How To Setup A Basic Web/Email Server With OS X/macOS + Server 5.x

Article ID = 210
Article Title = How To Setup A Basic Web/Email Server With OS X/macOS + Server 5.x
Article Author(s) = Graham Needham (BH)
Article Created On = 23rd November 2017
Article Last Updated = 28th November 2017
Article URL = http://www.macstrategy.com/article.php?210

Article Brief Description:
How to setup and configure a basic internet/web/email server using OS X / macOS and Server 5.x

How To Setup A Basic Web/Email Server With OS X / macOS + Server 5.x

Go through each of the following sections in order:

Computer

Any Mac that can run OS X 10.10 Yosemite or later will do but we highly recommend the Mac mini - it is best to make sure the mini has:
  • The fastest processor you can afford - if you can get the older Mac mini (2010) with the quad core processor that is ideal
  • 16GB of RAM/memory - if you have an older Mac mini you may be able to upgrade it to 16GB
  • Solid State Drive (SSD) / Flash Storage - it is not recommended to run this kind of server from a Mac mini with a spinning hard disk, especially the slow 5400rpm versions
As of writing this article (23rd November 2017) you can get the following Mac mini for £1309 / €1609 / US$1399:
  • 3.0GHz Dual-Core Intel Core i7 (Turbo Boost up to 3.5GHz)
  • 16GB 1600MHz LPDDR3 SDRAM
  • 256GB PCIe-based Flash Storage

OS X / macOS + Server

If your computer did not come with OS X 10.10 Yosemite or later / Server 4.x or later you will need to obtain the software:
NOTE: This article is written specifically for OS X 10.11 El Capitan and macOS 10.12 Sierra. Due to major changes in macOS 10.13 High Sierra / Server 5.4, parts of this article do not apply/are not correct. We plan to write an article specifically dealing with setting up macOS 10.13 High Sierra / Server 5.4.
SECURITY NOTE: Only the most recent versions of OS X / macOS are still supported with security updates. As a server is often open to the real world it is best to be running a supported OS:
Q. What are the current, supported versions of macOS / OS X?
A. macOS 10.13 (High Sierra), macOS 10.12 (Sierra) and OS X 10.11 (El Capitan) are supported by Apple.

Business Internet Connection (static IP + ability to serve web sites/email)

You need to host your server on an internet connection that allows for running a server - this is usually a business type service and not a "home broadband package" as the latter will block server protocols/ports and may not allow the running of a server as per the "Terms And Conditions" of the service. A (business) internet connection usually consists of the following specific things:
  1. Real world, internet based static IP address (see our Basic Networking 101 article)
  2. A (business) internet connection that allows you to run a server - the service's "Terms And Conditions" specifically allow for running a server and no server ports/protocols are blocked
  3. A decent, guaranteed upload speed (which will be the speed people see when they access your server - not the download speed)
  4. A guaranteed uptime and either a proper, defined unlimited data service or a very high data cap based on the data that your server is likely to serve over the connection, over time
If you can't get a static IP you could consider using a dynamic IP address service but a real world, static IP address is so much better for running a server:
UK business internet connections
If you can't get a business internet connection you could consider colocating your server (UK providers):
USA providers:

Domain Name(s)

You will need at least one domain name e.g. your_domain_name.co.uk - you can purchase this from many domain providers. Recommended domain providers:
Once you have a domain name, for each domain you need to configure the domain's DNS service to route the domain to your server:
  • An "A" name record for 'your_domain_name.co.uk' should point to your static IP
  • If you are hosting a web site on that domain you should also create a "CNAME" record for 'www.your_domain_name.co.uk' that points to 'your_domain_name.co.uk'
  • If you are hosting email on that domain you should also create a "Mail Exchange" (MX) record that points to your static IP

Additional Hardware

If you need to rack mount your Mac there are several options.
You should also consider an external hard disk for backing up your server:
  • External portable hard disks (small)
    • G-Tech G-Drive mobile 5400rpm USB 3 + FireWire 800
      • 500GB (model number = GDMOCEA5001ADB | part code = 0G02384)
      • 750GB (model number = GDMOCEA7501ADB | part code = 0G02388)
      • 1TB (model number = GDMOCEA10001ADB | part code = 0G02392)
    • G-Tech G-Drive mini 7200rpm USB 3 + FireWire 800
      • 500GB (model number = GDRMU3EA5001BDB | part code = 0G02569)
      • 750GB (model number = GDRMU3EA7501BDB | part code = 0G02573)
      • 1TB (model number = GDRMU3EA10001BDB | part code = 0G02577)
    • LaCie Rugged Triple USB 3 + FireWire 800
    • NOTE: We do not recommend the LaCie Rugged Triple 1.5TB or 2TB models as they use two hard disks in RAID 0 mode which is catastrophic for your data if either drive fails.
      • 500GB 5400rpm (part code = 301982)
      • 500GB 7200rpm (part code = 301983)
      • 1TB 5400rpm (part code = 301984)
  • External desktop hard disks (full size)
  • NOTE: Special information on using drives that are larger than 2TB.
NOTE: If you are going to use Time Machine for backups it is highly recommended to use encrypted Time Machine backups as it is usual for servers to be left unattended and so the risk of the backup drive being stolen is likely to increase.

Server Configuration

Initial Setup

  1. If you do not have OS X 10.10 / OS X 10.11 / macOS 10.12 download and install it:
  2. Especially if the Mac is not a brand new purchase, we highly recommend erase installing OS X / macOS to start with a perfectly clean installation/setup
  3. Go through the OS X / macOS setup using a strong password for the primary admin user
  4. SECURITY NOTE: Don't set up the primary admin user with the name "admin" or a person's name as these will be too easy to guess, phish or obtain from publicly available company details!
  5. Update OS X / macOS:
  6. Download, install or purchase OS X / macOS Server:

Initial Configuration

  1. Configure Apple menu > System Preferences > Network:
    • Wi-Fi > switch off
    • Keep ethernet, Wi-Fi and FireWire/ThunderBolt - remove all others ("-" button in bottom left)
    • Set service order (cog icon > Set Service Order > drag "Ethernet" to the top of the list)
    • TCP/IP > set static IP address + DNS servers
  2. Configure Apple menu > System Preferences > Sharing:
    • TICK "Remote Sharing"
    • Change computer name to something appropriate e.g. "Internet Server"
    • Under 'Allow access for:' set to "Only these users" and add the primary admin user you created on initial setup
    • TICK all items for admin user "can access this computer to:"
  3. Configure Finder preferences (in the Finder click on the Desktop and go to Finder menu > Preferences)
    • General - TICK all "Show these items on the desktop" and set 'New Finder windows show' "Applications" folder
    • Sidebar - set as required but recommended to:
      • UNTICK "All My Files"
      • UNTICK "iCloud Drive"
      • UNTICK "AirDrop"
      • UNTICK "Back to My Mac"
      • UNTICK "Bonjour computers"
      • TICK all items listed under "Devices"
  4. Set the Dock up as required e.g. remove non-server application icons
  5. Configure Apple menu > System Preferences:
    • General:
      • Set scroll bars as required
      • TICK "Ask to keep changes when closing documents"
      • TICK "Close windows when quitting an application"
      • (if present) UNTICK "Allow Handoff between this Mac and your iCloud devices"
    • Screen Saver - set 'Start After' as required e.g. "5 Minutes"
    • Security & Privacy:
      • General tab > set Require password "immediately" after sleep or screen saver begins
      • General tab > set 'Allow apps downloaded from' to "App Store and identified developers"
      • FileVault tab > turn FileVault on if you want to encrypt the internal boot drive
      • NOTE: If you FileVault encrypt the internal boot drive, manually rebooting the Mac requires a physical presence at the Mac - you cannot control it remotely to startup and login - so if the Mac is colocated, not easily accessible or headless/no monitor you may want to consider not encrypting the internal boot drive!
      • Firewall tab > turn ON the Firewall
    • (if present) CDs & DVDs - set all to ignore
    • Energy Saver:
      • Set 'Computer sleep' to "Never"
      • Set 'Display sleep' as required e.g. "30 minutes"
      • UNTICK "Put hard disks to sleep when possible"
      • (if present) UNTICK "Allow power button to put the computer to sleep"
      • TICK "Wake for network access"
      • TICK "Start up automatically after a power failure"
      • (if present) UNTICK "Enable Power Nap"
    • App Store
      • TICK "Automatically check for Updates"
      • UNTICK "Download newly available updates in the background"
      • UNTICK "Install app updates"
      • (if present) UNTICK "Install OS X / macOS updates"
      • TICK "Install system data files and security updates"
    • Bluetooth - UNTICK "On" and untick "Show Bluetooth in menu bar"
      • If using Mac headless/no monitor click "Advanced…" and UNTICK all 3 open/wake items
    • Users & Groups > Login Options
      • Set 'Automatic login' to "Off"
      • Set 'Display Login window as' as "Name and password"
      • UNTICK all other items
    • (if present) Siri - turn OFF/UNTICK "Enable Siri"
    • Date & Time
      • Date & Time - TICK "Set date and time automatically"
      • Time Zone - UNTICK "Set time zone automatically using current location" if the server is not physically located in the timezone you want the server operating in
    • Time Machine - set as required
    • Startup Disk - make sure the correct startup disk is selected/highlighted
  6. Now restart the computer and untick "Reopen windows when logging back in"

Install/Setup Additional Applications

We recommend the following:
  1. A decent text editor that is better than TextEdit e.g. BBEdit (US$49.99)
  2. A launchd (plist) editor e.g. Lingon X (US$10.99)
  3. If you are going to install and use MySQL download a SQL graphical editor e.g. Sequel Pro (donationware)
  4. Add any new applications downloaded to the Dock
  5. Go to Macintosh HD > Utilities > Activity Monitor
    • Right click on Activity Monitor's icon in the Dock and select Dock Icon > Show CPU Usage
    • Right click on Activity Monitor's icon in the Dock and select Options > Keep in Dock
    • Right click on Activity Monitor's icon in the Dock and select Options > Open at Login

Enable The Root User

  1. Go to Apple menu > System Preferences > Users & Groups
  2. Click the lock icon to unlock it and enter your administrator name and password
  3. Click "Login Options" on the left and then click "Network Account Server: Join"
  4. Click "Open Directory Utility"
  5. Click the lock icon to unlock it and enter your administrator name and password
  6. Choose Edit > Enable Root User and then enter a strong root user password
  7. Logout
  8. Login as "root" with the password you have just set
  9. "Skip" the iCloud account setup
  10. Setup root's Finder preferences and Dock as required (see the initial configuration section above)
  11. Logout unticking "Reopen windows when logging back in"

Secure Safari

Go to Safari menu > Preferences
  1. General:
    • Set 'Safari opens with:' to "A new window"
    • Set 'New windows open with:' to "Empty Page"
    • Set 'New tabs open with:' to "Empty Page"
    • Set 'Homepage' to nothing (delete whatever is there)
    • UNTICK 'Open "safe" files after downloading'
  2. Autofill > UNTICK all items/everything
  3. Security > TICK all items/everything
  4. Advanced > TICK "Show full website address"

Initial Server Configuration

  1. Go to Macintosh HD > Applications > Server
  2. Enter your host name as required e.g. your_domain_name.co.uk
  3. Apple Push Notifications > leave fields blank and click "Continue"
  4. Click Finish when setup is complete
  5. You will be presented with the server "Overview"
  6. Click on "Settings" and configure access as required
  7. You are highly recommended to turn on the OS X / macOS Server adaptive firewall
In the OS X / macOS Server application you should configure the following as required:
Alerts
Click on 'Alerts' on the left and then "Delivery" on the right:
  • Click "Edit Recipients" under "Email Recipients" and add email address(es) that you want alerts to be sent to
  • Under "Delivery Settings" we recommend turning on/TICKING:
    • Certificate
    • Disk
    • Mail
    • Network Configuration
    • Software Update
    • Time Machine
Certificates
Click on 'Certificates' on the left:
For more information about obtaining official SSL secure certificates see our article about LetsEncrypt.
Users
Click on 'Users' on the left:
  • Add users as required (+ button at the bottom). For each user:
    • Add associated "Email addresses" as required
    • If the user is not going to administer the server make sure to UNTICK "administer this server"
    • If the user is only accessing services e.g. email set 'Home Folder' to "None - Services Only"
    • Add the user to "Groups" as required
    • NOTE: If you're going to use FTP to upload files why not set up an "ftpuser" or similar for that purpose (but make sure they have a 'Home Folder' set to "Local Only" or they will not be able to use the FTP service).
  • Once a user has been created in the main user list you can select a user and click the cog button at the bottom for:
    • Edit Access to Services… - if you click "Manage Service Access" here you can set on an individual basis what services can be accessed by that user otherwise all basic services are accessible to all users by default. It is recommended to manage services manually and set the services required for each individual user as required.
    • Edit Mail Options… - you can choose whether email for that user is stored locally or forwarded to a different address. You can also set an email limit (size of individual email) here for the individual user
Groups
Click on 'Groups' on the left:
  • Add groups as required - this is useful for setting group email addresses e.g. an email going to messages@your_domain_name.co.uk will be received by all the users in that group:
    • To create an email group, add a group, then right click on it choosing "Edit Group…"
    • For "Mailing Lists" add the group email address including the domain name
    • Add "Members" as required
Mail
Click on 'Mail' on the left:
  • For "Domains":
    • Add email domains as required
    • For each domain set the users that need email via that domain i.e. user_name@domain_name.com
  • Authentication: probably best to leave it on Automatic but you can customise it by clicking "Edit…" to the right - options are:
    • Automatic - will authenticate users against all accounts
    • Open Directory - open directory users only
    • Active Directory - Active Directory (AD) users only (if server is linked to one)
    • Local users - local user accounts only
    • Custom - customise the authentication options
  • Click "Edit Filtering Settings…"
    • Enable virus filtering
    • Enable blacklist filtering
    • Enable greylist filtering if required - see the notes on screen
    • Enable junk mail filtering
    NOTES for email clients:
    • Use any modern mail client
    • Set up accounts as POP or IMAP as required
    • Must login and add login for SMTP authentication
    • Must use SSL (see Certificates above)
Web Sites
Click on 'Websites' on the left:
  • TICK "Enable PHP" if required
  • The default web site is automatically setup for the domain you entered for the original server setup e.g. your_domain_name.co.uk
NOTE: Website data/folders are found in Macintosh HD > Library > Server > Web > Data > Sites - the default website is created in a folder called "Default" in that location. It is best not to delete or alter the contents of that folder.
NOTE: If you actually have a web site at your_domain_name.co.uk you can edit its settings and set the "Store Site Files In" to point to a different folder in the web server Sites folder location
NOTE: Useful settings for each domain you add are:
  • To add a different domain e.g. www.your_domain_name.co.uk and/or www.youradditionaldomain.com click the + button and enter the settings for your domain
  • SSL Certificates: set a certificate if required and it is installed
  • Store Site Files In: use the default "Automatically create a new folder" option as this creates a correctly named folder with the right permissions in the Sites folder
  • Additional domains: this is great for two reasons
    1. you have multiple domains pointing to the same web site e.g. www.your_domain_name.com and www.your_domain_name.co.uk
    2. you can add the root domain e.g. your_domain_name.co.uk (without the www bit) so that accessing http://your_domain_name.co.uk works
  • Index Files: you can set the required index file name or have more than one and drag them in priority order
  • Edit Advanced Settings:
    • Generally you will want all of these unticked
    • Use custom error page: this looks like a great option but we couldn't get it to work
  • Once your domain has been created a folder appears in the Sites location. You can delete any default files found in there ready for your web site files to go in it.
FTP
  • Create an FTP user if not already created (services only user)
  • Click on 'FTP' on the left
  • Select "Websites Root" from the "Share:" pop-up menu and then add (+ button) your FTP user with the "Read & Write" privilege
  • Select each web site you are sharing from the "Share:" pop-up menu and then add (+ button) your FTP user with the "Read & Write" privilege - you have to do this for all the web sites
  • NOTE: Or you can login as root and use the Finder to add the user at the Sites folder level and copy all permissions to files and folders in this folder.
    NOTE: The primary login directory will be the one that is currently set in the FTP settings screen - be careful what you leave it on if you have more than one FTP share point.
    NOTE: If you copy files to the FTP folder(s) using the Finder the permissions will not be set correctly on the files you copy. Once you've copied the files go to your site folder, Get Info on it, unlock it (bottom right) and select "Apply to enclosed items…" from the wheel pop-up menu just to the left of the lock icon. This will propagate the permissions down to all the files/folders you've copied within that site folder. Use FTP from then on.
    SECURITY NOTE: Because the FTP user has to have a local share point to access the FTP service, the FTP user will have the ability to physically login to the computer at the login screen and access the Finder (they can't access the server admin tools as they are not allowed to "administrate" the server but access to the Finder is bad enough) - this is a major security risk if the server is not in a secure location e.g. server room/house. If it's not, consider using a different method/software to get web site files on to the server.

Install And Configure MySQL

If you need to run MySQL:
  1. Download and install MySQL e.g. 5.7.x > Community Server "Mac OS X 10.12 (x86, 64-bit), DMG Archive" - check the OS requirements
  2. Go to Apple menu > System Preferences > MySQL
    • TICK "Automatically Start MySQL Server on Startup" (if not already ticked)
    • Click "Start MySQL Server"
Set The MySQL Root Password
NOTE: This is not the same as the OS X / macOS root or admin password - this is a unique password for the MySQL root user. Set a secure password and make sure you can remember what it is.
Login to OS X / macOS as root, go to Macintosh HD > Applications > Utilities > Terminal and issue this command:

    /usr/local/mysql/bin/mysqladmin -u root password 'yourpasswordhere'

NOTE: Make sure you use the single 'quotes' surrounding the password!
Automate MySQL Dump Backups
  1. Login as root
  2. Create a "Backups" folder (in a relevant location usually the root of the primary hard disk will do)
  3. Use a text editor e.g. BBEdit to create a MySQL dump backup command file
  4. Example backup command file:

    #!/bin/bash

    # ---
    # MySQL Back-up Script
    # ---

    # Back-up All Databases
    /usr/local/mysql/bin/mysqldump --user=root --password=yourmysqlrootpassword -hlocalhost --all-databases --lock-tables | gzip > /Backups/sqlbackup_monday.sql.gz

    NOTE: Name it something like "mysql_backup_monday.command".
    NOTE: You can test the final command line works by pasting it directly into the Terminal and checking that a mysql dump backup file has been created.
  5. Use a launchd (plist) editor e.g. Lingon X to add a launchd automated task, running as root, to run the backup command you just created and pick a regular day and/or time. For example to trigger your mysql dump script to run every Monday at 01:00:
    • Create a new task
    • TICK "Enabled"
    • Set 'User' to "root"
    • Name = "com.your_domain_name.sqlbackupmonday.plist"
    • NOTE: plists are saved to Macintosh HD > private > var > root > Library > LaunchAgents.
    • Run = point this to the location of the backup command script you created above
    • When tab > TICK "Scheduled"
    • Set schedule to "Day of week" + "Monday" + "01:00"
    • Click "Save"
    • To test it works, select it and click the "Test" button - if there are no error messages you can check the script has run correctly by checking that a mysql dump backup file has been created
  6. If you want a single mysql dump file that replaces itself each day you could just set the naming and launchd plist to run every weekday. But this may not be wise because, if something goes wrong, you only have the one backup dump file and if that is corrupted/bad the older ones are gone. Therefore, as per the recommendation above, create a "Monday" backup command script, duplicate that script in the Finder and edit the names to represent each day and add additional launchd plists to run each day - that way you have backups for every day. You could even go so far as to create and run backup scripts at a different time of the day, for example weekly (02:00), monthly (03:00) and yearly (04:00).
     If you are manually creating/editing the launchd plist files:
    • Example launchd plist file:
    • Example launchd plist file
    • line 6 filename (must match the Finder name)
    • line 9 the command
    • lines 14, 16, 18 timing (day, hour and minute as required)
    • or lines 14, 16, 18 timing (hour, minute and weekday as required)
    • Move the plist file(s) to Macintosh HD > System > Library > LaunchDaemons
    • Restart the server
    • Login as root
    • In the Terminal run "launchctl list" to check your plist(s) have loaded (should show in the list with a status of "0" - zero)
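
An added example, not part of the original article: a single script that can stand in for the duplicated per-day command files. It names the dump after the current weekday, reads the MySQL root credentials from an owner-only option file rather than the command line (where other local users can see them in the process list), and replaces the previous dump only after mysqldump and gzip have both succeeded. The option file path /var/root/.mysql_backup.cnf, the --run switch and the function names are assumptions made for this example.

```bash
#!/bin/bash
# Added example: one backup script for every day of the week.
set -u
umask 077   # dump files are created readable by their owner (root) only

BACKUP_DIR="${BACKUP_DIR:-/Backups}"
MYSQLDUMP="${MYSQLDUMP:-/usr/local/mysql/bin/mysqldump}"
# Assumed location of the option file. Create it as root, chmod 600, containing:
#   [client]
#   user=root
#   password=yourmysqlrootpassword
#   host=localhost
CNF="${CNF:-/var/root/.mysql_backup.cnf}"

# File name for a given weekday, e.g. "Monday" -> sqlbackup_monday.sql.gz
backup_name() {
    local day
    day=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    printf 'sqlbackup_%s.sql.gz' "$day"
}

# True only if the file exists and group/other have no permissions on it.
# Characters 5-10 of the ls mode string are the group and other bits.
cnf_is_private() {
    local perms
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# Dump all databases for the given weekday. The existing dump for that day
# is replaced only when the new one is complete and passes gzip's self-test.
run_backup() {
    local day="$1" final tmp
    final="$BACKUP_DIR/$(backup_name "$day")"
    tmp="$final.partial"

    if ! cnf_is_private "$CNF"; then
        echo "refusing to run: $CNF must be owner-only (chmod 600)" >&2
        return 2
    fi

    # --defaults-extra-file has to be the first option on the command line.
    if "$MYSQLDUMP" --defaults-extra-file="$CNF" --all-databases --lock-tables > "$tmp" \
        && gzip -c "$tmp" > "$tmp.gz" \
        && gzip -t "$tmp.gz"; then
        mv -f "$tmp.gz" "$final"
        rm -f "$tmp"
    else
        rm -f "$tmp" "$tmp.gz"
        echo "backup failed; previous $final left untouched" >&2
        return 1
    fi
}

# launchd calls the script with --run; without it only the functions are defined.
if [ "${1:-}" = "--run" ]; then
    run_backup "$(LC_ALL=C date +%A)"
fi
```

Scheduled once a day with --run as its argument, the script overwrites each weekday's file a week later, which gives the same seven-day rotation as the duplicated scripts.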


This article is © MacStrategy » a trading name of Burning Helix. Apple, the Apple logo, and Mac are trademarks of Apple Inc., registered in the U.S. and other countries. App Store is a service mark of Apple Inc.

