SME Server:Documentation:FAQ

From SME Server
Jump to navigation Jump to search


Frequently Asked Questions

This Section lists Frequently Asked Questions (FAQ) for SME 7. Problems many people run into installing SME 7 for the first time or upgrading to later versions are found here.

If your question isn't listed here, it's possible it's a Rarely Asked Question (RAQ), in which case you'll be better off searching for answers in Bugzilla.

Installation troubles

Installer prompts for installation file location

Problems have been reported installing SME Server off a PATA CD-ROM drive. The system is able to boot from the CD-ROM drive but after that you get prompted by a message to specify the location where the installation image can be found. This might either mean that the disk is not readable or the CD-ROM drive is not recognized. If you have validated the disk and are sure that the disk passes you might try to add the all-generic-ide option to the boot prompt before starting the installer like this:

linux all-generic-ide

Yum Updates

Which repositories should be enabled

You should have the following repositories enabled (blue)

CentOS - os
CentOS - updates
SME Server - addons
SME Server - extras
SME Server - os
SME Server - updates.

DO NOT enable SME Server - updates testing which is considered beta, unless

  • it is a TEST server NOT a production server or
  • you want to be part of a bug-testing group.

Additionally

  • SME Server - test is considered alpha
  • SME Server - dev contains automatically built rpms. It contains lots of experimental,

incomplete and mutually incompatible packages.


  Warning:
If upgrading from a system prior to 7.1 update 1, ie a 7.1 CD install or earlier,

you need to ensure you have the latest versions of the following rpms prior to applying the rest of the updates. This speeds up install process and avoids updates from centos that may be ahead of the distribution.

yum update dbus dbus-glib smeserver-support smeserver-yum yum yum-plugin-fastest-mirror python-sqlite 
signal-event post-upgrade; signal-event reboot



  Note:
A system installed from the SME 7.1 CD will have the 5 repositories above enabled. A system installed from the SME 7.0 iso and updated to 7.1 or later will only have the 3 SME Server repositories enabled. After updating from SME 7.0 to SME 7.1.x you should enable the Centos - os & Centos - updates repositories in server-manager.


Reconfigure / post-upgrade and reboot

  • When is a post-upgrade and reboot required?

The server manager yum installer has no way of determining whether any configuration files will change if all are re-expanded or to know which binaries have changed (or use libraries which have now changed) and therefore need to be restarted. The only safe option is to reconfigure and restart everything.

After clicking Reconfigure check the Status message and that the server does actually reboot. Rarely circumstances arise that prevent the reconfigure from triggering. If so run the following,

signal-event post-upgrade; signal-event reboot

Updating from SME 7.x to SME 7.2

See Updating_to_SME_7.2#Yum_Update

Warning in rkhunter email report

After upgrading to SME Server 7.4, the admin user may receive the following warning from rkhunter:

Warning: The SSH and rkhunter configuration options should be the same:
        SSH configuration option 'PermitRootLogin': yes
        Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no

This warning message is not indicative of a software error or security issue and can be safely ignored. The issue is to be attended to in a future release of SME Server. See this bug report for more information.

General

  • Please Wait - Yum Running (prereposetup)

This means Yum is working out what updates are available. Occasionally such as when large sets of updates are released this could take 10+ minutes to complete

  • Yum doesn't seem to be working correctly. What do I do now?

If for some reason you can't get yum to work correctly, try:

yum clean metadata
or possibly 'yum clean all'
yum update
  • Fix for 'Metadata file does not match checksum'

Typical error message

http://apt.sw.be/fedora/3/en/i386/dag/repodata/primary.xml.gz: 
[Errno -1] Metadata file does not match checksum Trying other mirror.
Error: failure: repodata/primary.xml.gz from dag: [Errno 256] No more mirrors to try.

To flush the up stream proxies, using wget, run:

wget --cache=off http://apt.sw.be/fedora/3/en/i386/dag/repodata/filelists.xml.gz
wget --cache=off http://apt.sw.be/fedora/3/en/i386/dag/repodata/primary.xml.gz
wget --cache=off http://apt.sw.be/fedora/3/en/i386/dag/repodata/repomd.xml
yum update
  • An unclean shutdown during a system update can put the system into a state where it's difficult to recover.

find all the duplicate rpm's

rpm -qa | sort | less 

Then remove all the duplicate rpm's

rpm -e --nodeps rpmname

Install the newest rpms

yum install rpmname
signal-event post-upgrade; signal-event reboot
  • Where can I go to learn more about yum, and about how SME uses it?

Adding_Software , man yum, http://linux.duke.edu/projects/yum/

Adding, removing or disabling repositories

  • What is the recommended way to add other yum repositories

The following code uses the dag repository as an example and sets the status to disabled. The repository is configured to be used via the command line with the --enablerepo= option

The following command will configure the dag repository on SME Server. EDIT NOT COMPLETE!


To create an entry in the database for the epel repository we open put the following commands in a terminal window or in a shell window:

/sbin/e-smith/db yum_repositories set epel repository \

Name 'SME Server - epel' \
BaseURL 'http://<http://download.fedoraproject.org/pub/epel/7/$basearch' \
EnableGroups yes \
GPGCheck yes \
Visible no \
status disabled

To enable the changes:

    signal-event yum-modify

Just to be sure, give yum a fresh start:

    yum clean all

After adding it to the database we have to update the changes to the configuration file:

signal-event yum-modify
  • How do I remove yum repositories
db yum_repositories delete repositoryname
signal-event yum-modify
  • How do I disable a repository to allow future use via command line with the --enablerepo= option
db yum_repositories repositoryname setprop status disabled
signal-event yum-modify

Other popular repositories

A list off other repositories can be found at Category:Yum_Repository.

Be careful updating software from these repositories. Only update packages by name eg.

yum update --enablerepo=reponame  packagename

Do not do a general update with the 3rd party repository enabled as it could update many packages that will overwrite SME versions.

Hardware Compatibility List

List of Hardware that known have problems with SME Server

Maintaining a complete HCL is difficult, the following links will give a indication of hardware being used by SME Servers and upstream providers

Client Computers

  • Samba trust relationships lost?

This is a possible bug with an upgrade from SME6. After an upgrade, local workstations cannot log in. If you are experiencing this problem, please have a look at this bug for a fix, and provide followup: [1]


  • Windows XP Clients - Patch to logon to SME domain

This patch can be used when Windows XP clients won't be able to log on to the SME Server domain. The registry patch is located here: http://servername/server-resources/regedit/winxplogon.reg Double click on the winxplogon.reg file and the settings will be added to the Windows Registry.


  • How to disable password caching on Windows 95/98/ME/2000 Clients?

This patch can be used if you don't want Windows clients to remember password for shared folders on SME Server. The registry patch is located here: http://servername/server-resources/regedit/win98pwdcache.reg Just double click on the win98pwdcache.reg file and the settings will be added to the Windows Registry.

Note Although the filename seems to indicate that this patch will only work for Windows 98, but it also works in Windows 95, Windows ME and Windows 2000.


  • LDAP Directory Gives MAPI_E_CALL_FAIL Errors on Outlook 2002 or Outlook 2003

In Outlook 2002 or 2003 when someone tries to find a contact using the LDAP server, a message stating that "Unavailable critical extension" and then a second message saying "The search could not be completed. MAPI_E_CALL_FAIL" shows up and nothing shows up from the search. The directory works beautifully in Thunderbird 1.5 as well as Outlook 2000, but not 2002 or 2003. More information can be found here: [2] [3]


  • Where is the netlogon directory?

The netlogon directory is located on the SMESERVER at: /home/e-smith/files/samba/netlogon It can also be found by a client computer at: \\servername\netlogon

Web Applications

  • chmod 777

Using 777 is always wrong (despite the fact that many howtos recommend it). 0770 is sufficient, as long as www is a member of the group owning the directory, and is safer.

Use chown www /path/to/dir
and preferably put your app in /opt/app not in an ibay

  • Generic Instructions for Installing a Web Application

Generic WebApp rpm

  • Wasn't mod_perl installed in previous versions? How do I install it?

It may have been, but it was not used so it is no longer included. If you do want to install it do the following:

Note The commands on a linux shell are case-sensitive, this means that Capital is not the same as capital.

 yum install mod_perl
 config setprop modPerl status enabled
 signal-event post-upgrade ; signal-event reboot

  • The directory structure is visible. How do I disable indexes in ibays?

SME Server 6.0, 6.0.1, and 6.5 all had the following for the ibays/html directory - "Options Indexes Includes". This would indicate that indexes were allowed for html directories. In SME Server 7.0 this is made a parameter and it defaults to enabled to be compatible with SME Server releases before SME Server 7.0 installations.

To disable indexes for an ibay in SME Server 7.0 do the following:

 db accounts setprop //ibayname// Indexes disabled 
 signal-event ibay-modify //ibayname// 

This issue was first reported here: [[4]]

  • I need to create (or install) a PHP application that needs access to the /tmp directory.
db accounts setprop ibayname PHPBaseDir /tmp/:/home/e-smith/files/ibays/ibayname/
signal-event ibay-modify ibayname

By default if you have PHP code in an IBAY, it can only run in that IBAY. The above commands will allow PHP code in the IBAY to run outside of its installed directory.

Here is a list of all the IBAY specific settings

Reset the root and admin password

1. Restart your server and at the beginning of the boot-up use the arrow keys to select the kernel you would like to boot into.

2. Press A , to allow you to append parameters to your grub boot settings.

3. Be careful not to change anything, only add the following after the A (Be sure to put a space before "single"):

  single

4. Press enter. you will be presented with a prompt.

5. At this prompt type the following two commands (each followed by a return). You will be asked to provide a new password. Reset both your root and your admin password and set them to the same value:

 passwd root
 passwd admin

Reboot your server and everything should be okay now.

File Size Limitations

  • Apache, the web server can only transfer or show files under 2G
  • Backup to USB Disk

FAT32 only supports file size of <4GB. It is recommended that you format your external usb drives to ext3.

External DNS

To allow external users to communicate with your server, you must have correctly configured DNS records. Once you have purchased a domain, you should configure the following records (customised if necessary) to allow web and email communication:

1. An A record, myserver.mydomain.com, pointing to the external IP address of your server

2. A CNAME record, *.mydomain.com, pointing to the A record myserver.mydomain.com [this is a catchall that allows aliases such as www.mydomain.com and mail.mydomain.com to be resolved without having to create multiple CNAME records]

3. An MX record, pointing to myserver.mydomain.com, to allow for email delivery

If your registrar does not allow you to create DNS records, you may use a free service such as http://www.zoneedit.com or similar.

The example shown assumes that your server is operating in Server and Gateway mode and has a static external IP address. Depending on your network design and server configuration, the example may need to be modified. For example, if you use a Dynamic DNS service, you would need to modify the A record to point to your Dynamic DNS hostname, rather than a static IP address.

Domains

  • When I create a DOMAIN, I don't see anything listed in the HOSTNAMES AND ADDRESSES panel for that DOMAIN.

For a domain to be effective (for email or web), it needs to be configured as INTERNET DNS SERVERS (this is the default value). Since the domain resolves via INTERNET DNS SERVERS, no hostnames or addresses are created locally. For more info please visit the Administration Manual section regarding Domains: [[5]]


Virus Scanning

  • When you elect to nightly scan your server for viruses the current default is to scan /home/e-smith/files

Note that early SME 7 Servers defaulted to /.

Also you may want to scan under /opt if have contribs that store user data there

the db property to change to the default

config setprop clamav FilesystemScanFilesystems /home/e-smith/files

or to scan different areas of the server is

config setprop clamav FilesystemScanFilesystems "/home/e-smith/files /opt"


  • How do I exclude some directories from scanning

Set the db value to exclude more directories

The default

 config setprop clamav FilesystemScanExclude /proc,/sys,/usr/share,/var

Change with

config setprop clamav FilesystemScanExclude /proc,/sys,/usr/share,/var,/home/e-smith/files/ibays

After any change, run the signal-event for expand and regenerate configuration files, and restart pertinent services

signal-event clamav-update

Proxy Pass

  • I want to pass some http requests to a server behind my SME Server or external to my site, how can I do this?

You can set a ProxyPass directive that will pass certain requests to an internal or external server that hosts the domain to be proxypassed:

db domains set proxypassdomain.com domain 
db domains setprop proxypassdomain.com Nameservers internet
db domains setprop proxypassdomain.com ProxyPassTarget http://xxx.xxx.xxx.xxx/
db domains setprop proxypassdomain.com TemplatePath ProxyPassVirtualHosts 
signal-event domain-create proxypassdomain.com

where proxypassdomain.com is the domain name hosted on the internal or external server and http://xxx.xxx.xxx.xxx/ is the IP address of the internal or external server eg 192.168.1.20 or 122.456.12.171 (it must be the publicly accessible IP if an external server)


To delete a ProxyPass directive that you previously set up:

db domains delete proxypassdomain.com
signal-event domain-delete proxypassdomain.com


  Note:
If you have added the internal or external server's domain name as a virtual domain on the SME Server, you must remove it prior to issuing these commands. The server-manager domains panel will show the proxy pass entry but you will not be able to edit it, see bugzilla:1612.


Shell Access

  • I need to give a user shell access to the SME Server.

Shell access should only be provided to users who have a *need* for it and can be trusted.

Before a user can have shell access Admin must enable ssh access at

server-manager -> Security -> Remote Access

You then enable shell access for a user by:

db accounts setprop username Shell /bin/bash
chsh -s /bin/bash username

Upgrading Server

  • What's the best way to upgrade to a new server ?

An article is written for this subject. Please visit: UpgradeDisk.

  • Do you want to move a running SME 7 Server installation to new hardware ?

There is a document that describes a method using the Affa contrib. Affa makes it possible to move with a minimal effort and minimal downtime of the production server. Please visit: Moving SME to new Hardware

Changing maximum Ibay, Account or Group name length

  • How do I change the default maximum (12 characters) name length of an I-Bay, account or group?

Enter following command on the console as root:

/sbin/e-smith/db configuration set maxIbayNameLength xx
/sbin/e-smith/db configuration set maxAcctNameLength xx
/sbin/e-smith/db configuration set maxGroupNameLength xx

where 'xx' is the new size e.g. 15.

Followed by:

/sbin/e-smith/signal-event console-save

Deletion of Users Ibays Groups

  • I can't delete & create a user for some reason. What do I do now?

If for some reason you can't delete & create a user, then first do:

signal-event user-delete <username>
db accounts delete <username>
  • I can't delete & create a ibay for some reason. What do I do now?

If for some reason you can't delete & create a ibay, then first do:

signal-event ibay-delete <ibayname>
db accounts delete <ibayname>
  • I can't delete & create a group for some reason. What do I do now?

If for some reason you can't delete & create a group, then first do:

signal-event group-delete <groupname>
db accounts delete <groupname>


  • I was looking in the home directory of a user and I see a hidden directory called ".junkmail". Do I need that? Can I delete it?

Don't remove or rename .junkmail folders.


Access denied to i-bay with newly created group

  • Problem: If I try to write to an i-bay immediately after creating a new group, and being a member of that group, and assigning that group access rights to the i-bay, access is denied. Changing the i-bay access to an older group of which I am a member, access is allowed as desired.
Workaround: log out after creating the group and then log back in

The issue seems to be with samba not SME. See Bugzilla:4961 Privileges are assigned upon logon in Linux, hence the need to log out and then log in again to receive the newly created group's privileges.

Password Strength Checking

  • How can I change password strength & what do the strength settings mean?


  Warning:
It is strongly advised not to set the password strength setting to none as this will lower the security of your server significantly.



  Note:
PAM module requires passwords to be at least 6 characters long, so setting a password that is shorter than that may cause other problems later. SME server default settings enforce 7 character passwords.


The following settings are available to specify the password strength on SME Server:

setting explanation
strong The password is passed through Cracklib for dictionary type word checking as well as requiring upper case, lower case, number, non alpha and a mimimum length of 7 characters.
normal The password requires upper case, lower case, number, non alpha and a minimum length of 7 characters.
none The password can be anything as no checking is done.

Please note that "none" does not mean no password, it just means no password strength checking, so you can enter any (weak) password you want as long as it is at least 7 characters long.

To set password strength do:

config setprop passwordstrength Admin strengthvalue
config setprop passwordstrength Users strengthvalue
config setprop passwordstrength Ibays strengthvalue

where strengthvalue is one of the entries listed in the table above; either "strong", "normal" or "none" .

e.g.

config setprop passwordstrength Users normal

To review the current settings do:

config show passwordstrength

which should display something like:

passwordstrength=configuration
 Admin=strong
 Ibays=strong
 Users=strong

Alternatively, you can install the smeserver-password contrib discussed here: Password

This contrib will let you configure password strength and aging through a web panel in the server-manager.


References:

  1. Old Bugtracker on SF.net: Sme7a22 - user passwords
  2. Bugzilla:161
  3. Bugzilla:2686

Hard Drives, RAID's, USB Hard Drives

  • How should I setup my hard-drives?

We never recommend anything other than a single disk install or multiple disks of the same type. Anything else and you are following an unrecommended setup and you will need to navigate for yourself. Repeat, we never recommend anything other than a single disk install or multiple disks of the same type. If you're thinking of doing anything else (setup your own partitions), read this section again.

  • How should I setup my RAID?

A full article on RAID is found here: Raid


  • I want to use a hardware RAID. What do you suggest?

Please see the notes in the RAID article: Raid#Raid_Notes


  • How do I recover an SME Server with lvm drives

A full article on the recovery method is found here: Recovering_SME_Server_with_lvm_drives


  • I'm installing a RAID 5 but it seems to take a long time. Is there something wrong?

RAID 5 systems (those with 3+ disks) can take a long time during and after the install for everything to sync. Reportedly, it takes almost 2 hours before the disks finally finish syncing on 4 X 80GB disks.


  • If I boot my SMESERVER with a USB hard drive attached, it recognizes the drive. However, after unplugging the drive, then replugging, it no longer exists. Any ideas why?

Reportedly, some external usb hd's must be completely powered up before connecting the usb cable.


  • If I boot my SMESERVER with a USB hard drive attached, it doesn't recognize the drive. Any workarounds for this?

Some USB drives need to be plugged twice into the server to be recognized.


  • Further information regarding USB disks can be found in this HOW TO: USBDisks

Backups & Restores

  • AIT-1 Backup: buffer unreliable

An AIT-1 is unreliable if used with variable block size. Set the setting

config setprop flexbackup TapeBlocksize 512

AIT-2, DAT and LTO seem to work well with variable block size.


  • Slow tape backup performance may be improved by changing Flex backup settings
config setprop flexbackup Blocksize 256
config setprop flexbackup BufferMegs 16


  • In the ADMIN CONSOLE, there is an option to BACKUP TO USB but there are no restore options.

The RESTORE option is only visible on a new install. If you missed this during install, you can

config set PasswordSet no 
signal-event post-upgrade; signal-event reboot 

During reboot reconfiguration process you should see the new restore via USB backup option.

-NOW plug in the usb drive (Do not plug in the usb drive until you reach this point).
-pick YES or RESTORE (or whatever is presented to you)


Supervised Services

  • Many services on SME are supervised, to see which are type
ps ax |grep runsv

To control them read the sv manual

man sv
  • it seems that "sv u http-e-smith" gives no errors, even if the service fails to restart, so you need to use "sv s httpd-e-smith" to check if it fails (example: due to a httpd.conf error)

This is just the way that runsv (part of the runit package) works. The "sv u http-e-smith" only sends a message to runsv saying that we want the service to be up. runsv then will keep trying to get the service running.


Server-Manager

  • I can't access the server-manager. What do I do now?

There are many reasons why you wouldn't be to access the server-manager. First try:

signal-event post-upgrade;  signal-event reboot

If you still can't access, there are reports that a certificates mis-match might have occurred after update. In that case:

rm /home/e-smith/ssl.key/*.key
rm /home/e-smith/ssl.pem/*.pem
rm /home/e-smith/ssl.crt/*.crt
signal-event domain-modify; signal-event reboot


  • I used to access the SERVER-MANAGER with localhost:980 remotely via SSH tunnel and now I can't. What happened?

This feature has been deprecated a long time and finally removed in V7.2

If you really want to use this then forward 443 to localhost:443 and then use https://localhost/server-manager/


  • Using a ssh client, the /server-manager login screen is difficult to read

The text is white, so you need to adjust your ssh client to use a dark background


  • I've renamed my server with the ADMIN CONSOLE. The old name appears under the SERVER-MANAGER, HOSTNAMES panel. It cannot be deleted as there are no MODIFY/REMOVE links.
-login to the shell console
-type: db hosts setprop <local.mycompany.local> static no
-go to the HOSTNAMES & ADDRESSES panel and you should be able to modify/remove the name

Booting with SMP kernel after upgrade to version 7.2 from CD

  • I've upgraded and now the SMP kernel isn't available.

This is because when upgrading to 7.2 from CD, kernel modules are missing for SMP IF the output of "cat/proc/cpuinfo" does not show multiple processors. The SMP kernel, if not present, can be installed via yum using: Do:

yum install kernel-smp kmod-ppp-smp kmod-slip-smp kmod-appletalk-smp
signal-event post-upgrade
signal-event reboot

Details: http://bugs.contribs.org/show_bug.cgi?id=3095

  • I'm getting a kernel panic after upgrade from CD. What do I do now?

When upgrading with a CD, the upgrade will rewrite the grub.conf file. As a result, any additional boot arguments (i.e. acpi=off) will be lost during upgrade. Please edit the grub.conf file.


Special Characters

  • I get strange characters & letters when look at my file names.

If you get filenames that look like: "éèÃ.txt" It's most likely because the SME server isn't understanding special characters you may be using. You can change it to understand special characters in filenames by:

db configuration setprop smb UnixCharSet ISO8859-1
expand-template /etc/smb.conf
/etc/init.d/smb restart


Upstream proxy server configuration

  • How do I configure a mandatory upstream proxy server, there used to be a panel in earlier versions of sme server, but it's missing in sme7.x
config set SquidParent a.b.c.d
config set SquidParentPort nnn
signal-event post-upgrade
signal-event reboot

[The SquidParentPort setting is optional if the upstream proxy is on port 3128.]

From http://forums.contribs.org/index.php?topic=32998.msg140512#msg140512


Memory usage and limits

  • How much memory can sme server handle

SME server currently (v7.3) supports 16GB of RAM, with a maximum of 3GB per process. These limits can easily be increased to 64GB total and 4GB per process by installing and running the "hugemem" variant of the kernel

  • Why does my sme server always seem to be using all the memory, there is no spare memory left

Utilities such as top or htop always report that all available memory is being used. The Linux OS is designed to utilise all available memory all of the time. If other processes require more memory then it is made available to those processes. Fully utilising all the available memory is a good thing as it optimises the performanece of your server.

  • How can I tell if my sme server needs more memory

Watch the availabe swap memory usage eg using top, htop or ps -aux. If swap memory usage regularly exceeds 50% of the available swap memory, then you should add more physical RAM to your system. Other indications that additional RAM is required are "out of memory" messages in log files, and at times the server becomes inactive for a period, often related to spam & virus scanning & high email loads.


This article describes the booting process of SME Server.

Installation

When booting from the installation CD you will get a boot prompt where you can simply press Enter to start the standard installation (or upgrade) routine.

After showing the boot prompt for some time SME will start the installation process automatically. It will then afford you the opportunity to test the installation medium.

Afterwards you can choose which language you want to use for the following installation process.

Boot Options

You can use the function keys F1 to F5 to get more information about different boot options.

  Note:
If installing on a i586 machine you will need to replace sme with smei586 in the following commands.


Normal installation

sme

Set raid type

sme raid=[none,0,1,5,6]
  • For SME Server 8 raid=none and raid=0 are for no software raid, other arguments are for raid levels (eg Raid1, Raid5, Raid6)
  • For SME Server 9 raid=none is for no software raid, other arguments are for raid levels (eg Raid0, Raid1, Raid5, Raid6)


  Note:
For SME Server 9 the option sme raid=none have a different behaviour since the /boot is always made on a software raid 1 called /dev/md0. All other partitions (/ and swap) are without software raid. (see bugzilla:8369)


Set number of spares

In case you have 3 or more hard disks in your server and don't want to have a spare disk

sme spares=[0-(disks-2)]

Set drive type to include

Nominate which drives the installer will use to put the OS onto, not nominating a drive will exclude it from use, if left blank will include all drives

sme drives=[hda,sda,xvda,...]

Set drives to exclude

Nominate which drives the installer will not try to install the OS to eg a boot USB with the iso on it, or other connected backup USB drives, see note below

sme exclude= sdc

To install SME without software RAID

For example MB with fake raid or with 'Config Disk' issue bugzilla:5850

sme raid=none


  Note:
For SME Server 9 raid=0 means that the raid level required is 0 (eg : Raid0). If you want no software raid you have to choose raid=none


To install SME without a logical volume manager type

sme nolvm

To have /, /tmp, /var, /home/e-smith/files and swap on separate partitions type

sme multipart

If you have a driver disk type

sme dd

Installation hangs

The last screen shown is "Welcome to SME Server".

sme ide=nodma

dmraid (SME8.1 off by default)

If required can be appended at boot time

sme dmraid

Installation errors when disks previously used with fake raid.

sme ide=nodmraid

SATA Driver installation error

eg IBM IntelliStation M Pro stalls

sme acpi=off

Intel DG965 Motherboards (G33xx)

sme pci=nommconf acpi=off all-generic-ide 

To enable the rescue mode type

sme rescue

To use an ext4 file system

(except for /boot) instead of the default ext3.

sme ext4


  Note:
For SME Server 9 it is no longer needed to set sme ext4 to have a ext4 file system since it is the default file system


Notes

The installer without anything being passed should behave identically for disks < 10 with the exception that it won't include any device that is housed on a drive that needs the usb-storage or spb2 module.

If you want to include drives that are on USB or firewire you must use the drives= option and specify all drives (not just the usb/firewire drives) that you want to use.

If you don't want to use raid at all specify raid=0 or raid=none (they are identical, 0 means none).

If you don't want a spare you should use the spares= option and specify a value of 0. By default 1 spare will be added for disks > 3. Another spare drive will be added for every additional 7 drives you add (10, 17, ...).

If you specify a raid level but don't have enough drives it will fall back to the next highest raid level (ex. 5 drives, 2 spares, raid 6 will fail back to raid 5 as 5-2=3 useable drives).

From SME ISO releases 7.5.1 and SME 8.0 the installer will automatically exclude the drive containing the install media or ks files. Refer http://forums.contribs.org/index.php/topic,46866.msg230681.html#msg230681

General Boot Help

Certain hardware configurations may have trouble with the automatic hardware detection done during the installation. If you experience problems during the installation, restart the installation adding the noprobe option. With the standard installation that would be

sme noprobe

or e.g. if you don't want a software RAID:

sme noraid noprobe

and so on.

Kernel Parameter Help

Some kernel parameters can be specified on the command line and will be passed to the kernel. This does not include options to modules such as ethernet cards or devices such as CD-ROM drives.

To pass an option to the kernel use the following format:

sme <options>

If a different installation mode is desired, enter it after the option(s).

For example, to install on a system with 128MB of RAM using noprobe mode, type the following:

sme mem=128M noprobe

To pass options to modules, you will need to use the noprobe mode to disable PCI autoprobing. When the installer asks for your device type that needs an option or parameter passed to it, there will be a place to type those in at that time.

Rescue Mode Help

The installer includes a rescue mode which can be used when a system does not boot properly. The rescue mode includes many useful utilities (editor, hard drive and RAID tools, etc.) which will allow one to restore a system to a working state.

To enter the rescue mode, boot your system from the installation CD-ROM and type:

sme rescue

To actually be able to edit files, remount the root partition by typing:

mount -n -o remount /

More

Some problems with booting that cannot or will not be fixed through development of SME8 and solutions on how to bypass them can be found here.

You can run Memtest86 to check your RAM by typing

memtest

at the boot prompt and pressing Enter afterwards.


There are many log files produced by SME Server. Some are standard, some are generated by contributions. This page aims to bring together enough knowledge to understand what generates each log file, what they are for, and how to interpret them.

Access

Access to log files is available with the server-manager, Chapter10#View_log_files and Chapter10#Mail_log_file_analysis

You can also use shell access, eg, to perform more complex searches or manipulations.

Logfile Names

E-mail logfiles

qmail            - details mail distribution (to mailboxes and to other hosts via SMTP). Traces connections, message numbers, bytes, concurrency, and UID.
imap             - connections to the server IMAP folders (IMAP). Shows connections from local device unless IMAP enabled for internet access. Use in conjunction with other logs to trace email.
imaps            - secure connections to the server IMAP folders (IMAPS). Shows connections from local devices unless IMAPS enabled for internet access. Use in conjunction with other logs to trace email.
pop3             - Details connections via pop3 to the server. 
pop3s            - Details connections via pop3s to the server.
smtp-auth-proxy
maillog          - nothing. Empty.
qpsmtpd          - incoming SMTP connections.
sqpsmtpd         - incoming Secure SMTP connections. Authenticated SMTP Via SSL port 465.
clamav           - antivirus
clamd
freshclam        
spamd            - spam

In SME9 IMAP connections are logged in /var/log/dovecot/current

HTTP logfiles

httpd
httpd-admin
squid
squid.run
qpdmtpd

System logfiles

messages
dnscache
iptables
iptraf
mysqld
nmbd
ntpd
oidentd
ppp
yum
tinydns
wan
vbox
cron
sshd
flexbackup
dhcpd
dhcpcd
dmesg
pppoe
pptpd
spooler
radius
radiusd
proftpd
raidmonitor
rpmpkgs
sa
samba
secure
rkhunter.log
boot.log
audit
anaconda.log
anaconda.syslog
lastlog

Error Messages

  • Log message regarding permissions on /var/spool/qpsmtpd/

You may see messages similar to this in your log file:

@400000004326e9472eccc42c 3243 trying to get config for spool_dir @400000004326e9472ed518fc 3243 Permissions on spool_dir /var/spool/qpsmtpd/ are not 0700

They can be safely ignored. Clamav runs under a different user and needs read access to the spool area to avoid copying the file. [[6]]

  • I get messages that look like: (pam_unix)[31705]: session opened for user root by (uid=0)

Most likely these messages coming from a package called SYSSTAT. The package was included in the previous versions of SMESERVER but were removed from the final version of V7. If you see the messages, most likely you had a previous version and upgraded. SYSSTAT isn't needed unless you have a contrib package called SME7ADMIN.

You can safely remove the package by:

yum remove sysstat

Please note that these messages may be caused by other cron jobs (tasks that run automatically) or packages authenticating as root.

  • I get a message saying that: the RSA server certificate CommonName (CN)`servername.domainname.tld' does NOT match server name!

If you change the servername, you will be prompted to reboot. When you do, the SMESERVER will generate a certificate for the new servername-domainname combination and httpd.conf will now reference that new name. References to other virtual domains and hosts will generate warnings in the log.

  • I get: server squid[3145]: WARNING: Disk space over limit: 148412 KB > 102400 KB.

This message is just log noise. The message is informational and squid takes care of the issue itself.

  • I get in the radius log: Info: Using deprecated naslist file. Support for this will go away soon.

This is just the radius daemon (a computer program that runs in the background, rather than under the direct control of a user) complaining about a file that exists in the directory. We don't use it.

  • I get in the clamd log: Error: cli_untar: only standard TAR files are currently supported

Clam (the antivirus portion of SMESERVER) has found a file type which it can't deal with, and so is telling you that it can't scan that file.

Nothing to be concerned about. The fix, if any arrives, will come from the Clam team if they Determine this file format is worthy of their attention.

  • I get in the smeserver-clamscan.log: LibClamAV Warning: Multipart/alternative MIME message contains no boundary header.

This is just log noise. Clamav is scanning badly formatted MIME mail.

  • In the /var/log/messages, I get: 10fix_privilege_tables: ERROR

You can safely ignore these errors. The errors just mean that your tables are already up to date.

  • In the /var/log/messages, I get: rec_read bad magic....

You may also see it with

cat /var/log/samba/* |grep printing |grep 'rec_read bad magic'

You can delete /var/cache/samba/printing/<printer>.tdb files & restart samba.

rm /var/cache/samba/printing/<printer>.tdb
/etc/init.d/smbd restart
  • cannot remove /var/run/dovecot/login: is a directory

You may see this on system startup. It is just noise and doesn't affect anything.

  • I get:
rules: score undef for rule 'MISSING_SUBJECT' in  'MISSING_SUBJECT' at
/usr/lib/perl5/vendor_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line 2140.

Ignore the message. The warnings are just log noise. After a SPAMASSASSIN update, the rules have been added but don't have a score associated with them. So they will be treated as non-existent and result in an error message.

  • I get:
2008-02-21 23:42:51.106904500 ClamAV update process started at Thu Feb 21 23:42:51 2008
2008-02-21 23:42:51.108696500 WARNING: Your ClamAV installation is OUTDATED!
2008-02-21 23:42:51.108700500 WARNING: Local version: 0.92 Recommended version: 0.92.1
2008-02-21 23:42:51.108704500 DON'T PANIC! Read http://www.clamav.net/support/faq
2008-02-21 23:42:51.108708500 main.inc is up to date (version: 45, sigs: 169676, f-level: 21, builder: sven)
2008-02-21 23:42:51.523757500 ERROR: cdiff_apply: lseek(desc, -350, SEEK_END) failed
2008-02-21 23:42:51.523760500 ERROR: getpatch: Can't apply patch
2008-02-21 23:42:51.523764500 WARNING: Incremental update failed, trying to download daily.cvd
2008-02-21 23:42:52.322303500 WARNING: Mirror 193.1.193.64 is not synchronized.

or:

2008-02-22 00:44:14.874648500 Ignoring mirror 193.1.193.64 (due to previous errors)
2008-02-22 00:44:14.878360500 ERROR: Can't download daily.cvd from database.clamav.net
2008-02-22 00:44:14.879769500 Giving up on database.clamav.net...

Ignore the message. CLAMAV will fix itself on its own. The message is from CLAMAV saying it can't reach the updates. The messages will go away once they can be reached. Check Bugzilla:4002 and Bugzilla:3962

If you lose patience waiting for the messages to go away, you can execute the following commands:

cd /var/clamav/
mv mirrors.dat mirrors.dat.old
sv t /service/freshclam
  • After a ClamAV update or when freshclam is run, the following may appear in the log file
LibClamAV Warning: Detected duplicate databases /var/clamav/main.cvd and /var/clamav/main.cld, 
please manually remove one of them

If you just leave it, freshclam should take of this as it is just log noise. See Bugzilla 7164

RK Hunter Messages

Root Kit Hunter performs a daily check of your system, these are common warnings.

/etc/cron.daily/01-rkhunter

  • The following processes are using deleted files

xyz

  • Process '/sbin/XXX' (PID 3869) is listening on the network.

xyz

  • The SSH and rkhunter configuration options should be the same:

xyz

  • Warning: SSH protocol v1 has been enabled

Servers that have been upgraded to 7.3 from 5.5 give warnings that SSL protocol V1 is enabled.

If you know that you do not use SSH protocol V1 (not SSL!), then you can remove protocol 1 by doing:

config setprop sshd Protocol 2
signal-event remoteaccess-update

Is this article helpful to you?
Please consider donating or volunteering
Thank you!


Information on the email subsystem used in SME Server covering sending/recieving, spam filtering, virus checking, webmail, domains and users.

Troubleshooting

I am having trouble getting sme to send and receive email.

Sending and receiving email are separate functions. You need to investigate each individually.

Sending

If SME server does not send mail, you need to examine the /var/log/qmail/current logs to see what happens when it tries. Most commonly problems can be solved by sending via your ISP's mail server, possibly using encryption and/or authentication. Read the manual.

Receiving

If SME server does not receive mail, then you need to ensure that SMTP connections reach your SME server (DNS settings, router configuration, ISP port blocks) and then you need to examine /var/log/qpsmtpd/current logs to determine what SME server does with the incoming connections. Most problems are DNS, router or ISP issues, and have nothing to do with SME server operation or configuration.

qpsmtpd "Connection Timed Out" errors

See Bugzilla:6888 and Bugzilla:2360

A qpsmtpd timeout error may arise, this is not an issue that is caused by SME server directly, however it can become an issue depending on hardware and configuration settings that are contained in and around other enviroments.

It is discussed under various names

As discussed in Bugzilla:6888 a workaround was found that may help in mitigating the issue.

The tracepath utility (included with SME 8.0 and SME 7.6) can be used to locate non-standard MTU values between your SME server and any remote host.

You can discover the smallest MTU between you and google.com (for example) by running this command, then locating the smallest value of "pmtu" in the results:

tracepath google.com

If tracepath returns any value below 1500 between your SME server and a mail server that you need to receive email from, you may need to reset the MTU on the SME server to match the smallest value returned.

For example, if tracepath returns 1492 (typical for internet connections using PPPoE), you would need to set the MTU on your SME server to the same value (1492) using the following:

config setprop InternalInterface MTU 1492
signal-event post-upgrade; signal-event reboot

Webmail broken after upgrade

After the usual post-upgrade and reboot, webmail is broken with messages like the following in the messages log:

Apr 20 17:29:53 mail [4614]: PHP Fatal error:  Call to a member function on a non-object in /home/httpd/html/horde/imp/lib/Block/tree_folders.php on line 65
Apr 20 17:29:53 mail [4614]: PHP Warning:  Unknown(): Unable to call () - function does not exist in Unknown on line 0

As workaround, logout of Horde, close the browser, reopen, log in to Horde, Webmail should now be fully functional. (Based on suggested fix in Bugzilla:5177)

Spam

Spamassassin

Spam filter with Server-Manager

Using the Server-Manager Configuration/E-Mail panel, adjust the settings to these reasonable defaults.

  • Virus scanning Enabled
  • Spam filtering Enabled
  • Spam sensitivity Custom
  • Custom spam tagging level 4
  • Custom spam rejection level 12
  • Sort spam into junkmail folder Enabled
  • Modify subject of spam messages Enabled

I would also recommend blocking all executable content. To do so, select (highlight) all of the attachment types other than zip files (the last two).

Click Save.

How It Works

When receiving an incoming message, the server first tests for RBL and DNSBL listings, if enabled. If the sender is blacklisted, the messages are blocked outright and Spamassassin never sees it.

With this configuration, the spammiest messages, those marked as 12 or above, will be rejected at the SMTP level. Those spam messages marked between 4 and 12, will be routed to the users' (IMAP) junkmail folder. This is done so the users can check for false-positives...valid messages that were classified as spam by SpamAssassin.

Users may check their junkmail folders for false-positives via webmail, or, if they are using an IMAP mail client, by simply checking the junkmail folder exposed by their mail client.

https://servername/webmail

Enable/Disable Filtering Per-User

This procedure doesn't really disable the spam filtering, it just stopps the spam from being routed to the 'junkmail' folder.

Per-user filtering is enabled by default. Disable filtering with the following command, as root:

db accounts setprop USERNAME SortSpam disabled
db accounts show USERNAME                                   # only displays settings
signal-event user-modify USERNAME


Use the Junkmail folder

The Default spamassassin behaviour put spams in the inbox which is very convenient for users in case of false positive, but it is not practical for learning, and especially it does not facilitate the life of the user (setting is available via the manager). If you want to put directly spams in the junkmail folder issue the command above.

config setprop spamassassin SortSpam enabled
signal-event email-update

Message Retention Time

Set spamassassin for automatically delete junkmail. You can change the "days" that spamassassin sets to automatically delete junkmail, to delete after two months

db configuration setprop spamassassin MessageRetentionTime 60  
signal-event email-update 

Spam score Level and Spam score rejection

The "Custom spam rejection level" will only work when "Spam sensitivity" is set to custom.

  1. Open server-manager.
  2. Click e-mail in the navigation pane (left-hand side).
  3. Click Change e-mail filtering settings.
  4. Change "Spam sensitivity" to custom and adjust the settings to your liking.

This happens because by default, no mail (except for viruses) gets rejected without the admin doing something first.

As a reference, the following setting will have the following behaviours :

Sensitivity Spam tagging level Spam rejection level
Custom TagLevel value
(Custom spam tagging level)
RejectLevel value
(Custom spam rejection level)
veryhigh 2 No rejection
high 3 No rejection
medium 5 No rejection
low 7 No rejection
verylow 9 No rejection

X-Spam-Level Header in Email Messages

SME does not create an X-Spam-Level header in processed email messages by default.

To enable this capability:

/usr/bin/yum install --enablerepo=smecontribs smeserver-qpsmtpd-spamassassinlevelstars
signal-event email-update

(Based on Bugzilla:3505)

  Note:
as SME8 this functionality seems to be included --Unnilennium (talk) 09:05, 3 February 2014 (MST)


spamassassin qpsmtpd's plugins email size limit

This db configuration setting sets the maximum email size above which spamassassin will not apply the spam filtering rules as have been set.

The default setting is 500kb, to increase the maximum size, apply the following commands from a root terminal

db configuration setprop spamassassin MaxMessageSize 2000000 

increases message size to 2mb, apply the change with

signal-event email-update

(Based on Bugzilla:7606)

Custom Rule Scores

You can customize the score assigned by a specific Spamassassin rule (SARE_ADULT2 in this case) as follows:

mkdir -p /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf
cd /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf
echo "score SARE_ADULT2 20.000" >> 20localscores
signal-event email-update

You can now add additional tests and custom scores by editing the newly-created template fragment 20localscores and adding new custom scores using:

nano -w /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/20localscores
signal-event email-update

Each custom score goes on its own line. If you enter a score surrounded by parentheses, the "custom" score will be added to the default score for the specified test (use score TEST_NAME (-1) to reduce the score for 'TEST_NAME' by 1)

You can remove these customizations using:

rm -f /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/20localscores
signal-event email-update

References:

SPF mail rejection/flagging policy

  Warning:
Please note that these instructions do not apply to SME9.2 where the version of qpsmtpd (0.96) does all this out of the box. Indeed if

the custom template below is applied (or left in?) to an SME9.2 system, then you may find that emails are denied when they ought to be accepted!


SME server can protect based of SPF records using spamassassin and the 'sender_permitted_from' plugin. The following lines will enable the plugin.

mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/
echo sender_permitted_from spf_deny 1 > 30spf
/sbin/e-smith/expand-template /var/service/qpsmtpd/config/peers/0

Then set your custom rule scores using the Custom Rule Scores section of this page. You should base these scores on your settings in server-manager > Configuration > Email > Change e-mail filtering settings or via db config commands for those with that skillset

echo "score SPF_SOFTFAIL 6.000" >> 20localscores 
echo "score SPF_FAIL 14.000" >> 20localscores
signal-event email-update

In our testing an email that doesn't match SPF records and the sender domain owner has defined a soft fail, if is attributed 6 points and sorted to junkmail folder. If the sender domain owner has defined a hard fail the email attibuted 14 points and is subsequently rejected.
References (but instructions changed to meet new qmail structure):

Pyzor Timeout

See Bugzilla: 5973

  Warning:
SME server 7.# users be aware of an issue that can appear in the /var/log/spamd/current logs

" pyzor: [5281] error: TERMINATED, signal 15 (000f)".


This can be mitigated by the adding of a template fragment.

Template fragment to set a pyzor_timeout based on a value in the config db. If no value is set, there is no output (so pyzor uses it's internal default).

mkdir -p /etc/e-smith/templates/etc/mail/spamassassin/local.cf/50pyzor_timeout
cd /etc/e-smith/templates/etc/mail/spamassassin/local.cf/50pyzor_timeout
nano 50pyzor_timeout

Contents of 50pyzor_timeout

{
  my $pyzor_timeout = ($spamassassin{PyzorTimeout} || 0);
  if ($pyzor_timeout ne '0')
  {
     return "pyzor_timeout " . ($pyzor_timeout);
  }
}

Then a value can be set using:

config setprop spamassassin PyzorTimeout 15
signal-event email-update

Whitelist and Blacklist

If mail comes in and it is misclassified as spam by Spamasassin, you can add the sender to the Spamassassin whitelist so that future messages coming in from that sender are not filtered. Conversely, you can add a spammer to the Spamassassin blacklist so you never see their spam again. Add senders (or their entire domains) to the global whitelist (or blacklist) with commands similar to these (as root):

db spamassassin setprop wbl.global *@vonage.com White
db spamassassin setprop wbl.global *domain2.com White
db spamassassin setprop wbl.global user@domain3.com White
db spamassassin setprop wbl.global spammer@spamdomain.com Black

you can block an entire TLD but please be aware that you might be denying a legitimate email in the future.

db spamassassin setprop wbl.global *@*.xyz Black
db spamassassin setprop wbl.global *@*.link Black

expland template and save the configuration to the database

signal-event email-update

You can view the lists with this command:

db spamassassin show

These lists can be also controlled by the server-manager with the wbl contrib http://wiki.contribs.org/Email_Whitelist-Blacklist_Control

Testing

You can check the auto-learning statistics with this command. You will be able to note the accumulation of the spam tokens (or not). Note that the Bayesian filtering must receive 200 spam messages before it starts to function, so don't expect instantaneous results.

sa-learn --dump magic

You can check the spam filter log with this command:

tail -50 /var/log/spamd/current | tai64nlocal

Check spamassassin configuration like this:

spamassassin -D --lint

If you ever see an error such as:

warn: bayes: cannot open bayes databases /etc/mail/spamassassin/bayes_* R/W: tie failed: Permission denied

Try adjusting some permissions with these commands:

chown :spamd /var/spool/spamd/.spamassassin/*
chmod g+rw /var/spool/spamd/.spamassassin/*

Real-time Blackhole List (RBL)

Enabling RBL's
RBL's are disabled by default to allow maximum accommodation (your ISP may be on a RBL & you may not know it). You can enable RBL's by:

config setprop qpsmtpd DNSBL enabled RHSBL enabled
signal-event email-update

You can see your RBL's by:

config show qpsmtpd

You can add to your RBL's by:

config setprop qpsmtpd RBLList <rbl-list-name>
signal-event email-update

Many will argue what's best, some say the SME defaults are too aggressive and affect some popular free webmail accounts, but most would agree that you can set stable, conservative and non aggressive settings by:

config setprop qpsmtpd RBLList zen.spamhaus.org
signal-event email-update

A conservative setting for the associated DNSBL SBLList is:

config setprop qpsmtpd SBLList dbl.spamhaus.org
signal-event email-update


Note: More information on this topic can be found here: [7] [8]

Possible issues with RBL

When an external dns provider is set in the console menu, it may interfere with some blacklists activated here (RHSBL and DNSBL). The black.uribl.com is know to bounce all emails in this case with a rejection message delivered to the sender. You can in this case

  • Remove the black.uribl.com of your SBLList
config setprop qpsmtpd SBLList multi.surbl.org:rhsbl.sorbs.net:dbl.spamhaus.org
signal-event email-update
  • Let the SME Server being the only dns resolver by removing the dns provider/forwarder in the console menu.

See http://uribl.com/about.shtml#abuse for more information about this issue with black.uribl.com

Obsolete lists

These lists can not be used with smeserver. A migrate fragment will remove them from your settings each time you reconfigure your server.

  • RBLList
      combined.njabl.org
      list.dsbl.org
      multihop.dsbl.org
      dnsbl.ahbl.org
  • SBLLIST
      blackhole.securitysage.com
      bulk.rhs.mailpolice.com
      fraud.rhs.mailpolice.com
      porn.rhs.mailpolice.com
      adult.rhs.mailpolice.com
      bogusmx.rfc-ignorant.org
      ex.dnsbl.org

Server Only

Some of the spam filter rules cannot work unless the SMESERVER knows the external IP of the box. If you put a SMESERVER in server-only mode behind other firewalls, it will lose some of the anti-spam rules. For example, the rule that blocks attempts where spammers try "HELO a.b.c.d" where a.b.c.d is your external IP address.

Unfortunately, many admins believe that port-forwarding SMTP provides additional security. It doesn't, it limits the SMESERVER's ability to apply some rules.


I want to enable GreyListing

GreyListing support is under the covers and can easily be enabled for those who know what they are doing. However, many experienced users found that they spent more time looking after the greylisting configuration than they received in benefit. see Greylisting

Bayesian Filtering

From Wikipedia:

Naive Bayes classifiers work by correlating the use of tokens (typically words, or sometimes other things), with spam and non-spam e-mails and then using Bayes' theorem to calculate a probability that an email is or is not spam.

SME server supports bayesian filtering, but does not have it enabled by default.

Enabling bayesian filtering, autolearning, and spam/ham training allows spamassassin to learn from received email and improve spam filter performance. Bugzilla: 6822

Bayesian Autolearning

The following command will enable the bayesian learning filter and set thresholds for the bayesian filter.

config setprop spamassassin UseBayes 1
config setprop spamassassin BayesAutoLearnThresholdSpam 6.00
config setprop spamassassin BayesAutoLearnThresholdNonspam 0.10
config setprop spamassassin UseBayesAutoLearn 1
expand-template /etc/mail/spamassassin/local.cf
sa-learn --sync --dbpath /var/spool/spamd/.spamassassin -u spamd
chown spamd.spamd /var/spool/spamd/.spamassassin/bayes_*
chown spamd.spamd /var/spool/spamd/.spamassassin/bayes.mutex
chmod 640 /var/spool/spamd/.spamassassin/bayes_* 
config setprop spamassassin status enabled
config setprop spamassassin RejectLevel 12
config setprop spamassassin TagLevel 4
config setprop spamassassin Sensitivity custom
config setprop spamd SpamLearning enabled
signal-event email-update

These commands will:

  • enable spamassassin
  • configure spamassassin to reject any email with a score above 12
  • tag spam scored between 4 and 12 in the email header
  • enable bayesian filter
  • 'autolearn' as SPAM any email with a score above 6.00
Note: SpamAssassin requires at least 3 points from the header, and 3 points from the body
to auto-learn as spam.
Therefore, the minimum working value for this option is 6, to be changed in increments of 3,
12 considered to be a good working value..
  • 'autolearn' as HAM any email with a score below 0.10

Check the bayes stats with the command:

sa-learn --dump magic

The database is located in /var/spool/spamd/.spamassassin/bayes

LearnAsSpam / LearnAsHam (spam/ham training)

LearnAsSpam & LearnAsHam are scripts that can be installed on your server to allow users to manually "train" the bayes database. Training is done by users moving Spam from their Inbox to the "LearnAsSpam" folder, and by COPYING real email that was delivered to junkmail into the "LearnAsHam" folder. All messages in both LearnAsSpam and LearnAsHam are deleted once they have been processed and their tokens have been added to the bayes database.

To install:

  • Enable bayes database as described in Bayesian Autolearning (not the best approach, prefer manual learn by user), or
  • Install smeserver-learn as per wiki page Learn(and keep auto-learning off), then
  • Instruct your users to move any SPAM they find from their Inbox to their LearnAsSpam folder, and to COPY any non-spam (ham) they find in their junkmail folder into their LearnAsHam folder.

This is a really efficient way to reduce impact of SPAM to your particular installation. Do not fear to run again files that are tagged as SPAM, as they will either get ignored if all their patterns are known, or the Bayes might catch one more pattern that could help you to get ride of the next incoming SPAM to even get accepted.

If you want, the code below counts how many e-mail are in LearnAsSpam and LearnAsHam directories (of all users). It's useful to know if your users are using those folders. However Learn will send you a report after each pass. If you are interested on the number of emails lefts in the junkmail directory without any attention, you could install smeserver-mailstats and activate the option to account for them

#!/bin/bash
#  ContaLearn.sh

#for compatibility with older versions without rpm, testing
[  `/sbin/e-smith/db configuration getprop LearnAsSpam dir` ] &&
LearnAsSpam=`/sbin/e-smith/db configuration getprop LearnAsSpam dir` || LearnAsSpam='LearnAsSpam';
[  `/sbin/e-smith/db configuration getprop LearnAsHam dir` ] &&
LearnAsHam=`/sbin/e-smith/db configuration getprop LearnAsHam dir` || LearnAsHam='LearnAsSpam';
JunkMail='junkmail';

echo
date
declare -i tspam
declare -i tham
declare -i tleft
declare -i tnseen

printf "%-25s %-11s %-11s %-11s %-11s \n" "User" "LearnAsSpam" "LearnAsHam" "JunkMail" "NotSeen"
pushd /home/e-smith/files/users/ >>/dev/nul
for u in `ls ` #| grep -v admin`
do
[ "$u" = "admin" ] && mailpath="/home/e-smith/" ||  mailpath="/home/e-smith/files/users/$u" ;
  spam=`ls -1 $mailpath/Maildir/.$LearnAsSpam/cur |wc -l`
  ham=`ls -1 $mailpath/Maildir/.$LearnAsHam/cur |wc -l`
  left=`ls -1 $mailpath/Maildir/.$JunkMail/cur |wc -l`
  nseen=`ls -1 $mailpath/Maildir/.$JunkMail/new |wc -l`
  if  [[ $spam > 0 ]] || [[ $ham > 0 ]] || [[ $left > 0 ]] || [[ $nseen > 0 ]];   then
     printf "%-25s %-11d %-11d %-11d %-11d \n" $u $spam $ham $left $nseen
  fi
  tspam=$tspam+$spam
  tham=$tham+$ham
  tleft=$tleft+$left
  tnseen=$tnseen+$nseen
done
echo "----------------------------------------------------------------------"
printf "%-25s %-11d %-11d %-11d %-11d \n" "Total:" $tspam $tham $tleft $tnseen
echo
popd >>/dev/nul

Learn Contrib

The Learn contrib is intended to install and configure the bayes training tools LearnAsSpam & LearnAsHam.

Reset the Bayes Database

Based on this forum post http://forums.contribs.org/index.php/topic,50712.msg258844.html#msg258844 it may be advantageous to remove the bayes database every few years & recreate it, in order to improve spam filtering performance.

Follow these instructions to turn bayes OFF, delete the database, create an empty database, and turn bayes back on:

config setprop spamassassin UseBayes 0
signal-event email-update
'rm' /var/spool/spamd/.spamassassin/bayes* 
config setprop spamassassin UseBayes 1
expand-template /etc/mail/spamassassin/local.cf
sa-learn --sync --dbpath /var/spool/spamd/.spamassassin -u spamd
chown spamd.spamd /var/spool/spamd/.spamassassin/bayes_*
chown spamd.spamd /var/spool/spamd/.spamassassin/bayes.mutex
chmod 640 /var/spool/spamd/.spamassassin/bayes_* 
signal-event email-update

Updates to smeserver-spamassasin now require two new config db settings to have bayesian autolearning enabled. See forum post https://forums.contribs.org/index.php/topic,54320.msg284208.html#msg284208

The Sonora Communications "Spam Filter Configuration for SME 7" howto

http://www.sonoracomm.com/support/19-inet-support/49-spam-filter-configuration-for-sme-7

GeoIP: spam blocking based on geographical information

The GeoIP plugin for Spamassasin lets us know where our mail server is receiving mail from. If we're receiving too much spam from a particular location, this will help track it down. We can then use that info to reject connections from that place taking the load off our server.


  Note:
This can be a crude way of blocking spam and potentially also block legitimate users!


You can find information how to install and use it on the GeoIP page.

Anti Virus

SME Server uses Clam AntiVirus (http://www.clamav.net) as the default and built-in anti virus engine.

Signatures

By default SME Server will automatically get virus signature database updates from ClamAV.

Other people and organizations have developed additional signatures which can also be used with ClamAV to provide extra protection. Databases of these signatures can be downloaded and installed on SME Server, and used by ClamAV

In order to automate the download and installation of the additional databases, as well as control which databases you use, follow the instruction in the Virus:Additional Signatures Howto

Heuristic Scan

HeuristicScanPrecedence is a new option in clamav 0.94.

When enabled, if a heuristic scan (such as phishingScam) detects a possible virus/phish it will stop scan immediately. Recommended, saves CPU scan-time.

To enable this feature:

config setprop clamav HeuristicScanPrecedence yes
expand-template /etc/clamd.conf
sv t clamd

Default is disabled.

Attachment Filtering

The functionality to block possible executable and virus files attached to emails has been incorporated into SME Server v7.x. See the Email panel in server manager.

Additional file signature patterns can be added to the SME defaults. See the Virus:Email Attachment Blocking Howto for further information

Email Clients

"concurrency limit reached" when using IMAP

Sometime shows as Thunderbird giving this error message, This Mail-server is not a imap4 mail-server

To workaround thunderbirds limitations change, this thunderbird setting to false

  • Preferences, Advanced, Config editor (aka about:config): filter on tls.
  • set security.enable_tls to false

If the total concurrency limit is reached, it'll look like this in /var/log/dovecot/current:

@400000005a1c2c1f19c9381c master: Warning: service(imap): process_limit (2) reached, client connections are being dropped

@400000005a1c2c291a4712dc imap-login: Error: read(imap) failed: Remote closed connection (destination service { process_limit } reached?)

@400000005a1c2c291a471aac imap-login: Error: read(imap) failed: Remote closed connection (destination service { process_limit } reached?)


For the per IP concurrency limit, it'll be like this:

@400000005a1c2c6214542b94 imap-login: Info: Maximum number of connections from user+IP exceeded (mail_max_userip_connections=2): user=<someone>, method=PLAIN, rip=192.168.x.y, lip=192.168.z.t, TLS, session=<abcdefgh>

@400000005a1c2c6233f1bcb4 imap-login: Info: Maximum number of connections from user+IP exceeded (mail_max_userip_connections=2): user=<someone>, method=PLAIN, rip=192.168.x.y, lip=192.168.z.t, TLS, session=<ijklmnop>

The following commands will give your the current value:

db configuration getprop imap ConcurrencyLimit || echo 400
db configuration getprop imap ConcurrencyLimitPerIP || echo 12

You can also increase the ConcurrencyLimitPerIP and/or ConcurrencyLimit value for imap and/or imaps (secure)

config setprop imap ConcurrencyLimitPerIP 20
config setprop imaps ConcurrencyLimitPerIP 20
signal-event post-upgrade; signal-event reboot
  Note:
for sme9, only the key imap has properties ConcurrencyLimitPerIP,checkConcurrencyLimit,ProcessMemoryLimit. If you set these properties to the key imaps, a migrate fragment will remove them automatically.


To see configuration:

config show imap
tail -f /var/log/dovecot/current | tai64nlocal  #out of date

More detail can be found here or here.


  Tip:
You can see if you are running out of the number of available connections in your log file /var/log/imaps/current and look for messages like the log extract below where the ConcurrencyLimitPerIP was set to 20. A 21st connection was attempted and was denied.
tcpsvd: info: pid 30693 from 10.1.0.104
tcpsvd: info: concurrency 30693 10.1.0.104 21/20
tcpsvd: info: deny 30693 0:10.1.0.21 ::10.1.0.104:49332 ./peers/10.1.0


  Tip:
Mobile devices have a tendency to frequently disconnect and connect from the network. When this disconnect happens, the sessions on the server are not always immediately cleaned up (they get cleaned up after a time out of some minutes). When the email client reconnects, they create new network connections and you get into the situation that these new connections get denied because of the concurrency limit. On the mobile device this may be noted as a "Unable to connect to server" message.


  Tip:
Some email clients use a separate connection per imap folder, so the concurrency limits may occur for users that have many imap folders.


Mail server is not an IMAP4 mail server

This is a bug in Thunderbird, the previous tips may help.

The Bat

The gives this error message, but they are wrong.
"This server uses TLS v3.0 which is considered to be obsolete and insecure. The server must use TLS v3.1 or above."


Outlook/Outlook Express give error 10060/0x800CCC90

Most likely OUTLOOK (EXPRESS) isn't configured correctly.

-open OUTLOOK
-click TOOLS > ACCOUNTS
-click CHANGE (on the right-hand side)
-find INCOMING MAIL SERVER & OUTGOING MAIL SERVER (on right-hand side)
-type: mail.yourdomain.tld (in both places)
-click MORE SETTINGS (on bottom-right)
-click OUTGOING SERVER tab (at the top)
-checkmark "MY OUTGOING SERVER REQUIRES AUTHENTICATION"
-bullet "USE SAME SETTINGS AS INCOMING MAIL SERVER"
-click ADVANCED tab (at the top)
-find OUTGOING SERVER
-checkmark "THIS SERVER REQUIRES A SECURE CONNECTION" (under outgoing server)
-change 25 to 465
-[possibly required, secure IMAP is 993]
-click OK > NEXT > FINISHED
-you're finished, your email should work now

Outlook 2013 on Windows 10 gives "An unknown error occurred, error code 0x8004011c" when attempting an IMAP connection for a DOMAIN user

This is a known issue with the above combination of Windows and Outlook version as of 2015-02-18 (see: Bug 9618).

The following registry key resolves the issue: To work around this problem, set the value of the ProtectionPolicy registry entry to 1 to enable local backup of the MasterKey instead of requiring a RWDC in the following registry subkey:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb] 
"ProtectionPolicy"=dword:00000001

The PortectionPolicy entry may need to be created

Outlook 2013 on Windows 8.1 gives error 0x800CCC1A when sending over SMTP port 465

This is a known issue with the above combination of Windows and Outlook version as of 2015-02-18 (see: Bug 8854).

The following client-side workaround has been suggested on the dovecot mailinglist:

Disable TLS1.2 on the Windows 8.1 client, using a registry entry:

 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS1.2\Client]
 "DisabledByDefault"=dword:00000001
 "Enabled"=dword:00000000

If the registry entry above does not exist on your system, you will have to create it manually.

Whether this is OpenSSL or Microsoft's "fault" is currently not answered.

Outlook test message doesn't come through

You clicked the TEST ACCOUNT SETTINGS in OUTLOOK didn't you? This is a bug in OUTLOOK. The test message sends a test email with 'no Date header'. As the name suggests, this means a message without any date. Since the server doesn't accept mail with 'no Date header' (because it's required) the message is rejected. To test, send an actual message from OUTLOOK.

If you want, you can try THUNDERBIRD. It's like OUTLOOK but made by a different company. It's completely free and works very well at home and at the office.

I can't receive/send email from my application (ACT!, vTiger, MS Outlook, etc)

Most likely, this is a bug the application you're using and not a problem with the SMESERVER. The application sends an email with 'no Date header'. As the name suggests, this means a message without any date. Since the server doesn't accept mail with 'no Date header' (because it's required) the message is rejected.

As a workaround you can disable the check for the 'Date header'. To disable this check on the internal interface:

mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
echo "# 17check_basicheaders disabled by custom template" > \
17check_basicheaders
signal-event email-update

To disable this check for the external interface:

mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0
echo "# 17check_basicheaders disabled by custom template" > \
17check_basicheaders
signal-event email-update

After I upgrade my SME Server, my email folders have disappeared when using IMAP

After upgrade, if there are missing IMAP folders, the client may need to re-subscribe to folders. This may affect either webmail users or users who use an IMAP email client.

Entourage: Using SME's Self-Signed Certificate for SSL Connections from Entourage on OS X 10.4

The main problem here is that Entourage will only support trusted, PEM Base-64 Encoded certificates. To use IMAPS or SMTPS from Entourage with your SME server, you will need to:

1. Login to your Mac as a user with administrative privileges

2. Open Safari and browse to https://smeserver/server-manager.  
   When you receive the warning about your certificate:
   - click on "Show Certificate"
   - click and drag the gold-rimmed image of a certificate to your desktop.  
   You will now have myserver.mydomain.tld.cer on your desktop.

3. Locate and open the Microsoft Cert Manager
   - "Import" the certificate you downloaded in step 2.

4. Highlight the imported certificate and "Export" it. 
   - Select the "PEM..." format
   - add "pem." to the beginning of the filename
   - export it to your Desktop

5. Double-click on the new pem.myserver.mydomain.tld.cer  
   - Apple's Keychain Access application will open.
   - Select the X509Anchors Keychain and click "OK"

6. While still in Apple's Keychain Access, select the "Certificates" category
   - Drag pem.myserver.mydomain.tld.cer into the certificates window.

You should now be able to connect to your SME from your Entourage using IMAPS.

If you are accessing your SME server using a different name than the one encoded in the certificate you will still receive a security warning from Entourage, but "OK" will now grant access to your folders.

Notes:

  • Procedure mostly taken from http://www.kerio.com/manual/kmsug/en/ch09s06.html
  • I still get various other IMAP errors due, I suspect, to the "concurrency limit reached" issue.
  • Click on "Show Keychains" in Apple's "Keychain Access" if you need to delete a certificate and try again.

How do I get my e-mail to show the correct From Address

The From address on an e-mail is not supplied by the server. It is supplied by the e-mail client.

  • Configure your Account in your e-mail client with the correct FROM address.
  • You can change the FROM address in webmail with the following:
    • Login to webmail as the user, go to options-personal information and change the identity to have the correct FROM address. You can have multiple identities with a single user.

Some system generated email is created by the server, some contribs may send mail externally, in these cases you need a valid domain name for the server, buy one or use a free provider like dyndns.org

Outlook 365 / Outlook 2019 IMAP Configuration

Microsoft has disabled the ability to enter the IMAP/SMTP username in the account setup wizard in Outlook 365 / 2019 for Windows. The wizard used within Outlook requires that the IMAP/SMTP username be the full email address.

To work around this issue, setup the account using "Mail (Microsoft Outlook 2016)" in the Windows control panel:  

Server Settings

qmail ConcurrencyLocal

The default value for /var/qmail/control/concurrencylocal is 20. This setting controls the maximum amount of simultaneous local deliveries.

There is a optional database property (does not show unless changed from the default setting) called ConcurrencyLocal for qmail in the config database. The ConcurrencyLocal property changes the value stored in /var/qmail/control/concurrencylocal.

It can be set, for example to decrease the local concurrency limit

config setprop qmail ConcurrencyLocal 6
signal-event email-update

qmail ConcurrencyRemote

The default value for /var/qmail/control/concurrencyremote is 20. This setting controls the maximum amount of simultaneous remote deliveries.

There is a optional database property (does not show unless changed from the default setting) called ConcurrencyRemote for qmail in the config database. The ConcurrencyRemote property changes the value stored in /var/qmail/control/concurrencyremote.

It can be set, for example to decrease the remote concurrency limit

config setprop qmail ConcurrencyRemote 10
signal-event email-update

Refer also this comment by CB

http://forums.contribs.org/index.php/topic,50091.msg251320.html#msg251320

How long retry before return e-mail as undeliverable

To configure how long SME server will try to delivery a message before return a permanent error

mkdir -p /etc/e-smith/templates-custom/var/qmail/control
echo 172800 > /etc/e-smith/templates-custom/var/qmail/control/queuelifetime
expand-template /var/qmail/control/queuelifetime
sv t qmail

The default value is 604800 seconds, or one week.
The example above shows 172800 seconds, or two days (a weekend for infra upgrade!)

source: http://forums.contribs.org/index.php/topic,47471.0.html


Double bounce messages

To stop admin receiving double bounce messages

config setprop qmail DoubleBounceTo someoneuser
signal-event email-update

Or just delete them. You risk losing legitimate double bounces (which are rare, but you want to look at them when they do occur)

config setprop qmail DoubleBounceTo devnull
signal-event email-update

see a longer explaination here

Keep a copy of all emails

You may need to keep a copy of all emails sent to or from your email server. This may be for legal, or other reasons.

The following instructions will create a new user account (default is maillog) and forward every email that goes through your SME server to it.

First, log onto the server-manager and create the user maillog

Go to the SME Command Line (logon as root) and issue the following commands:

config setprop qpsmtpd Bcc enabled
signal-event email-update

Optionally make the forwarding of the emails invisible to the end user. Without it, there will be an X-Copied-To: header in each email. Run this command before the signal-event

config setprop qpsmtpd BccMode bcc

If you want to view the emails, point your email client at the SME and log on as maillog.

You can modify the default user:

config setprop qpsmtpd BccUser someuser

Keep a copy of outgoing emails only

In addition to the commands in the previous section we will also have to create a custom template as follows:

Log in as root or a user with root privileges

mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/
cp /etc/e-smith/templates/var/service/qpsmtpd/config/peers/0/13bcc /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/
nano -w 13bcc

change the code to:

{
     return "# bcc disabled" unless ($qpsmtpd{Bcc} eq "enabled");
     return "bcc mode " . $qpsmtpd{BccMode} . " outgoing " . $qpsmtpd{BccUser};
}

Save by pressing Ctrl x at the same time and confirm with y

Then enable the changes with

signal-event email-update

More info:

perldoc /usr/share/qpsmtpd/plugins/bcc

Set Helo hostname

Default is set to the hostname.domain, but sometime you might want to have something else to answer with the same as your reverseDNS. You can do one of the followings to only adjust the helo name:

config setprop smtpd HeloHost mydomainname
signal-event email-update

or the following to adjust the way your server will present itself everywhere (httpd, qpsmtd...) This might trigger the generation of new ssl certificate, so use it only if you are sure this is what you want to do.

config set DomainName mydomainname
signal-event domain-modify
signal-event email-update

Set max email size

  • IMPORTANT: bugzilla: 7876 points out that if your system has /var/service/qpsmtpd/config/databytes it should be deleted. (Fixed as of smeserver-qpsmtpd-2.4.0-7.el6.sme.noarch - see bugzilla: 8329).

There are several components involved in sending email on a SME server. Each component has a size limit that may affect an email message that passes through the server.

Be aware that email size is not the same thing as attachment size. Binary attachments to email are encoded using techniques that result in email sizes that can be as much as 30% larger than the original attachment. Most major email clients (Thunderbird, Apple Mail, Outlook) allow you to enable a "message size" column in the message list that will show you the size of your email messages (More).

Subsystem Function Default Limit Command to change size Notes
qmail Delivers email to local mailboxes and to remote servers 15000000 config setprop qmail MaxMessageSize xx000000 Value is in BYTES. 15000000 equals approximately 15MB.
No value means no limit.
clamav Used to scan emails and attachments 15M config setprop clamav MaxFileSize 15M Value includes human-readable abbreviations. "15M" equals 15 MegaBytes.
clamd Involved in attachment virus scanning 1400000000 config setprop clamd MemLimit 1400000000 May require increase per this forum topic
qpsmtpd The clamav plugin to qpsmtpd is called with a specified size limit. 25000000 config setprop qpsmtpd MaxScannerSize xx000000 Value is in BYTES.
Question: does this value override the setting of 'MaxFileSize', or will the smaller value prevail?
php The php maximum file upload size will determine the largest file you can attach to an email message using horde (or any other php email client) 10M config setprop php UploadMaxFilesize 10M

clamav

A note about clamav:
ClamAV includes settings to prevent the scanning of archives that could cause problems if fully expanded; if an attachment cannot be scanned, it will be rejected.

In order for changes to take effect, run:

signal-event email-update

These attributes could result in the rejection of a compressed attachment on a SME server:

  • ArchiveMaxCompressionRatio (default 300)
  • MaxFiles (default 1500)
  • MaxRecursion (default 8)

spamassassin

By default the qpsmtpd 'spamassassin' plugin does not pass any messages over 500,000 bytes to spamassassin for scanning.

To change this behavior:

 db configuration setprop spamassassin MaxMessageSize 2000000 

increases message size to 2,000,000 bytes. Apply the change with

signal-event email-update

Change Horde Webmail Login Page 'Welcome To' Title

The login page for Webmail defaults to "Welcome to Horde Webmail". In order to change this to something like "Welcome to MyDomain Mail"

config setprop horde Name "MyDomain Mail"
signal-event email-update

See also:

Other configurable Horde settings DB_Variables Configuration#Horde_(webmail)

Forum post 31093

Add the admin user as an administrator for Horde

config setprop horde Administration enabled 
signal-event email-update

Large attachments not displaying in webmail

Due to limits set in the PHP configuration it might be that webmail will not display large attachments (see also bugzilla:3990). The following entries are related to the error and can be found in the log files:

/var/log/messages

Mar 13 00:00:12 box1 httpd: PHP Fatal error:  Allowed memory size of 33554432 bytes exhausted (tried to allocate 154 bytes) in /home/httpd/html/horde/imp/lib/MIME/Contents.php on line 173

/var/log/httpd/error_log

Allowed memory size of 33554432 bytes exhausted (tried to allocate 0 bytes)

The default MemoryLimit setting in PHP is set to 32M the value can be changed using the commands below replacing XX with the value you desire.

  Note:
You can set the MemoryLimit any value you like but be sure to add the capital M as a suffix for Megabytes.


db configuration setprop php MemoryLimit XXM
expand-template /etc/php.ini
sv t httpd-e-smith

Disable mail to a user from an external network

However, this seems to only affect /var/qmail/control/badrcptto - denying external delivery to your users but allowing outbound emails: http://forums.contribs.org/index.php?topic=40449.5

Can be either a user, pseudonym or group

db accounts setprop groupname/username/pseudonym Visible internal
signal-event email-update

If you want to remove

db accounts delprop groupname/username/pseudonym Visible
signal-event email-update
  • If you need to restrict emails for all users you can perform this command line
db accounts show | awk -F "="  '/\=user/ {print $1}' |while read USER; do db accounts setprop $USER Visible internal; done
signal-event email-update

If you want to remove

db accounts show | awk -F "="  '/\=user/ {print $1}' |while read USER; do db accounts delprop $USER Visible; done
signal-event email-update
  Note:
Please note that admin and other system accounts can not be hidden from external network this way.

Also note that Pseudonyms can be set to internal only using the server-manager.


I can't receive mail at: user@mail.domain.tld

Add mail.domain.tld as a virtualdomain.

-login to SERVER-MANAGER
-click DOMAINS (on the left)
-click ADD
-type: mail.domain.tld

How do I find out who is logged into webmail and what IP number.

This is logged is in /var/log/messages.

Allow SMTP relay of mail without encryption/authentication

Change the configuration of the system from the default, so that it no longer requires encryption/authentication before allowing relaying of mail.

  • For most case, you really want to allow few specific clients on your LAN or trusted networks, this is done by setting a coma separated list of ip this way (replace IP1, IP2, IP3 by valid ips).
config set qpsmtpd UnauthenticatedRelayClients IP1,IP2,IP3
signal-event email-update
  • In some case you would have a whole dedicated network with appliances needing to send email without auth, this is done this way
db networks setprop {$network} RelayRequiresAuth disabled
signal-event email-update
  • In case you needs are not fulfilled because you need to accommodate a list of remote IP or a sub network of a larger trusted network, you can create a custom template. Here for reference the accepted formats:
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients
# a subnetwork by only using a prefix of full ip
echo "10.10.0.">>  /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80custom
# an external ip
echo "99.10.1.23" >> /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80custom
# an external network you control
echo "164.163.12.1/30" >> /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80custom
signal-event email-update
  • Disable smtp authentication on all local interfaces as shown in Bugzilla: 6522
config setprop qpsmtpd RelayRequiresAuth disabled
signal-event email-update

SMTP Authentication TLS before Auth disable & enable

Since SME v7.5 the default for SMTP Authentication is 'requires TLS before Auth' to increase security. Where a SME7.4 or earlier server with SMTP & SSMTP authentication enabled has been upgraded, users are now unable to send mail. Users will need to enable TLS or Auto for the Authentication encryption setting in their email clients. Some older email clients and devices do not support TLS.

A fix was released in SME7.5.1 to allow this setting to be disabled (ie revert to SME7.4 functionality). Upgrade to SME7.5.1 before using these commands.

To disable this (AUTH without TLS) & revert to SME7.4 defaults do

config setprop qpsmtpd TlsBeforeAuth 0
signal-event email-update

To change back to the sme7.5 & greater default (AUTH with TLS) do

config setprop qpsmtpd TlsBeforeAuth 1
signal-event email-update

See http://forums.contribs.org/index.php/topic,46218.0.html

http://bugs.contribs.org/show_bug.cgi?id=5997

Internet provider's outgoing port 25 is blocked: How to set an alternative outgoing port for the SMTP server

If your Internet provider is blocking outgoing smtp port 25 on your internet connection but your provider is offering an alternative outgoing port (or when using some relay service) you can simply set this alternative port by adding it to the 'Address of Internet provider's mail server' value in the 'E-mail delivery settings' screen of the server-manager like this:

<internet providers mail server name or ip-address>:<alternative port>

For example: mail.mydomain.com:587

This setting does not alter the incoming smtp mail server port on SME server, which will still use port 25. Refer to a workaround in http://wiki.contribs.org/PortRedirect

How do I enable and configure a disclaimer in email messages

A disclaimer message can be added to the footer of all outgoing email messages.

The message can be the same for all domains or it can be different for all domains.

This functionality is part of sme7.2 release so make sure you have upgraded before doing this.

To create a general disclaimer for all domains on your sme server

config setprop smtpd disclaimer enabled
nano -w /service/qpsmtpd/config/disclaimer

Enter the required disclaimer text

To save & exit

Ctrl o
Ctrl x

To make the changes take effect

signal-event email-update


To create domain specific disclaimers, create seperate domain based disclaimer text files

Delete the general (all domains) disclaimer file if you have already created it

rm  /service/qpsmtpd/config/disclaimer
config setprop smtpd disclaimer enabled
nano -w /service/qpsmtpd/config/disclaimer_domain1.com.au
nano -w /service/qpsmtpd/config/disclaimer_domain2.com
nano -w /service/qpsmtpd/config/disclaimer_domain3.org

Enter the required text in each disclaimer file

To save & exit

Ctrl o
Ctrl x

After making any changes remember to do

signal-event email-update


Note if you only wish to have a disclaimer for some domains, then only create a disclaimer text file for those domains


Note also the criteria for when a disclaimer is attached

(see http://bugs.contribs.org/show_bug.cgi?id=2648)

eg a disclaimer is added to internal to external messages but not internal to internal messages.

To disable the disclaimer function for all domains on your sme server

config setprop smtpd disclaimer disabled
signal-event email-update

Email WBL server manager panel

There is a server-manager contrib to allow GUI control of email white and black lists, detailed in the wiki article: Email_Whitelist-Blacklist_Control.

The panel allows easy configuration of functionality that is built into qmail, qpsmtpd and spamassassin. For more information google for qmail & qpsmtpd, read the spamassassin section in this wiki article and see Email#Default_Plugin_Configuration default qpsmtpd plugin confguration).

There are two main sections, Blacklist and Whitelist, where you can control settings.

Note that there are subtle differences in syntax between whitelist and blacklist entries

Blacklist - Black lists are used for rejecting e-mail traffic

 DNSBL status      - DNSBL is an abbreviation for "DNS blacklist". 
                     It is a list of IP addresses known to be spammers.
 RHSBL status      - RHSBL is an abbreviation for "Right Hand Side Blacklist". 
                     It is a list of domain names known to be spammers.
 qpsmtpd badhelo   - Check a HELO message delivered from a connecting host. 
                     Reject any that appear in badhelo during the 'helo' stage.
 qmail badmailfrom - Check envelope sender addresses. 
                     Reject any that appear (@host or user@host) in badmailfrom during the 'mail'           
                     stage.
 spamassassin blacklist_from - Any envelope sender of a mail (*@host or user@host) matching an 
                               entry in blacklist_from will be rejected by spamassassin.

Whitelists - White lists are used for accepting e-mail traffic

 Whitelists status           - White Lists: ACCEPT
 qpsmtpd whitelisthosts      - Any IP address listed in whitelisthosts will be exempted 
                               from any further validation during the 'connect' stage.
 qpsmtpd whitelisthelo       - Any host that issues a HELO matching an entry in whitelisthelo 
                               will be exempted from further validation during the 'helo' stage.
 qpsmtpd whitelistsenders    - Any envelope sender of a mail (host or user@host) matching an 
                               entry in whitelistsenders will be exempted from further validation
                               during the 'mail' stage.
 spamassassin whitelist_from - Any envelope sender of a mail (*@host or user@host) matching an 
                               entry in whitelist_from will be exempted from spamassassin rejection.

How to block email from one address to another address with check_badmailfromto plugin

Enable the check_badmailfromto plugin. Adapted from this Forum post

This is based heavily on the similar check_badmailfrom, but this plugin references both the FROM: and TO: lines, and if they both are present in the badmailfromto config file (a tab delimited list of FROM/TO pairs), then the message is blocked as if the recipient (TO) didn't exist. This is specifically designed to not give the impression that the sender is blocked (good for cases of harassment).

Prior SME9.2 : qpsmtpd check_badmailfromto plugin

To control mail from external locations to internal locations do

mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins
echo "check_badmailfromto" > /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31check_badmailfromto
ln -s /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31check_badmailfromto /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/31check_badmailfromto
signal-event email-update

To control mail sent from internal locations to internal locations, in addition to the above also do

mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
ln -s /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31check_badmailfromto /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/31check_badmailfromto
signal-event email-update


Since SME9.2 : qpsmtpd badmailfromto plugin

remove previous templates, if you are updating

rm /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31check_badmailfromto \
/etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/31check_badmailfromto \
/etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/31check_badmailfromto

To control mail from external locations to internal locations do

mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins
echo "badmailfromto" > /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31badmailfromto
ln -s /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31badmailfromto /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/31badmailfromto
signal-event email-update

To control mail sent from internal locations to internal locations, in addition to the above also do

mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
ln -s /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31badmailfromto /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/31badmailfromto
signal-event email-update

For Qmail

Create and configure the badmailfromto custom template fragment

mkdir -p /etc/e-smith/templates-custom/var/qmail/control/badmailfromto
nano -w /etc/e-smith/templates-custom/var/qmail/control/badmailfromto/template-begin

Type in the From and To pairs that you want to stop email delivery for, with a tab between them and a carriage return at the end of the line, with additional pairs on a new line ie

user@bad-domain.com tab user@yourdomain.com enter
user@bad-domain2 tab user2@yourdomain enter

Note also that wildcards or blank spaces are not supported

eg

john@aol.com      mary@yourdomain
bill@yahoo.com      paul@yourdomain.com

then save using

Ctrl o
Ctrl x

Expand the template to update the /var/qmail/control/badmailfromto config file

expand-template /var/qmail/control/badmailfromto

Restart mail services

signal-event email-update

Redirect mail.domain.net to Webmail

Setup external dns records

Add mail.domain.net in Domains panel in server-manager

db domains setprop mail.dom.ain TemplatePath ProxyPassVirtualHosts ProxyPassTarget http://sme.dom.ain/webmail
signal-event remoteaccess-update

where http://sme.dom.ain/webmail is servername.domainname/webmail

E-mail Retrieval

http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter13#E-mail_Retrieval

If your ISP does not provide a custom sort field and you experience the following errors occuring when Multidrop is enabled and the "Select Sort Method (for multi-drop)" is set to Default:

fetchmail: warning: multidrop for pop3.mypopserver.com requires envelope option!
fetchmail: warning: Do not ask for support if all mail goes to postmaster!

and/or

fetchmail: warning: multidrop for my.isp.domain requires envelope option! 
fetchmail: warning: Do not ask for support if all mail goes to postmaster! 


Set "Select Sort Method (for multi-drop) to 'Received' or 'for' As described at bugzilla:5602 bugzilla:6483

Domain Authentication

  Work in Progress:
trex1512 has marked this page as a Work in Progress. The contents off this page may be in flux, please have a look at this page history the to see list of changes.


Major mail hosting companies (Google, Yahoo, Microsoft) have made domain-authentication mandatory so as to not mark incoming mail as spam.

To facilitate this support for DomainKeys and DKIM signing needs to be enabled in SME's mail subsystem. These techniques require the adding of records in the DNS zone for the user's domain. The DKIM/DK/SPF/SenderID configuration has to be added to your your DNS server / registrar.

How do I remove an email address from the everyone group

By default, all users are automatically added to the user group "everyone". If you would like to remove a user from this group, connect to the server using SSH or locally log in to the server and issue the commands below. Be sure to substitute the name of the user you want to remove for the word username.

db accounts setprop username EveryoneEmail no
signal-event user-modify username


How do I remove an email address from any regular group

By default, all users member of a group "group1" are automatically added as recipients of mail sent to group1@domain. If you would like to remove a user from this group, connect to the server using SSH or locally log in to the server and issue the commands below. Be sure to substitute the name of the user you want to remove for the word username.

db accounts setprop group1 EmailExcludeUsers tom,jack 
signal-event group-modify group1

If you want to prevent all the user members from another group "group2" from receiving emails addressed to group1@domain while they are also member of group1, you could connect to the server using SSH or locally log in to the server and issue the commands below. Be sure to substitute the name of the user you want to remove for the word username.

db accounts setprop group1  EmailExcludeGroups group2
signal-event group-modify group1

All members of the group will still be member for all other purpose (samba access to ibays as an example)

This behaviour is only available as per e-smith-qmail-2.4.0-7.sme see bug #9540

Change the number of logs retained for qpsmtpd and/or sqpsmtpd

The normal retention is 5 logs for both qpsmptd and sqpsmtpd. This may or may not fit all installations. This information is pulled from bugzilla.

Check your config to see if any change has been made to the default log retention rules. Note there are different rules for qpsmtpd and sqpsmtpd. You have to make changes to both as you require.

config show qpsmtpd

If the KeepLogFiles property isn't listed, the default rules apply. Determine how many logs you would like to keep and apply that to the following example. In the command below, 15 is used to keep 15 qpsmtpd logs.

db configuration setprop qpsmtpd KeepLogFiles 15

Restart multilog with the following.

sv t /service/qpsmtpd/log

Check that your setting saved.

ps aux | grep qpsmtpd | grep multi

Look for the line that ends with /var/log/qpsmtpd and verify the number after n equals your KeepLogFiles property from above.

DKIM Setup - qpsmtpd version<0.96

A plugin has been written and is available in SME

To activate it manually follow the steps below, or download a shell script that will do the server based stuff for you & guide you on the DNS stuff setup_dkim.sh:-

Note: I'd recommend reviewing the script first to make sure you're happy to run it on your system

Create a folder:

mkdir /var/service/qpsmtpd/config/dkimkeys/

Then:

cd /var/service/qpsmtpd/config/dkimkeys/
openssl genrsa -out dkim.private 1024
openssl rsa -in dkim.private -pubout -out dkim.public
chown qpsmtpd:qpsmtpd -R /var/service/qpsmtpd/config/dkimkeys/
chmod 0700 dkim.private

For each domain you want to sign:

cp -a dkim.private <fully qualified domain name>.private (less the <> brackets)

Then create a template fragment:

mkdir --parent /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
echo "dkim_sign keys dkim">/etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/69dkim_sign
signal-event email-update

Finally propagate your public key "dkim.public" content (<key text>) to your DNS.

Check with your DNS server / registrar. Something similar to the following should work but it varies depending on provider - replace <fully qualified domain name> with your doman details e.g "mydomain.org" (less the <> brackets):

When extracting the key text from the dkim.public file it's on multiple lines. For the key to work for us in the DNS TXT record we need to exclude the header & footer lines & have just the key text as a single line string (the setup_dkim.sh script provides this info in the format required).

default._domainkey.<fully qualified domain name> IN TXT "k=rsa; p=<key text>; t=y"


With Zonedit the following works within your Zone :

Subdomain : default._domainkey

Type : TXT

Text : "v=DKIM1;k=rsa; p=<key text>; t=y"


If you want to customize the signing you can add parameters to the line in /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/69dkim_sign. Parameters and value are separated by a space only.

  1. keys : "dk" or "domainkeys" for domainkey signature only, "dkim" for DKIM signature only, default "both" (n.b. above template example is dkim ONLY)
  2. dk_method : for domainkey method , default "nofws"
  3. selector : the selector you want, default "default"
  4. algorithm : algorithm for DKIM signing, default "rsa-sha1"
  5. dkim_method : for DKIM, default "relaxed"

NB: key files can not be defined in parameters, they need to be in /var/service/qpsmtpd/config/dkimkeys/{SENDER_DOMAIN}.private


  Tip:
You can verify that your settings are correct by sending an email to check-auth@verifier.port25.com, a free service the purpose of which is to verify if your domain does not contradict mail policies. Please check the answer carefully. See bugzilla:4558#c6


See also : bugzilla:8251 bugzilla:8252

DKIM Setup - qpsmtpd version >= 0.96

Version 0.96 and above supports DKIM natively without the need for extra plugins.

All you have to do is to enable the DKIM signing and promulgate the DNS TXT entries to support it.

Enable the signing:

db configuration setprop qpsmtpd DKIMSigning enabled
signal-event email-update

and then run:

qpsmtpd-print-dns <domain name>

to show the DNS entry(s) required.

Then you have to update your DNS.


  Tip:
You can verify that your settings are correct by sending an email to check-auth@verifier.port25.com, a free service the purpose of which is to verify if your domain does not contradict mail policies. Please check the answer carefully. See bugzilla:4558#c6


also see bugzilla:9694 and https://wikit.firewall-services.com/doku.php/smedev/qpsmtpd_096#documentation

More details are available here

Incoming DKIM checking is also enabled out of the box.


In case you got a problem using the DKIM field provided with your DNS provider /registrar, please first contact them to ensure the problem is not how you try to enter the information. In the likelihood, you got "invalid field" or "too long field" errors and your provider is not able to help you or update its interface, you can generate a shorter DKIM key (with 1024 instead of the default 2048) this way:

cd /home/e-smith/dkim_keys/default
mv private private.long
mv public public.long
openssl genrsa -out private 1024
openssl rsa -in private -pubout -out public
chown qpsmtpd:qpsmtpd private
chown root:qpsmtpd public
chmod 0400 private
signal-event email-update
qpsmtpd-print-dns

Outbound DKIM signing / SPF / DMARC policy FOR MULTIPLE DOMAINS

The default DKIM key is created in /home/e-smith/dkim_keys/default. To enable DKIM signing for all the domains that you manage:

db configuration setprop qpsmtpd DKIMSigning enabled 
signal-event email-update

If you want to disable dkim signing for a domain, you can use:

db domains setprop domain.com DKIMSigning disabled 
signal-event email-update

The default behavior is to use the same key pair for all your domains. But you can create other key pairs for specific domain if you want. For example, if you want to use a specific key pair for the domain.net domain:

cd /home/e-smith/dkim_keys 
mkdir domain.net 
cd domain.net 
echo default > selector 
openssl genrsa -out private 2048 
openssl rsa -in private -out public -pubout 
chown qpsmtpd:qpsmtpd private 
chmod 400 private 
signal-event email-update

Now, the emails using a domain.net sender address will be signed by this new key instead of the default one.

Domain Keys

There is a plugin to check incoming mail has been signed

Please read here for more details : http://bugs.contribs.org/show_bug.cgi?id=4569


  Warning:
There is a plugin for signing with DomainKeys but it is not installed by default. It has not been tested on Koozali SME Server:

http://wiki.qpsmtpd.org/doku.php?id=plugins:spam:domainkeys_sign


Other information

DomainKeys seem to be deprecated in favour of DKIM.

The DomainKeys plugin only CHECKS incoming email. Spamassassin checks for DKIM.

Temporary_error_on_maildir_delivery

In certains cases you have some mailboxes which can't delivery messages and the qmail log say:

deferral: Temporary_error_on_maildir_delivery._(#4.3.0)/

It is probably that your users want to go beyond the upper limit of their quota, so you have to increase it. This could solve their problems.

External Access

Allow external IMAP mail access

There was a deliberate decision to remove non-SSL protected username/password services from the external interface.


  Warning:
Keep in mind that your passwords, your data won't be protected and will be in clear text over Internet


to allow unsecure IMAP access

config setprop imap access public
signal-event email-update

But before you do this try to use secure IMAP (IMAPS or imap over ssl) with port 993

POP3 & webmail HTTP

I want to set my SMESERVER to allow POP3 (or webmail HTTP) but it's not an option, I only see POP3S (or webmail HTTPS).

The SMESERVER is secure by design. POP3 (or webmail HTTP) is viewed as inadequate security and removed as an option from a standard installation to encourage unknowing administrators to select the 'best practice' option -a secure connection with POP3S, IMAPS, or HTTPS.

  Warning:
Keep in mind that your passwords, your data won't be protected and will be in clear text over Internet


You can still set your SMESERVER to allow POP3 settings by:

config setprop pop3 access public
signal-event email-update

Allow external pop3 access

Email settings > POP3 server access in SME 7.1 server-manager allows only pop3s protocol for clients outside the LAN. Some email clients (eg The Bat! v3.98.4) won't allow pop3s connections to SME 7.1 because of ssl version conflict. Until this is sorted out, a workaround is to hack SME to allow regular pop3 on the external interface using the following commands.

  Warning:
Keep in mind that your passwords, your data won't be protected and will be in clear text over Internet


config setprop pop3 access public
signal-event email-update
svc -t /service/pop3s  

more information bugzilla:2620

Imap

Folders with a dot in name

Email folder names that have a period ('.') in the folder name, will be split into sub-folders. e.g. folder name 'www.contribs.org' is created as

www
  contribs
        org

Dovecot Idle_Notify

Poor battery consumption issues has been reported with K9-mail on recent Android systems. It is apparent one way of helping this is to modify the imap_idle_notify setting. The default is in Dovecot, and therefore on SME is 2 minutes.

K9 has an idle refresh of 24 mins but it seems with Dovecot defaults at 2 mins it causes lots of wake ups and battery drain.

This is configurable via a config db property.

Default on install

# config show dovecot
 dovecot=service
   Quotas=enabled
   status=enabled

Set dovecot Idle_Notify to 20 minutes

# config setprop dovecot Idle_Notify 20
# config show dovecot
 dovecot=service
   Idle_Notify=20
   Quotas=enabled
   status=enabled

Expand template to update *.conf (can also issue a full reconfigure/reboot)

# expand-template /etc/dovecot/dovecot.conf
# dovecot -a |grep imap_idle_notify_interval
  imap_idle_notify_interval = 20 mins

qpsmtpd

SME uses the qpsmtpd smtp daemon.

Official Description

qpsmtpd is a flexible smtpd daemon written in Perl. Apart from the core SMTP features, all functionality is implemented in small "extension plugins" using the easy to use object oriented plugin API.

qpsmtpd was originally written as a drop-in qmail-smtpd replacement, but now it also includes smtp forward, postfix, exim and maildir "backends".

qpsmtpd wiki: http://wiki.qpsmtpd.org

Log watching tool

qplogtail is a script to to monitor /var/log/qpsmtpd/current, see bugzilla:3418

Qpsmtpd for SME versions 9.1 and earlier

  Warning:
Please note that the version of qpsmtpd has been upgraded for SME version 9.2 and later to qpsptpd version 0.96. This change has resulted in a lot of changes to the way it works, the plugins (and their names!) and the corresponding database entries, so this section ONLY applies to SME Version 9.1 and earlier, except where the plugin has been retained, See the next section for the new details.


Default Plugin Configuration

SME uses the following qpsmtpd plugins to evaluate each incoming email.

SME maintains 2 distinct configurations: one for the 'local' networks (as defined in server-manager::Security::Local networks) and another for 'remote' networks (everyone else).

The default configuration of each plugin is indicated in the 'Default Status' column.

Plugin Purpose Default Status
hosts_allow Prohibit more than "InstancesPerIP" connections from any single host (change with 'config setprop smtpd InstancesPerIP'). Allow or deny connections according to the contents of /var/service/qpsmtpd/config/hosts_allow. See hosts_allow SVN code for more details. enabled
peers Allow different plugin configuration based on the sending computer's IP address. By default SME maintains different configurations for the local networks (in /var/service/qpsmtpd/config/peers/local) and for everyone else (in /var/service/qpsmtpd/config/peers/0) enabled
logging/logterse Allow greater logging detail using smaller log files. Optionally supports qplogsumm.pl to compile qpsmtpd statistics. enabled
auth/auth_cvm_unix_local Allow authenticated smtp relay enabled (remote)
disabled (local)
check_earlytalker reject email from servers that talk out of turn enabled (remote)
disabled (local)
count_unrecognized_commands reject email from servers that issue X invalid commands enabled (remote)
disabled (local)
bcc bcc all email to a specific address for archiving disabled
check_relay Check to see if relaying is allowed (in case the recipient is not listed in one of SME's local domains) enabled
check_norelay Check to see if the sending server is specifically forbidden to relay through us. enabled
require_resolvable_fromhost Check that the domain listed in the sender's email address is resolvable enabled (remote)
disabled (local)
check_basicheaders reject email that lacks either a From: or Date: header enabled
rhsbl Reject email if the sender's email domain has a reputation for disregarding smtp RFCs. disabled
(always disabled for local connections)
dnsbl Reject email from hosts listed in your configured dnsbl servers disabled
check_badmailfrom Reject email where the sender address is listed in /var/service/qpsmtpd/config/badmailfrom enabled
check_badrcptto_patterns Reject email addressed to any address matching an expression listed in /var/service/qpsmtpd/config/badrcptto_patterns enabled
check_badrcptto Reject email addressed to any address listed in /var/service/qpsmtpd/config/badrcptto enabled
check_spamhelo Reject email from hosts that say 'helo ...' using a value in /var/service/qpsmtpd/config/badhelo enabled
check_smtp_forward If config show DelegateMailServer or db domains show <domainname> MailServer is set (telling SME to deliver email for all domains or just <domainname> to another server), check_smtp_forward will connect to the specified server and will reject the message outright if the internal mail server would also reject it. disabled
unless an internal mail server is configured.
check_goodrcptto Accept email only if the recipient address matches an entry in /var/service/qpsmtpd/config/goodrcptto. For domains that are configured to use an internal mail server, the entire domain name will be added to .../goodrcptto. enabled
rcpt_ok Return 'OK' if none of the other host checks has returned 'DENY' (??) enabled
pattern_filter Reject email according to content patterns (??) disabled
tnef2mime Convert MS TNEF (winmail.dat) and uuencoded attachments to MIME enabled
disclaimer Add a configurable disclaimer to email messages disabled
spamassassin Check email using spamassassin, and optionally reject it completely if the score exceeds a configurable value. disabled
(always disabled for local connections)
virus/clamav Scan incoming email with ClamAV enabled
queue/qmail-queue Deliver the incoming message to qmail for delivery. enabled

Qpsmtpd for SME versions 9.2 and Later

  Warning:
Please note that the version of qpsmtpd has been upgraded for SME version 9.2 and later to qpsmtpd version 0.96. This change has resulted in a lot of changes to the way it works, the plugins (and their names!) and the corresponding database entries, so this section ONLY applies to SME Version 9.2 and later version, see the previous section for the details.


This section has been taken from the notes prepared by the dev who made the changes, the wiki is here.

Here is a list of the plugins in use, and a note of any changes that might have occurred:

  • logterse: no change
  • tls: no change
  • auth_cvm_unix_local: no change
  • check_earlytalker: renamed earlytalker
  • count_unrecognized_commands: no change
  • bcc: no change
  • check_relay: renamed relay
  • check_norelay: merged into the relay plugin
  • require_resolvable_fromhost: renamed resolvable_fromhost
  • check_basicheaders: renamed headers
  • rhsbl: no change
  • dnsbl: no change
  • check_badmailfrom: renamed badmailfrom
  • check_badrcptto_patterns: doesn't exist anymore, merged with badrcptto
  • check_badrcptto: renamed badrcptto
  • check_spamhelo: renamed helo
  • check_smtp_forward: no change
  • check_goodrcptto: no change
  • rcpt_ok: no change
  • pattern_filter: no change
  • tnef2mime: no change
  • spamassassin: no change
  • clamav: no change
  • qmail-queue: no change

Here is a section for each of the new plugins which are installed by default. The ones that have not changed are documented above.

Karma

The karma plugin tracks sender history. For each inbound email, various plugins can raise, or lower the "naughtiness" of the connection (eg, if SPF check passes, if the message is spammy etc...). For each host sending us email, the total number of connections, and the number of good and bad connections is recorded in a database. If a host as more bad than good connections in its history, emails will be rejected for 1 day. 3 settings are available for this plugin:

  • Karma (enabled|disabled): Default value is disabled. Change to enabled to use the plugin
  • KarmaNegative (integer): Default value is 2.
    It's the delta between good and bad connection to consider the host naughty enough to block it for 1 day.
    Eg, with a default value of two, a host can be considered naughty if it sent you 8 good emails and 10 bad ones
  • KarmaStrikes (integer): Default value is 3. This is the threshold for a single email to be considered good or bad.
    Eg, with the default value of 3, an email needs at least 3 bad karmas (reaches -3) for the connection to be considered bad.
    On the other side, 3 good karmas are needed for the connection to be considered good. Between the two, the connection is considered neutral
    and won't be used in the history count

Example:

db configuration setprop qpsmtpd Karma enabled KarmaNegative 3
signal-event email-update


URIBL

The URIBL plugin works a bit like RHSBL, except that it checks domain names found in the body of the email. For each URI identified, the corresponding domain name can be submitted to a BL list (through DNS queries). Two settings are available:

  • URIBL (enabled|disabled): Default is disabled. Set this to enabled to use the plugin
  • UBLList: (Comma separated list addresses): Default value is multi.surbl.org:8-16-64-128,black.uribl.com,rhsbl.sorbs.net.
    This can be the same as RBLList. You can also set bitmask to use for combined lists (in the default value, the bitmask is 8-16-64-128)


Example:

db configuration setprop qpsmtpd URIBL enabled UBLList multi.surbl.org,black.uribl.com
signal-event email-update


Helo

Previously, the helo plugin was just checking for some known bad helo hostnames used by spammers (aol.com and yahoo.com). Now, it can check much more than that. This plugin is always enabled and has a single setting:

  • HeloPolicy: (lenient|rfc|strict). The default value is lenient.

See https://github.com/smtpd/qpsmtpd/blob/master/plugins/helo for a description of the various tests done at each level

Example:

db configuration setprop qpsmtpd HeloPolicy rfc
signal-event email-update

Inbound DKIM / SPF / DMARC

DMARC is a policy on top of DKIM and SPF. By default, SPF and DKIM are now checked on every inbound emails, but no reject is attempted. The dmarc plugin can decide to reject the email (depending on the sender policy). dkim and spf plugins are always enabled. dmarc has two settings:

  • DMARCReject (enabled|disabled): Default value is disabled.
    If set to enabled, the dmarc plugin can decide to reject an email (if the policy of the sender is to reject on alignment failure)
  • DMARCReporting (enabled|disabled): Default value is enabled.
    If set to enabled, enable reporting (which is the r in dmarc). Reporting is a very important part of the DMARC standard.
    When enabled, you'll record information about email you receive from domains which have published a DMARC policy in a local
    SQLite database (/var/lib/qpsmtpd/dmarc/reports.sqlite).
    Then, once a day, you send the aggregate reports to the domain owner so they have feedback.
    You can set this to disabled if you want to disable this feature
  • SPFRejectPolicy (0|1|2|3|4): Default value is 0. Set the policy to apply in case of SPF failure when the sender hasn't published a DMARC policy.
    Note: this is only used when no DMARC policy is published by the sender.
    If there's a DMARC policy, even a "p=none" one (meaning no reject), then the email won't be rejected, even on failed SPF tests.
  • 0: do not reject anything
  • 1: reject when SPF says fail
  • 2: reject when SPF says softfail
  • 3: reject when SPF says neutral
  • 4: reject when an error occurred (like a syntax error in SPF entry) or if no SPF entry is published
  • Inbound DKIM checks are only used by DMARC. No reject solely based on DKIM is supported

Example:

db configuration setprop qpsmtpd DMARCReject disabled SPFRejectPolicy 2
signal-event email-update

Outbound DKIM signing / SPF / DMARC policy

Everything is now ready for you to sign your outbound emails, and publish your public key, as well as your SPF and DMARC policy. A default DKIM key is created in /home/e-smith/dkim_keys/default. To enable DKIM signing for all the domain you manage:

db configuration setprop qpsmtpd DKIMSigning enabled
signal-event email-update

If you want to disable dkim signing for a domain, you can use:

db domains setprop domain.com DKIMSigning disabled
signal-event email-update

The default behavior is to use the same key pair for all your domains. But you can create other key pairs for specific domain if you want. For example, if you want to use a specific key pair for the domain.net domain:

cd /home/e-smith/dkim_keys
mkdir domain.net
cd domain.net
echo default > selector
openssl genrsa -out private 2048
openssl rsa -in private -out public -pubout
chown qpsmtpd:qpsmtpd private
chmod 400 private
signal-event email-update

Now, the emails using a domain.net sender address will be signed by this new key instead of the default one.

Publishing your DNS entries

Signing your outbound emails is just part of the process. You now need to publish some DNS entries so everyone can check if the email they receive matches your policy. This part is not to be done on your SME Server, but on your public DNS provider. A script helps you by creating some sample DNS entries already formatted for a bind-like zone file. To use it:

qpsmtpd-print-dns <domain name>

If omitted, the primary domain name is assumed.

Example output:

Here are sample DNS entries you should add in your public DNS
The DKIM entry can be copied as is, but others will probably need to be adjusted
to your need. For example, you should either change the reporting email adress
for DMARC (or create the needed pseudonym)


default._domainkey IN TXT "v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs/Qq3Ntpx2QNdRxGKMeKc2r9ULvyYW633IbLivHznN9JvjJIbS54PGIEk3sSxvZSdpTRAvYlxn/nRi329VmcDK0vJYb2ut2rnZ3VO3r5srm+XEvTNPxij5eU4gqw+5ayySDjqzAMEMc5V7lUMpZ/YiqnscA075XiMF7iEq8Quv1y0LokmgwtxzOXEZap34WXlKyhYzH+D""fabF6SUllmA0ovODNvudzvEOanPlViQ7q7d+Mc3b7X/fzgJfh5P9f5U+iSmzgyGctSb6GX8sqsDMNVEsRZpSE3jd2Z33RDWyW21PGOKB/ZrLiliKfdJbd3Wo7AN7bWsZpQsei2Hsv1niQIDAQAB"
@ IN SPF "v=spf1 mx a -all"
@ IN TXT "v=spf1 mx a -all"
_dmarc IN TXT "v=DMARC1; p=none; adkim=s; aspf=r; rua=mailto:dmarc-feedback@domain.net; pct=100"

All you have to do now is publish those records, but do note that there is a point to consider when publishing the default._domainkey DNS record, as produced by the qpsmtpd-print-dns command: if the DNS record includes ;t=y then as per the DKIM specification (RFC4781 section 3.6.1) this means that your "...domain is testing DKIM. Verifiers MUST NOT treat messages from signers in testing mode differently from unsigned email, even should the signature fail to verify. Verifiers MAY wish to track testing mode results to assist the signer."

On the other hand, if no ;t=y is included, then it means you are intending to use DKIM in production mode. It might be a good idea to publish the DKIM DNS record first in testing mode (;t=y included), check how things go and if everything is alright, remove the ;t=y part.


Testing

You can install spfquery:

yum --enablerepo=epel install libspf2 libspf2-progs

Usage (try -help for help):

spfquery -ip=11.22.33.44 -sender=user@aol.com -helo=spammer.tld

Check record via dig

dig -t TXT +short somedomain.co.uk

Load

The loadcheck plugin can temporarily deny inbound emails if your server is overloaded. This plugin is always enabled and has a single setting:

  • MaxLoad (int number): Default is 7. If your load is above this value, emails from the outside will be deferred.

Other QPSMTPD Plugins

The following qpsmtpd plugins will work on a SME server, but are either not included or are not configured by default.

Plugin Purpose Default Status
connection_time Track the total time for each qpsmtpd connection from 'Accepted connection' through 'click, disconnecting', and output the results to the qpsmtpd log file. not installed - not clear if this works for SME9.2 (anyone?)
GeoIP Track the geographic origin of incoming email and optionally reject email from specified countries not installed - does work for SME 9.2 and later.

Internal or External Mail Servers

SME can be configured as a spam and antivirus filter for one or more "Internal or External" mail servers on a domain-by-domain basis. The mail server specified does not have to be on the same local network as your SME server, & can be hosted on an external site.

Deliver ALL email to a single internal or external mail server

You can set the default delivery location for all domains on your SME server to a single internal or external mail server by setting the mail server address in server-manager::Configuration::E-mail::Change e-mail delivery settings::Address of internal mail server.

Note: Address of internal mail server must be blank if you want any email delivered to the SME server itself.

Deliver email for one domain to an internal or external mail server

You can override the default email delivery destination for individual domains on your SME server (forwarding all email for the specified domain to another server) as follows:

First, create the necessary virtual domains using server-manager::Configuration::Domains::Add Domain.

Then, (assuming your domain is called test.com and the actual mail server is at a.b.c.d issue the following commands:

db domains setprop test.com MailServer a.b.c.d
signal-event email-update

A FQDN can also be used for the MailServer property, eg aspmx.l.google.com instead of the IP address a.b.c.d

db domains setprop test.com MailServer aspmx.l.google.com
signal-event email-update


Remove the internal or external mail server (and return email delivery for test.com to the default for your SME server) using:

db domains delprop test.com MailServer
signal-event email-update

Secondary/Backup Mail Server Considerations

Many people misunderstand the issues of using a secondary or backup mail server (backup MX) to hold your mail before it gets delivered to your SME Server. If you consider putting a backup mail server in place because you are concerned about lost mail because your internet connection may occasionally drop out, think again and consider the issues discussed below.

What is Backup MX

A backup MX is a system whereby through your DNS records you tell other servers on the internet that in order to deliver mail to your domain they first need to try the primary MX record and if they fail to connect they can try to connect to one or more of your listed backup or secondary mail servers. See also http://en.wikipedia.org/wiki/MX_record

The process of delivering email to your SME Server

So lets look at how mail gets delivered without and with a backup mx when your Internet link, ISP or server is down.

Without a backup MX

  • The sending mail server cannot connect to your server.
  • The sending mail server MUST queue the mail and try again later.
  • The mail stays on the sender's server.
  • The sender's server resends the mail at a later date.

The requirement to re-queue is a fundamental part of the SMTP protocol - it is not optional. So, if your server is offline due to a link or ISP outage, the mail just stays at the sender's server until you are once again reachable.

With a backup MX

  • The sending mail server cannot contact your server.
  • The sending mail server sends the mail to your secondary MX.
  • The secondary MX queues the mail until your link/server is up.
  • The mail is queued on an untrusted third-party mail server (think about confidential mail between your company and some business partner).
  • The sending mail server's administrator thinks it has been delivered, according to their logs.
  • You have no, or little, visibility over the queued mail.
  • When your link comes up, the secondary MX sends the mail on to your server.
  • You have added more hops, more systems and more delay to the process.

If you think that a backup MX will protect against broken mail servers which don't re-queue, you can't. Those servers will drop mail on the floor at random times, for example when their Internet link is down.

Those servers are also highly likely to never try your backup MX.

Thankfully those servers are mostly gone from the Internet, but adding a secondary MX doesn't really improve the chances that they won't drop mail destined for your server on the floor.

Backup MX and SPAM Filtering

On top of the issue, indicated above, there is another issue to consider and that is what happens with SPAM due to the use of a Backup MX.

Your SME Server takes care of filtering a lot of SPAM by checking on the full username & domain at the time it is received.

For example if your server hosts example.com and someone sends mail to joeuser@example.com, the server will only accept the mail if joeuser is a local user/alias/group/pseudonym on the server. Otherwise, the mail is rejected during the SMTP transaction.

A backup mail server however, generally does not have a full list of users against which it can check if it should accept the mail for the given domain. Hence it will accept mail for invalid users.

So:

  • If you trust the secondary MX, you will accept a lot of SPAM when the link comes up.
  • If you don't trust it, you will cause a lot of SPAM backscatter as the mail has been accepted at the secondary MX and then later bounced by you.
  • Stopping backscatter is why SME Server rejects invalid addresses during the initial SMTP transaction.

The SPAM backscatter can only be stopped if the secondary MX has a full list of users for your domain to allow filtering to occur.

But:

  • You need to be able to configure this secondary MX with such user/domain lists
  • You need to maintain these secondary configurations when users are added/deleted from your primary server configuration
  • You need to test (regularly) if the secondary is successfully accepting/rejecting mail as required.

Quite a few sites have lost lots of mail through misconfigured backup MX servers. Unfortunately, the time when you find out they are misconfigured is when you go to use them, and then you find that the backup MX has changed configuration and bounced all of your mail.

Then you realise that this mail could have queued at the sender's site if there hadn't been a broken secondary MX bouncing the mail for you.

  • If you bounce mail at your server, you have logs to show what's wrong.
  • If your secondary MX bounces your mail, you usually have no way to determine what happened other than via reports from the original senders that your mail bounced.

Summary

In summary, if your server/Internet connection is available most (let's say >90%) of the time, you are generally better off without a secondary MX.

If your server/link is down more than this (e.g. dialup), you should not be delivering mail directly to your server.

If you still want to consider setting up a seconday MX, ensure that:

  • you have fully control of the configuration of each of the email gateways for your domain
  • each gateway can make decisions on whether to accept/reject mail for the users at the domain

Mail server on dynamic IP

Problems with running a mail server on SME server using a dynamic external IP from ISP

This information comes from http://bugs.contribs.org/show_bug.cgi?id=2057#c10

This is the chronological sequence of events that leads to issues with mail servers on dynamic IPs:

1) Server gets dynamic IP

2) Reboot/power fail (without updating dynamic DNS to "offline")

3) Another server/someone else is allocated your old IP while your server is down

4) The other server/person is running a mail server

5) The other server either gets your mail (which is bad) or bounces your mail (also bad)

You have no control over this issue and you will lose mail when it happens. If you have a dynamic IP, the recommended approach is to get someone with a static IP to queue your inbound mail and send it to you on a non-standard port, preferably with an authentication mechanism which queues the mail if the auth fails, just in case someone else happens to have a mail server on the same port (while highly unlikely, this is possible).

Whether this issue is really a problem to end users, depends on how much you "value" your mail. For a home user having their own mail server, it is probably not a great problem if some messages should happen to go astray, but for all other classes of users, you should really avoid running a mail server on a dynamic IP, without implementing a suitable queueing workaround as suggested. Some ISPs change the IP very infrequently eg yearly, so in those cases it is also not a significant problem. Many/most ISP's will issue a new IP every time a connection is lost & re-established, so these situations are more problematic.

How to re-apply procmail rules

If you have a folder of email that needs to have the procmail rules applied, then the trick is to be logged in as the email user, and then position your self in the home directory, and then this works:

su <username> -s /bin/bash 
cd ~
for m in <fullpath to maildirectory>/cur/*; do echo $m; procmail < $m && rm $m; done



Is this article helpful to you?
Please consider donating or volunteering
Thank you!

The server manager is the GUI front end for the firewall. The firewall is modified automatically in response to changes you make in the configuration, such as enabling/disabling services, marking them public/private, forwarding ports, etc.

If you wish to make changes beyond those provided for by the server manager, you can do so by setting DB records or providing custom templates. Only make these changes if you are sure you know what you are doing, incorrect settings will compromise security on your server.

FAQs

  • I want to have two WAN addresses; one for the SMESERVER and another that needs to be treated like a "Local Network". I can't set any address from the WAN subnet as a "Local Network".

This is intended behaviour as SMESERVER is secure by design. If you need to do something like this, you should know what you are doing and understand what to poke under the covers.

DB Settings

  • How do I allow public access to a service I've added to SME Server?

For this example the service you have installed is called 'manta' and 'nnn' is the TCP port number that needs to be opened. Watch your capitalization with the command below:

 config set manta service access public status enabled TCPPort nnn

For UDP services, use UDPPort instead of TCPPort.

If you need to open multiple ports for one service you can use TCPPorts and UDPPorts. Port numbers are seperated with a comma, but without a space. Note that ranges of ports are defined with a : between the numbers in this case, instead of a -.

Note that you can also set restrictions with AllowHosts and DenyHosts:

 config setprop manta AllowHosts 1.2.3.4,10.11.12.0/24 
 config setprop manta DenyHosts 16.17.18.18
 

Then, to activate, do:

 signal-event remoteaccess-update
  • I want to block traffic from some ip-addresses to my server on some port.
config setprop httpd-e-smith DenyHosts a.b.c.d,w.x.y.z
signal-event post-upgrade
signal-event reboot

Additional information on customizing iptables

Create a custom-named service definition in the configuration database. you can see the DB configuration

db configuration set <servicename> service

Apply your desired firewall restrictions to any existing SME 'service' or to a custom-named service that you have created. Combine a custom-named service with port-forwarding to create customized firewall rules.

db configuration setprop <servicename> TCPPort <portnumber>
db configuration setprop <servicename> TCPPorts <portnumbers>
db configuration setprop <servicename> UDPPort <portnumber>
db configuration setprop <servicename> UDPPorts <portnumbers>
db configuration setprop <servicename> status enabled|disabled
db configuration setprop <servicename> access public|private
db configuration setprop <servicename> AllowHosts a.b.c.d,x.y.z.0/24
db configuration setprop <servicename> DenyHosts e.f.g.h,l.m.n.0/24

Effectuate the changes you have made

signal-event remoteaccess-update
Affected file: /etc/rc.d/init.d/masq
Variable Target Default Expected values
TCPPort --proto tcp --dport <Ports> Pre-configured for default services; no default for custom services empty or a numerical or coma separated numbers
TCPPorts --proto tcp --dports <Ports> No default for custom services; Ranges of ports are defined with a : not a - empty or a numerical or coma separated numbers
UDPPort --proto udp --dport <Ports> Pre-configured for default services; no default for custom services empty or a numerical or coma separated numbers
UDPPorts --proto udp --dports <Ports> No default for custom services; Ranges of ports are defined with a : not a - empty or a numerical or coma separated numbers
status disabled AllowHosts is set to "" (an empty string) unless the status is 'enabled' 'enabled' or 'disabled'
access private AllowHosts is set to "" (an empty string) unless access is 'public' 'private' for localhost and local network only (Server and gateway mode), 'public' for everywhere, 'localhost' for localhost only
AllowHosts --src ..... --jump ACCEPT Pre-configured for default services; no default for custom services. Default is '0.0.0.0/0' if service is enabled and public. IP and netmask with this format 0.0.0.0/0, or coma separated list of these elements
DenyHosts --src ..... --jump denylog Pre-configured for default services; no default for custom services. If 'DenyHosts' is empty or does not exist then there are no '... --jump denylog' entries created in /etc/init.d/masq. IP and netmask with this format 0.0.0.0/0, or coma separated list of these elements

Custom templates

Block incoming IP address

  • I want to block All traffic from some ip-addresses to my server.

Manual Method

Create a custom template and list the IP's

mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
nano -w /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40DenyRiffRaff

Now add the IP's you wish to block to the newly create file in the following format.

/sbin/iptables -A INPUT -s 69.212.12.76/32 -j DROP
/sbin/iptables -A INPUT -s 88.28.215.11/32 -j DROP

expand and restart

/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
/etc/init.d/masq restart
  

To check the new block use the following command and look for the IP address you just DROP'ed. It should be listed in the "source" column.

 iptables -L INPUT -v -n

Automated method

The above can be automated slightly.

First lets create a key where we can add IPs that we want to block:

config set ipblock configuration status enabled DenyHosts 208.100.26.0/24 logging disabled

As above, create the following template:

mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
nano -w /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40DenyRiffRaff

Paste this code:

{
   use esmith::ConfigDB;
   my $db = esmith::ConfigDB->open_ro
       || die 'Could not open configuration database';
   # Completely block any riff raff
   if ( ( my $status = $db->get_prop( 'ipblock', 'status' ) ) eq 'enabled' )
   {
       my $DenyHosts = $db->get_prop( 'ipblock', 'DenyHosts' ) ||  '';
       if ( $DenyHosts ne  '' ) {
           my $logging = $db->get_prop( 'ipblock', 'logging' ) || 'disabled';
           foreach my $host ( split( ',', $DenyHosts ) ) {
               $OUT .= "\n";
               $OUT .= "# Simple ipblock for riff raff\n\n";
               if ( $logging eq 'enabled' ) {
                   $OUT .= "/sbin/iptables -A INPUT -s $host -j denylog\n";
               }
               else {
                   $OUT .= "/sbin/iptables -A INPUT -s $host -j DROP\n";
               }
           }
           $OUT .= "\n";
       }
       else {
           $OUT .= "# ipblock no DenyHosts set\n";
       }
   }
   else {
       $OUT .= "# ipblock disabled\n";
   }
}

You can add multiple addresses separated by commas:

config setprop ipblock DenyHosts 208.100.26.0/24,1.2.3.4,5.6.0.0/16

You can disable this blocking with:

config setprop ipblock status disabled

If you want to log the dropped packets rather than just drop them:

config setprop ipblock logging enabled

Then expand and restart your firewall:

/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
/etc/init.d/masq restart

Block outgoing IPs or mac addresses

This section needs improvement.

See this forum post for clues re doing this, based in part on the concept of blocking incming traffic from specific external IPs.

http://forums.contribs.org/index.php/topic,46036.0/all.html

Formulation of suitable iptables rules will be required, use

man iptables

The template fragment needs to be placed in the right order, so that other rules do not negate the rule eg

20blockIP

Example: To block access based on the mac address of the NIC of the wokstation (not on IP)

mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
pico -w /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/20Blockmac

Add the following code to the fragment and save

/sbin/iptables -A INPUT -m mac --mac-source XX:XX:XX:XX:XX:XX -j DROP

(Replace XX.XX.XX.XX.XX.XX with actual mac address)

expand-template /etc/rc.d/init.d/masq
/etc/init.d/masq restart

Check that blocking works as expected

To see the iptables that are in effect on your server, issue the command

iptables --list

or

iptables -L

Block outgoing ports

  • I want to block outgoing traffic from my server.

These commands are based on http://bugs.contribs.org/show_bug.cgi?id=2977

Please check for the latest attachments (custom template fragments) to this bug.

At present, traffic is only blocked if it originates on the primary local network. No processing is performed on traffic addressed to the LAN IP, WAN IP or loopback address of the SME.

Download custom templates and configure ports with db command

mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
cd /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
wget -O 91adjustPortBlocks http://bugs.contribs.org/attachment.cgi?id=1395
wget -O 42SetupPortBlocks http://bugs.contribs.org/attachment.cgi?id=1389

Create desired db entries to suit the ports & protocols you want to block

config setprop masq TCPBlocks address:port
config setprop masq UDPBlocks address:port

eg to block all outbound traffic except that passed by the smtp & httpd proxies

config setprop masq TCPBlocks 0.0.0.0/0:1-65535
config setprop masq UDPBlocks 0.0.0.0/0:1-65535

eg to leave open some ports ie 222 & 2000-2010, block in ranges

config setprop masq TCPBlocks 0.0.0.0/0:1-221,0.0.0.0/0:223-1999,0.0.0.0/0:2011-65535

Update the config changes and restart masq

signal-event remoteaccess-update
/etc/init.d/masq restart

Bypass Proxy

  • You have Transparent Proxy enabled (the default) but want to allow this to be selectively bypassed.

These commands are based on http://bugs.contribs.org/show_bug.cgi?id=2374

Please check for the latest attachments (custom template fragments) to this bug.

Download custom templates and configure ports with db command

mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
cd /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
wget -O 35transproxy http://bugs.contribs.org/attachment.cgi?id=1410
wget -O 90adjustTransProxy http://bugs.contribs.org/attachment.cgi?id=2178

Create desired db entries for the clients or sites you want to allow

config setprop squid BypassProxyTo   162.23.23.125
config setprop squid BypassProxyFrom a.b.c.d,x.y.z.0/0
expand-template /etc/rc.d/init.d/masq
/etc/init.d/masq restart

If the setting changes do not appear to take effect, do the following

signal-event reboot

To add a BypassProxyFrom IP & retain existing IPs without re-entering them, do the following

config setprop squid BypassProxyFrom a.b.c.d,$(config getprop squid BypassProxyFrom)
expand-template /etc/rc.d/init.d/masq
/etc/init.d/masq restart

Followed if necessary by

signal-event reboot

To remove a specific entry but leave other existing entries unchanged

config setprop squid BypassProxyFrom \
$(config getprop squid BypassProxyFrom | \
sed -e 's/entry-to-be-removed//' -e 's/^,//' -e 's/,$//' -e 's/,,//')

where entry-to-be-removed is the IP to be removed

Note: The first sed is to remove the entry, the last second is to remove the comma at the beginning, the second for a comma at the end and the last to remove the double comma when an entry is removed at the middle of the list.

Disable bypass:

config delprop squid BypassProxyFrom
config delprop squid BypassProxyTo
expand-template /etc/rc.d/init.d/masq
service masq restart
signal-event reboot

Open Ports in Private Server/Gateway Mode

  • I want to hide all ports, so I put my SMESERVER in PRIVATE SERVER/GATEWAY mode. I can still see some ports are open.

Certain services are still open on the WAN interface in PRIVATE SERVER/GATEWAY mode. Those services can be set to absolute private from the command line by:

config setprop masq Stealth yes
config setprop ftp access private
config setprop smtpd access private
config setprop dnscache access private
config setprop httpd-e-smith access private
config setprop oidentd access private
config setprop modSSL access private
config setprop ssmtpd access private
config setprop sshd access private
config setprop imaps access private
config setprop ldap access private
config setprop pop3 access private
config setprop pop3s access private
config setprop nmbd access private
config setprop smbd access private
signal-event post-upgrade
signal-event reboot



SME Server up to and including version 9.x runs MySQL as a database server.

SME Server 10 uses MariaDB to provide this function. A lot of applications require a MySQL database, among them is the Horde webmail interface which is supplied by SME Server by default.

General

  Warning:
Koozali SME Server Version 10: MySQL is provided by MariaDB. You can check the version in the usual way, e.g. at the time of writing version 5.5.


The SME Server is based on CentOS, the development team will take their stock RPM's from the CentOS releases. The current version of MariaDB installed on SME Server is version 5.5.68.You can upgrade MariaDB, using their rpms, to a higher version but you are advised not to do so, as this might break your SME Server configuration. The Horde webmail interface relies on MariaDB. Upgrading to version 10.x has potential to break stuff like webmail. If you insist on upgrading MariaDB you may be able to find instructions in the forum, but be advised that no support can be expected from the developers and all bugs reported in the bugtracker will not be taken into account.

Alternatively you can rely on contribs and Red-Hat Software collection to add MySQL 5.7 and MariaDB 10.1 10.2 10.3 or 10.5 as secondary SQL service to satisfy your needs.

MariaDB on SME Server runs on a socket instead of on a port which you might be accustomed to. This is done to improve security as in the view of the development team only the server itself (localhost) needs to have access to the MySQL server. However you can configure MySQL to be accessible from the local network (see below).


  Note:
All MariaDB services provided by core or contribs shares the same /etc/my.cnf file as configuration file. Please respect the sections inside the file when adding some new template-custom depending if you want this be seen by all running version or a specific version. You can refer to MariaDB manual for more information.

While MySQL supports this kind of configuration, for backward compatibility of the contrib MySQL57 we kept a separate config file.


[mysqld]
[mysqld_safe]
[mysql-5.7]
[mariadb-10.1]
[mariadb-10.2]
[mariadb-10.3]
[mariadb-10.5]

Access to MariaDB/MySQL from my application

As stated above on SME Server you have to use socket, this is more secure than using port. By default the service only listen on the server using socket, so trying to connect with any port will result in a failure.

Most application will have to define a string to access the socket, as below pointing to localhost (not 127.0.0.1, nor the LAN ip) and the full path to the socket. In some situation you will have to define the socket path and the host (localhost again and not 127.0.0.1) in variables.

define( 'DB_HOST', 'localhost:/var/lib/mysql/mysql.sock' );

MariaDB/MySQL root password

There appears to be no password set for the MySQL root password, but this is not true. If you are logged in to the SME Server shell a special mechanism is in place to log you in with MySQL root privileges without prompting you for the password.

The MySQL root password for SME Server is a 72 character random string generated during installation of SME Server. You should never change the MySQL root password as this will break your SME Server configuration. How to login as MySQL root user? describes how to access MySQL with root privileges on SME Server.

Login as MySQL root user

To login as MySQL root user, simply type 'mysql' at the SME Server shell, this will log you in with root privileges.

Resetting the MySQL root password

To reset the password for the MySQL root account. The MySQL root user on SME Server has a random generated password which is generated during installation. You do not need to know this password to login to MySQL with root privileges on SME Server. If you might have changed the MySQL root password you can reset it like this after getting command line access as root user.

systemctl stop mariadb
expand-template /root/.my.cnf
expand-template /var/lib/mysql/set.password
/usr/libexec/mysqld --socket=/var/lib/mysql/mysql.sock --bootstrap --user=mysql --skip-grant-tables < /var/lib/mysql/set.password
exit
systemctl start mariadb 
cd /var/service/mysqld
sv d .
expand-template /root/.my.cnf
expand-template /var/service/mysqld/set.password
/usr/libexec/mysqld --bootstrap --user=mysql --skip-grant-tables < ./set.password
sv u .

For SME Server 7.2 and earlier releases do the following (they use the runsvctrl command instead of the sv command):

cd /var/service/mysqld
runsvctrl d .
expand-template /root/.my.cnf
expand-template /var/service/mysqld/set.password
/usr/libexec/mysqld --bootstrap --user=mysql --skip-grant-tables < ./set.password
runsvctrl u .

Restoring accidentally deleted MySQL root user

mariadb 5.5 and up to 10.5
systemctl stop mariadb 
echo "GRANT ALL PRIVILEGES ON *.* TO 'root'@'`config get DomainName`' WITH GRANT OPTION;">/var/lib/mysql/set.rootuser
echo "GRANT PROXY ON @ TO 'root'@'`config get DomainName`' WITH GRANT OPTION;">>/var/lib/mysql/set.rootuser
echo "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION;">>/var/lib/mysql/set.rootuser
echo "GRANT PROXY ON @ TO 'root'@'localhost' WITH GRANT OPTION;">>/var/lib/mysql/set.rootuser
expand-template /root/.my.cnf
expand-template /var/lib/mysql/set.password
/usr/libexec/mysqld --socket=/var/lib/mysql/mysql.sock --bootstrap --user=mysql --skip-grant-tables <( cat /var/lib/mysql/set.rootuser  /var/lib/mysql/set.password)
exit
systemctl start mariadb 

for MySQL 5.1.73

cd /var/service/mysqld
sv d .
echo 'use mysql;'>set.rootuser
echo "INSERT INTO `user` VALUES ('localhost','root',,'Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y',,,,,0,0,0,0);">>set.rootuser
expand-template /root/.my.cnf
expand-template /var/service/mysqld/set.password
/usr/libexec/mysqld --bootstrap --user=mysql --skip-grant-tables < set.rootuser
/usr/libexec/mysqld --bootstrap --user=mysql --skip-grant-tables < set.password
sv u .

Note: The following is only applicable on SME 7.3 and MySQL 4.1

cd /var/service/mysqld
sv d .
echo 'use mysql;'>set.rootuser
echo -n 'INSERT INTO user VALUES("localhost","root","",'>>set.rootuser
echo '"Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","Y","","","","",0,0,0);'>>set.rootuser
expand-template /root/.my.cnf
expand-template /var/service/mysqld/set.password
/usr/libexec/mysqld --bootstrap --user=mysql --skip-grant-tables < set.rootuser
/usr/libexec/mysqld --bootstrap --user=mysql --skip-grant-tables < set.password
sv u .

MariaDB/MySQL fails to start

you need to investigate the cause by inspecting two logs :

  • service log
journalctl -u mariadb
  • mariadb log
tail -f  /var/log/mariadb/mariadb.log

Corrupted user table

Your error in mariadb log will include

ERROR: 130  Incorrect file format 'user'

This could mostly occurs after a power outage. mysql.user table is a MYSIAM type

# ll /var/lib/mysql/mysql/user.*
-rw-rw---- 1 mysql mysql 10630  3 jui 21:08 /var/lib/mysql/mysql/user.frm
-rw-rw---- 1 mysql mysql   488  3 jui 21:08 /var/lib/mysql/mysql/user.MYD
-rw-rw---- 1 mysql mysql  2048  3 jui 21:08 /var/lib/mysql/mysql/user.MYI

In this case you might see user.MYD or user.MYI with 0 byte size. If the issue is on MYI this is the index you should be able to rebuild, if it is on the MYD, this is the data, you will need a backup to restore from.

as root, first start mariadb without grant table

systemctl stop mariadb
/usr/libexec/mysqld --defaults-file=/etc/my.cnf --basedir=/usr --datadir=/var/lib/mysql  --user=mysql --skip-grant-tables
  Warning:
be careful that mariadb will be running without any user auth, if it is open to outside of your server, then you might want to close this access first, and keep this session as short as possible


then use mysql command line

mysqlcheck mysql

if wound any error try

mysqlcheck mysql --repair

if it fails then you needs to do a restore. You might have a dump in /home/e-smith/db/mysql/mysql.dump. Wishing it is up to date. I suggest you to copy it and just extract the part for the table you are missing. You need what is under

--
-- Table structure for table `user`
--

and

--
-- Dumping data for table `user`
--

Considering your table dump is now in a file called /home/e-smith/db/mysql/mysql.user.dump, do

mysql mysql < /home/e-smith/db/mysql/mysql.user.dump
expand-template /var/lib/mysql/set.password
mysql mysql < /var/lib/mysql/set.password
mysqladmin shutdown
systemctl start mariadb


  Warning:
the line dumping the table mysql.user to the mariadb server will delete any existing entries in the table if you are using the default SME dump as it has a DROP TABLE IF EXISTS line. So do this only if you know what you are doing.


Access MariaDB/MySQL using port from the localhost and local network

MariaDB/MySQL on SME Server runs on a socket instead of on a port. MariaDB/MySQL on SME Server is by default configured to allow only localhost connections to improve security, this means that it is only accessible from the server itself and not from the local network nor from the internet. If you wish to enable local network access, execute the following commands on a SME Server shell as root (note access private is not needed as this is the default, and TCPPort 3306 neither as all ports are open to the LAN by default):


  Warning:
Keep in mind that by default MariaDB/MySQL is not using any kind of encryption unless you did work on that yourself, so any access to the port from the LAN will be as clear text and anyone on the LAN will be able to access to the password and all the data transferred between your server and the client. Refers to the manual of your database version.


config setprop mariadb LocalNetworkingOnly no
expand-template /etc/my.cnf
systemctl restart /service/mysqld
config setprop mysqld LocalNetworkingOnly no
expand-template /etc/my.cnf
sv t /service/mysqld

Access MySQL from a remote network

If you wish to enable access to MariaDB/MySQL databases from remote networks, then in addition to the LocalNetworkingOnly db setting mentioned above, you will need to execute the following commands:

config set mariadb service access public status enabled TCPPort 3306 
signal-event remoteaccess-update 
signal-event smeserver-mysql-update
config set mysqld service access public status enabled TCPPort 3306 
signal-event remoteaccess-update 
signal-event reboot

Keep in mind this enables access to your MariaDB/MySQL database for ANYONE, so make sure you have strong passwords on ALL your MariaDB/MySQL databases. Alternatively it would be a more secure approach to require external (remote) users to establish a VPN connection and effectively become part of the local network. In that case do not change the mysql access to public status using the above command.


  Warning:
Keep in mind that by default MariaDB/MySQL is not using any kind of encryption unless you did work on that yourself, so any access to the port from the WAN will be as clear text and anyone on the Internet will be able to access to the password and all the data transferred between your server and the client. Refers to the manual of your database version.


Create MariaDB/MySQL user(s) with access from other computers

SME Server's default MariaDB/MySQL database users, and most of the database examples in the wiki, allow login only from localhost.

If you want to access a MariaDB/MySQL database on your SME server from other computers, you must not only make the configuration changes described above, you must also create a user who is allowed to login from those systems (see 5.5.4. Access Control, Stage 1: Connection Verification for more detail).

Allow mysql login from any LAN workstation

Assuming your local network is 192.168.1.0, you can create a user with MariaDB/MySQL access from any LAN workstation (or VPN client) using the command shown below (courtesy of DarkMirage).

  Tip:
The suggestion here is to assign privileges based on IP number (using a wild card if desired), the same can also be done for hostnames. In some cases, like dynamicaly assgned IP addresses, this might be a more suitable and robust solution.


You probably want to change:

  • the database name (MyDB)
  • the user name (MyUser)
  • the password (MyPW) and
  • the allowed computers (192.168.1.%)
## In the command below, \ escapes a linebreak.
   ## Either include them, or place the entire command on one line
   mysql -e "\
   create database MyDB; \
   GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,ALTER \
   ON *.* \
   TO 'MyUser'@'192.168.1.%' \
   IDENTIFIED BY 'MyPW'; \
   FLUSH PRIVILEGES;"

Security Implications of allowing remote MariaDB/MySQL login

It is technically possible to combine the above techniques to allow remote MariaDB/MySQL login from any host on the Internet (allow network login, open the firewall, then set the network address to '%'). This would be a bad idea.

If you have remote users who need access to your MariaDB/MySQL database(s), encourage them to use a VPN connection, or an SSH tunnel, or (at a minimum), restrict the allowed login hosts to their internet IP address. On top of that, you are encouraged to enforce encrypted connection at the level of you MariaDB/MySQL service to avoid any clear text exchange on the LAN or worse on the Internet.

Enable InnoDB engine

  Warning:
Version 10 MySQL is provided by MariaDB which already has InnoDB as its default database engine


To enable the InnoDB engine, run the following commands:

db configuration setprop mysqld InnoDB enabled
expand-template /etc/my.cnf
sv t /service/mysqld

To disable the InnoDB engine, run the following commands:

db configuration setprop mysqld InnoDB disabled
expand-template /etc/my.cnf
sv t /service/mysqld

Administration

Information about user managament can be found in the MySQL User Account Management section of the MySQL manual, which holds a lot of useful information, a small section is listed here for convenience.

Create a new database

  • See the developers guide if you wish to automate the creation of a database within an rpm

or

  • Get access to the SME Server shell and issue the following commands:
mysqladmin create 'dbname' --default-character-set=utf8

This will create an empty database called dbname.


  Warning:
The 'root' user should not be permitted to access the database except from localhost. Each application should have its own database and its own user to access that database.


Creating MySQL user(s)

Decide which permissions you will have to give to the user on what database. Details about this can be found in the MariaDB/MySQL Manual found at the MariaDB/MySQL site. Get access to the SME Server shell and issue the following commands to login to the MySQL server:

mysql

Suppose we want to create a user which has read-only access on all tables in the database called 'test':

GRANT SELECT ON test.* TO 'user'@'host' IDENTIFIED BY 'password';

In the above line you will have to fill in the user and the host and/or domain from which you will allow the user access to the SME Server MariaDB/MySQL server (don't forget the single quotes). More information can be found in the MariaDB/MySQL Server Manual at the MariaDB/MySQL website linked here.

Listing available databases

To view a list of available databases on the system you can issue the following command while logged in in MariaDB/MySQL:

show databases;

Remove a database

Get access to the SME Server shell and MariaDB/MySQL and issue the following command:

drop database databasename;

Replace databasename with the name of the database.

Remove a user

Get access to the SME Server shell and MariaDB/MySQL and issue the following command:

USE mysql;
DELETE FROM user WHERE user = 'username';
FLUSH PRIVILEGES;

Replace username with the username you wish to delete.


  Tip:
mysql_setpermission is a command line menu driven utility that can assist in MySQL administration.


Optimizing MariaDB/MySQL default settings for SME 10

Here are the available settings from the configuration database to tweak you MariaDB service. If no default value indicated, please refers the the manual of your database version for its own default value:

key default Role
innodb_file_format barracuda
innodb_file_per_table 1
LocalNetworkingOnly no
OpenFilesLimit 0
MaxConnections
WaitTimeout
QueryCacheLimit
QueryCacheSize 1M
QueryCacheType 1
SortBufferSize
ReadRndBufferSize
TableOpenCache
TableOpenCacheInstances
TmpTableSize
MaxHeapTableSize
ThreadCacheSize 256
KeyBufferSize key_buffer_size
MyisamSortBufferSize myisam_sort_buffer_size
JoinBufferSize 262144
ReadBufferSize
MaxConnectErrors
ConnectTimeout 100
MaxAllowedPacket 16M
SlowQueries


to alter a value, just do

config set mariadb  KeyBufferSize 18M MyisamSortBufferSize 8M
expand-template /etc/my.cnf 
systemctl restart mariadb

if your needed option is not available then create a dedicated template custom. Be careful to use a name starting with a number between 016 and 039.

mkdir -p /etc/e-smith/templates-custom/etc/my.cnf/
vim /etc/e-smith/templates-custom/etc/my.cnf/017myvalues
expand-template /etc/my.cnf 
systemctl restart mariadb

Optimizing MariaDB/MySQL default settings for up to SME9

SME Server uses MariaDB/MySQL for the webmail package, and the default configuration is optimized for that.

If you are using the SME server to provide MariaDB/MySQL databases for functions running on workstations, you may need to adjust some of the default MariaDB/MySQL parameters. Keep in mind it is difficult to optimize MYSQL for a number of different applications, as default values that are suitable for one application may not be suitable for another. In determining appropriate settings for MariaDB/MySQL, you will also need to consider the system resources & general specification of the server that MariaDB/MySQL is running on.

Pointers for tuning and optimizing the databases can be found at http://www.mysqlperformanceblog.com/2006/09/29/what-to-tune-in-mysql-server-after-installation/ and http://lists.mysql.com/mysql/214398 and specifically re key_buffer_size at http://lists.mysql.com/mysql/214398

The following example comes from this forum thread http://forums.contribs.org/index.php/topic,46694.0.html and refers to this bug report http://bugs.contribs.org/show_bug.cgi?id=6287

To change the following parameters

key_buffer_size=18M
myisam_sort_buffer_size=8M

Create a custom template fragment & edit it to include your required parameters

mkdir -p /etc/e-smith/templates-custom/etc/my.cnf/
vim  /etc/e-smith/templates-custom/etc/my.cnf/016mysetup

Save & Exit

Ctrl o
Ctrl x

Expand the changes & restart mysql

expand-template /etc/my.cnf
sv t /service/mysqld

Check /etc/my.cnf to see that the changes are reflected.


Later versions of applications

Why does SME Server still not have PHP 5, MySql4, Apach2, xxx

SME Server 7.x is based on Centos 4.x which in term is based on RedHat Enterprise Linux 4.x. Since the development team is limited in person and time, all work is done in spare time, we do not have the time to implement such big changes and cope with the maintenance of such work.

Is xxx on SME Server still safe to run?

Yes, because security fixes and bug fixes are backported to the 4.x releases and they are propagated to the users as updates, for more information have a look at http://www.redhat.com/security/updates/backporting.

Can I install a later version of xxx

Yes, but you are then responsible for updates and possible conflicts with updates

For example see this page for PHP#PHP_5 PHP updates and warnings

Known Problems

  Note:
This section is to be used to document problems that cannot or will not be fixed through development of SME Server 7.

Please refer to the KnownProblems page