4elements web design & consultancy



  • dislike -3 05

    MacMini Server 2011 Part IV

    4elements | web design The Hague blog • MacMini Server 2011 Part IV

    On request, I did get many requests for this section, hereby the uncut version of Part IV: Settings. Still need to rewrite and change information, but that's for later.

    Part IV: Settings.

    ======= Webmin ========
    Post-Installation Wizard
    - Install Virtualmin
    - Install Virtualmin template
    - DNS need to setup,
    - PostgreSQL
    - MySQL

    goto your webmin url in safari or firefox.
    login with root and root password

    click on webmin, at the left. -> webmin configuration.
    click on webmin modules and select + install virtualmin
    Click on Return to Webmin configuration
    click on Webmin Themes -> Install theme
    click on Return to themes list
    select virtualmin template and click on change...

    page will reload and will be shown the new template.
    Click on webmin, left top
    click on "servers" from the left menu
    clcik on BIND DNS Server

    ======== DNS ========
    DNS module Configuration
    Display options:
    Reverse zone must exist? yes
    Zone file options:
    Serial number style: Date based (YYYYMMDDnn)

    DNS Configuration:
    Addresses and Topology
    Ports and addresses: Listed below
    Port number: 53
    Addresses: any

    Zone Defaults
    Allow transfers from.. default
    Refresh time: 10800
    Expiry time: 1209600
    Transfer retry time: 3600
    Negative cache time: 10800
    Default email address: email addes your like to use
    Default nameserver for master domains:
    and press save.

    than create an default master zone of the domain used for your host name.
    (this domain name will also be used for name server. aka mailserver)
    It should look like this.

    $ttl 10800 IN SOA (
    10800 ) IN A xx.xx.xx.xx IN A xx.xx.xx.xx IN A xx.xx.xx.xx IN A xx.xx.xx.xx 14400 IN A xx.xx.xx.xx 14400 IN A xx.xx.xx.xx 86400 IN NS 86400 IN NS IN MX 10

    Now goto your domain rigistar and add at the dns section - IP address here - IP address here
    it can take upto 24 hours before it's progressed.
    (depending on the domain rigistar you use)

    ======== PostgreSQL ========
    If you not already done it by now. start server and let it load.
    than quit the server (PostgreSQL will be configured and activated now)

    under unused modules at the right pick, PostgreSQL
    click on module configure

    Administrator login: _postgres
    password: set password to your root password.

    System configuration:
    Path to psql command: /usr/bin/psql
    Path to PostgreSQL shared libraries: /usr/lib/postgresql
    Initial PostgreSQL database: template1
    Command to start PostgreSQL: su _postgres -c "/usr/bin/pg_ctl -D/private/var/pgsql"
    Path to postmaster PID file: /private/var/pgsql/
    Paths to host access config file: /private/var/pgsql/pg_hba.conf
    Path to pg_dump command: /usr/bin/pg_dump
    Path to pg_restore command: /usr/bin/pg_restore
    press save and PostgreSQL webinterface is loading..

    ======== MySQL ========
    under server, click on MySQL
    enter your password.
    press save
    Click on Module Config -> system configure
    Path to mysqld command: /usr/local/mysql/bin/mysqld
    Click on save

    Mysql is done.

    ======== Post-Installation Wizard ========
    press on system information left bottom.

    Post-Installation Wizard
    Preload Virtualmin libraries? Yes
    Run MySQL database server? Yes
    Run PostgreSQL database server? Yes
    Change MySQL password Leave un-changed
    DNS: keep your hostname as main.
    enter as 2nd your ns02.#censored#
    (if you get an error, restart dns and try again)
    Password storage mode: store plain-text passwords

    ======== setting up continue webmin and virtualmin ========
    Before we set the other settings, first install all needed modules first.
    Module php pear:
    Module Ruby GEMS:

    amavisd: I have a rare copy... only downloadable from our site.
    Webmin -> webmin -> webmin configuration -> Webmin Modules

    ======== Feature or Plugin ========
    Our coal:

    Feature or Plugin
    + Administration user
    + Home directory
    + BIND DNS domain
    + Mail for domain
    + Apache website
    + Webalizer reporting
    + SSL website
    + Log file rotation
    + MySQL database
    + PostgreSQL database
    + ProFTPd virtual FTP
    - Spam filtering
    - Virus filtering
    + Webmin login
    + AWstats reporting Plugin
    + DAV Login Plugin

    Spam and virus will be handled by AwavisD-New and Clam Antivirus

    ======== PRO FTP ========
    webmin -> Un-used Modules -> proftp -> module config

    Path to ProFTPD config file: /usr/local/proftpd/etc/proftpd.conf
    Path to ProFTPD executable: /usr/local/proftpd/sbin/proftpd
    Path to ProFTPD PID file:/usr/local/proftpd/var/
    Path to ftpusers file None (was /etc/ftpusers)

    Before we can start ProFTPD, we need to make some OS X specific adjustments. Go ahead and open up the "ProFTPD Server" module under the "Servers" section. Select the "Edit Config Files" option. Look for the line that has the comment "Set the user and group under which the server will run." and comment out the next two lines so it looks like this:

    # Set the user and group under which the server will run.
    #User nobody
    #Group nogroup
    Click the "Save" button to return to the main menu. By now you should have a functional FTP server. However, thier are a couple of "tweaks" I like to do to make things work a little better. Lets start by removing the login delay.

    Click on "Networking Options" in the ProFTPD module's main menu.
    Change the "Do reverse DNS lookups of client" option to "No".
    Change the "Lookup remote ident username" option to "No".
    PASV port range: 60000 - 65535
    Click "Save" to save and return to the main menu.

    Lets allow the use of "CHMOD":
    In the main menu, under "Virtual Servers" click "Default server".
    Under "Per-directory and Per-command options" click "Commands SITE_CHMOD".
    Click "Access Control".
    Change the "Access Control Policy" option to "Allow all clients".
    Click "SITE_CHMOD".
    set FTP commands to All (or just what you like)

    Click "Save" to save. Then click "return to main menu".

    Limit Users to Home Directory:
    Click on "Files and Directoriess" in the main menu.
    Change the "Limit users to directories" option to "Home Directory".
    Click "Save" to save and return to the main menu".

    To avoid hack attacks, change the port number of proftp.
    I changed it from port 21 to XXXX (pick your own number)
    I also disabled anonymous ftp.

    Download config file.....

    -----> proftp settings file bijsluiten
    Starting ProFTPD Automaticly on Boot
    You probably want ProFTPD to start automaticly on boot instead of having to start it up manually each time. To setup an OS X startup item, just use Webmin.

    Open up Webmin, and go to the "Bootup and Shutdown" module under the "System" menu.
    Click on "Add a new bootup action script".
    Action Name: PROFTPD
    Script name: PROFTPD
    Bootup Commands: /usr/local/proftpd/sbin/proftpd
    Description: ProFTPD
    Provides: FTP
    Start Message: Starting ProFTPD
    Stop Message: Stopping ProFTPD
    Start at boot time?: Yes
    Click "Create"

    Shell /bin/false for FTP users is not included in /etc/shells, which may prevent FTP access.
    Create a group names ftp

    ======== SSH Server - OpenSSH_5.6 ========
    Allow authentication by password? No
    Allow login by root? No (before server setup - yes)
    Allow RSA (SSH 1) authentication? no

    Listen on port XXXX (pick your own number)
    Accept protocols SSH v2
    Deny members of groups deniedssh (create this group)

    User SSH Key Setup
    Setup SSH key for new Unix users? yes

    Host SSH Keys
    Create a, and
    under /private/etc/
    Use provided script (sh sshd-key-gen)

    Client Host Options
    Edit Host Options
    Port to connect to xxxxx (your own unique number here)
    Number of connection attempts 2
    Try SSH protocols 2 only

    Start server
    If you're not able to connect to ssh server, add Port XXXX (pick your own number)
    to the config file. (sometimes it won't copy from the settings)

    Open up Webmin, and go to the "Bootup and Shutdown" module under the "System" menu.
    Click on "Add a new bootup action script".
    Action Name: OPENSSH
    Script name: OPENSSH
    Bootup Commands: /usr/sbin/sshd
    Description: OpenSSH
    Provides: SSH
    Start Message: Starting OpenSSH
    Stop Message: Stopping OpenSSH
    Start at boot time?: Yes

    ======== SSH Server - SSH Login ========
    Other -> SSH Login:
    Module config.
    Port to connect to: XXXX (pick your own number)

    ======== Amavisd-new ========
    Path to AMaViSD-new amavisd: /usr/bin/amavisd
    Path to AMaViSD-new amavisd.conf: /etc/amavisd.conf
    Path to PID-File: /var/amavis/
    default Domain:
    Path to Amavis Start file: /etc/init.d/amavisd

    ======== Clam Antivirus ========
    Configuration category: ClamAV
    ClamAV system user: _clamav
    ClamAV system group: _clamav
    Daemon init script path: /usr/sbin/clamd
    Logfile path: /var/log/clamav.log
    Configuration file path: /etc/clamd.conf
    Main virus signatures database path: /var/clamav/main.cld
    Daily virus signatures database path: /var/clamav/daily.cvd

    Configuration category: Freshclam
    Configuration file path: /etc/freshclam.conf
    Logfile path: /var/log/freshclam.log
    Daemon init script path: /etc/cron.daily/freshclam

    Press save
    Than press backup

    ======== AWstats ========
    AWstats configuration directory: /Library/WebServer/awstats/wwwroot/cgi-bin/
    Full path to AWstats program:/Library/WebServer/awstats/wwwroot/cgi-bin/
    Full path to AWstats icons directory: /Library/WebServer/awstats/wwwroot/icon
    Full path to AWstats lang directory: /Library/WebServer/awstats/wwwroot/cgi-bin/lang
    Full path to AWstats lib directory: /Library/WebServer/awstats/wwwroot/cgi-bin/lib
    Full path to AWstats plugins directory: /Library/WebServer/awstats/wwwroot/cgi-bin/plugins

    ======== CVS Server ========
    Just click, "Initialize Repository" than "Setup"

    ======== Webalizer Logfile Analysis ========
    Configurable options:
    Automatically include logfiles from: Apache, Squid, ProFTPd

    System configuration:
    Path to webalizer command: /usr/local/bin/webalizer
    Path to webalizer configuration file: /usr/local/etc/webalizer.conf
    Sample webalizer configuration file: /usr/local/etc/webalizer.conf.sample

    ======== PHP manage ========
    Resource Limits:
    Maximum memory allocation 512M
    Maximum file upload size 64M
    Maximum input parsing time 360
    Maximum HTTP POST size 64M
    Maximum execution time 360

    Error Logging:
    Expression for error types: E_ALL & ~E_NOTICE

    Other Settings:
    Allow PHP scripts starting with <? ? YES

    ======== PHP Manuel ========







    ======== Perl ========
    Suggested Modules: Click install Selected Modules ans all will be included (small glidsh in webmin)

    ======== Log File Rotation ========
    webmin -> Un-used Modules -> Log File Rotation
    Path to logrotate configuration file: /usr/local/etc/logrotate.conf
    Path to logrotate program: /usr/local/sbin/logrotate

    ======== Amavisd ========
    #@local_domains_maps = ( [".$mydomain"] ); # list of all local domains
    @local_domains_maps = ( read_hash("/var/amavis/local_domains") );


    @local_domains_maps = ( [".$mydomain"] ); # list of all local domains
    #@local_domains_maps = ( read_hash("/var/amavis/local_domains") );

    forward_method => 'smtp:[]:10027',
    forward_method => 'smtp:[]:10025',

    uncomment $virus_admin if you would like to reseive emails (what's going on spam/virus wize)

    # $myhostname = ''; # must be a fully-qualified domain name!
    $myhostname = ''; # must be a fully-qualified domain name!

    ======== postgrey ========
    Open up Webmin, and go to the "Bootup and Shutdown" module under the "System" menu.
    Click on "Add a new bootup action script".
    Action Name: POSTGREY
    Script name: POSTGREY
    Bootup Commands: /var/spool/postfix/postgrey/postgrey --inet=10023 -d --user=postgrey --group=postgrey
    Description: POSTGREY
    Provides: filter
    Start Message: Starting postgrey
    Stop Message: Stopping postgrey
    Start at boot time?: Yes
    Click "Create"


    smtpd_recipient_restrictions = reject_unauth_pipelining,reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated permit_auth_destination,reject_unauth_destination,check_sender_access hash:/etc/postfix/sender_access,reject_rbl_client,reject_rbl_client,reject_rbl_client,permit


    smtpd_recipient_restrictions = reject_unauth_pipelining,reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated permit_auth_destination,reject_unauth_destination,check_sender_access hash:/etc/postfix/sender_access,reject_rbl_client,reject_rbl_client,reject_rbl_client,check_policy_service inet:

    ======== mail server ========
    check to see if your mailserver is running as should be

    Check your DNS

    ======== Webmin -> system ==========
    Apache Webserver

    Processes and Limits:
    Maximum requests per server process: 0
    Minimum spare server processes: 5
    Maximum spare server processes: 10
    Initial server processes: 5

    SSL Options:
    Fixed password: (pick a password for later on)

    Default Server: Virtual Server Options

    Directory Indexing:
    Directory index files

    SSL Options: Generate a .crt and .key file

    Step 1: Generate a Private Key

    The openssl toolkit is used to generate an RSA Private Key and CSR (Certificate Signing Request). It can also be used to generate self-signed certificates which can be used for testing purposes or internal usage.

    The first step is to create your RSA Private Key. This key is a 1024 bit RSA key which is encrypted using Triple-DES and stored in a PEM format so that it is readable as ASCII text.

    openssl genrsa -des3 -out server.key 1024

    Generating RSA private key, 1024 bit long modulus
    e is 65537 (0x10001)
    Enter PEM pass phrase:
    Verifying password - Enter PEM pass phrase:

    Step 2: Generate a CSR (Certificate Signing Request)

    Once the private key is generated a Certificate Signing Request can be generated. The CSR is then used in one of two ways. Ideally, the CSR will be sent to a Certificate Authority, such as Thawte or Verisign who will verify the identity of the requestor and issue a signed certificate. The second option is to self-sign the CSR, which will be demonstrated in the next section.

    During the generation of the CSR, you will be prompted for several pieces of information. These are the X.509 attributes of the certificate. One of the prompts will be for "Common Name (e.g., YOUR name)". It is important that this field be filled in with the fully qualified domain name of the server to be protected by SSL. If the website to be protected will be, then enter at this prompt. The command to generate the CSR is as follows:

    openssl req -new -key server.key -out server.csr

    Country Name (2 letter code) [GB]:CH
    State or Province Name (full name) [Berkshire]:Bern
    Locality Name (eg, city) [Newbury]:Oberdiessbach
    Organization Name (eg, company) [My Company Ltd]:Akadia AG
    Organizational Unit Name (eg, section) []:Information Technology
    Common Name (eg, your name or your server's hostname) []
    Email Address []:martin dot zahn at akadia dot ch
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

    Step 3: Remove Passphrase from Key

    One unfortunate side-effect of the pass-phrased private key is that Apache will ask for the pass-phrase each time the web server is started. Obviously this is not necessarily convenient as someone will not always be around to type in the pass-phrase, such as after a reboot or crash. mod_ssl includes the ability to use an external program in place of the built-in pass-phrase dialog, however, this is not necessarily the most secure option either. It is possible to remove the Triple-DES encryption from the key, thereby no longer needing to type in a pass-phrase. If the private key is no longer encrypted, it is critical that this file only be readable by the root user! If your system is ever compromised and a third party obtains your unencrypted private key, the corresponding certificate will need to be revoked. With that being said, use the following command to remove the pass-phrase from the key:

    cp server.key
    openssl rsa -in -out server.key

    The newly created server.key file has no more passphrase in it.

    -rw-r--r-- 1 root root 745 Jun 29 12:19 server.csr
    -rw-r--r-- 1 root root 891 Jun 29 13:22 server.key
    -rw-r--r-- 1 root root 963 Jun 29 13:22

    Step 4: Generating a Self-Signed Certificate

    At this point you will need to generate a self-signed certificate because you either don't plan on having your certificate signed by a CA, or you wish to test your new SSL implementation while the CA is signing your certificate. This temporary certificate will generate an error in the client browser to the effect that the signing certificate authority is unknown and not trusted.

    To generate a temporary certificate which is good for 365 days, issue the following command:

    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
    Signature ok
    subject=/C=CH/ST=Bern/L=Oberdiessbach/O=Akadia AG/OU=Information
    Technology/ dot zahn at akadia dot ch
    Getting Private key

    Step 5: Installing the Private Key and Certificate

    When Apache with mod_ssl is installed, it creates several directories in the Apache config directory. The location of this directory will differ depending on how Apache was compiled.

    cp server.crt /usr/local/apache/conf/ssl.crt
    cp server.key /usr/local/apache/conf/ssl.key

    Step 6: Configuring SSL Enabled Virtual Hosts

    SSLEngine on
    SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    CustomLog logs/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    Step 7: Restart Apache and Test

    apachectl stop
    apachectl start

    ======== check system configuration ========
    Bind ok....
    Postfix ok....
    Suexec, need to be changed.
    (Virtualmin -> Virtualmin configuration -> defaults for new domain. enter /home2 -> press save

    Bind ok....
    Postfix ok....
    Apache ok....
    Mysql ok....
    PostgreSQL ok....
    Logrotate ok....

    All is running, but we are not done yet.
    Now we will configure webmin and virtualmin.

    ======== Webmin ==========
    webmin -> Webmin Configuration
    start at boot time: yes

    Trusted Referrers:
    Referrer checking enabled? yes
    Trust links from unknown referrers: yes

    Support full PAM conversations? yes
    Use MD5 encryption for Webmin passwords (allows long passwords) YES

    ======== Webmin -> system ==========
    Disk Quotas, turn it on on the HD where your system runs on

    ======== Webmin -> system ==========
    Historic System Statistics: turn it on or leave it off. (

    ======== Webmin -> Usermin Configuration ==========
    install Usermin -> Un-used Modules -> Usermin Configuration -> click on "install Usermin"

    webmin -> Usermin Configuration
    start at boot time: yes

    Enable session authentication: yes
    Always require username and password: yes
    Support full PAM conversations? yes

    Available Modules:
    select you want to Usermin

    Access Control Options:
    Root directory for file chooser: User's home directory

    DAV Server:
    DAV enabled? Enabled
    Allow access to directory: User's home directory

    Restart usermin.

    ======== Webmin - Usermin -> PAM ==========
    PAM Authentication:
    cp /work/usermin-webmail-1.480/usermin-pam-osx /etc/pam.d/usermin
    cp /etc/pam.d/usermin /etc/pam.d/webmin
    For Dovecot
    cp /etc/pam.d/usermin /etc/pam.d/dovecot
    Open /etc/pam.d/dovecot and replace current listing with:

    # dovecot: auth account password session
    auth required
    auth sufficient
    auth sufficient
    auth required
    account required
    password required
    session required

    ======== Webmin -> Usermin -> Usermin Configuration ==========
    Read mail:
    Mail storage format for Inbox: Qmail style
    Sendmail mail file location: ~${USER}/Maildir

    PostgreSQL Database:
    Path to psql command: /usr/bin/psql
    Path to PostgreSQL shared libraries: /usr/lib/postgresql
    Path to pg_dump command: /usr/bin/pg_dump
    Path to pg_restore command: /usr/bin/pg_restore
    Only show databases owned by user? yes

    SSH Login:
    Port number for SSH: XXXX (pick your own number)

    Upload and Download:
    Limit uploads and downloads to home directory? yes

    ======== Virtualmin -> System Settings -> Features and Plugins ==========
    Select all except "Spam filtering" and "virus filtering" We use our own (remember)

    ======== Virtualmin -> System Settings -> Server Templates ==========
    mkdir /etc/skel
    I moved my own under construction html files to it.
    The moment a new accounts has been created the under construction page is shown by default.

    Default Settings:
    Home directory: Substitute variables in contents? Yes

    Bind DNS domain:
    Custom TTL: 10800
    Create new domains in view:
    Add SPF DNS record? Yes
    Does SPF record cover all senders? yes

    Mail for domain:
    Email message to send upon server creation: Message below ..
    Default quota for mail users: Unlimited

    Apache Website:
    Directives and settings for new websites:

    ServerName ${DOM}
    ServerAlias www.${DOM}
    DocumentRoot ${HOME}/public_html
    ErrorLog /var/log/virtualmin/${DOM}_error_log
    CustomLog /var/log/virtualmin/${DOM}_access_log combined
    ScriptAlias /cgi-bin/ ${HOME}/public_html/cgi-bin/
    DirectoryIndex index.html index.htm index.php index.php4 index.php5
    <.Directory ${HOME}/public_html>
    Options FollowSymLinks
    AllowOverride all
    Order allow,deny
    Allow from all
    <.Directory ${HOME}/public_html/cgi-bin>
    Options FollowSymLinks +ExecCGI
    AddHandler cgi-script .cgi .pl
    Allow from all

    Configure Webmin to use same SSL cert for IP? Yes
    Configure Usermin to use same SSL cert for IP? Yes
    PHP configuration variables for scripts: memory_limit 256M

    Webmin Login:
    Webmin group for domain owners: hosting

    ======== Virtualmin -> System Settings -> Account Plans ==========

    You may create what you want here.
    I'll add a "Pro Plan" with all on unlimited

    ======== Virtualmin -> System Settings -> Virtualmin Configuration ==========
    User interface settings:
    Columns to show: pick your own
    Feature columns to show: pick your own
    Show mailbox size in users list? Yes
    Allow editing of limits when creating server? Yes

    Defaults for new domains:
    Home directory base: /Users

    Actions upon Server and User creation:
    Notify other modules when updating server administrator Unix users? yes
    Notify other modules when updating mailbox Unix users? Yes
    Add users with no SSH access to deniedssh group? yes

    Advanced Options:
    Delete all email aliases when disabling mail? Yes
    Allow creation of sub-domains? Yes

    ======== Un-used Modules -> squid ==========
    Module configuration: _ options
    Encryption method for proxy passwords: md5base64

    system conf:
    Full path to squid config file: /usr/local/etc/squid.conf
    Squid executable: /usr/local/sbin/squid
    Full path to PID file: /usr/local/var/run/
    Full path to squid cache directory: /usr/local/var/cache
    Squid cachemgr.cgi executable: /usr/local/Cellar/squid/3.1.9/libexec/cachemgr.cgi
    Full path to squid log directory: /usr/local/var/logs
    Path to squidclient program: /usr/local/bin/squidclient

    ======== Squid Report Generator ========
    Module configuration.

    Full path to sarg executable: /usr/local/bin/sarg
    Full path to SARG configuration file: /usr/local/etc/sarg.conf

    ======== Apple OSX settings ========
    chmod 777 /Library/Logs

    ======== Web server ========
    There are 2 ways to setup apache. I choose to use the default settings of apache to work well with webmin.

    Specific setup for use with is easy accomplish.
    Both instruction will be posted on a later stage.

    ======== Mail server ========
    A complete solution will be provided. Stay tuned.
    (Below is the raw version, for those who requested.)

    ======== Dovecot IMAP/POP3 Server ========
    We will configure the mail our selves, but to get all config files created
    please launge "Admin Server" add mail and start the mail server. This will generate all files we need. (stop the mail server when generation is done)

    Dovecot server program: /usr/sbin/dovecotd
    Full path to Dovecot configuration file: /etc/dovecot/dovecot.conf
    Dovecot server PID file: /var/run/dovecot/

    Mail Files:
    Mail file location: Inbox and folders in ~/Maildir
    UIDL format: %08Xu%08Xv

    ======== Postfix Mail Server ========
    The message "group or other writable" means that another user (not the owner) is able to write. You can fix it with chmod. Example to remove group write permissions

    $ sudo chmod g-w /Library/Server/Mail/Data/mta

    Suggest to create a backup of /etc/postfix /etc/dovecot and /etc/apache2
    cd /etc
    /Developer/Tools/CpMac -r apache2 "apache2 backup"
    /Developer/Tools/CpMac -r postfix "postfix backup"
    /Developer/Tools/CpMac -r dovecot "dovecot backup"

    While it's possible to write all steps by hand, I decided to attach the config files.
    (change my files and copy them to the ment folders. i'll explain during the process)

    after copy:
    chown root:wheel /private/etc/postfix/*
    chmod g-w /var/lib/postfix

    cd /etc/postfix
    postmap hash:access
    postmap hash:transport
    postmap hash:sender_access

    General Options:
    What domains to receive mail for: $myhostname
    Network interfaces for receiving mail: All
    Local internet domain name: Default
    Mail queue directory: /var/spool/postfix
    rm -r /var/spool/postfix
    mkdir /var/spool/postfix

    Mail Aliases:
    Alias databases used by the local delivery agent: Map specifications: hash:/etc/postfix/aliases

    Canonical Mapping:
    Tables for recipient addresses: No map set

    Virtual Domains:
    Domain mapping lookup tables: hash:/etc/postfix/virtual

    Transport Mapping:
    Transport mapping lookup tables: Map specifications: hash:/etc/postfix/smtproutes

    Header Checks:
    Example header checks

    Body Checks:
    Message body checking tables: Map specifications: pcre:/etc/postfix/custom_body_checks
    Example body checks

    Local Delivery:
    Home-relative pathname of user mailbox file: Maildir/
    External command to use instead of mailbox delivery: /usr/libexec/dovecot/deliver
    Optional actual transport to use: None

    SMTP Server Options:
    Timeout in seconds for SMTP transactions: 300s
    Disable SMTP VRFY command: Yes
    Error count for closing connection: 20
    Restrictions on sends in HELO commands: permit_mynetworks,check_helo_access hash:/etc/postfix/access,permit_auth_destination,permit_sasl_authenticated,reject_non_fqdn_hostname,reject_invalid_hostname,permit
    Restrictions on sender addresses: permit_sasl_authenticated,permit_mynetworks,permit_auth_destination,reject_non_fqdn_sender,reject_unknown_sender_domain,permit
    Restrictions on recipient addresses: reject_unauth_pipelining,reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,permit_auth_destination,reject_unauth_destination,check_sender_access hash:/etc/postfix/sender_access,permit
    cd /etc/postfix
    postmap hash:sender_access
    postmap hash:access

    SMTP Authentication And Encryption:
    Handle non-compliant SMTP clients?: yes
    SMTP security options: none

    SMTP Client Restrictions:
    Client restrictions: Postfix default (allow all clients) (all off)

    data_directory = /var/lib/postfix
    rm /var/lib/postfix
    mkdir /var/lib/postfix
    chown _postfix /var/lib/postfix
    Show file (example domainnames)

    ==> virtual_transport = lmtp:unix:/var/imap/socket/lmtp

    Edit (/usr/libexec/postfix/
    change: /Library/Server/Mail/Data/mta/
    into: /var/lib/postfix/

    Show file (example domainnames)

    martijn broeders

    founder/ strategic creative at 4elements web design & consultancy
    e-mail: .(JavaScript must be enabled to view this email address)
    phone: 06 38 55 28 54
  • 1
    June 14, 2018 at

    You have made some good points there. I looked on the net to find out more about the issue and found most people will go along with your views on this website.

  • 2
    January 31, 2014 at

    I am in fact thankful to the holder of this web site who has shared this fantastic post at at this time.

  • 3
    January 26, 2014 at

    Have you ever considered about including a little bit more than just your articles? I mean, what you say is important and everything. Nevertheless just imagine if you added some great graphics or video clips to give your posts more, "pop"! Your content is excellent but with pics and clips, this website could definitely be one of the best in its field. Fantastic blog!

  • 4
    May 02, 2013 at

    You have a wonderful site here that was a quality read for me. Good info! Thanks!

  • 5
    martijn broeders's avatar
    martijn broeders
    April 25, 2013 at

    Should be working.

  • 6
    April 24, 2013 at

    Oh my goodness! Incredible article dude! Many thanks, However I am going through problems with your RSS. I don't understand why I can't subscribe to it.Is there anybody having identical RSS issues? Anybody who knows the solution will you kindly respond?Thanks!!

  • 7
    Como Fazer Um Site
    March 29, 2013 at

    Hello, I read your new stuff regularly. Your story-telling style is witty, keep up the good work!

  • 8
    martijn broeders's avatar
    martijn broeders
    March 07, 2013 at

    Hello carsten, Sorry for the late response. (blog is getting some spam so I need to check every entry before approving)Apple reserves memory and cpu for their own tasks. (like account manager, wiki a.o. apps from apple) But this makes other web related tasks and the server overall slower. By disabling you are in charge, what results in faster websites, mail and others...If you have any other question, please email me.Kind regards, Martijn

  • 9
    Carsten Hahn
    March 04, 2013 at

    Hi Martijn, i stuck at the beginning with the Server-Admin Screen where i have to disable "Dedicate system resources to server services". What should i do?BTW. What does this button do?Groetjes Carsten

  • 10
    martijn broeders's avatar
    martijn broeders
    March 04, 2013 at

    Hello carsten, Yes this tutorial is compatible. (paths, locations will be the same. Only some version numbers could be different (newer) but that's not a problem...)

  • 11
    carsten hahn
    March 01, 2013 at

    Hi, is your lion tutorial here compatible with mountain lion server? i got a new mac mini and cannot change to lion.groetjes from germanycarsten

  • 12
    February 23, 2013 at

    I have read a few excellent stuff here. Certainly value bookmarking for revisiting. I wonder how much attempt you set to make the sort of great informative site.

  • 13
    martijn broeders's avatar
    martijn broeders
    April 05, 2012 at

    @Eran, Thanks, I just send you an email on how to get your request working.

  • 14
    Eran Kendler
    April 05, 2012 at

    Fantastic work - was great to use, and works well.Was wondering if you can post your fix for webmin to work with Lion's apache, at the moment no ghosts showWill be highly appreciated.

  • 15
    martijn broeders's avatar
    martijn broeders
    January 20, 2012 at

    @Filip, Thanks. Depends, if you like to run your own mail server, multiple websites etc you would need to enable DNS on your MacMini Server.But you only need 1 static IP to get all running. (DNS e.a.)

  • 16
    January 20, 2012 at

    Wow great, thank you. I spent almost a week installing Lion server on my new mac mini. Failed so many times. Services didn't run properly etc... At the end I found out it was BT fault. Their router is rubbish so I swapped it with Airport Extreme and it is working fine since. I have one silly question, do I need to set Dns when all my dns entries are with company where I registered domain? Thanks

By - category

    By - date