Snow Leopard Server is a good system; however, it still suffers from nasty bugs, and you have to learn small gotchas to make things work as expected.
Here’s a roundup of what I found.
Server
Q: Is it true that many tools and settings depend on DNS?
A: Yes. Configure your DNS before anything else, and remember not to stop this service unless you know what you are doing.
Q: Occasionally, after a reboot, every user, especially admins, has to re-authenticate with the server for many services. Is that normal?
A: It shouldn’t be, but it can happen. Nobody knows why, though.
Mailman
Q: Setting up a new mailing list causes it to appear as name@machine.domain.com. I want name@domain.com; how can I do that?
A: You can’t do this from Server Admin. You have to go into the Mailman mailing list preferences at http://yourserver/mailman/admin/mailinglistname and change the host_name directive to include only the domain.
You may also want to lowercase the real_name directive. There are other methods you can find via search engines, but they didn’t work for me. I also had another problem where, after a reboot, even the tip above failed and I had to recreate all mailing lists because Mailman didn’t find the virtual email addresses. I couldn’t find a consolidated FAQ on this, and the official documentation doesn’t mention it.
Q: Looking at the logs, it seems that Mailman can’t deliver external mail because the mail server refuses to relay. It also seems that greylisting kicked in. What can I do about that?
A: Open Server Admin, Mail, Settings, Relay. If you have 127.0.0.0 in Accept SMTP relays, that’s not enough: set it to 127.0.0.1/32 and try again.
Q: When I drag users from my OD panel into a Mailman mailing list, the email addresses are screwed up. What can I do?
A: That seems to be normal. Just double-click the name and fill in the proper email address; no big deal.
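To see why 127.0.0.0 is "not enough" while 127.0.0.1/32 works, here is a small model of how a Postfix-style relay policy evaluates a submitting client. This is an added illustration, not code from this post, from Apple, or from Postfix itself. It assumes the common restriction order permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, and it assumes that an IPv4 entry written without a /prefix is read as a single host address (/32), which is what makes a bare 127.0.0.0 miss a Mailman submission arriving from 127.0.0.1. The addresses, domains and the roaming-user case are constructed sample values.

```python
"""Model of a Postfix-style relay decision (added illustration, assumptions noted).

Assumed restriction order: permit_mynetworks, permit_sasl_authenticated,
reject_unauth_destination.  Assumed parsing rule: an entry with no /prefix
is a single host (/32).
"""
import ipaddress


def parse_mynetworks(entries):
    """Turn 'Accept SMTP relays' style entries into network objects.

    ipaddress reads a bare address as a /32, matching the assumed Postfix
    behaviour: "127.0.0.0" becomes the single host 127.0.0.0/32.
    """
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def client_in_mynetworks(client_ip, networks):
    """True when the connecting client falls inside any trusted network."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in networks)


def relay_decision(client_ip, recipient_domain, sasl_authenticated,
                   networks, local_domains):
    """Return (accepted, reason) for one RCPT TO, in restriction order."""
    if client_in_mynetworks(client_ip, networks):
        return True, "permit_mynetworks"
    if sasl_authenticated:
        return True, "permit_sasl_authenticated"
    # reject_unauth_destination still lets mail for our own domains through.
    if recipient_domain.lower() in local_domains:
        return True, "local_delivery"
    return False, "reject_unauth_destination"   # "Relay access denied"


LOCAL_DOMAINS = {"example.com"}                  # constructed sample domain
BROKEN = parse_mynetworks(["127.0.0.0"])         # the setting the Q/A says is not enough
FIXED = parse_mynetworks(["127.0.0.1/32", "192.168.1.0/24"])  # constructed LAN


def demo():
    """Evaluate the cases discussed on this page; returns a list of rows."""
    cases = [
        # (label, client ip, recipient domain, sasl?, networks)
        ("mailman via loopback, bare 127.0.0.0", "127.0.0.1", "gmail.com", False, BROKEN),
        ("mailman via loopback, 127.0.0.1/32", "127.0.0.1", "gmail.com", False, FIXED),
        ("roaming user, no auth, external rcpt", "203.0.113.7", "gmail.com", False, FIXED),
        ("roaming user, SASL auth, external rcpt", "203.0.113.7", "gmail.com", True, FIXED),
        ("roaming user, no auth, our own domain", "203.0.113.7", "example.com", False, FIXED),
    ]
    rows = []
    for label, ip, domain, sasl, nets in cases:
        accepted, reason = relay_decision(ip, domain, sasl, nets, LOCAL_DOMAINS)
        rows.append((label, accepted, reason))
    return rows


if __name__ == "__main__":
    for label, accepted, reason in demo():
        print(f"{'ACCEPT' if accepted else 'REJECT':6} {reason:26} {label}")
```

The roaming-user rows show the point made later in the comments: adding each traveller's current IP to the relay list is the wrong lever, because the client-side fix for relaying from arbitrary networks is SMTP authentication, which the policy accepts before it ever consults the network list.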
Mail services
Q: I keep seeing in my SMTP logs that external connections are denied in some way, e.g. the server responds that the service is not available.
A: Just wait. This is an anti-spam technique called greylisting. Once the external SMTP server retries sending the email, it will be accepted and its IP inserted in a temporary table that allows subsequent messages until the entry expires.
Q: How can I add virtual domain users? I already have users in Open Directory, but they won’t receive email, or I want them to receive email at multiple addresses.
A: Open Workgroup Manager, select your user, and in the Basic info tab add your email addresses as additional short names. Beware though: read on before doing this.
Also remember to open Server Admin, Mail, Settings, Advanced, Hosting, and enable your domains in the second table.
Q: I added some short names to my users, but for some reason my accounts got screwed up.
A: This is a bug in Workgroup Manager’s underlying code. To add short names properly, enable the Inspector and add them under dsAttrTypeNative.uid.
VPN
Q: My L2TP over IPSec VPN stopped working for some reason. What can I do?
A: If the log doesn’t tell you anything interesting, the cause is unknown. Try using PPTP or reboot the server.
Q: How can I stop redirecting all traffic from my machine through my VPN? I want only the relevant traffic to be tunneled.
A: Open Server Admin, VPN, Settings, Client Information; in Network Routing Definition add a new route of type Private containing the address and netmask of the remote local network.
Q: I don’t understand what kind of IP addresses I should give to VPN clients.
A: Assign an IP range outside your DHCP range; this is important.
Web Services
Q: Apache doesn’t start; it keeps crashing.
A: There are many possible reasons, but I would check whether the error page and log files actually exist on the server; do this even if they are disabled.
The Web settings interface in Server Admin is fragile and bugged out on me multiple times.
Also note that you MUST fill in every field in the General tab, even if you don’t use those settings.
Q: How can I protect a web directory with a username and password?
A: You want something that Server Admin (and Apache) calls a Realm. Open Web, Sites, select your site, Realms, add one by clicking the plus symbol on the left, and proceed to add your users.
Screen sharing
Q: When I installed the server I could connect to it with the Screen Sharing tool with no problems; now I need to connect, close the program and rerun it to see my screen, especially on login/logout. What can I do?
A: I have currently found no solution to this problem.
Hi,…
I have problems getting Mailman running normally.
Server Admin is displaying that it stopped.
But… it is running.
The thing is that we had some problems with a screwed-up Kerberos system.
Because of that we had to reconfigure a lot of stuff.
Now almost everything is up and running… except for Mailman.
It seems to run, and the mail system works. But I can’t use the web interface normally.
And administering it is also a hassle.
So it seems that, after poking around in newsgroups and everything, we are not yet able to resolve things.
Can you give us a few hints?
Thank you
Hi Martin,
I’m sorry that I can’t help you there. Reading “screwed up Kerberos”… it just feels like my worst nightmare on SL Server; however:
It’s a dangerous operation, but you can try demoting your server role to standalone directory and then promoting it again. Make backups. Strong and working backups. And be sure that your DNS settings are correct before doing anything.
Hopefully Server Admin will also try to reconfigure Mailman; if that fails, I suggest calling Apple. I’m sorry that I can’t help further than this.
The email system works pretty well except for users who travel.
On the road or away from the office, users can send email to email addresses on the server but not to email addresses elsewhere on the Internet. I can manually correct this by adding their location (IP) to the accept relay list on the server. What a pain!! Where do you set things so that an authenticated user can relay?
Most other email servers offer a range of time periods after authentication to allow legal relays, i.e. a renewal requirement that is most often associated with the successful retrieval of POP or IMAP mail by that user.
This is a major failing — although I assume I have just not found the magic place to configure this.
Hi Michael,
You can try this: http://www.icoretech.org/2009/09/reminder-outlook-vs-snow-leopard-servers-postfix/ to let authenticated users go through.
This didn’t work… once added, with my IP address removed from the “accept” list, the Snow Leopard client email message was “select another server…” or whatever error message. Putting the IP address back into the “accept” list and the message was sent immediately.
Is this a rare requirement that authenticated email users are not allowed to reply to the email messages they just received? I would think this is the norm and the act of rejecting should be the rare situation.
You didn’t specify what kind of error you are seeing; there are two possibilities:
1) blocking from relaying
2) blocking from greylisting
Blocking from relaying means that Postfix isn’t configured to accept relay by examining your mobile source address.
Blocking from greylisting is a spam countermeasure that works this way:
When you try to send the mail the first time, the server responds that the service is currently unavailable and suggests trying later.
Most spambots don’t try to resend the email, therefore mission accomplished.
However, legit mail clients and servers will try to resend the email at some point; the greylist matches the IP that tried to send an email earlier and whitelists it.
The whitelist is wiped once in a while, and the addresses wiped are the ones that the server hasn’t seen in a given time frame.
So, to recap, you should really check what kind of problem you have there: whether it’s related to greylisting or relaying.
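The greylisting behaviour described in the Mail services FAQ above and in this comment (first attempt deferred, retry accepted and remembered, idle entries wiped later) is easiest to see as a small state machine. The following model is an added illustration, not code from this post or from the greylisting implementation on Snow Leopard Server. It keys entries on the (client IP, sender, recipient) triplet that most greylisters use, whereas the comment describes the whitelist in terms of the IP alone; the delay and retention values, the 451 reply text, the addresses and the "legit server vs. one-shot bot" scenario are all constructed sample values, and time is passed in as plain seconds so the model runs deterministically offline.

```python
"""Minimal greylisting model (added illustration; values are constructed)."""
from dataclasses import dataclass

TEMPFAIL = "451 4.7.1 Service unavailable, try again later"
ACCEPT = "250 OK"


@dataclass
class Greylist:
    min_delay: int = 300          # a retry sooner than this is still deferred
    retention: int = 7 * 86400    # whitelist entries idle this long are dropped
    pending_ttl: int = 4 * 3600   # first attempts never retried are forgotten

    def __post_init__(self):
        self.pending = {}     # triplet -> time of first attempt
        self.whitelist = {}   # triplet -> time last seen

    def check(self, client_ip, sender, recipient, now):
        """Decide one delivery attempt; returns the SMTP reply the server gives."""
        key = (client_ip, sender.lower(), recipient.lower())
        if key in self.whitelist:            # already proven to retry: accept, refresh
            self.whitelist[key] = now
            return ACCEPT
        first = self.pending.get(key)
        if first is None:                    # never seen: defer and remember it
            self.pending[key] = now
            return TEMPFAIL
        if now - first < self.min_delay:     # retried too fast: keep deferring
            return TEMPFAIL
        del self.pending[key]                # retried after the delay: whitelist
        self.whitelist[key] = now
        return ACCEPT

    def expire(self, now):
        """Periodic sweep; returns (whitelist size, pending size) afterwards."""
        self.whitelist = {k: t for k, t in self.whitelist.items()
                          if now - t < self.retention}
        self.pending = {k: t for k, t in self.pending.items()
                        if now - t < self.pending_ttl}
        return len(self.whitelist), len(self.pending)


def simulate():
    """Constructed scenario: a real MTA that retries, and a bot that never does."""
    g = Greylist()
    legit = ("198.51.100.5", "friend@example.net", "user@example.com")
    bot = ("203.0.113.9", "offer@spam.invalid", "user@example.com")
    log = [
        ("legit", 0, g.check(*legit, now=0)),       # deferred
        ("bot", 0, g.check(*bot, now=0)),           # deferred, never retries
        ("legit", 60, g.check(*legit, now=60)),     # too soon, deferred again
        ("legit", 600, g.check(*legit, now=600)),   # accepted, whitelisted
        ("legit", 700, g.check(*legit, now=700)),   # accepted immediately
    ]
    counts = g.expire(now=700 + g.retention)        # idle for a week: wiped
    return log, counts


if __name__ == "__main__":
    log, counts = simulate()
    for who, t, reply in log:
        print(f"t={t:4d}s {who:5} -> {reply}")
    print("after sweep: whitelist=%d pending=%d" % counts)
```

The log shows what the FAQ answer means by "just wait": the only thing the sender has to do is retry after the minimum delay, and the sweep at the end is the periodic wipe of entries the server has not seen in a while.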
Thank you for the help and support.
The problem is really simple. I’ll illustrate as follows with very simple examples:
A user is on the road and has a valid email account on the Snow Leopard server.
1. He receives an email from someone else with an account on the same server. He replies. The email message is delivered to the sender.
2. He receives an email from someone with an email address other than our server — e.g. gmail.com. He replies. The email is not sent and a dialog box appears that asks if the user wants to use another server or try again or try later. The message is never sent.
This is pretty stupid for any email server software, but I assume has to do with relaying since the local address isn’t really a relay and the external address is.
We have just switched to Snow Leopard Server (we have been using Windows Server 2003) and have found the switch to be less than friendly. For example, the need to create a new user to have a new email address is rather old and not practical in today’s environments. It seems very Unixie old school.
However, it is allowing users to use their email address to both send and receive their email while travelling that is the current major problem. It should be a DEFAULT configuration of any email server to provide this service.
Michael
I should perhaps say that I have all spam processing turned off. We use an external MXtreme Mail Firewall to block all reply, spam, and virus problems prior to reaching our Snow Leopard Server. We only receive email from a single source IP address and from our users, who might be located anywhere.
Michael
I hear you; however, I might have an idea: what’s in your Accept SMTP relays network?
For example, check out my settings: http://img.skitch.com/20091026-g1g3rbxi5ma561keraq8q7epx5.png
Do you already have loopback (obviously) AND the IP address subnet of the LAN interface?
The subnet (I use /24 now) I was using was giving me some troubles, especially with mailman. Worth a try.
Yes… I have the loopback address, the local IP address, which is a routable Class 3 address, and a few individual addresses of users’ home IP addresses.
Using your configuration, can you visit a friend and send mail to someone whose email account is not hosted on your server? It seems like the most normal thing to do. Could you imagine Gmail only being able to send email to other Gmail accounts?? It wouldn’t last long.
Michael
If it’s any use, I posted my working postconf -n here: http://gist.github.com/219262
A simple solution is to enable VPN connections to the SL server. When you’re on the road, establish a VPN connection; you will be assigned by the VPN server a local IP address (that you should include in the SMTP Relay set-up) and your email will be relayed by the mail server.