Troubleshooting, debugging Apple Mail connections

For troubleshooting connectivity issues with Apple Mail and an IMAP account:
Ensure Mail is not running. This presumes your account uses SSL/TLS (and therefore port 993), as it should.
While logged in as the user in question, use the Terminal to issue:

/Applications/ -LogSocketErrors YES -LogActivityOnHost -LogIMAPErrors YES -LogActivityOnPort 993 &> ~/Desktop/ConnectionLog.txt

Quit Mail from within the app after a minute or less. You can watch for connections to complete in the Activity window (under Mail’s Window menu). The log will contain server and account details, so treat it as sensitive and delete it once you are done with it.

For an Exchange account (which Mail talks to via Microsoft’s EWS),
ensure Mail is not running, and while logged in as the user in question, use the Terminal to issue:

/Applications/ -LogHTTPActivity YES -LogEWSAutodiscoveryActivity YES >& ~/Desktop/MailEWS.log

Use the Window menu in Mail to bring up the Activity window, and wait for connection(s) to complete. Or give it a minute.
Quit Mail from within the app, and check the log.

iOS 9 Calendar stops working, won’t sync with OS X Server-based Caldav server

As always, you accept any and all risk when making advanced changes on your (OS X) server. That said, I wanted to share the following solution that has solved the problem of my iPhone (updated to iOS 9 and then the iOS 9.0.1 patch without resolution) no longer connecting to/updating/syncing with the Calendar (CalDAV) server hosted on OS X Server 10.9.5 (with all security updates).

The following led me to a fix:

However, that post is missing the specifics you need for 10.9 Server.
The launchd plist for 10.9 OS X Server lives at
But do not edit that file.
Instead, it includes:
/Library/Server/Calendar and Contacts/Config/caldavd-system.plist
which is where the change needs to be made.

Stop calendar server by issuing – via the terminal,

sudo serveradmin stop calendar
cd /Library/Server/Calendar\ and\ Contacts/Config/

Make a backup of the existing file first !
sudo cp -p caldavd-system.plist caldavd-system.plist.bak

Edit caldavd-system.plist
For example,
sudo nano -w caldavd-system.plist
look for the item <key>SSLCertificate</key>
and the line after it, <string>/etc/certificates/your.servername.SOMEUPPERCASEALPHANUMERICSTRING.cert.pem</string>

and leave those alone !
After that <string> line, add the following lines, each beginning with a tab (where you see initial whitespace):




Save the file (Ctrl-O in nano, then Ctrl-X to exit) to commit the changes.
Start the calendar server while keeping an eye on its error log (eg. in another Terminal window: tail -f /var/log/caldavd/error.log ):
sudo serveradmin start calendar

At this point, on my iPhone I deleted the CalDAV account setup and added the account back successfully, using SSL and without any errors. Calendar events that had been created on my Mac workstation but had failed to show up on my iPhone since the iOS 9 update all showed up.
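Hand-editing XML in nano is where a CalDAV server most often gets broken (a stray character makes the plist unparseable and the service then refuses to start). The following is an added example, not code from the original post or from Apple’s Calendar Server: it performs the same backup / edit / verify sequence with plistlib, refusing to touch a file that does not parse as a top-level dict, writing through a temporary file, and re-reading the result before declaring success. The sample plist contents and the key name ExampleKey are hypothetical stand-ins; the lines you actually need to add come from the post above, and on a live server the script would be run with sudo against the real path.

```python
"""Safe edit of a caldavd-style plist: back up, change, re-validate.

Added example (not from the original post or Apple's Calendar Server).
The sample plist and the key "ExampleKey" are hypothetical; substitute
the real keys the fix calls for.
"""
import plistlib
import shutil
import tempfile
from pathlib import Path

# Constructed sample resembling the relevant part of caldavd-system.plist.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>SSLCertificate</key>
    <string>/etc/certificates/your.servername.UPPERCASE.cert.pem</string>
    <key>EnableSSL</key>
    <true/>
</dict>
</plist>
"""


def set_plist_keys(path, updates, backup_suffix=".bak"):
    """Back up `path`, set each key in `updates` on the top-level dict,
    write the result through a temp file, and re-parse what was written.
    Returns the verified top-level dict.  Raises before touching anything
    if the file is not a plist whose top level is a dict."""
    path = Path(path)
    with path.open("rb") as fh:
        data = plistlib.load(fh)          # raises on malformed XML/plist
    if not isinstance(data, dict):
        raise ValueError(f"{path}: top-level object is not a dict")

    backup = path.with_name(path.name + backup_suffix)
    shutil.copy2(path, backup)            # copy2 keeps mode/mtime, like cp -p

    data.update(updates)
    tmp = path.with_name(path.name + ".tmp")
    with tmp.open("wb") as fh:
        plistlib.dump(data, fh, fmt=plistlib.FMT_XML, sort_keys=False)
    tmp.replace(path)                     # atomic swap on the same filesystem

    with path.open("rb") as fh:           # prove the file still parses
        verified = plistlib.load(fh)
    for key, value in updates.items():
        if verified.get(key) != value:
            raise RuntimeError(f"{key} did not round-trip")
    return verified


def demo():
    """Run the edit against a temporary copy of SAMPLE_PLIST and report
    the verified dict plus whether the backup is byte-identical."""
    workdir = Path(tempfile.mkdtemp())
    target = workdir / "caldavd-system.plist"
    target.write_bytes(SAMPLE_PLIST)
    result = set_plist_keys(target, {"ExampleKey": "ExampleValue"})
    backup_ok = (workdir / "caldavd-system.plist.bak").read_bytes() == SAMPLE_PLIST
    return result, backup_ok


if __name__ == "__main__":
    result, backup_ok = demo()
    print(result["SSLCertificate"], result["ExampleKey"], "backup intact:", backup_ok)
```

Because the temp file is created by the running user, ownership of a file under /Library/Server is preserved only when the script runs as root (sudo), which is what serveradmin expects anyway.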

calendarserver.push.applepush.APNProviderFactory Connection to APN server lost: [Failure instance: Traceback: : [(‘SSL routines’, ‘SSL3_READ_BYTES’, ‘ssl handshake failure’)]

The following error was being logged on OS X Server (10.9.x) with calendar server in use, in /var/log/caldavd/error.log:

“caldav  [APNProviderProtocol (TLSMemoryBIOProtocol),client] [calendarserver.push.applepush.APNProviderFactory#info] Connection to APN server lost: [Failure instance: Traceback: <class ‘OpenSSL.SSL.Error’>: [(‘SSL routines’, ‘SSL3_READ_BYTES’, ‘ssl handshake failure’)]”

Before proceeding, ensure that you have a known-good, working SSL certificate. I’m using a commercial (purchased, not self-signed) certificate.

In my case, the following steps remedied the above error:

Verify your SSL certificate setup (I’m using a commercial one).

In the Server app, click on Calendar, and under “Settings” look for “Push Notifications: Enabled”.
Hit the Edit button.

Use the Renew button in the pop-up dialog box, even if your current push certificate isn’t expired.
Stay in that same pop-up dialog, and click the arrow beside the bottom-most (small) grey text, “Manage your certificates.” Log into Apple’s Push Certificates Portal
and revoke any old, expired certs. Heed the warnings stated there !

Back in the Server app, click on the very top item in the left-hand column, your server name (eg: server), and UN-check the last check-box, “Enable Apple push notifications.”
Wait a full 30 seconds.
Check (click on, enable) that same box to re-enable Apple push notifications.

Check your log (tail -f /var/log/caldavd/error.log) and the errors should now be gone.

Office 2016 for Mac, and local storage of email

Office 2016 for the Mac – as you may or may not know by the time you read this – is currently available, via an Office365 subscription. See

With Office 2011 for Mac, your Outlook files were stored within your Documents folder, in the folder “Office 2011 Identities” inside of the “Microsoft User Data” (~/Documents/Microsoft User Data/Office 2011 Identities).

This has changed as of Office 2016. Outlook 2016 keeps its local data inside the user’s Library folder, under “Group Containers”:
~/Library/Group\ Containers/XXXXXXXXXX.Office/Outlook/Outlook\ 15\ Profiles/Main\ Profile/Data

(where “XXXXXXXXXX” is a 10-character alphanumeric string). Note that ~/Library is hidden in the Finder by default; hold down the Option key while opening the Finder’s Go menu to reveal it.

pf & logging in 10.8 and 10.9

The pf firewall (see ) is an excellent tool and there are many reasons I prefer it to ipfw (the native/built-in option supplied in versions of Mac OS X prior to 10.7). It is not to be confused with the Application Firewall (see

The problem with pf in OS X is that logging is problematic – pretty much broken.
In an effort to remedy this situation, I went searching and found Charles Edge’s post here to be particularly helpful:

and just as much, the following post that he refers to:

The Emerging Threats ETOpen ruleset is a great discovery.

Now then: in order to achieve reliable logging for pf, I suggest having launchd run a small script via a LaunchDaemon plist, as shown:

pflog plist






The script that the plist calls is simply:
/sbin/ifconfig pflog0 create
/usr/sbin/tcpdump -lnettti pflog0 | /usr/bin/logger -t pf -p

Note that logger’s -p option takes a facility.priority argument (see logger(1)); supply the one your syslog configuration routes to the log you want. The tcpdump flags (-l line-buffered so lines reach logger promptly, -n no name resolution, -e print the pflog header with rule number and action, -ttt delta timestamps, -i pflog0) are the ones I found to result in the most useful information being logged, for my needs. Read the manpage and adjust as desired.

Also note that adding a firewall entry for pf via pfctl doesn’t appear to work. I suggest creating your own tables, configuring /etc/pf.conf appropriately to refer to them (please DO leave any and all existing entries untouched), maintaining your custom table file(s) by hand (with due caution !), and then loading the ruleset with
sudo pfctl -f /etc/pf.conf

to invoke your changes. Before loading, parse the file without applying it (pfctl -n with the same -f argument) so a syntax error can’t leave you with no ruleset, and afterwards confirm what is active with pfctl -s rules.

0x00000002 error when attempting to add a provisioned printer for a PC bound to the domain

An example scenario is that only one or two PCs can’t add a server-provisioned printer (be it via GPO/Group Policy Preferences or some scripted method), and on the client the “Connect to Printer” dialog says “no driver found.”

When you try to add the shared printer manually, the error message contains the code 0x00000002.

Odds are good that your server is a 64-bit OS, and so is the only printer driver installed for the share, while the failing clients are running 32-bit Windows 7.
Locate and download the 32-bit version of the driver for your 32-bit version of Windows 7, and use that when adding the printer. (On the server, the same 32-bit driver can also be added under the shared printer’s Sharing tab, Additional Drivers, so that 32-bit clients pick it up automatically.)

VPN Setup with Zyxel USG devices – Zyxel router and client VPN configuration

This is going to be a very bare-bones post. My goal is to get right to the required details without much elaboration.

Please keep in mind that setting up a working VPN configuration is typically a process, and every vendor names and handles things differently. These settings may not be the most secure options for a VPN setup but they will work. Start with a working configuration first ! And then if you wish, alter only one parameter at a time, making sure they match at both ends (Zyxel USG router/firewall and VPN client). Do your research and understand what you are changing and why.

To begin, you will need a working network setup behind a Zyxel USG router/firewall with VPN functionality, and either the Zyxel VPN client software for Windows client workstations, or IPSecuritas for Mac OS (note that I won’t cover the configuration of IPSecuritas specifically here, but it should be very easy to translate).
If you do use IPSecuritas, please make sure to make a donation to the
developer !

The Zyxel client VPN software can be purchased online from Amazon or Provantage.

One vital thing to keep in mind is that if your IP schema (LAN IP address type and range) at home, or at any cafe or office you visit,
matches that of the main office that you want to connect to, the VPN connection will not work.
This is VPN 101 material: the remote network’s IP address range must not overlap that of the network you wish to make a VPN connection to.
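The overlap rule bites on more than identical subnets: a wider block on the client side (a /23 that contains the office /24, say) collides just the same, because the client’s own LAN route wins over the tunnel route. As an added example that is not part of the original post, the following check uses Python’s standard ipaddress module to compare the office LAN1_SUBNET against the networks a roaming client might be sitting on; the address plan is constructed for the example.

```python
"""Flag client-side LANs that overlap the office subnet behind the VPN gateway.

Added example, not from the original post; the address plan is constructed.
"""
import ipaddress

# Hypothetical address plan: the office LAN1_SUBNET behind the USG, and the
# LANs a roaming client might connect from.
OFFICE_LAN1_SUBNET = "192.168.1.0/24"
CLIENT_NETWORKS = {
    "home": "192.168.1.0/24",            # identical schema: the tunnel will not work
    "cafe": "10.20.0.0/16",              # no overlap: fine
    "partner_office": "192.168.0.0/23",  # wider block that still contains the office range
}


def overlapping_networks(office_subnet, client_networks):
    """Return the names of client networks whose address range overlaps the
    office subnet.  Any overlap, not just an identical subnet, means the
    client's local route and the tunnel's remote policy collide."""
    office = ipaddress.ip_network(office_subnet, strict=False)
    conflicts = []
    for name, cidr in client_networks.items():
        if ipaddress.ip_network(cidr, strict=False).overlaps(office):
            conflicts.append(name)
    return conflicts


if __name__ == "__main__":
    for name in overlapping_networks(OFFICE_LAN1_SUBNET, CLIENT_NETWORKS):
        print(f"{name}: overlaps {OFFICE_LAN1_SUBNET}, VPN will not route")
```

If the office uses one of the common defaults (192.168.0.0/24 or 192.168.1.0/24), the practical fix is to renumber the office LAN to something less likely to be met on the road, since you cannot control the addressing at a cafe.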

Zyxel USG configuration:
Connect to your Zyxel as usual ( https://ip.ofyour.zyxel )
Navigate to:
Configuration, Object, Address

Create an address for your local subnet, name it: LAN1_SUBNET
Interface: lan1

Create Address Object
Name: RemoteDynamicClient
Address Type: HOST
IP Address:

Now navigate to VPN, IPSec VPN:
VPN Gateway, choose Add
Click “Show Advanced Settings”

Enable (checkbox),
VPN Gateway Name: Dynamic_Tunnel
My Address, Interface: wan1

Peer Gateway Address:
Dynamic Address

Pre-Shared key. You need to make this LONG and complex.
Record it securely.

Phase 1 Settings:
SA Lifetime: 86400
Negotiation Mode: Main
Encryption: 3DES, Authentication: SHA1
Key Group: DH1

(3DES, SHA1 and DH group 1 (768-bit MODP) are weak by today’s standards. Once the tunnel works, move both ends to AES-256, SHA-256 and DH group 14 or higher if your USG firmware and client support them, changing one parameter at a time as noted above.)

Enable (checkbox) NAT Traversal & Dead Peer Detection
Note that Extended Authentication does work, but move on to that only after you have the rest working.
Click OK.

Go to the “VPN Connection” tab to the left.
If it isn’t already enabled, enable “Use Policy Route to control dynamic IPSec rules”.
Click Add.
Click Show Advanced Settings.
Enable (checkbox)
Connection Name: Dynamic
VPN Gateway: Site-to-site with Dynamic Peer
VPN Gateway (select): Dynamic_Tunnel (you just set this up in the steps above)

Local Policy: LAN1_SUBNET
*Remote Policy: RemoteDynamicClient

Phase 2 Settings:
SA Lifetime: 86400
Active Protocol: ESP
Encapsulation: Tunnel
Encryption: 3DES, Authentication: SHA1 (the same caveat as for Phase 1 applies)

Leave the rest untouched.

In the firewall rules, create a new rule at the top:
From any to ZyWALL
Source Any, Destination Any
Service L2TP-VPN
Enable logging on this rule if you want to debug your VPN; otherwise there’s no need.

Add a second rule:
IPSec_VPN to any (Excluding ZyWALL)
Source any, Destination any, allow

With a USG 20 (but not a USG 100),
under Routing
add a Policy Route:
Incoming: L2TP_VPN, Source: any, Destination: LAN1_SUBNET
Next-hop: auto, SNAT: outgoing interface

Zyxel VPN Client configuration:
Install the Zyxel VPN client, a reboot will be required.
You might like to customize your taskbar to always show the Zyxel VPN icon.

Right-click where it says “VPN Configuration” on the left and choose Wizard.
Choose “A router or a VPN gateway”
Enter the external static IP of the Zyxel in question, or its FQDN if DNS is appropriately configured.
Enter the PSK (pre-shared key) you set up previously and safely recorded 🙂
Enter the private (internal) network address of the remote network. This should match the IP schema of the main office you are connecting to.
NB: Don’t try to choose a specific host IP; just enter 0 for the final octet/number, ie:

Click Finish.
Now click on the listed “Gateway” on the left.
In the Authentication tab under IKE, change the settings to match those you set up under “Phase 1” on your Zyxel:
Click Apply at the upper-left.

Now click on “Tunnel” at the left (listed just underneath Gateway).
Under Addresses, correct the subnet mask for your Remote LAN address setup.
Under ESP, don’t change anything, but confirm the settings match your Phase 2 settings on the Zyxel (they will by default).
PFS: Change to DH1

Optionally, click on the Advanced tab, and under Alternate servers
enter the IP address of your (primary) internal DNS server at the main office you’ll be connecting to via VPN.

Click Apply at the upper-left.

Right-click the Zyxel VPN icon and choose connect.
It works ! Or, it should based on the supplied info.

Windows XP, are you still using it ?

As you should know, Microsoft will no longer be supporting Windows XP as of this month (April 2014): the last patches they provide will be those of April 8th. *

There are a great number of reasons not to ignore this issue, whether XP is still in use at home or in a business environment. Please see

“(Computers still running Windows XP) will be vulnerable to hackers once XP stops receiving security updates, with Microsoft warning earlier this year that hackers could use patches issued for Windows 7 or Windows 8 to scout for XP exploits.”

If you don’t already have a migration plan in place and well underway, you absolutely should ! (Picture a billboard-sized flashing neon sign and sirens for appropriate emphasis).

Here are some great tips if you are forced to eke out a few more days from your XP systems:

Note the last item, “Get on with your personal or organisational efforts to get rid of XP.”

Please contact us at the Core Solution Group if you need help with planning and migrating away from Windows XP, including backup of your data, computer hardware upgrades or replacement, and analysis of any software you rely on – be it versions & compatibility with Windows 7 or 8, or alternatives to outdated programs that won’t run on a newer version of Windows.

*For a not-insignificant cost, some organizations may opt for Microsoft’s Custom Support, which costs $200 per year per PC, and covers only patches ranked as “critical.”

OS X Mavericks is free, yes. But please look before you leap !

First and foremost, ensure that your Mac is compatible. You’ll want to have enough RAM (not just the minimum 2 GB; far better to go with more if you can), and ideally (we recommend) at least a 7200 RPM hard drive, or better still an SSD for the best responsiveness.

The listed requirements are as follows (see ):
OS X v10.6.8 or later, 2GB of memory, 8GB of available space
You’ll need an Apple ID if you don’t already have one (and you probably do if you’re using iTunes), see

The compatible hardware/model list is:
iMac (Mid 2007 or newer)
MacBook (Late 2008 Aluminum, or Early 2009 or newer)
MacBook Pro (Mid/Late 2007 or newer)
Xserve (Early 2009)

Please – whatever you do – make sure you have a known-good, full backup (via Time Machine or your other backup method of choice) before you do anything.

It’s a good idea to read a little more about it, and Macworld has a great writeup here:

iOS 7 – what you need to know

If you have an Apple iOS device that didn’t come with iOS 7, and you’re considering the update, there are some things you should keep in mind before taking the leap:

It is not possible to undo this update.

Ensure that iOS 7 is permitted for use at work if you do use your device in that capacity at all. If your workplace IT hasn’t tested and approved it for use, and you really do need it for work purposes, even if it’s “just email,” then I recommend you don’t take the risk, because you’ll be on your own if you find out after the fact that there’s a problem.

Keep in mind that iOS 6 has obtained FIPS 140-2 validation, iOS 7 has not – not yet, and it could take some time.
If this is a requirement for you, stop now and wait.

If you do go ahead: back up your device via iTunes first.
I also recommend that you do a full power-cycle of the device prior to applying the update. Hold down the power button until a message and the slider for doing a full shutdown appears. Wait a few seconds and then use the power button to turn it back on.

There are a great many changes and some new features in iOS 7, I recommend having a read at

I’m using iOS 7 without issue and so far enjoying it very much !

— David