Difference between revisions of "SME Server:Documentation:FAQ:Section01"

From SME Server
Jump to navigationJump to search
Line 190: Line 190:
  
 
==Windows Client Computers==
 
==Windows Client Computers==
{{Warning box|msg=All versions of Windows prior to version 10 are unsupported by Microsoft unless you are paying them directly for support. Version 10 is a rolling edition which is continuously updated, so even early version of Windows 10 without updates are unsafe to use. Whatever our opinions of this situation may be, '''versions of Windows previous to v.10 are not safe to use on the public internet.''' We cannot support use of Windows previous to v.10. If you have an application that only runs on an earlier version be sure to lock it down from access outside of your network.
+
{{Warning box|msg=All versions of Windows prior to versions 10 and 8.1 are unsupported by Microsoft unless you are paying them directly for support. Version 10 is a rolling edition which is continuously updated, so even early version of Windows 10 without updates are unsafe to use. Windows 8.1 is in limited "extended support" until January 20, 2023. Whatever our opinions of this situation may be, '''versions of Windows previous to v.8.1 are not safe to use on the public internet.''' We cannot support use of Windows previous to v.8.1. If you have an application that only runs on an earlier version be sure to lock it down from access outside of your network.
 
}}
 
}}
 
*Windows 7 support for SME Server 8. See [[Windows_7_Support]]
 
*Windows 7 support for SME Server 8. See [[Windows_7_Support]]

Revision as of 15:38, 15 April 2021

Is this article helpful to you?
Please consider donating or volunteering
Thank you!

Section 1 - Mainly deals with configuration of various services once installation of the server software is complete.

Installer prompts for installation file location

Problems have been reported installing SME Server off a PATA CD-ROM drive. The system is able to boot from the CD-ROM drive but after that you get prompted by a message to specify the location where the installation image can be found. This might either mean that the disk is not readable or the CD-ROM drive is not recognized. If you have validated the disk and are sure that the disk passes you might try to add the all-generic-ide option to the boot prompt before starting the installer like this:

linux all-generic-ide

Installing with encrypted filesystem - SME10

In the installer for SME10, the option is given to modify the partitions created automagically. If you go into the (manual) partition edit screen then there is a tick box for the mainroot partition "encrypt data". If you tick then "update" then "done", then after allowing the installation to proceed it will ask for a passphrase. This is put in twice to verify it. Do not forget or lose this phrase else you will NOT be able to boot into your server.

Once the installation is complete, then at the beginning of every boot the system will ask for the passphrase. This means that you will always need a console on the server during the boot process.

Yum Updates

Which repositories should be enabled

You should only have the following repositories enabled (names as listed in server manager panel)

CentOS - os
CentOS - updates
SME Server - addons
SME Server - extras
SME Server - os
SME Server - updates.

The following command can be used to list the names & status of all configured repos.

/sbin/e-smith/audittools/repositories

As this command lists db entries, then the equivalent names of the default enabled repositories referred to above are (listed in the same order)

base: enabled
updates: enabled
smeaddons: enabled
smeextras: enabled
smeos: enabled
smeupdates: enabled

DO NOT enable SME Server - updates testing which is considered beta, unless

  • it is a TEST server NOT a production server or
  • you want to be part of a bug-testing group.

Additionally

  • SME Server - test is considered alpha
  • SME Server - dev contains automatically built rpms. It contains lots of experimental,

incomplete and mutually incompatible packages.


Warning.png Warning:
If upgrading from a system prior to 7.1 update 1, ie a 7.1 CD install or earlier,

you need to ensure you have the latest versions of the following rpms prior to applying the rest of the updates. This speeds up install process and avoids updates from centos that may be ahead of the distribution.

yum update dbus dbus-glib smeserver-support smeserver-yum yum yum-plugin-fastest-mirror python-sqlite 
signal-event post-upgrade; signal-event reboot



Important.png Note:
A system installed from the SME 7.1 CD will have the 5 repositories above enabled. A system installed from the SME 7.0 iso and updated to 7.1 or later will only have the 3 SME Server repositories enabled. After updating from SME 7.0 to SME 7.1.x you should enable the Centos - os & Centos - updates repositories in server-manager.


Reconfigure / post-upgrade and reboot

  • When is a post-upgrade and reboot required?

After installing a smeserver-* or e-smith-* rpm

If you are in any doubt or if after clicking Reconfigure the server does not actually reboot. You can run the following.

signal-event post-upgrade; signal-event reboot

Updating from SME 7.x to SME 7.2

See Updating_to_SME_7.2#Yum_Update

Warning in rkhunter email report

After upgrading to SME Server 7.4, the admin user may receive the following warning from rkhunter:

Warning: The SSH and rkhunter configuration options should be the same:
        SSH configuration option 'PermitRootLogin': yes
        Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no

This warning message is not indicative of a software error or security issue and can be safely ignored. The issue is to be attended to in a future release. See this bug report for more information.

From June 2009 smeserver-rkhunter was removed from smeos and made a contrib.

You will need to either complete the removal with

rpm -e rkhunter

or re-add from smecontribs

yum install smeserver-rkhunter --enablerepo=smecontribs

Frequency

  • By default SME's yum implementation checks for update daily, this can be customized to check weekly:
config setprop yum check4updates weekly;signal-event yum-modify

or monthly:

config setprop yum check4updates monthly;signal-event yum-modify

or reset to default:

config delprop yum check4updates;signal-event yum-modify

General

  • Please Wait - Yum Running (prereposetup)

This means Yum is working out what updates are available. Occasionally such as when large sets of updates are released this could take 10+ minutes to complete

  • Yum doesn't seem to be working correctly. What do I do now?

If for some reason you can't get yum to work correctly, try:

yum clean metadata
or
yum clean all --enablerepo=*
then 
yum update
  • Fix for 'Metadata file does not match checksum'

Typical error message

http://apt.sw.be/fedora/3/en/i386/dag/repodata/primary.xml.gz: 
[Errno -1] Metadata file does not match checksum Trying other mirror.
Error: failure: repodata/primary.xml.gz from dag: [Errno 256] No more mirrors to try.

To flush the up stream proxies, using wget, run:

wget --cache=off http://apt.sw.be/fedora/3/en/i386/dag/repodata/filelists.xml.gz
wget --cache=off http://apt.sw.be/fedora/3/en/i386/dag/repodata/primary.xml.gz
wget --cache=off http://apt.sw.be/fedora/3/en/i386/dag/repodata/repomd.xml
yum update
  • Fix for 'Header is not complete'

Typical error message

---> Downloading header for php-mysql to pack into transaction set.
php-mysql-4.3.9-3.22.15.i 100% |=========================|  37 kB    00:00
http://sme-mirror.firewall-services.com/releases/7/smeupdates/i386/RPMS/php-mysql-4.3.9-3.22.15.i386.rpm: [Errno -1] Header is not complete.
Trying other mirror.

This is mostly due to external firewalls; there are known issues with Fortigate and Sonicwall appliances. Try disabling AV/Anti spyware check


  • An unclean shutdown during a system update can put the system into a state where it's difficult to recover.

find all the duplicate rpm's

rpm -qa | sort | less 

Then remove all the duplicate rpm's

rpm -e --nodeps rpmname

Install the newest rpms

yum install rpmname
signal-event post-upgrade; signal-event reboot
  • Where can I go to learn more about yum, and about how SME uses it?

SME Server:Adding_Software , man yum, http://linux.duke.edu/projects/yum/

Adding, removing or disabling repositories

  • What is the recommended way to add other yum repositories

The following code uses the dag repository as an example and sets the status to disabled. The repository is configured to be used via the command line with the --enablerepo= option


see dag repository


  • How do I remove yum repositories
db yum_repositories delete repositoryname
signal-event yum-modify
  • How do I disable the status of a repository to allow future use via command line with the --enablerepo= option
db yum_repositories setprop repositoryname status disabled
signal-event yum-modify

Other popular repositories

A list off other repositories can be found at Category:Yum_Repository.

Be careful updating software from these repositories. Only update packages by name eg.

yum update --enablerepo=reponame  packagename

Do not do a general update with the 3rd party repository enabled as it could update many packages that will overwrite SME versions.

Removing Software

If you wish to remove rpms from the command line use

rpm -e rpmname

yum remove rpmname, will work if the rpm to be removed is non essential, but what you consider non essential may differ to the system so it's best to use rpm -e

Hardware Compatibility List

List of Hardware that known have problems with SME Server

Maintaining a complete HCL is difficult, the following links will give a indication of hardware being used by SME Servers and upstream providers

Windows Client Computers

Warning.png Warning:
All versions of Windows prior to versions 10 and 8.1 are unsupported by Microsoft unless you are paying them directly for support. Version 10 is a rolling edition which is continuously updated, so even early version of Windows 10 without updates are unsafe to use. Windows 8.1 is in limited "extended support" until January 20, 2023. Whatever our opinions of this situation may be, versions of Windows previous to v.8.1 are not safe to use on the public internet. We cannot support use of Windows previous to v.8.1. If you have an application that only runs on an earlier version be sure to lock it down from access outside of your network.


Actually the SME Server 8.0 allows this windows client to reach the SME Server domain, Be aware you have to import the registery patch which you can download at http://your-sme-server/server-resources/regedit

Actually the SME Server 8.0 allows this windows client to reach the SME Server domain, Be aware you have to import the registery patch which you can download at http://your-sme-server/server-resources/regedit

  • Windows 7 cannot join to SME 7.x domains due to trust relationship issues. However, you can configure an optional unsupported update if Windows 7 support is critical for your environment.

More information is available here.

  • Offline files with Windows XP and Windows 7 clients problems?

Set the following registry key on the Windows Vista or Windows 7 client to prevent files from getting pulled down to the client again right after synchronizing changes to the server (due to Linux file systems having coarser timestamp resolution than Windows):

Create a DWORD value named RoundUpWriteTimeOnSync under the HKLM\Software\Microsoft\Windows\CurrentVersion\NetCache key (create the key if it does not exist) and set it to 1.

More information can be found here: [1]

  • Samba trust relationships lost?

This is a possible bug with an upgrade from SME6. After an upgrade, local workstations cannot log in. If you are experiencing this problem, please have a look at this bug for a fix, and provide followup: [2]

  • Windows XP Clients - Patch to logon to SME domain

This patch can be used when Windows XP clients won't be able to log on to the SME Server domain. The registry patch is located here: http://servername/server-resources/regedit/winxplogon.reg Double click on the winxplogon.reg file and the settings will be added to the Windows Registry.

  • Windows XP Clients - "domain is not available" error

If the client pc uses a Gigabit lan adapter, try [3]

  • How to disable password caching on Windows 95/98/ME/2000 Clients?

This patch can be used if you don't want Windows clients to remember password for shared folders on SME Server. The registry patch is located here: http://servername/server-resources/regedit/win98pwdcache.reg Just double click on the win98pwdcache.reg file and the settings will be added to the Windows Registry.

Note Although the filename seems to indicate that this patch will only work for Windows 98, but it also works in Windows 95, Windows ME and Windows 2000.

  • LDAP Directory Gives MAPI_E_CALL_FAIL Errors on Outlook 2002 or Outlook 2003

In Outlook 2002 or 2003 when someone tries to find a contact using the LDAP server, a message stating that "Unavailable critical extension" and then a second message saying "The search could not be completed. MAPI_E_CALL_FAIL" shows up and nothing shows up from the search. The directory works beautifully in Thunderbird 1.5 as well as Outlook 2000, but not 2002 or 2003. More information can be found here: [4] [5]

  • Where is the netlogon directory?

The netlogon directory is located on the SMESERVER at: /home/e-smith/files/samba/netlogon It can also be found by a client computer at: \\servername\netlogon

Web Applications

  • chmod 777

Using 777 is always wrong (despite the fact that many howtos recommend it). 0770 is sufficient, as long as www is a member of the group owning the directory, and is safer.

Use chown www /path/to/dir
and preferably put your app in /opt/app not in an ibay

  • Generic Instructions for Installing a Web Application

Web_Application_RPM

  • Wasn't mod_perl installed in previous versions? How do I install it?

It may have been, but it was not used so it is no longer included. If you do want to install it do the following:

Note The commands on a linux shell are case-sensitive, this means that Capital is not the same as capital.

 yum install mod_perl
 config setprop modPerl status enabled
 signal-event post-upgrade ; signal-event reboot

  • The directory structure is visible. How do I disable indexes in ibays?

SME Server 6.0, 6.0.1, and 6.5 all had the following for the ibays/html directory - "Options Indexes Includes". This would indicate that indexes were allowed for html directories. In SME Server 7.0 this is made a parameter and it defaults to enabled to be compatible with SME Server releases before SME Server 7.0 installations.

To disable indexes for an ibay in SME Server 7.0 do the following:

 db accounts setprop //ibayname// Indexes disabled 
 signal-event ibay-modify //ibayname// 

This issue was first reported here: [[6]]

  • I need to create (or install) a PHP application that needs access to the /tmp directory.
db accounts setprop ibayname PHPBaseDir /tmp/:/home/e-smith/files/ibays/ibayname/
signal-event ibay-modify ibayname

By default if you have PHP code in an IBAY, it can only run in that IBAY. The above commands will allow PHP code in the IBAY to run outside of its installed directory.

Here is a list of all the IBAY specific settings

Reset the root and admin password

1. Restart your server and at the beginning of the boot-up use the arrow keys to select the kernel you would like to boot into.

2. Press A , to allow you to append parameters to your grub boot settings.

3. Be careful not to change anything, only add the following after the A (Be sure to put a space before "single"):

  single

4. Press enter. you will be presented with a prompt.

5. At this prompt type the following two commands (each followed by a return). You will be asked to provide a new password. Reset both your root and your admin password and set them to the same value:

 passwd root
 passwd admin

Reboot your server and everything should be okay now.

File Size Limitations

  • Apache, the web server can only transfer or show files under 2G
  • Backup to USB Disk

FAT32 only supports file size of <4GB. It is recommended that you format your external usb drives to ext3 or ext4.

External DNS

To allow external users to communicate with your server, you must have correctly configured DNS records. Once you have purchased a domain, you should configure the following records (customised if necessary) to allow web and email communication:

1. An A record, myserver.mydomain.com, pointing to the external IP address of your server

2. A CNAME record, *.mydomain.com, pointing to the A record myserver.mydomain.com [this is a catchall that allows aliases such as www.mydomain.com and mail.mydomain.com to be resolved without having to create multiple CNAME records]

3. An MX record, pointing to myserver.mydomain.com, to allow for email delivery

If your registrar does not allow you to create DNS records, you may use a free service such as http://www.zoneedit.com or similar.

The example shown assumes that your server is operating in Server and Gateway mode and has a static external IP address. Depending on your network design and server configuration, the example may need to be modified. For example, if you use a Dynamic DNS service, you would need to modify the A record to point to your Dynamic DNS hostname, rather than a static IP address.

Domains

  • When I create a DOMAIN, I don't see anything listed in the HOSTNAMES AND ADDRESSES panel for that DOMAIN.

For a domain to be effective (for email or web), it needs to be configured as INTERNET DNS SERVERS (this is the default value). Since the domain resolves via INTERNET DNS SERVERS, no hostnames or addresses are created locally. For more info please visit the Administration Manual section regarding Domains: [[7]]

Delegate DNS

SME Allows for 3 Settings for DNS Resolution of a Domain

  1. Resolve Locally
  2. Internet DNS Servers
  3. Corporate DNS servers

If this is not sufficient, you can extended these for individual domains on your SME server (forwarding all DNS Queries for the specified domain to another server) as follows:

First, create the necessary virtual domains using server-manager::Configuration::Domains::Add Domain.

Then, (assuming your domain is called test.com and the actual DNS server is at a.b.c.d issue the following commands:

db domains setprop test.com Nameservers a.b.c.d
signal-event domain-modify

Check with

cat /var/service/dnscache/root/servers/test.com

DNS Forwarding

The dnscache service can be configured to forward all queries for a specific domain to an alternate server using the "domain-remote" record type in the domains db. This could be used to direct DNS for a domain to an internal DNS server connected to your network using a VPN or a custom route, or to direct your local active directory DNS to your Active Directory server, etc.

To forward all DNS for <domainname> to a specified remote DNS server (4.2.2.1 in this example):

db domains set <domainname> domain-remote Nameservers 4.2.2.1
signal-event domain-modify

As a side-effect, you can block DNS for a domain by configuring DNS forwarding to 'localhost'.

This command tells your SME to do all DNS lookups on <domainname> locally, but doesn't configure any corresponding DNS entries. Attempted lookups for the domain and all sub-domains will fail:

db domains set <domainname> domain-remote Nameservers localhost
signal-event domain-modify
  • 'domain-remote' entries do not appear in server-manager; they can be managed only from the command line.
  • Nameservers can be a comma-delimited list of servernames or IP addresses

Virus Scanning

  • When you elect to nightly scan your server for viruses the current default is to scan /home/e-smith/files

Note that early SME 7 Servers defaulted to /.

Also you may want to scan under /opt if you have installed contribs that store user data there

the db property to change to the default

config setprop clamav FilesystemScanFilesystems /home/e-smith/files

or to scan different areas of the server is

config setprop clamav FilesystemScanFilesystems "/home/e-smith/files /opt"
  • How do I exclude some directories from scanning

Set the db value to exclude more directories

The default

 config setprop clamav FilesystemScanExclude /proc,/sys,/usr/share,/var

Change with

config setprop clamav FilesystemScanExclude /proc,/sys,/usr/share,/var,/home/e-smith/files/ibays

After any change, run the signal-event for expand and regenerate configuration files, and restart pertinent services

signal-event clamav-update

Is this article helpful to you?
Please consider donating or volunteering
Thank you!

Proxy Pass

ProxyPass a domain

This section covers ProxyPass directives in the "domains" database

  • I want to pass some http requests to a server behind my SME Server or external to my site, how can I do this?

You can set a ProxyPass directive that will pass certain requests to an internal or external server that hosts the domain to be proxypassed:

db domains set proxypassdomain.com domain 
db domains setprop proxypassdomain.com Nameservers internet
db domains setprop proxypassdomain.com ProxyPassTarget http://xxx.xxx.xxx.xxx/
db domains setprop proxypassdomain.com TemplatePath ProxyPassVirtualHosts 
signal-event domain-create proxypassdomain.com

where proxypassdomain.com is the domain name hosted on the internal or external server and http://xxx.xxx.xxx.xxx/ is the IP address of the internal or external server eg 192.168.1.20 or 122.456.12.171 (it must be the publicly accessible IP if an external server)

To delete a ProxyPass directive that you previously set up:

db domains delete proxypassdomain.com
signal-event domain-delete proxypassdomain.com

Note that using the settings above 'TemplatePath' is set to 'ProxyPassVirtualHosts' which will read templates in:

/etc/e-smith/templates/etc/httpd/conf/httpd.conf/ProxyPassVirtualHosts

It is perfectly possible to use your own templates for more specialised settings:

cp -R /etc/e-smith/templates/etc/httpd/conf/httpd.conf/ProxyPassVirtualHosts /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/MyProxyPassHost

Now you can edit the templates in 'MyProxyPassHost' and use your own advanced settings as you require.

db domains setprop proxypassdomain.com TemplatePath MyProxyPassHost


Important.png Note:
If you have added the internal or external server's domain name as a virtual domain on the SME Server, you must remove it prior to issuing these commands. The server-manager domains panel will show the proxy pass entry but you will not be able to edit it, see bugzilla:1612


Also refer to these links for information regarding the proxypass virtual domain feature of SME server, from this thread http://forums.contribs.org/index.php/topic,47795.0.html

http://bugs.contribs.org/show_bug.cgi?id=999

http://forums.contribs.org/index.php?topic=47160.0

http://forums.contribs.org/index.php?topic=46975.0

From this forum post by Charlie Brady http://forums.contribs.org/index.php/topic,49181.msg245408.html#msg245408 is information about https access & expected behaviour re certificates

What happens is that the browser connects to the SME server, then negotiates SSL (verifies the certificate and starts encrypting the connection), then sends the request (hostname + URL). Apache in the SME server then proxies the connection (creates the connection to the internal webserver, passes the request, passes back the response). There's no way that the internal server's certificate can be presented to the browser and used to enable encryption.

ProxyPass a alias/directory/location

This section covers the db settings in the "accounts" database that generate ProxyPass directives in httpd.conf

You can do what you want by creating a custom template fragment that enables proxypass on ".../extra"; the notes from this forum discussion http://forums.contribs.org/index.php/topic,40075.0.html should help.

The following works on SME 7.5.1 and SME 8beta6 systems where the template fragment /etc/e-smith/templates/etc/httpd/conf/httpd.conf/35ProxyPass contains the appropriate code which is automatically generated by issuing the following db commands:

db accounts set extra ProxyPass
db accounts setprop extra Target http://192.168.1.35
db accounts setprop extra Description InternalServer
db accounts setprop extra HTTP on
db accounts setprop extra HTTPS on
db accounts setprop extra ValidFrom 80.90.100.0/24,74.125.93.105
expand-template /etc/httpd/conf/httpd.conf
sv t httpd-e-smith

Note: In the above commands set xxxx ProxyPass, setprop xxxx Target http://<target> and setprop xxxx Description <description> are required; all other lines are optional

Note: It doesn't look like these directives are going to work for HTTPS connections by default (they end up inside a "Listen 0.0.0.0:80" section in httpd.conf). It appears that 35ProxyPass is old (mentioned in a bug from year 2006), while ProxyPass SSL support was fixed in a later bug (in year 2007), by which time the ProxyPass code had been moved to the virtual domains templates.

Note: HTTP and HTTPS are set to yes by default, so there is no need to set it. Apart from that it is preferred to use no when you want it to be disabled, over on/off or enabled/disabled.

Refer to these forum posts:

http://forums.contribs.org/index.php/topic,47741.msg236017.html#msg236017

http://forums.contribs.org/index.php/topic,40075.0.html

ProxyPass for Exchange Outlook Web Access

Users wishing to implement this setup are strongly advised to read in full this forum thread http://forums.contribs.org/index.php/topic,40075.0.html from which the following information was obtained.

  • How can I configure Outlook Web Access access to an internal Exchange 2003 server ?

Issue the following commands (replace "a.b.c.d" with the LAN IP of your exchange server):

mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
echo '# ProxyPass Support for Internal Exchange Server
        ProxyPreserveHost On
        #OWA % character in email subject fix
        RewriteEngine On
        RewriteMap percentsubject int:escape
        RewriteCond $1 ^/exchange/.*\%.*$
        RewriteRule (/exchange/.*) ${percentsubject:$1} [P]
        #OWA
        ProxyPass /exchange https://a.b.c.d/exchange
        ProxyPassReverse /exchange https://a.b.c.d/exchange
        ProxyPass /Exchange https://a.b.c.d/exchange
        ProxyPassReverse /Exchange https://a.b.c.d/exchange
        ProxyPass /exchweb https://a.b.c.d/exchweb
        ProxyPassReverse /exchweb https://a.b.c.d/exchweb
        ProxyPass /public https://a.b.c.d/public
        ProxyPassReverse /public https://a.b.c.d/public
        ProxyPass /iisadmpwd https://a.b.c.d/iisadmpwd
        ProxyPassReverse /iisadmpwd https://a.b.c.d/iisadmpwd
        #OMA
        ProxyPass /oma https://a.b.c.d/oma
        ProxyPassReverse /oma https://a.b.c.d/oma
        #ActiveSync (for WM5+ devices)
        ProxyPass /Microsoft-Server-ActiveSync https://a.b.c.d/Microsoft-Server-ActiveSync
        ProxyPassReverse /Microsoft-Server-ActiveSync https://a.b.c.d/Microsoft-Server-ActiveSync
        #Force 'RequestHeader' in order to get IE to work
# End of Exchange settings
' > 91ProxyPassOWA
expand-template /etc/httpd/conf/httpd.conf
sv restart httpd-e-smith

It is then possible to login to OWA at https://any.sme.domainname.com/exchange from Firefox (and presumably Opera or Safari), but not login using IE7.

In order to login from Internet Explorer it is necessary to disable "Integrated Windows authentication" in IIS on the Exchange Server as follows:

  • start the Internet Information Services (IIS) Manager on the Exchange 2003 server
  • Expand Web Sites
  • Expand Default Web Site
  • right-click on Exchange and select "Properties"
  • click on the Directory Security tab
  • click on the Edit button for "Authentication and access control"
  • remove the check from "Integrated Windows authentication"
  • Click OK
  • Click OK again

Note: no restarts were required on the Exchange server - as soon as the above changes are made it is possible to login successfully using Internet Explorer

  • References & More information:

The above information is based mostly on this post:

http://systembash.com/content/outlook-web-access-apache-proxy/

Note: The "RequestHeader" directive discussed here was unnecessary when tested on a SME 7.2 system

Here is an expanded entry that includes info on Exchange 2007:

http://www.utahsysadmin.com/2007/12/20/apache-reverseproxy-for-owa/

Here are the apache docs for mod_proxy and mod_headers:

http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass

http://httpd.apache.org/docs/2.0/mod/mod_proxy.html#proxypass

http://httpd.apache.org/docs/2.0/mod/mod_headers.html

  • User feedback & additional information re above method:

This method works well except that it was necessary to add a line or two to support /owa which is the directory expected for owa to run. It works with every domain hosted on the SME 7.4 server used. To limit it to one publically resolvable domain, was resolved as follows:

This applies to a SME 7.4 with more than one virtual host that has publically accessible FQDN. To achieve this ISP like setup, the SME server (and all other server) was configured with a ficticious domain like private.local and everything in the network setup such that it is not routable from outside. In this scenario, only the SME server is publically accessible (and behind a WAG54GP2 router with ports 80, 443 open). Using DYNDNS.ORG an account was created and two domains purchased:

domainA.com

domainB.co.nz

Use the DynDNS administrator to setup cnames like:

www.domainA.com -> domainA.com

remote.domainA.com -> domainA.com

www.domainB -> domainB.co.nz

Also note that DynDNS does not sell co.nz domains, these were purchased from domainz.com and pointed the DNS to the DynDNS DNS servers. In the end, any hosts point to the static IP address obtained from World Exchange for an extra $20. In this situation dynamic dns is not being used, but the DynDNS account existed, and it provided redundant DNS, so was easy to retain.

SME server was setup with add-ons like Wordpress etc. in each iBay as required such that www.domainA.com and www.domainB.co.nz go to different Wordpress blogs by default (refer to the FAQ on contribs.org and the instructons on wordpress.org to setup wordpress in an iBay).

On the LAN and on a 192.168.* address (non-routable) there is an Exchange server.

The requirements were to have the OWA component available from outside the LAN and a 'home office' webpage.

Making it slightly more difficult to implement, the requirement was for www.domainA.com to go to SME iBay and homeoffice.domainA.com to go to Windows server - iis.private.local and have iis.private.local/owa work correctly.

This is so that the IIS and Exchange server can be "hidden" behind Apache, and a single certificate obtained & utilised.

To achieve this, Apache must resolve everything to iBays, except the one virtual host and it's /owa directories.

1. Enable SSLProxy:

create a file /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/35SSLProxyEngine containing only the words "SSLProxyEngine on" on a single line, no quotes.

2. Using this threads info as above, except, include a VirtualHosts directive for the remote domain:

create a file /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/76ProxyPass

which looks like this:

# Forward remote.domainA.com to iis.private.local
 <VirtualHost 0.0.0.0:80>
 ServerName remote.domainA.com
 ProxyPass / http://iis.private.local/
 ProxyPassReverse / http://iis.private.local/
 </VirtualHost>
 <VirtualHost 0.0.0.0:443>
 ServerName remote.domainA.com
 ProxyPass / https://iis.private.local/
 ProxyPassReverse / https://iis.private.local/
# Preserve meta info in the http line as a resolvable request
 ProxyPreserveHost On
#OWA % character in email subject fix
 RewriteEngine On
 RewriteMap percentsubject int:escape
 RewriteCond $1 ^/exchange/.*\%.*$
 RewriteRule (/exchange/.*) ${percentsubject:$1} [P]
#OWA
 ProxyPass /exchange https://iis.private.local/exchange
 ProxyPassReverse /exchange https://iis.private.local/exchange
 ProxyPass /owa https://iis.private.local/owa
 ProxyPassReverse /owa https://iis.private.local/owa
 ProxyPass /Exchange https://iis.private.local/exchange
 ProxyPassReverse /Exchange https://iis.private.local/exchange
 ProxyPass /exchweb https://iis.private.local/exchweb
 ProxyPassReverse /exchweb https://iis.private.local/exchweb
 ProxyPass /public https://iis.private.local/public
 ProxyPassReverse /public https://iis.private.local/public
 ProxyPass /iisadmpwd https://iis.private.local/iisadmpwd
 ProxyPassReverse /iisadmpwd https://iis.private.local/iisadmpwd
#OMA
 ProxyPass /oma https://iis.private.local/oma
 ProxyPassReverse /oma https://iis.private.local/oma
#ActiveSync (for WM5+ devices)
 ProxyPass /Microsoft-Server-ActiveSync https://iis.private.local/Microsoft-Server-ActiveSync
 ProxyPassReverse /Microsoft-Server-ActiveSync https://iis.private.local/Microsoft-Server-ActiveSync
# End of Exchange settings
</VirtualHost>

where iis.private.local is the private instance of IIS. and remote.domainA.com is a publically addressable domain that resolves to the public side of the SME server. To be sure this works, you must be able to resolve iis.private.local from the sme server (add a hostname record with correct internal IP address). Ensure the Integrated Authentication is disabled for OWA (leave basic auth on).

3. Expand template & Restart the SME webserver

expand-template /etc/httpd/conf/httpd.conf
sv restart httpd-e-smith

Note: You can use IPaddresses, but this is cumbersome to maintain and open to error. All FQDN's must be resolvable internally and externally respectively. If this is confusing, start small. Also, IIS will not have a default page except to say the site is under construction, it is necessary to create a basic webpage with a link to the owa page to make usage easy.

Testing:

From another external computer at another location or internet cafe, go to http://www.domainA.com, it should go to the wordpress server as has been setup.

http://www.domainB.com should go to that other wordpress server as setup. If you access any https site, it should also give a certificate and open the respective wordpress server as has been setup.

If you access http://remote.domainA.com or https://remote.domainA.com it should go to the IIS server and no other address (this for example will allow you to sell webhosting without the possibility of customers accessing the IIS server). Next step is to create a default page on IIS that has useful information for the own home office and includes links to webmail for people who cannot remember long or confusing URLs etc.

  • Other useful resources:

http://bugs.contribs.org/show_bug.cgi?id=1612

The apache docs

Google

DNS Forwarding

The dnscache service can be configured to forward all queries for a specific domain to an alternate server, or to block DNS for a domain by configuring forwarding to 'localhost', without affecting any other services or configuration files. See Bugzilla:6848

This is done using the "domain-remote" record type in the domains db:

To forward all DNS for <domainname> to the specified remote DNS server:

db domains set <domainname> domain-remote Nameservers a.b.c.d
signal-event domain-modify

To block lookups for <domainname>:

db domains set <domainname> domain-remote Nameservers localhost
signal-event domain-modify

Shell Access

  • I need to give a user shell access to the SME Server.

Shell access should only be provided to users who have a *need* for it and can be trusted.

Before a user can have shell access Admin must enable ssh access at

server-manager -> Security -> Remote Access

You then enable shell access for a user by:

db accounts setprop username Shell /bin/bash
chsh -s /bin/bash username

Upgrading Server

  • What's the best way to upgrade to a new server ?

An article is written for this subject. Please visit: UpgradeDisk.

  • Do you want to move a running SME 7 Server installation to new hardware ?

There is a document that describes a method using the Affa contrib. Affa makes it possible to move with a minimal effort and minimal downtime of the production server. Please visit: Moving SME to new Hardware

Changing maximum Ibay, Account or Group name length

  • How do I change the default maximum (12 characters) name length of an I-Bay, account or group?

Enter following command on the console as root:

/sbin/e-smith/db configuration set maxIbayNameLength xx
/sbin/e-smith/db configuration set maxAcctNameLength xx
/sbin/e-smith/db configuration set maxGroupNameLength xx

where 'xx' is the new size e.g. 15.

Followed by:

/sbin/e-smith/signal-event console-save

Deletion of Users Ibays Groups

  • I can't delete & create a user for some reason. What do I do now?

If for some reason you can't delete & create a user, then first do:

signal-event user-delete <username>
db accounts delete <username>
  • I can't delete & create a ibay for some reason. What do I do now?

If for some reason you can't delete & create a ibay, then first do:

signal-event ibay-delete <ibayname>
db accounts delete <ibayname>
  • I can't delete & create a group for some reason. What do I do now?

If for some reason you can't delete & create a group, then first do:

signal-event group-delete <groupname>
db accounts delete <groupname>


  • I was looking in the home directory of a user and I see a hidden directory called ".junkmail". Do I need that? Can I delete it?

Don't remove or rename .junkmail folders.


Access denied to i-bay with newly created group

  • Problem: If I try to write to an i-bay immediately after creating a new group, and being a member of that group, and assigning that group access rights to the i-bay, access is denied. Changing the i-bay access to an older group of which I am a member, access is allowed as desired.
Workaround: log out after creating the group and then log back in

The issue seems to be with samba not SME. See Bugzilla:4961 Privileges are assigned upon logon in Linux, hence the need to log out and then log in again to receive the newly created group's privileges.

Change the User Password by command line

If you want to change password to your users by the command Line instead of the user panel of SME Server you can do it like this. For a large list of changes you should look to a contrib named lazy_admin_tools

perl -e "use esmith::util;esmith::util::setUserPassword( 'username', 'password');";  /sbin/e-smith/signal-event  password-modify username

run it for each user separately and replace

username

and

password

with the appropriate values for each of your users.

Password Strength Checking

  • How can I change password strength & what do the strength settings mean?


Warning.png Warning:
It is strongly advised not to set the password strength setting to none as this will lower the security of your server significantly.



Important.png Note:
PAM module requires passwords to be at least 6 characters long, so setting a password that is shorter than that may cause other problems later. SME server default settings enforce 7 character passwords.


The following settings are available to specify the password strength on SME Server:

setting explanation
strong The password is passed through Cracklib for dictionary type word checking as well as requiring upper case, lower case, number, non alpha and a mimimum length of 7 characters.
normal The password requires upper case, lower case, number, non alpha and a minimum length of 7 characters.
none The password can be anything as no checking is done.

Please note that "none" does not mean no password, it just means no password strength checking, so you can enter any (weak) password you want as long as it is at least 7 characters long.

To set password strength do:

config setprop passwordstrength Admin strengthvalue
config setprop passwordstrength Users strengthvalue
config setprop passwordstrength Ibays strengthvalue

where strengthvalue is one of the entries listed in the table above; either "strong", "normal" or "none" .

e.g.

config setprop passwordstrength Users normal

To review the current settings do:

config show passwordstrength

which should display something like:

passwordstrength=configuration
 Admin=strong
 Ibays=strong
 Users=strong

Alternatively, you can install the smeserver-password contrib discussed here: Password

This contrib will let you configure password strength and aging through a web panel in the server-manager.

Hard Drives, RAID's, USB Hard Drives

  • How should I setup my hard-drives?

We never recommend anything other than a single disk install or multiple disks of the same type. Anything else and you are following an unrecommended setup and you will need to navigate for yourself. Repeat, we never recommend anything other than a single disk install or multiple disks of the same type. If you're thinking of doing anything else (setup your own partitions), read this section again.

  • How should I setup my RAID?

A full article on RAID is found here: Raid


  • I want to use a hardware RAID. What do you suggest?

Please see the notes in the RAID article: Raid#Raid_Notes


  • How do I recover an SME Server with lvm drives

A full article on the recovery method is found here: Recovering_SME_Server_with_lvm_drives


  • I'm installing a RAID 5 but it seems to take a long time. Is there something wrong?

RAID 5 systems (those with 3+ disks) can take a long time during and after the install for everything to sync. Reportedly, it takes almost 2 hours before the disks finally finish syncing on 4 X 80GB disks.


  • If I boot my SMESERVER with a USB hard drive attached, it recognizes the drive. However, after unplugging the drive, then replugging, it no longer exists. Any ideas why?

Reportedly, some external usb hd's must be completely powered up before connecting the usb cable.


  • If I boot my SMESERVER with a USB hard drive attached, it doesn't recognize the drive. Any workarounds for this?

Some USB drives need to be plugged twice into the server to be recognized.


  • Further information regarding USB disks can be found in this HOW TO: USBDisks

Backups & Restores

  • AIT-1 Backup: buffer unreliable

An AIT-1 is unreliable if used with variable block size. Set the setting

config setprop flexbackup TapeBlocksize 512

AIT-2, DAT and LTO seem to work well with variable block size.


  • Slow tape backup performance may be improved by changing Flex backup settings
config setprop flexbackup Blocksize 256
config setprop flexbackup BufferMegs 16


  • In the ADMIN CONSOLE, there is an option to BACKUP TO USB but there are no restore options.

The RESTORE option is only visible on a new install. If you missed this during install, you can

config set PasswordSet no 
signal-event post-upgrade; signal-event reboot 

During reboot reconfiguration process you should see the new restore via USB backup option.

-NOW plug in the usb drive (Do not plug in the usb drive until you reach this point).
-pick YES or RESTORE (or whatever is presented to you)


Supervised Services

  • Many services on SME are supervised, to see which are type
ps ax |grep runsv

To control them read the sv manual

man sv
  • it seems that "sv u http-e-smith" gives no errors, even if the service fails to restart, so you need to use "sv s httpd-e-smith" to check if it fails (example: due to a httpd.conf error)

This is just the way that runsv (part of the runit package) works. The "sv u http-e-smith" only sends a message to runsv saying that we want the service to be up. runsv then will keep trying to get the service running.


Server-Manager

  • I can't access the server-manager. What do I do now?

There are many reasons why you wouldn't be to access the server-manager. First try:

signal-event post-upgrade;  signal-event reboot

If you still can't access, there are reports that a certificates mis-match might have occurred after update. In that case:

rm /home/e-smith/ssl.key/*.key
rm /home/e-smith/ssl.pem/*.pem
rm /home/e-smith/ssl.crt/*.crt
signal-event domain-modify; signal-event reboot


  • I used to access the SERVER-MANAGER with localhost:980 remotely via SSH tunnel and now I can't. What happened?

This feature has been deprecated a long time and finally removed in V7.2

If you really want to use this then forward 443 to localhost:443

ssh -L 443:localhost:443 root@ip-sme-or-hostname-sme

and then use this url in your web browser

https://localhost/server-manager/
  • Access with non standard ports

In certain cases which you are not root on the local computer, you can not redirect port < 1024, so you have to use port > 1024 as the example below.

ssh -L 9443:localhost:443 root@your-remote-ip -p 22
9443 : local port
443 : remote https port
your-remote-ip : the remote host (could be an ip or a domain name)
22 : this is the port where the ssh server is listening, you can change it in accordance with the remote server

Keep the terminal open, Then you need to use this specific URL in your WEB Browser to go to the server-manager

https://localhost:9443/server-manager
  • Using a ssh client, the /server-manager login screen is difficult to read

The text is white, so you need to adjust your ssh client to use a dark background


  • I've renamed my server with the ADMIN CONSOLE. The old name appears under the SERVER-MANAGER, HOSTNAMES panel. It cannot be deleted as there are no MODIFY/REMOVE links.
-login to the shell console
-type: db hosts setprop <local.mycompany.local> static no
-go to the HOSTNAMES & ADDRESSES panel and you should be able to modify/remove the name

Booting with SMP kernel after upgrade to version 7.2 from CD

  • I've upgraded and now the SMP kernel isn't available.

This is because when upgrading to 7.2 from CD, kernel modules are missing for SMP IF the output of "cat/proc/cpuinfo" does not show multiple processors. The SMP kernel, if not present, can be installed via yum using: Do:

yum install kernel-smp kmod-ppp-smp kmod-slip-smp kmod-appletalk-smp
signal-event post-upgrade
signal-event reboot

Details: http://bugs.contribs.org/show_bug.cgi?id=3095

  • I'm getting a kernel panic after upgrade from CD. What do I do now?

When upgrading with a CD, the upgrade will rewrite the grub.conf file. As a result, any additional boot arguments (i.e. acpi=off) will be lost during upgrade. Please edit the grub.conf file.


Special Characters

  • I get strange characters & letters when look at my file names.

If you get filenames that look like: "éèÃ.txt" It's most likely because the SME server isn't understanding special characters you may be using. You can change it to understand special characters in filenames by:

db configuration setprop smb UnixCharSet ISO8859-1
expand-template /etc/smb.conf
/etc/init.d/smb restart


Upstream proxy server configuration

SME Server allows you to proxy internet traffic for various components through an 'upstream' proxy server.

You might need to do this if:

  • Your SME server does not have direct access to the Internet
  • You have several sites and need centralized internet activity control and reporting
  • You are required to impose internet access restrictions on your users (at a school, for example)

Browser Access from LAN Workstations

  • How do I configure a mandatory upstream proxy server, there used to be a panel in earlier versions of sme server, but it's missing in sme7.x
config set SquidParent a.b.c.d
config set SquidParentPort nnn
signal-event post-upgrade
signal-event reboot

[The SquidParentPort setting is optional if the upstream proxy is on port 3128.]

Yum (system updates)

How do I get yum updates through a proxy server (in case my SME server does not have direct internet access)

Based on Bugzilla:2407:

mkdir -p /etc/e-smith/templates-custom/etc/yum.conf
cd /etc/e-smith/templates-custom/etc/yum.conf
echo '{
    my $YumProxy = $yum{'Proxy'} || "none";
    $OUT = ($YumProxy eq "none") ? "" : "proxy=$YumProxy";
}' > 10main_proxy
config setprop yum Proxy http://localhost:3128/
expand-template /etc/yum.conf

  • The code shown above should work (untested) if you have configured SquidParent for your server.
  • You could (alternatively) replace http://localhost:3128 with the address of your upstream proxy.


ClamAV / freshclam

How do I configure freshclam to download updates for ClamAV through a proxy server?

Based on examination of /etc/e-smith/templates/etc/freshclam.conf/ProxySettings:

config setprop clamav HTTPProxyServer localhost
config setprop clamav HTTPProxyPort 3128
config setprop clamav HTTPProxyUsername ""
config setprop clamav HTTPProxyPassword ""
expand-template /etc/freshclam.conf
sv t freshclam

  • The code shown will proxy ClamAV updates through your local squid proxy.
  • You could (alternatively) replace the values shown above with the values required for any upstream proxy.
  • Bugzilla:542


When freshclam is run:

[root@gateway0 ~]# freshclam
ClamAV update process started at Mon Nov 12 09:22:00 2012
main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
daily.cvd is up to date (version: 15564, sigs: 284901, f-level: 63, builder: guitar)
bytecode.cld is up to date (version: 191, sigs: 37, f-level: 63, builder: neo)

The following may appear

[LibClamAV] Detected duplicate databases /var/clamav/daily.cvd and /var/clamav/daily.cld, please manually remove one of them
[LibClamAV] Detected duplicate databases /var/clamav/main.cvd and /var/clamav/main.cld, please manually remove one of them

If you just leave it, freshclam should take of this as it is just log noise. See Bugzilla:7164

Spamassassin

From http://wiki.apache.org/spamassassin/RuleUpdates:

What if I need update requests to go through a proxy server?
sa-update uses the LWP::UserAgent module, which allows certain environment variables to be set so that requests use defined proxy servers. The main one of interest is "http_proxy", which should be set to an URL defining the proxy. ie: export http_proxy='http://proxy.example.com:8080/'

On a sme server, this should work with export http_proxy='http://localhost:3128', which would need to be added to /etc/cron.daily/sa_update

curl, wget

For curl and wget to work correctly on a SME server without direct internet access, you must execute the following command in the same program or shell session beforehand:

export http_proxy=localhost:3128

eg:

export http_proxy=localhost:3128
curl http://www.google.com

ssh, ftp, telnet

Important.png Note:
ssh, ftp and telnet do not work via an http "upstream" proxy, although they may work in conjunction with tsocks (available from the dag repository)


Testing and Verification

You can verify that a particular program is being proxied through squid on your local SME server by searching /var/log/squid/access.log for access to the target web address originating from '127.0.0.1'.

That is, after executing these commands:

export http_proxy=localhost:3128
curl http://www.google.com

you should see an entry similary to the following /var/log/squid/access.log:

1329759611.923     64 127.0.0.1 TCP_MISS/301 726 GET http://www.google.com - DIRECT/74.125.113.94 text/html

Memory usage and limits

  • How much memory can sme server handle

SME server currently (v7.3) supports 16GB of RAM, with a maximum of 3GB per process. These limits can easily be increased to 64GB total and 4GB per process by installing and running the "hugemem" variant of the kernel

  • Why does my sme server always seem to be using all the memory, there is no spare memory left

Utilities such as top or htop always report that all available memory is being used. The Linux OS is designed to utilise all available memory all of the time. If other processes require more memory then it is made available to those processes. Fully utilising all the available memory is a good thing as it optimises the performanece of your server.

  • How can I tell if my sme server needs more memory

Watch the availabe swap memory usage eg using top, htop or ps -aux. If swap memory usage regularly exceeds 50% of the available swap memory, then you should add more physical RAM to your system. Other indications that additional RAM is required are "out of memory" messages in log files, and at times the server becomes inactive for a period, often related to spam & virus scanning & high email loads.