Koozali

By telleropnul, June 22, 2016

Apply settings

signal-event post-upgrade; signal-event reboot

Password strength

config setprop passwordstrength Users strong
config setprop passwordstrength Users normal
config setprop passwordstrength Users none
config setprop passwordstrength Ibays strong
config setprop passwordstrength Ibays normal
config setprop passwordstrength Ibays none

PHP settings

db configuration setprop php MaxExecutionTime 300
db configuration setprop php MemoryLimit 64M
db configuration setprop php UploadMaxFilesize 50M
db configuration setprop php PostMaxSize 60M
expand-template /etc/php.ini
/etc/init.d/httpd-e-smith restart

Contribs

yum --enablerepo=smecontribs install smeserver-roundcube
yum --enablerepo=smecontribs install smeserver-remoteuseraccess
yum --enablerepo=smecontribs install smeserver-awstats

iBays

db accounts setprop IBAYNAME AllowOverride All
db accounts setprop IBAYNAME FollowSymLinks enabled
signal-event ibay-modify IBAYNAME

‘AllowOverride All’ lets Apache read .htaccess files in the ibay (needed by WordPress, Joomla, ownCloud, Nextcloud).
‘FollowSymLinks’ lets Apache follow symbolic links; mod_rewrite also refuses to rewrite in a directory where this option is off, which is what the ‘Forbidden’ (403) errors are. Be aware that with FollowSymLinks on, any symlink created by someone with write access to html/ is served, even one pointing outside the ibay, so only enable it on ibays where you trust the people who can write there.

Whenever you see “RewriteEngine On” in a .htaccess file, you need to run the above commands.
“Options +FollowSymLinks” can also be placed in the .htaccess file itself (Apache only honours it there with AllowOverride All or AllowOverride Options), but once FollowSymLinks is enabled on the ibay this is neither necessary nor recommended:

Options +FollowSymLinks
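As an added example (not from the original page): a small script that finds the ibays whose .htaccess files contain an active RewriteEngine On, since those are exactly the ibays that need the two properties above, and prints the matching db commands. The directory tree is constructed under mktemp so it runs anywhere; on a real server the ibay root /home/e-smith/files/ibays is passed as the argument instead.

```shell
#!/bin/bash
# Added example, not part of the original page: list the ibays whose .htaccess
# files enable mod_rewrite, i.e. the ones that need AllowOverride All and
# FollowSymLinks enabled, and print the commands to fix them.

# Print the name of every ibay under $1 that has an active "RewriteEngine On"
# in some .htaccess below its html/ directory (commented-out lines are ignored).
ibays_needing_rewrite() {
    local root="$1" ibay
    for ibay in "$root"/*/; do
        ibay="${ibay%/}"
        [ -d "$ibay/html" ] || continue
        if find "$ibay/html" -type f -name .htaccess \
                -exec grep -qsiE '^[[:space:]]*RewriteEngine[[:space:]]+On' {} \; -print \
           | grep -q .; then
            basename "$ibay"
        fi
    done
}

# Emit the db/signal-event commands for each ibay found (setprop accepts
# several prop/value pairs at once, see the db usage further down the page).
print_fix_commands() {
    local name
    for name in $(ibays_needing_rewrite "$1"); do
        printf 'db accounts setprop %s AllowOverride All FollowSymLinks enabled\n' "$name"
        printf 'signal-event ibay-modify %s\n' "$name"
    done
}

# Constructed demo tree: i0001 has a WordPress-style .htaccess in a subdirectory,
# i0002 only has a commented-out directive, Primary has no .htaccess at all.
demo_root="$(mktemp -d)"
mkdir -p "$demo_root/Primary/html" "$demo_root/i0001/html/blog" "$demo_root/i0002/html"
printf '<IfModule mod_rewrite.c>\nRewriteEngine On\nRewriteBase /\n</IfModule>\n' \
    > "$demo_root/i0001/html/blog/.htaccess"
printf '# RewriteEngine On\nOptions -Indexes\n' > "$demo_root/i0002/html/.htaccess"

print_fix_commands "$demo_root"
```

Only i0001 is reported; the commented-out line in i0002 does not count, and Primary has nothing to override.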

Enable HTTPS for Primary iBay

db accounts show Primary
db accounts setprop Primary SSL enabled
db accounts show Primary
signal-event ibay-modify Primary

InnoDB

Nextcloud / ownCloud require the InnoDB storage engine to be enabled.

db configuration setprop mysqld InnoDB enabled
expand-template /etc/my.cnf
sv t /service/mysqld

phpMyAdmin

yum --enablerepo=smecontribs install smeserver-phpmyadmin
signal-event phpmyadmin-update
config show phpmyadmin
  access=private
  adminaccess=enabled
  multiaccess=disabled

If you want to change settings (NOT recommended: ‘public’ exposes the phpMyAdmin login, and with it every database password, to the Internet, whereas ‘private’ keeps it reachable from the local network only):

config setprop phpmyadmin access (private|public)
signal-event phpmyadmin-update

Remote Access

Use Server Manager ‘Remote Access’ or:

db configuration setprop sshd TCPPort 22|other
db configuration setprop sshd status enabled
db configuration setprop sshd PermitRootLogin yes|no
db configuration setprop sshd access public|private
db configuration setprop sshd PasswordAuthentication yes|no
/sbin/e-smith/signal-event remoteaccess-update

Moving the port does not hide the service from scanners; the settings that matter are PermitRootLogin and PasswordAuthentication. Once user remote access with SSH keys has been set up (next section), set both to “no” and run signal-event remoteaccess-update again. Until then leave access at private (LAN only) rather than public: an open sshd that still accepts passwords is the first thing password-guessing bots look for.
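The check a practitioner wants before flipping access to public, as an added example (not part of the original page): it reads text in the format that config show sshd prints (a key=type line followed by indented prop=value lines) and fails if access is public while root login or password authentication is still allowed. The two records below are constructed so the check runs offline; on the server pipe the real output in with config show sshd | sshd_audit.

```shell
#!/bin/bash
# Added example, not part of the original page: audit the sshd record before
# exposing SSH to the Internet.

# Print the value of one property from a "config show" record read on stdin.
show_prop() {   # usage: show_prop PROP < record
    awk -F= -v p="$1" '{ gsub(/^[ \t]+/, "", $1) } $1 == p { print $2; exit }'
}

# Exit 0 if sshd is safe to expose, 1 otherwise, printing what is wrong.
sshd_audit() {
    local rec status access root pw rc=0
    rec="$(cat)"
    status="$(printf '%s\n' "$rec" | show_prop status)"
    access="$(printf '%s\n' "$rec" | show_prop access)"
    root="$(printf '%s\n' "$rec" | show_prop PermitRootLogin)"
    pw="$(printf '%s\n' "$rec" | show_prop PasswordAuthentication)"
    if [ "$status" = "enabled" ] && [ "$access" = "public" ]; then
        if [ "$root" = "yes" ]; then
            echo "sshd: PermitRootLogin=yes while access=public"; rc=1
        fi
        if [ "$pw" = "yes" ]; then
            echo "sshd: PasswordAuthentication=yes while access=public (brute-forceable)"; rc=1
        fi
    fi
    [ "$rc" -eq 0 ] && echo "sshd: ok"
    return "$rc"
}

# Constructed records in "config show sshd" shape: one with root and password
# logins still allowed on a public port, one in the hardened target state.
weak_sshd='sshd=service
    PasswordAuthentication=yes
    PermitRootLogin=yes
    TCPPort=22
    access=public
    status=enabled'

hardened_sshd='sshd=service
    PasswordAuthentication=no
    PermitRootLogin=no
    TCPPort=22
    access=public
    status=enabled'

printf '%s\n' "$weak_sshd" | sshd_audit || true
printf '%s\n' "$hardened_sshd" | sshd_audit
```

The first record is rejected with two findings, the second passes; the same show_prop helper works on any record printed by config show or db accounts show.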

User Remote Access

Use Server Manager 'User Remote Access' to set SSH keys and login shell.

Sudo

db accounts setprop USERNAME Sudoer yes
signal-event user-modify USERNAME

PHP-SCL

/sbin/e-smith/db yum_repositories set remi repository \
Name 'Remi - EL6' \
BaseURL 'http://rpms.famillecollet.com/enterprise/6/remi/$basearch/' \
EnableGroups no \
GPGCheck yes \
GPGKey http://rpms.famillecollet.com/RPM-GPG-KEY-remi \
Visible yes \
Exclude mysql*,php-* \
status disabled
signal-event yum-modify

GPGCheck yes only protects you if the key itself is genuine: both the repository and the key are fetched over plain http here, so compare the fingerprint of the downloaded key (gpg --with-fingerprint RPM-GPG-KEY-remi) with the one Remi publishes before trusting packages from it.

Then run:

yum install smeserver-php-scl --enablerepo=smecontribs,remi,epel

Note:

You may get the following error:

Error: Package: gd-last-2.2.1-2.el6.remi.x86_64 (remi)
           Requires: libwebp.so.5()(64bit)

If so, one workaround is to install an older gd-last build and try again:

wget https://pulp.inuits.eu/collet/remi/x86_64/gd-last-2.1.1-2.el6.remi.x86_64.rpm
yum install gd-last-2.1.1-2.el6.remi.x86_64.rpm

Note that this pins gd-last to a version behind the one the repository asks for (2.1.1 versus 2.2.1) and fetches it from a host that is not Remi's own; check the package signature (rpm -K gd-last-2.1.1-2.el6.remi.x86_64.rpm) before installing it.

If you do not want to restart your server:

signal-event php-update; config set UnsavedChanges no

or

signal-event post-upgrade; signal-event reboot

PHP open_basedir + upload_tmp_dir

cat /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/95AddType00PHP2ibays
{
    my $status = $php{status} || 'disabled';
    if ($status eq 'enabled')
    {
        use esmith::AccountsDB;
        my $adb = esmith::AccountsDB->open_ro();
        foreach my $ibay ($adb->ibays)
        {
            local $dynamicContent = $ibay->prop('CgiBin') || 'disabled';
            if ($dynamicContent eq 'enabled')
            {
                $OUT .= "\n<Directory /home/e-smith/files/ibays/" . $ibay->key . "/html>\n";
                $OUT .= "    AddType application/x-httpd-php .php .php3 .phtml\n";
                $OUT .= "    AddType application/x-httpd-php-source .phps\n";

                # Set the sandbox within which PHP is confined to play
                my $basedir = $ibay->prop('PHPBaseDir')
                    || ("/home/e-smith/files/ibays/" . $ibay->key . "/");
                # $OUT .= "    php_admin_value open_basedir $basedir\n";
                $OUT .= "    php_admin_value open_basedir $basedir".":/tmp:/usr/share/pear\n";
                $OUT .= "    php_admin_value upload_tmp_dir $basedir"."html/tmp\n";
                $OUT .= "</Directory>\n";
            }
        }
    }
}


expand-template /etc/httpd/conf/httpd.conf
/etc/init.d/httpd-e-smith restart

The directory named in upload_tmp_dir must exist and be writable by the web server, or uploads will fail. Because html/tmp sits inside the document root, deny web access to it (a .htaccess there containing “Deny from all” works once AllowOverride is enabled for the ibay) so that temporary upload files cannot be fetched by URL.

grep upload /etc/httpd/conf/httpd.conf

    php_admin_value upload_max_filesize 100M
    php_admin_value upload_tmp_dir /var/lib/phpMyAdmin/tmp
    php_admin_value upload_tmp_dir /home/e-smith/files/ibays/Primary/html/tmp
    php_admin_value upload_tmp_dir /home/e-smith/files/ibays/i0001/html/tmp
    php_admin_value upload_tmp_dir /home/e-smith/files/ibays/i0002/html/tmp

grep basedir /etc/httpd/conf/httpd.conf

    php_admin_value open_basedir /usr/share/php:/usr/share/phpMyAdmin:/etc/phpMyAdmin:/var/lib/phpMyAdmin
    php_admin_value open_basedir /home/e-smith/files/ibays/Primary/:/tmp:/usr/share/pear
    php_admin_value open_basedir /home/e-smith/files/ibays/i0001/:/tmp:/usr/share/pear
    php_admin_value open_basedir /home/e-smith/files/ibays/i0002/:/tmp:/usr/share/pear
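An added check (not from the page and not part of SME Server) for the custom template above: PHP refuses to create an upload temporary file outside open_basedir, so each ibay's upload_tmp_dir must lie inside one of that ibay's open_basedir entries, otherwise uploads fail with an open_basedir restriction error. The script parses httpd.conf text of the shape shown above; the two fragments are constructed, one matching the page's output and one with a misplaced upload_tmp_dir. On the server: check_upload_tmp_in_basedir < /etc/httpd/conf/httpd.conf

```shell
#!/bin/bash
# Added example, not part of the original page: verify that every <Directory>
# block's upload_tmp_dir lies inside that block's own open_basedir.

# Reads httpd.conf text on stdin, prints one line per violating block,
# exits 1 if any block violates the rule and 0 otherwise.
check_upload_tmp_in_basedir() {
    awk '
    /^[ \t]*<Directory / { dir = $2; sub(/>$/, "", dir); basedir = ""; tmpdir = "" }
    /php_admin_value[ \t]+open_basedir/   { basedir = $3 }
    /php_admin_value[ \t]+upload_tmp_dir/ { tmpdir = $3 }
    /^[ \t]*<\/Directory>/ {
        if (tmpdir != "" && basedir != "") {
            ok = 0
            n = split(basedir, parts, ":")
            for (i = 1; i <= n; i++) {
                p = parts[i]
                # compare whole path components, so /tmp does not match /tmpfoo
                if (substr(p, length(p)) != "/") p = p "/"
                if (index(tmpdir "/", p) == 1) ok = 1
            }
            if (!ok) {
                print dir ": upload_tmp_dir " tmpdir " is outside open_basedir " basedir
                bad = 1
            }
        }
    }
    END { exit (bad ? 1 : 0) }'
}

# Constructed fragment matching the output shown above: both blocks are fine.
good_conf='<Directory /home/e-smith/files/ibays/Primary/html>
    AddType application/x-httpd-php .php .php3 .phtml
    php_admin_value open_basedir /home/e-smith/files/ibays/Primary/:/tmp:/usr/share/pear
    php_admin_value upload_tmp_dir /home/e-smith/files/ibays/Primary/html/tmp
</Directory>
<Directory /home/e-smith/files/ibays/i0001/html>
    php_admin_value open_basedir /home/e-smith/files/ibays/i0001/:/tmp:/usr/share/pear
    php_admin_value upload_tmp_dir /home/e-smith/files/ibays/i0001/html/tmp
</Directory>'

# Constructed fragment with the mistake the check is for: upload_tmp_dir points
# at /var/tmp, which is not in open_basedir, so uploads in i0002 would fail.
bad_conf='<Directory /home/e-smith/files/ibays/i0002/html>
    php_admin_value open_basedir /home/e-smith/files/ibays/i0002/:/tmp:/usr/share/pear
    php_admin_value upload_tmp_dir /var/tmp/i0002
</Directory>'

printf '%s\n' "$good_conf" | check_upload_tmp_in_basedir && echo "good_conf: ok"
printf '%s\n' "$bad_conf"  | check_upload_tmp_in_basedir || echo "bad_conf: rejected"
```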

Copy Maildir between users

Copying a user's Maildir means copying the hidden folders too: IMAP folders are stored as dot-directories (.Sent, .Drafts, …) that a plain Maildir/* glob skips. If you move between servers, you probably want an archive. Do not try to catch the hidden entries with Maildir/.*: that pattern also matches . and .., so the archive would pull in the parent directory. zip -r given the directory name descends into the dot-entries by itself:

Syntax:
zip -r zipfile directory

Example:
zip -r myfile.zip Maildir

Don’t forget to export and import address book contacts manually.
Don’t forget that sometimes folders have a slightly different name (“.Sent” versus “.sent-items”), and that after unpacking the files must be owned by the receiving user.
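As an added example (not from the page): archive a Maildir with tar, which picks up the dot-folders when given the directory name and, unlike zip, preserves ownership and permissions; restore it into a second account; rename a folder whose name differs between servers; and list the hidden folders to confirm they arrived. The Maildir and both account directories are constructed under mktemp so it runs without real mailboxes; the final chown to the receiving user is left as a comment because the demo does not run as root.

```shell
#!/bin/bash
# Added example, not part of the original page: move a Maildir between
# accounts with its hidden IMAP folders intact.

make_demo_maildir() {   # constructed Maildir: INBOX plus two dot-folders
    local base="$1"
    mkdir -p "$base/Maildir/cur" "$base/Maildir/new" "$base/Maildir/tmp" \
             "$base/Maildir/.Drafts/cur" "$base/Maildir/.sent-items/cur"
    echo "inbox message" > "$base/Maildir/cur/1.msg"
    echo "sent message"  > "$base/Maildir/.sent-items/cur/2.msg"
}

# Archive the directory by name: tar recurses into dot-entries by itself, so no
# "Maildir/.*" glob (which would also match ".." and pull in the parent) is needed.
archive_maildir() {   # usage: archive_maildir /home/e-smith/files/users/alice out.tgz
    tar -C "$1" -czf "$2" Maildir
}

# Unpack into the receiving account and normalise a folder name that differs
# between servers (".sent-items" on the source, ".Sent" on the destination).
# On the real server finish with chown -R to the receiving user (not done here,
# the demo does not run as root).
restore_maildir() {   # usage: restore_maildir out.tgz /home/e-smith/files/users/bob
    mkdir -p "$2"
    tar -C "$2" -xzf "$1"
    if [ -d "$2/Maildir/.sent-items" ] && [ ! -d "$2/Maildir/.Sent" ]; then
        mv "$2/Maildir/.sent-items" "$2/Maildir/.Sent"
    fi
}

hidden_folders() {   # the dot-folders directly under Maildir, sorted
    find "$1/Maildir" -mindepth 1 -maxdepth 1 -type d -name '.*' -exec basename {} \; | sort
}

src="$(mktemp -d)"
dst="$(mktemp -d)"
make_demo_maildir "$src"
archive_maildir "$src" "$src/alice-maildir.tgz"
restore_maildir "$src/alice-maildir.tgz" "$dst"
hidden_folders "$dst"
```

The listing shows .Drafts and .Sent in the destination; the message that was in .sent-items is now under .Sent/cur.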

SSL – Single Certificate (skip this and go to the Let’s Encrypt section)

Important: Koozali does not support multiple SSL certificates.  You can only install a single SSL certificate.  If you host multiple web sites, you may want to consider a multi-domain single certificate.

Do not install:

yum install smeserver-certificate --enablerepo=stephdl

Reset all SSL certificates to factory default:

rm /home/e-smith/ssl.crt/*
rm /home/e-smith/ssl.key/*
rm /home/e-smith/ssl.pem/*
signal-event post-upgrade
signal-event reboot

Configure SSL certificate manually:

rm /home/e-smith/ssl.crt/*
rm /home/e-smith/ssl.key/*
rm /home/e-smith/ssl.pem/*
cp server.domain_com.crt /home/e-smith/ssl.crt/
cp server.domain_com.ca-bundle /home/e-smith/ssl.crt/
cp server.domain_com.key /home/e-smith/ssl.key/

Update SSL config:
config setprop modSSL crt /home/e-smith/ssl.crt/server.domain_com.crt
config setprop modSSL CertificateChainFile /home/e-smith/ssl.crt/server.domain_com.ca-bundle
config setprop modSSL key /home/e-smith/ssl.key/server.domain_com.key

Test SSL config:
config show modSSL
modSSL=service
    CertificateChainFile=/home/e-smith/ssl.crt/server.domain_com.ca-bundle
    TCPPort=443
    access=public
    crt=/home/e-smith/ssl.crt/server.domain_com.crt
    key=/home/e-smith/ssl.key/server.domain_com.key
    status=enabled

Apply changes:
signal-event post-upgrade
signal-event reboot
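Checks to run on the three files before the cp and setprop steps above, as an added example (not from the page and not part of SME Server): the private key must belong to the certificate, the certificate must verify against the CA bundle, and it should not be about to expire; otherwise Apache either refuses to start or starts with a certificate browsers reject. The demo generates a throw-away self-signed certificate and an unrelated second key with openssl so it runs without a real certificate; with a real one pass the .crt, .key and .ca-bundle files.

```shell
#!/bin/bash
# Added example, not part of the original page: pre-flight checks for a
# certificate, its key and its chain before they are installed.

# 0 if the key's public half is identical to the public key in the certificate.
cert_matches_key() {   # usage: cert_matches_key server.domain_com.crt server.domain_com.key
    local c k
    c="$(openssl x509 -in "$1" -noout -pubkey)" || return 2
    k="$(openssl pkey -in "$2" -pubout)"        || return 2
    [ "$c" = "$k" ]
}

# 0 if the certificate verifies with the bundle as its trust store.
cert_chain_ok() {   # usage: cert_chain_ok server.domain_com.crt server.domain_com.ca-bundle
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 if the certificate is still valid for at least $2 more days.
cert_valid_for_days() {   # usage: cert_valid_for_days server.domain_com.crt 30
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Run all three and report; exit status is 0 only when everything passes.
preflight() {   # usage: preflight crt key ca-bundle
    local rc=0
    cert_matches_key "$1" "$2"  && echo "key matches certificate" || { echo "KEY DOES NOT MATCH CERTIFICATE"; rc=1; }
    cert_chain_ok "$1" "$3"     && echo "chain verifies"          || { echo "CHAIN DOES NOT VERIFY"; rc=1; }
    cert_valid_for_days "$1" 14 && echo "valid for 14+ days"      || { echo "EXPIRES WITHIN 14 DAYS"; rc=1; }
    return "$rc"
}

# Constructed test material: a 30-day self-signed certificate (so the bundle is
# the certificate itself) and a second key that does not belong to it.
work="$(mktemp -d)"
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=server.domain.com" \
    -keyout "$work/server.domain_com.key" -out "$work/server.domain_com.crt" >/dev/null 2>&1
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$work/other.key" >/dev/null 2>&1

preflight "$work/server.domain_com.crt" "$work/server.domain_com.key" "$work/server.domain_com.crt"
preflight "$work/server.domain_com.crt" "$work/other.key" "$work/server.domain_com.crt" || true
```

The first preflight passes; the second reports the key mismatch, which is the classic mistake of copying a .key from a previous request into ssl.key.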

SSL – Multi domain certificate using Let’s Encrypt

https://wiki.contribs.org/Letsencrypt

WordPress HTTP to HTTPS

Note that WordPress stores its site URL and many links as absolute URLs, not relative(!). If you change the site from HTTP to HTTPS you have to rewrite those URLs in the database, but a plain search-and-replace on a dump is risky: a number of options and metadata values are stored PHP-serialized with the string length embedded (s:19:"http://yoursite.com"), and http:// → https:// is one character longer, which corrupts them. Use a serialization-aware replacement (WP-CLI’s wp search-replace does this) rather than a text editor on the dump.

If you get FORBIDDEN errors when accessing web pages, make sure the ibay has FollowSymLinks enabled so that the WordPress .htaccess rewrite rules are allowed to run:

.htaccess

Koozali (SME server) by default does not allow loading of .htaccess files as this is considered insecure.

To have Apache allow loading of .htaccess files in an ibay, use the following command:

db accounts setprop IBAYNAME AllowOverride All
signal-event ibay-modify IBAYNAME

Next, we can change the Permalinks setting in WordPress from “Plain” (http://yoursite.com/?p=123) to “Post-name” (http://yoursite.com/sample-post).

However, on Koozali (SME Server) Apache has two options disabled by default that must be enabled for URL rewriting (= “Post-name” permalinks) to work:

Options +FollowSymLinks
RewriteEngine On

The .htaccess file generated by WordPress looks something like this:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

We can simply add the two required instructions like so:

# BEGIN WordPress
<IfModule mod_rewrite.c>
Options +FollowSymLinks
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

It is recommended to set the file's permissions to 640 (-rw-r----- owned by admin, group shared) so that WordPress, which writes as the web server user, can read .htaccess but cannot overwrite it whenever the Permalinks setting is (accidentally) changed.

db

# /sbin/e-smith/db --help
usage:
/sbin/e-smith/db dbfile keys
/sbin/e-smith/db dbfile print [key]
/sbin/e-smith/db dbfile show [key]
/sbin/e-smith/db dbfile get key
/sbin/e-smith/db dbfile set key type [prop1 val1] [prop2 val2] …
/sbin/e-smith/db dbfile setdefault key type [prop1 val1] [prop2 val2] …
/sbin/e-smith/db dbfile delete key
/sbin/e-smith/db dbfile printtype [key]
/sbin/e-smith/db dbfile gettype key
/sbin/e-smith/db dbfile settype key type
/sbin/e-smith/db dbfile printprop key [prop1] [prop2] [prop3] …
/sbin/e-smith/db dbfile getprop key prop
/sbin/e-smith/db dbfile setprop key prop1 val1 [prop2 val2] [prop3 val3] …
/sbin/e-smith/db dbfile delprop key prop1 [prop2] [prop3] …

Being verbose you would do:
# /sbin/e-smith/db /home/e-smith/db/configuration setprop qpsmtpd RBLList blah,blah,blah
# /sbin/e-smith/db /home/e-smith/db/configuration setprop qpsmtpd SBLList blah,blah,blah
# /sbin/e-smith/signal-event email-update

In shorthand you could do:
# config setprop qpsmtpd RBLList blah,blah,blah SBLList blah,blah,blah
# signal-event email-update

My recommendation: learn the verbose form. For quick command-line entries the shorthand is faster for us lazy typists, but when you move on to writing scripts (see the Development documentation), use Perl and the provided Perl db interfaces found here:

/usr/lib/perl5/site_perl/esmith

Spam

Real-time Blackhole List (RBL)

Enabling RBLs
RBLs are disabled by default to accommodate as many senders as possible (your ISP may be on an RBL and you may not know it). You can enable them with:

config setprop qpsmtpd DNSBL enabled RHSBL enabled
signal-event email-update

You can see your RBL’s by:

config show qpsmtpd

You can change your RBLs by:

config setprop qpsmtpd RBLList <rbl-list-name>
signal-event email-update

Note that setprop replaces the whole value rather than appending to it, so to add a zone give the complete comma-separated list (for example zen.spamhaus.org,bl.spamcop.net).

Many will argue about what is best; some say the SME defaults are too aggressive and affect some popular free webmail providers, but most would agree that a stable, conservative and non-aggressive setting is:

config setprop qpsmtpd RBLList zen.spamhaus.org
signal-event email-update

Make sure the server resolves these names through its own resolver: Spamhaus answers queries that arrive through public resolvers (8.8.8.8, 1.1.1.1 and the like) with error codes in 127.255.255.0/24 rather than with listings.

A conservative setting for the domain-based SBLList, which is what RHSBL uses (see below), is:

config setprop qpsmtpd SBLList dbl.spamhaus.org
signal-event email-update

What does it all mean

DNSBL = DNS-based Block List. Looks up the IP address of the connecting mail server in the zones listed in RBLList (IP-based lists such as zen.spamhaus.org).
RHSBL = Right Hand Side Block List. Looks up everything to the right of the @ in the sender address, i.e. the domain name, in the zones listed in SBLList (domain-based lists such as dbl.spamhaus.org). Despite its name, SBLList has nothing to do with the Spamhaus SBL, which is an IP list and belongs in RBLList.

My current configuration

config show qpsmtpd

Note all values are comma separated!

qpsmtpd=service
    Bcc=disabled
    BccMode=cc
    BccUser=maillog
    DNSBL=enabled
    LogLevel=6
    MaxScannerSize=25000000
    RBLList=zen.spamhaus.org
    RHSBL=enabled
    RelayRequiresAuth=enabled
    SBLList=dbl.spamhaus.org,dnsbl.sorbs.net
    TlsBeforeAuth=1
    UBLList=multi.surbl.org:8-16-64-128,black.uribl.com,rhsbl.sorbs.net
    URIBL=disabled
    access=public
    qplogsumm=disabled
    status=enabled

URIBL

The URIBL plugin works a bit like RHSBL, except that it checks the domain names found in URLs in the body of the email. For each URI identified, the corresponding domain name is looked up in a block list (through DNS queries). Two settings are available:

  • URIBL (enabled|disabled): default is disabled. Set this to enabled to use the plugin.
  • UBLList (comma-separated list of zones): default value is multi.surbl.org:8-16-64-128,black.uribl.com,rhsbl.sorbs.net.
    This can be the same as RBLList. For combined lists you can append a bitmask: the zone answers 127.0.0.X, and with multi.surbl.org:8-16-64-128 a hit only counts when X has one of the bits 8, 16, 64 or 128 set (in the default value the bitmask is 8-16-64-128).
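An added example (not from the page and not qpsmtpd's own code) of what the dnsbl, rhsbl and uribl plugins do with these settings: how a query name is formed for an IP zone versus a domain zone, how a zen.spamhaus.org answer is read (including the 127.255.255.x error codes, which mean the query was refused, not that the address is listed), and how the 8-16-64-128 bitmask on multi.surbl.org is applied to a combined-list answer. No DNS query is made; the inputs are constructed, and the one function that does a live lookup with dig is there for use on the server only.

```shell
#!/bin/bash
# Added example, not part of the original page: query-name construction and
# answer decoding for the IP-based, domain-based and URI block lists above.

# Reverse the octets of an IPv4 address and append the zone:
# 203.0.113.5 + zen.spamhaus.org -> 5.113.0.203.zen.spamhaus.org
dnsbl_query_name() {   # usage: dnsbl_query_name IP ZONE
    local ip="$1" zone="$2" oldifs="$IFS"
    IFS=.; set -- $ip; IFS="$oldifs"
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
}

# RHSBL and URIBL lookups put the domain as-is in front of the zone.
rhsbl_query_name() {   # usage: rhsbl_query_name DOMAIN ZONE
    printf '%s.%s\n' "$1" "$2"
}

# Interpret the A record returned for a zen.spamhaus.org query. An empty answer
# (NXDOMAIN) means not listed; 127.255.255.x means Spamhaus refused the query
# (typo in the zone, public resolver, or volume limit) and is not a listing.
decode_zen() {   # usage: decode_zen ANSWER
    case "$1" in
        "")                                      echo "not listed" ;;
        127.0.0.2)                               echo "SBL" ;;
        127.0.0.3)                               echo "CSS" ;;
        127.0.0.4|127.0.0.5|127.0.0.6|127.0.0.7) echo "XBL" ;;
        127.0.0.10|127.0.0.11)                   echo "PBL" ;;
        127.255.255.*)                           echo "ERROR: query refused" ;;
        *)                                       echo "unknown code $1" ;;
    esac
}

# A combined zone such as multi.surbl.org answers 127.0.0.X with X a bitmask of
# sub-lists. "multi.surbl.org:8-16-64-128" tells qpsmtpd to count a hit only
# when one of those bits is set; print the matching bits, nothing if no hit.
uribl_bitmask_hit() {   # usage: uribl_bitmask_hit ANSWER MASKS (e.g. 8-16-64-128)
    local answer="$1" masks="$2" last m hits=""
    last="${answer##*.}"
    for m in $(printf '%s' "$masks" | tr '-' ' '); do
        [ $(( last & m )) -ne 0 ] && hits="$hits $m"
    done
    printf '%s\n' "${hits# }"
}

# Live lookup for use on the server (not exercised here). It must go through
# the server's own resolver: Spamhaus answers queries arriving via public
# resolvers such as 8.8.8.8 with the 127.255.255.x error codes.
dnsbl_lookup() {   # usage: dnsbl_lookup IP ZONE
    dig +short "$(dnsbl_query_name "$1" "$2")" A
}

# Constructed walk-through with documentation addresses and hand-picked answers.
dnsbl_query_name 203.0.113.5 zen.spamhaus.org     # 5.113.0.203.zen.spamhaus.org
rhsbl_query_name example.com dbl.spamhaus.org     # example.com.dbl.spamhaus.org
decode_zen 127.0.0.4                              # XBL
decode_zen 127.255.255.254                        # ERROR: query refused
uribl_bitmask_hit 127.0.0.24 8-16-64-128          # 8 16  (the PH and MW sub-lists)
uribl_bitmask_hit 127.0.0.2  8-16-64-128          # empty: bit 2 is not in the mask
```

The last two calls are the point of the bitmask: 127.0.0.24 has bits 8 and 16 set and is a hit, while 127.0.0.2 comes from a sub-list the mask deliberately ignores and is not.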

SBLList contains domain names (used by RHSBL):

dbl.spamhaus.org
The Spamhaus DBL is a realtime database of domains (typically web site domains) found in spam messages.

badconf.rhsbl.sorbs.net
List of domain names where the A or MX records point to bad address space.

nomail.rhsbl.sorbs.net
List of domain names where the owners have indicated no email should ever originate from these domains.

dnsbl.sorbs.net
SORBS’ combined list. It is an IP-based zone, so it belongs in RBLList rather than SBLList; in SBLList it is queried with a domain name and never matches. SORBS shut down in 2024, so remove its zones altogether rather than keep querying a dead list.

RBLList contains IP addresses:

xbl.spamhaus.org
The Spamhaus XBL block list (eXploit i.e. botnet Block List) contains IP addresses of hijacked computers sending large amounts of SPAM email.

sbl.spamhaus.org
The Spamhaus SBL block list (Spam Block List) contains IP addresses of computers sending SPAM email.  This list is maintained by a dedicated team of investigators.

pbl.spamhaus.org
The Spamhaus PBL (Policy Block List) contains end-user IP address ranges, typically dynamic or residential, that should not be delivering unauthenticated SMTP mail directly to other mail servers. It is compiled from ISP data plus exceptions.

zen.spamhaus.org
ZEN is the combination of all Spamhaus IP-based DNSBLs into one single powerful and comprehensive blocklist to make querying faster and simpler. It contains the SBL, SBLCSS, XBL and PBL blocklists.

bl.spamcop.net
“You are here because your mail server IP is listed due to a detected volume of unsolicited email identified by our email servers over at SpamCop.”.

bl.nosolicitado.org
“You are here because your mail server IP is listed due to a detected volume of unsolicited email identified by our email servers over at Nosolicitado.”