SME Server:Documentation:Administration Manual:Booklet

Revision as of 14:56, 20 April 2007 by Berdie (talk | contribs)



Welcome to Koozali SME Server 10

Congratulations on choosing the Koozali SME Server as your network and communications server!

Koozali SME Server is an open-source Linux server distribution designed to be:

  • Simple to setup and use: Installation and basic configuration can take less than 20 minutes, and every standard configuration option can be set via a web-based interface.
  • Secure and stable to operate: Koozali SME Server only includes what is necessary. Stability comes from using proven, supported RPM packages and from an update system that notifies you of available updates.
  • Cross-platform and extendable to meet future needs: SME Server already has everything necessary to provide the core services most people need to network Linux, Macintosh, and Windows systems.
  • Completely free to use: any support users can offer the project is, however, much appreciated.
  • Download the ISO from http://wiki.contribs.org/SME_Server:Download

The heart of Koozali SME Server is based on the GPL-licensed (and therefore open) source code of the unsupported developer release of SME 7.0 alpha from Mitel, who are the copyright holder for much of what makes SME Server what it is. Mitel's commercial offering is known as the "Mitel Managed Application Server"; it was originally conceived as "e-Smith". Mitel has been very generous in funding development of early alpha and beta versions and in keeping to the spirit of the GPL by sharing their source code freely.

Koozali SME Server 10 is an RPM-based distribution that uses many packages from CentOS, EPEL, Remi-safe and OpenFusion (RepoForge, which earlier served the same purpose, is now deprecated). CentOS 7 is built from the publicly available Red Hat Enterprise Linux source RPMs and aims to be binary compatible with it; EPEL, Remi and OpenFusion are third-party repositories that build RPMs not included with CentOS. Almost all of the packages that SME Server includes from these upstream sources are included unmodified. The purpose of doing so is to take advantage of the stability that comes from the huge user base that uses these packages, for security, and to allow automatic updates as soon as an update is available from the upstream vendor. What Koozali adds to this solid base is easy and secure ways to administer and manage all of it in a way that incorporates best practices and ease of use. This means that people not expert in server administration and Linux can safely manage an Internet-connected server. Security updates from Red Hat/CentOS for CentOS 7 are scheduled to be available until the end of June 2024 (its published end-of-life date); after that the base system will no longer receive upstream security fixes.

About This Manual

This manual walks you step-by-step through the straightforward process of installing and configuring your Koozali SME Server. The Appendices and Glossary provide background information on subjects related to networking and the Internet and are intended to supplement chapters in the main section of this document.

Production

This document was revised on the wiki at https://wiki.koozali.org/

History

Originally released in 1999 as "e-smith Server and Gateway", right from the start the SME Server adopted the principles that it still follows: simplicity of administration, security by default, and using proven foundations. Originally based on the freely available Red Hat Linux, it moved rapidly through its early releases to version 4.0 and was widely adopted. The e-smith company was bought by the enterprise communications supplier Mitel, which offered unified office servers based upon e-smith, renamed the "Managed Application Server", and continued development up to version 6.0.

Mitel later generously donated the 6.0 code base back to the community, which eventually continued with version 6.x point releases. By then development had moved to a CentOS base, a rebuild of Red Hat Enterprise Linux and the same upstream from which Oracle Unbreakable Linux is built. We may again opt for a new code base moving forward.

Below are listed the last few generations of Koozali SME Server that are still in use; point releases are not included. Please note that only the latest release (v.10 pending) is supported with security updates.

Why "Koozali"? The word "Koozali" approximates to the Swahili for "rebirth"

  • rc1 Mar 2021 - release candidate 1 of Koozali SME Server 10.0 which is based on CentOS 7.0
  • 30 Jun 2014 - The stable release of Koozali SME Server 9.0 which is based on CentOS 6.5
  • 25 May 2012 - The stable release of SME Server 8.0 which is based on CentOS 5.8

Before that there was a long series of version 7:

  • 4 March 2006 - The stable release of SME Server 7.0 which is based on CentOS 4.3

Early versions were published by e-smith, Mitel and contribs.org.

Documentation has been continuously developed, and the earlier releases form the underlying basis for this manual.

The current version of Koozali SME Server has moved on a very long way from its ancestors, but still follows the same core principles.

Endorsements

This is the official documentation for SME Server and is endorsed by the developers at https://wiki.koozali.org/

Acknowledgements

Thank you to the developers that create and maintain the SME Server distribution. And thank you to the companies and people that support the developers.

Software Licensing Terms and Conditions

The Koozali SME Server is licensed under the GNU General Public License (GPL). This means that you are free to use and alter the software. If you alter any of the packages and distribute the result, you must make the source code (ideally as patches) freely available. The agreement is found on the ISO. Acceptance of this agreement is required during the software installation.



Koozali SME Server users may copy and redistribute this software. The text of the GPL license may be found at http://www.fsf.org/licensing/licenses/gpl.html. Some packages may have an alternate open source licence. The applicable license for each software module is specifically identified and can be seen by running the rpm -qiv packagename command, from the command line. Details on other open source licences can be obtained here: http://www.opensource.org/licenses/.

About Our Example Company: The Pagan Vegan

In this manual, we use examples of a catering and event-planning company, The Pagan Vegan or TPV, that configures, administers and makes use of their server. As far as we know, no company of this name exists.

What's New

For the most complete list of information about changes that have been made in SME Server, see the release notes that accompany your download.

Server version 10.x Features

The Koozali SME Server server and gateway installs automatically on a PC, converting it to an industrial-strength communications server that optionally allows all of the computers on your network to share a single Internet connection.

In one simple, easy-to-install package, you get:

  • A high performance email server that handles email to and from your users.
  • Enhanced security features that reduce the risk of intrusion.
  • Let's Encrypt support.
  • A central file server enabling seamless information exchange among Windows, Macintosh and Unix machines.
  • A web server to host your company web and/or intranet site.
  • Browser based server-manager software that makes it easy to add new user accounts, control remote access, configure network printers, set up workgroups and connect additional networks.
  • Special services that speed web and Internet access, improving the performance of your network.
  • A shared email address book that is maintained automatically.
  • i-bays, a unique communications and collaborative facility that makes it easy for users to work together on projects.
  • Quota Management - you have the ability to set a limit on the amount of a disk space a user can use for files and e-mail.
  • USB printer support.
  • Secure email: POP3/SSL, IMAP/SSL, SMTP/SSL, SMTP AUTH over SMTP/SSL.
  • Horde Groupware from horde.org has been upgraded to the latest version, including the Webmail client
  • SMTP email reception is handled by qpsmtpd, enabling powerful filtering and functionality via plugins. An advanced but simple to use plugin system is provided to enable easy install of extra functionality and to write local rules. Almost all features are implemented via plugins.
  • Antivirus email and hard drive scanning is provided by ClamAV. Virus definitions are kept up to date automatically, and program updates will be available automatically via the software installer (yum).
  • Email attachment handling: Including the ability to block EXE, ZIP, PIF and automatic conversion of TNEF or UUENCODE encoded attachments to MIME.
  • Spam Filtering with Spamassassin. Automatic tagging with X-spam-status headers, and optional filtering and subject tagging. Configurable rejection levels.
  • Much reduced requirement for reboots on system software changes with dedicated events on the installation and update of key components.
  • Encryption standards corresponding to the industry standards for 2021.
  • Enhancement to the pseudonyms panel. You are able to send (e.g.) support@domain1 and support@domain2 to different places, and you can enter pseudonyms of pseudonyms.
  • Yum based Software installer panel. Approved contribs and official updates can be installed in the server-manager. Selectable "Automatically install updates" option.


The role of the Koozali SME Server

Your Koozali SME Server can manage your connection to the Internet by routing Internet data packets to and from your network (which allows all the computers on your network to share a single Internet connection) and by providing security for your network, minimizing the risk of intrusions. When one of your local computers contacts the Internet, or is contacted by an outside machine on the Internet, the SME Server not only routes that connection but interposes itself into the communication using network address translation (NAT), so that only the server's own address is visible from outside. This prevents a direct connection from being established between an external computer on the Internet and a computer on your local network, thereby significantly reducing the risk of intrusion onto your network.

Your server also provides services - including e-mail, web access and a powerful file sharing and collaboration feature called "i-bays" - that allow you to communicate better internally and with the rest of the world using the Internet.

Throughout this user's guide, the word gateway is used to mean the device that acts as the interface between your local, internal network and the external world.

Server and gateway mode.png

Illustration of flow for Server and Gateway and Private Server and Gateway Modes


If you prefer, you can also run your SME Server in "server-only" mode. In "server-only" mode, your server provides your network with services, but not the routing and security functions associated with the role of "gateway". The server-only mode is typically used for networks already behind a firewall. In that configuration, the firewall fulfills the role of gateway, providing routing and network security.

Server only mode.png

Illustration of flow for Server only Mode


Once installed, your SME Server can be configured and managed remotely. Routine administration is handled from your desktop using a web-based interface, so only on rare occasions will you require direct access to the server computer. Once installation is complete, most customers put the server in an out-of-the-way place like a utility closet. If you wish, you can disconnect the keyboard and monitor. (Note that some computers may not operate correctly without an attached keyboard.)


Tip: More About Ethernet

Appendix A: Introduction to the Ethernet Local Area Network (LAN), briefly explains ethernet, ethernet components and typical ethernet configuration.


Your Internet Service Provider (ISP)

Your Internet Service Provider or ISP is your connection to the Internet - it routes Internet data packets to and from your server. It also provides other essential services. This section of the user's guide reviews what ISPs offer and what the implications are in choosing among the various options available to you. While your ISP can also assist you in selecting and arranging the right Internet services for your organization, it's important to know the general range of services available, since not all ISPs offer all services.


Warning:
If you are operating the product in "server-only" mode and want to use it for email services or to provide websites accessible on the internet, you will need to review your gateway/firewall documentation and perhaps consult with your ISP regarding your configuration. For example, depending on your plans for the server, your ISP may need to publish DNS records associating your mail and/or web servers with your firewall IP address. You may also need to configure your firewall for port forwarding of services.

In server-only mode, the single Ethernet connection to the local network is "trusted" as being secure and packet filtering is disabled. For that reason, a server-only server must always be behind a local firewall. You should not directly connect such a system to the Internet via an Internet Service Provider.


Different forms of connectivity

Connectivity, also referred to as Internet access type, refers to the physical connection between your site and your ISP. How you connect to your ISP affects the speed of your Internet connection, which, in turn, impacts such things as how quickly your web site is displayed to visitors.

Dedicated connectivity refers to a full-time connection to your ISP and this is the usual way of connecting at this time.

Dedicated connections are generally faster and may allow you to use the full range of services on your server. There are several common types of dedicated connectivity:

  • ADSL(2) provides relatively fast data transmission over phone lines.
  • FTTC (fibre to the cabinet) provides a potentially very fast connection via optical cables to the street cabinet and copper phone wires to the dwelling/office.
  • FTTP (fibre to the premises) where available offers very fast direct-to-premises optical connections which may be shared amongst dwellings/offices.
  • Direct optical connection via suppliers will have a terminator in the premises and can offer gigabit speeds or above.
  • Cable connection links you to your cable company, which provides you with many (though not all) of the same services as a traditional ISP. The speed of transmission over a cable network can vary widely (from quite fast to very slow) based in part on the usage within your neighborhood.
  • 4G and soon 5G connection over the mobile network is an option in some rural situations that are outside the reach of fast physical connections.
  • Satellite connectivity: connection either one way (down only, with up over a physical link) or more commonly now two-way. This has had the problem of high latency when used with geo-stationary satellites. New low-earth satellite constellations are becoming available that solve this issue.

Dial-up

  • Where all else fails, connection can be via dialup modems. With dialup connectivity, your server is not usually permanently connected to the Internet. Rather, it connects to your ISP over a phone line using a modem or ISDN adapter. Because your connection to the Internet is not permanent, some of the services on your server cannot be provided to the outside world. For example, having your server host your external company web site would create a problem because whenever your server was not connected to the Internet, the web site would not be available. (However, it could certainly host an intranet web site because the local network would always be connected.)

The IP address

An IP address is an identifying number assigned to all devices connected to the Internet, and is used in routing information from one device to another. Like your phone number, your IP address enables other people to reach you. In our standard configuration, your ISP only needs to allocate one IP address for your network. It is assigned to your server, which will accept all the Internet data packets intended for your network and distribute them to the appropriate computer - much like an office receptionist is able to accept incoming calls and direct them to the appropriate extension.

IPv4 and IPv6 addressing

Everything in this manual to date refers to IPv4 (IP version 4) addressing. The world is running out (technically speaking, has run out) of IPv4 addresses. ISPs have adopted various strategies to work around this shortage, such as sharing one public address among many customers with carrier-grade NAT, and much of the world is still running on IPv4.

Nonetheless IPv6 addresses will have to be used at some future point, although few ISPs offer direct IPv6 connectivity even in 2021. For now, everything in this manual concerns IPv4; the underlying system is, however, fully IPv6 capable. Considerable extra work is called for to integrate that support into the system, and this is not a priority for now; eventually of course it will be. If you wish to contribute to this work, please consider volunteering or offering code.


Static versus dynamic IP addressing

A static IP address never changes. It is permanently assigned to your server by your ISP.


Note:
Static IP addressing is preferable to dynamic IP addressing because it makes it easier for users on the Internet to connect to your services.


Dynamic IP address assignment means that your IP address is assigned to you only temporarily and may be changed by your ISP. This makes it more difficult to ensure continuity of service to your network. Consider again our telephone number analogy. When your telephone number changes, you are able to place outgoing calls. However, until your new phone number is registered with Directory Services, other people are unable to look up your new number and place calls to you. Similarly, whenever your IP address changes, a record associating your server with its new IP address must be published with the equivalent of Directory Services (known as Domain Name Service or DNS) before incoming traffic can find you.

If your IP address is dynamically assigned and you have a dedicated connection to your ISP (for example, with a typical cablemodem), you may find it helpful to use a dynamic DNS service. We strongly recommend you review Appendix B: Dynamic DNS services for more information about this worthwhile option.

Routable versus non-routable IP addresses

If an IP address is analogous to your phone number, then a routable IP address is the equivalent of a full telephone number complete with country code and area code such as +1-613-555-1234. Using the same analogy, a non-routable address is the equivalent of an office extension. If your server is assigned a non-routable address, it cannot directly receive incoming Internet connections, which limits the services that it can provide to your site.

The following three groups of IPv4 addresses are reserved by RFC 1918 for private (non-routable) use:

10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
192.168.0.0 - 192.168.255.255 (192.168.0.0/16)


The first and last of these groups are preferred for private networks. Note that only 172.16.0.0/12 is private; the rest of 172.0.0.0/8 is public address space, and some operators filter it by mistake:

"In August 2012, ARIN began allocating "172" address space to internet service, wireless, and content providers. There have been reports from the community that many network operators are denying access to devices having IP addresses from within the entire 172 /8 range. As a result, any device with a 172.x.x.x IP address may have difficulty reaching some sites on the global Internet." See ARIN for more on this.


Warning:
If you wish to join two networks via VPN it is IMPERATIVE that they use different, non-overlapping IP blocks, e.g. 192.168.100.0/24 and 192.168.200.0/24, for traffic to be routed between them. Two sites that both use 192.168.1.0/24 cannot be joined without renumbering one of them.
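
As an added example (not code from the SME Server manual or project), the following Python uses the standard ipaddress module to classify an IPv4 address against the three RFC 1918 ranges listed above, and to check that the networks you intend to join over a VPN do not overlap, which is the condition the warning above describes. It goes slightly beyond the text by checking any number of sites against each other rather than just two. The sample networks and addresses are constructed for illustration.

```python
"""Added example: RFC 1918 classification and VPN subnet overlap check."""
from itertools import combinations
import ipaddress

# The three private ranges listed in the manual, in CIDR form (RFC 1918).
RFC1918_BLOCKS = (
    ipaddress.ip_network("10.0.0.0/8"),       # 10.0.0.0 - 10.255.255.255
    ipaddress.ip_network("172.16.0.0/12"),    # 172.16.0.0 - 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),   # 192.168.0.0 - 192.168.255.255
)


def private_block(addr):
    """Return the RFC 1918 block (as a string) that contains `addr`,
    or None when the address is outside all three ranges.

    Only 172.16.0.0/12 is private: 172.32.0.1, for example, lies in
    the public part of 172.0.0.0/8 and is reported as routable."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("only IPv4 addresses are handled here")
    for block in RFC1918_BLOCKS:
        if ip in block:
            return str(block)
    return None


def vpn_sites_compatible(local_cidr, remote_cidr):
    """True when two site networks can be routed to each other over a VPN,
    i.e. the address blocks do not overlap at all. Identical blocks, or
    one nested inside the other, both make routing impossible."""
    local = ipaddress.ip_network(local_cidr, strict=False)
    remote = ipaddress.ip_network(remote_cidr, strict=False)
    return not local.overlaps(remote)


def overlapping_pairs(cidrs):
    """Check every pair in a list of site networks and return the pairs
    that overlap, as (cidr_a, cidr_b) tuples in their original order.
    An empty list means all the sites can be joined by VPN as they are."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [
        (str(a), str(b))
        for a, b in combinations(nets, 2)
        if a.overlaps(b)
    ]


if __name__ == "__main__":
    # Constructed sample: two sites that can be joined, and a third that
    # collides with the first (192.168.100.128/25 lies inside the /24).
    sites = ["192.168.100.0/24", "192.168.200.0/24", "192.168.100.128/25"]
    print("overlapping:", overlapping_pairs(sites))
    for a in ("10.1.2.3", "172.20.1.1", "172.32.0.1", "203.0.113.7"):
        print(a, "->", private_block(a))
```

Run the overlap check on the LAN addresses of every site before configuring the VPN; if it reports any pair, renumber one of the sites first, since no VPN configuration can route between two networks that claim the same addresses.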


Arranging connectivity with your ISP

If you are going to be using your server in "server and gateway" mode, you will need to arrange for a connection to the Internet. Your ISP will help you connect your site and provide you with services that enable you to take advantage of the Internet (e.g. e-mail delivery). To some extent, the type of connection used determines the services needed. Therefore, we guide you first through arranging connectivity and then direct you to the appropriate list of services for each type of connection. The terms used in the following sections are defined at the end of this chapter.

To connect your site to the Internet, you not only need to arrange your physical connection (modem, ISDN, DSL, cable modem, etc.), but you also need to ensure that your server can locate the appropriate devices at your ISP's site. Your ISP will give you this information (e.g. IP addresses for their devices) which must eventually be entered into your server console (a straightforward process covered in a later chapter). Many ISPs use a DHCP server which can directly configure your server with some or all of these parameters.

Ordering a corporate ADSL or other commercial dedicated connection

Typically, your ISP will arrange for and configure your external hub and router. Alternatively, you may be required to install that hardware yourself under their direction. If a special phone line is required, the ISP will typically arrange that. It is most typical with corporate service that you receive a routable, static IP address. In fact, usually you will be allocated a block of routable, static IP addresses for your corporation - you will need only one for your server.

Network1.png

Information provided to you by your ISP:

  • static IP address (or block of addresses from which you choose one)
  • IP address of router ("gateway IP address")
  • subnet mask

Order services from: Service List A

Ordering cablemodem or residential ADSL service

Typically, your cable company or ADSL provider will install a configured cablemodem or ADSL router at your site. If you do not have cable access, your cable company will install it for you. ADSL connects to the ISP via a conventional phone line. If you require an additional phone line, it is typical for you to arrange that yourself. There are three possible configurations when ordering cablemodem or residential ADSL services.

Network2.png


Note:
In the tables below, please keep the following information in mind:
  • ISPs often supply the items marked * to your server by DHCP.
  • Some ISPs block outgoing HTTP connections, forcing you to use their proxy server. This interferes in a few minor ways with your server (e.g., the test for Internet connectivity will fail erroneously). However, using the ISP's proxy server will normally work fine.


1. You receive a routable, static IP address

Information provided to you by your ISP:

  • static IP address
  • IP address of cablemodem or ADSL router ("gateway IP address")
  • subnet mask

Order services from: Service List A

2. You receive a routable, dynamically assigned IP address and you elect to use a dynamic DNS service (We encourage you to review Appendix B: Dynamic DNS Services for a discussion of dynamic DNS services.)

Information provided to you by your ISP:

  • gateway IP address*
  • subnet mask*

Information provided by dynamic DNS service:

  • DNS service account name
  • DNS service password

Order services from: Service List B

3. You receive a routable, dynamically assigned IP address and you elect not to use a dynamic DNS service OR your IP address is non-routable.

Information provided to you by your ISP:

  • IP address of cablemodem or ADSL router ("gateway IP address")*
  • subnet mask*

Order services from: Service List D

Ordering a dialup connection

It is typical for you to purchase and install your own modem or ISDN adapter for your dialup connection. (Be sure to use a Linux-compatible modem; WinModems will not work.) Your modem connects to your ISP over a conventional phone line. If you require an additional phone line, it is typical for you to arrange that yourself.

Network3.png

Your ISDN adapter will connect to the ISDN connection installed by your ISP or local telecommunications provider. The software can work with external ISDN adapters and includes support for passive ISDN cards.


Warning:
While the software includes experimental support for ISDN cards, we do not provide technical support for the use of these cards as they have not yet been tested in a wide enough variety of environments.


There are two possible configurations with dialup service:

1. Your ISP is able to meet all of the following three conditions:

  • you receive a routable, static IP address
  • your ISP will provide a secondary mail server for your domain, which receives e-mail when your server is not connected.
  • your ISP is able to accept the "ETRN command". (This command is used by the server to retrieve the mail held by the ISP's secondary mail server.)

Information provided to you by your ISP:

  • static IP address
  • dialup access number
  • dialup account name
  • dialup account password

Order services from: Service List C

2. Your ISP is unable to meet all three of the above conditions

Information provided to you by your ISP:

  • dialup access number
  • dialup account name
  • dialup account password

Order services from: Service List D

Arranging Services From Your ISP

In each of the previous sections on connectivity, we direct you to the appropriate list of services that should be ordered from your ISP.

Service List A

  • domain name set up and hosting
  • publication of DNS address records for your web server, FTP server and e-mail server
  • publication of DNS mail (MX) records
  • secondary mail server (optional)
  • Internet news server (optional)

Service List B

Services to order from ISP:

  • secondary mail server (optional)
  • Internet news server (optional)

Services From Dynamic DNS Service

  • domain name (depending on the service purchased, your dynamic DNS service may restrict what your domain name can be)
  • publication of DNS address records for your web server, FTP server and e-mail server
  • publication of DNS mail (MX) records

Service List C

  • PPP dialup access (with static IP)
  • domain name
  • publication of DNS address records for your e-mail server*
  • publication of DNS mail (MX) records
  • secondary mail server (ETRN must be supported)
  • Internet news server (optional)

Your web and FTP servers are available to the external world only when your server is connected to the Internet. DNS address records for web and FTP servers only need to be published if it is likely that someone external to your site will need to connect to them for a particular reason.

Service List D

Please read the important notes (below) on the limitations of this configuration.

  • PPP dialup access (if you are using dialup connectivity)
  • POP mailbox (with generous size limitation)
  • domain name - route all mail for domain name to the single POP mailbox
  • Internet news server (optional)


Warning:
Note on Service List D (Multidrop Mail)
Service list D is applied to configurations where the publication of DNS records is not practical either because your IP address changes frequently or because it is non-routable. Because there is no published address receiving incoming network connections, this configuration does not allow you to host a web page or FTP site using your SME Server.

In this case, e-mail is handled using a method called "multidrop", which involves temporarily storing all e-mail messages addressed to your domain in a POP mailbox at your ISP until your server connects and fetches them. Your POP mailbox must be large enough to hold the e-mail for your organization until it is fetched. If your primary ISP cannot supply this, you can use another ISP for your e-mail hosting.

As e-mail messages are delivered into the POP mailbox at your ISP, the SMTP envelope recipient (the address actually used to route the message) is lost and only the message headers remain. To determine to whom the e-mail message is addressed, your server therefore applies several heuristics to those headers. This works very well for normal person-to-person e-mail. However, messages from mailing lists, Bcc copies and other sources where the user's address is not present in the headers cannot be delivered. Any e-mail that cannot be delivered will be returned to the sender. If the e-mail cannot be returned to the sender, it will be directed to the system administrator.

Some ISPs add a header to each e-mail message as it enters the POP mailbox to assist in determining the addressee. One common header tag is: "X-Delivered-To". If your ISP does this, make note of the header tag used so that you can configure your server to look for it (explained in a later section).

Because of the potential problems involved with delivery of e-mail to multidrop mailboxes, we strongly encourage you to consider other means of mail delivery before resorting to using multidrop.
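
As an added example, not SME Server's own code, the following Python shows the header-based approach the note above describes and its failure mode: an ISP-added header such as "X-Delivered-To" is consulted first, then the visible recipient headers, and a message that names nobody at the local domain is bounced to its sender or, when there is no usable sender, handed to the administrator. The domain, header name, administrator account and the four sample messages are all assumed or constructed for illustration; the actual heuristics used by SME Server are not reproduced.

```python
"""Added example: choosing the local mailbox for mail fetched from a
multidrop POP mailbox. Not SME Server code; illustrates the policy in the
manual's note on Service List D."""
from email import message_from_string
from email.utils import getaddresses

LOCAL_DOMAIN = "tpv.example.com"   # assumed domain for The Pagan Vegan
ISP_HEADER = "X-Delivered-To"      # assumed: the header your ISP adds on delivery
ADMIN_ACCOUNT = "admin"            # assumed name of the administrator mailbox


def _local_user(addresses, domain):
    """Return the account name of the first address at `domain`, else None."""
    suffix = "@" + domain.lower()
    for _name, addr in addresses:
        addr = addr.lower()
        if addr.endswith(suffix):
            return addr[: -len(suffix)]
    return None


def local_recipient(raw_message, domain=LOCAL_DOMAIN, isp_header=ISP_HEADER):
    """Work out which local account a multidrop message is for.

    The POP mailbox has already lost the SMTP envelope recipient, so we
    look at (1) the header the ISP adds when it files the message, then
    (2) the visible recipient headers. Returns the account name, or None
    when no header names anyone at the local domain (typical for mailing
    lists and Bcc copies)."""
    msg = message_from_string(raw_message)
    # 1. The ISP's delivery header is the most reliable source when present.
    user = _local_user(getaddresses(msg.get_all(isp_header, [])), domain)
    if user:
        return user
    # 2. Otherwise scan the recipient headers a sender normally fills in.
    for header in ("To", "Cc", "Resent-To", "Apparently-To"):
        user = _local_user(getaddresses(msg.get_all(header, [])), domain)
        if user:
            return user
    return None


def route(raw_message, **kw):
    """Decide what to do with one fetched message, following the note:
    deliver when a local user is found, otherwise return it to the sender,
    and when there is no usable sender (empty Return-Path) give it to the
    administrator. Returns ("deliver", account) or ("bounce", sender)."""
    user = local_recipient(raw_message, **kw)
    if user:
        return ("deliver", user)
    msg = message_from_string(raw_message)
    senders = [a for _n, a in getaddresses(msg.get_all("Return-Path", [])) if a]
    if senders:
        return ("bounce", senders[0])
    return ("deliver", ADMIN_ACCOUNT)


# Constructed sample messages (not real traffic).
MSG_DIRECT = (
    "Return-Path: <alice@example.org>\n"
    "From: Alice <alice@example.org>\n"
    "To: Bob <bob@tpv.example.com>\n"
    "Subject: catering quote\n\nHi Bob\n"
)
MSG_ISP_HEADER = (  # local user was Bcc'd; only the ISP header reveals her
    "Return-Path: <alice@example.org>\n"
    "X-Delivered-To: carol@tpv.example.com\n"
    "From: Alice <alice@example.org>\n"
    "To: Orders <orders@example.org>\n"
    "Subject: order confirmation\n\nHello\n"
)
MSG_LIST = (  # mailing list: no local address anywhere in the headers
    "Return-Path: <owner-vegan-news@lists.example.net>\n"
    "From: news@lists.example.net\n"
    "To: vegan-news@lists.example.net\n"
    "Subject: [vegan-news] digest\n\nText\n"
)
MSG_NO_SENDER = (  # bounce with a null sender: nowhere to return it
    "Return-Path: <>\n"
    "From: MAILER-DAEMON@example.org\n"
    "To: vegan-news@lists.example.net\n"
    "Subject: delivery failure\n\nText\n"
)

if __name__ == "__main__":
    for m in (MSG_DIRECT, MSG_ISP_HEADER, MSG_LIST, MSG_NO_SENDER):
        print(route(m))
```

The second and third samples show why the note recommends avoiding multidrop where you can: without the ISP's header, a Bcc'd or list message carries no trace of the intended local user, and the best the server can do is bounce it.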


Terms used in ordering connectivity and services

See Glossary

Hardware Requirements of the SME Server

Warning:
Version 10.0 of SME Server is based on CentOS 7 and version 9 on CentOS 6.5. Both are 64-bit (x86-64) only; they are not compatible with 32-bit i586 hardware.


The minimum hardware requirements of the SME Server are modest compared with other server software available today. However, because of its critical role in your office, selecting an appropriate host computer is important. While most desktop computers will run Koozali SME Server, server-grade computers are designed to run continuously and are a good choice for critical infrastructure. The hardware requirements of the host computer depend on such things as the number of users on your network, whether you plan to use the proxy server on the server, and the speed of your Internet connection.

When you consider the requirements, please be aware of the following notes:

  • The server ships with the remote access services disabled by default. Enabling webmail will increase the resource requirements of your server, in particular the memory requirement. Other remote access services, such as SSH and VPNs, are also processor-intensive. You should consider a fast processor speed if you intend to make significant use of these services.
  • The server should work with any x86-64 compatible CPU that can run CentOS 7, the base of SME Server 10. Note that AMD desktop (as opposed to server-grade) processors have not been tested by upstream, and a notice will be displayed accordingly; however, many users are employing them satisfactorily at all levels of utilisation.
  • The amount of available RAM is one of the most important considerations for server performance as it reduces the load on the disks. If a tradeoff is required, extra RAM will usually be more beneficial than a faster CPU.
  • For a dedicated connection in server and gateway mode, your server requires two ethernet adapters (also called network adapters or network interface cards). For a dialup connection or server-only mode, one ethernet adapter is needed.


Note:
Version 10.0 of Koozali SME Server is based on CentOS 7. It is important that any hardware chosen for the server has been tested for compatibility before deployment. We expect that all hardware which is marked as "Certified" or "Compatible" for Red Hat Enterprise Linux 7 on the Red Hat hardware compatibility web site (RHEL7) will function correctly with Koozali SME Server 10.0. We cannot recommend the use of server hardware which is not listed as "Certified" or "Compatible", although it may very well work.


4.1. Minimum Hardware Requirements

The following information outlines what we consider the bare minimum system that will function as a basic file/print server and network gateway. We do not believe such a system will provide satisfactory performance for CPU-intensive features such as webmail, remote access via VPN, and the virus and spam scanners. To utilize all the features of SME Server 10.0, please have a look at the 'Recommended' Hardware Requirements. Note: as Koozali SME Server is based on CentOS 7, the hardware requirements and support for CentOS 7 also apply here.

Table 4.1 Minimum Hardware Requirements
  • Architecture: PCI-based x86-64 compatible processor
  • Processor speed: 1800 MHz
  • RAM: 2048 MB to install and run with ClamAV disabled; 4096 MB to run all services including ClamAV effectively; more memory is better
  • Hard drive: SATA/PATA or SCSI, at least 10/20 GB (or a 2 TB disk)
  • SCSI adapter: must appear on the supported list (only necessary for SCSI systems)
  • Ethernet adapter(s): the ethernet adapters installed on your server must appear on the supported list
  • Modem (for dialup only): only Linux-compatible modems may be used; WinModems are not supported
  • CD-ROM drive: SATA, ATAPI or SCSI
  • USB drive or key: USB2 is recommended for the install, as issues may arise when booting from USB3 keys or drives; USB3 drives are faster for backups etc.
  • Monitor: any
  • Graphics card: any supported

4.2. Recommended Hardware Requirements

The following information is what we would suggest is the recommended minimum to utilize all the features of SME Server 10. How many users this configuration will support depends on how heavily the server will be utilized, but should be sufficient for at least 25 users.


Table 4.2 Recommended Hardware Requirements
  • Architecture: PCIe-based x86-64 compatible processor
  • Processor speed: multi-core, 2 GHz
  • RAM: at least 4 GB for all services; 8 GB supports most likely applications; more will be utilised if available
  • Hard drive: one or more SSD/NVMe/SATA/PATA or SCSI drives, at least 50 GB for the system and more for the space needed by your data; server-grade drives are strongly recommended for critical servers
  • SCSI adapter: must appear on the supported list (only necessary for SCSI systems)
  • Ethernet adapter(s): the ethernet adapters installed on your server must appear on the supported list
  • Modem (for dialup only): only Linux-compatible modems may be used; WinModems are not supported
  • CD-ROM drive: SATA, ATAPI or SCSI; optional if the installer is put on a USB key
  • USB drive or key: USB2 is recommended for the install, as issues may arise when booting from USB3 keys or drives; USB3 drives are faster for backups etc.
  • Monitor: any
  • Graphics card: any supported

4.3. Hard Drive Configuration

For default RAID configuration options as chosen by the installer, please see here: [RAID settings]

Do please note that the installer expects drives to be empty. Previously used drives should be wiped before being used for an install: this is sometimes tricky depending on which operating system was previously installed. Please see Here.

Do also note that selecting "Default Configuration" for storage from the text or GUI installer will override the SME defined automatic boot configuration for RAID! To recover from this a reboot will be necessary to reimplement the configuration before starting the installation.

4.4. Supported Ethernet or SCSI Adapters, or Tape Drives

Either one ethernet adapter (in the case of dialup connectivity or server-only mode) or two ethernet adapters (for dedicated connections in server and gateway mode) must be installed on your SME Server. Your ethernet adapters must be supported by Red Hat Enterprise Linux 7.

If the computer you plan to use for your server has a SCSI hard disk, your SCSI adapter must be supported by Red Hat Enterprise Linux 7.

If you intend to use the tape backup capabilities of the SME Server, you must have a tape drive that is supported by Red Hat Enterprise Linux 7.

4.5. Virtualisation requirements

  • Virtualbox
  • Proxmox
  • Linux KVM
  • VMWare
  • etc.

You can virtualize the Koozali SME Server on any computer whose processor has the AMD-V or Intel VT-x extensions. You need these extensions to use more than one core in the virtualised guest. Note: sometimes, although supported by the CPU, this has to be enabled in the BIOS.

The amount of memory is a minimum of 2 GB for the guest to be comfortable, and at least 4 GB with a lot of contribs installed; as always with memory, more is usually better.

For more detailed information on a virtualized SME Server, please see the Virtual_SME_Server page.
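A host pre-flight check against the Table 4.1 minimums (x86-64 CPU, 2048 MB RAM) and the AMD-V/VT-x requirement in this section, added here as an example; it is not a script shipped with SME Server or taken from the manual. It reads /proc/meminfo and /proc/cpuinfo (or any file in that format) so it can be run on the intended host or, as in the demo function, on constructed samples. The flag names lm, vmx and svm are the standard /proc/cpuinfo flags for 64-bit mode, Intel VT-x and AMD-V; the 2048 MB threshold is the page's minimum.

```shell
#!/bin/sh
# Added example (not part of the SME Server manual or its install routines):
# pre-flight check of a host against the Table 4.1 minimums (x86-64 CPU,
# 2048 MB RAM) and the AMD-V / VT-x flags needed for multi-core guests.
# Works on /proc/meminfo and /proc/cpuinfo, or on any file in that format.

# ram_mb MEMINFO_FILE -> total RAM in whole MB, taken from the MemTotal line (kB)
ram_mb() {
    awk '/^MemTotal:/ { printf "%d\n", $2 / 1024; exit }' "$1"
}

# cpu_has_flag CPUINFO_FILE FLAG -> 0 if FLAG appears on a "flags" line
cpu_has_flag() {
    grep -Eq "^flags[[:space:]]*:.*[[:space:]]$2([[:space:]]|\$)" "$1"
}

# hw_preflight MEMINFO_FILE CPUINFO_FILE -> 0 if the minimums are met.
# Virtualisation flags are reported but do not fail the check: a flag in
# /proc/cpuinfo shows the CPU supports it, while the BIOS can still have it
# switched off, as the note above says.
hw_preflight() {
    status=0
    mem=$(ram_mb "$1")
    if [ -z "$mem" ] || [ "$mem" -lt 2048 ]; then
        echo "RAM ${mem:-unknown} MB is below the 2048 MB minimum" >&2
        status=1
    fi
    if ! cpu_has_flag "$2" lm; then
        echo "CPU lacks the lm flag, so it is not x86-64" >&2
        status=1
    fi
    if cpu_has_flag "$2" vmx || cpu_has_flag "$2" svm; then
        echo "VT-x/AMD-V supported by the CPU; confirm it is enabled in the BIOS"
    else
        echo "no vmx/svm flag: hardware virtualisation unavailable or hidden"
    fi
    return $status
}

# Constructed samples (not captured from a real host) so the check runs offline.
run_preflight_demo() {
    dir=$(mktemp -d) || return 1
    printf 'MemTotal:        8096532 kB\nMemFree:         1234567 kB\n' > "$dir/meminfo"
    printf 'processor\t: 0\nflags\t\t: fpu vme de lm constant_tsc vmx sse2\n' > "$dir/cpuinfo"
    hw_preflight "$dir/meminfo" "$dir/cpuinfo"
    rc=$?
    rm -rf "$dir"
    return $rc
}

run_preflight_demo
```

On a real host run `hw_preflight /proc/meminfo /proc/cpuinfo`; a non-zero exit means the machine is below the Table 4.1 minimum, and the vmx/svm line tells you whether the virtualisation section's requirement can be met at all before you go looking in the BIOS.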

Installing And Configuring Your SME Server Software

The following sections explain in detail the process of installing the SME Server software.


  Note:
It is recommended that a user take note of the details in the Release Notes for SME10 - Installing, and in particular the section covering Known Issues.



  Note:
If you have previously installed and configured a server and are reinstalling the software, please be aware that you should use the procedure described here in order to preserve your existing configuration and data. Simply performing a new installation will erase all previously existing user accounts, user directories, i-bay contents and web site and configuration parameters. If you have not already done so, you may - depending on the size of the data - wish to back up the contents of your server onto one of your desktop computers. You can do so easily by selecting "Backup or restore" from the server manager, as explained in chapter 10.1.


Install Targets

Koozali SME Server 10 can be installed on physical or virtual hardware, either on a local virtual host such as Proxmox, Linux KVM or Virtual Box, or in a cloud instance.

The installer will generally pick the correct options for the install, but these can be overridden if you have another preference; please see the install boot options below and the RAID page https://wiki.koozali.org/Raid for more details.

When the installer sees a single disk whether on virtual or physical hardware it will not install any RAID functions for obvious reasons, but LVM will be selected: you may prefer to not use LVM depending on your deployment plan. This can be specified as shown below.

Licensing Terms and Conditions

In installing the SME Server software, you are agreeing to the open source licensing terms and conditions associated with it. You can read these terms and conditions in Chapter 1.2 of this guide under the title Software Licensing Terms and Conditions.

RAID Support (Disk Mirroring and striping)

With SME Server, you have the ability to set up disk mirroring and striping, also called RAID. In disk mirroring, your data is written to two separate hard disks installed in your server. One is the mirror of the other. Should the primary disk experience a hardware failure, the mirror disk will continue operations as if nothing had happened. All of your data will be protected from the single disk failure. This does NOT replace the need for backups! Other levels of RAID offer similar protections with more disks incorporated.

RAID can be accomplished through either software or hardware. For software RAID options please see this page: https://wiki.koozali.org/Raid

Software RAID

The SME Server comes by default with RAID disk mirroring or striping: the level of RAID depends on the number of drives installed. The server is configured to accept any number of drives and will function properly. You can verify the RAID status from the console. If you later wish to add more drives, just add them and instruct the server via the console to create the mirror. It will take some time to build, so do it during scheduled maintenance. The drives can be SCSI, SATA or even IDE, but we strongly advise that they are the same size and type, or the usable capacity of the array will be limited by the smallest disk.

We strongly recommend that you consult the current technical information on SME Raid at http://wiki.contribs.org/Raid before commencing an install.

Hardware RAID

With hardware RAID, you use a special RAID disk controller to perform the actual striping across multiple disks. As RAID is performed in dedicated hardware, the performance may be faster than software mirroring, depending on the capabilities of the various hardware. Additionally Hardware RAID can simplify configuration and array rebuilds because to the operating system, the entire RAID disk system looks like one single disk. You should be able to use any supported SATA or SCSI hardware RAID controller. NB: other options than mirroring may be supported by the controller.


Upgrading From A Previous Version

Upgrading is somewhat more complex than a clean install on a system as settings and data from the old system need to be preserved. For this reason, we start with the Upgrade procedures.

Please make sure to be familiar with - https://wiki.koozali.org/SME_Server:10.1 - in particular Known issues updating from SME10.0

Upgrade from 9.x to 10.x
  Note:
In-place upgrades to SME 10.x using yum or CD are NOT supported due to design constraints imposed by CentOS and the move to systemd.

It is necessary to backup the old server and then restore to the new server. Contribs will need to be reinstalled.


With a physical server the simplest way to do this is via a Console Backup to a USB disk attached to the old server. Alternatively use one of the Backup & Restore options available in the Server Manager panel, i.e. backup to desktop, or backup to workstation (either to attached USB or network share). Other non-standard options exist to Backup virtual servers that do not have USB ports etc, and Restore to similar virtual systems, e.g. using SSH. Many virtual servers can also be configured to pass-through USB ports from the host to the hosted machines allowing a USB drive to be mounted, but this is an advanced topic and cannot be covered here: consult the documentation of the virtual host system in use.


  Tip:
The Restore from USB on first boot function (on a newly installed SME 10 server), will only utilise backups that are saved as smeserver.tgz files, which are the Console Backup to USB or the Server Manager backup to Desktop. The Server Manager "Backup to Workstation" (either to USB or network share) creates a "backupdate.dar" type filename (or multiple split parts) and cannot be used to restore using the "Restore on first boot" function, it can only be used for restores from the Server Manager. The new install must have its backup to workstation configured as per the old install.



  Note:
It is highly recommended that USB drives to be used for backing up SME 9.x servers prior to an upgrade to 10.n be formatted with a Linux file system. A USB drive used for restore can be FAT or FAT32, but ext3 or ext4 is preferred. If ext4, it should not be formatted with an OS more recent than RHEL6 for SME9; ext4 has gained multiple incompatible options over time that are not backward-compatible with earlier releases. So, the simple way is to mount the USB drive on the SME 9.x server you wish to back up and format it ext3 or ext4. Ensure that it is then unmounted. The USB drive must not be mounted before running the console/Server Manager backup or the backup will fail to find the drive.


Upgrade via Console backup to USB drive
  • Log in as admin and back up the old server via a Console Backup to an attached USB disk. This may take many hours, even days, if you have a lot of data on your server, depending on USB port speed, USB drive speed, and the types of files being backed up (i.e. whether already compressed or not). Typically, 250 GB of data on your server hard drive takes 2 to 4 hours; multiple terabytes may take multiple days.
  • Install the Koozali SME 10.x OS on the new hardware (on the new server).
  • Select to do a Restore on first boot of the newly installed Koozali SME Server 10. Only attach the USB containing the backup file, when asked on first reboot. Restore may take a few hours or longer depending on data size etc. Make sure you wait for the Restore complete message.
Upgrade via server manager backup to Desktop or Workstation (USB or network)
  • On the old server in Server Manager, configure the required backup in the Backup or Restore panel. Schedule the backup to run at a suitable time. This backup can be to a workstation desktop for systems with a smaller amount of data, which creates a smeserver.tgz backup file, or to a locally connected USB drive or to a network share, and creates xx...xx.dar files, split into multiple parts if configured & data size is large. This may take many hours to run depending on data size, file size, etc.
  • On the new Koozali SME10 server, manually configure the identical backup job in the Server Manager Backup or Restore panel. The backup job MUST point to the exact same location that the original backup file is saved to.
  • Select the Restore function within Server Manager & select the full backup you want to restore from. This may take many hours to run depending on data size, network speed etc. Make sure you wait for the Restore complete message.
  • Basic networking configuration of the new and/or restored Koozali SME 10 server will be required if different from original server.
Upgrade using command line restore via ssh or USB
  • It is possible to use the command line to transfer a backup file via ssh (or USB) to the new server and then to run the restore. Standard and non-standard backup concepts and procedures are outlined in the Backup server config Howto (http://wiki.contribs.org/Backup_server_config). If you use any non-standard method, the integrity of your SME server data cannot be guaranteed.
  • To do a standard backup & restore using the CLI, on the old server log in as admin and perform the Console Backup to USB drive (to a locally connected USB). Alternatively, using suitable commands, a smeserver.tgz backup file can be created and saved to the / folder; refer to the Howto.
  • Install the Koozali SME 10.x OS from CD on the new hardware (on new server).
  • Answer No when asked if you want to restore from USB during the first boot.
  • If you created or have the backup file on the old server, transfer the smeserver.tgz backup file via ssh from your old server to your new server. Both servers must be connected and remote access enabled.
  • On the old server do:
scp -P zzzz /smeserver.tgz newserverIP:/

(where zzzz is the SSH port number)

  • If you saved the backup file to USB, then transfer the smeserver.tgz backup file from USB to your new server
  • Log in as root or a root user on the new server & do:
mount /media/usbdisk
cp /media/usbdisk/Backup-date-folder/smeserver.tgz /

(replace usbdisk with actual mount point name and Backup-date-folder with actual folder date name)

  • After the backup file has been copied to the new server, on the new server do:
cd /
signal-event pre-restore
tar -C / -xzvf smeserver.tgz
/sbin/e-smith/signal-event post-upgrade
/sbin/e-smith/signal-event reboot
  • Before restarting the new server, disconnect old server from network (as you will have clashes due to duplicate IPs)
  • On new server do:
cd /
rm smeserver.tgz
  • Note the backup & restore may take many hours or even days to complete depending on data size etc.
  • After restore, the Configuration of the new server should be identical to the old server.
  • Note with two servers connected during ssh copying operations, basic networking configuration (IP address at least) of the new unrestored SME10 server will need to be temporarily different to the old server to avoid clashes.
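Before running the `signal-event pre-restore` and `tar -xzvf` steps above, it is worth confirming that the smeserver.tgz that arrived on the new server is the one that left the old server and that it is complete, since an interrupted scp or a partially written USB copy would otherwise be extracted over a fresh / and leave a half-restored system. The following is an added example written for this page, not a tool from SME Server or the Howto. It assumes a checksum was recorded on the old server beside the archive (`sha256sum /smeserver.tgz > /smeserver.tgz.sha256`) and copied across with it; the demo function uses a constructed archive rather than real SME data.

```shell
#!/bin/sh
# Added example (not part of the SME Server manual): verify a smeserver.tgz
# copy on the new server before running the restore steps above.
# Assumption: on the old server a checksum was recorded alongside the archive,
#   sha256sum /smeserver.tgz > /smeserver.tgz.sha256
# and both files were copied (scp or USB) to the new server.

# verify_backup ARCHIVE SUMFILE
# 0 = checksum matches and the archive lists cleanly
# 1 = archive missing, 2 = checksum mismatch, 3 = archive unreadable
verify_backup() {
    archive=$1
    sumfile=$2
    if [ ! -f "$archive" ]; then
        echo "missing archive: $archive" >&2
        return 1
    fi
    expected=$(awk 'NR == 1 { print $1 }' "$sumfile")
    actual=$(sha256sum "$archive" | awk '{ print $1 }')
    if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
        echo "checksum mismatch: the copy is incomplete or altered, do not restore it" >&2
        return 2
    fi
    # Listing every member decompresses the whole stream, so a truncated
    # gzip block is caught here rather than half way through tar -x on /.
    if ! tar -tzf "$archive" > /dev/null 2>&1; then
        echo "archive does not list cleanly as gzip tar" >&2
        return 3
    fi
    return 0
}

# Builds a constructed sample archive (not real SME data), checks that it
# verifies, then checks that a damaged copy is rejected. Returns 0 when both
# outcomes are as expected.
run_backup_demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/tree/home/e-smith/files/users/alice" "$work/tree/etc/e-smith/templates-custom"
    echo "constructed sample data" > "$work/tree/home/e-smith/files/users/alice/notes.txt"
    # Same shape as the console backup: paths relative to /, gzip-compressed.
    tar -C "$work/tree" -czf "$work/smeserver.tgz" home etc
    (cd "$work" && sha256sum smeserver.tgz > smeserver.tgz.sha256)
    good=1
    bad=1
    if verify_backup "$work/smeserver.tgz" "$work/smeserver.tgz.sha256" > /dev/null 2>&1; then
        good=0
    fi
    cp "$work/smeserver.tgz" "$work/damaged.tgz"
    printf 'x' >> "$work/damaged.tgz"   # simulate a corrupted transfer
    if verify_backup "$work/damaged.tgz" "$work/smeserver.tgz.sha256" > /dev/null 2>&1; then
        bad=0
    fi
    rm -rf "$work"
    if [ "$good" -eq 0 ] && [ "$bad" -ne 0 ]; then
        return 0
    fi
    return 1
}

run_backup_demo && echo "backup verification demo passed"
```

On the new server the call is `verify_backup /smeserver.tgz /smeserver.tgz.sha256`, run after the scp or USB copy and before `signal-event pre-restore`; only proceed with the restore when it exits 0.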
Migrate using the Lazy Admin Tools
  • Lazy Admin Tools provide a set of shell scripts that will archive all the important system files and restore them into a newly installed system, this is well documented in the Wiki. The various aspects of the system are saved in different files so that parts can be restored without having to restore all. An example might be to restore the users, but not the domains. It does not backup the data, but the wiki documentation provides sample commands to copy the data from one system to another using scp and/or rsync. All contribs must be re-installed, and any associated data (usually in /home/e-smith/db configuration files) may be copied across as required.
Reinstall Contribs after restore

Add-on contrib RPM packages will need to be re-installed on the new SME 10.x server as these are NOT included in the backup. Contrib data and configuration is included in backups and will be restored, but its usefulness will depend on the contrib design being unchanged between older (SME9/el6) & SME10/el7 package versions. Due to major changes in the underlying system files, this may not work, and is contrib dependent.

Delete and Reconfigure Manual tweaks

Other manual tweaks e.g. custom templates or scripts, will need to be deleted and recreated in line with SME 10.x template code and base code.

Where extensive modifications have been made to the "old server (eg SME9.2)", it is recommended to carry out a test backup and restore upgrade first, to discover any problems and ascertain suitable fixes and workarounds. Removing contribs and custom templates before upgrading is recommended.

Installing the Software

  Tip:
For Koozali SME Server 10 there are options that can be appended to the initial command to specify whether LVM, RAID and XFS are used. See below.



  Tip:
You have some command line options that you can use to set parameters such as LVM (activated by default) and, for SME9 only, the software RAID level (none, 0, 1, 5, 6). You can use the function keys F1 to F5 to get more information about the different boot options. For SME9 only, see Booting.



  Tip:
A user reported an install failing to complete with no readily found reason; after a number of attempts they found that setting the system's graphics resolution lower than the default, to 800x600, allowed the install to complete without error. See Bugzilla:12432.



After showing the boot prompt for some time SME will start the installation process automatically. By default the option to test the installation medium will be selected, and the system will then proceed to the graphical mode install. Alternatively you can select to go directly to the install, either in graphical or text mode.

In text mode: you choose which language you want to use for the following installation process.


Step 1: Insert the USB or CD-ROM media.

Step 2: You will be given the option of testing the media before beginning installation. Choose Test this media and install... to test the media and after success run the installer or choose the top option for the default graphical mode install or the second option for the text mode install as you prefer.


  Note:
The graphical mode screens are shown below. The text mode installer uses text-based screens but follows the same sequence: see Text-mode installer sequence



  Note:
The installation shown below is for the full iso image. The net install image follows the same sequence in either mode but the network MUST be enabled for the machine to download its executables



  Note:
At this time if you select the first menu item and press the tab key you will be able to append options to the menu items commands.

Currently these are:

  • nolvm - Do not enable LVM
  • noraid - Do not enable RAID (this is the default for a single target disk installation)
  • noxfs - Do not use XFS (the CentOS 7 default) as the filesystem

These are added to the end of the line starting with vmlinuz with a space left between them. An example screen for the nolvm option is shown below.


Step 3: The screen below will appear. Select the language you would like to use during the installation process. Select Continue when finished. The following steps can be done in any order.

Step 4a: Enable the network if desired: required for net install. It is enabled using the switch on the right. Select Done when finished.


Network enabled:

Step 4b: Select the keyboard defaults to use. Select Done when finished.


Install


  Warning:
At this juncture the partitioning scheme and treatment of multiple disks is automated by the customised Koozali install routines and any options you have set as above, e.g. 3 HDs equals RAID 1 with a hot spare: see the wiki Raid page. If you select the item "Installation Destination" those customised setups will be removed and the installer will fall back to the standard CentOS auto-partitioning scheme: an EFI partition if needed, a boot partition, and one large LVM volume using all the remaining space, with ALL disks treated as one. If you are sure of the process you may enter the "Installation Destination" section and set up your customised partitioning, RAID, LVM and file system.

Beware: if you do this, an above-average understanding and knowledge of the procedure is required.


Step 5: You are informed that no disks will be formatted and hence data lost until Begin Installation is selected. You must choose Begin Installation to proceed.


  Warning:
The installation process formats and erases all attached hard drives. USB hard drives are considered non-removable drives. Removable drives are USB pen drives and floppy/CD-ROM drives. The installer ignores all removable drives and uses all non-removable drives that are at least 2 GB in size.

If you have multiple hard drives, be sure to back them up prior to starting the installation process. Be sure to unplug USB drives.


Step 6: Specify the network connection: usually this will have been detected correctly and just needs the enable slider to be actioned. Select which time zone you are in, and check the keyboard is correct. Each step is finished by selecting Done. The installation process will now automatically proceed to install the necessary packages.

Step 7: Finishing the installation is automatic and may take some time. At the end of the process, you will be prompted to remove the CD and then to reboot your computer; if this is a virtual install, use the host management software to eject the virtual CD image before proceeding.


  Warning:
The installation (or upgrade) process rewrites the boot sector on your hard drive. This may cause machines with BIOS boot sector virus detection to not boot unattended. This detection should be disabled in your system's BIOS.


Restart after install

On restart, when rebooting from the installed Koozali SME Server Linux image, you will see this screen:

Option: Restoring a Backup

The next screen offers you the opportunity to restore from a tar backup. If you have a tar backup (usually smeserver.tgz) you are prompted whether you wish to restore. Insert your media: CD, DVD, USB disk or tape drive.

If you have a DAR backup you must perform your restore from the server-manager after initial configuration.

Configuring your Koozali SME Server

  Tip:
To change configuration settings you set during install, you can at a later date log in as the admin user on your server console and choose the option to Reconfigure your server. You will be taken through the configuration routine just as during installation. Make your necessary changes, or use the Keep option to preserve the settings you set previously.


Once your system has restarted (so that it is no longer booting from the installation CD), you are ready to configure your system.

If your ISP provided you with a summary of your configuration choices and network information, we suggest that you keep it handy while completing the screens in the configuration section of the server console.

There are several types of configuration parameters that must be entered into your server:

  • the system password
  • the type of ethernet adapters (network interface cards, or NICs) that will be used by your server to communicate with the internal network and the Internet (or external network). Typically, the server software will detect this information automatically. (Note that if you are connecting to the Internet with a dialup connection, you only need one ethernet adapter.)
  • configuration for the internal (local) network - you must provide information about your internal network so that your server can communicate with other machines on your local network.
  • operation mode - you must select whether your server will operate in server and gateway mode or server-only mode.
  • configuration for the external network/Internet - you must configure your server so that it can communicate with your ISP either by a dedicated connection or using a dialup connection (only for server and gateway mode).
  • miscellaneous information - there are several final items to configure, such as whether to allow your users to use a proxy server, whether to provide status reporting to Contribs.org, and whether you wish to secure the server console so that it can only be accessed using the administrator's password.

As you select a given configuration parameter, you will be presented only with the screens necessary for your given configuration. Each screen will provide you with a simple, detailed explanation of the required information.


  Note:
As you move through the configuration screens, you will notice that there is a "Keep" option which will allow you to keep the choices you may have made previously. Obviously, when you are configuring your system for the first time, many of these choices will not have been made, but if you later go back to re-configure the system, this option can save time.


Setting Your Administrator Password

As shown in the image below, the first thing you will be asked to do is to set the system password. This is the password you will enter to access the web-based server manager. Depending on how you configure the system, you may also need to enter this password to access the server console. It is extremely important that you choose a good password and keep that password secret.

Anyone who gains access to this password has the power to make any change to your server!

After you enter the password once, you will be asked to type it again to confirm that the password was recorded correctly. The password will also be examined to determine how strong it is from a security point-of-view. If it is found to be weak (for instance, a dictionary word), you will see an additional screen asking if you really want to use this password. You will have the option to go back and change to a stronger password or to continue using the weaker password.


  Warning:
You can use any ASCII printable characters in the administrator password. As this password gives someone total control over your server, you should choose a password that cannot be guessed easily. A good password should contain mixed upper- and lower-case letters, numbers and punctuation, yet also be easy to remember. An example might be "IwmSMES!" as in "I want my SME Server!" (Please don't use this example as your password!)


Configuring Your System Name and Domain Name

As shown below, your next step is to enter the primary domain name that will be associated with your SME Server. (You can later configure other virtual domains that work with the server.)

Next you need to provide a name for your server. You should think carefully about this as changing it later may create additional work. (For instance, Windows client computers may be mapping drives to your server using its name. Those clients would need to remap the drive using the new name.)


  Tip:
You should make the system name as unique as possible in case you someday decide to link your server to another server using an IPSEC VPN. When you do, each server will need a unique name. Using some type of theme, such as location names, may be an effective way to ensure unique names.


Configuring Your Local Network

Selecting Your Local Ethernet Adapter

An ethernet adapter - also called an ethernet card or network interface card (NIC) - is a special piece of hardware that serves as the interface between a computer and the ethernet network. It connects your computer and the ethernet, allowing the computer to communicate with other computers and devices on the network.

A computer needs a special software program, called an "ethernet driver", to use an ethernet adapter. Which ethernet driver is required depends on which ethernet adapter is installed on your computer.

You will first need to select the appropriate driver for the ethernet adapter connected to your local network, as shown in the screen below:

If you are using a PCI ethernet adapter that appears on our supported list, it is likely that your server will be able to detect your hardware automatically and you will simply be able to choose option 1, "Use xxxx (for chipset yyyy)", where 'xxxx' and 'yyyy' are specific to your hardware. If the software fails to detect it correctly, you can manually select the appropriate driver for your ethernet adapter from a list of drivers or from a list of ethernet adapter models. After the appropriate driver is selected, select "OK" and proceed to the next screen.

As of SME Server 9.1, (virtual) servers with only one ethernet adapter have an additional option to select a 'Fake ethernet adapter' as the local ethernet adapter. Selecting this fake adapter as your local ethernet adapter allows you to operate SME Server in server-gateway mode with only one real ethernet adapter, benefiting from all the features the server-gateway operation mode provides, such as its security features and firewall (see 'Operation Mode' below). The fake ethernet adapter is used as your local ethernet adapter and the real network card is used as the WAN interface. This is especially useful for (virtual, hosted or cloud) SME Server installations with providers that supply only one physical network interface with a virtual server offering (VPS).

Configuring Local Network Parameters

Your SME Server needs information about your local network in order to communicate with the other computers on your network. This includes the IP address and the subnet mask on your server's internal interface. Because your server acts as a gateway and firewall, these will differ from the IP address and subnet mask on the external interface.


  Warning:
If you configure your server in server-gateway mode make sure the IP address for the internal interface and the one for the external interface are in different ranges that do not overlap. Unless you know why you don't want to do so, it is best to use addresses from the ARIN reserved IPv4 blocks as follows:
  • 10.0.0.0/8 IP addresses: 10.0.0.0 – 10.255.255.255
  • 172.16.0.0/12 IP addresses: 172.16.0.0 – 172.31.255.255
  • 192.168.0.0/16 IP addresses: 192.168.0.0 – 192.168.255.255

Do please note "that only a portion of the “172” and the “192” address ranges are designated for private use. The remaining addresses are considered “public,” and thus are routable on the global Internet". The 172 block can be problematic and is perhaps best avoided.
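The two rules in the warning above (local interface in one of the three private blocks, local and external ranges not overlapping) are easy to check before committing the console settings. The following is an added example written for this page, not code from the SME Server console; it uses only POSIX sh arithmetic so it runs on the server console or any workstation. The sample addresses at the bottom are constructed, with 203.0.113.0/24 standing in for an ISP-assigned external range.

```shell
#!/bin/sh
# Added example (not part of the SME Server manual or its console code):
# checks the two addressing rules in the warning above before you commit to
# server-gateway settings: the local interface must be in one of the private
# blocks listed, and the local and external networks must not overlap.

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix_mask N -> the netmask for a /N prefix as an integer
prefix_mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# cidr_contains NET/PREFIX IP -> 0 if IP lies inside NET/PREFIX
cidr_contains() {
    mask=$(prefix_mask "${1#*/}")
    [ $(( $(ip_to_int "${1%/*}") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# is_private IP -> 0 if IP is in 10/8, 172.16/12 or 192.168/16
is_private() {
    cidr_contains 10.0.0.0/8 "$1" || cidr_contains 172.16.0.0/12 "$1" || cidr_contains 192.168.0.0/16 "$1"
}

# cidr_overlap A/PA B/PB -> 0 if the two networks share any address.
# Two prefixes overlap exactly when the shorter one contains the other's address.
cidr_overlap() {
    if [ "${1#*/}" -le "${2#*/}" ]; then
        cidr_contains "$1" "${2%/*}"
    else
        cidr_contains "$2" "${1%/*}"
    fi
}

# check_gateway_addressing LOCAL_IP/PREFIX EXTERNAL_IP/PREFIX
# 0 = acceptable, 1 = local address not private, 2 = ranges overlap
check_gateway_addressing() {
    if ! is_private "${1%/*}"; then
        echo "local address ${1%/*} is not in a private block" >&2
        return 1
    fi
    if cidr_overlap "$1" "$2"; then
        echo "local network $1 overlaps external network $2" >&2
        return 2
    fi
    echo "addressing OK: local $1, external $2"
    return 0
}

# Constructed sample values; 203.0.113.0/24 is a documentation range, not a real ISP.
check_gateway_addressing 192.168.1.1/24 203.0.113.10/24
check_gateway_addressing 192.168.1.1/24 192.168.1.50/24 || echo "rejected as expected"
```

The overlap test is the one that matters most in server-gateway mode: a local 192.168.1.0/24 behind an ISP router that also hands out 192.168.1.x is the classic way to end up with the two interfaces in the same range, and `cidr_overlap` reports it as soon as the ISP-assigned address is known. The 172.16/12 block is accepted as private here because the page lists it; its caveat about the rest of 172.0.0.0/8 being public is exactly what `is_private` enforces by rejecting 172.32.0.1.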


If you plan to operate in server and gateway mode (explained in greater detail below), your server will act as a relay between your local network and the Internet. Because no computer on your local network, other than your server, directly interacts with the external world, the IP addresses assigned to those computers need only be unique with regards to your local network. (It doesn't matter if a computer on someone else's local network uses the same IP address, because the two machines will not be in direct contact.) As a result, we are able to use special "non-routable IP addresses" for your local network, including the internal interface of your server.

If you have no reason to prefer one set of IP addresses over another for your local network, your server will prompt you with default parameters that are probably appropriate in your situation.


  Tip:
If you are installing servers at multiple sites within your organization, you may find it useful for later troubleshooting to use different network addresses for each site. Additionally, if you ever want to establish an IPSEC VPN between the servers, each server will need to use a different range of IP addresses. Even if you are not planning to use a VPN right now, it would be safest to use unique network addresses for each location.


If, however, you are operating your server in "server-only" mode and there are already servers on your network, you will need to obtain an unused IP address for your local network.


  Tip:
The careful admin will "ping" the intended address from any available workstation on the network to be certain it is not in use.


Next, you will be prompted to enter the subnet mask for your local network. If you are adding your server to an existing network, you will need to use the subnet mask used by the local network. Otherwise, unless you have a specific need for some other setting, you can accept the default setting.

Operation Mode

After configuring your SME Server for your local network, you will see the following screen. This is where you select your server's operation mode.

Option 1: Server and gateway mode

In server and gateway mode, your server provides services (such as e-mail, web services, file and print sharing) to your network and also acts as a gateway between your internal network and the outside world. The fact that it serves as a "gateway" means it has separate interfaces with each network, and provides security and routing.

If you configure your server to operate in server and gateway mode, your server will require either:

  • two ethernet adapters (one to communicate with the local network and the other to communicate with the external network/Internet)
  • one ethernet adapter (for the local network) and a serial or ISDN modem for a dialup connection. A fibre or DSL modem that attaches over Ethernet is an external network like any other and needs the second ethernet adapter.

With server and gateway mode, there are a number of extra parameters that will need to be configured. These will be discussed in the next section.

Option 2: Private server and gateway

This mode is a variation of option 1 and provides the same functionality with the following differences:

  • your web server is not visible to anyone outside of the local network.
  • your mail server is not accessible from outside of the local network.
  • Additional firewall rules have been configured to drop packets for various services (such as 'ping' requests).

All services are available on the internal network. The differences are entirely in how your server is seen by the external world.

You would select this mode if you wish to use the server only as a gateway, but do not wish to publish any services to the external Internet.

Option 3: Server-only mode

Server-only mode is appropriate if you do not wish to use the gateway capabilities of your server. In this configuration, your server connects only to the local network and does not connect directly to the outside world (although it may connect indirectly through your firewall or another server). Most ports are open.


  Warning:
SME Server 9.2 ISO only: do NOT enable NIC bonding on an initial install when server-only mode is selected. See HERE for details.


  Warning:
Because the server "trusts" the local network to be secure in server-only mode, it must be behind a firewall of some type. Under no conditions should it in server-only mode be directly connected to the Internet.


Your network will resemble the image below:

If you have a connection to the Internet by way of another gateway or corporate firewall, you can configure your server to provide services (including e-mail, web services, file and print-sharing) to your network. In this instance, you do not need your server to provide the gateway role because that role is fulfilled by your firewall. If you select Option 3, "Server-only mode - protected network", your server will provide your local network with web, e-mail, file and print-sharing.

On the next configuration screen, you should enter the IP address for the Internet gateway on your local network. If you do not have an Internet connection, simply leave this configuration screen blank.

Configuring Server and Gateway Mode

If you are configuring your server to operate in server and gateway mode, you must select one of two Internet connection types - a dedicated connection (such as ADSL or cable modem) or a dialup connection (in which case you will be connecting to your ISP via a modem).

The next step after selecting a connection type is to enter the specific parameters representing that connection.

Server and Gateway Mode - Dedicated

How you configure your server's external interface depends on whether you are using a dedicated connection or a dialup connection. Therefore, if you configured your server for "server and gateway mode - dedicated connection" you will be presented with very different configuration screens than if you configured the server for "server and gateway - dialup connection" (as discussed in the next section).

Configuring Your External Ethernet Adapter

As you did previously with your local ethernet adapter, you need to configure the driver for your external ethernet adapter. As before, the software will attempt to detect the card. If it correctly identifies the card, you can proceed using Option 1, "Keep current driver". If it does not, you will need to manually select the driver.

Assigning Your Ethernet Adapters to Network Connection

To communicate successfully, your server needs to know which ethernet adapter connects it to the internal network and which adapter connects it to the external network/Internet. Your server will make this designation automatically - the first ethernet adapter (in position "eth0") will normally be assigned to the local, internal network and the second ethernet adapter (in position "eth1") will normally be assigned to the external network/Internet. In the event that this assumption is incorrect, this screen allows you to easily swap that designation.

If you don't know which ethernet adapter is designated to eth0 and which is designated to eth1, we suggest you leave it in the default configuration while completing the rest of the screens. You will later have the opportunity to "Test Internet Access" from the server console. If your test fails at that time, return to this screen, swap the card assignment and retry the test.


  Tip:
If you are using two different network interface cards, you will see which driver is associated with eth0 and which is associated with eth1. This information can help you determine which card is eth0 and which is eth1. If you have two cards that use the identical driver you will see a screen such as the one above where the actual driver is not listed.


Configuring Your External Interface

With a dedicated connection in server and gateway mode, you will be presented with the following screen:

Your server must know three additional things to communicate on the Internet:

  • its own unique IP address so that Internet data packets can reach it.
  • a subnet mask (also called a netmask) which looks like an IP address and allows other computers to infer your network address from your IP address.
  • the IP address of the external gateway for your server. This is the IP address of the router on your server's external network. It identifies the computer that your server should contact in order to exchange information with the rest of the Internet.

Normally, you would need to know this information and enter it into the server console. However, most ISPs are capable of automatically assigning these configuration parameters to your server using a DHCP server or PPPoE.

If you have a static IP address and your ISP is configuring your server using DHCP or PPPoE, select Option 1, 2 or 3 depending upon how you will be connecting to your ISP. When you first connect to your ISP, your server will automatically be given its external interface configuration parameters.

If your ISP is providing you with a dynamic IP address, the ISP will configure this through DHCP or PPPoE and your server will be re-configured automatically whenever your IP address changes. If you plan to use a Dynamic DNS service, select Option 2. Otherwise, select Option 1.

There are some very good reasons to use a dynamic DNS service if you have a dynamically assigned IP address. It is a simple, affordable way to ensure continuity of service when your IP address changes. Please read the next section on dynamic DNS for more information about dynamic DNS.

If you are using ADSL and need PPP over Ethernet, choose Option 3. You will then be asked for the user name and password you use to connect to your ISP. Note that some ISPs require you to enter their domain name as well as your user name.

If you have a static IP address and your ISP does not offer DHCP or PPPoE, then your ISP will give you the static IP address, subnet mask (or netmask), and the gateway IP address of the device that your server should connect to in order to communicate with the Internet. Assuming you have this information on hand, you can go ahead and select Option 4. Successive screens will prompt you to enter each parameter.


  Tip:
What is PPPoE?

PPPoE is the Point-to-Point Protocol over Ethernet. Essentially, it is an implementation of the popular PPP protocol used for dialup connections, configured to run over an Ethernet connection instead. Many ISPs that provide fibre and ADSL connections use PPPoE as the method of connecting their customers to the Internet over those links.



Configuring the Server for Server and Gateway Mode - Dialup Access

If you select dialup access, successive screens will ask you for the following information:

  • information regarding the modem or ISDN connection with your ISP, such as the serial port your modem is connected to (see note 2 below)
  • modem or ISDN initialization screen - most users can simply leave this blank, but with some particular modems or ISDN cards, additional information may need to be entered here
  • the dialup access phone number
  • username
  • password
  • connection policy

This last item may be of special interest. As shown in the screen below, you can configure what type of policy you wish to have in place during typical work hours. If you are in a small office and wish to share your phone line between your computer and phone or fax, you may wish to minimize the time you are online. This is also true if your ISP charges a fee on a per-minute basis. On the other hand, if you have a separate phone line or unlimited time with your ISP, you might want to have long connection times or a continuous connection.


  Warning:
If you are using a dial-on-demand link to your ISP, please be aware that you can incur very steep phone charges due to dialup connection attempts to the ISP. We are aware of at least one case in which a failed modem link at the ISP resulted in several thousand connection attempts over a couple of days - and a hefty phone bill. If your telephone carrier charges you per-call or per-minute fees, we suggest that you contact your ISP and ask whether it is willing to assume responsibility if a failure at their end results in a large phone bill.


After configuring this policy for "work" hours, you can then configure the policy for time outside of office hours and additionally for the weekend. Notice that you do have the choice of never, which would allow you to restrict your system from connecting on weekends or during off-hours.

The connection policy defines several choices including Short, Medium or Long. These specify how long the server should wait before disconnecting the dialup connection. If your office only shares a single phone line, the Short option minimizes the amount of connection time and frees up the phone line for later use. The down side to this is that if someone is reading a long page on a web site or steps away from their computer for a brief moment, when they then want to go to another web page the server will probably have disconnected and will need to redial and connect. On the other hand, setting the Long connection time will result in users experiencing fewer delays while waiting for the server to reconnect. However, the phone line will be used for a larger amount of time.

There are two separate timeout values configured by each choice. One value is the length of time since the last HTTP (web) packet went through the server. The other is a more general timeout for any other types of packets. The difference is there because it is assumed that people reading a web page may take longer to go on to another web page, whereas users connecting to another service (such as ssh or POP3 to an external server) probably will be more active than someone using a web browser. The timeout values are shown in the table below.

Choice    HTTP timeout    Other timeout
Short     3 minutes       30 seconds
Medium    10 minutes      5 minutes
Long      20 minutes      10 minutes

Note that there is also the option for a Continuous dial-up connection. Choosing this option is basically equivalent to creating a permanent or dedicated connection, but only doing so through the use of a dial-up connection and a modem or ISDN adapter. One example of this use might be to set a Continuous connection policy during work hours and then some variable policy during off-hours and the weekend. Assuming that your ISP is okay with this arrangement and you can afford to do so financially, these settings would give your users the fastest response time as the connection would always be online.

Note 2: Your modem documentation may indicate which serial port is used by the modem. You may also be able to visually identify which port your modem uses.

Dialup phone numbers with # and * characters

bugzilla:4592


  Warning:
When entering your dialup phone number, the default allowable character set does not include # or *. If your country uses dialup phone numbers containing # or *, you will need to edit the following Perl module:


nano /usr/lib/perl5/site_perl/esmith/console/configure.pm


  Note:
As of SME Server 9.x, the path to the esmith perl libraries is /usr/share/vendor_perl/esmith.


In the DIALUP_ACCESS_NUMBER section, change the line (line 1398 in the version the bug report refers to)

if ($choice =~ /^[-,0-9]+$/)

to

if ($choice =~ /^[-,\#\*0-9]+$/)

which allows '#' and '*' in the dialup phone number, then save your changes.
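As an added example, not SME Server's own code, the shell script below shows what the DIALUP_ACCESS_NUMBER check accepts before and after the edit, and applies the same one-line change to a configure.pm with sed rather than an editor. It does not rely on the line number, which differs between versions; instead it refuses to run unless exactly one line holds the original pattern. The path is passed as an argument (see the note above on the 9.x location), and the file it patches in the demo is a constructed one-line stand-in, not the real module.

```shell
#!/bin/sh
# Added example, not SME Server code: what the dialup-number check in
# configure.pm accepts before and after the edit, plus a sed version of
# the edit that does not depend on the line number.

# The check as shipped: digits, '-' and ',' only.
dial_number_ok_default() {
    printf '%s\n' "$1" | grep -Eq '^[-,0-9]+$'
}

# The check after the edit: '#' and '*' are also accepted.
dial_number_ok_patched() {
    printf '%s\n' "$1" | grep -Eq '^[-,#*0-9]+$'
}

# patch_configure_pm FILE: rewrite the DIALUP_ACCESS_NUMBER regex in FILE,
# keeping a copy as FILE.bak. Refuses to touch the file unless exactly one
# line holds the original pattern, so an already patched or unexpected
# file is left alone.
patch_configure_pm() {
    file=$1
    n=$(grep -cF '$choice =~ /^[-,0-9]+$/' "$file" || true)
    if [ "$n" -ne 1 ]; then
        echo "$file: expected exactly one matching line, found $n" >&2
        return 1
    fi
    cp -p "$file" "$file.bak" &&
    sed 's|\[-,0-9\]+\$/)|[-,\\#\\*0-9]+$/)|' "$file" > "$file.tmp" &&
    mv "$file.tmp" "$file"
}

# Demo on a constructed one-line stand-in for configure.pm, so nothing on
# the real system is touched; pass the real path when ready.
sample=$(mktemp)
printf '    if ($choice =~ /^[-,0-9]+$/)\n' > "$sample"
echo "before: $(cat "$sample")"
patch_configure_pm "$sample"
echo "after:  $(cat "$sample")"
rm -f "$sample" "$sample.bak"
```

Run it once against a copy first; on the real module, a count other than one means the file is not the version the bug report describes and you should look at it by hand before changing anything.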

Configuring Your DHCP Server

You now will be prompted regarding DHCP service. Your SME Server can be configured to provide DHCP service to your internal network. The DHCP server can automatically configure the other computers on your internal network with such parameters as non-routable IP address, subnet mask and gateway IP address. This reduces the risk of error and simplifies the process of configuring your network.

We recommend configuring your server to use DHCP to configure all of your network clients. IMPORTANT! You should not do this if there is an existing DHCP server on your network as there should typically be only one DHCP server per network.

Configuring the DHCP Address Range

Before the DHCP server is able to assign IP addresses to the computers on your network, you need to tell it what range of IP addresses it can safely distribute. As above, this section is pre-configured with defaults that are appropriate in most situations. If you have fewer than 180 machines on your local network and no reason to prefer one range of IP addresses over another, you can simply accept the defaults for these screens. Client IP Addresses are handed out at the high end of the range.

The Server Console

When installing a new server or reconfiguring an existing one, log in at the login prompt as the user "admin" using the root password; the opening screen of the SME Server server console will appear:


  Tip:
If logged in as root, at the command prompt enter the command "console", you will see the server console screen above.



  Note:
Any time that you login to your system as the "admin" user you will see the server console. This is true even when connecting to the server remotely using a tool such as ssh (discussed later in the chapter on Remote Access).


The server console provides you with basic, direct access to your server. From the server console you can get the following information and perform the following tasks:

Option 1: Check status of this server

Provides you with uptime information about your server.

Option 2: Configure this server

Allows you to view and modify the configuration information you entered during the original installation (ethernet cards, IP address information, DHCP, DNS, domain names, etc.).

Option 3: Test internet access

Allows you to test your Internet access.

Option 4: Reboot, shutdown or reconfigure your server

Allows you to smoothly reboot, reconfigure or shut down your server.

Option 5: Manage disk redundancy

Allows you to manage and view the current RAID status.

For more information see the Raid howto

Option 6: Access server manager

Provides you with a means to access the web-based server manager using a text-based browser. This is the same interface to which you can connect from another system using a normal graphical browser. This option merely allows you to perform these functions directly from the server console.

Using the Text-based Browser

For Option 6, Access server manager, the server uses a text-based browser called lynx to let you reach the web-based server manager from the server console. Navigation is primarily with the arrow keys: up and down to move through the page, right arrow to follow a link, left arrow to go back. Lynx has a wide range of other commands which you can learn about through the online help available at http://lynx.browser.org/ Note that for security reasons some regular features of lynx are disabled when you are browsing from the server console (such as the ability to specify an external URL). Type 'q' (for 'quit') to exit the text-based browser.

Accessing the Linux Root Prompt

If you are an expert user and would like to do advanced modifications to the configuration of your server, you can access the Linux operating system underlying the SME Server software by logging in as the user "root". If your server is displaying the server console and not a login prompt, you can press Alt-F2 to switch to another screen with a login prompt. To switch back, press Alt-F1. You should always ensure that you log out from the root account when you are finished and before you switch back to the server console.

The password for the "root" user is whatever password is currently set for the administrator of the server. Note that this is the same password as that used by the "admin" user account.

Be aware that this ability to switch between the server console and a login prompt is only available when you have physical access to the server. If you connect in remotely as the "admin" user and see the server console, you will not be able to switch to a login prompt in that window. (You can, however, open up another remote connection to your server and login as the "root" user.) Note that remote administrative access is disabled by default and must be specifically enabled through the Remote Access panel of the server manager.


  Note:
If you are not familiar with working from the Linux prompt, you may be interested in trying a file management tool called Midnight Commander. It allows you to perform many file operations through a menu-driven interface. Simply type mc at the command prompt. Press the function key "F1" for help and "F10" to quit.


Option 7: View support and licensing information

Displays the GNU General Public License (the license governing the distribution and use of SME Server software) and information on how to contact Contribs.org for support.

Option 8: Perform backup to USB device

Attach a USB Device and follow the prompts.

The compression level of the backup *.tgz file can be changed with the configuration database property backupconsole CompressionLevel; a lower level shortens the time taken to create the backup at the cost of a larger file, and a higher level does the reverse.

The value uses the same scale as gzip: -1 is the fastest compression method (least compression), -9 is the slowest (best compression), and the default is -6, biased towards high compression at the expense of speed.

Setting the level of compression via a custom db setting:

db configuration setprop backupconsole CompressionLevel=-9

To restore this type of USB Backup, perform a clean install and when prompted if you wish to restore attach the USB Drive.


  Warning:
If the USB drive is left attached during the install it will be formatted!





  Note:
The console backup to USB device is an independent method not related to the server-manager backup options.




Configuring the Computers on Your Network

What Order to do Things

For efficiency, we recommend you configure your desktop computers in the following order:

Step 1: First, configure one of your desktop computers to work with TCP/IP (using the information in this chapter).

Step 2: With TCP/IP up and running on one of your computers, you can now access the server manager over the web and create your employees' user accounts. The next chapter explains this simple process.

Step 3: Once e-mail accounts are created, you can ensure that all the computers on your network are configured for TCP/IP, e-mail, web browsing and LDAP using the information in this chapter and the User Manual.

This chapter helps you configure software and hardware supplied by other companies and for that reason is not as specific as the rest of this guide. Given the wide range of computers, operating systems and software applications, we cannot accurately explain the process of configuring each of them. If your computers and applications came with manuals, they might be useful supplements to this chapter. Technical problems encountered in networking your desktop computers and applications are best resolved with the vendors who support them for you.


  Warning:
This chapter demonstrates only one of the many possible ways to configure your client computers and is provided here as an example.


Configuring Your Desktop Operating System

The dialog box where you configure your desktop differs from operating system to operating system and version to version. As an example, in Microsoft Windows 7, client configuration occurs in the "Properties" dialog box associated with the TCP/IP protocol for your ethernet adapter. If a TCP/IP protocol is not yet associated with your ethernet adapter, you may need to add one before you can configure its properties with the following information.


  Tip:
To get there, go to the notification area at the bottom right, click on the network icon, select "Open Network and Sharing Center", then use the "Local Area Connection" link and finally the "Properties" button.


  • Enable the TCP/IP protocol. All your computers must communicate on the network using TCP/IP. In Windows, add the TCP/IP protocol; on an Apple system, open the TCP/IP control panel.
  • Disable non-TCP/IP protocols. Unless an application relies on a non-TCP/IP protocol, turn off all other networking protocols (e.g. NetBEUI).
  • Enable DHCP (see the section below). In Windows, select "Obtain an IP address automatically"; on an Apple system, select "DHCP server".


  Note:
We strongly recommend that you configure all clients machines using DHCP rather than manually using static IP addresses. Should you ever need to change network settings or troubleshoot your network later, you will find it much easier to work in an environment where addresses are automatically assigned.


On a Windows 7 system, the window will look like the image below.

Automatic DHCP Service

Your server provides a DHCP server that assigns each of the computers on your network an IP address, subnet mask, gateway IP address and DNS IP address(es). For a more detailed explanation of DHCP, consult the section in Chapter 5 called "Configuring Your DHCP Server".


  Note:
In some rare cases, you may want to use a static IP address for a particular client machine. The typical approach is to manually enter this IP address into the network properties of the specific machine. The negative side of this approach is that you cannot easily change or alter network settings without having to go in and modify the information on the client machine. However, it is possible to provide this static IP address directly through DHCP rather than manually configuring the client computer. To do so, you will first need to determine the Ethernet address of the client computer (usually through the network properties). Next you will go to the Hostnames and addresses web panel of the server manager and enter the information there.



  Warning:
Only One DHCP Server

It is imperative that no other DHCP server is on your network. If a former DHCP server configured your computers, you should remove that DHCP server from your network. Leave DHCP enabled, and reboot each computer. New IP addresses, netmasks, gateway IP addresses and DNS addresses will be assigned automatically by the server DHCP server.


Manual entry for computers not using DHCP service

As noted above, we strongly recommend that you perform all your client configuration using DHCP. It is even possible to assign a static IP address through the Hostnames and addresses web panel of the server manager that will be distributed through your DHCP server. However, if your computers do not support DHCP, you must manually enter the following information into your TCP/IP properties:

  • IP address: enter it manually (see the paragraph below). You must assign a different, unique IP address to each computer that does not use DHCP (see the note below).
  • Subnet mask (or netmask): enter it manually. The default subnet mask is 255.255.255.0.
  • Gateway IP address: if you are running in server and gateway mode, your server is your local network's gateway, so enter its IP address (the default is 192.168.1.1). If you are running in server-only mode, enter the IP address of the device that connects your network to the outside world (e.g. the firewall or the router supplied by your Internet Service Provider).
  • IP addresses of your domain name servers: normally just the IP address of your server (the default used in the server console is 192.168.1.1). If you have a firewall other than your server that restricts internal queries to Internet DNS servers, you may need to enter additional DNS servers here.

It is critical that every computer on your network has a unique IP address and that you don't assign two computers the same address. In enabling DHCP service in the server console, you designated a range of IP addresses for DHCP assignment. You also allocated a block of IP addresses for manual assignment. If you accepted the defaults pre-configured into the server console, IP addresses 192.168.1.2 through 192.168.1.64 will have been set aside for manual entry. To avoid duplication, use only those IP addresses when manually assigning IP addresses to your computers.

After configuring the TCP/IP parameters, you may need to reboot your desktop computer to implement the configuration changes. (For example, most Windows systems need to be rebooted after the TCP/IP configuration has been changed.) Once the settings take effect, your computer will be connected to the server and to the Internet.

MS Windows workgroup configuration

See Windows 10 Support, Windows 8 Support and Windows 7 Support for detailed version specific help.

If you are using a Microsoft operating system, you must ensure that your workgroup is the same as the workgroup name of your server. (In a subsequent chapter, we'll explain how this can be set using the web-based server manager.)

  • For Windows 7: go to the Start menu, right-click "Computer", select "Properties", select the link "Change settings", then click the "Change" button. In the "Workgroup" field, type your workgroup.
  • For Windows 8: go to the top right corner of your desktop, select "Settings" and then "PC info", select the link "Change settings", then click the "Change" button. Enter your workgroup value in the "Workgroup" field and select "OK".
  • For Windows 10: see the Windows 10 support page for specific details. Go to the Start menu, right-click "Computer", select "System", select the link "System info", then click "Change settings". Under "Computer name, domain and workgroup settings", type your workgroup.

MS Windows Domain configuration

See Windows 10 Support and Windows 8 Support and Windows 7 Support for detailed version specific help.

SME Server can be configured to be the "Workgroup and Domain Controller" for your network, here users do not need accounts on individual PC's but authenticate against the Server. (In a subsequent chapter, we'll explain how this can be set using the web-based server manager.)

See bugzilla:7172 for the registry entries that facilitate joining Windows 7 and Windows 8 PCs to an SME Server "Workgroup and Domain Controller"; see also Slow Login with Win7 and Win8 and the forum thread http://forums.contribs.org/index.php/topic,49229.0.html for further information.

Connecting to a Domain

See Windows 10 Support and Windows 8 Support and Windows 7 Support for detailed version specific help.

  • For Windows 7

To connect a Windows 7 client to your domain, go to the Start menu, right-click "Computer", select "Properties", select the link "Change settings", then click the "Change" button. Enter your server's domain name in the "Domain" field and click "OK". Enter the username admin(*) with the server's admin password when asked, and you should get back a confirmation that the computer has joined the domain.

(*) Admin or any user in the 'Domain Admins' group can join the domain.

  • For Windows 8

To connect a Windows 8 client to your SME Server domain, go to the top right corner of your desktop, select "Settings" and then "PC info", select the link "Change settings", then click the "Change" button. Enter your server's domain name in the "Domain" field and click "OK". Enter the username admin(*) with the server's admin password when asked, and you should get back the response 'Connected to Domain'. Reboot the computer to complete joining the domain.

(*) Admin or any user in the 'Domain Admins' group can join the domain.

Setting Windows Admin Rights

If you are using SME Server as a domain controller and the Windows workstations have joined the domain, then by adding users to special groups you can change the rights a user has on that workstation. See Here for details.

Setting up network drives

If you are using SME Server as a domain controller and the workstations have joined the domain, you can automate drive mapping and synchronise the PC clock with the netlogon.bat file.

Note: Chapter 13 has a method for admin to edit the netlogon.bat file without using the command line.

nano -w /home/e-smith/files/samba/netlogon/netlogon.bat

REM Replace "servername" with the NetBIOS name of your SME Server.
REM Set the workstation clock from the server when clients log on to the domain:
net time \\servername /set /yes
REM Map the user's home directory on the server to drive H:
net use h: /home /persistent:no
REM Map two i-bays to drives J: and P:
net use j: \\servername\ibay1 /persistent:no
net use p: \\servername\ibay2 /persistent:no
REM Remove a stale Z: mapping if one exists:
if exist Z: net use Z: /del /yes

and reset file to dos format

unix2dos /home/e-smith/files/samba/netlogon/netlogon.bat

On-going Administration using the server-manager

The server-manager is your SME Server control panel for administrative tasks. The server-manager can be accessed via a web browser from any client connected to the same local network using a variety of URL formats:

If you had chosen the server name "nemo" and the IP address 192.168.1.99 during initial configuration, you gain access with https://192.168.1.99/server-manager or https://nemo/server-manager.


  Note:
For security reasons, you are only able to access the server-manager through a web browser on the local network. Remote access is only possible using remote access tools such as ssh and PPTP or by allowing access to IP ranges set in Security > Remote Access


 

When you arrive at the correct URL, you'll be asked to enter your user name (which is always "admin") and the password you created during the installation process. Enter that information and click "OK" to be taken to the server-manager. It will look like the screen shown above. In the next five chapters, we'll explain each of the administrative functions. The links are grouped together under five headings: Collaboration, Administration, Security, Configuration and Miscellaneous.

Collaboration

Users

User accounts should be set up for each person in your organization. A user account includes separate, password-protected email and file storage areas.

If this is the first time you are setting up user accounts for your organization, you will need to establish what your naming convention will be. Let's assume you've decided that the account name should consist of first initial and last name. So, if you have an employee named Fred Frog, Fred's user account would be "ffrog". Assuming your domain name is tofu-dog.com, Fred's email address would be "ffrog@tofu-dog.com". Fred's file directory on the server would also be named "ffrog". There are some basic rules built into the server as to what constitutes a valid account name. The account name must contain only lower-case letters and numbers and should start with a lower-case letter (not a number).

User account names are limited to twelve characters to maintain consistency with various versions of Windows. Longer names can be created for email through the Pseudonyms panel. For your information, pseudonyms of "firstname.lastname" and "firstname_lastname" are automatically created for each account.


 

In the "User Accounts" section of the server-manager, you will see a list of your current accounts. If you haven't already created any accounts, select "Click here" and fill in the requested information - the account name (the part of the email address that comes before "@"), the person's name, address, department, company and phone number. As a convenience, the defaults that you entered in the "Directory" section of the server-manager appear each time you create a new account. You can, if necessary, modify the information for each user as you create the account.

From the list of user accounts, you can easily modify or remove a user account (by clicking on "modify" or "remove" next to the user name) or set the user's password. User accounts are locked out and cannot be used until you set the initial password for each account. As a reminder of this, user accounts appear in red until the password is changed. (In the example shown here, the administrator has not yet changed the password for user "Sally Salmon".)


  Note:
If you want someone to have an email address at your company, but want the messages forwarded to another external email address, you can create the user account but set the email delivery option in the user account to 'Forward to address below' and enter the external address. If you leave the user account locked out, the user will not be able to access services on your server, but the email will be delivered to the external email address.


Disabling User Accounts

There may be times when you do not wish to delete a user account but instead merely want to disable it. For instance, when an employee leaves the company, you may want to immediately remove their access to the server, but still keep their files or email address active until the information can be examined. To disable any user account on your server, just click on the Lock Account link on the User Accounts server-manager panel. As soon as you click the link, the account will be locked out. The user will no longer be able to retrieve email or connect to any files or other resources on the server.

When an account is disabled, email will still be received for that user name, but the user will be unable to retrieve the email. As noted above, if a user account is set to forward email to an external email address, the email will be forwarded to that external address. To prevent this, you will need to modify the properties for that user account.

To re-enable the user account, you need to reset the password using the link on the User Accounts server-manager panel.

Changing User Passwords

Once they have an active account, your users can set their own passwords by accessing the user-password URL, which is only accessible from local networks. They do this through their web browsers by visiting the URL www.yourdomain.xxx/user-password (where "www.yourdomain.xxx" is the web server name you entered into the server console). The staff at The Pagan Vegan would visit the URL www.tofu-dog.com/user-password.

To make the change, a user enters his or her account name (the characters before "@"), the old password and the new password (to ensure accuracy, the screen asks for the new password twice). Note that changing the password for a user in the server-manager overrides any previous password entered by your user. Therefore, when a user forgets his password, simply reset it in the server-manager.

 


  Note:
There is no way for the administrator to recover a forgotten password for a user. All they can do is set a new password for the user.


 


  Note:
Password strength checking is too strong. How do I change it?

First a warning: far too many systems out there have weak passwords, and they will be broken into. Educating your users on the necessity of strong passwords is the best option. If that fails, here is how you change the password strength checking from 'strong' to 'normal', which was the setting in previous versions of SME. Be careful to use the exact capitalization (config is the e-smith shortcut for db configuration).

 config setprop passwordstrength Users normal
 config setprop passwordstrength Ibays normal

It is also possible, but strongly discouraged, to disable password strength checking by setting the value to 'none'.


The following settings are available to specify the password strength on SME Server:

 setting   explanation
 strong    The password is passed through cracklib for dictionary-word checking, and must also contain an upper-case letter, a lower-case letter, a number and a non-alphanumeric character, with a minimum length of 7 characters.
 normal    The password must contain an upper-case letter, a lower-case letter, a number and a non-alphanumeric character, with a minimum length of 7 characters.
 none      No strength checking is done.

Please note that "none" does not mean no password, it just means no password strength checking, so you can enter any (weak) password you want as long as it is at least 7 characters long.
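
The following is an added example, not SME Server's own code (which lives in its e-smith Perl libraries): a small model of the three passwordstrength settings as the table above describes them, useful for testing a proposed password policy before rolling it out. The cracklib dictionary check that 'strong' performs is stood in for by a short constructed word list, an assumption of this model; the real check covers a large dictionary and simple patterns.

```python
import re

MIN_LENGTH = 7  # the minimum length the page states for every setting

# Character classes required by the 'normal' and 'strong' settings.
CLASS_RULES = {
    "upper-case letter": re.compile(r"[A-Z]"),
    "lower-case letter": re.compile(r"[a-z]"),
    "number": re.compile(r"[0-9]"),
    "non-alphanumeric character": re.compile(r"[^A-Za-z0-9]"),
}

# Constructed stand-in for cracklib's dictionary (assumption: real cracklib
# uses a large word list and also rejects simple patterns and palindromes).
CRACKLIB_STANDIN = {"password", "welcome", "letmein", "qwerty"}


def check_password(password: str, setting: str) -> list:
    """Return the reasons a password would be rejected under the given
    passwordstrength setting ('strong', 'normal' or 'none'); an empty list
    means the password is accepted."""
    if setting not in ("strong", "normal", "none"):
        raise ValueError(f"unknown passwordstrength setting: {setting!r}")
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if setting == "none":
        return problems  # length is the only check left
    for name, pattern in CLASS_RULES.items():
        if not pattern.search(password):
            problems.append(f"missing {name}")
    if setting == "strong":
        # Strip the digits/punctuation users typically bolt onto a word so
        # "Password1!" is still recognised as the dictionary word "password".
        core = password.lower().strip("0123456789!@#$%^&*()_-+=")
        if core in CRACKLIB_STANDIN:
            problems.append("dictionary word (cracklib)")
    return problems


def accepted(password: str, setting: str) -> bool:
    """True if the password passes under the given setting."""
    return not check_password(password, setting)


if __name__ == "__main__":
    for pw in ("abc", "abcdefg", "Abcdef1!", "Password1!"):
        for setting in ("none", "normal", "strong"):
            print(f"{setting:7} {pw!r:14} -> {check_password(pw, setting) or 'ok'}")
```

Note how "Password1!" satisfies every class rule and so passes 'normal', yet is exactly the kind of password a dictionary check exists to catch; that difference is what you give up by lowering the setting.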

Groups

This screen allows you to create, remove or change user groups, which are simply lists of people with a shared interest - for example, they work in the same department or are collaborating on a project. The user group function serves two purposes in the SME Server: it permits email to be sent conveniently to a group of users, and it allows the system administrator to associate groups of users with a single information bay (i-bay).

 

Creating a new group is a simple three-step process. You enter the group name (as with account names, these should begin with a lower-case letter and consist only of lower-case letters and numbers), followed by a brief description. Finally, check the boxes next to the names of the users who should be associated with that group.


  Warning:
When you create a group, you are required to assign at least one user to that group. If you fail to do so, the group will not be created and you will receive an error message.


After you add a user account to (or remove one from) a group, the user must log out and log back in for the change to take effect; until then the session still carries the old group membership (bugzilla:6934). For instance, suppose you create a new group "sales" and assign user "ffrog" (Fred Frog) to it, then create a new i-bay "salesinfo" that only the "sales" group can access: until Fred logs out and back in, he will not have access to the new "sales" group or its i-bay "salesinfo".


  Note:
A Windows user who is still logged in to a Windows PC and tries to connect to the new i-bay through Windows Explorer will receive a permission-denied error. They must log out of Windows (no need to shut down or reboot, just log out) and log in again. They should then be able to open the "salesinfo" i-bay through Windows Explorer without any problem.


Setting Windows Admin Rights

If you are using SME Server as a domain controller and the Windows workstations have joined the domain, then by adding users to special groups you can change the rights a user has on those workstations.

The domain always has three groups created, assigned as follows:

 Group description   Domain rights
 Domain Admins       admin
 Domain Users        shared (everyone)
 Domain Guests       nobody

If you create a group with any name you like but give it one of the descriptions above, the new group replaces that mapping. So if you create a group called "admins" with the description "Domain Admins", anyone you assign to this group becomes a domain admin and therefore a local administrator on ANY machine that has joined the domain. Keep such a group small and review its membership regularly.

You can also create a less privileged group by using the description "Power Users". See https://ss64.com/nt/syntax-security_groups.html and https://www.howtogeek.com/school/windows-network-sharing/lesson1/all/ for the rights granted to the different Windows groups.

Quotas

By default, there is no size limit on the files a user may store on the server nor on the amount of email that can be received. However, if you wish to limit the disk space a particular user account can use, you may do so on the "Quotas" panel in the server-manager. As shown in the image below, you will see a list of user accounts, the disk space each is actually using and the quotas, if any, set for that account.

 


  Warning:
Note that the quotas apply to all files that a user stores on the server. This includes not just their home directory, but also all files that they may put into any of the i-bays.


There are two quotas that can be applied to each user account:

  • Limit with grace period - when a user's disk usage exceeds this limit, an email warning message will be sent to the user account each night until the disk usage is brought back under the limit.
  • Absolute limit - when a user's disk usage hits this limit, the user will no longer be able to save files to the server or receive email.

Note that if the user account exceeds the "Limit with grace period" for seven consecutive days, the account will be treated as if it exceeded the absolute limit and will no longer be able to save files or receive email.


  Warning:
Email for the user account is not lost! It is held in the delivery queue and will be delivered to the user when their disk usage drops back below their absolute limit (or the "limit with grace period" if they were locked out due to seven days above that limit).


  Note:
In certain cases some mailboxes cannot accept messages and the qmail log shows:
deferral: Temporary_error_on_maildir_delivery._(#4.3.0)/

This usually means the user has reached the upper limit of their quota, so delivery is deferred until space is freed or the quota is raised. Increasing the quota resolves it. See bugzilla:7738
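
The deferral above only names a delivery number, not the mailbox, so to find out which users are affected you have to join it with the "starting delivery" line qmail wrote earlier. The following is an added example, not SME Server code, that does that join over the qmail-send log format and then checks the result against a quota snapshot; the log lines and the quota figures are constructed for the example (tai64n timestamps abbreviated) and the snapshot is a stand-in for what the Quotas panel shows.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/qmail/current: qmail-send logs
# "starting delivery N: msg M to local|remote ADDR" and later
# "delivery N: success|deferral|failure: DETAIL/". Only the second line
# carries the error, so the delivery number is the join key. Numbers are
# reused once a delivery completes (delivery 51 appears twice).
SAMPLE_LOG = """\
@400000005c2a1e3b0a1b2c3d starting delivery 51: msg 123456 to local ffrog@tofu-dog.com
@400000005c2a1e3b0a1b2c3e delivery 51: deferral: Temporary_error_on_maildir_delivery._(#4.3.0)/
@400000005c2a1e3c0a1b2c3f starting delivery 52: msg 123457 to local ssalmon@tofu-dog.com
@400000005c2a1e3c0a1b2c40 delivery 52: success: did_0+0+1/
@400000005c2a1e3d0a1b2c41 starting delivery 53: msg 123458 to remote bob@example.org
@400000005c2a1e3d0a1b2c42 delivery 53: deferral: Connected_to_192.0.2.25_but_connection_died._(#4.4.2)/
@400000005c2a1e3e0a1b2c43 starting delivery 51: msg 123459 to local ffrog@tofu-dog.com
@400000005c2a1e3e0a1b2c44 delivery 51: deferral: Temporary_error_on_maildir_delivery._(#4.3.0)/
"""

START_RE = re.compile(r"starting delivery (\d+): msg \d+ to (local|remote) (\S+)")
RESULT_RE = re.compile(r"delivery (\d+): (success|deferral|failure): (\S+)")
MAILDIR_ERR = "Temporary_error_on_maildir_delivery"


def maildir_deferrals(log_text: str) -> dict:
    """Return {recipient: deferral count} for local deliveries that were
    deferred because the maildir could not be written to."""
    pending = {}  # delivery number -> (local|remote, recipient)
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = START_RE.search(line)
        if m:
            pending[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = RESULT_RE.search(line)
        if not m:
            continue
        number, status, detail = m.groups()
        kind, recipient = pending.pop(number, (None, None))
        if status == "deferral" and kind == "local" and MAILDIR_ERR in detail:
            counts[recipient] += 1
    return dict(counts)


def quota_report(log_text: str, quotas: dict) -> list:
    """Join the deferrals with a quota snapshot {account: (used_mb, hard_mb)}
    and flag accounts that are deferring while at or above their absolute
    limit. Returns (account, deferrals, used_mb, hard_mb, over_limit)."""
    report = []
    for recipient, n in sorted(maildir_deferrals(log_text).items()):
        account = recipient.split("@", 1)[0]
        used, hard = quotas.get(account, (None, None))
        over = used is not None and hard not in (None, 0) and used >= hard
        report.append((account, n, used, hard, over))
    return report


if __name__ == "__main__":
    # Constructed quota snapshot: ffrog sits exactly on a 512 MB hard limit.
    for row in quota_report(SAMPLE_LOG, {"ffrog": (512, 512), "ssalmon": (10, 100)}):
        print("account=%s deferrals=%d used=%s hard=%s over_limit=%s" % row)
```

An account that shows up in this report but is not over its limit points at something other than quota (a full disk or a permissions problem on the maildir), which is why the join is worth doing before simply raising quotas.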


By selecting "Modify" you are able to set a quota (in megabytes) for a particular user account. Note that you do not have to set both limits for a user account; you can choose to set only one of them.

If you set a limit and later wish to disable the quota for a given user account, all you need to do is set the limit to "0".

Pseudonyms

Any user who has an account on your SME Server will be able to receive email sent to that user ID. For instance, if you have a user named Fred Frog with the user account "ffrog", his primary email address will be "ffrog@mycompany.xxx".

Likewise, when you create a group account, that group account name functions as an email alias, so that messages addressed to the group ID will be sent to all members of the group. If, for example, you create a group called "sales", messages to "sales@mycompany.xxx" will be distributed automatically to all members of that group. As you add and remove members to the group, your server automatically updates the email alias.

In addition to user and group accounts, your server also automatically creates several pseudonyms . For instance, for each user account, the server creates two separate pseudonyms using the first and last names of the user. These two pseudonyms are in the form of "firstname.lastname" and "firstname_lastname". Hence, when you create the user account "ffrog" for a user with the name Fred Frog, he will also be able to receive email sent to "fred.frog@mycompany.xxx" and "fred_frog@mycompany.xxx".

Additionally, your server creates a special pseudonym called "everyone" that includes all user accounts on the system. Two other pseudonyms, "postmaster" and "mailer-daemon" are created pointing to the "admin" user.

If you wish to modify or remove any of these pseudonyms, or create new ones, you can use the web panel found under the "Collaboration" section of the server-manager, as shown below.


  Note:
The special pseudonyms of "everyone", "postmaster" and "mailer-daemon" will only be visible after you have either added a user account to the system or have added a custom pseudonym. Until that time, these three pseudonyms are there, but will not be visible on the Pseudonyms web panel.


 

As noted on the screen below, there are some restrictions on the text content of the names. Pseudonyms can be linked to existing user or group accounts. In the example shown, a pseudonym for webmaster is being set to point to ffrog.

 

Practical usage guidelines

An SME Server has a single namespace: a given name can exist only once in the system, whether as a user, a group, a pseudonym or an i-bay. Consequently, whenever you create a user account on a server that hosts multiple domains, that account automatically receives email at all of those domains.

So the user account "sales" will receive email for:

  • sales@domain1
  • sales@domain2
  • sales@domain3
  • sales@domain4

The problem with this is that you cannot have different people using the same account name to collect email at different domains.

Using the Pseudonyms panel is the only way SME Server can deliver email for the same name at different domains (name@different-domain), but you need to use it together with the right underlying naming conventions.

The golden rule is never to use a role name such as sales, info or accounts as a user account name, because once a name is taken by an account it is no longer available for name@domain style pseudonyms.

  • create your domains eg domain1, domain2, domain3, domain4 and configure those domains to use different ibays for the web content. You can even setup different groups to allow only different users to access each ibay to update web content etc.
  • create user accounts user1, user2, user3, user4 as needed for users who want to use the email address "sales", but keep in mind they will use the login name user1 rather than sales (the login names could be johnb, johnb2, johnw, johnm etc)
  • create user accounts user5, user6, user7, user8 as needed for users who want to use the email address "info", but keep in mind they will use the login name user5 etc rather than info
  • create user accounts user9, user10, user11, user12 as needed for users who want to use the email address "accounts", but keep in mind they will use the login name user9 etc rather than accounts
  • create pseudonyms eg
    • sales@domain1 which forwards to user1
    • sales@domain2 which forwards to user2
    • sales@domain3 which forwards to user3
    • sales@domain4 which forwards to user4
    • info@domain1 which forwards to user5
    • info@domain2 which forwards to user6
    • info@domain3 which forwards to user7
    • info@domain4 which forwards to user8
    • accounts@domain1 which forwards to user9
    • accounts@domain2 which forwards to user10
    • accounts@domain3 which forwards to user11
    • accounts@domain4 which forwards to user12

ie. in the pseudonyms field type the whole pseudonym name as sales@domain1

Note do not use sales, info or accounts for any other purpose ie. as user account names or group names or pseudonym names (on its own) or ibay names.

If you want your end users to use webmail, they log in using the URL for their own domain: https://domain1/webmail, https://domain2/webmail, https://domain3/webmail or https://domain4/webmail.

If you want webmail configured for the correct domain for each end user the first time they use it, you will need to do that manually before issuing the login details to the user. For example, log in to webmail as user1 (for domain1) and set up the profile for that user to show the return email address sales@domain1; then log in to webmail as user2 (for domain2) and set the return email address to sales@domain2.

Do the same for all other webmail accounts that will be issued configuring the profile and return address as applicable.

If you don't configure webmail profiles manually then they will have the default return address of loginusername@domain1 (or the main domain name of the server if different).

Summary eg For user1 for domain1

The user account will be user1 (e.g. johnb) and the person uses that name (and the corresponding password) to log in to the server or to webmail. The email address for the user will be the same as the pseudonym, i.e. sales@domain1, and that is the address the user should publish and use as the return email address. Obviously the name before the @domain is different from their login username; that is the compromise to be accepted when using SME this way. It is quite common in practice, as users often have different "position related" pseudonyms anyway, e.g. manager@domain1 forwards to user1.

As the user account user1 exists on the server, user1@domain1 will also be a valid email address delivering to user1, and note that email "inadvertently" sent to user1@domain2, user1@domain3 or user1@domain4 will also be delivered to user1. This is not usually a problem, as you simply don't tell user1 that the other hosted domains will work for that name; bear in mind, though, that those addresses are still accepted by the server whether or not anyone knows about them.


Alternative configuration of users

If the above method is not acceptable or desirable, the only other way to set up users is to have only one occurrence of each user name in the system, e.g. john, john1, john2, john3, johnb, johnb1, johnb2, johnw, johnws etc., much as ISPs do.

Every username will be a valid (email address) for every domain hosted on your server, but you only tell the end user about their domain eg john@domain1 john2@domain1 john3@domain2 johnb@domain1 johnb2@domain2 johnb3@domain3 etc

but john@domain2 and john@domain3 etc will still work.

Any email sent to any of the addresses will automatically be received by the end user account, and the user account name and login name will be the same. There is no need to configure pseudonyms in that case.

You will still need to configure Webmail profiles manually for each domain that is different to the default domain.
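
The following is an added example, not SME Server code, that models the naming rules from the practical usage guidelines and the alternative configuration above so the "golden rule" can be checked mechanically before you create accounts. It assumes exactly what the page states: one flat namespace shared by users, groups, pseudonyms and i-bays; every account name deliverable at every hosted domain; a pseudonym that is either a bare name (valid at all domains) or a fully qualified name@domain (valid only there); and a group name that expands to its members. The domains and user names are made up.

```python
class Namespace:
    """Model of SME Server's single account namespace across hosted domains."""

    def __init__(self, domains):
        self.domains = set(domains)
        self.kinds = {}     # bare name -> "user" | "group" | "pseudonym" | "ibay"
        self.members = {}   # group -> set of users
        self.aliases = {}   # "name" or "name@domain" -> target name

    def _claim(self, name, kind):
        """Enforce the single namespace: a bare name may exist only once,
        and must not collide with the local part of a qualified pseudonym
        (the golden rule: sales@domain1 forbids a user or i-bay "sales")."""
        if name in self.kinds:
            raise ValueError(f"{kind} {name!r} clashes with existing {self.kinds[name]} {name!r}")
        if any(a.split("@", 1)[0] == name for a in self.aliases if "@" in a):
            raise ValueError(f"{kind} {name!r} would shadow a qualified pseudonym")
        self.kinds[name] = kind

    def add_user(self, name):
        self._claim(name, "user")

    def add_ibay(self, name):
        self._claim(name, "ibay")

    def add_group(self, name, members):
        missing = [m for m in members if self.kinds.get(m) != "user"]
        if missing:
            raise ValueError(f"group {name!r}: unknown users {missing}")
        self._claim(name, "group")
        self.members[name] = set(members)

    def add_pseudonym(self, alias, target):
        if target not in self.kinds:
            raise ValueError(f"pseudonym {alias!r}: unknown target {target!r}")
        local, _, domain = alias.partition("@")
        if domain:
            if domain not in self.domains:
                raise ValueError(f"{domain!r} is not hosted here")
            if local in self.kinds:
                raise ValueError(f"{local!r} is already a {self.kinds[local]}; "
                                 "the qualified pseudonym would be ambiguous")
        else:
            self._claim(local, "pseudonym")
        self.aliases[alias] = target

    def expand(self, name):
        """Resolve a bare name to the set of user accounts that receive mail."""
        kind = self.kinds.get(name)
        if kind == "user":
            return {name}
        if kind == "group":
            return set().union(*(self.expand(m) for m in self.members[name]))
        if kind == "pseudonym":
            return self.expand(self.aliases[name])
        return set()

    def deliver(self, address):
        """Mailboxes that receive mail for address, or an empty set."""
        local, _, domain = address.partition("@")
        if domain not in self.domains:
            return set()
        if address in self.aliases:          # name@domain pseudonym, this domain only
            return self.expand(self.aliases[address])
        return self.expand(local)            # users, groups and bare pseudonyms: every domain


if __name__ == "__main__":
    ns = Namespace(["domain1", "domain2", "domain3"])
    ns.add_user("johnb"); ns.add_user("johnw")
    ns.add_pseudonym("sales@domain1", "johnb")
    ns.add_pseudonym("sales@domain2", "johnw")
    for addr in ("sales@domain1", "sales@domain2", "sales@domain3", "johnb@domain2"):
        print(addr, "->", sorted(ns.deliver(addr)))
```

Running it shows the two behaviours the text warns about: sales@domain3 is undeliverable until its own pseudonym exists, and johnb@domain2 delivers even though nobody was told about it.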


The ultimate answer to having separately administered domains and identical user names at different domains, is to host only one domain on each SME Server ie have a different server for every domain. There are posts in the contribs.org forums explaining how to do this and forward/delegate email for different domains from one gateway server to other server-only boxes on the same LAN using the same Internet connection.

See this thread for details http://forums.contribs.org/index.php?topic=30953.0

Removing the default SME Server behaviour of auto-creating pseudonyms: in this scenario (multiple domains) you may not need or want the firstname.lastname and firstname_lastname pseudonyms to be created automatically for each new user.

To achieve this, comment out (put a # at the beginning of) the line that calls create_user_auto_pseudonyms in
 /usr/lib/perl5/site_perl/esmith/FormMagick/Panel/useraccounts.pm
At the time of writing it was line 793, but search the file for the function name rather than relying on the line number, since it moves between versions.


  Note:
Please note that the path to the esmith perl libraries has changed as of SME Server 9.x to /usr/share/perl5/vendor_perl/esmith.


the line should then look like

#    $accountdb->create_user_auto_pseudonyms($acctName);

Be aware that this file belongs to an rpm package, so the change will be reverted whenever that package is updated; re-check the line after applying updates.

Information Bays

The i-bay (information bay) feature of the SME Server is a simple, very flexible and powerful way for you to share information with others. It is such a rich and important feature that we've devoted Chapter 14 entirely to dealing with Information Bays.

Administration

Backup or restore

You can easily back up the contents of your SME Server using one of three methods. They are controlled through the web panel shown below.


  Note:
The console backup to USB device is an independent method not related to these options. SME_Server:Documentation:Administration_Manual:Chapter6#Option_8:_Perform_backup_to_USB_device

When a new install prompts you to restore from a backup, it is the console backup it is referring to. The following backup methods are restored from the server-manager.


 

You have seven actions you can perform, each of which is described in the following sections.

To desktop

Backup to desktop

The first type of backup allows you to save a snapshot of your server configuration onto your desktop computer. This will save all user accounts, user directories, i-bay contents and web content, as well as the configuration parameters entered using the server console and the server manager. The web panel shows you the size of the backup file so that you can verify whether sufficient space exists on your desktop machine.

When you choose Backup to desktop, a browser window will appear that will allow you to name the file and select the location on your desktop where the file will be saved.

Please be aware that there is a 2GB limit on backup to desktop, use backup to workstation to perform large backups to locally attached USB disks or network shares.

The compression level of the backup *.tgz file can be altered with the backupconsole CompressionLevel setting in the configuration database; a lower level decreases and a higher level increases the time taken to create the backup.

The value is a gzip compression level, where -1 is the fastest method (least compression) and -9 the slowest (best compression). The default is -6, which is biased towards high compression at the expense of speed.

Setting the level of compression via a custom db setting:

 db configuration setprop backupconsole CompressionLevel -9

Restore from desktop

Restore from Desktop was removed in version 7.4

Ideally you should restore onto a freshly installed server. Therefore, if you are planning a restore, first re-install the SME Server software and then perform the "Restore from backup" when prompted, making sure you have copied the backup file to an attached USB disk, CD or DVD beforehand.

To Tape
  Warning:
Be aware that you must use a supported tape drive and that a tape must be inserted in the drive for the backup to work.


Configure tape backup

The second type of backup involves configuring your system to perform a daily full system backup to a tape drive using a software package called flexbackup . If you wish to activate this option, check the box next to Enable Tape Backup and then specify the time at which you wish the backup to occur and the time at which reminder notices should be sent.


  Note:
Reminder e-mail messages for tape backups are automatically sent to the e-mail address that is configured to receive administrative notices. This is normally the user admin, but you can change this in the server manager.


Restore from tape

If you are performing regular backups, you can also restore user data and configuration settings by using the Restore from tape option. After you press the Perform button, the system will read the files from tape and overwrite any currently existing files. You must reboot your system after the restore for the changes to take effect. Note that in order to restore data from tape, you must have first checked off Enable Tape Backup and scheduled nightly backups. If you have not done this, you will not be able to restore from tape using the server manager.


  Warning:
Note that this restore procedure only restores user data and configuration information. It does not restore system files. If you experienced a serious system crash, you should first re-install the SME Server software and then perform a restore from tape.


To Workstation or USB Drive

Backup to workstation provides daily full or incremental backups to a LAN workstation (via NFS or CIFS) or a local USB disk, with full or selective restore, using the dar program.


  Note:
When using a CIFS mount you need to be aware of limitations on the characters you can use in the password. According to the mount.cifs man page commas should be avoided, and users have also found that leading spaces and exclamation marks should not be used. For more details see bugzilla:4850.



  Note:
To enable backup via NFS you will need to install nfs-utils from the base repository: yum install nfs-utils

For further information please see bugzilla:7006 (http://bugs.contribs.org/show_bug.cgi?id=7006) and bugzilla:4850.


The main features of backup with dar, apart from its use of a session timeout, are:

Incremental backup. You can back up and restore data for whatever period you want (one day, three days, one week, one month, 100 days...) and restore the system to any state it was in during that period. A full restore of the system as it was a month ago is rarely useful, but restoring a file a user lost two or three weeks ago often is, and restoring a known-good system more than one day old can be necessary.

The second feature is keeping more than one set of backups (a set is a full backup plus the data of the following daily incremental backups) with automatic rotation. For example, you can do only nightly full backups but keep three sets for safety, so that you can restore the system as it was 72 hours ago.

The third feature is selective restore of any saved file or directory, exactly as it was on any of the saved days in your sets. You can restore a lost file in its latest state, or ask for the most recent version of the file before a given date. Selective restore is not easy to manage by hand, so providing it through panels is useful. Dar supports selective restore, and the e-smith-backup dar panels try to keep this as simple as possible to use.


  Tip:
For a comprehensive explanation with multiple examples see Backup_with_dar


Configure workstation backup

Configure your backup destination and options to suit your situation.

Verify workstation backup

This option allows you to verify that the backup was completed successfully.

Restore from workstation

This option allows you to restore a complete backup. This should ideally only be performed on a clean install.

Selective file restore from workstation

This option allows you to restore a single file. You have the option of restricting the file to a date range.

Use WOL to power on Workstation

Wake On Lan can be used to power up the backup target workstation before starting the backup.

To use WOL there simply needs to be a new variable added to the backupwk section of the configuration database, nothing else is required. This variable holds the MAC address of the target workstation, if the MAC address is 00:4E:89:F5:FD:2B use:

db configuration setprop backupwk SmbHostMAC 00:4E:89:F5:FD:2B

There is also the ability to specify how long to wait between the WOL packet being sent and attempting to start the backup process. The default wait time is 300 seconds, this can be varied via another configuration database setting. It is recommended to not set the wait period below 300 seconds. To set the wait time to 600 seconds:

db configuration setprop backupwk SmbHostDelay 600

The target system must support, and be set up to respond to, the WOL "magic packets". The network infrastructure must also support WOL packets. WOL should work across the local network without problem. WOL packets are not routeable so it won't work across the internet without additional support from hardware and/or software such as a VPN tunnel. Getting WOL to work across the internet is beyond the scope of this documentation but there are plenty of resources available elsewhere. Most wireless connected devices do not work with WOL.

Note that there is no check that the supplied MAC address is the right one for the IP address or hostname of the target workstation. MAC addresses are effectively static, but IP addresses and hostnames can change, particularly if the target gets its address via DHCP. It is quite possible for the correct target to be woken and ready yet for the backup to fail because the IP address has changed. In practice SME's DHCP server very rarely changes the IP address it assigns to a given MAC address.

To stop using WOL simply delete the SmbHostMAC variable:

db configuration delprop backupwk SmbHostMAC

and to be tidy if the optional delay parameter has been set:

 db configuration delprop backupwk SmbHostDelay
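
The following is an added example, not SME Server code, showing what the SmbHostMAC setting causes the server to do and how to check the caveat above before relying on it: it builds the WOL magic packet (six 0xFF bytes followed by the target MAC repeated sixteen times), validates the MAC format, and looks up which IP address the local neighbour table currently associates with that MAC so it can be compared with the configured backup host. The broadcast address and UDP port in send_magic_packet() are conventional defaults, not something the page states, and the neighbour-table text is constructed in the shape of `ip neigh show` output.

```python
import re
import socket
from typing import Optional


def parse_mac(text: str) -> bytes:
    """Accept 00:4E:89:F5:FD:2B or 00-4E-89-F5-FD-2B; reject anything else."""
    parts = re.split(r"[:\-]", text.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)


def magic_packet(mac: str) -> bytes:
    """Six 0xFF bytes followed by the target MAC repeated 16 times (102 bytes)."""
    return b"\xff" * 6 + parse_mac(mac) * 16


def send_magic_packet(mac: str, broadcast: str = "255.255.255.255", port: int = 9) -> int:
    """Broadcast the packet on the local segment and return the bytes sent.
    WOL is a link-layer broadcast, so this cannot cross a router (assumed
    defaults: limited broadcast address, UDP port 9)."""
    packet = magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (broadcast, port))


# Constructed sample in the shape of `ip neigh show` output.
SAMPLE_NEIGH = """\
192.168.1.50 dev eth0 lladdr 00:4e:89:f5:fd:2b REACHABLE
192.168.1.51 dev eth0 lladdr 3c:52:82:11:22:33 STALE
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 DELAY
"""


def ip_for_mac(neigh_output: str, mac: str) -> Optional[str]:
    """Return the IP the neighbour table currently maps to mac (case-insensitive),
    or None. Compare it with the configured backup host before trusting WOL."""
    wanted = parse_mac(mac)
    for line in neigh_output.splitlines():
        fields = line.split()
        if "lladdr" in fields:
            seen = fields[fields.index("lladdr") + 1]
            if parse_mac(seen) == wanted:
                return fields[0]
    return None


if __name__ == "__main__":
    mac = "00:4E:89:F5:FD:2B"
    print(len(magic_packet(mac)), "byte magic packet for", mac)
    print("neighbour table currently has that MAC at", ip_for_mac(SAMPLE_NEIGH, mac))
```

If ip_for_mac() returns an address that differs from the host the backupwk configuration points at, the workstation will wake up but the backup will still fail, which is exactly the failure mode described above.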

View log files

This panel allows you to view the system log files on your server. As shown in the image below, you select the log file that you want to view and press the "View Log File" button. Without any filter options, you will see the entire log file.

 

You will probably find the log file of most interest to be messages where most of the system services write log messages. If you enter any text in the " Filter Pattern " box, only lines of the log file containing that text will be displayed. If you enter any text in the " Highlight Pattern " box, that text will be shown in bold. Both options can be used together. Be aware that the filter is case-sensitive.

As an example, if you were interested in messages relating to DHCP, you could examine the log file messages with a filter pattern of DHCP. This will show you all DHCP-related messages. If you further add a highlight pattern of DHCPACK, the messages relating to DHCP acknowledgements will appear in bold.

Mail log file analysis

If you are using your SME Server to send and receive e-mail, there are now a number of reports available that can help you analyze your system's performance. While the default setting provides basic statistics, if you pop up the menu, you will see a range of other options. If you suspect that there is a problem with the delivery of your e-mail, you can use these reports to see how your system is operating. The information can also help you decide how best to optimize your system.

 

Reboot or shutdown

If you need to shut down or reboot your server, using this screen will ensure that the shutdown sequence occurs gracefully, preserving all configuration and information on your server. There is a similar function in the server console as well. Note that this screen initiates the shutdown or reboot immediately after you click the "Perform" button.

 

Security

Remote Access

If you're an advanced user, the SME Server provides several different ways to access the underlying operating system, either from a computer on your internal network or from a computer outside your site on the Internet. Additionally, you have the ability to access your computer network securely from a remote computer. All of these operations are configured from the screen shown below in the server manager.

Each of these remote access methods is described below.

   


VPN

(awaiting full integration)


Remote Management

To allow access to the /server-manager from remote networks add allowed IP addresses to the Remote Management section.

To allow a single computer (or a network of computers behind a firewall), add its IP address and the netmask, for example:

 223.102.19.24   255.255.255.255

SSH

If you need to connect directly to your server and login from a remote system belonging to you, we strongly encourage you to use ssh. In addition to UNIX and Linux systems, ssh client software is now also available for Windows and Macintosh systems. (See the section below.)


  Tip:
Configuring SSH access as public will result in many script-based login attempts, which consume bandwidth and CPU and generate log noise. A new iptables rule blocks repeated connection attempts to the configured sshd port.

It is set to reject connections when there have been 3 or more requests in the previous 15 minutes. By design, only IPs outside your local network will be blocked when too many attempts are made. See AutoBlock_SSH
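
The following is an added example, not SME Server's own iptables rule: it replays constructed sshd log lines, counts connection attempts per source address in a sliding 15-minute window and reports which addresses the policy above would reject, never blocking an address inside the local network. The local network 192.168.1.0/24, the year used for the timestamps and the log line format are assumptions for the example.

```python
"""Simulation of the AutoBlock SSH policy: 3 or more attempts in 15 minutes."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy from the tip: reject after 3 or more requests within 15 minutes.
MAX_ATTEMPTS = 3
WINDOW = timedelta(minutes=15)

# Constructed local network for this example (set to your own LAN).
LOCAL_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]

# Syslog-style sshd lines: "Apr 20 10:00:00 sme sshd[1234]: ... from 203.0.113.5 port 5022 ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r".*\bfrom (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample log (not captured from a real server); syslog omits the year.
SAMPLE_LOG = [
    "Apr 20 10:00:00 sme sshd[2001]: Failed password for root from 203.0.113.5 port 5022 ssh2",
    "Apr 20 10:00:05 sme sshd[2002]: Accepted publickey for admin from 198.51.100.7 port 4410 ssh2",
    "Apr 20 10:01:00 sme sshd[2003]: Failed password for admin from 192.168.1.20 port 6000 ssh2",
    "Apr 20 10:01:10 sme sshd[2004]: Failed password for admin from 192.168.1.20 port 6001 ssh2",
    "Apr 20 10:01:20 sme sshd[2005]: Failed password for admin from 192.168.1.20 port 6002 ssh2",
    "Apr 20 10:03:00 sme sshd[2006]: Invalid user test from 203.0.113.5 port 5023",
    "Apr 20 10:05:00 sme sshd[2007]: Server listening on 0.0.0.0 port 22.",
    "Apr 20 10:07:00 sme sshd[2008]: Failed password for invalid user test from 203.0.113.5 port 5024 ssh2",
    "Apr 20 10:20:00 sme sshd[2009]: Accepted publickey for admin from 198.51.100.7 port 4411 ssh2",
    "Apr 20 10:40:00 sme sshd[2010]: Accepted publickey for admin from 198.51.100.7 port 4412 ssh2",
]


def is_local(ip: str) -> bool:
    """True when the address belongs to one of the local networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETWORKS)


def parse_line(line: str, year: int = 2007):
    """Return (timestamp, source ip) for an sshd connection line, else None."""
    match = LINE_RE.match(line)
    if match is None:
        return None
    stamp = datetime.strptime(f"{year} {match.group('ts')}", "%Y %b %d %H:%M:%S")
    return stamp, match.group("ip")


def blocked_addresses(lines, year: int = 2007):
    """Map each address the policy would reject to the time it tripped the limit."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    blocked = {}
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        stamp, ip = parsed
        if ip in blocked or is_local(ip):
            continue
        window = recent[ip]
        window.append(stamp)
        # Drop attempts older than the window (log lines arrive in time order).
        while stamp - window[0] > WINDOW:
            window.popleft()
        if len(window) >= MAX_ATTEMPTS:
            blocked[ip] = stamp
    return blocked


if __name__ == "__main__":
    for ip, when in blocked_addresses(SAMPLE_LOG).items():
        print(f"{ip} would be rejected from {when:%H:%M:%S}")
```

In the sample, 203.0.113.5 trips the limit on its third attempt at 10:07, the three quick attempts from 192.168.1.20 are ignored as local, and 198.51.100.7 never has three attempts inside one window.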


If you do not have any reason to allow remote access, we suggest you set this to No access.

SSH (secure shell) provides a secure, encrypted way to login to a remote machine across a network or to copy files from a local machine to a server. Many people do not realize that many programs such as telnet and ftp transmit your password in plain, unencrypted text across your network or the Internet. ssh and its companion program scp provide a secure way to login or copy files. The ssh protocol was originally invented by SSH Communications Security which sells commercial ssh servers, clients, and other related products. The protocol itself has two versions - SSH1 and SSH2 - both of which are supported by most clients and servers today. For more information about SSH Communications Security and its commercial products, visit http://www.ssh.com/.

OpenSSH, included with the SME Server, is a free version of the ssh tools and protocol. The server provides the ssh client programs as well as an ssh server daemon and supports both the SSH1 and SSH2 protocols. For more information about OpenSSH, visit http://www.openssh.com/.

Once ssh is enabled, you should be able to connect to your server simply by launching the ssh client on your remote system and ensuring that it is pointed to the external domain name or IP address for your server. In the default configuration, you should next be prompted for your user name. After you enter admin and your administrative password, you will be in the server console. From here you can change the server configuration, access the server manager through a text browser or perform other server console tasks.

If you do enable ssh access, you have additional configuration options:

  • Allow administrative command line access over ssh - This allows someone to connect to your server and login as "root" with the administrative password. The user would then have full access to the underlying operating system. This can be useful if someone is providing remote support for your system. In most cases we recommend setting this to No.
  • Allow ssh using standard passwords - If you choose Yes (the default), users will be able to connect to the server using a standard user name and password. This may be a concern from a security point of view, in that someone wishing to break into your system could connect to your ssh server and repeatedly enter user names and passwords in an attempt to find a valid combination. A more secure way to allow ssh access is called RSA Authentication and involves the copying of an ssh key from the client to the server. See the User Manual for details.
  • TCP Port for secure shell access - Change the port the ssh client uses to connect to the server; choose a random free port, e.g. 822. This provides some protection from casual attacks on the usual port of 22 and reduces log noise, but will not deter a serious attacker.


  Note:
By default, only two user names can be used to login remotely to the server: admin (to access the server console) and root (to use the Linux shell). Regular users are not permitted to login to the server itself. If you give another user the ability to login remotely to the server, you will need to access the underlying Linux operating system and manually change the user's shell.


  • SSH clients

A number of different free software programs provide ssh clients for use in a Windows, Macintosh or Linux environment. Several are extensions of existing telnet programs that include ssh functionality. A list of known clients can be found online at https://www.ssh.com/ssh/client, PuTTY being the most popular for Windows as it meets most requirements and is regularly updated. Linux workstations normally have direct ssh capability.

A commercial ssh client is available from SSH Communications Security at: http://www.ssh.com/products/ssh/download.html. Note that the client is free for evaluation, academic and certain non-commercial uses.

Do note that the SSH protocol also supports SFTP (an alternate secure FTP) and SCP (secure copy). WinSCP is one example of a Windows client that supports both for GUI file transfer over the shell.

FTPs

Another way to upload or download files to and from your server is to enable a protocol called FTP, or "file transfer protocol". This screen enables you to set your policy for FTP. Note that allowing liberal FTP access to your server does reduce your security. You have two options that you can set here.

FTP is now FTPS (FTP over TLS) by default, and this setting is enforced. If for any reason you want or need to be less secure than that, then please check the wiki on how to do so. Plain FTP does not use encryption and so is trivially cracked; we strongly recommend you use the default FTPS.

FTP user account access: Private FTP access allows only people on your internal network to write files to your server. Public FTP access allows users both inside and outside your local network to read or write files on your server, provided they have an account and password. If, for example, you want to be able to update your web site from home using FTP, you would choose the "Public" setting. We strongly recommend you leave this as Private unless you have a specific reason to do so.

FTP access limits: This allows you to set an overall site-wide policy for FTP access. The setting you choose here will override all other FTP settings on your server. For example, if you choose "Disable public FTP access" here and then later configure an i-bay to allow public FTP access from the Internet, such access will be forbidden. Note that one of the choices here allows you to completely disable any use of FTP.


Local networks

Your SME Server provides services to machines on the local network and it gives machines on that network special privileges and access. For example, only machines connected to the local network can access the mail server on your server to send mail. When you configured your server, you provided it with sufficient information to deduce its own local network. Machines on the network are automatically identified by the server as being eligible for these privileges and access.

If your company only has one network that is being serviced by the server, you do not need to add any information here.

Some advanced users may wish to extend privileges to more than one network of computers. If you would like your server to identify one or more additional networks for those privileges, you will be asked to enter those network IDs and the subnet mask for each network here.


  Note:
Depending on the architecture of your network infrastructure, the instructions for configuring the client machines on that additional network may be different than the instructions outlined in the chapter in this user guide. If you have questions regarding adding another network, you may wish to contact Contribs.org and visit the forums.


Port forwarding

Your SME Server provides the ability to forward its ports to other machines.

You can use the panel shown above to modify your firewall rules so as to open a specific port (or range of ports) on this server and forward it to another port on another host. Doing so will permit incoming traffic to directly access a private host on your LAN.


  Warning:
Misuse of this feature can seriously compromise the security of your network. Do not use this feature lightly, or without fully understanding the implications of your actions.


Proxy settings

Your SME Server has a transparent HTTP and SMTP proxy.

HTTP Proxy

The server's HTTP proxy works to reduce overall uplink usage by caching recently-visited pages. It is transparent to web browsers using this server as their gateway.

SMTP Proxy

The server's transparent SMTP proxy works to reduce virus traffic from infected client hosts by forcing all outgoing SMTP traffic through this server. If you wish to use an alternate SMTP server, and this server is your gateway to it, disable this proxy.

- Disabled. Clients behind the SME Server are allowed to connect to any SMTP server anywhere in the world (that allows them to).

- Blocked. This forces all SMTP traffic to go through the server and be authenticated. All attempts to connect to any SMTP server other than the SME Server will be blocked and treated as if there is no SMTP server on the other end. (This is the new default.)

- Enabled. Any attempt to connect to an SMTP server other than the SME Server will be redirected to the SME Server. If someone attempts to connect to an external SMTP server (Gmail, for example), the connection will be redirected to the SME Server. If the client is set to authenticate to that external server, the user name and password are passed to the SME Server instead of the external server, and authentication fails. (This is the old default.)

Note: The server (by default) now requires e-mail clients (other than webmail) to authenticate and will not allow authentication to occur over an insecure link. If, for example, you are using Thunderbird, you must set the authentication method to "normal password" and leave the connection security at STARTTLS or SSL/TLS.

Miscellaneous

Support and licensing

This Panel displays a copy of the license under which SME Server is released.


Online manual

In the top right corner of the server-manager there is a 'Question mark' icon. This is a link that lists the online documentation available. Note that you must be connected to the Internet to read the online user guide.

Other Administration Notes

Accessing administrative areas of your server via Windows file sharing: To access administrative areas of your server using Windows file sharing, you must be logged into your network as "admin" with the server system password. This applies particularly to the NETLOGON share (where you use the netlogon.bat file), the Primary share (where the main web site is stored) and any i-bays that are writable only by the user admin.

Configuration

Software Installer Panel

The Software installer Panel allows you to configure and install updates to SME Server. You can install additional software from enabled repositories by setting 'Manage individual packages' to enabled.

Set date and time

Accessing this section allows you to set the system date and time either manually or using a network time server. Pull-down menus for month and time zone ensure accurate entry. The server manager will reset the time automatically during daylight savings time. There are worldwide time zones with multiple selections for countries with multiple time zones (including standard time zones, states/provinces and even cities). This ensures that regional variations in time zones and daylight savings time are accurately reflected.

Instead of setting the time manually, you can use a network time server. A time server is a device on the Internet that keeps accurate time and is able to communicate the time to other computers over the Internet using the Network Time Protocol (NTP). Many organizations around the world provide Internet time servers for free.


  Warning:
After you start using a network time server, you should NOT set the time or date manually. If you do so, the network time synchronization will no longer function.


This screen in the server manager allows you to configure your server to connect regularly to a time server and synchronize the clock on the server with the time provided by the time server. To do this, simply check the box for "Enable NTP Service", add the domain name or IP address of the time server in the space provided and click "Save NTP Settings". Using a time server is optional but doing so can greatly increase the accuracy of your system. For more information about using or becoming a network time server, visit http://www.pool.ntp.org


  Tip:
In order to make sure the network time server is set to your timezone, you should go through this screen once and manually set the time to be correct and with the correct timezone. After doing that, go back to this panel and set the server to use a network time server.


Workgroup

If you are using a computer on a local network and you wish to access the server via Windows file sharing, it is important that you are logged onto the same workgroup as your SME Server. This screen allows you to enter the name of the Windows workgroup the server should appear in. You should also enter the Windows server name. In order that you may later connect multiple locations using IPSEC VPNs, we suggest that you use a different name for each server. If you wish you can change the workgroup name to correspond with an existing workgroup.

Macintosh users need only enter a server name or accept the defaults.

Also in this section, you can specify whether the server should be the domain master for your Windows workgroup. Most sites should choose "Yes" unless you are adding a server to an existing network which already has a domain master.


  Warning:
If you have a Windows NT server or Windows 2000 server on your network that is functioning as a network server, you should answer "no" as that other server will act as the domain master.


If you do configure your system to be the domain master, a special Windows share called NETLOGON is created with a DOS batch file called netlogon.bat. This batch file is executed by Windows clients that have been configured to "Logon to domain". The netlogon.bat file we provide by default does very little, but advanced users can, if they wish, modify this script to set environment variables for their clients or provide automatic drive mappings.

As the NETLOGON share is only writable by the "admin" user, you modify the netlogon.bat script by logging on to a Windows system as "admin", connecting to the share and then modifying the script using a Windows text editor. Be aware that the NETLOGON share will not be visible in Network Neighborhood or other similar tools. As the "admin" user, you will need to connect to the share or map a drive to it, by using the specific path:

\\servername\NETLOGON\

The sample file contains a few examples of setting the system time for each machine and also of mapping a common drive for all Windows clients.

Note: Chapter 7 has a method for admin to edit the netlogon.bat file using the command line.

Directory

Your SME Server provides an easy mechanism for creating a company directory. Each time you create or delete an e-mail account, your directory will be automatically updated with the new information.

In this section of the server manager, you specify the default directory information for new accounts - the user's department, company, street address, city and phone number. Each time you create an e-mail account, the fields will contain the information entered here as the default. If you wish, you can change the information for each user.

At any time in the future, you can change the default information and have the new information apply to all new users or to all existing users as well. The field to do this is located near the bottom of the screen. Choosing "update with new defaults" is a convenient one-click method of revising your directory when, for example, your company has moved to a new address.

Printers

Your SME Server enables all users on your network to easily share a printer. The printer can be either locally attached to a parallel or USB port on your server or can be a network printer. All the server needs is some basic information: the printer name (which can be anything you want, as long as it starts with a lower-case letter and consists only of lower-case letters and numbers, with no spaces), a brief description (for example, "the printer down the hall") and the location of the printer - whether it's on the network or directly connected to your server through a parallel or USB port.

If you choose "Network printer", you will see an additional screen that will ask for the hostname or IP address and the network printer name. Enter that information where requested. For the network printer name, you can use the default setting, raw, unless you have some reason to do otherwise. (raw is the name used by most network printers for their main print queues.)


  Note:
For maximum flexibility in making changes later, we suggest that you enter the hostname for a network printer here and enter the IP address of the printer through the Hostnames and addresses panel of the server manager. This allows you to have one central location listing IP addresses and allowing you to make changes. Note that many modern network printers can be configured automatically. To do so, enter their hostname, IP address and Ethernet address in the Hostnames and addresses panel.


Note also that the server printing system does not perform any filtering and passes the print requests directly from the client computers to the printer in "raw" or "pass-through" mode. For this reason, the SME Server does not have a list of "supported printers". Most printers are supported as long as the appropriate driver is installed in the operating system on your client computers.

However, there are some newer printers that only have a Windows driver available and rely heavily on that operating system to perform their print functions. These printers cannot be used on the server. If you are concerned about whether your printer will work with your server, you can visit Red Hat's Hardware Compatibility List (http://hardware.redhat.com/hcl/) or explore the information found at LinuxPrinting.org.

As a final item, you should be aware that in order to use the printers available through your server a user must be logged in to their client system with a user name and password that is valid on the server. For instance, if a user is logged in as tturtle on their Windows desktop and that user account does not exist on the server, the user will not be able to print to the printers managed by the server. Either the user will have to logout and log back in as a valid user or the tturtle account will need to be created on the server.

Hostnames and addresses

When you installed your SME Server, you were asked to provide a name for your system. That name and several other "standard" names are automatically configured in your system's host table during the installation process. This host table is consulted as part of the name resolution process. The "Hostnames and address" web panel allows you to modify this table and specify different host "names" for each domain on your system, as well as to control how those names resolve both for systems on your local network and also for systems on the larger Internet.

For instance, when someone tries to connect to "www.mycompany.xxx", they will be taken to wherever "www" has been set to point to. As seen in the image below, this screen in the server manager allows you to view these default settings, and also to modify the configuration.

Modify Hostname

Using the Hostnames Panel

Suppose, for example, your company's web site was hosted at some other location, such as on your ISP's web servers. If you wanted "www.mycompany.xxx" to point to your ISP's server, you would modify the entry here by clicking the "Modify..." link next to "www". The image below shows the screen in which you would perform the task:


You would first change the location to "Remote" and then enter the IP address or Fully Qualified Domain Name (FQDN) of your ISP's server in the field marked "IP Address or FQDN". See Bugzilla: 6297

Rename Server

If you were to rename an SME server (eg. myserver.mydomain.com) for any reason, you would go to the server console (logged in as admin), choose "Configure the server", change the name and then reboot. However, the various parts of the server listed in server-manager (Hostnames and addresses) would still show the old name and could not be deleted. See Bugzilla: 5953

To remove old entries:

db hosts delprop myserver.mydomain.com static

To check:

db hosts show

Creating New Hostnames

Creating new hostnames simply involves selecting one of the links at the top of the Hostnames and addresses panel and filling out the appropriate fields.

Note that if your system is configured with any virtual domains, you will have the choice of the domain in which you want to create the hostname. This allows you, for instance, to have "www.tofu-dog.com" pointing to one IP address and "www.mycompany.xxx" pointing to a completely separate IP address.

The hostnames you can create on this panel fall into three categories and are available from the drop box "Location". See Bugzilla: 6297

Self: Additional names for your server: For instance, you might want to set up "intranet.mycompany.xxx" to point to your server. All you do here is enter the hostname and, if appropriate, choose the domain for the hostname.

Remote: As mentioned in the example earlier, you might want to point a hostname such as "www" to a remote system. While "www" is created by default, you can create other names such as "home", "research", or any other appropriate name. In the form, you simply enter the hostname, choose the domain, and enter the remote IP address or FQDN. See Bugzilla: 6295

Local: This screen is a bit more complicated because you have more options. At a basic level, you can create a hostname in a domain that points to another computer on your local network. To do this, just type in the hostname and enter the IP address in the "Local IP" field. For instance, you might want "research" to point to a computer system inside your network.

Where this gets complicated is when you want "research.mycompany.xxx" to be accessible both inside and outside your local network. The challenge is that your local IP addresses are only accessible inside your network. For that reason, the target computer system will need to have two network interface cards - one connected to the internal network and one connected to the external network.


  Note:
At this stage, one cannot create a Hostname under "Local" using an FQDN. However, it is possible to point to a local machine by entering the FQDN of that machine as "Remote", provided the FQDN is valid.


Reserving IP Addresses Through DHCP

Another task you can perform through this panel is to reserve an IP address for a given system based on its Ethernet address. For instance, you might have another intranet web server within your company that you want to always have the same IP address. One method of assigning that address is to manually configure the client machine to have a static IP address. The negative aspect of doing this is that if you later want to change the network settings for that machine, you must manually go and configure that machine. An example would be if one of your DNS servers changed its IP address. Additionally, you have to keep track somewhere of the fact that you have assigned a specific IP address to that machine.

Rather than configuring the machine manually, you can reserve an IP address from the DHCP server for that specific machine. This has the same result as manually configuring a static IP address, but offers two benefits. First, you have one location to keep track of all assigned static addresses. Second, the DHCP server will provide the network settings. If you wish to change those settings, the change can simply be made on your server. All DHCP clients will then receive those updated changes when they renew their DHCP-provided addresses.

To reserve an IP address, you must first determine the Ethernet address of your client system. Windows NT/2000 users can type the command

ipconfig /all

Windows 95/98 users can run the command

winipcfg

Linux/UNIX users can type

ifconfig

Once you have determined the client's Ethernet address, click on the link to create a new hostname for a local host. Add the hostname of the target system, the Ethernet address and the desired IP address into the web panel. From this point on, the specified IP address will only be provided to a client system with the matching Ethernet address.

Domains

When you create a domain using this section of the server manager, your SME Server will be able to receive e-mail and host a web site for that domain.

To create a domain, fill in the domain name and a description of the site. You then tell the server where to find the content for that domain - it can be the same as your primary web site, or you can create a new set of web pages and store them in one of your i-bays. Clicking the arrow in the "Content" field will show you a list of your current i-bays and allow you to make a selection. This feature allows you to host multiple web sites from a single server. Be aware that you can point the domain to either the primary web site or to one of the i-bays. You cannot point a domain to a subdirectory that you simply create inside of the primary web site file area. You need to use an i-bay instead.


  Note:
When you are entering the name for the domain, you should supply the fully-qualified domain name. This is the full name of the domain, including any extensions like ".com", but without any prefixes like "www" or "ftp". For instance, you can create a virtual domain by entering "tofu-bird.com", but not by entering "tofu-bird" or "www.tofu-bird.com".


Public DNS Records

Once you have created a domain, your server will be automatically configured to answer to web requests for www.domainname.xxx and will accept e-mail for your virtual domain as well.

In most cases the DNS for the server is not handled by the server but by some Internet DNS servers. So, the default is to pass DNS requests for anything but the primary domain to the Internet DNS servers.

The primary domain is resolved locally as we generate (fairly) complete DNS records for that domain, including all local hostnames.

The new settings are there to allow for various configurations:

  • Simple setup where the SME Server is a gateway, but DNS is handled by Internet DNS servers
  • Moderately complex setup where the SME Server DNS should take preference over the Internet DNS records. You need to be careful here as the external world view will not match the internal world view. That's why it is not the default.
  • Complex setup where some domains are handled by internal/corporate DNS servers and we want to choose those in preference to the Internet DNS servers. This is a conscious decision to run a split-horizon/internal fake root where the Internet and Intranet have different DNS records.

If you set a domain to "Resolve locally", the only DNS records seen will be the ones entered on the SME Server. However, since you need to set up the Internet DNS servers with the correct information anyway, why duplicate the work to enter it locally?

Note that in all cases the server will act as a DNS cache/proxy/forwarder and so all domains will actually _technically_ be "resolve locally", but the dns cache will forward them to the chosen DNS servers.


  Warning:
While the server is prepared to offer web and e-mail services for this domain, there is one more step that must occur. In order for users on the Internet to successfully connect to your machine using the domain, you will need to work with your ISP or whoever controls the DNS entries for your domain to have the appropriate DNS entries pointed to the IP address of your server. For instance, your ISP will need to configure an MX record for the domain in order for you to receive inbound e-mail to that domain.

See Appendix B. DNS for more information.


E-mail

As shown below, this section of the server manager allows you to specify the protocol used to retrieve e-mail from your ISP and configure other settings regarding the retrieval of e-mail.

There is a comprehensive email howto with alternative and advanced suggestions.

E-mail Access

  • POP and IMAP server access: The options are "Private" and "Secure Public". The former allows access only from your local network. The latter allows access from anywhere on the Internet.
  • Enable/Disable Webmail: With this option you can enable or disable the webmail component of your server. More information can be found in the Chapter on Webmail.

E-mail Filtering

Extra types of email attachments can be blocked with the instructions at Virus_blocking_tutorial

E-mail Retrieval

Your choice of e-mail retrieval mode will depend on the arrangements you made with your Internet service provider:

  • If you have a dedicated connection, set E-mail retrieval mode to "Standard". The secondary mail server setting does not operate in this mode and any attempt to set one will not be accepted. See ETRN or multidrop for use of a secondary mail server.
  • If you arranged "ETRN" support with your ISP, choose that setting and then scroll down to the field that asks for the IP address or hostname of your ISP's secondary mail server. This secondary mail server will provide temporary e-mail storage when your server is not connected to the Internet.
  • If you arranged "multidrop" mail service from your ISP, choose "multidrop" and then scroll down to the field that asks for the IP address or hostname of your ISP's secondary mail server. This secondary mail server will receive all e-mail for your domain and store it in a single POP mailbox. Further down the screen, you will need to specify the user account and password assigned by your ISP for this POP mailbox. Your server will periodically fetch this mail and distribute it to individual POP mailboxes on the server. (Note that due to problems receiving mail for mailing lists, we strongly encourage people to NOT use multi-drop e-mail.)

If you want to forward e-mail to another mail server for processing, enter the mail server IP address in the box marked Delegate mail server. A common use for this is if your server is receiving inbound e-mail from the Internet, but you would like to pass that mail to a different mail server on your internal network.


  Note:
Delegate mail server implies that all mail which is accepted is passed on to the delegate mail server (in other words, the delegate is the mail server, this server is not, so the delegate is expected to do everything, e.g. spam filtering).


If you intend to have an external mail server handle mail for your domain, just send the mail directly to that mail server, via the MX record for your domain.

If you have a dialup connection, the server allows you to control how frequently it fetches e-mail from your ISP. This is particularly useful in situations where you incur phone or Internet charges each time your system contacts your ISP. The default settings are every 15 minutes during standard office hours and every hour outside normal office hours on weekdays or on weekends. The fields allow you to customize those settings.

Finally, if you have "multidrop" mail service you need to select the sort method used by the server to decide which user each message should be delivered to. Your server has a default method for this (it examines various headers such as "To" and "Resent-To") which works in most circumstances but is not suitable for certain purposes such as mailing list messages. Some ISPs add a header to each e-mail message which can help your server determine the correct recipient. If your ISP does not add a header to multidrop e-mail, select the "Default" sort method and ignore the "select sort header" field. If your ISP does add a header to multidrop e-mail, then select "Specify below" and enter the header tag provided by your ISP. Because you will experience problems with mailing-lists when using multi-drop e-mail, we strongly recommend that you work with your ISP to have a special header added to each message. The "Default" sort method should only be used as a last resort.
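
To show why the "Default" method fails for mailing-list mail and how an ISP-supplied sort header fixes it, here is an added example that is not SME Server's own multidrop code. The header name X-Delivered-To, the domain mycompany.xxx, the three accounts and the fallback of handing unknown recipients to admin are all constructed for this example.

```python
"""Multidrop recipient selection: the "Default" and "Specify below" sort methods."""
from email import message_from_string
from email.utils import getaddresses
from typing import Optional

LOCAL_DOMAIN = "mycompany.xxx"               # constructed sample domain
LOCAL_USERS = {"admin", "tturtle", "sales"}  # constructed sample accounts
FALLBACK_USER = "admin"  # mirrors "forward e-mail to unknown users to the administrator"


def local_user(address: str) -> Optional[str]:
    """Return the account name if the address is a local mailbox, else None."""
    user, _, domain = address.strip().lower().rpartition("@")
    if domain == LOCAL_DOMAIN and user in LOCAL_USERS:
        return user
    return None


def sort_recipient(raw_message: str, sort_header: Optional[str] = None) -> str:
    """Choose the local mailbox for one message fetched from the multidrop POP box.

    sort_header=None is the panel's "Default" method (search Resent-To, To and Cc
    for a local address); a header name is the "Specify below" method using the
    tag the ISP adds to each message.
    """
    msg = message_from_string(raw_message)
    headers = [sort_header] if sort_header else ["Resent-To", "To", "Cc"]
    for name in headers:
        for _, address in getaddresses(msg.get_all(name, [])):
            user = local_user(address)
            if user:
                return user
    return FALLBACK_USER


# Constructed mailing-list message: the list address is in To, the real
# recipient only appears in the header the ISP added on delivery.
LIST_MESSAGE = """\
X-Delivered-To: tturtle@mycompany.xxx
From: list-owner@lists.example.org
To: sme-users@lists.example.org
Subject: [sme-users] Digest

Digest body.
"""

# Constructed direct message: the local address is visible in To.
DIRECT_MESSAGE = """\
From: customer@example.net
To: "Sales Desk" <Sales@MyCompany.xxx>
Subject: Quote request

Quote body.
"""

if __name__ == "__main__":
    print("list mail, Default method:      ", sort_recipient(LIST_MESSAGE))
    print("list mail, Specify below method:", sort_recipient(LIST_MESSAGE, "X-Delivered-To"))
    print("direct mail, Default method:    ", sort_recipient(DIRECT_MESSAGE))
```

With the "Default" method the list message has no local address in its visible headers and falls through to admin, while the ISP header delivers it to tturtle.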

E-mail Delivery

This screen presents you with additional options for controlling how your system handles e-mail.

  • Forwarding address for administrative notices: The default address for administrative notices (i.e. undeliverable mail, backup notifications and other status/error messages) is "admin". If you would like those messages to be sent elsewhere, enter the address here. Note: this option has been moved to the Collaboration > User > admin panel.


  Note:
Be aware that all messages sent to postmaster, root or mailer-daemon at your domain are sent to either admin or the address that you enter in this field.


  • E-mail to unknown users: This field allows you to choose whether incoming messages to unknown users are bounced back to the sender or forwarded to the system administrator. Some users prefer the latter setting because it allows them to catch and reroute e-mail that was incorrectly addressed.


  Note:
If you choose to have messages forwarded to the system administrator, they will be sent to either "admin" or the e-mail address specified in the forwarding address field mentioned above.


  • Internet provider's SMTP server: Normally the server will send outgoing messages directly to their intended destination. If, however, you have an unreliable connection or are using a residential Internet service, it may be advisable to route e-mail via your provider's SMTP server. In that case, you should enter the SMTP server's hostname or IP address here.

In fact, if you have a temporary dial-up connection to the Internet, you may find that you need to use your ISP's mail server in order to deliver mail to some locations. As a reaction to the huge volume of unsolicited commercial e-mail ("spam"), many Internet sites are refusing direct SMTP connections from IP addresses that are known to be temporary dial-up accounts. For this reason, you may need to use your ISP's mail server since it will have a permanent connection to the Internet.

Antivirus (ClamAV)

The default day for the weekly scan was Sunday morning on SME Server 8. From the SME Server 8.1 ISO (or as soon as smeserver-clamav-2.2.0-13.sme is released) the default is Saturday morning.

When set to run weekly, the ClamAV scan runs on Saturday morning (typically between 00:00 and 01:00 local time). Users with large systems may wish to schedule only a weekly AV scan (on Saturday morning) so that it does not overlap with the disk check scheduled for Sunday morning (Bugzilla:7656).

Review Configuration

This section of the server manager summarizes how your server is configured. This is the data that you entered during the installation process and possibly changed later through the server console or the server manager. As you can see from the screen below, this is essentially a report that you can print out for your records. You do not have the ability to make changes from this screen.

 

Information Bays (i-bays)

  Note:
See the SharedFolders contrib; it offers more flexibility on file permissions because it supports ACLs, and it adds some options to the server-manager panel.

Use with caution, this is not part of a default SME server install and requires additional setup and configuration changes.


 

Information bays, or i-bays, are a unique feature built into your SME Server. i-bays are a powerful, simple, flexible mechanism for creating distinct information-sharing sites. The network administrator can define several characteristics for each new i-bay they create:

  • write access: the administrator can control access to the i-bay by associating the i-bay with a group. All groups previously created in the groups section of the server manager will appear in the drop-down menu under "group" in this section. In addition, two default groups will always appear - "administrator" and "everyone" (meaning all users, whether on the local network or on the Internet).
  • user access via file-sharing or FTP: The administrator can also control who has the ability to save a file into or modify the contents of the files in the i-bay (write access) and who has the ability to view the contents of the i-bay (read access). The administrator can specify whether the entire group can write to the i-bay or whether the administrator alone has the power to save files to the i-bay. Similarly, the administrator can control whether group members only can read the contents of the i-bay or whether the contents can be read by anyone.
  • password protection: the administrator can specify whether a password is required to access an i-bay from the Internet and what that password will be.


  Note:
If you select Password Required, users who connect to the i-bay via FTP, HTTP or HTTPS will be prompted to supply that particular i-bay's username and password. The user name is always the name of the i-bay and the password is whatever the administrator assigns to that i-bay - not the individual user's password. Note that, as with user accounts, i-bay accounts are locked out by default. If a password is required, users will not be able to access the i-bay until the administrator sets the password.


i-bays are simple to create and manage. The "Information bays" section of the server manager shows all current i-bays, the name of each i-bay and a description of its contents. In this section, you can delete an i-bay (which will delete all contents of the i-bay directory) and, if the i-bay requires a password, you can set it here. As with your user account directory, any i-bay that requires a password will appear in red until that password has been changed from "default" (the i-bay for Samson's Farms in the following image is an example of this).


  Note:
When you create an i-bay, the name may be up to 12 characters long [4] and may contain only lower-case letters, numbers, periods and underscores. The i-bay name should also start with a lower-case letter. For example, johnson, sales and client3.prj8 are all valid names, while 3associates, John Smith and Bus-Partner are not. Finally, an i-bay cannot use the same name as an existing user or group account. It must be unique. Note that there are two special names, primary and public, which are in use by the system and cannot be used for an i-bay name.


[4] This 12-character restriction ensures that the i-bay can be shared correctly to all Windows machines.
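The naming rules above are easy to get wrong by hand, so here is an added example (not SME Server code) of a validator that applies them before an i-bay is created. The set of existing account names passed in is constructed for the example; on a real server you would take it from the accounts database, which is not shown here.

```python
"""Added example (not SME Server code): validate a proposed i-bay name.

Rules from the manual: 1 to 12 characters, first character a lower-case
letter, remaining characters lower-case letters, digits, '.' or '_';
not 'primary' or 'public'; not an existing user, group or i-bay name.
"""
import re
from typing import Iterable, Optional

MAX_LEN = 12                          # keeps the share name usable from Windows
RESERVED = {"primary", "public"}      # names the system uses itself
NAME_RE = re.compile(r"^[a-z][a-z0-9._]{0,11}$")


def ibay_name_error(name: str, existing: Iterable[str] = ()) -> Optional[str]:
    """Return None if name is acceptable, otherwise a human-readable reason."""
    if not name:
        return "name is empty"
    if len(name) > MAX_LEN:
        return f"name is longer than {MAX_LEN} characters"
    if not NAME_RE.fullmatch(name):
        # covers upper case, spaces, hyphens and a non-letter first character
        return "name must start with a lower-case letter and use only a-z, 0-9, '.' and '_'"
    if name in RESERVED:
        return f"'{name}' is reserved by the system"
    if name in set(existing):
        return f"'{name}' is already a user, group or i-bay name"
    return None


def is_valid_ibay_name(name: str, existing: Iterable[str] = ()) -> bool:
    """Boolean convenience wrapper around ibay_name_error."""
    return ibay_name_error(name, existing) is None


if __name__ == "__main__":
    # constructed names that already exist on the server
    accounts = {"admin", "chef", "sales", "samfarms"}
    for candidate in ("johnson", "client3.prj8", "3associates", "John Smith",
                      "Bus-Partner", "public", "sales", "averyveryverylong"):
        print(f"{candidate!r}: {ibay_name_error(candidate, accounts) or 'ok'}")
```

The length check runs before the pattern check only so that an over-long name gets a precise message; the pattern alone already enforces the 12-character limit.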

i-bay Directories

Each i-bay has three directories - html, files and cgi-bin. Each directory is briefly outlined below:

  • cgi-bin: This directory is set aside to hold "CGI scripts" used for that i-bay's web pages. CGI scripts are tools used in advanced web site creation and are not discussed here.
  • files: This directory holds files that can be accessed either locally only or publicly. It can be used for such things as a company download site, a company-wide file sharing server, or a document sharing site for a specific customer. When someone connects to the i-bay using FTP, they will see the files in this directory.
  • html: When an i-bay is accessed using a web browser (via http), the user will enter the html directory and the web browser will automatically open the index file (usually index.html or index.htm) in that i-bay. In other words, it will display the web page associated with that i-bay. This means you can have different web sites running on your server, each associated with a specific i-bay. This can be very powerful and useful, as you will see in the upcoming examples.


  Warning:
Once a user account, group account, or ibay has been created, no directory or sub-directory within an ibay may be created that duplicates one of those names.



  Tip:
Generally, you can think of the html directory as the place to put all files, images and documents that you would like to be accessible through the web. The files directory is for all files that you want people to access through FTP or regular file sharing. Note that you can have as many subdirectories as you wish underneath either html or files, but you cannot create additional directories at the top level of the i-bay.



  Note:
If an i-bay is set for no public access via web or anonymous ftp, users connecting to the i-bay through Windows or Macintosh file sharing will see only the contents of the files directory. However, if the i-bay settings are later changed to allow public access through web or anonymous ftp, users will then see the top-level directory of the i-bay with the three subdirectories of html, files and cgi-bin. The items they were used to seeing before will now be found in the files directory.


Accessing the i-bays

You can access the contents of an i-bay using a web browser, Windows file sharing (smb/cifs), or FTP.

  • accessing an i-bay using a web browser (via http or https): To view an i-bay using a browser, enter "www.yourdomain.xxx/i-bayname". For example, the URL for Samson's Farms i-bay is "www.tofu-dog.com/samfarms". Assuming you are entitled to access this i-bay, you will see the index.html page in the html directory in the Samson's Farms i-bay. If a password is required to see the contents of the i-bay, a password dialog box will appear before the contents of the i-bay are served to the web browser.
  • accessing an i-bay via Windows file sharing and smb/cifs: To access the i-bay using Windows file sharing or smb/cifs, simply navigate to the server over your network browser (in Windows, this would be via "Network Neighborhood") and select the i-bay you want to enter from those appearing. You can only access an i-bay in this way if you are on the local network.
  • accessing an i-bay via the FTP server: To access the i-bay using FTP, you use your FTP client to connect to your server and use the i-bay name as the login id. If the i-bay requires a password, you will need to enter the i-bay password as well. If you are using a command-line or graphical FTP client, you will usually be prompted for the login username and password. If you are using a web browser, you will need to enter a FTP URL. This will be in one of the following forms, depending on whether or not a password is required:
 ftp://ibayname@ftp.domainname
 ftp://ibayname:password@ftp.domainname


  Warning:
Be aware that FTP transmits user names, passwords and file contents in the clear, without encryption, and can therefore be a security risk. If you are concerned about security, consider the scp "secure copy" command (or sftp), both of which run over ssh, as an alternative to FTP.


  • Note that users accessing the i-bay via FTP in this manner are not able to upload files to the i-bay. They can only download files from the i-bay to their client.
  • It is possible to upload files using FTP, but to do so you must login to the server with a valid user name, not the i-bay name. That user account must be a member of the group that has been given write permission for the i-bay (configured on the i-bay screen). You would then change to the i-bay directory (using the ftp command "cd ../../ibays/ibayname"). You will now be able to upload files from your FTP client to the appropriate directories.

In the next few sections, we will take a look at some examples of i-bays that have been created by our hypothetical catering and event-planning company, The Pagan Vegan, to demonstrate their capabilities.

Creating an i-bay

No matter how you are going to use an i-bay, the process of creating an i-bay starts by clicking on the "Click here" link at the top of the Information Bays panel in the server manager. You will be presented with the form shown in the image below.

 

You now need to fill out the form providing the information and making the choices described below. Note that the ftp access described below can be overridden by the FTP access limits setting on the Remote access panel of the server manager. If you choose to "Disable public FTP access" there, ftp access for individual i-bays will not be allowed, even though you will appear to be able to enable it from the i-bay configuration screen.

  • Information bay name: This is the short name of the i-bay (subject to the 12-character length restriction mentioned earlier). The i-bay name will be what users will enter in the URL after the hostname to access the i-bay from the web. For instance, if public access is enabled, an i-bay named 'intranet' can be accessed by the Pagan Vegan staff at 'http://www.tofu-dog.com/intranet/'.
  • Brief description: This text will appear in various administrative screens and can be a useful reminder of the i-bay content.
  • Group: Ownership of the i-bay content is assigned to an existing group. The group ownership plays a role in the next setting for user access.
  • User access: You need to decide who will be able to add and modify content in the i-bay and who will be able to read the content.
  • Public access: Here you set what type of public access you wish to have for the i-bay. If the i-bay is just to be used by a small group of users, you can leave public access set to the default of None . If you want others to be able to access the i-bay via web or anonymous ftp, you can choose to allow access to just the local network or the wider Internet. You also can choose whether or not you wish to require a password.


  Note:
If you choose one of the modes of Public access via web or anonymous ftp that requires a password, public access will not be available until you set the i-bay password from the main information bay panel in the server manager. Once you do so, users can access the i-bay through their web browser or ftp by using the i-bay name and i-bay password, rather than their own user name and password.


  • Execution of CGI scripts: If you want to use CGI scripts to add functionality to your web site, you can execute those scripts from the cgi-bin directory of your i-bay. However, for security reasons you must first choose enabled here to allow such scripts to be executed.
  • Force secure connections: Provides an option to force https per i-bay, so that navigating to that i-bay over http automatically redirects to https. i-bays that do not have force secure connections enabled are not affected and retain the default http connection protocol.

Once done filling out the form, click the Create button and the server manager will create your i-bay. If you wish to change these settings at any later point, you can click on Modify next to the i-bay name in the information bays panel of the server manager.

Modifying an i-bay

At any point in time you can modify the attributes of an i-bay (except for its name) by clicking on the " Modify " link next to the i-bay name on the "Information bays" panel of the server manager. For instance, you can easily change the description, group ownership, and access methods. There are, however, a few items to be aware of when modifying i-bays:

  • If an i-bay is set for no public access via web or anonymous ftp, users connecting to the i-bay through Windows or Macintosh file sharing will see only the contents of the files directory. However, if the i-bay settings are later changed to allow public access through web or anonymous ftp, users connecting through file sharing will then see the top-level directory of the i-bay with the three subdirectories of html, files and cgi-bin. The items they were used to seeing before will now be found in the files directory. This may disrupt Windows shortcuts and configuration settings. (The good news is that simply changing the public access setting back to "None" will return i-bay file sharing access to its previous configuration.)
  • After an i-bay is modified, all Macintosh users will be disconnected from the i-bay and will need to reconnect. All Macintosh users will receive an alert stating that they will be disconnected in 5 minutes.

Outside of those concerns, you can modify the i-bay as often as you wish. If you wish to change the actual name of the i-bay, you will need to remove the i-bay and create it again. (Note that this will delete the contents of the i-bay, so make sure you have backed up the i-bay data before you remove it.)

An i-bay Used as a Customer Site: The Miles Gabriel Art Exposition

"The Pagan Vegan" (TPV) has found that customers like having access to a customized web page which summarizes all of the information pertaining to their particular event. The company finds it reduces the risk of miscommunication and improves its image and reputation. The ".html" files in the i-bay's html directory are based on a template that TPV uses for each customer. Creating each web site is a straightforward, fill-in-the-blanks process.

 

TPV has chosen a naming convention for i-bays that customers can easily remember - first initial, last name. Because it contains important customer information, only the site administrator can save files into this i-bay. To prevent others from accessing the customer's i-bay, a password is required to enter the site. (TPV created individual passwords and securely provided them to their customers.)

 

Miles Gabriel has contacted The Pagan Vegan to cater an art exposition. The Pagan Vegan has created an i-bay specifically for Mr. Gabriel's account called "mgabriel". Mr. Gabriel accesses the site with the URL www.tofu-dog.com/mgabriel . As you can see, Mr. Gabriel has access to a summary of his event information. He can check at any time to ensure the arrangements are correct. For example, at midnight tonight he can access his i-bay to show his spouse the design used for his invitations!

An i-bay Used as a Shared Network Drive

Having a shared network drive can be very helpful as a way of storing and sharing documents company-wide. TPV uses an i-bay for a company-wide network drive to hold documents to which all employees should have access. All employees can read and write files to this directory. The i-bay is accessed via Windows file sharing, AppleTalk or FTP. To access it using file sharing, simply access the server over the network (via Network Neighborhood) and open the appropriate i-bay. You will see the files located in the files directory and can then open them or copy them to your system.


  Note:
This is only true if the i-bay has been set to allow public access via web or anonymous ftp. If an i-bay is set for no public access via web or anonymous ftp, users connecting to the i-bay through Windows or Macintosh file sharing will simply see the contents of the files directory. However, if the i-bay settings are later changed to allow public access through web or anonymous ftp, users will then see the top-level directory of the i-bay with the three subdirectories of html, files and cgi-bin. The items they were used to seeing before will now be found in the files directory.


As an example, when the staff of The Pagan Vegan go into their Network Neighborhood, they double-click on "E-smith-server" as shown in the image below:

 

They will then see a list of i-bays accessible through Windows file sharing. When they click on one of them called "sharedfiles", they see the three folders inside of the i-bay:

 

When they go inside of files, they will then see the list of documents provided there:

 

As you can see in this example, The Pagan Vegan has several files in this directory for company use. Providing a centralized location for company documents (such as expense report templates) ensures that everyone always has access to these documents and uses the most up-to-date version.

An i-bay Used as an Intranet: The Pagan Vegan "Vegemite"

The Pagan Vegan has created an i-bay for its company newsletter / intranet. The company has found this to be a good way for employees to express themselves and share information.

 

In keeping with TPV's culture, the newsletter is very casual. The company has a high degree of trust in its employees, and, as a result, employees are given full access to the contents of the intranet so anyone on staff can revise it. A more typical company might want the intranet to be created by a particular staff member and "checked in" by the administrator (write access "administrator only"). The intranet is, of course, viewable only from the internal network. No password is required. To access the intranet, TPV employees use their web browsers to access the URL www.tofu-dog.com/intranet/filename.htm.

 

This particular newsletter was created using a desktop office application called LibreOffice (similar to Microsoft Office). The files were created as typical word processing documents, saved into ".html" format and then transferred into the html directory of the "intranet" i-bay using Windows file sharing. Starting with just a blank document, it took only about an hour to create the main page and the other pages that make up this newsletter.

An i-bay Used to Expedite Processes: Samson's Farms

Samson's Organic Farms delivers fresh produce to The Pagan Vegan every week. Samson's and TPV use an i-bay to improve the ordering and delivery process. TPV has created an i-bay for Samson's called "samfarms". It is accessible to the external Internet but password-protected so that only staff at TPV and Samson's Farms can read it. Anyone on TPV's local network can write to it.

 

Here's how the process works:

  • Each week, Mr. Samson updates his online order sheet to include only produce that will be ripe and ready for the next delivery date. He saves it in ".html" format and e-mails it to The Pagan Vegan's administrator.
  • Upon receiving the e-mail, TPV's administrator saves the file directly into the html directory of the "samfarms" i-bay.
  • The chef accesses the samfarms i-bay, reviews what produce will be available, and plans menus.
  • The chef's assistant then reviews the menus, checks against existing inventory and determines what should be ordered. The assistant enters TPV's order directly onto the order sheet in the samfarms i-bay using an HTML editor.
  • The day before delivery, the chef reviews his assistant's order (as shown in the image below) using a web browser and makes any last minute adjustments.

 

  • On the day of delivery, Samson's shipping staff accesses the i-bay over the Internet, prints out TPV's order from the samfarms i-bay, and fills it.

An i-bay Used as Your Customer Download Site

When customers hire The Pagan Vegan to plan events, they need to review a great deal of information - menu options, catalogues from various vendors for event stationery, table-setting rentals, etc. Often customers want several days to review it all. TPV has only a limited number of catalogues for loan, so it decided to provide customers with access to this information online. To accomplish this, TPV created a download i-bay, called "menus", where customers can download the catalogue files themselves and view the contents on their desktop machines.

 

TPV set the i-bay for Administrator-only write access, viewable over the entire Internet, with no password required. A customer accesses the site using the FTP client in their web browser to login as the i-bay user name by entering the URL ftp://menus@ftp.tofu-dog.com . This is what the customer sees:

 

When the cursor is placed over a file name, the full name of the file appears. To download a particular file, the customer simply clicks on the file name. A browser window allows the customer to select a destination directory for the file on his or her local hard drive.

SME Manual Appendix

The following Appendix pages are included for your information.

Appendix A. Introduction to the Ethernet Local Area Network (LAN)

A local area network (LAN) is the system of wires and other hardware that connects the computers within your office and allows them to communicate with one another. An ethernet LAN is the most common type. Ethernet refers both to a kind of connection and to a protocol for how Internet data packets travel around your network.

The hub, a common component of an ethernet, serves as a point of interface between computers on the network. Each computer on your network is connected to the hub using an ethernet network cable. Different hubs operate at different speeds: slower hubs, operating at 100 Mb/sec, are suitable for small networks; faster hubs, operating at 1 Gb/sec, are suitable for larger networks. Switching 100Mb/1 Gb hubs can operate at either speed, and provide a good way to upgrade your network gradually.

An ethernet adapter, also called an ethernet card or network interface card (NIC), connects each computer to the ethernet LAN. A server with a dedicated Internet connection requires two ethernet adapters; one connects it to your LAN and the other connects it to the external network that leads to your ISP. If your server connects to your ISP using a modem or ISDN adapter, it only requires one ethernet adapter. A router ensures that Internet data packets (e.g. e-mail, web page information, etc.) reach the appropriate computers on your network. Routing is one of the functions performed by the server in server and gateway mode.

Allowing a third party, such as a systems integrator or networking company, to install your ethernet can be a good idea. It can help you select, procure and install the appropriate ethernet adapters, hub and cables. There are also various how-to guides available in bookstores if you are committed to installing it on your own.

Appendix B. DNS

DNS or the Domain Name Service is a distributed system of servers designed to translate human-readable names into computer routable IP addresses.

DNS Basics

SME, by design, does not respond to DNS queries from outside your local network, and cannot be used as a public DNS server for anyone outside your location.

If you want your SME server to be available to users outside your office using a name instead of your IP address, you MUST:

  • Register your domain name with a Registrar
  • Configure your host names on a publicly accessible DNS Server

Note: you can avoid registering your domain name if you use a dynamic DNS service (see Dynamic DNS Services below).

Imagine the following scenario:

Root_DNS
 |     Registrar
 |    /   DNS Server
 |   /   /            Other_DNS
 |  |   /            /
 Internet---Other_ISP---Remote_User
     |
 Your_ISP---Your_ISPs_DNS
     |
    SME
     |
 Local_User


Let's assume that

  • SME has IP Address a.b.c.d
  • SME has domain name mysmeserver.com
  • Remote_User is configured to use Other_DNS for DNS lookups

If Remote_User tries to browse to http://mysmeserver.com, his computer asks Other_DNS how to find 'mysmeserver.com'. Other_DNS server then

  • asks the Root_DNS servers who holds the top-level zone ('.com') that 'mysmeserver.com' is registered in (shown as Registrar in the picture above; strictly it is the registry's name servers, into which your Registrar publishes your delegation)
  • asks that server for the DNS_Server that will answer queries about 'mysmeserver.com'
  • asks the DNS_Server for the IP address of 'mysmeserver.com'
  • saves the answer in its local cache for the amount of time specified by the administrator of the DNS record at DNS_Server.

If, on the other hand, Remote_User asks for information about your IP address (a.b.c.d), his DNS server

  • asks the Root_DNS servers where d.c.b.a.in-addr.arpa is registered.
  • asks the Registrar where to get more info about d.c.b.a.in-addr.arpa. This is probably but not necessarily Your_ISPs_DNS.
  • asks the host indicated by the Registrar (probably Your_ISPs_DNS) what name belongs to 'd.c.b.a.in-addr.arpa'. The return value is almost always a generic filler based on your IP address unless you contact your ISP and ask them to change the PTR data for your IP address.

Basically, PTR records are managed by the organization that controls the IP address (which makes sense, if you think about it).

If Local_User tries to open http://mysmeserver.com (assuming a default SME installation with DHCP and therefore DNS provided by the SME server):

  • If mysmeserver.com is configured for Local resolution, the SME server returns the data that has been configured locally.
  • If mysmeserver.com is configured to use Internet DNS Servers, the SME proceeds just as the first example from Root_DNS to Registrar to DNS_Server to local cache (actually, it checks the local cache first...)


So, for you to host a public web server at your own location you need:

  • An ISP to provide connectivity
  • A DNS Registrar where you can 'register' your domain name and publish the addresses of your DNS servers.
  • A DNS service provider who will respond to queries about your domain

Some ISP's provide registration and DNS hosting capabilities as part of the connectivity package.

Some ISP's provide DNS hosting but not Registration as part of the connectivity package.

Some Registrars provide DNS hosting as part of the registration.

Sometimes you will need 3 separate vendors for these separate services.

If you have already registered your domain name, find out if your Registrar provides DNS hosting services, and if so, how to configure them. They'll provide you with a web address where you can configure your DNS.

If they do NOT provide DNS hosting services, your ISP might. Ask them. If so, configure your DNS on their servers, then edit the Registrar page to point to the DNS servers indicated by your ISP.

If neither your Registrar nor your ISP provides DNS hosting, you'll need to find a 3rd party vendor to do this. See #DNS_Service_Providers below.

If you have not yet registered your domain name, try to find a Registrar who provides free DNS services.

PTR Records

PTR Records (or Pointer records, or Reverse DNS records) are used by internet hosts to convert an IP address into a name - sometimes for information only, sometimes for identity verification.

PTR records are constructed by reversing your IP address and appending the special suffix 'in-addr.arpa'. For example, the PTR record for a.b.c.d is d.c.b.a.in-addr.arpa.

A DNS lookup for a PTR record looks just like a DNS lookup for a domain name at this point - Root_DNS, Registrar, DNS_Server, except that the return value will be a host name instead of an IP address.

With very few exceptions all PTR records are registered to the ISP that controls the IP block in question, so frequently the ONLY way to change your PTR records is to contact your ISP and request that they be changed.

PTR records are only rarely used for their original purpose of verifying the identity of a particular computer; that is now done with TLS certificates issued by certificate authorities.

The PTR record for your SME Server only becomes important if you plan to deliver e-mail directly from your SME Server to recipient mail servers (without using your ISP's mail server as a relay). Some e-mail providers will not accept your mail unless the name returned by the reverse lookup of your IP address itself resolves back to that same IP address (forward-confirmed reverse DNS). The name does not need to match your configured domain name, but the lookup has to work in both directions.

For example, if a reverse lookup of your IP (nslookup a.b.c.d, or dig -x a.b.c.d) returns dsl-a-b-c-d.mycity.myispsname.com, then before trying to send e-mail directly from your SME Server to the Internet at large you want to make sure that nslookup dsl-a-b-c-d.mycity.myispsname.com returns your a.b.c.d and not an error or some other address.
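The check described above, as an added example (not SME Server code): it builds the in-addr.arpa (or ip6.arpa) name for the IP, fetches its PTR records, and passes only if one of those names resolves forward to the same IP. The resolver is an in-memory table of constructed records so the script runs offline; on a real system you would replace the lookup function with DNS queries (for instance with dnspython, an assumption not shown here). All addresses and host names are invented.

```python
"""Added example (not SME Server code): forward-confirmed reverse DNS (FCrDNS)
as applied by receiving mail servers to the IP that connects to them."""
import ipaddress
from typing import Callable, Dict, List, Tuple

# record type -> owner name -> values; constructed sample data only
FAKE_DNS: Dict[str, Dict[str, List[str]]] = {
    "PTR": {
        "4.3.2.1.in-addr.arpa.": ["dsl-1-2-3-4.mycity.myispsname.com."],
        "5.3.2.1.in-addr.arpa.": ["mail.tofu-dog.com."],
        "6.3.2.1.in-addr.arpa.": ["host6.example.net."],
    },
    "A": {
        "dsl-1-2-3-4.mycity.myispsname.com.": ["1.2.3.4"],
        "mail.tofu-dog.com.": ["1.2.3.5"],
        "host6.example.net.": ["9.9.9.9"],     # forward does not point back
    },
}

Resolver = Callable[[str, str], List[str]]


def fake_lookup(rtype: str, name: str) -> List[str]:
    """Stand-in for a DNS query; an empty list means NXDOMAIN or no data."""
    return FAKE_DNS.get(rtype, {}).get(name, [])


def reverse_name(ip: str) -> str:
    """Owner name for the PTR query: reversed octets plus in-addr.arpa
    (or nibble-reversed plus ip6.arpa for IPv6), as described in the text."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def fcrdns(ip: str, lookup: Resolver = fake_lookup) -> Tuple[bool, str]:
    """Return (ok, explanation). Passes only if the IP has a PTR record and
    at least one name it points to resolves (A or AAAA) back to that IP."""
    ptr_names = lookup("PTR", reverse_name(ip))
    if not ptr_names:
        return False, f"{ip} has no PTR record ({reverse_name(ip)})"
    addr = ipaddress.ip_address(ip)
    rtype = "AAAA" if addr.version == 6 else "A"
    for name in ptr_names:
        forward = lookup(rtype, name)
        if any(ipaddress.ip_address(a) == addr for a in forward):
            return True, f"{ip} -> {name} -> {ip}"
    return False, (f"{ip} -> {ptr_names} but none of those names "
                   f"resolve back to {ip}")


if __name__ == "__main__":
    for ip in ("1.2.3.4", "1.2.3.5", "1.2.3.6", "1.2.3.7"):
        ok, why = fcrdns(ip)
        print("PASS" if ok else "FAIL", why)
```

Note that 1.2.3.4 passes with the ISP's generic name: the name does not have to be in your own domain, it only has to resolve back to the IP. 1.2.3.6 fails because its PTR name points at a different address, and 1.2.3.7 fails because the ISP has published no PTR record for it at all.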


SPF Records

SPF (Sender Policy Framework) records are added to the DNS zone record for domain names. Many receiving mail servers now require sending mail servers to have properly configured SPF records for the domain(s) being sent from. Failure to have SPF records can result in mail being rejected by mail servers eg Hotmail servers will reject mail that comes from mail servers without SPF records.

The SPF entries are added to your external DNS records, which are hosted by your connectivity ISP or your DNS provider; they are not configured on the SME Server.

Different providers have different mail acceptance policies. Look for the tech support pages of the provider that is rejecting your mail, and use one of the public SPF test sites to check whether the SPF record for your domain is published and correct.
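To show what a receiving server actually does with the SPF record you publish, here is an added example (not SME Server code) of a reduced SPF evaluator. It handles the mechanisms a small site's record usually contains (ip4, ip6, a, mx, include and all) with the +, -, ~ and ? qualifiers, and deliberately omits macros, exp=, redirect=, exists and ptr. The DNS table, the domains tofu-dog.com and _spf.myispsname.com and all addresses are constructed so the script runs offline; in production the lookup function would issue real DNS queries, which is an assumption here.

```python
"""Added example (not SME Server code): a reduced SPF check of "is IP x
allowed to send mail for domain d?" against an in-memory DNS table."""
import ipaddress
from typing import Dict, List, Optional

FAKE_DNS: Dict[str, Dict[str, List[str]]] = {     # constructed sample data
    "TXT": {
        "tofu-dog.com": ["v=spf1 mx a:mail.tofu-dog.com include:_spf.myispsname.com -all"],
        "_spf.myispsname.com": ["v=spf1 ip4:198.51.100.0/24 ~all"],
        "nospf.example": ["some unrelated TXT record"],
    },
    "MX": {"tofu-dog.com": ["mail.tofu-dog.com"]},
    "A": {"mail.tofu-dog.com": ["1.2.3.5"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(rtype: str, name: str) -> List[str]:
    """Stand-in for a DNS query (assumption: replace with a real resolver)."""
    return FAKE_DNS.get(rtype, {}).get(name.rstrip(".").lower(), [])


def spf_record(domain: str) -> Optional[str]:
    """Exactly one v=spf1 TXT record is valid; none or several yields None."""
    recs = [t for t in lookup("TXT", domain) if t.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None


def _ip_in(addr, targets: List[str], cidr: str) -> bool:
    """True if addr falls in any target address, widened by an optional /cidr."""
    return any(addr in ipaddress.ip_network(f"{t}{cidr}", strict=False)
               for t in targets)


def check_spf(ip: str, domain: str, depth: int = 0) -> str:
    """Return pass/fail/softfail/neutral/none/permerror for ip sending as domain."""
    if depth > 10:                        # RFC 7208 limits chained lookups
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    rtype = "AAAA" if addr.version == 6 else "A"
    for term in record.split()[1:]:       # skip the "v=spf1" tag
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        cidr = ""
        if "/" in arg:                    # e.g. ip4:198.51.100.0/24, a:host/24
            arg, _, bits = arg.partition("/")
            cidr = "/" + bits
        elif "/" in mech:                 # e.g. a/24, mx/24
            mech, _, bits = mech.partition("/")
            cidr = "/" + bits
        mech, target = mech.lower(), (arg or domain)
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            want = 4 if mech == "ip4" else 6
            matched = addr.version == want and addr in ipaddress.ip_network(
                arg + cidr, strict=False)
        elif mech == "a":
            matched = _ip_in(addr, lookup(rtype, target), cidr)
        elif mech == "mx":
            hosts = [h for mx in lookup("MX", target) for h in lookup(rtype, mx)]
            matched = _ip_in(addr, hosts, cidr)
        elif mech == "include":
            matched = check_spf(ip, target, depth + 1) == "pass"
        else:
            return "permerror"            # unsupported or malformed mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                      # nothing matched and no 'all' term


if __name__ == "__main__":
    for sender in ("1.2.3.5", "198.51.100.7", "203.0.113.9"):
        print(sender, "as tofu-dog.com:", check_spf(sender, "tofu-dog.com"))
    print("203.0.113.9 as nospf.example:", check_spf("203.0.113.9", "nospf.example"))
```

In the constructed data, the SME Server's own address 1.2.3.5 passes through the mx mechanism, an address in the ISP's relay range passes through the include, and an unrelated address reaches -all and fails; a domain with no v=spf1 record returns "none", which is the state the text warns will get mail rejected by some providers.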


References:

http://forums.contribs.org/index.php/topic,21631.0.html

http://forums.contribs.org/index.php/topic,31726.0.html

http://forums.contribs.org/index.php/topic,34664.0.html

http://forums.contribs.org/index.php/topic,40009.0.html

http://forums.contribs.org/index.php/topic,42373.0.html

Dynamic DNS Services

If your IP address is assigned dynamically, you may find it helpful to use a dynamic DNS service. A dynamic DNS service provides you with an automated way to notify them whenever your IP address changes so that they can immediately publish new DNS records for your domain. Without dynamic DNS, you would have to contact your ISP to have them change your DNS records, and your web site and other services would be unavailable for several days until the change was processed. You can easily enable the use of a dynamic DNS service by selecting it on your server console.


  Warning:
Pre-configured Dynamic DNS Service is no longer integrated into SME Server core functionality due to its rapidly changing providers. If you need this service, please refer to the "smeserver-dyndns" contrib.



If your IP address is assigned dynamically and you intend to receive all your e-mail directly (rather than having it stored at an ISP and retrieving it via POP or IMAP), but you decide not to use a dynamic DNS service, you should implement multidrop e-mail as your e-mail solution, as this will ensure that no e-mail is misdirected to another IP address (see "Some important notes on Service list D (multidrop mail)" in Chapter 3).


  Note:
Dynamic DNS services are not perfect. They merely point hostnames to IP addresses. If your system receives an IP address via DHCP or PPPoE, it will automatically update the dynamic DNS service each time it comes online. However, when your server disconnects from the Internet, with most dynamic DNS services your server does not indicate that it is offline in any way to the dynamic DNS service. If your system is offline for a period of time, it is possible that someone else will be assigned your IP address by your ISP. If this occurs, with most dynamic DNS services this other system will now start receiving your e-mail and web page requests until your server comes back online and updates the service with your new IP address. There is not much you can do about this, but you should be aware of this fact if there is any chance your system will be offline for a long period of time.



  Note:
If your IP address, whether dynamically allocated or fixed, lies within a DSL block assigned to a provider of home connectivity services, it may very well be blocked by mainline ISPs, so that you are not able to send email from it. The solution is to use a smarthost, provided by your connectivity provider, to relay your email; check their documentation. The smarthost settings can be configured in the Server Manager email settings. As noted, this issue applies to both fixed and dynamic IP addresses.


DNS Service Providers

Here is a brief list of vendors who provide DNS service hosting. The inclusion of a vendor here does not constitute endorsement by the SME developers.

Appendix C. Proxy Servers

The server comes with a proxy server called Squid which can proxy the web (HTTP), FTP and Gopher protocols. Proxy servers temporarily store information from the Internet on the hard drive of the server, allowing other users to access it directly from that hard drive. For example, when an employee visits a web page, the web proxy server will store that web page. Subsequent visitors to that web page will read it from your proxy server's hard drive, rather than over the Internet. This slightly reduces the network performance for the first visitor to that web page, but can enhance the performance for subsequent visitors.

Many gateway systems require the use of proxy servers, but with the server it is optional. Networked applications such as web browsers will work perfectly without proxying, due to the IP masquerading capability of the server.

In general, we recommend that proxying be disabled in your network applications. Using the proxy server can benefit the organization if you have a slow Internet connection and you've installed your server software on a fast computer. In this case, reading from the hard drive will be faster than reading from the Internet. Remember, though, that a proxy server benefits the second and subsequent visitors to a site but not the first visitor, so this benefit only applies if your users tend to visit the same sites repeatedly.

A proxy server is generally not appropriate if you have a fast Internet connection and you've installed your server software on a lower- or mid-level computer. In this case, reading from the hard drive of the computer may not be faster than over the Internet. It also offers no benefit to your organization if employees at your site do not tend to visit the same web pages.

Appendix D. Technical Support

If you are having difficulty configuring another vendor's hardware or software, we recommend you refer to the manual or contact the vendor for that product.

The SME Server is open source software; Koozali.org encourages users to freely share copies of our software.

Developers may wish to note that additional documentation, including HOWTO documents and a FAQ, can be found on our development web site - http://wiki.koozali.org/. There are also links there to other web sites relating to the server.

Glossary

Below are some useful terms and their brief definitions. For more information refer to the many sites on the Internet offering fuller explanations.


ADSL and ADSL2 (or 'DSL')

Asymmetric Digital Subscriber Line. ADSL is a technology to transmit digital information at high bandwidths across existing copper phone lines. Download speeds are typically much faster than upload speeds (hence the term "asymmetric").

Domain Name

This refers to the unique name attached to your organization on the Internet. For example, "tofu-dog.com" or "contribs.org". If you don't have a domain name, your ISP can help you select one, ensure it is available, and register it.

DNS

Domain Name Service. Refers to the software and protocols involved in translating domain names to IP addresses. Your server provides DNS lookup services for your local network, and your ISP typically also provides you with the IP addresses of DNS servers. These servers do not need to be configured into your server, as the DNS server provided with your server will correctly resolve all local and Internet names.

ETRN

ETRN is a command used for dialup solutions in order to retrieve e-mail temporarily stored at your ISP.

Gateway IP Address

A gateway is the device on your network that forwards packets to and from the Internet. The gateway IP address is the IP address for that device.

i-bay

Information Bay. A mechanism for creating intranets, extranets, shared directories and other resources.

ISDN

Integrated Services Digital Network. Digital modem line. Provides higher speeds than K56/V90. Single channel ISDN provides speeds of 56K to 64K. Dual channel ISDN provides speeds of 110K to 128K. Now mostly replaced with versions of DSL.

ISO

1. International Organization for Standardization. Relevant link: http://www.iso.org - ISO Home Page
2. ISO followed by a number is used to identify one of the published ISO standards. Relevant link: http://www.standardsglossary.com - ISO Standards Glossary, which lists all the international standards published by ISO and provides a quick reference for looking up the topic of an ISO standard.
3. A file containing a complete release of SME Server that is downloaded and burned to CD. The CD is then used to install the SME Server operating system.

ISP

Internet Service Provider

LDAP

Lightweight Directory Access Protocol

PPTP (see VPN)

Point-to-Point Tunneling Protocol
Warning: PPTP is completely insecure, deprecated and should be avoided.

RAID1

Disk mirroring

SCSI

Small Computer Systems Interface

SME

Small and Medium Enterprise

SSH

Secure shell. A secure, encrypted way to log in to a remote machine across a network, or to copy files from a local machine to a server. It also supports secure file transfer via SFTP or SCP.

VDSL and VDSL2

Very high-speed Digital Subscriber Line. VDSL can provide up to 52 Mbit/s down and 16 Mbit/s up. VDSL2 can reach rates up to 300+ Mbit/s downstream and upstream.

VPN

Virtual Private Network. The currently directly supported protocol is OpenVPN. IPsec/xl2tpd are available as contribs. Userspace WireGuard support is coming soon; WireGuard is now part of the Linux kernel.