SME Server:10.1

From SME Server
Revision as of 08:36, 14 September 2022 by Trex (talk | contribs) (Add extra warning re 2.4 syntax)


Koozali SME Server 10.1 Release Notes "Justine"

The Koozali SME Server development team is pleased to announce the release of SME Server 10.1, which will be the next major release of SME Server, code named "Justine".

This release is based on CentOS 7. CentOS 7.# has an EOL of 30 June 2024.


Note:
Koozali SME Server users should upgrade production servers to this release.





Warning:
Contrib users: please ensure you are aware of the changes that updating to httpd 2.4 syntax brings and the impact they may have on your contribs; see Known Issues.


Some notes on Koozali SME Server 10 can be found at https://wiki.contribs.org/SME_Server_10.0_Development

SME10 Roadmap https://wiki.contribs.org/SME10_Roadmap

Bug reports and reports of potential bugs should be raised in the bug tracker (and only there, please):

     https://bugs.koozali.org/

Release notes for Koozali SME Server 10.1 can be found here https://lists.contribs.org/pipermail/updatesannounce/2022-September/000479.html

Koozali Foundation Inc.


The Koozali SME Server project

The Koozali Foundation Inc. is a nonprofit corporation that governs the open source Koozali SME Server project. Koozali SME Server is a stable, secure and easy to use/manage Linux server that provides common server functionalities out of the box. Many open source contributions are available that can extend the default server functionality, making Koozali SME Server an even more powerful and flexible business server solution. Thousands of Koozali SME Servers have been deployed as real or virtual servers and in the cloud to serve many small to medium enterprises, and this number is growing day by day. The Koozali SME Server is free to use but it takes a lot of effort and money to develop, make, and maintain. We therefore ask you for your consideration.

Volunteering

Koozali Foundation Inc. together with its community hosted at https://contribs.org is a collaborative effort of volunteers. You too can contribute to the development and continuity of the Koozali SME Server project as described on our volunteering page. Everybody is welcome to join the already 4000+ member contribs.org community and can contribute with any skill set.

Financial donations

You can also show your support by making financial donations. The preferred way to make financial donations is using the donate option in the forums. You are free to choose any amount and frequency, being monthly, yearly or only once. The benefit of donating through your forums account is that your forum user name will receive a badge, showing your donation status. If you do not have a forum account, you can create one, or select the below PayPal option to make your donations.

Commercial usage

Organizations that use Koozali SME Server for their business, provide professional services related to SME Server or in any other way benefit commercially from the Koozali SME Server project, are kindly requested to consider regular financial donations that reflect their business benefits.

Koozali Foundation Inc. is happy to supply an invoice for any donations received. For more information on invoicing please send a mail to treasurer@koozali.org.

Thank you for your considerations and support!

Download

Koozali SME Server : STABLE releases
Version: SME Server 10.1 (Release notes, Addendum), EOL June 30th, 2024
DVD ISO: x86_64 (checksums: MD5, SHA1)
Netinstall ISO: x86_64 (checksums: MD5, SHA1)

Direct link to the Koozali SME Server mirrors and how to become a mirror.

SME Server requires a DVD/CD, a USB Stick/Disk can also be used.

The Koozali Foundation Inc. would like to thank all of our sponsors and partners.


About SME Server

SME Server is the leading Linux distribution for small and medium enterprises. SME Server is brought to you by Koozali Foundation, Inc., a non-profit corporation that exists to provide marketing and legal support for SME Server.

SME Server is freely available under the GNU General Public License and is only possible through the efforts of the SME Server community.

However, the availability and quality of SME Server is dependent on meeting our expenses, such as hosting costs, server hardware, etc.

As such, we ask for a donation to offset costs and fund further development.

a) If you are a school, a church, a non-profit organisation or an individual using SME Server for private purposes, we would appreciate you to contribute within your means toward the costs associated with hosting, maintenance and development.

b) If you are a company or an integrator and you are deploying SME Server in the course of your work to generate revenue, we expect you to make a donation commensurate with the level of revenue you generate and the number of servers you have in the field. Please help the project.

Please visit https://wiki.koozali.org/Donate to donate.

Koozali Inc is happy to supply an invoice for any donations received, simply email treasurer at koozali.org

Notes

In-place upgrades are not supported. It is necessary to back up and then restore. (Remember, testing purpose only and note warnings.)

Restore of an SME9 console or workstation backup is now fully supported.

Single disk install no longer creates a degraded RAID1 array. Two or more disks will be created as a RAID1-6 array, see wiki https://wiki.contribs.org/Raid

The spare handling for RAID arrays is now implemented.

Support for further RAID configuration on install is now implemented - see wiki.

New Server-Manager Framework, Mojolicious, is now well on the way to full implementation.

USB installs are once again fully supported. Note: it is important to use the proposed apps to create the boot media. See: https://wiki.koozali.org/Install_From_USB

Netinstall is once again fully supported, and additional repos are easily added.

Install to a system supporting a UEFI BIOS is also now fully supported.

Console backup and workstation backup to removable storage are now fully supported.

Thanks

A plethora of other under the hood changes, too numerous to list

The work that has gone into getting SME 10 to this stage has been enormous, an attempt to list and detail the work that has been done in recent months would not do justice to the effort contributed by the following,

Thank you one and all:

  • Jean Phillipe Pialasse
  • Michel Begue
  • Brian Read
  • Catton Durbrow
  • Chris Sansom-Ninnes
  • Jean-pierre Odion
  • Zsolt Vasarhelyi
  • John Crisp
  • Terry Fage

There have also been many others who have done what they can, thank you.

The changes that have been implemented to ensure the Koozali SME Server way is fully implemented have been far reaching, far too many to try and list; suffice to say long live "Justine".

Installing

Hardware requirements

Installation procedure

https://wiki.centos.org/AdditionalResources/HardwareList
https://access.redhat.com/documentation/en_us/red_hat_enterprise_linux/7/html/installation_guide/sect-installation-planning-hardware-compatibility-x86

Upgrading

Note:
In-place upgrades from SME 9.# to SME 10.x using yum or CD are not supported due to design constraints imposed by CentOS.

It is necessary to backup the old server & then restore to the new server. Contribs will need to be reinstalled.


The simplest way to do this is via a Console Backup to an attached USB disk on the old server (or, if using a virtual machine where USB is not available, you can try adding a virtual drive as SATA). Alternatively use one of the Backup & Restore options available in the server manager panel, i.e. backup to desktop or backup to workstation (either to attached USB or network share). Other non-standard options exist to back up virtual servers that do not have USB ports etc. & restore to similar virtual systems, e.g. using ssh. If you have a lot of contribs with files to back up that are not in the standard backup, you can give Migratehelper a try.


Tip:
The Restore from USB on first boot function (on a newly installed SME 10 server), will only utilise backups that are saved as smeserver.tgz files, which are the Console backup to USB or the server manager backup to Desktop. The server manager backup to Workstation (either to USB or network share) creates a "backupdate.dar" type filename (or multiple split parts) & cannot be used to restore using the Restore on first boot function, it can only be used for restores from server manager.



Tip:
After a Restore to new hardware, networking may not be functional. This is caused by the restored NIC settings being incorrect for the NIC's in the new hardware. To fix this, login as admin & from the console menu select Configure this server. Step through the screens & choose the new hardware network card (NIC) drivers, & leave other settings unchanged.


Upgrade via Console backup to USB drive

  • Log in as admin & Backup the old server via a Console Backup to attached USB disk. This may take many hours if you have a lot of data on your server, depending on USB port speed, USB drive speed, & types of files being backed up ie whether already compressed or not etc. Typically for 250Gb of data on your server hard drive, 2 to 4 hours.
  • Install the SME 10.x OS from CD on the new hardware (on new server).
  • Select to do a Restore on first boot of the newly installed SME Server 10. Only attach USB containing the backup file, when asked on first reboot. Restore may take a few hours depending on data size etc. Make sure you wait for the Restore complete message.
  • If necessary use the console to adjust some parameters, e.g. network cards and network address. This will be needed particularly if you have the old SME9 still running at the same IP, or simply if you install on new hardware, to make your restored configuration aware of this new hardware.
  • A reboot is necessary after the restore, even if you did not alter the configuration, to have all services running as planned, failure to do so will leave you with only standard services running.


Tip:
You can dismiss the restore from USB on initial boot and access it later from the console, as long as you do not create a new group on your freshly installed SME10.x.


Upgrade via server manager backup to Desktop or Workstation (USB or network)

  • On the old server in server manager, configure the required backup in the Backup or Restore panel. Schedule the backup to run at a suitable time. This backup can be to a workstation desktop for systems with a smaller amount of data, which creates a smeserver.tgz backup file, or to a locally connected USB drive or to a network share, & creates xx...xx.dar files, split into multiple parts if configured & data size is large. This may take many hours to run depending on data size etc.
  • On the new SME10 server, manually configure the identical backup job in the server manager Backup or Restore panel. The backup job MUST point to the exact same location that the original backup file is saved to.
  • Select the Restore function within server manager & select the full backup you want to restore from. This may take many hours to run depending on data size, network speed etc. Make sure you wait for the Restore complete message.
  • Basic networking configuration of the new and/or restored SME10 server will be required if different from original server.

Upgrade using command line restore via ssh or USB

  • It is possible to use the command line to transfer a backup file via ssh (or USB) to the new server & then to run the restore. Standard & non standard backup concepts & procedures are outlined in the Backup server config Howto, http://wiki.contribs.org/Backup_server_config If using any non standard method, then the integrity of your SME server data cannot be guaranteed.
  • To do a standard backup & restore using CLI, on the old server log in as admin & perform the Console Backup to USB drive (to a locally connected USB). Alternatively using suitable commands, a smeserver.tgz backup file could be created & saved to / folder, refer Howto.
  • Install the SME 10.x OS from CD on the new hardware (on new server).
  • Answer No when asked if you want to restore from USB during the first boot.


  • If you created or have the backup file on the old server, transfer the smeserver.tgz backup file via ssh from your old server to your new server. Both servers must be connected & remote access enabled
  • On the old server do:
scp -P zzzz /smeserver.tgz newserverIP:/

(where zzzz = port number)


  • If you saved the backup file to USB, then transfer the smeserver.tgz backup file from USB to your new server
  • Log in as root or a root user on the new server & do:
mount /media/usbdisk
cp /media/usbdisk/Backup-date-folder/smeserver.tgz /

(replace usbdisk with actual mount point name & Backup-date-folder with actual folder date name)

  • After the backup file has been copied to the new server, on the new server do:
cd /
signal-event pre-restore
tar -C / -xzvf smeserver.tgz
/sbin/e-smith/signal-event post-upgrade
/sbin/e-smith/signal-event reboot
  • Before restarting the new server, disconnect old server from network (as you will have clashes due to duplicate IPs)
  • On new server do:
cd /
rm smeserver.tgz
  • Note the backup & restore may take many hours to complete depending on data size etc.
  • After restore, the Configuration of the new server should be identical to the old server.
  • Note with two servers connected during ssh copying operations, basic networking configuration of the new unrestored SME9 server will need to be temporarily different to the old server to avoid clashes

Reinstall Contribs after restore

Add on contrib rpm packages will need to be re-installed on the new SME 9.x server as these are NOT included in the backup. Contrib data & configuration is included in backups & will be restored, but its usefulness will depend on the contrib design being unchanged between older (SME7/el4 or SME8/el5) & SME9/el6 package versions.

Delete & Reconfigure Manual tweaks

Other manual tweaks eg custom templates or scripts, will need to be deleted & recreated in line with SME 10.x template code & base code.

Where extensive modifications have been made to the "old server (eg SME9.2)", it is recommended to carry out a test backup & restore upgrade first, to discover any problems & ascertain suitable fixes & workarounds. Removing contribs & custom templates before upgrading is recommended.

Known issues upgrade from SME9

I can not ssh/rsync/scp/sshfs from my SME9 to SME10 to migrate

The reason is that we enforce only stronger ciphers by default in /etc/ssh/ssh_config. The short way is to add a supported cipher on both systems: aes256-ctr, aes192-ctr or aes128-ctr.

[root@mySME9]#ssh root@mysme10 -c aes256-ctr
[root@mySME9]#sshfs -o Ciphers=aes256-ctr root@mysme10:/media/extra /mnt/backup/
[root@mySME9]#rsync  -e "ssh -c aes256-ctr" -av /var/spool/spamd/ root@mysme10:/var/spool/spamd/
[root@mySME9]#scp -c aes256-ctr  /etc/zabbix/zabbix_agentd.conf root@5.39.81.171:/etc/zabbix

High CPU load for ssl-param /dovecot on initial boot

A 4096-bit Diffie-Hellman parameter is being generated on first launch of dovecot, which handles IMAP and POP access. Depending on your CPU and entropy availability, this could take up to 48 hours. If you reboot, the job will restart until completion.

No access to http or server-manager

We stopped using the PHP module for Apache and switched to php-fpm. If you left any templates-custom including options related to the PHP module, please remove them and restart httpd-e-smith.

mkdir /root/httpd.conf
mv /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf /root/httpd.conf/
systemctl restart httpd-e-smith.service

You can generally debug issues with httpd by issuing the following command, which will output what is wrong in the file:

httpd -t

You can then search for the pattern the error points to, to find which fragment seems problematic:

grep -r "pattern"  /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf

I need a newer/supported version of PHP

Command line interface reports:

# php -v
PHP 5.4.16 (cli) (built: Apr  1 2020 04:07:17) 

But Apache uses php-fpm with PHP 7.4 by default. Also, please note that PHP 5.4 provided with SME 10 is still maintained by Red Hat, as they backport every security patch.

I can not access to my ibay from my windows XP

Windows XP and Windows 7 are no longer supported by Microsoft, and you are encouraged to migrate. That said, they expect the SMB1 protocol, and SME 10 uses SMB2 and SMB3. A workaround could be to allow SMB1 on the server using the correct property in the configuration, but this is at your own risk.

I can navigate to my server using its ip, but the netbios name does not work, and it does not show in my network

NetBIOS is deprecated and is part of the SMB1 protocol. You can work around that using the contrib WSDD. See https://wiki.contribs.org/Wsdd

I am not able to update - I get some el6 packages proposed to be part of the updates

Chances are you still have some old el6 (CentOS 6 / RHEL 6) repos configured. Start with this:

yum update smeserver-yum --disablerepo=* --enablerepo=smeos,smeupdates
signal-event yum-modify

If the issue remains, then check your configured repo, remove those with reference to 6.

db yum_repositories print
db yum_repositories delete repoForEL6

And install them using the extrarepositories packages https://wiki.contribs.org/Extrarepositories

db yum_repositories show

I am not able to update and yum seems to try to resolve to ip v6

You have a network connectivity issue or, most probably, a DNS issue. Start with simple tests and move to more complex ones. First you need to use a plain IP, to exclude DNS issues.

Do I have access to my ISP, or to my local gateway in case something else is doing the gateway on my LAN?

 ping your.gate.way.ip

Do I have access to the internet? Try a ping to a known IP.

# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=58 time=6.11 ms

Is DNS working?

# dig google.com +short
16.58.213.174
# dig mirror.centos.org +short
212.69.166.138

Then fix your network/DNS.

Impossible to install got error ValueError: name already in use

This is because you already have an SME 9 (most probably) installation on your disk with LVM. To avoid this, either boot in rescue mode to wipe the partition, or use the partitioning tool at screen 2 to create your own partition. Beware: auto partitioning at this stage is not the SME layout with RAID or the other options you had chosen, but the CentOS default, i.e. EFI if needed, boot and one huge LVM with all the remaining space on ALL disks included.

I do not have the default raid 1 after the server installed as I expected; I have set default partitioning in the gui

Beware: auto partitioning in the installer GUI is not the SME layout with RAID or the other options you had chosen at boot time, but the CentOS default, i.e. EFI if needed, boot and one huge LVM with all the remaining space on ALL disks included. Going into the partitioning tool will erase all previous settings chosen at boot time of the installer for SME.


Known issues updating from SME10.0

Unable to access to a specific folder in my ibay using http

We used to rely heavily on mod_compat with SME10.0 to keep the exact same access syntax as SME9 and httpd 2.2. This seemed to be an easy and simple solution, but it leads to multiple issues:

  1. A few web projects use .htaccess files that test for the presence of mod_authz_core (the httpd 2.4 auth module) and force the new syntax, leading to conflicts between the old and new syntax.
  2. Conflicts between the two syntaxes add warnings to error_log, which fail2ban interprets as an attack and which can get the client blacklisted.
  3. Conflicts between the old syntax and the new syntax can lead to unexpected behaviour: someone could get access to something they should not have, and the opposite is also possible.

We then moved all core and contribs syntax to the new mod_authz_core. We however left mod_access_compat enabled, so that if httpd still encounters old syntax in your custom templates or .htaccess files it does not fail to start and still gives you some access, but you need to check your templates-custom fragments and .htaccess files to be sure all is safe.

A good resource on how to migrate syntaxes is available here: https://httpd.apache.org/docs/2.4/upgrading.html

While the general rule is to check for the old syntax and replace it with the new one, the red alert is if one sees any "mod_access_compat.c": you need to understand the logic used and replace it carefully.

You really need to replace any occurrence this way:

<IfModule mod_access_compat.c> 

to

<IfModule !mod_authz_core.c>

In other words :

<IfModule mod_authz_core.c>
   #httpd 2.4 auth module
   Order Allow,Deny
   Deny from all
</IfModule>
<IfModule mod_access_compat.c>
    # mod compat is enabled here so this will be interpreted and lead issue
</IfModule>

should become

<IfModule mod_authz_core.c>
    # Apache 2.4
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
   # Apache 2.2 
   Order Allow,Deny
   Deny from all
</IfModule>


All occurrences not inside a <IfModule !mod_authz_core.c> </IfModule> block should be converted this way:

Order Allow,Deny => (remove the line)
Order Deny,Allow => (remove the line)
Deny from all => Require all denied
Allow from x.x.x.x => Require ip x.x.x.x
Allow from all => Require all granted
Require valid-user => Require valid-user
Require user admin => Require user admin

A more complex situation arises with Satisfy:

Satisfy ANY
Allow from 127.0.0.1
Require user admin

Satisfy ALL
Allow from 127.0.0.1
Require user admin

Any is the default with the new syntax, so you can safely remove the Satisfy ANY line, unless you have really specific needs which were not available with the old syntax. However, you can implement it explicitly this way:

<RequireAny>
  Require ip 127.0.0.1
  Require user admin
</RequireAny>

And for the ALL situation:

<RequireAll>
  Require ip 127.0.0.1
  Require user admin
</RequireAll>


Detect where something needs to be changed in my ibays

find /home/e-smith/files/ibays/ -iname .htaccess  |xargs  egrep "allow|deny|order|satisfy|mod_access_compat.c"  -i --color=auto

Detect where something needs to be changed in my templates-custom fragments

egrep "allow|deny|order|satisfy|mod_access_compat.c"  -i --color=auto -r /etc/e-smith/templates-custom/etc/httpd/conf/
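
The two egrep searches above match on keywords only, so they also report 2.2 directives that are already correctly wrapped in <IfModule !mod_authz_core.c>. The following added example (not SME Server project code) is a line-based awk audit that tracks IfModule nesting, reports only unguarded old-syntax lines plus every mod_access_compat.c test, and prints the replacement from the conversion list above. The function names audit_httpd_acl and demo_audit and the sample .htaccess are constructed for illustration.

```shell
#!/bin/sh
# Added example, not SME Server project code.
# audit_httpd_acl FILE... : report httpd 2.2 access directives that are not
# inside an <IfModule !mod_authz_core.c> guard, and any mod_access_compat.c test.
audit_httpd_acl() {
    awk '
    # Map a lower-cased 2.2 directive to the 2.4 form from the conversion list.
    function suggest(d,    arg) {
        if (d ~ /^order[ \t]/)                return "remove the line"
        if (d ~ /^deny[ \t]+from[ \t]+all$/)  return "Require all denied"
        if (d ~ /^allow[ \t]+from[ \t]+all$/) return "Require all granted"
        if (d ~ /^allow[ \t]+from[ \t]/) {
            arg = d
            sub(/^allow[ \t]+from[ \t]+/, "", arg)
            # Only a single numeric address or network maps directly to Require ip.
            if (arg ~ "^[0-9./]+$") return "Require ip " arg
        }
        if (d ~ /^satisfy[ \t]+any$/) return "remove, or wrap the Require lines in <RequireAny>"
        if (d ~ /^satisfy[ \t]+all$/) return "wrap the Require lines in <RequireAll>"
        return "review by hand"
    }
    FNR == 1 { depth = 0; guarded = 0 }          # reset nesting for each file
    {
        line = $0
        gsub(/^[ \t]+|[ \t\r]+$/, "", line)      # trim indentation and CR/LF debris
        low = tolower(line)                      # httpd directives are case-insensitive
    }
    low == "" || low ~ /^#/ { next }
    low ~ /^<ifmodule[ \t]/ {
        depth++
        guard[depth] = (low ~ /^<ifmodule[ \t]+!mod_authz_core\.c[ \t]*>/)
        guarded += guard[depth]
        if (low ~ /mod_access_compat\.c/)
            printf "%s:%d: COMPAT: %s => use <IfModule !mod_authz_core.c> and check the logic\n", FILENAME, FNR, line
        next
    }
    low ~ /^<\/ifmodule/ {
        if (depth > 0) { guarded -= guard[depth]; depth-- }
        next
    }
    (low ~ /^(order|satisfy)[ \t]/ || low ~ /^(allow|deny)[ \t]+from[ \t]/) && !guarded {
        printf "%s:%d: LEGACY: %s => %s\n", FILENAME, FNR, line, suggest(low)
    }
    ' "$@"
}

# Constructed sample input: the conflicting layout described above followed by a
# correctly guarded 2.2 block. It is not taken from a real server.
demo_audit() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/.htaccess" <<'EOF'
<IfModule mod_authz_core.c>
   Order Allow,Deny
   Deny from all
</IfModule>
<IfModule mod_access_compat.c>
   Allow from 192.0.2.10
</IfModule>
<IfModule !mod_authz_core.c>
   Order Allow,Deny
   Deny from all
</IfModule>
Satisfy Any
Require user admin
EOF
    (cd "$dir" && audit_httpd_acl .htaccess)
    rm -rf "$dir"
}

demo_audit
# On a server, pass it the files the egrep commands search, for example:
#   audit_httpd_acl /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/*
```

Template fragments can contain embedded Perl, which this check reads as plain text, so confirm the result with httpd -t after editing.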

Access to a specific folder in my ibay using http while I should not be able to access it

Please refer to SME_Server:10.1#Unable_to_access_to_a_specific_folder_in_my_ibay_using_http

Known issues using ISO installer

Raid 1

SME10 no longer handles degraded RAID1 on initial install, due to limitations with the new version of the installation software Anaconda and blivet.

My two disks ended up as a huge LVM virtual disk

This occurred with the 10.0 installer if you entered the disk utility on the second screen. This erased the default SME partitioning set at the kickstart stage and loaded the CentOS default partitioning. We worked around that, although we still suggest you do not enter this utility unless you really want to make your own specific partitioning. If you do hit the autopartitioning utility, you will now end up with all available disks inside an LVM volume, but at least no /home partition is created.

Installer crashes on first GUI screen

This could occur with some specific network settings (DHCP or not, slow access) on virtual machines. Try installing without enabling the network, or changing the devices you set for your virtual machine in Proxmox.

netinstall ends up with a Centos minimal

Because of limitations with the timeouts implemented in repo initialization, we are not able to leave the SME install enabled by default; if we did, on slow connections you would end up with a fatal error preventing you from actually installing anything. Because of that, unless you use your own kickstart, when using the GUI installer on the netinstall ISO you need, on the second screen, to enter the menu to select packages to install and select minimal install.


See also AddExtraHardDisk if you think you might use RAID1 one day. But it's an alternative for part of the date. Best solution is to reinstall SME10 with 2 drives.


Koozali SME Server 10.1 Changelog

Major changes in this release

  • httpd access control using httpd 2.4 syntax
  • improve handling of logs between journalctl and rsyslog
  • improve logrotate scripts
  • better handling of pseudonyms
  • improve yum update without reboot
  • upgrade bglibs and cvm-unix to last version
  • Contribs data are now part of core backup
  • This release is based on CentOS 7.9.2009 and all available updates
  • Improved handling of SSL certificates
  • Increased level of security in term of encryption for all services
  • FTP is only available over TLS by default to avoid clear text exchanges on the network
  • PHP module is not used anymore by apache server. We now use php-fpm 7.4 by default.
  • PHP-FPM available by default : 5.4, 5.5, 5.6, 7.0, 7.1, 7.2, 7.3, 7.4, 8.0 and 8.1. Supported versions are 5.4, 7.4 (up to 2022 Nov. 28), 8.0 and 8.1
  • no degraded RAID support on install
  • using protocol SMB2 and SMB3 only for file share, CIFS/SMB1 is not available as default.
  • migration of most services to systemd
  • added specific events to prevent the need of reboot on yum update / yum install
  • Switch from mysql 5.1 to mariadb 5.5
  • Dovecot is now handling imap, imaps, pop3, pop3s

Detailed changes in this release

Only the changes since SME Server 10 RC1 are listed, mainly autogenerated from the changelogs.

Packages altered by Centos, Redhat, and Fedora-associated developers are not included.

The changelogs are written per package

SME built or modified packages - ChangeLogs

9 June 2021

Backups

18 Aug 2022

  • Backups

e-smith-backup

- negative date (mtime, data modification time) zerodate fix [SME: 11907]
- allow mounting smbv1 backup share [SME: 11557]
- remove lock noise to cron stdout for workstation backup [SME: 11530]
- fix dar restore replacing rootdir symlinks by folders [SME: 11424]
- Remove duplicate gunzip call in perform_restore [SME: 11266]
- Remove debug output of device names
- Revert BlockDevices.pm and backup call to not filter to removable drives
- Replace hal-* calls with BlockDevices [SME: 11319]
- add update event [SME: 11124]
- Added /etc/backup-data.d to backup paths [SME: 10245]
- Added error handling to restore using pipe pattern from perform_backup [SME: 3139]
- Made reboot optional after console restore
- Fixed bootstrap restore not activating config changes [SME: 10921]
- Manually added ext2 and ext3 to Block Device file system check where ext4 present
- updated Block Device discovery to fix recovery from console [SME: 8244]
- Credit to Catton Durbrow


File Server

  • e-smith-samba

- samba fix typo in delete v6 profile dir win10 [SME: 11725]
- samba delete v6 profile dir win10 [SME: 11725]
- samba create v6 profile dir win10 [SME: 11725]
- netlogon.bat +x [SME: 11566]
- add possibility to reenable allow execute always on ibays homes or everywhere [SME: 11555]
- fix double entries for min protocol [SME: 11558]
- clean rsyslog syntax for smbd and nmbd [SME: 11422]
- fix noise in message log from nmbd and smbd redirected to dedicated logs [SME: 11349]
- allow using user-create-profiledir action with temp or package-update events [SME: 11348]
- fix log noise for smb.service [SME: 11157]
- add Restart=always [SME: 11118]
- add Restart=always [SME: 11117]
- migrate nmbd to systemd [SME: 11118]
- migrate smbd to systemd [SME: 11117]
  create generik smb.service service
- create e-smith-samba-update event [SME: 11157]
- Fix mutex locking [SME: 11199]
- Fix pid directory [SME: 11198]
- Add /etc/krb5.conf as template using templates from smeserver-samba - [SME: 11093]
- remove win98pwdcache.reg from server-resources [SME: 9060]
- set min server and client protocol SMB2 [SME: 10576]
  add check so max always greater than min
- add port 445 if min server protocol is SMB2 or SMB3 [SME: 10963]

LDAP

  • e-smith-ldap

- add support or rsshusers system group [SME: 11753]
- redirect syslog for ldapt to /var/log/ldap/ldap.log [SME: 11745]
- fix ssl-update reload instead of restart ldap [SME: 11598]
- fix wrong path for templates.metadata [SME: 11595]
- use template for ssl pem [SME: 11595]
- fix ldap failing to start on initial boot [SME: 11480]
- fix wrong alias to ldap.init [SME: 11301]
- add -update event [SME: 11140]
- move ldap to systemd [SME: 11099]
- move ldap.init to systemd [SME: 11096]
- New protocol default as TLSv1.2 [SME: 10936]
  New property TLSProtocolMin
  Ciphers are now ordered with stronger first

Localisation
  • smeserver-locale

- apply local 2022-07-21.patch [SME: 12117]
- apply local 2021-06-06.patch [SME: 11593]
- apply local 2021-05-12.patch [SME: 11593]
- apply local 2021-01-09.patch [SME: 11310]
- apply local 2019-12-07.patch

Mail Server
  • e-smith-email

- add quote around filename to .fetchids moving script [SME: 12131]
- move fetchids from /run and avoid its loss on reboot [SME: 12131]
  similar changes in contrib smesevrer-fetchmail
- fix typo in regex [SME: 11799]
- fix missing dot in regex for untainting [SME: 11799]
  would delete any account named with the string before the dot
- untainting string correctly [SME: 11716]
- fix typo for mailpattern for rar files [SME: 11690]
- fix perms for /var/lock/fetchmail [SME: 11634]
- make /var/lock/fetchmail dir permanent [SME: 11634]
- add new RAR file signatures to default mailpatterns database [SME: 11265]
- webmail is only SSL [SME: 11443]
- create -update event [SME: 11133]
- move smtp-auth-proxy to systemd [SME: 11102]
- allow creation of pseudonyms with setting of local only [SME: 3802]

  • e-smith-qmail

- fix multiple errors with pseudonyms in template [SME: 8591]
  orphaned pseudonyms are associated to admin
- repopulate qmail assign db and sighup qmail on group event [SME: 11934]
- can set to 0 ConcurrencyLocal or ConcurrencyRemote [SME: 11645]
  this allows to disable of type of delivery
- add Requires=runit.service [SME: 11245]
- fix missing actions for systemd on upgrade event [SME: 11105]
  cleanup preset file
- remove qmail link in init.d and whole rc.d [SME: 11105]
  take 3
- remove qmail link in init.d [SME: 11105]
- execute systemd-reload before service adjust in events [SME: 11228]
- remove S95reset-unsavedflag [SME: 11229]
- remove rc7.d link [SME: 11105]
- fix actions in e-smith-qmail-update [SME: 11152]
- Move qmail service to systemd [SME: 11105]
- Create e-smith-qmail-update event [SME: 11152]

  • qpsmtpd

- fix fetchmail patch to check local_ip [SME: 11763]
- fix configuration not honoured on initial start [SME: 10387]
  commented out load_plugins see https://github.com/smtpd/qpsmtpd/issues/288.

  • smeserver-clamav

- logrotate clamd keeps logging to old log [SME: 11963]
- remove default property ArchiveBlockEncrypted [SME: 11695]
- fix property name error 2.7.0-12.sme [SME: 11695]
- fix spec file error 2.7.0-11.sme [SME: 11474]
- rename property ArchiveBlockEncrypted to AlertEncrypted as per upstream [SME: 11695]
  added properties AlertBrokenExecutables AlertExceedsMax AlertOLE2Macros
  AlertPartitionIntersection AlertPhishingCloak and AlertPhishingSSLMismatch
  with default no
  added property HeuristicAlerts with default yes
- fix noise on centos2sme [SME: 11474]
- identify from which server is freshclam error [SME: 11755]
  fix from Graeme Fleming
- fix typo in logrotate [SME: 11608]
- fix typo and missing +x [SME: 11520]
- fix issues with non epel standard scan.conf [SME: 11520]
  move clamd.conf to scan.conf
  remove alias for clamtop
  add a wrapper for clamdscan to force --fdpass
- ease use of clamdtop [SME: 11313]
- fix Transaction check error [SME: 11311]
- add pid folder /run/clamd/ [SME: 11103]
  few improvements
- create update event [SME: 11162]
- Updated to use 0.103+ from EPEL [SME: 11194]
- Updated to use systemd for clamd [SME: 11103]
- Updated to use systemd for freshclam [SME: 11104]
- increase lower memory limit to 1GB [SME: 10833]
- fix for AllowSupplementaryGroups warning [SME: 10813]

  • smeserver-qpsmtpd

- Print both 255 char and full length DKIM keys [SME: 11974] - fix unable to set internal only pseudonym as full email [SME: 11933] - add softlimit template for qpsmtpd [SME: 11858]

 increase softlimit to 50000000.

- fix regression Set the default helo policy to lenient [SME: 11864] - mail sent on 127.0.0.200:25 should be spam checked [SME: 10289]

 filtering again fetchmail originating mails

- sighup on reload [SME: 11759] - fix tnef2mime FATAL PLUGIN ERROR [SME: 11648]

 this will be a temp fix by redefining MIME::Parser::Filer::output_path
 until it has been fixed upstream

- update deprecated reject_threshold to reject [SME: 11492] - remove /usr/lib/systemd/system-preset/80-koozali-qpsmtpd.preset [SME: 10958] - modify for clamav 0.103.0 [SME: 11210] - roll up patches - add Requires=runit.service (qpsmtpd & sqpsmtpd) [SME: 11245] - fix service not enabled [SME: 11107]

 remove reset-unsavedflag

- Move qpsmtpd & sqpsmtpd services to systemd [SME: 11107] - Create smeserver-qpsmtpd-update event [SME: 11164] - expand badrcptto_ext when needed [SME: 10638]

 this prevents users, groups or pseudonyms meant for internal purposes from being
 reachable from outside

- minimum Protocol TLSv1.0 [SME: 10460]

 better ciphers order.
Server manager
  • e-smith-manager

- update to httpd 2.4 access syntax for httpd-admin [SME: 12129] - update to httpd 2.4 access syntax [SME: 12129] - removing reference to old log rotation action [SME: 11872] - take 2 wrong system mode reported in bugreport [SME: 10448] - fix wrong system mode reported in bugreport [SME: 10448] - create -update event [SME: 11144] - migrate httpd-admin to systemd [SME: 11110] - removing hardcoded ports [SME: 10967] - Add a FollowSymlinks for user-password in password/cgi-bin (perl-suid) [SME: 9677] - update apache icon path [SME: 9591] - add message to indicate EOL after Jun 30 2024 fix [SME: 10170]

 e-smith-viewlogfiles
 perl-CGI-FormMagick
Webmail and Groupware
  • smeserver-horde

- fix invalid domain if ForcePrimaryDomain is enabled [SME: 11980] - fix $ldapServer is commented out if Horde ForcePrimaryDomain is disabled [SME: 11981] - use httpd 2.4 access control syntax [SME: 11945] - fix previous patch error extra line [SME: 11694] - fix alarm noise when disabled [SME: 11694] - Syntax error, unexpected '(T_STRING), expecting ')' [SME: 11738] - thanks to zsolt vasarhelyi for patch test - Ingo filters TLS error if sieve is enabled [SME: 11628] - fix missing call to perl module emsith::php [SME: 11489] - clean rsyslog syntax for horde [SME: 11422] - improved php basedir, with filtering of noise for gpg [SME: 10945] - force SSL for horde [SME: 11443] - fix horde not honoring switch to php-fpm 5.4 [SME: 11433] - update mail settings for the php-pool [SME: 11431] - spamd SpamLearning property migrated to spamassassin SpamLearning [SME: 11376] - Configuration is not up to date, hash to update [SME: 11308] - fix wrong template path for php55, php56 and php [SME: 11255] - fix webmail not accessible after enabling from manager [SME: 11233] - update rsyslog syntax [SME: 11016]

 move fragment so syntax is similar to message

- remove hardcoded ports [SME: 10969] - add gpg to php base dir [SME: 10945] - workaround logging noise caused by libsasl [SME: 10943] - log as admin and not admin@domain for cli tasks [SME: 10910] - fix ingo imap preferences [SME: 10912] - allow httpd-auth for calendar, tasks access using rpc.php ... [SME: 10908] - add smeserver-horde-update event [SME: 10909] - avoid loss of user parameter on Primary Domain change [SME: 1005]

 this will also avoid the loss of parameter if we log with a different virtualhost
 horde preference is now stored with the SME username without @domain

- fix bad regex to strip domain [SME: 10224]

 also we can now force Primary domain to use as default email
 we can strip heading string from virtualhost domain to create email
 default identity email will update as long as no other identity is created for the user

- fix typo in php-fpm patch [SME: 10872] - remove php3 references [SME: 10866] - remove strict and warning alert from error log [SME: 10823] - dedicated php-fpm pool for horde [SME: 10872] - apply patches from John H. Bennett III [SME: 10717] - cvs admin -ko on patch1

Web Server
  • e-smith-apache

- reverting last change [SME: 9375] - add conflict on older ibays, php, horde, proxy, manager rpms - removing mod_access_compat [SME: 9375] - convert httpd 2.2 allow,deny to Require for 2.4 [SME: 9375] - use maxsize, not size [SME: 11867] - use logrotate.d instead of event action [SME: 11867]

 use size to force log rotate before normal delay

- add modules ldap authnz_ldap and proxy_wstunnel [SME: 11760]

 previously provided by webapps-common

- fix httpd-e-smith failing to start on reboot in private server-gateway mode [SME: 11596] - add possibility to force https on LAN only [SME: 11511]

 useful for VPN over port 443

- prevent httpd from failing if modSSL defined certs do not exist [SME: 10826]

 default on self generated cert

- create-update event [SME: 11123] - move httpd-e-smith to systemd [SME: 11111]

 changed sigusr1 used in events to reload as defined in the unit file

- give a logger to httpd-e-smith : journald [SME: 1416] - set default SSLStrictSNIVHostCheck to off [SME: 8693] - add SNI support for individual certificates per VirtualHosts [SME: 8693] - port 80 and 443 should not be hardcoded [SME: 9192] - e-smith-apache removing hardcoded ports [SME: 10966] - remove php3 and php4 refs [SME: 10867] - disable TLSv1 TLSv1.1 by default [SME: 10459]

Other fixes and updates
  • bglibs

- initial build for SME10 [SME: 11883]

 patched selftests.sh to avoid net/resolve_ipv4addr.c test which fails under mock
 added BuildRequires glibc glibc-static glibc-devel mtools autoconf
 commented out files for devel /usr/local/bglibs/lib/*.lib and /usr/local/bglibs/lib/*/*.a
 as they fail.
  • cvm

- build cvm 0.97 for SME10 [SME: 11315]

  • e-smith-LPRng

- untainting port cleanly [SME: 12106] - remove /usr/lib/systemd/system-preset/80-koozali-LPRng.preset [SME: 10958] - Add 'Requires:runit.service' [SME: 11245] - Add a fragment for lpd in 49-koozali.preset [SME: 11006] - Remove init.d/supervise/lpd link [SME: 11006] - keep runit service for systemd [SME: 11006] - fix update event name [SME: 11007] - from service to systemd [SME: 11006] - add lpd-update event [SME: 11007]

  • e-smith-base

- no new self signed cert when adding/removing non self hosts [SME: 12130] - fix /dev/log not being recreated [SME: 12073] - add rsshusers group to ldap and update it [SME: 11956] - fix symlinks preventing log rotation [SME: 11950] - remove immark module to reduce messages log activity [SME: 11813] - fix logs not rotated before 100M (size maxsize) [SME: 10484] - reduce systemd noise in messages [SME: 11813] - fix dhcp address not propagated [SME: 11930] - make rsyslog listen journald which listen /dev/log [SME: 11813]

 template for /etc/systemd/journald.conf

- properly configure /etc/logrotate.conf [SME: 10484]

 template for /etc/logrotate.conf
 use of size to limit max size of file and rotate earlier

- drop e-smith logrotate actions creating dangling links [SME: 946] - make journald log permanent by creating /var/log/journal [SME: 11795] - allow group-modify-unix on update event [SME: 11766] - fix typo in last patch [SME: 11722] - add support for systemd service with instance service@instance.service [SME: 11722] - add local domains in self signed cert alt subjects [SME: 11624]

 add local hosts in self signed cert alt subjects
 modSSL property to disable hosts domains addition : AddDomains AddHosts
 default is enabled when empty

- fix missing export [SME: 11620] - fix issue with adding new user to the ldap db [SME: 11607] - always renew self signed certificate [SME: 11552]

 update key / crt if not signed with the right key size
 default to self signed if custom cert and key are not files or not right type
 add perl module to help handle certificates and keys
 TODO: check if both key and cert are related, if not default to self signed

- fix openssl.conf not generated when openldap field are empty [SME: 11569] - fix missing path to systemctl for add-wants [SME: 11537] - merge dhcpdmanager custom template fragments with core [SME: 10657] - remove templates-custom previously owned by a contrib [SME: 11508]

 they got migrated as part of normal backup restore

- fix masq failing on initial boot [SME: 11479] - removing weekly cron for ddns update, targeted script has been removed [SME: 11470] - revert e-smith-service file [SME: 9692] - add systemctl wrapper [SME: 11345] - clean rsyslog syntax for dhcpd [SME: 11422] - cleanup /etc/rc.d and /var/service [SME: 9692] - remove klogd references [SME: 11363] - restore part of pptp code and move to generic vpn entry [SME: 11374] - drop dyndns core support [SME: 11415] - fix enabled service not started on reboot [SME: 11355]

 unless a power outage, as long as you reboot, halt or shutdown systemd will
 be in sync

- fix console::startup run twice [SME: 11358] - improve run order in systemd-default [SME: 11356] - fix uninitialized value during post-install [SME: 11350] - fix user with rssh shell need to be member of rsshusers group [SME: 9155] - add missing /sbin/e-smith/bootstrap-runlevel7 [SME: 11318] - fix typo for isolate [SME: 11246] - separate bootstrap-console from run level service launch [SME: 11318] - only run isolate if sme-server.target is not active [SME: 11246] - update system-preset usr/lib file [SME: 10958] - fix loss of httpd basic auth [SME: 11309] - fix services starting when they are in Wants= for sme-server.target and preset disabled [SME: 11247] - rewrite of manageRAID.pl and add_drive_to_raid for SME10 [SME: 10918] - added gdisk as a dependency to support GPT systems - fix modSSL key crt and keychain files really exist [SME: 11252] - add ldap.init as exception for preset - fix init-accounts [SME: 9642] - validate modSSL key crt and keychain files really exist [SME: 11252]

 if not we use self generated

- drop pptpd support [SME: 11250] - add bash-completion [SME: 11244] - improve local service to systemd [SME: 11119]

 now run rc.local file as part of the event
  • e-smith-cvm-unix-local

- fix error compressing log still in use by delaying it [SME: 11968] - reverting to release 7 state [SME: 11885] - Add yum action to restart post install [SME: 11885] - bump requirement for cvm [SME: 11885]

 removing daemontools requirement

- expand rsyslog.conf [SME: 11807] - redirect and rotate log for cvm-unix [SME: 11807]

 fix cvm-pre script permission

- fix service stopping restarting on crash [SME: 11792] - fix typo [SME: 11314] - migrate to systemd [SME: 11314] - add update event [SME: 11125]

  • e-smith-devtools

- remove duplication with Dar backup [SME: 11993] - ease backup include and exclude of contribs [SME: 11993] - netlogon.bat +x [SME: 11566] - add update event [SME: 11126]

  • e-smith-ibays

- add missing elements to e-smith-ibays-update event to activate changes [SME: 11774] - fix AH01797: client denied by server conf [SME: 11774]

 use new require syntax for httpd 2.4

- fix patch for SSLRequireSSL [SME: 8150] - force https if auth or dav are enabled [SME: 11407] - merge SSL and SSLRequireSSL properties [SME: 8150]

 now SSLRequireSSL will force SSL to the html ibay directory and redirect to https

- update php properties and folders [SME: 11412] - remove last bit of atalk [SME: 668] - add update event [SME: 11139] - remove hardcoded ports [SME: 10968] - remove php3 reference [SME: 10869] - fix apache failing if ibay has dynamic content enabled and phpmodule is disabled [SME: 10871] - revert patch, wrong rpm [SME: 10871] - add support for php-fpm [SME: 10871]

  • e-smith-lib-compspec

- fix last dot erased on completion [SME: 11368] - error on incorrect cmd input [SME: 4661] - allow easy access to templates.metadata to expand desired files [SME: 11312] - add update event [SME: 11142]

  • e-smith-ntp

- dedicated log and logrotate [SME: 12115]

 thanks to bunkobugsy for this patch

- untainting fields [SME: 12107] - fix ntpd crashing with panic_stop [SME: 11298] - update override.conf to 50koozali.conf [SME: 11008] - adding missing folder /usr/lib/systemd/system/ntpd.service.d [SME: 11008] - fix typo in path for new driftfile [SME: 8881] - fix systemd-preset fragment [SME: 11008]

 add +x to ExecStartPre script

- improve systemd integration [SME: 11008] - change driftfile path [SME: 8881] - from service to systemd [SME: 11008] - add ntpd-update event [SME: 11009] - revert last change [SME: 10190]

 on sme10 systemd has ntpd disabled by default

- revert last change [SME: 10190]

 on sme10 systemd has ntpd disabled by default
  • e-smith-nutUPS

- Misspelling in /usr/lib/systemd/system/nut.service file [SME: 11633] - fix start ordering nut.service [SME: 11488] - fix ExecStartPre path for /usr/lib/tmpfiles.d/nut-run.conf [SME: 11488] - fix ExecStartPre path for nut.service [SME: 11488] - fix template path for monitor [SME: 9423] - Fix preset line endings in 49-koozali.preset [SME: 11215] - add update event to avoid reboot [SME: 11146] - adapt nut UPS for systemd [SME: 9423]

  • e-smith-packetfilter

- restrict VPN networks to their interface [SME: 11640]

 remove remoteVPNSubnet property added VPNif property

- fix dropin file not expanded on initial installation [SME: 11528] - fix noise on logrotate, doing a restart instead of reload [SME: 11451] - move ulogd to systemd [SME: 11426] - require ulogd 2 [SME: 11426] - remove pptpd last references [SME: 11420] - remove /usr/lib/systemd/system-preset/80-koozali-packetfilter.preset [SME: 10958] - drop pptpd support [SME: 11251] - launch masq using systemd unit [SME: 11089] - create event to avoid reboot on update [SME: 11122]

  • e-smith-proxy

- use httpd 2.4 access control syntax [SME: 11944] - fix squid starting before network [SME: 11713]

 also dropin file not expanded on install fixed

- cleanup in /etc/rc.d and /var/service/squid [SME: 9692]

  • e-smith-radiusd

- redirect daemon log to its own file [SME: 11947] - workaround upstream missing definition of /var/run/radiusd/tmp [SME: 11859] - fix startup informational message Duplicate Auth-Type 'REJECT' [SME: 11736] - patch was blank, populate and apply [SME: 11736] - fix startup informational message Duplicate Auth-Type 'REJECT' [SME: 11736] - add db property PAP-auth [SME: 11735] - add/fix PAP-auth patch [SME: 11735] - fix WAP-auth patch [SME: 11718] - fix LDAP-auth patch [SME: 11719] - fix ssl template metadata patch [SME: 11680] - remove services2adjust in bootstrap-console-save event, this put systemd in a loop [SME: 11602] - ssl pem using template in place of copy [SME: 11602] - radiusd needs ldap started before [SME: 11302] - add Restart=always [SME: 11113]

 change group of pem file to radiusd

- create -update event [SME: 11155] - move radiusd to systemd [SME: 11113]

 remove noise from spec file

- fix server restarting with virtual_server error [SME: 10853]

  • smeserver-audittools

- display yum repo as seen by yum and db [SME: 10880] - add remi-safe in list of newrpms [SME: 11932] - fix temp event displayed by events audittool [SME: 11674] - fix links to different rpm reported as modified [SME: 11673] - add update event [SME: 11161]

  • smeserver-yum

- bump version number - no reboot for dbus-glib [SME: 12091] - rephrase contrib update message [SME: 11543] - move mysqld to mariadb in smeserver plugin [SME: 11921] - remove force AutoInstallUpdates to disabled [SME: 11961] - fix rotate yum.log as not standard location [SME: 11951] - remove yum_update_dbs from messages log [SME: 11952] - restart cvm-unix on cvm or bglibs update [SME: 11886] - remove pop3 and pop3s services from plugin [SME: 11808] - fix restarting spamd instead of spamassassin [SME: 11803] - Re-word-reboot-required-message.patch [SME: 11790] - fix wrong qpsmtpd handling [SME: 11768] - add elrepo GPG key [SME: 11625] - no reboot needed for systemd-python [SME: 11609] - fix services stop on removal [SME: 11510] - run navigation-conf when a panel is installed [SME: 11507] - migrate back to normal CentOS mirrors after el6 EOL [SME: 11477] - version 2 with

 deleting yum{eolversion} if for previous release or not yet eol
 better handling of conditions

- avoid reboot on removal of smeserver-* rpms [SME: 11458] - navigation-conf when a panel is installed - fix wrong path for rsyslog.conf [SME: 11364] - remove noise in yum process "overriding all signals, forcing restart" [SME: 11372] - packages installed logged both in yum.log and message [SME: 11364] - set priority to 10 for remi-safe [SME: 11360] - fix poor handling of service adjusting and action order [SME: 11300]

 now a temp event is created
 also better logging, better handling of update vs removal

- make yum dbs service fork [SME: 11243]

 now smeserver.py plugin call the service
 yum-modify can use the service restart
 yum.service is its own service, not called by local.service

- move yum update db service to systemd [SME: 11180] - fix -update events not run on package upgrade [SME: 11184]

 lower noise on forced restart

- fix switch to vault BaseURL for CentOS [SME: 11227] - add remi-safe as base repo [SME: 11179] - smeserver-yum-update event created [SME: 11168] - fix separate action before template, and after service [SME: 11175]

 run all actions with post-upgrade as default event

- fix some templates not expanded [SME: 11121] - fix smeserver.py not executing action because of wrong path [SME: 11047] - fix error when key absent of a dict of smeserver plugin at clean stage [SME: 10931] - avoid missing template error after removal of a rpm [SME: 10846] - restart php-fpm services when needed [SME: 10873] - applying patch [SME: 10690] - fix NameError: global name 'yum_update_dbs' is not defined [SME: 6940] - use yum-cron with autoupdate feature [SME: 10690]


The changelogs are written per package.

On behalf of the Koozali SME Server development team

- Compilation of release data is thanks to scripts developed by Ian Wells and substantially improved by Jean-Philippe Pialasset