Lion server forward proxy

Hi,
is there an easy way to setup Lion server on a mac mini with the internal Apache web server as forward proxy? Bearing in mind that mac mini only has one ethernet port (I guess virtual ethernet port can be used if two interfaces are necessary)?
looking further ahaed - is there any benefit in running a proxy setup with enhanced content filtering capabilities or is the parental control through profile manager sufficient to fulfill that task?
best
-H

Apache's forward proxy doesn't require multiple interfaces, so that's not an issue, but IIRC you can't do this via the GUI. That means you're down to editing Apache's configuration files directly, in which case you can do anything that Apache can normally do.
As for the filtering, that's up to you - you'll need to decide on the amount of filtering paranoia you want to implement, and whether Parental Control provides sufficient coverage, whether you want to roll your own, or subscribe to a commercial solution.

Similar Messages

Mac OS X Server Forward Proxy(Web Caching)...setup a website for the proxy???

My office is a Mac environment with a couple of windows pcs. To save on bandwidth i would like to setup a Mac OS X Snow leopard server with a web caching proxy, forward proxy. I read this link from apple
Server Admin 10.6 Help: Configuring Web Service Proxy Settings
i understand that to set this up i must enable it on my Mac Server and also on the clients(end user) web browser. What i don't understand is this part:
"When setting up a forward proxy, make sure you create and enable a website for the proxy. You might want to disable logging on the proxy site or configure the site to record its access log in a separate file from your other sites’ access logs. The site does not need to be on port 80 but setting up web clients is easier if its browsers use port 80 by default."
Create and enable a website for the proxy??? I don't understand, why do i need a website for web caching? Shouldn't the settings in the web browser direct the http requests to the mac server and it does the rest, what has a website got to do with it and what type of website?How?
Please help, thank you in advance

SL Server

Long time until Forward Proxy shows new content

Dear all,
I have a BorderManager server setup with version 3.9 SP2 and on the server we have HTTP Proxy server / Forward Proxy setup for a webserver somewhere in out network.
When we refresh the content on the webserver (flash content) it takes a very long time before this new content is show on the client side of the HTTP Proxy Server / Forward Proxy.
How can I tune the performance for this proxy?
Your suggestions are very much appreciated.
Rgds,
Zeger

On 12/09/2009 10:36 PM, zegerw wrote:
>
> Dear all,
>
> I have a BorderManager server setup with version 3.9 SP2 and on the
> server we have HTTP Proxy server / Forward Proxy setup for a webserver
> somewhere in out network.
>
> When we refresh the content on the webserver (flash content) it takes a
> very long time before this new content is show on the client side of the
> HTTP Proxy Server / Forward Proxy.
>
> How can I tune the performance for this proxy?
>
> Your suggestions are very much appreciated.
>
> Rgds,
> Zeger
>
>
What you have to do is to properly configure your webserver and use the
appropriate http headers. BM just will follow whatever the webserver
tells him to do.

Set Up Proxy Server on OSX Mountain Lion Server.app

Hi,
Can anyone help me on how to set up a proxy server or forward proxy on OS X Mountain Lion Server.app? without using Squid
a step by step instruction would be helpfull
Thank you
Regards
a.w

There is no way to set up a proxy server in Server.app. For generic instructions, see, for example, this:
mod_proxy - Apache HTTP Server

Mac Mini as forward proxy server

I realize there are other questions out there regarding this issue, but I hadn't noticed anyone else looking to solve the same problem as I am, thus the new question. Apologies if it is viewed as redundant.
I'd like to set up my 2011 Mac Mini Server (running Mountain Lion) as a forward proxy. Most items I see on the web regarding this seem to want to use the forward proxy to filter websites and ports, I want to do just the opposite. I want to use the proxy server to bypass a restrictive firewall (of which I do not have control) using a high speed unfettered wireless connection. (So, internal NIC = Ethernet, external NIC = WiFi). I'm assuming that Apache can do this, I have limited (read - 0) experience with proxy setup and configuration - but given the right web links with a little context, I'll be OK. Can anyone point me in the right direction? At stake are connections to iCloud, TeamViewer, Google Drive, Windows Azure, submissions to the Apple App Store and Windows Live Marketplace, etc - so many of these connections do not occur on port 80 by default - which is why I need to open up more than just an HTTP proxy. Perhaps a transparent proxy would be a better choice? Thoughts?

From what I understand from your post, this may be easier for you to accomplish using either a VPN tunnel or an SSH tunnel. VPN can be configured using the Server application and is quite easy, SSH can be configured using "Remote Management" (I think) and then you'd just have to set up your client. VPN would tunnel all traffic and SSH would tunnel specific ports.

Apache 2.2 21 forward Proxy 2 way SSL for weblogic server as a client

Hi All,
Currently, i am trying to implement a forward SSL proxy. The client will hit my apache server which in return will hit a IIS Server.
scenarios 1
client(weblogic)--*2 way SSL*Apache(forward proxy)*2 way SSL*-- IIS
If i were to implement 1 way ssl, i am able to see the content of the website.
client(weblogic) --- Apache(forward proxy) --- IIS
If i were to launch the web browser from the client machine (with the client certificate imported in the browser), i am able to view the content in the IIS. But if i were to simulate the connection from weblogic server, it just give me end of file exception (response contain no data) on the logs.
Below is my configuration
Listen 8080
<VirtualHost default:8080>
ServerName serverA
ErrorLog "logs/ssl_error_log"
CustomLog "logs/ssl_access_log" common
SSLProxyEngine On
SSLProxyMachineCertificateFile /certificate/servercert.cer
SSLProxyCACertificateFile /certificate/rootCA.cer
SSLProxyVerify require
SSLProxyVerifyDepth 10
ProxyRequests On
ProxyVia On
AllowConnect 12345
<Proxy *>
Order allow,deny
Allow from all
</Proxy>
</VirtualHost>
For 2 way SSL, will the client forward their client certificate to my apache proxy server and apache will on the client behalf forward the client certificate to the IIS server for authenication?
Or the SSL authenication still happen between the client (weblogic) and the end server (IIS) bypassing the proxy server.
Please help.

It is a domain wide setting. Can you not create a new domain? I do not think that you can handle it from web.xml. I have never seen such thing in web.xml.

Setting up a Reverse proxy on lion server

Can someone point an osx server newb like me to some documents/how to on setting up a reverse proxy on lion server. It appears apples docs online are still for SL
Many thanks
Stephen

Lion server is so frustrating. Good grief.
It broke my setup. So I tried to re-follow the instructions at http://www.bensoftware.com/securityspy/helpssl.html to setup a reverse proxy to wrap an otherwise insecure connection into an SSL connection.
I can get the SSL part working (connections to https://127.0.0.1 work) but it's not proxying. Per the instructions, I put the following two lines near the bottom of the httpd-ssl.conf file:
RewriteEngine On
RewriteRule ^/(.*) http://127.0.0.1:8000/$1 [P]
Just above </VirtualHost>
Instead of getting the proxy, I get the same regular SSL connection page displayed ("Hello world"). In other words, after getting the SSL stuff setup, adding these two lines didn't do anything. Any idea what I'm doing wrong?

How To Install A (Almost) Working Lion Server With Profile Management/SSL/OD/Mail/iCal/Address Book/VNC/Web/etc.

I recently installed a fresh version of Lion Server after attempting to fix a broken upgrade. With some help from others, I've managed to get all the new features working and have kept notes, having found that many or most of the necessary installation steps for both the OS and its services are almost entirely undocumented. When you get them working, they work great, but the entire process is very fragile, with simple setup steps causing breaks or even malicious behaviors. In case this is useful to others, here are my notes.
Start with an erased, virgin, single guid partitioned drive. Not an upgrade. Not simply a repartitioned drive. Erased. Clean. Anything else can and probably will break the Lion Server install, as I discovered myself more than once. Before erasing my drive, I already had Lion and made a Lion install DVD from instructions widely available on the web. I suppose you could also boot into the Lion recovery partition and use disk utility to erase the OS X partition then install a new partition, but I cut a DVD. The bottom line is to erase any old OS partitions. And of course to have multiple, independent backups: I use both Time Machine with a modified StdExclusions.plist and Carbon Copy Cloner.
Also, if you will be running your own personal cloud, you will want to know your domain name ahead of time, as this will be propagated everywhere throughout server, and changing anything related to SSL on Lion Server is a nightmare that I haven't figured out. If you don't yet have a domain name, go drop ten dollars at namecheap.com or wherever and reserve one before you start. Soemday someone will document how to change this stuff without breaking Lion Server, but we're not there yet. I'll assume the top-level domain name "domain.com" here.
Given good backups, a Lion Install DVD (or Recovery Partition), and a domain name, here are the steps, apparently all of which must be more-or-less strictly followed in this order.
DVD>Disk Utility>Erase Disk [or Recovery Partition>Disk Utility>Erase Partition]
DVD>Install Lion
Reboot, hopefully Lion install kicks in
Update, update, update Lion (NOT Lion Server yet) until no more updates
System Preferences>Network>Static IP on the LAN (say 10.0.1.2) and Computer name ("server" is a good standbye)
Terminal>$ sudo scutil --set HostName server.domain.com
App Store>Install Lion Server and run through the Setup
Download install Server Admin Tools, then update, update, update until no more updates
Server Admin>DNS>Zones [IF THIS WASN'T AUTOMAGICALLY CREATED (mine wasn't): Add zone domain.com with Nameserver "server.domain.com." (that's a FQDN terminated with a period) and a Mail Exchanger (MX record) "server.domain.com." with priority 10. Add Record>Add Machine (A record) server.domain.com pointing to the server's static IP. You can add fancier DNS aliases and a simpler MX record below after you get through the crucial steps.]
System Prefs>Network>Advanced>Set your DNS server to 127.0.0.1
A few DNS set-up steps and these most important steps:
A. Check that the Unix command "hostname" returns the correct hostname and you can see this hostname in Server.app>Hardware>Network
B. Check that DNS works: the unix commands "host server.domain.com" and "host 10.0.1.2" (assuming that that's your static IP) should point to each other. Do not proceed until DNS works.
C. Get Apple Push Notification Services CA via Server.app>Hardware>Settings><Click toggle, Edit... get a new cert ...>
D. Server.app>Profile Manager>Configure... [Magic script should create OD Master, signed SSL cert]
E. Server.app>Hardware>Settings>SSL Certificate> [Check to make sure it's set to the one just created]
F. Using Server.app, turn on the web, then Server.app>Profile Manager> [Click on hyperlink to get to web page, e.g. server.domain.com/profilemanager] Upper RHS pull-down, install Trust Profile
G. Keychain Access>System>Certificates [Find the automatically generated cert "Domain", the one that is a "Root certificate authority", Highlight and Export as .cer, email to all iOS devices, and click on the authority on the device. It should be entered as a trusted CA on all iOS devices. While you're at it, highlight and Export... as a .cer the certificate "IntermediateCA_SERVER.DOMAIN.COM_1", which is listed an an "Intermediate CA" -- you will use this to establish secure SSL connections with remote browsers hitting your server.]
H. iOS on LAN: browse to server.domain.com/mydevices> [click on LHS Install trust cert, then RHS Enroll device.
I. Test from web browser server.domain.com/mydevices: Lock Device to test
J. ??? Profit
12. Server Admin>DNS>Zones> Add convenient DNS alias records if necessary, e.g., mail.domain.com, smtp.domain.com, www.domain.com. If you want to refer to your box using the convenient shorthand "domain.com", you must enter the A record (NOT alias) "domain.com." FQDN pointing to the server's fixed IP. You can also enter the convenient short MX record "domain.com." with priority 11. This will all work on the LAN -- all these settings must be mirrored on the outside internet using the service from which you registered domain.com.
You are now ready to begin turning on your services. Here are a few important details and gotchas setting up cloud services.
Firewall
Server Admin>Firewall>Services> Open up all ports needed by whichever services you want to run and set up your router (assuming that your server sits behind a router) to port forward these ports to your router's LAN IP. This is most a straightforward exercise in grepping for the correct ports on this page, but there are several jaw-droppingly undocumented omissions of crucial ports for Push Services and Device Enrollment. If you want to enroll your iOS devices, make sure port 1640 is open. If you want Push Notifications to work (you do), then ports 2195, 2196, 5218, and 5223 must be open. The Unix commands "lsof -i :5218" and "nmap -p 5218 server.domain.com" (nmap available from Macports after installing Xcode from the App Store) help show which ports are open.
SSH
Do this with strong security. Server.app to turn on remote logins (open port 22), but edit /etc/sshd_config to turn off root and password logins.
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
I'm note sure if toggling the Allow remote logins will load this config file or, run "sudo launchctl unload -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist ; sudo launchctl load -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist" to restart the server's ssh daemon.
Then use ssh-keygen on remote client to generate public/private keys that can be used to remotely login to the server.
client$ ssh-keygen -t rsa -b 2048 -C client_name
[Securely copy ~/.ssh/id_rsa.pub from client to server.]
server$ cat id_rsa.pub > ~/.ssh/known_hosts
I also like DenyHosts, which emails detected ssh attacks to [email protected]. It's amazing how many ssh attacks there are on any open port 22. Not really an added security feature if you've turned off password logins, but good to monitor. Here's a Lion Server diff for the config file /usr/share/denyhosts:
$ diff denyhosts.cfg-dist denyhosts.cfg
12c12
< SECURE_LOG = /var/log/secure
> #SECURE_LOG = /var/log/secure
22a23
> SECURE_LOG = /var/log/secure.log
34c35
< HOSTS_DENY = /etc/hosts.deny
> #HOSTS_DENY = /etc/hosts.deny
40a42,44
> #
> # Mac OS X Lion Server
> HOSTS_DENY = /private/etc/hosts.deny
195c199
< LOCK_FILE = /var/lock/subsys/denyhosts
> #LOCK_FILE = /var/lock/subsys/denyhosts
202a207,208
> LOCK_FILE = /var/denyhosts/denyhosts.pid
> #
219c225
< ADMIN_EMAIL =
> ADMIN_EMAIL = [email protected]
286c292
< #SYSLOG_REPORT=YES
> SYSLOG_REPORT=YES
Network Accounts
User Server.app to create your network accounts; do not use Workgroup Manager. If you use Workgroup Manager, as I did, then your accounts will not have email addresses specified and iCal Server WILL NOT COMPLETELY WORK. Well, at least collaboration through network accounts will be handled clunkily through email, not automatically as they should. If you create a network account using Workgroup Manager, then edit that account using Server.app to specify the email to which iCal invitations may be sent. Server.app doesn't say anything about this, but that's one thing that email address entry is used for. This still isn't quite solid on Lion Server, as my Open Directory logs on a freshly installed Lion Server are filled with errors that read:
2011-12-12 15:05:52.425 EST - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':
     User 'uname' (/LDAPv3/127.0.0.1) - ID 1031 - UUID 98B4DF30-09CF-42F1-6C31-9D55FE4A0812 - SID S-0-8-83-8930552043-0845248631-7065481045-9092
Oh well.
Email
Email aliases are handled with the file /private/etc/postfix/aliases. Do something like this
root:           myname
admin:          myname
sysadmin:       myname
certadmin:      myname
webmaster:      myname
my_alternate:   myname
Then run "sudo newaliases". If your ISP is Comcast or some other large provider, you probably must proxy your outgoing mail through their SMTP servers to avoid being blocked as a spammer (a lot of SMTP servers will block email from Comcast/whatever IP addresses that isn't sent by Comcast). Use Server.app>Mail to enter your account information. Even then, the Lion Server default setup may fail using this proxy. I had to do this with the file /private/etc/postfix/main.cf:
cd /etc/postfix
sudo cp ./main.cf ./main.cf.no_smtp_sasl_security_options
sudo echo 'smtp_sasl_security_options = noanonymous' >> ./main.cf
sudo serveradmin stop mail
sudo serveradmin start mail
Finally, make sure that you're running a blacklisting srevice yourself! Server Admin>Mail>Filter> Use spamhaus.org as a blacklister. Finally, set up mail to use strong Kerberos/MD5 settings under on Server Admin>Mail>Advanced. Turn off password and clear logins. The settings should be set to "Use" your SSL cert, NOT "Require". "Require" consistently breaks things for me.
If you already installed the server's Trust Certificate as described above (and opened up the correct ports), email to your account should be pushed out to all clients.
iCal Server
Server.app>Calendar>Turn ON and Allow Email Invitations, Edit... . Whatever you do, do NOT enter your own email account information in this GUI. You must enter the account information for local user com.apple.calendarserver, and the password for this account, which is stored in the System keychain: Keychain Access>System> Item com.apple.servermgr_calendar. Double-click and Show Password, copy and paste into Server.app dialog. This is all described in depth here. If you enter your own account information here (DO NOT!), the iCal Server will delete all Emails in your Inbox just as soon as it reads them, exactly like it works for user com.apple.calendarserver. Believe me, you don't want to discover this "feature", which I expect will be more tightly controlled in some future update.
Web
The functionality of Server.app's Web management is pretty limited and awful, but a few changes to the file /etc/apache2/httpd.conf will give you a pretty capable and flexible web server, just one that you must manage by hand. Here's a diff for httpd.conf:
$ diff httpd.conf.default httpd.conf
95c95
< #LoadModule ssl_module libexec/apache2/mod_ssl.so
> LoadModule ssl_module libexec/apache2/mod_ssl.so
111c111
< #LoadModule php5_module libexec/apache2/libphp5.so
> LoadModule php5_module libexec/apache2/libphp5.so
139,140c139,140
< #LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
< #LoadModule encoding_module libexec/apache2/mod_encoding.so
> LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
> LoadModule encoding_module libexec/apache2/mod_encoding.so
146c146
< #LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
> LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
177c177
< ServerAdmin [email protected]
> ServerAdmin [email protected]
186c186
< #ServerName www.example.com:80
> ServerName domain.com:443
677a678,680
> # Server-specific configuration
> # sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart
> Include /etc/apache2/mydomain/*.conf
I did "sudo mkdir /etc/apache2/mydomain" and add specific config files for various web pages to host. For example, here's a config file that will host the entire contents of an EyeTV DVR, all password controlled with htdigest ("htdigest ~uname/.htdigest EyeTV uname"). Browsing to https://server.domain.com/eyetv points to /Users/uname/Sites/EyeTV, in which there's an index.php script that can read and display the EyeTV archive at https://server.domain.com/eyetv_archive. If you want Apache username accounts with twiddles as in https://server.domain.com/~uname, specify "UserDir Sites" in the configuration file.
Alias /eyetv /Users/uname/Sites/EyeTV
<Directory "/Users/uname/Sites/EyeTV">
    AuthType Digest
    AuthName "EyeTV"
    AuthUserFile /Users/uname/.htdigest
    AuthGroupFile /dev/null
    Require user uname
    Options Indexes MultiViews
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>
Alias /eyetv_archive "/Volumes/Macintosh HD2/Documents/EyeTV Archive"
<Directory "/Volumes/Macintosh HD2/Documents/EyeTV Archive">
    AuthType Digest
    AuthName "EyeTV"
    AuthUserFile /Users/uname/.htdigest
    AuthGroupFile /dev/null
    Require user uname
    Options Indexes MultiViews
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>
I think you can turn Web off/on in Server.app to relaunch apached, or simply "sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart".
Securely copy to all desired remote clients the file IntermediateCA_SERVER.DOMAIN.COM_1.cer, which you exported from System Keychain above. Add this certificate to your remote keychain and trust it, allowing secure connections between remote clients and your server. Also on remote clients: Firefox>Advanced>Encryption>View Certificates>Authorities>Import...> Import this certificate into your browser. Now there should be a secure connection to https://server.domain.com without any SSL warnings.
One caveat is that there should be a nice way to establish secure SSL to https://domain.com and https://www.domain.com, but the automagically created SSL certificate only knows about server.domain.com. I attempted to follow this advice when I originally created the cert and add these additional domains (under "Subject Alternate Name Extension"), but the cert creation UI failed when I did this, so I just gave up. I hope that by the time these certs expire, someone posts some documentation on how to manage and change Lion Server SSL scripts AFTER the server has been promoted to an Open Directory Master. In the meantime, it would be much appreciated if anyone can post either how to add these additional domain names to the existing cert, or generate and/or sign a cert with a self-created Keychain Access root certificate authority. In my experience, any attempt to mess with the SSL certs automatically generated just breaks Lion Server.
Finally, if you don't want a little Apple logo as your web page icon, create your own 16×16 PNG and copy it to the file /Library/Server/Web/Data/Sites/Default/favicon.ico. And request that all web-crawling robots go away with the file /Library/Server/Web/Data/Sites/Default/robots.txt:
User-agent: *
Disallow: /
Misc
VNC easily works with iOS devices -- use a good passphrase. Edit /System/Library/LaunchDaemons/org.postgresql.postgres.plist and set "listen_addresses=127.0.0.1" to allow PostgreSQL connections over localhost. I've also downloaded snort/base/swatch to build an intrusion detection system, and used Macports's squid+privoxy to build a privacy-enhanced ad-blocking proxy server.

Privacy Enhancing Filtering Proxy and SSH Tunnel
Lion Server comes with its own web proxy, but chaining Squid and Privoxy together provides a capable and effective web proxy that can block ads and malicious scripts, and conceal information used to track you around the web. I've posted a simple way to build and use a privacy enhancing web proxy here. While you're at it, configure your OS and browsers to block Adobe Flash cookies and block Flash access to your camera, microphone, and peer networks. Read this WSJ article series to understand how this impacts your privacy. If you configure it to allow use for anyone on your LAN, be sure to open up ports 3128, 8118, and 8123 on your firewall.
If you've set up ssh and/or VPN as above, you can securely tunnel in to your proxy from anywhere. The syntax for ssh tunnels is a little obscure, so I wrote a little ssh tunnel script with a simpler flexible syntax. This script also allows secure tunnels to other services like VNC (port 5900). If you save this to a file ./ssht (and chmod a+x ./ssht), example syntax to establish an ssh tunnel through localhost:8080 (or, e.g., localhost:5901 for secure VNC Screen Sharing connects) looks like:
$ ./ssht 8080:[email protected]:3128
$ ./ssht 8080:alice@:
$ ./ssht 8080:
$ ./ssht 8018::8123
$ ./ssht 5901::5900 [Use the address localhost:5901 for secure VNC connects using OS X's Screen Sharing or Chicken of the VNC (sudo port install cotvnc)]
$ vi ./ssht
#!/bin/sh
# SSH tunnel to squid/whatever proxy: ssht [-p ssh_port] [localhost_port:][user_name@][ip_address][:remotehost][:remote_port]
USERNAME_DEFAULT=username
HOSTNAME_DEFAULT=domain.com
SSHPORT_DEFAULT=22
# SSH port forwarding specs, e.g. 8080:localhost:3128
LOCALHOSTPORT_DEFAULT=8080      # Default is http proxy 8080
REMOTEHOST_DEFAULT=localhost    # Default is localhost
REMOTEPORT_DEFAULT=3128         # Default is Squid port
# Parse ssh port and tunnel details if specified
SSHPORT=$SSHPORT_DEFAULT
TUNNEL_DETAILS=$LOCALHOSTPORT_DEFAULT:$USERNAME_DEFAULT@$HOSTNAME_DEFAULT:$REMOT EHOST_DEFAULT:$REMOTEPORT_DEFAULT
while [ "$1" != "" ]
do
case $1
in
    -p) shift;                  # -p option
        SSHPORT=$1;
        shift;;
     *) TUNNEL_DETAILS=$1;      # 1st argument option
        shift;;
esac
done
# Get local and remote ports, username, and hostname from the command line argument: localhost_port:user_name@ip_address:remote_host:remote_port
shopt -s extglob                        # needed for +(pattern) syntax; man sh
LOCALHOSTPORT=$LOCALHOSTPORT_DEFAULT
USERNAME=$USERNAME_DEFAULT
HOSTNAME=$HOSTNAME_DEFAULT
REMOTEHOST=$REMOTEHOST_DEFAULT
REMOTEPORT=$REMOTEPORT_DEFAULT
# LOCALHOSTPORT
CDR=${TUNNEL_DETAILS#+([0-9]):}         # delete shortest leading +([0-9]):
CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
CAR=${CAR%:}                            # delete :
if [ "$CAR" != "" ]                     # leading or trailing port specified
then
    LOCALHOSTPORT=$CAR
fi
TUNNEL_DETAILS=$CDR
# REMOTEPORT
CDR=${TUNNEL_DETAILS%:+([0-9])}         # delete shortest trailing :+([0-9])
CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
CAR=${CAR#:}                            # delete :
if [ "$CAR" != "" ]                     # leading or trailing port specified
then
    REMOTEPORT=$CAR
fi
TUNNEL_DETAILS=$CDR
# REMOTEHOST
CDR=${TUNNEL_DETAILS%:*}                # delete shortest trailing :*
CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
CAR=${CAR#:}                            # delete :
if [ "$CAR" != "" ]                     # leading or trailing port specified
then
    REMOTEHOST=$CAR
fi
TUNNEL_DETAILS=$CDR
# USERNAME
CDR=${TUNNEL_DETAILS#*@}                # delete shortest leading +([0-9]):
CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
CAR=${CAR%@}                            # delete @
if [ "$CAR" != "" ]                     # leading or trailing port specified
then
    USERNAME=$CAR
fi
TUNNEL_DETAILS=$CDR
# HOSTNAME
HOSTNAME=$TUNNEL_DETAILS
if [ "$HOSTNAME" == "" ]                # no hostname given
then
    HOSTNAME=$HOSTNAME_DEFAULT
fi
ssh -p $SSHPORT -L $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT -l $USERNAME $HOSTNAME -f -C -q -N \
    && echo "SSH tunnel established via $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT\n\tto $USERNAME@$HOSTNAME:$SSHPORT." \
    || echo "SSH tunnel FAIL."

Upgrade from Lion Server to ML 10.8.1 Broke Mail server!

....10.8.1 OD seems to work, files and AFP available, but Mail server not working correctly. Now users don't see mail, postfix issues numerous errors about missing system_user_maps and delivers no mail? Must recover mails! Help! Where should I look, and what to read for Diagnosis ?
After upgrade in place from SL to Lion to ML. most services did not work correctly; except for Mail and DNS and OD.   Reinstalled.   Now most everything seems to work including Card Services, Calendars, Wiki, Web, DNS, OD. But Mail is off and missing??? No delivery of INcoming mail, No Sending Mail, no IMAP Mail login for users.
On Mail configuration in Server.App: Turned off All Filtering. Have rebooted Server several times, Restarted Mailserver from Server,app and Terninal.   Same Results. Somewhere along the line from Server 10.5 to SL to Lion to 10.8 incoming Maill started going to [email protected] rather than simply [email protected].
    Is it possible that virtual domains are fuzzing up the works? The error logs use the longer virtual domain (with the sevrer name prefix) rather than the domain name?
Here are some sample Log messages:
From SYStem Log:
Sep 7 19:33:56 plg1.plg-law.com postfix/cleanup[1998]: warning: 8273B199E3F8: recipient_canonical_maps map lookup problem for [email protected]
Sep 7 19:33:56 plg1.plg-law.com postfix/pickup[1324]: warning: maildrop/ECF3A196A4FE: error writing 8273B199E3F8: queue file write error
Sep 7 19:33:58 plg1.plg-law.com postfix/pickup[1324]: warning: E5AC9199E3F9: message has been queued for 1 days
Sep 7 19:33:58 plg1.plg-law.com postfix/cleanup[1998]: warning: hash:/etc/postfix/system_user_maps is unavailable. open database /etc/postfix/system_user_maps.db: No such file or directory
Sep 7 19:33:58 plg1.plg-law.com postfix/cleanup[1998]: warning: hash:/etc/postfix/system_user_maps lookup error for "[email protected]"
Sep 7 19:33:58 plg1.plg-law.com postfix/cleanup[1998]: warning: E5AC9199E3F9: recipient_canonical_maps map lookup problem for [email protected]
Sep 7 19:33:58 plg1.plg-law.com postfix/pickup[1324]: warning: maildrop/ED4AB196A4FF: error writing E5AC9199E3F9: queue file write error
Sep 7 19:33:59 plg1.plg-law.com postfix/cleanup[1998]: warning: hash:/etc/postfix/system_user_maps is unavailable. open database /etc/postfix/system_user_maps.db: No such file or directory
Sep 7 19:33:59 plg1.plg-law.com postfix/cleanup[1998]: warning: hash:/etc/postfix/system_user_maps lookup error for "[email protected]"
Sep 7 19:33:59 plg1.plg-law.com postfix/cleanup[1998]: warning: 385DD199E3FB: recipient_canonical_maps map lookup problem for [email protected]
Sep 7 19:33:59 plg1.plg-law.com postfix/pickup[1324]: warning: maildrop/EE2A9199B211: error writing 385DD199E3FB: queue file write error
From SMTP Log:
Sep 7 19:35:24 plg1.plg-law.com postfix/pickup[1324]: 3652E199E487: uid=78 from=<_mailman>
Sep 7 19:35:24 plg1.plg-law.com postfix/cleanup[1998]: warning: hash:/etc/postfix/system_user_maps is unavailable. open database /etc/postfix/system_user_maps.db: No such file or directory
Sep 7 19:35:24 plg1.plg-law.com postfix/cleanup[1998]: warning: hash:/etc/postfix/system_user_maps lookup error for "[email protected]"
Sep 7 19:35:24 plg1.plg-law.com postfix/cleanup[1998]: warning: 3652E199E487: recipient_canonical_maps map lookup problem for [email protected]
Sep 7 19:35:24 plg1.plg-law.com postfix/pickup[1324]: warning: maildrop/8E82B199AD06: error writing 3652E199E487: queue file write error

here's my configured postfix main.cf file from /etc/postfix/main.cf   (mountain lion server 10.8.1)
Server.app should have somewhat configured it correctly for you in someways, but something got messed up in the import script I guess.
Hope this helps...
# Global Postfix configuration file. This file lists only a subset
# of all parameters. For the syntax, and for a complete parameter
# list, see the postconf(5) manual page (command: "man 5 postconf").
# For common configuration examples, see BASIC_CONFIGURATION_README
# and STANDARD_CONFIGURATION_README. To find these documents, use
# the command "postconf html_directory readme_directory", or go to
# http://www.postfix.org/.
# For best results, change no more than 2-3 parameters at a time,
# and test if Postfix still works after every change.
# SOFT BOUNCE
# The soft_bounce parameter provides a limited safety net for
# testing. When soft_bounce is enabled, mail will remain queued that
# would otherwise bounce. This parameter disables locally-generated
# bounces, and prevents the SMTP server from rejecting mail permanently
# (by changing 5xx replies into 4xx replies). However, soft_bounce
# is no cure for address rewriting mistakes or mail routing mistakes.
#soft_bounce = no
# LOCAL PATHNAME INFORMATION
# The queue_directory specifies the location of the Postfix queue.
# This is also the root directory of Postfix daemons that run chrooted.
# See the files in examples/chroot-setup for setting up Postfix chroot
# environments on different UNIX systems.
queue_directory = /Library/Server/Mail/Data/spool
# The command_directory parameter specifies the location of all
# postXXX commands.
command_directory = /usr/sbin
# The daemon_directory parameter specifies the location of all Postfix
# daemon programs (i.e. programs listed in the master.cf file). This
# directory must be owned by root.
daemon_directory = /usr/libexec/postfix
# The data_directory parameter specifies the location of Postfix-writable
# data files (caches, random numbers). This directory must be owned
# by the mail_owner account (see below).
data_directory = /Library/Server/Mail/Data/mta
# QUEUE AND PROCESS OWNERSHIP
# The mail_owner parameter specifies the owner of the Postfix queue
# and of most Postfix daemon processes. Specify the name of a user
# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS
# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM. In
# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED
# USER.
mail_owner = _postfix
# The default_privs parameter specifies the default rights used by
# the local delivery agent for delivery to external file or command.
# These rights are used in the absence of a recipient user context.
# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER.
#default_privs = nobody
# INTERNET HOST AND DOMAIN NAMES
# The myhostname parameter specifies the internet hostname of this
# mail system. The default is to use the fully-qualified domain name
# from gethostname(). $myhostname is used as a default value for many
# other configuration parameters.
#myhostname = host.domain.tld
#myhostname = virtual.domain.tld
# The mydomain parameter specifies the local internet domain name.
# The default is to use $myhostname minus the first component.
# $mydomain is used as a default value for many other configuration
# parameters.
#mydomain = domain.tld
# SENDING MAIL
# The myorigin parameter specifies the domain that locally-posted
# mail appears to come from. The default is to append $myhostname,
# which is fine for small sites. If you run a domain with multiple
# machines, you should (1) change this to $mydomain and (2) set up
# a domain-wide alias database that aliases each user to
# [email protected].
# For the sake of consistency between sender and recipient addresses,
# myorigin also specifies the default domain name that is appended
# to recipient addresses that have no @domain part.
#myorigin = $myhostname
#myorigin = $mydomain
# RECEIVING MAIL
# The inet_interfaces parameter specifies the network interface
# addresses that this mail system receives mail on. By default,
# the software claims all active interfaces on the machine. The
# parameter also controls delivery of mail to user@[ip.address].
# See also the proxy_interfaces parameter, for network addresses that
# are forwarded to us via a proxy or network address translator.
# Note: you need to stop/start Postfix when this parameter changes.
#inet_interfaces = all
#inet_interfaces = $myhostname
#inet_interfaces = $myhostname, localhost
# The proxy_interfaces parameter specifies the network interface
# addresses that this mail system receives mail on by way of a
# proxy or network address translation unit. This setting extends
# the address list specified with the inet_interfaces parameter.
# You must specify your proxy/NAT addresses when your system is a
# backup MX host for other domains, otherwise mail delivery loops
# will happen when the primary MX host is down.
#proxy_interfaces =
#proxy_interfaces = 1.2.3.4
# The mydestination parameter specifies the list of domains that this
# machine considers itself the final destination for.
# These domains are routed to the delivery agent specified with the
# local_transport parameter setting. By default, that is the UNIX
# compatible delivery agent that lookups all recipients in /etc/passwd
# and /etc/aliases or their equivalent.
# The default is $myhostname + localhost.$mydomain. On a mail domain
# gateway, you should also include $mydomain.
# Do not specify the names of virtual domains - those domains are
# specified elsewhere (see VIRTUAL_README).
# Do not specify the names of domains that this machine is backup MX
# host for. Specify those names via the relay_domains settings for
# the SMTP server, or use permit_mx_backup if you are lazy (see
# STANDARD_CONFIGURATION_README).
# The local machine is always the final destination for mail addressed
# to user@[the.net.work.address] of an interface that the mail system
# receives mail on (see the inet_interfaces parameter).
# Specify a list of host or domain names, /file/name or type:table
# patterns, separated by commas and/or whitespace. A /file/name
# pattern is replaced by its contents; a type:table is matched when
# a name matches a lookup key (the right-hand side is ignored).
# Continue long lines by starting the next line with whitespace.
# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS".
#mydestination = $myhostname, localhost.$mydomain, localhost
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
#          mail.$mydomain, www.$mydomain, ftp.$mydomain
# REJECTING MAIL FOR UNKNOWN LOCAL USERS
# The local_recipient_maps parameter specifies optional lookup tables
# with all names or addresses of users that are local with respect
# to $mydestination, $inet_interfaces or $proxy_interfaces.
# If this parameter is defined, then the SMTP server will reject
# mail for unknown local users. This parameter is defined by default.
# To turn off local recipient checking in the SMTP server, specify
# local_recipient_maps = (i.e. empty).
# The default setting assumes that you use the default Postfix local
# delivery agent for local delivery. You need to update the
# local_recipient_maps setting if:
# - You define $mydestination domain recipients in files other than
#   /etc/passwd, /etc/aliases, or the $virtual_alias_maps files.
#   For example, you define $mydestination domain recipients in
#   the $virtual_mailbox_maps files.
# - You redefine the local delivery agent in master.cf.
# - You redefine the "local_transport" setting in main.cf.
# - You use the "luser_relay", "mailbox_transport", or "fallback_transport"
#   feature of the Postfix local delivery agent (see local(8)).
# Details are described in the LOCAL_RECIPIENT_README file.
# Beware: if the Postfix SMTP server runs chrooted, you probably have
# to access the passwd file via the proxymap service, in order to
# overcome chroot restrictions. The alternative, having a copy of
# the system passwd file in the chroot jail is just not practical.
# The right-hand side of the lookup tables is conveniently ignored.
# In the left-hand side, specify a bare username, an @domain.tld
# wild-card, or specify a [email protected] address.
#local_recipient_maps = unix:passwd.byname $alias_maps
#local_recipient_maps = proxy:unix:passwd.byname $alias_maps
#local_recipient_maps =
# The unknown_local_recipient_reject_code specifies the SMTP server
# response code when a recipient domain matches $mydestination or
# ${proxy,inet}_interfaces, while $local_recipient_maps is non-empty
# and the recipient address or address local-part is not found.
# The default setting is 550 (reject mail) but it is safer to start
# with 450 (try again later) until you are certain that your
# local_recipient_maps settings are OK.
unknown_local_recipient_reject_code = 550
# TRUST AND RELAY CONTROL
# The mynetworks parameter specifies the list of "trusted" SMTP
# clients that have more privileges than "strangers".
# In particular, "trusted" SMTP clients are allowed to relay mail
# through Postfix. See the smtpd_recipient_restrictions parameter
# in postconf(5).
# You can specify the list of "trusted" network addresses by hand
# or you can let Postfix do it for you (which is the default).
# By default (mynetworks_style = subnet), Postfix "trusts" SMTP
# clients in the same IP subnetworks as the local machine.
# On Linux, this does works correctly only with interfaces specified
# with the "ifconfig" command.
# Specify "mynetworks_style = class" when Postfix should "trust" SMTP
# clients in the same IP class A/B/C networks as the local machine.
# Don't do this with a dialup site - it would cause Postfix to "trust"
# your entire provider's network. Instead, specify an explicit
# mynetworks list by hand, as described below.
# Specify "mynetworks_style = host" when Postfix should "trust"
# only the local machine.
#mynetworks_style = class
#mynetworks_style = subnet
#mynetworks_style = host
# Alternatively, you can specify the mynetworks list by hand, in
# which case Postfix ignores the mynetworks_style setting.
# Specify an explicit list of network/netmask patterns, where the
# mask specifies the number of bits in the network part of a host
# address.
# You can also specify the absolute pathname of a pattern file instead
# of listing the patterns here. Specify type:table for table-based lookups
# (the value on the table right-hand side is not used).
#mynetworks = 168.100.189.0/28, 127.0.0.0/8
#mynetworks = $config_directory/mynetworks
#mynetworks = hash:/etc/postfix/network_table
# The relay_domains parameter restricts what destinations this system will
# relay mail to. See the smtpd_recipient_restrictions description in
# postconf(5) for detailed information.
# By default, Postfix relays mail
# - from "trusted" clients (IP address matches $mynetworks) to any destination,
# - from "untrusted" clients to destinations that match $relay_domains or
#   subdomains thereof, except addresses with sender-specified routing.
# The default relay_domains value is $mydestination.
# In addition to the above, the Postfix SMTP server by default accepts mail
# that Postfix is final destination for:
# - destinations that match $inet_interfaces or $proxy_interfaces,
# - destinations that match $mydestination
# - destinations that match $virtual_alias_domains,
# - destinations that match $virtual_mailbox_domains.
# These destinations do not need to be listed in $relay_domains.
# Specify a list of hosts or domains, /file/name patterns or type:name
# lookup tables, separated by commas and/or whitespace. Continue
# long lines by starting the next line with whitespace. A file name
# is replaced by its contents; a type:name table is matched when a
# (parent) domain appears as lookup key.
# NOTE: Postfix will not automatically forward mail for domains that
# list this system as their primary or backup MX host. See the
# permit_mx_backup restriction description in postconf(5).
#relay_domains = $mydestination
# INTERNET OR INTRANET
# The relayhost parameter specifies the default host to send mail to
# when no entry is matched in the optional transport(5) table. When
# no relayhost is given, mail is routed directly to the destination.
# On an intranet, specify the organizational domain name. If your
# internal DNS uses no MX records, specify the name of the intranet
# gateway host instead.
# In the case of SMTP, specify a domain, host, host:port, [host]:port,
# [address] or [address]:port; the form [host] turns off MX lookups.
# If you're connected via UUCP, see also the default_transport parameter.
#relayhost = $mydomain
#relayhost = [gateway.my.domain]
#relayhost = [mailserver.isp.tld]
#relayhost = uucphost
#relayhost = [an.ip.add.ress]
# REJECTING UNKNOWN RELAY USERS
# The relay_recipient_maps parameter specifies optional lookup tables
# with all addresses in the domains that match $relay_domains.
# If this parameter is defined, then the SMTP server will reject
# mail for unknown relay users. This feature is off by default.
# The right-hand side of the lookup tables is conveniently ignored.
# In the left-hand side, specify an @domain.tld wild-card, or specify
# a [email protected] address.
#relay_recipient_maps = hash:/etc/postfix/relay_recipients
# INPUT RATE CONTROL
# The in_flow_delay configuration parameter implements mail input
# flow control. This feature is turned on by default, although it
# still needs further development (it's disabled on SCO UNIX due
# to an SCO bug).
# A Postfix process will pause for $in_flow_delay seconds before
# accepting a new message, when the message arrival rate exceeds the
# message delivery rate. With the default 100 SMTP server process
# limit, this limits the mail inflow to 100 messages a second more
# than the number of messages delivered per second.
# Specify 0 to disable the feature. Valid delays are 0..10.
#in_flow_delay = 1s
# ADDRESS REWRITING
# The ADDRESS_REWRITING_README document gives information about
# address masquerading or other forms of address rewriting including
# username->Firstname.Lastname mapping.
# ADDRESS REDIRECTION (VIRTUAL DOMAIN)
# The VIRTUAL_README document gives information about the many forms
# of domain hosting that Postfix supports.
# "USER HAS MOVED" BOUNCE MESSAGES
# See the discussion in the ADDRESS_REWRITING_README document.
# TRANSPORT MAP
# See the discussion in the ADDRESS_REWRITING_README document.
# ALIAS DATABASE
# The alias_maps parameter specifies the list of alias databases used
# by the local delivery agent. The default list is system dependent.
# On systems with NIS, the default is to search the local alias
# database, then the NIS alias database. See aliases(5) for syntax
# details.
# If you change the alias database, run "postalias /etc/aliases" (or
# wherever your system stores the mail alias file), or simply run
# "newaliases" to build the necessary DBM or DB file.
# It will take a minute or so before changes become visible. Use
# "postfix reload" to eliminate the delay.
#alias_maps = dbm:/etc/aliases
#alias_maps = hash:/etc/aliases
#alias_maps = hash:/etc/aliases, nis:mail.aliases
#alias_maps = netinfo:/aliases
# The alias_database parameter specifies the alias database(s) that
# are built with "newaliases" or "sendmail -bi". This is a separate
# configuration parameter, because alias_maps (see above) may specify
# tables that are not necessarily all under control by Postfix.
#alias_database = dbm:/etc/aliases
#alias_database = dbm:/etc/mail/aliases
#alias_database = hash:/etc/aliases
#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases
# ADDRESS EXTENSIONS (e.g., user+foo)
# The recipient_delimiter parameter specifies the separator between
# user names and address extensions (user+foo). See canonical(5),
# local(8), relocated(5) and virtual(5) for the effects this has on
# aliases, canonical, virtual, relocated and .forward file lookups.
# Basically, the software tries user+foo and .forward+foo before
# trying user and .forward.
#recipient_delimiter = +
# DELIVERY TO MAILBOX
# The home_mailbox parameter specifies the optional pathname of a
# mailbox file relative to a user's home directory. The default
# mailbox file is /var/spool/mail/user or /var/mail/user. Specify
# "Maildir/" for qmail-style delivery (the / is required).
#home_mailbox = Mailbox
#home_mailbox = Maildir/
# The mail_spool_directory parameter specifies the directory where
# UNIX-style mailboxes are kept. The default setting depends on the
# system type.
#mail_spool_directory = /var/mail
#mail_spool_directory = /var/spool/mail
# The mailbox_command parameter specifies the optional external
# command to use instead of mailbox delivery. The command is run as
# the recipient with proper HOME, SHELL and LOGNAME environment settings.
# Exception: delivery for root is done as $default_user.
# Other environment variables of interest: USER (recipient username),
# EXTENSION (address extension), DOMAIN (domain part of address),
# and LOCAL (the address localpart).
# Unlike other Postfix configuration parameters, the mailbox_command
# parameter is not subjected to $parameter substitutions. This is to
# make it easier to specify shell syntax (see example below).
# Avoid shell meta characters because they will force Postfix to run
# an expensive shell process. Procmail alone is expensive enough.
# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN
# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER.
#mailbox_command = /some/where/procmail
#mailbox_command = /some/where/procmail -a "$EXTENSION"
# The mailbox_transport specifies the optional transport in master.cf
# to use after processing aliases and .forward files. This parameter
# has precedence over the mailbox_command, fallback_transport and
# luser_relay parameters.
# Specify a string of the form transport:nexthop, where transport is
# the name of a mail delivery transport defined in master.cf. The
# :nexthop part is optional. For more details see the sample transport
# configuration file.
# NOTE: if you use this feature for accounts not in the UNIX password
# file, then you must update the "local_recipient_maps" setting in
# the main.cf file, otherwise the SMTP server will reject mail for
# non-UNIX accounts with "User unknown in local recipient table".
#mailbox_transport = lmtp:unix:/file/name
#mailbox_transport = cyrus
# The fallback_transport specifies the optional transport in master.cf
# to use for recipients that are not found in the UNIX passwd database.
# This parameter has precedence over the luser_relay parameter.
# Specify a string of the form transport:nexthop, where transport is
# the name of a mail delivery transport defined in master.cf. The
# :nexthop part is optional. For more details see the sample transport
# configuration file.
# NOTE: if you use this feature for accounts not in the UNIX password
# file, then you must update the "local_recipient_maps" setting in
# the main.cf file, otherwise the SMTP server will reject mail for
# non-UNIX accounts with "User unknown in local recipient table".
#fallback_transport = lmtp:unix:/file/name
#fallback_transport = cyrus
#fallback_transport =
# The luser_relay parameter specifies an optional destination address
# for unknown recipients. By default, mail for unknown@$mydestination,
# unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned
# as undeliverable.
# The following expansions are done on luser_relay: $user (recipient
# username), $shell (recipient shell), $home (recipient home directory),
# $recipient (full recipient address), $extension (recipient address
# extension), $domain (recipient domain), $local (entire recipient
# localpart), $recipient_delimiter. Specify ${name?value} or
# ${name:value} to expand value only when $name does (does not) exist.
# luser_relay works only for the default Postfix local delivery agent.
# NOTE: if you use this feature for accounts not in the UNIX password
# file, then you must specify "local_recipient_maps =" (i.e. empty) in
# the main.cf file, otherwise the SMTP server will reject mail for
# non-UNIX accounts with "User unknown in local recipient table".
#luser_relay = [email protected]
#luser_relay = [email protected]
#luser_relay = admin+$local
# JUNK MAIL CONTROLS
# The controls listed here are only a very small subset. The file
# SMTPD_ACCESS_README provides an overview.
# The header_checks parameter specifies an optional table with patterns
# that each logical message header is matched against, including
# headers that span multiple physical lines.
# By default, these patterns also apply to MIME headers and to the
# headers of attached messages. With older Postfix versions, MIME and
# attached message headers were treated as body text.
# For details, see "man header_checks".
#header_checks = regexp:/etc/postfix/header_checks
# FAST ETRN SERVICE
# Postfix maintains per-destination logfiles with information about
# deferred mail, so that mail can be flushed quickly with the SMTP
# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld".
# See the ETRN_README document for a detailed description.
# The fast_flush_domains parameter controls what destinations are
# eligible for this service. By default, they are all domains that
# this server is willing to relay mail to.
#fast_flush_domains = $relay_domains
# SHOW SOFTWARE VERSION OR NOT
# The smtpd_banner parameter specifies the text that follows the 220
# code in the SMTP server's greeting banner. Some people like to see
# the mail version advertised. By default, Postfix shows no version.
# You MUST specify $myhostname at the start of the text. That is an
# RFC requirement. Postfix itself does not care.
#smtpd_banner = $myhostname ESMTP $mail_name
#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
# PARALLEL DELIVERY TO THE SAME DESTINATION
# How many parallel deliveries to the same user or domain? With local
# delivery, it does not make sense to do massively parallel delivery
# to the same user, because mailbox updates must happen sequentially,
# and expensive pipelines in .forward files can cause disasters when
# too many are run at the same time. With SMTP deliveries, 10
# simultaneous connections to the same domain could be sufficient to
# raise eyebrows.
# Each message delivery transport has its XXX_destination_concurrency_limit
# parameter. The default is $default_destination_concurrency_limit for
# most delivery transports. For the local delivery agent the default is 2.
#local_destination_concurrency_limit = 2
#default_destination_concurrency_limit = 20
# DEBUGGING CONTROL
# The debug_peer_level parameter specifies the increment in verbose
# logging level when an SMTP client or server host name or address
# matches a pattern in the debug_peer_list parameter.
debug_peer_level = 2
# The debug_peer_list parameter specifies an optional list of domain
# or network patterns, /file/name patterns or type:name tables. When
# an SMTP client or server host name or address matches a pattern,
# increase the verbose logging level by the amount specified in the
# debug_peer_level parameter.
#debug_peer_list = 127.0.0.1
#debug_peer_list = some.domain
# The debugger_command specifies the external command that is executed
# when a Postfix daemon program is run with the -D option.
# Use "command .. & sleep 5" so that the debugger can attach before
# the process marches on. If you use an X-based debugger, be sure to
# set up your XAUTHORITY environment variable before starting Postfix.
debugger_command =
           PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
           xxgdb $daemon_directory/$process_name $process_id & sleep 5
# If you can't use X, use this to capture the call stack when a
# daemon crashes. The result is in a file in the configuration
# directory, and is named after the process name and the process ID.
# debugger_command =
#          PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont;
#          echo where) | gdb $daemon_directory/$process_name $process_id 2>&1
#          >$config_directory/$process_name.$process_id.log & sleep 5
# Another possibility is to run gdb under a detached screen session.
# To attach to the screen sesssion, su root and run "screen -r
# <id_string>" where <id_string> uniquely matches one of the detached
# sessions (from "screen -list").
# debugger_command =
#          PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen
#          -dmS $process_name gdb $daemon_directory/$process_name
#          $process_id & sleep 1
# INSTALL-TIME CONFIGURATION INFORMATION
# The following parameters are used when installing a new Postfix version.
# sendmail_path: The full pathname of the Postfix sendmail command.
# This is the Sendmail-compatible mail posting interface.
sendmail_path = /usr/sbin/sendmail
# newaliases_path: The full pathname of the Postfix newaliases command.
# This is the Sendmail-compatible command to build alias databases.
newaliases_path = /usr/bin/newaliases
# mailq_path: The full pathname of the Postfix mailq command. This
# is the Sendmail-compatible mail queue listing command.
mailq_path = /usr/bin/mailq
# setgid_group: The group for mail submission and queue management
# commands. This must be a group name with a numerical group ID that
# is not shared with other accounts, not even with the Postfix account.
setgid_group = _postdrop
# html_directory: The location of the Postfix HTML documentation.
html_directory = /usr/share/doc/postfix/html
# manpage_directory: The location of the Postfix on-line manual pages.
manpage_directory = /usr/share/man
# sample_directory: The location of the Postfix sample configuration files.
# This parameter is obsolete as of Postfix 2.1.
sample_directory = /usr/share/doc/postfix/examples
# readme_directory: The location of the Postfix README files.
readme_directory = /usr/share/doc/postfix
#======================================================================
# dovecot
dovecot_destination_recipient_limit = 1
# default mailbox size limit set to no limit
mailbox_size_limit = 0
# List of ciphers or cipher types to exclude from the SMTP server cipher
# list at all TLS security levels.
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
# Protect SSL/TLS encryption keys
tls_random_source = dev:/dev/urandom
# (APPLE) Credentials for using URLAUTH with IMAP servers.
imap_submit_cred_file = /Library/Server/Mail/Config/postfix/submit.cred
# (APPLE) The SACL cache caches the results of Mail Service ACL lookups.
# Tune these to make the cache more responsive to changes in the SACL.
# The cache is only in memory, so bouncing the sacl-cache service clears it.
use_sacl_cache = yes
# sacl_cache_positive_expire_time = 7d
# sacl_cache_negative_expire_time = 1d
# sacl_cache_disabled_expire_time = 1m
#======================================================================
mydomain_fallback = localhost
message_size_limit = 104857600
biff = no
mynetworks = 127.0.0.0/8,www.yourvirtaldomain.com
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated reject_rbl_client zen.spamhaus.org permit
recipient_delimiter = +
smtpd_tls_ciphers = medium
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
recipient_canonical_maps = hash:/etc/postfix/system_user_maps
smtpd_use_pw_server = yes
smtpd_sasl_auth_enable = yes
content_filter = smtp-amavis:[127.0.0.1]:10024
inet_interfaces = loopback-only
smtpd_helo_required = yes
smtpd_pw_server_security_options = cram-md5,gssapi
header_checks = pcre:/etc/postfix/custom_header_checks
smtpd_tls_CAfile = /etc/certificates/computer.yourdomain.com.D800DD955D66179EEA4321DAA0617A19FFCD1 5C1.chain.pem
smtpd_helo_restrictions = reject_invalid_helo_hostname reject_non_fqdn_helo_hostname
relayhost =
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination check_policy_service unix:private/policy permit
smtpd_enforce_tls = no
smtpd_use_tls = yes
enable_server_options = yes
smtpd_tls_key_file = /etc/certificates/computer.yourdomain.com.D800DD955D66179EEA4321DAA0617A19FFCD1 5C1.key.pem
smtpd_tls_cert_file = /etc/certificates/computer.yourdomain.com.D800DD955D66179EEA4321DAA0617A19FFCD1 5C1.cert.pem
mydomain = yourdomain.com
virtual_alias_maps = $virtual_maps hash:/etc/postfix/virtual_users
virus_db_update_enabled = 1
mailbox_transport = dovecot
postscreen_dnsbl_sites = zen.spamhaus.org*2
maps_rbl_domains =
virtual_alias_domains = $virtual_alias_maps hash:/etc/postfix/virtual_domains
config_directory = /Library/Server/Mail/Config/postfix

Many Lion Server Problems

I think I have run into most of the Lion Server issues mentioned so far and perhaps a few self inflicted new ones.
1) Upgrade from Snow Leopard worked except the migration failed. Naturally I did not have a backup of the server configuration.
2) Manual configuration has many problems related to the machine name. I was using a linux box for DNS and a private LAN DNS name space. My router is configured to forward many services to my OSX Server box. Somehow I could not configure Lion Mail to operate. The machine name, Internet name, local internet name, etc. are very confusing and different things happen depending upon using Server or Server Admin. In Snow Leopard I could use a command line utility to set the return mail address to my MX record but under Lion I had to eliminate the private LAN name space, configure Lion to be the DNS before I could get e-mail to operate correctly from both IMAP and WEB mail.
3) Once you attempt to use Open Directory the only way to correct a failed configuration is to re-install from scratch.
4) If LDAP and the Password process fail to launch then they ping on/off every 10 seconds forever. Only a re-install from scratch is the fix. When this happens it appears that the permissions on the boot drive are hopelessly broken. I do not mess with the permissions but now I am pondering a nightly permissions repair script.
5) Using self signed certificates seems to cause many problems. If I use them for the mail server everything is OK. If I use them for Open Directory I cannot seem to get the other systems to connect.
6) Under Snow Leopard I could see all users and their pictures on the remote Mac's. I can't find this on Lion.
7) Open Directory quit after a week of operation requiring a clean install from my backup. I turned off Reserve Server Resources. I hope this helps.
8) Timeouts on Lion seem to be infinite. Once one application falls into a timeout you eventually must power cycle the whole machine.
9) The first time a user users mail I have to force kill it and restart before it performs the initial configuration. This has happened 3 times so far.
10) Manually editing user permissions from Finder within the Admin account (i.e. correcting my old user directories to match my new user ID's) is an exercise in futility. Using the command line seems to be the only reliable way.
11) I still cannot get profiles to work but I am afraid to try because the server seems to fragile.
12) Carbon Copy Cloner is a required tool with Lion. As soon as you have something working, make a fresh backup so you do not have to redownload everything. I now make a nightly backup of the boot drive with CCC and cron.
13) Some settings only take affect on a reboot, when you are making/testing changes this causes an interesting phase delay between making a change and observing an effect.
My system is a Mac Mini with 8GB and 24TB of RAID storage on Firewire.
It hosts home directories, e-mail, wiki's, etc for my wife & kids. All data is on the Mini so the other macs at home are bare except for OS and Apps.
This upgrade has caused more trouble than all other system upgrades I have ever done. It is making me think seriously about making another stab at LDAP/OD on Linux for my home server.

You might want to take a look at the much more functional AirPort Utility 5.6 for Mac OS X Lion on a "test" Mac to see if that works better for you. Oddly, 5.6 was released on the same day as AirPort Utility 6.0.
You can keep both 5.6 and 6.0 on a Mac (You cannot delete 6.0).

A stable, fast reliable VNC connection to Lion or Lion server

I hope this post help people with VNC setup from non Mac machines to a Mac running Lion or Lion Server 10.7.4.
Apple has changed quite a few things in Lion regrading VNC and screen sharing. As a consequence many VNC viewers are no longer compatible until the VNC software is upgraded to be Lion compatible. You will find many posts about this topic in this forum, eg
https://discussions.apple.com/thread/3289794?start=0&tstart=0
Often, the result is that the user can't proceed beyond the gray login screen (screen locks up etc).
This post describes how configure Real VNCs VNC server on Lion Server 10.7.4 to work in conjunction! with ARD, thus allowing you to keep screen sharing enabled and still use ARD from client if that is desired)
Download the VNC server at (Version 5! necessary)
http://www.realvnc.com/download/vnc/latest/
and install the VNC server on the host (the computer you want to login to via VNC)
Single User Host setup
==================
- Install the VNC server and follow the intsruction
(If you your Mac is configured for remote management, screen sharing, remote apple events the installation may complete with error stating to contact the manufacturer....ignore the error as it most likely caused by a port conflict because VNC server and ARD (or apple scrren sgaring both use port 5900 per default), the software was still completely and correctly installed.
- start VNC Server by opening Finder -> Applications -> Real VNC -> VNC Server (User Mode)
You will see a small VNC icon in the top tsak bar of the screen.
(if you open the "information Center" the issues tab will show a port 5900 conflict)
- open VNCserver Options and select the connections tab:
+Change the default port from 5900 to 5901 and serve Java viewer on Port from 5800 to 5801
+ Change Authetication to "Mac password"
+ Select Encryption "always on"
- Selct the expert tab
+scroll down to the bottom of the list and change "StopUserModeOnSwitchOut" to "no"
(this settings prevents the VNC server to be stopped automatically if you have Fast Switching User Mode enabled on the host.)
- select "Apply"
(now if you open the Information Center" again, the port conflict problem should be solved.
- select "open" from the VNC server menu:
If the configuration was succesful, thw window will show a check mark in a green box stating everything is ok.
- In addition you will find the address that the client user will need to connect to the VNC server on the host
it will say something like "VNC viewer user can connect using the address 192.168.x.y:1"
Note: If you start several VNC servers, each session will need a dedicated port (like 5902, 5903 etc)
Router/Firewall Settings:
===================
Depending on the router/firewall you use your ports may have been automatically configured for you (airPort extreme for example).
You need to open port 5901 and 5801 and forward these ports to the IP address of the host. If ARD was alredy working in your setup, you can copy the port coniguration for ports 5900, 3283 and 3306 that are used by ARD and implement the same rules for the new port used by VNC 5901.
Review the settings of your firewall/router.
VNC client
========
- download the VNC client for your OS from
http://www.realvnc.com/download/viewer/
and follow the install instructions.
- Start the VNC client on your client PC (Windows for example) and enter the address that the VNC server reported to you earlier (192.168.x.y:1)
- Encryption : "Let VNC Server choose"
- select "connect"
- enter your Mac username and password that was setup on your host
you are now connected via VNC to your host.
You can also configure the VNC server to allow other users to login to the same! VNC session using their user credentials (friends/family or serverAdmins that want to share access to the host)
To do this open the options dialog box on the VNC server host computer and select "configure" next to authentication.
- add the users that are supposed to get access to your VNC session using their own credentials. (make sure this is what you really want, otherwise read on in the multi user section of this post)
Multi User Host Setup
=================
If multiple users are supposed to access the host computer using their own credentials logging into their own! desktop, follow these instructions:
- first enable Fast User Switching on your host computer by going to
System preferences -> User/Groups -> Login Options and select the check box "show fast user switching menu as..."
- For each user on the host that should be reached via a VNC session start VNC server (user) as described before and assign a new port number to the new user like 5902 etc.
- repeat the configuration outlined above for each user (eg. "StopUserModeOnSwitchOut" to "no")
(note initilally when you start the VNC server for the first time again, you will get notified that a port conflict exists again....this disappears as soon as the new port is configured)
now another user can login via VNC into his own desktop using the server address : "191.168..x.y.:2"
Final notes:
=========
I spent hours trying to get a variety of VNC viewers to work with the new screen sharing/VNC implementation in Lion and finally gave up. I called Apple Enterprise support and they confirmed that "a majority of the existing VNC products are not compatible with the new VNC implementation in Lion yet and that Apple recommends ARD". The discussion on what other non Mac users (Windows, Linux) should do did not go anywhere....
I have tested the above configuration with the free version VNC server 5 on the host and the free version VNC viewer 5 on a client. It worked flawlessly, fast, reproducable and very stable. You need to be aware that depending on the features you want (number of desktops, users etc) that you may have to purchase the personal or enterprise edition for the server.
The featurs are described here:
http://www.realvnc.com/products/vnc/
I personally installed the enterprise edition after I verified that the free editions worked stable and reliably as I needed them to work.
I hope you now have a stable VNC link into your Lion host from the platform of your choice !

I'm using the free VNC edition from RealVNC on Mt. Lion (10.8.5) and the basic information is in this article for Lion is confirmed for the VNC Server 5.0.6 (r113416) on Mt. Lion.
The main Options... window shows the Connections tab and I just changed my port to something other than 5900 and the port conflict went away.
The Free edition does not allow Mac password and encryption can't be enabled. (Ya gotta pay for that.)
Connected to it from my iPod Touch using Mocha VNC with no problems.

Lion Server issues

I recently set up a Lion Server to test it out as a home server but I seem to be running into a lot of issues. All computers are running OS X 10.7.2
What I'm attempting to accomplish:
I'm attempting to create a network test user with a remote home folder (on the server) and log in to that test users account from my macbook pro. I would like that account to use mobile sync to copy over documents and pictures whenever the user logs on and off. I would also like to be able to VPN into my server while out and about to screen share & share files. This test user is simply for testing purposes as of now, once I get it all working I want to set this same config up for my current local users.
What I've done:
I've configured the server to manage domain accounts, and given my server a static IP of 192.168.1.105. I configured it's hostname as a Internet hostname and registered that hostname with Dyndns.com pointing to my External IP address. I also set up my Linksys router with the DynDNS information so that it updates my Dyndns account with my external IP, and port forwarded every VPN port on Apple's list of ports. Server admin tools have been installed, DNS is turned on, and its configured as an Open Directory Master. My macbook pro's dns settings are configured so that it sends everything through the server, and the server is set up to forward all inquries out of my router that it isnt authoritative for. The MBP is bound to the Open Directory and is allowing network accounts to log in. I set up a shared folder on the server that can be used as a home folder.
Issues I've run into:
My network account (Test user) cant log in on my MBP unless it creates a local home folder, which I dont want it to do (i want it to use the shared folder i set up on the server). When I attempt to log in I either get an error, or it shakes, not allowing it to log in. I cannot get the VPN to work, but I'm not too worried about it at this point, I'd rather get the users up and running first. I've spent a ton of time attempting to figure this out and its getting very frustrating. I followed the setup guide provided by wegotserved.com and anandtech.com. If anyone has any suggestions, or see's something I'm doing wrong I appreciate any input.

Yeah, I can log into the server using the OD account I created called test user just fine, I just cant get on my wireless client (macbook pro) with the OD test user account.

Configuring postfix on Mountain Lion Server

I'm trying to upgrade from Snow Leopard Server to Mountain Lion Server and did an install of Mountain Lion Server on top of a working instance of Snow Leopard Server. The "crippled" GUI on Mountain Lion Server is forcing me into using terminal to configure Postfix to handle incoming email.
I would like to configure Postfix to only accept email that is forwarded from a gmail business account. The public email address is [email protected] which is received by Google Mail, goes through their spam filters and then is auto-forwarded to [email protected]
The server WAN domain is nonpublic.com The ip address is 96.231.165.126
The server LAN is nonpublic.local The ip address is 10.6.18.201
The server is a MacMini running Mountain Lion Server 10.6.8 hostname server so the FQDN is server.public.com.
The network on the MacMini is configured to handle both LAN and WAN traffic through the 1GB physical ethernet port which plugs into a CISCO 3750 switch. The external traffic to the WAN flows through the switch as tagged packets. The LAN traffic is not tagged. The VLAN connection is running 802.1q
When an email is sent through the WAN to [email protected] the Postfix SMTP log shows:
Jun 7 19:29:22 server.public.com postfix/smtpd[42181]: connect from cisco.public.com[96.231.165.123]
Jun 7 19:29:22 server.public.com postfix/smtpd[42181]: disconnect from cisco.public.com[96.231.165.123]
I can send emails from a client on the LAN through this server with no problems. The incoming mail server can connect to the machine via the Cisco router/switch but Postfix just shows "cisco" as the connection (that's the router's DNS name) and provides no more info. I suspect Postfix possibly doesn't like the 802.1q connection and drops the SMTP request to connect on port 25.
I have turned on "debug" logging in Postfix, but that is all that appears in the SMTP log file
I've spent most of the week reading through everything I can find on how to install and configure postfix on Mountain Lion Server and work around the cripled GUI in the "server" application. I'm barely OK using Terminal and not familiar at all with configuring Postfix directling editing the config file.
What is the best approach to configure Postfix to allow SMTP connections from the outside to deliver incoming email that is forwarded from gmail.com?
I did find an "aliases" file in /etc/postfix/aliases but I'm not sure how to add the aliases and if adding aliases with a text editor is going to cause the "server" app problems and if the changes will be lost when the machine is restarted.
Any help would be appreciated.

MrHoffman, thank you for your response to my challenge to get the new test server working. This is a migration from Snow Leopard Server to Mountain Lion Server.
Here is the "checkhostname" test results:
blue:~ admin$ sudo changeip -checkhostname
Password:
Primary address     = 96.231.165.211
Current HostName    = blue.pderby.com
DNS HostName        = blue.pderby.com
The names match. There is nothing to change.
dirserv:success = "success"
blue:~ admin$
Here is the response from postconf -n
blue:~ admin$ postconf -n
biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5
dovecot_destination_recipient_limit = 1
html_directory = /usr/share/doc/postfix/html
imap_submit_cred_file = /Library/Server/Mail/Config/postfix/submit.cred
inet_interfaces = loopback-only
inet_protocols = all
mail_owner = _postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 10485760
mydomain_fallback = localhost
newaliases_path = /usr/bin/newaliases
queue_directory = /Library/Server/Mail/Data/spool
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
use_sacl_cache = yes
blue:~ admin$
I agree that I should change the LAN domain from .local to something like .internal or whatever.   I've been running with .local for 5 years on snow leopard server and never had any problems so that was a low priority.
I hope I'm just not seeing some obvious setting in main.cf

Fresh Install of Mountain Lion how do I export users from Lion Server

I've been having some issues with Lion Server, mainly Kerberos related and Profile Manager. So I want to start fresh with Mountain Lion.
I've installed ML and Server, and profile manager is working now for the first time (yay!)
Now I want to Import all my existing Open Directory users from Lion, I don't want to Import the entire OD though because I think some of my kerberos issues will just get carried over to ML.
I would like to just export the Users to a file then use ML server to import users from file, but I can't see an option to export in Lion Server, I have tried doing it from WGM on Lion but the 'users' file is not recognised by ML server

Great thanks for the reply, I'll try it tonight when everyone has logged off.
Yeah I was very pleased initially with kerberos on Lion, it worked great to start with, now I'm just getting expired tickets for a default realm when some users log in, yet other users continue to work fine.
I was planning to slowly install Mountain Lion Server and test is thouroghly but I've had a bit of a disaster that if forcing me to go live with ML server quicker than I wanted to!
Basically because on Lion Server I have all the Service Data on a separate drive, and I upgraded to ML server on a backup copy of Lion Server just to see what it was like, though now I've rebooted the original Lion drive but half of the services are now screwwed up because the ML Server must have changed them, so things like Wiki Server and Profile Manager are now broken from the Lion Server boot, they just show "Error Reading Settings"
I realise now I should have moved the Service data back to the local drive before doing a test upgrade so I wouldn't have messed it up! but now it seems like my best way forward is a fresh install of ML Server

VPN to Mountain Lion Server issues

Hi,
I checked a lot of VPN threads here today, but I wasn't able to find a solution for my problem just now. I try to connect by VPN to my Mountain Lion Server, but I get an error message that the VPN server is not responding. I get this message from iPhone and Mac. The Mountain Lion Server is a new installation, no upgrade from an older server.
Some informations on my setup:
I installed the server with a hostname like myserver.mycompany.com and option 3 (internet access), as I want to use it for email at a later stage. All services are working fine (except VPN). DNS is active, but basically it only contains the adress myserver.mycompany.com and forwards everything else to our router.
I changed the DNS settings of our domain ( hosted by an ISP - so not in the local DNS ! ). I created a subdomain vpn.mycompany.com which points to the static IP of our router.
In the router I opened the UDP ports 500, 1701 and 4500, and for 1701 i made the same thing for TCP (I found this in a forum, but I think this is not necessary?), the ports are pointing to the ip of the os x server.
In OS X Server I started VPN for L2TP using the vpn.mycompany.com hostname, and a shared secret.
When I try to connect with I client from outside I try to connect using L2TP via vpn.mycompany.com using the shared secred and user-id and password. The user-id is created in OS X Mountain Lion server and is configured to use VPN service. When trying to connect I get the error message "L2TP-VPN server is not repsonding...".
In the log file of the server I see some entries for each connect:
Oct 10 20:21:45 myserver.mycompany.com racoon[13873]: Connecting.
Oct 10 20:21:45 myserver.mycompany.com racoon[13873]: IPSec Phase1 started (Initiated by peer).
Oct 10 20:21:45 myserver.mycompany.com racoon[13873]: IKE Packet: receive success. (Responder, Main-Mode message 1).
Oct 10 20:21:45 myserver.mycompany.com racoon[13873]: IKE Packet: transmit success. (Responder, Main-Mode message 2).
Oct 10 20:21:45 myserver.mycompany.com racoon[13873]: IKE Packet: receive success. (Responder, Main-Mode message 3).
Oct 10 20:21:45 myserver.mycompany.com racoon[13873]: IKE Packet: transmit success. (Responder, Main-Mode message 4).
Oct 10 20:21:48 myserver.mycompany.com racoon[13873]: IKE Packet: transmit success. (Phase1 Retransmit).
Oct 10 20:22:06 --- last message repeated 2 times ---
Oct 10 20:22:06 myserver.mycompany.com com.apple.SecurityServer[17]: Succeeded authorizing right 'system.privilege.admin' by client '/Applications/Server.app/Contents/ServerRoot/usr/libexec/ServerEventAgent' [2967] for authorization created by '/Applications/Server.app/Contents/ServerRoot/usr/libexec/ServerEventAgent' [2967] (2,0)
Oct 10 20:22:06 myserver.mycompany.com com.apple.SecurityServer[17]: Succeeded authorizing right 'system.privilege.admin' by client '/Library/PrivilegedHelperTools/com.apple.serverd' [1716] for authorization created by '/Applications/Server.app/Contents/ServerRoot/usr/libexec/ServerEventAgent' [2967] (100000,0)
Oct 10 20:22:06 myserver.mycompany.com racoon[13873]: IKE Packet: transmit success. (Phase1 Retransmit).
No more entries in log file now. Anyone any ideas what's going wrong. Might there be a problem as I use another servername outside as inside (vpn... instead of myserver...)?
Thanks!

Solved, first of all we tested to establish the VPN connection locally by adding the ip address of the server to /etc/hosts for vpn.mycompany.com. The VPN connected without problems then, so it was clear that it is a firewall/router problem, and not a server problem.
After that we studied some more documentations and found that we don't have to open port 50, but ip protocoll 50 (ESP) on the firewall. After that was done, the connection was working from the internet as well.

Lion server forward proxy

Similar Messages

Maybe you are looking for