DMZ'd Mini Server VPN/Mail Problems

[rainman::|:|]

Hi all--

I haven't been working in the server arena much in years. I'm currently assembling the logistics of a new small non-profit, and we'll need all of the standard coordination (sharedrives, VPN, Calendar services, etc). Since we'll only have a few employees at first, I'm also wanting to host our website and email on the server. I just bought the base-line Mac Mini server, planning to up the RAM to 16gb soon, but just setting it up for now.

I walked through configuration pretty easily, enabling all of the services we'll use, and then tried to set up port forwarding on my DSL router. Of course, the router is CenturyLink standard gear, and only allows like 16 ports to forward. Not enough for all services for the server. So I've got it on DMZ until I can buy a better router (or hardware firewall). Yeah, I know it's not the safest, but it'll work for now.

Set up my domain to point to my IP address, and sure enough, Web, Calendar, and Mail services connect just fine, using the downloaded config file from mydomain.org/mydevices.

Few problems. First, VPN server isn't connecting, it says there was no response from the server. I'm not sure where to look for logs related to this, it just says "cannot connect to server."

Secondly, mail services don't seem to be connecting with the internet. I pointed my MX record on my domain name to mydomain.org and enabled Mail Services properly, which is all I thought I'd need to do. Am I missing a step here? I haven't set up rDNS yet, but that shouldn't prohibit me from receiving test emails at the server.

Lastly, this is just a mild annoyance, but visiting mydomain.org/mydevices on my iPhone won't let me log in - says "incorrect username and password." Odd, as the username and password work just fine on my Macbook Pro. We'll be issuing Macbooks and iPhones to staff, so I'd like to see this work, but it's a lesser issue.

I've tried googling this all, but Mountain Lion server is less documented, and I'm not sure I'm understanding all I see (again, it's been a long time since I did any server admin). Thanks!

 

[matspekkie]

Hi all--

I haven't been working in the server arena much in years. I'm currently assembling the logistics of a new small non-profit, and we'll need all of the standard coordination (sharedrives, VPN, Calendar services, etc). Since we'll only have a few employees at first, I'm also wanting to host our website and email on the server. I just bought the base-line Mac Mini server, planning to up the RAM to 16gb soon, but just setting it up for now.

I walked through configuration pretty easily, enabling all of the services we'll use, and then tried to set up port forwarding on my DSL router. Of course, the router is CenturyLink standard gear, and only allows like 16 ports to forward. Not enough for all services for the server. So I've got it on DMZ until I can buy a better router (or hardware firewall). Yeah, I know it's not the safest, but it'll work for now.

Set up my domain to point to my IP address, and sure enough, Web, Calendar, and Mail services connect just fine, using the downloaded config file from mydomain.org/mydevices.

Few problems. First, VPN server isn't connecting, it says there was no response from the server. I'm not sure where to look for logs related to this, it just says "cannot connect to server."

Secondly, mail services don't seem to be connecting with the internet. I pointed my MX record on my domain name to mydomain.org and enabled Mail Services properly, which is all I thought I'd need to do. Am I missing a step here? I haven't set up rDNS yet, but that shouldn't prohibit me from receiving test emails at the server.

Lastly, this is just a mild annoyance, but visiting mydomain.org/mydevices on my iPhone won't let me log in - says "incorrect username and password." Odd, as the username and password work just fine on my Macbook Pro. We'll be issuing Macbooks and iPhones to staff, so I'd like to see this work, but it's a lesser issue.

I've tried googling this all, but Mountain Lion server is less documented, and I'm not sure I'm understanding all I see (again, it's been a long time since I did any server admin). Thanks!

First of all it's a very bad idea to do dmz of course since you are sharing your shares with the internet right now. I would suggest you te get an extreme airport this will be very easy to for opening the right ports for you. As for the mail are you pointing the mx record to the full qualified domain name??? like server.mydomain.org? and set that to a low priority. Also make sure dhcp hands out your server as dns server.

 

[rainman::|:|]

First of all it's a very bad idea to do dmz of course since you are sharing your shares with the internet right now. I would suggest you te get an extreme airport this will be very easy to for opening the right ports for you. As for the mail are you pointing the mx record to the full qualified domain name??? like server.mydomain.org? and set that to a low priority. Also make sure dhcp hands out your server as dns server.

Hi, thanks, I know it's not good practice, but I don't really have an IT budget right now - the router/modem that was supplied is 4-port 1gb ethernet + b/g/n, well within the needs for now (in a couple of months I'll totally be springing for some add-ons, including a better network structure).

I have the MX record pointing to simply mydomain.org - I did not set up any subdomains, I have two aliases for mail. and smtp. (they were pre-set up, actually) in my CNAME, and I can't make my MX record the same as a CNAME, so I just did mydomain.org, priority 5. Do I need a subdomain assigned as well?

Web server works wonderfully (opted out of using a stack, activated built-in PHP, installed MySQL and phpmyadmin for Joomla! on the built-in Apache install - and as I said, logging in through various services works fine, except VPN (based on either domain name or IP).

DNS on the server has already configured itself as a name server forwards and backwards (although the router manages overall DHCP as it's got a better antenna for b/g/n, I've obviously assigned the server a static IP - could this be the issue somehow?), and I added a "mail record" there as mydomain.org. My user profile login name on the server is firstlast while my email is first@mydomain.org, could that be a problem?

Sorry for the stupid questions, but I didn't find Server to be as documented as I had hoped, although it does offer nice integration.

 

[rainman::|:|]

One problem solved...

uPNP was turned on in my router, fixing that got the VPN issue solved. Still confused as to why the server isn't sending or receiving external mail.

 

[matspekkie]

I have the MX record pointing to simply mydomain.org - I did not set up any subdomains, I have two aliases for mail. and smtp. (they were pre-set up, actually) in my CNAME, and I can't make my MX record the same as a CNAME, so I just did mydomain.org, priority 5. Do I need a subdomain assigned as well?

make an A record containing your wan ip to fqdn like server.mydomain.org then you should be able to make an mx record point that to server.mydomain.org

DNS on the server has already configured itself as a name server forwards and backwards (although the router manages overall DHCP as it's got a better antenna for b/g/n, I've obviously assigned the server a static IP - could this be the issue somehow?)

first DNS server on clients should be your server this you can set on most routers.

and I added a "mail record" there as mydomain.org. My user profile login name on the server is firstlast while my email is first@mydomain.org, could that be a problem?

No this does not matter.

----------

(I have the MX record pointing to simply mydomain.org - I did not set up any subdomains, I have two aliases for mail. and smtp. (they were pre-set up, actually) in my CNAME, and I can't make my MX record the same as a CNAME, so I just did mydomain.org, priority 5. Do I need a subdomain assigned as well? )

make an A record containing your wan ip to fqdn like server.mydomain.org then you should be able to make an mx record point that to server.mydomain.org

(DNS on the server has already configured itself as a name server forwards and backwards (although the router manages overall DHCP as it's got a better antenna for b/g/n, I've obviously assigned the server a static IP - could this be the issue somehow?)

first DNS server on clients should be your server this you can set on most routers.

(and I added a "mail record" there as mydomain.org. My user profile login name on the server is firstlast while my email is first@mydomain.org, could that be a problem? )

No this does not matter.

 

[hitechabyss]

A few words of caution and personal experience setting this up

First, if you're running a web server (especially with PHP enabled) open to the internet odds are you will get hacked. PHP needs to be kept current with frequent patches, and at least from my experience, is the easiest way to be 0wn3d. SSH w/o pre-shared keys is another way (and weak root passwords). Make sure you test your mail server config so you're not an open relay, and config your DNS server to prevent recursive lookups (ML has a setting for that).

That way, smtp, dns, and web are better isolated from your internal network, an accidental config option can't share your files to the internet, etc. You'd then forward from the DMZ to the internet network server (fw rules limiting ports to just the bare minimum).

Since you're on a budget, check out using VirtualBox, VMware Fusion or Parallels and install your DMZ services in a Mac OS X Server VM. It's not as secure as a completely separate physical server, but you can set up it up in non-persistent mode after it's configured to your liking so if you do get hacked, you cycle the VM and the state is restored as you left it. Caveats apply (remember to switch to persistent mode for updates, changes, and don't store data you want to keep on here).

Depending on the free resources on your server corei5 or i7 mini w/8GB memory is plenty. You can have the bare metal Mac OS X provide internal services to users (email, internal web, dns, dhcp, wiki, etc).

I haven't tried this yet, but adding more NICs to your mac-mini via the USB-Ethernet adapter from apple might be a good way to segment your DMZ VM (bind the VM to the USB adapter interface and enable firewall rules to prevent direct inbound traffic to bare metal OS).

This sounds complicated, but once you get 0wn3d, and have to spend countless hours undoing what they did, you'll end up right back to where you are now (setting up a new server from scratch).

Good luck.

 

[rainman::|:|]

Thanks, that's an interesting idea, I'll look into VMing - I was already considering a USB ethernet connection to divide things up. Security is going to be a pain, and in the end, I'm going to need to get a serious router to un-DMZ the thing, just opening the ports I need to. I think I've got all of the other issues locked down, with the exception of PHP (disappointing that they don't push PHP updates, but I've seen that argument enough times). I have a feeling as we hire more employees and VPN use increases, I'll be moving to a traditional web host soon enough.

I do have one final issue that's been vexing me for some time. Our ISP blocks port 25, and I've unblocked it with them for the server, so email is flowing properly. However, that same ISP is very popular here in town, my own residential connection is through them (Centurylink, formerly Qwest). They don't allow unblocking of port 25 on residential connections, and it'd be a pain to do so anyway, as many of our employees will be using them for residential access.

All of my other email accounts roll to port 587 when 25 fails (on outgoing email, of course). I cannot for the life of me figure out how to open port 587 on the server, however, despite editing the postfix config file as suggested on many forums. I can certainly send email when I'm on the same network as the server, but sending from home is impossible. As many other ISPs are blocking port 25, I think this is going to be a bigger issue. Is there something to opening port 587 I'm not seeing? I'm surprised Apple didn't include this as a GUI option.

Thanks!