I’ve finally got the iChat portion of my Mac Mini Server up and running. It turned out that some fairly important parts of the process were poorly documented (or not at all), so I decided to write down the process in the hope that someone setting it up in the future will have better luck with their search results than I did.
Initial DNS Setup
The very first thing I did, before I even took the Mac Mini out of the box, was get its domain name set up. I’m on a cable modem, which means that all of my computers have local IPs (192.168.x.x) and share the same external IP address, which is subject to change at any time. That’s obviously a problem for any kind of server, but fortunately it was solved long ago by dynamic DNS services. These work by giving you a subdomain such as orangeroad.ddnsservice.org, which resolves to your current IP, and automatically updating the DNS record whenever your IP changes. I signed up for an account with FreeDNS, which is supported by my router’s firmware, so it will automatically keep my subdomain on their service updated.
Next I logged into the administrative interface for the orange-road.com domain, which has been hosted for many years by the excellent Mac-centric hosting service MacHighway. I then created a CNAME record pointing frontier.orange-road.com to the fully qualified domain name from Free DNS. There were some other DNS changes needed later, but to avoid confusion I’ll cover them later, where they fit into the process.
Finally, when I started up Frontier for the first time I told it that its name was frontier.orange-road.com. The actual server has no knowledge of the Free DNS FQDN. I assigned it a static IP address in my local subnet, and then logged into the router to forward all the ports I’d need (there were quite a few) to that static local IP. With all this done, an outside request for frontier.orange-road.com will (so long as it’s for one of the forwarded ports) end up at the Mac Mini Server.
Getting a Signed SSL Certificate
When I set the server’s name, it automatically created a self-signed SSL certificate. In order to avoid potential problems from poorly designed software putting up scary warnings or possibly refusing connections via XMPP, I wanted to get this signed by a certification authority. A few days before I’d read an article which mentioned StartSSL, which issues free certificates.
On the server side, the software makes it very easy to export a special file called a Certificate Signing Request, and then import the signed certificate once it’s received from the CA. The process of actually getting certificate signed proved tricky, but thanks to StartSSL’s very helpful Eddy Nigg I was eventually able to manage it. The trick is that when you first go to their web site it seems like you’re requesting a signed certificate, but what you’re really doing is creating an entirely new certificate which identifies you for logging in to their system. Once that’s done, it’s simple to paste the contents of the CSR file exported by the Server app into a form and then download the signed certificate. The trick is to know ahead of time that it’s a two-stage process.
Setting up SRV Records
At this point my iChat service was up and running and I could use the XMPP address email@example.com. However, I wanted to make it just firstname.lastname@example.org, so that my IM address would be the same as the email address that I’ve had since 1996. To do this, I needed to create DNS SRV records to send XMPP traffic for orange-road.com along to frontier.orange-road.com (the actual orange-road.com machine is a web server in Colorado which would just ignore XMPP traffic).
The system my hosting provider uses to administer the orange-road.com domain, cPanel, doesn’t have a way to create SRV records so I wasn’t able to do this all myself as I did with the CNAME record earlier. I new that MacHighway wouldn’t be able to offer any support for this, so I carefully checked and re-checked and then submitted a support request asking them to manually enter the following lines into the record for the orange-road.com domain:
_xmpp-client._tcp.orange-road.com 14400 IN SRV 0 1 5222 frontier.orange-road.com
_xmpp-server._tcp.orange-road.com 14400 IN SRV 0 1 5269 frontier.orange-road.com
Once I got a reply from MacHighway support that the change had been made, I checked with dig and confirmed that everything was working perfectly on the DNS side. Note that if I had used the Free DNS FQDN it would have worked, but that would also have made it impossible for me to move to another dynamic DNS service should the need arise without bugging someone at MacHighway to make another manual change for me.
Fixing the Server’s Identity Crisis
At this point I discovered that as far as the iChat service was concerned it was still frontier.orange-road.com, and it was certainly not going to allow users of orange-road.com to connect! I needed to change the name that just the iChat service had for itself, without affecting anything else on the server, and this turned out to be the biggest headache of the whole process, mostly due to the general lack of documentation. After a great deal of searching and a few red herrings, I finally came up with the answer:
sudo serveradmin settings jabber:hostsCommaDelimitedString = "orange-road.com" (the iChat service is actually a variation of jabbered2).
Chat Room DNS Setup
The last thing I needed to do was create a DNS record for the multi-user chat part of the iChat service. This has its own subdomain, “rooms.” followed by whatever the host name is–in this case, rooms.orange-road.com. To get it working, I created another CNAME record which pointed to that Free DNS FQDN. That completed the setup, and if I ever need to change dynamic DNS services, or if I get a static IP at home, I can make all the necessary changes without have to involve anyone else.