SME Server:Documentation:FAQ

Frequently Asked Questions

This Section lists Frequently Asked Questions (FAQ) for SME 7. Problems many people run into installing SME 7 for the first time or upgrading to later versions are found here.

If your question isn't listed here, it's possible it's a Rarely Asked Question (RAQ), in which case you'll be better off searching for answers in Bugzilla.

Installation troubles

Installer prompts for installation file location

Problems have been reported installing SME Server off a PATA CD-ROM drive. The system is able to boot from the CD-ROM drive but after that you get prompted by a message to specify the location where the installation image can be found. This might either mean that the disk is not readable or the CD-ROM drive is not recognized. If you have validated the disk and are sure that the disk passes you might try to add the all-generic-ide option to the boot prompt before starting the installer like this:

linux all-generic-ide

Yum Updates

Which repositories should be enabled

You should have the following repositories enabled (blue)

CentOS - os
CentOS - updates
SME Server - addons
SME Server - os
SME Server - updates.

DO NOT enable SME Server - updates testing which is considered beta, unless

  • it is a TEST server NOT a production server or
  • you want to be part of a bug-testing group.

Additionally

  • SME Server - test is considered alpha
  • SME Server - dev contains automatically built rpms. It contains lots of experimental, incomplete and mutually incompatible packages.

Warning:
If upgrading from a system prior to 7.1 update 1, i.e. a 7.1 CD install or earlier, you need to ensure you have the latest versions of the following rpms prior to applying the rest of the updates. This speeds up the install process and avoids updates from CentOS that may be ahead of the distribution.

yum update dbus dbus-glib smeserver-support smeserver-yum yum yum-plugin-fastest-mirror python-sqlite 
signal-event post-upgrade; signal-event reboot


Note:
A system installed from the SME 7.1 CD will have the 5 repositories above enabled. A system installed from the SME 7.0 iso and updated to 7.1 or later will only have the 3 SME Server repositories enabled. After updating from SME 7.0 to SME 7.1.x you should enable the CentOS - os & CentOS - updates repositories in server-manager.

Reconfigure / post-upgrade and reboot

  • When is a post-upgrade and reboot required?

The server manager yum installer has no way of determining whether any configuration files will change if all are re-expanded or to know which binaries have changed (or use libraries which have now changed) and therefore need to be restarted. The only safe option is to reconfigure and restart everything.

After clicking Reconfigure, check the Status message and confirm that the server actually reboots. In rare circumstances the reconfigure fails to trigger. If so, run the following:

signal-event post-upgrade; signal-event reboot

Updating from SME 7.x to SME 7.2

See Updating_to_SME_7.2#Yum_Update


General

  • Please Wait - Yum Running (prereposetup)

This means Yum is working out what updates are available. Occasionally, such as when large sets of updates are released, this could take 10+ minutes to complete.

  • Yum doesn't seem to be working correctly. What do I do now?

If for some reason you can't get yum to work correctly, try:

yum clean metadata
(or possibly: yum clean all)
yum update
  • Fix for 'Metadata file does not match checksum'

Typical error message

http://apt.sw.be/fedora/3/en/i386/dag/repodata/primary.xml.gz: 
[Errno -1] Metadata file does not match checksum Trying other mirror.
Error: failure: repodata/primary.xml.gz from dag: [Errno 256] No more mirrors to try.

To flush the upstream proxies using wget, run:

wget --cache=off http://apt.sw.be/fedora/3/en/i386/dag/repodata/filelists.xml.gz
wget --cache=off http://apt.sw.be/fedora/3/en/i386/dag/repodata/primary.xml.gz
wget --cache=off http://apt.sw.be/fedora/3/en/i386/dag/repodata/repomd.xml
yum update
  • An unclean shutdown during a system update can put the system into a state where it's difficult to recover.

Find all the duplicate rpms

rpm -qa | sort | less 

Then remove all the duplicate rpm's

rpm -e --nodeps rpmname

Install the newest rpms

yum install rpmname
signal-event post-upgrade; signal-event reboot
  • Where can I go to learn more about yum, and about how SME uses it?

Adding_Software , man yum, http://linux.duke.edu/projects/yum/

Adding, removing or disabling repositories

  • What is the recommended way to add other yum repositories

The following code uses the dag repository as an example and sets the status to disabled. The repository is configured to be used via the command line with the --enablerepo= option

db yum_repositories set dag repository \
Name 'Dag - EL4' \
BaseURL 'http://apt.sw.be/redhat/el4/en/$basearch/dag' \
EnableGroups no \
GPGCheck yes \
GPGKey http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt \
Visible no \
Exclude freetype,htop,iptraf,rsync,syslinux \
status disabled
  • How do I remove yum repositories
db yum_repositories delete repositoryname
expand-template /etc/yum.conf
  • How do I disable a repository to allow future use via command line with the --enablerepo= option
db yum_repositories repositoryname setprop status disabled
expand-template /etc/yum.conf

Other popular repositories

http://wiki.contribs.org/Category:Yum_Repository

Hardware Compatibility List

List of hardware known to have problems with SME Server

Maintaining a complete HCL is difficult; the following links give an indication of the hardware being used by SME Servers and upstream providers

Client Computers

  • Samba trust relationships lost?

This is a possible bug with an upgrade from SME6. After an upgrade, local workstations cannot log in. If you are experiencing this problem, please have a look at this bug for a fix, and provide followup: [1]


  • Windows XP Clients - Patch to logon to SME domain

This patch can be used when Windows XP clients won't be able to log on to the SME Server domain. The registry patch is located here: http://servername/server-resources/regedit/winxplogon.reg Double click on the winxplogon.reg file and the settings will be added to the Windows Registry.


  • How to disable password caching on Windows 95/98/ME/2000 Clients?

This patch can be used if you don't want Windows clients to remember password for shared folders on SME Server. The registry patch is located here: http://servername/server-resources/regedit/win98pwdcache.reg Just double click on the win98pwdcache.reg file and the settings will be added to the Windows Registry.

Note: Although the filename seems to indicate that this patch will only work for Windows 98, it also works in Windows 95, Windows ME and Windows 2000.


  • LDAP Directory Gives MAPI_E_CALL_FAIL Errors on Outlook 2002 or Outlook 2003

In Outlook 2002 or 2003 when someone tries to find a contact using the LDAP server, a message stating that "Unavailable critical extension" and then a second message saying "The search could not be completed. MAPI_E_CALL_FAIL" shows up and nothing shows up from the search. The directory works beautifully in Thunderbird 1.5 as well as Outlook 2000, but not 2002 or 2003. More information can be found here: [2] [3]


  • Where is the netlogon directory?

The netlogon directory is located on the SMESERVER at: /home/e-smith/files/samba/netlogon It can also be found by a client computer at: \\servername\netlogon

Web Applications

  • chmod 777

Using 777 is always wrong (despite the fact that many howtos recommend it). 0770 is sufficient, as long as www is a member of the group owning the directory, and is safer.

Use chown www /path/to/dir and preferably put your app in /opt/app, not in an ibay.
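
An added example (not part of the original FAQ, and not SME Server code): a POSIX shell audit that lists world-writable directories under an application tree, checks whether the web user belongs to the owning group, and tightens 0777 to 0770. The function names are hypothetical, and the default web user www is taken from the text above.

```shell
#!/bin/sh
# Added example, not SME Server code. Function names are hypothetical.
# Assumes directory names without embedded newlines.

# List every directory under $1 that carries the world-write bit (o+w).
world_writable_dirs() {
    find "$1" -type d -perm -0002 -print
}

# Succeed if user $2 is a member of the group that owns path $1.
# Numeric IDs are compared, so groups without a name are handled too.
web_user_in_owning_group() {
    owning_gid=$(ls -ldn "$1" | awk '{print $4}')
    for gid in $(id -G "$2" 2>/dev/null); do
        [ "$gid" = "$owning_gid" ] && return 0
    done
    return 1
}

# Print one finding per world-writable directory, with the fix that applies.
report() {
    webuser=${2:-www}
    world_writable_dirs "$1" | while IFS= read -r d; do
        if web_user_in_owning_group "$d" "$webuser"; then
            printf '%s: world-writable; 0770 is enough, %s is in the owning group\n' "$d" "$webuser"
        else
            printf '%s: world-writable; give %s group access first, then use 0770\n' "$d" "$webuser"
        fi
    done
}

# Remove all "other" permission bits from the flagged directories (0777 -> 0770).
tighten_dirs() {
    world_writable_dirs "$1" | while IFS= read -r d; do
        chmod o-rwx "$d"
    done
}

# Usage: sh audit.sh /opt/app [webuser]
if [ "$#" -ge 1 ]; then
    report "$1" "${2:-www}"
fi
```

Run report first and review its output; tighten_dirs only changes directories that report would have flagged.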

  • Generic Instructions for Installing a Web Application

http://wiki.contribs.org/Generic_WebApp_rpm

  • Wasn't mod_perl installed in previous versions? How do I install it?

It may have been, but it was not used so it is no longer included. If you do want to install it do the following:

Note: Commands in a Linux shell are case-sensitive; this means that Capital is not the same as capital.

 yum install mod_perl
 config setprop modPerl status enabled
 signal-event post-upgrade ; signal-event reboot

  • The directory structure is visible. How do I disable indexes in ibays?

SME Server 6.0, 6.0.1, and 6.5 all had the following for the ibays/html directory: "Options Indexes Includes". This means that indexes were allowed for html directories. In SME Server 7.0 this became a parameter, and it defaults to enabled for compatibility with SME Server releases before 7.0.

To disable indexes for an ibay in SME Server 7.0 do the following:

 db accounts setprop ibayname Indexes disabled
 signal-event ibay-modify ibayname

This issue was first reported here: [4]

  • I need to create (or install) a PHP application that needs access to the /tmp directory.
db accounts setprop ibayname PHPBaseDir /tmp/:/home/e-smith/files/ibays/ibayname/
signal-event ibay-modify ibayname

By default, PHP code in an ibay can only access files inside that ibay. The above commands additionally allow PHP code in the ibay to access the /tmp directory.

Here is a list of all the IBAY specific settings

Reset the root and admin password

1. Restart your server and at the beginning of the boot-up use the arrow keys to select the kernel you would like to boot into.

2. Press A to allow you to append parameters to your grub boot settings.

3. Be careful not to change anything; only add the following after pressing A (be sure to put a space before single):

  single

4. Press Enter. You will be presented with a prompt.

5. At this prompt type the following two commands (each followed by a return). You will be asked to provide a new password. Reset both your root and your admin password and set them to the same value:

 passwd root
 passwd admin

Reboot your server and everything should be okay now.


File Size Limitations

  • Apache, the web server can only transfer or show files under 2G
  • Backup to USB Disk

FAT32 only supports file size of <4GB. It is recommended that you format your external usb drives to ext3.


Domains

  • When I create a DOMAIN, I don't see anything listed in the HOSTNAMES AND ADDRESSES panel for that DOMAIN.

For a domain to be effective (for email or web), it needs to be configured as INTERNET DNS SERVERS (this is the default value). Since the domain resolves via INTERNET DNS SERVERS, no hostnames or addresses are created locally. For more info please visit the Administration Manual section regarding Domains: [5]


Virus Scanning

  • When you elect to nightly scan your server for viruses the current default is to scan /home/e-smith/files

Note that early SME 7 Servers defaulted to /.

You may also want to scan under /opt if you have contribs that store user data there.

The db command to set the scan area to the default is

config setprop clamav FilesystemScanFilesystems /home/e-smith/files

or, to scan different areas of the server,

config setprop clamav FilesystemScanFilesystems /home/e-smith/files,/opt
  • How do I exclude some directories from scanning

Set the db value to exclude more directories

The default

 config getprop clamav FilesystemScanExclude
/proc,/sys,/usr/share,/var

Change with

config setprop clamav FilesystemScanExclude /proc,/sys,/usr/share,/var,/home/e-smith/files/ibays

Proxy Pass

  • I want to pass some http requests to a server behind my SME Server or external to my site, how can I do this?

You can set a ProxyPass directive that will pass certain requests to an internal or external server that hosts the domain to be proxypassed:

db domains set proxypassdomain.com domain 
db domains setprop proxypassdomain.com Nameservers internet
db domains setprop proxypassdomain.com ProxyPassTarget http://xxx.xxx.xxx.xxx/
db domains setprop proxypassdomain.com TemplatePath ProxyPassVirtualHosts 
signal-event domain-create proxypassdomain.com

where proxypassdomain.com is the domain name hosted on the internal or external server and http://xxx.xxx.xxx.xxx/ is the IP address of the internal or external server, e.g. 192.168.1.20 or 122.456.12.171 (it must be the publicly accessible IP if an external server).

Note:
If you have added the internal or external server's domain name as a virtual domain on the SME Server, you must remove it prior to issuing these commands. The server-manager domains panel will show the proxy pass entry but you will not be able to edit it, see bugzilla:1612.

Shell Access

  • I need to give a user shell access to the SME Server.

Shell access should only be provided to users who have a *need* for it and can be trusted.

Before a user can have shell access Admin must enable ssh access at

server-manager -> Security -> Remote Access

You then enable shell access for a user by:

db accounts setprop username Shell /bin/bash
chsh -s /bin/bash username

Upgrading Server

  • What's the best way to upgrade to a new server ?

An article is written for this subject. Please visit: http://wiki.contribs.org/UpgradeDisk

Changing maximum Ibay, Account or Group name length

  • How do I change the default maximum (12 characters) name length of an I-Bay, account or group?

Enter the following commands on the console as root:

/sbin/e-smith/db configuration set maxIbayNameLength xx
/sbin/e-smith/db configuration set maxAcctNameLength xx
/sbin/e-smith/db configuration set maxGroupNameLength xx

where 'xx' is the new size e.g. 15.

Followed by:

/sbin/e-smith/signal-event console-save

Deletion of Users Ibays Groups

  • I can't delete & create a user for some reason. What do I do now?

If for some reason you can't delete & create a user, then first do:

signal-event user-delete <username>
db accounts delete <username>
  • I can't delete & create an ibay for some reason. What do I do now?

If for some reason you can't delete & create an ibay, then first do:

signal-event ibay-delete <ibayname>
db accounts delete <ibayname>
  • I can't delete & create a group for some reason. What do I do now?

If for some reason you can't delete & create a group, then first do:

signal-event group-delete <groupname>
db accounts delete <groupname>


  • I was looking in the home directory of a user and I see a hidden directory called ".junkmail". Do I need that? Can I delete it?

Don't remove or rename .junkmail folders.

Password Strength Checking

  • How can I change password strength & what do the strength settings mean?
Warning:
It is strongly advised not to set the password strength setting to none as this will lower the security of your server significantly.


Note:
The PAM module requires passwords to be at least 6 characters long, so setting a password that is shorter than that may cause other problems later. SME Server default settings enforce 7 character passwords.

The following settings are available to specify the password strength on SME Server:

Setting   Explanation
strong  - The password is passed through Cracklib for dictionary type word checking as well as requiring upper case, lower case, number, non alpha and a minimum length of 7 characters.
normal  - The password requires upper case, lower case, number, non alpha and a minimum length of 7 characters.
none    - The password can be anything as no checking is done.

Please note that "none" does not mean no password, it just means no password strength checking, so you can enter any (weak) password you want as long as it is at least 7 characters long.

To set password strength do:

config setprop passwordstrength Admin strengthvalue
config setprop passwordstrength Users strengthvalue
config setprop passwordstrength Ibays strengthvalue

where strengthvalue is one of the entries listed in the table above.

e.g.

config setprop passwordstrength Users normal

To review the current settings do:

config show passwordstrength

which should display something like:

passwordstrength=configuration
 Admin=strong
 Ibays=strong
 Users=strong

References:

  1. Old Bugtracker on SF.net: Sme7a22 - user passwords
  2. Bugzilla:161
  3. Bugzilla:2686


Hard Drives, RAID's, USB Hard Drives

  • How should I setup my hard-drives?

We never recommend anything other than a single disk install or multiple disks of the same type. Anything else and you are following an unrecommended setup and you will need to navigate for yourself. Repeat, we never recommend anything other than a single disk install or multiple disks of the same type. If you're thinking of doing anything else (setup your own partitions), read this section again.

  • How should I setup my RAID?

A full article on RAID is found here: Raid


  • I want to use a hardware RAID. What do you suggest?

Please see the notes in the RAID article: Raid#Raid_Notes


  • How do I recover an SME Server with lvm drives

A full article on the recovery method is found here: Recovering_SME_Server_with_lvm_drives


  • I'm installing a RAID 5 but it seems to take a long time. Is there something wrong?

RAID 5 systems (those with 3+ disks) can take a long time during and after the install for everything to sync. Reportedly, it takes almost 2 hours before the disks finally finish syncing on 4 X 80GB disks.


  • If I boot my SMESERVER with a USB hard drive attached, it recognizes the drive. However, after unplugging the drive, then replugging, it no longer exists. Any ideas why?

Reportedly, some external usb hd's must be completely powered up before connecting the usb cable.


  • If I boot my SMESERVER with a USB hard drive attached, it doesn't recognize the drive. Any workarounds for this?

Some USB drives need to be plugged twice into the server to be recognized.

Backups & Restores

  • AIT-1 Backup: buffer unreliable

An AIT-1 is unreliable if used with variable block size. Use this setting:

config setprop flexbackup TapeBlocksize 512

AIT-2, DAT and LTO seem to work well with variable block size.


  • Slow tape backup performance may be improved by changing Flex backup settings
config setprop flexbackup Blocksize 256
config setprop flexbackup BufferMegs 16


  • In the ADMIN CONSOLE, there is an option to BACKUP TO USB but there are no restore options.

The RESTORE option is only visible on a new install. If you missed this during install, you can run:

config set PasswordSet no
signal-event post-upgrade; signal-event reboot

During the reboot and reconfiguration process you should see the new restore via USB backup option.

-NOW plug in the USB drive (do not plug in the USB drive until you reach this point).
-pick YES or RESTORE (or whatever is presented to you)


Supervised Services

  • Many services on SME are supervised. To see which, type:
ps ax |grep runsv

To control them read the sv manual

man sv
  • It seems that "sv u httpd-e-smith" gives no errors, even if the service fails to restart, so you need to use "sv s httpd-e-smith" to check whether it failed (example: due to a httpd.conf error)

This is just the way that runsv (part of the runit package) works. The "sv u httpd-e-smith" command only sends a message to runsv saying that we want the service to be up. runsv will then keep trying to get the service running.


Server-Manager

  • I can't access the server-manager. What do I do now?

There are many reasons why you wouldn't be able to access the server-manager. First try:

signal-event post-upgrade;  signal-event reboot

If you still can't access it, there are reports that a certificate mismatch might have occurred after an update. In that case:

rm /home/e-smith/ssl.key/*.key
rm /home/e-smith/ssl.pem/*.pem
rm /home/e-smith/ssl.crt/*.crt
signal-event domain-modify; signal-event reboot


  • I used to access the SERVER-MANAGER with localhost:980 remotely via SSH tunnel and now I can't. What happened?

This feature was deprecated for a long time and finally removed in V7.2.

If you really want to use this then forward 443 to localhost:443 and then use https://localhost/server-manager/


  • Using a ssh client, the /server-manager login screen is difficult to read

The text is white, so you need to adjust your ssh client to use a dark background


  • I've renamed my server with the ADMIN CONSOLE. The old name appears under the SERVER-MANAGER, HOSTNAMES panel. It cannot be deleted as there are no MODIFY/REMOVE links.
-login to the shell console
-type: db hosts setprop <local.mycompany.local> static no
-go to the HOSTNAMES & ADDRESSES panel and you should be able to modify/remove the name

Booting with SMP kernel after upgrade to version 7.2 from CD

  • I've upgraded and now the SMP kernel isn't available.

This is because, when upgrading to 7.2 from CD, the kernel modules for SMP are missing if the output of "cat /proc/cpuinfo" does not show multiple processors. The SMP kernel, if not present, can be installed via yum using:

yum install kernel-smp kmod-ppp-smp kmod-slip-smp kmod-appletalk-smp
signal-event post-upgrade
signal-event reboot

Details: http://bugs.contribs.org/show_bug.cgi?id=3095

  • I'm getting a kernel panic after upgrade from CD. What do I do now?

When upgrading with a CD, the upgrade will rewrite the grub.conf file. As a result, any additional boot arguments (i.e. acpi=off) will be lost during upgrade. Please edit the grub.conf file.


Special Characters

  • I get strange characters & letters when I look at my file names.

If you get filenames that look like "éèÃ.txt", it's most likely because the SME server isn't understanding the special characters you may be using. You can change it to understand special characters in filenames by:

db configuration setprop smb UnixCharSet ISO8859-1
expand-template /etc/smb.conf
/etc/init.d/smb restart


Upstream proxy server configuration

  • How do I configure a mandatory upstream proxy server, there used to be a panel in earlier versions of sme server, but it's missing in sme7.x
config set SquidParent a.b.c.d
config set SquidParentPort nnn
signal-event post-upgrade
signal-event reboot

[The SquidParentPort setting is optional if the upstream proxy is on port 3128.]

From http://forums.contribs.org/index.php?topic=32998.msg140512#msg140512


Memory usage and limits

  • How much memory can sme server handle

SME server currently (v7.3) supports 16GB of RAM, with a maximum of 3GB per process. These limits can easily be increased to 64GB total and 4GB per process by installing and running the "hugemem" variant of the kernel.

  • Why does my sme server always seem to be using all the memory, there is no spare memory left

Utilities such as top or htop always report that all available memory is being used. The Linux OS is designed to utilise all available memory all of the time. If other processes require more memory then it is made available to those processes. Fully utilising all the available memory is a good thing as it optimises the performance of your server.

  • How can I tell if my sme server needs more memory

Watch the available swap memory usage, e.g. using top, htop or ps -aux. If swap memory usage regularly exceeds 50% of the available swap memory, then you should add more physical RAM to your system. Other indications that additional RAM is required are "out of memory" messages in log files, and the server at times becoming inactive for a period, often related to spam & virus scanning & high email loads.


Log Files

There are many log files produced by SME Server. Some are standard, some are generated by contributions. This page aims to bring together enough knowledge to understand what generates each log file, what they are for, and how to interpret them.

Access

Access to log files is available with the /server-manager:

http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter10#View_log_files
http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter10#Mail_log_file_analysis

You can also use shell access, eg, to perform more complex searches or manipulations.

Date Conversions

Most of the SME log files are created using D.J. Bernstein's multilog.

  • Multilog logs to a file named 'current' in a subdirectory named for the service
  • Multilog records time as an "@" followed by "a precise timestamp".
  • Multilog timestamps are converted to human-readable form automatically by 'View log files' referenced above.
  • At a shell prompt you can pipe multilog output through tai64nlocal to generate a human-readable time:
tail -f /var/log/qpsmtpd/current | tai64nlocal
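
An added example (not part of the original FAQ and not part of multilog): a POSIX shell decoder for the "@" timestamps, useful when reviewing copied log files on a machine without tai64nlocal. The function names are hypothetical, the first two sample lines are the qpsmtpd messages quoted elsewhere on this page, and the UTC formatting assumes GNU date.

```shell
#!/bin/sh
# Added example. Function names are hypothetical.
# A TAI64N label is "@" followed by 24 hex digits:
#   16 digits: seconds, stored as 2^62 + seconds since the epoch
#    8 digits: nanoseconds within that second

# Print "<unix_seconds>.<nanoseconds>" for one label; return 1 if malformed.
tai64n_to_epoch() {
    case $1 in
        @*) hex=${1#@} ;;
        *)  return 1 ;;
    esac
    [ "${#hex}" -eq 24 ] || return 1
    case $hex in
        *[!0-9a-fA-F]*) return 1 ;;   # non-hex character
        [4-7]*) ;;                    # 2^62 <= value < 2^63, safe for signed 64-bit math
        *) return 1 ;;
    esac
    sec_hex=$(printf '%.16s' "$hex")
    nano_hex=${hex#"$sec_hex"}
    # 4611686018427387914 = 2^62 + 10; tai64nlocal subtracts the same constant.
    secs=$(( 0x$sec_hex - 4611686018427387914 ))
    nanos=$(( 0x$nano_hex ))
    [ "$nanos" -lt 1000000000 ] || return 1
    printf '%d.%09d\n' "$secs" "$nanos"
}

# Rewrite each line on stdin so it starts with an ISO-8601 UTC time.
# Lines without a valid label pass through unchanged.
decode_log() {
    while IFS= read -r line; do
        label=${line%% *}
        if ts=$(tai64n_to_epoch "$label"); then
            # Assumption: GNU date, which accepts -d @SECONDS
            when=$(date -u -d "@${ts%.*}" '+%Y-%m-%dT%H:%M:%S')
            printf '%s.%sZ%s\n' "$when" "${ts#*.}" "${line#"$label"}"
        else
            printf '%s\n' "$line"
        fi
    done
}

# Two multilog lines quoted on this page, plus one constructed line with no label.
sample_log() {
    cat <<'EOF'
@400000004326e9472eccc42c 3243 trying to get config for spool_dir
@400000004326e9472ed518fc 3243 Permissions on spool_dir /var/spool/qpsmtpd/ are not 0700
constructed line without a timestamp
EOF
}

sample_log | decode_log
```

Unlike tai64nlocal, this prints UTC rather than the server's local time, which makes it easier to correlate entries across hosts.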

Some SME Server log files are still created using syslog or another process (not multilog). An example of this is the squid/access.log file. The following command will convert the times in a squid logfile to human-readable form:

tail -f /var/log/squid/access.log | perl -pe 's/^\d+\.\d+/localtime $&/e;'

Bugzilla:3432 is raised to have this incorporated in the server-manager view log files option.

Logfile Names

E-mail logfiles

qmail            - details mail distribution (to mailboxes and to other hosts via SMTP).
imap             - connections to the local imap folders
imaps            
pop3             - requests from users to collect mail from local server 
pop3s            
smtp-auth-proxy
maillog
qpsmtpd          - incoming SMTP connections
sqpsmtpd
clamav           - antivirus
clamd
freshclam        
spamd            - spam

HTTP logfiles

httpd
httpd-admin
squid
squid.run
qpdmtpd

System logfiles

messages
dnscache
iptables
iptraf
mysqld
nmbd
ntpd
oidentd
ppp
yum
tinydns
wan
vbox
cron
sshd
flexbackup
dhcpd
dhcpcd
dmesg
pppoe
pptpd
spooler
radius
radiusd
proftpd
raidmonitor
rpmpkgs
sa
samba
secure
rkhunter.log
boot.log
audit
anaconda.log
anaconda.syslog
lastlog

Error Messages

  • Log message regarding permissions on /var/spool/qpsmtpd/

You may see messages similar to this in your log file:

@400000004326e9472eccc42c 3243 trying to get config for spool_dir
@400000004326e9472ed518fc 3243 Permissions on spool_dir /var/spool/qpsmtpd/ are not 0700

They can be safely ignored. Clamav runs under a different user and needs read access to the spool area to avoid copying the file. [6]


  • I get messages that look like: (pam_unix)[31705]: session opened for user root by (uid=0)

Most likely these messages are coming from a package called SYSSTAT. The package was included in previous versions of SMESERVER but was removed from the final version of V7. If you see the messages, most likely you had a previous version and upgraded. SYSSTAT isn't needed unless you have a contrib package called SME7ADMIN.

You can safely remove the package by:
yum remove sysstat

Please note that these messages may be caused by other cron jobs (tasks that run automatically) or packages authenticating as root.

  • I get a message saying that: the RSA server certificate CommonName (CN)`servername.domainname.tld' does NOT match server name!

If you change the servername, you will be prompted to reboot. When you do, the SMESERVER will generate a certificate for the new servername-domainname combination and httpd.conf will now reference that new name. References to other virtual domains and hosts will generate warnings in the log.


  • I get: server squid[3145]: WARNING: Disk space over limit: 148412 KB 102400 KB.

This message is just log noise. The message is informational and squid takes care of the issue itself.


  • I get in the radius log: Info: Using deprecated naslist file. Support for this will go away soon.

This is just the radius daemon (a computer program that runs in the background, rather than under the direct control of a user) complaining about a file that exists in the directory. We don't use it.


  • I get in the clamd log: Error: cli_untar: only standard TAR files are currently supported

Clam (the antivirus portion of SMESERVER) has found a file type which it can't deal with, and so is telling you that it can't scan that file.

Nothing to be concerned about. The fix, if any arrives, will come from the Clam team if they determine this file format is worthy of their attention.


  • I get in the smeserver-clamscan.log: LibClamAV Warning: Multipart/alternative MIME message contains no boundary header.

This is just log noise. Clamav is scanning badly formatted MIME mail.


  • In the /var/log/messages, I get: 10fix_privilege_tables: ERROR

You can safely ignore these errors. The errors just mean that your tables are already up to date.


  • In the /var/log/messages, I get: rec_read bad magic....

You may also see it with

cat /var/log/samba/* |grep printing |grep 'rec_read bad magic'

You can delete /var/cache/samba/printing/<printer>.tdb files & restart samba.

rm /var/cache/samba/printing/<printer>.tdb
/etc/init.d/smbd restart


  • cannot remove /var/run/dovecot/login: is a directory

You may see this on system startup. It is just noise and doesn't affect anything.


  • I get:
rules: score undef for rule 'MISSING_SUBJECT' in  'MISSING_SUBJECT' at
/usr/lib/perl5/vendor_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line 2140.

Ignore the message. The warnings are just log noise. After a SPAMASSASSIN update, the rules have been added but don't have a score associated with them. So they will be treated as non-existent and result in an error message.


  • I get:
2008-02-21 23:42:51.106904500 ClamAV update process started at Thu Feb 21 23:42:51 2008
2008-02-21 23:42:51.108696500 WARNING: Your ClamAV installation is OUTDATED!
2008-02-21 23:42:51.108700500 WARNING: Local version: 0.92 Recommended version: 0.92.1
2008-02-21 23:42:51.108704500 DON'T PANIC! Read http://www.clamav.net/support/faq
2008-02-21 23:42:51.108708500 main.inc is up to date (version: 45, sigs: 169676, f-level: 21, builder: sven)
2008-02-21 23:42:51.523757500 ERROR: cdiff_apply: lseek(desc, -350, SEEK_END) failed
2008-02-21 23:42:51.523760500 ERROR: getpatch: Can't apply patch
2008-02-21 23:42:51.523764500 WARNING: Incremental update failed, trying to download daily.cvd
2008-02-21 23:42:52.322303500 WARNING: Mirror 193.1.193.64 is not synchronized.

or:

2008-02-22 00:44:14.874648500 Ignoring mirror 193.1.193.64 (due to previous errors)
2008-02-22 00:44:14.878360500 ERROR: Can't download daily.cvd from database.clamav.net
2008-02-22 00:44:14.879769500 Giving up on database.clamav.net...

Ignore the message. CLAMAV will fix itself on its own. The message is from CLAMAV saying it can't reach the updates. The messages will go away once they can be reached. Check Bugzilla:4002 and Bugzilla:3962

If you lose patience waiting for the messages to go away, you can execute the following commands:

cd /var/clamav/
mv mirrors.dat mirrors.dat.old
sv t /service/freshclam

RK Hunter Messages

Root Kit Hunter performs a daily check of your system. These are common warnings.

/etc/cron.daily/01-rkhunter

  • The following processes are using deleted files

xyz

  • Process '/sbin/XXX' (PID 3869) is listening on the network.

xyz

  • The SSH and rkhunter configuration options should be the same:

xyz

  • Warning: SSH protocol v1 has been enabled

Servers that have been upgraded to 7.3 from 5.5 give warnings that SSH protocol V1 is enabled.

If you know that you do not use SSH protocol V1 (not SSL!), then you can remove protocol 1 by doing:

config setprop sshd Protocol 2
signal-event remoteaccess-update

Email

Spam

Spamassassin

Spamassassin can be set to automatically delete junkmail. You can change the number of days after which spamassassin automatically deletes junkmail. To delete after two months:

db configuration setprop spamassassin MessageRetentionTime 60  
signal-event email-update 


The "Custom spam rejection level" will only work when "Spam sensitivity" is set to custom.

  1. Open server-manager.
  2. Click e-mail in the navigation pane (left-hand side).
  3. Click Change e-mail filtering settings.
  4. Change "Spam sensitivity" to custom and adjust the settings to your liking.

This happens because by default, no mail (except for viruses) gets rejected without the admin doing something first.

X-Spam-Level Header in Email Messages

SME does not create an X-Spam-Level header in processed email messages by default.

To enable this capability:

/usr/bin/yum install --enablerepo=smecontribs smeserver-qpsmtpd-spamassassinlevelstars
signal-event email-update

(Based on Bugzilla:3505)

Custom Rule Scores

You can customize the score assigned by a specific Spamassassin rule (SARE_ADULT2 in this case) as follows:

mkdir -p /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf
cd /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf
echo "score SARE_ADULT2 20.000" >> 20localscores
signal-event email-update

You can now add additional tests and custom scores by editing the newly-created template fragment 20localscores and adding new custom scores using:

pico -w /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/20localscores
signal-event email-update

Each custom score goes on its own line. If you enter a score surrounded by parentheses, the "custom" score will be added to the default score for the specified test (use score TEST_NAME (-1) to reduce the score for 'TEST_NAME' by 1).

You can remove these customizations using:

rm -f /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/20localscores
signal-event email-update

Real-time Blackhole List (RBL)

Enabling RBLs
RBLs are disabled by default to allow maximum accommodation (your ISP may be on an RBL and you may not know it). You can enable RBLs with:

config setprop qpsmtpd DNSBL enabled RHSBL enabled
signal-event email-update

You can view your RBLs with:

config show qpsmtpd

You can add to your RBLs with:

config setprop qpsmtpd RBLList <rbl-list-name>
signal-event email-update

Many will argue about what's best, but most would agree that you can set best-practice recommended settings with:

config setprop qpsmtpd RBLList zen.spamhaus.org:whois.rfc-ignorant.org:dnsbl.njabl.org
signal-event email-update

Note: More information on this topic can be found here: [7] [8]
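Because your own ISP's address may be on a list without your knowing it, it helps to see exactly what a DNSBL lookup asks for your external IP before enabling the lists. The following is an added example, not SME Server or qpsmtpd code: the function names and the documentation address 192.0.2.10 are assumptions, check_ip needs the `host` tool and DNS access, and the 127.255.255.x handling follows Spamhaus's published return codes.

```shell
#!/bin/sh
# Added example, not SME Server or qpsmtpd code.

# dnsbl_name IP ZONE -> prints the DNS name looked up for IP on a DNSBL:
# the IPv4 octets in reverse order, followed by the list's zone.
dnsbl_name() (
    ip=$1 zone=$2
    set -f                                    # no globbing while splitting
    case $ip in
        ''|*.|*[!0-9.]*) echo "bad IPv4 address: $ip" >&2; exit 2 ;;
    esac
    IFS=.
    set -- $ip
    [ $# -eq 4 ] || { echo "bad IPv4 address: $ip" >&2; exit 2; }
    for octet in "$@"; do
        case $octet in
            ''|????*) echo "bad IPv4 address: $ip" >&2; exit 2 ;;
        esac
        [ "$octet" -le 255 ] || { echo "bad IPv4 address: $ip" >&2; exit 2; }
    done
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
)

# classify_answer ADDRESS -> interprets the A record returned for that name.
classify_answer() {
    case $1 in
        '')            echo not-listed ;;   # no A record
        127.255.255.*) echo query-error ;;  # Spamhaus: query refused, not a listing
        127.*)         echo listed ;;
        *)             echo unexpected ;;   # not a DNSBL-style answer
    esac
}

# check_ip IP ZONE... -> one result line per zone (performs real DNS queries).
check_ip() {
    command -v host >/dev/null 2>&1 || { echo "host tool not installed" >&2; return 3; }
    ip=$1; shift
    for zone in "$@"; do
        name=$(dnsbl_name "$ip" "$zone") || return 2
        if out=$(host -t A "$name" 2>&1); then
            addr=$(printf '%s\n' "$out" | awk '/has address/ { print $NF; exit }')
            printf '%s %s\n' "$zone" "$(classify_answer "$addr")"
        else
            case $out in
                *NXDOMAIN*) printf '%s not-listed\n' "$zone" ;;
                *)          printf '%s lookup-failed\n' "$zone" ;;
            esac
        fi
    done
}

# Offline demo: names that would be queried for a constructed address
# against two lists named on this page.
for z in zen.spamhaus.org bl.spamcop.net; do
    dnsbl_name 192.0.2.10 "$z"
done
# With DNS access: check_ip <your external IP> zen.spamhaus.org bl.spamcop.net
```

A "query-error" or "lookup-failed" result says nothing about whether the address is listed; repeat the check through a resolver the list operator accepts.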

Server Only

Some of the spam filter rules cannot work unless the SMESERVER knows the external IP of the box. If you put a SMESERVER in server-only mode behind other firewalls, it will lose some of the anti-spam rules. One example is the rule that blocks attempts where spammers try "HELO a.b.c.d", where a.b.c.d is your external IP address.

Unfortunately, many admins believe that port-forwarding SMTP provides additional security. It doesn't; it limits the SMESERVER's ability to apply some rules.


I want to enable GreyListing

GreyListing support is under the covers and can easily be enabled for those who know what they are doing. However, many experienced users found that they spent more time looking after the greylisting configuration than they received in benefit.

Setup Blacklists & Bayesian Autolearning

(Much of what follows has been shamelessly copied from the Sonoracomm howto)

The default SME settings (as you can see here) do not include DNSBL filtering, spam rejection, or (which is not obvious from the above) bayesian filtering in spamassassin to allow spamassassin to learn from received email and improve over time.

The following command will enable the default blacklists, enable the bayesian learning filter and set thresholds for the bayesian filter.

config setprop spamassassin UseBayes 1
config setprop spamassassin BayesAutoLearnThresholdSpam 4.00
config setprop spamassassin BayesAutoLearnThresholdNonspam 0.10
expand-template /etc/mail/spamassassin/local.cf
sa-learn --sync --dbpath /var/spool/spamd/.spamassassin -u spamd
chown spamd.spamd /var/spool/spamd/.spamassassin/bayes_*
chown spamd.spamd /var/spool/spamd/.spamassassin/bayes.mutex
chmod 640 /var/spool/spamd/.spamassassin/bayes_* 
config setprop qpsmtpd DNSBL enabled
config setprop qpsmtpd RHSBL enabled
config setprop spamassassin status enabled
config setprop spamassassin RejectLevel 12
config setprop spamassassin TagLevel 4
config setprop spamassassin Sensitivity custom
signal-event email-update

These commands will:

  • enable spamassassin
  • configure spamassassin to reject any email with a score above 12
  • tag spam scored between 4 and 12 in the email header
  • enable bayesian filter
  • 'autolearn' as SPAM any email with a score above 4.00
  • 'autolearn' as HAM any email with a score below 0.10
  • enable RHSBL using the default SBLList. Note that rhsbl checking has been known to place a heavy burden on SME servers.
  • enable DNSBL using the default RBLList

The entire Sonoracomm howto from Google's text cache

  • The Sonoracomm HowTo has been a very well regarded set of instructions for SME mail server configuration for quite a while.
  • This section was created during an extended outage of the Sonoracomm web server (in 2007?)
  • The content below has been modified to include changes suggested in the bug tracker and forums.
  • These instructions are aimed mostly at configuring SME as the only mail server, not for using SME with an internal mail server. (Specifically, LearnAsSpam.pl is harder to configure when using an internal mail server - you would have to develop a method for getting the unmarked SPAM into an IMAP folder directly on the SME server itself. Not impossible, but difficult!)

SONORA COMMUNICATIONS, INC.

This is a quick configuration howto, not an in-depth look at SpamAssassin. Much more can be done beyond this document, but this will take a big dent out of your spam and free up CPU cycles on your server.

See 'More Information' at the end.

SpamAssassin

The following command will enable the default blacklists, enable the bayesian learning filter and set thresholds for the bayesian filter.

rpm -Uvh \
http://mirror.contribs.org/smeserver/contribs/\
michaelw/sme7/smeserver-spamassassin-features-0.0.2-0.noarch.rpm

This command will install the FuzzyOCR SA plugin designed to catch those nasty image-based spam messages.

yum -y --enablerepo=smeupdates-testing install FuzzyOcr

Server-Manager

Using the Server-Manager Configuration/E-Mail panel, adjust the settings to these reasonable

  • Virus scanning Enabled
  • Spam filtering Enabled
  • Spam sensitivity Custom
  • Custom spam tagging level 4
  • Custom spam rejection level 12
  • Sort spam into junkmail folder Enabled
  • Modify subject of spam messages Enabled

It is also recommended to block all executable content. To do so, select (highlight) all of the attachment types other than zip files (the last two).

Click Save.

How It Works

When receiving an incoming message, the server first tests for RBL and DNSBL listings, if enabled. If the sender is blacklisted, the message is blocked outright and SpamAssassin never sees it.

With this configuration, the spammiest messages, those marked as 12 or above, will be rejected at the SMTP level. Those spam messages marked between 4 and 12 will be routed to the users' (IMAP) junkmail folder. This is done so the users can check for false-positives, that is, valid messages that were classified as spam by SpamAssassin.

Users may check their junkmail folders for false-positives via webmail, or, if they are using an IMAP mail client, by simply checking the junkmail folder exposed by their mail client.

https://servername/webmail

Tweaking

The server will automatically delete old spam in the junkmail folders after 90 days. You can control the number of days old spam is kept with the following commands. Where 15 is the number of days you want to keep messages, do...

db configuration setprop spamassassin MessageRetentionTime 15
signal-event email-update
svc -t /service/qpsmtpd

then

config show spamassassin

If you think you are losing misclassified mail, adjust the Custom spam rejection level higher.

If too much spam is making it through to your inbox, carefully adjust the 'Custom spam tagging level' down. Many people use the level 4. Anything below that may result in false-positives. YMMV.

If too much spam is building up in your (IMAP) junkmail folder, adjust the 'Custom spam rejection level' down or change the number of days spam is kept in the junkmail folder before being automatically deleted by the server.

Bayesian (Learning) Filter

Install the LearnAsSpam.pl, (optional) mailstats and sa-update scripts, then configure nightly cron jobs like this:

cd /usr/bin
wget http://mirror.contribs.org/smeserver/\
contribs//bread/mailstats/LearnAsSpam.pl
wget http://mirror.contribs.org/smeserver/\
contribs//bread/mailstats/spamfilter-stats-7.pl
cd /etc/cron.d
wget http://mirror.contribs.org/smeserver/\
contribs//bread/mailstats/LearnAsSpam.cron
wget http://mirror.contribs.org/smeserver/\
contribs//bread/mailstats/mailstats.cron
cd /etc/cron.daily
wget http://mirror.contribs.org/smeserver/\
contribs//bread/mailstats/sa-update
chmod +x sa-update
/etc/rc.d/init.d/crond restart

Using an IMAP mail client, create a new folder called 'LearnAsSpam' (case sensitive). It can be created at the top level (like 'Inbox') or as a sub-folder. Create the folder for each user that will help train the Bayesian filter. Webmail will work fine for creating this folder, as well as for checking the junkmail (filtered mail or quarantine) folder.

If any spam messages make it past the filter and into your inbox, just move them into the LearnAsSpam folder. A nightly cron job will process them and delete them for you. This is how you train the Bayesian filter.

Testing

You can check the auto-learning statistics with this command. You will be able to note the accumulation of the spam tokens (or not). Note that the Bayesian filtering must receive 200 spam messages before it starts to function, so don't expect instantaneous results.

sa-learn --dump magic

You can check the spam filter log with this command:

tail -50 /var/log/spamd/current | tai64nlocal

If you ever see an error such as:

warn: bayes: cannot open bayes databases /etc/mail/spamassassin/bayes_* R/W: tie failed: Permission denied

try adjusting some permissions with these commands:

chown :spamd /var/spool/spamd/.spamassassin/*
chmod g+rw /var/spool/spamd/.spamassassin/* 

Whitelist and Blacklist

If mail comes in and it is misclassified as spam (and moved to the junkmail folder when that feature is enabled), you can add the sender to the whitelist so that future messages coming in from that sender are not filtered.

Conversely, you can add a spammer to the blacklist so you never see their spam again.

Add senders (or their entire domains) to the global whitelist (or blacklist) with commands similar to these (as root):

db spamassassin setprop wbl.global *@vonage.com White
db spamassassin setprop wbl.global *domain2.com White
db spamassassin setprop wbl.global badname@baddomain.com Black
db spamassassin setprop wbl.global *@verybaddomain.com Black
expand-template /etc/mail/spamassassin/local.cf
svc -t /service/spamd

You can enter multiple addresses/domains for both white and black lists in one command

db spamassassin setprop wbl.global name@domain.com White *domain2.com White *domain3.com Black
expand-template /etc/mail/spamassassin/local.cf
svc -t /service/spamd

You can view the lists with this command:

db spamassassin show

You can delete one or more entries from the white/blacklist using

db spamassassin delprop wbl.global name@domain.com *domain2.com
  • name@domain.com and *domain2.com must exactly match a value in the output from db spamassassin show to the left of the equals sign.
  • You do not need to specify White or Black when deleting entries.


Clam Antivirus

Update and check your Clam Antivirus with this command. This is normally done automatically every hour via cron.

freshclam -v

or

freshclam --debug

Verify hourly update checking by viewing the freshclam/current log file via the Server-Manager View Log Files panel.

Realtime Blackhole Lists and DNS Blacklists

To view the settings for the RBL and DNSBL, use this command:

config show qpsmtpd

If you followed the instructions above, both checks are enabled.

To see the log of these tests, use a command like:

tail /var/log/qpsmtpd/current | tai64nlocal 

To specify multiple RBLs, use a command like this:

config setprop qpsmtpd RBLList \
bl.spamcop.net,combined.njabl.org,dnsbl.ahbl.org,dnsbl-1.uceprotect.net,\
list.dsbl.org,multihop.dsbl.org,psbl.surriel.com,zen.spamhaus.org

Note: we have had trouble with the uceprotect.net level 2 list and sometimes remove it from the list as shown here.

To enable or disable both available lists, use something like:

config setprop qpsmtpd DNSBL enabled RHSBL enabled

To confirm any configuration changes and enact them:

signal-event email-update
svc -t /service/qpsmtpd

More Information

Introduction to Antispam Practices - here

Here is another great [9] howto.

Informative URLs:

perldoc Mail::SpamAssassin::Conf 

Last Updated ( Thursday, 21 June 2007 )

Email Clients

"concurrency limit reached" when using IMAP

This sometimes shows up as Thunderbird giving the error message "This Mail-server is not a imap4 mail-server".

To work around Thunderbird's limitations, change this Thunderbird setting to false:

  • Preferences, Advanced, Config editor (aka about:config): filter on tls.
  • set security.enable_tls to false

You can also increase the ConcurrencyLimitPerIP and/or ConcurrencyLimit value for imap and/or imaps (secure)

config setprop imap ConcurrencyLimitPerIP 20
config setprop imaps ConcurrencyLimitPerIP 20
signal-event post-upgrade; signal-event reboot

check

config show imap
tail -f /var/log/imap/current | tai64nlocal

More detail can be found here.

Mail server is not an IMAP4 mail server

This is a bug in Thunderbird; the previous tips may help.

The Bat

The Bat gives this error message, but they are wrong.
"This server uses TLS v3.0 which is considered to be obsolete and insecure. The server must use TLS v3.1 or above."


Outlook/Outlook Express give error 10060/0x800CCC90

Most likely OUTLOOK (EXPRESS) isn't configured correctly.

-open OUTLOOK
-click TOOLS > ACCOUNTS
-click CHANGE (on the right-hand side)
-find INCOMING MAIL SERVER & OUTGOING MAIL SERVER (on right-hand side)
-type: mail.yourdomain.tld (in both places)
-click MORE SETTINGS (on bottom-right)
-click OUTGOING SERVER tab (at the top)
-checkmark "MY OUTGOING SERVER REQUIRES AUTHENTICATION"
-bullet "USE SAME SETTINGS AS INCOMING MAIL SERVER"
-click ADVANCED tab (at the top)
-find OUTGOING SERVER
-checkmark "THIS SERVER REQUIRES A SECURE CONNECTION" (under outgoing server)
-change 25 to 465
-[possibly required, secure IMAP is 993]
-click OK > NEXT > FINISHED
-you're finished, your email should work now

Outlook test message doesn't come through

You clicked the TEST ACCOUNT SETTINGS in OUTLOOK didn't you? This is a bug in OUTLOOK. The test message sends a test email with 'no Date header'. As the name suggests, this means a message without any date. Since the server doesn't accept mail with 'no Date header' (because it's required) the message is rejected. To test, send an actual message from OUTLOOK.

If you want, you can try THUNDERBIRD. It's like OUTLOOK but made by a different company. It's completely free and works very well at home and at the office.

I can't receive/send email from my application (ACT!, vTiger, MS Outlook, etc)

Most likely, this is a bug in the application you're using and not a problem with the SMESERVER. The application sends an email with 'no Date header'. As the name suggests, this means a message without any date. Since the server doesn't accept mail with 'no Date header' (because it's required) the message is rejected.

As a workaround you can disable the check for the 'Date header'. To disable this check on the internal interface:

mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
echo "# 17check_basicheaders disabled by custom template" > \
17check_basicheaders
signal-event email-update

To disable this check for the external interface:

mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0
echo "# 17check_basicheaders disabled by custom template" > \
17check_basicheaders
signal-event email-update
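Before disabling the check, you can confirm that a missing header really is the cause by saving a message from the application and testing it. The following is an added example, not qpsmtpd code: it looks only for the From: and Date: headers that the plugin table on this page says check_basicheaders requires, and the function names and sample messages are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of qpsmtpd or SME Server).

# missing_basic_headers: reads one message on stdin and prints the names of
# the missing headers, space-separated, or nothing when both are present.
# Only the header block (everything before the first empty line) is examined,
# folded continuation lines are skipped, and names match case-insensitively.
missing_basic_headers() {
    awk '
        { sub(/\r$/, "") }              # tolerate CRLF line endings
        /^$/ { exit }                    # an empty line ends the header block
        /^[ \t]/ { next }                # continuation of the previous header
        {
            line = tolower($0)
            if (line ~ /^from[ \t]*:/) have_from = 1
            if (line ~ /^date[ \t]*:/) have_date = 1
        }
        END {
            out = ""
            if (!have_from) out = "From"
            if (!have_date) out = (out == "" ? "Date" : out " Date")
            print out
        }
    '
}

# Constructed sample: a client "test message" sent without a Date header.
# The Date: text in the body must not count as a header.
sample_no_date() {
    printf '%s\n' \
        'From: app@example.com' \
        'To: user@example.com' \
        'Subject: test' \
        '' \
        'Date: this line is body text, not a header'
}

# Constructed sample: complete headers, CRLF endings, a folded Subject.
sample_complete() {
    printf '%s\r\n' \
        'from: app@example.com' \
        'DATE: Fri, 22 Feb 2008 00:44:14 +0000' \
        'Subject: a folded' \
        ' subject line' \
        '' \
        'body'
}

for s in sample_no_date sample_complete; do
    m=$($s | missing_basic_headers)
    echo "$s: ${m:-nothing missing}"
done
# For a saved message: missing_basic_headers < message.eml
```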

After I upgrade my SME Server, my email folders have disappeared when using IMAP

After upgrade, if there are missing IMAP folders, the client may need to re-subscribe to folders. This may affect either webmail users or users who use an IMAP email client.

Entourage: Using SME's Self-Signed Certificate for SSL Connections from Entourage on OS X 10.4

The main problem here is that Microsoft has decided that Entourage will only support trusted, PEM Base-64 Encoded certificates. To use IMAPS or SMTPS from Entourage with your SME server, you will need to:

1. Login to your Mac as a user with administrative privileges

2. Open Safari and browse to https://smeserver/server-manager.  
   When you receive the warning about your certificate:
   - click on "Show Certificate"
   - click and drag the gold-rimmed image of a certificate to your desktop.  
   You will now have myserver.mydomain.tld.cer on your desktop.

3. Locate and open the Microsoft Cert Manager
   - "Import" the certificate you downloaded in step 2.

4. Highlight the imported certificate and "Export" it. 
   - Select the "PEM..." format
   - add "pem." to the beginning of the filename
   - export it to your Desktop

5. Double-click on the new pem.myserver.mydomain.tld.cer  
   - Apple's Keychain Access application will open.
   - Select the X509Anchors Keychain and click "OK"

6. While still in Apple's Keychain Access, select the "Certificates" category
   - Drag pem.myserver.mydomain.tld.cer into the certificates window.

You should now be able to connect to your SME from your Entourage using IMAPS.

If you are accessing your SME server using a different name than the one encoded in the certificate you will still receive a security warning from Entourage, but "OK" will now grant access to your folders.

Notes:

  • Procedure mostly taken from http://www.kerio.com/manual/kmsug/en/ch09s06.html
  • I still get various other IMAP errors due, I suspect, to the "concurrency limit reached" issue.
  • Click on "Show Keychains" in Apple's "Keychain Access" if you need to delete a certificate and try again.

Server Settings

Double bounce messages

To stop admin receiving double bounce messages:

config setprop qmail DoubleBounceTo someoneuser
signal-event email-update

Or just delete them. You risk losing legitimate double bounces (which are rare, but you want to look at them when they do occur)

config setprop qmail DoubleBounceTo devnull
signal-event email-update

See a longer explanation here

Keep a copy of all emails

You may need to keep a copy of all emails sent to or from your email server. This may be for legal, or other reasons.

The following instructions will create a new user account (maillog) and forward every email that goes through your SME server to it.

First, log onto the server-manager and create the user maillog

Go to the SME Command Line (logon as root) and issue the following commands:

config setprop qpsmtpd Bcc enabled
signal-event email-update

Optionally make the forwarding of the emails invisible to the end user. Without it, there will be an X-Copied-To: header in each email. Run this command before the signal-event

config setprop qpsmtpd BccMode bcc

If you want to view the emails, point your email client at the SME and log on as maillog.

Set max email size

Restrict the size of email messages that can pass through your mail server

config setprop qmail MaxMessageSize x
signal-event email-update

where x is in bytes, eg 6000000 = 6 MB

Add the admin user as an administrator for Horde

config setprop horde Administration enabled 
signal-event email-update

Large attachments not displaying in webmail

Due to limits set in the PHP configuration it might be that webmail will not display large attachments (see also bugzilla:3990). The following entries are related to the error and can be found in the log files:

/var/log/messages

Mar 13 00:00:12 box1 httpd: PHP Fatal error:  Allowed memory size of 33554432 bytes exhausted (tried to allocate 154 bytes) in /home/httpd/html/horde/imp/lib/MIME/Contents.php on line 173

/var/log/httpd/error_log

Allowed memory size of 33554432 bytes exhausted (tried to allocate 0 bytes)

The default MemoryLimit setting in PHP is 32M. The value can be changed using the commands below, replacing XX with the value you desire.

Note:
You can set the MemoryLimit any value you like but be sure to add the capital M as a suffix for Megabytes.
db configuration setprop php MemoryLimit XXM
expand-template /etc/php.ini
sv t httpd-e-smith

Disable mail to a user from an external network

Can be either a user, pseudonym or group

db accounts setprop groupname/username Visible internal
signal-event email-update

I can't receive mail at: user@mail.domain.tld

Add mail.domain.tld as a virtualdomain.

-login to SERVER-MANAGER
-click DOMAINS (on the left)
-click ADD
-type: mail.domain.tld

How do I find out who is logged into webmail and what IP number.

This is logged in /var/log/messages.

How do I enable smtp authentication for users on the internal network.

mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
cp /etc/e-smith/templates/var/service/qpsmtpd/config/peers/0/05auth_cvm_unix_local .
signal-event email-update

(note the "." at the end of the 3rd line)
Authentication for the local network will now follow the setting of config::qpsmtpd::Authentication

How do I disable SMTP relay for unauthenticated LAN clients

http://forums.contribs.org/index.php?topic=38797.msg176490#msg176490

  • Enable smtp authentication as shown above
  • Disable un-authenticated smtp relay for the local network(s) using:
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients
echo "# SMTP Relay from local network denied by custom template" >\
/etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80relayFromLocalNetwork
signal-event email-update
  • Configure your email clients to use smtps with authentication:

- change outgoing smtp port to 465 and select SSL
- enable Authentication against the outgoing mail server


Internet provider's port 25 is blocked: How to set an alternative port for the SMTP server

If your provider is blocking smtp port 25 on your internet connection but your hosting provider is offering an alternative port (or when using some relay service) you can simply set this alternative port by adding it to the 'Address of Internet provider's mail server' value in the 'E-mail delivery settings' screen of the server-manager like this:

<internet providers mail server name or ip-address>:<alternative port>

For example: mail.mydomain.com:587

How do I enable and configure a disclaimer in email messages

A disclaimer message can be added to the footer of all outgoing email messages.

The message can be the same for all domains or it can be different for all domains.

This functionality is part of sme7.2 release so make sure you have upgraded before doing this.

To create a general disclaimer for all domains on your sme server

config setprop smtpd disclaimer enabled
pico -w /service/qpsmtpd/config/disclaimer

Enter the required disclaimer text

To save & exit

Ctrl o
Ctrl x

To make the changes take effect

signal-event email-update


To create domain specific disclaimers, create separate domain based disclaimer text files

Delete the general (all domains) disclaimer file if you have already created it

rm  /service/qpsmtpd/config/disclaimer
config setprop smtpd disclaimer enabled
pico -w /service/qpsmtpd/config/disclaimer_domain1.com.au
pico -w /service/qpsmtpd/config/disclaimer_domain2.com
pico -w /service/qpsmtpd/config/disclaimer_domain3.org

Enter the required text in each disclaimer file

To save & exit

Ctrl o
Ctrl x

After making any changes remember to do

signal-event email-update


Note if you only wish to have a disclaimer for some domains, then only create a disclaimer text file for those domains


Note also the criteria for when a disclaimer is attached

(see http://bugs.contribs.org/show_bug.cgi?id=2648)

eg a disclaimer is added to internal to external messages but not internal to internal messages.

There are also various switches that can be applied

(see http://bugs.contribs.org/show_bug.cgi?id=2648).


To disable the disclaimer function for all domains on your sme server

config setprop smtpd disclaimer disabled
signal-event email-update


Email WBL server manager panel

There is a server manager contrib to allow GUI control of email white and black lists.

The panel allows easy configuration of functionality that is built into qmail, qpsmtpd and spamassassin. For more information, google for qmail & qpsmtpd, read the spamassassin section in this wiki article and see the default qpsmtpd plugin configuration.

Warning:
It is a test release, although it has been in use since Jan 2007 and appears functionally stable. To install do:
wget http://mirror.contribs.org/smeserver/contribs/dmay/smeserver/7.x/testing/smeserver-wbl/smeserver-wbl-0.0.1-a8.dmay.noarch.rpm 
rpm -Uvh smeserver-wbl*.rpm

There are two main sections, Reject and Accept, where you can control settings.

Reject - Black lists are used for rejecting e-mail traffic

 DNSBL status      - DNSBL is an abbreviation for "DNS blacklist". 
                     It is a list of IP addresses known to be spammers.
 RHSBL status      - RHSBL is an abbreviation for "Right Hand Side Blacklist". 
                     It is a list of domain names known to be spammers.
 qpsmtpd badhelo   - Check a HELO message delivered from a connecting host. 
                     Reject any that appear in badhelo during the 'helo' stage.
 qmail badmailfrom - Check envelope sender addresses. 
                     Reject any that appear (@host or user@host) in badmailfrom during the 'mail'           
                     stage.

Accept - White lists are used for accepting e-mail traffic

 Whitelists status           - White Lists: ACCEPT
 qpsmtpd whitelisthosts      - Any IP address listed in whitelisthosts will be exempted 
                               from any further validation during the 'connect' stage.
 qpsmtpd whitelisthelo       - Any host that issues a HELO matching an entry in whitelisthelo 
                               will be exempted from further validation during the 'helo' stage.
 qpsmtpd whitelistsenders    - Any envelope sender of a mail (@host or user@host) matching an 
                               entry in whitelistsenders will be exempted from further validation
                               during the 'mail' stage.
 spamassassin whitelist_from - Any envelope sender of a mail (*@host or user@host) matching an 
                               entry in whitelist_from will be exempted from spamassassin rejection.


After making any changes using this panel you must click both the Save and Update buttons, in order for changes to take effect.

External Access

Allow external IMAP mail access

There was a deliberate decision to remove non-SSL protected username/password services from the external interface.

To allow insecure IMAP access:

config setprop imap access public
signal-event email-update

But before you do this, try to use secure IMAP.
fixme: explain how

POP3 & webmail HTTP

I want to set my SMESERVER to allow POP3 (or webmail HTTP) but it's not an option, I only see POP3S (or webmail HTTPS).

The SMESERVER is secure by design. POP3 (or webmail HTTP) is viewed as inadequate security and removed as an option from a standard installation to encourage unknowing administrators to select the 'best practice' option: a secure connection with POP3S, IMAPS, or HTTPS.

You can still set your SMESERVER to allow POP3 settings by:

config setprop pop3 access public
signal-event email-update

Allow external pop3 access

Email settings > POP3 server access in SME 7.1 server-manager allows only pop3s protocol for clients outside the LAN. Some email clients (eg The Bat! v3.98.4) won't allow pop3s connections to SME 7.1 because of ssl version conflict. Until this is sorted out, a workaround is to hack SME to allow regular pop3 on the external interface using the following commands.

config setprop pop3 access public
signal-event email-update
svc -t /service/pop3s  

More information: bugzilla:2620

Imap

Folders with a dot in name

Email folder names that have a period ('.') in the folder name, will be split into sub-folders. e.g. folder name 'www.contribs.org' is created as

www
  contribs
        org

qpsmtpd

SME uses the qpsmtpd smtp daemon.

Official Description

qpsmtpd is a flexible smtpd daemon written in Perl. Apart from the core SMTP features, all functionality is implemented in small "extension plugins" using the easy to use object oriented plugin API.

qpsmtpd was originally written as a drop-in qmail-smtpd replacement, but now it also includes smtp forward, postfix, exim and maildir "backends".

qpsmtpd wiki: http://wiki.qpsmtpd.org


Default Plugin Configuration

SME uses the following qpsmtpd plugins to evaluate each incoming email.

SME maintains 2 distinct configurations: one for the 'local' networks (as defined in server-manager::Security::Local networks) and another for 'remote' networks (everyone else).

The default configuration of each plugin is indicated in the 'Default Status' column.

| Plugin | Purpose | Default Status |
|---|---|---|
| hosts_allow | Prohibit more than "InstancesPerIP" connections from any single host (change with 'config setprop smtp InstancesPerIP'). Allow or deny connections according to the contents of /var/service/qpsmtpd/config/hosts_allow. See hosts_allow SVN code for more details. | upcoming |
| peers | Allow different plugin configuration based on the sending computer's IP address. By default SME maintains different configurations for the local networks (in /var/service/qpsmtpd/config/peers/local) and for everyone else (in /var/service/qpsmtpd/config/peers/0) | enabled |
| logging/logterse | Allow greater logging detail using smaller log files | enabled |
| auth/auth_cvm_unix_local | Allow authenticated smtp relay | enabled (remote), disabled (local) |
| check_earlytalker | reject email from servers that talk out of turn | enabled (remote), disabled (local) |
| count_unrecognized_commands | reject email from servers that issue X invalid commands | enabled (remote), disabled (local) |
| bcc | bcc all email to a specific address for archiving | disabled |
| check_relay | Check to see if relaying is allowed (in case the recipient is not listed in one of SME's local domains) | enabled |
| check_norelay | Check to see if the sending server is specifically forbidden to relay through us. | enabled |
| require_resolvable_fromhost | Check that the domain listed in the sender's email address is resolvable | enabled (remote), disabled (local) |
| check_basicheaders | reject email that lacks either a From: or Date: header | enabled |
| rhsbl | Reject email if the sender's email domain has a reputation for disregarding smtp RFCs. | disabled (always disabled for local connections) |
| dnsbl | Reject email from hosts listed in your configured dnsbl servers | disabled |
| check_badmailfrom | Reject email where the sender address is listed in /var/service/qpsmtpd/config/badmailfrom | enabled |
| check_badrcptto_patterns | Reject email addressed to any address matching an expression listed in /var/service/qpsmtpd/config/badrcptto_patterns | enabled |
| check_badrcptto | Reject email addressed to any address listed in /var/service/qpsmtpd/config/badrcptto | enabled |
| check_spamhelo | Reject email from hosts that say 'helo ...' using a value in /var/service/qpsmtpd/config/badhelo | enabled |
| check_smtp_forward | If config show DelegateMailServer or db domains show <domainname> MailServer is set (telling SME to deliver email for all domains or just <domainname> to another server), check_smtp_forward will connect to the specified server and will reject the message outright if the internal mail server would also reject it. | disabled unless an internal mail server is configured. |
c