Setting up iChat Server
Feb 11th, 2012 by Ken Hagler

I’ve finally got the iChat portion of my Mac Mini Server up and running. It turned out that some fairly important parts of the process were poorly documented (or not at all), so I decided to write down the process in the hope that someone setting it up in the future will have better luck with their search results than I did.

Initial DNS Setup

The very first thing I did, before I even took the Mac Mini out of the box, was get its domain name set up. I’m on a cable modem, which means that all of my computers have local IPs (192.168.x.x) and share the same external IP address, which is subject to change at any time. That’s obviously a problem for any kind of server, but fortunately it was solved long ago by dynamic DNS services. These work by giving you a subdomain such as orangeroad.ddnsservice.org, which resolves to your current IP, and automatically updating the DNS record whenever your IP changes. I signed up for an account with FreeDNS, which is supported by my router’s firmware, so it will automatically keep my subdomain on their service updated.

Next I logged into the administrative interface for the orange-road.com domain, which has been hosted for many years by the excellent Mac-centric hosting service MacHighway. I then created a CNAME record pointing frontier.orange-road.com to the fully qualified domain name from Free DNS. There were some other DNS changes needed later, but to avoid confusion I’ll cover them later, where they fit into the process.

Finally, when I started up Frontier for the first time I told it that its name was frontier.orange-road.com. The actual server has no knowledge of the Free DNS FQDN. I assigned it a static IP address in my local subnet, and then logged into the router to forward all the ports I’d need (there were quite a few) to that static local IP. With all this done, an outside request for frontier.orange-road.com will (so long as it’s for one of the forwarded ports) end up at the Mac Mini Server.

Getting a Signed SSL Certificate

When I set the server’s name, it automatically created a self-signed SSL certificate. In order to avoid potential problems from poorly designed software putting up scary warnings or possibly refusing connections via XMPP, I wanted to get this signed by a certification authority. A few days before I’d read an article which mentioned StartSSL, which issues free certificates.

On the server side, the software makes it very easy to export a special file called a Certificate Signing Request, and then import the signed certificate once it’s received from the CA. The process of actually getting the certificate signed proved tricky, but thanks to StartSSL’s very helpful Eddy Nigg I was eventually able to manage it. The trick is that when you first go to their web site it seems like you’re requesting a signed certificate, but what you’re really doing is creating an entirely new certificate which identifies you for logging in to their system. Once that’s done, it’s simple to paste the contents of the CSR file exported by the Server app into a form and then download the signed certificate. The trick is to know ahead of time that it’s a two-stage process.

Setting up SRV Records

At this point my iChat service was up and running and I could use the XMPP address khagler@frontier.orange-road.com. However, I wanted to make it just khagler@orange-road.com, so that my IM address would be the same as the email address that I’ve had since 1996. To do this, I needed to create DNS SRV records to send XMPP traffic for orange-road.com along to frontier.orange-road.com (the actual orange-road.com machine is a web server in Colorado which would just ignore XMPP traffic).

The system my hosting provider uses to administer the orange-road.com domain, cPanel, doesn’t have a way to create SRV records so I wasn’t able to do this all myself as I did with the CNAME record earlier. I knew that MacHighway wouldn’t be able to offer any support for this, so I carefully checked and re-checked and then submitted a support request asking them to manually enter the following lines into the record for the orange-road.com domain:

_xmpp-client._tcp.orange-road.com 14400 IN SRV	0 1 5222 frontier.orange-road.com
_xmpp-server._tcp.orange-road.com 14400 IN SRV	0 1 5269 frontier.orange-road.com

Once I got a reply from MacHighway support that the change had been made, I checked with dig and confirmed that everything was working perfectly on the DNS side. Note that if I had used the Free DNS FQDN it would have worked, but that would also have made it impossible for me to move to another dynamic DNS service should the need arise without bugging someone at MacHighway to make another manual change for me.

Fixing the Server’s Identity Crisis

At this point I discovered that as far as the iChat service was concerned it was still frontier.orange-road.com, and it was certainly not going to allow users of orange-road.com to connect! I needed to change the name that just the iChat service had for itself, without affecting anything else on the server, and this turned out to be the biggest headache of the whole process, mostly due to the general lack of documentation. After a great deal of searching and a few red herrings, I finally came up with the answer: sudo serveradmin settings jabber:hostsCommaDelimitedString = "orange-road.com" (the iChat service is actually a variation of jabberd2).
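
An added example, not part of the original post: a small Python lint that parses the two SRV lines above and checks them against the domain given to hostsCommaDelimitedString. The function names and the set of certificate names passed in are assumptions made for illustration; the certificate check reflects that XMPP clients compare the server certificate with the domain in the address (RFC 6120), not with the SRV target.

```python
import re

# The two SRV lines from the post:
# owner TTL class type priority weight port target
SRV_LINES = """\
_xmpp-client._tcp.orange-road.com 14400 IN SRV 0 1 5222 frontier.orange-road.com
_xmpp-server._tcp.orange-road.com 14400 IN SRV 0 1 5269 frontier.orange-road.com
"""

# Default ports for the two XMPP services (RFC 6120).
XMPP_PORTS = {"_xmpp-client": 5222, "_xmpp-server": 5269}


def parse_srv(line):
    """Split one zone-file SRV line into a dict; raise ValueError if malformed."""
    f = line.split()
    if len(f) != 8 or f[2].upper() != "IN" or f[3].upper() != "SRV":
        raise ValueError(f"not an SRV record: {line!r}")
    m = re.fullmatch(r"(_[a-z0-9-]+)\._(tcp|udp)\.(.+?)\.?", f[0].lower())
    if not m:
        raise ValueError(f"bad owner name: {f[0]!r}")
    return {"service": m.group(1), "domain": m.group(3), "ttl": int(f[1]),
            "priority": int(f[4]), "weight": int(f[5]), "port": int(f[6]),
            "target": f[7].lower()}


def lint_srv(rec, xmpp_domain, cert_names):
    """Return warnings for one parsed record.

    xmpp_domain: the value set in hostsCommaDelimitedString.
    cert_names:  DNS names on the server certificate (supplied by the caller;
                 exact match only, wildcards are not handled here).
    """
    warnings = []
    if rec["domain"] != xmpp_domain:
        warnings.append("owner domain differs from the XMPP domain")
    if XMPP_PORTS.get(rec["service"]) != rec["port"]:
        warnings.append("port is not the XMPP default for this service")
    if not rec["target"].endswith("."):
        warnings.append("target has no trailing dot; a raw zone file "
                        "would append the origin to it")
    # Clients match the certificate against the JID domain, not the SRV target.
    if xmpp_domain not in cert_names:
        warnings.append("certificate does not name the XMPP domain")
    return warnings
```

Running lint_srv with the XMPP domain still set to frontier.orange-road.com reports the mismatch that the serveradmin command above resolves.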

Chat Room DNS Setup

The last thing I needed to do was create a DNS record for the multi-user chat part of the iChat service. This has its own subdomain, “rooms.” followed by whatever the host name is–in this case, rooms.orange-road.com. To get it working, I created another CNAME record which pointed to that Free DNS FQDN. That completed the setup, and if I ever need to change dynamic DNS services, or if I get a static IP at home, I can make all the necessary changes without having to involve anyone else.

If you can’t beat them, extort them
Feb 7th, 2012 by Ken Hagler

The three patents Microsoft is hammering the Nook with—and why they may be invalid.

Microsoft’s complaint against Barnes & Noble’s Android-based Nook devices has been narrowed down to just three patents, with the US International Trade Commission having to decide whether Nook devices infringe on several patented methods of interacting with and downloading electronic documents. Barnes & Noble is also asking the ITC to declare the patents invalid because they cover obvious and trivial functionality.

Microsoft’s ITC complaint, which was filed in March 2011 and targets Foxconn and Inventec in addition to Barnes & Noble, cited five patents. One 1994 patent related to “new varieties of child window controls [that] are provided as system resources that application programs may exploit,” and a 1997 patent related to how browsers load and display content in portable computers with limited display areas have since been dropped from the case.

[Ars Technica]

Here’s the sentence in the article that explains what this is really all about: “The ruling will be an important one in Microsoft’s quest to extract money from every Android hardware vendor.” In other words, having dismally flopped in their every attempt to develop a mobile device, Microsoft has given up on competition and turned to extorting money from companies that actually can develop useful devices.

New Server
Feb 2nd, 2012 by Ken Hagler


Earlier this week I added this Mac Mini Server, which I named Frontier, to my home network. It’s a bit strange after so many years of working with Macs, and helping to administer Windows and Linux servers, but this is actually my first Mac server!

I got it primarily as a file server for scanned photos, but I’ve also enabled the iChat Server, which is Apple’s front end for the popular XMPP server jabberd. The idea is that once I’ve got some DNS stuff straightened out I’ll finally have the same address for instant messages that I do for email.

Comment spam
Feb 2nd, 2012 by Ken Hagler

The Akismet plugin, which I use to block comment spam here, has a display of how much comment spam I’ve received. The amount has been going up ever since I turned commenting back on, with the total spam for January being 2,279. That’s more than twice the amount of email spam I received in the same period, despite having had the same email address (widely distributed across multiple websites) for sixteen years. I don’t really see why people would bother generating so much comment spam–I can’t even remember the last time I saw a spam comment get through to somebody’s weblog.

Terrorists in the U.S.
Feb 1st, 2012 by Ken Hagler

“I just happened to glance over and saw this huge chainsaw ripping down the side of my door.”

[…]

If the purpose of these raids is to take dangerous people by surprise before they can shoot back at police, how exactly does taking the door down with a chainsaw fit that strategy? [The Agitator]

As several people pointed out in the comments on that post, there is really nothing more ideally suited to making an armed citizen empty their gun through their front door than some maniac cutting through it with a chainsaw! As tactics to use against an armed drug dealer, I can’t think of anything more incredibly stupid.

On the other hand, what this sort of thing is very good for is terrorizing a mother and her very young daughter and making sure that they will never make the mistake of thinking they live in anything other than a hideously oppressive police state. That, I think, is the real purpose of these raids–they’ve got nothing to do with policing, and everything to do with state terrorism.

Sadly, it could have been even worse. They’re not called the Federal Baby Incinerators for nothing.

© Ken Hagler. All rights reserved.