Dr Fragen in the operating room


  • Transferring IMAP Messages

    Well I’m on to my final phase in transferring from my own server to @DreamHost. Actually, transferring mail and not losing messages jacked up my anxiety level significantly. I’ve done a lot of testing and found that imapsync works great.
    After tweaking the command, I came up with the following.
    perl imapsync --host1 localhost --user1 myserveruser --password1 MASKED --host2 x.x.x.x --user2 user@dreamhostdomain.com --password2 MASKED --authmech2 PLAIN --authmech1 CRAM-MD5 --usecache --delete2 --expunge2 --delete2folders --pidfilelocking
    This command uses caching and deletes any messages or folders on the destination that don’t exist on the source, so the run can be repeated safely. Doing it this way I could test as much as I wanted. It also helps to have an extra domain to test with.
    So I added the domain to use DreamHost’s DNS and hosting, set the nameservers to DreamHost and waited for propagation to complete. I had a small glitch in moving the mail accounts over from one domain to another in DreamHost but @DreamHostCare help is awesome. Once that got straightened out I just ran the above command for all users and sent out the new information for their email clients.
    So far it’s worked entirely as expected. This was my first test as I have another domain to transfer that has more users.
    Hopefully now all I have to do is get used to DreamHost’s spam filtering.
    x.x.x.x is the IP of my mail server on DreamHost.
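    The post runs the command above once per user by hand. As an added example, not the post’s own script, here is a small POSIX shell wrapper that does the same for every account in a mapping file, with two changes a practitioner would want: the passwords come from files via imapsync’s --passfile1/--passfile2 (so they do not appear in ps output or shell history), and the wrapper refuses to start if a password file is readable by anyone else. The flags are the post’s; the --dry default, the accounts.txt format, the password-file directory and the assumption that imapsync is on PATH are additions for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: run the post's imapsync
# command for every account listed in a mapping file, with both passwords read
# from files (imapsync's --passfile1/--passfile2) instead of being typed on the
# command line, where they would show up in `ps` and in shell history.
# Assumptions (not from the post): imapsync is on PATH; ACCOUNTS holds lines of
# "localuser remoteuser@dreamhostdomain.com"; PWDIR/<localuser>.src and
# PWDIR/<localuser>.dst hold the source and destination passwords, mode 0600.

ACCOUNTS=${ACCOUNTS:-accounts.txt}
PWDIR=${PWDIR:-/root/imapsync-pw}
HOST2=${HOST2:-x.x.x.x}   # the DreamHost mail server IP, as in the post
DRY=${DRY:-1}             # 1 adds --dry (report only); set DRY=0 for the real run

# True only if the file exists and has no group or world permission bits at all
# (ls columns 5-10 are all '-'), so a password file cannot be read by others.
passfile_private() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the imapsync invocation for one account: the post's flags, with the
# two --password options swapped for --passfile and --dry appended when DRY=1.
build_cmd() {
    local_user=$1 remote_user=$2
    printf '%s' "imapsync --host1 localhost --user1 $local_user --passfile1 $PWDIR/$local_user.src --authmech1 CRAM-MD5 --host2 $HOST2 --user2 $remote_user --passfile2 $PWDIR/$local_user.dst --authmech2 PLAIN --usecache --delete2 --expunge2 --delete2folders --pidfilelocking"
    if [ "$DRY" = 1 ]; then printf ' --dry'; fi
    printf '\n'
}

# Loop over the mapping file, refusing to start an account whose password files
# are missing or readable by anyone else. Blank lines and '#' comments are skipped.
run_all() {
    while read -r local_user remote_user; do
        case "$local_user" in ''|'#'*) continue ;; esac
        for f in "$PWDIR/$local_user.src" "$PWDIR/$local_user.dst"; do
            if ! passfile_private "$f"; then
                echo "refusing $local_user: $f missing or not mode 0600" >&2
                return 1
            fi
        done
        cmd=$(build_cmd "$local_user" "$remote_user")
        echo "+ $cmd"
        $cmd < /dev/null   # keep imapsync away from the loop's stdin
    done < "$ACCOUNTS"
}

if [ "${1:-}" = run ]; then run_all; fi
```

    Run it once with the default DRY=1 to see what imapsync would do for each account, then with DRY=0 for the real transfer; because the post’s --delete2 flags remove anything on the destination that is not on the source, a dry run against a live DreamHost mailbox is the cheap way to confirm the account mapping is right before anything is deleted.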

  • Not Running a Server

    I’ve been running my own server for over 5 years now. It has been a great and sometimes frustrating experience. I think I’ve finally decided to let the pros do the server administration and just focus on the other stuff. The other stuff being coding, writing, and playing with technology.
    I’m looking into @Dreamhost. They seem to offer a wealth of features at a reasonable price. Honestly what gives me the most anxiety is transferring all the old IMAP email over to the new host. There’s a wiki entry about transferring email and using imapsync. I really need to investigate this.
    Wish me luck. Updates to follow.

  • WordPress, WebDAV and htaccess

    So I moved my WordPress install to my domain root and the WordPress specific htaccess instructions have borked my WebDAV. Fortunately a little googling and I’ve got a solution.
    Since I’m running a multisite install, my htaccess rewrites a lot. Turning off the RewriteEngine with an .htaccess inside the WebDAV directory solves this issue.
    [code lang=shell]
    <IfModule mod_rewrite.c>
    RewriteEngine Off
    </IfModule>
    [/code]
    Thanks Tim

  • chroot'd SFTP on Mac OS X server

    So here you are finding that you need to grant someone else SFTP access to your server. There are lots of reasons to do this, in my case it’s because I needed to grant access to someone’s web designer. We initially worked it out by him emailing me files and me SFTP’ing them up to the server in the correct location. Now he needs direct access to fix some things and I want to give him only what he needs without compromising security. Enter the chroot jail. After lots of googling and some encouragement from the Mac OS X Server email list, I’ve got it working. Here’s how it works.
    First, you should create the new user in Workgroup Admin and either assign them access privileges for SSH via Server Admin or assign them to a group that has SSH access privileges. Further discussion is below.
    From the Terminal, start off right.

    sudo cp /etc/sshd_config /etc/sshd_config.bkup
    sudo chown root /
    sudo chmod 755 /
    sudo mkdir -p /chroot/user/scratchpad
    sudo chown -R root /chroot
    sudo chown user /chroot/user/scratchpad
    sudo chmod -R 755 /chroot

    Every additional new user added will then be something along the lines of the following.

    sudo mkdir -p /chroot/user2/scratchpad
    sudo chown root /chroot/user2
    sudo chown user2 /chroot/user2/scratchpad
    sudo chmod -R 755 /chroot/user2

    Every folder in the path to the chroot jail must be owned by root and must not be writable by group or others; sshd checks this before it chroots and refuses the login otherwise. I don’t think it matters what group the folder is in. What I did above was to

    1. backup /etc/sshd_config
    2. change ownership of the root directory to root
    3. change permissions of the root directory to 755
    4. create a chroot folder
    5. create a user folder inside the chroot folder
    6. create a folder inside the user folder that the user can modify
    7. set ownership and permissions

    Now edit /etc/sshd_config as follows. A Match block has to go at the end of the file: every directive after a Match line belongs to that block until the next Match, so anything placed below it would silently apply only to that user.

    #Subsystem sftp /usr/libexec/sftp-server
    Subsystem sftp internal-sftp
    Match User user
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp
        ChrootDirectory /chroot/user

    This creates a chroot jail. When the user logs in, they are dropped into /chroot/user; inside it is the one folder they can add things to, /chroot/user/scratchpad.
    If you create a group in Workgroup Admin for ‘Chroot Users’ and add the new users you created to it, you won’t have to keep editing /etc/sshd_config for each one. Instead of the Match User block above, add the following; Match Group takes the group’s short (POSIX) name, chrootusers here, not its display name. Make sure you add the ‘Chroot Users’ group to the SSH access ACL in Server Admin.

    #Subsystem sftp /usr/libexec/sftp-server
    Subsystem sftp internal-sftp
    Match Group chrootusers
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp
        ChrootDirectory /chroot/%u

    If you have more than one chroot group just repeat the Match Group setup again.
    To test whether the above is working, issue the following from the terminal.

    $ sftp user@domain.com
    Password:
    sftp>

    Getting in is one thing. Now you have to mount the folder you want to use. A symlink inside the chroot jail doesn’t help: its target is resolved inside the jail, so a link to anything outside /chroot/user is dangling as far as the user’s sftp session is concerned. This is where Homebrew is your best friend. I don’t know why I’ve never seen fit to install this before. After installation just issue the following command.

    brew install bindfs

    You might have to restart. Now, with an empty folder created in /chroot/user, you can bind-mount a folder from outside the chroot jail onto it. For example

    sudo /usr/local/bin/bindfs -u user /Library/Server/Web/Sites/Server/Documents/mysite/yourfolder /chroot/user/scratchpad

    So far this seems to work here.
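    As an added example (not the post’s own commands), here is a small POSIX shell script that creates the same /chroot/<user>/scratchpad layout, bind-mounts the real folder with bindfs, and, before either, checks the invariant sshd enforces for ChrootDirectory: every path component from / down to the jail is owned by root and is neither group- nor world-writable. The jail root /chroot and the Homebrew bindfs path are the post’s; the owner uid, the optional base directory for the walk and the subcommand names are assumptions added so the check can be exercised outside a real server.

```shell
#!/bin/sh
# Added example, not part of the original post. Builds the post's chroot tree and
# verifies what OpenSSH requires of a ChrootDirectory: every path component from
# / down to the jail owned by root and not group- or world-writable; otherwise
# sshd logs "bad ownership or modes for chroot directory" and closes the session.
# Assumptions (not from the post): POSIX sh with BSD or GNU ls; CHROOT_OWNER_UID
# and the optional base directory exist only so the check can be tested in a
# scratch tree as a non-root user.

CHROOT_ROOT=${CHROOT_ROOT:-/chroot}
CHROOT_OWNER_UID=${CHROOT_OWNER_UID:-0}   # root, as sshd requires
BINDFS=${BINDFS:-/usr/local/bin/bindfs}    # Homebrew's bindfs, as in the post

# Check one directory: it exists, is owned by CHROOT_OWNER_UID, and has neither
# the group-write nor the other-write bit set (ls columns 6 and 9).
check_one() {
    p=$1
    if [ ! -d "$p" ]; then echo "$p: not a directory" >&2; return 1; fi
    line=$(ls -ldn "$p")
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    wbits=$(printf '%s\n' "$line" | cut -c6,9)
    if [ "$owner" != "$CHROOT_OWNER_UID" ]; then
        echo "$p: owned by uid $owner, must be uid $CHROOT_OWNER_UID" >&2; return 1
    fi
    if [ "$wbits" != "--" ]; then
        echo "$p: group- or world-writable (write bits: $wbits)" >&2; return 1
    fi
    return 0
}

# Walk every component from BASE (default /) down to JAIL and check each one.
# Usage: check_chroot_path /chroot/user [/]
check_chroot_path() {
    jail=$1; base=${2:-/}
    check_one "$base" || return 1
    rel=${jail#"$base"}; rel=${rel#/}
    cur=${base%/}
    while [ -n "$rel" ]; do
        comp=${rel%%/*}
        if [ "$comp" = "$rel" ]; then rel=""; else rel=${rel#*/}; fi
        cur="$cur/$comp"
        check_one "$cur" || return 1
    done
    return 0
}

# Create the post's layout for one user (run as root): /chroot/<user> belongs to
# root and is read-only to the user; /chroot/<user>/scratchpad is theirs to write.
make_jail() {
    user=$1
    mkdir -p "$CHROOT_ROOT/$user/scratchpad"
    chown root "$CHROOT_ROOT" "$CHROOT_ROOT/$user"
    chmod 755 "$CHROOT_ROOT" "$CHROOT_ROOT/$user"
    chown "$user" "$CHROOT_ROOT/$user/scratchpad"
    chmod 755 "$CHROOT_ROOT/$user/scratchpad"
    check_chroot_path "$CHROOT_ROOT/$user"
}

# A symlink out of the jail cannot be followed, so bind-mount the real folder
# onto the scratchpad, presented as owned by the jailed user (bindfs -u).
mount_scratchpad() {
    user=$1; src=$2
    check_chroot_path "$CHROOT_ROOT/$user" || return 1
    "$BINDFS" -u "$user" "$src" "$CHROOT_ROOT/$user/scratchpad"
}

case "${1:-}" in
    make)  make_jail "$2" ;;
    mount) mount_scratchpad "$2" "$3" ;;
    check) check_chroot_path "$CHROOT_ROOT/$2" ;;
esac
```

    Run `sudo sh chroot_jail.sh check user` after the chown/chmod steps and again after any later change to the tree; a jail that fails this check shows up on the client only as the connection closing right after the password is accepted, and on the server as the "bad ownership or modes for chroot directory" log line. `sshd -t -f /etc/sshd_config` syntax-checks the edited config before you restart sshd.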
    Update for Mountain Lion Server
    As I’ve updated my server from Snow Leopard to Mountain Lion, there’s one extra step.
    From Workgroup Manager, you will need to create a home folder. Nothing really has to go into it, but it needs to be present. My settings are as follows.
    Mac OS X Server/Share Point URL: afp://myserver.example.com/Users
    Path to Home Folder: username
    Full Path: /Network/Servers/myserver.example.com/Users/username
    After setting this up the first time it seems to auto-populate for every other user. You’ll have to go to the Home tab, select it and Save.

  • Squirrelmail Plugins

    Just an FYI post.
    I save all my added Squirrelmail plugins in /Users/Shared/squirrelmail_plugins/. Consequently if I need to reinstall any or all of them all I have to do is issue the following…
    sudo cp -R /Users/Shared/squirrelmail_plugins/PLUGIN_FOLDER /usr/share/squirrelmail/plugins/
    sudo /usr/share/squirrelmail/config/conf.pl
    Activate the plugins, save, quit and you’re good to go.

  • Setting up WebDAV Share in Mac OS X Server

    As I attempt to transition from a laptop to an iPad, with no specific reason other than the iPad is sooooo kewl; I need to create my own online storage. Yes I have a Dropbox account, but I don’t control Dropbox.
    Here’s what I did, YMMV.

    1. From Server Admin, make new Web > Realm and set appropriate ACLs.
    2. Create a folder in location/volume where data for Share is physically located.
    3. Change ownership of the folder to _www:admin (that’s what works for me)
    4. Create a symlink to the share folder in the folder where your web server looks to for the domain’s data.

    I know there’s probably a bit of information missing and if I showed images of the actual steps it might make things a bit clearer but I’m a little paranoid about my server and I don’t want to risk opening it up to further attack.
    All this needs to be done before OS X will allow a "Connect to Server..." and mount your WebDAV share.