1,574
edits
Changes
Jump to navigation
Jump to search
Line 1:
Line 1: − + + Line 15:
Line 16: − + Line 25:
Line 26: − + Line 31:
Line 32: − + − + Line 43:
Line 44: + + + + + + + + + + + + + + + + Line 51:
Line 68: − + − + + + + + + + + + + + + + + + + + + + + + + + + + + + + Line 60:
Line 104: − + Line 67:
Line 111: − + + + + + + Line 84:
Line 133: − + Line 92:
Line 141: + − '''Practical usage guidelines'''+ − An SME Server has only one name set, meaning only one occurrence of a name can be in the system, whether it be a user, a group, a pseudonym or an ibay. + − + − Therefore whenever you create a user account and you have multiple domains, then that user will apply to all domains automatically. + − + − + − − − − Line 111:
Line 157: − eg create your domains eg domain1, domain2, domain3, domain4 and configure those domains to use different ibays for the web content. + − − − create user accounts user1, user2, user3, user4 as needed for users who want to use the email address "sales", but keep in mind they will use the login name user1 rather than sales (the login names could be johnb, johnb2, johnw, johnm etc) − − create user accounts user5, user6, user7, user8 as needed for users who want to use the email address "info", but keep in mind they will use the login name user5 etc rather than info − + − + − sales@domain1 which forwards to user1 − sales@domain2 which forwards to user2 − sales@domain3 which forwards to user3 − sales@domain4 which forwards to user4 − info@domain1 which forwards to user5 + − info@domain2 which forwards to user6 − info@domain3 which forwards to user7 − info@domain4 which forwards to user8 − + − + − + − + + + + + + + + + + Line 147:
Line 190: − + − − − Line 196:
Line 236: − + + + + + + + + + + +
SME Server:Documentation:Administration Manual:Chapter9 (view source)
Revision as of 06:40, 21 July 2017
, 06:40, 21 July 2017Broken link
===Chapter 9. Collaboration===
<noinclude>{{Languages}}</noinclude>
===Collaboration===
====Users====
====Users====
From the list of user accounts, you can easily modify or remove a user account (by clicking on "modify" or "remove" next to the user name) or set the user's password. User accounts are locked out and cannot be used until you set the initial password for each account . As a reminder of this, user accounts appear in red until the password is changed. (In the example shown here, the administrator has not yet changed the password for user "Sally Salmon").
From the list of user accounts, you can easily modify or remove a user account (by clicking on "modify" or "remove" next to the user name) or set the user's password. User accounts are locked out and cannot be used until you set the initial password for each account . As a reminder of this, user accounts appear in red until the password is changed. (In the example shown here, the administrator has not yet changed the password for user "Sally Salmon").
{{DrawBoxNote|content=If you want someone to have an email address at your company, but want the messages forwarded to another external email address, you can create the user account but set the email delivery option in the user account to 'Forward to address below' and enter the external address. If you leave the user account locked out, the user will not be able to access services on your server, but the email will be delivered to the external email address.}}
{{Note box|If you want someone to have an email address at your company, but want the messages forwarded to another external email address, you can create the user account but set the email delivery option in the user account to 'Forward to address below' and enter the external address. If you leave the user account locked out, the user will not be able to access services on your server, but the email will be delivered to the external email address.}}
=====Disabling User Accounts=====
=====Disabling User Accounts=====
=====Changing User Passwords=====
=====Changing User Passwords=====
Once they have an active account, your users can set their own passwords by accessing the user-password URL which is only accessible from Local Networks. They do this through their web browsers by visiting the URL www.yourdomain.xxx:User_Manual-password (where "www.yourdomain.xxx" is the web server name you entered into the server console). The staff at The Pagan Vegan would visit the URL www.tofu-dog.com:User_Manual-password .
Once they have an active account, your users can set their own passwords by accessing the user-password URL which is only accessible from Local Networks. They do this through their web browsers by visiting the URL www.yourdomain.xxx/user-password (where "www.yourdomain.xxx" is the web server name you entered into the server console). The staff at The Pagan Vegan would visit the URL www.yourdomain.xxx/user-password .
To make the change, a user would enter his or her account name (the characters before "@"), the old password and the new password (to ensure accuracy, the screen asks for the new password twice). Note that changing the password for a user in the server-manager overrides any previous password entered by your user. Therefore, when a user forgets his password, simply reset it in the server- manager.
To make the change, a user would enter his or her account name (the characters before "@"), the old password and the new password (to ensure accuracy, the screen asks for the new password twice). Note that changing the password for a user in the server-manager overrides any previous password entered by your user. Therefore, when a user forgets his password, simply reset it in the server- manager.
{{DrawBoxNote|content=There is no way for the administrator to recover a forgotten password for a user. All they can do is set a new password for the user.}}
{{Note box|There is no way for the administrator to recover a forgotten password for a user. All they can do is set a new password for the user.}}
{{DrawBoxNote|content='''Password strength checking is too strong. How do I change it?'''<br />
{{Note box|'''Password strength checking is too strong. How do I change it?'''<br />
First a warning - Far too many systems out there have weak passwords and they will be broken into. Educating your users on the necessity of strong passwords is the best option. If that fails, here is how you change the password strength checking from 'strong' to 'normal', which was the setting in previous versions of SME. Be careful to use the exact capitalization.<br />
First a warning - Far too many systems out there have weak passwords and they will be broken into. Educating your users on the necessity of strong passwords is the best option. If that fails, here is how you change the password strength checking from 'strong' to 'normal', which was the setting in previous versions of SME. Be careful to use the exact capitalization.<br />
It is also possible, but strongly discouraged, to disable password strength checking by setting to 'none'
It is also possible, but strongly discouraged, to disable password strength checking by setting to 'none'
}}
}}
The following settings are available to specify the password strength on SME Server:
{|
! setting explanation
!
|-
| ''strong''
| The password is passed through Cracklib for dictionary type word checking as well as requiring upper case, lower case, number, non alpha and a mimimum length of 7 characters.
|-
| ''normal''
| The password requires upper case, lower case, number, non alpha and a minimum length of 7 characters.
|-
| ''none''
| The password can be anything as no checking is done.
Please note that "none" does not mean no password, it just means no password strength checking, so you can enter any (weak) password you want as long as it is at least 7 characters long.
|}
====Groups====
====Groups====
Creating a new group is a simple three-step process. You enter the group name (as with account names, these should begin with a lower-case letter and consist only of lower-case letters and numbers), followed by a brief description. Finally, check the boxes next to the names of the users who should be associated with that group.
Creating a new group is a simple three-step process. You enter the group name (as with account names, these should begin with a lower-case letter and consist only of lower-case letters and numbers), followed by a brief description. Finally, check the boxes next to the names of the users who should be associated with that group.
{{DrawBoxWarning|content=When you create a group, you are required to assign at least one user to that group. If you fail to do so, the group will not be created and you will receive an error message.}}
{{Warning box|When you create a group, you are required to assign at least one user to that group. If you fail to do so, the group will not be created and you will receive an error message.}}
After you add (or remove) a user account from a group, the user must log out and log back in for those changes to take effect. Until the user does so, he or she will still have their old group membership information. For instance, suppose you create a new group "sales" and assign user "ffrog" (Fred Frog) to that group. You then create a new i-bay called "salesinfo" that only the "sales" group can access. Fred Frog is still logged into a Windows PC and now tries to connect to the new i-bay through Windows Explorer. He will receive a permission-denied error. He must log out of Windows (he does not need to shut down or reboot, just log out) and login again. Now he should be able to go through Windows Explorer and access the "salesinfo" i-bay without any problem.
[[bugzilla:6934]]
After you add (or remove) a user account from a group, the user must log out and log back in for those changes to take effect. Until the user does so, he or she will still have their old group membership information. For instance, suppose you create a new group "sales" and assign user "ffrog" (Fred Frog) to that group. You then create a new i-bay called "salesinfo" that only the "sales" group can access, until Fred logs out and then logs back in he will not have access to the new "sales" group and its ibay "salesinfo".
{{Note box|A windows user who is still logged into a Windows PC and tries to connect to the new i-bay through Windows Explorer. They will receive a permission-denied error. They must log out of Windows (they do not need to shut down or reboot, just log out) and login again. Now they should be able to go through Windows Explorer and access the "salesinfo" i-bay without any problem.}}
====Setting Windows Admin Rights====
If you are using SME Server as a domain controller and the windows workstations have joined the domain then by adding users to special groups you are able to change the rights a users has on that workstation.
The domain always has three groups created, assigned as follows:
{| border="1" cellpadding="10" cellspacing="0"
!Group Description
!Domain Rights
|-
|Domain Admins
|admin
|-
|Domain Users
|shared (everyone)
|-
|Domain Guests
|nobody
|}
If you create a group and name it whatever you want but put one of the above for the description then the newly created group will replace the above mapping. So if you create a group called "admins" and give it a description of "Domain Admins" then anyone you assign to this group will be a domain admin and also a local admin on ANY box that has joined the domain.
You can also create a less privileged group "Power Users"<br>
see https://ss64.com/nt/syntax-security_groups.html and https://www.howtogeek.com/school/windows-network-sharing/lesson1/all/ for the rights granted to the different groups.
====Quotas====
====Quotas====
[[Image:Quotas.png]]
[[Image:Quotas.png]]
{{DrawBoxWarning|content=Note that the quotas apply to all files that a user stores on the server. This includes not just their home directory, but also all files that they may put into any of the i-bays.}}
{{Warning box|Note that the quotas apply to all files that a user stores on the server. This includes not just their home directory, but also all files that they may put into any of the i-bays.}}
There are two quotas that can be applied to each user account:
There are two quotas that can be applied to each user account:
Note that if the user account exceeds the "Limit with grace period" for seven consecutive days, the account will be treated as if it exceeded the absolute limit and will no longer be able to save files or receive email.
Note that if the user account exceeds the "Limit with grace period" for seven consecutive days, the account will be treated as if it exceeded the absolute limit and will no longer be able to save files or receive email.
{{DrawBoxWarning|content=Email for the user account is not lost! It is held in the delivery queue and will be delivered to the user when their disk usage drops back below their absolute limit (or the "limit with grace period" if they were locked out due to seven days above that limit).}}
{{Warning box|Email for the user account is not lost! It is held in the delivery queue and will be delivered to the user when their disk usage drops back below their absolute limit (or the "limit with grace period" if they were locked out due to seven days above that limit).}}
{{note box|msg=In certains cases you have some mailboxes which can't delivery messages and the qmail log say:
deferral: Temporary_error_on_maildir_delivery._(#4.3.0)/
It is probably that your users want to go beyond the upper limit of their quota, [[SME_Server:Documentation:Administration_Manual:Chapter9#Quotas|so you have to increase it]]. This could solve their problems. see [[bugzilla:7738]]}}
By selecting " Modify " you are able to set a quota (in Megabytes) for a particular user account. Note that you do not have to set both limits for a user account and can choose to set only one of the limits.
By selecting " Modify " you are able to set a quota (in Megabytes) for a particular user account. Note that you do not have to set both limits for a user account and can choose to set only one of the limits.
If you wish to modify or remove any of these pseudonyms, or create new ones, you can use the web panel found under the "Collaboration" section of the server-manager, as shown below.
If you wish to modify or remove any of these pseudonyms, or create new ones, you can use the web panel found under the "Collaboration" section of the server-manager, as shown below.
{{DrawBoxNote|content=The special pseudonyms of "everyone", "postmaster" and "mailer-daemon" will only be visible after you have either added a user account to the system or have added a custom pseudonym. Until that time, these three pseudonyms are there, but will not be visible on the Pseudonyms web panel.}}
{{Note box|The special pseudonyms of "everyone", "postmaster" and "mailer-daemon" will only be visible after you have either added a user account to the system or have added a custom pseudonym. Until that time, these three pseudonyms are there, but will not be visible on the Pseudonyms web panel.}}
[[Image:Pseudonyms.png]]
[[Image:Pseudonyms.png]]
[[Image:Create-a-pseudonym.png]]
[[Image:Create-a-pseudonym.png]]
=====Practical usage guidelines=====
An SME Server has only one name set, meaning only one occurrence of a name can be in the system, whether it be a user, a group, a pseudonym or an ibay. Therefore whenever you create a user account and you have multiple domains, then that user will apply to all domains automatically.
So the user account "sales" will receive email for:
*sales@domain1
*sales@domain2
*sales@domain3
So the user account "sales" will receive email for
*sales@domain4
sales@domain1
sales@domain2
sales@domain3
sales@domain4
The problem with this is that you cannot have different people using the same user account name to collect email.
The problem with this is that you cannot have different people using the same user account name to collect email.
The golden rule is never allocate unique user names to end users accounts as these will no longer be available for globalname@domain type email address usage.
The golden rule is never allocate unique user names to end users accounts as these will no longer be available for globalname@domain type email address usage.
*create your domains eg domain1, domain2, domain3, domain4 and configure those domains to use different ibays for the web content. You can even setup different groups to allow only different users to access each ibay to update web content etc.
You can even setup different groups to allow only different users to access each ibay to update web content etc.
create user accounts user9, user10, user11, user12 as needed for users who want to use the email address "accounts", but keep in mind they will use the login name user9 etc rather than accounts
*create user accounts user1, user2, user3, user4 as needed for users who want to use the email address "sales", but keep in mind they will use the login name user1 rather than sales (the login names could be johnb, johnb2, johnw, johnm etc)
create pseudonyms eg
*create user accounts user5, user6, user7, user8 as needed for users who want to use the email address "info", but keep in mind they will use the login name user5 etc rather than info
*create user accounts user9, user10, user11, user12 as needed for users who want to use the email address "accounts", but keep in mind they will use the login name user9 etc rather than accounts
accounts@domain1 which forwards to user9
*create pseudonyms eg
accounts@domain2 which forwards to user10
**sales@domain1 which forwards to user1
accounts@domain3 which forwards to user11
**sales@domain2 which forwards to user2
accounts@domain4 which forwards to user12
**sales@domain3 which forwards to user3
**sales@domain4 which forwards to user4
**info@domain1 which forwards to user5
**info@domain2 which forwards to user6
**info@domain3 which forwards to user7
**info@domain4 which forwards to user8
**accounts@domain1 which forwards to user9
**accounts@domain2 which forwards to user10
**accounts@domain3 which forwards to user11
**accounts@domain4 which forwards to user12
ie. in the pseudonyms field type the whole pseudonym name as sales@domain1
ie. in the pseudonyms field type the whole pseudonym name as sales@domain1
If you want webmail to be configured for the correct domain for the correct end user the first time they use it, then you will need to do that manually yourself before issuing the login details to the user, eg
If you want webmail to be configured for the correct domain for the correct end user the first time they use it, then you will need to do that manually yourself before issuing the login details to the user, eg
login to webmail as the end user eg user1 (for domain1) and setup the profile for that user to show the return email address of sales@domain1
login to webmail as the end user eg user1 (for domain1) and setup the profile for that user to show the return email address of sales@domain1 login to webmail as the end user eg user2 (for domain2) and setup the profile for that user to show the return email address of sales@domain2
login to webmail as the end user eg user2 (for domain2) and setup the profile for that user to show the return email address of sales@domain2
Do the same for all other webmail accounts that will be issued configuring the profile and return address as applicable.
Do the same for all other webmail accounts that will be issued configuring the profile and return address as applicable.
If you don't configure webmail profiles manually then they will have the default return address of loginusername@domain1 (or the main domain name of the server if different).
If you don't configure webmail profiles manually then they will have the default return address of loginusername@domain1 (or the main domain name of the server if different).
'''Summary'''
'''Summary'''
See this thread for details
See this thread for details
http://forums.contribs.org/index.php?topic=30953.0
http://forums.contribs.org/index.php?topic=30953.0
Removing the default SME server behaviour to '''auto create pseudonyms'''. In this scenario (multiple domains) you may not require or desire the need of the default behaviour of auto creation of pseudonyms.
To achieve this comment with an # at beginning the line 793 into
/usr/lib/perl5/site_perl/esmith/FormMagick/Panel/useraccounts.pm
{{Note box|Please not that the path to esmith perl libraries has changed as of SME Server 9.x to '''/usr/share/perl5/vendor_perl/esmith'''.}}
the line should be like
# $accountdb->create_user_auto_pseudonyms($acctName);
====Information Bays====
====Information Bays====
The i-bay (information bay) feature of the SME Server is a simple, very flexible and powerful way for you to share information with others. It is such a rich and important feature that we've devoted [http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter14 Chapter 14] entirely to dealing with Information Bays.
The i-bay (information bay) feature of the SME Server is a simple, very flexible and powerful way for you to share information with others. It is such a rich and important feature that we've devoted [http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter14 Chapter 14] entirely to dealing with Information Bays.