Technology
From the Trenches

Speeding up Slow SSH Between Solaris & Mac OS X

Thursday, February 18th, 2010

For the past few years I’ve suffered this seemingly random problem when connecting to a Solaris or Mac OS X server via SSH: the connection would take forever to negotiate. It would connect, exchange keys, but then pause for up to a minute, plus or minus eternity, before proceeding with authentication. I finally took some time to figure out how to make it go away. Here’s what I did.

The problem seems to be related to forward and/or reverse DNS lookups. A large number of IP addresses given out on the networks that I connect from do not have proper name entries in the network owner’s DNS. By default, both Solaris and Mac OS X Server try to look up DNS names before proceeding with authentication. Luckily, that behavior is easy to turn off.

On Solaris

Sun’s /etc/ssh/sshd_config file can have these options for disabling the time-wasting DNS lookup behavior:


LookupClientHostnames no
VerifyReverseMapping no

On Mac OS X Server

Apple deploys OpenSSH, and its /etc/sshd_config file can include this option:

UseDNS no

Update your sshd_config files with these options, or ask your sysadmin to do it for you, and you’ll be connecting instantly.
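One check worth running before making this change, as an added example that is not part of the original post: OpenSSH's sshd_config(5) documents that with UseDNS set to no, only addresses and not host names may be used in authorized_keys from= options and in Match Host directives, so rules written with host names stop matching. The function names and the sample data below are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample inputs for illustration (not from the original post).
SAMPLE_SSHD_CONFIG = """\
UseDNS no
Match Host *.example.com
    PasswordAuthentication no
Match Address 192.0.2.0/24
    X11Forwarding no
"""
SAMPLE_AUTHORIZED_KEYS = """\
from="*.corp.example.com,192.0.2.10" ssh-ed25519 AAAAconstructed alice
from="198.51.100.0/24" ssh-ed25519 AAAAconstructed bob
"""
FROM_RE = re.compile(r'(?:^|,)from="([^"]*)"', re.IGNORECASE)
ADDR_GLOB_RE = re.compile(r"[0-9.*?]+|[0-9A-Fa-f:*?]*:[0-9A-Fa-f:*?]*")

def is_address_pattern(pattern):
    """True for an IP, a CIDR block or an address wildcard; False for a host name."""
    p = pattern.lstrip("!")  # a leading "!" negates the pattern
    try:
        ipaddress.ip_network(p, strict=False)
        return True
    except ValueError:
        return bool(ADDR_GLOB_RE.fullmatch(p))

def hostname_patterns(pattern_list):
    return [p for p in pattern_list.split(",") if p and not is_address_pattern(p)]

def audit_sshd_config(text):
    """Return (line_number, pattern) for host names in Match Host criteria.
    Match criteria are read as keyword/pattern pairs."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        if tokens and tokens[0].lower() == "match":
            for key, value in zip(tokens[1::2], tokens[2::2]):
                if key.lower() == "host":
                    findings += [(n, p) for p in hostname_patterns(value)]
    return findings

def audit_authorized_keys(text):
    """Return (line_number, pattern) for host names used in from="..." options."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.search(line)
        if m and not line.lstrip().startswith("#"):
            findings += [(n, p) for p in hostname_patterns(m.group(1))]
    return findings
```

Any pattern either function reports should be rewritten as an address or CIDR block before DNS lookups are turned off.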


Snow Leopard Server Adds User-Managed Vacation Messages

Monday, August 31st, 2009

Finally! One of the banes of running Mac OS X Server has been that there is no easy way for users to manage their own vacation messages, which creates a support request every time someone takes a day off. Until now. Mac OS X Server 10.6, “Snow Leopard Server”, includes a web-based interface for users to manage their own vacation messages.

The new feature is implemented via the wiki/blog server. Wiki Server 2 has many new features. One of them is a user-customized home page called “My Page” that displays updated wiki content that the user has access to. My Page is also where the user can enable, schedule, and edit their vacation messages.

This excerpt is from the Mail Service Administration Guide, page 61:

Vacation Notices

If you enable server-side mail rules and the Wiki Server, mail users can add vacation notices through a web interface. How a user modifies their vacation notices:

  1. Log into any wiki page they have access to.
  2. Select My Page.
  3. Select “settings.”
  4. Select Vacation Notice.
  5. To enable vacation notices, for Enabled, select On; to disable vacation notices, select Off.
  6. Click the date next to Vacation Begins and then select the date when notifications will start being sent.
  7. Click the date next to Returning On and then select the date when notifications will stop being sent.
  8. In the Email Subject field, enter the subject line of the mail that will be sent.
  9. In the Vacation Message area, enter the body of the mail that will be sent.
  10. Click Save.

This feature alone provides a big incentive for sysadmins to upgrade to Snow Leopard Server. I look forward to never using sieveshell to set user vacation messages again!


Firewall Rules for Allowing Access to Apple’s Workgroup Manager

Thursday, November 27th, 2008

Although Apple published a helpful list of TCP and UDP port numbers used by its products, it’s a little unclear as to which ones Workgroup Manager needs.

You can figure it out yourself by enabling firewall logging on your Mac OS X Server and watching as you fail to connect. Or, you can take my word for it — here are the ports that you need to allow access to:

  1. TCP 625 for “Remote Directory Access”, as mentioned on the above page.
  2. TCP 8175.

For the last port, the only option in the Server Admin firewall interface is to enable ports 8000-8999 for “Web Service, iTunes Radio streams”. If you are running other services on those ports that you want to protect, or if you’re just paranoid, you’ll want to add a custom rule for port 8175.


Setting up Sieve and Vacation Messages on Mac OS X Server

Saturday, December 1st, 2007

The documentation for setting up sieve on Mac OS X server is sparse, at best:

To enable Sieve support:
1. Add the following entry in /etc/services/:
sieve 2000/tcp #Sieve mail filtering
2. Reload the mail service.

Right. This will enable the service, but it doesn’t configure it. This short article describes how to do both.

