By telleropnul, June 22, 2016

Apply settings

signal-event post-upgrade; signal-event reboot

Password strength

config setprop passwordstrength Users strong
config setprop passwordstrength Users normal
config setprop passwordstrength Users none
config setprop passwordstrength Ibays strong
config setprop passwordstrength Ibays normal
config setprop passwordstrength Ibays none

PHP settings

db configuration setprop php MaxExecutionTime 300
db configuration setprop php MemoryLimit 64M
db configuration setprop php UploadMaxFilesize 50M
db configuration setprop php PostMaxSize 60M
expand-template /etc/php.ini
/etc/init.d/httpd-e-smith restart


yum --enablerepo=smecontribs install smeserver-roundcube
yum --enablerepo=smecontribs install smeserver-remoteuseraccess
yum --enablerepo=smecontribs install smeserver-awstats


db accounts setprop IBAYNAME AllowOverride All
db accounts setprop IBAYNAME FollowSymLinks enabled
signal-event ibay-modify IBAYNAME

‘AllowOverride’ allows .htaccess files to be loaded (WordPress, Joomla, ownCloud, nextCloud).
‘FollowSymLinks’ allows Apache to follow symbolic links (without it you may get ‘Forbidden’ errors).

Whenever you see “RewriteEngine On” in a .htaccess file, you need to run the above commands.
The “FollowSymLinks” option can also be set in the .htaccess file itself, although this is not recommended and not necessary:

Options +FollowSymLinks

Enable HTTPS for Primary iBay

db accounts show Primary
db accounts setprop Primary SSL enabled
db accounts show Primary
signal-event ibay-modify Primary


NextCloud / ownCloud require the InnoDB engine to be enabled.

db configuration setprop mysqld InnoDB enabled
expand-template /etc/my.cnf
sv t /service/mysqld


yum --enablerepo=smecontribs install smeserver-phpmyadmin
signal-event phpmyadmin-update
config show phpmyadmin

If you want to change settings (NOT recommended):

config setprop phpmyadmin access (private|public)
signal-event ibay-modify

Remote Access

Use Server Manager ‘Remote Access’ or:

db configuration setprop sshd TCPPort 22|other
db configuration setprop sshd status enabled
db configuration setprop sshd PermitRootLogin yes|no
db configuration setprop sshd access public
db configuration setprop sshd PasswordAuthentication yes|no
/sbin/e-smith/signal-event remoteaccess-update

Once user remote access using SSH keys has been set up, change PermitRootLogin and PasswordAuthentication to “no”.

User Remote Access

Use Server Manager 'User Remote Access' to set SSH keys and login shell.


db accounts setprop user Sudoer yes
signal-event user-modify user


 /sbin/e-smith/db yum_repositories set remi repository \
Name 'Remi - EL6' \
BaseURL 'http://rpms.famillecollet.com/enterprise/6/remi/$basearch/' \
EnableGroups no \
GPGCheck yes \
GPGKey http://rpms.famillecollet.com/RPM-GPG-KEY-remi \
Visible yes \
Exclude mysql*,php-* \
status disabled
 signal-event yum-modify

Then issue the command:

yum install smeserver-php-scl --enablerepo=smecontribs,remi,epel


You may get the following error:

Error: Package: gd-last-2.2.1-2.el6.remi.x86_64 (remi)
           Requires: libwebp.so.5()(64bit)

If so, simply run the following commands and try again:

wget https://pulp.inuits.eu/collet/remi/x86_64/gd-last-2.1.1-2.el6.remi.x86_64.rpm
yum install gd-last-2.1.1-2.el6.remi.x86_64.rpm

If you do not want to restart your server:

signal-event php-update; config set UnsavedChanges no


signal-event post-upgrade; signal-event reboot

PHP open_basedir + upload_tmp_dir

cat /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/95AddType00PHP2ibays
{
    my $status = $php{status} || 'disabled';
    if ($status eq 'enabled') {
        use esmith::AccountsDB;
        my $adb = esmith::AccountsDB->open_ro();
        # Emit one <Directory> block per ibay that has dynamic content enabled
        foreach my $ibay ($adb->ibays) {
            local $dynamicContent = $ibay->prop('CgiBin') || 'disabled';
            if ($dynamicContent eq 'enabled') {
                $OUT .= "\n<Directory /home/e-smith/files/ibays/" . $ibay->key . "/html>\n";
                $OUT .= "    AddType application/x-httpd-php .php .php3 .phtml\n";
                $OUT .= "    AddType application/x-httpd-php-source .phps\n";

                # Set the sandbox within which PHP is confined to play
                my $basedir = $ibay->prop('PHPBaseDir')
                    || ("/home/e-smith/files/ibays/" . $ibay->key . "/");
                # Stock line, replaced by the two customised lines below:
                # $OUT .= "    php_admin_value open_basedir $basedir\n";
                # Custom: also allow /tmp and the PEAR directory
                $OUT .= "    php_admin_value open_basedir $basedir".":/tmp:/usr/share/pear\n";
                # Custom: per-ibay upload directory below the ibay's html folder
                $OUT .= "    php_admin_value upload_tmp_dir $basedir"."html/tmp\n";
                $OUT .= "</Directory>\n";
            }
        }
    }
}

[root@f0001 ~]# expand-template /etc/httpd/conf/httpd.conf

grep upload /etc/httpd/conf/httpd.conf

    php_admin_value upload_max_filesize 100M
    php_admin_value upload_tmp_dir /var/lib/phpMyAdmin/tmp
    php_admin_value upload_tmp_dir /home/e-smith/files/ibays/Primary/html/tmp
    php_admin_value upload_tmp_dir /home/e-smith/files/ibays/i0001/html/tmp
    php_admin_value upload_tmp_dir /home/e-smith/files/ibays/i0002/html/tmp

grep basedir /etc/httpd/conf/httpd.conf

    php_admin_value open_basedir /usr/share/php:/usr/share/phpMyAdmin:/etc/phpMyAdmin:/var/lib/phpMyAdmin
    php_admin_value open_basedir /home/e-smith/files/ibays/Primary/:/tmp:/usr/share/pear
    php_admin_value open_basedir /home/e-smith/files/ibays/i0001/:/tmp:/usr/share/pear
    php_admin_value open_basedir /home/e-smith/files/ibays/i0002/:/tmp:/usr/share/pear
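
A check for the expanded configuration, added here as an example (not part of the original post or of the SME Server code): it pairs the open_basedir and upload_tmp_dir values per <Directory> block instead of grepping them separately. The function names and the "i0003" ibay are hypothetical, and the example assumes that an ibay's PHPBaseDir property may hold several colon-separated paths, in which case the template above produces an unusable upload_tmp_dir.

```shell
#!/bin/sh
# Added example: check each <Directory> block of an expanded httpd.conf.
# upload_tmp_dir must be a single path lying below one open_basedir entry.

audit_basedir() {   # reads the file named in $1, or stdin when no file is given
    awk '
    /^[ \t]*<Directory / { dir = $2; sub(/>$/, "", dir); base = ""; tmp = ""; next }
    $1 == "php_admin_value" && $2 == "open_basedir"   { base = $3 }
    $1 == "php_admin_value" && $2 == "upload_tmp_dir" { tmp = $3 }
    /^[ \t]*<\/Directory>/ {
        if (tmp != "") {
            ok = 0
            n = split(base, entry, ":")
            for (i = 1; i <= n; i++) {
                if (entry[i] == "") continue
                e = entry[i]
                if (e !~ /\/$/) e = e "/"          # compare whole directories
                if (index(tmp "/", e) == 1) ok = 1
            }
            if (tmp ~ /:/) ok = 0                  # a path list is not a valid tmp dir
            status = ok ? "OK" : "FAIL"
            print status, dir, tmp
        }
    }' "${1:--}"
}

# Constructed sample: "Primary" mirrors the output shown above; "i0003" is a
# hypothetical ibay whose PHPBaseDir property holds two paths.
sample_conf() {
    cat <<'EOF'
<Directory /home/e-smith/files/ibays/Primary/html>
    php_admin_value open_basedir /home/e-smith/files/ibays/Primary/:/tmp:/usr/share/pear
    php_admin_value upload_tmp_dir /home/e-smith/files/ibays/Primary/html/tmp
</Directory>
<Directory /home/e-smith/files/ibays/i0003/html>
    php_admin_value open_basedir /home/e-smith/files/ibays/i0003/:/srv/data/:/tmp:/usr/share/pear
    php_admin_value upload_tmp_dir /home/e-smith/files/ibays/i0003/:/srv/data/html/tmp
</Directory>
EOF
}

sample_conf | audit_basedir
```

On a live server, run audit_basedir /etc/httpd/conf/httpd.conf after expand-template.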

Copy Maildir between users

Uploading a user Maildir requires copying hidden folders.  If you move between servers, you probably want to use a zip file.  To zip hidden files as well, use the following syntax:

zip -r zipfile file1 file2

zip -r myfile.zip Maildir/* Maildir/.*

Don’t forget to export and import addressbook contacts manually.
Don’t forget that sometimes folders have a slightly different name (“.Sent” versus “.sent-items”).

SSL – Single Certificate (skip this and go to Let’s Encrypt section)

Important: Koozali does not support multiple SSL certificates.  You can only install a single SSL certificate.  If you host multiple web sites, you may want to consider a multi-domain single certificate.

Do not install:

yum install smeserver-certificate --enablerepo=stephdl

Reset all SSL certificates to factory default:

rm /home/e-smith/ssl.crt/*
rm /home/e-smith/ssl.key/*
rm /home/e-smith/ssl.pem/*
signal-event post-upgrade
signal-event reboot

Configure SSL certificate manually:

rm /home/e-smith/ssl.crt/*
rm /home/e-smith/ssl.key/*
rm /home/e-smith/ssl.pem/*
cp server.domain_com.crt /home/e-smith/ssl.crt/
cp server.domain_com.ca-bundle /home/e-smith/ssl.crt/
cp server.domain_com.key /home/e-smith/ssl.key/

Update SSL config:
config setprop modSSL crt /home/e-smith/ssl.crt/server.domain_com.crt
config setprop modSSL CertificateChainFile /home/e-smith/ssl.crt/server.domain_com.ca-bundle
config setprop modSSL key /home/e-smith/ssl.key/server.domain_com.key

Test SSL config:
config show modSSL

Apply changes:
signal-event post-upgrade
signal-event reboot

SSL – Multi domain certificate using Let’s Encrypt


WordPress HTTP to HTTPS

Note that WordPress URLs are always stored as absolute URLs, not relative(!).  If you change your WordPress website from HTTP to HTTPS you should export the database to a text file, search and replace all URLs, and import the database from the text file(!).

If you get FORBIDDEN errors when accessing web pages, make sure WordPress .htaccess rewrite rule has FollowSymLinks enabled:


Koozali (SME server) by default does not allow loading of .htaccess files as this is considered insecure.

To have Apache allow loading of .htaccess files in an ibay, use the following command:

db accounts setprop IBAYNAME AllowOverride All
signal-event ibay-modify IBAYNAME

Next, we can change the Permalinks setting in WordPress from “Plain” (http://yoursite.com/?p=123) to “Post-name” (http://yoursite.com/sample-post).

However, Koozali (SME server) Apache by default has 2 options disabled that need to be enabled for URL rewriting (= “Post-name” type permalinks) to work:

Options +FollowSymLinks
RewriteEngine On

The .htaccess file generated by WordPress looks something like this:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

We can simply add the two required instructions like so:

# BEGIN WordPress
<IfModule mod_rewrite.c>
Options +FollowSymLinks
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

It is recommended to change permissions to 640 (rw-r----- admin shared .htaccess) to prevent WordPress from overwriting this .htaccess file whenever Permalinks settings are (accidentally) changed.


# /sbin/e-smith/db --help
/sbin/e-smith/db dbfile keys
/sbin/e-smith/db dbfile print [key]
/sbin/e-smith/db dbfile show [key]
/sbin/e-smith/db dbfile get key
/sbin/e-smith/db dbfile set key type [prop1 val1] [prop2 val2] …
/sbin/e-smith/db dbfile setdefault key type [prop1 val1] [prop2 val2] …
/sbin/e-smith/db dbfile delete key
/sbin/e-smith/db dbfile printtype [key]
/sbin/e-smith/db dbfile gettype key
/sbin/e-smith/db dbfile settype key type
/sbin/e-smith/db dbfile printprop key [prop1] [prop2] [prop3] …
/sbin/e-smith/db dbfile getprop key prop
/sbin/e-smith/db dbfile setprop key prop1 val1 [prop2 val2] [prop3 val3] …
/sbin/e-smith/db dbfile delprop key prop1 [prop2] [prop3] …

Being verbose you would do:
# /sbin/e-smith/db /home/e-smith/db/configuration setprop qpsmtpd RBLList blah,blah,blah
# /sbin/e-smith/db /home/e-smith/db/configuration setprop qpsmtpd SBLList blah,blah,blah
# /sbin/e-smith/signal-event email-update

In shorthand you could do:
# config setprop qpsmtpd RBLList blah,blah,blah SBLList blah,blah,blah
# signal-event email-update

My recommendations. Learn verbose. For quick command-line entries, shorthand method is faster for us lazy typists. However, when you move into writing scripts, see the Development documentation, use perl and the provided perl db interfaces found here:



Show mail daemon configuration:

config show qpsmtpd

Server Black List (SBL)
– List of servers
– There are a number of flavours.

Right-Hand Side Black List (RHSBL)
– A right-hand side blacklist (RHSBL) is a listing that contains the domain names of spammers.
– Uses the “SBLList” property.
– The naming is confusing: the right-hand side black list (RHSBL) is configured through one or more server black lists (SBLList), with entries like dbl.spamhaus.org (‘dbl’ meaning domain block list) or rhsbl.sorbs.net (‘rhsbl’ meaning right hand side block list).

config setprop qpsmtpd RHSBL enabled
config setprop qpsmtpd SBLList dbl.spamhaus.org,multi.surbl.org,black.uribl.com,rhsbl.sorbs.net
/sbin/e-smith/signal-event email-update
svc -t /service/qpsmtpd

DNS Block List (DNSBL)
– Block spam hosts based on the IP address of the remote system.
– Uses “RBLList” property.

config setprop qpsmtpd DNSBL enabled
config setprop qpsmtpd RBLList zen.spamhaus.org,bl.spamcop.net
/sbin/e-smith/signal-event email-update
svc -t /service/qpsmtpd

Multiple values used to be separated by colon (“:”), but nowadays are comma separated (“,”).

You can perform a SPAM blacklist search here:

Simply enter the IP address in the “received from” header of a SPAM email to see if it is listed as a known SPAM host in any of the server black lists.


The URIBL plugin works a bit like RHSBL, except that it checks domain names found in the body of the email. For each URI identified, the corresponding domain name can be submitted to a BL list (through DNS queries). Two settings are available:

  • URIBL (enabled|disabled): Default is disabled. Set this to enabled to use the plugin
  • UBLList: (Comma separated list addresses): Default value is multi.surbl.org:8-16-64-128,black.uribl.com,rhsbl.sorbs.net.
    This can be the same as RBLList. You can also set bitmask to use for combined lists (in the default value, the bitmask is 8-16-64-128)
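
How the DNSBL, RHSBL and URIBL lookups described above are formed, as an added example (not part of the original post or of qpsmtpd itself). The function names are hypothetical, the sample address and domain are constructed, and the mask handling assumes the hyphen-separated values are OR'ed together and compared bitwise with the last octet of the 127.0.0.x answer.

```shell
#!/bin/sh
# Added example: build the DNS names that DNSBL / RHSBL checks look up, and
# apply a bitmask such as 8-16-64-128 to the answer of a combined list.

# dnsbl_qname IPV4 ZONE -> octets reversed, then the list zone appended
dnsbl_qname() {
    ip=$1 zone=$2
    case $ip in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;      # not dotted decimal
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip                                  # split the address into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
}

# rhsbl_qname DOMAIN ZONE -> the lower-cased domain is prepended to the zone
rhsbl_qname() {
    printf '%s.%s\n' "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" "$2"
}

# mask_hit ANSWER MASKSPEC -> exit 0 when the last octet of ANSWER shares a
# bit with any value of MASKSPEC (assumed semantics, see the lead-in)
mask_hit() {
    last=${1##*.}
    mask=0
    old_ifs=$IFS; IFS=-
    for bit in $2; do mask=$(( mask | bit )); done
    IFS=$old_ifs
    [ $(( last & mask )) -ne 0 ]
}

# lookup NAME -> prints the A records, if any (needs network and `host`)
lookup() { host -t A "$1" 2>/dev/null | awk '/has address/ {print $NF}'; }

# Constructed sample values (192.0.2.0/24 is a documentation range).
dnsbl_qname 192.0.2.25 zen.spamhaus.org
rhsbl_qname Example.COM dbl.spamhaus.org
mask_hit 127.0.0.64 8-16-64-128 && echo "answer matches a selected sub-list"
mask_hit 127.0.0.2 8-16-64-128 || echo "answer outside the mask, ignored"
```

An empty result from lookup means the address or domain is not listed in that zone.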

SBLList contains domain names:

The Spamhaus DBL is a realtime database of domains (typically web site domains) found in spam messages.

List of domain names where the A or MX records point to bad address space.

List of domain names where the owners have indicated no email should ever originate from these domains.

Combined list.  Seems to contain most new spam nodes.

RBLList contains IP addresses:

The Spamhaus XBL block list (eXploit i.e. botnet Block List) contains IP addresses of hijacked computers sending large amounts of SPAM email.

The Spamhaus SBL block list (Spam Block List) contains IP addresses of computers sending SPAM email.  This list is maintained by a dedicated team of investigators.

The Spamhaus PBL block list (Policy Block List) contains IP address ranges that should not have active MX mail servers.  This list is based on ISP data and exceptions.

ZEN is the combination of all Spamhaus IP-based DNSBLs into one single powerful and comprehensive blocklist to make querying faster and simpler. It contains the SBL, SBLCSS, XBL and PBL blocklists.

“You are here because your mail server IP is listed due to a detected volume of unsolicited email identified by our email servers over at SpamCop.”.

“You are here because your mail server IP is listed due to a detected volume of unsolicited email identified by our email servers over at Nosolicitado.”

Mail daemon qpsmtpd logs

cd /usr/local/bin
wget -O qploggrep 'http://bugs.contribs.org/attachment.cgi?id=2034'
chmod 755 qploggrep

Display all qpsmtpd transactions denied due to dnsbl blocklists:

qploggrep dnsbl

Display all qpsmtpd transactions from /var/log/qpsmtpd/* (note the space and dot):

qploggrep .

Mail connections sorted by number of concurrent connections:

qploggrep "/`config getprop smtpd Instances` " | sort -k4

GeoIP blocking

Block email by country of origin (“received from” IP address).  Useless when email is sent from a bot network using computers in various countries.

GeoIP is enabled in SME server 9.x by default.  Try this:

geoiplookup contribs.org

Adding countries to the GeoIP blocking list:

config setprop qpsmtpd BadCountries br,ru,sp
signal-event email-update


Monitoring mail server activity:

 tail -f /var/log/qpsmtpd/current