updated to 0.60.5

Richard — Sun, 18 May 2008 17:28:45 +0000

In the continuing endeavour of improving the quality of his software Sam Varshavchik has released a small upgrade (bug-fix) to the Courrier-auth daemon. This release has the following changes:

Fix an authmysql bug with account names that do not have an explicit domain

This bug might have affected you as this is the module we use in our setup. If you want to upgrade your installation please read my upgrade instructions for Courier-auth.

Postfixadmin upgraded to 2.2.0

Richard — Sun, 11 May 2008 19:11:19 +0000

After more then 3 years there is a new release of Postfixadmin, the webbased tool to allow you to maintain your postfix mailserver installation. It assist in the creation of mail adresses and aliases.

New is the all in one interface where the super user and the domain admin will work. In the 2.1.0 there was a subdirectory called admin which needed to be secured extra. It is now an all in one interface.

The new version still has the same problem as the old one in sending the SMTP commands to fast which will result in the error:

BD5DAF029E: reject: DATA from localhost[127.0.0.1]: 503 5.5.0 : Data command rejected: Improper use of SMTP command pipelining; from= to= proto=ESMTP helo=

This will easily be solved by again editing the ‘functions.inc.php‘. Open the file and find the function ‘smtp_mail‘. Change the following code:

fputs ($fh, "EHLO $smtp_server\r\n");
$res = smtp_get_response($fh);
fputs ($fh, "MAIL FROM:<$from>\r\n”);
$res = smtp_get_response($fh);
fputs ($fh, “RCPT TO:<$to>\r\n”);
$res = smtp_get_response($fh);
fputs ($fh, “DATA\r\n”);
$res = smtp_get_response($fh);
fputs ($fh, “$data\r\n.\r\n”);
$res = smtp_get_response($fh);
fputs ($fh, “QUIT\r\n”);
$res = smtp_get_response($fh);
fclose ($fh);

into

fputs ($fh, "EHLO $smtp_server\r\n");
$res = smtp_get_response($fh);
usleep(10000);
fputs ($fh, "MAIL FROM:<$from>\r\n”);
$res = smtp_get_response($fh);
usleep(10000);
fputs ($fh, “RCPT TO:<$to>\r\n”);
$res = smtp_get_response($fh);
usleep(10000);
fputs ($fh, “DATA\r\n”);
$res = smtp_get_response($fh);
usleep(10000);
fputs ($fh, “$data\r\n.\r\n”);
$res = smtp_get_response($fh);
usleep(10000);
fputs ($fh, “QUIT\r\n”);
$res = smtp_get_response($fh);
fclose ($fh);

Full instructions on how to upgrade your current 2.1.0 installation to 2.2.0 can be found here: Upgrading Postfix Admin 2.1.0 to 2.2.0

Courier-Auth updated to 0.60.4

Richard — Sat, 10 May 2008 19:08:15 +0000

In the continuing endeavour of improving the quality of his software Sam Varshavchik has released an upgrade to the Courrier-auth daemon. This release has the following changes:

Cleaned up authmysql module — allow punctuation in userids and passwords
Dropped the unmaintained authvchkpw module

If you want to upgrade your installation please read my upgrade instructions for Courier-auth.