Leopard being bad, or possibly me being bad.

Viewing 2 posts - 1 through 2 (of 2 total)
  • #376562
    scorpioserve
    Participant

    Well here is my situation, I have a mac that I am putting together for a client, and they have certain requirements as they all do, but I have reinstalled 3 times and still cannot seem to get this kittycat to play nice, this is by no means the first server I have set up, in fact I have done about 50 of them and never really had too many problems; (That’s a Lie) but I have managed to get around problems before, this time I am stumped, so if you feel like reading one long winded write up, please continue.

    [b]Client requirements and fixed infrastructure on site.[/b]
    Customer has 15 client macs (leopard), they want to have a central file server, [b]AFP[/b], an [b]OD Master[/b], with [b]kerberos[/b], a [b]mail server[/b] to host [b]multiple domains[/b], and a [b]web server[/b] also with [b]multiple domains[/b]. Client macs need to connect to the internet through the server too.

    I have an ADSL router connected to [b]en0[/b], and a wired/wireless broadband router connected to [b]en1[/b].
    The ADSL Router has an internal IP Address of, [i]192.168.1.2/255.255.255.0[/i] and gets a dynamic Public IP from my ISP, over PPPoE, DHCP is disabled. Only the server connects to this router.
    The TP-Link Wired/Wireless broadband router has an IP Address of [i]192.168.2.1/255.255.255.0[/i] there are 3 wired clients plugged into it, and the rest are wireless, and of course the second Network Interface of the server, DHCP is disabled.

    I would like the client computers to connect to the [i]192.168.2[/i] subnet and for it to connect to the server as a gateway and to use NAT to get to the [i]192.168.1[/i] subnet to get internet, all through a firewall. Is this possible? I would assume so.

    Ok from the top, I insert the os x server 10.5.0 disk and install, on a freshly formatted, HFS Extended partition, once done I reboot, and come to the
    [b]“server configuration”[/b] pages, choose [b]“advanced”[/b], “continue”.
    Enter my serial number etc. “continue”,
    Enter all the registration information, “continue”.
    Enter all the other answers, “continue”.
    Enter my [b]Admin Account[/b] details, “continue”.
    Network Address section,
    I choose to manually enter my own details, for both network interfaces, “continue”.

    en0: IP 192.168.1.100
    Subnet: 255.255.255.0
    Router: 192.168.1.2
    DNS: 192.168.1.2

    en1: IP 192.168.2.100
    Subnet: 255.255.255.0
    Router: 192.168.2.100
    DNS: 192.168.1.100

    “Continue”.
    Then it asks about network names,
    “[b]Primary DNS Name:[/b] osxserver.example.com”,
    “[b]Computer Name:[/b] osxserver”,
    Enable “Remote management” is [b]“on”[/b], “continue”.
    Choose time zone, “continue”.
    “[b]Directory Usage[/b]” is set to “[b]Standalone[/b]” server, “Continue”.
    Click “Apply” and the system logs in.

    First thing I do; at this point is ALL my software updates, and all the rebooting.

    Okay so now I am fully updated to os x server 10.5.7 with all the other updates etc.
    I start by opening “Server Admin”, connect server on [i]192.168.1.100[/i],
    go to services and select “AFP, DHCP, DNS, FIREWALL, MAIL, MYSQL, NAT, OPEN DIRECTORY, VPN, WEB”. click “save”.
    The list propagates on the left under the server.
    I click on “dns”, “zones”, “add zone” “primary”.
    “[b]Primary Zone Name:[/b] example.com.” Fully Qualified [b]ON[/b] (NOT REALLY of course)
    “[b]Admin email:[/b] [email protected]”
    “Allow Zone Transfers:” [b]OFF[/b]
    “[b]Nameservers:[/b] osxserver”
    “[b]Mail Exchangers:[/b] osxserver [10]”
    arrow out the zone and click on the machine record.
    “[b]Machine Name:[/b] osxserver.example.com.” Fully Qualified [b]ON[/b]
    “[b]IP Address:[/b] [i]192.168.1.100[/i]”
    Go back, check it all again and then, and only then, click “save” and “start” dns.

    Quit “Server Admin”, Go to “System Preferences”, “Network”, [b]en0[/b] and change my dns server to [i]192.168.1.100[/i], “save” and reboot.
    Login, go to terminal and run
    [code]sudo changeip -checkhostname[/code]
    all comes back ok with [i]192.168.1.100[/i] as [b]osxserver.example.com[/b] (The names match, there is nothing to change.)

    Go back to “Server Admin” and remove the server [i]192.168.1.100[/i], now reconnect on address “[b]osxserver.example.com[/b]”.
    Go to “Open Directory” and promote to ODM with default UID etc, but change “long name” and “short name” and enter a “password”.
    It all comes up great. It auto completes the search base to “[b]dc=osxserver,dc=example,dc=com[/b]” and the realm of “[b]OSXSERVER.EXAMPLE.COM[/b]”.

    Now I go change a few settings like under “[b]policy[/b]” I select
    “[b]Password must differ from account name[/b]” and
    “[b]contain at least one letter[/b]”,

    under “[b]Binding[/b]” I select
    “[b]Enable authenticated directory binding[/b]” and
    “[b]Require authenticated binding between directory and clients[/b]”,

    under “[b]security[/b]” I select
    “[b]Disable clear text passwords[/b]”,
    “[b]Digitally sign all packets (requires Kerberos)[/b]”,
    “[b]Encrypt all packets (requires SSL or Kerberos)[/b]” and
    “[b]Block man-in-the-middle attacks (requires Kerberos)[/b]”
    and that is it, now I “save” that.

    So far so good I hope, next I go to “AFP” and set “Authentication” to “Kerberos” and leave everything else as is. “save” and “start” service.
    “MySql”, select “Allow network connections” ON and
    “Set MySQL Root Password”, done “save” and “start” service.

    Now for the fun.
    I go to “NAT” and click “[b]Gateway Setup Assistant[/b]”, read the info and click “continue”, it warns me about my settings changing and I tell it to overwrite,
    I select Ethernet as my WAN this is [b]en0[/b] connected to the adsl router, and click “continue”.
    It now asks me to select the adapter for my LAN, I select [b]en1[/b], connected to the Broadband router and “continue”,
    I enable the VPN and enter a “Shared Secret” and “continue”.
    It tells me in the next window, that it will change my LAN IP to [i]192.168.1.1[/i] that is no good for my setup, but I allow this and click “continue”, it is not like it gives any alternative you know.

    It sets it all up and turns on the VPN, NAT, Firewall and DHCP services. all good (sort of).
    Now I have to go and alter some of what it has done, first is to go to my “[b]System Preferences[/b]” and click on “[b]network[/b]”, what it has done is set the service order and put my [b]en1[/b] above my [b]en0[/b] so it will not resolve dns if I go and [i]-checkhostname[/i], so I set them back to [b]en0[/b] first, and second [b]en1[/b], then I go to [b]en1[/b], that was [i]192.168.2.100[/i] and now is [i]192.168.1.1[/i] and set it back to where it was, the subnet remains at [i]255.255.255.0[/i] and the router changes from [i]192.168.2.100[/i] to [i]192.168.1.1[/i], so I set that back too, dns I set to [i]192.168.1.100[/i]. Quit System Preferences, go back to terminal and do a [i]-checkhostname[/i], cool all clear.
    Now I go back to Server Admin and click on DHCP, it has auto set a subnet name of [i]192.168.1[/i] so I change that to [i]192.168.2[/i], the start ip I set to [i]192.168.2.220[/i] and end at [i]192.168.2.240[/i], it had auto set these at start of [i]192.168.1.1[/i] and end [i]192.168.1.123[/i], I can leave the subnet at [i]255.255.255.0[/i], The network interface is correct as is, on [b]en1[/b], and I change the router from [i]192.168.1.1[/i] to [i]192.168.2.100[/i].
    Under the sub-menu of dns still in DHCP I see it has set the dns server as [i]192.168.1.1[/i], I change it to [i]192.168.1.100[/i] and a search domain of example.com
    Under the LDAP subdirectory, it has nothing set so I set this as;
    [b]Server Name OSXSERVER.EXAMPLE.COM[/b] and a
    Search Base of [b]dc=osxserver,dc=example,dc=com[/b] and I leave
    LDAP over SSL [b]off[/b] and the port blank to use the default.
    Under the wins sub-directory I leave it as off or default. Click save to all, and it asks to reboot the dhcp service, ok.

    Now I go to VPN, Select Settings and it is all auto set [b]Enable L2TP over IPsec[/b] is [b]on[/b] and it has a start ip of [i]192.168.1.124[/i] and end of [i]192.168.1.254[/i], all I change is the start to [i]192.168.1.241[/i], under client information I set the dns server as [i]192.168.1.100[/i] and the search domain as [b]example.com[/b] now click save.

    On to Firewall, settings address groups, I see it set to
    any – any
    192.168-net – 192.168.0.0/16
    192.168.1-net – 192.168.1.1/255.255.255.0 I change this to 192.168.2.1/24
    10.0.0 – 10.0.0/16
    VPN-net – 192.168.1.1:255.255.255.0

    under services all of them are set to “[b]Allow all traffic from “xxx.xxx.x…”[/b]” except for the “any” address group
    This only has a couple of the ports on and they are set to “[b]Allow only traffic from “any” to these ports:[/b]”, I have to alter this to get mail working later on as there are not enough on.

    Now I save everything and reboot, after reboot I check one of the client systems to check if it can see internet, nope, so I change the network details to [i]192.168.2.50[/i] subnet [i]255.255.255.0[/i] router to [i]192.168.2.1[/i] and the dns to [i]192.168.1.100[/i] still nope, reboot the client system and try again still nothing on internet, I try to ping [i]192.168.1.50[/i] yes that works, ping the router [i]192.168.2.1[/i] yes that works, ping the servers [b]en1[/b] NIC [i]192.168.2.100[/i] nope. So for now I have just left that alone for later, if anyone here knows why please let me know.

    Next back at the server I go to setup mail, but first I do not have a static public ip address so I go to my custom dns account at dyndns and make sure that is all set and working, then I go to the web configuration of my adsl router and [b]port forward[/b] ports [i]25, 53, 80, 110, 143, 995[/i] on tcp and udp to [b]en0[/b] on the server [i]192.168.1.100[/i].
    Next I install a copy of [b]DNSUpdate[/b] and add the user with my dyndns account details, then add the host [b]example.com[/b] to the external interface with a host type of custom, I do not know what the “enable wildcard” does so I leave it off as with the “back mx” button, and save. ok so now I have a public ip that is forwarding back to the server each time it changes, cool.

    Back in “[b]Server Admin[/b]” to set up mail service, under settings general
    [b]Domain Name:[/b] example.com
    [b]Host Name:[/b] osxserver.example.com
    enable pop OFF
    enable IMAP ON with 0 connections
    Deliver to /var/mail when POP & IMAP are disabled OFF

    enable SMTP ON
    Allow incoming mail ON
    All the rest OFF

    [b]Relay tab[/b]
    Accept SMTP relays only from these hosts and networks:
    127.0.0.0/8
    192.168.1.0/24
    192.168.2.0/24
    All the rest OFF

    [b]Filters[/b]
    Scan for junk ON with 3 hits
    Junk mail should be DELIVERED and attach subject of ***POSSIBLE JUNK MAIL*** ON
    Encapsulate as MIME attachment OFF
    Scan for viruses ON
    Infected messages should be BOUNCED and Notify Recipients ON
    Update virus DB “2” times a day

    [b]Quotas[/b] Tab OFF
    [b]Mailing List[/b] Tab OFF
    [b]Logging[/b] Tab Debug for all

    [b]Advanced Tab / Security[/b] all OFF except for [b]SMTP[/b] and [b]IMAP[/b] – [b]Kerberos[/b] and [b]CRAM-MD5[/b]
    [b]Advanced Tab / Hosting[/b] I want to host [b]multiple mail domains[/b] in the end, but for now I just want the main one working, so I set this to [b]Local Host Aliases[/b] (localhost, example.com, osxserver.example.com)
    [b]Advanced Tab / Database[/b] I left this as default, on the 3rd try just in case, but once I get it all working would like to set this up, figure I will need to use osx.topicdesk mailbfr for this.
    [b]Advanced Tab / Clustering[/b], I WISH, but nothing set here.

    OK Save and start service.

    Go to [b]Workgroup Manager[/b] login with the [b]directory administrator account[/b] details, and set up only one account for testing purposes. This might seem strange but keep in mind that I would like to host [b]multiple websites[/b] with a webmaster for each in general, so it looks a bit odd.
    [b]Name:[/b] “Webmaster example”
    [b]User ID:[/b] default from OS
    [b]Short Names:[/b] webmasterexample
    [email protected]
    Passwords
    User Can Administer this server OFF
    User Can Access Account ON

    [b]Privileges[/b] tab is set to none, [b]advanced[/b] tab I only turned off the “[b]allow simultaneous login on managed computers[/b]” check box otherwise everything else is default, User Password Type is set to OD
    Groups, Home, Print Quota, Info and Windows all set as default

    [b]Mail[/b] Tab, is set to enabled,
    [b]Mail Server:[/b] osxserver.example.com,
    Mail Quota is 0 and
    Mail Access is IMAP only,
    not using alternate partition until I get over all these problems.

    OK so in my opinion it should all now work, so I go to my [b]mail[/b] application on the server machine and add an [b]IMAP[/b] account with [b]cram md5[/b], and [b]smtp[/b] with [b]cram md5[/b] with no [b]ssl[/b], and I make sure the [b]username[/b] is set to [b][email protected][/b] and the incoming and outgoing mail servers are set to [b]osxserver.example.com[/b], go to connection doctor and I get a green light for both, cool.
    So I send a mail to an account I have with my isp and the smtp log says no no no, my MTA has a poor reputation according to zen spamhaus, now this is probably due to my [b]dynamic ip[/b] address, so I go to spamhaus and check the error with them, they say that all I have to do is make sure that [b]authentication[/b] is on, and it already is using [b]cram md5[/b], so I try [b]kerberos[/b], and the same thing happens, so I go back to [b]cram md5[/b] and set up an [b]ssl certificate[/b] that is [b]self signed[/b], not that I really know what I am doing in that, but I do it, and set the mail client to use it and still nope.
    So I login to my email address with my ISP through their webmail system and try to send myself a message to [b][email protected][/b], and nothing comes in, the smtp log on my server says that I do not have a mailbox, so I send another one, this time to [b][email protected][/b], as it is set with the first short name in [b]WGM[/b] and it works, so that’s terrible, why is the other not working, how do I get more than one domain with more than one webmaster if the first short name needs to be webmaster. So I set a second account the same way as the first, but this time I set the account up and save first, then quit [b]WGM[/b] and reboot, send a mail to the silly incorrect short name, that I do not even want, and it works as expected, well not really, it delivered the mail into the same account as the webmaster account, and they are 2 separate accounts within the mail application. Anyway I leave that problem for now and I go back to [b]WGM[/b] and set the new short name with the @ symbol and . symbol with the correct domain like this [b][email protected][/b], try send a mail to that address and still it says, no such mailbox.

    So I am stopping at this point, going to bed and hopefully when I awake there might be an answer, cause this is now day 4 at this. Thanks for reading. Sorry it was all so long. But I warned you in the beginning that I was long winded, and at least you do not have to guess what I have done. And my punctuation is terrible, sorry. english no me strong suit just only wan i know.
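    The addresses the post lists for en0, en1, the DHCP scope, the VPN pool and the hand-configured test client can be checked against each other mechanically. The script below is an added example, not code from the original thread or from Apple's Server Admin: it takes the addresses exactly as written above, and the rule names and the checks themselves are its own. It flags where a LAN host's default route does not go through the server's en1 (which the NAT design requires), where the VPN pool no longer lies in the LAN subnet the Gateway Setup Assistant carved it out of, and where the DNS address handed to LAN hosts is the server's WAN-side address.

```python
"""Consistency checks for the two-NIC gateway plan described in the post.

Added example, not code from the original thread or from Apple's Server Admin:
the addresses below are the ones the poster listed; the rule names and the
checks themselves are this example's own and use only the standard library.
"""
from ipaddress import ip_address, ip_interface

# Server interfaces after the Gateway Setup Assistant's changes were undone (from the post).
SERVER = {
    "en0": ip_interface("192.168.1.100/24"),  # WAN side, ADSL router at 192.168.1.2
    "en1": ip_interface("192.168.2.100/24"),  # LAN side, TP-Link router at 192.168.2.1
}

# DHCP scope as edited in Server Admin (from the post).
DHCP = {
    "start": ip_address("192.168.2.220"),
    "end": ip_address("192.168.2.240"),
    "router": ip_address("192.168.2.100"),
    "dns": ip_address("192.168.1.100"),
}

# VPN client pool after the start address was moved (from the post).
VPN_POOL = (ip_address("192.168.1.241"), ip_address("192.168.1.254"))

# The client the poster configured by hand while testing (from the post).
TEST_CLIENT = {
    "addr": ip_interface("192.168.2.50/24"),
    "router": ip_address("192.168.2.1"),
    "dns": ip_address("192.168.1.100"),
}


def check_plan(server=SERVER, dhcp=DHCP, vpn_pool=VPN_POOL, client=TEST_CLIENT):
    """Return a list of (rule, message) findings; an empty list means the plan is consistent."""
    findings = []
    wan, lan = server["en0"].network, server["en1"].network
    gateway = server["en1"].ip  # the address LAN hosts must route through for the server to NAT
    server_ips = {server["en0"].ip, server["en1"].ip}

    # Two subnets on one router must not overlap, or NAT and routing become ambiguous.
    if lan.overlaps(wan):
        findings.append(("subnet-overlap", f"LAN {lan} overlaps WAN {wan}"))

    # The DHCP pool must be ordered and sit inside the LAN interface's subnet.
    if dhcp["start"] > dhcp["end"]:
        findings.append(("dhcp-pool-order", f"DHCP start {dhcp['start']} is after end {dhcp['end']}"))
    if dhcp["start"] not in lan or dhcp["end"] not in lan:
        findings.append(("dhcp-pool", f"DHCP pool {dhcp['start']}-{dhcp['end']} is not inside {lan}"))

    # For the server to NAT on behalf of LAN hosts, every LAN host's default route must be en1.
    if dhcp["router"] != gateway:
        findings.append(("dhcp-gateway", f"DHCP hands out router {dhcp['router']}, server LAN address is {gateway}"))
    if client["addr"].network != lan:
        findings.append(("client-subnet", f"client {client['addr']} is not on {lan}"))
    if client["router"] != gateway:
        findings.append(("client-gateway", f"client routes via {client['router']}, not the server's {gateway}"))

    # The assistant carved both the DHCP range and the VPN pool out of the one LAN subnet;
    # after renumbering the LAN the pool should move with it rather than stay on the WAN side.
    if vpn_pool[0] not in lan or vpn_pool[1] not in lan:
        findings.append(("vpn-pool-outside-lan", f"VPN pool {vpn_pool[0]}-{vpn_pool[1]} is outside {lan}"))

    # A DNS address that belongs to the server but lies on the WAN subnet is reachable from the
    # LAN only if the client's default route already goes through the server.
    for who, dns in (("dhcp", dhcp["dns"]), ("client", client["dns"])):
        if dns in server_ips and dns not in lan:
            findings.append((f"{who}-dns-off-lan", f"{who} DNS {dns} is the server's address on {wan}, not on {lan}"))
    return findings


def rule_names(findings):
    """Just the rule identifiers, in the order they were raised."""
    return [rule for rule, _ in findings]


if __name__ == "__main__":
    for rule, message in check_plan():
        print(f"{rule}: {message}")
```

    Run as is, it reports the test client routing via 192.168.2.1 rather than the server, the VPN pool sitting on the 192.168.1.0/24 side, and both DNS settings pointing at the server's en0 address; substituting the server's en1 address as the client router and DNS and moving the VPN pool into 192.168.2.0/24 makes the checker return no findings.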

    #376704
    guitar24t
    Participant

    I believe you cannot access the internet because your dns server is not set up to forward non-authoritative lookups to other servers. Add these IPs under the forwarders list box on the dns setup tab
    [code]208.67.222.222
    208.67.220.220[/code]
    These are OpenDNS servers’ IPs and work well for WAN.

    If I had to bet, I would say the problem with your mail accounts was the firewall. I have had multiple problems with OSX firewall. I got so fed up, I turned it off and all my problems went away (literally). I had allow all traffic and all the ports I needed open and still nothing worked. I then setup a WAN firewall (in a router) and now turn off all the firewalls on all my servers (windows, linux or mac!).

    Try turning off the firewall and check sending your mail again. Also, verify the dns settings on the client machines are provided correctly from the DHCP.

    Sorry for not being able to do more; I don’t do much with mail, but the write-up was very descriptive 😀
    Good Luck, Robert
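The forwarders point in the reply can be checked on the server's BIND configuration rather than by trial. The script below is an added example, not code from the original thread: OS X Server 10.5 writes its BIND configuration from Server Admin, and the exact file layout it produces is not shown here, so the named.conf fragment is constructed and its layout is an assumption. The two forwarder addresses are the ones given in the reply. It decides whether a lookup for a given name would be answered from a local zone, sent to the forwarders, or has nowhere to go, and it inserts or replaces the forwarders statement in the options block.

```python
"""Check whether a BIND named.conf gives the server somewhere to send lookups
it is not authoritative for, and add forwarders if it does not.

Added example, not code from the original thread: the named.conf fragment is
constructed and its layout is an assumption; OS X Server 10.5 writes its own
BIND configuration from Server Admin. The forwarder addresses are from the reply.
"""
import re
from ipaddress import ip_address

# Constructed named.conf fragment: one authoritative zone, no forwarders.
SAMPLE_NAMED_CONF = """\
options {
    directory "/var/named";
    allow-transfer { none; };
};

zone "example.com." IN {
    type master;
    file "db.example.com.";
};
"""

OPENDNS = ("208.67.222.222", "208.67.220.220")

_OPTIONS = re.compile(r"options\s*\{(.*?)\n\};", re.S)     # body of the options block
_FORWARDERS = re.compile(r"forwarders\s*\{([^}]*)\}\s*;")   # forwarders statement inside it
_ZONE = re.compile(r'zone\s+"([^"]+)"')                     # every zone name declared


def parse(conf):
    """Return the zones the server is authoritative for and its forwarder list."""
    m = _OPTIONS.search(conf)
    if not m:
        raise ValueError("no options block found")
    fw = _FORWARDERS.search(m.group(1))
    forwarders = [t.strip() for t in fw.group(1).split(";") if t.strip()] if fw else []
    zones = [z.rstrip(".").lower() for z in _ZONE.findall(conf)]
    return {"zones": zones, "forwarders": forwarders}


def is_authoritative(name, zones):
    """True when the name is at or below one of the declared zones."""
    n = name.rstrip(".").lower()
    return any(n == z or n.endswith("." + z) for z in zones)


def lookup_path(name, conf):
    """Where a query for `name` goes: answered locally, sent to forwarders, or nowhere."""
    cfg = parse(conf)
    if is_authoritative(name, cfg["zones"]):
        return "authoritative"
    if cfg["forwarders"]:
        return "forward:" + ",".join(cfg["forwarders"])
    return "no-forwarders"


def add_forwarders(conf, ips):
    """Insert or replace the forwarders statement in the options block."""
    for ip in ips:
        ip_address(ip)  # reject anything that is not a literal IP address
    stmt = "forwarders { " + " ".join(ip + ";" for ip in ips) + " };"
    m = _OPTIONS.search(conf)
    if not m:
        raise ValueError("no options block found")
    body = m.group(1)
    new_body = _FORWARDERS.sub(stmt, body) if _FORWARDERS.search(body) else body + "\n    " + stmt
    return conf[:m.start(1)] + new_body + conf[m.end(1):]


if __name__ == "__main__":
    fixed = add_forwarders(SAMPLE_NAMED_CONF, OPENDNS)
    print(lookup_path("osxserver.example.com", SAMPLE_NAMED_CONF))
    print(lookup_path("www.apple.com", SAMPLE_NAMED_CONF))
    print(lookup_path("www.apple.com", fixed))
    print(fixed)
```

On the constructed fragment, a name inside example.com is answered locally, any other name has no forwarder to go to, and after `add_forwarders` the same name is sent to the two addresses from the reply. The function validates each forwarder as a literal IP before touching the file, so a typo in the Server Admin list box cannot be written through.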
