Koozali

By telleropnul, June 22, 2016

Apply settings

signal-event post-upgrade; signal-event reboot

Password strength

config setprop passwordstrength Users strong
config setprop passwordstrength Users normal
config setprop passwordstrength Users none
config setprop passwordstrength Ibays strong
config setprop passwordstrength Ibays normal
config setprop passwordstrength Ibays none

PHP settings

db configuration setprop php MaxExecutionTime 300
db configuration setprop php MemoryLimit 64M
db configuration setprop php UploadMaxFilesize 50M
db configuration setprop php PostMaxSize 60M
expand-template /etc/php.ini
/etc/init.d/httpd-e-smith restart

Contribs

yum --enablerepo=smecontribs install smeserver-roundcube
yum --enablerepo=smecontribs install smeserver-remoteuseraccess
yum --enablerepo=smecontribs install smeserver-awstats

iBays

db accounts setprop IBAYNAME AllowOverride All
db accounts setprop IBAYNAME FollowSymLinks enabled
signal-event ibay-modify IBAYNAME

‘AllowOverride’ allows the loading of .htaccess files (needed by WordPress, Joomla, ownCloud, nextCloud).
‘FollowSymLinks’ allows Apache to follow symbolic links (without it you get ‘Forbidden’ errors).

Whenever you see “RewriteEngine On” in a .htaccess file, you need to run the above commands.
The “FollowSymLinks” directive can also be placed in the .htaccess file, although this is not recommended and not necessary:

Options +FollowSymLinks

Enable HTTPS for Primary iBay

db accounts show Primary
db accounts setprop Primary SSL enabled
db accounts show Primary
signal-event ibay-modify Primary

innoDB

NextCloud / ownCloud require the InnoDB engine to be enabled.

db configuration setprop mysqld InnoDB enabled
expand-template /etc/my.cnf
sv t /service/mysqld

PHPmyAdmin

yum --enablerepo=smecontribs install smeserver-phpmyadmin
signal-event phpmyadmin-update
config show phpmyadmin
  access=private
  adminaccess=enabled
  multiaccess=disabled

If you want to change settings (NOT recommended):

config setprop phpmyadmin access (private|public)
signal-event ibay-modify

Remote Access

Use Server Manager ‘Remote Access’ or:

db configuration setprop sshd TCPPort 22|other
db configuration setprop sshd status enabled
db configuration setprop sshd PermitRootLogin yes|no
db configuration setprop sshd access public
db configuration setprop sshd PasswordAuthentication yes|no
/sbin/e-smith/signal-event remoteaccess-update

Once user remote access using SSH keys has been setup, change PermitRootLogin and PasswordAuthentication to “no”.
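An added check (not part of the original notes) that reads the output of `config show sshd` and flags the three settings above that should be tightened once key-based access works. The sample text is constructed in the format SME's config tool prints; on a server you would pass "$(config show sshd)" instead.

```sh
# Constructed sample of `config show sshd` output (not captured from a real server)
SAMPLE_SSHD='sshd=service
    PasswordAuthentication=yes
    PermitRootLogin=yes
    TCPPort=22
    access=public
    status=enabled'

# sshd_prop TEXT PROP -> prints the value of PROP from config-show style output
sshd_prop() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=//p"
}

# sshd_audit TEXT -> prints one finding per line; returns 0 only when clean.
# Nothing is flagged while sshd itself is disabled.
sshd_audit() {
    text=$1; findings=0
    if [ "$(sshd_prop "$text" status)" = "enabled" ]; then
        if [ "$(sshd_prop "$text" PermitRootLogin)" = "yes" ]; then
            echo "PermitRootLogin=yes: root can log in over SSH directly"
            findings=$((findings + 1))
        fi
        if [ "$(sshd_prop "$text" PasswordAuthentication)" = "yes" ]; then
            echo "PasswordAuthentication=yes: passwords can be guessed; use keys only"
            findings=$((findings + 1))
        fi
        if [ "$(sshd_prop "$text" access)" = "public" ]; then
            echo "access=public: sshd is reachable from the external interface, not only the LAN"
            findings=$((findings + 1))
        fi
    fi
    [ "$findings" -eq 0 ]
}

# sshd_finding_count TEXT -> number of findings (3 for the sample above)
sshd_finding_count() {
    sshd_audit "$1" | wc -l | tr -d ' '
}

# Demo run against the constructed sample; on a real box: sshd_audit "$(config show sshd)"
if sshd_audit "$SAMPLE_SSHD"; then echo "sshd: no findings"; fi
```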

User Remote Access

Use Server Manager 'User Remote Access' to set SSH keys and login shell.

Sudo

db accounts setprop user Sudoer yes
signal-event user-modify user

PHP-SCL

/sbin/e-smith/db yum_repositories set remi repository \
Name 'Remi - EL6' \
BaseURL 'http://rpms.famillecollet.com/enterprise/6/remi/$basearch/' \
EnableGroups no \
GPGCheck yes \
GPGKey http://rpms.famillecollet.com/RPM-GPG-KEY-remi \
Visible yes \
Exclude mysql*,php-* \
status disabled
signal-event yum-modify

Then issue the command:

yum install smeserver-php-scl --enablerepo=smecontribs,remi,epel

Note:

You may get the following error:

Error: Package: gd-last-2.2.1-2.el6.remi.x86_64 (remi)
           Requires: libwebp.so.5()(64bit)

If so, simply run the following commands and try again:

wget https://pulp.inuits.eu/collet/remi/x86_64/gd-last-2.1.1-2.el6.remi.x86_64.rpm
yum install gd-last-2.1.1-2.el6.remi.x86_64.rpm

If you do not want to restart your server:

signal-event php-update; config set UnsavedChanges no

or

signal-event post-upgrade; signal-event reboot

PHP open_basedir + upload_tmp_dir

cat /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/95AddType00PHP2ibays
{
    my $status = $php{status} || 'disabled';
    if ($status eq 'enabled')
    {
        use esmith::AccountsDB;
        my $adb = esmith::AccountsDB->open_ro();
        foreach my $ibay ($adb->ibays)
        {
            local $dynamicContent = $ibay->prop('CgiBin') || 'disabled';
            if ($dynamicContent eq 'enabled')
            {
                $OUT .= "\n<Directory /home/e-smith/files/ibays/" . $ibay->key . "/html>\n";
                $OUT .= "    AddType application/x-httpd-php .php .php3 .phtml\n";
                $OUT .= "    AddType application/x-httpd-php-source .phps\n";

                # Set the sandbox within which PHP is confined to play
                my $basedir = $ibay->prop('PHPBaseDir')
                    || ("/home/e-smith/files/ibays/" . $ibay->key . "/");
                # $OUT .= "    php_admin_value open_basedir $basedir\n";
                $OUT .= "    php_admin_value open_basedir $basedir".":/tmp:/usr/share/pear\n";
                $OUT .= "    php_admin_value upload_tmp_dir $basedir"."html/tmp\n";
                $OUT .= "</Directory>\n";
            }
        }
    }
}


expand-template /etc/httpd/conf/httpd.conf

grep upload /etc/httpd/conf/httpd.conf

    php_admin_value upload_max_filesize 100M
    php_admin_value upload_tmp_dir /var/lib/phpMyAdmin/tmp
    php_admin_value upload_tmp_dir /home/e-smith/files/ibays/Primary/html/tmp
    php_admin_value upload_tmp_dir /home/e-smith/files/ibays/i0001/html/tmp
    php_admin_value upload_tmp_dir /home/e-smith/files/ibays/i0002/html/tmp

grep basedir /etc/httpd/conf/httpd.conf

    php_admin_value open_basedir /usr/share/php:/usr/share/phpMyAdmin:/etc/phpMyAdmin:/var/lib/phpMyAdmin
    php_admin_value open_basedir /home/e-smith/files/ibays/Primary/:/tmp:/usr/share/pear
    php_admin_value open_basedir /home/e-smith/files/ibays/i0001/:/tmp:/usr/share/pear
    php_admin_value open_basedir /home/e-smith/files/ibays/i0002/:/tmp:/usr/share/pear

Copy Maildir between users

Uploading a user Maildir requires copying hidden folders.  If you move between servers, you probably want to use a zip file.  To zip hidden files as well, use the following syntax:

Syntax:
zip -r zipfile file1 file2

Example:
zip -r myfile.zip Maildir

Passing the directory itself to zip -r picks up the hidden folders (.Sent, .Drafts, …) along with everything else. Avoid the glob Maildir/.*: the shell also expands it to Maildir/.. and zip then recurses into the parent directory.

Don’t forget to export and import addressbook contacts manually.
Don’t forget that sometimes folders have a slightly different name (“.Sent” versus “.sent-items”).

SSL – Single Certificate (skip this and go to the Let’s Encrypt section)

Important: Koozali does not support multiple SSL certificates.  You can only install a single SSL certificate.  If you host multiple web sites, you may want to consider a multi-domain single certificate.

Do not install:

yum install smeserver-certificate --enablerepo=stephdl

Reset all SSL certificates to factory default:

rm /home/e-smith/ssl.crt/*
rm /home/e-smith/ssl.key/*
rm /home/e-smith/ssl.pem/*
signal-event post-upgrade
signal-event reboot

Configure SSL certificate manually:

rm /home/e-smith/ssl.crt/*
rm /home/e-smith/ssl.key/*
rm /home/e-smith/ssl.pem/*
cp server.domain_com.crt /home/e-smith/ssl.crt/
cp server.domain_com.ca-bundle /home/e-smith/ssl.crt/
cp server.domain_com.key /home/e-smith/ssl.key/

Update SSL config:
config setprop modSSL crt /home/e-smith/ssl.crt/server.domain_com.crt
config setprop modSSL CertificateChainFile /home/e-smith/ssl.crt/server.domain_com.ca-bundle
config setprop modSSL key /home/e-smith/ssl.key/server.domain_com.key

Test SSL config:
config show modSSL
modSSL=service
    CertificateChainFile=/home/e-smith/ssl.crt/server.domain_com.ca-bundle
    TCPPort=443
    access=public
    crt=/home/e-smith/ssl.crt/server.domain_com.crt
    key=/home/e-smith/ssl.key/server.domain_com.key
    status=enabled

Apply changes:
signal-event post-upgrade
signal-event reboot

SSL – Multi domain certificate using Let’s Encrypt

https://wiki.contribs.org/Letsencrypt

WordPress HTTP to HTTPS

Note that WordPress stores URLs as absolute URLs, not relative ones. If you change your WordPress website from HTTP to HTTPS you should export the database to a text file, search and replace all URLs, and import the database from that text file again.

If you get FORBIDDEN errors when accessing web pages, make sure WordPress .htaccess rewrite rule has FollowSymLinks enabled:

.htaccess

Koozali (SME server) by default does not allow loading of .htaccess files as this is considered insecure.

To have Apache allow loading of .htaccess files in an ibay, use the following command:

db accounts setprop IBAYNAME AllowOverride All
signal-event ibay-modify IBAYNAME

Next, we can change the Permalinks setting in WordPress from “Plain” (http://yoursite.com/?p=123) to “Post-name” (http://yoursite.com/sample-post).

However, Koozali (SME server) Apache by default has 2 options disabled that need to be enabled for URL rewriting (= “Post-name” type permalinks) to work:

Options +FollowSymLinks
RewriteEngine On

The .htaccess file generated by WordPress looks something like this:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

We can simply add the two required instructions like so:

# BEGIN WordPress
<IfModule mod_rewrite.c>
Options +FollowSymLinks
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

It is recommended to change the permissions of this .htaccess file to 640 (rw-r-----, owner admin, group shared) to prevent WordPress from overwriting it whenever the Permalinks settings are (accidentally) changed.

db

# /sbin/e-smith/db --help
usage:
/sbin/e-smith/db dbfile keys
/sbin/e-smith/db dbfile print [key]
/sbin/e-smith/db dbfile show [key]
/sbin/e-smith/db dbfile get key
/sbin/e-smith/db dbfile set key type [prop1 val1] [prop2 val2] …
/sbin/e-smith/db dbfile setdefault key type [prop1 val1] [prop2 val2] …
/sbin/e-smith/db dbfile delete key
/sbin/e-smith/db dbfile printtype [key]
/sbin/e-smith/db dbfile gettype key
/sbin/e-smith/db dbfile settype key type
/sbin/e-smith/db dbfile printprop key [prop1] [prop2] [prop3] …
/sbin/e-smith/db dbfile getprop key prop
/sbin/e-smith/db dbfile setprop key prop1 val1 [prop2 val2] [prop3 val3] …
/sbin/e-smith/db dbfile delprop key prop1 [prop2] [prop3] …

Being verbose you would do:
# /sbin/e-smith/db /home/e-smith/db/configuration setprop qpsmtpd RBLList blah,blah,blah
# /sbin/e-smith/db /home/e-smith/db/configuration setprop qpsmtpd SBLList blah,blah,blah
# /sbin/e-smith/signal-event email-update

In shorthand you could do:
# config setprop qpsmtpd RBLList blah,blah,blah SBLList blah,blah,blah
# signal-event email-update

My recommendation: learn the verbose form. For quick command-line entries the shorthand is faster for us lazy typists. However, when you move into writing scripts, see the Development documentation and use Perl with the provided Perl db interfaces found here:

/usr/lib/perl5/site_perl/esmith

Spam

Show mail daemon configuration:

config show qpsmtpd

Server Black List (SBL)
– A list of servers.
– There are a number of flavours.

Right-Hand Side Black List (RHSBL)
– A right-hand side blacklist (RHSBL) is a list containing the domain names of spammers.
– Uses the “SBLList” property.
– The naming is very confusing: the right hand side black list (RHSBL) is fed by one or more server black lists (the SBLList property) containing entries like dbl.spamhaus.org (‘dbl’ meaning domain block list) or rhsbl.sorbs.net (‘rhsbl’ meaning right hand side block list).

config setprop qpsmtpd RHSBL enabled
config setprop qpsmtpd SBLList dbl.spamhaus.org,multi.surbl.org,black.uribl.com,rhsbl.sorbs.net
/sbin/e-smith/signal-event email-update
svc -t /service/qpsmtpd

DNS Block List (DNSBL)
– Block spam hosts based on the IP address of the remote system.
– Uses “RBLList” property.

config setprop qpsmtpd DNSBL enabled
config setprop qpsmtpd RBLList zen.spamhaus.org,bl.spamcop.net
/sbin/e-smith/signal-event email-update
svc -t /service/qpsmtpd

Multiple values used to be separated by colon (“:”), but nowadays are comma separated (“,”).

You can perform a SPAM blacklist search here:
https://www.dnsbl.info/

Simply enter the IP address in the “received from” header of a SPAM email to see if it is listed as a known SPAM host in any of the server black lists.

URIBL

The URIBL plugin works a bit like RHSBL, except that it checks domain names found in the body of the email. For each URI identified, the corresponding domain name can be submitted to a BL list (through DNS queries). Two settings are available:

  • URIBL (enabled|disabled): Default is disabled. Set this to enabled to use the plugin
  • UBLList: (Comma separated list addresses): Default value is multi.surbl.org:8-16-64-128,black.uribl.com,rhsbl.sorbs.net.
    This can be the same as RBLList. You can also set bitmask to use for combined lists (in the default value, the bitmask is 8-16-64-128)
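An added illustration (not from the original notes or from qpsmtpd) of what the RBLList/DNSBL lookup above and the UBLList bitmask do under the hood: a DNSBL is queried by reversing the IP's octets under the zone, and a combined list such as multi.surbl.org answers 127.0.0.x where the bits of x identify which sub-lists hit, so a zone:8-16-64-128 entry counts as listed only when one of those bits is set. The 127.0.0.x answers below are constructed; dnsbl_check is the only function that needs dig and network access.

```sh
# dnsbl_name IP ZONE -> the reversed-octet name to query, e.g. 5.113.0.203.zen.spamhaus.org
dnsbl_name() {
    printf '%s\n' "$1" | awk -F. -v zone="$2" '{ print $4"."$3"."$2"."$1"."zone }'
}

# dnsbl_hit ANSWER [MASK]: ANSWER is the A record the list returned ("" = not listed).
# Returns 0 (listed) when ANSWER is inside 127.0.0.0/8 and, for a combined list with a
# mask written like 8-16-64-128, when at least one of those bits is set in the last octet.
dnsbl_hit() {
    answer=$1; mask=$2
    case "$answer" in 127.*) ;; *) return 1 ;; esac
    [ -z "$mask" ] && return 0
    last=${answer##*.}
    for bit in $(printf '%s\n' "$mask" | tr '-' ' '); do
        [ $(( last & bit )) -ne 0 ] && return 0
    done
    return 1
}

# dnsbl_split ENTRY -> prints "zone mask" from an RBLList/UBLList entry (mask may be empty)
dnsbl_split() {
    zone=${1%%:*}; mask=${1#"$zone"}; mask=${mask#:}
    printf '%s %s\n' "$zone" "$mask"
}

# dnsbl_check IP ENTRY -> prints listed/clean; performs the real DNS query via dig
dnsbl_check() {
    set -- "$1" $(dnsbl_split "$2")
    answer=$(dig +short "$(dnsbl_name "$1" "$2")" A | head -n 1)
    if dnsbl_hit "$answer" "$3"; then echo listed; else echo clean; fi
}

# Offline demo with constructed answers: 127.0.0.24 = bits 8+16, so it matches the mask;
# 127.0.0.4 only sets a bit the default UBLList mask leaves out, so it is ignored.
dnsbl_name 203.0.113.5 zen.spamhaus.org
dnsbl_hit 127.0.0.24 8-16-64-128 && echo "127.0.0.24 from multi.surbl.org: listed"
if dnsbl_hit 127.0.0.4 8-16-64-128; then echo "unexpected"; else echo "127.0.0.4: ignored by mask"; fi
```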

SBLList contains domain names:

dbl.spamhaus.org
The Spamhaus DBL is a realtime database of domains (typically web site domains) found in spam messages.

badconf.rhsbl.sorbs.net
List of domain names where the A or MX records point to bad address space.

nomail.rhsbl.sorbs.net
List of domain names where the owners have indicated no email should ever originate from these domains.

dnsbl.sorbs.net
Combined list.  Seems to contain most new spam nodes.

RBLList contains IP addresses:

xbl.spamhaus.org
The Spamhaus XBL block list (eXploit i.e. botnet Block List) contains IP addresses of hijacked computers sending large amounts of SPAM email.

sbl.spamhaus.org
The Spamhaus SBL block list (Spam Block List) contains IP addresses of computers sending SPAM email.  This list is maintained by a dedicated team of investigators.

pbl.spamhaus.org
The Spamhaus PBL block list (Policy Block List) contains IP address ranges that should not have active MX mail servers.  This list is based on ISP data and exceptions.

zen.spamhaus.org
ZEN is the combination of all Spamhaus IP-based DNSBLs into one single powerful and comprehensive blocklist to make querying faster and simpler. It contains the SBL, SBLCSS, XBL and PBL blocklists.

bl.spamcop.net
“You are here because your mail server IP is listed due to a detected volume of unsolicited email identified by our email servers over at SpamCop.”.

bl.nosolicitado.org
“You are here because your mail server IP is listed due to a detected volume of unsolicited email identified by our email servers over at Nosolicitado.”

Mail daemon qpsmtpd logs

cd /usr/local/bin
wget -O qploggrep http://bugs.contribs.org/attachment.cgi?id=2034
chmod 755 qploggrep

Display all qpsmtpd transactions denied due to dnsbl blocklists:

qploggrep dnsbl

Display all qpsmtpd transactions from /var/log/qpsmtpd/* (note the space and the dot):

qploggrep .

Mail connections sorted by number of concurrent connections:

qploggrep "/`config getprop smtpd Instances` " | sort -k4

GeoIP blocking

Block email by country of origin (“received from” IP address).  Useless when email is sent from a bot network using computers in various countries.

GeoIP is enabled in SME server 9.x by default.  Try this:

geoiplookup 8.8.8.8
geoiplookup contribs.org

Adding countries to the GeoIP blocking list:

config setprop qpsmtpd BadCountries br,ru,sp
signal-event email-update

Monitoring

Monitoring mail server activity:

tail -f /var/log/qpsmtpd/current