[CalendarServer-users] Apple's Contacts client doesn't like nonstandard ports

Andre LaBranche dre at apple.com
Sun Jan 24 22:46:02 PST 2016


> On Jan 24, 2016, at 2:53 PM, Kyle Silfer <kyle at rtoads.com> wrote:
> 
> Here’s another piece of info I found out by trial and error and have been meaning to report.
> 
> Apple's Contacts client refuses to connect on nonstandard ports (for example, it wants 8843 for SSL). You have the option to change the port number after it fails its initial connect, but it doesn't really work. Once I matched the port number, it worked fine for newer clients (although not with the OS X 10.6 Address Book).

Depending on your server-side / DNS setup, you may have more reliable results by using the 'manual' connection setup in Contacts; the one where you specify username, password, and server, instead of email address and password.

A CardDAV client can try multiple things when setting up an account, including looking for DNS SRV records and looking for /.well-known configuration. Both of these can help mitigate problems when using 'automatic' setup, when the server doesn't have an IP address returned by a request for a DNS A (address) record for the email address domain. More info on these techniques can be found here: https://tools.ietf.org/html/rfc6764. In my experience this can usually be shortcut by supplying user at servername instead of email address.

> Because calendarserver delivers both Contacts and Calendars on the same port (8443 by default), it becomes necessary to do something like redirect port 8843 to 8443 either on the host (using rinetd in Linux) or using NAT on an external device.

For me, Contacts has no problem accessing 443, which in my case is also reverse proxied to Calendar & Contacts server.

sudo lsof -n -l -P | grep Contacts:
Contacts  7509      501   61u  IPv4 0x98ff3c379420f4ff      0t0  TCP 192.168.2.89:52097->1.2.3.4:443 (ESTABLISHED)

I also experimented with forcing Contacts to use other ports. If you're game, give some of this a try and report back.

1) On the client, add two lines to the end of /etc/pf.conf to block outbound packets to the server on ports 443 and 8443:

block out quick on en0 proto tcp from any to 1.2.3.4 port 443
block out quick on en0 proto tcp from any to 1.2.3.4 port 8443

2) Load rules & enable pf if it wasn't already enabled.
sudo pfctl -Fa -f /etc/pf.conf
sudo pfctl -e

3) double check:
╭─ andre at foci ~
╰─ $ nc -v -G 2 -z example.com 443 2>&1 | tail -n 1 
nc: connectx to example.com port 443 (tcp) failed: Operation timed out
╭─ andre at foci ~
╰─ $ nc -v -G 2 -z example.com 8443 2>&1 | tail -n 1
nc: connectx to example.com port 8443 (tcp) failed: Operation timed out
╭─ andre at foci ~
╰─ $ nc -v -G 2 -z example.com 8843 2>&1 | tail -n 1
Connection to example.com port 8843 [tcp/*] succeeded!

4) Add Contacts account in 'manual' mode, specifying user at servername instead of email address. The client did fine by default (when the server accepted 443, 8443, 8443), and with 443 blocked. When I blocked 8443, account setup failed the first time, and worked the second time. Weird.

5) Disable the block rules by commenting the two lines you added to /etc/pf.conf, then
sudo pfctl -Fa -f /etc/pf.conf

-dre
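The RFC 6764 discovery sequence mentioned above (SRV lookup, TXT "path=" hint, then the /.well-known fallback), worked through as an added example; this is not code from the thread or from Calendar and Contacts Server. The DNS answers are constructed inline (hostnames, the path= value and the records themselves are invented; port 8843 is borrowed from the discussion), so it runs offline and shows how a published SRV record can carry a nonstandard port to the client.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed stand-in for DNS: what a resolver would return for
# _carddavs._tcp.<domain> (SRV) plus the TXT record carrying "path=".
# Hostnames are invented; port 8843 mirrors the thread's example.
SAMPLE_ZONE: Dict[str, Dict[str, list]] = {
    "example.com": {
        "srv": [
            SrvRecord(priority=20, weight=0, port=443, target="backup.example.com."),
            SrvRecord(priority=10, weight=10, port=8843, target="cal2.example.com."),
            SrvRecord(priority=10, weight=50, port=8843, target="cal1.example.com."),
        ],
        "txt": ["path=/principals/"],
    },
    "noport.example": {"srv": [], "txt": []},  # nothing published in DNS
}


def order_srv(records: List[SrvRecord]) -> List[SrvRecord]:
    # Lowest priority first, then larger weight (RFC 2782 uses weighted random here).
    return sorted(records, key=lambda r: (r.priority, -r.weight))


def context_path(txt_records: List[str]) -> str:
    # Honour a "path=" hint in the TXT record, else use the well-known default.
    for record in txt_records:
        for field in record.split(";"):
            key, _, value = field.strip().partition("=")
            if key == "path" and value:
                return value
    return "/.well-known/carddav"


def discover(zone: Dict[str, Dict[str, list]], domain: str) -> List[str]:
    """Ordered HTTPS URLs a client should try for an address at `domain`."""
    entry = zone.get(domain, {"srv": [], "txt": []})
    ordered = order_srv(entry["srv"])
    if not ordered:
        # No SRV: fall back to the well-known URI on the mail domain, default port 443.
        return [f"https://{domain}/.well-known/carddav"]
    path = context_path(entry["txt"])
    # The SRV target and port are authoritative, so a nonstandard port such as
    # 8843 reaches the client without NAT or rinetd redirection.
    return [f"https://{r.target.rstrip('.')}:{r.port}{path}" for r in ordered]
```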
