You’re an experienced Mac user. You’ve been on the Internet for a few years, and you’re thinking about a high speed cable modem or DSL connection for your home or business. And now you’re intrigued by the possibility of setting up your own Macintosh Internet servers.
You could run your own mailing list dedicated to a particular hobby or interest, rather than shelling out extra cash to your ISP every month and waiting days for them to fix every little problem. You could run your own Web site–no account quotas, no download limits–and serve FileMaker databases or other content your ISP can’t handle. Or you could build your own e-commerce site for your business, rather than paying some else a monthly fee and giving them a cut of every sale you make. You could even distribute MP3 audio files featuring your garage band.
The possibilities and flexibility of running your own servers can be intoxicating. I took the plunge almost four years ago with a dedicated ISDN line and never looked back. But running your own Internet services takes more technical savvy–and entails more responsibility–than simply surfing the Web or figuring out how to get the best image from your scanner. You can’t be intimidated by the technical details of how the Internet, email, and the Web work. But, for the most part, you’ll find setting up Internet services using Macs is still easier than with any other computing platform.
Pick the subject you’d like to read more about:
IP Addresses and Internet Sharing
Learn Your Lines – Connection Technologies (DSL, cable modems, ISDN, and regular modems)
Dot Com – Master Your Domain (How to get your own dot-com address — and maintain it)
Utilities and Security
Also see the “Wire It Up: Product Table.”
Geoff Duncan is a freelance consultant and writer near Seattle, Washington; he’s been running his own servers from home for over four years. Geoff is also the Technical Editor of TidBITS, the long-standing free online Macintosh newsletter.
IP Addresses and Internet Sharing
Before you contemplate running your own Internet services, you need to think about IP addresses.
IP Addresses and DNS
Briefly, IP addresses are the means by which computers on the Internet find each other, and every machine connected to the Internet has a unique IP address. IP addresses are usually expressed as “dotted quads,” a series of four numbers less than 256, separated by periods. You’ve probably seen hundreds of these: for example, www.macworld.com is more formally known as 184.108.40.206.
An IP address can have one or more names associated with it. These names are usually friendlier than the numbers–you’re more likely to remember www.macworld.com than 220.127.116.11. The Domain Name System, or DNS, is responsible for converting names to numbers and vice versa. When you try to connect to a machine using its name–whether to connect to a Web site, FTP server, or other service–your computer asks a DNS name server for the IP address associated with that name. If the DNS system returns a valid response, your computer can try to open a connection to the remote system; otherwise, the connection attempt fails before it’s even begun.
Static vs. Dynamic
IP addresses can be static or dynamic. A static IP address is always assigned to the same machine–the IP address for my desktop Macintosh has been constant for more than two years. But when you connect to an Internet service provider using a modem, you’re assigned an IP address from a pool of addresses dedicated to dialup users: each time you dial in, your computer will be assigned a different IP address. Dynamic IP addresses are a good thing–believe it or not, the Internet is quickly running out of available “IP space”; dynamic address pools allow online providers to use IP addresses more efficiently.
Servers Want Static IPs
Although IP addresses can be dynamically allocated, DNS names cannot. Although DNS names can be changed, it can take anywhere from a day to a week or more for changes to become effective across the majority of the Internet, depending on how your domain is configured. This means that if you want people to be able to connect to your servers using a DNS name instead of a constantly-changing IP number, your servers need to be connected to the Internet using static IP addresses.
This has important implications for the type of high speed Internet service you select. Although high speed service offerings from cable companies, telephone companies, Internet service providers, and others vary widely in scope and price, the majority of these services are designed to meet the needs of non-technical Internet users with a single computer who are mainly concerned with sending and receiving email and getting high speed Web access. These packages aren’t meant for people who want to run their own servers. Some providers do not offer any sort of high-speed access with static IP numbers; others may only grant a single static IP address for your entire network (which may be enough; see below). Others will be happy to let you have as many static IP addresses as you like–for an added fee. Still others will give you as many static IPs as you like, for free, but won’t let you run any servers at all.
If your ISP will let you have static IP addresses, don’t ask for more than you need. If you think you might connect half a dozen machines directly to the Internet, it’s OK to ask for ten static IP addresses to allow some room for growth. But don’t ask for a full class C address space (254 static addresses). Allocated but unused IP addresses are one of the reasons the Internet is running out of address space.
Coping with a Single IP Address
If you can only get a single IP address but want to run your own servers, you essentially have two choices: run all your servers on the machine that owns the single IP address allocated to you by your upstream provider, or run a router at your single IP address that can redirect traffic appropriately to and from other machines.
These sorts of routers are increasingly common, and can exist as hardware devices or as software you run on the machine using your IP address. Essentially, you assign your single “real” IP address to the router, then assign arbitrary “fake” IP addresses to other machines on your network. The router then uses Network Address Translation (NAT) to make any traffic from your fake addresses appear to originate from the machine with the real IP address. When a response comes back from the Internet, the router receives the data then re-transmits it to the “fake” address on your network that originated the request. Voilà! Using a single IP address, you can let more than one computer “see” the Internet transparently!
Unfortunately, just because those other computers can see the Internet doesn’t mean the Internet can see them–remember, so far as the Internet is concerned, you only have one IP address, and that’s all the Internet can communicate with. This fact is often billed as a security feature in NAT routers–protect your network from malicious hackers!–but it also makes it difficult to run servers. If you run a server and no one can connect to it, what’s the point?
Sustainable Softworks IPNetRouter (http://www.sustworks.com/, $89) and Vicomsoft’s SoftRouter Plus and Internet Gateway (http://www.vicomsoft.com/, starting at $149 and $215 respectively) are exceptions: they will allow selected Internet services–like HTTP for a Web server or SMTP for mail–to be redirected to another machine on your network that doesn’t have a “real” IP address. Personally, I only recommend these products to people with a strong knowledge of the Internet’s technical side: while they’re good products, they aren’t for the faint of heart.
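To make the single-address situation concrete, here is an added example of mine (not code from the article, and not how IPNetRouter or the Vicomsoft products are implemented) that simulates a NAT router in Python. Outbound connections get a fresh public port and a table entry, replies are matched against that entry and handed back to the private host, and unsolicited inbound connections are dropped unless the administrator has configured a forward for that port, which is the service redirection the paragraph above describes. All addresses are constructed: documentation ranges on the “Internet” side, and 192.168.1.x is my choice for the “fake” addresses.

```python
"""Toy NAT router: one public IP in front of several private hosts.

Added example; addresses are constructed (RFC 5737 documentation ranges
for the "public" side, 192.168.1.0/24 for the private side).
"""
from dataclasses import dataclass, field

Endpoint = tuple  # (ip, port)


@dataclass
class NatRouter:
    public_ip: str
    # Static forwards configured by the administrator: public port -> private (ip, port).
    forwards: dict = field(default_factory=dict)
    # Dynamic translation table: public port -> (private src, remote dst) for open flows.
    table: dict = field(default_factory=dict)
    next_port: int = 40000  # first ephemeral public port to hand out

    def outbound(self, src: Endpoint, dst: Endpoint) -> tuple:
        """Rewrite an outbound packet so it appears to come from the public IP.

        Returns the (src, dst) pair as seen by the Internet and records the
        mapping so the reply can be sent back to the originating private host.
        """
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = (src, dst)
        return ((self.public_ip, pub_port), dst)

    def inbound(self, src: Endpoint, dst_port: int):
        """Decide where an inbound packet goes.

        Priority: a reply to a flow we opened (only from the remote host that
        flow was opened to), then an administrator-configured forward, else
        drop (None). Everything the Internet sends lands on the public IP, so
        without a forward a private server is simply unreachable.
        """
        flow = self.table.get(dst_port)
        if flow is not None:
            private_src, remote_dst = flow
            return private_src if src == remote_dst else None
        return self.forwards.get(dst_port)


def demo() -> dict:
    """Walk through the cases the article describes; returns them for checking."""
    router = NatRouter("203.0.113.10", forwards={80: ("192.168.1.20", 80)})
    # A desktop behind the router fetches a Web page from an outside host.
    public_view, _ = router.outbound(("192.168.1.5", 51000), ("198.51.100.7", 80))
    reply = router.inbound(("198.51.100.7", 80), public_view[1])
    # An outside user tries to reach a mail server on the LAN: no forward, so dropped.
    smtp_attempt = router.inbound(("198.51.100.9", 12345), 25)
    # An outside user connects to the forwarded Web port and reaches the private server.
    web_attempt = router.inbound(("198.51.100.9", 12346), 80)
    # A packet to an ephemeral port from a host the flow wasn't opened to: dropped.
    stray = router.inbound(("198.51.100.99", 80), public_view[1])
    return {"public_view": public_view, "reply": reply, "smtp": smtp_attempt,
            "web": web_attempt, "stray": stray}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `stray` case is why the “security feature” claim has some truth to it: with no forward configured, nothing on the Internet can initiate a conversation with a private host, and only the remote end of an existing flow can send data back through its port. The `web` case is the exception the text describes, and it is exactly the service you chose to expose.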
Learn Your Lines – Connection Technologies
New always-on, high-speed connections often sport greater bandwidth capabilities than those utilized by large commercial Web sites only a few years ago. This is good. Unfortunately, the bulk of these services are designed for ordinary Web users rather than for folks providing their own services, so you’ll need to shop carefully and consider your options.
Cable modems rely on existing cable networks in your neighborhood normally used to carry television signals. Cable modems can theoretically offer speeds as fast as 10Base-T Ethernet–10 megabits per second. Unfortunately, the reality of cable modems is always much slower–often around 1 megabit per second or less. Further, the bandwidth of a cable modem is shared among all the cable modem users in your local network segment, usually in your neighborhood. So, if other people in your area are downloading lots of data with their cable modems, less bandwidth is available to you. Furthermore, cable modems are almost always asymmetrical, meaning they offer more bandwidth for inbound traffic than for outbound traffic. (Remember: most high speed services are designed for Internet users who receive far more information than they transmit. The reverse is usually true for people who run their own servers.) A cable modem is unlikely to offer more than 1.5 megabits per second upstream to your users under the best of circumstances. If you’ve been keeping up with the math, you’ll realize that 1.5 Mbps is as fast as a T1 Internet connection from the phone company–certainly nothing to sneeze at!–and cable modems are often inexpensive, usually between $35 and $60 per month after you’ve paid a somewhat hefty setup fee.
In terms of sheer bandwidth for the buck, cable modems are great. But there are downsides. That 1.5 Mbps upstream bandwidth is shared by anyone else in your area using a cable modem, and the vast majority of cable modem services do not allow you to choose the ISP or upstream network that offers you the best deal: you either accept Internet services from the cable company, or you can’t get a cable modem; if you don’t already have cable, you’ll have to pay to have it installed. Cable companies also often mandate you use cable modem hardware purchased from them, either a PCI card or a more expensive standalone Ethernet-capable router (which is usually the only option for Macs). Cable modem service usually comes with only a single static IP number, and while some cable companies will be happy to sell you additional IP numbers (and hardware) to handle more than one computer, they often specifically prohibit customers from running any sort of server. Many won’t allow you to register a domain or have a DNS name assigned to a machine on their network, and many even block inbound traffic for common services like SMTP (email), Web, and FTP. Technical support is another issue: it’s almost universally bad in the cable industry. (I personally can’t imagine buying network connectivity from a company that can’t return my calls or provide me a clear television picture.) If you’re considering a cable modem, read the customer agreement very carefully before spending any money, and specifically ask the cable company’s technical support staff if you can run your own servers. You might also ask if they know anything about Macs.
DSL stands for Digital Subscriber Line, and is the latest high speed access method to hit the market. Unlike cable modems, DSL can use existing telephone lines, and, furthermore, because DSL service uses completely different frequencies than voice service, you can still use a line with DSL service for normal voice calls, modem use, and faxing. The amount of bandwidth a DSL connection provides varies with the quality of your local phone service, your distance from a central office, and the amount of money you’re willing to spend, but typically ranges from 144 Kbps (more than 2.5 times the speed of a 56 Kbps modem) to 1.5 Mbps (as fast as a full T1 Internet connection). Although you have to buy DSL service from your local phone company, you don’t necessarily have to use your local telephone company as an Internet service provider: you may be able to find a better deal from a regional ISP, especially if you want to run your own servers and can find an ISP that caters to small businesses. Either way, the telephone company or the ISP will want to sell you their preferred DSL hardware in order to set up your connection as part of their setup cost. DSL service can be either asymmetric–ADSL, offering more bandwidth inbound than outbound–or fully symmetric, offering the same amount of outgoing bandwidth as incoming bandwidth.
DSL offerings vary widely: some providers offer only dynamic IP addresses, others offer a single static IP address, and others may offer several IPs, but charge you for more expensive “business services” if you need more than one IP number or want to run your own servers. Furthermore, many DSL service offerings are metered, perhaps charging $20 per month for up to 500 MB of data transfer, but then charging a penny for each additional megabyte during the month. That might be fine for your purposes, but my servers transmit 200 MB to 500 MB of data per day–and that doesn’t even consider inbound traffic. Suddenly I’d be paying an ISP $70 to $100 per month for Internet service, in addition to whatever I’d be paying the phone company for DSL in the first place (typically $30 to $60 per month). Metered DSL costs can add up quickly; unfortunately, unmetered, flat-rate DSL is comparatively rare. Again, read the customer agreements carefully before signing up for service.
ISDN stands for Integrated Services Digital Network, and is another high-speed service that runs over existing telephone lines (provided they qualify for service). ISDN isn’t as sexy as it used to be because it’s not as fast as cable modems or DSL services: either 64 Kbps or 128 Kbps (in some areas, 56 Kbps and 112 Kbps). ISDN also doesn’t use the phone network as efficiently as DSL–you can’t have normal voice service and ISDN on the same line–but it’s a reliable technology that’s often available at flat-rate pricing. But before you think of ISDN as slow and pokey, compare its pricing and availability to DSL options. And remember my home network which pushes 200 to 500 MB of data to the Internet every day? It’s connected to the Internet using a 128 Kbps ISDN line, and during the last year peaked at less than 20 percent total utilization for any given 10 minute period. You can do a lot with 128 Kbps–but I’m not serving video or dozens of MP3 files for my garage band, either.
What About Modems?
There’s no reason you can’t set up a dedicated Internet connection using a modem–people have done this for years. A 56 Kbps modem can be faster than low-end frame relay connections, although it will be susceptible to all the same connection problems modems face every day. For lightweight use, though, a dedicated Internet connection via a modem may be the most economical choice, and may be the only viable solution for locations too far away from the central offices and facilities that modern high speed connections demand. There are also products (like Netopia’s) which can deliver 112 Kbps or more using multiple 56 Kbps modems. Of course, you’d still have to pay for multiple telephone lines.
How Much Speed Do You Need?
Common sense dictates more bandwidth is always better–but it’s not always fun to pay for more bandwidth than you need. Consider how you’ll be using your line, what sort of data you’ll be serving, and how many simultaneous users you’re likely to have. My Web server pushes a fair bit of data each day to somewhere between 2,500 and 5,000 unique users. That’s not a heavy load at all for many sites, but my line hardly strains because each Web “hit” averages just over 6K of material transferred. Some people might say my ISDN line only has enough bandwidth to keep up with two 56 Kbps modems–and that would be true if my line had to sustain enough throughput to saturate those modem connections. But it doesn’t: I’m mainly serving small bits of information. If a user has to wait an extra second for that information to arrive, they’re hardly going to notice–especially if they’re a modem user, where it would take more than a second to receive that same 6K of data anyway. At that pace, my server can routinely handle over a dozen simultaneous users without one of them noticing a performance issue. The same users will wait even longer to load a Web page from Yahoo! or another “high end” server.
Conversely, if you’re planning to stream audio or video to Internet users, that stream is going to occupy a significant amount of your bandwidth for a significant length of time. If you serve more than one or two people simultaneously, overall performance of your connection will drop noticeably. If you expect to be in that situation frequently, a greater amount of bandwidth will be useful.
Routers, like modems, can sometimes use internal compression to increase bandwidth by decreasing the amount of data they need to transmit. Like other types of compression, this is particularly useful if you’re transferring text or other highly-compressible material, but doesn’t often help with media, QuickTime movies, or the like. For instance, my router can use Ascend LZS compression with my ISP’s router: although my ISDN connection can only sustain 128 Kbps, when I transfer a large text file, I routinely see apparent throughputs in the range of 300 Kbps. This helps with outbound traffic too, since few of the pages on my Web server are image-intensive.
Dot Com – Master Your Domain
If you want Internet users to be able to connect to your servers by name rather than by using numeric IP addresses, you’ll need to arrange to have DNS names assigned to your static IP addresses. If permitted under your terms of service, your upstream provider can assign DNS names to any static IP numbers on your network.
You could also register your own Internet domain, so that you’re responsible for any and all machines in that domain. For instance, my home network is quibble.com, and any machines in that domain are guaranteed to be in my office (or on my deck, if the weather’s nice and the wasps forgiving). I’ve also registered domains for clients.
Because I manage multiple domains, I also run my own DNS server, which acts as the final authority on translating DNS names to IP addresses and vice versa for my network. (It also converts DNS names to IP addresses in response to any outbound DNS queries generated on my network–when I point a Web browser to www.macworld.com, my own DNS server on my Ethernet network converts that to an IP address, rather than sending the query upstream to a DNS server at my ISP.)
Registering domains in the .com, .net, or .org “namespaces” used to only be possible through Network Solutions, who had an exclusive contract to manage those spaces. You can still register domains through Network Solutions (currently priced at $70 for the first two years), but a variety of alternative registration authorities are also available. Your ISP may also be able to register a domain for you.
The complete details of managing your own DNS server are beyond the scope of this article, but it might be worth considering if you’re planning to host multiple domains, or manage more than a handful of IP addresses. You can also run a DNS server that doesn’t assign DNS names to any machines on your network, but merely looks up IP addresses when a computer on your network needs to connect to an external site. This may be considerably faster than relying on a name server on your ISP’s network. If you plan to run your own DNS service for machines on your network, you may need to get another party–like your ISP or another network provider–to act as a secondary DNS server. You can’t register a domain without having both a primary and secondary DNS server.
Several DNS servers are available for the Mac OS. The top-of-the-line product is Men & Mice’s QuickDNS Pro 2.2.1, which offers a host of professional-level features and great performance. Other options include Apple’s aging MacDNS, which can suffer from stability problems but is free, and the free NonSequitur, which garners good reports from users. Neither MacDNS nor NonSequitur is as full-featured as QuickDNS Pro, but most small networks don’t need all the features of QuickDNS Pro anyway.
So, you’ve decided what kind of Internet connection best meets your needs and budget–now it’s time to think about server hardware!
Before you rush off to the online Apple Store to buy a 500 MHz G4 system with 100Base-T Ethernet to act as your Web server, consider what sort of material you plan to serve, what level of traffic you expect, and whether you need to acquire any additional hardware at all. This may fly in the face of conventional wisdom (and computer marketing!), but you don’t need a fast computer to run a Web server that sits at the end of a typical low-cost Internet connection.
First, consider bandwidth. The standard Ethernet built into Macs for the last several years theoretically runs at 10 Mbps. In practice, this is more like 3 to 4 Mbps, but that is nonetheless at least twice as fast as a high-speed T1 line from the phone company. And most current high speed Internet offerings only approach T1 speeds in their most expensive (and rarefied) incarnations. So, the Ethernet networking capabilities in old, pokey Macs can quite easily blow out even high speed Internet connections.
If you have Macs without Ethernet, you still have options. The first might be to check online auction sites or local user groups for cheap NuBus or PDS Ethernet cards. Alternatively, LocalTalk, that ancient serial networking technology, runs at 230 Kbps–almost twice the bandwidth of ISDN connections, and faster than many DSL offerings.
There are a couple of complications. First of all, managing a serial port requires a fair bit of the Mac’s CPU time–and these are older, pokey Macs in the first place. Even with their comparatively good speed, LocalTalk connections are nowhere near as sprightly as Ethernet-based connections.
Secondly, communication with the Internet via LocalTalk requires a MacIP gateway, which encapsulates IP traffic in AppleTalk packets, then sends them to LocalTalk machines. IPNetRouter and the Vicomsoft products mentioned above offer MacIP services, as do some AppleTalk packages for hardware routers (including those from Netopia), but unless you’re already using one of these products, getting a MacIP gateway probably means more financial outlay than picking up a few used Ethernet cards, unless you’re dealing with a large number of LocalTalk-only Macs.
Nonetheless, MacIP and LocalTalk networking is a viable option–I hosted an SE/30 running LetterRip Pro on my network using MacIP for over two years. It was no speed demon, but it served several hundred mailing list subscribers on a high-volume mailing list with no difficulty. I also routinely connect to the Internet from my PowerBook using MacIP, mostly because LocalTalk cabling is inexpensive (I don’t care if the cats attack it) and can be much longer than 10Base-T Ethernet.
Unless you’re going to be providing processor- or disk-intensive services (media streaming, serious database searches, massive mailing lists, etc.) my best advice is to stick with older, inexpensive Macs for servers until you feel a need to upgrade them–if ever! Three-to-five year-old Power Macs are ideal for low- to mid-range server duties, and can often be acquired cheaply–or you may have one sitting around unused if you recently upgraded your main system. About half my servers are my former desktop systems: when I upgrade my main machine, the old one becomes yet another server.
Now it’s time to think about the software you’ll use to provide your own Internet services. Fortunately, a wide variety of Internet server software is available for the Mac OS; unfortunately, choosing the best combinations for your needs can involve considerable research and trial-and-error. My best advice is to think carefully before you purchase any server products–look before you leap. Generally, all the commercial products mentioned below have good technical support in case you get stuck, and virtually all these products have associated discussion lists covering tips, techniques, and general issues–they’re highly recommended for familiarizing yourself with the products’ capabilities and how other people are using them.
Do You Already Have a Web Server?
If you only plan to do light-weight Web serving from your network, you may already have all the Web server you need. Apple’s Personal Web Sharing, which ships with the Mac OS, isn’t the most feature-laden Web server on the planet, but it’s quite capable, can communicate with any CGI application that works with WebSTAR or other standard Mac OS server, and offers authentication and HTTP upload capabilities. If all you plan to do is host some home pages and post some vacation snapshots, you don’t need to spend money on a Web server–even Personal Web Sharing is overkill. I once used Personal Web Sharing to stream a live video feed from an original Connectix QuickCam attached to an old PowerBook in my kitchen, just so I could catch my cats jumping up on the kitchen counters when they thought I wasn’t looking. Personal Web Sharing held up just fine.
If you’re planning to serve data from FileMaker databases but don’t need to support a tremendous number of users (or other features), FileMaker Pro 4.x has a built-in Web server in the form of the FileMaker Web Companion. It’ll happily serve plain HTML files, images, and other items in addition to database-generated pages marked up with FileMaker’s FDML. I wouldn’t recommend it for intensive Web server tasks, but for low-end meat-and-potatoes Web service, it might suffice.
WebSTAR Server Suite is a professional’s tool at a professional price–$600 for a new license–and some of its more-recently introduced features (email service) aren’t necessarily as mature as other products. Nonetheless, WebSTAR Server Suite is the only turnkey solution for all common server needs on the market–email, Web, and FTP–and it’s fully capable of serving high-end, demanding Web and network services.
AppleShare IP 6.x is Apple Computer’s server offering for computers running the existing Mac OS–although Apple is strongly promoting the Unix-based Mac OS X Server for high-end server needs. AppleShare IP offers a cornucopia of services, providing high-speed file and print services that can run over either AppleTalk or TCP/IP, an integrated Web server (which can handle standard Mac OS CGI applications and WebSTAR plug-ins), and FTP server, plus support for SMTP, POP, and IMAP email. AppleShare IP also sports complete remote administration capabilities via the Web and truly scales up: according to Apple, AppleShare IP can handle service for hundreds of users, dozens of physical storage devices, and a large herd of printers. All this is probably overkill for the typical home office or small business–and it’s $1,000 for a 50 user license–but if you need to provide a variety of services for a large number of people and the cost doesn’t put you off, AppleShare IP deserves consideration.
If the main appeal of AppleShare IP is its support for AppleShare over IP–enabling users to mount file server volumes in the Finder using the Internet rather than AppleTalk–then look into Open Door Software’s ShareWay IP. ShareWay IP can make any AppleTalk Filing Protocol server–whether Personal File Sharing, early versions of AppleShare, or even AppleTalk servers running on other platforms–available via the Internet. Pricing varies depending on the features you need and the number of servers and users you need to support, but will almost certainly be less expensive than Apple’s full AppleShare IP package, and in some ways is more flexible.
NetPresenz, from Stairways Software (the same folks who bring you Anarchie), is another combination server, providing FTP, Web, and even Gopher servers, although it does not offer any sort of email service. Nonetheless, for $35 ($95 for commercial use), NetPresenz is quite capable, and uses the Mac OS’s built-in Users and Groups file sharing privileges to control who does and doesn’t have access to Web pages and FTP directories. NetPresenz’s Web server supports the same CGI applications as any other standard Mac OS Web server (WebSTAR, etc.), although it doesn’t support WebSTAR plug-ins, include built-in options for dynamic content, or offer an incredibly high level of performance. Nonetheless, if you need Web and FTP service–or even just FTP service–NetPresenz is a reliable and economical option.
Although each of the server suites above offers FTP services that meet many needs, you need to look at Maxum Development’s Rumpus, a commercial FTP server, for more sophisticated FTP options. Rumpus offers load management, advanced security, scalable performance settings, account quotas, Web-based configuration, scheduled access, strong logging, and more. Standard and Pro versions are available, with the Pro version geared more toward the usage needs of ISPs.
Quid Pro Quo, from Social Engineering, is a professional-level Web server without WebSTAR’s price tag. Quid Pro Quo offers support for virtual hosting, IP multihoming, remote administration, full support for standard CGI applications as well as WebSTAR and MOSAPI Web server plug-ins (like Lasso and NetCloak; see below), a built-in search engine for local documents, good security settings (including support for the Mac OS Users & Groups settings, like NetPresenz), and more. Although a secure SSL version of Quid Pro Quo is available for folks who want to conduct e-commerce, Quid Pro Quo lacks WebSTAR’s extensive set of add-ons, such as an FTP server, email, a caching proxy server, and directory services. But if you don’t need those services–or prefer to provide them with other applications–Quid Pro Quo’s $129 price tag can be very appealing. Quid Pro Quo started off as a free Web server, and though it doesn’t have a large company behind it, over the last few years Quid Pro Quo’s proven to be more than a flash-in-the-pan product.
Another professional-level Web server is Tenon Intersystems’ WebTen, which is essentially the popular Unix Web server Apache rolled into a Macintosh application. WebTen includes just enough Unix emulation under its hood to provide networking, a native storage system bypassing the pokey Mac OS, and to let Apache run under the Mac OS. WebTen offers no command line, no cryptic shell commands, none of the potential security pitfalls of a complete Unix installation, and runs as a double-clickable Macintosh application — potentially the best of both worlds. WebTen includes FTP and proxy services, SSL 3.0 for secure transactions, and even rolls in its own DNS server – version 3.0 will offer Web-based email services – and WebTen goes a step further by offering access to NFS volumes over the network. WebTen’s already-extensive functionality can be extended via WebSTAR plug-ins; standard Mac OS CGIs (plus CGI scripts written as Perl, command shell, or AppleScript scripts); and a growing collection of Apache modules, which are more-or-less the Apache equivalent to WebSTAR plug-ins and often offer similar functionality. And WebTen definitely delivers the bytes, offering better overall performance than any other server on the Mac OS or Mac OS X Server, although this is immaterial for most home and small office Internet connections, which can be saturated even by low-power servers like Personal Web Sharing.
For all its power and its ability to tap into the strengths of the Apache open source community, WebTen can be an awkward hybrid of Mac OS and Unix. All server configuration is done via a Web browser; these facilities are complete but clumsy, never letting you forget you’re dealing with something not born of the Macintosh. (Alternatively, you can directly edit the text files controlling WebTen’s configuration – just like Unix.) Since WebTen includes its own file system and networking capabilities – and unavoidably incorporates a lot of terminology and conventions from Unix – using WebTen effectively means having a strong working knowledge of both the Mac OS and Unix/Apache worlds. If you have that expertise, WebTen’s power and flexibility can be an outstanding value; without it, using WebTen might be a confusing and frustrating experience.
Protect Your Mail Servers
Email Servers are, after Web servers, the most common service people with dedicated connections want to run for themselves. Why be limited to a handful of mailboxes or addresses supplied by your ISP–and be hamstrung with strict account quotas–when you could run your own server and have as many mailboxes as you like? Why not set up your own autoresponders, provide forwarding addresses or mailboxes for family and friends, or set up your own mailing lists?
Running your own mail server(s) can provide a number of new opportunities–but you need to be careful you don’t expose your servers to abuse from spammers and other malcontents. The primary danger of running your own mail server is that you must be certain it isn’t open to third party relaying. Back in the old days of the Internet, relaying was a good and necessary thing: backbone connections were rare and usually far away (in terms of network topography), so sending a mail message to a user on a remote network often meant passing it along through a series of mail servers between you and your correspondent. This relaying service was provided freely by the intervening networks, mostly as a courtesy.
These days, the Internet is far more interconnected, and mail servers can almost always talk directly to each other without relying on intervening relays. More significantly, the Internet is now deluged with spam, or unsolicited commercial email. Virtually nobody likes spam–especially network providers, whose mail servers are placed under heavy loads and have their disks filled up with hundreds or thousands of unwanted offers for everything from hair restoration formulas to long distance telephone service (and those are just examples I can use in a family-friendly publication). Sending spam violates the acceptable use policies of virtually every network on the planet, and administrators usually waste no time cancelling the accounts of users who distribute spam–in some cases, ISPs and spam recipients can even pursue legal action against spammers.
Thus, spammers with any twinkling of intelligence don’t use their ISP’s mail servers to distribute their garbage–they know they’ll be caught! Instead, they run their own mail servers on a machine connected to a dial-up account (usually acquired under false pretenses), or they use programs which scour the Internet looking for remote mail servers which allow third party relaying. As soon as they find an open relay, they swiftly begin pumping spam through it, and even tell other spammers about it. If that open relay happens to be on your network, the result is that your mail server and your network connection are being used to deliver spam. In addition to annoying hundreds, thousands, or tens of thousands of people, this will inevitably cost you real money and your network connection: if your upstream provider realizes your server is being abused, they’ll block email service to your server, or shut down your connection. You’ll get one warning at best.
Having an open relay is a problem even if spammers don’t discover it. Increasingly, services like the Open Relay Behavior Modification Service (ORBS) search for open relays that could be abused by spammers, then add them to a globally-accessible blacklist. An increasing number of mail servers (including EIMS 2.2; see below) can tie into these blacklists and block mail from any servers they list. If your server is blacklisted, you and your users will be unable to send email to a large (and growing) number of Internet sites. Other blacklists–like the MAPS Realtime Blackhole List (RBL) and the MAPS Dialup User List (DUL) (aps.vix.com)–can be used to block mail from known spam-friendly networks or mail sent directly from IP addresses in dialup modem pools.
All this doesn’t mean relaying is inherently bad–in fact, there are still many legitimate uses for email relaying. But an unsecured relay will inevitably be abused. As someone running an “endpoint network” that doesn’t provide email or other services to other networks downstream from you, you’re unlikely to require any sort of relaying capability. If you do, you’ll need to plan carefully so that only legitimate users can relay through your system, and it can’t be abused by spammers.
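As an added example (not code from this article, nor from EIMS, SIMS or any other product named here), this is the recipient-acceptance rule a small SMTP server needs to satisfy the advice above: anyone may deliver mail to your own domains, only your own network may send mail out, and everyone else gets “relaying denied.” It also shows the reversed-octet DNS query name by which the RBL-style blacklists above are consulted, and a self-check that flags the classic misconfiguration of trusting the whole Internet as local. The domain, network and blocklist-zone names are constructed placeholders, and the blocklist answers come from an inline table rather than live DNS.

```python
"""Relay policy and blocklist lookup for a small SMTP server (added example)."""
import ipaddress


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the standard DNS-based blocklist query name: reversed dotted
    quad followed by the list's zone, e.g. 4.3.2.1.<zone>."""
    octets = str(ipaddress.ip_address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


class RelayPolicy:
    def __init__(self, local_domains, relay_networks, dnsbl_zone, listed_names):
        self.local_domains = {d.lower() for d in local_domains}
        self.relay_networks = [ipaddress.ip_network(n) for n in relay_networks]
        self.dnsbl_zone = dnsbl_zone
        # Constructed stand-in for live DNS: a name present here is "listed".
        self.listed_names = set(listed_names)

    def is_listed(self, client_ip: str) -> bool:
        return dnsbl_query_name(client_ip, self.dnsbl_zone) in self.listed_names

    def may_relay(self, client_ip: str) -> bool:
        addr = ipaddress.ip_address(client_ip)
        return any(addr in net for net in self.relay_networks)

    def rcpt_to(self, client_ip: str, recipient: str) -> str:
        """Return the SMTP reply the server should give to RCPT TO."""
        if self.is_listed(client_ip):
            return "550 5.7.1 Connecting host is on a blocklist"
        domain = recipient.rsplit("@", 1)[-1].lower()
        if domain in self.local_domains:
            return "250 2.1.5 OK"            # inbound mail for our own users
        if self.may_relay(client_ip):
            return "250 2.1.5 OK"            # outbound mail from our own network
        return "550 5.7.1 Relaying denied"   # third-party relay attempt


def is_open_relay(policy: RelayPolicy) -> bool:
    """Self-check: would an arbitrary outside host be allowed to send to an
    arbitrary outside address through this policy?  (Probe addresses are
    from the RFC 5737 / RFC 2606 documentation ranges.)"""
    return policy.rcpt_to("203.0.113.77", "someone@example.net").startswith("250")


# A sane endpoint-network policy (constructed values).
SAFE = RelayPolicy(
    local_domains=["example.com"],
    relay_networks=["192.168.1.0/24"],      # the LAN behind the server
    dnsbl_zone="dnsbl.example",             # placeholder blocklist zone
    listed_names={dnsbl_query_name("198.51.100.9", "dnsbl.example")},
)
# The classic mistake: treating every address on the Internet as "local".
OPEN = RelayPolicy(["example.com"], ["0.0.0.0/0"], "dnsbl.example", set())

if __name__ == "__main__":
    print(SAFE.rcpt_to("192.168.1.20", "friend@example.net"))  # 250: own user sending out
    print(SAFE.rcpt_to("203.0.113.5", "bob@example.com"))      # 250: inbound to us
    print(SAFE.rcpt_to("203.0.113.5", "x@example.net"))        # 550: relay denied
    print(SAFE.rcpt_to("198.51.100.9", "bob@example.com"))     # 550: listed host
    print("open relay:", is_open_relay(OPEN))                   # True
```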
In addition to email servers built into products like WebSTAR Server Suite and AppleShare IP, standalone list server and mailing list products exist for the Mac OS.
Eudora Internet Mail Server, or EIMS, written by Glenn Anderson for Qualcomm, is one of the longest-standing Internet email servers for the Mac OS, starting off life as the free MailShare, then becoming an Apple product under the name Apple Internet Mail Server (AIMS) in 1995, then shifting to Qualcomm and becoming EIMS in 1997. In a nutshell, EIMS offers POP and SMTP mail service, meaning you can use it to send and receive mail directly from other sites on the Internet, rather than using your ISP’s mail servers. There are two versions of EIMS: the free EIMS 1.3.1, which offers basic SMTP and POP services for a single domain, and the $249 commercial EIMS 2.2.2, which offers support for multiple domains, remote administration, and directory services; it can also automatically configure copies of Eudora on your network and utilize spam-fighting mail filters that can block mail from known open relays, from spam-friendly networks, or sent directly from dial-up nodes (see above). All versions of EIMS are robust and stable (some folks using the commercial version of EIMS support tens of thousands of accounts), and require minimal hardware–for years, I ran EIMS on an SE/30 with absolutely no difficulties or load problems. Neither version of EIMS offers an IMAP mail server, so if you have your heart set on using IMAP, you’ll need to look elsewhere. Both versions of EIMS can be set up to prevent relaying–thus preventing spammers from hijacking your servers–and can incorporate other security restrictions.
Stalker Internet Mail Server, or SIMS, is a free mail server from Stalker Software that offers capabilities that aren’t available in the free version of EIMS–and even a few that aren’t available in the commercial version! SIMS offers POP and SMTP mail service, although like EIMS it doesn’t offer an IMAP mail server. SIMS also sports sophisticated anti-spam capabilities, AppleTalk-based mail, Web-based remote administration, account quotas, and support for multiple domains. SIMS has minimal system requirements, handles some features more neatly than EIMS (like autoreplies and simple mailing lists), and can even use the Mac OS’s Users and Groups authentication if you’ve already set up a particular machine the way you like it (say, for File Sharing or FTP use). Stalker also makes the commercial CommuniGate, which adds support for intermittent Internet connections (such as dialup accounts) and offers modules which add support for IMAP service as well as unexpected capabilities like pager, UUCP, fax, and even some pre-release voice telephony features.
Several add-on products are available for use with either EIMS or SIMS (and, often, both), including mailing list services, software to handle multiple domains, sophisticated forwarding, and the like. If you need something these products don’t offer, don’t despair: check out products like MailBurst or AutoShare (see below).
Make Your List
Mailing List Servers are a category of mail server, but instead of providing services for local users like individual email addresses, POP mailboxes, or forwarding, mailing list servers distribute messages to lists of email addresses which can exist anywhere on the Internet. Mailing lists are usually focused on a particular topic or subject area, which can be virtually anything about which people can form a shared interest. Some mailing lists are high-traffic, free-wheeling discussions amongst hundreds or even thousands of people; others are moderated, meaning only messages approved by the list administrator(s) are distributed to the entire mailing list. At a minimum, mailing list servers need to offer features for list management, automated subscription requests, and both public and moderated lists. Mailing lists can be among the most valuable resources on the Internet–you probably subscribe to a few mailing lists already–and if you start running your own Internet servers, you’ll doubtless subscribe to a few more to keep up on the software.
Because traditional mail servers and mailing list servers offer different features, you can’t choose to use one or the other. Further, since both types of programs use the same sets of Internet services, they often can’t be run on the same machine. In short, if you’re thinking of running a mailing list server, you’ll also need a separate SMTP mail server. In fact, this can be beneficial–it’s often useful to have an SMTP mail server act as a gateway for email that goes to your list server, since SMTP servers typically offer better account management, error reporting, security, and anti-spam features than mailing list servers.
LetterRip Pro, from Fog City Software (http://www.fogcity.com, $395), is the leading mailing list server for the Macintosh, and offers superior performance and stability coupled with great ease-of-use. Creating and managing lists with LetterRip Pro is simple and straightforward, and its administration program can be run from any Macintosh with an Internet connection, so you can manage your server remotely. LetterRip is very well thought through (you can almost always count on LetterRip Pro to do the right thing), offers all the basic functionality you expect from mail servers, and is actively supported by Fog City and a fervent user community. However, what LetterRip gains through ease of use it tends to sacrifice in flexibility: it doesn’t try to be all things to all people. If you need to offer unusual mailing list services, you can extend LetterRip’s functionality through external programs (which can be written in AppleScript or other scripting languages), but that may not provide enough leeway, depending on your needs. LetterRip’s performance can’t be rivalled: it can easily accommodate large active lists on decade-old Macintoshes with minimal memory.
ListSTAR, from StarNine Software (http://www.starnine.com/liststar/, $295), was the first commercial mailing list server for the Macintosh on the market, and still sports more flexibility than any other package, offering standard mailing list services along with sophisticated rule-based processing of messages that enables highly customized services–and you can also link into other applications with AppleScript or other scripting languages to extend ListSTAR’s potential even further. However, ListSTAR’s capabilities come at a price: ListSTAR’s interface is a convoluted series of nested dialog boxes which make sense once you get used to them but nevertheless require constant navigation and mouse clicking. ListSTAR offers no remote administration capabilities, and its SMTP engine is pokey by today’s standards, although its performance is still good enough for many large, high-volume lists. ListSTAR has also been neglected by StarNine, with no product updates since 1997; StarNine is currently completing work on ListSTAR 2.0, which may address many of ListSTAR’s current shortcomings, but it’s likely to be the product’s final update.
Utilities and Security
If you run your own Internet servers, you’re going to need a few basic tools to determine if your line is up, if your servers are responding, if remote networks are operating normally, and where incoming traffic originates. Sustainable Softworks’ IPNetMonitor is a preferred utility for these purposes, combining commonly used tools like ping and traceroute with great DNS services, lookup functions like WhoIs and Finger, plus connection monitoring for your local system–it’s a kitchen sink of commonly-used utilities. It can also scan addresses looking for active machines and includes a handy subnet calculator, which is useful if you set up a lot of networks but is probably unneeded once you’ve got your own up and running. However, IPNetMonitor is slightly invasive–it modifies your Open Transport configuration, so uninstalling it or using different system software can be a hassle. Less full-featured but still useful is Mac TCP Watcher from Stairways Software, which is non-invasive and offers a traceroute tool, DNS lookups, and utilities to test connectivity, but lacks WhoIs and name server lookup features and other features of IPNetMonitor. For WhoIs lookups, you can use Stairways’ free (but unsupported) Finger program, but you still don’t get all the tools and flexibility of IPNetMonitor.
If you’re one of those people who has to get their hands dirty disassembling packets and analyzing your network down to the last minuscule detail, there’s only one tool for you: AG Group’s EtherPeek. It has a higher geek factor than anything else mentioned here–the more you know about networking before you start using EtherPeek, the more you’ll get out of it. EtherPeek is the premiere utility for analyzing network traffic, offering summary statistics, packet filtering, comprehensive protocol decoding, and much, much more: it’s the essential tool for low-level packet analysis, security testing, network diagnostics, and network performance. Unfortunately, its $1,000 price tag puts it out of consideration for ordinary users, and its features are truly overkill for a home or small office network. But it’s there if you need it.
Securing Your Network
If you’re planning to run your Internet servers using Macintoshes, you’ve made a good decision from a security standpoint. Since Macs aren’t multi-user systems, they don’t have the sorts of services that are routinely exploited by hackers who break into sites running Unix or Windows NT systems. (In fact, the U.S. Army recently changed its public Web server from Windows NT to Mac OS specifically to foil miscreants who had been successfully attacking their site.)
This doesn’t mean you can ignore security concerns: just because Macs don’t have security holes when they come out of the box doesn’t mean you can’t easily (or inadvertently) expose your network or your servers to hackers. Although volumes can be–and regularly are–written about network security, the following principles should get you started:
* Your servers are only as secure as your weakest password. If a hacker is determined to get into your systems, they’ll throw dictionaries at your password prompts, looking for any service–email, Web, FTP, anything–that has an easily breakable password. Don’t allow your users to use easily-guessed passwords like their last name, the name of their best friend or pet, or any word that can be looked up in a dictionary. I usually set users’ passwords myself, but otherwise I tell them to use passwords that combine short words, like something from a song lyric–“IfItsNot2Dear” might be derived from the Beatles’ “When I’m Sixty-Four.” I encourage users to use passwords which are at least eight characters long, use both upper and lower case letters, and include at least one digit.
* Consider a firewall. A firewall is a system on your network, either running as a program on a gateway computer, built into your router, or operating as a standalone device. Its purpose is to allow you to specify what sort of traffic is allowed in and out of your network. For instance, you may allow Internet users to send Web (HTTP) traffic to port 80 on your public Web server, but not to other systems. This would allow you to run private Web sites that are only visible on your private network–perhaps useful for a business or organization–without fear that Internet users could see those servers: any requests to them would be stopped by your firewall. Similarly, you could decide to block all ping packets to machines on your network–thus preventing hackers from knowing how many machines you have, or launching ping-based attacks against them (like the
Ping of Death, to which older Macs are not immune.
Firewalls aren’t as necessary on small Mac-only networks as they are in other environments–after all, the Mac OS effectively has its own built-in firewall. But if you find your network being probed by outside users, have non-Macintosh computers on your network (heaven forbid), or need to monitor both inbound and outbound use of your network (perhaps to block inappropriate content), a firewall might be a good solution. Various software routers–like IPNetRouter and Vicomsoft products–include firewall capabilities; WebSTAR Server Suite’s Proxy Server can also prove useful, as might Maxum’s WebDoubler for a small network. Netopia and other companies also make standalone hardware devices that act as sophisticated firewalls. If you need to protect a single machine, look at Open Door’s DoorStop, which provides highly configurable security for a single Mac, or look at the recently-released NetBarrier from Intego. Firewalls are a complex topic; for a more detailed overview, see Chris Pepper’s article “What’s a Firewall, and Why You Should Care” in TidBITS.
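The first principle above (weak passwords fall to dictionary attacks, so require eight or more characters, mixed case, a digit, and no dictionary word or personal name) is easy to turn into a check you run before handing out an account. This is an added example, not code from the article or any product it names; the word list and the user details are constructed stand-ins, and the “strip decoration before the dictionary lookup” step goes one step beyond the text, since a word with digits tacked on is still a dictionary word to a cracking tool.

```python
"""Password-policy check for new server accounts (added example)."""
import re

# Constructed stand-in for a dictionary file (one lower-case word per line).
DICTIONARY = {"password", "secret", "dear", "sixty", "four", "beatles", "fluffy"}


def password_problems(password, user_details=(), dictionary=DICTIONARY):
    """Return a list of rule violations; an empty list means acceptable.

    user_details: strings the password must not equal (last name, pet name,
    best friend's name), compared case-insensitively.
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[a-z]", password) or not re.search(r"[A-Z]", password):
        problems.append("needs both upper- and lower-case letters")
    if not re.search(r"[0-9]", password):
        problems.append("needs at least one digit")
    lowered = password.lower()
    if any(lowered == detail.lower() for detail in user_details):
        problems.append("is a name associated with the user")
    # Beyond the text: drop digits and punctuation before the lookup, so
    # "Secret99!" is still caught as the dictionary word "secret".
    core = re.sub(r"[^a-z]", "", lowered)
    if core in dictionary:
        problems.append("is a dictionary word (with or without decoration)")
    return problems


if __name__ == "__main__":
    # The article's own song-lyric password passes every rule.
    print(password_problems("IfItsNot2Dear", ["Duncan", "Fluffy"]))   # []
    print(password_problems("Fluffy1", ["Duncan", "Fluffy"]))         # too short, dictionary
    print(password_problems("Secret99!"))                             # dictionary word
```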
More Things to Think About
Overwhelmed yet? Good! That means you’ve got a reasonable grip on the reality of running your own servers on a dedicated connection. Keep in mind that very few home and small business networks have to deal with all the issues mentioned here–and virtually none have to use all the products mentioned so far! Your situation probably won’t be as complex as this article implies, so don’t be too intimidated.
One issue, however, you will undoubtedly face: how to make sure your servers are still running? Software programs crash, power goes out, cats play with your networking cables–plenty of things can go wrong at virtually any time. For months after setting up my network, I thought my servers had a “Geoff Detector”–they’d operate flawlessly while I was around, but if I so much as left to get groceries, something would crash. It was maddening.
The first thing to consider is Uninterruptable Power Supplies, or UPSes. Basically, these are sizable batteries that kick in as soon as your AC current fades or disappears, keeping your servers running even if your power goes out. Most UPSes also serve as surge protectors and line conditioners, helping protect your equipment from brownouts and power surges–this alone can significantly extend the life of your equipment if you live in an area with flaky power. The leading manufacturer is American Power Conversion (APC), which makes a wide range of top-notch products. I have three UPSes for my systems, and they’re all from APC–my desktop Mac, entire network, and Internet connection can remain functional for over an hour if I lose power. The downside to APC products is that their PowerChute Macintosh software is only capable of shutting down a single Macintosh in the event of a power failure (not enough if you buy a sizable UPS for multiple systems), requires a free serial port (bad if your Macs don’t have serial ports), and is generally flaky. Tripp Lite has recently released a version of its well-regarded PowerAlert UPS management software for the Macintosh, but I haven’t been able to evaluate it. Even without management software, however, so far as I’m concerned UPSes are absolutely necessary equipment.
If you can keep your servers running even when the power’s off, you definitely want to make sure your server applications are running! A good solution for monitoring applications is Karl Pottie’s Keep It Up, a shareware application that can monitor applications running on a Macintosh and re-launch them if necessary, or restart the Mac if too many relaunches have occurred. Keep It Up can also restart your Mac on a fixed schedule (say, 1 A.M. every Sunday morning), make sure a particular application (like a Web or email server) is always in the foreground, and offers Web-based remote administration for managing the applications running on your Mac. Karl also makes AutoBoot, a control panel that’s supposed to restart your Mac in the event of a total system freeze. Some folks swear by it, but my results weren’t reliable.
Other options for keeping your Mac running include the PowerKey series and the PowerKey Rebound from Sophisticated Circuits. These are hardware devices–the PowerKey Pro is essentially a smart, programmable power strip. You can configure various models of the PowerKey to restart your Mac, restart after a power failure, monitor applications, or even launch programs or run scripts on a particular schedule. PowerKey Pro models even offer telephone ring detection, so you can restart a crashed Macintosh simply by calling its PowerKey on the telephone, or trigger any other previously configured PowerKey event.
The PowerKey Rebound is a small ADB device that connects to your Macintosh: if it can’t communicate with the PowerKey Rebound software on your Mac, it assumes your system has crashed and performs the equivalent of pressing the Control, Command, and Power keys to restart the system. The Rebound can also perform application monitoring, determining whether applications are still running, or even if some particular applications (like WebSTAR) are experiencing error conditions and should be restarted. The current version of the Rebound software adds enhanced logging, flexibility, and scripting support.
Lazarus is another ADB-based product, from Kernel Productions, which always restarts the Mac by cycling its power on and off–this is more stressful on the hardware, but unless your Mac crashes very frequently, it probably won’t make much difference in the long run. Lazarus generates HTML-formatted logs, which is handy if you’re trying to diagnose a system remotely and can access it via the Web.
MacCoach, from Neuron Data Systems, is also ADB-based and is very similar to the Rebound, but can generate HTML-formatted logs and claims to have “zero overhead” for application-monitoring–although none of the other solutions seem to have very much overhead.
The problem with all these products is that they require a Mac with an ADB port to perform some or all of their functions. If you have an iMac or another recent Macintosh without an ADB port, these products aren’t of any use. Sophisticated Circuits is working on similar products for USB-equipped Macs; I haven’t heard of any pending solutions from other companies.
Always Back Up!
I know I probably sound like an old mother hen, but it really can’t be repeated often enough. If you’re thinking about running your own Internet servers, you’ll have at least two networked systems in your home or office. All the time you spend configuring them, authoring Web pages, setting up mailing lists, and getting your account info just right will be for naught if you don’t back up your data! A networked group of Macintoshes is the perfect setting for backups. I don’t care whether you back up to DAT tapes, writable CDs, or other removable media–with programs like Retrospect or BackJack, you can even back up your data to another site using your Internet connection. But, please, back up your data zealously–you won’t regret it.