Realm Business Systems - User contributions [en-gb]

SMEServer DB Command

2026-04-03T10:23:36Z

Rdswikiadmin: Created page with "copied from; https://wiki.koozali.org/Db_command_tutorial#Signal-event (This page was last edited on 5 March 2022, at 19:31.) ==db command tutorial== The '''db''' command is unique to SME Server, and is the command line user interface to the '''db system'''. It is used to manipulate configuration setting of the various configuration databases which are then incorporated into the standard configuration files in /etc/.... via the template expansion process. The '''db sy..."

copied from; https://wiki.koozali.org/Db_command_tutorial#Signal-event (This page was last edited on 5 March 2022, at 19:31.)

==db command tutorial==

The '''db''' command is unique to SME Server, and is the command line user interface to the '''db system'''. It is used to manipulate configuration setting of the various configuration databases which are then incorporated into the standard configuration files in /etc/.... via the template expansion process.

The '''db system''' comes with default values that can be manipulated by either manually through the CLI or fully automatic through the Server Manager. This tutorial explains manipulating the '''db system''' manually through the CLI.

To display the syntax issue the following command:
/sbin/e-smith/db
which will result in the db help output below, for we did not pass any parameters.
/sbin/e-smith/db dbfile keys
/sbin/e-smith/db dbfile print [key]
/sbin/e-smith/db dbfile show [key]
/sbin/e-smith/db dbfile get key
/sbin/e-smith/db dbfile set key type [prop1 val1] [prop2 val2] ...
/sbin/e-smith/db dbfile setdefault key type [prop1 val1] [prop2 val2] ...
/sbin/e-smith/db dbfile delete key
/sbin/e-smith/db dbfile printtype [key]
/sbin/e-smith/db dbfile gettype key
/sbin/e-smith/db dbfile settype key type
/sbin/e-smith/db dbfile printprop key [prop1] [prop2] [prop3] ...
/sbin/e-smith/db dbfile getprop key prop
/sbin/e-smith/db dbfile setprop key prop1 val1 [prop2 val2] [prop3 val3] ...
/sbin/e-smith/db dbfile delprop key prop1 [prop2] [prop3] ...

{{Note box|Note that on a properly setup SME Server (path wise) '''you do not need''' to include the
/sbin/e-smith/ part, '''only use db or config''' since you are in the Path of your environment}}

===Only for the configuration database===
{{Note box| Use of 'config' is a shorthand version for 'db configuration' and therefore only works with the configuration database}}
db configuration
is
config

Note this only applies to this one often used database file, all others must be referred to using the format
db dbname command key [property value] [property2 value2]

All database files are in
/home/e-smith/db

===Auto completion===

Like in every Linux shell you can use the TAB key when you use the command line to auto complete or propose all available answers

===Examples===
Here are a few examples to demonstrate usage and syntax correlation
db dbname show

Using real db names - for the database in /home/e-smith/db/configuration
db configuration show
db configuration show |less
db configuration keys |less

* An example for the imap service
[root@sme8dev64 ~]# db configuration show imap

imap=service
ConcurrencyLimit=400
ConcurrencyLimitPerIP=12
TCPPort=143
access=private
status=enabled

we can retrieve a value
[root@sme8dev64 ~]# db configuration getprop imap status
which gives something like
enabled

[root@sme8dev64 ~]# db configuration getprop dansguardian ConcurrencyLimitPerIP
which gives something like
12

Compare the above displayed actual element values of the db command with the syntax result from issuing the db command where each element or piece equates to:

===Keys/Properties/values===

All turn around A key with properties and values of the properties, no more, no less. You can have a lot of properties under a key which is unique

imap=service
ConcurrencyLimit=400
ConcurrencyLimitPerIP=12
TCPPort=143
access=private
status=enabled

{| class="wikitable"
|-
! Database name !! Unique key !! Property name !! Default value || Possible values || Description
|-
| configuration ||style="text-align:center;"| imap || ||style="text-align:center;"|'''service'''|| || Unique key name
|-
| || || Concurrenstyle || style="text-align:center;"|'''400''' || style="text-align:center;"|nnn || User defined value
|-
| || || ConcurrencyLimitPerIP || style="text-align:center;"|'''12''' || style="text-align:center;"|nn || User defined value
|-
| || || TCPPort || style="text-align:center;"|'''143''' || style="text-align:center;"|nnn || TCP port or port range [nnn] or [nnn-nnn]
|-
| || || access || style="text-align:center;"|'''private''' || style="text-align:center;"|private / public || Specify LAN only or LAN and WAN access. The firewall will be adjusted accordingly
|-
| || || status || style="text-align:center;"|'''enabled''' || style="text-align:center;"|enabled / disabled || Enable or disable this service. The firewall will be adjusted accordingly
|}

Apply the above "reasoning" to any database and the the syntax presented by issuing db then makes sense.

Note that missing (or no) properties and values do not necessarily mean no value is in the /etc/file.conf system, as the template code can have a default value in the absence of a specific db value.

Note to determine what db settings are supported by sme code, or what the default values are, refer to (ie read) the code that is in the particular template or custom template associated with a /etc/file.conf

Look in /etc/e-smith/templates/... and /etc/e-smith/templates-custom/....
and subfolders and template fragments applicable to particular /etc/file.conf configuration files.

===show all available databases===
To show a list of existing databases do
ls -al /home/e-smith/db

which gives something like for official databases

total 304
-rw-r----- 1 root admin 1921 févr. 18 2014 accounts
-rw-r--r-- 1 root admin 0 févr. 2 2013 backups
-rw-r----- 1 root admin 8816 nov. 4 19:38 configuration
-rw-r----- 1 root admin 361 févr. 2 2013 domains
-rw-r----- 1 root admin 816 févr. 7 2013 hosts
drwxr-x--- 2 root ldap 4096 févr. 22 2013 ldap
-rw-r----- 1 root admin 3098 févr. 2 2013 mailpatterns
drwxr-x--- 2 root root 4096 avril 27 2014 mysql
drwxr-xr-x 2 root root 4096 nov. 3 21:42 navigation
-rw-r----- 1 root admin 299 févr. 2 2013 networks
-rw-r----- 1 root admin 0 mars 11 2010 portforward_tcp
-rw-r----- 1 root admin 0 mars 11 2010 portforward_udp
-rw-r----- 1 root admin 271 févr. 2 2013 spamassassin
-rw-r--r-- 1 root root 201371 nov. 4 04:04 yum_available
-rw-r--r-- 1 root root 37419 nov. 4 04:04 yum_installed
-rw-r----- 1 root admin 4459 févr. 18 2014 yum_repositories
-rw-r--r-- 1 root root 70 nov. 4 04:04 yum_updates

To show the keys for the two main databases do:
db configuration show |less
That can be abbreviated to
config show |less

db accounts show |less
Note after using the |less switch, press Enter to scroll down a line at a time, or press Space to scroll down a page at a time. 'q' to quit.

===Usage===
{{Note box| Use of 'config' is a shorthand version for 'db configuration' and therefore only works with the configuration database}}
====Create a key in a database====
the generic command is :
db dbfile set key type [prop1 val1] [prop2 val2] ...

dbfile : choose the database in /home/e-smith/db
key : the name of key
type : generally 'service' or 'configuration' but it can be other things as webbapps or url or ...

If you want to create a keys called 'plop' in the configuration database with a type as 'configuration you can do like this

db configuration set plop configuration Name wordpress PublicAccess private status enabled DbName wordpress DbUser wordpress WpLang en

you can see the result

config show plop
or
db configuration show plop

plop=configuration
DbName=wordpress
DbUser=wordpress
Name=wordpress
PublicAccess=private
WpLang=en
status=enabled

====Change values of properties====
The generic command line is
db dbfile setprop key prop1 val1 [prop2 val2] [prop3 val3] ...

dbfile : choose the database in /home/e-smith/db
key : the name of key

Then if you want to modify some values of our example above
db configuration setprop plop PublicAccess public WpLang fr
or
config setprop plop PublicAccess public WpLang fr

We want to verify
config show plop
or
db configuration show plop

plop=configuration
DbName=wordpress
DbUser=wordpress
Name=wordpress
PublicAccess=public <----------Here
WpLang=fr <----------Here
status=enabled

====Create a property under a key====

Same as above, really not difficult

db configuration setprop plop PlopTheWorld YES
or
config setprop plop PlopTheWorld YES

and to display modification

db configuration show plop
or
config show plop

plop=configuration
DbName=wordpress
DbUser=wordpress
Name=wordpress
PlopTheWorld=YES <----------Here
PublicAccess=public
WpLang=fr
status=enabled

==== Setting db variables to default values ====
{{Note box| Use of 'config' is a shorthand version for 'db configuration' and therefore only works with the configuration database}}

Any db variable that has a default value can be reset to the default by deleting the variable entirely, then re-initializing the default database values as follows:
config delprop <key> <prop>
/etc/e-smith/events/actions/initialize-default-databases

for example
db configuration delprop plop WPlang
/etc/e-smith/events/actions/initialize-default-databases
or
config delprop plop WpLang
/etc/e-smith/events/actions/initialize-default-databases

==== Delete a property value ====
To delete the property
db dbfile delprop <key> <prop>
for example
db configuration delprop plop WpLang
or
config delprop plop WpLang

==== Delete a Key ====
To delete the Key
db dbfile delete <key>
for example
db configuration delete plop
or
config delete plop

==== Reset a property to an empty value ====
To reset to an empty value
db dbfile setprop <key> <prop> <nowiki>''</nowiki>

for example
db configuration setprop plop WpLang <nowiki>''</nowiki>
or
config setprop plop WpLang <nowiki>''</nowiki>

====Check if a key is used====
To check if a key is used, grep templates

Eg :

grep -irn grapCutof /etc/e-smith/templates

grep -rn AutoBlock /etc/e-smith/templates

{{Note box|: via CLI so it is easy to make mistakes.

Hence it is safer to user server manager when there is an entry to configure key.}}

{{Warning box|Database parameters are case sensitive so take great care when typing at the server shell because no error messages are given should you make a mistake.}}

===Signal-event===

Once you have '''adjusted/modified/created''' your '''keys/properties/values''', it is not finished because you have to do a signal-event to read all templates and add the values you have set in all configuration files.

signal-event are called like this, the most known is
signal-event post-upgrade; signal-event reboot
This one reboot your server and reconfigure all templates and initialize all default db entries. It is an SME Server requirement that all database entries and configuration files must be correctly configured after a "reconfiguration reboot"

signal-event console-save
This one is useful when you don't want to restart your server, a lot of event are called with this command line but The console-save event is not a "reconfigure everything" event, and only changes items which can be configured from the text-mode console. It is convenient in this case as it performs database initialization and migration.

all specific events can be found at [[DB_Variables_Configuration]] and in the [[SME_Server:Documentation:Developers_Manual#Signalling_events|developer manual]] with more informations

===References===

See the Howto section for a couple of articles on db commands that should give useful info ie

http://wiki.contribs.org/DB_Variables_Configuration

and

http://wiki.contribs.org/Useful_Commands

and refer to the Developers Guide for technical information if needed

----
[[Category:Howto]]

Useful Commands

2026-03-29T06:03:47Z

Rdswikiadmin:

=== SME ===

Check added RPM's
/sbin/e-smith/audittools/newrpms
/sbin/e-smith/audittools/newrpms | grep smeserver

Check RPM's
rpm -qa smeserver* | sort -d
rpm -qa e-smith* | sort -d

Check templates
/sbin/e-smith/audittools/templates

RPM initial install date
rpm -qa --last | grep -v "initial install date"

Check Repositories http://wiki.contribs.org/SME_Server:Adding_Software
/sbin/e-smith/audittools/repositories

List Repositories
db yum_repositories show
cat /home/e-smith/db/yum_repositories

Restore Default Repositories
cd /home/e-smith/db/
rm -f yum_repositories.po
mv yum_repositories yum_repositories.po
/etc/e-smith/events/actions/initialize-default-databases
signal-event dnf-modify
dnf update

Yum; There are unfinished transactions remaining
yum install yum-utils
yum-complete-transaction --cleanup-only

Check RPM Package owning FILE
rpm -qf /usr/bin/nmap

RPM erase single package
rpm -e --nodeps xxx

Check Domain
host -t mx <domain>
host -t a <domain>
host -t soa <domain>
host -t txt <domain>
host -t ns <domain>
host -t txt _dmarc.<domain>
host -t txt default._domainkey.<domain>

Ciphers
openssl ciphers -v | awk '{print $2}' | sort | uniq

Network packet capture and test
tcpdump
tcpdump -i eth1 port 42526 -v
tcpdump -i br0 port 42526 -v
nmap -p 42526 -sU -P0 <domain>
nmap -p 42526 -sT -P0 <domain>

Squid Log Date
perl -pe 's/[\d\.]+/localtime($&)/e' /var/log/squid/access.log

Check Apache modules loaded;
apachectl -t -D DUMP_MODULES

Custom Network
config setprop ExternalInterface EthtoolOpts "speed 10 duplex full autoneg off"

Server Default Backup List
perl -e 'use esmith::Backup;$b=new esmith::Backup;print join("\n",$b->restore_list)."\n"'

Server Reset Initial Restore
config delete PasswordSet
config setprop bootstrap-console Run Yes
signal-event reboot

Redirect website
create redirect ibay
db accounts setprop redirect AllowOverride all
db accounts setprop redirect FollowSymLinks enabled
signal-event ibay-modify redirect

cd /home/e-smith/files/ibays/redirect/html
vim .htaccess
Redirect 301 / http://www.domain.com/

Disable mail to a user from an external network
db accounts setprop groupname/username Visible internal
signal-event email-update

Disable the check for the Date header on the internal interface:
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
echo "# 17check_basicheaders disabled by custom template" > 17check_basicheaders
signal-event email-update

cat /etc/e-smith/templates/var/service/qpsmtpd/config/plugins/17check_basicheaders
{
$OUT = "check_basicheaders";

# Note: You can't specify a maximum offset of 0 days, but that's fair
my $days = $smtpd{MaximumDateOffset} || '';

$OUT .= " $days" if ($days);
}

Disable the check for the Date header on the external interface:
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0
echo "# 17check_basicheaders disabled by custom template" > 17check_basicheaders
signal-event email-update

cat /etc/e-smith/templates/var/service/qpsmtpd/config/peers/0/17check_basicheaders
{
$OUT = "check_basicheaders";

# Note: You can't specify a maximum offset of 0 days, but that's fair
my $days = $smtpd{MaximumDateOffset} || '';

$OUT .= " $days" if ($days);
}

List contents of queued email
# /var/qmail/bin/qmail-qread
14 Dec 2014 03:35:51 GMT #165184302 2886
# find /var/qmail/queue -name 165184302| xargs cat | less

Qmail retry period before return e-mail as undeliverable
default is 604800 seconds = 1 week, 172800 seconds = 2 days
mkdir -p /etc/e-smith/templates-custom/var/qmail/control
echo 172800 > /etc/e-smith/templates-custom/var/qmail/control/queuelifetime
expand-template /var/qmail/control/queuelifetime
sv t qmail

=== unzip ===
tar -xvf xxx.tar
tar -zxvf xxx.tar.gz
tar -xf xxx.tar.xz
unzip xxx.zip
bunzip2 xxx.bz2
bzip2 -d xxx.bz2
xz -dv xxx.xz

=== tar create ===
tar -zcvf archive-name.tar.gz (/directory-name/)file(s)
xz -6cv --threads=0 /path/filename > /path/filename.xz

=== scp ===
scp -rp -P 44 root@192.168.1.1:/.../filename .

=== rsync ===
rsync -aH /affa/smesvr /media/affa/affa/
rsync -aHvzhe ssh --progress root@10.10.15.1:/var/affa/archive /var/affa/
rsync -avzhe "ssh -p 22222" --progress root@123.45.67.89:/path/filename /path
rsync -avzhe "ssh -p 22222" --progress --partial root@123.45.67.89:/path/filename /path

=== .bashrc ===
PS1="\[\e[30m\]\h:\w#\[\e[m\] " BLACK
PS1="\[\e[31m\]\h:\w#\[\e[m\] " RED
PS1="\[\e[32m\]\h:\w#\[\e[m\] " GREEN
PS1="\[\e[34m\]\h:\w#\[\e[m\] " BLUE
PS1="\[\e[35m\]\h:\w#\[\e[m\] " PINK
PS1="\[\e[36m\]\h:\w#\[\e[m\] " CYAN

export HISTTIMEFORMAT="%d%m%y %T "

Processor info
cat /proc/cpuinfo

Software RAID status
cat /proc/mdstat

Linux check maximum MTU
ping -M do -s 1434 google.co.uk

Windows check maximum MTU
ping google.co.uk -f -l 1434

=== Symbolic link ===
ln -s /path-to-folder(file) foldername(filename)

=== Public key ===
on the HOST server:
affa --send-key targetsvr
ssh-keygen -t ed25519
ssh-keygen -t rsa

cat /root/.ssh/id_rsa.pub

on the TARGET server: add
mkdir -p /root/.ssh
cd /root/.ssh
vim authorized_keys

config setprop sshd PasswordAuthentication no
signal-event remoteaccess-update
config show sshd

=== MySQL ===
mysql
use icinga
REPAIR TABLE icinga_hoststatus;
REPAIR TABLE icinga_logentries;
\q

/etc/init.d/icinga stop
mysqlcheck --databases icinga

Restore mysql db
mysql -u root -p wcuk < wcuk.sql

=== APC ===
Update BATTDATE to the current date.
Kill the apcupsd daemon first, Run apctest to update the UPS eeprom.

Debian;
apt install apcupsd
vim /etc/apcupsd/apcupsd.conf
vim /etc/default/apcupsd
systemctl restart apcupsd.service

cd /etc/init.d/
./apcupsd start

http://www.apcupsd.com/manual/manual.html#red-hat-systems

Compile
SME;
yum install gcc gcc-c++
yum remove gcc gcc-c++

http://sourceforge.net/projects/apcupsd/files/latest/download?source=files

gunzip apcupsd-3.14.13.tar.gz
tar -xvf apcupsd-3.14.13.tar
cd apcupsd-3.14.13
./configure --help
./configure --enable-usb
make
make install

DEBIAN;
apt-get install g++
apt-get install make
./configure --enable-usb
make
make install
vim /etc/apcupsd/apcupsd.conf
cd /etc/init.d
./apcupsd status
./apcupsd start
./apcupsd status

aptitude remove make
aptitude remove g++

additional package removed gcc

IPv6
ipv4="192.168.0.1"; sla="5"; printf "2002:%02x%02x:%02x%02x:%04x::1" `echo $ipv4 | tr "." " "` $sla

=== Vigor ===
vigor sip_alg
sys sip_alg ?
sys sip_alg 0
sys commit

ipsec passthrough
srv nat ipsecpass on

VDSL
WAN / General Setup / VLAN Tag Insertion = Enable / Tag Value = 101

vTiger
vTiger delete demo data SQL command
update vtiger_crmentity set deleted = 1

vTiger >5.04 reset admin password to 'admin'

mysql
use <vtiger_database_name>;
update vtiger_users set user_password = 'adpexzg3FUZAk', crypt_type = '' where user_name = 'admin';

Websites

2026-01-16T08:13:40Z

Rdswikiadmin:

=== SME ===
: http://smebox.uk/mirror/releases/
: http://mirror.canada.pialasse.com/releases/
: http://www.mirrorservice.org/sites/mirror.contribs.org/smeserver/releases/
: https://wiki.koozali.org/Category:Contrib

=== KVM ===
: https://wiki.debian.org/KVM
: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_deployment_and_administration_guide/index
: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/logical_volume_manager_administration/index
: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/logical_volume_manager_administration/lvm_cli
: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/logical_volume_manager_administration/lv#lvm_cache_volume_creation
: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/storage_administration_guide/index
: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_virtualization/index
: https://www.libvirt.org/kbase/live_full_disk_backup.html
: https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/virtio-win.iso

=== Nextcloud ===
: https://docs.nextcloud.com/server/latest/admin_manual/index.html
: https://docs.nextcloud.com/server/13/admin_manual/configuration_server/occ_command.html#
: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html

=== Microsoft ===
: https://azure.microsoft.com/en-us/resources/cloud-computing-dictionary/what-are-private-public-hybrid-clouds

=== Super GRUB2 Disk ===
:https://www.supergrubdisk.org/donate/

=== Other ===
: https://www.server-world.info/en/
: http://www.apcupsd.com/manual/manual.html
: http://www.apcupsd.com/manual/manual.html#configuration-directives-used-to-set-the-ups-eeprom
: https://docs.mojolicious.org/Mojolicious/Guides
: https://en.wikipedia.org/wiki/Private_network
: https://en.wikipedia.org/wiki/Iptables
: https://en.wikipedia.org/wiki/Netfilter

=== RedHat===
: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/4/html/security_guide/index
: https://www.redhat.com/sysadmin/iptables

SMEServer DB Variables

2026-01-14T17:40:01Z

Rdswikiadmin: Created page with "Copied from; https://wiki.koozali.org/DB_Variables_Configuration (This page was last edited on 2 January 2024, at 00:18.) {{usefulnote}} == Database variables == {{Note box|See following wiki pages for the syntax of access to the configuration database entries from the command line [http://wiki.contribs.org/SME_Server:Documentation:Developers_Manual:Section2#Access_from_the_command_line Access from the Command Line] and a [http://wiki.contribs.org/Db_command_tutorial db..."

Copied from; https://wiki.koozali.org/DB_Variables_Configuration (This page was last edited on 2 January 2024, at 00:18.)

{{usefulnote}}
== Database variables ==
{{Note box|See following wiki pages for the syntax of access to the configuration database entries from the command line [http://wiki.contribs.org/SME_Server:Documentation:Developers_Manual:Section2#Access_from_the_command_line Access from the Command Line] and a [http://wiki.contribs.org/Db_command_tutorial db command tutorial]}}

SME Server comes with the most used parameters set as variables in its internal configuration databases. These variables are used to store values to be used in the final configuration files. Please, read the [[SME_Server:Documentation:Developers_Manual:Section2]] to understand the template and database process.

These variables are useful to configure your system more easily, as you do not need to modify configuration files directly for most common cases. It also makes it possible to administer the server through its server-manager as the database variables are used to set and change configuration parameters. After editing, the configuration files must be regenerated and affected services need to be restarted.

For example, suppose you need to increase "memory-limit" in php.

You would simply execute these commands at the server console:

db configuration setprop php MemoryLimit 64M
expand-template /etc/php.ini
/etc/init.d/httpd-e-smith restart

The first line changes the value for the memory limit of PHP, the second line regenerates the configuration file and the last line will reload Apache (and subsequently also PHP as this is configured as a module of Apache).

{{Warning box|Database parameters are case sensitive so take great care when typing at the server shell because no error messages are given should you make a typo.}}

The database system is based on a flat file system, but you should never edit them directly. Instead you should use the db command. More details on using the database system can be found in the [http://mirror.contribs.org/smeserver/contribs/gordonr/devguide/html/devguide.html#SME-INTERNALS SME Server Developer's Guide].

=== Setting db variables to default values ===
{{Note box| Use of 'config' is a shorthand version for 'db configuration' and therefore only works with the configuration database}}

Any db variable that has a default value can be reset to the default by deleting the variable entirely, then re-initializing the default database values as follows:
config delprop <key> <prop>
/etc/e-smith/events/actions/initialize-default-databases

==== Delete a property value ====
To delete the property
db accounts delprop <key> <prop>

==== Reset a property value ====
To reset to an empty value
db accounts setprop <key> <prop> <nowiki>''</nowiki>

{{Warning box|Database parameters are case sensitive so take great care when typing at the server shell because no error messages are given should you make a mistake.}}

===Concept of the signal-event command===
Due to the efforts of the developers, you can further simplify the commands using the signal-event proccess.

For full details see [[SME_Server:Documentation:Developers_Manual:Section2]]

=== Overview of database variables ===
The next section describes the standard variables defined on SME Server. Please update this list with new standard variables in future SME Server versions.

The tables below have three columns. The first is the variable, the second is the target variable (located in the final configuration file), and the third is the default value.

A lot of the variables can be set using the server-manager but some can not. For example the variable DomainMaster for samba is not important here, because this can be set through server-manager. On the other hand, the variable RecycleBin is important, because it is not accessible through the server-manager.

Configuration files may use database values from a single configuration key, or may use multiple keys. The latter is the case for the /etc/rc.d/init.d/masq configuration file. This file takes it values from multiple database keys such as squid and masq.

It is also possible that multiple configuration files use the same key. An example of this is the httpd-admin key. This key has a variable TCPPort which is used in multiple files (/etc/httpd/admin-conf/httpd.conf and /etc/services).

==== AppleTalk (atalk) ====
''Usage''
db configuration setprop atalk variable value
signal-event workgroup-update
{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /etc/atalk/netatalk.conf
!Variable
!Target
!Default
|-
|MaxClients
|AFPD_MAX_CLIENTS
|20
|}

{{Warning box|The AppleTalk protocol has been removed from SME Server as of version 8.x}}

==== Backup ====
''Usage''
db configuration setprop backup variable value
signal-event conf-backup
{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /etc/e-smith/events/post-backup/S90eject-tape
!Variable
!Target
!Default
|-
|Device
|$device
|/dev/st0
|-
|Eject
|''Logical operation''
|no
|}

==== Console Mode ====
''Usage'' - Choose either login or auto DB variable.
config set ConsoleMode login
signal-event post-upgrade
signal-event reboot
{| width="100%" cellspacing="0" cellpadding="5" border="1"
!Variable
!Target
!Default
|-
|ConsoleMode
|Console Setting
|login
|}

{{Warning box|This functionality has been deprecated as of SME Server 9.x}}

==== Clam AntiVirus (clamav) ====
===== clamav =====

''Usage''
db configuration setprop clamav variable value
signal-event clamav-update
{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /etc/clamd.conf
!Variable
!Target
!Default
|-
|ArchiveBlockEncrypted
|ArchiveBlockEncrypted
|no
|-
|ArchiveBlockMax
|ArchiveBlockMax
|no
|-
|ArchiveMaxCompressionRatio
|ArchiveMaxCompressionRatio
|300
|-
|ArchiveMaxFiles
|ArchiveMaxFiles
|1500
|-
|ArchiveMaxFileSize
|ArchiveMaxFileSize
|15M
|-
|ArchiveMaxRecursion
|ArchiveMaxRecursion
|8
|-
|Debug
|Debug
|no
|-
|DetectBrokenExecutables
|DetectBrokenExecutables
|no
|-
|FilesystemScanExclude
|FilesystemScanExclude
|/proc,/sys,/usr/share,/var
|-
|IdleTimeout
|IdleTimeout
|60
|-
|LeaveTemporaryFiles
|LeaveTemporaryFiles
|no
|-
|LogClean
|LogClean
|yes
|-
|LogTime
|LogTime
|yes
|-
|LogVerbose
|LogVerbose
|yes
|-
|MaxConnectionQueueLength
|MaxConnectionQueueLength
|30
|-
|MaxDirectoryRecursion
|MaxDirectoryRecursion
|20
|-
|MaxThreads
|MaxThreads
|20
|-
|ReadTimeout
|ReadTimeout
|300
|-
|ScanArchive
|ScanArchive
|yes
|-
|ScanHTML
|ScanHTML
|yes
|-
|ScanMail
|ScanMail
|yes
|-
|ScanOLE2
|ScanOLE2
|yes
|-
|ScanPE
|ScanPE
|yes
|-
|SelfCheck
|SelfCheck
|1800
|-
|StreamMaxLength
|StreamMaxLength
|25M
|}

{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /etc/freshclam.conf
!Variable
!Target
!Default
|-
|Checks
|Checks
|24
|-
|DatabaseMirror
|DatabaseMirror
|db.local.clamav.net
|-
|DNSDatabaseInfo
|DNSDatabaseInfo
|current.cvd.clamav.net
|-
|LogVerbose
|LogVerbose
|yes
|-
|MaxAttempts
|MaxAttempts
|6
|}
===== clamd =====
''Usage''
db configuration setprop clamd variable value
signal-event clamav-update
{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /var/service/clamd/env/MEMLIMIT
!Variable
!Target
!Default
|-
|MemLimit
|MEMLIMIT
|1400000000
|}

==== DHCP daemon (dhcpd) ====
''Usage''
db configuration setprop dhcpd variable value
signal-event remoteaccess-update
{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /etc/dhcpd.conf
!Variable
!Target
!Default
|-
|Bootp
|bootp
|deny
|-
|startDynamicIPRange
|range
|
|-
|endDynamicIPRange
|range
|
|-
|}
Note: the end of the dynamic IP range will be set to the value of 'endDynamicIPRange' ''minus'' the value of pptpd:sessions.

==== DNS Cache Forwarder (dnscache / dnscache.forwarder) ====
''Usage''
db configuration setprop dnscache variable value
signal-event dns-update
or for some settings
signal-event console-save

{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected files: /var/service/dnscache.forwarder/config, var/service/dnscache.forwarder/root/servers/@
!Variable
!Target
!Default
!Options
|-
|CacheSize
|CACHESIZE
|1000000 (SME9 10000000)
|Variable
|-
|DataLimit
|DATALIMIT
|3000000 (SME9 12000000)
|Variable
|-
|Forwarder
|Forwarder
|not configured
|a.b.c.d - address of remote DNS server
|-
|Forwarder
|Forwarder2
|not configured
|a.b.c.d - address of remote DNS server
|}

==== TinyDNS ====
''Usage''
db configuration setprop tinydns variable value
signal-event dns-update
{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /var/service/tinydns/env
!Variable
!Target
!Default
|-
|ListenIP
|IP
|127.0.0.1
|-
|DataLimit
|DATALIMIT
|300000
|}

==== FlexBackup ====
''Usage''
db configuration setprop flexbackup variable value
signal-event conf-backup
{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /etc/flexbackup.conf
!Variable
!Target
!Default
|-
|Blocksize
|$blksize
|32
|-
|TapeBlocksize
|$mt_blksize
|0
|-
|BufferProg
|$buffer
|buffer
|-
|BufferMegs
|$buffer_megs
|20
|-
|erase_rewind_only
|$erase_rewind_only
|false
|-
|Type
|$type
|tar
|}

==== Horde (webmail) ====
''Usage''
db configuration setprop horde variable value

expand-template /home/httpd/html/horde/conf.menu.apps.php
{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /home/httpd/html/horde/conf.menu.aps.php
!Variable
!Target
!Default
|-
|MenuArray
|MenuArray
|enabled
|}

expand-template /home/httpd/html/horde/config/conf.php
{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /home/httpd/html/horde/config/conf.php
!Variable
!Target
!Default
|-
|Administration
|Administration
|disabled
|}

expand-template /etc/e-smith/templates/home/httpd/html/horde/config/prefs.php/200personal
{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /etc/e-smith/templates/home/httpd/html/horde/config/prefs.php/200personal
!Variable
!Target
!Default
|-
|Name
|'My Company'
|'Horde Webmail'
|}

expand-template /home/httpd/html/horde/turba/config/sources.php
{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /home/httpd/html/horde/turba/config/sources.php
!Variable
!Target
!Default
|-
|freebusy
|freebusy
|disabled
|-
|SharedAddressBooks
|SharedAddressBooks
|disabled
|}

==== Apache server ibay specific (httpd-e-smith) ====
see [[PHP]] for specific php options for ibays, or see [[Webhosting]] contrib.

''Usage''
db accounts setprop ibayname variable value
signal-event ibay-modify ibayname
{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /etc/httpd/conf/httpd.conf
!Variable
!Target
!Default
|-
|AllowOverride
|AllowOverride
|None
|-
|FollowSymLinks
|FollowSymLinks
|disabled
|-
|Indexes
|Indexes
|enabled
|-
|PHPRegisterGlobals
|register_globals
|disabled
|-
|PHPBaseDir
|open_basedir
|/home/e-smith/files/ibays/ibayname
|-
|SSLv2
|SSLProtocol
|disabled
|-
|SSL
|Force https access to ibay through Apache.
|disabled
|}
 

* these options are specific to SME Server 9 and are not backported to SME Server 8. See [[bugzilla:8239]]
''Usage''
db accounts setprop ibayname variable value
signal-event ibay-modify ibayname

==== Apache server-manager (httpd-admin) ====
{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /etc/httpd/conf/httpd.conf
!Variable
!Target
!Default
|-
|PermitPlainTextAccess
|
|no
|-
|ValidFrom
|
|ip/mask coma separated list
|}''Usage''
db configuration setprop httpd-admin variable value
signal-event remoteaccess-update
{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /etc/httpd/admin-conf/httpd.conf and /etc/services
!Variable
!Target
!Default
|-
|TCPPort
|TCPPort
|980
|}

==== IMAP (imap) ====
''Usage''
db configuration setprop imap variable value
signal-event email-update
{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /var/service/imap/config
!Variable
!Target
!Default
|-
|ConcurrencyLimit
|INSTANCES
|2000
|-
|ConcurrencyLimitPerIP
|INSTANCES_PER_IP
|12
|-
|ProcessMemoryLimit
|ulimitdata
|128000000
|}

{{Tip box|The notes on the concurrency limits noted under IMAPS also apply here. See below.}}
{{Note box| for sme9, only the key imap has properties ConcurrencyLimitPerIP,checkConcurrencyLimit,ProcessMemoryLimit. If you set these properties to the key imaps, a migrate fragment will remove them automatically}}
* only for SME Server 9
{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /var/service/imap/config
!Variable
!Target
!Default
|-
|AllowPlainText
|if set to disabled, dovecot will still listen on port 143, but will only accept TLS connexions, even from the local networks
|enabled/disabled, default is enabled
|}

==== IMAPS (imaps) ====

These properties apply to SME versions before 9.0 only. After 9.0, the imap properties are used to control imaps concurrency and memory limits.

''Usage''
db configuration setprop imaps variable value
signal-event email-update
{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /var/service/imaps/config
!Variable
!Target
!Default
|-
|ConcurrencyLimit
|INSTANCES
|2000
|-
|ConcurrencyLimitPerIP
|INSTANCES_PER_IP
|12
|-
|ProcessMemoryLimit
|ulimitdata
|128000000
|}
{{Note box| For sme9, only the key imap has properties ConcurrencyLimitPerIP, checkConcurrencyLimit, ProcessMemoryLimit. If you set these properties to the key imaps, a migrate fragment will remove them automatically. Look at /etc/dovecot/dovecot.conf for default values. ProcessMemoryLimit defaults to 256MB.
}}
{{Tip box|msg=You can see if you are running out of the number of available connections in your log file /var/log/dovecot/current (for sme8, it is /var/log/imap/current and /var/log/imaps/current) and look for messages like the log extract below where the ConcurrencyLimitPerIP was set to 12. A 13th connection was attempted and was denied.

@400000005396a2d215b40d9c imap-login: Info: Maximum number of connections from user+IP exceeded (mail_max_userip_connections=12):
user=<stephane>, method=PLAIN, rip=90.84.144.xxx, lip=192.168.xx.15, TLS

}}
{{Tip box|Mobile devices have a tendency to frequently disconnect and connect from the network. When this disconnect happens, the sessions on the server are not always immediately cleaned up (they get cleaned up after a time out of some minutes). When the email client reconnects, they create new network connections and you get into the situation that these new connections get denied because of the concurrency limit. On the mobile device this may be noted as a "Unable to connect to server" message.
}}
{{Tip box|Some email clients use a separate connection per imap folder, so the concurrency limits may occur for users that have many imap folders.
}}

==== Dovecot ====
* Only for SME Server 9
With smeserver-dovecot installed, 4 services in the configuration DB are used 

imap and imaps are used to be backward compatible with e-smith-imap (and are used to control the TCPPort of the service, and if it's accessible from local network or from the internet) 

dovecot is now the main service entry in the configuration DB. It's used to control various optional features of dovecot

''Usage''
db configuration setprop dovecot variable value
signal-event email-update
{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /etc/dovecot/dovecot.conf
!Variable
!Target
!Default
|-
|AdminIsMaster
| if enabled, the admin user will be a [http://wiki2.dovecot.org/Authentication/MasterUsers master user], and will be able to login as any user. To do so use user1*admin as login and the admin password to log as user1
|enabled/disabled, default is disabled
|-
|FullTextIndexing
|will turn on or off the full text indexing. When this option is enabled, a first search in an IMAP folder will trigger indexation. Next searches will be much faster. Read [http://wiki2.dovecot.org/Plugins/FTS/Squat this page] before enabling this option
|enabled/disabled, default is disabled
|-
|LogActions
|will turn on or off extra logging (flag change, move, copy etc…). !! Warning !!: enabling this can generate a huge amount of logs
|enabled/disabled, default is disabled
|-
|Quotas
|will report the actual [http://wiki2.dovecot.org/Quota/FS used space and the remaining one if the user has a quota limit]
|enabled/disabled, default is enabled
|}

==== Fetchmail ====
Various fetchmail settings for email collection

''Usage''
db configuration setprop fetchmail variable value
signal-event email-update

See the man page for more settings:

https://www.fetchmail.info/fetchmail-man.html

{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /etc/fetchmail
!Variable
!Target
!Default
|-
|Verbosity
| For debugging
|silent/verbose, default is silent
|-
|SSL
|Use SSL
|enabled/disabled, default is disabled
|-
|Protocol
|POP3
|POP/Other, default is POP3
|-
|TCPPort
|Retrieved from smtpd
|default 25
|}

==== IPTables firewall (masq) ====
''Usage''
db configuration setprop masq variable value
signal-event remoteaccess-update
{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /etc/rc.d/init.d/masq
!Variable
!Target
!Default
|-
|Logging
|Logging
|most
|-
|Stealth
|Stealth
|no
|}

{{Tip box|Special case is TCPPort and UDPPort from any DB key.

Any Db key named "TCPPort" or "UDPPort" affect masq file.

Currently the following keys are included in masq:

'''TCPPort:'''

''httpd-admin - sshd - smtpd - ssmtpd''
}}

=====Additional information on customizing iptables=====
Create a custom-named service definition in the configuration database.

db configuration set <servicename> service

Apply your desired firewall restrictions to any existing SME 'service' or to a custom-named service that you have created. Combine a custom-named service with port-forwarding to create customized firewall rules.

db configuration setprop <servicename> TCPPort <portnumber>
db configuration setprop <servicename> TCPPorts <portnumbers>
db configuration setprop <servicename> UDPPort <portnumber>
db configuration setprop <servicename> UDPPorts <portnumbers>
db configuration setprop <servicename> status enabled|disabled
db configuration setprop <servicename> access public|private|localhost
db configuration setprop <servicename> AllowHosts a.b.c.d,x.y.z.0/24
db configuration setprop <servicename> DenyHosts e.f.g.h,l.m.n.0/24

Effectuate the changes you have made
signal-event remoteaccess-update

{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /etc/rc.d/init.d/masq
!Variable
!Target
!Default
|-
|TCPPort
| --proto tcp --dport <Ports>
|Pre-configured for default services; no default for custom services
|-
|TCPPorts
| --proto tcp --dports <Ports>
|No default for custom services; Ranges of ports are defined with a : not a -
|-
|UDPPort
| --proto udp --dport <Ports>
|Pre-configured for default services; no default for custom services
|-
|UDPPorts
| --proto udp --dports <Ports>
|No default for custom services; Ranges of ports are defined with a : not a -
|-
|status
| enabled | disabled
|AllowHosts is set to "" (an empty string) unless the status is 'enabled'
|-
|access
| public | private
|AllowHosts is set to "" (an empty string) unless access is 'public'
|-
|AllowHosts
| --src ..... --jump ACCEPT
|Pre-configured for default services; no default for custom services. Default is '0.0.0.0/0' if service is ''enabled'' and ''public''.
|-
|DenyHosts
| --src ..... --jump denylog
|Pre-configured for default services; no default for custom services. If 'DenyHosts' is empty or does not exist then there are no '... --jump denylog' entries created in /etc/init.d/masq.
|}

==== SpamAssassin ====
''Usage''
db configuration setprop spamassassin variable value
signal-event email-update
{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /etc/mail/spamassassin/local.cf
!Variable
!Target
!Default
|-
|DNSAvailable
|dns_available
|yes
|-
|OkLanguages
|ok_languages
|all
|-
|OkLocales
|ok_locales
|all
|-
|ReportSafe
|report_safe
|0
|-
|Subject
|rewrite_header Subject
|[SPAM]
|-
|SkipRBLChecks
|skip_rbl_checks
|0
|-
|TrustedNetworks
|trusted_networks
|127.
|-
|UseAutoWhitelist
|use_auto_whitelist
|0
|-
|UseBayes
|use_bayes
|0
|-
|Sensitivity
|required_hits
|medium
|}

Sometimes certain spamassassin update servers [http://bugs.contribs.org/show_bug.cgi?id=7116 get corrupted or are not updated frequently].
The list is available at:
'''/var/lib/spamassassin/3.003001/updates_spamassassin_org/MIRRORED.BY'''

==== MySQL (mysqld) ====
''Usage''
db configuration setprop mysqld variable value
expand-template /etc/my.cnf
sv t /service/mysqld
{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /etc/my.cnf
!Variable
!Target
!Default
|-
|InnoDB
|InnoDB
|disabled
|-
|LocalNetworkingOnly
|LocalNetworkingOnly
|yes
|}

==== Network Time Protocol (ntpd) ====
''Usage''
db configuration setprop ntpd variable value
signal-event timeserver-update

{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /var/service/ntpd/env/MEMLIMIT
!Variable
!Target
!Default
|-
|MemLimit
|MEMLIMIT
|35000000
|}

{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /etc/ntp/step-tickers and /etc/ntp.conf
!Variable
!Target
!Default
|-
|NTPServer
|server
|pool.ntp.org
|-
|SyncToHWClockSupported
|SyncToHWClockSupported
|yes
|}

=====SupportLargeDrift=====
A new db key for ntpd: SupportLargeDrift.
Default value is disabled, which doesn't change the current behaviour. [[bugzilla: 7979]]

If set to enabled, it will
- add tinker panic 0 at the begening of the ntp.conf
- remove the lines
server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10

With SupportLargeDrift enabled, the guest is able to resync the clock with the
configured ntp server, even after resuming from a suspended state (tested with
a ~10min drift, it took about 3 or 4 minutes for the guest to resync the clock
after resuming).

db configuration setprop ntpd SupportLargeDrift enabled

==== Php ====
see [[PHP]] page for all the available options

''Usage''
db configuration setprop php variable value
expand-template /etc/php.ini
/etc/init.d/httpd-e-smith restart
{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /etc/php.ini
!Variable
!Target
!Default
|-
|MaxExecutionTime
|max_execution_time
|30
|-
|MemoryLimit
|memory_limit
|32M
|-
|PostMaxSize
|post_max_size
|20M
|-
|UploadMaxFilesize
|upload_max_filesize
|10M
|-
|AllowUrlFopen
|allow_url_fopen
|Off
|-
|ExposePHP
|expose_php : Exposes to the world that PHP is installed on the server
|Off
|}
''Don't forget "M" unit because you get a lot of httpd errors and apache can't start!''

{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /etc/php-fpm.d/{ibays.conf,www.conf,custom.conf} and /etc/e-smith/templates/etc/httpd/conf/httpd.conf/
!Variable
!Target
!Default
|-
|AllowUrlFopen
|AllowUrlfOpen
|disabled, set to enabled
|-
|MemoryLimit
|MemoryLimit
|disabled, set a M as unit, eg 64M
|-
|UpMaxFileSize
|UpMaxFileSize
|disabled, set a M as unit, eg 64M
|-
|PostMaxSize
|PostMaxSize
|disabled, set a M as unit, eg 64M
|-
|MaxExecTime
|MaxExecTime
|disabled, set time in second without units, eg 60 or unlimited
|}

==== Virtual Private Network (VPN) (pptpd) ====
''Usage''
db configuration setprop pptpd variable value
signal-event remoteaccess-update
{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /etc/ppp/options.pptpd
!Variable
!Target
!Default
|-
|debug
|debug
|no
|-
|mtu
|mtu
|not set by default, add your value (1404) after mtu
|-
|mru
|mru
|not set by default, add your value (1404) after mru
-
|-
|Passive
|passive
|enabled
|-
|Interfaces
|Unknown
|not set by default
|}

{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /etc/pptpd.conf
!Variable
!Target
!Default
|-
|debug
|debug
|no
|}

==== Pro FTP (proftpd) ====
''Usage''
db configuration setprop ftp variable value
signal-event remoteaccess-update
{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /etc/proftpd.conf
!Variable
!Target
!Default
|-
|DisableAnonymous
|DisableAnonymous
|no
|}
==== Qmail ====
You can set the maximum size of email to be sent 

''Usage''
expressed in bytes
db configuration setprop qmail MaxMessageSize 15000000
signal-event email-update
{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /etc/proftpd.conf
!Variable
!Target
!Default
|-
|MaxMessageSize
|The maximum email size for sending
|15000000
|}

====Qpsmptd====
{{Note box |For KOOZALI SME 10 server, qpsmtpd replaces smtpd.}}

Work in progress !!

''Usage''
config show qpsmtpd

config setprop qpsmtpd variable value
signal-event email-update

{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file:
.conf
!Variable
!Target
!Default
|-
|Authentication
|Authentication
|enabled
|-
|Bcc
|Bcc
|disabled
|-
|BccMode
|BccMode
|cc
|-
|BccUser
|BccUser
|maillog
|-
|DKIMSigning
|DKIMSigning
|enabled
|-
|DNSBL
|DNSBL
|disabled
|-
|Instances
|Instances
|40
|-
|InstancesPerIP
|InstancesPerIP
|5
|-
|LogLevel
|LogLevel
|6
|-
|MaxScannerSize
|MaxScannerSize
|25000000
|-
|MaximumDateOffset
|MaximumDateOffset
|0
|-
|PatternScan
|PatternScan
|disabled
|-
|Proxy
|Proxy
|blocked
|-
|RBLList
|RBLList
|bl.spamcop.net,dnsbl-1.uceprotect.net,dnsbl-2.uceprotect.net,psbl.surriel.com,zen.spamhaus.org
|-
|RHSBL
|RHSBL
|disabled
|-
|RelayRequiresAuth
|RelayRequiresAuth
|enabled
|-
|SBLList
|SBLList
|multi.surbl.org,black.uribl.com,rhsbl.sorbs.net
|-
|TCPPort
|TCPPort
|25
|-
|TCPProxyPort
|TCPProxyPort
|25
|-
|TlsBeforeAuth
|TlsBeforeAuth
|1
|-
|UBLList
|UBLList
|multi.surbl.org:8-16-64-128,black.uribl.com,rhsbl.sorbs.net
|-
|URIBL
|URIBL
|disabled
|-
|VirusScan
|VirusScan
|enabled
|-
|access
|access
|public
|-
|qplogsumm
|qplogsumm
|disabled
|-
|status
|status
|enabled
|-
|tnef2mime
|tnef2mime
|enabled
|-
|
|
|
|}

==== Samba global settings (smbd) ====
''Usage''
db configuration setprop smb variable value
signal-event ibay-modify
{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /etc/samba/smb.conf
!Variable
!Target
!Default
|-
|RecycleBin
|recycle
|disabled
|-
|ShadowCopy
|shadow_copy
|disabled
|-
|DeadTime
|deadtime
|10080
|-
|DisplayCharSet
|display charset
|ISO8859-1
|-
|DosCharSet
|dos charset
|850
|-
|LogonDrive
|logon drive
|Z
|-
|OpLocks
|oplocks
|enabled
|-
|OsLevel
|os level
|65
|-
|ServerString
|server string
|SME Server
|-
|SMBPorts
|smb ports
|139
|-
|UnixCharSet
|unix charset
|UTF8
|-
|UseClientDriver
|use client driver
|yes
|-
|LogLevel
|log level
|1
|}

==== Samba per i-bay settings (smbd) ====

''Usage''
db accounts setprop ibay_name variable value
signal-event ibay-modify
{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /etc/samba/smb.conf
!Variable
!Target
!Default
|-
|Browseable
|browseable
|enabled
|-
|OpLocks
|oplocks
|enabled
|-
|RecycleBin
|recycle
|disabled
|-
|VetoOplockFiles
|veto oplock files
|(not set)
|-
|Audit
|full_audit
|disabled
|-
|KeepVersions
|If RecycleBin is enabled in smbd, then you can keep version of recycle bin
|disabled, set it to enabled
|-
|ShadowCopy
|If Shadowcopy is enabled in the smbd, then you can turn off per ibay
|enabled, set it to disabled
|-
|cscPolicy
|set the csc policy (manual, documents, programs, disable)
|(not set)
|}

==== Squid Proxy (squid) ====
''Usage''
db configuration setprop squid variable value
signal-event proxy-update
{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /etc/squid/squid.conf
!Variable
!Target
!Default
|-
|SSLPorts
|Configure additional https ports (use single port or multiple ports separated by coma (,)
|no default value (443 and 563 are hard coded)
|-
|SafePorts
|acl Safe_ports port
|80
|-
|EnforceSafePorts
|EnforceSafePorts
|no
|}

How to configure additional https ports
* only one port
config setprop squid SSLPorts 2083
signal-event proxy-update
* several ports
config setprop squid SSLPorts 2083,569,1,568,965
signal-event proxy-update
* remove ports
config setprop squid SSLPorts ""
signal-event proxy-update

{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /etc/squid/squid.conf and /etc/rc.d/init.d/masq
!Variable
!Target
!Default
|-
|Transparent
|Transparent
|yes
|}

{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /etc/rc.d/init.d/masq
!Variable
!Target
!Default
|-
|TransparentPort
|TransparentPort
|3128
|}

''Alternate Usage for Configuration of an Up-Stream Proxy Server''
db configuration set squid-parent-variable value
signal-event proxy-update
{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /etc/squid/squid.conf
!squid-parent-variable
!Target
!Default
|-
|SquidParent
|name-or-ip-of-upstream-proxy-server
|(none)
|-
|SquidParentPort
|port-number-used-by-upstream-proxy-server
|(none)
|}(un-do using 'db configuration delete SquidParent', 'signal-event proxy-update')

==== SSH (sshd) ====
''Usage''
db configuration setprop sshd variable value
signal-event remoteaccess-update
{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /etc/ssh/sshd_config
!Variable
!Target
!Default
|-
|TCPPort
|Port
|22
|-
|Protocol
|Protocol
|2
|-
|UsePAM
|UsePAM
|no
|-
|MaxAuthTries
|MaxAuthTries
|2
|-
|MaxStartups
|MaxStartups
|10:30:60
|-
| MotdStatus
| MotdStatus (display or not the motd)
| enabled
|-
|PasswordAuthentication
|PasswordAuthentication
|no
|-
|PermitRootLogin
|PermitRootLogin
|no
|-
|AllowHosts
|AllowHosts
|IP address(es) list
|}

{{Note box|Currently in SME 7.2 and up, TCPPort is configurable via server-manager, under Remote Access menu.

To configure AllowHosts:
IP address(es) list is a single IP or a comma separated list of IP addresses and/or netmasks (e.g. 16.17.18.19,203.14.64.0/24).
Ssh will then only be allowed from those IP addresses. The firewall code will drop ssh connections from any other hosts.}}

=====Autoblock_ssh=====

see [[AutoBlock#Public_SSH_Acess]]

{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /etc/ssh/sshd_config
!Variable
!Target
!Default
|-
|AutoBlockTime
|AutoBlockTime
|900
|-
|AutoBlockTries
|AutoBlockTries
|4
|-
|AutoBlock
|AutoBlock
|enabled for sme9/disabled for sme8
|}

==== smtpd ====
{{Warning box| OBSOLETE. smtpd has been deprecated in sme10. now the variable is qpsmtpd.}}

''Usage''
config setprop smtpd variable value
signal-event email-update

{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /var/service/qpsmtpd/runenv 
'''[[bugzilla:7846]]''': Changes to <code>'''Instances'''</code> or <code>'''InstancesPerIP'''</code> require a restart of qpsmtpd: 
<code>expand-template /var/service/qpsmtpd/runenv && sv t /service/qpsmtpd /service/sqpsmtpd</code>
!Variable
!Target
!Default
|-
|Instances
|Total smtp Instances
|40
|-
|InstancesPerIP
|smtp-Instances-Per-IP
|5
|}

 
{| width="100%" cellspacing="0" cellpadding="5" border="1"

|+Affected file: /var/service/qpsmtpd/config/smtpgreeting
!Variable
!Target
!Default
|-
|Greeting
|Hostname portion of the greeting provided by your server to inbound SMTP connections
|$SystemName.$DomainName
|}

 
{| width="100%" cellspacing="0" cellpadding="5" border="1"

|+Affected file: /var/qmail/control/helohost
!Variable
!Target
!Default
|-
|HeloHost
|SMTP Helo / Ehlo value provided by your server when connecting to external SMTP servers to send email
|$DomainName
|}

==== yum ====
''Usage''
config setprop yum variable value
signal-event yum-modify
{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /etc/yum.conf
!Variable
!Target
!Default
|-
|AutoInstallUpdates
|Install updates automatically?
|disabled
|-
|check4updates
|Frequency of Update Checking daily(default but monthly or weekly available)
|daily
|-
|EnableGroups
|Enable Groups
|0
|-
|GPGCheck
|Check GPG signature for repositories
|0
|-
|PackageFunctions
|Display individual packages in 'Software Installer'
|disabled
|-
|RandomDelay
|Random Delay
|120
|-
|status
|Yum's status
|enabled
|-
|RestrictRepo
|Repo names whose contents should be excluded from 'Available Packages' in the 'Software Installer'
|none
|-
|RestrictRPM
|All or part of an RPM name to be excluded from 'Available Packages' in the 'Software Installer'
|none
|-
|DeltaRpmProcess
| Only changes between the installed package and the new one are downloaded. Once the delta rpm loaded, a rebuilding process is started only SME10 see [[bugzilla:8834]])
| disabled (by default)/enabled
|-
| DownloadOnlyHour XX (0-23)
| Set the time when to download rpm updates by yum (only sme10 see [bugzilla:1502]])
| default is 04 AM if no property
|}

See also 'db yum_repositories' [http://wiki.contribs.org/Category:Yum_Repository All available repositories] 

''Usage''
db yum_repositories setprop RepositoryName variable value
signal-event yum-modify
{| width="100%" cellspacing="0" cellpadding="5" border="1"
|+Affected file: /etc/yum.smerepos.d/sme-base.repo
!Variable
!Target
!Default
|-
|EnableGroups
|Enable groupinstall with yum
|Yes(default)/no
|-
|GPGCheck
|Enable the rpm verification by GPG of the repository signature
|Yes(default)/no
|-
|MirrorList
|It is the base url where the repository can be found
|no default value
|-
|status
|Enable the repository in yum, all updates will be installed if enabled
|disabled/enabled
|-
|Visible
|The repository can be selected from 'Enabled repositories' in the 'Software Installer' in order to be Enabled by Yum if set to yes
|no
|-
|IncludePkgs 'rpm1,rpm2,rpm3'
|Only rpms mentioned here will be available for installation or upgrade.
|
|-
|Exclude 'rpm1,rpm2,rpm3'
| rpms mentioned here will be excluded by yum
|
|-
|DeltaRpmPercentage XX
| Defines the maximum ratio allowed between the delta rpm size and the package size on a per-repository basis: by default, delta rpms can’t be bigger than 75% of the size of the associated rpms, otherwise they are not used. Set to disabled if you don't want to use deltarpm for this repository (only SME10 see [[bugzilla:8834]])
| default is '75' if no property
|}

==== Miscellaneous Other DB Variables ====
{{Note box|This is meant to be an easy place to add db variable information if you don't have time to put it into the correct section(s) above. You can find most of the template fragments affected by a given db variable if you execute:

cd /etc/e-smith
fgrep -lR ''variable'' templ<nowiki>*/* |</nowiki> less

where ''variable'' is the name of the variable using correct capitalization

Note that any command listed here is to be executed on one line!}}

{| width="100%" cellspacing="0" cellpadding="5" border="1"
!Command
!service(s)
!config file(s)
!notes
|-
|db domains setprop test.com '''MailServer''' a.b.c.d or use FQDN in place of a.b.c.d eg db domains setprop test.com '''MailServer''' aspmx.l.google.com
|qpsmtpd; qmail; fetchmail
|/var/service/qpsmtpd/config/goodrcptto

/var/service/qpsmtpd/config/peers/local

/var/service/qpsmtpd/config/peers/

/var/service/qpsmtpd/plugins

/var/service/qmail/control/virtualdomains

/var/service/qmail/control/smtproutes

/etc/fetchmail
|Forward all email for the specified domain to the IP address ''a.b.c.d''. ''a.b.c.d'' can be either local or remote. By default, the recipient address will be verified as valid on ''a.b.c.d'' before SME accepts the inbound message.
|-
|config set '''SquidParent''' <hostname or IP>
|squid, diald
|/etc/diald.filter, /etc/squid/squid.conf
|Configure squid to peform all web downloads from the specified upstream proxy server
|-
|config set '''SquidParentPort''' <portnumber>
|squid
|/etc/squid/squid.conf
|Connect to the upstream proxy server using <portnumber>. Defaults to 3128 if 'SquidParentPort' is unspecified. Ignored if SquidParent is not set.
|-
|config delete '''SquidParent'''
|squid, diald
|/etc/squid/squid.conf, /etc/diald.filter
|Return squid to normal operation (no upstream proxy server)
|-
|db accounts setprop username Visible internal ; signal-event email-update
|n/a
|n/a
|Make an email address invisible from outside? (see http://forums.contribs.org/index.php?topic=36302.0)
|-
|db accounts setprop pseudonym Visible internal ; signal-event email-update
|n/a
|n/a
|Make an pseudonym email address invisible from outside
|-
|db <database> delprop key ''property'' ; /etc/e-smith/events/actions/initialize-default-databases
|various
|various
|Restore the developers' default value for ''property''
|-
|db <database> delete ''key'' ; /etc/e-smith/events/actions/initialize-default-databases
|various
|various
|Restore the developers' default value for each property belonging to the key ''key''
|-
|config set '''AdminIsNotRoot''' enabled
|n/a
|n/a
|In server-manager panel, changing admin password no more change root password. root password is managed through '''passwd''' shell command and admin and root passwords can be distinct passwords.
|-
|config setprop smtp-auth-proxy PeerPort xxx; signal-event email-update
|smtp-auth-proxy
|none - the smtp-auth-proxy executable (//usr/local/sbin/smtp-auth-proxy.pl) reads the config database directly.
|Used to change the port number used to connect to the upstream mail server ("SMTPSmartHost" or "Address of Internet provider's mail server"). Defaults to port 25 if PeerPort is not set; uses SSL if port 465 is selected.
|-
|db configuration setprop qpsmtpd tlsCipher '''XXX'''; signal-event email-update
|qpsmtpd
|/var/service/qpsmtpd/config/tls_ciphers
|By default qpsmtpd only accepts the stronger SSL 3.0 or TLS 1.0 protocols for securing SMTPS connections. If needed, one can set qpsmtpd to also allow the weaker SSL 2.0 protocol. For '''XXX''' one can use: '''<tt>'ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM'</tt>''' (SSLv2/SSLv3/TLSv1) '''<tt>'HIGH:!SSLv2'</tt>''' (=Default: only allow stronger SSLv3/TLSv1 protocols) ''Note: don't forget to use the quotes!!''
|-
|config setprop pppoe Mlimit <value>
|pppoe
|/service/wan/run.pppoe.conf
|notes. - <value> cannot be set below 100000000 - <value> can be set above 100000000.
If pppoe Mlimit is set to a value '''below the MIN_MEMORY_LIMIT''', currently 100000000, this lower value will not be accepted '''and Mlimit will be set to the default value (100000000)'''.

|-
|command
|service(s)
|config file(s)
|notes. Copy this block when adding new entries to this table.
|}

==== Port Forwarding ====
Server manager will create two databases, one for TCP and one for UDP

db portforward_tcp set {port} forward AllowHosts {some.host.ip} Comment {Test} Denyhosts {0.0.0.0/0} DestHost {dest.host.ip} DestPort {port}

db portforward_udp set {port} forward AllowHosts {some.host.ip} Comment {Test} Denyhosts {0.0.0.0/0} DestHost {dest.host.ip} DestPort {port}

Apply with:

signal-event portforwarding-update

----
{| width="100%" cellspacing="0" cellpadding="5" border="1"
!Variable
!Target
!Default
|-
|port
|Incoming Port for Forwarding
|none
|-
|DestPort
|Destination Target Port
|port
|-
|DestHost
|Destination Host IP
|none
|-
|AllowHosts
|Allowed Hosts
|0.0.0.0/0
|-
|DenyHosts
|Denied Hosts
|0.0.0.0/0
|-
|Comment
|Notes for this rule
|none
|}

[[Category:Howto]]
[[Category:Developer]]

SMEServer Collabora

2026-01-14T17:26:51Z

Rdswikiadmin: Created page with "Copied from; https://wiki.koozali.org/Collabora (This page was last edited on 14 November 2025, at 06:40.) {{Languages}}   {{#vardefine:contribname| {{lc: {{#titleparts: {{BASEPAGENAME}} |1}} }} }} {{#vardefine:smecontribname| smeserver-{{lc: {{#titleparts: {{BASEPAGENAME}} |1}} }} }} <!-- we defi..."

Copied from; https://wiki.koozali.org/Collabora (This page was last edited on 14 November 2025, at 06:40.)

{{Languages}}


{{#vardefine:contribname| {{lc: {{#titleparts: {{BASEPAGENAME}} |1}} }} }}
{{#vardefine:smecontribname| smeserver-{{lc: {{#titleparts: {{BASEPAGENAME}} |1}} }} }}

{{#vardefine:lang| {{lc: {{#titleparts: {{PAGENAME}} | | -1}} }} |en }}

{{Infobox contribs
|name={{#var:contribname}}
|image=Collabora_Online_primary_logo.svg
|description_image= {{#var:contribname}} logo
|maintainer= Unnilennium
|licence=
|url= https://www.collaboraoffice.com/code/
|category= Cloud
|tags=Nextcloud,Online Office,Document editor,Cloud
}}

===Maintainer===

[[User:Unnilennium|Jean-Philippe Pialasse]]

=== Version ===

{{#smeversion: {{#var:smecontribname}} }}
=== Description ===
Collabora Online is a powerful LibreOffice-based online office that supports all major document, spreadsheet and presentation file formats, which you can integrate into your own infrastructure.

Key features are collaborative editing and excellent office file format support.

This package offers a configuration of the open source development edition https://www.collaboraoffice.com/code/

A VirtualHost property is to be filled with a domain name so the daemon will be reversed proxy through your apache httpd server. Do not forget to also define this Virtualdomain to your list of domains, enable it for let's encrypt if you use it, and also define this domain to point to your server at your DNS provider.

Collabora Online requires a dedicated virtual host and it’s only accessible from HTTPS with a valid certificate.

=== Installation ===
<tabs container="">
<tab name="For SME 11">
dnf install smeserver-extrarepositories-collaboraoffice
dnf install {{#var:smecontribname}} collaboraofficebasis-en-US collaboraoffice-dict-en

then you will need to configure let's say domain collabora.mydomain.com

configuration part for domain + let's encrypt and nextcloud on the same server, please just change the content of the variable $MYDOMAIN
MYDOMAIN="collabora.mydomain.com"
db domains set $MYDOMAIN domain Content Primary Description collabora Nameservers localhost letsencryptSSLcert enabled TemplatePath Collabora
signal-event domain-create $MYDOMAIN
expand-template /etc/dehydrated/domains.txt
dehydrated -c
signal-event smeserver-collabora-update

then all is configured in nextcloud installed on the same server
if you do want to keep self signed certificate you need to issue
occ config:app:set disable_certificate_verification --value "yes"

Reminder configure your domain DNS to point to your server!

We assume you also already have configured correctly [[Letsencrypt]] and [[Nextcloud]] contribs BEFORE.
</tab>
<tab name="For SME 10">
yum install smeserver-extrarepositories-collaboraoffice
yum --enablerepo=smecontribs install {{#var:smecontribname}} collaboraofficebasis-en-US collaboraoffice-dict-en

then you will need to configure let's say domain collabora.mydomain.com

configuration part for domain + let's encrypt and nextcloud on the same server, please just change the content of the variable $MYDOMAIN
MYDOMAIN="collabora.mydomain.com"
config setprop coolwsd VirtualHost $MYDOMAIN
db domains set $MYDOMAIN domain Content Primary Description collabora Nameservers localhost letsencryptSSLcert enabled TemplatePath Collabora
signal-event domain-create $MYDOMAIN
expand-template /etc/dehydrated/domains.txt
dehydrated -c
signal-event smeserver-collabora-update

then all is configured in nextcloud installed on the same server

Reminder configure your domain DNS to point to your server!

We assume you also already have configured correctly [[Letsencrypt]] and [[Nextcloud]] contribs BEFORE.
</tab>

</tabs>

You can also add to the yum install line the dictionary you need, or add one later
<tabs container="">
<tab name="For SME 11">
dnf install collaboraoffice-dict-fr collaboraofficebasis-fr
</tab>
<tab name="For SME 10">
yum install collaboraoffice-dict-fr collaboraofficebasis-fr

</tab>

</tabs>

=== Tweaking ===

==== language available ====
Available languages are: ar, bg, br, ca, cs, da, de, el, es, et, fr, gd, gl, gu, he, hi, hr, hu, id, is, it, ko, lt, lv, nl, no, oc, pl, pt-BR, pt-PT, ro, ru, sk, sl, sr, sv, te, tr, uk, vi

In order to use new dictionaries, you may have to change the "allowed_languages" setting in /etc/coolwsd/coolwsd.xml . In the example below the Danish dictionary is added as an "allowed language":
$ diff coolwsd.xml.bak coolwsd.xml
10c10
< <allowed_languages default="de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru" desc="List of supported languages of Writing Aids (spell checker, grammar checker, thesaurus, hyphenation) on this instance. Allowing too many has negative effect on startup performance.">de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru</allowed_languages>
---
> <allowed_languages default="de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru" desc="List of supported languages of Writing Aids (spell checker, grammar checker, thesaurus, hyphenation) on this instance. Allowing too many has negative effect on startup performance.">da en_GB en_US</allowed_languages>

==== menu display ====

To modify look on the toolbar for Compact Biew (as opposed to Tabbed View) in nextcloud config , OR change this to compact :

/etc/coolwsd/coolwsd.xml
<code>182 <user_interface>
183 <mode default="default" desc="Controls the user interface style. The 'default' means: Take the value from ui_defaults, or decide for one of compact or tabbed (default|compact|tabbed)" type="string">compact</mode>
184 <use_integration_theme default="true" desc="Use theme from the integrator" type="bool">true</use_integration_theme>
185 </user_interface></code>

=== Configuration ===
you can list the available configuration with the following command :
config show coolwsd

Some of the properties are not shown, but are defaulted in a template or a script. Here a more comprehensive list with default and expected values :
{| class="wikitable"
!property
!default
!values
!
|-
|VirtualHost
|
|domain
|you need one domain configured to allow it to work with nextcloud
|-
|AllowWopiHost
|
|comma separated list of ip or domains
|list of domains allowed to access collabora, by default empty. the server itself and nextcloud defined Virtualhost are added to this list
|-
|access
|
|private, public,local
|not defined for localhost use only; please leave it as it
|-
|TCPPort
|
|port number
|default is listening on localhost:9980, but please no SSL configuration keep it this way, and rather use http proxy with VirtualHost property
|-
|status
|enabled
|enabled,disabled
|}

=== Uninstall ===
yum remove {{#var:smecontribname}} CODE-brand collaboraoffice collaboraoffice-* collaboraofficebasis-* coolwsd

=== Sources ===
# https://help.nextcloud.com/t/start-to-finish-nextcloud-collabora-step-by-step-guide/10602
# https://help.nextcloud.com/t/collabora-connection-refused/5024

=== Bugs ===
Please raise bugs under the SME-Contribs section in {{BugzillaFileBug|product=|component=|title= bugzilla}}
and select the {{#var:smecontribname}} component or use {{BugzillaFileBug|product=SME%20Contribs|component={{#var:smecontribname}}|title=this link}}

Below is an overview of the current issues for this contrib:{{#bugzilla:columns=id,product,version,status,summary|sort=id|order=desc|component={{#var:smecontribname}} |noresultsmessage=No open bugs found.}}

===Changelog===
Only released version in smecontrib are listed here.

{{ #smechangelog: {{#var:smecontribname}} }}


[[Category: Contrib]]


[[contribtemplate::2| ]]

SMEServer Useful

2026-01-14T17:20:32Z

Rdswikiadmin:

Copied from; https://wiki.koozali.org/Useful_Commands (This page was last modified on 28 July 2025, at 12:05.)

{{usefulnote}}
==SME Server locale==
By default the sme server 8 locale is ISO-8859-1ldapsear

==ACL==

===See ACL===
getfacl /path/2/files/or/folders

===set ACL===
setfacl -P -R -m u:apache:rwX,d:u:apache:rwX /path/2/files/or/folders

-R : recursive 

-P : physical, follow symlinks

==Apache Related Commands==
===Apache options to ibay===
====Expand httpd.conf template====

expand-template /etc/httpd/conf/httpd.conf
sv h /service/httpd-e-smith
or
/sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
/usr/bin/sv h /service/httpd-e-smith

====Restart httpd====

/etc/init.d/httpd-e-smith restart
or
sv t /service/httpd-e-smith

=====SME10=====
How do I start, restart, stop, reload and check the status of a service (httpd-e-smith.service) with systemd.

# systemctl start httpd-e-smith.service
# systemctl restart httpd-e-smith.service
# systemctl stop httpd-e-smith.service
# systemctl reload httpd-e-smith.service
# systemctl status httpd-e-smith.service

====Enable AllowOverride All/None====
leave Apache reads the distributed configuration file .htaccess per ibay:
db accounts setprop IBAYNAME AllowOverride All
signal-event ibay-modify IBAYNAME
if you want to remove
db accounts delprop IBAYNAME AllowOverride
signal-event ibay-modify IBAYNAME

====enable Symlinks in that iBay====
db accounts setprop IBAYNAME FollowSymLinks enabled
signal-event ibay-modify IBAYNAME
if you want to remove
db accounts delprop IBAYNAME FollowSymLinks
signal-event ibay-modify IBAYNAME

====disable apache directory indexes per ibay====
db accounts setprop IBAYNAME Indexes disabled
signal-event ibay-modify IBAYNAME
if you want to remove
db accounts delprop IBAYNAME Indexes
signal-event ibay-modify IBAYNAME

====PHPBaseDir per ibay====
the phpbasedir is a "php-jail", if you want that it uses its normal jail and allow it to use also /tmp then :

db accounts setprop IBAYNAME PHPBaseDir /home/e-smith/files/ibays/IBAYNAME/:/tmp/
signal-event ibay-modify IBAYNAME

====Allow PHP URL File Open per ibay====
For SME9 exclusively see [[Useful_Commands#PHP_settings_only_for_SME9]] 

Make custom httpd directory if not exist
mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf

Create the template name 99allow_url_fopen and put the content
<Directory /home/e-smith/files/ibays/IBAYNAME/html>
php_admin_flag allow_url_fopen on
</Directory>
Save the file

Expand
expand-template /etc/httpd/conf/httpd.conf

Restart httpd.
/etc/init.d/httpd-e-smith restart

====Allow PHP URL File Open====

This is set with a db command.
Use the command here
http://wiki.contribs.org/DB_Variables_Configuration#Php
and replace the variable and value
eg

db configuration setprop php AllowUrlFopen On
expand-template /etc/php.ini
/etc/init.d/httpd-e-smith restart

====PHP document root====
$_SERVER['DOCUMENT_ROOT']
If you set up an application in an ibay you may have some odd results due to the usage of $_SERVER['DOCUMENT_ROOT'] by the application.
By default this is set in php.ini to :

/home/e-smith/files/ibays/Primary/html

How to overcome $_SERVER['DOCUMENT_ROOT'] issues in ibays see [[PHP_document_root]]

====PHP settings only for SME9====
{{Tip box|msg=These settings modify only the behaviour of one ibay and not at all the whole php settings for the server. Only for sme9, see [[bugzilla:8239]]}}

db accounts setprop ibayname variable value
signal-event ibay-modify ibayname

AllowUrlFopen : enabled/disabled
MemoryLimit : set a M as unit, eg 64M
UpMaxFileSize : set a M as unit, eg 64M
PostMaxSize : set a M as unit, eg 64M
MaxExecTime: unlimited or set time in second without units, eg 60

====PHPinfo====
PHPinfo will provide an overview of all PHP related settings. A quick way to get an overview or search for a setting, one could use:
php -r "phpinfo();" | less
or to save to a text file:
php -r "phpinfo();" > phpinfo.txt
or to search for specific values and save to a text file:
php -r "phpinfo();" | grep mysql > phpmysql.txt

===https forced redirection using custom template===
see [[Https_redirection]]

If it does not already exist then create the following directory

mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts

cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts

nano 60redir-ibayname1

Paste or type the following code including the brackets, replacing ibayname with the name of your ibay

{
if ($port ne "443")
{
$OUT .= <<'HERE';
## Redirect Web Address to Secure Address
RewriteEngine on
RewriteRule ^/ibayname https://%{HTTP_HOST}/ibayname

## End Of Redirect
HERE
}
}

Save the file & exit by Ctrl+x

/sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf

/etc/init.d/httpd restart

==Backup==
===Debug the Mount of a remote workstation Share===
In the case of you have errors when you mount a remote cifs share (used by the panel 'backup or restore', you can experiment by just running the two commands from the command line (replace $host $share $mountdir appropriately)
/bin/mount -t cifs "//$host/$share" $mountdir -o credentials=/etc/dar/CIFScredentials,nounix
/bin/mountpoint $mountdir

For example :
/bin/mount -t cifs "//192.168.xx.xx/backup-sme" /mnt/smb -o credentials=/etc/dar/CIFScredentials,nounix
/bin/mountpoint /mnt/smb/

===Launch Manually a backup===
* only for an usb_backup or a remote_backup
/etc/e-smith/events/actions/workstation-backup-dar

==Certificates==
see http://wiki.contribs.org/Certificates_Concepts
===How to change your certificate===

Since SME version 7.1.3, the functionality to configure a Common Name in the certificate is included in the main SME packages and can be configured as follows:

config setprop modSSL CommonName www.domain.com
expand-template /home/e-smith/ssl.crt/crt
expand-template /home/e-smith/ssl.key/key
signal-event domain-modify
signal-event email-update

see this forum thread [http://forums.contribs.org/index.php?topic=33109.15] and bug report [http://bugs.contribs.org/show_bug.cgi?id=1689]

===How to set a different expiration time===

The SME self signed certificate is valid for one year, and is automatically renewed on the anniversary of the installation date of the SME server OS.
To specify how long your SME certificate will last for, do the following:

cp /etc/e-smith/templates/home/e-smith/ssl.crt /etc/e-smith/templates-custom/home/e-smith/ssl.crt
nano -w /etc/e-smith/templates-custom/home/e-smith/ssl.crt

change the value for KEYLIFEINDAYS on the first line to the number of days the certificate will remain valid for eg 1826 for 5 years.

Save & exit by pressing the following keys at the same time
ctrl o
ctrl x

Create a new self signed certificate, with the longer validity period. Replace the filenames below with the correct file/key names applicable to your server.
rm /home/e-smith/ssl.crt/servername.domain.com.crt
rm /home/e-smith/ssl.key/servername.domain.com.key
rm /home/e-smith/ssl.pem/servername.domain.com.pem
signal-event post-upgrade
signal-event reboot

Install the new certificate into your browser.

Also see http://wiki.contribs.org/Certificates_Concepts

===How to simply recreate the certificate for SME Server===

rm /home/e-smith/ssl.{crt,key,pem}/*
config delprop modSSL CommonName
config delprop modSSL crt
config delprop modSSL key
signal-event post-upgrade
signal-event reboot
alternately
config show modSSL
config delprop modSSL crt key CertificateChainFile
signal-event ssl-update

==Command-Line Quick Reference Guide==
Below is a list of commands that I use all the time & tend to forget.
===Generic Linux===

{| class="wikitable"
|-
! COMMAND NAME !! DESCRIPTION
|-
| /usr/sbin/smbd -V || samba version
|-
| /usr/sbin/httpd -v || apache version
|-
| httpd -t || verify the syntax of the configuration file of apache
|-
| httpd -tf /path/to/config/file || verify the syntax of the specified configuration file of apache
|-
| httpd -t -D DUMP_MODULES || display all loaded modules of apache
|-
| mysql -v || mysql version
|-
| php -v || php version
|-
| du -sh /* || shows your folder sizes by directory in the root (you can adapt to your directory path)
|-
| df -h || shows disk usage in human readable form
|-
| man <commandname> || shows more info about a command
|-
| uname -a || kernel release version
|-
| mv || moves or renames a file
|-
| cp || copies or backup a file
|-
| rm || removes or deletes a file
|-
| <nowiki>ps -aux|grep <process></nowiki> || outputs processes running <process>
|-
| ps -AH || report process status
|-
| ps fax || display processes by tree with their pid
|-
| top || shows processes
|-
| top -i || shows only active processes
|-
| htop || shows processes (more versatile than top)
|-
| iptraf || shows network info
|-
| mc -d || show midnight commander (cli file browser) to navigate through system easily
|-
| host -t mx aol.com || shows the mx records for aol.com
|-
| dig any aol.com || show all dns records for aol.com (you can choose the dns server by adding its IP or hostname : '@8.8.4.4')
|-
| net groupmap list || shows samba mappings to nt groups
|-
| telinit 1 || changes to single user mode
|-
| ifconfig || shows detailed info on ethernet ports
|-
| grep -nsr "casesensitivesearch" /path/to/dir || finds all documents containing the criteria in a dir (add 'i' to the options for a non sensitive search)
|-
| grep -nsri server-manager.jpg /etc/e-smith/ || search the file server-manager.jpg in the path directory /etc/e-smith
|-
| grep -P '^www |apache' /etc/group || search after patterns which start by www and/or apache in /etc/group
|-
| tail -f /var/log/<LOGFILE> || realtime viewing of your log file
|-
| tar -czvf foo.tar.gz foo || creates a tar/zip file of a directory
|-
| tar -xvzf foo.tar.gz || untar/unzip a tar/zip file
|-
| scp -P <ssh_portnumber> foo.tar.gz <user>@<other_server_ipaddress>:/opt || transfers file to another server in /opt directory
|-
| rsync --progress -te "ssh -p <ssh_portnumber>" foo <other_server_ipaddress>:/opt || transfers file to another server
|-
| sed -i -e "s/foo/fee/g" <FILENAMEORPATHTODIR> || replaces foo with fee
|-
| sed '/abba/Id' file.txt || remove all '''lines''' with the string 'abba' (case sensitive) in the file.txt
|-
| sed -n '/^www/p' /etc/group || print all line starting by www in the file /etc/group
|-
| watch mysqladmin process || shows the mysql processes running
|-
| lslbk <ONLY SME9>|| lsblk lists information about all available or the specified block devices. The lsblk command reads the sysfs filesystem to gather information. The command prints all block devices (except RAM disks) in a tree-like format by default.
|-
| <nowiki>find . -type f | xargs rpm -qf | sort | uniq</nowiki> || find from which rpm these files come from
|-
| who -r || see in which runlevel you are running (7 for sme8, 4 for sme9)
|-
| findmnt || findmnt will list all mounted filesytems or search for a filesystem.
|-
| pstree || pstree shows running processes as a tree. The tree is rooted at either pid or init if pid is omitted.
|-
| clamdtop || clamdtop is a tool to monitor one or multiple clamd(s), that shows the jobs in clamd’s queue, memory usage, and information about the loaded signature database.
|}

Estimate file space usage - drill down into directories
cd /
du --si --max-depth 1
cd /home
du --si --max-depth 1
cd /home/e-smith
du --si --max-depth 1

====UID/GID====
* see informations of a user
id USER
*change the uid of a user
usermod -u '''UID''' USER_NAME
* create a group
groupadd -g '''GID''' -o GROUPE_NAME
* modify the GID of a group
groupmod -o -g '''GID''' GROUPE_NAME
* add a principal group to a user
usermod -g '''GROUP_NAME_OR_GID''' USER_NAME
* add a secondary group to a user
usermod -a -G '''GROUP_NAME_OR_GID''' USER_NAME

====usermod====
*change the home directory (-m move files/folders to the new location)
usermod -d /var/lib/jdownloader jdownloader
* change the shell access of a user
usermod --shell /bin/bash jdownloader

====Read a TAI64N timestamp in human readable format====
[http://cr.yp.to/daemontools/tai64nlocal.html tai64nlocal] converts precise TAI64N timestamps to a human-readable format.
tai64nlocal reads lines from stdin. If a line does not begin with @, tai64nlocal writes it to stdout without change. If a line begins with @, tai64nlocal looks for a timestamp after the @, in the format printed by tai64n, and writes the line to stdout with the timestamp converted to local time in ISO format: YYYY-MM-DD HH:MM:SS.SSSSSSSSS. 

Eg
cat /var/log/qpsmtpd/current |tai64nlocal|less
Or
tailf /var/log/sshd/current | tai64nlocal

====adjust the ntp time====
if you want to set the correct time via ntpd without restarting the server 

in a root terminal
/etc/init.d/ntpd stop
ntpdate pool.ntp.org
/etc/init.d/ntpd start
and to verify
date

====create missing group and set gid====
If a specific sme group or linux group is missing, you can create it again. see [[bugzilla:7932#c48]]
groupadd -g 102 -o apache
rpm --setugids --setperms rpm1 rpm2

where 102 is the correct gid of apache group, adapt it to the right setting
where rpm1 and rpm2 are valid rpm but broken due to the lack of apache group during installation or upgrade

if the group apache exists but with the wrong gid (example 48) you can set the 102 gid

groupmod -o -g 102 apache

====display what are your network interfaces====
# perl -Mesmith::ethernet -e "print esmith::ethernet::probeAdapters();"
EthernetDriver1 e1000 08:00:27:23:85:a6 "Intel Corporation 82540EM Gigabit Ethernet Controller (rev 02)"
alternatively, and only for SME9 or greater, you can use
# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether AA:BB:CC:DD:EE:FF brd ff:ff:ff:ff:ff:ff
inet 11.22.22.44/XY brd 11.22.33.255 scope global eth0
3: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
link/ether 10:00:01:02:03:04 brd ff:ff:ff:ff:ff:ff
inet 192.168.45.1/24 brd 192.168.45.255 scope global dummy0

====find files by their size====
it could be useful to find large file by the command line

find /home/e-smith -type f -size +200'''M''' -exec ls -lh {} \; | awk '{ print $ ":_" $5 }';

use
‘k’ for Kilobytes (units of 1024 bytes)
‘M’ for Megabytes (units of 1048576 bytes)
‘G’ for Gigabytes (units of 1073741824 bytes)

====reduce root's user reserved space====
as a default, 5% of the disk space is allocated to root user

you can reduce the allocated space to 1% with (for LVM)

tune2fs -m 1 /dev/mapper/main-root

if you're not using LVM, use

df -h

to see where / is mounted

====find files by the Name====
find ~/smeserver/ -name 'e-smith-backup-2.4.0*'
or use (updatedb is launched every night)
updatedb
locate e-smith-backup-2.4.0

====how much mail data per user is stored on the server====

You can adapt that command line to your needs, here we can see the used disk spaceof all emails stored by your users on your SME Server.
du -s /home/e-smith/files/users/*/Maildir | sort -rn | cut -f2- | xargs -d "\n" du -sh

====Replace a chain of characters====
Replace a chain of characters chaine1 by chaine2 in all files of the current directory with '.txt'

find . -name "*.txt" -type f -exec sed -i "s/chaine1/chaine2/g" {} \;

====Check file system in case of corruption====

If your filesystem is corrupted. That can be a hardware failure, or a software corruption (after a crash). The server won't boot before you manually run fsck to check/repair the filesystem. Note that this might not be possible if the problem is comming from hardware failure (hope you have backups....).

Try this:
- when you're prompted to, enter the root password, you'll be dropped on a shell
- manually run fsck

e2fsck -D -tt -y /dev/main/root

It can take several minutes/hours depending on the size of your drives and their speed. With some luck, the filesystem will be cleaned, and you'll be able to boot.

====Adding notes/comments to shell commands====
You can add comments to shell commands without interrupting the functionality of the shell command. The comments will be appear in .bash_history which can be beneficial for later analysis. e.g. Why was the the command given or who entered the command. Examples:
cat /etc/redhat-release #johnd What version are we running

config setprop sshd status disabled #maryc Disable ssh access ticket:#12345

With (complex) grep arguments one would be able to search the bash history on different criteria. e.g. To find all shell commands given entered by mary that have something to do with ssh (example line above):
cat /root/.bash_history | grep "#mary" | grep ssh
will return:
config setprop sshd status disabled #maryc Disable ssh access ticket:#12345

====Adding date and time to bash history====
By default the bash history does not show the date and time of any activity. You can enable this by entering the following command:
HISTTIMEFORMAT="%d/%m/%y %T "
where %d=day, %m is month, &y is year and %T is time

To see the bash history with the date and time added, enter:
history

the history command can be useful in combination with added comments to shell commands for more precise analysis or (automatic) reporting based on a shell script and cron.

====Find open ports====

* netstat
# netstat -anp|grep 5232
tcp 0 0 192.168.12.233:5232 0.0.0.0:* LISTEN 2028/python

* nmap
nmap can specify if a port is closed or not
yum install nmap
nmap localhost -p 5232

===Raid===
You have a lot of interesting tutorial [http://wiki.contribs.org/Category:Administration:Storage concerning the Raid]
==== shows software raid performance ====
hdparm -Tt /dev/mdX

(where X is 0,1,2,etc)

==== gives raid info ====
mdadm --detail /dev/mdX

(where X is 0,1,2,etc)

==== shows software raid ====
cat /proc/mdstat

==== remove the degraded raid ====
when you install the smeserver with one drive and in a degraded raid, you will see a 'U_' state but without warnings. If you want to leave just one 'U'
mdadm --grow /dev/md0 --force --raid-devices=1
mdadm --grow /dev/md1 --force --raid-devices=1

===RPM's===

{| class="wikitable"
|-
! Command !! Explanation
|-
| rpm -qa || shows all rpms installed
|-
| rpm -qa --last || shows all rpms installed & installation date
|-
| rpm -q || asks for rpm info
|-
| rpm -qi || asks for detailed rpm info
|-
| rpm -qlv <packagename> || lists all files in a package
|-
| rpm -qlvp <packagename.rpm> || List all files in a rpm which is not installed
|-
| rpm -qf <filename> || reports what package a file belongs to
|-
| rpm -qV <packagename> || reports if permission and ownership are OK
|-
| rpm -qRp <packagename.rpm> || Find what dependencies have a rpm
|-
| rpm -qR <packagename> || Find what dependencies have a package name
|-
| rpm -q --whatrequires <packagename> || find what packages have <packagename> as dependancy
|-
|rpm -e --test <packagename> || find what packages have <packagename> as dependancy (more verbose as above)
|-
| rpm -e --nodeps <packagename> || remove packagename without removing dependencies
|-
| rpm --setugids <packagename> || set right ownership to rpm
|-
| rpm --setperms <packagename> || set right permissions to rpm
|-
| rpm -e --noscripts <packagename> || remove packagename without executing sciptlets (%pre, %post, %preun, %postun)
|-
| rpm -Va || capture any damaged/incomplete rpms - but will also show lots of configuration files, which you of course expect to be modified.
|}

====Find upstream rpms patched by contribs.org====
For the need of the distribution we ought to patch some upstream rpms, this is the list
rpm -qa --qf "%{name} %{BuildHost}\n" | grep -P 'build64\-1|builder.koozali.org' | awk '{print $1}' | grep -vP '^smeserver|e\-smith' | sort

====Restore all permissions and ownership====
If you want to restore all permissions and right ownership of rpm, you can do this in a root terminal. See [[bugzilla:6851#c15]]
for f in $(rpm -qa); do echo $f; rpm --setugids $f; done
for f in $(rpm -qa); do echo $f; rpm --setperms $f; done

===YUM'ing and repositories===
{| class="wikitable"
|-
! Command !! Explanation
|-
| yum install <packagename> || installs packagename & any package it may need
|-
| yum remove <packagename> || removes packagename
|-
| yum history package-info <packagename> || Shows the installation/removal history of a package and it's Transaction ID [http://yum.baseurl.org/wiki/YumHistory see more commands]
|-
| yum history undo <Transaction ID> || Removes all packages from a specific Transaction ID [http://yum.baseurl.org/wiki/YumHistory see more commands]
|-
| yum list updates || list updates to any installed package
|-
| yum list available || list available packages in all repos not already installed
|-
| yum list available |grep <reponame> || list available packages -shows only from repo name
|-
| yum search <packagename> || lists all packages in all repos matching packagename
|-
| yum clean all --enablerepo=* || Is used to clean up various things which accumulate in the yum cache (includes disabled repos)
|-
| yum --enablerepo=<reponame> <command> || enables a repo not normally enabled
|-
| /sbin/e-smith/audittools/newrpms || shows all extra packages installed
|-
| /sbin/e-smith/audittools/repositories || show all repositories and if they are activated or not
|-
| db yum_repositories show <reponame> || show properties of the repository <reponame> '''(you may use TAB to auto-complete your command line)'''
|}

=====Restoring Default Yum Repositories=====

{{note box|If you have problems with your yum setup you may have entered incorrect repository values. Remove the current values and restore the original setting with these commands}}

cd /home/e-smith/db/
mv yum_repositories yum_repositories.po
/etc/e-smith/events/actions/initialize-default-databases

Now you have a clean install, you can re-add 3rd party repos as described above

signal-event yum-modify

and check if you can update your server

yum update

==LDAP==
===Show/Debug the state of LDAP===
about the DB settings
db configuration show ldap

about the service (see the pid and the output when manually you start the service)
cd /service/ldap
sv s .
./run

See the ownership of LDAP database (must be owned ldap:ldap)
ll /var/lib/ldap/

===ldif-fix===
it just prints what changes are needed in the ldap tree. With -u instead of -d, those changes are applied
/var/service/ldap/ldif-fix -d

===Parse the ldap catalogue===

you can use this command
slapcat
or if you want to sort
slapcat | grep -viP 'userPassword|sambaNTPassword|sambaLMPassword'

===namingContexts===
we can conduct a simple search of the naming context to see our directory information you can display 'dn' LDAP parameters, either by the [[SME_Server:Documentation:Administration_Manual:Chapter13#Directory|server-manager]] or by the command line :
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts''
or you can do
ldapsearch -x -h localhost -s base |grep 'dn'

* for example

[root@sme9 ~]# ldapsearch -x -h localhost -s base |grep 'dn'
# base <dc=stephane,dc=dtdns,dc=net> (default) with scope baseObject
# stephane.dtdns.net
'''dn: dc=mycompany,dc=local'''

====Retrieve the ldap base====
in a template you can do
baseDN = "ou=Users,{ esmith::util::ldapBase($DomainName); }";

===request a listing of all entries===
The following LDAP search is requesting a listing of all entries starting from the base "dc=example,dc=local". This should return all of the entries

ldapsearch -x -b 'dc=mycompany,dc=local' '(objectclass=*)'

===Bind with a specific user on LDAP===
Try to connect to ldap with credentials of a specific user and see the LDAP catalogue. Find the '<nowiki/>'''dc'''' by the chapter [[Useful_Commands#namingContexts|above]]

ldapsearch -x -D uid=user2,ou=Users,dc=server1,dc=pt -W

* for example
[root@sme9 ~]# ldapsearch -x -D uid=stephane,ou=Users,dc=mycompany,dc=local -W

===Check a specific user in LDAP catalogue===
display informations on the user requested. Find the '<nowiki/>'''dc'''' by the chapter [[Useful_Commands#namingContexts|above]]

'''for sme9'''
ldapsearch -x -D cn=root,dc=server1,dc=pt -w $(cat /etc/pam_ldap.secret) -b ou=Users,dc=domain,dc=tld "uid=test2"
'''for sme8'''
ldapsearch -x -D cn=root,dc=server1,dc=pt -w $(cat /etc/ldap.secret) -b ou=Users,dc=domain,dc=tld "uid=test2"

* for example
'''for sme9'''
ldapsearch -x -D cn=root,dc=mycompany,dc=local -w $(cat /etc/pam_ldap.secret) -b ou=Users,dc=mycompany,dc=local "uid=stephane"
'''for sme8'''
ldapsearch -x -D cn=root,dc=mycompany,dc=local -w $(cat /etc/ldap.secret) -b ou=Users,dc=mycompany,dc=local "uid=stephane"

===Retrieve the ldap password===

* directly in a terminal
perl -Mesmith::util -e 'print esmith::util::LdapPassword();'
* in a template
my $pwd = esmith::util::LdapPassword();

if you need to call the ldap password in a script you can invoke this bash variable
* for sme8
PWD=$(cat /etc/ldap.secret)
* for sme9
PWD=$(cat /etc/pam_ldap.secret)

==Log==
===Parse Log files to search for errors===
When you want to test the SME Product it can be useful to see what it occurs.
This CL can help you, but you should read the entire log
grep -iE "uninitialized|WARNING|ERROR" /var/log/messages
of course this is for the /var/log/messages

or if you want to parse all log
grep -iE "uninitialized|WARNING|ERROR" /var/log/*

{{Note box| you have now a tool in your hand to parse logfile : [[Audit_Tools#logcheck]]. You should be aware that tool is here to help to find errors in the development side of the SME Server and thus you could have a lot of false positive}}

=== '''Parse log for hack / phishing for missing files''' ===
<syntaxhighlight lang="bash">
EXTIP=`curl -s ifconfig.me/ip`
grep "File does not exist" /var/log/httpd/error_log | sed -e 's#\: /#\n#' | grep "home" | sort -u | sed -e "s#$EXTIP#\<IP\>#g" > dict_err.txt
# grep "File does not exist" /var/log/httpd/admin_error_log | sed -e 's#\: /#\n#' | grep "home" | sort -u | sed -e "s#$EXTIP#\<IP\>#g" > dict_admin_err.txt
</syntaxhighlight>
* verbose output

less /var/log/messages| grep -iE "useless|uninitialized|warn|fail|error|disable|unable|exit"

* search all logs with verbose output
less /var/log/* | grep -iE "useless|uninitialized|warn|fail|error|disable|unable|exit"

==Mail==
see [[Email]]

===check blocked email address by the server===
grep -i 'blocked email address' /var/log/qpsmtpd/current

===maximum email size===
[[Email#Set_max_email_size]]

===Spam filter with Server-Manager===
Using the Server-Manager Configuration/E-Mail panel, adjust the settings to these reasonable defaults.

*Virus scanning Enabled
*Spam filtering Enabled
*Spam sensitivity Custom
*Custom spam tagging level 4
*Custom spam rejection level 12
*Sort spam into junkmail folder Enabled
*Modify subject of spam messages Enabled

===spam retention in junk mailbox===
The server will automatically delete old spam in the junkmail folders after 90 days. You can control the number of days old spam is kept with the following commands. Where 15 is the number of days you want to keep messages, do...
db configuration setprop spamassassin MessageRetentionTime 15
signal-event email-update
svc -t /service/qpsmtpd
then
config show spamassassin

===Mail Statistics===

See [[Mailstats]] for details on the mailstats package.

yum install --enablerepo=smecontribs smeserver-mailstats

===Whitelist and Blacklist===
If mail comes in and it is misclassified as spam by Spamasassin, you can add the sender to the Spamassassin whitelist so that future messages coming in from that sender are not filtered.
Conversely, you can add a spammer to the Spamassassin blacklist so you never see their spam again.
Add senders (or their entire domains) to the global whitelist (or blacklist) with commands similar to these (as root):

db spamassassin setprop wbl.global *@vonage.com White
db spamassassin setprop wbl.global *domain2.com White
db spamassassin setprop wbl.global user@domain3.com White
db spamassassin setprop wbl.global spammer@spamdomain.com Black

expland template and save the configuration to the database
signal-event email-update

You can view the lists with this command:
db spamassassin show

These lists can be also controlled by the server-manager with the wbl contrib http://wiki.contribs.org/Email_Whitelist-Blacklist_Control

==MySQL==
There appears to be no password set for the MySQL root password, but this is not true. If you are logged in to the SME Server shell a special mechanism is in place to log you in with MySQL root privileges without prompting you for the password.

The MySQL root password for SME Server is a 72 character random string generated during installation of SME Server. You should never change the MySQL root password as this will break your SME Server configuration. How to login as MySQL root user? describes how to access MySQL with root privileges on SME Server.

For more informations you can see the [[MySQL]] page

===Login as MySQL root user===
To login as MySQL root user, simply type 'mysql' at the SME Server shell, this will log you in with root privileges.
the mysql admin password is a random password generated which can be find

*/root/.my.cnf
*/etc/ldap.secret for sme8 and /etc/pam_ldap.secret for sme9

'''do not modify these files.'''

* directly in a terminal
perl -Mesmith::util -e 'print esmith::util::LdapPassword();'
* in a template
my $pwd = esmith::util::LdapPassword();

if you need to call the mysql password in a script you can invoke this bash variable
* for sme8
PWD=$(cat /etc/ldap.secret)
* for sme9
PWD=$(cat /etc/pam_ldap.secret)

===Create a Database and its User===
Create a new MySQL database (In this example the database name is databasename. Change '''databasename''', '''username''' and '''password''' with your own choices as required)

Login as root and issue the following command to enter the MySQL CLI and create the database:

mysql
create database '''databasename''';
grant all privileges on '''databasename'''.* to '''username''' identified by '<nowiki/>'''password'''';
flush privileges;
exit

or directly from the shell or script:

mysql -e "create database '''databasename''';"
mysql -e "grant all privileges on '''databasename'''.* to '''username''' identified by '<nowiki/>'''password'''';"
mysql -e "flush privileges;"

===Remove a database===
Get access to the SME Server shell and MySQL and issue the following command:

drop database databasename;
or from the shell. Confirmation will be asked.
mysqladmin drop databasename
Replace databasename with the name of the database.

===Remove a user===
Get access to the SME Server shell and MySQL and issue the following command:

USE mysql;
DELETE FROM user WHERE user = 'username';
FLUSH PRIVILEGES;

Replace username with the username you wish to delete.

{{Tip box|mysql_setpermission is a command line menu driven utility that can assist in MySQL administration.}}

===Show databases directly from CLI===

Directly in your Terminal you can see how much DB mysql you have.

mysqlshow

+--------------------+
| Databases |
+--------------------+
| information_schema |
| egroupware |
| horde |
| mysql |
| roundcube |
| test |
| wordpress |
+--------------------+

===Other useful MySQL commands:===
* list all available database.
show databases;
*display a list of the MySQL users
SELECT user FROM mysql.user;
*remove the user jeffrey
DROP USER 'jeffrey'@'localhost';
* list the privileges granted to the account user
SHOW GRANTS FOR 'user'@'localhost';
* give all rights on all databases for new_dba user
GRANT ALL PRIVILEGES ON *.* TO 'new_dba'@'localhost' IDENTIFIED BY 'password' WITH GRANT OPTION;
FLUSH PRIVILEGES;
* give all rights on database for new_user
GRANT SELECT, UPDATE, INSERT, DELETE ON database.* TO 'new_user'@'localhost' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;
* will let you destroy a database. Use with care. Use 'mysqladmin --help' for all available options.
mysqladmin drop '''databasename''';
* show you all '''table''' details of mysql '''database'''
use database;
show table status;
* let you see all '''tables''' of mysql '''database'''
use database;
show table status;

==Password==
===Password strength===

First a warning - Far too many systems out there have weak passwords and they will be broken into. Educating your users on the necessity of strong passwords is the best option. If that fails, here is how you change the password strength checking from 'strong' to 'normal', which was the setting in previous versions of SME. Be careful to use the exact capitalization.

config setprop passwordstrength Admin normal
config setprop passwordstrength Users normal
config setprop passwordstrength Ibays normal

It is also possible, but strongly discouraged, to disable password strength checking by setting to 'none'

Password strength options are:

none : Only checks if the password meets the minimum length requirement (default - 12 characters).
normal : Requires minimum length plus both uppercase and lowercase characters.
intermediate : Requires minimum length, uppercase, lowercase, and passes a dictionary check.
strong : Requires all of intermediate's checks plus must contain numbers and special characters

And password minimum length (which defaults to 12), can be set:

config setprop passwordstrength length <whatever>

===Change Password Users by the command line===

If you want to change password to your users by the command Line instead of the user panel of SME Server you can do it like this.

perl -e "use esmith::util;esmith::util::setUserPassword( 'username', 'password');"; /sbin/e-smith/signal-event password-modify username

run it for each user separately and replace
username
and
password
with the appropriate values for each of your users.

For special characters note this bug regarding escaping [[bugzilla:8510]]

Some examples :

perl -e 'use esmith::util;esmith::util::setUserPassword("username","pass!word");'

Or:

perl -e "use esmith::util;esmith::util::setUserPassword( 'username','pass"'!'"word');"

===Generating strong random password===
You can Install '''[[Random_Strong_Password_Generator|randpw]]''' else you can use manually the CL below

Security should not be taken lightly and password for e.g. databases, connections etc. need to be long and strong. One way of generating a strong random password is:
< /dev/urandom tr -dc '_A-Z-a-z-0-9!@+[](){}~<>*%^&#+=/$:;,?' | head -c${1:-50};echo;
This will generate a 50 character long random password whereby the characters are selected from the above given string _A-Z-a-z-0-9!@+[](){}~<>*%^&#+=/$:;,?. The number 50 represents the length of the generated password and can be adjusted to fit your needs.

One could also store the generated password to a file or to a db key:
< /dev/urandom tr -dc '_A-Z-a-z-0-9!@+[](){}~<>*%^&#+=/$:;,?' | head -c${1:-50} > mypassword.txt

config set MyStrongPassword `< /dev/urandom tr -dc '_A-Z-a-z-0-9!@+[](){}~<>*%^&#+=/$:;,?' | head -c${1:-50};echo;`
Please note the usage of ` (the backtick character) which is not the same as the ' (single quote character)

===Signalling events : Signal-event===

The signal-event program takes an event name as an argument, and executes all of the actions in that event, providing the event name as the first parameter and directing all output to the system log. It works by listing the entries in the event directory and executing them in sequence. So for example, the command:

signal-event console-save

will perform all the actions associated with the console-save event, which is defined by the contents of the /etc/e-smith/events/console-save/ directory. This is exactly what the console user interface does when you select save at the end of the console configuration wizard.

[[SME_Server:Documentation:Developers_Manual:Chapter7#Standard_events_and_their_arguments| see all options]]

==PHP Related Commands==
===Show current php settings===

config show php

===Expand php.ini template===

expand-template /etc/php.ini

===Configure PHP Basedir Restriction per ibay===

db accounts setprop IBAYNAME PHPBaseDir DIR1:DIR2:DIRn
signal-event ibay-modify IBAYNAME

Example

db accounts setprop Primary PHPBaseDir /home/e-smith/files/ibays/Primary:/tmp
signal-event ibay-modify Primary

===Execution Time===
For SME9 exclusively see [[Useful_Commands#PHP_settings_only_for_SME9]] 
db configuration setprop php MaxExecutionTime ZZ
expand-template /etc/php.ini
/etc/init.d/httpd-e-smith restart
where ZZ is the time in seconds.

===Memory Limit===
For SME9 exclusively see [[Useful_Commands#PHP_settings_only_for_SME9]] 
db configuration setprop php MemoryLimit XXM
expand-template /etc/php.ini
/etc/init.d/httpd-e-smith restart
where XX is the amount of memory in Mb.

===Upload Max File Size===
For SME9 exclusively see [[Useful_Commands#PHP_settings_only_for_SME9]] 
db configuration setprop php UploadMaxFilesize WW
expand-template /etc/php.ini
/etc/init.d/httpd-e-smith restart
where WW is the file size in Mb.

===Post Maximum Size===
For SME9 exclusively see [[Useful_Commands#PHP_settings_only_for_SME9]] 
db configuration setprop php PostMaxSize WW
expand-template /etc/php.ini
/etc/init.d/httpd-e-smith restart
where WW is the file size in Mb.

===Allow URL FOpen===
For SME9 exclusively see [[Useful_Commands#PHP_settings_only_for_SME9]] 
Not secure. Instead use per ibay or directory.

==SAMBA==
===shows samba mappings to nt groups===
net groupmap list
===manage the SAM database(Database of Samba Users)===
The pdbedit program is used to manage the users accounts stored in the sam database and can only be run by root.
pdbedit -u USER -v
for example
pdbedit -u stephane -v

===check an smb.conf configuration===
testparm - check an smb.conf configuration file for internal correctness
testparm -vs

===The Trust Relationship Failure===
Using Samba 3 sometimes some Windows computers fall off the domain, resulting in a trust relationship failure.

The trust relationship between this workstation and the primary domain failed.

This is generally caused by mis-matched work-station and domain controller account passwords. To reset this you must un-join/re-join the domain.

===enable samba audit logs for ibays===
Samba audit logging can be enabled for ibays using db variables.

Samba activity is logged in /var/log/samba/samba_audit

To enable audit logging for an ibay named "fileshare":
<nowiki>db accounts setprop fileshare Audit enabled
signal-event ibay-modify fileshare</nowiki>

To enable audit logging for every ibay on your server:
<nowiki>for ibay in $(db accounts show |grep \=ibay |cut -d= -f1); do db accounts setprop $ibay Audit enabled; done
signal-event ibay-modify</nowiki>

The details of what gets logged are controlled by /etc/e-smith/templates/etc/smb.conf/ibays/10smbaudit

==SME Server specific==
=== Command Line===
{| class="wikitable"
|-
! Command !! Explanation
|-
| signal-event post-upgrade || performs SME Server to go regenerate all templates
|-
| signal-event reboot || reboots the server
|-
| signal-event <event> || performs SME Server to go regenerate event template '''(you may use TAB to auto-complete your command line)'''
|-
| signal-event console-save || Expands templates and reconfigures services which can be changed from the text-mode console and which do not require a reboot
|-
| signal-event dns-update || refreshes the DNS cache, useful for when you know a domain has changed IP and the TTL is too long to wait
|-
| /etc/e-smith/events/actions/navigation-conf || recreates server-manager navigation panel
|-
| config show || display the internal configuration of the server
|-
| config show <service name> || show the service configuration '''(you may use TAB to auto-complete your command line)'''
|-
| db || shows the syntax of the db command
|-
| db configuration show || shows the entire server configuration
|-
| db configuration setprop <record> <property> <value> || sets or changes a property in the configuration database
|-
| db accounts show || shows all account details
|-
| db accounts show <accountname> || shows the account details
|-
| /etc/e-smith/events/actions/initialize-default-databases|| action for initializing the default database values
|}
===Refresh DNS cache===

signal-event dns-update

refreshes the DNS cache, useful for when you know a domain has changed IP and the TTL is too long to wait

===Refresh Squid Cache===
Extracted from: http://forums.contribs.org/index.php?topic=38848.msg176737#msg176737

===Flush and Restart===

sv d /service/squid
echo "" > /var/spool/squid/swap.state
sv u /service/squid

& to check it's running
sv s /service/squid
===SystemConfig===
Some relative Informations to your system are recorded in the configuration database
config show sysconfig
===db command===
{{note box|SME Server comes with the most used parameters set as variables in its internal configuration databases. These variables are used to store values to be used in the final configuration files. Please, read the [[SME_Server:Documentation:Developers_Manual:Section2]] to understand the template and database process.}}

you can see this page of the wiki [[DB_Variables_Configuration]] and the [[Db_command_tutorial]]

==== Setting db variables to default values ====
{{Note box| Use of 'config' is a shorthand version for 'db configuration' and therefore only works with the configuration database}}

Any db variable that has a default value can be reset to the default by deleting the variable entirely, then re-initializing the default database values as follows:
config delprop <key> <prop>
/etc/e-smith/events/actions/initialize-default-databases

==== Delete a property value ====
To delete the property
db accounts delprop <key> <prop>

==== Reset a property to an empty value ====
To reset to an empty value
db accounts setprop <key> <prop> <nowiki>''</nowiki>

{{Warning box|Database parameters are case sensitive so take great care when typing at the server shell because no error messages are given should you make a mistake.}}

====Create DB key manually by a script====

An example on how create by hand some db with contents in a script. all these db can not be erased because for every 'post-upgrade signal-event; signal-event reboot', the default values set manually below will return.

mkdir -p /etc/e-smith/db/accounts/defaults/wordpress
echo "reserved" > /etc/e-smith/db/accounts/defaults/wordpress/type

mkdir -p /etc/e-smith/db/configuration/defaults/wordpress
echo "configuration" > /etc/e-smith/db/configuration/defaults/wordpress/type
echo "Wordpress weblog" > /etc/e-smith/db/configuration/defaults/wordpress/Name
echo "global" > /etc/e-smith/db/configuration/defaults/wordpress/PublicAccess
echo "enabled" > /etc/e-smith/db/configuration/defaults/wordpress/status
echo "wordpress" > /etc/e-smith/db/configuration/defaults/wordpress/DbName
echo "wordpress" > /etc/e-smith/db/configuration/defaults/wordpress/DbUser
echo "en" > /etc/e-smith/db/configuration/defaults/wordpress/WpLang

in order to initialize all db settings
/etc/e-smith/events/actions/initialize-default-databases

====Create DB key manually by 'config'====
If you want to create a key entry manually you can use the 'config' command and save properties in the '''configuration database'''. For your information, once deleted you cannot retrieve default values as above.
The generic Command line is :
config configuration set key type [prop1 val1] [prop2 val2] ...
for example you can do

config set plop configuration Name wordpress PublicAccess private status enabled DbName wordpress DbUser wordpress WpLang en

you can see the result

config show plop
plop=configuration
DbName=wordpress
DbUser=wordpress
Name=wordpress
PublicAccess=private
WpLang=en
status=enabled

===Modify Hidden settings of users===
====Grant bash access to a "user"====
db accounts setprop '''user''' Shell /bin/bash
signal-event user-modify '''user'''

====Grant vpn access to a "user"====
db accounts setprop '''user''' VPNClientAccess yes
signal-event user-modify '''user'''

====Grant sudo access to a "user"====
db accounts setprop '''user''' Sudoer yes
signal-event user-modify '''user'''

====Chroot "user" on FTP usage====
db accounts setprop '''user''' ChrootDir /home/e-smith/files/users/user/home
signal-event user-modify '''user'''

=== General Service Handling ===
====SME9====
SME Server uses [http://smarden.org/runit/ runit], a UNIX init scheme with service supervision. See the man page of [http://smarden.org/runit/sv.8.html the 'sv' command]

All other linux common way to start or stop services are also valuable

/etc/init.d/servicename start/stop/status
service servicename start/stop/status

*start
sv u /service/servicename
*stop
sv d /service/servicename
*restart
sv t /service/servicename
* status
sv s /service/servicename
{{tip box|you may use TAB to auto-complete your command line}}

you have some shortcuts
down => 'd',
stop => 'd',
up => 'u',
start => 'u',
restart => 't',
sigterm => 't',
adjust => 'h',
reload => 'h',
sighup => 'h',
sigusr1 => '1',
sigusr2 => '2',
once => 'o',
pause => 'p',
alarm => 'a',
interrupt => 'i',
quit => 'q',
kill => 'k',
exit => 'x',

Restarting:

sv t /service/httpd-e-smith

====SME10====
'''Systemctl''' is a '''systemd''' utility that is responsible for Controlling the '''systemd''' system and service manager. '''Systemd''' is a collection of system management daemons, utilities, and libraries which serves as a replacement of '''System V init''' daemon. Systemd functions as central management and configuration platform

To list all loaded services on your system (whether active; running, exited or failed, use the '''list-units''' subcommand and <code>--type</code> switch with a value of service.
# systemctl list-units --type=service
OR
# systemctl --type=service

But to get a quick glance of all running services (i.e all loaded and actively running services), run the following command.
# systemctl list-units --type=service --state=running
OR
# systemctl --type=service --state=running

List all failed units.
# systemctl --failed

Check whether a Unit or Service is running or not?.
# systemctl status httpd-e-smith

How do I start, restart, stop, reload and check the status of a service ('''httpd.service''') in Linux.
# systemctl start httpd-e-smith.service
# systemctl restart httpd-e-smith.service
# systemctl stop httpd-e-smith.service
# systemctl reload httpd-e-smith.service
# systemctl status httpd-e-smith.service

===Add a custom service===

see this [[Add_a_custom_service |page]]

==SSL==
===Test SSL certificate===
This free online service performs a deep analysis of the configuration of any SSL web server on the public Internet.
https://www.ssllabs.com/ssltest/
===SSL diagnostic===
The s_client command implements a generic SSL/TLS client which connects to a remote host using SSL/TLS. It is a very useful diagnostic tool for SSL servers. 

[https://www.openssl.org/docs/apps/s_client.html openssl s_client] Documentation
*on sme
openssl s_client -connect localhost:993
*on a remote host
openssl s_client -connect yourdomain:993

===SSL Signature algorithm===
you can verify the algorithm signature of your certificate 

for example
openssl x509 -noout -text -in /home/e-smith/ssl.pem/sme9dev2.mycompany.local.pem

== SSH ==

===Enable SSH===
* Enable ssh access (the lazy not-so-secure way, but I am assuming for this testing/dev scenario that your external IP is really a local address behind a router)
<syntaxhighlight lang="Bash">
db configuration setprop sshd status enabled
db configuration setprop sshd PermitRootLogin yes
db configuration setprop sshd acccess public
db configuration setprop sshd PasswordAuthentication yes
/sbin/e-smith/signal-event remoteaccess-update
</syntaxhighlight>

* Allow ssh in public or private mode : '''public'''= all internet '''private'''= only your network

db configuration sshd access public
signal-event remoteaccess-update

===Access to the terminal of your remote sme===

ssh root@ip-sme-or-remote-hostname
or
ssh -pX root@ip-sme-or-remote-host (X is the port listened by ssh service)

{{Note box| you need to forward in your router the port 22 (or whatever you decide) to your internal sme's ip and '''allow ssh in the server-manager with the root login and Password Authentication''' (Security/Remote Access menu). '''You can enhance security by disabling the root connection''' : Allow administrative command line access over secure shell NO
Keep in mind that you need '''to set the service to public access (entire internet)''' if you want to be accessible by ssh outside of you network (see the [[Denyhosts]] contrib for banning hosts which failed too many login attempts to your ssh deamon.) }}

===Execute or run a command over ssh to a remote server and auto disconnect after quit===

ssh -t root@ip-sme-or-remote-hostname command

where 'command' is the program or command to run. An example could be:

ssh -t root@192.168.1.5 top

===Access to the server-manager through SSH===

We can access to the server-manager of your remote SME Server by SSH with a tunneling protocol initiated by "ssh -L". This command has to be done by a superuser in a Terminal like if you want to be connected to your SME Server by SSH.
{{note box|We assume that ports are forwarded in your router to your sme internal IP (443 and 22) and the root user is allowed to access by ssh to the server.}}

Do this in a root terminal of your Linux computer outside of your network

ssh -L 443:localhost:443 root@your-static-external-network-IP-or-host.dyndsn.org

host.dyndsn.org could be a free service as [http://dyn.com/dns/ dyndns.org] or [http://www.noip.com/ noip.com]

'''Keep the terminal open''', Then you need to use this specific URL in your WEB Browser to go to the server-manager

https://localhost/server-manager

{{tip box|msg=It is possible to use putty if you are afraid about some commands in a terminal, you can find a lot of examples by typing this in google [https://www.google.com/search?q=tunneling+by+putty tunneling by putty]}}

====Access with non standard ports====
In certain cases which you are not root on the local computer, you can not redirect port < 1024, so you have to use port > 1024 as the example below.

ssh -L 9443:localhost:443 root@your-remote-ip -p 22

9443 : local port
443 : remote https port
your-remote-ip : the remote host (could be an ip or a domain name)
22 : this is the port where the ssh server is listening, you can change it in accordance with the remote server

'''Keep the terminal open''', Then you need to use this specific URL in your WEB Browser to go to the server-manager

https://localhost:9443/server-manager

----
[[Category:Howto]]

SMEServer Qpsmtpd

2026-01-14T17:19:35Z

Rdswikiadmin:

Copied from; https://wiki.koozali.org/Qpsmtpd/sme11 (This page was last modified on 28 April 2024, at 22:45.)

{{WIP box|this is a work in progress for the new SME 11 qpsmtpd configuration}}

TODO: update [[Email#qpsmtpd]] for SME11

=qpsmtpd=
[[Wikipedia:Qpsmtpd|qpsmtpd]] has been a core component of SME Server since SME 7, providing advanced spam fighting capabilities.

SME Server 9.2 introduced qpsmtpd 0.96 with several new capabilities. At the same time, smeserver-qpsmtpd has been updated to provide additional SME Server configuration options.

SME Server 10 start moving the services to systemd.

SME Server 11 will upgrade to qpsmtpd 1.0. At the same time, smeserver-qpsmtpd has been updated providing separate configuration for each running deamons and introducing a third running deamon now covering all usual SMTP ports 25 (qpsmtpd), 587 (new uqpsmtpd) and 465 (sqpsmtpd). Also SME11 provides a full systemd implementaiton of the services without runit. Softlimit has been increased from 50MB to 150MB.

==Systemd Configuration ==
Some of the setting that were previously arranged using runit run script and multiple called script are all now present in systemd unit, with a dropin file to override default. The dropin file is templated<syntaxhighlight lang="ini">
# /usr/lib/systemd/system/uqpsmtpd.service
[Unit]
Description=qpsmtpd on submission port
After=network.target network-online.target qpsmtpd.service

[Service]
Type=simple
LimitDATA=150000000
LimitSTACK=150000000
LimitMEMLOCK=150000000
Environment=PORT=587 INSTANCES=40 INSTANCES_PER_IP=5 QPSMTPD_CONFIG=/var/service/uqpsmtpd/config PATH=/var/qmail/bin:/bin:/usr/bin:/usr/local/bin TCPLOCALHOST=me
WorkingDirectory=/var/service/qpsmtpd/

ExecStartPre=/sbin/e-smith/service-status uqpsmtpd
ExecStartPre=/sbin/e-smith/systemd/qpsmtpd-init %N
ExecStart=/usr/bin/qpsmtpd-forkserver \
-u qpsmtpd \
-l 0.0.0.0 \
-p $PORT \
-c $INSTANCES \
-m $INSTANCES_PER_IP
ExecReload=/bin/kill -HUP $MAINPID
Restart=always
RestartSec=20s
SyslogIdentifier=uqpsmtpd

[Install]
WantedBy=sme-server.target

# /usr/lib/systemd/system/uqpsmtpd.service.d/50koozali.conf
#------------------------------------------------------------
# !!DO NOT MODIFY THIS FILE!!
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at http://www.contribs.org/development/
#
# Copyright (C) 1999-2006 Mitel Networks Corporation
#------------------------------------------------------------
[Service]
LimitDATA=150000000
LimitSTACK=150000000
LimitMEMLOCK=150000000
Environment=
Environment=QPSMTPD_CONFIG=/var/service/uqpsmtpd/config PORT=587 INSTANCES=10 INSTANCES_PER_IP=5 PATH=/var/qmail/bin:/bin:/usr/bin:/usr/local/bin TCPLOCALHOST=sme11.example.com
</syntaxhighlight>

==Services folders==
<syntaxhighlight lang="bash">
/var/service/qpsmtpd
/var/service/qpsmtpd/config
/var/service/qpsmtpd/config/dkim
/var/service/qpsmtpd/config/peers
/var/service/qpsmtpd/peers
/var/service/qpsmtpd/ssl
/var/service/sqpsmtpd
/var/service/sqpsmtpd/supervise
/var/service/sqpsmtpd/config
/var/service/sqpsmtpd/config/dkim -> ../../qpsmtpd/config/dkim
/var/service/sqpsmtpd/config/peers
/var/service/sqpsmtpd/peers
/var/service/qpsmtpd/ssl -> ../qpsmtpd/ssl
/var/service/uqpsmtpd
/var/service/uqpsmtpd/config
/var/service/uqpsmtpd/config/dkim -> ../../qpsmtpd/config/dkim
/var/service/uqpsmtpd/config/peers
/var/service/uqpsmtpd/peers
/var/service/qpsmtpd/ssl -> ../qpsmtpd/ssl

</syntaxhighlight>

==Properties in configuration db==
{| class="wikitable mw-collapsible"
|+
x: use the value of qpsmtpd key property for this key too.
!property
!qpsmtpd
! sqpsmtpd
!uqpsmtpd
!information
|-
|Authentication
|enabled
|enabled
|enabled
|
|-
|Bcc
|disabled
|x
|x
|
|-
|BccMode
|cc
|x
|x
|
|-
|BccUser
|maillog
|x
|x
|
|-
|DNSBL
|disabled
|x
|x
|
|-
|Instances
|40
|10
|10
|
|-
|InstancesPerIP
|5
|5
|5
|
|-
|LogLevel
|6
|x
|x
|
|-
|MaxScannerSize
|25000000
|x
|x
|
|-
|MaximumDateOffset
|0
|x
|x
|
|-
|PatternsScan
|disabled
|x
|x
|
|-
|Proxy
|blocked
|x
|x
|
|-
|RBLList
|bl.spamcop.net,dnsbl-1.uceprotect.net,dnsbl-2.uceprotect.net,psbl.surriel.com,zen.spamhaus.org
|x
|x
|
|-
|RHSBL
|disabled
|x
|x
|
|-
|RelayRequiresAuth
|enabled
|x
|x
|
|-
|SoftLimit
|150000000
|150000000
|150000000
|
|-
|SBLList
|multi.surbl.org,black.uribl.com,rhsbl.sorbs.net
|x
|x
|
|-
|TCPPort
|25
|465
|587
|
|-
|TCPProxyPort
|25
|x
|x
|
|-
|TlsBeforeAuth
|1
|1 (hardcoded)
|1 (hardcoded)
|
|-
|UBLList
|multi.surbl.org:8-16-64-128,black.uribl.com,rhsbl.sorbs.net
|x
|x
|
|-
|URIBL
|disabled
|x
|x
|
|-
|VirusScan
|enabled
|x
|x
|
|-
|access
|public
|public
|public
|
|-
|qplogsumm
|disabled
|x
|x
|
|-
|status
|enabled
|enabled
|enabled
|
|-
|tnef2mime
|enabled
|x
|x
|
|-
|
|
|
|
|
|-
|KarmaNegative
|(2)
|
|
|
|-
|KarmaStrikes
|(3)
|
|
|
|-
|HeloPolicy
|<nowiki>(lenient)[lenient | rfc | strict]</nowiki>
|
|
|
|-
|MaximumDateOffset
|(0)
|
|
|
|-
|MaxLoad
|(7)
|
|
|
|-
|SPFRejectPolicy
|(0)[0-4]
|
|
|
|-
|DMARCReject
|<nowiki>(disabled)[enabled|disabled]</nowiki>
|
|
|
|-
|DMARCReporting
|<nowiki>(enabled)[enabled|disabled]</nowiki>
|
|
|
|-
|disclaimer
|<nowiki>(disabled)[enabled|disabled]</nowiki>
|
|
|
|}

==Config files==
{| class="wikitable"
|+template: is templated individually ; metadata: use another template via a metadata file.
!config file
!qpsmtpd
!sqpsmtpd
!uqpsmtpd
!plugin
!related properties
!information
|-
|badhelo
|template
|metadata
|metadata
|helo
|
|
|-
|badmailfrom
|template
|metadata
|metadata
|badmailfrom
badmailfromto

badrcptto
|
|
|-
|badrcptto
|template
|metadata
|metadata
|badrcptto
check_goodrcptto
|
|fixed output
|-
|badrcptto_ext
|template
|metadata
|metadata
|badrcptto
|
|hide emails when db accounts setprop ACCOUNT Visible internal
|-
|dkim
|folder
|folder
|folder
|
|
|not in use
|-
|dnsbl_allow
|template
|metadata
|metadata
|dnsbl
|
|
|-
|dnsbl_zones
|template
|metadata
|metadata
|dnsbl
per_user_config
|$qpsmtpd{RBLList}
|
|-
|forcespamcheck
|template
|metadata
|metadata
|forcespamcheck
|
|empty file, plugin set in peers
|-
|goodrcptto
|template
|metadata
|metadata
|check_goodrcptto
|
|
|-
|invalid_resolvable_fromhost
|template
|metadata
|metadata
|resolvable_fromhost
|
|fixed output
|-
|IP
|template
|metadata
|metadata
|
|
|IP for tcpserver to bind to , 0 for all, fixed to 0
|-
|loglevel
|template
|metadata
|metadata
|logterse (...)
|$qpsmtpd{LogLevel}
|
|-
|memory_threshold
|template
|metadata
|metadata
|
|
|fixed to 1
|-
|norelayclients
|template
|metadata
|metadata
|relay
|
|$GatewayIP if set
|-
|peers
|folder
|folder
|folder
|peers
|
|see peers section
|-
|plugin_dirs
|template
|metadata
|metadata
|
|
|fixed output /usr/share/qpsmtpd/plugins
|-
|plugins
|x
|x
|x
|x
|x
|has a copy of peers fragments, hidden by metadata
|-
|relayclients
|template
|'''metadata : to remove?'''
|'''metadata: to remove?'''
|greylisting
relay

spamassassin
|
|IP allowed for relay without auth
|-
|rhsbl_zones
|template
|metadata
|metadata
|rhsbl
|$qpsmtpd{SBLList}
|
|-
|signatures_patterns
|template
|metadata
|metadata
|
|
|uses db mailpatterns
|-
|smtpgreeting
|template
|metadata
|metadata
|
|$qpsmtpd{Greeting}
|default to host.domain
|-
|spool_dir
|template
|metadata
|metadata
|
|
|fixed output /var/spool/qpsmtpd
|-
|spool_perms
|x
|x
|x
|
|
|file, do not alter
|-
|subject_prefix
|template
|metadata
|metadata
|
|$spamassassin{Subject}
|
|-
|timeout
|template
|metadata
|metadata
|
|$qpsmtpd{timeout}
|120 as default
|-
|timeoutsmtpd
|template
|metadata
|metadata
|
|$qpsmtpd{timeoutsmtpd}
|120 as default
|-
|tls_before_auth
|template
|template
|template
|
|$qpsmtpd{TlsBeforeAuth}
|hardcoded for uqpsmtpd and sqpsmtpd
|-
|tls_ciphers
|template
|template
|template
|tls
|$qpsmtpd{TlsBeforeAuth}
$sqpsmtpd{TlsBeforeAuth}

$uqpsmtpd{TlsBeforeAuth}
|sqpsmtpd default to uqpsmtpd
global default is $modSSL{CipherSuite}
|-
|tls_protocols
|template
|template
|template
|tls
|SSLv2, SLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
|TLS1.2 minimum for uqpsmtpd and sqpsmtpd
TLS1.1 minimum for qpsmtpd

properties are set individually for each service
|-
|uribl_zones
|template
|metadata
|metadata
|
|$qpsmtpd{UBLList}
|
|}

==Peer plugin configuration==
SME Server uses a plugin call peers, that set the plugins used depending on the client IP, i.e. 2 configurations are presents one for LAN and another for WAN.
{| class="wikitable"
|+
X for not present/overriden
!plugin
!config
!qp local
!qp 0
!sqp /uqp
local
!sqp/uqp
0
!TODO
|-
|00setup
|set bounce_unknown_user
|
|
|
|
|
|-
|02logterse
|logging/logterse
|
|
|
|
|
|-
|04tls
|tls ssl/cert.pem ssl/cert.pem ssl/cert.pem ssl/dhparam.pem
|
|
|
|
|
|-
|05auth_cvm_unix_local
|
|
|
|
|
|To remove
|-
|06auth_imap
|auth/auth_imap 127.0.0.1 143
|
|
|
|
|
|-
|09karma
|karma negative $negative strikes $strikes reject naughty db_dir /var/lib/qpsmtpd/karma
|X
|
|X
|
|enabled by default ?
|-
|10earlytalker
|earlytalker
|X
|
|X
|
|<nowiki>add wait and check-at [ CONNECT | DATA ] options</nowiki>
|-
|11bogus_bounce
|bogus_bounce
|
|
|
|
|
|-
|12count_unrecognized_commands
|count_unrecognized_commands 4
|X
|
|X
|
|
|-
|13bcc
|bcc mode $qpsmtpd{BccMode} all $user
|
|
|
|
|add possibility to set direction (all/incoming/outgoing)
|-
|14relay
|relay
|
|
|
|
|should we remove from 465 and 581 or set RELAY ONLY ?
|-
|15helo
|<nowiki>helo policy { $qpsmtpd{HeloPolicy} || 'lenient' } reject naughty</nowiki>
|X
|
|X
|
|
|-
|16resolvable_fromhost
|resolvable_fromhost
|X
|
|X
|
|
|-
|17headers
|headers future $days past $days" if ($days)
|
|
|
|
|
|-
|19loadcheck
|<nowiki>loadcheck max_load { $qpsmtpd{MaxLoad} || '7' }</nowiki>
|X
|
|X
|
|
|-
|20rhsbl
|rhsbl
|X
|
|X
|
|
|-
|221spf
|<nowiki>sender_permitted_from reject 1 no_dmarc_policy { $qpsmtpd{SPFRejectPolicy} || '0' }</nowiki>
|X
|
|X
|
|change default to 1
|-
|222dkim
|dkim reject 0
|
|
|
|
|
|-
|223dmarc
|<nowiki>marc reject { (( $qpsmtpd{DMARCReject} || 'disabled' ) =~ m/^1|on|enabled|yes$/) ? '1' : '0' } reporting { (( $qpsmtpd{DMARCReporting} || 'enabled' ) =~ m/^1|on|enabled|yes$/) ? '1' : '0' }</nowiki>
|X
|
|X
|
|
|-
|22dnsbl
|dnsbl reject naughty
|X
|
|X
|
|
|-
|23naughty
|naughty reject mail
|X
|
|X
|
|
|-
|24uribl
|uribl action deny
|
|
|
|
|
|-
|30badmailfrom
|badmailfrom
|
|
|
|
|
|-
|34badrcptto
|badrcptto
|
|X
|
|X
|
|-
|34badrcptto_ext
|badrcptto more_badrcptto badrcptto_ext
|X
|
|X
|
|
|-
|37check_smtp_forward
|check_smtp_forward
|
|
|
|
|needed for submission ?
|-
|38check_goodrcptto
|check_goodrcptto extn -
|
|
|
|
|
|-
|39rcpt_ok
|rcpt_ok
|
|
|
|
|
|-
|62pattern_filter
|virus/pattern_filter check=patterns action=deny
|
|
|
|
|
|-
|62tnef2mime
|tnef2mime
|
|
|
|
|
|-
|65disclaimer
|disclaimer
|
|X
|
|X
|missing disclaimer_file definition?
|-
|70spamassassin
|spamassassin reject $spamassassin{RejectLevel} munge_subject_threshold $spamassassin{TagLevel} size_limit $spamassassin{MaxMessageSize}
|X
|
|X
|
|
|-
|71forcespamcheck
|forcespamcheck reject $spamassassin{RejectLevel} munge_subject_threshold $spamassassin{TagLevel} size_limit $spamassassin{MaxMessageSize}
|
|X
|
|X
|
|-
|80clamav
|virus/clamdscan scan_all yes clamd_socket /run/clamd/clamd.socket defer_on_error yes max_size $max_size
|
|
|
|
|
|-
|90queue-qmail-queue
|queue/qmail-queue
|
|
|
|
|also content commented to remove ?
|-
|90queue-smtp-forward
|# commented out
|
|
|
|
|
|}

==Upgrade Considerations==
we used check_badcountries for a while, but could we switch back to ident/geoip ?

whitelist plugin : adding the ip-range whitelist; add login of ip

===A-Record DNSBL Services===
:Some DNSBL services - notably b.barracudacentral.org - provide their results using a DNS "A" record instead of a DNS TXT record. The dnsbl plugin requires these services to include a colon (":") in dnsbl_zones - however, SME used to use a colon the server separator in the configuration database. In order to support these A-Record DNSBL services, the separator for RBLList, SBLList, and the new UBLList is now a comma.

:You can now configure b.barracudacentral.org using (note the single quotes):
:<code><nowiki>config setprop qpsmtpd RBLList server1,server2,'b.barracudacentral.org:Blocked - see <http://bbl.barracudacentral.com/q.cgi?ip=%IP%>'</nowiki></code>

===DKIM & DMARC===
:DKIM & DMARC are now supported natively by SME Server. To enable these you will need to configure appropriate DNS records in your public DNS server.
:There are forum reports of problems for users who had DKIM enabled using the DKIM contrib.
===URIBL===
:qpsmtpd now supports URIBL - the ability to block emails that contain known malicious URLs within the body of the email. This service is disabled by default.

:Enable URIBL with the default services using:
<nowiki>config setprop qpsmtpd URIBL enabled
signal-event email-update</nowiki>

:'''Note:''' If your SME server is using high traffic external DNS forwarders like [https://developers.google.com/speed/public-dns/ google] (8.8.8.8 / 8.8.4.4), [https://www.opendns.com/setupguide/ opendns] (208.67.222.222 / 208.67.220.220), or any large ISP's (Cox, Comcast, Verizon), enabling URIBL may block all incoming email. This will only affect you if you have configured a DNS forwarder in server-manager -- a default SME server installation does its own direct DNS lookups and would not be affected unless you receive over 250,000 emails per day.

:Read more at http://uribl.com/refused.shtml

==="Naughty" plugin===
:SME Server is now using the 'naughty' plugin which allows early plugins like dnsbl, earlytalker, etc to indicate that the email should be rejected at a later point in the interaction. This allows the server to log extra information for denied emails. Specifically, emails denied by dnsbl will now show the sender and recipient email addresses in the qpsmtpd log

==Plugins==

Below is a list of all the plugins from /usr/share/qpsmtpd/plugins on a freshly updated SME 9.2 server.

<div style="column-count:2;-moz-column-count:2;-webkit-column-count:2; border:1px solid grey;">
<tt>+ New in SME 11 
<nowiki>* Improved or changed in SME 9.2</nowiki> 
<nowiki>U Unused (by default) in SME Server</nowiki> 
<nowiki>E Extra / External Configuration Required</nowiki> 
<nowiki>CW Contrib or Wiki page exists that uses this plugin</nowiki> 
<nowiki>SM Can be configured using server-manager</nowiki> 
<nowiki>DB Can be configured using db variables</nowiki></tt>

<tt>X Provided by a contrib, not in qpsmtpd git 
<nowiki>AC Auto-configured by SME Server</nowiki></tt>
</div> 
<div style="column-count:4;-moz-column-count:4;-webkit-column-count:4">
*[[Qpsmtpd:auth/auth_checkpassword|auth/auth_checkpassword]] (U)
*[[Qpsmtpd:auth/auth_cvm_unix_local|auth/auth_cvm_unix_local]] (AC)
*[[Qpsmtpd:auth/authdeny|auth/authdeny]] (U)
*[[Qpsmtpd:auth/auth_flat_file|auth/auth_flat_file]] (U)
*[[Qpsmtpd:auth/auth_imap|auth/auth_imap]] (U)
*[[Qpsmtpd:auth/auth_ldap_bind|auth/auth_ldap_bind]] (U)
*[[Qpsmtpd:auth/auth_vpopmail|auth/auth_vpopmail]] (U)
*[[Qpsmtpd:auth/auth_vpopmaild|auth/auth_vpopmaild]] (U)
*[[Qpsmtpd:auth/auth_vpopmail_sql|auth/auth_vpopmail_sql]] (U)
*[[Qpsmtpd:autowhitelist_relayrcpt|autowhitelist_relayrcpt]] (U)
*[[Qpsmtpd:badmailfrom|badmailfrom]]
*[[Qpsmtpd:badmailfromto|badmailfromto]] (U)
*[[Qpsmtpd:badrcptto|badrcptto]] (AC)
*[[Qpsmtpd:bcc|bcc]] (U DB)
*[[Qpsmtpd:bogus_bounce|bogus_bounce]] (DB)
*check_badcountries (X [[GeoIP|CW]])
*[[Qpsmtpd:check_goodrcptto|check_goodrcptto]] (AC)
*[[Qpsmtpd:check_smtp_forward|check_smtp_forward]] (AC)
*[[Qpsmtpd_connection_time|connection_time]] (U CW)
*[[Qpsmtpd:content_log|content_log]] (U)
*[[Qpsmtpd:count_unrecognized_commands|count_unrecognized_commands]] (DB)
*[[Qpsmtpd:denysoft_multi_rcpt|denysoft_multi_rcpt]] (U)
*[[Email#How_do_I_enable_and_configure_a_disclaimer_in_email_messages|disclaimer]] (U DB CW)
*[[Qpsmtpd:dkim|dkim]] (+ DB E)
*[[Qpsmtpd:dkim_sign|dkim_sign]] (+ DB E)
*[[Qpsmtpd:dmarc|dmarc]] (DB E)
*[[Email#Real-time_Blackhole_List_.28RBL.29|dnsbl]] (* DB CW)
*[[Qpsmtpd:dns_whitelist_soft|dns_whitelist_soft]] (U)
*[[Qpsmtpd:domainkeys|domainkeys]]
*[[Qpsmtpd:dont_require_anglebrackets|dont_require_anglebrackets]] (U)
*[[Qpsmtpd:dspam|dspam]] (U)
*[[Qpsmtpd_check_earlytalker|earlytalker]] (AC [[Qpsmtpd check earlytalker|CW]])
*[[Qpsmtpd:exe_filter|exe_filter]] (U AC)
*[[Qpsmtpd:fcrdns|fcrdns]] (U)
*[[Qpsmtpd:fix_headers_case|fix_headers_case]] (U CW)
*[[greylisting]] (U CW)
*[[Qpsmtpd:handler|handler]] (U)
*[[Qpsmtpd:headers|headers]] (*)
*[[Qpsmtpd:helo|helo]] (AC)
*[[Qpsmtpd:help|help]] (U)
*[[Qpsmtpd:hosts_allow|hosts_allow]] (AC)
*[[Qpsmtpd:http_config|http_config]] (U)
*[[Qpsmtpd:ident/geoip|ident/geoip]] (U)
*[[Qpsmtpd:ident/p0f|ident/p0f]] (U)
*[[Qpsmtpd:karma|karma]] (+ U DB)
*[[Qpsmtpd:karma_tool|karma_tool]]
*[[Qpsmtpd:loadcheck|loadcheck]] (+)
*[[Qpsmtpd:logging|logging]] (AC)
*[[Qpsmtpd:loop|loop]] (U)
*[[Qpsmtpd:milter|milter]] (U)
*[[Qpsmtpd:naughty|naughty]] ()
*[[Qpsmtpd:noop_counter|noop_counter]] (U)
*[[Qpsmtpd:parse_addr_withhelo|parse_addr_withhelo]] (U)
*[[Qpsmtpd:peers|peers]] (AC)
*[[Qpsmtpd:per_user_config|per_user_config]] (U CW)
*[[Qpsmtpd:qmail_deliverable|qmail_deliverable]] (U)
*[[Qpsmtpd:queue|queue]] (AC)
*[[Qpsmtpd:quit_fortune|quit_fortune]] (U)
*[[Qpsmtpd:random_error|random_error]] (U)
*[[Qpsmtpd:rcpt_map|rcpt_map]] (U)
*[[Qpsmtpd:rcpt_ok|rcpt_ok]] (AC)
*[[Qpsmtpd:rcpt_regexp|rcpt_regexp]] (U)
*[[Qpsmtpd:registry.txt|registry.txt]] (U)
*[[Qpsmtpd:relay|relay]] (AC)
*[[Qpsmtpd:resolvable_fromhost|resolvable_fromhost]] (AC)
*[[Email#Real-time_Blackhole_List_.28RBL.29|rhsbl]] (* DB CW)
*[[Qpsmtpd:sender_permitted_from|sender_permitted_from]] (?)
*[[Email#Spamassassin|spamassassin]] (DB SM AC CW)
*[[Qpsmtpd:stunnel|stunnel]] (U)
*[[Qpsmtpd:tls|tls]] (AC)
*[[Qpsmtpd:tls_cert|tls_cert]]
*[[Qpsmtpd:tnef2mime|tnef2mime]] (AC)
*[[Qpsmtpd:uribl|uribl]] (DB)
*[[Qpsmtpd:user_config|user_config]] (U)
*[[Virus:Email_Attachment_Blocking|virus]] (DB SM CW)
*[[Qpsmtpd:whitelist|whitelist]] (U?)
</div>

----
[[Category:Mail]]
[[Category:Qpsmtpd]]
[[Category:SME11-Development]]

SMEServer PHP

2026-01-14T17:18:47Z

Rdswikiadmin:

Copied from; https://wiki.koozali.org/PHP (This page was last modified on 17 July 2024, at 14:50.)

{{Languages|PHP}}
Starting with SME 10, the '''php''' module is no longer used for httpd. Instead we rely on '''php-fpm''' which can enable every available version of php.

By default we provide the following versions:

*54 (maintained by Red-Hat up to CentOS 7 EOL: 30 Jun 2024).
*55,56,70,71,72 (Note: unsupported!).
*73 (supported up to 6 Dec 2021).
*74 (supported up to 28 Nov 2022).
*80 (supported up to 26 Nov 2023).

 
===db keys available to control php configuration and services===
First you need to decide if you want to alter the php behaviour for an ibay or for a specific php version, of for all php versions.
{| class="wikitable"
|+db configuration properties
!keys
!role
!
|-
|php
|customization of /etc/php.ini
|for php54
|-
|php55
|customization of /opt/remi/php55/root/etc/php.ini
| rowspan="11" |if no properties defined, will use php keys properties
|-
|php56
|customization of /opt/remi/php56/root/etc/php.ini
|-
|php70
|customization of /etc/opt/remi/php70/php.ini
|-
|php71
|customization of /etc/opt/remi/php71/php.ini
|-
|php72
|customization of /etc/opt/remi/php72/php.ini
|-
|php73
|customization of /etc/opt/remi/php73/php.ini
|-
|php74
|customization of /etc/opt/remi/php74/php.ini
|-
|php80
|customization of /etc/opt/remi/php80/php.ini
|-
|php81
|customization of /etc/opt/remi/php81/php.ini
|-
|php82
|customization of /etc/opt/remi/php82/php.ini
|-
|php83
|customization of /etc/opt/remi/php83/php.ini
|}
Every version of php has its own php-fpm service running, the related configuration db entry is (as shown in the Table above) php-fpm for php (ie php54), php55-php-fpm for php55 and so on.

If you really want to disable one version of php, shown below is what you need to do for php55, as an example:
config setprop php55-php-fpm status disabled
signal-event webapps-update

===Available properties===
Here is a list of available properties to configure php. You have to choose at which level you want to handle the change.

*Do you want the change for the whole server? -- then probably choose to change it for key php): db configuration setprop php ...
*Do you want the change for a specific version of php? -- then you should probably do it against a specific php key e.g. : db configuration setprop php74 ...
*Do you want to apply the change for a specific ibay? -- this is what we suggest you to do in most cases: db accounts setprop myibay ..

{| class="wikitable"
|+
!php setting
!ibay property
!php.ini property
!default
!note
|-
| -
|PHPVersion
| -
|74
|can vary upon update if left empty
|-
|allow_url_fopen
|AllowUrlFopen
|AllowUrlFopen
|off
|unsecure keep to off
|-
|allow_url_include
| -
| -
|off
|
|-
|auto_prepend_file
|AutoPrependFile
| -
|enabled
|/usr/share/php/auth_translation.php unless disabled
|-
|disable_functions
|DisableFunctions
| -
|system,show_source, symlink,exec,dl,shell_exec,passthru,phpinfo,escapeshellarg,escapeshellcmd
|
|-
|display_errors
|DisplayErrors
| -
|off
|
|-
|error_log
| -
| -
|/var/log/php/$key/error.log
|
|-
|error_reporting
|ErrorReporting
| -
|E_ALL & ~E_NOTICE & ~E_DEPRECATED & ~E_STRICT
|
|-
|expose_php
| -
|ExposePHP
|Off
|
|-
|file_upload
|FileUpload
| -
|Off
|
|-
|mail.add_x_header
| -
|MailAddXHeader
|disabled
|only global, not per php version
|-
|mail.force_extra_parameters
|MailForceSender
|MailForceSender
|root@$DomainName
|ibayname@$DomainName for ibays
|-
|mail.log
| -
|MailLog
|disabled
|
|-
|max_execution_time
|MaxExecutionTime
|MaxExecutionTime
|30
|
|-
|max_file_uploads
| -
|MaxFileUpload
|20
|
|-
|max_input_time
|MaxInputTime
|MaxInputTime
|60
|
|-
|memory_limit
|MemoryLimit
|MemoryLimit
|128M
|
|-
|open_basedir
|PHPBaseDir
| -
|/home/e-smith/files/ibays/IBAYNAME/:/var/lib/php/IBAYNAME/:/usr/share/php/:/usr/share/pear/:/opt/remi/php$version/root/usr/share/pear/:/opt/remi/php$version/root/usr/share/php/
|
|-
|post_max_size
|PostMaxSize
|PostMaxSize
|20M
|
|-
|security.limit_extensions
|AllowPHTML
|
|disabled
|allow php to interprete more file (.php .htm .html .phar .phtml .xml)
|-
|sendmail_from
| -
|MailForceSender
|root@$DomainName
|
|-
|sendmail_path
| -
|SendmailPath
|/usr/sbin/sendmail -t -i
|
|-
|short_open_tag
| -
|ShortOpenTag
|On
|
|-
|upload_max_filesize
|UploadMaxFilesize
|UploadMaxFilesize
|10M
|
|}
if you want to set a specific value for an ibay, here we show how to use php80 for ibay MYIBAY and avoid having any disabled function:
db accounts setprop MYIBAY disable_functions none PHPVersion 80
signal-event webapps-update
{{Note box|It is strongly suggested that you install the smeserver-webhosting contrib enabling you to set your ibay php values from the server-manager. Everything is available and it prevents you from making a mistake in the settings.}}

===Display Error Messages===

By default PHP does not display error messages on screen. Sometimes you get a blank page when executing PHP scripts. Usually some sort of error has occurred, but this error text will '''not''' be displayed as SME Server is configured to not display them. Instead the error messages are reported to the log files of the webserver and the general logfile of the server.

Try to analyze your logfiles:
/var/log/httpd/error_log and /var/log/httpd/access_log and perhaps also /var/log/messages.

{{Warning box|It is strongly advised that you disable "display errors" after you have tracked and solved the problem, as the displayed error message might provide information (like filesystem layout) that only should be known to the system administrators and not to users, let alone people with bad intentions. Thus it is a potential SECURITY RISK. After debugging, disable it again.}}

====Enable changes for all php versions====
If you (for debugging purposes for instance) would like to enable it you can do it with the instructions found below:

mkdir -p /etc/e-smith/templates-custom/etc/php.ini
cp /etc/e-smith/templates/etc/php.ini/30ErrorHandling /etc/e-smith/templates-custom/etc/php.ini

After that:

sed -i /etc/e-smith/templates-custom/etc/php.ini/30ErrorHandling -e 's/display_errors.*/display_errors = On/g'

After that issue the following commands:

signal-event webapps-update

Now access your page again and see what the error is.

====Undo Changes====
If everything works you remove the 30ErrorHandling file from the /etc/e-smith/templates-custom/etc/php.ini folder and issue the last two lines again:

signal-event webapps-update

====Enable changes for a specific ibay====
Starting SME10 and smeserver-php-3.0.0-39
db accounts setprop MYIBAY DisplayErrors enabled
signal-event webapps-update
===Open basedir restriction===
SME Server has a security measure in place which is called 'open basedir restriction'. This measure prevents PHP from executing or invoking other PHP scripts outside the scope of its own tree; in other words it creates a 'sandbox' or 'jail'.

Overall configuration is defined in the php.ini file but you can add an override on a per ibay basis.

====Error message====
The PHP open basedir restriction is usually presented to the user like this in the /var/log/messages file:

Aug 12 17:27:42 homer httpd: PHP Warning: main(): open_basedir restriction in effect. File(/tmp/test.php) is not within the allowed path(s): (/home/e-smith/files/ibays/Primary/html/) in /home/e-smith/files/ibays/Primary/html/test.php on line 2

In general you will find this message in the log files only as by default PHP is configured to prevent the display of error messages to the end users. This can be changed as per [[PHP#Display_Error_Messages|this HowTo]].

====Modifying the PHPBaseDir setting for an ibay====
<ol>
(Please also see: [http://wiki.contribs.org/Useful_Commands#PHP_Related_Commands these] instructions on the [http://wiki.contribs.org/Useful_Commands Useful_Commands] page.)
<li>Open a SME Server shell as root user and document the current setting of the PHPBaseDir directive by writing down the output of the following command:
db accounts getprop ibayname PHPBaseDir
Be careful to write it down to the letter as we need it in the next step.
For the Primary ibay the ouptut of above command would normally look like this:
/home/e-smith/files/ibays/Primary/html/
</li><li>Decide on what directory you would like to add and issue the following:
db accounts setprop ibayname PHPBaseDir value
Replace ibayname with the name of the ibay and value with the old value for the PHPBaseDir directive you have written down and a colon (:) followed by the full path to the directory you would like to add with a tailing slash (/), e.g.
db accounts setprop Primary PHPBaseDir /home/e-smith/files/ibays/Primary/html/:/opt/gallery2/
Above command would allow for invocation of scripts in the /opt/gallery2 path from the Primary ibay html folder by PHP.
To allow uploading of files to via http to a ibay name wiki:
db accounts setprop wiki PHPBaseDir /home/e-smith/files/ibays/wiki/:/tmp/

</li><li>After defining the new setting we need to reflect the change in the configuration file of the web server and have the web server reload it's configuration file. This is done by issuing the following command:
signal-event ibay-modify ibayname

Be sure to replace ibayname with the name of the ibay you have just modified.
</li></ol>
===Upload_tmp_dir===
upload_tmp_dir

From SME Server V8 up to and including SME Server V9, you could sometimes have an error thrown by PHP and would then need to specify a temporary directory (e.g. upload_tmp_dir) which is not set in php.ini. see [[bugzilla:6650]] and [[bugzilla:7652]]. Many php applications need this setting, the best-known culprits are Wordpress, Roundcube, eGroupWare, and there are others. The symptoms observed are that you can't upload contents to the PHP application.

An easy resolution is to make a Custom Template to resolve this issue. See [[Uploadtmpdir]].

=== Advanced use of the php-fpm pools ===

==== For the ibays with php-fpm.d/ibays.conf ====
For the ibays better option is to simply use the contrib [[Webhosting]].

==== For the contrib sharefolders with php-fpm.d/shares.conf ====
Similar to ibays.

==== For the contribs with php-fpm.d/www.conf ====
Please read [[Building Your Contrib]].

==== For your custom needs with php-fpm.d/custom.conf ====
You can build your own pool to use in any place on your server, even in a subfolder of an ibay or in place of the regular ibay php-pool (property PHPCustomPool).

There are two ways in doing that:

===== using db php =====
Using the default template : /etc/e-smith/templates/etc/php-fpm.d/custom.conf , you can set your own pool doing:
db php set MYPOOLNAME pool Version 81 status enabled
here are the accepted supplementary properties, as always missing or empty means using default.
{| class="wikitable"
!property
!default
!values
!information
|-
|status
|enabled
|enabled,disabled
|-
|Version
|
|
|php version to use eg 80 for php 8.0
|-
|MemoryLimit
|128M
|
|-
|MaxExecutionTime
|30
|
|-
|MaxInputTime
|60
|
|-
|AllowUrlFopen
|off
|
|-
|MaxChildren
|15
|
|-
|PostMaxSize
|10M
|
|-
|UploadMaxFilesize
|10M
|
|-
|FileUpload
|enabled
|
|-
|BaseDir
|
|
|-
|DisabledFunctions
|system,show_source,symlink,exec,dl,shell_exec,passthru,phpinfo,escapeshellarg,escapeshellcmd
|
|-
|User
|www
|
|-
|Group
|www
|
|-
|DisplayErrors
|disabled
|
|-
|LogErrors
|disabled
|
|-
|MaxChildren
|15
|
|-
|AutoPrependFile
|enabled
|
|will use the autoprepend file
|-
|MailForceSender
|php\@$DomainName
|
|
|}
You will then need two httpd.conf custom template fragment to use your pool. You will need to change '''MYPOOL''' to what you want
mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/
vim /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/98mypoolusage

<Directory /home/e-smith/files/ibays/test/html/mysubfolder>
SSLRequireSSL
Options None
Options +Indexes
Options +FollowSymLinks
DirectoryIndex index.php index.shtml index.htm index.html
<FilesMatch \.php$>
SetHandler "proxy:unix:/var/run/php-fpm/php80-MYPOOLNAME.sock|fcgi://localhost"
</FilesMatch>
AllowOverride All
order deny,allow
deny from all
allow from all
</Directory>
Then just do:
signal-event webapps-update

===== using a templates-custom =====
You can write your own fragment in /etc/e-smith/templates-custom/etc/php-fpm.d/custom.conf/ e.g. /etc/e-smith/templates-custom/etc/php-fpm.d/custom.conf/15mypool

You will also need to write a httpd fragment similarly to what shown just above.

Here is an example if you want a custom pool for your ibay, in /etc/e-smith/templates-custom/etc/php-fpm.d/ibays.conf/15MYIBAY<syntaxhighlight lang="perl">
{

use esmith::AccountsDB;
use esmith::php;
my $a = esmith::AccountsDB->open_ro || die "Couldn't open the accounts database";
my $ibay = $a->get("MYIBAY");
my $version = PhpFpmVersionToUse($ibay);
my $dynamic = $ibay->prop('CgiBin') || 'disabled';
my $custom = $ibay->prop('CustomPool') || undef;
next unless ($dynamic eq 'enabled' && $version eq $PHP_VERSION && $custom);
my $key = $ibay->key;
my $name = lc $key;
my $pool_name = 'php' . $version . '-' . $name;
$OUT .=<<"_EOF" if ($version eq $PHP_VERSION);

[$pool_name]
user = www
group = www
listen.owner = root
listen.group = www
listen.mode = 0660
listen = /var/run/php-fpm/$pool_name.sock
;
;
;put whatever you need there
;
;
_EOF
}

</syntaxhighlight>

You have then to force the ibay to use it by doing :<syntaxhighlight lang="bash">
db accounts MYIBAY setprop CustomPool enabled
</syntaxhighlight>This will prevent the generation of the default ibay pool in ibays.conf , and let you use /var/run/php-fpm/php$version-$name.sock socket from your template-custom... or from the db php using the same key as the name of the ibay.

===Installation of Composer===

This is made tricky as we do not have the PHP CLI configured.

But we can install it as follows with command line arguments. This is using php7. Check the latest hash file as this changes.

Download:
php74 -d allow_url_fopen=on -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"

Hash check:
php74 -r "if (hash_file('sha384', 'composer-setup.php') === 'e21205b207c3ff031906575712edab6f13eb0b361f2085f1f1237b7126d785e826a450292b6cfd1d64d92e6563bbde02') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"

Install:
php74 -d allow_url_fopen=on ./composer-setup.php

=== Bash script===

Add the code:

nano composer.install

Paste this:

if [ ! -d '/tmp/compose' ]; then
/usr/bin/mkdir -p /tmp/compose
cd /tmp/compose
else
cd /tmp/compose
fi

# Get the setup file
/usr/bin/php74 -d allow_url_fopen=on -r "copy('https://getcomposer.org/installer', '/tmp/compose/composer-setup.php');"

# Hash check
/usr/bin/php74 -r "if (hash_file('sha384', '/tmp/compose/composer-setup.php') === 'dac665fdc30fdd8ec78b38b9800061b4150413ff2e3b6f88543c636f7cd84f6db9189d43a81e5503cda447da73c7e5b6') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('/tmp/compose/composer-setup.php'); } echo PHP_EOL;"

# Install
/usr/bin/php74 -d allow_url_fopen=on /tmp/compose/composer-setup.php
mv /tmp/compose/composer.phar /usr/local/bin/composer

# Tidy
rm -rf /tmp/compose

Save and exit.

Run it:

chmod 0700 composer.install
./composer.install

Check ths file is there:

ll /usr/local/bin/composer

Use with

php74 composer <blah>

=== Bugs ===
Please raise bugs under the SME-Server 10.X section in [http://bugs.contribs.org/enter_bug.cgi Bugzilla] and select the smeserver-php component or use {{BugzillaFileBug|product=SME%20Server%2010.X|component=e-smith-*%20and%20smeserver-*&20packages|title=this link}}.

Below is an overview of the current issues for this package:
{{#bugzilla:columns=id,product,version,status,summary |sort=id|order=desc |component=smeserver-php|noresultsmessage="No open bugs found."}}
----

[[Category: Howto]]
[[Category: Webapps]]

SMEServer Nextcloud

2026-01-14T17:18:01Z

Rdswikiadmin:

Copied from; https://wiki.koozali.org/Nextcloud (This page was last modified on 13 November 2025, at 07:32.)

{{Languages}}


{{#vardefine:contribname| {{lc: {{#titleparts: {{BASEPAGENAME}} |1}} }} }}
{{#vardefine:smecontribname| smeserver-{{lc: {{#titleparts: {{BASEPAGENAME}} |1}} }} }}

{{#vardefine:lang| {{lc: {{#titleparts: {{PAGENAME}} | | -1}} }} |en }}
{{Infobox contribs
|name={{#var:contribname}}
|image=Nextcloud_Logo.svg
|description_image= {{#var:contribname}} logo
|maintainer= Unnilennium
|licence= AGPLv3
|url= https://nextcloud.com
|category= Cloud
|tags=cloud,files,dropbox,seafile,pydio,ajaxplorer,owncloud
}}
===Maintainer===

[[User:Unnilennium|Jean-Philippe Pialasse]]

=== Version ===

{{#smeversion: {{#var:smecontribname}} }}
{{#smeversion: nextcloud-src }}

=== Description ===
Nextcloud is a suite of client-server software for creating and using file hosting services. It is functionally similar to Dropbox, although Nextcloud is free and open-source, allowing anyone to install and operate it on a private server.

As per SME Server Keep It Simple, all your ibays and home folders will be accessible through the nextcloud interface using the "external files" app. You will also have your main user user Nextcloud folder saved under /home/e-smith/files/owncloud/data which is in the default backup path. So you can now enjoy both your own cloud repository with access to the very same files on your samba share!

How do I add my SME users ? They are already there ! Just tell them to connect to https://mydomain/nextcloud. You can also add external users or allow them to register with a nextcloud app.

What are the admin ? By default you have a nextcloudadmin user and the regular SME admin user. First one use the password you can see with "config getprop nextcloud AdminPassword", and second one, well, just use your regular admin password. Then you can manage apps, external files repos and admin group membership.

=== Installation ===

<tabs container="">
<tab name="For sme11">
yum install {{#var:smecontribname}} --enablerepo=smecontribs

</tab>
<tab name="For sme10">
yum install {{#var:smecontribname}} --enablerepo=smecontribs

you might need a second event or sometime ibays folder is not visible
signal-event nextcloud-update

</tab>
<tab name="For sme9">
You do not need to follow the Repo pages of [https://wiki.contribs.org/Fws fws] and [https://wiki.contribs.org/Remi-safe remi-safe] to install those two needed repos, instead use the packages to install them followed by a yum-modify event. Then run the main installation.
yum install smeserver-extrarepositories-remi-safe smeserver-extrarepositories-fws smeserver-extrarepositories-epel
signal-event yum-modify
yum install {{#var:smecontribname}} --enablerepo=smecontribs,epel,fws
signal-event webapps-update
service php-fpm start
service php71-php-fpm start
service php72-php-fpm start
service php73-php-fpm start
signal-event nextcloud-update

you can skip the service php-fpm* commands if it was already installed and running before the installation of nextcloud

then you can do the following and you can safely ignore the signal-event post-upgrade reboot if prompted, unless you also installed other packages that needs to do so.
config set UnsavedChanges no

or do
signal-event post-upgrade
signal-event reboot
then
signal-event nextcloud-update

if you want to add SME user admin as administrator of nextcloud do
OCC group:adduser admin admin
</tab>
</tabs>

you might want to set your default phone region (use your country 2 letter code - low case)
occ config:system:set default_phone_region --value="us"

you might want to have nextcloud accessible to the Internet
config setprop nextcloud access public
signal-event nextcloud-update
if you want to keep access only to <nowiki>https://YOURDOMAIN/nextcloud</nowiki>, you might want to use pretty URL (without index.php in it)
occ config:system:set htaccess.RewriteBase --type string --value "/nextcloud"
occ maintenance:update:htaccess

=== Use a dedicated domain to connect to Nextcloud ===
<tabs container="">
<tab name="For sme11">
first change the first line variable content with you nextcloud domain as defined with your DNS provider.
<syntaxhighlight lang="bash">
NEXTCLOUDDOMAIN="cloud.mydomain.com"
db domains set $NEXTCLOUDDOMAIN domain Description "Nextcloud" Content Primary Nameservers internet TemplatePath NextcloudVirtualHost letsencryptSSLcert enabled
signal-event domain-create $NEXTCLOUDDOMAIN
</syntaxhighlight>

# this one to let nextcloud DAV be redirect correctly and to have collabora and notify_push recognize the domain ### IN PROGRESS###
<syntaxhighlight lang="bash">
config setprop nextcloud VirtualHost $NEXTCLOUDDOMAIN
signal-event nextcloud-update
</syntaxhighlight>

# only if you use a Let's Encrypt certificate
<syntaxhighlight lang="bash">
expand-template /etc/dehydrated/domains.txt
dehydrated -c
</syntaxhighlight>

if you want to use only your dedicated domain and no subdir access, you can enable pretty URL this way
<syntaxhighlight lang="bash">
occ config:system:set htaccess.RewriteBase --type string --value "/"
occ maintenance:update:htaccess
config setprop nextcloud AliasOnPrimary disabled
signal-event nextcloud-update
</syntaxhighlight>
to restore without pretty url and dual access
<syntaxhighlight lang="bash">
occ config:system:delete htaccess.RewriteBase
occ maintenance:update:htaccess
config delprop nextcloud AliasOnPrimary
signal-event nextcloud-update
</syntaxhighlight>

</tab>
<tab name="For sme10">
first change the first line variable content with you nextcloud domain as defined with your DNS provider.
<syntaxhighlight lang="bash">
NEXTCLOUDDOMAIN="cloud.mydomain.com"
db domains set $NEXTCLOUDDOMAIN domain Description "Nextcloud" Content Primary Nameservers internet TemplatePath WebAppVirtualHost DocumentRoot /usr/share/nextcloud RequireSSL enabled letsencryptSSLcert enabled
signal-event domain-create $NEXTCLOUDDOMAIN

# this one to let nextcloud DAV be redirect correctly and to have collabora recognize the domain
config setprop nextcloud VirtualHost $NEXTCLOUDDOMAIN
signal-event nextcloud-update

# only if you use a Let's Encrypt certificate
expand-template /etc/dehydrated/domains.txt
dehydrated -c

</syntaxhighlight>
</tab>
</tabs>

=== Configuration ===
{| class="wikitable"
!property
!default
!values
!
|-
|AdminPassword
|GENERATED
|string
|password for your main admin user for nextcloud (*)
|-
|AdminUser
|nextcloudadmin
|string
|main admin user for your installation (*)
|-
|cliurl
|enabled
|enabled,disabled
|force overwrite.cli.url to https://domain/nextcloud or https://domain if virtualhost is set; disable it if you have specific needs and then use occ command to set your value
|-
|DbName
|nextcloud
|string
|for mysql db
|-
|DbPassword
|GENERATED
|string
|for mysql db
|-
|DbUser
|nextcloud
|string
|for mysql db
|-
|TrustedDomains
|empty
|strings coma separated
|add domain or ip that are in need to be added to default access to nextcloud
|-
|VirtualHost
|empty
|domain name
|domain dedicated to nextcloud, needs to also be defined as domain on the server
|-
|access
|private
|private, public
|
|-
|status
|enabled
|enabled,disabled
|
|-
|MaxUploadSize
|4096M
|number
|if a number will be converted to Megabytes, otherwise use the usual suffix : 2T for 2 terrabytes etc...
|-
|MemoryLimit
|528M
|number
|webinterface : if a number will be converted to Megabytes, otherwise use the usual suffix : 2T for 2 terrabytes etc...
|-
|memory_limit
|1024M
|number
|for cli like occ command or cron: if a number will be converted to Megabytes, otherwise use the usual suffix : 2T for 2 terrabytes etc...
|-
|Shares
|enabled
|enabled,disabled
|add the samba shares from the shared-folders contrib in the nextcloud ibays folder along with regular ibays
|-
|IncludeIbay
|empty
|strings coma separated
|add ibays names that need to be include. If not empty, only the name present here will be accessible via nextcloud. Take precedence over ExcludeIbay. You set it with a random string to exclude all ibays and shares from automatic inclusion.
|-
|ExcludeIbay
|Primary
|strings coma separated
|will exclude from nexcloud access any ibay via nextcloud. Default excludes Primary ibay. If you want to include Primary set it with a random string.
|-
|opcache.memory_consumption
|32
|number
|update this value if Nextcloud says that it should be
|-
|opcache.interned_strings_buffer
|128
|number
|update this value if Nextcloud says that it should be
|-
|PHPBaseDir
|
|colon separated string
|php base dir you want to add to the default example /home/e-smith/files/ibays/musique/files:/usr/share/GeoIP/GeoLite2-Country.mmdb:/proc/cpuinfo
|-
|UseSMB
|enabled
|enabled,disabled
|allow you to set ibay access via samba share or via Local driver in nextcloud. Enabled is for samba, this allow you to access as your user and have your quota accounted. It might be a little slower, and need you to have your password loaded in the session. Local driver if disabled, will let you access only what apache user (www) has right to access as member of a group.
|}
(*) the SME admin user is also an admin of your nextcloud installation. You have two admin account as per default installation on SME Server.

example of setting :
config setprop nextcloud ExcludeIbay ibay1,ibay2
signal-event nextcloud-update

=== LDAP/AD Integration Settings ===
Do not change the LDAP/AD integration settings for "1. Server: Localhost" or you will break the Nextcloud install. If you want to add a second LDAP/AD server, click the "+" symbol to add another configuration and then add the appropriate LDAP/AD settings.

=== Command line ===
if you happen to need tweaking your installation, here is how to access the command line for Nextcloud on SME, we made it easier for you, just log as root and use the OCC command (using capitals), This command will execute for you what you need as the www user, using the needed version of php. Here two examples: <syntaxhighlight lang="bash">
occ maintenance:mode --off
occ maintenance:repair

</syntaxhighlight>to seek for additional command consult Nextcloud documentation : https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/occ_command.html

=== Upgrade ===
yum update {{#var:smecontribname}} {{#var:contribname}} --enablerepo=smecontribs

=== CLI upgrade of Nextcloud software ===
<tabs container="">
<tab name="For sme11">
<syntaxhighlight lang="bash">
/usr/bin/nc_upgrade
/usr/bin/nc_dbupdate
</syntaxhighlight>

alternatively
<syntaxhighlight lang="bash">
occ maintenance:mode --on
sudo -u www /usr/bin/php83 --define memory_limit=1024M -d apc.enable_cli=1 /usr/share/nextcloud/updater/updater.phar
occ upgrade
occ maintenance:mode --off
</syntaxhighlight>

</tab>
<tab name="For sme10">
yum install {{#var:smecont
You should rather prefer the online updater, but in case:<syntaxhighlight lang="bash">
occ maintenance:mode --on
sudo -u www /usr/bin/php74 --define memory_limit=1024M -d apc.enable_cli=1 /usr/share/nextcloud/updater/updater.phar --no-interaction
occ upgrade
occ maintenance:mode --off
</syntaxhighlight>In case of a huge db, you can choose the online updater and then only issue the db update doing<syntaxhighlight lang="bash">
occ upgrade
occ maintenance:mode --off
</syntaxhighlight>

starting 25 to upgrace to 26, you should do
<syntaxhighlight lang="bash">
occ maintenance:mode --on
sudo -u www /usr/bin/php81 --define memory_limit=1024M -d apc.enable_cli=1 /usr/share/nextcloud/updater/updater.phar --no-interaction
occ upgrade
occ maintenance:mode --off
</syntaxhighlight>In case of a huge db, you can choose the online updater and then only issue the db update doing<syntaxhighlight lang="bash">
occ upgrade
occ maintenance:mode --off
</syntaxhighlight>
</tab>
</tabs>

=== Restore info loglevel ===
<syntaxhighlight lang="bash">
occ config:system:set loglevel --value=3
</syntaxhighlight>

=== Migration ===

==== from SME 10 to SME 11 ====

# before migrate to SME11
## upgrade to NC 29 or NC 30 (this might require you to migrate mariadb database from 5.5 to contrib mariadb 10.5, see below in this page)
## make sure you have a nextcloud database in mariadb 10.5 (mysqlshow105)
## make sure you have some backup /home/e-smith/db/mariadb105/nextcloud.dump
## delete nextcloud database from mariadb 5.5
## make sure you do not have any /home/e-smith/db/mysql/nextcloud.dump
## migrate using either migratehelper, console backup or workstation backup
# Install SME 11
## restore backup when you are asked for
## check you have:
### a mariadb nextcloud db ( mariadb-show)
### your data folder : ll /home/e-smith/files/nextcloud
### your current config and software : ll /usr/share/nextcloud/
### configuration key nextcloud : config show nextcloud
### install smeserver-nextcloud

enjoy!

=== Uninstall ===

{{Warning box| if you plan to reinstall and had the nextcloud rpm installed do not yum remove it or rpm -e it as it would put you in a situation where you will not be able to reinstall and restore your old data. nextcloud-src rpm if present do not create such situation and can be removed safely.}}

Uninstalling the rpms
yum remove {{#var:smecontribname}} {{#var:contribname}}-src
rpm -e --justdb nextcloud

those folders will then remain
* /usr/share/nextcloud : software and config
* /home/e-smith/files/nextcloud : user data

also you will have mariadb or mariadb105 with nextcloud db and user.

And finally, db configuration with entry for nextcloud.

If all of those remains as is, a simple reinstall of the contrib will bring back nextcloud running. If you uninstalled it because your install was non functional or want a complete removal, there are extra steps.

In case of deleting either the db or part of the software folder, whenever you will try to reinstall the contrib, process will fail as db and files are not in sync.

In case you need to reinstall from scratch, '''first, backup what you might want to restore latter''':
cd /home/e-smith/files/nextcloud/data
mysqldump nextcloud > nextcloud55.sql
mysqldump105 nextcloud > nextcloud105.sql
config print nextcloud /root/nextcloud.config
tar -czf /root/nextcloud.tar.gz /home/e-smith/files/nextcloud/data /usr/share/nextcloud
then erase all what is remaining:
mysql -e "DROP DATABASE `config getprop nextcloud DbName`;DROP USER IF EXISTS `config getprop nextcloud DbUser`;"
mysql105 -e "DROP DATABASE `config getprop nextcloud DbName`;DROP USER IF EXISTS `config getprop nextcloud DbUser`;"
rm -rf /usr/share/nextcloud
rm -rf /home/e-smith/files/nextcloud
#this one is optional, and should not cause issue if still there
config delete nextcloud

and you should be able to start a new install from scratch

=== Release schedule ===
see https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule

as per 2025/11:
{| class="wikitable"
!Version
!Name
!Release date
!End of life
|-
|33
|Hub 26 Winter
|TBD
|
|-
|32
|Hub 25 Autumn
|2025-09-27
|2026-09
|-
|'''31'''
|Hub 10
|2025-02-25
|2026-02
|-
|'''<s>30</s>'''
|<s>Hub 9</s>
|<s>2024-09-14</s>
|<s>2025-09</s>
|-
|'''<s>29</s>'''
|<s>Hub 8</s>
|<s>2024-04-24</s>
|<s>2025-04</s>
|-
|'''<s>28</s>'''
|<s>Hub 7</s>
|<s>2023-12-12</s>
|<s>2024-12</s>
|-
|'''<s>27</s>'''
|<s>Hub 6</s>
|<s>2023-06-13</s>
|<s>2024-06</s>
|-
|'''<s>26</s>'''
|<s>Hub 4</s>
|<s>2023-03-21</s>
|<s>2024-03</s>
|-
|'''<s>25</s>'''
|<s>Hub 3</s>
|<s>2022-10-19</s>
|<s>2023-10</s>
|-
|'''<s>24</s>'''
|<s>Hub 3</s>
|<s>2022-05-03</s>
|<s>2023-05</s>
|-
|'''<s>23</s>'''
|<s>Hub 2</s>
|<s>2021-11-30</s>
|<s>2022-12</s>
|-
|'''<s>22</s>'''
|<s>Hub</s>
|<s>2021-07-06</s>
|<s>2022-07</s>
|-
|'''<s>21</s>'''
|<s>Hub</s>
|<s>2021-02-22</s>
|<s>2022-02</s>
|-
|'''<s>20</s>'''
|<s>Hub</s>
|<s>2020-10-03</s>
|<s>2021-11</s>
|-
|'''<s>19</s>'''
|<s>Hub</s>
|<s>2020-06-03</s>
|<s>2021-06</s>
|-
|'''<s>18</s>'''
|<s>Hub</s>
|<s>2020-01-16</s>
|<s>2021-01</s>
|}

=== Migrate Database from core mariadb 5.5 to mariadb 10.5 on SME10===
If you are in the situation your are unable to update your nextcloud because of database requirements, you might need to install a newer and then migrate your db.

Here a simple procedure, after having the new db working as a sclo [[Mariadb105]] for SME10 as example.<syntaxhighlight lang="bash">
occ maintenance:mode --on
mysqldump `config getprop nextcloud DbName` > nextcloud.sql
echo "CREATE DATABASE IF NOT EXISTS `config getprop nextcloud DbName` CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;"| mysql105
mysql105 `config getprop nextcloud DbName`< nextcloud.sql
echo "CREATE USER IF NOT EXISTS `config getprop nextcloud DbUser`@localhost IDENTIFIED BY '`config getprop nextcloud DbPassword`';"| mysql105
echo "GRANT ALL PRIVILEGES ON `config getprop nextcloud DbName`.* TO `config getprop nextcloud DbUser`@localhost; FLUSH PRIVILEGES;" | mysql105
occ config:system:set dbhost --value localhost:/var/lib/mysql/mariadb105.sock --type string
occ maintenance:mode --off
</syntaxhighlight>

After checking that all is working you can then delete yourself the old db from the previous mysql server, or keep it as a backup for a while.
If it fails and just want to go back to previous state:
occ maintenance --on
occ config:system:set host --value localhost --type string
occ maintenance --off

=== File Scan ===
<syntaxhighlight lang="bash">
# scan all, could take hours if you have a lot of files
occ files:scan -v --all
# scan all that is inside a username path (including external storages mounted there)
occ files:scan -v myusername
#scan only a subfolder of a user (path needs a heading / and is relative to /home/e-smith/files/nextcloud/data)
occ files:scan -v --path="/myusername/files/myfolder/mysubfolder" myusername
#For external storage one has to use a user and the mount point in the user space, e.g. admin
occ files:scan -v --path="/admin/files/name_of_external_storage"
</syntaxhighlight>If you use groupgfolders app, then you might consider, to list the golders id<syntaxhighlight lang="bash">
occ groupfolders:list
</syntaxhighlight>then for folder group with id 1<syntaxhighlight lang="bash">
occ groupfolders:scan 1
</syntaxhighlight>

=== Known issues ===
==== Issue importing files in db "Entry path/to/file will not be accessible due to incompatible encoding" ====
<syntaxhighlight lang="bash">
yum install convmv --enablerepo=epel
#first test to see the changes
convmv -f utf-8 -t utf-8 --nfc -r /home/e-smith/files/nextcloud/data/username
#check, then with --notest
convmv -f utf-8 -t utf-8 --nfc -r --notest /home/e-smith/files/nextcloud/data/username
#then rescan
occ files:scan -p /username/files/
</syntaxhighlight>this might also occurs on ibays / home folders and their files not all visibles from nextcloud, simply adapt the path for convmv /home/e-smith/files/ibays/ibayname/files/ or /home/e-smith/files/users/userame/home/

==== Remove legacy nextcloud rpm without deleting /usr/share/nextcloud content ====
for installs done before smeserver-nextcloud 1.2.0-16, the rppm nextcloud was required and was conflicting with web update. Since 1.2.0-16 it is not required anymroe and we use a nextcloud-src rpm which updates itself in /usr/share/nextcloud-src and is only used if you install the first time or restart from scratch your install.
To remove the nextcloud rpm which is not needed and save your files:
rpm -e --justdb nextcloud

source https://unix.stackexchange.com/questions/208722/how-to-remove-an-rpm-package-while-keeping-certain-files
===Reset Database===

For reference, whilst looking at resetting file caches I found this.

It is probably extremely dangerous but wanted to make a note.

https://github.com/nextcloud/server/issues/8113#issuecomment-565876798

=== Bugs ===
Please raise bugs under the SME-Contribs section in [http://bugs.contribs.org/enter_bug.cgi bugzilla]
and select the {{#var:smecontribname}} component or use {{BugzillaFileBug|product=SME%20Contribs|component={{#var:smecontribname}}|title=this link}}

Below is an overview of the current issues for this contrib:{{#bugzilla:columns=id,product,version,status,summary|sort=id|order=desc|component={{#var:smecontribname}} |noresultsmessage=No open bugs found.}}

===Changelog===
Only released version in smecontrib are listed here.

{{#smechangelog: {{#var:smecontribname}} }}


[[Category: Contrib]]


===References===
# https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/occ_command.html
# https://help.nextcloud.com/t/migration-from-mysql-to-mariadb/6816/3
# https://help.nextcloud.com/t/changing-mariadb-socket-when-hosting-multiple-db-ubuntu/68294
# https://markus-blog.de/index.php/2019/10/21/how-to-migrate-nextcloud-17-database-backend-from-mysql-to-postgresql/
# https://www.ullright.org/ullWiki/show/nextcloud-cheatsheet

SMEServer Fail2ban

2026-01-14T17:17:22Z

Rdswikiadmin:

Copied from; https://wiki.koozali.org/Fail2ban (This page was last modified on 30 July 2022, at 20:25.)

{{Languages|Fail2ban}}

== Fail2ban for SME Server ==
{{Level|Easy|The instructions on this page can be followed by a beginner.}}

== Maintainer ==
[[User:VIP-ire|Daniel B.]] 
[http://www.firewall-services.com Firewall Services] 
mailto:daniel@firewall-services.com

Please discuss, provide feedback and share experiences on the forums [http://forums.contribs.org/index.php/topic,51127.0.html '''here''']

== Description ==
Fail2ban operates by monitoring log files (e.g. /var/log/pwdfail, /var/log/auth.log, etc.) for selected entries and running scripts based on them. Most commonly this is used to block selected IP addresses that may belong to hosts that are trying to breach the system's security. It can ban any host IP that makes too many login attempts or performs any other unwanted action within a time frame defined by the administrator.
Fail2ban is typically set up to unban a blocked host within a certain period, so as to not "lock out" any genuine connections that may have been temporarily misconfigured. However, an unban time of several minutes is usually enough to stop a network connection being flooded by malicious connections, as well as reducing the likelihood of a successful dictionary attack.

After installation the most important core services (and some additional ones) are monitored by default without the need for manual configuration (see: [[#Services|Services]]).

{{Tip box|fail2ban is not only a tool against brute force attack on ssh but it can be a tool useful against http protocol attacks or [http://forums.contribs.org/index.php/topic,50162.msg252195.html#msg252195 spam attacks] on your server. See the [[Fail2ban#Jail.conf |jail section]]}}

== Requirements ==
This contrib has been developed and tested on SME Server 8 and later.

{{Note box|The SME feature [http://wiki.contribs.org/AutoBlock AutoBlock SSH] should be disabled to ensure that fail2ban controls SSH traffic and not the SME build-in firewall.}}

==Koozali SME v9/v10==

{{#smeversion: smeserver-fail2ban}}

== Installation Koozali SME==
<tabs container><tab name="For SME 10">
yum --enablerepo=smecontribs install smeserver-fail2ban
</tab><tab name="For SME 9">

* install the rpms

yum --enablerepo=smecontribs install smeserver-fail2ban

* Apply the needed configuration:
Use care to execute these three commands precisely. Failure to do so may prevent remote login via ssh.

db configuration setprop masq status enabled
expand-template /etc/rc.d/init.d/masq
/etc/init.d/masq restart
signal-event fail2ban-conf
or, as an alternative, use the following commands. They will have the same effect after rebooting.
db configuration setprop masq status enabled
signal-event post-upgrade; signal-event reboot

{{warning box| Failing to run either of these command will completely lock network access next time iptables rules are reloaded}}
{{warning box| The masq service must be enabled for fail2Ban to work correctly. If you disable it, Fail2ban won't ban anything}}
</tab>
</tabs>
{{warning box| Starting SME10 and smeserver-fail2ban 0.1.18-29, manual change of configuration is included in core backup, if you use .local files in the folders action.d/ fail2ban.d/ filter.d/ jail.d/. Any change to rpm owned .conf file is not added in core backup. Use the .local files to override the conf file instead and it will be in the backup. See http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Configuration.}}

== Disable SME Feature AutoBlock SME 9 or greater ==
It's been noted that one of the features of fail2ban overlaps the built-in ssh AutoBlock feature of SME (https://wiki.contribs.org/AutoBlock).
It is possible to disable the AutoBlock feature using the following optional steps.

1. View what your current settings are for the built in SME AutoBlock feature by entering the following at the cli.
# config show sshd
2. If AutoBlock is disabled no action is required. If AutoBlock is enabled, set it to disabled with the following commands:
# config setprop sshd AutoBlock disabled
# signal-event remoteaccess-update

==DB command==
While there is a panel in the server-manager, you can also manage the contrib by the db configuration, it is quite simple

# config show fail2ban
fail2ban=service
Mail=enabled
status=enabled

Available options are below:

* '''IgnoreIP''': a comma separated list of IP or CIDR networks which will never be blocked by fail2ban. Example: 12.15.22.4,17.20.0.0/16. All your local networks and networks allowed to access the server-manager are already automatically whitelisted
* '''FilterLocalNetworks''' can be enabled or disabled (default is disabled). If set to enabled, local networks won't be whitelisted, and fail2ban can also ban hosts from the internal networks. Note that networks allowed to access the server-manager are not affected (they will never be blocked)
* '''BanTime''': Duration (in seconds) of a ban. Default to 1800 (about 30 minutes)
* '''FindTime''': The time window fail2ban will check, in seconds. Default is 900. So, this means fail2ban will only check for the number of failed login attempts in the last 15 minutes
* '''MaxRetry''': Number of failed attempts in the last '''FindTime''' seconds to trigger a ban. Default is 3
* '''Mail''': can be enabled or disabled (default is enabled). If enabled, each ban will notify the admin by email
* '''MailRecipient''': if '''Mail''' is enabled, the email address which should receive ban notifications. Default is root (the admin account will receive)

After changing one of these settings, you need to apply it:
signal-event fail2ban-conf

for example :

config setprop fail2ban IgnoreIP 12.15.22.4,17.20.0.0/16
signal-event fail2ban-conf

{{Note box|<code>signal-event fail2ban-conf</code> effectively restarts the service and clears existing bans, but a suitable 'findtime' results in a reban. Be aware that the restart delay can be unexpectedly lengthy due to the resource intensive process of scanning the logs to reban offending addresses.}}

== Services ==
The following services are monitored out of the box, and fail2ban will ban client IP for '''BanTime''' if more than '''MaxRetry''' authentication failure occure in less than '''FindTime'''

*ssh
*dovecot (only on SME9, or if you run [https://wikit.firewall-services.com/doku.php/smedev/dovecot smeserver-dovecot])
*qpsmtpd. If a remote server send you too many mails which qpsmtpd rejects, it's probably spammer, so Fail2ban will blacklist it. MaxRetry is x3 for this service, so with the default config, a remote server will be blacklisted if 9 mails are rejected in less than 15 minutes
*httpd-e-smith. The standard http server. 3 different filters check apache logs:
** noscripts: check client which ask for scripts which are not available on your server. It's usually script-kiddies trying to exploit security vulerabilities
** scan: another set of filter for popular scans (phpMyAdmin, wp-login, admin area etc...)
** auth: will check for standard authentication failure
*pam. This will check a generic authentication failure. Everything which uses pam should work
*[[Sogo|SOGo]]. Check SOGo logs for failed authentications
*[[LemonLDAP-NG]]. Check system logs for auth failure on LemonLDAP::NG portal
*ftp. Check auth failure on your FTP daemon
*[[Ejabberd]]. Check auth failure against EJabberd

Each filters will disable itself if the corresponding service is disabled. You can also disable specific filter if you want. For example, if you want to disable Apache filters:

db configuration setprop httpd-e-smith Fail2Ban disabled
signal-event fail2ban-conf

== Selective bans ==
Fail2Ban will do its best to do a selective ban. For example, if 3 auth failure against ssh are detected, only tcp port 22 (or any other port you choosed for SSH) will be blocked. Same for httpd-e-smith, SOGO, LemonLDAP::NG which will only blacklist tcp ports 80 and 443, qpsmtpd will block tcp ports 25 and 465, dovecot will block 143 and 993 etc...

There's only two ways to be completly locked (all port/protocol):
* pam. As this is a generic file, it's not possible to check which service was used when an auth failure occured, so the entire client IP will be blacklisted
* recidive. This is a special filter. It monitors fail2Ban logs, and blacklist client IP which gets locked several time. If a client is locked out 5 times in 24 hours, it'll be completly blacklisted for one full week

== Use Fail2ban ==
=== List all jails ===
[root@sme8 ~]# fail2ban-client status
Status
|- Number of jail: 10
`- Jail list: http-overflows, http-noscript, http-auth, sogo, pam-generic, ssh-ddos, http-scan, ssh, qpsmtpd, recidive

=== List IP banned from a specific jail ===
[root@sme8 ~]# fail2ban-client status ssh
choose the specific jail with the command above which lists the Jail-list.

=== Example script which list How many ip are banned from all jails ===

nano /root/checklist_ban
#!/bin/bash
#lancer le script en sudo
JAILS=$(fail2ban-client status | grep " Jail list:" | sed 's/`- Jail list://g' | sed 's/,//g')
for j in $JAILS
do
echo "$j $(fail2ban-client status $j | grep " Currently banned:" | sed 's/ |- Currently banned:\t//g')"
done

chmod 700 /root/checklist_ban

to launch the script, do the following command:
/root/checklist_ban

=== Unban an IP ===
In certain case you would to unban an IP immediately because you don't want waste time to wait the automatic IP unban process of fail2ban.
In first you you have to find the specific jail which has blocked you IP, you can refer to the mail that the admin user has received or you can list a specific jail.

fail2ban-client status qpsmtpd

Status for the jail: qpsmtpd
|- filter
| |- File list: /var/log/qpsmtpd/current /var/log/sqpsmtpd/current
| |- Currently failed: 5
| `- Total failed: 119
`- action
|- Currently banned: 1
| `- IP list: 93.17.128.20
`- Total banned: 1

If you want to know all you active jail, then do :

fail2ban-client status

Therefore you have to play with this command to unban your IP

fail2ban-client set qpsmtpd unbanip 93.17.128.20

the generic command is :

fail2ban-client set JAIL unbanip MYIP

===Jail.conf===
The jail.conf is templated (/etc/e-smith/templates/etc/fail2ban/jail.conf) and the default file contains the configuration as below. You can add your own template of jail.conf at
/etc/e-smith/templates-custom/etc/fail2ban/jail.conf
if first time you need to create the folder for your custom template
mkdir -p /etc/e-smith/templates-custom/etc/fail2ban/jail.conf

and do this to expland templates

expand-template /etc/rc.d/init.d/masq
/etc/init.d/masq restart
signal-event fail2ban-conf

====default jail.conf====
[DEFAULT]
ignoreip = 127.0.0.0/8 192.168.XXX.XXX 192.168.XXX.0/24
bantime = 1800
findtime = 900
maxretry = 3
usedns = yes
backend = auto

{{Note box|msg=Your network and your server are in the list of ignored IP by fail2ban (see IgnoreIP)}}

[ssh]
enabled = true
filter = sshd
logpath = /var/log/sshd/current
action = smeserver-iptables[port="22",protocol=tcp,bantime=1800]
smeserver-sendmail[name="SSH",dest=root]

[ssh-ddos]
enabled = true
filter = sshd-ddos
logpath = /var/log/sshd/current
action = smeserver-iptables[port="22",protocol=tcp,bantime=1800]
smeserver-sendmail[name="SSH",dest=root]

[qpsmtpd]
enabled = true
filter = qpsmtpd
logpath = /var/log/*qpsmtpd/current
maxretry = 9
action = smeserver-iptables[port="25,465",protocol=tcp,bantime=1800]
smeserver-sendmail[name="Qpsmtpd",dest=root]

[http-overflows]
enabled = true
filter = apache-overflows
logpath = /var/log/httpd/error_log
action = smeserver-iptables[port="80,443",protocol=tcp,bantime=1800]
smeserver-sendmail[name="Apache (overflows)",dest=root]

[http-noscript]
enabled = true
filter = apache-noscript
logpath = /var/log/httpd/error_log
action = smeserver-iptables[port="80,443",protocol=tcp,bantime=1800]
smeserver-sendmail[name="Apache (noscript)",dest=root]

[http-scan]
enabled = true
filter = apache-scan
logpath = /var/log/httpd/error_log
action = smeserver-iptables[port="80,443",protocol=tcp,bantime=1800]
smeserver-sendmail[name="Apache (scan)",dest=root]

[http-auth]
enabled = true
filter = apache-auth
logpath = /var/log/httpd/error_log
action = smeserver-iptables[port="80,443",protocol=tcp,bantime=1800]
smeserver-sendmail[name="Apache (auth)",dest=root]

[pam-generic]
enabled = true
filter = pam-generic
logpath = /var/log/secure
maxretry = 6
action = smeserver-iptables[bantime=1800]
smeserver-sendmail[name="PAM generic",dest=root]

[recidive]
enabled = true
filter = recidive
logpath = /var/log/fail2ban/daemon.log
bantime = 604800
findtime = 86400
maxretry = 5
backend = polling
action = smeserver-iptables[bantime=604800]
smeserver-sendmail[name="Recidive",dest=root]

====Custom local filters====

You can add your custom rules by adding a filtername.local file in /etc/fail2ban/filters.d/
wget https://bugs.koozali.org/attachment.cgi?id=6229 -O /etc/fail2ban/filters.d/apache-badbots.local

would be an example of local bad bots rules, be careful to test for your personal case. Some advanced rules could create a lot of false positive and lock out your users.

== Uninstall ==
yum remove smeserver-fail2ban fail2ban

==User contributions==
=== Testing new regex ===
You can test new regex - notes from here http://bugs.contribs.org/show_bug.cgi?id=8955

fail2ban-regex [LOG] [REGEX]

You can also test the actual conf files as follows

fail2ban-regex /var/log/qpsmtpd/current /etc/fail2ban/filter.d/qpsmtpd.conf

Note that some characters such as ` may need escaping on the command line like this \` but do not need escaping in the conf files

e.g From qpsmptd.conf file this works in the conf file

^\s*\d+\s*logging::logterse plugin $deny$: ` <HOST>\s*.*90\d.*msg denied before queued$

However, on the command line it needs writing like this

^\s*\d+\s*logging::logterse plugin $deny$: \` <HOST>\s*.*90\d.*msg denied before queued$

===Show IPs banned by service===
====Check the fail2ban log====
Here is another quick script that shows you the most recent IPs banned in the logs. Note that they may have been unbanned but there is no check for this.
mkdir /root/bin
nano -w /root/bin/IP_list.sh

and copy and paste the below code into the file:

#!/bin/sh
# Set CLI vars to something we can read
TYPE=$1
LOG=$2

# Set main grep string
SEARCH="Ban ((1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])"

# Add the search term
SEARCH="\[$TYPE]\ $SEARCH"

# Now search the log
grep -oE "\[$TYPE\] Ban ((1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])" $LOG

Save the file and make it executable:
chmod 755 /root/bin/IP_list.sh

Usage :
IP_list.sh [service] [log]

e.g.
IP_list.sh qpsmtpd /var/log/fail2ban/daemon.log
====Check the fail2ban banned IP for all active jails ====
by [[User:Unnilennium|Unnilennium]] ([[User talk:Unnilennium|talk]])
mkdir /root/bin
vim /root/bin/sfail2ban

paste this in it:
#!/bin/bash
for SERVI in $(fail2ban-client status|grep 'Jail list'|cut -d':' -f2|sed 's/, / /g'| sed -e 's/^[ \t]*//')
do
fail2ban-client status $SERVI |grep -E 'IP list|Status for the jail'|sed 'N;s/\n/:/'|cut -d: -f2,4
done
then do
chmod 755 /root/bin/sfail2ban

Usage :
sfail2ban
output:
# sfail2ban
ftp:
imap:
pam-generic:
qpsmtpd:
recidive: 141.98.80.15
ssh:
ssh-ddos:
wordpress:

====Print a summary of the fail2ban db====
mkdir -p /root/bin
vi /root/bin/bansummary.sh

Paste this
<nowiki>#!/bin/bash
echo -e \
"IP \t"\
"BanTime \t"\
"UnbanTime \t"\
"Jail"

for ban in $(db fail2ban show |awk -F\= ' $2=="ban" {print $1}');
do
IP=$(db fail2ban getprop $ban Host)
Bantime=$(date +"%F %T" -d @$(db fail2ban getprop $ban BanTimestamp))
UnBanTime=$(date +"%F %T" -d @$(db fail2ban getprop $ban UnbanTimestamp))
LastJail=$(zgrep -H "Ban $IP" $(find /var/log/fail2ban -type f -ctime -7) |tail -1 |awk '{print $6}')

printf "%-15s" "$IP"
echo -e "\t$Bantime\t$UnBanTime\t$LastJail"
done
</nowiki>

save, then make executable
chmod 755 /root/bin/bansummary.sh

Usage:
bansummary.sh
Output:
<nowiki>IP BanTime UnbanTime Jail
46.246.39.228 2017-09-09 18:45:00 2017-09-10 18:45:00 [http-scan]
124.239.180.102 2017-09-09 12:07:32 2017-09-10 12:07:32 [http-scan]
212.237.54.93 2017-09-09 19:27:32 2017-09-10 19:27:32 [http-scan]
</nowiki>

===WordPress===
Fail2Ban works with WordPress but needs some extra configuration. Please review the WordPress page, https://wiki.contribs.org/Wordpress#Fail2Ban

== Bugs ==
Please raise bugs under the SME-Contribs section in [http://bugs.contribs.org/enter_bug.cgi bugzilla]
and select the smeserver-fail2ban component or use {{BugzillaFileBug|product=SME%20Contribs|component=smeserver-fail2ban|title=this link}}.

Below is an overview of the current issues for this contrib:{{#bugzilla:columns=id,product,version,status,summary|sort=id|order=desc|component=smeserver-fail2ban|noresultsmessage=No open bugs found.}}

==Changelog==
Only released version in smecontrib are listed here.

{{#smechangelog: smeserver-fail2ban}}
----

[[Category: Contrib]]
[[Category: Security]]

SMEServer FTP

2026-01-14T17:16:34Z

Rdswikiadmin:

Copied from; https://wiki.koozali.org/Ftp (This page was last modified on 26 September 2025, at 18:18.)

In short SME uses port 21 for FTP. Default mode used is passive. To use it you will need a custom template and enabling ports (PassivePort https://bugs.koozali.org/show_bug.cgi?id=12454).

Starting SME10, ftp default is to use explicit TLS over ftp (FTPs explicite) '''Easy filezilla connexion to SME would use url with FTPES://.'''
{| class="wikitable"
|+disambiguation
!term / protocol
!port
!deamon
!explanation
|-
|ftp ftp://
|21
|proftpd
|unencrypted file transfer protocol, all is clear text, no encryption. disabled on SME>=10
|-
|ftps ftpes://
|21
|proftpd
|explicit TLS encrypted file transfer protocol, password exchange and files are encrypted
|-
|ftps ftps://
|900
|proftpd
|implicit TLS, not available on SME
|-
|sftp
|22
|sshd
|secured file transfer protocol over ssh. this needs a RSA or EC key on SME Server
|}
SME Server offers a ftp server, which is Proftpd. If enabled it allows you to access to the Primary ibay files folder with anonymous access, and to any content your user is allowed, if authenticated, inside /home/e-smith/files.

Prior to SME 10 ftp was using cleat text communication ('''FTP'''), allowing one to listen to your password and files exchanged on the network. Now TLS is enforced by default ('''FTPs'''), and it is suggested that you keep it enabled.

While you may be used to the traditional port 21 for file transfer protocol ('''FTP'''), this page is here to help you have steady access to your ftp server, by understanding it, and enabling the extra needed ports.

Your server is using

Do not confuse '''sFTP''', which is part of ssh protocol and uses port 22, with '''FTPs''' which is the regular ftp protocol over port 21 using a layer of SSL/TLS encryption.

== FTP connection modes : active versus passive ==
SME by default offers both active and passive mode when you are on LAN. However, as soon as you try to access from a remote location you will have some difficulties depending on the situation.

By default, for passive connection, Proftpd will use ports from 1024 and up, which means that you must forward ''all'' ports 1024-65535 from the NAT to the FTP server! And you have to allow many (possibly) dangerous ports in your fire-walling rules! Not a good situation.

==== The Modes ====

===== active =====
From the server-side firewall's standpoint, to support active mode FTP the following communication channels need to be opened (http://slacksite.com/other/ftp.html):

* FTP server's port 21 from anywhere (Client initiates connection)
* FTP server's port 21 to ports > 1024 (Server responds to client's control port)
* FTP server's port 20 to ports > 1024 (Server initiates data connection to client's data port)
* FTP server's port 20 from ports > 1024 (Client sends ACKs to server's data port)

===== passive =====
From the server-side firewall's standpoint, to support passive mode FTP the following communication channels need to be opened (http://slacksite.com/other/ftp.html):

* FTP server's port 21 from anywhere (Client initiates connection)
* FTP server's port 21 to ports > 1024 (Server responds to client's control port)
* FTP server's ports > 1024 from anywhere (Client initiates data connection to random port specified by server)
* FTP server's ports > 1024 to remote ports > 1024 (Server sends ACKs (and data) to client's data port)

note port 20 does not need to be open inward on SME, as it is only used to send from SME, however if you have a restrictive firewall between Internet and SME limiting outgoing connection you need to open port 20 to be able to do active ftp. http://www.proftpd.org/docs/howto/AWS.html

==== Examples ====

===== SME is server-gateway connected to Internet - Client is remote behind a NAT =====
Active mode will not work because the NAT will mostly hide the client port.

Passive mode will need to use the <code>PassivePorts</code> directive in your <code>proftpd.conf</code> to control what ports <code>proftpd</code> will use for its passive data transfers, and you will need to open those port in your SME firewall.

===== SME is server-gateway behind a firewall / NAT to Internet - Client is remote behind a NAT =====
Active mode will not work because the NAT will mostly hide the client port.

Passive mode will need to use the <code>PassivePorts</code> directive in your <code>proftpd.conf</code> to control what ports <code>proftpd</code> will use for its passive data transfers, and you will need to open those port in your SME firewall and in your firewall between you SME and Internet. You might also need a template custom to add MasqueradeAddress (http://www.proftpd.org/docs/modules/mod_core.html#MasqueradeAddress).

===== SME is server-gateway connected to Internet - Client is remote directly connected to the Internet =====
Active mode will work.

Passive mode will need to use the <code>PassivePorts</code> directive in your <code>proftpd.conf</code> to control what ports <code>proftpd</code> will use for its passive data transfers, and you will need to open those port in your SME firewall.

== SSL mode: Explicit SSL versus Implicit SSL ==
'''SME 10 and above uses explicit SSL mode for FTPs''' over port 21 only and does not need port 990. The client must explicitly request for SSL/TLS to be able to go on.

FTPS (FTP over TLS) is served up in two incompatible modes. If using explicit FTPS, the client connects to the normal FTP port and explicitly switches into secure (TLS) mode with "AUTH TLS", whereas implicit FTPS is an older style service that assumes TLS mode right from the start of the connection (and normally listens on TCP port 990, rather than 21).

In a FileZilla client this means prefixing the host with "FTPES://" to connect an "explicit" FTPS server, or "FTPS://" for the legacy "implicit" server (for which you will likely also need to set the port to 990).

== Filezilla config ==
[[File:Filezilla-ftpes.png|left|thumb]]
If you use a client such a filezilla, starting SME 10, you will need to select the options

* encryption: TLS/SSL explicit encription
* port: 21
* hostname : you ip or domain name
* user name: your user name
* password : your password user

== SME enabling from smanager ==
[[File:Smanager2-ftp.png|none|thumb|898x898px]]

== FTP configuration options in SME ==
{| class="wikitable"
|+configuration db
!key
!Property
!default
|-
| rowspan="10" |ftp
|access
|private
|-
|TcpPorts
|49200:49999
|-
|TCPPort
|21
|-
|ChrootDir
|
|-
|TLSEnable
|on
|-
|TLSRequired
|on
|-
|TLSVerifyClient
|off
|-
|LoginAccess
|private
|-
|DisableAnonymous
|yes
|-
|status
|disabled
|}
{| class="wikitable"
|+account db for ibay type
!Property
!default
|-
|PublicAccess
|none
|-
|DisableAnonymous
|no
|}

== TODO ==

*http://www.proftpd.org/docs/modules/mod_core.html#MasqueradeAddress Virtualhost vs Class see http://www.proftpd.org/docs/howto/NAT.html
* http://www.proftpd.org/docs/howto/FXP.html

===Bug report===
Proftpd is listed in the [https://bugs.koozali.org/enter_bug.cgi?product=SME%20Server%2010.X bugtracker server] section.

Please report all bugs, new feature requests and documentation issues there.

Current bugs:

https://bugs.koozali.org/buglist.cgi?bug_status=UNCONFIRMED&bug_status=CONFIRMED&bug_status=NEEDINFO&bug_status=IN_PROGRESS&bug_status=RESOLVED&f1=cf_package&list_id=102854&o1=equals&query_format=advanced&resolution=---&v1=e-smith-proftpd

== Sources ==

* https://wiki.filezilla-project.org/FTP_over_TLS#Explicit_vs_Implicit_FTPS
* http://www.proftpd.org/docs/howto/TLS.html
* https://hstechdocs.helpsystems.com/manuals/globalscape/archive/secureserver3/Explicit_versus_Implicit_SSL.htm
* https://winscp.net/eng/docs/ftp_modes
* http://www.proftpd.org/docs/howto/NAT.html
* http://slacksite.com/other/ftp.html

[[Category:Howto]]

SMEServer Email

2026-01-14T17:15:29Z

Rdswikiadmin:

Copied from; https://wiki.koozali.org/Email (This page was last modified on 10 June 2023, at 09:56.)

{{usefulnote}}
{{Languages}}
Information on the email subsystem used in SME Server covering sending/recieving, spam filtering, virus checking, webmail, domains and users.

==Troubleshooting==
I am having trouble getting sme to send and receive email.

Sending and receiving email are separate functions. You need to investigate each individually.

===Sending===
If SME server does not send mail, you need to examine the /var/log/qmail/current logs to see what happens when it tries. Most commonly problems can be solved by sending via your ISP's mail server, possibly using encryption and/or authentication. Read the manual.

===Receiving===
If SME server does not receive mail, then you need to ensure that SMTP connections reach your SME server (DNS settings, router configuration, ISP port blocks) and then you need to examine /var/log/qpsmtpd/current logs to determine what SME server does with the incoming connections. Most problems are DNS, router or ISP issues, and have nothing to do with SME server operation or configuration.

====qpsmtpd "Connection Timed Out" errors====
See [[Bugzilla:6888]] and [[Bugzilla:2360]]

A qpsmtpd timeout error may arise, this is not an issue that is caused by SME server directly, however it can become an issue depending on hardware and configuration settings that are contained in and around other enviroments.

It is discussed under various names

*Path MTU Discovery Blackhole http://www.phildev.net/mss/mss-talk.pdf
*Path MTU Discovery Failures http://www.wand.net.nz/~mluckie/pubs/debugging-pmtud.imc2005.pdf
*TCP Problems with Path MTU Discovery http://www.ietf.org/rfc/rfc2923.txt

As discussed in [[Bugzilla:6888]] a workaround was found that may help in mitigating the issue.

The [http://linux.die.net/man/8/tracepath tracepath] utility (included with SME 8.0 and SME 7.6) can be used to locate non-standard MTU values between your SME server and any remote host.

You can discover the smallest MTU between you and google.com (for example) by running this command, then locating the smallest value of "pmtu" in the results:
tracepath google.com

If tracepath returns any value below 1500 between your SME server and a mail server that you need to receive email from, you may need to reset the MTU on the SME server to match the smallest value returned.

For example, if tracepath returns 1492 (typical for internet connections using PPPoE), you would need to set the MTU on your SME server to the same value (1492) using the following:

config setprop InternalInterface MTU 1492
signal-event post-upgrade; signal-event reboot

===Webmail broken after upgrade===
After the usual post-upgrade and reboot, webmail is broken with messages like the following in the messages log:

Apr 20 17:29:53 mail [4614]: PHP Fatal error: Call to a member function on a non-object in /home/httpd/html/horde/imp/lib/Block/tree_folders.php on line 65
Apr 20 17:29:53 mail [4614]: PHP Warning: Unknown(): Unable to call () - function does not exist in Unknown on line 0

As workaround, logout of Horde, close the browser, reopen, log in to Horde, Webmail should now be fully functional. (Based on suggested fix in [[Bugzilla:5177]])

==Spam==
===Spamassassin===
====Spam filter with Server-Manager====
Using the Server-Manager Configuration/E-Mail panel, adjust the settings to these reasonable defaults.

*Virus scanning Enabled
*Spam filtering Enabled
*Spam sensitivity Custom
*Custom spam tagging level 4
*Custom spam rejection level 12
*Sort spam into junkmail folder Enabled
*Modify subject of spam messages Enabled

I would also recommend blocking all executable content. To do so, select (highlight) all of the attachment types other than zip files (the last two).

Click Save.
====How It Works====

When receiving an incoming message, the server first tests for RBL and DNSBL listings, if enabled. If the sender is blacklisted, the messages are blocked outright and Spamassassin never sees it.

With this configuration, the spammiest messages, those marked as 12 or above, will be rejected at the SMTP level. Those spam messages marked between 4 and 12, will be routed to the users' (IMAP) junkmail folder. This is done so the users can check for false-positives...valid messages that were classified as spam by SpamAssassin.

Users may check their junkmail folders for false-positives via webmail, or, if they are using an IMAP mail client, by simply checking the junkmail folder exposed by their mail client.

https://servername/webmail

====Enable/Disable Filtering Per-User====

This procedure doesn't really disable the spam filtering, it just stopps the spam from being routed to the 'junkmail' folder.

Per-user filtering is enabled by default. Disable filtering with the following command, as root:

db accounts setprop USERNAME SortSpam disabled
db accounts show USERNAME # only displays settings
signal-event user-modify USERNAME

====Use the Junkmail folder====
The Default spamassassin behaviour put spams in the inbox which is very convenient for users in case of false positive, but it is not practical for learning, and especially it does not facilitate the life of the user (setting is available via the manager). If you want to put directly spams in the junkmail folder issue the command above.

config setprop spamassassin SortSpam enabled
signal-event email-update

====Message Retention Time====
Set spamassassin for automatically delete junkmail.
You can change the "days" that spamassassin sets to automatically delete junkmail, to delete after two months

db configuration setprop spamassassin MessageRetentionTime 60
signal-event email-update

====Spam score Level and Spam score rejection====
The "Custom spam rejection level" will only work when "Spam sensitivity" is set to custom.
<ol><li>Open server-manager.
</li><li>Click e-mail in the navigation pane (left-hand side).
</li><li>Click Change e-mail filtering settings.
</li><li>Change "Spam sensitivity" to custom and adjust the settings to your liking.
</li></ol>

This happens because by default, no mail (except for viruses) gets rejected without the admin doing something first.

As a reference, the following setting will have the following behaviours :

{| class="wikitable"
|-
!Sensitivity!!Spam tagging level!!Spam rejection level
|-
|Custom||TagLevel value (Custom spam tagging level)||RejectLevel value (Custom spam rejection level)
|-
|veryhigh||2||No rejection
|-
|high||3||No rejection
|-
|medium||5||No rejection
|-
|low||7||No rejection
|-
|verylow||9||No rejection
|}

====X-Spam-Level Header in Email Messages====
SME does not create an X-Spam-Level header in processed email messages by default.

To enable this capability:
/usr/bin/yum install --enablerepo=smecontribs smeserver-qpsmtpd-spamassassinlevelstars
signal-event email-update

(Based on [[Bugzilla:3505]])
{{note box| as SME8 this functionality seems to be included --[[User:Unnilennium|Unnilennium]] ([[User talk:Unnilennium|talk]]) 09:05, 3 February 2014 (MST)}}

====spamassassin qpsmtpd's plugins email size limit====
This db configuration setting sets the maximum email size above which spamassassin will not apply the spam filtering rules as have been set.

The default setting is 500kb, to increase the maximum size, apply the following commands from a root terminal

db configuration setprop spamassassin MaxMessageSize 2000000
increases message size to 2mb, apply the change with
signal-event email-update

(Based on [[Bugzilla:7606]])

====Custom Rule Scores====
You can customize the score assigned by a specific Spamassassin rule (SARE_ADULT2 in this case) as follows:
mkdir -p /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf
cd /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf
echo "score SARE_ADULT2 20.000" >> 20localscores
signal-event email-update

You can now add additional tests and custom scores by editing the newly-created template fragment ''20localscores'' and adding new custom scores using:
nano -w /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/20localscores
signal-event email-update
Each custom score goes on its own line. If you enter a score surrounded by parentheses, the "custom" score will be added to the default score for the specified test (use ''score TEST_NAME (-1)'' to reduce the score for 'TEST_NAME' by 1)

You can remove these customizations using:
rm -f /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/20localscores
signal-event email-update

References:

*http://spamassassin.apache.org/full/3.1.x/dist/doc/Mail_SpamAssassin_Conf.html#scoring_options
*http://spamassassin.apache.org/tests_3_2_x.html
*http://www.rulesemporium.com/

====SPF mail rejection/flagging policy====
{{Warning box|Please note that these instructions do not apply to SME9.2 where the version of qpsmtpd (0.96) does all this out of the box. Indeed if
the custom template below is applied (or left in?) to an SME9.2 system, then you may find that emails are denied when they ought to be accepted!}}

SME server can protect based of SPF records using spamassassin and the 'sender_permitted_from' plugin. The following lines will enable the plugin.
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/
echo sender_permitted_from spf_deny 1 > 30spf
/sbin/e-smith/expand-template /var/service/qpsmtpd/config/peers/0

Then set your custom rule scores using the [[#Custom_Rule_Scores|Custom Rule Scores]] section of this page. You should base these scores on your settings in server-manager > Configuration > Email > Change e-mail filtering settings or via db config commands for those with that skillset
echo "score SPF_SOFTFAIL 6.000" >> 20localscores
echo "score SPF_FAIL 14.000" >> 20localscores
signal-event email-update

In our testing an email that doesn't match SPF records and the sender domain owner has defined a soft fail, if is attributed 6 points and sorted to junkmail folder. If the sender domain owner has defined a hard fail the email attibuted 14 points and is subsequently rejected.
 
References (but instructions changed to meet new qmail structure):

*http://forums.contribs.org/index.php?topic=21631.0

====Pyzor Timeout====

See [[Bugzilla: 5973]]
{{Warning box|SME server 7.# users be aware of an issue that can appear in the /var/log/spamd/current logs
" pyzor: [5281] error: TERMINATED, signal 15 (000f)".}}

This can be mitigated by the adding of a template fragment.

Template fragment to set a pyzor_timeout based on a value in the config db.
If no value is set, there is no output (so pyzor uses it's internal default).

mkdir -p /etc/e-smith/templates/etc/mail/spamassassin/local.cf/50pyzor_timeout
cd /etc/e-smith/templates/etc/mail/spamassassin/local.cf/50pyzor_timeout
nano 50pyzor_timeout

Contents of 50pyzor_timeout

{
my $pyzor_timeout = ($spamassassin{PyzorTimeout} || 0);
if ($pyzor_timeout ne '0')
{
return "pyzor_timeout " . ($pyzor_timeout);
}
}

Then a value can be set using:

config setprop spamassassin PyzorTimeout 15
signal-event email-update

====Whitelist and Blacklist====
If mail comes in and it is misclassified as spam by Spamasassin, you can add the sender to the Spamassassin whitelist so that future messages coming in from that sender are not filtered.
Conversely, you can add a spammer to the Spamassassin blacklist so you never see their spam again.
Add senders (or their entire domains) to the global whitelist (or blacklist) with commands similar to these (as root):

db spamassassin setprop wbl.global *@vonage.com White
db spamassassin setprop wbl.global *domain2.com White
db spamassassin setprop wbl.global user@domain3.com White
db spamassassin setprop wbl.global spammer@spamdomain.com Black

you can block an entire TLD but please be aware that you might be denying a legitimate email in the future.
db spamassassin setprop wbl.global *@*.xyz Black
db spamassassin setprop wbl.global *@*.link Black

expland template and save the configuration to the database
signal-event email-update

You can view the lists with this command:
db spamassassin show

These lists can be also controlled by the server-manager with the wbl contrib http://wiki.contribs.org/Email_Whitelist-Blacklist_Control

====Testing====

You can check the auto-learning statistics with this command. You will be able to note the accumulation of the spam tokens (or not). Note that the Bayesian filtering must receive 200 spam messages before it starts to function, so don't expect instantaneous results.

sa-learn --dump magic

You can check the spam filter log with this command:

tail -50 /var/log/spamd/current | tai64nlocal

Check spamassassin configuration like this:

spamassassin -D --lint

If you ever see an error such as:

warn: bayes: cannot open bayes databases /etc/mail/spamassassin/bayes_* R/W: tie failed: Permission denied

Try adjusting some permissions with these commands:

chown :spamd /var/spool/spamd/.spamassassin/*
chmod g+rw /var/spool/spamd/.spamassassin/*

===Real-time Blackhole List (RBL)===
Enabling RBL's 
RBL's are disabled by default to allow maximum accommodation (your ISP may be on a RBL & you may not know it). You can enable RBL's by:
config setprop qpsmtpd DNSBL enabled RHSBL enabled
signal-event email-update

You can see your RBL's by:
config show qpsmtpd

You can add to your RBL's by:
config setprop qpsmtpd RBLList <rbl-list-name>
signal-event email-update

Many will argue what's best, some say the SME defaults are too aggressive and affect some popular free webmail accounts, but most would agree that you can set stable, conservative and non aggressive settings by:
config setprop qpsmtpd RBLList zen.spamhaus.org
signal-event email-update

A conservative setting for the associated DNSBL SBLList is:
config setprop qpsmtpd SBLList dbl.spamhaus.org
signal-event email-update

Note: More information on this topic can be found here:
[http://wiki.contribs.org/Updating_to_SME_7.2#RHSBL_Servers]
[http://wiki.contribs.org/Updating_to_SME_7.2#DNSBL_Servers]

====Possible issues with RBL====
When an external dns provider is set in the console menu, it may interfere with some blacklists activated here (RHSBL and DNSBL). The black.uribl.com is know to bounce all emails in this case with a rejection message delivered to the sender. You can in this case

*Remove the black.uribl.com of your SBLList

config setprop qpsmtpd SBLList multi.surbl.org:rhsbl.sorbs.net:dbl.spamhaus.org
signal-event email-update

*Let the SME Server being the only dns resolver by removing the dns provider/forwarder in the console menu.

See http://uribl.com/about.shtml#abuse for more information about this issue with black.uribl.com

====Obsolete lists====
These lists can not be used with smeserver. A migrate fragment will remove them from your settings each time you reconfigure your server.

*RBLList

combined.njabl.org
list.dsbl.org
multihop.dsbl.org
dnsbl.ahbl.org

*SBLLIST

blackhole.securitysage.com
bulk.rhs.mailpolice.com
fraud.rhs.mailpolice.com
porn.rhs.mailpolice.com
adult.rhs.mailpolice.com
bogusmx.rfc-ignorant.org
ex.dnsbl.org

===Server Only===
Some of the spam filter rules cannot work unless the SMESERVER knows the external IP of the box. If you put a SMESERVER in server-only mode behind other firewalls, it will lose some of the anti-spam rules. For example, the rule that blocks attempts where spammers try "HELO a.b.c.d" where a.b.c.d is your external IP address.

Unfortunately, many admins believe that port-forwarding SMTP provides additional security. It doesn't, it limits the SMESERVER's ability to apply some rules.

===I want to enable GreyListing===
GreyListing support is under the covers and can easily be enabled for those who know what they are doing. However, many experienced users found that they spent more time looking after the greylisting configuration than they received in benefit.
see [[Greylisting]]

===Bayesian Filtering===
From [[wikipedia:Naive_Bayes_spam_filtering|Wikipedia]]:
<blockquote>Naive Bayes classifiers work by correlating the use of tokens (typically words, or sometimes other things), with spam and non-spam e-mails and then using Bayes' theorem to calculate a probability that an email is or is not spam.</blockquote>

SME server supports bayesian filtering, but does not have it enabled by default.

Enabling bayesian filtering, autolearning, and spam/ham training allows spamassassin to learn from received email and improve spam filter performance. [[Bugzilla: 6822]]

====Bayesian Autolearning====
The following command will enable the bayesian learning filter and set thresholds for the bayesian filter.
config setprop spamassassin UseBayes 1
config setprop spamassassin BayesAutoLearnThresholdSpam 6.00
config setprop spamassassin BayesAutoLearnThresholdNonspam 0.10
config setprop spamassassin UseBayesAutoLearn 1
expand-template /etc/mail/spamassassin/local.cf
sa-learn --sync --dbpath /var/spool/spamd/.spamassassin -u spamd
chown spamd.spamd /var/spool/spamd/.spamassassin/bayes_*
chown spamd.spamd /var/spool/spamd/.spamassassin/bayes.mutex
chmod 640 /var/spool/spamd/.spamassassin/bayes_*
config setprop spamassassin status enabled
config setprop spamassassin RejectLevel 12
config setprop spamassassin TagLevel 4
config setprop spamassassin Sensitivity custom
config setprop spamd SpamLearning enabled
signal-event email-update

These commands will:

*enable spamassassin
*configure spamassassin to reject any email with a score above 12
*tag spam scored between 4 and 12 in the email header
*enable bayesian filter
*'autolearn' as SPAM any email with a score above 6.00

Note: SpamAssassin requires at least 3 points from the header, and 3 points from the body
to auto-learn as spam.
Therefore, the minimum working value for this option is 6, to be changed in increments of 3,
12 considered to be a good working value..

*'autolearn' as HAM any email with a score below 0.10

Check the bayes stats with the command:
sa-learn --dump magic

The database is located in /var/spool/spamd/.spamassassin/bayes

====LearnAsSpam / LearnAsHam (spam/ham training)====

LearnAsSpam & LearnAsHam are scripts that can be installed on your server to allow users to manually "train" the bayes database. Training is done by users moving Spam from their Inbox to the "LearnAsSpam" folder, and by COPYING real email that was delivered to junkmail into the "LearnAsHam" folder. All messages in both LearnAsSpam and LearnAsHam are deleted once they have been processed and their tokens have been added to the bayes database.

To install:

* Enable bayes database as described in [[Email#Bayesian_Autolearning | Bayesian Autolearning]] (not the best approach, prefer manual learn by user), or
* Install smeserver-learn as per wiki page [[Learn]](and keep auto-learning off), then
* Instruct your users to move any SPAM they find from their Inbox to their LearnAsSpam folder, and to COPY any non-spam (ham) they find in their junkmail folder into their LearnAsHam folder.

This is a really efficient way to reduce impact of SPAM to your particular installation. Do not fear to run again files that are tagged as SPAM, as they will either get ignored if all their patterns are known, or the Bayes might catch one more pattern that could help you to get ride of the next incoming SPAM to even get accepted.

If you want, the code below counts how many e-mail are in LearnAsSpam and LearnAsHam directories (of all users). It's useful to know if your users are using those folders. However Learn will send you a report after each pass. If you are interested on the number of emails lefts in the junkmail directory without any attention, you could install [[mailstats | smeserver-mailstats]] and activate the option to account for them
<pre>
#!/bin/bash
# ContaLearn.sh

#for compatibility with older versions without rpm, testing
[ `/sbin/e-smith/db configuration getprop LearnAsSpam dir` ] &&
LearnAsSpam=`/sbin/e-smith/db configuration getprop LearnAsSpam dir` || LearnAsSpam='LearnAsSpam';
[ `/sbin/e-smith/db configuration getprop LearnAsHam dir` ] &&
LearnAsHam=`/sbin/e-smith/db configuration getprop LearnAsHam dir` || LearnAsHam='LearnAsSpam';
JunkMail='junkmail';

echo
date
declare -i tspam
declare -i tham
declare -i tleft
declare -i tnseen

printf "%-25s %-11s %-11s %-11s %-11s \n" "User" "LearnAsSpam" "LearnAsHam" "JunkMail" "NotSeen"
pushd /home/e-smith/files/users/ >>/dev/nul
for u in `ls ` #| grep -v admin`
do
[ "$u" = "admin" ] && mailpath="/home/e-smith/" || mailpath="/home/e-smith/files/users/$u" ;
spam=`ls -1 $mailpath/Maildir/.$LearnAsSpam/cur |wc -l`
ham=`ls -1 $mailpath/Maildir/.$LearnAsHam/cur |wc -l`
left=`ls -1 $mailpath/Maildir/.$JunkMail/cur |wc -l`
nseen=`ls -1 $mailpath/Maildir/.$JunkMail/new |wc -l`
if [[ $spam > 0 ]] || [[ $ham > 0 ]] || [[ $left > 0 ]] || [[ $nseen > 0 ]]; then
printf "%-25s %-11d %-11d %-11d %-11d \n" $u $spam $ham $left $nseen
fi
tspam=$tspam+$spam
tham=$tham+$ham
tleft=$tleft+$left
tnseen=$tnseen+$nseen
done
echo "----------------------------------------------------------------------"
printf "%-25s %-11d %-11d %-11d %-11d \n" "Total:" $tspam $tham $tleft $tnseen
echo
popd >>/dev/nul

</pre>

====Learn Contrib====
The [[Learn]] contrib is intended to install and configure the bayes training tools LearnAsSpam & LearnAsHam.

====Reset the Bayes Database====
Based on this forum post http://forums.contribs.org/index.php/topic,50712.msg258844.html#msg258844 it may be advantageous to remove the bayes database every few years & recreate it, in order to improve spam filtering performance.

Follow these instructions to turn bayes OFF, delete the database, create an empty database, and turn bayes back on:

config setprop spamassassin UseBayes 0
signal-event email-update
'rm' /var/spool/spamd/.spamassassin/bayes*

config setprop spamassassin UseBayes 1
expand-template /etc/mail/spamassassin/local.cf
sa-learn --sync --dbpath /var/spool/spamd/.spamassassin -u spamd
chown spamd.spamd /var/spool/spamd/.spamassassin/bayes_*
chown spamd.spamd /var/spool/spamd/.spamassassin/bayes.mutex
chmod 640 /var/spool/spamd/.spamassassin/bayes_*
signal-event email-update

Updates to smeserver-spamassasin now require two new config db settings to have bayesian autolearning enabled. See forum post https://forums.contribs.org/index.php/topic,54320.msg284208.html#msg284208

===The Sonora Communications "Spam Filter Configuration for SME 7" howto===

http://www.sonoracomm.com/support/19-inet-support/49-spam-filter-configuration-for-sme-7

===GeoIP: spam blocking based on geographical information===

The GeoIP plugin for Spamassasin lets us know where our mail server is receiving mail from. If we're receiving too much spam from a particular location, this will help track it down. We can then use that info to reject connections from that place taking the load off our server.

{{Note box | This can be a crude way of blocking spam and potentially also block legitimate users!}}

You can find information how to install and use it on the [[GeoIP]] page.

==Anti Virus==
SME Server uses Clam AntiVirus (http://www.clamav.net) as the default and built-in anti virus engine.

===Signatures===
By default SME Server will automatically get virus signature database updates from ClamAV.

Other people and organizations have developed additional signatures which can also be used with ClamAV to provide extra protection. Databases of these signatures can be downloaded and installed on SME Server, and used by ClamAV

In order to automate the download and installation of the additional databases, as well as control which databases you use, follow the instruction in the [[Virus:Additional_Signatures|Virus:Additional Signatures]] Howto

===Heuristic Scan===
HeuristicScanPrecedence is a new option in clamav 0.94.

When enabled, if a heuristic scan (such as phishingScam) detects a possible virus/phish it will stop scan immediately. Recommended, saves CPU scan-time.

To enable this feature:
config setprop clamav HeuristicScanPrecedence yes
expand-template /etc/clamd.conf
sv t clamd

Default is disabled.

===Attachment Filtering===
The functionality to block possible executable and virus files attached to emails has been incorporated into SME Server v7.x. See the [[SME_Server:Documentation:Administration_Manual:Chapter13#E-mail_Filtering|Email]] panel in server manager.

Additional file signature patterns can be added to the SME defaults. See the [[Virus:Email_Attachment_Blocking|Virus:Email Attachment Blocking]] Howto for further information

==Email Clients==
==="concurrency limit reached" when using IMAP===
Sometime shows as Thunderbird giving this error message,
''This Mail-server is not a imap4 mail-server''

To workaround thunderbirds limitations change, this thunderbird setting to false

*Preferences, Advanced, Config editor (aka about:config): filter on tls.
*set security.enable_tls to false

If the total concurrency limit is reached, it'll look like this in /var/log/dovecot/current:

@400000005a1c2c1f19c9381c master: Warning: service(imap): process_limit (2) reached, client connections are being dropped

@400000005a1c2c291a4712dc imap-login: Error: read(imap) failed: Remote closed connection (destination service { process_limit } reached?)

@400000005a1c2c291a471aac imap-login: Error: read(imap) failed: Remote closed connection (destination service { process_limit } reached?)

For the per IP concurrency limit, it'll be like this:

@400000005a1c2c6214542b94 imap-login: Info: Maximum number of connections from user+IP exceeded (mail_max_userip_connections=2): user=<someone>, method=PLAIN, rip=192.168.x.y, lip=192.168.z.t, TLS, session=<abcdefgh>

@400000005a1c2c6233f1bcb4 imap-login: Info: Maximum number of connections from user+IP exceeded (mail_max_userip_connections=2): user=<someone>, method=PLAIN, rip=192.168.x.y, lip=192.168.z.t, TLS, session=<ijklmnop>

The following commands will give your the current value:
db configuration getprop imap ConcurrencyLimit || echo 400
db configuration getprop imap ConcurrencyLimitPerIP || echo 12

You can also increase the ConcurrencyLimitPerIP and/or ConcurrencyLimit value for imap and/or imaps (secure)
config setprop imap ConcurrencyLimitPerIP 20
config setprop imaps ConcurrencyLimitPerIP 20
signal-event post-upgrade; signal-event reboot
{{Note box| for sme9, only the key imap has properties ConcurrencyLimitPerIP,checkConcurrencyLimit,ProcessMemoryLimit. If you set these properties to the key imaps, a migrate fragment will remove them automatically.}}
To see configuration:
config show imap

tail -f /var/log/dovecot/current | tai64nlocal #out of date

More detail can be found [http://forums.contribs.org/index.php?topic=33124.0 here] or [https://forums.contribs.org/index.php/topic,51872.0 here].

{{Tip box|You can see if you are running out of the number of available connections in your log file /var/log/imaps/current and look for messages like the log extract below where the ConcurrencyLimitPerIP was set to 20. A 21st connection was attempted and was denied.

tcpsvd: info: pid 30693 from 10.1.0.104
tcpsvd: info: concurrency 30693 10.1.0.104 21/20
tcpsvd: info: deny 30693 0:10.1.0.21 ::10.1.0.104:49332 ./peers/10.1.0
}}
{{Tip box|Mobile devices have a tendency to frequently disconnect and connect from the network. When this disconnect happens, the sessions on the server are not always immediately cleaned up (they get cleaned up after a time out of some minutes). When the email client reconnects, they create new network connections and you get into the situation that these new connections get denied because of the concurrency limit. On the mobile device this may be noted as a "Unable to connect to server" message.}}
{{Tip box|Some email clients use a separate connection per imap folder, so the concurrency limits may occur for users that have many imap folders.}}

===Mail server is not an IMAP4 mail server===
This is a bug in Thunderbird, the previous tips may help.

===The Bat===
The gives this error message, but they are wrong. 
"This server uses TLS v3.0 which is considered to be obsolete and insecure.
The server must use TLS v3.1 or above."

===Outlook/Outlook Express give error 10060/0x800CCC90===
Most likely OUTLOOK (EXPRESS) isn't configured correctly.

-open OUTLOOK
-click TOOLS > ACCOUNTS
-click CHANGE (on the right-hand side)
-find INCOMING MAIL SERVER & OUTGOING MAIL SERVER (on right-hand side)
-type: mail.yourdomain.tld (in both places)
-click MORE SETTINGS (on bottom-right)
-click OUTGOING SERVER tab (at the top)
-checkmark "MY OUTGOING SERVER REQUIRES AUTHENTICATION"
-bullet "USE SAME SETTINGS AS INCOMING MAIL SERVER"
-click ADVANCED tab (at the top)
-find OUTGOING SERVER
-checkmark "THIS SERVER REQUIRES A SECURE CONNECTION" (under outgoing server)
-change 25 to 465
-[possibly required, secure IMAP is 993]
-click OK > NEXT > FINISHED
-you're finished, your email should work now

===Outlook 2013 on Windows 10 gives "An unknown error occurred, error code 0x8004011c" when attempting an IMAP connection for a DOMAIN user===
This is a known issue with the above combination of Windows and Outlook version as of 2015-02-18 (see: [http://bugs.contribs.org/show_bug.cgi?id=9618 Bug 9618]).

The following registry key resolves the issue:
To work around this problem, set the value of the ProtectionPolicy registry entry to 1 to enable local backup of the MasterKey instead of requiring a RWDC in the following registry subkey:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb]
"ProtectionPolicy"=dword:00000001

The PortectionPolicy entry may need to be created

===Outlook 2013 on Windows 8.1 gives error 0x800CCC1A when sending over SMTP port 465===
This is a known issue with the above combination of Windows and Outlook version as of 2015-02-18 (see: [http://bugs.contribs.org/show_bug.cgi?id=8854 Bug 8854]).

The following client-side workaround has been suggested on the [http://www.dovecot.org/list/dovecot/2014-May/096029.html dovecot mailinglist]:

Disable TLS1.2 on the Windows 8.1 client, using a registry entry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS1.2\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

If the registry entry above does not exist on your system, you will have to create it manually.

Whether this is OpenSSL or Microsoft's "fault" is currently not answered.

===Outlook test message doesn't come through===
You clicked the TEST ACCOUNT SETTINGS in OUTLOOK didn't you? This is a bug in OUTLOOK. The test message sends a test email with 'no Date header'. As the name suggests, this means a message without any date. Since the server doesn't accept mail with 'no Date header' (because it's required) the message is rejected. To test, send an actual message from OUTLOOK.

If you want, you can try THUNDERBIRD. It's like OUTLOOK but made by a different company. It's completely free and works very well at home and at the office.

===I can't receive/send email from my application (ACT!, vTiger, MS Outlook, etc)===
Most likely, this is a bug the application you're using and not a problem with the SMESERVER. The application sends an email with 'no Date header'. As the name suggests, this means a message without any date. Since the server doesn't accept mail with 'no Date header' (because it's required) the message is rejected.

As a workaround you can disable the check for the 'Date header'.
To disable this check on the internal interface:
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
echo "# 17check_basicheaders disabled by custom template" > \
17check_basicheaders
signal-event email-update

To disable this check for the external interface:
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0
echo "# 17check_basicheaders disabled by custom template" > \
17check_basicheaders
signal-event email-update

===After I upgrade my SME Server, my email folders have disappeared when using IMAP===
After upgrade, if there are missing IMAP folders, the client may need to re-subscribe to folders. This may affect either webmail users or users who use an IMAP email client.

===Entourage: Using SME's Self-Signed Certificate for SSL Connections from Entourage on OS X 10.4===
The main problem here is that Entourage will only support trusted, PEM Base-64 Encoded certificates. To use IMAPS or SMTPS from Entourage with your SME server, you will need to:
1. Login to your Mac as a user with administrative privileges

2. Open Safari and browse to https://''smeserver''/server-manager.
When you receive the warning about your certificate:
- click on "Show Certificate"
- click and drag the gold-rimmed image of a certificate to your desktop.
You will now have ''myserver.mydomain.tld.cer'' on your desktop.

3. Locate and open the '''Microsoft Cert Manager'''
- "Import" the certificate you downloaded in step 2.

4. Highlight the imported certificate and "Export" it.
- Select the "PEM..." format
- add "''pem.''" to the beginning of the filename
- export it to your Desktop

5. Double-click on the new ''pem.myserver.mydomain.tld.cer''
- Apple's '''Keychain Access''' application will open.
- Select the '''X509Anchors''' Keychain and click "OK"

6. While still in Apple's '''Keychain Access''', select the "Certificates" category
- Drag ''pem.myserver.mydomain.tld.cer'' into the certificates window.

You should now be able to connect to your SME from your Entourage using IMAPS.

If you are accessing your SME server using a different name than the one encoded in the certificate you will still receive a security warning from Entourage, but "OK" will now grant access to your folders.

Notes:

*Procedure mostly taken from http://www.kerio.com/manual/kmsug/en/ch09s06.html
*I still get various other IMAP errors due, I suspect, to the "concurrency limit reached" issue.
*Click on "Show Keychains" in Apple's "Keychain Access" if you need to delete a certificate and try again.

===How do I get my e-mail to show the correct From Address===

The From address on an e-mail is not supplied by the server. It is supplied by the e-mail client.

*Configure your Account in your e-mail client with the correct FROM address.
*You can change the FROM address in webmail with the following:
**Login to webmail as the user, go to ''options-personal information'' and change the ''identity'' to have the correct FROM address. You can have multiple identities with a single user.

Some system generated email is created by the server, some contribs may send mail externally, in these cases you need a valid domain name for the server, buy one or use a free provider like dyndns.org

===Outlook 365 / Outlook 2019 IMAP Configuration===

Microsoft has disabled the ability to enter the IMAP/SMTP username in the account setup wizard in Outlook 365 / 2019 for Windows. The wizard used within Outlook requires that the IMAP/SMTP username be the full email address.

To work around this issue, setup the account using "Mail (Microsoft Outlook 2016)" in the Windows control panel:
[[File:Screen Shot 2019-12-04 at 6.44.18 AM.png|450px]]

==Server Settings==
===qmail ConcurrencyLocal===
The default value for /var/qmail/control/concurrencylocal is 20. This setting controls the maximum amount of simultaneous local deliveries.

There is a optional database property (does not show unless changed from the default setting) called ConcurrencyLocal for qmail in the config database. The ConcurrencyLocal property changes the value stored in /var/qmail/control/concurrencylocal.

It can be set, for example to decrease the local concurrency limit
config setprop qmail ConcurrencyLocal 6
signal-event email-update

===qmail ConcurrencyRemote===
The default value for /var/qmail/control/concurrencyremote is 20. This setting controls the maximum amount of simultaneous remote deliveries.

There is a optional database property (does not show unless changed from the default setting) called ConcurrencyRemote for qmail in the config database. The ConcurrencyRemote property changes the value stored in /var/qmail/control/concurrencyremote.

It can be set, for example to decrease the remote concurrency limit
config setprop qmail ConcurrencyRemote 10
signal-event email-update

Refer also this comment by CB

http://forums.contribs.org/index.php/topic,50091.msg251320.html#msg251320

===How long retry before return e-mail as undeliverable===
To configure how long SME server will try to delivery a message before return a permanent error

mkdir -p /etc/e-smith/templates-custom/var/qmail/control
echo 172800 > /etc/e-smith/templates-custom/var/qmail/control/queuelifetime
expand-template /var/qmail/control/queuelifetime
sv t qmail

The default value is 604800 seconds, or one week. 
The example above shows 172800 seconds, or two days (a weekend for infra upgrade!)

source: http://forums.contribs.org/index.php/topic,47471.0.html

===Double bounce messages===
To stop admin receiving double bounce messages

config setprop qmail DoubleBounceTo someoneuser
signal-event email-update

Or just delete them. You risk losing legitimate double bounces (which are
rare, but you want to look at them when they do occur)

config setprop qmail DoubleBounceTo devnull
signal-event email-update

see a longer explaination [[Email_delete_double-bounce_messages | here]]

===Keep a copy of all emails===
You may need to keep a copy of all emails sent to or from your email server.
This may be for legal, or other reasons.

The following instructions will create a new user account (default is maillog) and forward every email that goes through your SME server to it.

First, log onto the server-manager and create the user '''maillog'''

Go to the SME Command Line (logon as root) and issue the following commands:

config setprop qpsmtpd Bcc enabled
signal-event email-update

Optionally make the forwarding of the emails invisible to the end user. Without it, there will be an X-Copied-To: header in each email. Run this command before the signal-event

config setprop qpsmtpd BccMode bcc

If you want to view the emails, point your email client at the SME and log on as maillog.

You can modify the default user:

config setprop qpsmtpd BccUser someuser

====Keep a copy of outgoing emails only====
In addition to the commands in the [[#Keep_a_copy_of_all_emails | previous section]] we will also have to create a custom template as follows:

Log in as root or a user with root privileges
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/
cp /etc/e-smith/templates/var/service/qpsmtpd/config/peers/0/13bcc /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/
nano -w 13bcc

change the code to:
{
return "# bcc disabled" unless ($qpsmtpd{Bcc} eq "enabled");
return "bcc mode " . $qpsmtpd{BccMode} . " outgoing " . $qpsmtpd{BccUser};
}

Save by pressing Ctrl x at the same time and confirm with y

Then enable the changes with
signal-event email-update
More info:
perldoc /usr/share/qpsmtpd/plugins/bcc

===Set Helo hostname===
Default is set to the hostname.domain, but sometime you might want to have something else to answer with the same as your reverseDNS. You can do one of the followings to only adjust the helo name:

config setprop smtpd HeloHost mydomainname
signal-event email-update

or the following to adjust the way your server will present itself everywhere (httpd, qpsmtd...) This might trigger the generation of new ssl certificate, so use it only if you are sure this is what you want to do.

config set DomainName mydomainname
signal-event domain-modify
signal-event email-update

===Set max email size===

*IMPORTANT: [[bugzilla: 7876]] points out that if your system has ''/var/service/qpsmtpd/config/databytes'' it should be deleted. (Fixed as of smeserver-qpsmtpd-2.4.0-7.el6.sme.noarch - see [[bugzilla: 8329]]).

There are several components involved in sending email on a SME server. Each component has a size limit that may affect an email message that passes through the server.

Be aware that ''email size'' is not the same thing as ''attachment size''. Binary attachments to email are encoded using techniques that result in email sizes that can be as much as 30% larger than the original attachment. Most major email clients (Thunderbird, Apple Mail, Outlook) allow you to enable a "message size" column in the message list that will show you the size of your email messages ([http://forums.contribs.org/index.php/topic,48366.msg241720.html#msg241720 More]).

{| width="100%" cellspacing="0" cellpadding="5" border="1"
!Subsystem
!Function
!Default Limit
!Command to change size
!Notes
|-
|qmail
|Delivers email to local mailboxes and to remote servers
|15000000
|config setprop qmail MaxMessageSize xx000000
|Value is in BYTES. 15000000 equals approximately 15MB. No value means no limit.
|-
|clamav
|Used to scan emails and attachments
|15M
|config setprop clamav MaxFileSize 15M
|Value includes human-readable abbreviations. "15M" equals 15 MegaBytes.
|-
|clamd
|Involved in attachment virus scanning
|1400000000
|config setprop clamd MemLimit 1400000000
|May require increase per [https://forums.contribs.org/index.php?topic=54070.0;topicseen this forum topic]
|-
|qpsmtpd
|The clamav plugin to qpsmtpd is called with a specified size limit.
|25000000
|config setprop qpsmtpd MaxScannerSize xx000000
|Value is in BYTES. Question: does this value override the setting of 'MaxFileSize', or will the smaller value prevail?
|-
|php
|The php maximum file upload size will determine the largest file you can attach to an email message using horde (or any other php email client)
|10M
|config setprop php UploadMaxFilesize 10M
|
|-
|}
====clamav====
A note about clamav: 
ClamAV includes settings to prevent the scanning of archives that could cause problems if fully expanded; if an attachment cannot be scanned, it will be rejected.

In order for changes to take effect, run:
signal-event email-update

These attributes could result in the rejection of a compressed attachment on a SME server:

*ArchiveMaxCompressionRatio (default 300)
*MaxFiles (default 1500)
*MaxRecursion (default 8)

====spamassassin====
By default the qpsmtpd 'spamassassin' plugin does not pass any messages over 500,000 bytes to spamassassin for scanning.

To change this behavior:
db configuration setprop spamassassin MaxMessageSize 2000000
increases message size to 2,000,000 bytes. Apply the change with
signal-event email-update

===Change Horde Webmail Login Page 'Welcome To' Title===
The login page for Webmail defaults to "Welcome to Horde Webmail". In order to change this to something like "Welcome to MyDomain Mail"
config setprop horde Name "MyDomain Mail"
signal-event email-update

See also:

Other configurable Horde settings [[DB_Variables Configuration#Horde_(webmail)]]

Forum post [http://forums.contribs.org/index.php/topic,31093.0.html 31093]

===Add the admin user as an administrator for Horde===

config setprop horde Administration enabled
signal-event email-update

===Large attachments not displaying in webmail===
Due to limits set in the PHP configuration it might be that webmail will not display large attachments (see also [[bugzilla:3990]]). The following entries are related to the error and can be found in the log files:

'''/var/log/messages'''
Mar 13 00:00:12 box1 httpd: PHP Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 154 bytes) in /home/httpd/html/horde/imp/lib/MIME/Contents.php on line 173

'''/var/log/httpd/error_log'''
Allowed memory size of 33554432 bytes exhausted (tried to allocate 0 bytes)

The default MemoryLimit setting in PHP is set to 32M the value can be changed using the commands below replacing ''XX'' with the value you desire.
{{Note box|You can set the MemoryLimit any value you like but be sure to add the capital M as a suffix for Megabytes.}}
db configuration setprop php MemoryLimit XXM
expand-template /etc/php.ini
sv t httpd-e-smith

===Disable mail to a user from an external network===
However, this seems to only affect /var/qmail/control/badrcptto - denying external delivery to your users but allowing outbound emails:
http://forums.contribs.org/index.php?topic=40449.5

Can be either a user, pseudonym or group
db accounts setprop groupname/username/pseudonym Visible internal
signal-event email-update

If you want to remove
db accounts delprop groupname/username/pseudonym Visible
signal-event email-update

*If you need to restrict emails for all users you can perform this command line

db accounts show | awk -F "=" '/\=user/ {print $1}' |while read USER; do db accounts setprop $USER Visible internal; done
signal-event email-update

If you want to remove
db accounts show | awk -F "=" '/\=user/ {print $1}' |while read USER; do db accounts delprop $USER Visible; done
signal-event email-update
{{Note box|Please note that admin and other system accounts can not be hidden from external network this way.

Also note that Pseudonyms can be set to internal only using the server-manager.}}

===I can't receive mail at: user@mail.domain.tld===
Add mail.domain.tld as a virtualdomain.
-login to SERVER-MANAGER
-click DOMAINS (on the left)
-click ADD
-type: mail.domain.tld

===How do I find out who is logged into webmail and what IP number.===
This is logged is in /var/log/messages.

===Allow SMTP relay of mail without encryption/authentication===

Change the configuration of the system from the default, so that it no longer requires encryption/authentication before allowing relaying of mail.

* For most case, you really want to allow few specific clients on your LAN or trusted networks, this is done by setting a coma separated list of ip this way (replace IP1, IP2, IP3 by valid ips).
config set qpsmtpd UnauthenticatedRelayClients IP1,IP2,IP3
signal-event email-update

* In some case you would have a whole dedicated network with appliances needing to send email without auth, this is done this way
db networks setprop {$network} RelayRequiresAuth disabled
signal-event email-update

* In case you needs are not fulfilled because you need to accommodate a list of remote IP or a sub network of a larger trusted network, you can create a custom template. Here for reference the accepted formats:
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients
# a subnetwork by only using a prefix of full ip
echo "10.10.0.">> /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80custom
# an external ip
echo "99.10.1.23" >> /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80custom
# an external network you control
echo "164.163.12.1/30" >> /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80custom
signal-event email-update

* Disable smtp authentication on all local interfaces as shown in [[Bugzilla: 6522]]

config setprop qpsmtpd RelayRequiresAuth disabled
signal-event email-update

===SMTP Authentication TLS before Auth disable & enable===
Since SME v7.5 the default for SMTP Authentication is 'requires TLS before Auth' to increase security.
Where a SME7.4 or earlier server with SMTP & SSMTP authentication enabled has been upgraded, users are now unable to send mail.
Users will need to enable TLS or Auto for the Authentication encryption setting in their email clients. Some older email clients and devices do not support TLS.

A fix was released in SME7.5.1 to allow this setting to be disabled (ie revert to SME7.4 functionality). Upgrade to SME7.5.1 before using these commands.

To disable this (AUTH without TLS) & revert to SME7.4 defaults do
config setprop qpsmtpd TlsBeforeAuth 0
signal-event email-update

To change back to the sme7.5 & greater default (AUTH with TLS) do
config setprop qpsmtpd TlsBeforeAuth 1
signal-event email-update
See http://forums.contribs.org/index.php/topic,46218.0.html

http://bugs.contribs.org/show_bug.cgi?id=5997

===Internet provider's outgoing port 25 is blocked: How to set an alternative outgoing port for the SMTP server===
If your Internet provider is blocking outgoing smtp port 25 on your internet connection but your provider is offering an alternative outgoing port (or when using some relay service) you can simply set this alternative port by adding it to the 'Address of Internet provider's mail server' value in the 'E-mail delivery settings' screen of the server-manager like this:
<internet providers mail server name or ip-address>:<alternative port>
For example: mail.mydomain.com:587

This setting does not alter the incoming smtp mail server port on SME server, which will still use port 25. Refer to a workaround in http://wiki.contribs.org/PortRedirect

===How do I enable and configure a disclaimer in email messages===
A disclaimer message can be added to the footer of all outgoing email messages.

The message can be the same for all domains or it can be different for all domains.

This functionality is part of sme7.2 release so make sure you have upgraded before doing this.

To create a general disclaimer for all domains on your sme server
config setprop smtpd disclaimer enabled
nano -w /service/qpsmtpd/config/disclaimer
Enter the required disclaimer text

To save & exit
Ctrl o
Ctrl x
To make the changes take effect
signal-event email-update

To create domain specific disclaimers, create seperate domain based disclaimer text files

Delete the general (all domains) disclaimer file if you have already created it
rm /service/qpsmtpd/config/disclaimer
config setprop smtpd disclaimer enabled
nano -w /service/qpsmtpd/config/disclaimer_domain1.com.au
nano -w /service/qpsmtpd/config/disclaimer_domain2.com
nano -w /service/qpsmtpd/config/disclaimer_domain3.org

Enter the required text in each disclaimer file

To save & exit
Ctrl o
Ctrl x
After making any changes remember to do
signal-event email-update

Note if you only wish to have a disclaimer for some domains, then only create a disclaimer text file for those domains

Note also the criteria for when a disclaimer is attached

(see http://bugs.contribs.org/show_bug.cgi?id=2648)

eg a disclaimer is added to internal to external messages but not internal to internal messages.

To disable the disclaimer function for all domains on your sme server
config setprop smtpd disclaimer disabled
signal-event email-update

===Email WBL server manager panel===

There is a server-manager contrib to allow GUI control of email white and black lists, detailed in the wiki article: [[:Email_Whitelist-Blacklist_Control]].

The panel allows easy configuration of functionality that is built into qmail, qpsmtpd and spamassassin. For more information google for qmail & qpsmtpd, read the spamassassin section in this wiki article and see [[:Email#Default_Plugin_Configuration default qpsmtpd plugin confguration]]).

There are two main sections, Blacklist and Whitelist, where you can control settings.

Note that there are subtle differences in syntax between whitelist and blacklist entries

Blacklist - Black lists are used for rejecting e-mail traffic

DNSBL status - DNSBL is an abbreviation for "DNS blacklist".
It is a list of IP addresses known to be spammers.
RHSBL status - RHSBL is an abbreviation for "Right Hand Side Blacklist".
It is a list of domain names known to be spammers.
qpsmtpd badhelo - Check a HELO message delivered from a connecting host.
Reject any that appear in badhelo during the 'helo' stage.
qmail badmailfrom - Check envelope sender addresses.
Reject any that appear (@host or user@host) in badmailfrom during the 'mail'
stage.
spamassassin blacklist_from - Any envelope sender of a mail (*@host or user@host) matching an
entry in blacklist_from will be rejected by spamassassin.

Whitelists - White lists are used for accepting e-mail traffic

Whitelists status - White Lists: ACCEPT
qpsmtpd whitelisthosts - Any IP address listed in whitelisthosts will be exempted
from any further validation during the 'connect' stage.
qpsmtpd whitelisthelo - Any host that issues a HELO matching an entry in whitelisthelo
will be exempted from further validation during the 'helo' stage.
qpsmtpd whitelistsenders - Any envelope sender of a mail (host or user@host) matching an
entry in whitelistsenders will be exempted from further validation
during the 'mail' stage.
spamassassin whitelist_from - Any envelope sender of a mail (*@host or user@host) matching an
entry in whitelist_from will be exempted from spamassassin rejection.

===How to block email from one address to another address with check_badmailfromto plugin===

Enable the check_badmailfromto plugin. Adapted from [http://forums.contribs.org/index.php/topic,35667.0.html this Forum post]

This is based heavily on the similar check_badmailfrom, but this plugin references both the
FROM: and TO: lines, and if they both are present in the badmailfromto
config file (a tab delimited list of FROM/TO pairs), then the message is
blocked as if the recipient (TO) didn't exist. This is specifically designed
to not give the impression that the sender is blocked (good for cases of
harassment).

====Prior SME9.2 : qpsmtpd check_badmailfromto plugin====
To control mail from external locations to internal locations do
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins
echo "check_badmailfromto" > /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31check_badmailfromto
ln -s /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31check_badmailfromto /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/31check_badmailfromto
signal-event email-update

To control mail sent from internal locations to internal locations, in addition to the above also do
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
ln -s /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31check_badmailfromto /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/31check_badmailfromto
signal-event email-update

====Since SME9.2 : qpsmtpd badmailfromto plugin====
remove previous templates, if you are updating
rm /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31check_badmailfromto \
/etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/31check_badmailfromto \
/etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/31check_badmailfromto

To control mail from external locations to internal locations do
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins
echo "badmailfromto" > /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31badmailfromto
ln -s /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31badmailfromto /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/31badmailfromto
signal-event email-update

To control mail sent from internal locations to internal locations, in addition to the above also do
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
ln -s /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31badmailfromto /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/31badmailfromto
signal-event email-update

====For Qmail====

Create and configure the badmailfromto custom template fragment
mkdir -p /etc/e-smith/templates-custom/var/qmail/control/badmailfromto
nano -w /etc/e-smith/templates-custom/var/qmail/control/badmailfromto/template-begin

Type in the From and To pairs that you want to stop email delivery for, with a tab between them and a carriage return at the end of the line, with additional pairs on a new line ie
user@bad-domain.com tab user@yourdomain.com enter
user@bad-domain2 tab user2@yourdomain enter

Note also that wildcards or blank spaces are not supported

eg
john@aol.com mary@yourdomain
bill@yahoo.com paul@yourdomain.com

then save using
Ctrl o
Ctrl x

Expand the template to update the /var/qmail/control/badmailfromto config file
expand-template /var/qmail/control/badmailfromto

Restart mail services
signal-event email-update

===Redirect mail.domain.net to Webmail===
Setup external dns records

Add mail.domain.net in Domains panel in server-manager
db domains setprop mail.dom.ain TemplatePath ProxyPassVirtualHosts ProxyPassTarget http://sme.dom.ain/webmail
signal-event remoteaccess-update

where http://sme.dom.ain/webmail is servername.domainname/webmail

===E-mail Retrieval===
http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter13#E-mail_Retrieval

If your ISP does not provide a custom sort field and you experience the following errors occuring when Multidrop is enabled and the "Select Sort Method (for multi-drop)" is set to Default:

fetchmail: warning: multidrop for pop3.mypopserver.com requires envelope option!
fetchmail: warning: Do not ask for support if all mail goes to postmaster!

and/or

fetchmail: warning: multidrop for my.isp.domain requires envelope option!
fetchmail: warning: Do not ask for support if all mail goes to postmaster!

Set "Select Sort Method (for multi-drop) to 'Received' or 'for'
As described at [[bugzilla:5602]] [[bugzilla:6483]]

===Domain Authentication===
{{WIP box|trex1512}}
Major mail hosting companies (Google, Yahoo, Microsoft) have made domain-authentication mandatory so as to not mark incoming mail as spam.

To facilitate this support for DomainKeys and DKIM signing needs to be enabled in SME's mail subsystem. These techniques require the adding of records in the DNS zone for the user's domain. The DKIM/DK/SPF/SenderID configuration has to be added to your your DNS server / registrar.

===How do I remove an email address from the everyone group===
By default, all users are automatically added to the user group "everyone". If you would like to remove a user from this group, connect to the server using SSH or locally log in to the server and issue the commands below. Be sure to substitute the name of the user you want to remove for the word username.

db accounts setprop username EveryoneEmail no
signal-event user-modify username

===How do I remove an email address from any regular group===
By default, all users member of a group "group1" are automatically added as recipients of mail sent to group1@domain. If you would like to remove a user from this group, connect to the server using SSH or locally log in to the server and issue the commands below. Be sure to substitute the name of the user you want to remove for the word username.

db accounts setprop group1 EmailExcludeUsers tom,jack
signal-event group-modify group1

If you want to prevent all the user members from another group "group2" from receiving emails addressed to group1@domain while they are also member of group1, you could connect to the server using SSH or locally log in to the server and issue the commands below. Be sure to substitute the name of the user you want to remove for the word username.

db accounts setprop group1 EmailExcludeGroups group2
signal-event group-modify group1

All members of the group will still be member for all other purpose (samba access to ibays as an example)

This behaviour is only available as per e-smith-qmail-2.4.0-7.sme see bug #9540

===Change the number of logs retained for qpsmtpd and/or sqpsmtpd===
The normal retention is 5 logs for both qpsmptd and sqpsmtpd. This may or may not fit all installations. This information is pulled from bugzilla.

Check your config to see if any change has been made to the default log retention rules. Note there are different rules for qpsmtpd and sqpsmtpd. You have to make changes to both as you require.
config show qpsmtpd
If the KeepLogFiles property isn't listed, the default rules apply. Determine how many logs you would like to keep and apply that to the following example. In the command below, 15 is used to keep 15 qpsmtpd logs.
db configuration setprop qpsmtpd KeepLogFiles 15
Restart multilog with the following.
sv t /service/qpsmtpd/log
Check that your setting saved.
ps aux | grep qpsmtpd | grep multi
Look for the line that ends with /var/log/qpsmtpd and verify the number after n equals your KeepLogFiles property from above.

==DKIM Setup - qpsmtpd version<0.96==

A plugin has been written and is available in SME

To activate it manually follow the steps below, or download a shell script that will do the server based stuff for you & guide you on the DNS stuff [ftp://ftp.gfitc.com.au:2121/e-smith/setup_dkim.sh setup_dkim.sh]:-

Note: I'd recommend reviewing the script first to make sure you're happy to run it on your system

Create a folder:
mkdir /var/service/qpsmtpd/config/dkimkeys/
Then:
cd /var/service/qpsmtpd/config/dkimkeys/
openssl genrsa -out dkim.private 1024
openssl rsa -in dkim.private -pubout -out dkim.public
chown qpsmtpd:qpsmtpd -R /var/service/qpsmtpd/config/dkimkeys/
chmod 0700 dkim.private
For each domain you want to sign:
cp -a dkim.private <fully qualified domain name>.private (less the <> brackets)
Then create a template fragment:
mkdir --parent /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
echo "dkim_sign keys dkim">/etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/69dkim_sign
signal-event email-update

Finally propagate your public key "dkim.public" content (<key text>) to your DNS.

Check with your DNS server / registrar. Something similar to the following should work but it varies depending on provider - replace <fully qualified domain name> with your doman details e.g "mydomain.org" (less the <> brackets):

When extracting the key text from the dkim.public file it's on multiple lines. For the key to work for us in the DNS TXT record we need to exclude the header & footer lines & have just the key text as a single line string (the setup_dkim.sh script provides this info in the format required).

default._domainkey.<fully qualified domain name> IN TXT "k=rsa; p=<key text>; t=y"

With Zonedit the following works within your Zone :

Subdomain : default._domainkey

Type : TXT

Text : "v=DKIM1;k=rsa; p=<key text>; t=y"

If you want to customize the signing you can add parameters to the line in /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/69dkim_sign. Parameters and value are separated by a space only.

#keys : "dk" or "domainkeys" for domainkey signature only, "dkim" for DKIM signature only, default "both" (n.b. above template example is dkim ONLY)
#dk_method : for domainkey method , default "nofws"
#selector : the selector you want, default "default"
#algorithm : algorithm for DKIM signing, default "rsa-sha1"
#dkim_method : for DKIM, default "relaxed"

NB: key files can not be defined in parameters, they need to be in /var/service/qpsmtpd/config/dkimkeys/{SENDER_DOMAIN}.private

{{Tip box|msg=You can verify that your settings are correct by sending an email to [mailto:check-auth@verifier.port25.com check-auth@verifier.port25.com], a free service the purpose of which is to verify if your domain does not contradict mail policies. Please check the answer carefully. See [[bugzilla:4558#c6]] }}

See also : [[bugzilla:8251]] [[bugzilla:8252]]

==DKIM Setup - qpsmtpd version >= 0.96==

Version 0.96 and above supports DKIM natively without the need for extra plugins.

All you have to do is to enable the DKIM signing and promulgate the DNS TXT entries to support it.

Enable the signing:
db configuration setprop qpsmtpd DKIMSigning enabled
signal-event email-update

and then run:
qpsmtpd-print-dns <domain name>

to show the DNS entry(s) required.

Then you have to update your DNS.

{{Tip box|msg=You can verify that your settings are correct by sending an email to [mailto:check-auth@verifier.port25.com check-auth@verifier.port25.com], a free service the purpose of which is to verify if your domain does not contradict mail policies. Please check the answer carefully. See [[bugzilla:4558#c6]] }}

also see [[bugzilla:9694]] and https://wikit.firewall-services.com/doku.php/smedev/qpsmtpd_096#documentation

More details are available [https://wiki.contribs.org/Email#Inbound_DKIM_.2F_SPF_.2F_DMARC here]

Incoming DKIM checking is also enabled out of the box.

In case you got a problem using the DKIM field provided with your DNS provider /registrar, please first contact them to ensure the problem is not how you try to enter the information. In the likelihood, you got "invalid field" or "too long field" errors and your provider is not able to help you or update its interface, you can generate a shorter DKIM key (with 1024 instead of the default 2048) this way:

cd /home/e-smith/dkim_keys/default
mv private private.long
mv public public.long
openssl genrsa -out private 1024
openssl rsa -in private -pubout -out public
chown qpsmtpd:qpsmtpd private
chown root:qpsmtpd public
chmod 0400 private
signal-event email-update
qpsmtpd-print-dns

===Outbound DKIM signing / SPF / DMARC policy FOR MULTIPLE DOMAINS===
The default DKIM key is created in /home/e-smith/dkim_keys/default. To enable DKIM signing for all the domains that you manage:
db configuration setprop qpsmtpd DKIMSigning enabled
signal-event email-update
If you want to disable dkim signing for a domain, you can use:
db domains setprop domain.com DKIMSigning disabled
signal-event email-update
The default behavior is to use the same key pair for all your domains. But you can create other key pairs for specific domain if you want. For example, if you want to use a specific key pair for the domain.net domain:
cd /home/e-smith/dkim_keys
mkdir domain.net
cd domain.net
echo default > selector
openssl genrsa -out private 2048
openssl rsa -in private -out public -pubout
chown qpsmtpd:qpsmtpd private
chmod 400 private
signal-event email-update
Now, the emails using a domain.net sender address will be signed by this new key instead of the default one.

==Domain Keys==

There is a plugin to check incoming mail has been signed

Please read here for more details : http://bugs.contribs.org/show_bug.cgi?id=4569

{{Warning box|msg=There is a plugin for signing with DomainKeys but it is not installed by default. It has not been tested on Koozali SME Server:

http://wiki.qpsmtpd.org/doku.php?id=plugins:spam:domainkeys_sign}}

==Other information==

DomainKeys seem to be deprecated in favour of DKIM.

The DomainKeys plugin only CHECKS incoming email. Spamassassin checks for DKIM.

===Temporary_error_on_maildir_delivery===

In certains cases you have some mailboxes which can't delivery messages and the qmail log say:

deferral: Temporary_error_on_maildir_delivery._(#4.3.0)/

It is probably that your users want to go beyond the upper limit of their quota, [[SME_Server:Documentation:Administration_Manual:Chapter9#Quotas|so you have to increase it]]. This could solve their problems.

==External Access==
===Allow external IMAP mail access===
There was a deliberate decision to remove non-SSL protected username/password
services from the external interface.

{{Warning box|Keep in mind that your passwords, your data won't be protected and will be in clear text over Internet}}

to allow '''unsecure IMAP access'''

config setprop imap access public
signal-event email-update

But before you do this try to use secure IMAP (IMAPS or imap over ssl) with port 993 

===POP3 & webmail HTTP===
I want to set my SMESERVER to allow POP3 (or webmail HTTP) but it's not an option, I only see POP3S (or webmail HTTPS).

The SMESERVER is secure by design. POP3 (or webmail HTTP) is viewed as inadequate security and removed as an option from a standard installation to encourage unknowing administrators to select the 'best practice' option -a secure connection with POP3S, IMAPS, or HTTPS.
{{Warning box|Keep in mind that your passwords, your data won't be protected and will be in clear text over Internet}}
You can still set your SMESERVER to allow POP3 settings by:
config setprop pop3 access public
signal-event email-update

===Allow external pop3 access===

Email settings > POP3 server access in SME 7.1 server-manager allows only pop3s protocol for clients outside the LAN. Some email clients (eg The Bat! v3.98.4) won't allow pop3s connections to SME 7.1 because of ssl version conflict. Until this is sorted out, a workaround is to hack SME to allow regular pop3 on the external interface using the following commands.
{{Warning box|Keep in mind that your passwords, your data won't be protected and will be in clear text over Internet}}
config setprop pop3 access public
signal-event email-update
svc -t /service/pop3s

more information [[bugzilla:2620]]

==Imap==
===Folders with a dot in name===
Email folder names that have a period ('.') in the folder name, will be split into sub-folders.
e.g. folder name 'www.contribs.org' is created as
www
contribs
org
===Dovecot Idle_Notify===
Poor battery consumption issues has been reported with K9-mail on recent Android systems. It is apparent one way of helping this is to modify the imap_idle_notify setting. The default is in Dovecot, and therefore on SME is 2 minutes.

K9 has an idle refresh of 24 mins but it seems with Dovecot defaults at 2 mins it causes lots of wake ups and battery drain.

This is configurable via a config db property.

Default on install
# config show dovecot
dovecot=service
Quotas=enabled
status=enabled

Set dovecot Idle_Notify to 20 minutes

# config setprop dovecot Idle_Notify 20
# config show dovecot
dovecot=service
Idle_Notify=20
Quotas=enabled
status=enabled

Expand template to update *.conf (can also issue a full reconfigure/reboot)

# expand-template /etc/dovecot/dovecot.conf
# dovecot -a |grep imap_idle_notify_interval
imap_idle_notify_interval = 20 mins

==qpsmtpd==
SME uses the [http://smtpd.develooper.com qpsmtpd] smtp daemon.

===Official Description===
qpsmtpd is a flexible smtpd daemon written in Perl. Apart from the core SMTP features, all functionality is implemented in small "extension plugins" using the easy to use object oriented plugin API.

qpsmtpd was originally written as a drop-in qmail-smtpd replacement, but now it also includes smtp forward, postfix, exim and maildir "backends".

qpsmtpd wiki: http://wiki.qpsmtpd.org

===Log watching tool===
qplogtail is a script to to monitor /var/log/qpsmtpd/current, see [[bugzilla:3418]]

===Qpsmtpd for SME versions 9.1 and earlier===
{{Warning box|Please note that the version of qpsmtpd has been upgraded for SME version 9.2 and later to qpsptpd version 0.96. This change has resulted in a lot of changes to the way it works, the plugins (and their names!) and the corresponding database entries, so this section ONLY applies to SME Version 9.1 and earlier, except where the plugin has been retained, See the next section for the new details.}}
====Default Plugin Configuration====
SME uses the following [http://wiki.qpsmtpd.org/plugins qpsmtpd plugins] to evaluate each incoming email.

SME maintains 2 distinct configurations: one for the 'local' networks (as defined in server-manager::Security::Local networks) and another for 'remote' networks (everyone else).

The default configuration of each plugin is indicated in the 'Default Status' column.
{| width="100%" cellspacing="0" cellpadding="5" border="1"
!Plugin
!Purpose
!Default Status
|-
|hosts_allow
|Prohibit more than "InstancesPerIP" connections from any single host (change with 'config setprop smtpd InstancesPerIP'). Allow or deny connections according to the contents of /var/service/qpsmtpd/config/hosts_allow. See [http://svn.perl.org/qpsmtpd/trunk/plugins/hosts_allow hosts_allow SVN code] for more details.
|[http://bugs.contribs.org/show_bug.cgi?id=3352 enabled]
|-
|peers
|Allow different plugin configuration based on the sending computer's IP address. By default SME maintains different configurations for the local networks (in /var/service/qpsmtpd/config/peers/local) and for everyone else (in /var/service/qpsmtpd/config/peers/0)
|enabled
|-
|logging/logterse
|Allow greater logging detail using smaller log files. Optionally supports [[Email_Statistics#qplogsumm.pl|qplogsumm.pl]] to compile qpsmtpd statistics.
|enabled
|-
|auth/auth_cvm_unix_local
|Allow authenticated smtp relay
|enabled (remote) '''disabled (local)'''
|-
|[[qpsmtpd_check_earlytalker|check_earlytalker]]
|reject email from servers that talk out of turn
|enabled (remote) '''disabled (local)'''
|-
|count_unrecognized_commands
|reject email from servers that issue ''X'' invalid commands
|enabled (remote) '''disabled (local)'''
|-
|bcc
|bcc all email to a specific address for archiving
|'''disabled'''
|-
|check_relay
|Check to see if relaying is allowed (in case the recipient is not listed in one of SME's local domains)
|enabled
|-
|check_norelay
|Check to see if the sending server is specifically forbidden to relay through us.
|enabled
|-
|require_resolvable_fromhost
|Check that the domain listed in the sender's email address is resolvable
|enabled (remote) '''disabled (local)'''
|-
|check_basicheaders
|reject email that lacks either a From: or Date: header
|enabled
|-
|rhsbl
|Reject email if the sender's email domain has a reputation for disregarding smtp RFCs.
|'''disabled''' (always disabled for local connections)
|-
|dnsbl
|Reject email from hosts listed in your configured dnsbl servers
|'''disabled'''
|-
|check_badmailfrom
|Reject email where the sender address is listed in /var/service/qpsmtpd/config/badmailfrom
|enabled
|-
|check_badrcptto_patterns
|Reject email addressed to any address matching an expression listed in /var/service/qpsmtpd/config/badrcptto_patterns
|enabled
|-
|check_badrcptto
|Reject email addressed to any address listed in /var/service/qpsmtpd/config/badrcptto
|enabled
|-
|check_spamhelo
|Reject email from hosts that say 'helo ...' using a value in /var/service/qpsmtpd/config/badhelo
|enabled
|-
|check_smtp_forward
|If ''config show DelegateMailServer'' or ''db domains show <domainname> MailServer'' is set (telling SME to deliver email for all domains or just <domainname> to another server), check_smtp_forward will connect to the specified server and will reject the message outright if the internal mail server would also reject it.
|'''disabled''' unless an internal mail server is configured.
|-
|check_goodrcptto
|Accept email only if the recipient address matches an entry in /var/service/qpsmtpd/config/goodrcptto. For domains that are configured to use an internal mail server, the entire domain name will be added to .../goodrcptto.
|enabled
|-
|rcpt_ok
|Return 'OK' if none of the other host checks has returned 'DENY' (??)
|enabled
|-
|pattern_filter
|Reject email according to content patterns (??)
|'''disabled'''
|-
|tnef2mime
|Convert MS TNEF (winmail.dat) and uuencoded attachments to MIME
|enabled
|-
|disclaimer
|Add a configurable disclaimer to email messages
|'''disabled'''
|-
|spamassassin
|Check email using spamassassin, and optionally reject it completely if the score exceeds a configurable value.
|'''disabled''' (always disabled for local connections)
|-
|virus/clamav
|Scan incoming email with ClamAV
|enabled
|-
|queue/qmail-queue
|Deliver the incoming message to qmail for delivery.
|enabled
|-
|}

===Qpsmtpd for SME versions 9.2 and Later===
{{Warning box|Please note that the version of qpsmtpd has been upgraded for SME version 9.2 and later to qpsmtpd version 0.96. This change has resulted in a lot of changes to the way it works, the plugins (and their names!) and the corresponding database entries, so this section ONLY applies to SME Version 9.2 and later version, see the previous section for the details.}}

This section has been taken from the notes prepared by the dev who made the changes, the wiki is [https://wikit.firewall-services.com/doku.php/smedev/qpsmtpd_096#documentation here].

Here is a list of the plugins in use, and a note of any changes that might have occurred:

*logterse: no change
*tls: no change
*auth_cvm_unix_local: no change
*check_earlytalker: '''renamed earlytalker'''
*count_unrecognized_commands: no change
*bcc: no change
*check_relay: '''renamed relay'''
*check_norelay: '''merged into the relay plugin'''
*require_resolvable_fromhost: '''renamed resolvable_fromhost'''
*check_basicheaders: '''renamed headers'''
*rhsbl: no change
*dnsbl: no change
*check_badmailfrom: '''renamed badmailfrom'''
*check_badrcptto_patterns: '''doesn't exist anymore, merged with badrcptto'''
*check_badrcptto: '''renamed badrcptto'''
*check_spamhelo: '''renamed helo'''
*check_smtp_forward: no change
*check_goodrcptto: no change
*rcpt_ok: no change
*pattern_filter: no change
*tnef2mime: no change
*spamassassin: no change
*clamav: no change
*qmail-queue: no change

Here is a section for each of the new plugins which are installed by default. The ones that have not changed are documented [https://wiki.contribs.org/Email#Default_Plugin_Configuration above].

====Karma====

The karma plugin tracks sender history. For each inbound email, various plugins can raise, or lower the "naughtiness" of the connection (eg, if SPF check passes, if the message is spammy etc...). For each host sending us email, the total number of connections, and the number of good and bad connections is recorded in a database. If a host as more bad than good connections in its history, emails will be rejected for 1 day. 3 settings are available for this plugin:

*Karma (enabled|disabled): Default value is disabled. Change to enabled to use the plugin 
*KarmaNegative (integer): Default value is 2. It's the delta between good and bad connection to consider the host naughty enough to block it for 1 day. Eg, with a default value of two, a host can be considered naughty if it sent you 8 good emails and 10 bad ones 
*KarmaStrikes (integer): Default value is 3. This is the threshold for a single email to be considered good or bad. Eg, with the default value of 3, an email needs at least 3 bad karmas (reaches -3) for the connection to be considered bad. On the other side, 3 good karmas are needed for the connection to be considered good. Between the two, the connection is considered neutral and won't be used in the history count

Example:
db configuration setprop qpsmtpd Karma enabled KarmaNegative 3
signal-event email-update

====URIBL====

The URIBL plugin works a bit like RHSBL, except that it checks domain names found in the body of the email. For each URI identified, the corresponding domain name can be submitted to a BL list (through DNS queries). Two settings are available:

*URIBL (enabled|disabled): Default is disabled. Set this to enabled to use the plugin
*UBLList: (Comma separated list addresses): Default value is '''multi.surbl.org:8-16-64-128,black.uribl.com,rhsbl.sorbs.net'''. This can be the same as RBLList. You can also set bitmask to use for combined lists (in the default value, the bitmask is 8-16-64-128)

Example:
db configuration setprop qpsmtpd URIBL enabled UBLList multi.surbl.org,black.uribl.com
signal-event email-update

====Helo====

Previously, the helo plugin was just checking for some known bad helo hostnames used by spammers (aol.com and yahoo.com). Now, it can check much more than that. This plugin is always enabled and has a single setting:

*HeloPolicy: (lenient|rfc|strict). The default value is '''lenient'''.

See https://github.com/smtpd/qpsmtpd/blob/master/plugins/helo for a description of the various tests done at each level

Example:
db configuration setprop qpsmtpd HeloPolicy rfc
signal-event email-update

====Inbound DKIM / SPF / DMARC====

DMARC is a policy on top of DKIM and SPF. By default, SPF and DKIM are now checked on every inbound emails, but no reject is attempted. The dmarc plugin can decide to reject the email (depending on the sender policy). dkim and spf plugins are always enabled. dmarc has two settings:

*DMARCReject (enabled|disabled): Default value is disabled. If set to enabled, the dmarc plugin can decide to reject an email (if the policy of the sender is to reject on alignment failure) 
*DMARCReporting (enabled|disabled): Default value is enabled. If set to enabled, enable reporting (which is the '''r''' in dma'''r'''c). Reporting is a very important part of the DMARC standard. When enabled, you'll record information about email you receive from domains which have published a DMARC policy in a local SQLite database (/var/lib/qpsmtpd/dmarc/reports.sqlite). Then, once a day, you send the aggregate reports to the domain owner so they have feedback. You can set this to disabled if you want to disable this feature 
*SPFRejectPolicy (0|1|2|3|4): Default value is 0. Set the policy to apply in case of SPF failure when the sender hasn't published a DMARC policy. Note: this is only used when no DMARC policy is published by the sender. If there's a DMARC policy, even a "p=none" one (meaning no reject), then the email won't be rejected, even on failed SPF tests.

:*0: do not reject anything
:*1: reject when SPF says fail
:*2: reject when SPF says softfail
:*3: reject when SPF says neutral
:*4: reject when an error occurred (like a syntax error in SPF entry) or if no SPF entry is published

*Inbound DKIM checks are only used by DMARC. No reject solely based on DKIM is supported

Example:
db configuration setprop qpsmtpd DMARCReject disabled SPFRejectPolicy 2
signal-event email-update
====Outbound DKIM signing / SPF / DMARC policy====

Everything is now ready for you to sign your outbound emails, and publish your public key, as well as your SPF and DMARC policy. A default DKIM key is created in /home/e-smith/dkim_keys/default. To enable DKIM signing for all the domain you manage:
db configuration setprop qpsmtpd DKIMSigning enabled
signal-event email-update

If you want to disable dkim signing for a domain, you can use:
db domains setprop domain.com DKIMSigning disabled
signal-event email-update

The default behavior is to use the same key pair for all your domains. But you can create other key pairs for specific domain if you want. For example, if you want to use a specific key pair for the domain.net domain:
cd /home/e-smith/dkim_keys
mkdir domain.net
cd domain.net
echo default > selector
openssl genrsa -out private 2048
openssl rsa -in private -out public -pubout
chown qpsmtpd:qpsmtpd private
chmod 400 private
signal-event email-update

Now, the emails using a domain.net sender address will be signed by this new key instead of the default one.

====Publishing your DNS entries====

Signing your outbound emails is just part of the process. You now need to publish some DNS entries so everyone can check if the email they receive matches your policy. This part is not to be done on your SME Server, but on your public DNS provider. A script helps you by creating some sample DNS entries already formatted for a bind-like zone file. To use it:
qpsmtpd-print-dns <domain name>
If omitted, the primary domain name is assumed.

Example output:
Here are sample DNS entries you should add in your public DNS
The DKIM entry can be copied as is, but others will probably need to be adjusted
to your need. For example, you should either change the reporting email adress
for DMARC (or create the needed pseudonym)

default._domainkey IN TXT "v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs/Qq3Ntpx2QNdRxGKMeKc2r9ULvyYW633IbLivHznN9JvjJIbS54PGIEk3sSxvZSdpTRAvYlxn/nRi329VmcDK0vJYb2ut2rnZ3VO3r5srm+XEvTNPxij5eU4gqw+5ayySDjqzAMEMc5V7lUMpZ/YiqnscA075XiMF7iEq8Quv1y0LokmgwtxzOXEZap34WXlKyhYzH+D""fabF6SUllmA0ovODNvudzvEOanPlViQ7q7d+Mc3b7X/fzgJfh5P9f5U+iSmzgyGctSb6GX8sqsDMNVEsRZpSE3jd2Z33RDWyW21PGOKB/ZrLiliKfdJbd3Wo7AN7bWsZpQsei2Hsv1niQIDAQAB"
@ IN SPF "v=spf1 mx a -all"
@ IN TXT "v=spf1 mx a -all"
_dmarc IN TXT "v=DMARC1; p=none; adkim=s; aspf=r; rua=mailto:dmarc-feedback@domain.net; pct=100"
All you have to do now is publish those records, but do note that there is a point to consider when publishing the default._domainkey DNS record, as produced by the ''qpsmtpd-print-dns'' command: if the DNS record includes '';t=y'' then as per the DKIM specification ([http://dkim.org/specs/rfc4871-dkimbase.html#keys RFC4781 section 3.6.1]) this means that your ''"...domain is testing DKIM. Verifiers MUST NOT treat messages from signers in testing mode differently from unsigned email, even should the signature fail to verify. Verifiers MAY wish to track testing mode results to assist the signer."''

On the other hand, if no '';t=y'' is included, then it means you are intending to use DKIM in production mode. It might be a good idea to publish the DKIM DNS record first in testing mode ('';t=y'' included), check how things go and if everything is alright, remove the '';t=y'' part.

====Testing====
You can install spfquery:

yum --enablerepo=epel install libspf2 libspf2-progs

Usage (try -help for help):

spfquery -ip=11.22.33.44 -sender=user@aol.com -helo=spammer.tld

Check record via dig

dig -t TXT +short somedomain.co.uk

====Load====
The loadcheck plugin can temporarily deny inbound emails if your server is overloaded. This plugin is always enabled and has a single setting:

*MaxLoad (int number): Default is 7. If your load is above this value, emails from the outside will be deferred.

===Other QPSMTPD Plugins===
The following qpsmtpd plugins will work on a SME server, but are either not included or are not configured by default.
{| width="100%" cellspacing="0" cellpadding="5" border="1"
!Plugin
!Purpose
!Default Status
|-
|[[Qpsmtpd_connection_time|connection_time]]
|Track the total time for each qpsmtpd connection from 'Accepted connection' through 'click, disconnecting', and output the results to the qpsmtpd log file.
|not installed - not clear if this works for SME9.2 (anyone?)
|-
|[[GeoIP]]
|Track the geographic origin of incoming email and optionally reject email from specified countries
|not installed - does work for SME 9.2 and later.
|}

==Internal or External Mail Servers==
SME can be configured as a spam and antivirus filter for one or more "Internal or External" mail servers on a domain-by-domain basis. The mail server specified does not have to be on the same local network as your SME server, & can be hosted on an external site.

===Deliver ALL email to a single internal or external mail server===
You can set the default delivery location for all domains on your SME server to a single ''internal or external'' mail server by setting the mail server address in server-manager::Configuration::E-mail::Change e-mail delivery settings::Address of internal mail server.

Note: ''Address of internal mail server'' must be blank if you want any email delivered to the SME server itself.

===Deliver email for one domain to an internal or external mail server===
You can override the default email delivery destination for individual domains on your SME server (forwarding all email for the specified domain to another server) as follows:

First, create the necessary virtual domains using server-manager::Configuration::Domains::Add Domain.

Then, (assuming your domain is called ''test.com'' and the actual mail server is at ''a.b.c.d'' issue the following commands:
db domains setprop test.com MailServer a.b.c.d
signal-event email-update

A FQDN can also be used for the MailServer property, eg ''aspmx.l.google.com'' instead of the IP address ''a.b.c.d''

db domains setprop test.com MailServer aspmx.l.google.com
signal-event email-update

Remove the internal or external mail server (and return email delivery for ''test.com'' to the default for your SME server) using:
db domains delprop test.com MailServer
signal-event email-update

==Secondary/Backup Mail Server Considerations==

Many people misunderstand the issues of using a secondary or backup
mail server (backup MX) to hold your mail before it gets delivered
to your SME Server. If you consider putting a backup mail server in
place because you are concerned about lost mail because your internet
connection may occasionally drop out, think again and consider the issues
discussed below.

===What is ''Backup MX''===

A backup MX is a system whereby through your DNS records you tell other
servers on the internet that in order to deliver mail to your domain they
first need to try the primary MX record and if they fail to connect they
can try to connect to one or more of your listed backup or secondary mail
servers. See also http://en.wikipedia.org/wiki/MX_record

===The process of delivering email to your SME Server===

So lets look at how mail gets delivered without and with a
''backup mx'' when your Internet link, ISP or server is down.

===='''Without''' a backup MX====

*The sending mail server cannot connect to your server.
*The sending mail server MUST queue the mail and try again later.
*The mail stays on the sender's server.
*The sender's server resends the mail at a later date.

''The requirement to re-queue is a fundamental part of the SMTP protocol - ''
it is not optional. So, if your server is '''offline''' due to a link or ISP
outage, '''the mail just stays at the sender's server until you are once '''
again reachable'''.'''

===='''With''' a backup MX====

*The sending mail server cannot contact your server.
*The sending mail server sends the mail to your secondary MX.
*The secondary MX queues the mail until your link/server is up.
*The mail is queued on an '''untrusted''' third-party mail server (''think about confidential mail between your company and some business partner'').
*The sending mail server's administrator ''thinks'' it has been delivered, according to their logs.
*You have no, or little, visibility over the queued mail.
*When your link comes up, the secondary MX sends the mail on to your server.
*You have added more hops, more systems and more delay to the process.

If you think that a backup MX will protect against broken mail servers
which don't re-queue, you can't. Those servers will drop mail on the floor
at random times, for example when ''their'' Internet link is down.

Those servers are also highly likely to never try your backup MX.

Thankfully those servers are mostly gone from the Internet, but adding a
secondary MX doesn't really improve the chances that they won't drop mail
destined for your server on the floor.

===Backup MX and SPAM Filtering===

On top of the issue, indicated above, there is another issue to consider
and that is what happens with SPAM due to the use of a ''Backup MX''.

Your SME Server takes care of filtering a lot of SPAM by checking on the full
username & domain at the time it is received.

For example if your server hosts '''example.com''' and someone sends
mail to '''joeuser@example.com''', the server will '''only''' accept the mail
if joeuser is a local user/alias/group/pseudonym on the server.
Otherwise, the mail is rejected during the SMTP transaction.

A backup mail server however, generally does not have a full list of
users against which it can check if it should accept the mail for the given
domain. Hence it will accept mail for ''invalid'' users.

So:

*If you trust the secondary MX, you will accept a lot of SPAM when the link comes up.
*If you don't trust it, you will cause a lot of SPAM backscatter as the mail has been accepted at the secondary MX and then later bounced by you.
*Stopping backscatter is why SME Server rejects invalid addresses during the initial SMTP transaction.

The SPAM backscatter can only be stopped if the secondary MX has a full list
of users for your domain to allow filtering to occur.

But:

*You need to be able to configure this secondary MX with such user/domain lists
*You need to maintain these secondary configurations when users are added/deleted from your primary server configuration
*You need to test (regularly) if the secondary is successfully accepting/rejecting mail as required.

Quite a few sites have lost lots of mail through misconfigured backup MX servers. Unfortunately, the time when you find
out they are misconfigured is when you go to use them, and then you find that the backup MX has changed configuration and bounced all of your mail.

Then you realise that this mail could have queued at the sender's site if there hadn't been a broken secondary MX bouncing the mail for you.

*If you bounce mail at your server, you have logs to show what's wrong.
*If your secondary MX bounces your mail, you usually have no way to determine what happened other than via reports from the original senders that your mail bounced.

===Summary===

In summary, if your server/Internet connection is available most (let's say >90%) of
the time, you are generally better off without a secondary MX.

If your server/link is down more than this (e.g. dialup), you should not be delivering mail
directly to your server.

If you still want to consider setting up a seconday MX, ensure that:

*you have fully control of the configuration of each of the email gateways for your domain
*each gateway can make decisions on whether to accept/reject mail for the users at the domain

==Mail server on dynamic IP==
===Problems with running a mail server on SME server using a dynamic external IP from ISP===

This information comes from http://bugs.contribs.org/show_bug.cgi?id=2057#c10

This is the chronological sequence of events that leads to issues with mail servers on dynamic IPs:

1) Server gets dynamic IP

2) Reboot/power fail (without updating dynamic DNS to "offline")

3) Another server/someone else is allocated your old IP while your server is down

4) The other server/person is running a mail server

5) The other server either gets your mail (which is bad) or bounces your mail (also bad)

You have no control over this issue and you will lose mail when it happens. If you have a dynamic IP, the recommended approach is to get someone with a static IP to queue your inbound mail and send it to you on a non-standard port, preferably with an authentication mechanism which queues the mail if the auth fails, just in case someone else happens to have a mail server on the same port (while highly unlikely, this is possible).

Whether this issue is really a problem to end users, depends on how much you "value" your mail. For a home user having their own mail server, it is probably not a great problem if some messages should happen to go astray, but for all other classes of users, you should really avoid running a mail server on a dynamic IP, without implementing a suitable queueing workaround as suggested. Some ISPs change the IP very infrequently eg yearly, so in those cases it is also not a significant problem. Many/most ISP's will issue a new IP every time a connection is lost & re-established, so these situations are more problematic.

==How to re-apply procmail rules==

If you have a folder of email that needs to have the procmail rules applied, then the trick is to be logged in as the email user, and then position your self in the home directory, and then this works:
su <username> -s /bin/bash
cd ~
for m in <fullpath to maildirectory>/cur/*; do echo $m; procmail < $m && rm $m; done

<noinclude>
[[Category:Mail]]
[[Category:Howto]]
</noinclude>

Useful Commands

2026-01-13T11:40:38Z

Rdswikiadmin: /* .bashrc */

=== SME ===

Check added RPM's
/sbin/e-smith/audittools/newrpms
/sbin/e-smith/audittools/newrpms | grep smeserver

Check RPM's
rpm -qa smeserver* | sort -d
rpm -qa e-smith* | sort -d

Check templates
/sbin/e-smith/audittools/templates

RPM initial install date
rpm -qa --last | grep -v "initial install date"

Check Repositories http://wiki.contribs.org/SME_Server:Adding_Software
/sbin/e-smith/audittools/repositories

List Repositories
db yum_repositories show
cat /home/e-smith/db/yum_repositories

Restore Default Repositories
cd /home/e-smith/db/
rm -f yum_repositories.po
mv yum_repositories yum_repositories.po
/etc/e-smith/events/actions/initialize-default-databases
signal-event dnf-modify
dnf update

Yum; There are unfinished transactions remaining
yum install yum-utils
yum-complete-transaction --cleanup-only

Check RPM Package owning FILE
rpm -qf /usr/bin/nmap

RPM erase single package
rpm -e --nodeps xxx

Check Domain
host -t mx <domain>
host -t a <domain>
host -t soa <domain>
host -t txt <domain>
host -t ns <domain>
host -t txt _dmarc.<domain>
host -t txt default._domainkey.<domain>

Network packet capture and test
tcpdump
tcpdump -i eth1 port 42526 -v
tcpdump -i br0 port 42526 -v
nmap -p 42526 -sU -P0 <domain>
nmap -p 42526 -sT -P0 <domain>

Squid Log Date
perl -pe 's/[\d\.]+/localtime($&)/e' /var/log/squid/access.log

Check Apache modules loaded;
apachectl -t -D DUMP_MODULES

Custom Network
config setprop ExternalInterface EthtoolOpts "speed 10 duplex full autoneg off"

Server Default Backup List
perl -e 'use esmith::Backup;$b=new esmith::Backup;print join("\n",$b->restore_list)."\n"'

Server Reset Initial Restore
config delete PasswordSet
config setprop bootstrap-console Run Yes
signal-event reboot

Redirect website
create redirect ibay
db accounts setprop redirect AllowOverride all
db accounts setprop redirect FollowSymLinks enabled
signal-event ibay-modify redirect

cd /home/e-smith/files/ibays/redirect/html
vim .htaccess
Redirect 301 / http://www.domain.com/

Disable mail to a user from an external network
db accounts setprop groupname/username Visible internal
signal-event email-update

Disable the check for the Date header on the internal interface:
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
echo "# 17check_basicheaders disabled by custom template" > 17check_basicheaders
signal-event email-update

cat /etc/e-smith/templates/var/service/qpsmtpd/config/plugins/17check_basicheaders
{
$OUT = "check_basicheaders";

# Note: You can't specify a maximum offset of 0 days, but that's fair
my $days = $smtpd{MaximumDateOffset} || '';

$OUT .= " $days" if ($days);
}

Disable the check for the Date header on the external interface:
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0
echo "# 17check_basicheaders disabled by custom template" > 17check_basicheaders
signal-event email-update

cat /etc/e-smith/templates/var/service/qpsmtpd/config/peers/0/17check_basicheaders
{
$OUT = "check_basicheaders";

# Note: You can't specify a maximum offset of 0 days, but that's fair
my $days = $smtpd{MaximumDateOffset} || '';

$OUT .= " $days" if ($days);
}

List contents of queued email
# /var/qmail/bin/qmail-qread
14 Dec 2014 03:35:51 GMT #165184302 2886
# find /var/qmail/queue -name 165184302| xargs cat | less

Qmail retry period before return e-mail as undeliverable
default is 604800 seconds = 1 week, 172800 seconds = 2 days
mkdir -p /etc/e-smith/templates-custom/var/qmail/control
echo 172800 > /etc/e-smith/templates-custom/var/qmail/control/queuelifetime
expand-template /var/qmail/control/queuelifetime
sv t qmail

=== unzip ===
tar -xvf xxx.tar
tar -zxvf xxx.tar.gz
tar -xf xxx.tar.xz
unzip xxx.zip
bunzip2 xxx.bz2
bzip2 -d xxx.bz2
xz -dv xxx.xz

=== tar create ===
tar -zcvf archive-name.tar.gz (/directory-name/)file(s)
xz -6cv --threads=0 /path/filename > /path/filename.xz

=== scp ===
scp -rp -P 44 root@192.168.1.1:/.../filename .

=== rsync ===
rsync -aH /affa/smesvr /media/affa/affa/
rsync -aHvzhe ssh --progress root@10.10.15.1:/var/affa/archive /var/affa/
rsync -avzhe "ssh -p 22222" --progress root@123.45.67.89:/path/filename /path
rsync -avzhe "ssh -p 22222" --progress --partial root@123.45.67.89:/path/filename /path

=== .bashrc ===
PS1="\[\e[30m\]\h:\w#\[\e[m\] " BLACK
PS1="\[\e[31m\]\h:\w#\[\e[m\] " RED
PS1="\[\e[32m\]\h:\w#\[\e[m\] " GREEN
PS1="\[\e[34m\]\h:\w#\[\e[m\] " BLUE
PS1="\[\e[35m\]\h:\w#\[\e[m\] " PINK
PS1="\[\e[36m\]\h:\w#\[\e[m\] " CYAN

export HISTTIMEFORMAT="%d%m%y %T "

Processor info
cat /proc/cpuinfo

Software RAID status
cat /proc/mdstat

Linux check maximum MTU
ping -M do -s 1434 google.co.uk

Windows check maximum MTU
ping google.co.uk -f -l 1434

=== Symbolic link ===
ln -s /path-to-folder(file) foldername(filename)

=== Public key ===
on the HOST server:
affa --send-key targetsvr
ssh-keygen -t ed25519
ssh-keygen -t rsa

cat /root/.ssh/id_rsa.pub

on the TARGET server: add
mkdir -p /root/.ssh
cd /root/.ssh
vim authorized_keys

config setprop sshd PasswordAuthentication no
signal-event remoteaccess-update
config show sshd

=== MySQL ===
mysql
use icinga
REPAIR TABLE icinga_hoststatus;
REPAIR TABLE icinga_logentries;
\q

/etc/init.d/icinga stop
mysqlcheck --databases icinga

Restore mysql db
mysql -u root -p wcuk < wcuk.sql

=== APC ===
Update BATTDATE to the current date.
Kill the apcupsd daemon first, Run apctest to update the UPS eeprom.

Debian;
apt install apcupsd
vim /etc/apcupsd/apcupsd.conf
vim /etc/default/apcupsd
systemctl restart apcupsd.service

cd /etc/init.d/
./apcupsd start

http://www.apcupsd.com/manual/manual.html#red-hat-systems

Compile
SME;
yum install gcc gcc-c++
yum remove gcc gcc-c++

http://sourceforge.net/projects/apcupsd/files/latest/download?source=files

gunzip apcupsd-3.14.13.tar.gz
tar -xvf apcupsd-3.14.13.tar
cd apcupsd-3.14.13
./configure --help
./configure --enable-usb
make
make install

DEBIAN;
apt-get install g++
apt-get install make
./configure --enable-usb
make
make install
vim /etc/apcupsd/apcupsd.conf
cd /etc/init.d
./apcupsd status
./apcupsd start
./apcupsd status

aptitude remove make
aptitude remove g++

additional package removed gcc

IPv6
ipv4="192.168.0.1"; sla="5"; printf "2002:%02x%02x:%02x%02x:%04x::1" `echo $ipv4 | tr "." " "` $sla

=== Vigor ===
vigor sip_alg
sys sip_alg ?
sys sip_alg 0
sys commit

ipsec passthrough
srv nat ipsecpass on

VDSL
WAN / General Setup / VLAN Tag Insertion = Enable / Tag Value = 101

vTiger
vTiger delete demo data SQL command
update vtiger_crmentity set deleted = 1

vTiger >5.04 reset admin password to 'admin'

mysql
use <vtiger_database_name>;
update vtiger_users set user_password = 'adpexzg3FUZAk', crypt_type = '' where user_name = 'admin';

Useful Commands

2026-01-13T11:40:04Z

Rdswikiadmin: /* rsync */

=== SME ===

Check added RPM's
/sbin/e-smith/audittools/newrpms
/sbin/e-smith/audittools/newrpms | grep smeserver

Check RPM's
rpm -qa smeserver* | sort -d
rpm -qa e-smith* | sort -d

Check templates
/sbin/e-smith/audittools/templates

RPM initial install date
rpm -qa --last | grep -v "initial install date"

Check Repositories http://wiki.contribs.org/SME_Server:Adding_Software
/sbin/e-smith/audittools/repositories

List Repositories
db yum_repositories show
cat /home/e-smith/db/yum_repositories

Restore Default Repositories
cd /home/e-smith/db/
rm -f yum_repositories.po
mv yum_repositories yum_repositories.po
/etc/e-smith/events/actions/initialize-default-databases
signal-event dnf-modify
dnf update

Yum; There are unfinished transactions remaining
yum install yum-utils
yum-complete-transaction --cleanup-only

Check RPM Package owning FILE
rpm -qf /usr/bin/nmap

RPM erase single package
rpm -e --nodeps xxx

Check Domain
host -t mx <domain>
host -t a <domain>
host -t soa <domain>
host -t txt <domain>
host -t ns <domain>
host -t txt _dmarc.<domain>
host -t txt default._domainkey.<domain>

Network packet capture and test
tcpdump
tcpdump -i eth1 port 42526 -v
tcpdump -i br0 port 42526 -v
nmap -p 42526 -sU -P0 <domain>
nmap -p 42526 -sT -P0 <domain>

Squid Log Date
perl -pe 's/[\d\.]+/localtime($&)/e' /var/log/squid/access.log

Check Apache modules loaded;
apachectl -t -D DUMP_MODULES

Custom Network
config setprop ExternalInterface EthtoolOpts "speed 10 duplex full autoneg off"

Server Default Backup List
perl -e 'use esmith::Backup;$b=new esmith::Backup;print join("\n",$b->restore_list)."\n"'

Server Reset Initial Restore
config delete PasswordSet
config setprop bootstrap-console Run Yes
signal-event reboot

Redirect website
create redirect ibay
db accounts setprop redirect AllowOverride all
db accounts setprop redirect FollowSymLinks enabled
signal-event ibay-modify redirect

cd /home/e-smith/files/ibays/redirect/html
vim .htaccess
Redirect 301 / http://www.domain.com/

Disable mail to a user from an external network
db accounts setprop groupname/username Visible internal
signal-event email-update

Disable the check for the Date header on the internal interface:
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
echo "# 17check_basicheaders disabled by custom template" > 17check_basicheaders
signal-event email-update

cat /etc/e-smith/templates/var/service/qpsmtpd/config/plugins/17check_basicheaders
{
$OUT = "check_basicheaders";

# Note: You can't specify a maximum offset of 0 days, but that's fair
my $days = $smtpd{MaximumDateOffset} || '';

$OUT .= " $days" if ($days);
}

Disable the check for the Date header on the external interface:
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0
echo "# 17check_basicheaders disabled by custom template" > 17check_basicheaders
signal-event email-update

cat /etc/e-smith/templates/var/service/qpsmtpd/config/peers/0/17check_basicheaders
{
$OUT = "check_basicheaders";

# Note: You can't specify a maximum offset of 0 days, but that's fair
my $days = $smtpd{MaximumDateOffset} || '';

$OUT .= " $days" if ($days);
}

List contents of queued email
# /var/qmail/bin/qmail-qread
14 Dec 2014 03:35:51 GMT #165184302 2886
# find /var/qmail/queue -name 165184302| xargs cat | less

Qmail retry period before return e-mail as undeliverable
default is 604800 seconds = 1 week, 172800 seconds = 2 days
mkdir -p /etc/e-smith/templates-custom/var/qmail/control
echo 172800 > /etc/e-smith/templates-custom/var/qmail/control/queuelifetime
expand-template /var/qmail/control/queuelifetime
sv t qmail

=== unzip ===
tar -xvf xxx.tar
tar -zxvf xxx.tar.gz
tar -xf xxx.tar.xz
unzip xxx.zip
bunzip2 xxx.bz2
bzip2 -d xxx.bz2
xz -dv xxx.xz

=== tar create ===
tar -zcvf archive-name.tar.gz (/directory-name/)file(s)
xz -6cv --threads=0 /path/filename > /path/filename.xz

=== scp ===
scp -rp -P 44 root@192.168.1.1:/.../filename .

=== rsync ===
rsync -aH /affa/smesvr /media/affa/affa/
rsync -aHvzhe ssh --progress root@10.10.15.1:/var/affa/archive /var/affa/
rsync -avzhe "ssh -p 22222" --progress root@123.45.67.89:/path/filename /path
rsync -avzhe "ssh -p 22222" --progress --partial root@123.45.67.89:/path/filename /path

=== .bashrc ===
PS1="\[\e[30m\]\h:\w#\[\e[m\] " BLACK
PS1="\[\e[31m\]\h:\w#\[\e[m\] " RED
PS1="\[\e[32m\]\h:\w#\[\e[m\] " GREEN
PS1="\[\e[34m\]\h:\w#\[\e[m\] " BLUE
PS1="\[\e[36m\]\h:\w#\[\e[m\] " CYAN

export HISTTIMEFORMAT="%d%m%y %T "

Processor info
cat /proc/cpuinfo

Software RAID status
cat /proc/mdstat

Linux check maximum MTU
ping -M do -s 1434 google.co.uk

Windows check maximum MTU
ping google.co.uk -f -l 1434

=== Symbolic link ===
ln -s /path-to-folder(file) foldername(filename)

=== Public key ===
on the HOST server:
affa --send-key targetsvr
ssh-keygen -t ed25519
ssh-keygen -t rsa

cat /root/.ssh/id_rsa.pub

on the TARGET server: add
mkdir -p /root/.ssh
cd /root/.ssh
vim authorized_keys

config setprop sshd PasswordAuthentication no
signal-event remoteaccess-update
config show sshd

=== MySQL ===
mysql
use icinga
REPAIR TABLE icinga_hoststatus;
REPAIR TABLE icinga_logentries;
\q

/etc/init.d/icinga stop
mysqlcheck --databases icinga

Restore mysql db
mysql -u root -p wcuk < wcuk.sql

=== APC ===
Update BATTDATE to the current date.
Kill the apcupsd daemon first, Run apctest to update the UPS eeprom.

Debian;
apt install apcupsd
vim /etc/apcupsd/apcupsd.conf
vim /etc/default/apcupsd
systemctl restart apcupsd.service

cd /etc/init.d/
./apcupsd start

http://www.apcupsd.com/manual/manual.html#red-hat-systems

Compile
SME;
yum install gcc gcc-c++
yum remove gcc gcc-c++

http://sourceforge.net/projects/apcupsd/files/latest/download?source=files

gunzip apcupsd-3.14.13.tar.gz
tar -xvf apcupsd-3.14.13.tar
cd apcupsd-3.14.13
./configure --help
./configure --enable-usb
make
make install

DEBIAN;
apt-get install g++
apt-get install make
./configure --enable-usb
make
make install
vim /etc/apcupsd/apcupsd.conf
cd /etc/init.d
./apcupsd status
./apcupsd start
./apcupsd status

aptitude remove make
aptitude remove g++

additional package removed gcc

IPv6
ipv4="192.168.0.1"; sla="5"; printf "2002:%02x%02x:%02x%02x:%04x::1" `echo $ipv4 | tr "." " "` $sla

=== Vigor ===
vigor sip_alg
sys sip_alg ?
sys sip_alg 0
sys commit

ipsec passthrough
srv nat ipsecpass on

VDSL
WAN / General Setup / VLAN Tag Insertion = Enable / Tag Value = 101

vTiger
vTiger delete demo data SQL command
update vtiger_crmentity set deleted = 1

vTiger >5.04 reset admin password to 'admin'

mysql
use <vtiger_database_name>;
update vtiger_users set user_password = 'adpexzg3FUZAk', crypt_type = '' where user_name = 'admin';

Useful Commands

2026-01-13T11:34:24Z

Rdswikiadmin: /* tar create */

=== SME ===

Check added RPM's
/sbin/e-smith/audittools/newrpms
/sbin/e-smith/audittools/newrpms | grep smeserver

Check RPM's
rpm -qa smeserver* | sort -d
rpm -qa e-smith* | sort -d

Check templates
/sbin/e-smith/audittools/templates

RPM initial install date
rpm -qa --last | grep -v "initial install date"

Check Repositories http://wiki.contribs.org/SME_Server:Adding_Software
/sbin/e-smith/audittools/repositories

List Repositories
db yum_repositories show
cat /home/e-smith/db/yum_repositories

Restore Default Repositories
cd /home/e-smith/db/
rm -f yum_repositories.po
mv yum_repositories yum_repositories.po
/etc/e-smith/events/actions/initialize-default-databases
signal-event dnf-modify
dnf update

Yum; There are unfinished transactions remaining
yum install yum-utils
yum-complete-transaction --cleanup-only

Check RPM Package owning FILE
rpm -qf /usr/bin/nmap

RPM erase single package
rpm -e --nodeps xxx

Check Domain
host -t mx <domain>
host -t a <domain>
host -t soa <domain>
host -t txt <domain>
host -t ns <domain>
host -t txt _dmarc.<domain>
host -t txt default._domainkey.<domain>

Network packet capture and test
tcpdump
tcpdump -i eth1 port 42526 -v
tcpdump -i br0 port 42526 -v
nmap -p 42526 -sU -P0 <domain>
nmap -p 42526 -sT -P0 <domain>

Squid Log Date
perl -pe 's/[\d\.]+/localtime($&)/e' /var/log/squid/access.log

Check Apache modules loaded;
apachectl -t -D DUMP_MODULES

Custom Network
config setprop ExternalInterface EthtoolOpts "speed 10 duplex full autoneg off"

Server Default Backup List
perl -e 'use esmith::Backup;$b=new esmith::Backup;print join("\n",$b->restore_list)."\n"'

Server Reset Initial Restore
config delete PasswordSet
config setprop bootstrap-console Run Yes
signal-event reboot

Redirect website
create redirect ibay
db accounts setprop redirect AllowOverride all
db accounts setprop redirect FollowSymLinks enabled
signal-event ibay-modify redirect

cd /home/e-smith/files/ibays/redirect/html
vim .htaccess
Redirect 301 / http://www.domain.com/

Disable mail to a user from an external network
db accounts setprop groupname/username Visible internal
signal-event email-update

Disable the check for the Date header on the internal interface:
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
echo "# 17check_basicheaders disabled by custom template" > 17check_basicheaders
signal-event email-update

cat /etc/e-smith/templates/var/service/qpsmtpd/config/plugins/17check_basicheaders
{
$OUT = "check_basicheaders";

# Note: You can't specify a maximum offset of 0 days, but that's fair
my $days = $smtpd{MaximumDateOffset} || '';

$OUT .= " $days" if ($days);
}

Disable the check for the Date header on the external interface:
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0
echo "# 17check_basicheaders disabled by custom template" > 17check_basicheaders
signal-event email-update

cat /etc/e-smith/templates/var/service/qpsmtpd/config/peers/0/17check_basicheaders
{
$OUT = "check_basicheaders";

# Note: You can't specify a maximum offset of 0 days, but that's fair
my $days = $smtpd{MaximumDateOffset} || '';

$OUT .= " $days" if ($days);
}

List contents of queued email
# /var/qmail/bin/qmail-qread
14 Dec 2014 03:35:51 GMT #165184302 2886
# find /var/qmail/queue -name 165184302| xargs cat | less

Qmail retry period before return e-mail as undeliverable
default is 604800 seconds = 1 week, 172800 seconds = 2 days
mkdir -p /etc/e-smith/templates-custom/var/qmail/control
echo 172800 > /etc/e-smith/templates-custom/var/qmail/control/queuelifetime
expand-template /var/qmail/control/queuelifetime
sv t qmail

=== unzip ===
tar -xvf xxx.tar
tar -zxvf xxx.tar.gz
tar -xf xxx.tar.xz
unzip xxx.zip
bunzip2 xxx.bz2
bzip2 -d xxx.bz2
xz -dv xxx.xz

=== tar create ===
tar -zcvf archive-name.tar.gz (/directory-name/)file(s)
xz -6cv --threads=0 /path/filename > /path/filename.xz

=== scp ===
scp -rp -P 44 root@192.168.1.1:/.../filename .

=== rsync ===
rsync -aH /affa/smesvr /media/affa/affa/
rsync -aHvzhe ssh --progress root@10.10.15.1:/var/affa/archive /var/affa/
rsync -avzhe "ssh -p 22222" --progress root@123.45.67.89:/mnt/backups/dump/vzdump-qemu-101-2021_09_25-00_00_09.vma.zst /mnt/4TB1/abc
rsync -avzhe "ssh -p 22222" --progress --partial root@123.45.67.89:/mnt/mirror1/dump/fri/SAGESVR.qcow2 /media/owner/WEEKLY/abc

=== .bashrc ===
PS1="\[\e[30m\]\h:\w#\[\e[m\] " BLACK
PS1="\[\e[31m\]\h:\w#\[\e[m\] " RED
PS1="\[\e[32m\]\h:\w#\[\e[m\] " GREEN
PS1="\[\e[34m\]\h:\w#\[\e[m\] " BLUE
PS1="\[\e[36m\]\h:\w#\[\e[m\] " CYAN

export HISTTIMEFORMAT="%d%m%y %T "

Processor info
cat /proc/cpuinfo

Software RAID status
cat /proc/mdstat

Linux check maximum MTU
ping -M do -s 1434 google.co.uk

Windows check maximum MTU
ping google.co.uk -f -l 1434

=== Symbolic link ===
ln -s /path-to-folder(file) foldername(filename)

=== Public key ===
on the HOST server:
affa --send-key targetsvr
ssh-keygen -t ed25519
ssh-keygen -t rsa

cat /root/.ssh/id_rsa.pub

on the TARGET server: add
mkdir -p /root/.ssh
cd /root/.ssh
vim authorized_keys

config setprop sshd PasswordAuthentication no
signal-event remoteaccess-update
config show sshd

=== MySQL ===
mysql
use icinga
REPAIR TABLE icinga_hoststatus;
REPAIR TABLE icinga_logentries;
\q

/etc/init.d/icinga stop
mysqlcheck --databases icinga

Restore mysql db
mysql -u root -p wcuk < wcuk.sql

=== APC ===
Update BATTDATE to the current date.
Kill the apcupsd daemon first, Run apctest to update the UPS eeprom.

Debian;
apt install apcupsd
vim /etc/apcupsd/apcupsd.conf
vim /etc/default/apcupsd
systemctl restart apcupsd.service

cd /etc/init.d/
./apcupsd start

http://www.apcupsd.com/manual/manual.html#red-hat-systems

Compile
SME;
yum install gcc gcc-c++
yum remove gcc gcc-c++

http://sourceforge.net/projects/apcupsd/files/latest/download?source=files

gunzip apcupsd-3.14.13.tar.gz
tar -xvf apcupsd-3.14.13.tar
cd apcupsd-3.14.13
./configure --help
./configure --enable-usb
make
make install

DEBIAN;
apt-get install g++
apt-get install make
./configure --enable-usb
make
make install
vim /etc/apcupsd/apcupsd.conf
cd /etc/init.d
./apcupsd status
./apcupsd start
./apcupsd status

aptitude remove make
aptitude remove g++

additional package removed gcc

IPv6
ipv4="192.168.0.1"; sla="5"; printf "2002:%02x%02x:%02x%02x:%04x::1" `echo $ipv4 | tr "." " "` $sla

=== Vigor ===
vigor sip_alg
sys sip_alg ?
sys sip_alg 0
sys commit

ipsec passthrough
srv nat ipsecpass on

VDSL
WAN / General Setup / VLAN Tag Insertion = Enable / Tag Value = 101

vTiger
vTiger delete demo data SQL command
update vtiger_crmentity set deleted = 1

vTiger >5.04 reset admin password to 'admin'

mysql
use <vtiger_database_name>;
update vtiger_users set user_password = 'adpexzg3FUZAk', crypt_type = '' where user_name = 'admin';

Useful Commands

2026-01-13T11:32:37Z

Rdswikiadmin: /* unzip */

=== SME ===

Check added RPM's
/sbin/e-smith/audittools/newrpms
/sbin/e-smith/audittools/newrpms | grep smeserver

Check RPM's
rpm -qa smeserver* | sort -d
rpm -qa e-smith* | sort -d

Check templates
/sbin/e-smith/audittools/templates

RPM initial install date
rpm -qa --last | grep -v "initial install date"

Check Repositories http://wiki.contribs.org/SME_Server:Adding_Software
/sbin/e-smith/audittools/repositories

List Repositories
db yum_repositories show
cat /home/e-smith/db/yum_repositories

Restore Default Repositories
cd /home/e-smith/db/
rm -f yum_repositories.po
mv yum_repositories yum_repositories.po
/etc/e-smith/events/actions/initialize-default-databases
signal-event dnf-modify
dnf update

Yum; There are unfinished transactions remaining
yum install yum-utils
yum-complete-transaction --cleanup-only

Check RPM Package owning FILE
rpm -qf /usr/bin/nmap

RPM erase single package
rpm -e --nodeps xxx

Check Domain
host -t mx <domain>
host -t a <domain>
host -t soa <domain>
host -t txt <domain>
host -t ns <domain>
host -t txt _dmarc.<domain>
host -t txt default._domainkey.<domain>

Network packet capture and test
tcpdump
tcpdump -i eth1 port 42526 -v
tcpdump -i br0 port 42526 -v
nmap -p 42526 -sU -P0 <domain>
nmap -p 42526 -sT -P0 <domain>

Squid Log Date
perl -pe 's/[\d\.]+/localtime($&)/e' /var/log/squid/access.log

Check Apache modules loaded;
apachectl -t -D DUMP_MODULES

Custom Network
config setprop ExternalInterface EthtoolOpts "speed 10 duplex full autoneg off"

Server Default Backup List
perl -e 'use esmith::Backup;$b=new esmith::Backup;print join("\n",$b->restore_list)."\n"'

Server Reset Initial Restore
config delete PasswordSet
config setprop bootstrap-console Run Yes
signal-event reboot

Redirect website
create redirect ibay
db accounts setprop redirect AllowOverride all
db accounts setprop redirect FollowSymLinks enabled
signal-event ibay-modify redirect

cd /home/e-smith/files/ibays/redirect/html
vim .htaccess
Redirect 301 / http://www.domain.com/

Disable mail to a user from an external network
db accounts setprop groupname/username Visible internal
signal-event email-update

Disable the check for the Date header on the internal interface:
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
echo "# 17check_basicheaders disabled by custom template" > 17check_basicheaders
signal-event email-update

cat /etc/e-smith/templates/var/service/qpsmtpd/config/plugins/17check_basicheaders
{
$OUT = "check_basicheaders";

# Note: You can't specify a maximum offset of 0 days, but that's fair
my $days = $smtpd{MaximumDateOffset} || '';

$OUT .= " $days" if ($days);
}

Disable the check for the Date header on the external interface:
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0
echo "# 17check_basicheaders disabled by custom template" > 17check_basicheaders
signal-event email-update

cat /etc/e-smith/templates/var/service/qpsmtpd/config/peers/0/17check_basicheaders
{
$OUT = "check_basicheaders";

# Note: You can't specify a maximum offset of 0 days, but that's fair
my $days = $smtpd{MaximumDateOffset} || '';

$OUT .= " $days" if ($days);
}

List contents of queued email
# /var/qmail/bin/qmail-qread
14 Dec 2014 03:35:51 GMT #165184302 2886
# find /var/qmail/queue -name 165184302| xargs cat | less

Qmail retry period before return e-mail as undeliverable
default is 604800 seconds = 1 week, 172800 seconds = 2 days
mkdir -p /etc/e-smith/templates-custom/var/qmail/control
echo 172800 > /etc/e-smith/templates-custom/var/qmail/control/queuelifetime
expand-template /var/qmail/control/queuelifetime
sv t qmail

=== unzip ===
tar -xvf xxx.tar
tar -zxvf xxx.tar.gz
tar -xf xxx.tar.xz
unzip xxx.zip
bunzip2 xxx.bz2
bzip2 -d xxx.bz2
xz -dv xxx.xz

=== tar create ===
tar -zcvf archive-name.tar.gz (/directory-name/)file(s)

=== scp ===
scp -rp -P 44 root@192.168.1.1:/.../filename .

=== rsync ===
rsync -aH /affa/smesvr /media/affa/affa/
rsync -aHvzhe ssh --progress root@10.10.15.1:/var/affa/archive /var/affa/
rsync -avzhe "ssh -p 22222" --progress root@123.45.67.89:/mnt/backups/dump/vzdump-qemu-101-2021_09_25-00_00_09.vma.zst /mnt/4TB1/abc
rsync -avzhe "ssh -p 22222" --progress --partial root@123.45.67.89:/mnt/mirror1/dump/fri/SAGESVR.qcow2 /media/owner/WEEKLY/abc

=== .bashrc ===
PS1="\[\e[30m\]\h:\w#\[\e[m\] " BLACK
PS1="\[\e[31m\]\h:\w#\[\e[m\] " RED
PS1="\[\e[32m\]\h:\w#\[\e[m\] " GREEN
PS1="\[\e[34m\]\h:\w#\[\e[m\] " BLUE
PS1="\[\e[36m\]\h:\w#\[\e[m\] " CYAN

export HISTTIMEFORMAT="%d%m%y %T "

Processor info
cat /proc/cpuinfo

Software RAID status
cat /proc/mdstat

Linux check maximum MTU
ping -M do -s 1434 google.co.uk

Windows check maximum MTU
ping google.co.uk -f -l 1434

=== Symbolic link ===
ln -s /path-to-folder(file) foldername(filename)

=== Public key ===
on the HOST server:
affa --send-key targetsvr
ssh-keygen -t ed25519
ssh-keygen -t rsa

cat /root/.ssh/id_rsa.pub

on the TARGET server: add
mkdir -p /root/.ssh
cd /root/.ssh
vim authorized_keys

config setprop sshd PasswordAuthentication no
signal-event remoteaccess-update
config show sshd

=== MySQL ===
mysql
use icinga
REPAIR TABLE icinga_hoststatus;
REPAIR TABLE icinga_logentries;
\q

/etc/init.d/icinga stop
mysqlcheck --databases icinga

Restore mysql db
mysql -u root -p wcuk < wcuk.sql

=== APC ===
Update BATTDATE to the current date.
Kill the apcupsd daemon first, Run apctest to update the UPS eeprom.

Debian;
apt install apcupsd
vim /etc/apcupsd/apcupsd.conf
vim /etc/default/apcupsd
systemctl restart apcupsd.service

cd /etc/init.d/
./apcupsd start

http://www.apcupsd.com/manual/manual.html#red-hat-systems

Compile
SME;
yum install gcc gcc-c++
yum remove gcc gcc-c++

http://sourceforge.net/projects/apcupsd/files/latest/download?source=files

gunzip apcupsd-3.14.13.tar.gz
tar -xvf apcupsd-3.14.13.tar
cd apcupsd-3.14.13
./configure --help
./configure --enable-usb
make
make install

DEBIAN;
apt-get install g++
apt-get install make
./configure --enable-usb
make
make install
vim /etc/apcupsd/apcupsd.conf
cd /etc/init.d
./apcupsd status
./apcupsd start
./apcupsd status

aptitude remove make
aptitude remove g++

additional package removed gcc

IPv6
ipv4="192.168.0.1"; sla="5"; printf "2002:%02x%02x:%02x%02x:%04x::1" `echo $ipv4 | tr "." " "` $sla

=== Vigor ===
vigor sip_alg
sys sip_alg ?
sys sip_alg 0
sys commit

ipsec passthrough
srv nat ipsecpass on

VDSL
WAN / General Setup / VLAN Tag Insertion = Enable / Tag Value = 101

vTiger
vTiger delete demo data SQL command
update vtiger_crmentity set deleted = 1

vTiger >5.04 reset admin password to 'admin'

mysql
use <vtiger_database_name>;
update vtiger_users set user_password = 'adpexzg3FUZAk', crypt_type = '' where user_name = 'admin';

Useful Commands

2026-01-13T11:32:13Z

Rdswikiadmin: /* SME */

=== SME ===

Check added RPM's
/sbin/e-smith/audittools/newrpms
/sbin/e-smith/audittools/newrpms | grep smeserver

Check RPM's
rpm -qa smeserver* | sort -d
rpm -qa e-smith* | sort -d

Check templates
/sbin/e-smith/audittools/templates

RPM initial install date
rpm -qa --last | grep -v "initial install date"

Check Repositories http://wiki.contribs.org/SME_Server:Adding_Software
/sbin/e-smith/audittools/repositories

List Repositories
db yum_repositories show
cat /home/e-smith/db/yum_repositories

Restore Default Repositories
cd /home/e-smith/db/
rm -f yum_repositories.po
mv yum_repositories yum_repositories.po
/etc/e-smith/events/actions/initialize-default-databases
signal-event dnf-modify
dnf update

Yum; There are unfinished transactions remaining
yum install yum-utils
yum-complete-transaction --cleanup-only

Check RPM Package owning FILE
rpm -qf /usr/bin/nmap

RPM erase single package
rpm -e --nodeps xxx

Check Domain
host -t mx <domain>
host -t a <domain>
host -t soa <domain>
host -t txt <domain>
host -t ns <domain>
host -t txt _dmarc.<domain>
host -t txt default._domainkey.<domain>

Network packet capture and test
tcpdump
tcpdump -i eth1 port 42526 -v
tcpdump -i br0 port 42526 -v
nmap -p 42526 -sU -P0 <domain>
nmap -p 42526 -sT -P0 <domain>

Squid Log Date
perl -pe 's/[\d\.]+/localtime($&)/e' /var/log/squid/access.log

Check Apache modules loaded;
apachectl -t -D DUMP_MODULES

Custom Network
config setprop ExternalInterface EthtoolOpts "speed 10 duplex full autoneg off"

Server Default Backup List
perl -e 'use esmith::Backup;$b=new esmith::Backup;print join("\n",$b->restore_list)."\n"'

Server Reset Initial Restore
config delete PasswordSet
config setprop bootstrap-console Run Yes
signal-event reboot

Redirect website
create redirect ibay
db accounts setprop redirect AllowOverride all
db accounts setprop redirect FollowSymLinks enabled
signal-event ibay-modify redirect

cd /home/e-smith/files/ibays/redirect/html
vim .htaccess
Redirect 301 / http://www.domain.com/

Disable mail to a user from an external network
db accounts setprop groupname/username Visible internal
signal-event email-update

Disable the check for the Date header on the internal interface:
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
echo "# 17check_basicheaders disabled by custom template" > 17check_basicheaders
signal-event email-update

cat /etc/e-smith/templates/var/service/qpsmtpd/config/plugins/17check_basicheaders
{
$OUT = "check_basicheaders";

# Note: You can't specify a maximum offset of 0 days, but that's fair
my $days = $smtpd{MaximumDateOffset} || '';

$OUT .= " $days" if ($days);
}

Disable the check for the Date header on the external interface:
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0
echo "# 17check_basicheaders disabled by custom template" > 17check_basicheaders
signal-event email-update

cat /etc/e-smith/templates/var/service/qpsmtpd/config/peers/0/17check_basicheaders
{
$OUT = "check_basicheaders";

# Note: You can't specify a maximum offset of 0 days, but that's fair
my $days = $smtpd{MaximumDateOffset} || '';

$OUT .= " $days" if ($days);
}

List contents of queued email
# /var/qmail/bin/qmail-qread
14 Dec 2014 03:35:51 GMT #165184302 2886
# find /var/qmail/queue -name 165184302| xargs cat | less

Qmail retry period before return e-mail as undeliverable
default is 604800 seconds = 1 week, 172800 seconds = 2 days
mkdir -p /etc/e-smith/templates-custom/var/qmail/control
echo 172800 > /etc/e-smith/templates-custom/var/qmail/control/queuelifetime
expand-template /var/qmail/control/queuelifetime
sv t qmail

=== unzip ===
tar -xvf xxx.tar
tar -zxvf xxx.tar.gz
tar -xf xxx.tar.xz
unzip xxx.zip
bunzip2 xxx.bz2
bzip2 -d xxx.bz2

=== tar create ===
tar -zcvf archive-name.tar.gz (/directory-name/)file(s)

=== scp ===
scp -rp -P 44 root@192.168.1.1:/.../filename .

=== rsync ===
rsync -aH /affa/smesvr /media/affa/affa/
rsync -aHvzhe ssh --progress root@10.10.15.1:/var/affa/archive /var/affa/
rsync -avzhe "ssh -p 22222" --progress root@123.45.67.89:/mnt/backups/dump/vzdump-qemu-101-2021_09_25-00_00_09.vma.zst /mnt/4TB1/abc
rsync -avzhe "ssh -p 22222" --progress --partial root@123.45.67.89:/mnt/mirror1/dump/fri/SAGESVR.qcow2 /media/owner/WEEKLY/abc

=== .bashrc ===
PS1="\[\e[30m\]\h:\w#\[\e[m\] " BLACK
PS1="\[\e[31m\]\h:\w#\[\e[m\] " RED
PS1="\[\e[32m\]\h:\w#\[\e[m\] " GREEN
PS1="\[\e[34m\]\h:\w#\[\e[m\] " BLUE
PS1="\[\e[36m\]\h:\w#\[\e[m\] " CYAN

export HISTTIMEFORMAT="%d%m%y %T "

Processor info
cat /proc/cpuinfo

Software RAID status
cat /proc/mdstat

Linux check maximum MTU
ping -M do -s 1434 google.co.uk

Windows check maximum MTU
ping google.co.uk -f -l 1434

=== Symbolic link ===
ln -s /path-to-folder(file) foldername(filename)

=== Public key ===
on the HOST server:
affa --send-key targetsvr
ssh-keygen -t ed25519
ssh-keygen -t rsa

cat /root/.ssh/id_rsa.pub

on the TARGET server: add
mkdir -p /root/.ssh
cd /root/.ssh
vim authorized_keys

config setprop sshd PasswordAuthentication no
signal-event remoteaccess-update
config show sshd

=== MySQL ===
mysql
use icinga
REPAIR TABLE icinga_hoststatus;
REPAIR TABLE icinga_logentries;
\q

/etc/init.d/icinga stop
mysqlcheck --databases icinga

Restore mysql db
mysql -u root -p wcuk < wcuk.sql

=== APC ===
Update BATTDATE to the current date.
Kill the apcupsd daemon first, Run apctest to update the UPS eeprom.

Debian;
apt install apcupsd
vim /etc/apcupsd/apcupsd.conf
vim /etc/default/apcupsd
systemctl restart apcupsd.service

cd /etc/init.d/
./apcupsd start

http://www.apcupsd.com/manual/manual.html#red-hat-systems

Compile
SME;
yum install gcc gcc-c++
yum remove gcc gcc-c++

http://sourceforge.net/projects/apcupsd/files/latest/download?source=files

gunzip apcupsd-3.14.13.tar.gz
tar -xvf apcupsd-3.14.13.tar
cd apcupsd-3.14.13
./configure --help
./configure --enable-usb
make
make install

DEBIAN;
apt-get install g++
apt-get install make
./configure --enable-usb
make
make install
vim /etc/apcupsd/apcupsd.conf
cd /etc/init.d
./apcupsd status
./apcupsd start
./apcupsd status

aptitude remove make
aptitude remove g++

additional package removed gcc

IPv6
ipv4="192.168.0.1"; sla="5"; printf "2002:%02x%02x:%02x%02x:%04x::1" `echo $ipv4 | tr "." " "` $sla

=== Vigor ===
vigor sip_alg
sys sip_alg ?
sys sip_alg 0
sys commit

ipsec passthrough
srv nat ipsecpass on

VDSL
WAN / General Setup / VLAN Tag Insertion = Enable / Tag Value = 101

vTiger
vTiger delete demo data SQL command
update vtiger_crmentity set deleted = 1

vTiger >5.04 reset admin password to 'admin'

mysql
use <vtiger_database_name>;
update vtiger_users set user_password = 'adpexzg3FUZAk', crypt_type = '' where user_name = 'admin';

SMEServer FTP

2026-01-13T11:17:14Z

Rdswikiadmin: Created page with "Copied from; https://wiki.koozali.org/Ftp In short SME uses port 21 for FTP. Default mode used is passive. To use it you will need a custom template and enabling ports (PassivePort https://bugs.koozali.org/show_bug.cgi?id=12454). Starting SME10, ftp default is to use explicit TLS over ftp (FTPs explicite) '''Easy filezilla connexion to SME would use url with FTPES://.''' {| class="wikitable" |+disambiguation !term / protocol !port !deamon !explanation |- |ftp ftp://..."

Copied from; https://wiki.koozali.org/Ftp

In short SME uses port 21 for FTP. Default mode used is passive. To use it you will need a custom template and enabling ports (PassivePort https://bugs.koozali.org/show_bug.cgi?id=12454).

Starting SME10, ftp default is to use explicit TLS over ftp (FTPs explicite) '''Easy filezilla connexion to SME would use url with FTPES://.'''
{| class="wikitable"
|+disambiguation
!term / protocol
!port
!deamon
!explanation
|-
|ftp ftp://
|21
|proftpd
|unencrypted file transfer protocol, all is clear text, no encryption. disabled on SME>=10
|-
|ftps ftpes://
|21
|proftpd
|explicit TLS encrypted file transfer protocol, password exchange and files are encrypted
|-
|ftps ftps://
|900
|proftpd
|implicit TLS, not available on SME
|-
|sftp
|22
|sshd
|secured file transfer protocol over ssh. this needs a RSA or EC key on SME Server
|}
SME Server offers a ftp server, which is Proftpd. If enabled it allows you to access to the Primary ibay files folder with anonymous access, and to any content your user is allowed, if authenticated, inside /home/e-smith/files.

Prior to SME 10 ftp was using cleat text communication ('''FTP'''), allowing one to listen to your password and files exchanged on the network. Now TLS is enforced by default ('''FTPs'''), and it is suggested that you keep it enabled.

While you may be used to the traditional port 21 for file transfer protocol ('''FTP'''), this page is here to help you have steady access to your ftp server, by understanding it, and enabling the extra needed ports.

Your server is using

Do not confuse '''sFTP''', which is part of ssh protocol and uses port 22, with '''FTPs''' which is the regular ftp protocol over port 21 using a layer of SSL/TLS encryption.

== FTP connection modes : active versus passive ==
SME by default offers both active and passive mode when you are on LAN. However, as soon as you try to access from a remote location you will have some difficulties depending on the situation.

By default, for passive connection, Proftpd will use ports from 1024 and up, which means that you must forward ''all'' ports 1024-65535 from the NAT to the FTP server! And you have to allow many (possibly) dangerous ports in your fire-walling rules! Not a good situation.

==== The Modes ====

===== active =====
From the server-side firewall's standpoint, to support active mode FTP the following communication channels need to be opened (http://slacksite.com/other/ftp.html):

* FTP server's port 21 from anywhere (Client initiates connection)
* FTP server's port 21 to ports > 1024 (Server responds to client's control port)
* FTP server's port 20 to ports > 1024 (Server initiates data connection to client's data port)
* FTP server's port 20 from ports > 1024 (Client sends ACKs to server's data port)

===== passive =====
From the server-side firewall's standpoint, to support passive mode FTP the following communication channels need to be opened (http://slacksite.com/other/ftp.html):

* FTP server's port 21 from anywhere (Client initiates connection)
* FTP server's port 21 to ports > 1024 (Server responds to client's control port)
* FTP server's ports > 1024 from anywhere (Client initiates data connection to random port specified by server)
* FTP server's ports > 1024 to remote ports > 1024 (Server sends ACKs (and data) to client's data port)

note port 20 does not need to be open inward on SME, as it is only used to send from SME, however if you have a restrictive firewall between Internet and SME limiting outgoing connection you need to open port 20 to be able to do active ftp. http://www.proftpd.org/docs/howto/AWS.html

==== Examples ====

===== SME is server-gateway connected to Internet - Client is remote behind a NAT =====
Active mode will not work because the NAT will mostly hide the client port.

Passive mode will need to use the <code>PassivePorts</code> directive in your <code>proftpd.conf</code> to control what ports <code>proftpd</code> will use for its passive data transfers, and you will need to open those port in your SME firewall.

===== SME is server-gateway behind a firewall / NAT to Internet - Client is remote behind a NAT =====
Active mode will not work because the NAT will mostly hide the client port.

Passive mode will need to use the <code>PassivePorts</code> directive in your <code>proftpd.conf</code> to control what ports <code>proftpd</code> will use for its passive data transfers, and you will need to open those port in your SME firewall and in your firewall between you SME and Internet. You might also need a template custom to add MasqueradeAddress (http://www.proftpd.org/docs/modules/mod_core.html#MasqueradeAddress).

===== SME is server-gateway connected to Internet - Client is remote directly connected to the Internet =====
Active mode will work.

Passive mode will need to use the <code>PassivePorts</code> directive in your <code>proftpd.conf</code> to control what ports <code>proftpd</code> will use for its passive data transfers, and you will need to open those port in your SME firewall.

== SSL mode: Explicit SSL versus Implicit SSL ==
'''SME 10 and above uses explicit SSL mode for FTPs''' over port 21 only and does not need port 990. The client must explicitly request for SSL/TLS to be able to go on.

FTPS (FTP over TLS) is served up in two incompatible modes. If using explicit FTPS, the client connects to the normal FTP port and explicitly switches into secure (TLS) mode with "AUTH TLS", whereas implicit FTPS is an older style service that assumes TLS mode right from the start of the connection (and normally listens on TCP port 990, rather than 21).

In a FileZilla client this means prefixing the host with "FTPES://" to connect an "explicit" FTPS server, or "FTPS://" for the legacy "implicit" server (for which you will likely also need to set the port to 990).

== Filezilla config ==
[[File:Filezilla-ftpes.png|left|thumb]]
If you use a client such a filezilla, starting SME 10, you will need to select the options

* encryption: TLS/SSL explicit encription
* port: 21
* hostname : you ip or domain name
* user name: your user name
* password : your password user

== SME enabling from smanager ==
[[File:Smanager2-ftp.png|none|thumb|898x898px]]

== FTP configuration options in SME ==
{| class="wikitable"
|+configuration db
!key
!Property
!default
|-
| rowspan="10" |ftp
|access
|private
|-
|TcpPorts
|49200:49999
|-
|TCPPort
|21
|-
|ChrootDir
|
|-
|TLSEnable
|on
|-
|TLSRequired
|on
|-
|TLSVerifyClient
|off
|-
|LoginAccess
|private
|-
|DisableAnonymous
|yes
|-
|status
|disabled
|}
{| class="wikitable"
|+account db for ibay type
!Property
!default
|-
|PublicAccess
|none
|-
|DisableAnonymous
|no
|}

== TODO ==

*http://www.proftpd.org/docs/modules/mod_core.html#MasqueradeAddress Virtualhost vs Class see http://www.proftpd.org/docs/howto/NAT.html
* http://www.proftpd.org/docs/howto/FXP.html

===Bug report===
Proftpd is listed in the [https://bugs.koozali.org/enter_bug.cgi?product=SME%20Server%2010.X bugtracker server] section.

Please report all bugs, new feature requests and documentation issues there.

Current bugs:

https://bugs.koozali.org/buglist.cgi?bug_status=UNCONFIRMED&bug_status=CONFIRMED&bug_status=NEEDINFO&bug_status=IN_PROGRESS&bug_status=RESOLVED&f1=cf_package&list_id=102854&o1=equals&query_format=advanced&resolution=---&v1=e-smith-proftpd

== Sources ==

* https://wiki.filezilla-project.org/FTP_over_TLS#Explicit_vs_Implicit_FTPS
* http://www.proftpd.org/docs/howto/TLS.html
* https://hstechdocs.helpsystems.com/manuals/globalscape/archive/secureserver3/Explicit_versus_Implicit_SSL.htm
* https://winscp.net/eng/docs/ftp_modes
* http://www.proftpd.org/docs/howto/NAT.html
* http://slacksite.com/other/ftp.html

[[Category:Howto]]

SMEServer Fail2ban

2026-01-10T10:43:22Z

Rdswikiadmin: Created page with "Copied from; https://wiki.koozali.org/Fail2ban {{Languages|Fail2ban}} == Fail2ban for SME Server == {{Level|Easy|The instructions on this page can be followed by a beginner.}} == Maintainer == Daniel B. [http://www.firewall-services.com Firewall Services] mailto:daniel@firewall-services.com Please discuss, provide feedback and share experiences on the forums [http://forums.contribs.org/index.php/topic,51127.0.html '''here'''] == Descriptio..."

Copied from; https://wiki.koozali.org/Fail2ban

{{Languages|Fail2ban}}

== Fail2ban for SME Server ==
{{Level|Easy|The instructions on this page can be followed by a beginner.}}

== Maintainer ==
[[User:VIP-ire|Daniel B.]] 
[http://www.firewall-services.com Firewall Services] 
mailto:daniel@firewall-services.com

Please discuss, provide feedback and share experiences on the forums [http://forums.contribs.org/index.php/topic,51127.0.html '''here''']

== Description ==
Fail2ban operates by monitoring log files (e.g. /var/log/pwdfail, /var/log/auth.log, etc.) for selected entries and running scripts based on them. Most commonly this is used to block selected IP addresses that may belong to hosts that are trying to breach the system's security. It can ban any host IP that makes too many login attempts or performs any other unwanted action within a time frame defined by the administrator.
Fail2ban is typically set up to unban a blocked host within a certain period, so as to not "lock out" any genuine connections that may have been temporarily misconfigured. However, an unban time of several minutes is usually enough to stop a network connection being flooded by malicious connections, as well as reducing the likelihood of a successful dictionary attack.

After installation the most important core services (and some additional ones) are monitored by default without the need for manual configuration (see: [[#Services|Services]]).

{{Tip box|fail2ban is not only a tool against brute force attack on ssh but it can be a tool useful against http protocol attacks or [http://forums.contribs.org/index.php/topic,50162.msg252195.html#msg252195 spam attacks] on your server. See the [[Fail2ban#Jail.conf |jail section]]}}

== Requirements ==
This contrib has been developed and tested on SME Server 8 and later.

{{Note box|The SME feature [http://wiki.contribs.org/AutoBlock AutoBlock SSH] should be disabled to ensure that fail2ban controls SSH traffic and not the SME build-in firewall.}}

==Koozali SME v9/v10==

{{#smeversion: smeserver-fail2ban}}

== Installation Koozali SME==
<tabs container><tab name="For SME 10">
yum --enablerepo=smecontribs install smeserver-fail2ban
</tab><tab name="For SME 9">

* install the rpms

yum --enablerepo=smecontribs install smeserver-fail2ban

* Apply the needed configuration:
Use care to execute these three commands precisely. Failure to do so may prevent remote login via ssh.

db configuration setprop masq status enabled
expand-template /etc/rc.d/init.d/masq
/etc/init.d/masq restart
signal-event fail2ban-conf
or, as an alternative, use the following commands. They will have the same effect after rebooting.
db configuration setprop masq status enabled
signal-event post-upgrade; signal-event reboot

{{warning box| Failing to run either of these command will completely lock network access next time iptables rules are reloaded}}
{{warning box| The masq service must be enabled for fail2Ban to work correctly. If you disable it, Fail2ban won't ban anything}}
</tab>
</tabs>
{{warning box| Starting SME10 and smeserver-fail2ban 0.1.18-29, manual change of configuration is included in core backup, if you use .local files in the folders action.d/ fail2ban.d/ filter.d/ jail.d/. Any change to rpm owned .conf file is not added in core backup. Use the .local files to override the conf file instead and it will be in the backup. See http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Configuration.}}

== Disable SME Feature AutoBlock SME 9 or greater ==
It's been noted that one of the features of fail2ban overlaps the built-in ssh AutoBlock feature of SME (https://wiki.contribs.org/AutoBlock).
It is possible to disable the AutoBlock feature using the following optional steps.

1. View what your current settings are for the built in SME AutoBlock feature by entering the following at the cli.
# config show sshd
2. If AutoBlock is disabled no action is required. If AutoBlock is enabled, set it to disabled with the following commands:
# config setprop sshd AutoBlock disabled
# signal-event remoteaccess-update

==DB command==
While there is a panel in the server-manager, you can also manage the contrib by the db configuration, it is quite simple

# config show fail2ban
fail2ban=service
Mail=enabled
status=enabled

Available options are below:

* '''IgnoreIP''': a comma separated list of IP or CIDR networks which will never be blocked by fail2ban. Example: 12.15.22.4,17.20.0.0/16. All your local networks and networks allowed to access the server-manager are already automatically whitelisted
* '''FilterLocalNetworks''' can be enabled or disabled (default is disabled). If set to enabled, local networks won't be whitelisted, and fail2ban can also ban hosts from the internal networks. Note that networks allowed to access the server-manager are not affected (they will never be blocked)
* '''BanTime''': Duration (in seconds) of a ban. Default to 1800 (about 30 minutes)
* '''FindTime''': The time window fail2ban will check, in seconds. Default is 900. So, this means fail2ban will only check for the number of failed login attempts in the last 15 minutes
* '''MaxRetry''': Number of failed attempts in the last '''FindTime''' seconds to trigger a ban. Default is 3
* '''Mail''': can be enabled or disabled (default is enabled). If enabled, each ban will notify the admin by email
* '''MailRecipient''': if '''Mail''' is enabled, the email address which should receive ban notifications. Default is root (the admin account will receive)

After changing one of these settings, you need to apply it:
signal-event fail2ban-conf

for example :

config setprop fail2ban IgnoreIP 12.15.22.4,17.20.0.0/16
signal-event fail2ban-conf

{{Note box|<code>signal-event fail2ban-conf</code> effectively restarts the service and clears existing bans, but a suitable 'findtime' results in a reban. Be aware that the restart delay can be unexpectedly lengthy due to the resource intensive process of scanning the logs to reban offending addresses.}}

== Services ==
The following services are monitored out of the box, and fail2ban will ban client IP for '''BanTime''' if more than '''MaxRetry''' authentication failure occure in less than '''FindTime'''

*ssh
*dovecot (only on SME9, or if you run [https://wikit.firewall-services.com/doku.php/smedev/dovecot smeserver-dovecot])
*qpsmtpd. If a remote server send you too many mails which qpsmtpd rejects, it's probably spammer, so Fail2ban will blacklist it. MaxRetry is x3 for this service, so with the default config, a remote server will be blacklisted if 9 mails are rejected in less than 15 minutes
*httpd-e-smith. The standard http server. 3 different filters check apache logs:
** noscripts: check client which ask for scripts which are not available on your server. It's usually script-kiddies trying to exploit security vulerabilities
** scan: another set of filter for popular scans (phpMyAdmin, wp-login, admin area etc...)
** auth: will check for standard authentication failure
*pam. This will check a generic authentication failure. Everything which uses pam should work
*[[Sogo|SOGo]]. Check SOGo logs for failed authentications
*[[LemonLDAP-NG]]. Check system logs for auth failure on LemonLDAP::NG portal
*ftp. Check auth failure on your FTP daemon
*[[Ejabberd]]. Check auth failure against EJabberd

Each filters will disable itself if the corresponding service is disabled. You can also disable specific filter if you want. For example, if you want to disable Apache filters:

db configuration setprop httpd-e-smith Fail2Ban disabled
signal-event fail2ban-conf

== Selective bans ==
Fail2Ban will do its best to do a selective ban. For example, if 3 auth failure against ssh are detected, only tcp port 22 (or any other port you choosed for SSH) will be blocked. Same for httpd-e-smith, SOGO, LemonLDAP::NG which will only blacklist tcp ports 80 and 443, qpsmtpd will block tcp ports 25 and 465, dovecot will block 143 and 993 etc...

There's only two ways to be completly locked (all port/protocol):
* pam. As this is a generic file, it's not possible to check which service was used when an auth failure occured, so the entire client IP will be blacklisted
* recidive. This is a special filter. It monitors fail2Ban logs, and blacklist client IP which gets locked several time. If a client is locked out 5 times in 24 hours, it'll be completly blacklisted for one full week

== Use Fail2ban ==
=== List all jails ===
[root@sme8 ~]# fail2ban-client status
Status
|- Number of jail: 10
`- Jail list: http-overflows, http-noscript, http-auth, sogo, pam-generic, ssh-ddos, http-scan, ssh, qpsmtpd, recidive

=== List IP banned from a specific jail ===
[root@sme8 ~]# fail2ban-client status ssh
choose the specific jail with the command above which lists the Jail-list.

=== Example script which list How many ip are banned from all jails ===

nano /root/checklist_ban
#!/bin/bash
#lancer le script en sudo
JAILS=$(fail2ban-client status | grep " Jail list:" | sed 's/`- Jail list://g' | sed 's/,//g')
for j in $JAILS
do
echo "$j $(fail2ban-client status $j | grep " Currently banned:" | sed 's/ |- Currently banned:\t//g')"
done

chmod 700 /root/checklist_ban

to launch the script, do the following command:
/root/checklist_ban

=== Unban an IP ===
In certain case you would to unban an IP immediately because you don't want waste time to wait the automatic IP unban process of fail2ban.
In first you you have to find the specific jail which has blocked you IP, you can refer to the mail that the admin user has received or you can list a specific jail.

fail2ban-client status qpsmtpd

Status for the jail: qpsmtpd
|- filter
| |- File list: /var/log/qpsmtpd/current /var/log/sqpsmtpd/current
| |- Currently failed: 5
| `- Total failed: 119
`- action
|- Currently banned: 1
| `- IP list: 93.17.128.20
`- Total banned: 1

If you want to know all you active jail, then do :

fail2ban-client status

Therefore you have to play with this command to unban your IP

fail2ban-client set qpsmtpd unbanip 93.17.128.20

the generic command is :

fail2ban-client set JAIL unbanip MYIP

===Jail.conf===
The jail.conf is templated (/etc/e-smith/templates/etc/fail2ban/jail.conf) and the default file contains the configuration as below. You can add your own template of jail.conf at
/etc/e-smith/templates-custom/etc/fail2ban/jail.conf
if first time you need to create the folder for your custom template
mkdir -p /etc/e-smith/templates-custom/etc/fail2ban/jail.conf

and do this to expland templates

expand-template /etc/rc.d/init.d/masq
/etc/init.d/masq restart
signal-event fail2ban-conf

====default jail.conf====
[DEFAULT]
ignoreip = 127.0.0.0/8 192.168.XXX.XXX 192.168.XXX.0/24
bantime = 1800
findtime = 900
maxretry = 3
usedns = yes
backend = auto

{{Note box|msg=Your network and your server are in the list of ignored IP by fail2ban (see IgnoreIP)}}

[ssh]
enabled = true
filter = sshd
logpath = /var/log/sshd/current
action = smeserver-iptables[port="22",protocol=tcp,bantime=1800]
smeserver-sendmail[name="SSH",dest=root]

[ssh-ddos]
enabled = true
filter = sshd-ddos
logpath = /var/log/sshd/current
action = smeserver-iptables[port="22",protocol=tcp,bantime=1800]
smeserver-sendmail[name="SSH",dest=root]

[qpsmtpd]
enabled = true
filter = qpsmtpd
logpath = /var/log/*qpsmtpd/current
maxretry = 9
action = smeserver-iptables[port="25,465",protocol=tcp,bantime=1800]
smeserver-sendmail[name="Qpsmtpd",dest=root]

[http-overflows]
enabled = true
filter = apache-overflows
logpath = /var/log/httpd/error_log
action = smeserver-iptables[port="80,443",protocol=tcp,bantime=1800]
smeserver-sendmail[name="Apache (overflows)",dest=root]

[http-noscript]
enabled = true
filter = apache-noscript
logpath = /var/log/httpd/error_log
action = smeserver-iptables[port="80,443",protocol=tcp,bantime=1800]
smeserver-sendmail[name="Apache (noscript)",dest=root]

[http-scan]
enabled = true
filter = apache-scan
logpath = /var/log/httpd/error_log
action = smeserver-iptables[port="80,443",protocol=tcp,bantime=1800]
smeserver-sendmail[name="Apache (scan)",dest=root]

[http-auth]
enabled = true
filter = apache-auth
logpath = /var/log/httpd/error_log
action = smeserver-iptables[port="80,443",protocol=tcp,bantime=1800]
smeserver-sendmail[name="Apache (auth)",dest=root]

[pam-generic]
enabled = true
filter = pam-generic
logpath = /var/log/secure
maxretry = 6
action = smeserver-iptables[bantime=1800]
smeserver-sendmail[name="PAM generic",dest=root]

[recidive]
enabled = true
filter = recidive
logpath = /var/log/fail2ban/daemon.log
bantime = 604800
findtime = 86400
maxretry = 5
backend = polling
action = smeserver-iptables[bantime=604800]
smeserver-sendmail[name="Recidive",dest=root]

====Custom local filters====

You can add your custom rules by adding a filtername.local file in /etc/fail2ban/filters.d/
wget https://bugs.koozali.org/attachment.cgi?id=6229 -O /etc/fail2ban/filters.d/apache-badbots.local

would be an example of local bad bots rules, be careful to test for your personal case. Some advanced rules could create a lot of false positive and lock out your users.

== Uninstall ==
yum remove smeserver-fail2ban fail2ban

==User contributions==
=== Testing new regex ===
You can test new regex - notes from here http://bugs.contribs.org/show_bug.cgi?id=8955

fail2ban-regex [LOG] [REGEX]

You can also test the actual conf files as follows

fail2ban-regex /var/log/qpsmtpd/current /etc/fail2ban/filter.d/qpsmtpd.conf

Note that some characters such as ` may need escaping on the command line like this \` but do not need escaping in the conf files

e.g From qpsmptd.conf file this works in the conf file

^\s*\d+\s*logging::logterse plugin $deny$: ` <HOST>\s*.*90\d.*msg denied before queued$

However, on the command line it needs writing like this

^\s*\d+\s*logging::logterse plugin $deny$: \` <HOST>\s*.*90\d.*msg denied before queued$

===Show IPs banned by service===
====Check the fail2ban log====
Here is another quick script that shows you the most recent IPs banned in the logs. Note that they may have been unbanned but there is no check for this.
mkdir /root/bin
nano -w /root/bin/IP_list.sh

and copy and paste the below code into the file:

#!/bin/sh
# Set CLI vars to something we can read
TYPE=$1
LOG=$2

# Set main grep string
SEARCH="Ban ((1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])"

# Add the search term
SEARCH="\[$TYPE]\ $SEARCH"

# Now search the log
grep -oE "\[$TYPE\] Ban ((1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])" $LOG

Save the file and make it executable:
chmod 755 /root/bin/IP_list.sh

Usage :
IP_list.sh [service] [log]

e.g.
IP_list.sh qpsmtpd /var/log/fail2ban/daemon.log
====Check the fail2ban banned IP for all active jails ====
by [[User:Unnilennium|Unnilennium]] ([[User talk:Unnilennium|talk]])
mkdir /root/bin
vim /root/bin/sfail2ban

paste this in it:
#!/bin/bash
for SERVI in $(fail2ban-client status|grep 'Jail list'|cut -d':' -f2|sed 's/, / /g'| sed -e 's/^[ \t]*//')
do
fail2ban-client status $SERVI |grep -E 'IP list|Status for the jail'|sed 'N;s/\n/:/'|cut -d: -f2,4
done
then do
chmod 755 /root/bin/sfail2ban

Usage :
sfail2ban
output:
# sfail2ban
ftp:
imap:
pam-generic:
qpsmtpd:
recidive: 141.98.80.15
ssh:
ssh-ddos:
wordpress:

====Print a summary of the fail2ban db====
mkdir -p /root/bin
vi /root/bin/bansummary.sh

Paste this
<nowiki>#!/bin/bash
echo -e \
"IP \t"\
"BanTime \t"\
"UnbanTime \t"\
"Jail"

for ban in $(db fail2ban show |awk -F\= ' $2=="ban" {print $1}');
do
IP=$(db fail2ban getprop $ban Host)
Bantime=$(date +"%F %T" -d @$(db fail2ban getprop $ban BanTimestamp))
UnBanTime=$(date +"%F %T" -d @$(db fail2ban getprop $ban UnbanTimestamp))
LastJail=$(zgrep -H "Ban $IP" $(find /var/log/fail2ban -type f -ctime -7) |tail -1 |awk '{print $6}')

printf "%-15s" "$IP"
echo -e "\t$Bantime\t$UnBanTime\t$LastJail"
done
</nowiki>

save, then make executable
chmod 755 /root/bin/bansummary.sh

Usage:
bansummary.sh
Output:
<nowiki>IP BanTime UnbanTime Jail
46.246.39.228 2017-09-09 18:45:00 2017-09-10 18:45:00 [http-scan]
124.239.180.102 2017-09-09 12:07:32 2017-09-10 12:07:32 [http-scan]
212.237.54.93 2017-09-09 19:27:32 2017-09-10 19:27:32 [http-scan]
</nowiki>

===WordPress===
Fail2Ban works with WordPress but needs some extra configuration. Please review the WordPress page, https://wiki.contribs.org/Wordpress#Fail2Ban

== Bugs ==
Please raise bugs under the SME-Contribs section in [http://bugs.contribs.org/enter_bug.cgi bugzilla]
and select the smeserver-fail2ban component or use {{BugzillaFileBug|product=SME%20Contribs|component=smeserver-fail2ban|title=this link}}.

Below is an overview of the current issues for this contrib:{{#bugzilla:columns=id,product,version,status,summary|sort=id|order=desc|component=smeserver-fail2ban|noresultsmessage=No open bugs found.}}

==Changelog==
Only released version in smecontrib are listed here.

{{#smechangelog: smeserver-fail2ban}}
----

[[Category: Contrib]]
[[Category: Security]]

SMEServer Qpsmtpd

2026-01-10T07:01:52Z

Rdswikiadmin: Created page with "Copied from; https://wiki.koozali.org/Qpsmtpd/sme11 {{WIP box|this is a work in progress for the new SME 11 qpsmtpd configuration}} TODO: update Email#qpsmtpd for SME11 =qpsmtpd= qpsmtpd has been a core component of SME Server since SME 7, providing advanced spam fighting capabilities. SME Server 9.2 introduced qpsmtpd 0.96 with several new capabilities. At the same time, smeserver-qpsmtpd has been updated to provide additional SME Server c..."

Copied from; https://wiki.koozali.org/Qpsmtpd/sme11

{{WIP box|this is a work in progress for the new SME 11 qpsmtpd configuration}}

TODO: update [[Email#qpsmtpd]] for SME11

=qpsmtpd=
[[Wikipedia:Qpsmtpd|qpsmtpd]] has been a core component of SME Server since SME 7, providing advanced spam fighting capabilities.

SME Server 9.2 introduced qpsmtpd 0.96 with several new capabilities. At the same time, smeserver-qpsmtpd has been updated to provide additional SME Server configuration options.

SME Server 10 start moving the services to systemd.

SME Server 11 will upgrade to qpsmtpd 1.0. At the same time, smeserver-qpsmtpd has been updated providing separate configuration for each running deamons and introducing a third running deamon now covering all usual SMTP ports 25 (qpsmtpd), 587 (new uqpsmtpd) and 465 (sqpsmtpd). Also SME11 provides a full systemd implementaiton of the services without runit. Softlimit has been increased from 50MB to 150MB.

==Systemd Configuration ==
Some of the setting that were previously arranged using runit run script and multiple called script are all now present in systemd unit, with a dropin file to override default. The dropin file is templated<syntaxhighlight lang="ini">
# /usr/lib/systemd/system/uqpsmtpd.service
[Unit]
Description=qpsmtpd on submission port
After=network.target network-online.target qpsmtpd.service

[Service]
Type=simple
LimitDATA=150000000
LimitSTACK=150000000
LimitMEMLOCK=150000000
Environment=PORT=587 INSTANCES=40 INSTANCES_PER_IP=5 QPSMTPD_CONFIG=/var/service/uqpsmtpd/config PATH=/var/qmail/bin:/bin:/usr/bin:/usr/local/bin TCPLOCALHOST=me
WorkingDirectory=/var/service/qpsmtpd/

ExecStartPre=/sbin/e-smith/service-status uqpsmtpd
ExecStartPre=/sbin/e-smith/systemd/qpsmtpd-init %N
ExecStart=/usr/bin/qpsmtpd-forkserver \
-u qpsmtpd \
-l 0.0.0.0 \
-p $PORT \
-c $INSTANCES \
-m $INSTANCES_PER_IP
ExecReload=/bin/kill -HUP $MAINPID
Restart=always
RestartSec=20s
SyslogIdentifier=uqpsmtpd

[Install]
WantedBy=sme-server.target

# /usr/lib/systemd/system/uqpsmtpd.service.d/50koozali.conf
#------------------------------------------------------------
# !!DO NOT MODIFY THIS FILE!!
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at http://www.contribs.org/development/
#
# Copyright (C) 1999-2006 Mitel Networks Corporation
#------------------------------------------------------------
[Service]
LimitDATA=150000000
LimitSTACK=150000000
LimitMEMLOCK=150000000
Environment=
Environment=QPSMTPD_CONFIG=/var/service/uqpsmtpd/config PORT=587 INSTANCES=10 INSTANCES_PER_IP=5 PATH=/var/qmail/bin:/bin:/usr/bin:/usr/local/bin TCPLOCALHOST=sme11.example.com
</syntaxhighlight>

==Services folders==
<syntaxhighlight lang="bash">
/var/service/qpsmtpd
/var/service/qpsmtpd/config
/var/service/qpsmtpd/config/dkim
/var/service/qpsmtpd/config/peers
/var/service/qpsmtpd/peers
/var/service/qpsmtpd/ssl
/var/service/sqpsmtpd
/var/service/sqpsmtpd/supervise
/var/service/sqpsmtpd/config
/var/service/sqpsmtpd/config/dkim -> ../../qpsmtpd/config/dkim
/var/service/sqpsmtpd/config/peers
/var/service/sqpsmtpd/peers
/var/service/qpsmtpd/ssl -> ../qpsmtpd/ssl
/var/service/uqpsmtpd
/var/service/uqpsmtpd/config
/var/service/uqpsmtpd/config/dkim -> ../../qpsmtpd/config/dkim
/var/service/uqpsmtpd/config/peers
/var/service/uqpsmtpd/peers
/var/service/qpsmtpd/ssl -> ../qpsmtpd/ssl

</syntaxhighlight>

==Properties in configuration db==
{| class="wikitable mw-collapsible"
|+
x: use the value of qpsmtpd key property for this key too.
!property
!qpsmtpd
! sqpsmtpd
!uqpsmtpd
!information
|-
|Authentication
|enabled
|enabled
|enabled
|
|-
|Bcc
|disabled
|x
|x
|
|-
|BccMode
|cc
|x
|x
|
|-
|BccUser
|maillog
|x
|x
|
|-
|DNSBL
|disabled
|x
|x
|
|-
|Instances
|40
|10
|10
|
|-
|InstancesPerIP
|5
|5
|5
|
|-
|LogLevel
|6
|x
|x
|
|-
|MaxScannerSize
|25000000
|x
|x
|
|-
|MaximumDateOffset
|0
|x
|x
|
|-
|PatternsScan
|disabled
|x
|x
|
|-
|Proxy
|blocked
|x
|x
|
|-
|RBLList
|bl.spamcop.net,dnsbl-1.uceprotect.net,dnsbl-2.uceprotect.net,psbl.surriel.com,zen.spamhaus.org
|x
|x
|
|-
|RHSBL
|disabled
|x
|x
|
|-
|RelayRequiresAuth
|enabled
|x
|x
|
|-
|SoftLimit
|150000000
|150000000
|150000000
|
|-
|SBLList
|multi.surbl.org,black.uribl.com,rhsbl.sorbs.net
|x
|x
|
|-
|TCPPort
|25
|465
|587
|
|-
|TCPProxyPort
|25
|x
|x
|
|-
|TlsBeforeAuth
|1
|1 (hardcoded)
|1 (hardcoded)
|
|-
|UBLList
|multi.surbl.org:8-16-64-128,black.uribl.com,rhsbl.sorbs.net
|x
|x
|
|-
|URIBL
|disabled
|x
|x
|
|-
|VirusScan
|enabled
|x
|x
|
|-
|access
|public
|public
|public
|
|-
|qplogsumm
|disabled
|x
|x
|
|-
|status
|enabled
|enabled
|enabled
|
|-
|tnef2mime
|enabled
|x
|x
|
|-
|
|
|
|
|
|-
|KarmaNegative
|(2)
|
|
|
|-
|KarmaStrikes
|(3)
|
|
|
|-
|HeloPolicy
|<nowiki>(lenient)[lenient | rfc | strict]</nowiki>
|
|
|
|-
|MaximumDateOffset
|(0)
|
|
|
|-
|MaxLoad
|(7)
|
|
|
|-
|SPFRejectPolicy
|(0)[0-4]
|
|
|
|-
|DMARCReject
|<nowiki>(disabled)[enabled|disabled]</nowiki>
|
|
|
|-
|DMARCReporting
|<nowiki>(enabled)[enabled|disabled]</nowiki>
|
|
|
|-
|disclaimer
|<nowiki>(disabled)[enabled|disabled]</nowiki>
|
|
|
|}

==Config files==
{| class="wikitable"
|+template: is templated individually ; metadata: use another template via a metadata file.
!config file
!qpsmtpd
!sqpsmtpd
!uqpsmtpd
!plugin
!related properties
!information
|-
|badhelo
|template
|metadata
|metadata
|helo
|
|
|-
|badmailfrom
|template
|metadata
|metadata
|badmailfrom
badmailfromto

badrcptto
|
|
|-
|badrcptto
|template
|metadata
|metadata
|badrcptto
check_goodrcptto
|
|fixed output
|-
|badrcptto_ext
|template
|metadata
|metadata
|badrcptto
|
|hide emails when db accounts setprop ACCOUNT Visible internal
|-
|dkim
|folder
|folder
|folder
|
|
|not in use
|-
|dnsbl_allow
|template
|metadata
|metadata
|dnsbl
|
|
|-
|dnsbl_zones
|template
|metadata
|metadata
|dnsbl
per_user_config
|$qpsmtpd{RBLList}
|
|-
|forcespamcheck
|template
|metadata
|metadata
|forcespamcheck
|
|empty file, plugin set in peers
|-
|goodrcptto
|template
|metadata
|metadata
|check_goodrcptto
|
|
|-
|invalid_resolvable_fromhost
|template
|metadata
|metadata
|resolvable_fromhost
|
|fixed output
|-
|IP
|template
|metadata
|metadata
|
|
|IP for tcpserver to bind to , 0 for all, fixed to 0
|-
|loglevel
|template
|metadata
|metadata
|logterse (...)
|$qpsmtpd{LogLevel}
|
|-
|memory_threshold
|template
|metadata
|metadata
|
|
|fixed to 1
|-
|norelayclients
|template
|metadata
|metadata
|relay
|
|$GatewayIP if set
|-
|peers
|folder
|folder
|folder
|peers
|
|see peers section
|-
|plugin_dirs
|template
|metadata
|metadata
|
|
|fixed output /usr/share/qpsmtpd/plugins
|-
|plugins
|x
|x
|x
|x
|x
|has a copy of peers fragments, hidden by metadata
|-
|relayclients
|template
|'''metadata : to remove?'''
|'''metadata: to remove?'''
|greylisting
relay

spamassassin
|
|IP allowed for relay without auth
|-
|rhsbl_zones
|template
|metadata
|metadata
|rhsbl
|$qpsmtpd{SBLList}
|
|-
|signatures_patterns
|template
|metadata
|metadata
|
|
|uses db mailpatterns
|-
|smtpgreeting
|template
|metadata
|metadata
|
|$qpsmtpd{Greeting}
|default to host.domain
|-
|spool_dir
|template
|metadata
|metadata
|
|
|fixed output /var/spool/qpsmtpd
|-
|spool_perms
|x
|x
|x
|
|
|file, do not alter
|-
|subject_prefix
|template
|metadata
|metadata
|
|$spamassassin{Subject}
|
|-
|timeout
|template
|metadata
|metadata
|
|$qpsmtpd{timeout}
|120 as default
|-
|timeoutsmtpd
|template
|metadata
|metadata
|
|$qpsmtpd{timeoutsmtpd}
|120 as default
|-
|tls_before_auth
|template
|template
|template
|
|$qpsmtpd{TlsBeforeAuth}
|hardcoded for uqpsmtpd and sqpsmtpd
|-
|tls_ciphers
|template
|template
|template
|tls
|$qpsmtpd{TlsBeforeAuth}
$sqpsmtpd{TlsBeforeAuth}

$uqpsmtpd{TlsBeforeAuth}
|sqpsmtpd default to uqpsmtpd
global default is $modSSL{CipherSuite}
|-
|tls_protocols
|template
|template
|template
|tls
|SSLv2, SLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
|TLS1.2 minimum for uqpsmtpd and sqpsmtpd
TLS1.1 minimum for qpsmtpd

properties are set individually for each service
|-
|uribl_zones
|template
|metadata
|metadata
|
|$qpsmtpd{UBLList}
|
|}

==Peer plugin configuration==
SME Server uses a plugin call peers, that set the plugins used depending on the client IP, i.e. 2 configurations are presents one for LAN and another for WAN.
{| class="wikitable"
|+
X for not present/overriden
!plugin
!config
!qp local
!qp 0
!sqp /uqp
local
!sqp/uqp
0
!TODO
|-
|00setup
|set bounce_unknown_user
|
|
|
|
|
|-
|02logterse
|logging/logterse
|
|
|
|
|
|-
|04tls
|tls ssl/cert.pem ssl/cert.pem ssl/cert.pem ssl/dhparam.pem
|
|
|
|
|
|-
|05auth_cvm_unix_local
|
|
|
|
|
|To remove
|-
|06auth_imap
|auth/auth_imap 127.0.0.1 143
|
|
|
|
|
|-
|09karma
|karma negative $negative strikes $strikes reject naughty db_dir /var/lib/qpsmtpd/karma
|X
|
|X
|
|enabled by default ?
|-
|10earlytalker
|earlytalker
|X
|
|X
|
|<nowiki>add wait and check-at [ CONNECT | DATA ] options</nowiki>
|-
|11bogus_bounce
|bogus_bounce
|
|
|
|
|
|-
|12count_unrecognized_commands
|count_unrecognized_commands 4
|X
|
|X
|
|
|-
|13bcc
|bcc mode $qpsmtpd{BccMode} all $user
|
|
|
|
|add possibility to set direction (all/incoming/outgoing)
|-
|14relay
|relay
|
|
|
|
|should we remove from 465 and 581 or set RELAY ONLY ?
|-
|15helo
|<nowiki>helo policy { $qpsmtpd{HeloPolicy} || 'lenient' } reject naughty</nowiki>
|X
|
|X
|
|
|-
|16resolvable_fromhost
|resolvable_fromhost
|X
|
|X
|
|
|-
|17headers
|headers future $days past $days" if ($days)
|
|
|
|
|
|-
|19loadcheck
|<nowiki>loadcheck max_load { $qpsmtpd{MaxLoad} || '7' }</nowiki>
|X
|
|X
|
|
|-
|20rhsbl
|rhsbl
|X
|
|X
|
|
|-
|221spf
|<nowiki>sender_permitted_from reject 1 no_dmarc_policy { $qpsmtpd{SPFRejectPolicy} || '0' }</nowiki>
|X
|
|X
|
|change default to 1
|-
|222dkim
|dkim reject 0
|
|
|
|
|
|-
|223dmarc
|<nowiki>marc reject { (( $qpsmtpd{DMARCReject} || 'disabled' ) =~ m/^1|on|enabled|yes$/) ? '1' : '0' } reporting { (( $qpsmtpd{DMARCReporting} || 'enabled' ) =~ m/^1|on|enabled|yes$/) ? '1' : '0' }</nowiki>
|X
|
|X
|
|
|-
|22dnsbl
|dnsbl reject naughty
|X
|
|X
|
|
|-
|23naughty
|naughty reject mail
|X
|
|X
|
|
|-
|24uribl
|uribl action deny
|
|
|
|
|
|-
|30badmailfrom
|badmailfrom
|
|
|
|
|
|-
|34badrcptto
|badrcptto
|
|X
|
|X
|
|-
|34badrcptto_ext
|badrcptto more_badrcptto badrcptto_ext
|X
|
|X
|
|
|-
|37check_smtp_forward
|check_smtp_forward
|
|
|
|
|needed for submission ?
|-
|38check_goodrcptto
|check_goodrcptto extn -
|
|
|
|
|
|-
|39rcpt_ok
|rcpt_ok
|
|
|
|
|
|-
|62pattern_filter
|virus/pattern_filter check=patterns action=deny
|
|
|
|
|
|-
|62tnef2mime
|tnef2mime
|
|
|
|
|
|-
|65disclaimer
|disclaimer
|
|X
|
|X
|missing disclaimer_file definition?
|-
|70spamassassin
|spamassassin reject $spamassassin{RejectLevel} munge_subject_threshold $spamassassin{TagLevel} size_limit $spamassassin{MaxMessageSize}
|X
|
|X
|
|
|-
|71forcespamcheck
|forcespamcheck reject $spamassassin{RejectLevel} munge_subject_threshold $spamassassin{TagLevel} size_limit $spamassassin{MaxMessageSize}
|
|X
|
|X
|
|-
|80clamav
|virus/clamdscan scan_all yes clamd_socket /run/clamd/clamd.socket defer_on_error yes max_size $max_size
|
|
|
|
|
|-
|90queue-qmail-queue
|queue/qmail-queue
|
|
|
|
|also content commented to remove ?
|-
|90queue-smtp-forward
|# commented out
|
|
|
|
|
|}

==Upgrade Considerations==
we used check_badcountries for a while, but could we switch back to ident/geoip ?

whitelist plugin : adding the ip-range whitelist; add login of ip

===A-Record DNSBL Services===
:Some DNSBL services - notably b.barracudacentral.org - provide their results using a DNS "A" record instead of a DNS TXT record. The dnsbl plugin requires these services to include a colon (":") in dnsbl_zones - however, SME used to use a colon the server separator in the configuration database. In order to support these A-Record DNSBL services, the separator for RBLList, SBLList, and the new UBLList is now a comma.

:You can now configure b.barracudacentral.org using (note the single quotes):
:<code><nowiki>config setprop qpsmtpd RBLList server1,server2,'b.barracudacentral.org:Blocked - see <http://bbl.barracudacentral.com/q.cgi?ip=%IP%>'</nowiki></code>

===DKIM & DMARC===
:DKIM & DMARC are now supported natively by SME Server. To enable these you will need to configure appropriate DNS records in your public DNS server.
:There are forum reports of problems for users who had DKIM enabled using the DKIM contrib.
===URIBL===
:qpsmtpd now supports URIBL - the ability to block emails that contain known malicious URLs within the body of the email. This service is disabled by default.

:Enable URIBL with the default services using:
<nowiki>config setprop qpsmtpd URIBL enabled
signal-event email-update</nowiki>

:'''Note:''' If your SME server is using high traffic external DNS forwarders like [https://developers.google.com/speed/public-dns/ google] (8.8.8.8 / 8.8.4.4), [https://www.opendns.com/setupguide/ opendns] (208.67.222.222 / 208.67.220.220), or any large ISP's (Cox, Comcast, Verizon), enabling URIBL may block all incoming email. This will only affect you if you have configured a DNS forwarder in server-manager -- a default SME server installation does its own direct DNS lookups and would not be affected unless you receive over 250,000 emails per day.

:Read more at http://uribl.com/refused.shtml

==="Naughty" plugin===
:SME Server is now using the 'naughty' plugin which allows early plugins like dnsbl, earlytalker, etc to indicate that the email should be rejected at a later point in the interaction. This allows the server to log extra information for denied emails. Specifically, emails denied by dnsbl will now show the sender and recipient email addresses in the qpsmtpd log

==Plugins==

Below is a list of all the plugins from /usr/share/qpsmtpd/plugins on a freshly updated SME 9.2 server.

<div style="column-count:2;-moz-column-count:2;-webkit-column-count:2; border:1px solid grey;">
<tt>+ New in SME 11 
<nowiki>* Improved or changed in SME 9.2</nowiki> 
<nowiki>U Unused (by default) in SME Server</nowiki> 
<nowiki>E Extra / External Configuration Required</nowiki> 
<nowiki>CW Contrib or Wiki page exists that uses this plugin</nowiki> 
<nowiki>SM Can be configured using server-manager</nowiki> 
<nowiki>DB Can be configured using db variables</nowiki></tt>

<tt>X Provided by a contrib, not in qpsmtpd git 
<nowiki>AC Auto-configured by SME Server</nowiki></tt>
</div> 
<div style="column-count:4;-moz-column-count:4;-webkit-column-count:4">
*[[Qpsmtpd:auth/auth_checkpassword|auth/auth_checkpassword]] (U)
*[[Qpsmtpd:auth/auth_cvm_unix_local|auth/auth_cvm_unix_local]] (AC)
*[[Qpsmtpd:auth/authdeny|auth/authdeny]] (U)
*[[Qpsmtpd:auth/auth_flat_file|auth/auth_flat_file]] (U)
*[[Qpsmtpd:auth/auth_imap|auth/auth_imap]] (U)
*[[Qpsmtpd:auth/auth_ldap_bind|auth/auth_ldap_bind]] (U)
*[[Qpsmtpd:auth/auth_vpopmail|auth/auth_vpopmail]] (U)
*[[Qpsmtpd:auth/auth_vpopmaild|auth/auth_vpopmaild]] (U)
*[[Qpsmtpd:auth/auth_vpopmail_sql|auth/auth_vpopmail_sql]] (U)
*[[Qpsmtpd:autowhitelist_relayrcpt|autowhitelist_relayrcpt]] (U)
*[[Qpsmtpd:badmailfrom|badmailfrom]]
*[[Qpsmtpd:badmailfromto|badmailfromto]] (U)
*[[Qpsmtpd:badrcptto|badrcptto]] (AC)
*[[Qpsmtpd:bcc|bcc]] (U DB)
*[[Qpsmtpd:bogus_bounce|bogus_bounce]] (DB)
*check_badcountries (X [[GeoIP|CW]])
*[[Qpsmtpd:check_goodrcptto|check_goodrcptto]] (AC)
*[[Qpsmtpd:check_smtp_forward|check_smtp_forward]] (AC)
*[[Qpsmtpd_connection_time|connection_time]] (U CW)
*[[Qpsmtpd:content_log|content_log]] (U)
*[[Qpsmtpd:count_unrecognized_commands|count_unrecognized_commands]] (DB)
*[[Qpsmtpd:denysoft_multi_rcpt|denysoft_multi_rcpt]] (U)
*[[Email#How_do_I_enable_and_configure_a_disclaimer_in_email_messages|disclaimer]] (U DB CW)
*[[Qpsmtpd:dkim|dkim]] (+ DB E)
*[[Qpsmtpd:dkim_sign|dkim_sign]] (+ DB E)
*[[Qpsmtpd:dmarc|dmarc]] (DB E)
*[[Email#Real-time_Blackhole_List_.28RBL.29|dnsbl]] (* DB CW)
*[[Qpsmtpd:dns_whitelist_soft|dns_whitelist_soft]] (U)
*[[Qpsmtpd:domainkeys|domainkeys]]
*[[Qpsmtpd:dont_require_anglebrackets|dont_require_anglebrackets]] (U)
*[[Qpsmtpd:dspam|dspam]] (U)
*[[Qpsmtpd_check_earlytalker|earlytalker]] (AC [[Qpsmtpd check earlytalker|CW]])
*[[Qpsmtpd:exe_filter|exe_filter]] (U AC)
*[[Qpsmtpd:fcrdns|fcrdns]] (U)
*[[Qpsmtpd:fix_headers_case|fix_headers_case]] (U CW)
*[[greylisting]] (U CW)
*[[Qpsmtpd:handler|handler]] (U)
*[[Qpsmtpd:headers|headers]] (*)
*[[Qpsmtpd:helo|helo]] (AC)
*[[Qpsmtpd:help|help]] (U)
*[[Qpsmtpd:hosts_allow|hosts_allow]] (AC)
*[[Qpsmtpd:http_config|http_config]] (U)
*[[Qpsmtpd:ident/geoip|ident/geoip]] (U)
*[[Qpsmtpd:ident/p0f|ident/p0f]] (U)
*[[Qpsmtpd:karma|karma]] (+ U DB)
*[[Qpsmtpd:karma_tool|karma_tool]]
*[[Qpsmtpd:loadcheck|loadcheck]] (+)
*[[Qpsmtpd:logging|logging]] (AC)
*[[Qpsmtpd:loop|loop]] (U)
*[[Qpsmtpd:milter|milter]] (U)
*[[Qpsmtpd:naughty|naughty]] ()
*[[Qpsmtpd:noop_counter|noop_counter]] (U)
*[[Qpsmtpd:parse_addr_withhelo|parse_addr_withhelo]] (U)
*[[Qpsmtpd:peers|peers]] (AC)
*[[Qpsmtpd:per_user_config|per_user_config]] (U CW)
*[[Qpsmtpd:qmail_deliverable|qmail_deliverable]] (U)
*[[Qpsmtpd:queue|queue]] (AC)
*[[Qpsmtpd:quit_fortune|quit_fortune]] (U)
*[[Qpsmtpd:random_error|random_error]] (U)
*[[Qpsmtpd:rcpt_map|rcpt_map]] (U)
*[[Qpsmtpd:rcpt_ok|rcpt_ok]] (AC)
*[[Qpsmtpd:rcpt_regexp|rcpt_regexp]] (U)
*[[Qpsmtpd:registry.txt|registry.txt]] (U)
*[[Qpsmtpd:relay|relay]] (AC)
*[[Qpsmtpd:resolvable_fromhost|resolvable_fromhost]] (AC)
*[[Email#Real-time_Blackhole_List_.28RBL.29|rhsbl]] (* DB CW)
*[[Qpsmtpd:sender_permitted_from|sender_permitted_from]] (?)
*[[Email#Spamassassin|spamassassin]] (DB SM AC CW)
*[[Qpsmtpd:stunnel|stunnel]] (U)
*[[Qpsmtpd:tls|tls]] (AC)
*[[Qpsmtpd:tls_cert|tls_cert]]
*[[Qpsmtpd:tnef2mime|tnef2mime]] (AC)
*[[Qpsmtpd:uribl|uribl]] (DB)
*[[Qpsmtpd:user_config|user_config]] (U)
*[[Virus:Email_Attachment_Blocking|virus]] (DB SM CW)
*[[Qpsmtpd:whitelist|whitelist]] (U?)
</div>

----
[[Category:Mail]]
[[Category:Qpsmtpd]]
[[Category:SME11-Development]]

SMEServer Useful

2026-01-10T06:58:29Z

Rdswikiadmin: Created page with "Copied from; https://wiki.koozali.org/Useful_Commands {{usefulnote}} ==SME Server locale== By default the sme server 8 locale is ISO-8859-1ldapsear ==ACL== ===See ACL=== getfacl /path/2/files/or/folders ===set ACL=== setfacl -P -R -m u:apache:rwX,d:u:apache:rwX /path/2/files/or/folders -R : recursive -P : physical, follow symlinks ==Apache Related Commands== ===Apache options to ibay=== ====Expand httpd.conf template==== expand-template /etc/http..."

Copied from; https://wiki.koozali.org/Useful_Commands

{{usefulnote}}
==SME Server locale==
By default the sme server 8 locale is ISO-8859-1ldapsear

==ACL==

===See ACL===
getfacl /path/2/files/or/folders

===set ACL===
setfacl -P -R -m u:apache:rwX,d:u:apache:rwX /path/2/files/or/folders

-R : recursive 

-P : physical, follow symlinks

==Apache Related Commands==
===Apache options to ibay===
====Expand httpd.conf template====

expand-template /etc/httpd/conf/httpd.conf
sv h /service/httpd-e-smith
or
/sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
/usr/bin/sv h /service/httpd-e-smith

====Restart httpd====

/etc/init.d/httpd-e-smith restart
or
sv t /service/httpd-e-smith

=====SME10=====
How do I start, restart, stop, reload and check the status of a service (httpd-e-smith.service) with systemd.

# systemctl start httpd-e-smith.service
# systemctl restart httpd-e-smith.service
# systemctl stop httpd-e-smith.service
# systemctl reload httpd-e-smith.service
# systemctl status httpd-e-smith.service

====Enable AllowOverride All/None====
leave Apache reads the distributed configuration file .htaccess per ibay:
db accounts setprop IBAYNAME AllowOverride All
signal-event ibay-modify IBAYNAME
if you want to remove
db accounts delprop IBAYNAME AllowOverride
signal-event ibay-modify IBAYNAME

====enable Symlinks in that iBay====
db accounts setprop IBAYNAME FollowSymLinks enabled
signal-event ibay-modify IBAYNAME
if you want to remove
db accounts delprop IBAYNAME FollowSymLinks
signal-event ibay-modify IBAYNAME

====disable apache directory indexes per ibay====
db accounts setprop IBAYNAME Indexes disabled
signal-event ibay-modify IBAYNAME
if you want to remove
db accounts delprop IBAYNAME Indexes
signal-event ibay-modify IBAYNAME

====PHPBaseDir per ibay====
the phpbasedir is a "php-jail", if you want that it uses its normal jail and allow it to use also /tmp then :

db accounts setprop IBAYNAME PHPBaseDir /home/e-smith/files/ibays/IBAYNAME/:/tmp/
signal-event ibay-modify IBAYNAME

====Allow PHP URL File Open per ibay====
For SME9 exclusively see [[Useful_Commands#PHP_settings_only_for_SME9]] 

Make custom httpd directory if not exist
mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf

Create the template name 99allow_url_fopen and put the content
<Directory /home/e-smith/files/ibays/IBAYNAME/html>
php_admin_flag allow_url_fopen on
</Directory>
Save the file

Expand
expand-template /etc/httpd/conf/httpd.conf

Restart httpd.
/etc/init.d/httpd-e-smith restart

====Allow PHP URL File Open====

This is set with a db command.
Use the command here
http://wiki.contribs.org/DB_Variables_Configuration#Php
and replace the variable and value
eg

db configuration setprop php AllowUrlFopen On
expand-template /etc/php.ini
/etc/init.d/httpd-e-smith restart

====PHP document root====
$_SERVER['DOCUMENT_ROOT']
If you set up an application in an ibay you may have some odd results due to the usage of $_SERVER['DOCUMENT_ROOT'] by the application.
By default this is set in php.ini to :

/home/e-smith/files/ibays/Primary/html

How to overcome $_SERVER['DOCUMENT_ROOT'] issues in ibays see [[PHP_document_root]]

====PHP settings only for SME9====
{{Tip box|msg=These settings modify only the behaviour of one ibay and not at all the whole php settings for the server. Only for sme9, see [[bugzilla:8239]]}}

db accounts setprop ibayname variable value
signal-event ibay-modify ibayname

AllowUrlFopen : enabled/disabled
MemoryLimit : set a M as unit, eg 64M
UpMaxFileSize : set a M as unit, eg 64M
PostMaxSize : set a M as unit, eg 64M
MaxExecTime: unlimited or set time in second without units, eg 60

====PHPinfo====
PHPinfo will provide an overview of all PHP related settings. A quick way to get an overview or search for a setting, one could use:
php -r "phpinfo();" | less
or to save to a text file:
php -r "phpinfo();" > phpinfo.txt
or to search for specific values and save to a text file:
php -r "phpinfo();" | grep mysql > phpmysql.txt

===https forced redirection using custom template===
see [[Https_redirection]]

If it does not already exist then create the following directory

mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts

cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts

nano 60redir-ibayname1

Paste or type the following code including the brackets, replacing ibayname with the name of your ibay

{
if ($port ne "443")
{
$OUT .= <<'HERE';
## Redirect Web Address to Secure Address
RewriteEngine on
RewriteRule ^/ibayname https://%{HTTP_HOST}/ibayname

## End Of Redirect
HERE
}
}

Save the file & exit by Ctrl+x

/sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf

/etc/init.d/httpd restart

==Backup==
===Debug the Mount of a remote workstation Share===
In the case of you have errors when you mount a remote cifs share (used by the panel 'backup or restore', you can experiment by just running the two commands from the command line (replace $host $share $mountdir appropriately)
/bin/mount -t cifs "//$host/$share" $mountdir -o credentials=/etc/dar/CIFScredentials,nounix
/bin/mountpoint $mountdir

For example :
/bin/mount -t cifs "//192.168.xx.xx/backup-sme" /mnt/smb -o credentials=/etc/dar/CIFScredentials,nounix
/bin/mountpoint /mnt/smb/

===Launch Manually a backup===
* only for an usb_backup or a remote_backup
/etc/e-smith/events/actions/workstation-backup-dar

==Certificates==
see http://wiki.contribs.org/Certificates_Concepts
===How to change your certificate===

Since SME version 7.1.3, the functionality to configure a Common Name in the certificate is included in the main SME packages and can be configured as follows:

config setprop modSSL CommonName www.domain.com
expand-template /home/e-smith/ssl.crt/crt
expand-template /home/e-smith/ssl.key/key
signal-event domain-modify
signal-event email-update

see this forum thread [http://forums.contribs.org/index.php?topic=33109.15] and bug report [http://bugs.contribs.org/show_bug.cgi?id=1689]

===How to set a different expiration time===

The SME self signed certificate is valid for one year, and is automatically renewed on the anniversary of the installation date of the SME server OS.
To specify how long your SME certificate will last for, do the following:

cp /etc/e-smith/templates/home/e-smith/ssl.crt /etc/e-smith/templates-custom/home/e-smith/ssl.crt
nano -w /etc/e-smith/templates-custom/home/e-smith/ssl.crt

change the value for KEYLIFEINDAYS on the first line to the number of days the certificate will remain valid for eg 1826 for 5 years.

Save & exit by pressing the following keys at the same time
ctrl o
ctrl x

Create a new self signed certificate, with the longer validity period. Replace the filenames below with the correct file/key names applicable to your server.
rm /home/e-smith/ssl.crt/servername.domain.com.crt
rm /home/e-smith/ssl.key/servername.domain.com.key
rm /home/e-smith/ssl.pem/servername.domain.com.pem
signal-event post-upgrade
signal-event reboot

Install the new certificate into your browser.

Also see http://wiki.contribs.org/Certificates_Concepts

===How to simply recreate the certificate for SME Server===

rm /home/e-smith/ssl.{crt,key,pem}/*
config delprop modSSL CommonName
config delprop modSSL crt
config delprop modSSL key
signal-event post-upgrade
signal-event reboot
alternately
config show modSSL
config delprop modSSL crt key CertificateChainFile
signal-event ssl-update

==Command-Line Quick Reference Guide==
Below is a list of commands that I use all the time & tend to forget.
===Generic Linux===

{| class="wikitable"
|-
! COMMAND NAME !! DESCRIPTION
|-
| /usr/sbin/smbd -V || samba version
|-
| /usr/sbin/httpd -v || apache version
|-
| httpd -t || verify the syntax of the configuration file of apache
|-
| httpd -tf /path/to/config/file || verify the syntax of the specified configuration file of apache
|-
| httpd -t -D DUMP_MODULES || display all loaded modules of apache
|-
| mysql -v || mysql version
|-
| php -v || php version
|-
| du -sh /* || shows your folder sizes by directory in the root (you can adapt to your directory path)
|-
| df -h || shows disk usage in human readable form
|-
| man <commandname> || shows more info about a command
|-
| uname -a || kernel release version
|-
| mv || moves or renames a file
|-
| cp || copies or backup a file
|-
| rm || removes or deletes a file
|-
| <nowiki>ps -aux|grep <process></nowiki> || outputs processes running <process>
|-
| ps -AH || report process status
|-
| ps fax || display processes by tree with their pid
|-
| top || shows processes
|-
| top -i || shows only active processes
|-
| htop || shows processes (more versatile than top)
|-
| iptraf || shows network info
|-
| mc -d || show midnight commander (cli file browser) to navigate through system easily
|-
| host -t mx aol.com || shows the mx records for aol.com
|-
| dig any aol.com || show all dns records for aol.com (you can choose the dns server by adding its IP or hostname : '@8.8.4.4')
|-
| net groupmap list || shows samba mappings to nt groups
|-
| telinit 1 || changes to single user mode
|-
| ifconfig || shows detailed info on ethernet ports
|-
| grep -nsr "casesensitivesearch" /path/to/dir || finds all documents containing the criteria in a dir (add 'i' to the options for a non sensitive search)
|-
| grep -nsri server-manager.jpg /etc/e-smith/ || search the file server-manager.jpg in the path directory /etc/e-smith
|-
| grep -P '^www |apache' /etc/group || search after patterns which start by www and/or apache in /etc/group
|-
| tail -f /var/log/<LOGFILE> || realtime viewing of your log file
|-
| tar -czvf foo.tar.gz foo || creates a tar/zip file of a directory
|-
| tar -xvzf foo.tar.gz || untar/unzip a tar/zip file
|-
| scp -P <ssh_portnumber> foo.tar.gz <user>@<other_server_ipaddress>:/opt || transfers file to another server in /opt directory
|-
| rsync --progress -te "ssh -p <ssh_portnumber>" foo <other_server_ipaddress>:/opt || transfers file to another server
|-
| sed -i -e "s/foo/fee/g" <FILENAMEORPATHTODIR> || replaces foo with fee
|-
| sed '/abba/Id' file.txt || remove all '''lines''' with the string 'abba' (case sensitive) in the file.txt
|-
| sed -n '/^www/p' /etc/group || print all line starting by www in the file /etc/group
|-
| watch mysqladmin process || shows the mysql processes running
|-
| lslbk <ONLY SME9>|| lsblk lists information about all available or the specified block devices. The lsblk command reads the sysfs filesystem to gather information. The command prints all block devices (except RAM disks) in a tree-like format by default.
|-
| <nowiki>find . -type f | xargs rpm -qf | sort | uniq</nowiki> || find from which rpm these files come from
|-
| who -r || see in which runlevel you are running (7 for sme8, 4 for sme9)
|-
| findmnt || findmnt will list all mounted filesytems or search for a filesystem.
|-
| pstree || pstree shows running processes as a tree. The tree is rooted at either pid or init if pid is omitted.
|-
| clamdtop || clamdtop is a tool to monitor one or multiple clamd(s), that shows the jobs in clamd’s queue, memory usage, and information about the loaded signature database.
|}

Estimate file space usage - drill down into directories
cd /
du --si --max-depth 1
cd /home
du --si --max-depth 1
cd /home/e-smith
du --si --max-depth 1

====UID/GID====
* see informations of a user
id USER
*change the uid of a user
usermod -u '''UID''' USER_NAME
* create a group
groupadd -g '''GID''' -o GROUPE_NAME
* modify the GID of a group
groupmod -o -g '''GID''' GROUPE_NAME
* add a principal group to a user
usermod -g '''GROUP_NAME_OR_GID''' USER_NAME
* add a secondary group to a user
usermod -a -G '''GROUP_NAME_OR_GID''' USER_NAME

====usermod====
*change the home directory (-m move files/folders to the new location)
usermod -d /var/lib/jdownloader jdownloader
* change the shell access of a user
usermod --shell /bin/bash jdownloader

====Read a TAI64N timestamp in human readable format====
[http://cr.yp.to/daemontools/tai64nlocal.html tai64nlocal] converts precise TAI64N timestamps to a human-readable format.
tai64nlocal reads lines from stdin. If a line does not begin with @, tai64nlocal writes it to stdout without change. If a line begins with @, tai64nlocal looks for a timestamp after the @, in the format printed by tai64n, and writes the line to stdout with the timestamp converted to local time in ISO format: YYYY-MM-DD HH:MM:SS.SSSSSSSSS. 

Eg
cat /var/log/qpsmtpd/current |tai64nlocal|less
Or
tailf /var/log/sshd/current | tai64nlocal

====adjust the ntp time====
if you want to set the correct time via ntpd without restarting the server 

in a root terminal
/etc/init.d/ntpd stop
ntpdate pool.ntp.org
/etc/init.d/ntpd start
and to verify
date

====create missing group and set gid====
If a specific sme group or linux group is missing, you can create it again. see [[bugzilla:7932#c48]]
groupadd -g 102 -o apache
rpm --setugids --setperms rpm1 rpm2

where 102 is the correct gid of apache group, adapt it to the right setting
where rpm1 and rpm2 are valid rpm but broken due to the lack of apache group during installation or upgrade

if the group apache exists but with the wrong gid (example 48) you can set the 102 gid

groupmod -o -g 102 apache

====display what are your network interfaces====
# perl -Mesmith::ethernet -e "print esmith::ethernet::probeAdapters();"
EthernetDriver1 e1000 08:00:27:23:85:a6 "Intel Corporation 82540EM Gigabit Ethernet Controller (rev 02)"
alternatively, and only for SME9 or greater, you can use
# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether AA:BB:CC:DD:EE:FF brd ff:ff:ff:ff:ff:ff
inet 11.22.22.44/XY brd 11.22.33.255 scope global eth0
3: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
link/ether 10:00:01:02:03:04 brd ff:ff:ff:ff:ff:ff
inet 192.168.45.1/24 brd 192.168.45.255 scope global dummy0

====find files by their size====
it could be useful to find large file by the command line

find /home/e-smith -type f -size +200'''M''' -exec ls -lh {} \; | awk '{ print $ ":_" $5 }';

use
‘k’ for Kilobytes (units of 1024 bytes)
‘M’ for Megabytes (units of 1048576 bytes)
‘G’ for Gigabytes (units of 1073741824 bytes)

====reduce root's user reserved space====
as a default, 5% of the disk space is allocated to root user

you can reduce the allocated space to 1% with (for LVM)

tune2fs -m 1 /dev/mapper/main-root

if you're not using LVM, use

df -h

to see where / is mounted

====find files by the Name====
find ~/smeserver/ -name 'e-smith-backup-2.4.0*'
or use (updatedb is launched every night)
updatedb
locate e-smith-backup-2.4.0

====how much mail data per user is stored on the server====

You can adapt that command line to your needs, here we can see the used disk spaceof all emails stored by your users on your SME Server.
du -s /home/e-smith/files/users/*/Maildir | sort -rn | cut -f2- | xargs -d "\n" du -sh

====Replace a chain of characters====
Replace a chain of characters chaine1 by chaine2 in all files of the current directory with '.txt'

find . -name "*.txt" -type f -exec sed -i "s/chaine1/chaine2/g" {} \;

====Check file system in case of corruption====

If your filesystem is corrupted. That can be a hardware failure, or a software corruption (after a crash). The server won't boot before you manually run fsck to check/repair the filesystem. Note that this might not be possible if the problem is comming from hardware failure (hope you have backups....).

Try this:
- when you're prompted to, enter the root password, you'll be dropped on a shell
- manually run fsck

e2fsck -D -tt -y /dev/main/root

It can take several minutes/hours depending on the size of your drives and their speed. With some luck, the filesystem will be cleaned, and you'll be able to boot.

====Adding notes/comments to shell commands====
You can add comments to shell commands without interrupting the functionality of the shell command. The comments will be appear in .bash_history which can be beneficial for later analysis. e.g. Why was the the command given or who entered the command. Examples:
cat /etc/redhat-release #johnd What version are we running

config setprop sshd status disabled #maryc Disable ssh access ticket:#12345

With (complex) grep arguments one would be able to search the bash history on different criteria. e.g. To find all shell commands given entered by mary that have something to do with ssh (example line above):
cat /root/.bash_history | grep "#mary" | grep ssh
will return:
config setprop sshd status disabled #maryc Disable ssh access ticket:#12345

====Adding date and time to bash history====
By default the bash history does not show the date and time of any activity. You can enable this by entering the following command:
HISTTIMEFORMAT="%d/%m/%y %T "
where %d=day, %m is month, &y is year and %T is time

To see the bash history with the date and time added, enter:
history

the history command can be useful in combination with added comments to shell commands for more precise analysis or (automatic) reporting based on a shell script and cron.

====Find open ports====

* netstat
# netstat -anp|grep 5232
tcp 0 0 192.168.12.233:5232 0.0.0.0:* LISTEN 2028/python

* nmap
nmap can specify if a port is closed or not
yum install nmap
nmap localhost -p 5232

===Raid===
You have a lot of interesting tutorial [http://wiki.contribs.org/Category:Administration:Storage concerning the Raid]
==== shows software raid performance ====
hdparm -Tt /dev/mdX

(where X is 0,1,2,etc)

==== gives raid info ====
mdadm --detail /dev/mdX

(where X is 0,1,2,etc)

==== shows software raid ====
cat /proc/mdstat

==== remove the degraded raid ====
when you install the smeserver with one drive and in a degraded raid, you will see a 'U_' state but without warnings. If you want to leave just one 'U'
mdadm --grow /dev/md0 --force --raid-devices=1
mdadm --grow /dev/md1 --force --raid-devices=1

===RPM's===

{| class="wikitable"
|-
! Command !! Explanation
|-
| rpm -qa || shows all rpms installed
|-
| rpm -qa --last || shows all rpms installed & installation date
|-
| rpm -q || asks for rpm info
|-
| rpm -qi || asks for detailed rpm info
|-
| rpm -qlv <packagename> || lists all files in a package
|-
| rpm -qlvp <packagename.rpm> || List all files in a rpm which is not installed
|-
| rpm -qf <filename> || reports what package a file belongs to
|-
| rpm -qV <packagename> || reports if permission and ownership are OK
|-
| rpm -qRp <packagename.rpm> || Find what dependencies have a rpm
|-
| rpm -qR <packagename> || Find what dependencies have a package name
|-
| rpm -q --whatrequires <packagename> || find what packages have <packagename> as dependancy
|-
|rpm -e --test <packagename> || find what packages have <packagename> as dependancy (more verbose as above)
|-
| rpm -e --nodeps <packagename> || remove packagename without removing dependencies
|-
| rpm --setugids <packagename> || set right ownership to rpm
|-
| rpm --setperms <packagename> || set right permissions to rpm
|-
| rpm -e --noscripts <packagename> || remove packagename without executing sciptlets (%pre, %post, %preun, %postun)
|-
| rpm -Va || capture any damaged/incomplete rpms - but will also show lots of configuration files, which you of course expect to be modified.
|}

====Find upstream rpms patched by contribs.org====
For the need of the distribution we ought to patch some upstream rpms, this is the list
rpm -qa --qf "%{name} %{BuildHost}\n" | grep -P 'build64\-1|builder.koozali.org' | awk '{print $1}' | grep -vP '^smeserver|e\-smith' | sort

====Restore all permissions and ownership====
If you want to restore all permissions and right ownership of rpm, you can do this in a root terminal. See [[bugzilla:6851#c15]]
for f in $(rpm -qa); do echo $f; rpm --setugids $f; done
for f in $(rpm -qa); do echo $f; rpm --setperms $f; done

===YUM'ing and repositories===
{| class="wikitable"
|-
! Command !! Explanation
|-
| yum install <packagename> || installs packagename & any package it may need
|-
| yum remove <packagename> || removes packagename
|-
| yum history package-info <packagename> || Shows the installation/removal history of a package and it's Transaction ID [http://yum.baseurl.org/wiki/YumHistory see more commands]
|-
| yum history undo <Transaction ID> || Removes all packages from a specific Transaction ID [http://yum.baseurl.org/wiki/YumHistory see more commands]
|-
| yum list updates || list updates to any installed package
|-
| yum list available || list available packages in all repos not already installed
|-
| yum list available |grep <reponame> || list available packages -shows only from repo name
|-
| yum search <packagename> || lists all packages in all repos matching packagename
|-
| yum clean all --enablerepo=* || Is used to clean up various things which accumulate in the yum cache (includes disabled repos)
|-
| yum --enablerepo=<reponame> <command> || enables a repo not normally enabled
|-
| /sbin/e-smith/audittools/newrpms || shows all extra packages installed
|-
| /sbin/e-smith/audittools/repositories || show all repositories and if they are activated or not
|-
| db yum_repositories show <reponame> || show properties of the repository <reponame> '''(you may use TAB to auto-complete your command line)'''
|}

=====Restoring Default Yum Repositories=====

{{note box|If you have problems with your yum setup you may have entered incorrect repository values. Remove the current values and restore the original setting with these commands}}

cd /home/e-smith/db/
mv yum_repositories yum_repositories.po
/etc/e-smith/events/actions/initialize-default-databases

Now you have a clean install, you can re-add 3rd party repos as described above

signal-event yum-modify

and check if you can update your server

yum update

==LDAP==
===Show/Debug the state of LDAP===
about the DB settings
db configuration show ldap

about the service (see the pid and the output when manually you start the service)
cd /service/ldap
sv s .
./run

See the ownership of LDAP database (must be owned ldap:ldap)
ll /var/lib/ldap/

===ldif-fix===
it just prints what changes are needed in the ldap tree. With -u instead of -d, those changes are applied
/var/service/ldap/ldif-fix -d

===Parse the ldap catalogue===

you can use this command
slapcat
or if you want to sort
slapcat | grep -viP 'userPassword|sambaNTPassword|sambaLMPassword'

===namingContexts===
we can conduct a simple search of the naming context to see our directory information you can display 'dn' LDAP parameters, either by the [[SME_Server:Documentation:Administration_Manual:Chapter13#Directory|server-manager]] or by the command line :
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts''
or you can do
ldapsearch -x -h localhost -s base |grep 'dn'

* for example

[root@sme9 ~]# ldapsearch -x -h localhost -s base |grep 'dn'
# base <dc=stephane,dc=dtdns,dc=net> (default) with scope baseObject
# stephane.dtdns.net
'''dn: dc=mycompany,dc=local'''

====Retrieve the ldap base====
in a template you can do
baseDN = "ou=Users,{ esmith::util::ldapBase($DomainName); }";

===request a listing of all entries===
The following LDAP search is requesting a listing of all entries starting from the base "dc=example,dc=local". This should return all of the entries

ldapsearch -x -b 'dc=mycompany,dc=local' '(objectclass=*)'

===Bind with a specific user on LDAP===
Try to connect to ldap with credentials of a specific user and see the LDAP catalogue. Find the '<nowiki/>'''dc'''' by the chapter [[Useful_Commands#namingContexts|above]]

ldapsearch -x -D uid=user2,ou=Users,dc=server1,dc=pt -W

* for example
[root@sme9 ~]# ldapsearch -x -D uid=stephane,ou=Users,dc=mycompany,dc=local -W

===Check a specific user in LDAP catalogue===
display informations on the user requested. Find the '<nowiki/>'''dc'''' by the chapter [[Useful_Commands#namingContexts|above]]

'''for sme9'''
ldapsearch -x -D cn=root,dc=server1,dc=pt -w $(cat /etc/pam_ldap.secret) -b ou=Users,dc=domain,dc=tld "uid=test2"
'''for sme8'''
ldapsearch -x -D cn=root,dc=server1,dc=pt -w $(cat /etc/ldap.secret) -b ou=Users,dc=domain,dc=tld "uid=test2"

* for example
'''for sme9'''
ldapsearch -x -D cn=root,dc=mycompany,dc=local -w $(cat /etc/pam_ldap.secret) -b ou=Users,dc=mycompany,dc=local "uid=stephane"
'''for sme8'''
ldapsearch -x -D cn=root,dc=mycompany,dc=local -w $(cat /etc/ldap.secret) -b ou=Users,dc=mycompany,dc=local "uid=stephane"

===Retrieve the ldap password===

* directly in a terminal
perl -Mesmith::util -e 'print esmith::util::LdapPassword();'
* in a template
my $pwd = esmith::util::LdapPassword();

if you need to call the ldap password in a script you can invoke this bash variable
* for sme8
PWD=$(cat /etc/ldap.secret)
* for sme9
PWD=$(cat /etc/pam_ldap.secret)

==Log==
===Parse Log files to search for errors===
When you want to test the SME Product it can be useful to see what it occurs.
This CL can help you, but you should read the entire log
grep -iE "uninitialized|WARNING|ERROR" /var/log/messages
of course this is for the /var/log/messages

or if you want to parse all log
grep -iE "uninitialized|WARNING|ERROR" /var/log/*

{{Note box| you have now a tool in your hand to parse logfile : [[Audit_Tools#logcheck]]. You should be aware that tool is here to help to find errors in the development side of the SME Server and thus you could have a lot of false positive}}

=== '''Parse log for hack / phishing for missing files''' ===
<syntaxhighlight lang="bash">
EXTIP=`curl -s ifconfig.me/ip`
grep "File does not exist" /var/log/httpd/error_log | sed -e 's#\: /#\n#' | grep "home" | sort -u | sed -e "s#$EXTIP#\<IP\>#g" > dict_err.txt
# grep "File does not exist" /var/log/httpd/admin_error_log | sed -e 's#\: /#\n#' | grep "home" | sort -u | sed -e "s#$EXTIP#\<IP\>#g" > dict_admin_err.txt
</syntaxhighlight>
* verbose output

less /var/log/messages| grep -iE "useless|uninitialized|warn|fail|error|disable|unable|exit"

* search all logs with verbose output
less /var/log/* | grep -iE "useless|uninitialized|warn|fail|error|disable|unable|exit"

==Mail==
see [[Email]]

===check blocked email address by the server===
grep -i 'blocked email address' /var/log/qpsmtpd/current

===maximum email size===
[[Email#Set_max_email_size]]

===Spam filter with Server-Manager===
Using the Server-Manager Configuration/E-Mail panel, adjust the settings to these reasonable defaults.

*Virus scanning Enabled
*Spam filtering Enabled
*Spam sensitivity Custom
*Custom spam tagging level 4
*Custom spam rejection level 12
*Sort spam into junkmail folder Enabled
*Modify subject of spam messages Enabled

===spam retention in junk mailbox===
The server will automatically delete old spam in the junkmail folders after 90 days. You can control the number of days old spam is kept with the following commands. Where 15 is the number of days you want to keep messages, do...
db configuration setprop spamassassin MessageRetentionTime 15
signal-event email-update
svc -t /service/qpsmtpd
then
config show spamassassin

===Mail Statistics===

See [[Mailstats]] for details on the mailstats package.

yum install --enablerepo=smecontribs smeserver-mailstats

===Whitelist and Blacklist===
If mail comes in and it is misclassified as spam by Spamasassin, you can add the sender to the Spamassassin whitelist so that future messages coming in from that sender are not filtered.
Conversely, you can add a spammer to the Spamassassin blacklist so you never see their spam again.
Add senders (or their entire domains) to the global whitelist (or blacklist) with commands similar to these (as root):

db spamassassin setprop wbl.global *@vonage.com White
db spamassassin setprop wbl.global *domain2.com White
db spamassassin setprop wbl.global user@domain3.com White
db spamassassin setprop wbl.global spammer@spamdomain.com Black

expland template and save the configuration to the database
signal-event email-update

You can view the lists with this command:
db spamassassin show

These lists can be also controlled by the server-manager with the wbl contrib http://wiki.contribs.org/Email_Whitelist-Blacklist_Control

==MySQL==
There appears to be no password set for the MySQL root password, but this is not true. If you are logged in to the SME Server shell a special mechanism is in place to log you in with MySQL root privileges without prompting you for the password.

The MySQL root password for SME Server is a 72 character random string generated during installation of SME Server. You should never change the MySQL root password as this will break your SME Server configuration. How to login as MySQL root user? describes how to access MySQL with root privileges on SME Server.

For more informations you can see the [[MySQL]] page

===Login as MySQL root user===
To login as MySQL root user, simply type 'mysql' at the SME Server shell, this will log you in with root privileges.
the mysql admin password is a random password generated which can be find

*/root/.my.cnf
*/etc/ldap.secret for sme8 and /etc/pam_ldap.secret for sme9

'''do not modify these files.'''

* directly in a terminal
perl -Mesmith::util -e 'print esmith::util::LdapPassword();'
* in a template
my $pwd = esmith::util::LdapPassword();

if you need to call the mysql password in a script you can invoke this bash variable
* for sme8
PWD=$(cat /etc/ldap.secret)
* for sme9
PWD=$(cat /etc/pam_ldap.secret)

===Create a Database and its User===
Create a new MySQL database (In this example the database name is databasename. Change '''databasename''', '''username''' and '''password''' with your own choices as required)

Login as root and issue the following command to enter the MySQL CLI and create the database:

mysql
create database '''databasename''';
grant all privileges on '''databasename'''.* to '''username''' identified by '<nowiki/>'''password'''';
flush privileges;
exit

or directly from the shell or script:

mysql -e "create database '''databasename''';"
mysql -e "grant all privileges on '''databasename'''.* to '''username''' identified by '<nowiki/>'''password'''';"
mysql -e "flush privileges;"

===Remove a database===
Get access to the SME Server shell and MySQL and issue the following command:

drop database databasename;
or from the shell. Confirmation will be asked.
mysqladmin drop databasename
Replace databasename with the name of the database.

===Remove a user===
Get access to the SME Server shell and MySQL and issue the following command:

USE mysql;
DELETE FROM user WHERE user = 'username';
FLUSH PRIVILEGES;

Replace username with the username you wish to delete.

{{Tip box|mysql_setpermission is a command line menu driven utility that can assist in MySQL administration.}}

===Show databases directly from CLI===

Directly in your Terminal you can see how much DB mysql you have.

mysqlshow

+--------------------+
| Databases |
+--------------------+
| information_schema |
| egroupware |
| horde |
| mysql |
| roundcube |
| test |
| wordpress |
+--------------------+

===Other useful MySQL commands:===
* list all available database.
show databases;
*display a list of the MySQL users
SELECT user FROM mysql.user;
*remove the user jeffrey
DROP USER 'jeffrey'@'localhost';
* list the privileges granted to the account user
SHOW GRANTS FOR 'user'@'localhost';
* give all rights on all databases for new_dba user
GRANT ALL PRIVILEGES ON *.* TO 'new_dba'@'localhost' IDENTIFIED BY 'password' WITH GRANT OPTION;
FLUSH PRIVILEGES;
* give all rights on database for new_user
GRANT SELECT, UPDATE, INSERT, DELETE ON database.* TO 'new_user'@'localhost' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;
* will let you destroy a database. Use with care. Use 'mysqladmin --help' for all available options.
mysqladmin drop '''databasename''';
* show you all '''table''' details of mysql '''database'''
use database;
show table status;
* let you see all '''tables''' of mysql '''database'''
use database;
show table status;

==Password==
===Password strength===

First a warning - Far too many systems out there have weak passwords and they will be broken into. Educating your users on the necessity of strong passwords is the best option. If that fails, here is how you change the password strength checking from 'strong' to 'normal', which was the setting in previous versions of SME. Be careful to use the exact capitalization.

config setprop passwordstrength Admin normal
config setprop passwordstrength Users normal
config setprop passwordstrength Ibays normal

It is also possible, but strongly discouraged, to disable password strength checking by setting to 'none'

Password strength options are:

none : Only checks if the password meets the minimum length requirement (default - 12 characters).
normal : Requires minimum length plus both uppercase and lowercase characters.
intermediate : Requires minimum length, uppercase, lowercase, and passes a dictionary check.
strong : Requires all of intermediate's checks plus must contain numbers and special characters

And password minimum length (which defaults to 12), can be set:

config setprop passwordstrength length <whatever>

===Change Password Users by the command line===

If you want to change password to your users by the command Line instead of the user panel of SME Server you can do it like this.

perl -e "use esmith::util;esmith::util::setUserPassword( 'username', 'password');"; /sbin/e-smith/signal-event password-modify username

run it for each user separately and replace
username
and
password
with the appropriate values for each of your users.

For special characters note this bug regarding escaping [[bugzilla:8510]]

Some examples :

perl -e 'use esmith::util;esmith::util::setUserPassword("username","pass!word");'

Or:

perl -e "use esmith::util;esmith::util::setUserPassword( 'username','pass"'!'"word');"

===Generating strong random password===
You can Install '''[[Random_Strong_Password_Generator|randpw]]''' else you can use manually the CL below

Security should not be taken lightly and password for e.g. databases, connections etc. need to be long and strong. One way of generating a strong random password is:
< /dev/urandom tr -dc '_A-Z-a-z-0-9!@+[](){}~<>*%^&#+=/$:;,?' | head -c${1:-50};echo;
This will generate a 50 character long random password whereby the characters are selected from the above given string _A-Z-a-z-0-9!@+[](){}~<>*%^&#+=/$:;,?. The number 50 represents the length of the generated password and can be adjusted to fit your needs.

One could also store the generated password to a file or to a db key:
< /dev/urandom tr -dc '_A-Z-a-z-0-9!@+[](){}~<>*%^&#+=/$:;,?' | head -c${1:-50} > mypassword.txt

config set MyStrongPassword `< /dev/urandom tr -dc '_A-Z-a-z-0-9!@+[](){}~<>*%^&#+=/$:;,?' | head -c${1:-50};echo;`
Please note the usage of ` (the backtick character) which is not the same as the ' (single quote character)

===Signalling events : Signal-event===

The signal-event program takes an event name as an argument, and executes all of the actions in that event, providing the event name as the first parameter and directing all output to the system log. It works by listing the entries in the event directory and executing them in sequence. So for example, the command:

signal-event console-save

will perform all the actions associated with the console-save event, which is defined by the contents of the /etc/e-smith/events/console-save/ directory. This is exactly what the console user interface does when you select save at the end of the console configuration wizard.

[[SME_Server:Documentation:Developers_Manual:Chapter7#Standard_events_and_their_arguments| see all options]]

==PHP Related Commands==
===Show current php settings===

config show php

===Expand php.ini template===

expand-template /etc/php.ini

===Configure PHP Basedir Restriction per ibay===

db accounts setprop IBAYNAME PHPBaseDir DIR1:DIR2:DIRn
signal-event ibay-modify IBAYNAME

Example

db accounts setprop Primary PHPBaseDir /home/e-smith/files/ibays/Primary:/tmp
signal-event ibay-modify Primary

===Execution Time===
For SME9 exclusively see [[Useful_Commands#PHP_settings_only_for_SME9]] 
db configuration setprop php MaxExecutionTime ZZ
expand-template /etc/php.ini
/etc/init.d/httpd-e-smith restart
where ZZ is the time in seconds.

===Memory Limit===
For SME9 exclusively see [[Useful_Commands#PHP_settings_only_for_SME9]] 
db configuration setprop php MemoryLimit XXM
expand-template /etc/php.ini
/etc/init.d/httpd-e-smith restart
where XX is the amount of memory in Mb.

===Upload Max File Size===
For SME9 exclusively see [[Useful_Commands#PHP_settings_only_for_SME9]] 
db configuration setprop php UploadMaxFilesize WW
expand-template /etc/php.ini
/etc/init.d/httpd-e-smith restart
where WW is the file size in Mb.

===Post Maximum Size===
For SME9 exclusively see [[Useful_Commands#PHP_settings_only_for_SME9]] 
db configuration setprop php PostMaxSize WW
expand-template /etc/php.ini
/etc/init.d/httpd-e-smith restart
where WW is the file size in Mb.

===Allow URL FOpen===
For SME9 exclusively see [[Useful_Commands#PHP_settings_only_for_SME9]] 
Not secure. Instead use per ibay or directory.

==SAMBA==
===shows samba mappings to nt groups===
net groupmap list
===manage the SAM database(Database of Samba Users)===
The pdbedit program is used to manage the users accounts stored in the sam database and can only be run by root.
pdbedit -u USER -v
for example
pdbedit -u stephane -v

===check an smb.conf configuration===
testparm - check an smb.conf configuration file for internal correctness
testparm -vs

===The Trust Relationship Failure===
Using Samba 3 sometimes some Windows computers fall off the domain, resulting in a trust relationship failure.

The trust relationship between this workstation and the primary domain failed.

This is generally caused by mis-matched work-station and domain controller account passwords. To reset this you must un-join/re-join the domain.

===enable samba audit logs for ibays===
Samba audit logging can be enabled for ibays using db variables.

Samba activity is logged in /var/log/samba/samba_audit

To enable audit logging for an ibay named "fileshare":
<nowiki>db accounts setprop fileshare Audit enabled
signal-event ibay-modify fileshare</nowiki>

To enable audit logging for every ibay on your server:
<nowiki>for ibay in $(db accounts show |grep \=ibay |cut -d= -f1); do db accounts setprop $ibay Audit enabled; done
signal-event ibay-modify</nowiki>

The details of what gets logged are controlled by /etc/e-smith/templates/etc/smb.conf/ibays/10smbaudit

==SME Server specific==
=== Command Line===
{| class="wikitable"
|-
! Command !! Explanation
|-
| signal-event post-upgrade || performs SME Server to go regenerate all templates
|-
| signal-event reboot || reboots the server
|-
| signal-event <event> || performs SME Server to go regenerate event template '''(you may use TAB to auto-complete your command line)'''
|-
| signal-event console-save || Expands templates and reconfigures services which can be changed from the text-mode console and which do not require a reboot
|-
| signal-event dns-update || refreshes the DNS cache, useful for when you know a domain has changed IP and the TTL is too long to wait
|-
| /etc/e-smith/events/actions/navigation-conf || recreates server-manager navigation panel
|-
| config show || display the internal configuration of the server
|-
| config show <service name> || show the service configuration '''(you may use TAB to auto-complete your command line)'''
|-
| db || shows the syntax of the db command
|-
| db configuration show || shows the entire server configuration
|-
| db configuration setprop <record> <property> <value> || sets or changes a property in the configuration database
|-
| db accounts show || shows all account details
|-
| db accounts show <accountname> || shows the account details
|-
| /etc/e-smith/events/actions/initialize-default-databases|| action for initializing the default database values
|}
===Refresh DNS cache===

signal-event dns-update

refreshes the DNS cache, useful for when you know a domain has changed IP and the TTL is too long to wait

===Refresh Squid Cache===
Extracted from: http://forums.contribs.org/index.php?topic=38848.msg176737#msg176737

===Flush and Restart===

sv d /service/squid
echo "" > /var/spool/squid/swap.state
sv u /service/squid

& to check it's running
sv s /service/squid
===SystemConfig===
Some relative Informations to your system are recorded in the configuration database
config show sysconfig
===db command===
{{note box|SME Server comes with the most used parameters set as variables in its internal configuration databases. These variables are used to store values to be used in the final configuration files. Please, read the [[SME_Server:Documentation:Developers_Manual:Section2]] to understand the template and database process.}}

you can see this page of the wiki [[DB_Variables_Configuration]] and the [[Db_command_tutorial]]

==== Setting db variables to default values ====
{{Note box| Use of 'config' is a shorthand version for 'db configuration' and therefore only works with the configuration database}}

Any db variable that has a default value can be reset to the default by deleting the variable entirely, then re-initializing the default database values as follows:
config delprop <key> <prop>
/etc/e-smith/events/actions/initialize-default-databases

==== Delete a property value ====
To delete the property
db accounts delprop <key> <prop>

==== Reset a property to an empty value ====
To reset to an empty value
db accounts setprop <key> <prop> <nowiki>''</nowiki>

{{Warning box|Database parameters are case sensitive so take great care when typing at the server shell because no error messages are given should you make a mistake.}}

====Create DB key manually by a script====

An example on how create by hand some db with contents in a script. all these db can not be erased because for every 'post-upgrade signal-event; signal-event reboot', the default values set manually below will return.

mkdir -p /etc/e-smith/db/accounts/defaults/wordpress
echo "reserved" > /etc/e-smith/db/accounts/defaults/wordpress/type

mkdir -p /etc/e-smith/db/configuration/defaults/wordpress
echo "configuration" > /etc/e-smith/db/configuration/defaults/wordpress/type
echo "Wordpress weblog" > /etc/e-smith/db/configuration/defaults/wordpress/Name
echo "global" > /etc/e-smith/db/configuration/defaults/wordpress/PublicAccess
echo "enabled" > /etc/e-smith/db/configuration/defaults/wordpress/status
echo "wordpress" > /etc/e-smith/db/configuration/defaults/wordpress/DbName
echo "wordpress" > /etc/e-smith/db/configuration/defaults/wordpress/DbUser
echo "en" > /etc/e-smith/db/configuration/defaults/wordpress/WpLang

in order to initialize all db settings
/etc/e-smith/events/actions/initialize-default-databases

====Create DB key manually by 'config'====
If you want to create a key entry manually you can use the 'config' command and save properties in the '''configuration database'''. For your information, once deleted you cannot retrieve default values as above.
The generic Command line is :
config configuration set key type [prop1 val1] [prop2 val2] ...
for example you can do

config set plop configuration Name wordpress PublicAccess private status enabled DbName wordpress DbUser wordpress WpLang en

you can see the result

config show plop
plop=configuration
DbName=wordpress
DbUser=wordpress
Name=wordpress
PublicAccess=private
WpLang=en
status=enabled

===Modify Hidden settings of users===
====Grant bash access to a "user"====
db accounts setprop '''user''' Shell /bin/bash
signal-event user-modify '''user'''

====Grant vpn access to a "user"====
db accounts setprop '''user''' VPNClientAccess yes
signal-event user-modify '''user'''

====Grant sudo access to a "user"====
db accounts setprop '''user''' Sudoer yes
signal-event user-modify '''user'''

====Chroot "user" on FTP usage====
db accounts setprop '''user''' ChrootDir /home/e-smith/files/users/user/home
signal-event user-modify '''user'''

=== General Service Handling ===
====SME9====
SME Server uses [http://smarden.org/runit/ runit], a UNIX init scheme with service supervision. See the man page of [http://smarden.org/runit/sv.8.html the 'sv' command]

All other linux common way to start or stop services are also valuable

/etc/init.d/servicename start/stop/status
service servicename start/stop/status

*start
sv u /service/servicename
*stop
sv d /service/servicename
*restart
sv t /service/servicename
* status
sv s /service/servicename
{{tip box|you may use TAB to auto-complete your command line}}

you have some shortcuts
down => 'd',
stop => 'd',
up => 'u',
start => 'u',
restart => 't',
sigterm => 't',
adjust => 'h',
reload => 'h',
sighup => 'h',
sigusr1 => '1',
sigusr2 => '2',
once => 'o',
pause => 'p',
alarm => 'a',
interrupt => 'i',
quit => 'q',
kill => 'k',
exit => 'x',

Restarting:

sv t /service/httpd-e-smith

====SME10====
'''Systemctl''' is a '''systemd''' utility that is responsible for Controlling the '''systemd''' system and service manager. '''Systemd''' is a collection of system management daemons, utilities, and libraries which serves as a replacement of '''System V init''' daemon. Systemd functions as central management and configuration platform

To list all loaded services on your system (whether active; running, exited or failed, use the '''list-units''' subcommand and <code>--type</code> switch with a value of service.
# systemctl list-units --type=service
OR
# systemctl --type=service

But to get a quick glance of all running services (i.e all loaded and actively running services), run the following command.
# systemctl list-units --type=service --state=running
OR
# systemctl --type=service --state=running

List all failed units.
# systemctl --failed

Check whether a Unit or Service is running or not?.
# systemctl status httpd-e-smith

How do I start, restart, stop, reload and check the status of a service ('''httpd.service''') in Linux.
# systemctl start httpd-e-smith.service
# systemctl restart httpd-e-smith.service
# systemctl stop httpd-e-smith.service
# systemctl reload httpd-e-smith.service
# systemctl status httpd-e-smith.service

===Add a custom service===

see this [[Add_a_custom_service |page]]

==SSL==
===Test SSL certificate===
This free online service performs a deep analysis of the configuration of any SSL web server on the public Internet.
https://www.ssllabs.com/ssltest/
===SSL diagnostic===
The s_client command implements a generic SSL/TLS client which connects to a remote host using SSL/TLS. It is a very useful diagnostic tool for SSL servers. 

[https://www.openssl.org/docs/apps/s_client.html openssl s_client] Documentation
*on sme
openssl s_client -connect localhost:993
*on a remote host
openssl s_client -connect yourdomain:993

===SSL Signature algorithm===
you can verify the algorithm signature of your certificate 

for example
openssl x509 -noout -text -in /home/e-smith/ssl.pem/sme9dev2.mycompany.local.pem

== SSH ==

===Enable SSH===
* Enable ssh access (the lazy not-so-secure way, but I am assuming for this testing/dev scenario that your external IP is really a local address behind a router)
<syntaxhighlight lang="Bash">
db configuration setprop sshd status enabled
db configuration setprop sshd PermitRootLogin yes
db configuration setprop sshd acccess public
db configuration setprop sshd PasswordAuthentication yes
/sbin/e-smith/signal-event remoteaccess-update
</syntaxhighlight>

* Allow ssh in public or private mode : '''public'''= all internet '''private'''= only your network

db configuration sshd access public
signal-event remoteaccess-update

===Access to the terminal of your remote sme===

ssh root@ip-sme-or-remote-hostname
or
ssh -pX root@ip-sme-or-remote-host (X is the port listened by ssh service)

{{Note box| you need to forward in your router the port 22 (or whatever you decide) to your internal sme's ip and '''allow ssh in the server-manager with the root login and Password Authentication''' (Security/Remote Access menu). '''You can enhance security by disabling the root connection''' : Allow administrative command line access over secure shell NO
Keep in mind that you need '''to set the service to public access (entire internet)''' if you want to be accessible by ssh outside of you network (see the [[Denyhosts]] contrib for banning hosts which failed too many login attempts to your ssh deamon.) }}

===Execute or run a command over ssh to a remote server and auto disconnect after quit===

ssh -t root@ip-sme-or-remote-hostname command

where 'command' is the program or command to run. An example could be:

ssh -t root@192.168.1.5 top

===Access to the server-manager through SSH===

We can access to the server-manager of your remote SME Server by SSH with a tunneling protocol initiated by "ssh -L". This command has to be done by a superuser in a Terminal like if you want to be connected to your SME Server by SSH.
{{note box|We assume that ports are forwarded in your router to your sme internal IP (443 and 22) and the root user is allowed to access by ssh to the server.}}

Do this in a root terminal of your Linux computer outside of your network

ssh -L 443:localhost:443 root@your-static-external-network-IP-or-host.dyndsn.org

host.dyndsn.org could be a free service as [http://dyn.com/dns/ dyndns.org] or [http://www.noip.com/ noip.com]

'''Keep the terminal open''', Then you need to use this specific URL in your WEB Browser to go to the server-manager

https://localhost/server-manager

{{tip box|msg=It is possible to use putty if you are afraid about some commands in a terminal, you can find a lot of examples by typing this in google [https://www.google.com/search?q=tunneling+by+putty tunneling by putty]}}

====Access with non standard ports====
In certain cases which you are not root on the local computer, you can not redirect port < 1024, so you have to use port > 1024 as the example below.

ssh -L 9443:localhost:443 root@your-remote-ip -p 22

9443 : local port
443 : remote https port
your-remote-ip : the remote host (could be an ip or a domain name)
22 : this is the port where the ssh server is listening, you can change it in accordance with the remote server

'''Keep the terminal open''', Then you need to use this specific URL in your WEB Browser to go to the server-manager

https://localhost:9443/server-manager

----
[[Category:Howto]]

SMEServer Email

2026-01-10T06:55:10Z

Rdswikiadmin: Created page with "Copied from; https://wiki.koozali.org/Email {{usefulnote}} {{Languages}} Information on the email subsystem used in SME Server covering sending/recieving, spam filtering, virus checking, webmail, domains and users. ==Troubleshooting== I am having trouble getting sme to send and receive email. Sending and receiving email are separate functions. You need to investigate each individually. ===Sending=== If SME server does not send mail, you need to examine the /var/log/..."

Copied from; https://wiki.koozali.org/Email

{{usefulnote}}
{{Languages}}
Information on the email subsystem used in SME Server covering sending/recieving, spam filtering, virus checking, webmail, domains and users.

==Troubleshooting==
I am having trouble getting sme to send and receive email.

Sending and receiving email are separate functions. You need to investigate each individually.

===Sending===
If SME server does not send mail, you need to examine the /var/log/qmail/current logs to see what happens when it tries. Most commonly problems can be solved by sending via your ISP's mail server, possibly using encryption and/or authentication. Read the manual.

===Receiving===
If SME server does not receive mail, then you need to ensure that SMTP connections reach your SME server (DNS settings, router configuration, ISP port blocks) and then you need to examine /var/log/qpsmtpd/current logs to determine what SME server does with the incoming connections. Most problems are DNS, router or ISP issues, and have nothing to do with SME server operation or configuration.

====qpsmtpd "Connection Timed Out" errors====
See [[Bugzilla:6888]] and [[Bugzilla:2360]]

A qpsmtpd timeout error may arise, this is not an issue that is caused by SME server directly, however it can become an issue depending on hardware and configuration settings that are contained in and around other enviroments.

It is discussed under various names

*Path MTU Discovery Blackhole http://www.phildev.net/mss/mss-talk.pdf
*Path MTU Discovery Failures http://www.wand.net.nz/~mluckie/pubs/debugging-pmtud.imc2005.pdf
*TCP Problems with Path MTU Discovery http://www.ietf.org/rfc/rfc2923.txt

As discussed in [[Bugzilla:6888]] a workaround was found that may help in mitigating the issue.

The [http://linux.die.net/man/8/tracepath tracepath] utility (included with SME 8.0 and SME 7.6) can be used to locate non-standard MTU values between your SME server and any remote host.

You can discover the smallest MTU between you and google.com (for example) by running this command, then locating the smallest value of "pmtu" in the results:
tracepath google.com

If tracepath returns any value below 1500 between your SME server and a mail server that you need to receive email from, you may need to reset the MTU on the SME server to match the smallest value returned.

For example, if tracepath returns 1492 (typical for internet connections using PPPoE), you would need to set the MTU on your SME server to the same value (1492) using the following:

config setprop InternalInterface MTU 1492
signal-event post-upgrade; signal-event reboot

===Webmail broken after upgrade===
After the usual post-upgrade and reboot, webmail is broken with messages like the following in the messages log:

Apr 20 17:29:53 mail [4614]: PHP Fatal error: Call to a member function on a non-object in /home/httpd/html/horde/imp/lib/Block/tree_folders.php on line 65
Apr 20 17:29:53 mail [4614]: PHP Warning: Unknown(): Unable to call () - function does not exist in Unknown on line 0

As workaround, logout of Horde, close the browser, reopen, log in to Horde, Webmail should now be fully functional. (Based on suggested fix in [[Bugzilla:5177]])

==Spam==
===Spamassassin===
====Spam filter with Server-Manager====
Using the Server-Manager Configuration/E-Mail panel, adjust the settings to these reasonable defaults.

*Virus scanning Enabled
*Spam filtering Enabled
*Spam sensitivity Custom
*Custom spam tagging level 4
*Custom spam rejection level 12
*Sort spam into junkmail folder Enabled
*Modify subject of spam messages Enabled

I would also recommend blocking all executable content. To do so, select (highlight) all of the attachment types other than zip files (the last two).

Click Save.
====How It Works====

When receiving an incoming message, the server first tests for RBL and DNSBL listings, if enabled. If the sender is blacklisted, the messages are blocked outright and Spamassassin never sees it.

With this configuration, the spammiest messages, those marked as 12 or above, will be rejected at the SMTP level. Those spam messages marked between 4 and 12, will be routed to the users' (IMAP) junkmail folder. This is done so the users can check for false-positives...valid messages that were classified as spam by SpamAssassin.

Users may check their junkmail folders for false-positives via webmail, or, if they are using an IMAP mail client, by simply checking the junkmail folder exposed by their mail client.

https://servername/webmail

====Enable/Disable Filtering Per-User====

This procedure doesn't really disable the spam filtering, it just stopps the spam from being routed to the 'junkmail' folder.

Per-user filtering is enabled by default. Disable filtering with the following command, as root:

db accounts setprop USERNAME SortSpam disabled
db accounts show USERNAME # only displays settings
signal-event user-modify USERNAME

====Use the Junkmail folder====
The Default spamassassin behaviour put spams in the inbox which is very convenient for users in case of false positive, but it is not practical for learning, and especially it does not facilitate the life of the user (setting is available via the manager). If you want to put directly spams in the junkmail folder issue the command above.

config setprop spamassassin SortSpam enabled
signal-event email-update

====Message Retention Time====
Set spamassassin for automatically delete junkmail.
You can change the "days" that spamassassin sets to automatically delete junkmail, to delete after two months

db configuration setprop spamassassin MessageRetentionTime 60
signal-event email-update

====Spam score Level and Spam score rejection====
The "Custom spam rejection level" will only work when "Spam sensitivity" is set to custom.
<ol><li>Open server-manager.
</li><li>Click e-mail in the navigation pane (left-hand side).
</li><li>Click Change e-mail filtering settings.
</li><li>Change "Spam sensitivity" to custom and adjust the settings to your liking.
</li></ol>

This happens because by default, no mail (except for viruses) gets rejected without the admin doing something first.

As a reference, the following setting will have the following behaviours :

{| class="wikitable"
|-
!Sensitivity!!Spam tagging level!!Spam rejection level
|-
|Custom||TagLevel value (Custom spam tagging level)||RejectLevel value (Custom spam rejection level)
|-
|veryhigh||2||No rejection
|-
|high||3||No rejection
|-
|medium||5||No rejection
|-
|low||7||No rejection
|-
|verylow||9||No rejection
|}

====X-Spam-Level Header in Email Messages====
SME does not create an X-Spam-Level header in processed email messages by default.

To enable this capability:
/usr/bin/yum install --enablerepo=smecontribs smeserver-qpsmtpd-spamassassinlevelstars
signal-event email-update

(Based on [[Bugzilla:3505]])
{{note box| as SME8 this functionality seems to be included --[[User:Unnilennium|Unnilennium]] ([[User talk:Unnilennium|talk]]) 09:05, 3 February 2014 (MST)}}

====spamassassin qpsmtpd's plugins email size limit====
This db configuration setting sets the maximum email size above which spamassassin will not apply the spam filtering rules as have been set.

The default setting is 500kb, to increase the maximum size, apply the following commands from a root terminal

db configuration setprop spamassassin MaxMessageSize 2000000
increases message size to 2mb, apply the change with
signal-event email-update

(Based on [[Bugzilla:7606]])

====Custom Rule Scores====
You can customize the score assigned by a specific Spamassassin rule (SARE_ADULT2 in this case) as follows:
mkdir -p /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf
cd /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf
echo "score SARE_ADULT2 20.000" >> 20localscores
signal-event email-update

You can now add additional tests and custom scores by editing the newly-created template fragment ''20localscores'' and adding new custom scores using:
nano -w /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/20localscores
signal-event email-update
Each custom score goes on its own line. If you enter a score surrounded by parentheses, the "custom" score will be added to the default score for the specified test (use ''score TEST_NAME (-1)'' to reduce the score for 'TEST_NAME' by 1)

You can remove these customizations using:
rm -f /etc/e-smith/templates-custom/etc/mail/spamassassin/local.cf/20localscores
signal-event email-update

References:

*http://spamassassin.apache.org/full/3.1.x/dist/doc/Mail_SpamAssassin_Conf.html#scoring_options
*http://spamassassin.apache.org/tests_3_2_x.html
*http://www.rulesemporium.com/

====SPF mail rejection/flagging policy====
{{Warning box|Please note that these instructions do not apply to SME9.2 where the version of qpsmtpd (0.96) does all this out of the box. Indeed if
the custom template below is applied (or left in?) to an SME9.2 system, then you may find that emails are denied when they ought to be accepted!}}

SME server can protect based of SPF records using spamassassin and the 'sender_permitted_from' plugin. The following lines will enable the plugin.
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/
echo sender_permitted_from spf_deny 1 > 30spf
/sbin/e-smith/expand-template /var/service/qpsmtpd/config/peers/0

Then set your custom rule scores using the [[#Custom_Rule_Scores|Custom Rule Scores]] section of this page. You should base these scores on your settings in server-manager > Configuration > Email > Change e-mail filtering settings or via db config commands for those with that skillset
echo "score SPF_SOFTFAIL 6.000" >> 20localscores
echo "score SPF_FAIL 14.000" >> 20localscores
signal-event email-update

In our testing an email that doesn't match SPF records and the sender domain owner has defined a soft fail, if is attributed 6 points and sorted to junkmail folder. If the sender domain owner has defined a hard fail the email attibuted 14 points and is subsequently rejected.
 
References (but instructions changed to meet new qmail structure):

*http://forums.contribs.org/index.php?topic=21631.0

====Pyzor Timeout====

See [[Bugzilla: 5973]]
{{Warning box|SME server 7.# users be aware of an issue that can appear in the /var/log/spamd/current logs
" pyzor: [5281] error: TERMINATED, signal 15 (000f)".}}

This can be mitigated by the adding of a template fragment.

Template fragment to set a pyzor_timeout based on a value in the config db.
If no value is set, there is no output (so pyzor uses it's internal default).

mkdir -p /etc/e-smith/templates/etc/mail/spamassassin/local.cf/50pyzor_timeout
cd /etc/e-smith/templates/etc/mail/spamassassin/local.cf/50pyzor_timeout
nano 50pyzor_timeout

Contents of 50pyzor_timeout

{
my $pyzor_timeout = ($spamassassin{PyzorTimeout} || 0);
if ($pyzor_timeout ne '0')
{
return "pyzor_timeout " . ($pyzor_timeout);
}
}

Then a value can be set using:

config setprop spamassassin PyzorTimeout 15
signal-event email-update

====Whitelist and Blacklist====
If mail comes in and it is misclassified as spam by Spamasassin, you can add the sender to the Spamassassin whitelist so that future messages coming in from that sender are not filtered.
Conversely, you can add a spammer to the Spamassassin blacklist so you never see their spam again.
Add senders (or their entire domains) to the global whitelist (or blacklist) with commands similar to these (as root):

db spamassassin setprop wbl.global *@vonage.com White
db spamassassin setprop wbl.global *domain2.com White
db spamassassin setprop wbl.global user@domain3.com White
db spamassassin setprop wbl.global spammer@spamdomain.com Black

you can block an entire TLD but please be aware that you might be denying a legitimate email in the future.
db spamassassin setprop wbl.global *@*.xyz Black
db spamassassin setprop wbl.global *@*.link Black

expland template and save the configuration to the database
signal-event email-update

You can view the lists with this command:
db spamassassin show

These lists can be also controlled by the server-manager with the wbl contrib http://wiki.contribs.org/Email_Whitelist-Blacklist_Control

====Testing====

You can check the auto-learning statistics with this command. You will be able to note the accumulation of the spam tokens (or not). Note that the Bayesian filtering must receive 200 spam messages before it starts to function, so don't expect instantaneous results.

sa-learn --dump magic

You can check the spam filter log with this command:

tail -50 /var/log/spamd/current | tai64nlocal

Check spamassassin configuration like this:

spamassassin -D --lint

If you ever see an error such as:

warn: bayes: cannot open bayes databases /etc/mail/spamassassin/bayes_* R/W: tie failed: Permission denied

Try adjusting some permissions with these commands:

chown :spamd /var/spool/spamd/.spamassassin/*
chmod g+rw /var/spool/spamd/.spamassassin/*

===Real-time Blackhole List (RBL)===
Enabling RBL's 
RBL's are disabled by default to allow maximum accommodation (your ISP may be on a RBL & you may not know it). You can enable RBL's by:
config setprop qpsmtpd DNSBL enabled RHSBL enabled
signal-event email-update

You can see your RBL's by:
config show qpsmtpd

You can add to your RBL's by:
config setprop qpsmtpd RBLList <rbl-list-name>
signal-event email-update

Many will argue what's best, some say the SME defaults are too aggressive and affect some popular free webmail accounts, but most would agree that you can set stable, conservative and non aggressive settings by:
config setprop qpsmtpd RBLList zen.spamhaus.org
signal-event email-update

A conservative setting for the associated DNSBL SBLList is:
config setprop qpsmtpd SBLList dbl.spamhaus.org
signal-event email-update

Note: More information on this topic can be found here:
[http://wiki.contribs.org/Updating_to_SME_7.2#RHSBL_Servers]
[http://wiki.contribs.org/Updating_to_SME_7.2#DNSBL_Servers]

====Possible issues with RBL====
When an external dns provider is set in the console menu, it may interfere with some blacklists activated here (RHSBL and DNSBL). The black.uribl.com is know to bounce all emails in this case with a rejection message delivered to the sender. You can in this case

*Remove the black.uribl.com of your SBLList

config setprop qpsmtpd SBLList multi.surbl.org:rhsbl.sorbs.net:dbl.spamhaus.org
signal-event email-update

*Let the SME Server being the only dns resolver by removing the dns provider/forwarder in the console menu.

See http://uribl.com/about.shtml#abuse for more information about this issue with black.uribl.com

====Obsolete lists====
These lists can not be used with smeserver. A migrate fragment will remove them from your settings each time you reconfigure your server.

*RBLList

combined.njabl.org
list.dsbl.org
multihop.dsbl.org
dnsbl.ahbl.org

*SBLLIST

blackhole.securitysage.com
bulk.rhs.mailpolice.com
fraud.rhs.mailpolice.com
porn.rhs.mailpolice.com
adult.rhs.mailpolice.com
bogusmx.rfc-ignorant.org
ex.dnsbl.org

===Server Only===
Some of the spam filter rules cannot work unless the SMESERVER knows the external IP of the box. If you put a SMESERVER in server-only mode behind other firewalls, it will lose some of the anti-spam rules. For example, the rule that blocks attempts where spammers try "HELO a.b.c.d" where a.b.c.d is your external IP address.

Unfortunately, many admins believe that port-forwarding SMTP provides additional security. It doesn't, it limits the SMESERVER's ability to apply some rules.

===I want to enable GreyListing===
GreyListing support is under the covers and can easily be enabled for those who know what they are doing. However, many experienced users found that they spent more time looking after the greylisting configuration than they received in benefit.
see [[Greylisting]]

===Bayesian Filtering===
From [[wikipedia:Naive_Bayes_spam_filtering|Wikipedia]]:
<blockquote>Naive Bayes classifiers work by correlating the use of tokens (typically words, or sometimes other things), with spam and non-spam e-mails and then using Bayes' theorem to calculate a probability that an email is or is not spam.</blockquote>

SME server supports bayesian filtering, but does not have it enabled by default.

Enabling bayesian filtering, autolearning, and spam/ham training allows spamassassin to learn from received email and improve spam filter performance. [[Bugzilla: 6822]]

====Bayesian Autolearning====
The following command will enable the bayesian learning filter and set thresholds for the bayesian filter.
config setprop spamassassin UseBayes 1
config setprop spamassassin BayesAutoLearnThresholdSpam 6.00
config setprop spamassassin BayesAutoLearnThresholdNonspam 0.10
config setprop spamassassin UseBayesAutoLearn 1
expand-template /etc/mail/spamassassin/local.cf
sa-learn --sync --dbpath /var/spool/spamd/.spamassassin -u spamd
chown spamd.spamd /var/spool/spamd/.spamassassin/bayes_*
chown spamd.spamd /var/spool/spamd/.spamassassin/bayes.mutex
chmod 640 /var/spool/spamd/.spamassassin/bayes_*
config setprop spamassassin status enabled
config setprop spamassassin RejectLevel 12
config setprop spamassassin TagLevel 4
config setprop spamassassin Sensitivity custom
config setprop spamd SpamLearning enabled
signal-event email-update

These commands will:

*enable spamassassin
*configure spamassassin to reject any email with a score above 12
*tag spam scored between 4 and 12 in the email header
*enable bayesian filter
*'autolearn' as SPAM any email with a score above 6.00

Note: SpamAssassin requires at least 3 points from the header, and 3 points from the body
to auto-learn as spam.
Therefore, the minimum working value for this option is 6, to be changed in increments of 3,
12 considered to be a good working value..

*'autolearn' as HAM any email with a score below 0.10

Check the bayes stats with the command:
sa-learn --dump magic

The database is located in /var/spool/spamd/.spamassassin/bayes

====LearnAsSpam / LearnAsHam (spam/ham training)====

LearnAsSpam & LearnAsHam are scripts that can be installed on your server to allow users to manually "train" the bayes database. Training is done by users moving Spam from their Inbox to the "LearnAsSpam" folder, and by COPYING real email that was delivered to junkmail into the "LearnAsHam" folder. All messages in both LearnAsSpam and LearnAsHam are deleted once they have been processed and their tokens have been added to the bayes database.

To install:

* Enable bayes database as described in [[Email#Bayesian_Autolearning | Bayesian Autolearning]] (not the best approach, prefer manual learn by user), or
* Install smeserver-learn as per wiki page [[Learn]](and keep auto-learning off), then
* Instruct your users to move any SPAM they find from their Inbox to their LearnAsSpam folder, and to COPY any non-spam (ham) they find in their junkmail folder into their LearnAsHam folder.

This is a really efficient way to reduce impact of SPAM to your particular installation. Do not fear to run again files that are tagged as SPAM, as they will either get ignored if all their patterns are known, or the Bayes might catch one more pattern that could help you to get ride of the next incoming SPAM to even get accepted.

If you want, the code below counts how many e-mail are in LearnAsSpam and LearnAsHam directories (of all users). It's useful to know if your users are using those folders. However Learn will send you a report after each pass. If you are interested on the number of emails lefts in the junkmail directory without any attention, you could install [[mailstats | smeserver-mailstats]] and activate the option to account for them
<pre>
#!/bin/bash
# ContaLearn.sh

#for compatibility with older versions without rpm, testing
[ `/sbin/e-smith/db configuration getprop LearnAsSpam dir` ] &&
LearnAsSpam=`/sbin/e-smith/db configuration getprop LearnAsSpam dir` || LearnAsSpam='LearnAsSpam';
[ `/sbin/e-smith/db configuration getprop LearnAsHam dir` ] &&
LearnAsHam=`/sbin/e-smith/db configuration getprop LearnAsHam dir` || LearnAsHam='LearnAsSpam';
JunkMail='junkmail';

echo
date
declare -i tspam
declare -i tham
declare -i tleft
declare -i tnseen

printf "%-25s %-11s %-11s %-11s %-11s \n" "User" "LearnAsSpam" "LearnAsHam" "JunkMail" "NotSeen"
pushd /home/e-smith/files/users/ >>/dev/nul
for u in `ls ` #| grep -v admin`
do
[ "$u" = "admin" ] && mailpath="/home/e-smith/" || mailpath="/home/e-smith/files/users/$u" ;
spam=`ls -1 $mailpath/Maildir/.$LearnAsSpam/cur |wc -l`
ham=`ls -1 $mailpath/Maildir/.$LearnAsHam/cur |wc -l`
left=`ls -1 $mailpath/Maildir/.$JunkMail/cur |wc -l`
nseen=`ls -1 $mailpath/Maildir/.$JunkMail/new |wc -l`
if [[ $spam > 0 ]] || [[ $ham > 0 ]] || [[ $left > 0 ]] || [[ $nseen > 0 ]]; then
printf "%-25s %-11d %-11d %-11d %-11d \n" $u $spam $ham $left $nseen
fi
tspam=$tspam+$spam
tham=$tham+$ham
tleft=$tleft+$left
tnseen=$tnseen+$nseen
done
echo "----------------------------------------------------------------------"
printf "%-25s %-11d %-11d %-11d %-11d \n" "Total:" $tspam $tham $tleft $tnseen
echo
popd >>/dev/nul

</pre>

====Learn Contrib====
The [[Learn]] contrib is intended to install and configure the bayes training tools LearnAsSpam & LearnAsHam.

====Reset the Bayes Database====
Based on this forum post http://forums.contribs.org/index.php/topic,50712.msg258844.html#msg258844 it may be advantageous to remove the bayes database every few years & recreate it, in order to improve spam filtering performance.

Follow these instructions to turn bayes OFF, delete the database, create an empty database, and turn bayes back on:

config setprop spamassassin UseBayes 0
signal-event email-update
'rm' /var/spool/spamd/.spamassassin/bayes*

config setprop spamassassin UseBayes 1
expand-template /etc/mail/spamassassin/local.cf
sa-learn --sync --dbpath /var/spool/spamd/.spamassassin -u spamd
chown spamd.spamd /var/spool/spamd/.spamassassin/bayes_*
chown spamd.spamd /var/spool/spamd/.spamassassin/bayes.mutex
chmod 640 /var/spool/spamd/.spamassassin/bayes_*
signal-event email-update

Updates to smeserver-spamassasin now require two new config db settings to have bayesian autolearning enabled. See forum post https://forums.contribs.org/index.php/topic,54320.msg284208.html#msg284208

===The Sonora Communications "Spam Filter Configuration for SME 7" howto===

http://www.sonoracomm.com/support/19-inet-support/49-spam-filter-configuration-for-sme-7

===GeoIP: spam blocking based on geographical information===

The GeoIP plugin for Spamassasin lets us know where our mail server is receiving mail from. If we're receiving too much spam from a particular location, this will help track it down. We can then use that info to reject connections from that place taking the load off our server.

{{Note box | This can be a crude way of blocking spam and potentially also block legitimate users!}}

You can find information how to install and use it on the [[GeoIP]] page.

==Anti Virus==
SME Server uses Clam AntiVirus (http://www.clamav.net) as the default and built-in anti virus engine.

===Signatures===
By default SME Server will automatically get virus signature database updates from ClamAV.

Other people and organizations have developed additional signatures which can also be used with ClamAV to provide extra protection. Databases of these signatures can be downloaded and installed on SME Server, and used by ClamAV

In order to automate the download and installation of the additional databases, as well as control which databases you use, follow the instruction in the [[Virus:Additional_Signatures|Virus:Additional Signatures]] Howto

===Heuristic Scan===
HeuristicScanPrecedence is a new option in clamav 0.94.

When enabled, if a heuristic scan (such as phishingScam) detects a possible virus/phish it will stop scan immediately. Recommended, saves CPU scan-time.

To enable this feature:
config setprop clamav HeuristicScanPrecedence yes
expand-template /etc/clamd.conf
sv t clamd

Default is disabled.

===Attachment Filtering===
The functionality to block possible executable and virus files attached to emails has been incorporated into SME Server v7.x. See the [[SME_Server:Documentation:Administration_Manual:Chapter13#E-mail_Filtering|Email]] panel in server manager.

Additional file signature patterns can be added to the SME defaults. See the [[Virus:Email_Attachment_Blocking|Virus:Email Attachment Blocking]] Howto for further information

==Email Clients==
==="concurrency limit reached" when using IMAP===
Sometime shows as Thunderbird giving this error message,
''This Mail-server is not a imap4 mail-server''

To workaround thunderbirds limitations change, this thunderbird setting to false

*Preferences, Advanced, Config editor (aka about:config): filter on tls.
*set security.enable_tls to false

If the total concurrency limit is reached, it'll look like this in /var/log/dovecot/current:

@400000005a1c2c1f19c9381c master: Warning: service(imap): process_limit (2) reached, client connections are being dropped

@400000005a1c2c291a4712dc imap-login: Error: read(imap) failed: Remote closed connection (destination service { process_limit } reached?)

@400000005a1c2c291a471aac imap-login: Error: read(imap) failed: Remote closed connection (destination service { process_limit } reached?)

For the per IP concurrency limit, it'll be like this:

@400000005a1c2c6214542b94 imap-login: Info: Maximum number of connections from user+IP exceeded (mail_max_userip_connections=2): user=<someone>, method=PLAIN, rip=192.168.x.y, lip=192.168.z.t, TLS, session=<abcdefgh>

@400000005a1c2c6233f1bcb4 imap-login: Info: Maximum number of connections from user+IP exceeded (mail_max_userip_connections=2): user=<someone>, method=PLAIN, rip=192.168.x.y, lip=192.168.z.t, TLS, session=<ijklmnop>

The following commands will give your the current value:
db configuration getprop imap ConcurrencyLimit || echo 400
db configuration getprop imap ConcurrencyLimitPerIP || echo 12

You can also increase the ConcurrencyLimitPerIP and/or ConcurrencyLimit value for imap and/or imaps (secure)
config setprop imap ConcurrencyLimitPerIP 20
config setprop imaps ConcurrencyLimitPerIP 20
signal-event post-upgrade; signal-event reboot
{{Note box| for sme9, only the key imap has properties ConcurrencyLimitPerIP,checkConcurrencyLimit,ProcessMemoryLimit. If you set these properties to the key imaps, a migrate fragment will remove them automatically.}}
To see configuration:
config show imap

tail -f /var/log/dovecot/current | tai64nlocal #out of date

More detail can be found [http://forums.contribs.org/index.php?topic=33124.0 here] or [https://forums.contribs.org/index.php/topic,51872.0 here].

{{Tip box|You can see if you are running out of the number of available connections in your log file /var/log/imaps/current and look for messages like the log extract below where the ConcurrencyLimitPerIP was set to 20. A 21st connection was attempted and was denied.

tcpsvd: info: pid 30693 from 10.1.0.104
tcpsvd: info: concurrency 30693 10.1.0.104 21/20
tcpsvd: info: deny 30693 0:10.1.0.21 ::10.1.0.104:49332 ./peers/10.1.0
}}
{{Tip box|Mobile devices have a tendency to frequently disconnect and connect from the network. When this disconnect happens, the sessions on the server are not always immediately cleaned up (they get cleaned up after a time out of some minutes). When the email client reconnects, they create new network connections and you get into the situation that these new connections get denied because of the concurrency limit. On the mobile device this may be noted as a "Unable to connect to server" message.}}
{{Tip box|Some email clients use a separate connection per imap folder, so the concurrency limits may occur for users that have many imap folders.}}

===Mail server is not an IMAP4 mail server===
This is a bug in Thunderbird, the previous tips may help.

===The Bat===
The gives this error message, but they are wrong. 
"This server uses TLS v3.0 which is considered to be obsolete and insecure.
The server must use TLS v3.1 or above."

===Outlook/Outlook Express give error 10060/0x800CCC90===
Most likely OUTLOOK (EXPRESS) isn't configured correctly.

-open OUTLOOK
-click TOOLS > ACCOUNTS
-click CHANGE (on the right-hand side)
-find INCOMING MAIL SERVER & OUTGOING MAIL SERVER (on right-hand side)
-type: mail.yourdomain.tld (in both places)
-click MORE SETTINGS (on bottom-right)
-click OUTGOING SERVER tab (at the top)
-checkmark "MY OUTGOING SERVER REQUIRES AUTHENTICATION"
-bullet "USE SAME SETTINGS AS INCOMING MAIL SERVER"
-click ADVANCED tab (at the top)
-find OUTGOING SERVER
-checkmark "THIS SERVER REQUIRES A SECURE CONNECTION" (under outgoing server)
-change 25 to 465
-[possibly required, secure IMAP is 993]
-click OK > NEXT > FINISHED
-you're finished, your email should work now

===Outlook 2013 on Windows 10 gives "An unknown error occurred, error code 0x8004011c" when attempting an IMAP connection for a DOMAIN user===
This is a known issue with the above combination of Windows and Outlook version as of 2015-02-18 (see: [http://bugs.contribs.org/show_bug.cgi?id=9618 Bug 9618]).

The following registry key resolves the issue:
To work around this problem, set the value of the ProtectionPolicy registry entry to 1 to enable local backup of the MasterKey instead of requiring a RWDC in the following registry subkey:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb]
"ProtectionPolicy"=dword:00000001

The PortectionPolicy entry may need to be created

===Outlook 2013 on Windows 8.1 gives error 0x800CCC1A when sending over SMTP port 465===
This is a known issue with the above combination of Windows and Outlook version as of 2015-02-18 (see: [http://bugs.contribs.org/show_bug.cgi?id=8854 Bug 8854]).

The following client-side workaround has been suggested on the [http://www.dovecot.org/list/dovecot/2014-May/096029.html dovecot mailinglist]:

Disable TLS1.2 on the Windows 8.1 client, using a registry entry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS1.2\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

If the registry entry above does not exist on your system, you will have to create it manually.

Whether this is OpenSSL or Microsoft's "fault" is currently not answered.

===Outlook test message doesn't come through===
You clicked the TEST ACCOUNT SETTINGS in OUTLOOK didn't you? This is a bug in OUTLOOK. The test message sends a test email with 'no Date header'. As the name suggests, this means a message without any date. Since the server doesn't accept mail with 'no Date header' (because it's required) the message is rejected. To test, send an actual message from OUTLOOK.

If you want, you can try THUNDERBIRD. It's like OUTLOOK but made by a different company. It's completely free and works very well at home and at the office.

===I can't receive/send email from my application (ACT!, vTiger, MS Outlook, etc)===
Most likely, this is a bug the application you're using and not a problem with the SMESERVER. The application sends an email with 'no Date header'. As the name suggests, this means a message without any date. Since the server doesn't accept mail with 'no Date header' (because it's required) the message is rejected.

As a workaround you can disable the check for the 'Date header'.
To disable this check on the internal interface:
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
echo "# 17check_basicheaders disabled by custom template" > \
17check_basicheaders
signal-event email-update

To disable this check for the external interface:
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0
echo "# 17check_basicheaders disabled by custom template" > \
17check_basicheaders
signal-event email-update

===After I upgrade my SME Server, my email folders have disappeared when using IMAP===
After upgrade, if there are missing IMAP folders, the client may need to re-subscribe to folders. This may affect either webmail users or users who use an IMAP email client.

===Entourage: Using SME's Self-Signed Certificate for SSL Connections from Entourage on OS X 10.4===
The main problem here is that Entourage will only support trusted, PEM Base-64 Encoded certificates. To use IMAPS or SMTPS from Entourage with your SME server, you will need to:
1. Login to your Mac as a user with administrative privileges

2. Open Safari and browse to https://''smeserver''/server-manager.
When you receive the warning about your certificate:
- click on "Show Certificate"
- click and drag the gold-rimmed image of a certificate to your desktop.
You will now have ''myserver.mydomain.tld.cer'' on your desktop.

3. Locate and open the '''Microsoft Cert Manager'''
- "Import" the certificate you downloaded in step 2.

4. Highlight the imported certificate and "Export" it.
- Select the "PEM..." format
- add "''pem.''" to the beginning of the filename
- export it to your Desktop

5. Double-click on the new ''pem.myserver.mydomain.tld.cer''
- Apple's '''Keychain Access''' application will open.
- Select the '''X509Anchors''' Keychain and click "OK"

6. While still in Apple's '''Keychain Access''', select the "Certificates" category
- Drag ''pem.myserver.mydomain.tld.cer'' into the certificates window.

You should now be able to connect to your SME from your Entourage using IMAPS.

If you are accessing your SME server using a different name than the one encoded in the certificate you will still receive a security warning from Entourage, but "OK" will now grant access to your folders.

Notes:

*Procedure mostly taken from http://www.kerio.com/manual/kmsug/en/ch09s06.html
*I still get various other IMAP errors due, I suspect, to the "concurrency limit reached" issue.
*Click on "Show Keychains" in Apple's "Keychain Access" if you need to delete a certificate and try again.

===How do I get my e-mail to show the correct From Address===

The From address on an e-mail is not supplied by the server. It is supplied by the e-mail client.

*Configure your Account in your e-mail client with the correct FROM address.
*You can change the FROM address in webmail with the following:
**Login to webmail as the user, go to ''options-personal information'' and change the ''identity'' to have the correct FROM address. You can have multiple identities with a single user.

Some system generated email is created by the server, some contribs may send mail externally, in these cases you need a valid domain name for the server, buy one or use a free provider like dyndns.org

===Outlook 365 / Outlook 2019 IMAP Configuration===

Microsoft has disabled the ability to enter the IMAP/SMTP username in the account setup wizard in Outlook 365 / 2019 for Windows. The wizard used within Outlook requires that the IMAP/SMTP username be the full email address.

To work around this issue, setup the account using "Mail (Microsoft Outlook 2016)" in the Windows control panel:
[[File:Screen Shot 2019-12-04 at 6.44.18 AM.png|450px]]

==Server Settings==
===qmail ConcurrencyLocal===
The default value for /var/qmail/control/concurrencylocal is 20. This setting controls the maximum amount of simultaneous local deliveries.

There is a optional database property (does not show unless changed from the default setting) called ConcurrencyLocal for qmail in the config database. The ConcurrencyLocal property changes the value stored in /var/qmail/control/concurrencylocal.

It can be set, for example to decrease the local concurrency limit
config setprop qmail ConcurrencyLocal 6
signal-event email-update

===qmail ConcurrencyRemote===
The default value for /var/qmail/control/concurrencyremote is 20. This setting controls the maximum amount of simultaneous remote deliveries.

There is a optional database property (does not show unless changed from the default setting) called ConcurrencyRemote for qmail in the config database. The ConcurrencyRemote property changes the value stored in /var/qmail/control/concurrencyremote.

It can be set, for example to decrease the remote concurrency limit
config setprop qmail ConcurrencyRemote 10
signal-event email-update

Refer also this comment by CB

http://forums.contribs.org/index.php/topic,50091.msg251320.html#msg251320

===How long retry before return e-mail as undeliverable===
To configure how long SME server will try to delivery a message before return a permanent error

mkdir -p /etc/e-smith/templates-custom/var/qmail/control
echo 172800 > /etc/e-smith/templates-custom/var/qmail/control/queuelifetime
expand-template /var/qmail/control/queuelifetime
sv t qmail

The default value is 604800 seconds, or one week. 
The example above shows 172800 seconds, or two days (a weekend for infra upgrade!)

source: http://forums.contribs.org/index.php/topic,47471.0.html

===Double bounce messages===
To stop admin receiving double bounce messages

config setprop qmail DoubleBounceTo someoneuser
signal-event email-update

Or just delete them. You risk losing legitimate double bounces (which are
rare, but you want to look at them when they do occur)

config setprop qmail DoubleBounceTo devnull
signal-event email-update

see a longer explaination [[Email_delete_double-bounce_messages | here]]

===Keep a copy of all emails===
You may need to keep a copy of all emails sent to or from your email server.
This may be for legal, or other reasons.

The following instructions will create a new user account (default is maillog) and forward every email that goes through your SME server to it.

First, log onto the server-manager and create the user '''maillog'''

Go to the SME Command Line (logon as root) and issue the following commands:

config setprop qpsmtpd Bcc enabled
signal-event email-update

Optionally make the forwarding of the emails invisible to the end user. Without it, there will be an X-Copied-To: header in each email. Run this command before the signal-event

config setprop qpsmtpd BccMode bcc

If you want to view the emails, point your email client at the SME and log on as maillog.

You can modify the default user:

config setprop qpsmtpd BccUser someuser

====Keep a copy of outgoing emails only====
In addition to the commands in the [[#Keep_a_copy_of_all_emails | previous section]] we will also have to create a custom template as follows:

Log in as root or a user with root privileges
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/
cp /etc/e-smith/templates/var/service/qpsmtpd/config/peers/0/13bcc /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/
nano -w 13bcc

change the code to:
{
return "# bcc disabled" unless ($qpsmtpd{Bcc} eq "enabled");
return "bcc mode " . $qpsmtpd{BccMode} . " outgoing " . $qpsmtpd{BccUser};
}

Save by pressing Ctrl x at the same time and confirm with y

Then enable the changes with
signal-event email-update
More info:
perldoc /usr/share/qpsmtpd/plugins/bcc

===Set Helo hostname===
Default is set to the hostname.domain, but sometime you might want to have something else to answer with the same as your reverseDNS. You can do one of the followings to only adjust the helo name:

config setprop smtpd HeloHost mydomainname
signal-event email-update

or the following to adjust the way your server will present itself everywhere (httpd, qpsmtd...) This might trigger the generation of new ssl certificate, so use it only if you are sure this is what you want to do.

config set DomainName mydomainname
signal-event domain-modify
signal-event email-update

===Set max email size===

*IMPORTANT: [[bugzilla: 7876]] points out that if your system has ''/var/service/qpsmtpd/config/databytes'' it should be deleted. (Fixed as of smeserver-qpsmtpd-2.4.0-7.el6.sme.noarch - see [[bugzilla: 8329]]).

There are several components involved in sending email on a SME server. Each component has a size limit that may affect an email message that passes through the server.

Be aware that ''email size'' is not the same thing as ''attachment size''. Binary attachments to email are encoded using techniques that result in email sizes that can be as much as 30% larger than the original attachment. Most major email clients (Thunderbird, Apple Mail, Outlook) allow you to enable a "message size" column in the message list that will show you the size of your email messages ([http://forums.contribs.org/index.php/topic,48366.msg241720.html#msg241720 More]).

{| width="100%" cellspacing="0" cellpadding="5" border="1"
!Subsystem
!Function
!Default Limit
!Command to change size
!Notes
|-
|qmail
|Delivers email to local mailboxes and to remote servers
|15000000
|config setprop qmail MaxMessageSize xx000000
|Value is in BYTES. 15000000 equals approximately 15MB. No value means no limit.
|-
|clamav
|Used to scan emails and attachments
|15M
|config setprop clamav MaxFileSize 15M
|Value includes human-readable abbreviations. "15M" equals 15 MegaBytes.
|-
|clamd
|Involved in attachment virus scanning
|1400000000
|config setprop clamd MemLimit 1400000000
|May require increase per [https://forums.contribs.org/index.php?topic=54070.0;topicseen this forum topic]
|-
|qpsmtpd
|The clamav plugin to qpsmtpd is called with a specified size limit.
|25000000
|config setprop qpsmtpd MaxScannerSize xx000000
|Value is in BYTES. Question: does this value override the setting of 'MaxFileSize', or will the smaller value prevail?
|-
|php
|The php maximum file upload size will determine the largest file you can attach to an email message using horde (or any other php email client)
|10M
|config setprop php UploadMaxFilesize 10M
|
|-
|}
====clamav====
A note about clamav: 
ClamAV includes settings to prevent the scanning of archives that could cause problems if fully expanded; if an attachment cannot be scanned, it will be rejected.

In order for changes to take effect, run:
signal-event email-update

These attributes could result in the rejection of a compressed attachment on a SME server:

*ArchiveMaxCompressionRatio (default 300)
*MaxFiles (default 1500)
*MaxRecursion (default 8)

====spamassassin====
By default the qpsmtpd 'spamassassin' plugin does not pass any messages over 500,000 bytes to spamassassin for scanning.

To change this behavior:
db configuration setprop spamassassin MaxMessageSize 2000000
increases message size to 2,000,000 bytes. Apply the change with
signal-event email-update

===Change Horde Webmail Login Page 'Welcome To' Title===
The login page for Webmail defaults to "Welcome to Horde Webmail". In order to change this to something like "Welcome to MyDomain Mail"
config setprop horde Name "MyDomain Mail"
signal-event email-update

See also:

Other configurable Horde settings [[DB_Variables Configuration#Horde_(webmail)]]

Forum post [http://forums.contribs.org/index.php/topic,31093.0.html 31093]

===Add the admin user as an administrator for Horde===

config setprop horde Administration enabled
signal-event email-update

===Large attachments not displaying in webmail===
Due to limits set in the PHP configuration it might be that webmail will not display large attachments (see also [[bugzilla:3990]]). The following entries are related to the error and can be found in the log files:

'''/var/log/messages'''
Mar 13 00:00:12 box1 httpd: PHP Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 154 bytes) in /home/httpd/html/horde/imp/lib/MIME/Contents.php on line 173

'''/var/log/httpd/error_log'''
Allowed memory size of 33554432 bytes exhausted (tried to allocate 0 bytes)

The default MemoryLimit setting in PHP is set to 32M the value can be changed using the commands below replacing ''XX'' with the value you desire.
{{Note box|You can set the MemoryLimit any value you like but be sure to add the capital M as a suffix for Megabytes.}}
db configuration setprop php MemoryLimit XXM
expand-template /etc/php.ini
sv t httpd-e-smith

===Disable mail to a user from an external network===
However, this seems to only affect /var/qmail/control/badrcptto - denying external delivery to your users but allowing outbound emails:
http://forums.contribs.org/index.php?topic=40449.5

Can be either a user, pseudonym or group
db accounts setprop groupname/username/pseudonym Visible internal
signal-event email-update

If you want to remove
db accounts delprop groupname/username/pseudonym Visible
signal-event email-update

*If you need to restrict emails for all users you can perform this command line

db accounts show | awk -F "=" '/\=user/ {print $1}' |while read USER; do db accounts setprop $USER Visible internal; done
signal-event email-update

If you want to remove
db accounts show | awk -F "=" '/\=user/ {print $1}' |while read USER; do db accounts delprop $USER Visible; done
signal-event email-update
{{Note box|Please note that admin and other system accounts can not be hidden from external network this way.

Also note that Pseudonyms can be set to internal only using the server-manager.}}

===I can't receive mail at: user@mail.domain.tld===
Add mail.domain.tld as a virtualdomain.
-login to SERVER-MANAGER
-click DOMAINS (on the left)
-click ADD
-type: mail.domain.tld

===How do I find out who is logged into webmail and what IP number.===
This is logged is in /var/log/messages.

===Allow SMTP relay of mail without encryption/authentication===

Change the configuration of the system from the default, so that it no longer requires encryption/authentication before allowing relaying of mail.

* For most case, you really want to allow few specific clients on your LAN or trusted networks, this is done by setting a coma separated list of ip this way (replace IP1, IP2, IP3 by valid ips).
config set qpsmtpd UnauthenticatedRelayClients IP1,IP2,IP3
signal-event email-update

* In some case you would have a whole dedicated network with appliances needing to send email without auth, this is done this way
db networks setprop {$network} RelayRequiresAuth disabled
signal-event email-update

* In case you needs are not fulfilled because you need to accommodate a list of remote IP or a sub network of a larger trusted network, you can create a custom template. Here for reference the accepted formats:
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients
# a subnetwork by only using a prefix of full ip
echo "10.10.0.">> /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80custom
# an external ip
echo "99.10.1.23" >> /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80custom
# an external network you control
echo "164.163.12.1/30" >> /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80custom
signal-event email-update

* Disable smtp authentication on all local interfaces as shown in [[Bugzilla: 6522]]

config setprop qpsmtpd RelayRequiresAuth disabled
signal-event email-update

===SMTP Authentication TLS before Auth disable & enable===
Since SME v7.5 the default for SMTP Authentication is 'requires TLS before Auth' to increase security.
Where a SME7.4 or earlier server with SMTP & SSMTP authentication enabled has been upgraded, users are now unable to send mail.
Users will need to enable TLS or Auto for the Authentication encryption setting in their email clients. Some older email clients and devices do not support TLS.

A fix was released in SME7.5.1 to allow this setting to be disabled (ie revert to SME7.4 functionality). Upgrade to SME7.5.1 before using these commands.

To disable this (AUTH without TLS) & revert to SME7.4 defaults do
config setprop qpsmtpd TlsBeforeAuth 0
signal-event email-update

To change back to the sme7.5 & greater default (AUTH with TLS) do
config setprop qpsmtpd TlsBeforeAuth 1
signal-event email-update
See http://forums.contribs.org/index.php/topic,46218.0.html

http://bugs.contribs.org/show_bug.cgi?id=5997

===Internet provider's outgoing port 25 is blocked: How to set an alternative outgoing port for the SMTP server===
If your Internet provider is blocking outgoing smtp port 25 on your internet connection but your provider is offering an alternative outgoing port (or when using some relay service) you can simply set this alternative port by adding it to the 'Address of Internet provider's mail server' value in the 'E-mail delivery settings' screen of the server-manager like this:
<internet providers mail server name or ip-address>:<alternative port>
For example: mail.mydomain.com:587

This setting does not alter the incoming smtp mail server port on SME server, which will still use port 25. Refer to a workaround in http://wiki.contribs.org/PortRedirect

===How do I enable and configure a disclaimer in email messages===
A disclaimer message can be added to the footer of all outgoing email messages.

The message can be the same for all domains or it can be different for all domains.

This functionality is part of sme7.2 release so make sure you have upgraded before doing this.

To create a general disclaimer for all domains on your sme server
config setprop smtpd disclaimer enabled
nano -w /service/qpsmtpd/config/disclaimer
Enter the required disclaimer text

To save & exit
Ctrl o
Ctrl x
To make the changes take effect
signal-event email-update

To create domain specific disclaimers, create seperate domain based disclaimer text files

Delete the general (all domains) disclaimer file if you have already created it
rm /service/qpsmtpd/config/disclaimer
config setprop smtpd disclaimer enabled
nano -w /service/qpsmtpd/config/disclaimer_domain1.com.au
nano -w /service/qpsmtpd/config/disclaimer_domain2.com
nano -w /service/qpsmtpd/config/disclaimer_domain3.org

Enter the required text in each disclaimer file

To save & exit
Ctrl o
Ctrl x
After making any changes remember to do
signal-event email-update

Note if you only wish to have a disclaimer for some domains, then only create a disclaimer text file for those domains

Note also the criteria for when a disclaimer is attached

(see http://bugs.contribs.org/show_bug.cgi?id=2648)

eg a disclaimer is added to internal to external messages but not internal to internal messages.

To disable the disclaimer function for all domains on your sme server
config setprop smtpd disclaimer disabled
signal-event email-update

===Email WBL server manager panel===

There is a server-manager contrib to allow GUI control of email white and black lists, detailed in the wiki article: [[:Email_Whitelist-Blacklist_Control]].

The panel allows easy configuration of functionality that is built into qmail, qpsmtpd and spamassassin. For more information google for qmail & qpsmtpd, read the spamassassin section in this wiki article and see [[:Email#Default_Plugin_Configuration default qpsmtpd plugin confguration]]).

There are two main sections, Blacklist and Whitelist, where you can control settings.

Note that there are subtle differences in syntax between whitelist and blacklist entries

Blacklist - Black lists are used for rejecting e-mail traffic

DNSBL status - DNSBL is an abbreviation for "DNS blacklist".
It is a list of IP addresses known to be spammers.
RHSBL status - RHSBL is an abbreviation for "Right Hand Side Blacklist".
It is a list of domain names known to be spammers.
qpsmtpd badhelo - Check a HELO message delivered from a connecting host.
Reject any that appear in badhelo during the 'helo' stage.
qmail badmailfrom - Check envelope sender addresses.
Reject any that appear (@host or user@host) in badmailfrom during the 'mail'
stage.
spamassassin blacklist_from - Any envelope sender of a mail (*@host or user@host) matching an
entry in blacklist_from will be rejected by spamassassin.

Whitelists - White lists are used for accepting e-mail traffic

Whitelists status - White Lists: ACCEPT
qpsmtpd whitelisthosts - Any IP address listed in whitelisthosts will be exempted
from any further validation during the 'connect' stage.
qpsmtpd whitelisthelo - Any host that issues a HELO matching an entry in whitelisthelo
will be exempted from further validation during the 'helo' stage.
qpsmtpd whitelistsenders - Any envelope sender of a mail (host or user@host) matching an
entry in whitelistsenders will be exempted from further validation
during the 'mail' stage.
spamassassin whitelist_from - Any envelope sender of a mail (*@host or user@host) matching an
entry in whitelist_from will be exempted from spamassassin rejection.

===How to block email from one address to another address with check_badmailfromto plugin===

Enable the check_badmailfromto plugin. Adapted from [http://forums.contribs.org/index.php/topic,35667.0.html this Forum post]

This is based heavily on the similar check_badmailfrom, but this plugin references both the
FROM: and TO: lines, and if they both are present in the badmailfromto
config file (a tab delimited list of FROM/TO pairs), then the message is
blocked as if the recipient (TO) didn't exist. This is specifically designed
to not give the impression that the sender is blocked (good for cases of
harassment).

====Prior SME9.2 : qpsmtpd check_badmailfromto plugin====
To control mail from external locations to internal locations do
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins
echo "check_badmailfromto" > /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31check_badmailfromto
ln -s /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31check_badmailfromto /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/31check_badmailfromto
signal-event email-update

To control mail sent from internal locations to internal locations, in addition to the above also do
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
ln -s /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31check_badmailfromto /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/31check_badmailfromto
signal-event email-update

====Since SME9.2 : qpsmtpd badmailfromto plugin====
remove previous templates, if you are updating
rm /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31check_badmailfromto \
/etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/31check_badmailfromto \
/etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/31check_badmailfromto

To control mail from external locations to internal locations do
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins
echo "badmailfromto" > /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31badmailfromto
ln -s /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31badmailfromto /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/31badmailfromto
signal-event email-update

To control mail sent from internal locations to internal locations, in addition to the above also do
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
ln -s /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31badmailfromto /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/31badmailfromto
signal-event email-update

====For Qmail====

Create and configure the badmailfromto custom template fragment
mkdir -p /etc/e-smith/templates-custom/var/qmail/control/badmailfromto
nano -w /etc/e-smith/templates-custom/var/qmail/control/badmailfromto/template-begin

Type in the From and To pairs that you want to stop email delivery for, with a tab between them and a carriage return at the end of the line, with additional pairs on a new line ie
user@bad-domain.com tab user@yourdomain.com enter
user@bad-domain2 tab user2@yourdomain enter

Note also that wildcards or blank spaces are not supported

eg
john@aol.com mary@yourdomain
bill@yahoo.com paul@yourdomain.com

then save using
Ctrl o
Ctrl x

Expand the template to update the /var/qmail/control/badmailfromto config file
expand-template /var/qmail/control/badmailfromto

Restart mail services
signal-event email-update

===Redirect mail.domain.net to Webmail===
Setup external dns records

Add mail.domain.net in Domains panel in server-manager
db domains setprop mail.dom.ain TemplatePath ProxyPassVirtualHosts ProxyPassTarget http://sme.dom.ain/webmail
signal-event remoteaccess-update

where http://sme.dom.ain/webmail is servername.domainname/webmail

===E-mail Retrieval===
http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter13#E-mail_Retrieval

If your ISP does not provide a custom sort field and you experience the following errors occuring when Multidrop is enabled and the "Select Sort Method (for multi-drop)" is set to Default:

fetchmail: warning: multidrop for pop3.mypopserver.com requires envelope option!
fetchmail: warning: Do not ask for support if all mail goes to postmaster!

and/or

fetchmail: warning: multidrop for my.isp.domain requires envelope option!
fetchmail: warning: Do not ask for support if all mail goes to postmaster!

Set "Select Sort Method (for multi-drop) to 'Received' or 'for'
As described at [[bugzilla:5602]] [[bugzilla:6483]]

===Domain Authentication===
{{WIP box|trex1512}}
Major mail hosting companies (Google, Yahoo, Microsoft) have made domain-authentication mandatory so as to not mark incoming mail as spam.

To facilitate this support for DomainKeys and DKIM signing needs to be enabled in SME's mail subsystem. These techniques require the adding of records in the DNS zone for the user's domain. The DKIM/DK/SPF/SenderID configuration has to be added to your your DNS server / registrar.

===How do I remove an email address from the everyone group===
By default, all users are automatically added to the user group "everyone". If you would like to remove a user from this group, connect to the server using SSH or locally log in to the server and issue the commands below. Be sure to substitute the name of the user you want to remove for the word username.

db accounts setprop username EveryoneEmail no
signal-event user-modify username

===How do I remove an email address from any regular group===
By default, all users member of a group "group1" are automatically added as recipients of mail sent to group1@domain. If you would like to remove a user from this group, connect to the server using SSH or locally log in to the server and issue the commands below. Be sure to substitute the name of the user you want to remove for the word username.

db accounts setprop group1 EmailExcludeUsers tom,jack
signal-event group-modify group1

If you want to prevent all the user members from another group "group2" from receiving emails addressed to group1@domain while they are also member of group1, you could connect to the server using SSH or locally log in to the server and issue the commands below. Be sure to substitute the name of the user you want to remove for the word username.

db accounts setprop group1 EmailExcludeGroups group2
signal-event group-modify group1

All members of the group will still be member for all other purpose (samba access to ibays as an example)

This behaviour is only available as per e-smith-qmail-2.4.0-7.sme see bug #9540

===Change the number of logs retained for qpsmtpd and/or sqpsmtpd===
The normal retention is 5 logs for both qpsmptd and sqpsmtpd. This may or may not fit all installations. This information is pulled from bugzilla.

Check your config to see if any change has been made to the default log retention rules. Note there are different rules for qpsmtpd and sqpsmtpd. You have to make changes to both as you require.
config show qpsmtpd
If the KeepLogFiles property isn't listed, the default rules apply. Determine how many logs you would like to keep and apply that to the following example. In the command below, 15 is used to keep 15 qpsmtpd logs.
db configuration setprop qpsmtpd KeepLogFiles 15
Restart multilog with the following.
sv t /service/qpsmtpd/log
Check that your setting saved.
ps aux | grep qpsmtpd | grep multi
Look for the line that ends with /var/log/qpsmtpd and verify the number after n equals your KeepLogFiles property from above.

==DKIM Setup - qpsmtpd version<0.96==

A plugin has been written and is available in SME

To activate it manually follow the steps below, or download a shell script that will do the server based stuff for you & guide you on the DNS stuff [ftp://ftp.gfitc.com.au:2121/e-smith/setup_dkim.sh setup_dkim.sh]:-

Note: I'd recommend reviewing the script first to make sure you're happy to run it on your system

Create a folder:
mkdir /var/service/qpsmtpd/config/dkimkeys/
Then:
cd /var/service/qpsmtpd/config/dkimkeys/
openssl genrsa -out dkim.private 1024
openssl rsa -in dkim.private -pubout -out dkim.public
chown qpsmtpd:qpsmtpd -R /var/service/qpsmtpd/config/dkimkeys/
chmod 0700 dkim.private
For each domain you want to sign:
cp -a dkim.private <fully qualified domain name>.private (less the <> brackets)
Then create a template fragment:
mkdir --parent /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
echo "dkim_sign keys dkim">/etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/69dkim_sign
signal-event email-update

Finally propagate your public key "dkim.public" content (<key text>) to your DNS.

Check with your DNS server / registrar. Something similar to the following should work but it varies depending on provider - replace <fully qualified domain name> with your doman details e.g "mydomain.org" (less the <> brackets):

When extracting the key text from the dkim.public file it's on multiple lines. For the key to work for us in the DNS TXT record we need to exclude the header & footer lines & have just the key text as a single line string (the setup_dkim.sh script provides this info in the format required).

default._domainkey.<fully qualified domain name> IN TXT "k=rsa; p=<key text>; t=y"

With Zonedit the following works within your Zone :

Subdomain : default._domainkey

Type : TXT

Text : "v=DKIM1;k=rsa; p=<key text>; t=y"

If you want to customize the signing you can add parameters to the line in /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/69dkim_sign. Parameters and value are separated by a space only.

#keys : "dk" or "domainkeys" for domainkey signature only, "dkim" for DKIM signature only, default "both" (n.b. above template example is dkim ONLY)
#dk_method : for domainkey method , default "nofws"
#selector : the selector you want, default "default"
#algorithm : algorithm for DKIM signing, default "rsa-sha1"
#dkim_method : for DKIM, default "relaxed"

NB: key files can not be defined in parameters, they need to be in /var/service/qpsmtpd/config/dkimkeys/{SENDER_DOMAIN}.private

{{Tip box|msg=You can verify that your settings are correct by sending an email to [mailto:check-auth@verifier.port25.com check-auth@verifier.port25.com], a free service the purpose of which is to verify if your domain does not contradict mail policies. Please check the answer carefully. See [[bugzilla:4558#c6]] }}

See also : [[bugzilla:8251]] [[bugzilla:8252]]

==DKIM Setup - qpsmtpd version >= 0.96==

Version 0.96 and above supports DKIM natively without the need for extra plugins.

All you have to do is to enable the DKIM signing and promulgate the DNS TXT entries to support it.

Enable the signing:
db configuration setprop qpsmtpd DKIMSigning enabled
signal-event email-update

and then run:
qpsmtpd-print-dns <domain name>

to show the DNS entry(s) required.

Then you have to update your DNS.

{{Tip box|msg=You can verify that your settings are correct by sending an email to [mailto:check-auth@verifier.port25.com check-auth@verifier.port25.com], a free service the purpose of which is to verify if your domain does not contradict mail policies. Please check the answer carefully. See [[bugzilla:4558#c6]] }}

also see [[bugzilla:9694]] and https://wikit.firewall-services.com/doku.php/smedev/qpsmtpd_096#documentation

More details are available [https://wiki.contribs.org/Email#Inbound_DKIM_.2F_SPF_.2F_DMARC here]

Incoming DKIM checking is also enabled out of the box.

In case you got a problem using the DKIM field provided with your DNS provider /registrar, please first contact them to ensure the problem is not how you try to enter the information. In the likelihood, you got "invalid field" or "too long field" errors and your provider is not able to help you or update its interface, you can generate a shorter DKIM key (with 1024 instead of the default 2048) this way:

cd /home/e-smith/dkim_keys/default
mv private private.long
mv public public.long
openssl genrsa -out private 1024
openssl rsa -in private -pubout -out public
chown qpsmtpd:qpsmtpd private
chown root:qpsmtpd public
chmod 0400 private
signal-event email-update
qpsmtpd-print-dns

===Outbound DKIM signing / SPF / DMARC policy FOR MULTIPLE DOMAINS===
The default DKIM key is created in /home/e-smith/dkim_keys/default. To enable DKIM signing for all the domains that you manage:
db configuration setprop qpsmtpd DKIMSigning enabled
signal-event email-update
If you want to disable dkim signing for a domain, you can use:
db domains setprop domain.com DKIMSigning disabled
signal-event email-update
The default behavior is to use the same key pair for all your domains. But you can create other key pairs for specific domain if you want. For example, if you want to use a specific key pair for the domain.net domain:
cd /home/e-smith/dkim_keys
mkdir domain.net
cd domain.net
echo default > selector
openssl genrsa -out private 2048
openssl rsa -in private -out public -pubout
chown qpsmtpd:qpsmtpd private
chmod 400 private
signal-event email-update
Now, the emails using a domain.net sender address will be signed by this new key instead of the default one.

==Domain Keys==

There is a plugin to check incoming mail has been signed

Please read here for more details : http://bugs.contribs.org/show_bug.cgi?id=4569

{{Warning box|msg=There is a plugin for signing with DomainKeys but it is not installed by default. It has not been tested on Koozali SME Server:

http://wiki.qpsmtpd.org/doku.php?id=plugins:spam:domainkeys_sign}}

==Other information==

DomainKeys seem to be deprecated in favour of DKIM.

The DomainKeys plugin only CHECKS incoming email. Spamassassin checks for DKIM.

===Temporary_error_on_maildir_delivery===

In certains cases you have some mailboxes which can't delivery messages and the qmail log say:

deferral: Temporary_error_on_maildir_delivery._(#4.3.0)/

It is probably that your users want to go beyond the upper limit of their quota, [[SME_Server:Documentation:Administration_Manual:Chapter9#Quotas|so you have to increase it]]. This could solve their problems.

==External Access==
===Allow external IMAP mail access===
There was a deliberate decision to remove non-SSL protected username/password
services from the external interface.

{{Warning box|Keep in mind that your passwords, your data won't be protected and will be in clear text over Internet}}

to allow '''unsecure IMAP access'''

config setprop imap access public
signal-event email-update

But before you do this try to use secure IMAP (IMAPS or imap over ssl) with port 993 

===POP3 & webmail HTTP===
I want to set my SMESERVER to allow POP3 (or webmail HTTP) but it's not an option, I only see POP3S (or webmail HTTPS).

The SMESERVER is secure by design. POP3 (or webmail HTTP) is viewed as inadequate security and removed as an option from a standard installation to encourage unknowing administrators to select the 'best practice' option -a secure connection with POP3S, IMAPS, or HTTPS.
{{Warning box|Keep in mind that your passwords, your data won't be protected and will be in clear text over Internet}}
You can still set your SMESERVER to allow POP3 settings by:
config setprop pop3 access public
signal-event email-update

===Allow external pop3 access===

Email settings > POP3 server access in SME 7.1 server-manager allows only pop3s protocol for clients outside the LAN. Some email clients (eg The Bat! v3.98.4) won't allow pop3s connections to SME 7.1 because of ssl version conflict. Until this is sorted out, a workaround is to hack SME to allow regular pop3 on the external interface using the following commands.
{{Warning box|Keep in mind that your passwords, your data won't be protected and will be in clear text over Internet}}
config setprop pop3 access public
signal-event email-update
svc -t /service/pop3s

more information [[bugzilla:2620]]

==Imap==
===Folders with a dot in name===
Email folder names that have a period ('.') in the folder name, will be split into sub-folders.
e.g. folder name 'www.contribs.org' is created as
www
contribs
org
===Dovecot Idle_Notify===
Poor battery consumption issues has been reported with K9-mail on recent Android systems. It is apparent one way of helping this is to modify the imap_idle_notify setting. The default is in Dovecot, and therefore on SME is 2 minutes.

K9 has an idle refresh of 24 mins but it seems with Dovecot defaults at 2 mins it causes lots of wake ups and battery drain.

This is configurable via a config db property.

Default on install
# config show dovecot
dovecot=service
Quotas=enabled
status=enabled

Set dovecot Idle_Notify to 20 minutes

# config setprop dovecot Idle_Notify 20
# config show dovecot
dovecot=service
Idle_Notify=20
Quotas=enabled
status=enabled

Expand template to update *.conf (can also issue a full reconfigure/reboot)

# expand-template /etc/dovecot/dovecot.conf
# dovecot -a |grep imap_idle_notify_interval
imap_idle_notify_interval = 20 mins

==qpsmtpd==
SME uses the [http://smtpd.develooper.com qpsmtpd] smtp daemon.

===Official Description===
qpsmtpd is a flexible smtpd daemon written in Perl. Apart from the core SMTP features, all functionality is implemented in small "extension plugins" using the easy to use object oriented plugin API.

qpsmtpd was originally written as a drop-in qmail-smtpd replacement, but now it also includes smtp forward, postfix, exim and maildir "backends".

qpsmtpd wiki: http://wiki.qpsmtpd.org

===Log watching tool===
qplogtail is a script to to monitor /var/log/qpsmtpd/current, see [[bugzilla:3418]]

===Qpsmtpd for SME versions 9.1 and earlier===
{{Warning box|Please note that the version of qpsmtpd has been upgraded for SME version 9.2 and later to qpsptpd version 0.96. This change has resulted in a lot of changes to the way it works, the plugins (and their names!) and the corresponding database entries, so this section ONLY applies to SME Version 9.1 and earlier, except where the plugin has been retained, See the next section for the new details.}}
====Default Plugin Configuration====
SME uses the following [http://wiki.qpsmtpd.org/plugins qpsmtpd plugins] to evaluate each incoming email.

SME maintains 2 distinct configurations: one for the 'local' networks (as defined in server-manager::Security::Local networks) and another for 'remote' networks (everyone else).

The default configuration of each plugin is indicated in the 'Default Status' column.
{| width="100%" cellspacing="0" cellpadding="5" border="1"
!Plugin
!Purpose
!Default Status
|-
|hosts_allow
|Prohibit more than "InstancesPerIP" connections from any single host (change with 'config setprop smtpd InstancesPerIP'). Allow or deny connections according to the contents of /var/service/qpsmtpd/config/hosts_allow. See [http://svn.perl.org/qpsmtpd/trunk/plugins/hosts_allow hosts_allow SVN code] for more details.
|[http://bugs.contribs.org/show_bug.cgi?id=3352 enabled]
|-
|peers
|Allow different plugin configuration based on the sending computer's IP address. By default SME maintains different configurations for the local networks (in /var/service/qpsmtpd/config/peers/local) and for everyone else (in /var/service/qpsmtpd/config/peers/0)
|enabled
|-
|logging/logterse
|Allow greater logging detail using smaller log files. Optionally supports [[Email_Statistics#qplogsumm.pl|qplogsumm.pl]] to compile qpsmtpd statistics.
|enabled
|-
|auth/auth_cvm_unix_local
|Allow authenticated smtp relay
|enabled (remote) '''disabled (local)'''
|-
|[[qpsmtpd_check_earlytalker|check_earlytalker]]
|reject email from servers that talk out of turn
|enabled (remote) '''disabled (local)'''
|-
|count_unrecognized_commands
|reject email from servers that issue ''X'' invalid commands
|enabled (remote) '''disabled (local)'''
|-
|bcc
|bcc all email to a specific address for archiving
|'''disabled'''
|-
|check_relay
|Check to see if relaying is allowed (in case the recipient is not listed in one of SME's local domains)
|enabled
|-
|check_norelay
|Check to see if the sending server is specifically forbidden to relay through us.
|enabled
|-
|require_resolvable_fromhost
|Check that the domain listed in the sender's email address is resolvable
|enabled (remote) '''disabled (local)'''
|-
|check_basicheaders
|reject email that lacks either a From: or Date: header
|enabled
|-
|rhsbl
|Reject email if the sender's email domain has a reputation for disregarding smtp RFCs.
|'''disabled''' (always disabled for local connections)
|-
|dnsbl
|Reject email from hosts listed in your configured dnsbl servers
|'''disabled'''
|-
|check_badmailfrom
|Reject email where the sender address is listed in /var/service/qpsmtpd/config/badmailfrom
|enabled
|-
|check_badrcptto_patterns
|Reject email addressed to any address matching an expression listed in /var/service/qpsmtpd/config/badrcptto_patterns
|enabled
|-
|check_badrcptto
|Reject email addressed to any address listed in /var/service/qpsmtpd/config/badrcptto
|enabled
|-
|check_spamhelo
|Reject email from hosts that say 'helo ...' using a value in /var/service/qpsmtpd/config/badhelo
|enabled
|-
|check_smtp_forward
|If ''config show DelegateMailServer'' or ''db domains show <domainname> MailServer'' is set (telling SME to deliver email for all domains or just <domainname> to another server), check_smtp_forward will connect to the specified server and will reject the message outright if the internal mail server would also reject it.
|'''disabled''' unless an internal mail server is configured.
|-
|check_goodrcptto
|Accept email only if the recipient address matches an entry in /var/service/qpsmtpd/config/goodrcptto. For domains that are configured to use an internal mail server, the entire domain name will be added to .../goodrcptto.
|enabled
|-
|rcpt_ok
|Return 'OK' if none of the other host checks has returned 'DENY' (??)
|enabled
|-
|pattern_filter
|Reject email according to content patterns (??)
|'''disabled'''
|-
|tnef2mime
|Convert MS TNEF (winmail.dat) and uuencoded attachments to MIME
|enabled
|-
|disclaimer
|Add a configurable disclaimer to email messages
|'''disabled'''
|-
|spamassassin
|Check email using spamassassin, and optionally reject it completely if the score exceeds a configurable value.
|'''disabled''' (always disabled for local connections)
|-
|virus/clamav
|Scan incoming email with ClamAV
|enabled
|-
|queue/qmail-queue
|Deliver the incoming message to qmail for delivery.
|enabled
|-
|}

===Qpsmtpd for SME versions 9.2 and Later===
{{Warning box|Please note that the version of qpsmtpd has been upgraded for SME version 9.2 and later to qpsmtpd version 0.96. This change has resulted in a lot of changes to the way it works, the plugins (and their names!) and the corresponding database entries, so this section ONLY applies to SME Version 9.2 and later version, see the previous section for the details.}}

This section has been taken from the notes prepared by the dev who made the changes, the wiki is [https://wikit.firewall-services.com/doku.php/smedev/qpsmtpd_096#documentation here].

Here is a list of the plugins in use, and a note of any changes that might have occurred:

*logterse: no change
*tls: no change
*auth_cvm_unix_local: no change
*check_earlytalker: '''renamed earlytalker'''
*count_unrecognized_commands: no change
*bcc: no change
*check_relay: '''renamed relay'''
*check_norelay: '''merged into the relay plugin'''
*require_resolvable_fromhost: '''renamed resolvable_fromhost'''
*check_basicheaders: '''renamed headers'''
*rhsbl: no change
*dnsbl: no change
*check_badmailfrom: '''renamed badmailfrom'''
*check_badrcptto_patterns: '''doesn't exist anymore, merged with badrcptto'''
*check_badrcptto: '''renamed badrcptto'''
*check_spamhelo: '''renamed helo'''
*check_smtp_forward: no change
*check_goodrcptto: no change
*rcpt_ok: no change
*pattern_filter: no change
*tnef2mime: no change
*spamassassin: no change
*clamav: no change
*qmail-queue: no change

Here is a section for each of the new plugins which are installed by default. The ones that have not changed are documented [https://wiki.contribs.org/Email#Default_Plugin_Configuration above].

====Karma====

The karma plugin tracks sender history. For each inbound email, various plugins can raise, or lower the "naughtiness" of the connection (eg, if SPF check passes, if the message is spammy etc...). For each host sending us email, the total number of connections, and the number of good and bad connections is recorded in a database. If a host as more bad than good connections in its history, emails will be rejected for 1 day. 3 settings are available for this plugin:

*Karma (enabled|disabled): Default value is disabled. Change to enabled to use the plugin 
*KarmaNegative (integer): Default value is 2. It's the delta between good and bad connection to consider the host naughty enough to block it for 1 day. Eg, with a default value of two, a host can be considered naughty if it sent you 8 good emails and 10 bad ones 
*KarmaStrikes (integer): Default value is 3. This is the threshold for a single email to be considered good or bad. Eg, with the default value of 3, an email needs at least 3 bad karmas (reaches -3) for the connection to be considered bad. On the other side, 3 good karmas are needed for the connection to be considered good. Between the two, the connection is considered neutral and won't be used in the history count

Example:
db configuration setprop qpsmtpd Karma enabled KarmaNegative 3
signal-event email-update

====URIBL====

The URIBL plugin works a bit like RHSBL, except that it checks domain names found in the body of the email. For each URI identified, the corresponding domain name can be submitted to a BL list (through DNS queries). Two settings are available:

*URIBL (enabled|disabled): Default is disabled. Set this to enabled to use the plugin
*UBLList: (Comma separated list addresses): Default value is '''multi.surbl.org:8-16-64-128,black.uribl.com,rhsbl.sorbs.net'''. This can be the same as RBLList. You can also set bitmask to use for combined lists (in the default value, the bitmask is 8-16-64-128)

Example:
db configuration setprop qpsmtpd URIBL enabled UBLList multi.surbl.org,black.uribl.com
signal-event email-update

====Helo====

Previously, the helo plugin was just checking for some known bad helo hostnames used by spammers (aol.com and yahoo.com). Now, it can check much more than that. This plugin is always enabled and has a single setting:

*HeloPolicy: (lenient|rfc|strict). The default value is '''lenient'''.

See https://github.com/smtpd/qpsmtpd/blob/master/plugins/helo for a description of the various tests done at each level

Example:
db configuration setprop qpsmtpd HeloPolicy rfc
signal-event email-update

====Inbound DKIM / SPF / DMARC====

DMARC is a policy on top of DKIM and SPF. By default, SPF and DKIM are now checked on every inbound emails, but no reject is attempted. The dmarc plugin can decide to reject the email (depending on the sender policy). dkim and spf plugins are always enabled. dmarc has two settings:

*DMARCReject (enabled|disabled): Default value is disabled. If set to enabled, the dmarc plugin can decide to reject an email (if the policy of the sender is to reject on alignment failure) 
*DMARCReporting (enabled|disabled): Default value is enabled. If set to enabled, enable reporting (which is the '''r''' in dma'''r'''c). Reporting is a very important part of the DMARC standard. When enabled, you'll record information about email you receive from domains which have published a DMARC policy in a local SQLite database (/var/lib/qpsmtpd/dmarc/reports.sqlite). Then, once a day, you send the aggregate reports to the domain owner so they have feedback. You can set this to disabled if you want to disable this feature 
*SPFRejectPolicy (0|1|2|3|4): Default value is 0. Set the policy to apply in case of SPF failure when the sender hasn't published a DMARC policy. Note: this is only used when no DMARC policy is published by the sender. If there's a DMARC policy, even a "p=none" one (meaning no reject), then the email won't be rejected, even on failed SPF tests.

:*0: do not reject anything
:*1: reject when SPF says fail
:*2: reject when SPF says softfail
:*3: reject when SPF says neutral
:*4: reject when an error occurred (like a syntax error in SPF entry) or if no SPF entry is published

*Inbound DKIM checks are only used by DMARC. No reject solely based on DKIM is supported

Example:
db configuration setprop qpsmtpd DMARCReject disabled SPFRejectPolicy 2
signal-event email-update
====Outbound DKIM signing / SPF / DMARC policy====

Everything is now ready for you to sign your outbound emails, and publish your public key, as well as your SPF and DMARC policy. A default DKIM key is created in /home/e-smith/dkim_keys/default. To enable DKIM signing for all the domain you manage:
db configuration setprop qpsmtpd DKIMSigning enabled
signal-event email-update

If you want to disable dkim signing for a domain, you can use:
db domains setprop domain.com DKIMSigning disabled
signal-event email-update

The default behavior is to use the same key pair for all your domains. But you can create other key pairs for specific domain if you want. For example, if you want to use a specific key pair for the domain.net domain:
cd /home/e-smith/dkim_keys
mkdir domain.net
cd domain.net
echo default > selector
openssl genrsa -out private 2048
openssl rsa -in private -out public -pubout
chown qpsmtpd:qpsmtpd private
chmod 400 private
signal-event email-update

Now, the emails using a domain.net sender address will be signed by this new key instead of the default one.

====Publishing your DNS entries====

Signing your outbound emails is just part of the process. You now need to publish some DNS entries so everyone can check if the email they receive matches your policy. This part is not to be done on your SME Server, but on your public DNS provider. A script helps you by creating some sample DNS entries already formatted for a bind-like zone file. To use it:
qpsmtpd-print-dns <domain name>
If omitted, the primary domain name is assumed.

Example output:
Here are sample DNS entries you should add in your public DNS
The DKIM entry can be copied as is, but others will probably need to be adjusted
to your need. For example, you should either change the reporting email adress
for DMARC (or create the needed pseudonym)

default._domainkey IN TXT "v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs/Qq3Ntpx2QNdRxGKMeKc2r9ULvyYW633IbLivHznN9JvjJIbS54PGIEk3sSxvZSdpTRAvYlxn/nRi329VmcDK0vJYb2ut2rnZ3VO3r5srm+XEvTNPxij5eU4gqw+5ayySDjqzAMEMc5V7lUMpZ/YiqnscA075XiMF7iEq8Quv1y0LokmgwtxzOXEZap34WXlKyhYzH+D""fabF6SUllmA0ovODNvudzvEOanPlViQ7q7d+Mc3b7X/fzgJfh5P9f5U+iSmzgyGctSb6GX8sqsDMNVEsRZpSE3jd2Z33RDWyW21PGOKB/ZrLiliKfdJbd3Wo7AN7bWsZpQsei2Hsv1niQIDAQAB"
@ IN SPF "v=spf1 mx a -all"
@ IN TXT "v=spf1 mx a -all"
_dmarc IN TXT "v=DMARC1; p=none; adkim=s; aspf=r; rua=mailto:dmarc-feedback@domain.net; pct=100"
All you have to do now is publish those records, but do note that there is a point to consider when publishing the default._domainkey DNS record, as produced by the ''qpsmtpd-print-dns'' command: if the DNS record includes '';t=y'' then as per the DKIM specification ([http://dkim.org/specs/rfc4871-dkimbase.html#keys RFC4781 section 3.6.1]) this means that your ''"...domain is testing DKIM. Verifiers MUST NOT treat messages from signers in testing mode differently from unsigned email, even should the signature fail to verify. Verifiers MAY wish to track testing mode results to assist the signer."''

On the other hand, if no '';t=y'' is included, then it means you are intending to use DKIM in production mode. It might be a good idea to publish the DKIM DNS record first in testing mode ('';t=y'' included), check how things go and if everything is alright, remove the '';t=y'' part.

====Testing====
You can install spfquery:

yum --enablerepo=epel install libspf2 libspf2-progs

Usage (try -help for help):

spfquery -ip=11.22.33.44 -sender=user@aol.com -helo=spammer.tld

Check record via dig

dig -t TXT +short somedomain.co.uk

====Load====
The loadcheck plugin can temporarily deny inbound emails if your server is overloaded. This plugin is always enabled and has a single setting:

*MaxLoad (int number): Default is 7. If your load is above this value, emails from the outside will be deferred.

===Other QPSMTPD Plugins===
The following qpsmtpd plugins will work on a SME server, but are either not included or are not configured by default.
{| width="100%" cellspacing="0" cellpadding="5" border="1"
!Plugin
!Purpose
!Default Status
|-
|[[Qpsmtpd_connection_time|connection_time]]
|Track the total time for each qpsmtpd connection from 'Accepted connection' through 'click, disconnecting', and output the results to the qpsmtpd log file.
|not installed - not clear if this works for SME9.2 (anyone?)
|-
|[[GeoIP]]
|Track the geographic origin of incoming email and optionally reject email from specified countries
|not installed - does work for SME 9.2 and later.
|}

==Internal or External Mail Servers==
SME can be configured as a spam and antivirus filter for one or more "Internal or External" mail servers on a domain-by-domain basis. The mail server specified does not have to be on the same local network as your SME server, & can be hosted on an external site.

===Deliver ALL email to a single internal or external mail server===
You can set the default delivery location for all domains on your SME server to a single ''internal or external'' mail server by setting the mail server address in server-manager::Configuration::E-mail::Change e-mail delivery settings::Address of internal mail server.

Note: ''Address of internal mail server'' must be blank if you want any email delivered to the SME server itself.

===Deliver email for one domain to an internal or external mail server===
You can override the default email delivery destination for individual domains on your SME server (forwarding all email for the specified domain to another server) as follows:

First, create the necessary virtual domains using server-manager::Configuration::Domains::Add Domain.

Then, (assuming your domain is called ''test.com'' and the actual mail server is at ''a.b.c.d'' issue the following commands:
db domains setprop test.com MailServer a.b.c.d
signal-event email-update

A FQDN can also be used for the MailServer property, eg ''aspmx.l.google.com'' instead of the IP address ''a.b.c.d''

db domains setprop test.com MailServer aspmx.l.google.com
signal-event email-update

Remove the internal or external mail server (and return email delivery for ''test.com'' to the default for your SME server) using:
db domains delprop test.com MailServer
signal-event email-update

==Secondary/Backup Mail Server Considerations==

Many people misunderstand the issues of using a secondary or backup
mail server (backup MX) to hold your mail before it gets delivered
to your SME Server. If you consider putting a backup mail server in
place because you are concerned about lost mail because your internet
connection may occasionally drop out, think again and consider the issues
discussed below.

===What is ''Backup MX''===

A backup MX is a system whereby through your DNS records you tell other
servers on the internet that in order to deliver mail to your domain they
first need to try the primary MX record and if they fail to connect they
can try to connect to one or more of your listed backup or secondary mail
servers. See also http://en.wikipedia.org/wiki/MX_record

===The process of delivering email to your SME Server===

So lets look at how mail gets delivered without and with a
''backup mx'' when your Internet link, ISP or server is down.

===='''Without''' a backup MX====

*The sending mail server cannot connect to your server.
*The sending mail server MUST queue the mail and try again later.
*The mail stays on the sender's server.
*The sender's server resends the mail at a later date.

''The requirement to re-queue is a fundamental part of the SMTP protocol - ''
it is not optional. So, if your server is '''offline''' due to a link or ISP
outage, '''the mail just stays at the sender's server until you are once '''
again reachable'''.'''

===='''With''' a backup MX====

*The sending mail server cannot contact your server.
*The sending mail server sends the mail to your secondary MX.
*The secondary MX queues the mail until your link/server is up.
*The mail is queued on an '''untrusted''' third-party mail server (''think about confidential mail between your company and some business partner'').
*The sending mail server's administrator ''thinks'' it has been delivered, according to their logs.
*You have no, or little, visibility over the queued mail.
*When your link comes up, the secondary MX sends the mail on to your server.
*You have added more hops, more systems and more delay to the process.

If you think that a backup MX will protect against broken mail servers
which don't re-queue, you can't. Those servers will drop mail on the floor
at random times, for example when ''their'' Internet link is down.

Those servers are also highly likely to never try your backup MX.

Thankfully those servers are mostly gone from the Internet, but adding a
secondary MX doesn't really improve the chances that they won't drop mail
destined for your server on the floor.

===Backup MX and SPAM Filtering===

On top of the issue, indicated above, there is another issue to consider
and that is what happens with SPAM due to the use of a ''Backup MX''.

Your SME Server takes care of filtering a lot of SPAM by checking on the full
username & domain at the time it is received.

For example if your server hosts '''example.com''' and someone sends
mail to '''joeuser@example.com''', the server will '''only''' accept the mail
if joeuser is a local user/alias/group/pseudonym on the server.
Otherwise, the mail is rejected during the SMTP transaction.

A backup mail server however, generally does not have a full list of
users against which it can check if it should accept the mail for the given
domain. Hence it will accept mail for ''invalid'' users.

So:

*If you trust the secondary MX, you will accept a lot of SPAM when the link comes up.
*If you don't trust it, you will cause a lot of SPAM backscatter as the mail has been accepted at the secondary MX and then later bounced by you.
*Stopping backscatter is why SME Server rejects invalid addresses during the initial SMTP transaction.

The SPAM backscatter can only be stopped if the secondary MX has a full list
of users for your domain to allow filtering to occur.

But:

*You need to be able to configure this secondary MX with such user/domain lists
*You need to maintain these secondary configurations when users are added/deleted from your primary server configuration
*You need to test (regularly) if the secondary is successfully accepting/rejecting mail as required.

Quite a few sites have lost lots of mail through misconfigured backup MX servers. Unfortunately, the time when you find
out they are misconfigured is when you go to use them, and then you find that the backup MX has changed configuration and bounced all of your mail.

Then you realise that this mail could have queued at the sender's site if there hadn't been a broken secondary MX bouncing the mail for you.

*If you bounce mail at your server, you have logs to show what's wrong.
*If your secondary MX bounces your mail, you usually have no way to determine what happened other than via reports from the original senders that your mail bounced.

===Summary===

In summary, if your server/Internet connection is available most (let's say >90%) of
the time, you are generally better off without a secondary MX.

If your server/link is down more than this (e.g. dialup), you should not be delivering mail
directly to your server.

If you still want to consider setting up a seconday MX, ensure that:

*you have fully control of the configuration of each of the email gateways for your domain
*each gateway can make decisions on whether to accept/reject mail for the users at the domain

==Mail server on dynamic IP==
===Problems with running a mail server on SME server using a dynamic external IP from ISP===

This information comes from http://bugs.contribs.org/show_bug.cgi?id=2057#c10

This is the chronological sequence of events that leads to issues with mail servers on dynamic IPs:

1) Server gets dynamic IP

2) Reboot/power fail (without updating dynamic DNS to "offline")

3) Another server/someone else is allocated your old IP while your server is down

4) The other server/person is running a mail server

5) The other server either gets your mail (which is bad) or bounces your mail (also bad)

You have no control over this issue and you will lose mail when it happens. If you have a dynamic IP, the recommended approach is to get someone with a static IP to queue your inbound mail and send it to you on a non-standard port, preferably with an authentication mechanism which queues the mail if the auth fails, just in case someone else happens to have a mail server on the same port (while highly unlikely, this is possible).

Whether this issue is really a problem to end users, depends on how much you "value" your mail. For a home user having their own mail server, it is probably not a great problem if some messages should happen to go astray, but for all other classes of users, you should really avoid running a mail server on a dynamic IP, without implementing a suitable queueing workaround as suggested. Some ISPs change the IP very infrequently eg yearly, so in those cases it is also not a significant problem. Many/most ISP's will issue a new IP every time a connection is lost & re-established, so these situations are more problematic.

==How to re-apply procmail rules==

If you have a folder of email that needs to have the procmail rules applied, then the trick is to be logged in as the email user, and then position your self in the home directory, and then this works:
su <username> -s /bin/bash
cd ~
for m in <fullpath to maildirectory>/cur/*; do echo $m; procmail < $m && rm $m; done

<noinclude>
[[Category:Mail]]
[[Category:Howto]]
</noinclude>

SMEServer Nextcloud

2026-01-06T12:09:30Z

Rdswikiadmin: Created page with "Copied from; https://wiki.koozali.org/Nextcloud {{Languages}}   {{#vardefine:contribname| {{lc: {{#titleparts: {{BASEPAGENAME}} |1}} }} }} {{#vardefine:smecontribname| smeserver-{{lc: {{#titleparts: {{BASEPAGENAME}} |1}} }} }}  {{#vardefine:lang| {{lc: {{#titleparts..."

Copied from; https://wiki.koozali.org/Nextcloud

{{Languages}}


{{#vardefine:contribname| {{lc: {{#titleparts: {{BASEPAGENAME}} |1}} }} }}
{{#vardefine:smecontribname| smeserver-{{lc: {{#titleparts: {{BASEPAGENAME}} |1}} }} }}

{{#vardefine:lang| {{lc: {{#titleparts: {{PAGENAME}} | | -1}} }} |en }}
{{Infobox contribs
|name={{#var:contribname}}
|image=Nextcloud_Logo.svg
|description_image= {{#var:contribname}} logo
|maintainer= Unnilennium
|licence= AGPLv3
|url= https://nextcloud.com
|category= Cloud
|tags=cloud,files,dropbox,seafile,pydio,ajaxplorer,owncloud
}}
===Maintainer===

[[User:Unnilennium|Jean-Philippe Pialasse]]

=== Version ===

{{#smeversion: {{#var:smecontribname}} }}
{{#smeversion: nextcloud-src }}

=== Description ===
Nextcloud is a suite of client-server software for creating and using file hosting services. It is functionally similar to Dropbox, although Nextcloud is free and open-source, allowing anyone to install and operate it on a private server.

As per SME Server Keep It Simple, all your ibays and home folders will be accessible through the nextcloud interface using the "external files" app. You will also have your main user user Nextcloud folder saved under /home/e-smith/files/owncloud/data which is in the default backup path. So you can now enjoy both your own cloud repository with access to the very same files on your samba share!

How do I add my SME users ? They are already there ! Just tell them to connect to https://mydomain/nextcloud. You can also add external users or allow them to register with a nextcloud app.

What are the admin ? By default you have a nextcloudadmin user and the regular SME admin user. First one use the password you can see with "config getprop nextcloud AdminPassword", and second one, well, just use your regular admin password. Then you can manage apps, external files repos and admin group membership.

=== Installation ===

<tabs container="">
<tab name="For sme11">
yum install {{#var:smecontribname}} --enablerepo=smecontribs

</tab>
<tab name="For sme10">
yum install {{#var:smecontribname}} --enablerepo=smecontribs

you might need a second event or sometime ibays folder is not visible
signal-event nextcloud-update

</tab>
<tab name="For sme9">
You do not need to follow the Repo pages of [https://wiki.contribs.org/Fws fws] and [https://wiki.contribs.org/Remi-safe remi-safe] to install those two needed repos, instead use the packages to install them followed by a yum-modify event. Then run the main installation.
yum install smeserver-extrarepositories-remi-safe smeserver-extrarepositories-fws smeserver-extrarepositories-epel
signal-event yum-modify
yum install {{#var:smecontribname}} --enablerepo=smecontribs,epel,fws
signal-event webapps-update
service php-fpm start
service php71-php-fpm start
service php72-php-fpm start
service php73-php-fpm start
signal-event nextcloud-update

you can skip the service php-fpm* commands if it was already installed and running before the installation of nextcloud

then you can do the following and you can safely ignore the signal-event post-upgrade reboot if prompted, unless you also installed other packages that needs to do so.
config set UnsavedChanges no

or do
signal-event post-upgrade
signal-event reboot
then
signal-event nextcloud-update

if you want to add SME user admin as administrator of nextcloud do
OCC group:adduser admin admin
</tab>
</tabs>

you might want to set your default phone region (use your country 2 letter code - low case)
occ config:system:set default_phone_region --value="us"

you might want to have nextcloud accessible to the Internet
config setprop nextcloud access public
signal-event nextcloud-update
if you want to keep access only to <nowiki>https://YOURDOMAIN/nextcloud</nowiki>, you might want to use pretty URL (without index.php in it)
occ config:system:set htaccess.RewriteBase --type string --value "/nextcloud"
occ maintenance:update:htaccess

=== Use a dedicated domain to connect to Nextcloud ===
<tabs container="">
<tab name="For sme11">
first change the first line variable content with you nextcloud domain as defined with your DNS provider.
<syntaxhighlight lang="bash">
NEXTCLOUDDOMAIN="cloud.mydomain.com"
db domains set $NEXTCLOUDDOMAIN domain Description "Nextcloud" Content Primary Nameservers internet TemplatePath NextcloudVirtualHost letsencryptSSLcert enabled
signal-event domain-create $NEXTCLOUDDOMAIN
</syntaxhighlight>

# this one to let nextcloud DAV be redirect correctly and to have collabora and notify_push recognize the domain ### IN PROGRESS###
<syntaxhighlight lang="bash">
config setprop nextcloud VirtualHost $NEXTCLOUDDOMAIN
signal-event nextcloud-update
</syntaxhighlight>

# only if you use a Let's Encrypt certificate
<syntaxhighlight lang="bash">
expand-template /etc/dehydrated/domains.txt
dehydrated -c
</syntaxhighlight>

if you want to use only your dedicated domain and no subdir access, you can enable pretty URL this way
<syntaxhighlight lang="bash">
occ config:system:set htaccess.RewriteBase --type string --value "/"
occ maintenance:update:htaccess
config setprop nextcloud AliasOnPrimary disabled
signal-event nextcloud-update
</syntaxhighlight>
to restore without pretty url and dual access
<syntaxhighlight lang="bash">
occ config:system:delete htaccess.RewriteBase
occ maintenance:update:htaccess
config delprop nextcloud AliasOnPrimary
signal-event nextcloud-update
</syntaxhighlight>

</tab>
<tab name="For sme10">
first change the first line variable content with you nextcloud domain as defined with your DNS provider.
<syntaxhighlight lang="bash">
NEXTCLOUDDOMAIN="cloud.mydomain.com"
db domains set $NEXTCLOUDDOMAIN domain Description "Nextcloud" Content Primary Nameservers internet TemplatePath WebAppVirtualHost DocumentRoot /usr/share/nextcloud RequireSSL enabled letsencryptSSLcert enabled
signal-event domain-create $NEXTCLOUDDOMAIN

# this one to let nextcloud DAV be redirect correctly and to have collabora recognize the domain
config setprop nextcloud VirtualHost $NEXTCLOUDDOMAIN
signal-event nextcloud-update

# only if you use a Let's Encrypt certificate
expand-template /etc/dehydrated/domains.txt
dehydrated -c

</syntaxhighlight>
</tab>
</tabs>

=== Configuration ===
{| class="wikitable"
!property
!default
!values
!
|-
|AdminPassword
|GENERATED
|string
|password for your main admin user for nextcloud (*)
|-
|AdminUser
|nextcloudadmin
|string
|main admin user for your installation (*)
|-
|cliurl
|enabled
|enabled,disabled
|force overwrite.cli.url to https://domain/nextcloud or https://domain if virtualhost is set; disable it if you have specific needs and then use occ command to set your value
|-
|DbName
|nextcloud
|string
|for mysql db
|-
|DbPassword
|GENERATED
|string
|for mysql db
|-
|DbUser
|nextcloud
|string
|for mysql db
|-
|TrustedDomains
|empty
|strings coma separated
|add domain or ip that are in need to be added to default access to nextcloud
|-
|VirtualHost
|empty
|domain name
|domain dedicated to nextcloud, needs to also be defined as domain on the server
|-
|access
|private
|private, public
|
|-
|status
|enabled
|enabled,disabled
|
|-
|MaxUploadSize
|4096M
|number
|if a number will be converted to Megabytes, otherwise use the usual suffix : 2T for 2 terrabytes etc...
|-
|MemoryLimit
|528M
|number
|webinterface : if a number will be converted to Megabytes, otherwise use the usual suffix : 2T for 2 terrabytes etc...
|-
|memory_limit
|1024M
|number
|for cli like occ command or cron: if a number will be converted to Megabytes, otherwise use the usual suffix : 2T for 2 terrabytes etc...
|-
|Shares
|enabled
|enabled,disabled
|add the samba shares from the shared-folders contrib in the nextcloud ibays folder along with regular ibays
|-
|IncludeIbay
|empty
|strings coma separated
|add ibays names that need to be include. If not empty, only the name present here will be accessible via nextcloud. Take precedence over ExcludeIbay. You set it with a random string to exclude all ibays and shares from automatic inclusion.
|-
|ExcludeIbay
|Primary
|strings coma separated
|will exclude from nexcloud access any ibay via nextcloud. Default excludes Primary ibay. If you want to include Primary set it with a random string.
|-
|opcache.memory_consumption
|32
|number
|update this value if Nextcloud says that it should be
|-
|opcache.interned_strings_buffer
|128
|number
|update this value if Nextcloud says that it should be
|-
|PHPBaseDir
|
|colon separated string
|php base dir you want to add to the default example /home/e-smith/files/ibays/musique/files:/usr/share/GeoIP/GeoLite2-Country.mmdb:/proc/cpuinfo
|-
|UseSMB
|enabled
|enabled,disabled
|allow you to set ibay access via samba share or via Local driver in nextcloud. Enabled is for samba, this allow you to access as your user and have your quota accounted. It might be a little slower, and need you to have your password loaded in the session. Local driver if disabled, will let you access only what apache user (www) has right to access as member of a group.
|}
(*) the SME admin user is also an admin of your nextcloud installation. You have two admin account as per default installation on SME Server.

example of setting :
config setprop nextcloud ExcludeIbay ibay1,ibay2
signal-event nextcloud-update

=== LDAP/AD Integration Settings ===
Do not change the LDAP/AD integration settings for "1. Server: Localhost" or you will break the Nextcloud install. If you want to add a second LDAP/AD server, click the "+" symbol to add another configuration and then add the appropriate LDAP/AD settings.

=== Command line ===
if you happen to need tweaking your installation, here is how to access the command line for Nextcloud on SME, we made it easier for you, just log as root and use the OCC command (using capitals), This command will execute for you what you need as the www user, using the needed version of php. Here two examples: <syntaxhighlight lang="bash">
occ maintenance:mode --off
occ maintenance:repair

</syntaxhighlight>to seek for additional command consult Nextcloud documentation : https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/occ_command.html

=== Upgrade ===
yum update {{#var:smecontribname}} {{#var:contribname}} --enablerepo=smecontribs

=== CLI upgrade of Nextcloud software ===
<tabs container="">
<tab name="For sme11">
<syntaxhighlight lang="bash">
/usr/bin/nc_upgrade
/usr/bin/nc_dbupdate
</syntaxhighlight>

alternatively
<syntaxhighlight lang="bash">
occ maintenance:mode --on
sudo -u www /usr/bin/php83 --define memory_limit=1024M -d apc.enable_cli=1 /usr/share/nextcloud/updater/updater.phar
occ upgrade
occ maintenance:mode --off
</syntaxhighlight>

</tab>
<tab name="For sme10">
yum install {{#var:smecont
You should rather prefer the online updater, but in case:<syntaxhighlight lang="bash">
occ maintenance:mode --on
sudo -u www /usr/bin/php74 --define memory_limit=1024M -d apc.enable_cli=1 /usr/share/nextcloud/updater/updater.phar --no-interaction
occ upgrade
occ maintenance:mode --off
</syntaxhighlight>In case of a huge db, you can choose the online updater and then only issue the db update doing<syntaxhighlight lang="bash">
occ upgrade
occ maintenance:mode --off
</syntaxhighlight>

starting 25 to upgrace to 26, you should do
<syntaxhighlight lang="bash">
occ maintenance:mode --on
sudo -u www /usr/bin/php81 --define memory_limit=1024M -d apc.enable_cli=1 /usr/share/nextcloud/updater/updater.phar --no-interaction
occ upgrade
occ maintenance:mode --off
</syntaxhighlight>In case of a huge db, you can choose the online updater and then only issue the db update doing<syntaxhighlight lang="bash">
occ upgrade
occ maintenance:mode --off
</syntaxhighlight>
</tab>
</tabs>

=== Restore info loglevel ===
<syntaxhighlight lang="bash">
occ config:system:set loglevel --value=3
</syntaxhighlight>

=== Migration ===

==== from SME 10 to SME 11 ====

# before migrate to SME11
## upgrade to NC 29 or NC 30 (this might require you to migrate mariadb database from 5.5 to contrib mariadb 10.5, see below in this page)
## make sure you have a nextcloud database in mariadb 10.5 (mysqlshow105)
## make sure you have some backup /home/e-smith/db/mariadb105/nextcloud.dump
## delete nextcloud database from mariadb 5.5
## make sure you do not have any /home/e-smith/db/mysql/nextcloud.dump
## migrate using either migratehelper, console backup or workstation backup
# Install SME 11
## restore backup when you are asked for
## check you have:
### a mariadb nextcloud db ( mariadb-show)
### your data folder : ll /home/e-smith/files/nextcloud
### your current config and software : ll /usr/share/nextcloud/
### configuration key nextcloud : config show nextcloud
### install smeserver-nextcloud

enjoy!

=== Uninstall ===

{{Warning box| if you plan to reinstall and had the nextcloud rpm installed do not yum remove it or rpm -e it as it would put you in a situation where you will not be able to reinstall and restore your old data. nextcloud-src rpm if present do not create such situation and can be removed safely.}}

Uninstalling the rpms
yum remove {{#var:smecontribname}} {{#var:contribname}}-src
rpm -e --justdb nextcloud

those folders will then remain
* /usr/share/nextcloud : software and config
* /home/e-smith/files/nextcloud : user data

also you will have mariadb or mariadb105 with nextcloud db and user.

And finally, db configuration with entry for nextcloud.

If all of those remains as is, a simple reinstall of the contrib will bring back nextcloud running. If you uninstalled it because your install was non functional or want a complete removal, there are extra steps.

In case of deleting either the db or part of the software folder, whenever you will try to reinstall the contrib, process will fail as db and files are not in sync.

In case you need to reinstall from scratch, '''first, backup what you might want to restore latter''':
cd /home/e-smith/files/nextcloud/data
mysqldump nextcloud > nextcloud55.sql
mysqldump105 nextcloud > nextcloud105.sql
config print nextcloud /root/nextcloud.config
tar -czf /root/nextcloud.tar.gz /home/e-smith/files/nextcloud/data /usr/share/nextcloud
then erase all what is remaining:
mysql -e "DROP DATABASE `config getprop nextcloud DbName`;DROP USER IF EXISTS `config getprop nextcloud DbUser`;"
mysql105 -e "DROP DATABASE `config getprop nextcloud DbName`;DROP USER IF EXISTS `config getprop nextcloud DbUser`;"
rm -rf /usr/share/nextcloud
rm -rf /home/e-smith/files/nextcloud
#this one is optional, and should not cause issue if still there
config delete nextcloud

and you should be able to start a new install from scratch

=== Release schedule ===
see https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule

as per 2025/11:
{| class="wikitable"
!Version
!Name
!Release date
!End of life
|-
|33
|Hub 26 Winter
|TBD
|
|-
|32
|Hub 25 Autumn
|2025-09-27
|2026-09
|-
|'''31'''
|Hub 10
|2025-02-25
|2026-02
|-
|'''<s>30</s>'''
|<s>Hub 9</s>
|<s>2024-09-14</s>
|<s>2025-09</s>
|-
|'''<s>29</s>'''
|<s>Hub 8</s>
|<s>2024-04-24</s>
|<s>2025-04</s>
|-
|'''<s>28</s>'''
|<s>Hub 7</s>
|<s>2023-12-12</s>
|<s>2024-12</s>
|-
|'''<s>27</s>'''
|<s>Hub 6</s>
|<s>2023-06-13</s>
|<s>2024-06</s>
|-
|'''<s>26</s>'''
|<s>Hub 4</s>
|<s>2023-03-21</s>
|<s>2024-03</s>
|-
|'''<s>25</s>'''
|<s>Hub 3</s>
|<s>2022-10-19</s>
|<s>2023-10</s>
|-
|'''<s>24</s>'''
|<s>Hub 3</s>
|<s>2022-05-03</s>
|<s>2023-05</s>
|-
|'''<s>23</s>'''
|<s>Hub 2</s>
|<s>2021-11-30</s>
|<s>2022-12</s>
|-
|'''<s>22</s>'''
|<s>Hub</s>
|<s>2021-07-06</s>
|<s>2022-07</s>
|-
|'''<s>21</s>'''
|<s>Hub</s>
|<s>2021-02-22</s>
|<s>2022-02</s>
|-
|'''<s>20</s>'''
|<s>Hub</s>
|<s>2020-10-03</s>
|<s>2021-11</s>
|-
|'''<s>19</s>'''
|<s>Hub</s>
|<s>2020-06-03</s>
|<s>2021-06</s>
|-
|'''<s>18</s>'''
|<s>Hub</s>
|<s>2020-01-16</s>
|<s>2021-01</s>
|}

=== Migrate Database from core mariadb 5.5 to mariadb 10.5 on SME10===
If you are in the situation your are unable to update your nextcloud because of database requirements, you might need to install a newer and then migrate your db.

Here a simple procedure, after having the new db working as a sclo [[Mariadb105]] for SME10 as example.<syntaxhighlight lang="bash">
occ maintenance:mode --on
mysqldump `config getprop nextcloud DbName` > nextcloud.sql
echo "CREATE DATABASE IF NOT EXISTS `config getprop nextcloud DbName` CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;"| mysql105
mysql105 `config getprop nextcloud DbName`< nextcloud.sql
echo "CREATE USER IF NOT EXISTS `config getprop nextcloud DbUser`@localhost IDENTIFIED BY '`config getprop nextcloud DbPassword`';"| mysql105
echo "GRANT ALL PRIVILEGES ON `config getprop nextcloud DbName`.* TO `config getprop nextcloud DbUser`@localhost; FLUSH PRIVILEGES;" | mysql105
occ config:system:set dbhost --value localhost:/var/lib/mysql/mariadb105.sock --type string
occ maintenance:mode --off
</syntaxhighlight>

After checking that all is working you can then delete yourself the old db from the previous mysql server, or keep it as a backup for a while.
If it fails and just want to go back to previous state:
occ maintenance --on
occ config:system:set host --value localhost --type string
occ maintenance --off

=== File Scan ===
<syntaxhighlight lang="bash">
# scan all, could take hours if you have a lot of files
occ files:scan -v --all
# scan all that is inside a username path (including external storages mounted there)
occ files:scan -v myusername
#scan only a subfolder of a user (path needs a heading / and is relative to /home/e-smith/files/nextcloud/data)
occ files:scan -v --path="/myusername/files/myfolder/mysubfolder" myusername
#For external storage one has to use a user and the mount point in the user space, e.g. admin
occ files:scan -v --path="/admin/files/name_of_external_storage"
</syntaxhighlight>If you use groupgfolders app, then you might consider, to list the golders id<syntaxhighlight lang="bash">
occ groupfolders:list
</syntaxhighlight>then for folder group with id 1<syntaxhighlight lang="bash">
occ groupfolders:scan 1
</syntaxhighlight>

=== Known issues ===
==== Issue importing files in db "Entry path/to/file will not be accessible due to incompatible encoding" ====
<syntaxhighlight lang="bash">
yum install convmv --enablerepo=epel
#first test to see the changes
convmv -f utf-8 -t utf-8 --nfc -r /home/e-smith/files/nextcloud/data/username
#check, then with --notest
convmv -f utf-8 -t utf-8 --nfc -r --notest /home/e-smith/files/nextcloud/data/username
#then rescan
occ files:scan -p /username/files/
</syntaxhighlight>this might also occurs on ibays / home folders and their files not all visibles from nextcloud, simply adapt the path for convmv /home/e-smith/files/ibays/ibayname/files/ or /home/e-smith/files/users/userame/home/

==== Remove legacy nextcloud rpm without deleting /usr/share/nextcloud content ====
for installs done before smeserver-nextcloud 1.2.0-16, the rppm nextcloud was required and was conflicting with web update. Since 1.2.0-16 it is not required anymroe and we use a nextcloud-src rpm which updates itself in /usr/share/nextcloud-src and is only used if you install the first time or restart from scratch your install.
To remove the nextcloud rpm which is not needed and save your files:
rpm -e --justdb nextcloud

source https://unix.stackexchange.com/questions/208722/how-to-remove-an-rpm-package-while-keeping-certain-files
===Reset Database===

For reference, whilst looking at resetting file caches I found this.

It is probably extremely dangerous but wanted to make a note.

https://github.com/nextcloud/server/issues/8113#issuecomment-565876798

=== Bugs ===
Please raise bugs under the SME-Contribs section in [http://bugs.contribs.org/enter_bug.cgi bugzilla]
and select the {{#var:smecontribname}} component or use {{BugzillaFileBug|product=SME%20Contribs|component={{#var:smecontribname}}|title=this link}}

Below is an overview of the current issues for this contrib:{{#bugzilla:columns=id,product,version,status,summary|sort=id|order=desc|component={{#var:smecontribname}} |noresultsmessage=No open bugs found.}}

===Changelog===
Only released version in smecontrib are listed here.

{{#smechangelog: {{#var:smecontribname}} }}


[[Category: Contrib]]


===References===
# https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/occ_command.html
# https://help.nextcloud.com/t/migration-from-mysql-to-mariadb/6816/3
# https://help.nextcloud.com/t/changing-mariadb-socket-when-hosting-multiple-db-ubuntu/68294
# https://markus-blog.de/index.php/2019/10/21/how-to-migrate-nextcloud-17-database-backend-from-mysql-to-postgresql/
# https://www.ullright.org/ullWiki/show/nextcloud-cheatsheet

SMEServer PHP

2026-01-06T11:31:25Z

Rdswikiadmin: Created page with "Copied from; https://wiki.koozali.org/PHP {{Languages|PHP}} Starting with SME 10, the '''php''' module is no longer used for httpd. Instead we rely on '''php-fpm''' which can enable every available version of php. By default we provide the following versions: *54 (maintained by Red-Hat up to CentOS 7 EOL: 30 Jun 2024). *55,56,70,71,72 (Note: unsupported!). *73 (supported up to 6 Dec 2021). *74 (supported up to 28 Nov 2022). *80 (supported up to 26 Nov 2023). ..."

Copied from; https://wiki.koozali.org/PHP

{{Languages|PHP}}
Starting with SME 10, the '''php''' module is no longer used for httpd. Instead we rely on '''php-fpm''' which can enable every available version of php.

By default we provide the following versions:

*54 (maintained by Red-Hat up to CentOS 7 EOL: 30 Jun 2024).
*55,56,70,71,72 (Note: unsupported!).
*73 (supported up to 6 Dec 2021).
*74 (supported up to 28 Nov 2022).
*80 (supported up to 26 Nov 2023).

 
===db keys available to control php configuration and services===
First you need to decide if you want to alter the php behaviour for an ibay or for a specific php version, of for all php versions.
{| class="wikitable"
|+db configuration properties
!keys
!role
!
|-
|php
|customization of /etc/php.ini
|for php54
|-
|php55
|customization of /opt/remi/php55/root/etc/php.ini
| rowspan="11" |if no properties defined, will use php keys properties
|-
|php56
|customization of /opt/remi/php56/root/etc/php.ini
|-
|php70
|customization of /etc/opt/remi/php70/php.ini
|-
|php71
|customization of /etc/opt/remi/php71/php.ini
|-
|php72
|customization of /etc/opt/remi/php72/php.ini
|-
|php73
|customization of /etc/opt/remi/php73/php.ini
|-
|php74
|customization of /etc/opt/remi/php74/php.ini
|-
|php80
|customization of /etc/opt/remi/php80/php.ini
|-
|php81
|customization of /etc/opt/remi/php81/php.ini
|-
|php82
|customization of /etc/opt/remi/php82/php.ini
|-
|php83
|customization of /etc/opt/remi/php83/php.ini
|}
Every version of php has its own php-fpm service running, the related configuration db entry is (as shown in the Table above) php-fpm for php (ie php54), php55-php-fpm for php55 and so on.

If you really want to disable one version of php, shown below is what you need to do for php55, as an example:
config setprop php55-php-fpm status disabled
signal-event webapps-update

===Available properties===
Here is a list of available properties to configure php. You have to choose at which level you want to handle the change.

*Do you want the change for the whole server? -- then probably choose to change it for key php): db configuration setprop php ...
*Do you want the change for a specific version of php? -- then you should probably do it against a specific php key e.g. : db configuration setprop php74 ...
*Do you want to apply the change for a specific ibay? -- this is what we suggest you to do in most cases: db accounts setprop myibay ..

{| class="wikitable"
|+
!php setting
!ibay property
!php.ini property
!default
!note
|-
| -
|PHPVersion
| -
|74
|can vary upon update if left empty
|-
|allow_url_fopen
|AllowUrlFopen
|AllowUrlFopen
|off
|unsecure keep to off
|-
|allow_url_include
| -
| -
|off
|
|-
|auto_prepend_file
|AutoPrependFile
| -
|enabled
|/usr/share/php/auth_translation.php unless disabled
|-
|disable_functions
|DisableFunctions
| -
|system,show_source, symlink,exec,dl,shell_exec,passthru,phpinfo,escapeshellarg,escapeshellcmd
|
|-
|display_errors
|DisplayErrors
| -
|off
|
|-
|error_log
| -
| -
|/var/log/php/$key/error.log
|
|-
|error_reporting
|ErrorReporting
| -
|E_ALL & ~E_NOTICE & ~E_DEPRECATED & ~E_STRICT
|
|-
|expose_php
| -
|ExposePHP
|Off
|
|-
|file_upload
|FileUpload
| -
|Off
|
|-
|mail.add_x_header
| -
|MailAddXHeader
|disabled
|only global, not per php version
|-
|mail.force_extra_parameters
|MailForceSender
|MailForceSender
|root@$DomainName
|ibayname@$DomainName for ibays
|-
|mail.log
| -
|MailLog
|disabled
|
|-
|max_execution_time
|MaxExecutionTime
|MaxExecutionTime
|30
|
|-
|max_file_uploads
| -
|MaxFileUpload
|20
|
|-
|max_input_time
|MaxInputTime
|MaxInputTime
|60
|
|-
|memory_limit
|MemoryLimit
|MemoryLimit
|128M
|
|-
|open_basedir
|PHPBaseDir
| -
|/home/e-smith/files/ibays/IBAYNAME/:/var/lib/php/IBAYNAME/:/usr/share/php/:/usr/share/pear/:/opt/remi/php$version/root/usr/share/pear/:/opt/remi/php$version/root/usr/share/php/
|
|-
|post_max_size
|PostMaxSize
|PostMaxSize
|20M
|
|-
|security.limit_extensions
|AllowPHTML
|
|disabled
|allow php to interprete more file (.php .htm .html .phar .phtml .xml)
|-
|sendmail_from
| -
|MailForceSender
|root@$DomainName
|
|-
|sendmail_path
| -
|SendmailPath
|/usr/sbin/sendmail -t -i
|
|-
|short_open_tag
| -
|ShortOpenTag
|On
|
|-
|upload_max_filesize
|UploadMaxFilesize
|UploadMaxFilesize
|10M
|
|}
if you want to set a specific value for an ibay, here we show how to use php80 for ibay MYIBAY and avoid having any disabled function:
db accounts setprop MYIBAY disable_functions none PHPVersion 80
signal-event webapps-update
{{Note box|It is strongly suggested that you install the smeserver-webhosting contrib enabling you to set your ibay php values from the server-manager. Everything is available and it prevents you from making a mistake in the settings.}}

===Display Error Messages===

By default PHP does not display error messages on screen. Sometimes you get a blank page when executing PHP scripts. Usually some sort of error has occurred, but this error text will '''not''' be displayed as SME Server is configured to not display them. Instead the error messages are reported to the log files of the webserver and the general logfile of the server.

Try to analyze your logfiles:
/var/log/httpd/error_log and /var/log/httpd/access_log and perhaps also /var/log/messages.

{{Warning box|It is strongly advised that you disable "display errors" after you have tracked and solved the problem, as the displayed error message might provide information (like filesystem layout) that only should be known to the system administrators and not to users, let alone people with bad intentions. Thus it is a potential SECURITY RISK. After debugging, disable it again.}}

====Enable changes for all php versions====
If you (for debugging purposes for instance) would like to enable it you can do it with the instructions found below:

mkdir -p /etc/e-smith/templates-custom/etc/php.ini
cp /etc/e-smith/templates/etc/php.ini/30ErrorHandling /etc/e-smith/templates-custom/etc/php.ini

After that:

sed -i /etc/e-smith/templates-custom/etc/php.ini/30ErrorHandling -e 's/display_errors.*/display_errors = On/g'

After that issue the following commands:

signal-event webapps-update

Now access your page again and see what the error is.

====Undo Changes====
If everything works you remove the 30ErrorHandling file from the /etc/e-smith/templates-custom/etc/php.ini folder and issue the last two lines again:

signal-event webapps-update

====Enable changes for a specific ibay====
Starting SME10 and smeserver-php-3.0.0-39
db accounts setprop MYIBAY DisplayErrors enabled
signal-event webapps-update
===Open basedir restriction===
SME Server has a security measure in place which is called 'open basedir restriction'. This measure prevents PHP from executing or invoking other PHP scripts outside the scope of its own tree; in other words it creates a 'sandbox' or 'jail'.

Overall configuration is defined in the php.ini file but you can add an override on a per ibay basis.

====Error message====
The PHP open basedir restriction is usually presented to the user like this in the /var/log/messages file:

Aug 12 17:27:42 homer httpd: PHP Warning: main(): open_basedir restriction in effect. File(/tmp/test.php) is not within the allowed path(s): (/home/e-smith/files/ibays/Primary/html/) in /home/e-smith/files/ibays/Primary/html/test.php on line 2

In general you will find this message in the log files only as by default PHP is configured to prevent the display of error messages to the end users. This can be changed as per [[PHP#Display_Error_Messages|this HowTo]].

====Modifying the PHPBaseDir setting for an ibay====
<ol>
(Please also see: [http://wiki.contribs.org/Useful_Commands#PHP_Related_Commands these] instructions on the [http://wiki.contribs.org/Useful_Commands Useful_Commands] page.)
<li>Open a SME Server shell as root user and document the current setting of the PHPBaseDir directive by writing down the output of the following command:
db accounts getprop ibayname PHPBaseDir
Be careful to write it down to the letter as we need it in the next step.
For the Primary ibay the ouptut of above command would normally look like this:
/home/e-smith/files/ibays/Primary/html/
</li><li>Decide on what directory you would like to add and issue the following:
db accounts setprop ibayname PHPBaseDir value
Replace ibayname with the name of the ibay and value with the old value for the PHPBaseDir directive you have written down and a colon (:) followed by the full path to the directory you would like to add with a tailing slash (/), e.g.
db accounts setprop Primary PHPBaseDir /home/e-smith/files/ibays/Primary/html/:/opt/gallery2/
Above command would allow for invocation of scripts in the /opt/gallery2 path from the Primary ibay html folder by PHP.
To allow uploading of files to via http to a ibay name wiki:
db accounts setprop wiki PHPBaseDir /home/e-smith/files/ibays/wiki/:/tmp/

</li><li>After defining the new setting we need to reflect the change in the configuration file of the web server and have the web server reload it's configuration file. This is done by issuing the following command:
signal-event ibay-modify ibayname

Be sure to replace ibayname with the name of the ibay you have just modified.
</li></ol>
===Upload_tmp_dir===
upload_tmp_dir

From SME Server V8 up to and including SME Server V9, you could sometimes have an error thrown by PHP and would then need to specify a temporary directory (e.g. upload_tmp_dir) which is not set in php.ini. see [[bugzilla:6650]] and [[bugzilla:7652]]. Many php applications need this setting, the best-known culprits are Wordpress, Roundcube, eGroupWare, and there are others. The symptoms observed are that you can't upload contents to the PHP application.

An easy resolution is to make a Custom Template to resolve this issue. See [[Uploadtmpdir]].

=== Advanced use of the php-fpm pools ===

==== For the ibays with php-fpm.d/ibays.conf ====
For the ibays better option is to simply use the contrib [[Webhosting]].

==== For the contrib sharefolders with php-fpm.d/shares.conf ====
Similar to ibays.

==== For the contribs with php-fpm.d/www.conf ====
Please read [[Building Your Contrib]].

==== For your custom needs with php-fpm.d/custom.conf ====
You can build your own pool to use in any place on your server, even in a subfolder of an ibay or in place of the regular ibay php-pool (property PHPCustomPool).

There are two ways in doing that:

===== using db php =====
Using the default template : /etc/e-smith/templates/etc/php-fpm.d/custom.conf , you can set your own pool doing:
db php set MYPOOLNAME pool Version 81 status enabled
here are the accepted supplementary properties, as always missing or empty means using default.
{| class="wikitable"
!property
!default
!values
!information
|-
|status
|enabled
|enabled,disabled
|-
|Version
|
|
|php version to use eg 80 for php 8.0
|-
|MemoryLimit
|128M
|
|-
|MaxExecutionTime
|30
|
|-
|MaxInputTime
|60
|
|-
|AllowUrlFopen
|off
|
|-
|MaxChildren
|15
|
|-
|PostMaxSize
|10M
|
|-
|UploadMaxFilesize
|10M
|
|-
|FileUpload
|enabled
|
|-
|BaseDir
|
|
|-
|DisabledFunctions
|system,show_source,symlink,exec,dl,shell_exec,passthru,phpinfo,escapeshellarg,escapeshellcmd
|
|-
|User
|www
|
|-
|Group
|www
|
|-
|DisplayErrors
|disabled
|
|-
|LogErrors
|disabled
|
|-
|MaxChildren
|15
|
|-
|AutoPrependFile
|enabled
|
|will use the autoprepend file
|-
|MailForceSender
|php\@$DomainName
|
|
|}
You will then need two httpd.conf custom template fragment to use your pool. You will need to change '''MYPOOL''' to what you want
mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/
vim /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/98mypoolusage

<Directory /home/e-smith/files/ibays/test/html/mysubfolder>
SSLRequireSSL
Options None
Options +Indexes
Options +FollowSymLinks
DirectoryIndex index.php index.shtml index.htm index.html
<FilesMatch \.php$>
SetHandler "proxy:unix:/var/run/php-fpm/php80-MYPOOLNAME.sock|fcgi://localhost"
</FilesMatch>
AllowOverride All
order deny,allow
deny from all
allow from all
</Directory>
Then just do:
signal-event webapps-update

===== using a templates-custom =====
You can write your own fragment in /etc/e-smith/templates-custom/etc/php-fpm.d/custom.conf/ e.g. /etc/e-smith/templates-custom/etc/php-fpm.d/custom.conf/15mypool

You will also need to write a httpd fragment similarly to what shown just above.

Here is an example if you want a custom pool for your ibay, in /etc/e-smith/templates-custom/etc/php-fpm.d/ibays.conf/15MYIBAY<syntaxhighlight lang="perl">
{

use esmith::AccountsDB;
use esmith::php;
my $a = esmith::AccountsDB->open_ro || die "Couldn't open the accounts database";
my $ibay = $a->get("MYIBAY");
my $version = PhpFpmVersionToUse($ibay);
my $dynamic = $ibay->prop('CgiBin') || 'disabled';
my $custom = $ibay->prop('CustomPool') || undef;
next unless ($dynamic eq 'enabled' && $version eq $PHP_VERSION && $custom);
my $key = $ibay->key;
my $name = lc $key;
my $pool_name = 'php' . $version . '-' . $name;
$OUT .=<<"_EOF" if ($version eq $PHP_VERSION);

[$pool_name]
user = www
group = www
listen.owner = root
listen.group = www
listen.mode = 0660
listen = /var/run/php-fpm/$pool_name.sock
;
;
;put whatever you need there
;
;
_EOF
}

</syntaxhighlight>

You have then to force the ibay to use it by doing :<syntaxhighlight lang="bash">
db accounts MYIBAY setprop CustomPool enabled
</syntaxhighlight>This will prevent the generation of the default ibay pool in ibays.conf , and let you use /var/run/php-fpm/php$version-$name.sock socket from your template-custom... or from the db php using the same key as the name of the ibay.

===Installation of Composer===

This is made tricky as we do not have the PHP CLI configured.

But we can install it as follows with command line arguments. This is using php7. Check the latest hash file as this changes.

Download:
php74 -d allow_url_fopen=on -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"

Hash check:
php74 -r "if (hash_file('sha384', 'composer-setup.php') === 'e21205b207c3ff031906575712edab6f13eb0b361f2085f1f1237b7126d785e826a450292b6cfd1d64d92e6563bbde02') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"

Install:
php74 -d allow_url_fopen=on ./composer-setup.php

=== Bash script===

Add the code:

nano composer.install

Paste this:

if [ ! -d '/tmp/compose' ]; then
/usr/bin/mkdir -p /tmp/compose
cd /tmp/compose
else
cd /tmp/compose
fi

# Get the setup file
/usr/bin/php74 -d allow_url_fopen=on -r "copy('https://getcomposer.org/installer', '/tmp/compose/composer-setup.php');"

# Hash check
/usr/bin/php74 -r "if (hash_file('sha384', '/tmp/compose/composer-setup.php') === 'dac665fdc30fdd8ec78b38b9800061b4150413ff2e3b6f88543c636f7cd84f6db9189d43a81e5503cda447da73c7e5b6') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('/tmp/compose/composer-setup.php'); } echo PHP_EOL;"

# Install
/usr/bin/php74 -d allow_url_fopen=on /tmp/compose/composer-setup.php
mv /tmp/compose/composer.phar /usr/local/bin/composer

# Tidy
rm -rf /tmp/compose

Save and exit.

Run it:

chmod 0700 composer.install
./composer.install

Check ths file is there:

ll /usr/local/bin/composer

Use with

php74 composer <blah>

=== Bugs ===
Please raise bugs under the SME-Server 10.X section in [http://bugs.contribs.org/enter_bug.cgi Bugzilla] and select the smeserver-php component or use {{BugzillaFileBug|product=SME%20Server%2010.X|component=e-smith-*%20and%20smeserver-*&20packages|title=this link}}.

Below is an overview of the current issues for this package:
{{#bugzilla:columns=id,product,version,status,summary |sort=id|order=desc |component=smeserver-php|noresultsmessage="No open bugs found."}}
----

[[Category: Howto]]
[[Category: Webapps]]

Email Server

2025-12-26T11:44:37Z

Rdswikiadmin:

<gallery mode="packed-hover" widths=150px heights=75px>
File:QMail.jpeg|https://cr.yp.to/qmail.html
File:Postfix.png|http://www.postfix.org/
File:Qpsmtpd.png|https://smtpd.github.io/qpsmtpd/
File:Dovecot.png|https://www.dovecot.org/
File:ClamAV.png|https://www.clamav.net/
File:Spamassassin.jpeg|https://spamassassin.apache.org/
File:Geoiplite2.jpeg|https://www.maxmind.com/
File:Letsencrypt.png|https://letsencrypt.org/
</gallery>
 
=='''A private open source email server provides unlimited configuration, customisation, and users, with no additional cost per user, and mailbox size up to the available storage.'''==
*DKIM Signed Email
*DMARC Policy
*SPF Policy
*DNSBL Blocklists
*RHSBL Blocklists
*URIBL Blocklists
*Whitelist / Blacklist
*Greylisting
*Spam and Virus Filtering
*GeoIP Filtering
*Multi-Domain
*Sieve Email Filtering
*Blind Carbon Copy
*SSL Encrypted IMAP + SMTP + POP3
*TLS Transport to Remote SMTP Hosts
*SSL Webmail with DAV Integration of Calendars, Contacts, Tasks
*Open Source Letsencrypt SSL Domain Verification Certificates, or Commercial SSL Certificates.
 
'''Koozali SME Server is free and open source''' – there are no limitations and you can inspect, integrate, extend and modify however you want.

MediaWiki:Sidebar

2025-12-26T11:37:13Z

Rdswikiadmin:

* Realm Business Systems
** mainpage|mainpage-description
** https://wiki.2clever.uk/index.php/Company|Company
** https://wiki.2clever.uk/index.php/Open_Source|Open Source
** https://wiki.2clever.uk/index.php/Remote_Support|Remote Support
** https://wiki.2clever.uk/index.php/Debian|Debian Linux
** https://wiki.2clever.uk/index.php/Rocky_Linux|Rocky Linux
** https://wiki.2clever.uk/index.php/Virtualisation|Virtualisation
** https://wiki.2clever.uk/index.php/Icinga_Monitoring|Icinga Monitoring
** https://wiki.2clever.uk/index.php/SME_Server|SME Server
** https://wiki.2clever.uk/index.php/Email_Server|Email Server
** https://wiki.2clever.uk/index.php/Nextcloud|Nextcloud
** https://wiki.2clever.uk/index.php/Collabora_Online|Collabora Online
** https://wiki.2clever.uk/index.php/IncrediblePBX|IncrediblePBX
** https://wiki.2clever.uk/index.php/WebERP|WebERP
** https://wiki.2clever.uk/index.php/VPN|Virtual Private Networking
** https://wiki.2clever.uk/index.php/Special:AllPages/|All Pages
** https://wiki.2clever.uk/index.php/Useful_Commands|Useful
** https://wiki.2clever.uk/index.php/Websites|Websites

MediaWiki:Sidebar

2025-12-26T11:36:16Z

Rdswikiadmin:

* Realm Data Systems
** mainpage|mainpage-description
** https://wiki.2clever.uk/index.php/Company|Company
** https://wiki.2clever.uk/index.php/Open_Source|Open Source
** https://wiki.2clever.uk/index.php/Remote_Support|Remote Support
** https://wiki.2clever.uk/index.php/Debian|Debian Linux
** https://wiki.2clever.uk/index.php/Rocky_Linux|Rocky Linux
** https://wiki.2clever.uk/index.php/Virtualisation|Virtualisation
** https://wiki.2clever.uk/index.php/Icinga_Monitoring|Icinga Monitoring
** https://wiki.2clever.uk/index.php/SME_Server|SME Server
** https://wiki.2clever.uk/index.php/Email_Server|Email Server
** https://wiki.2clever.uk/index.php/Nextcloud|Nextcloud
** https://wiki.2clever.uk/index.php/Collabora_Online|Collabora Online
** https://wiki.2clever.uk/index.php/IncrediblePBX|IncrediblePBX
** https://wiki.2clever.uk/index.php/WebERP|WebERP
** https://wiki.2clever.uk/index.php/VPN|Virtual Private Networking
** https://wiki.2clever.uk/index.php/Special:AllPages/|All Pages
** https://wiki.2clever.uk/index.php/Useful_Commands|Useful
** https://wiki.2clever.uk/index.php/Websites|Websites

Disk Maintenance

2025-12-21T06:57:07Z

Rdswikiadmin: /* Format Disk */

===Burn ISO to USB===
dd if=xxx.iso of=/dev/sdc bs=64K
sync

===dd copy continue on errors===
dd if=/dev/sda conv=noerror,sync of=/dev/sdb bs=64K

===ddrescue===

ddrescue -d -f -r3 /dev/sda /dev/sdb -b8192

In this example rescue /dev/sda to /dev/sdb

## No need to partition /dev/sdb beforehand, but if the partition table on /dev/sda ##
## is damaged, you will need to recreate it somehow on /dev/sdb. ##
ddrescue -f -n /dev/sda /dev/sdb logfile
ddrescue -d -f -r3 /dev/sda /dev/sdb logfile

## check for errors ##
fsck -v -f /dev/sdb1
fsck -v -f /dev/sdb2

ddrescue command options;

-f : Overwrite output device or partition.
-n : Do not try to split or retry failed blocks.
-d : Use direct disc access for input file.
-r3 : Exit after given three (3) retries (use -1 as infinity retries).
-b2048 : Sector size of input device [default is set to 512].

===Format Disk===
parted /dev/sdc
mklabel gpt / msdos
unit TB
mkpart primary 0 -0

or; mkpart primary 0.00 1.00TB
quit

mkfs.ext4 -L BACKUP2 /dev/sdc1

mkfs.xfs /dev/vm/sme

mkfs.xfs -L 16TB1 /dev/sdc1

===Label===
e2label /dev/sdd1 USB1
tune2fs -L volume-label device
ntfslabel device new-label
xfs_admin -L label device

===Zero===
Zero MBR; dd if=/dev/zero of=/dev/sdc bs=446 count=1

Zero MBR + Partition Table; dd if=/dev/zero of=/dev/sdc bs=512 count=1

Zero MDADM; dd if=/dev/zero of=/dev/sdc bs=1M count=1024

===Hot remove disk===
umount /dev/sdx

hdparm -Y /dev/sdx

===mdadm repair===
mdadm --manage /dev/md1 --add /dev/sdb3

===mdadm create===
mdadm --create --verbose /dev/md3 --level=mirror --raid-devices=2 /dev/sda1 /dev/sdb1

===After creating, SAVE the RAID configuration===
mdadm --detail --scan >> /etc/mdadm/mdadm.conf

===Mount NTFS===
Read Only;
mount -t ntfs /dev/xxx /mnt/windows -o ro

Read Write;
ntfs-3g /dev/sdaX /mnt/windows

===Add Disk to MDADM===

TEMPPROX:/vm/oldimages# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 1.8T 0 disk
├─sda1 8:1 0 7.5G 0 part
│ └─md0 9:0 0 7.5G 0 raid1 [SWAP]
├─sda2 8:2 0 488M 0 part
│ └─md1 9:1 0 487.7M 0 raid1 /boot
└─sda3 8:3 0 1.8T 0 part
└─md2 9:2 0 1.8T 0 raid1 /
sdb 8:16 0 1.8T 0 disk
└─sdb1 8:17 0 1.8T 0 part /mnt/BACKUP1

TEMPPROX:~# parted /dev/sda
GNU Parted 3.2
Using /dev/sda
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) print
Model: ATA WDC WD2003FYYS-0 (scsi)
Disk /dev/sda: 2000GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags:

Number Start End Size Type File system Flags
1 1049kB 8000MB 7999MB primary boot, raid
2 8000MB 8511MB 512MB primary raid
3 8511MB 2000GB 1992GB primary raid

parted /dev/sdb

mklabel msdos

mkpart primary 1049kB 8000MB

mkpart primary 8000MB 8511MB

mkpart primary 8511MB 2000GB

mdadm --manage /dev/md0 --add /dev/sdb1

mdadm --manage /dev/md1 --add /dev/sdb2

mdadm --manage /dev/md2 --add /dev/sdb3

grub-install /dev/sdb

===Manual Disk swap===

ABPROX:~# smartctl -a /dev/sda
Serial Number: WD-WCAW34414439

ABPROX:~# smartctl -a /dev/sdb
Serial Number: WD-WCAW34329788

ABPROX:~# cat /proc/mdstat
Personalities : [raid1]
md2 : active raid1 sda3[0] sdb3[1]
960505856 blocks super 1.2 [2/2] [UU]
bitmap: 2/8 pages [8KB], 65536KB chunk

md1 : active raid1 sda2[0] sdb2[1]
499392 blocks super 1.2 [2/2] [UU]

md0 : active raid1 sda1[0] sdb1[1]
15616000 blocks super 1.2 [2/2] [UU]

unused devices: <none>

ABPROX:~# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 931.5G 0 disk
├─sda1 8:1 0 14.9G 0 part
│ └─md0 9:0 0 14.9G 0 raid1 [SWAP]
├─sda2 8:2 0 488M 0 part
│ └─md1 9:1 0 487.7M 0 raid1 /boot
└─sda3 8:3 0 916.1G 0 part
└─md2 9:2 0 916G 0 raid1 /
sdb 8:16 0 931.5G 0 disk
├─sdb1 8:17 0 14.9G 0 part
│ └─md0 9:0 0 14.9G 0 raid1 [SWAP]
├─sdb2 8:18 0 488M 0 part
│ └─md1 9:1 0 487.7M 0 raid1 /boot
└─sdb3 8:19 0 916.1G 0 part
└─md2 9:2 0 916G 0 raid1 /
sdc 8:32 0 1.8T 0 disk
└─sdc1 8:33 0 1.8T 0 part /mnt/backups

mdadm --manage /dev/md0 --fail /dev/sda1
mdadm --manage /dev/md0 --remove /dev/sda1

mdadm --manage /dev/md1 --fail /dev/sda2
mdadm --manage /dev/md1 --remove /dev/sda2

mdadm --manage /dev/md2 --fail /dev/sda3
mdadm --manage /dev/md2 --remove /dev/sda3

sfdisk -d /dev/sdb > sfdisk_sdb.output

ABPROX:~# cat sfdisk_sdb.output
# partition table of /dev/sdb
unit: sectors

/dev/sdb1 : start= 2048, size= 31248384, Id=fd, bootable
/dev/sdb2 : start= 31250432, size= 999424, Id=fd
/dev/sdb3 : start= 32249856, size=1921273856, Id=fd
/dev/sdb4 : start= 0, size= 0, Id= 0

sfdisk /dev/sda < sfdisk_sdb.output

mdadm --manage /dev/md0 --add /dev/sda1

mdadm --manage /dev/md1 --add /dev/sda2

mdadm --manage /dev/md2 --add /dev/sda3

ABPROX:~# sfdisk -l /dev/sda

Disk /dev/sda: 121601 cylinders, 255 heads, 63 sectors/track
Units: cylinders of 8225280 bytes, blocks of 1024 bytes, counting from 0

Device Boot Start End #cyls #blocks Id System
/dev/sda1 * 0+ 1945- 1946- 15624192 fd Linux raid autodetect
/dev/sda2 1945+ 2007- 63- 499712 fd Linux raid autodetect
/dev/sda3 2007+ 121601- 119594- 960636928 fd Linux raid autodetect
/dev/sda4 0 - 0 0 0 Empty

ABPROX:~# sfdisk -l /dev/sdb

Disk /dev/sdb: 121601 cylinders, 255 heads, 63 sectors/track
Units: cylinders of 8225280 bytes, blocks of 1024 bytes, counting from 0

Device Boot Start End #cyls #blocks Id System
/dev/sdb1 * 0+ 1945- 1946- 15624192 fd Linux raid autodetect
/dev/sdb2 1945+ 2007- 63- 499712 fd Linux raid autodetect
/dev/sdb3 2007+ 121601- 119594- 960636928 fd Linux raid autodetect
/dev/sdb4 0 - 0 0 0 Empty

---------------------------------
HowTo; write the GRUB boot sector
dd if=/dev/sdb2 of=/dev/sda2

grub-install /dev/sda

grub2-install /dev/sdb

=== FreePBX RAID recovered ===

https://help-grub.gnu.narkive.com/tNbK14Jv/grub2-install-couldn-t-find-physical-volume-null
grub2-install: warning: Couldn't find physical volume `(null)'. Some modules may be missing from core image.
I think I know what happens. Did you reboot after MD was resynced? If not, please try

blockdev --flushbufs /dev/sda1

blockdev --flushbufs /dev/sdb1

grub2-install /dev/sda

grub2-install /dev/sdb

Windows

2025-12-21T06:55:34Z

Rdswikiadmin: Created page with " ===Windows=== Win7 enable administrator run cmd as administrator net user administrator /active:yes MS nonpresent devices set devmgr_show_nonpresent_devices=1 start devmgmt.msc This will repair your TCP/IP settings and LSPs netsh winsock reset catalog powercfg.exe -h off Pagefile information is stored in the registry as a multi_string HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management Double click PagingFiles ===WIN10 F8..."

===Windows===
Win7 enable administrator
run cmd as administrator
net user administrator /active:yes

MS nonpresent devices
set devmgr_show_nonpresent_devices=1
start devmgmt.msc

This will repair your TCP/IP settings and LSPs
netsh winsock reset catalog

powercfg.exe -h off

Pagefile information is stored in the registry as a multi_string
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
Double click PagingFiles

===WIN10 F8 SafeMode===
bcdedit /set {default} bootmenupolicy legacy

TaxCalcHub

2025-12-21T06:51:54Z

Rdswikiadmin: Created page with " ===Moving the database=== Backup within the program (Administration > Database > Backup) When installed on the other machine restore the backup. The other additional computers might detect there is another database available to connect to but will pick up 2 databases whilst the current database remains on the machine it is on at the moment. When you are happy the data has restored successfully remove the full installation from the old machine: 1. Go to Start > C..."

===Moving the database===
Backup within the program (Administration > Database > Backup)
When installed on the other machine restore the backup.
The other additional computers might detect there is another database available to connect to
but will pick up 2 databases whilst the current database remains on the machine it is on at the moment.
When you are happy the data has restored successfully remove the full installation from the old machine:

1. Go to Start > Control Panel > Uninstall a program
2. Uninstall TaxCalc Hub and PostgreSQL 9.0
3. Now go to My Computer > C:\ > Delete 'TaxCalc Hub' Folder
4. Open Program Files (or Program Files x86 if present) > Delete PostgreSQL' folder
5. Finally, go to Start > type 'cmd' in the search box then press enter
6. Type 'control userpasswords2' > Delete the postgres user
Now you can install the 'additional machine' installation on this computer

===Creating a Connection File===
1. On the server click Windows Start button
2. Select; All Programs / TaxCalc Hub
3. Select; Discovery Response Editor program
4. Select; Create Database Connection File button
5. Save this ASP_DB_Connection.txt file.
6. On the additional machine, drag and drop the ASP_DB_Connection.txt file onto the error dialog box.

===If you still cannot log in, you will likely see a different error===
For TaxCalc to connect to the database the following ports need to be open through the firewall:
5432
3838
6178

Mac Reset Password Single User

2025-12-21T06:48:00Z

Rdswikiadmin: Created page with "==Change Password in Mac OS X Single User Mode== Enter Single User Mode. Reboot the Mac and hold down Command+S at boot to enter into the command line. Run two commands in order to make filesystem changes. The first command checks the Mac OS X filesystem for errors and fixes them. fsck -fy The next command mounts the root Mac OS X drive as writable, allowing you to make changes to the filesystem: mount -uw / After the filesystem is mounted, you can reset any users pas..."

==Change Password in Mac OS X Single User Mode==

Enter Single User Mode. Reboot the Mac and hold down Command+S at boot to enter into the command line.
Run two commands in order to make filesystem changes.
The first command checks the Mac OS X filesystem for errors and fixes them.
fsck -fy
The next command mounts the root Mac OS X drive as writable, allowing you to make changes to the filesystem:
mount -uw /
After the filesystem is mounted, you can reset any users password using the following command:
passwd username

==To reset your keychain in Mac OS X 10.4, Mac OS X 10.5, and Mac OS X 10.6 Snow Leopard or later==
Open Keychain Access, which is in the Utilities folder within the Applications folder.
From the Keychain Access menu, choose Preferences.
Click General, then click Reset My Default Keychain.
Authenticate with your account login password.
Quit Keychain Access.
Restart your computer.

To reset your keychain in Mac OS X 10.3 through 10.3.9:
Open Keychain Access, which is in the Utilities folder within the Applications folder.
From the Window menu, choose Keychain First Aid.
Click Options...
Click Reset My Keychain, which is under the General pane.
Authenticate with your account login password.
Quit Keychain Access.
Restart your computer.

Debian Sudo

2025-12-21T06:46:26Z

Rdswikiadmin: Created page with " apt-get install sudo SVR:/etc# cat sudoers # # This file MUST be edited with the 'visudo' command as root. # # Please consider adding local content in /etc/sudoers.d/ instead of # directly modifying this file. # # See the man page for details on how to write a sudoers file. # Defaults env_reset Defaults mail_badpass Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" # Host alias specification # User alias specificati..."

apt-get install sudo

SVR:/etc# cat sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

# Lines matching CHECK_RAID added by ./check_raid -S on Wed Jun 17 14:45:48 2015
User_Alias CHECK_RAID=nagios
CHECK_RAID ALL=(root) NOPASSWD: /usr/sbin/hpacucli controller all show status
CHECK_RAID ALL=(root) NOPASSWD: /usr/sbin/hpacucli controller * logicaldrive all show

nagios ALL=NOPASSWD: /usr/sbin/hpacucli

Debian APT

2025-12-21T06:45:44Z

Rdswikiadmin: Created page with " =Check for unused packages= dpkg -l | awk '/^rc/ { print $2 }' apt-get purge xxx apt-mark hold smartmontools ALL in one go; apt-get purge $(dpkg -l | awk '/^rc/ { print $2 }') dpkg --get-selections | grep 'hold$' apt-mark unhold openssh-server apt-mark unhold net-tools apt-mark unhold bridge-utils"

=Check for unused packages=
dpkg -l | awk '/^rc/ { print $2 }'

apt-get purge xxx

apt-mark hold smartmontools

ALL in one go;

apt-get purge $(dpkg -l | awk '/^rc/ { print $2 }')

dpkg --get-selections | grep 'hold$'

apt-mark unhold openssh-server
apt-mark unhold net-tools
apt-mark unhold bridge-utils

DNS Record Types

2025-12-21T06:43:00Z

Rdswikiadmin: Created page with "== Resource Records == {| class="wikitable sortable" |- ! |Code ! |Number ! width="90pt"|Defining RFC ! class="unsortable"|Description ! class="unsortable"|Function |- | <div id="A"/>A |1 |RFC 1035 | '''address record'''|| Returns a 32-bit IPv4 address, most commonly used to map hostnames to an IP address of the host, but also used for DNSBLs, storing subnet masks in RFC 1101, etc. |- | <div id="AAAA"/>AAAA |28 |RFC 3596 | '''IPv6 address record'''|| Returns a 128-bit I..."

== Resource Records ==
{| class="wikitable sortable"
|-
! |Code
! |Number
! width="90pt"|Defining RFC
! class="unsortable"|Description
! class="unsortable"|Function
|-
| <div id="A"/>A
|1
|RFC 1035
| '''address record'''|| Returns a 32-bit IPv4 address, most commonly used to map hostnames to an IP address of the host, but also used for DNSBLs, storing subnet masks in RFC 1101, etc.
|-
| <div id="AAAA"/>AAAA
|28
|RFC 3596
| '''IPv6 address record'''|| Returns a 128-bit IPv6 address, most commonly used to map hostnames to an IP address of the host.
|-
| <div id="AFSDB"/>AFSDB
|18
|RFC 1183
|'''AFS database record'''
|Location of database servers of an Andrew File System (AFS) cell. This record is commonly used by AFS clients to contact AFS cells outside their local domain. A subtype of this record is used by the obsolete DCE Distributed File System (DCE/DFS) file system.
|-
| <div id="CERT"/>CERT ||37||RFC 4398||'''Certificate record'''||Stores PKIX, SPKI, Pretty Good Privacy (PGP), etc.
|-
| CNAME record|CNAME
|5
|RFC 1035
| '''Canonical name record'''|| Alias of one name to another: the DNS lookup will continue by retrying the lookup with the new name.
|-
|<div id="DHCID"/>DHCID ||49||RFC 4701||'''DHCP identifier'''||Used in conjunction with the FQDN option to DHCP
|-
|<div id="DLV"/>DLV||32769||RFC 4431||'''DNSSEC Lookaside Validation record'''||For publishing DNSSEC trust anchors outside of the DNS delegation chain. Uses the same format as the DS record. RFC 5074 describes a way of using these records.
|-
|DNAME record (DNAME)
|39
|RFC 2672
|'''delegation name'''
|DNAME will delegate an entire portion of the DNS tree under a new name. In contrast, the CNAME record creates an alias of a single name. Like the CNAME record, the DNS lookup will continue by retrying the lookup with the new name.
|-
|<div id="DNSKEY"/>DNSKEY||48||RFC 4034||'''DNS Key record'''||The key record used in DNSSEC. Uses the same format as the KEY record.
|-
|<div id="DS"/>DS||43||RFC 4034||'''Delegation signer'''||The record used to identify the DNSSEC signing key of a delegated zone
|-
|Host Identity Protocol (HIP)
|55
|RFC 5205
|'''Host Identity Protocol'''
|Method of separating the end-point identifier and locator roles of IP addresses.
|-
|<div id="IPSECKEY"/>IPSECKEY||45||RFC 4025||'''IPSEC Key'''||Key record that can be used with IPSEC
|-
|<div id="KEY"/>KEY||25||RFC 4034||'''Key record'''||Used only for TKEY (RFC 2930). Before RFC 3755 was published, this was also used for DNSSEC, but DNSSEC now uses DNSKEY.
|-
| LOC record (LOC)
|29
|RFC 1876
| '''Location record '''
| Specifies a geographical location associated with a domain name
|-
| MX record (MX)
|15
|RFC 1035
| '''mail exchange record'''
| Maps a domain name to a list of mail exchange servers for that domain
|-
| NAPTR record (NAPTR)
|35
|RFC 3403
| '''Naming Authority Pointer'''
| Allows regular expression based rewriting of domain names which can then be used as URIs, further domain names to lookups, etc.
|-
| <div id="NS"/>NS
|2
|RFC 1035
| '''name server record'''
| Delegates a DNS zone to use the given authoritative name servers
|-
|<div id="NSEC"/>NSEC||47||RFC 4034||'''Next-Secure record'''||Part of DNSSEC—used to prove a name does not exist. Uses the same format as the (obsolete) NXT record.
|-
|<div id="NSEC3"/>NSEC3||50||RFC 5155||'''NSEC record version 3'''||An extension to DNSSEC that allows proof of nonexistence for a name without permitting zonewalking
|-
|<div id="NSEC3PARAM"/>NSEC3PARAM||51||RFC 5155||'''NSEC3 parameters'''||Parameter record for use with NSEC3
|-
| <div id="PTR"/>PTR
|12
|RFC 1035
| '''pointer record'''
| Pointer to a canonical name. Unlike a CNAME, DNS processing does NOT proceed, just the name is returned. The most common use is for implementing reverse DNS lookups, but other uses include such things as Zero configuration networking#Apple's protocol: Multicast DNS/DNS-SD|DNS-SD.
|-
|<div id="RRSIG"/>RRSIG||46||RFC 4034||'''DNSSEC signature'''||Signature for a DNSSEC-secured record set. Uses the same format as the SIG record.
|-
|<div id="SIG"/>SIG||24||RFC 2535||'''Signature'''||Signature record used in SIG(0) (RFC 2931). Until RFC 3755 was published, the SIG record was part of DNSSEC; now RRSIG is used for that.
|-
| <div id="SOA"/>SOA
|6
|RFC 1035
| '''start of authority record'''
| Specifies ''authoritative'' information about a DNS zone, including the primary name server, the email of the domain administrator, the domain serial number, and several timers relating to refreshing the zone.
|-
| Sender Policy Framework (SPF)||99||RFC 4408||'''SPF record'''||Specified as part of the SPF protocol, as an alternative to storing SPF data in TXT records. Uses the same format as the TXT record.
|-
| SRV record|SRV
|33
|RFC 2782
|'''Service locator'''
|Generalized service location record, used for newer protocols instead of creating protocol-specific records such as MX.
|-
| <div id="SSHFP"/>SSHFP
|44
|RFC 4255
|'''SSH Public Key Fingerprint'''
|Resource record for publishing Secure Shell (SSH) public host key fingerprints in the DNS System, in order to aid in verifying the authenticity of the host.
|-
|<div id="TA"/>TA||32768||None||'''DNSSEC Trust Authorities'''||Part of a deployment proposal for DNSSEC without a signed DNS root. See the [http://www.iana.org/assignments/dns-parameters IANA database] and [http://www.watson.org/~weiler/INI1999-19.pdf Weiler Spec]] for details. Uses the same format as the DS record.
|-
| <div id="TXT"/>TXT
|16
|RFC 1035
|'''Text record'''
|Originally for arbitrary human-readable ''text'' in a DNS record. Since the early 1990s, however, this record more often carries machine-readable data, such as specified by RFC 1464, opportunistic encryption, Sender Policy Framework (deprecated), DomainKeys, Zero configuration networking#Apple's protocol: Multicast DNS/DNS-SD|DNS-SD, etc.
|}

BT codes

2025-12-21T06:41:50Z

Rdswikiadmin: Created page with "B. T. NETWORK SERVICE CODES FOR SELECT SERVICES ADSL Line Reset (line_no.)@startup_domain / any password - not null ADSL Performance http://www.speedtester.bt.com enter tel. no. then ADSL login ADSL Speed Test (fixed speed only) speedtest@speedtest_domain / any password - not null visit http://www.speedtester.bt.com, enter your telephone number ADSL Test bt_test@startup_domain / (password ignored) visit http://www.bt.net/digitaldemo Anonymous Call Rejection..."

B. T. NETWORK SERVICE CODES FOR SELECT SERVICES

ADSL Line Reset
(line_no.)@startup_domain / any password - not null

ADSL Performance
http://www.speedtester.bt.com
enter tel. no. then ADSL login

ADSL Speed Test (fixed speed only)
speedtest@speedtest_domain / any password - not null
visit http://www.speedtester.bt.com, enter your telephone number

ADSL Test
bt_test@startup_domain / (password ignored)
visit http://www.bt.net/digitaldemo

Anonymous Call Rejection
SET ANONYMOUS CALL REJECTION *227#
CHECK ACR *#227#
CANCEL ACR #227#

Call Divert on all calls
SET CALL DIVERSION * 21 * [phone number] #
CHECK CALL DIVERSION * # 21 #
CANCEL CALL DIVERSION # 21 #
Call Divert on no reply
SET DIVERSION ON NO REPLY * 61 * [phone number] #
CHECK DIVERSION ON NO REPLY * # 61 #
CANCEL DIVERSION ON NO REPLY # 61 #

Call Divert on busy
SET DIVERSION ON BUSY * 67 * [phone number] #
CHECK DIVERSION ON BUSY * # 67 #
CANCEL DIVERSION ON BUSY # 67 #

Call Divert on no reply or busy
SET DIVERSION ON NO REPLY & BUSY * 66 * [phone number] #
CHECK DIVERSION ON NO REPLY & BUSY * # 66 #
CANCEL DIVERSION ON NO REPLY & BUSY # 66 #

Call Minder (Voicemail)
CALL MINDER SERVICE 1571

Call Waiting
SET CALL WAITING * 43 #
CHECK CALL WAITING * # 43 #
CANCEL CALL WAITING # 43 #

Caller Display
SET CALLER DISPLAY DATA ON *234#
CHECK CALLER DISPLAY DATA *#234#
CANCEL CALLER DISPLAY DATA #234#

Caller ID
WITHHOLD CALLER ID 141 [phone number]
RELEASE CALLER ID 1470 [phone number]
CALLER RETURN 1471
ERASES LAST NUMBER GIVEN ON CALLER RETURN 1475
BLOCK LAST CALL ANSWERED WITH CHOOSE TO REFUSE 14258 [PIN] **
ADD TO LIST OF BLOCKED NUMBERS WITH CHOOSE TO REFUSE 14258 [phone number] #

Charge Advice
SET CHARGE ADVICE (BEFORE A CALL) * 40 * [phone number] #
SET CHARGE ADVICE (FOR ALL CALLS) * 411 #
CHECK CHARGE ADVICE *# 411 #
CANCEL CHARGE ADVICE # 411 #

Choose to Refuse
BLOCK LAST CALL ANSWERED WITH CHOOSE TO REFUSE 14258 [PIN] **
ADD TO LIST OF BLOCKED NUMBERS WITH CHOOSE TO REFUSE 14258 [phone number] #

Incoming Call Barring
SET INCOMING CALL BARRING * 261 #
CHECK INCOMING CALL BARRING * # 261 #
CANCEL INCOMING CALL BARRING # 261 #

Miscellaneous
CHECK WHICH SERVICES ARE ACTIVE * # 001 #
BT LINE TEST & RINGBACK FACILITY 17070
REDIAL LAST NUMBER DIALLED **0

Outgoing Call Barring
SET OUTGOING CALL BARRING * 34 option #
CHECK OUTGOING CALL BARRING * # 34 #
CANCEL OUTGOING CALL BARRING # 34 option * [PIN] #

Reminder Call Service
SET REMINDER CALL (using 24 hour clock with 4 digits) * 55 * [time] #
CHECK REMINDER CALL * # 55 #
CANCEL REMINDER CALL # 55 #
SET REGULAR REMINDER CALL * 56 * [time] * [day option] #
CHECK ALL REGULAR REMINDER CALL * # 56 #
CANCEL A REGULAR REMINDER CALL # 56 * [time] * [day option] #
CANCEL ALL REGULAR REMINDER CALLS # 56 #
Day options numbers: Monday - 1, Tuesday - 2, Wednesday - 3, Thursday - 4, Friday - 5, Saturday - 6, Sunday - 7, Monday - Friday: 8 Every Day - 9.

Remote (Smart) Call Divert on all calls
SET REMOTE CALL DIVERT ON ALL CALLS * 44 * [PIN] * [your full phone number] * [number to divert to] #
CHECK REMOTE CALL DIVERT ON ALL CALLS # 44 * [PIN] * [your full phone number] #
CANCEL REMOTE CALL DIVERT ON ALL CALLS * # 44 * [PIN] * [your full phone number] #

Remote (Smart) Call Divert on no reply
SET REMOTE CALL DIVERT ON NO REPLY * 64 * [PIN] * [your full phone number] * [phone number to divert to] #
CHECK REMOTE CALL DIVERT ON NO REPLY # 64 * [PIN] * [your full phone number] #
CANCEL REMOTE CALL DIVERT ON NO REPLY * # 64 * [PIN] * [your full phone number] #

Remote (Smart) Call Divert on busy
SET REMOTE CALL DIVERT ON BUSY * 65 * [PIN] * [your full phone number] * [phone number to divert to] #
CHECK REMOTE CALL DIVERT ON BUSY # 65 * [PIN] * [your full phone number] #
CANCEL REMOTE CALL DIVERT ON BUSY * # 65 * [PIN] * [your full phone number] #

Ringback
SET RINGBACK [phone number] 5
CHECK RINGBACK *#37#
CANCEL RINGBACK #37#
SET RING BACK INHIBIT *02*37#
CHECK RING BACK INHIBIT *#02*37#
CANCEL RING BACK INHIBIT #02*37#

Quiet Line Test

Unplug everything
Dial 17070, press option 2 (quiet line test)

Distance From Exchange

Dial 17070
Option 3 (fast test)
Option 1 (to say you are authorised)
Option 2 (ring back test). Then put the phone down.
You will get called back by the test facility within about 10 seconds, one of the bits of information given will be distance from exchange (in kilometres).
*The distance result may not be accurate if you have a 'DACs' fitted. It is not 100% accurate but does serve as a guide.

Disk Maintenance

2025-12-21T06:40:26Z

Rdswikiadmin: Created page with " ===Burn ISO to USB=== dd if=xxx.iso of=/dev/sdc bs=64K sync ===dd copy continue on errors=== dd if=/dev/sda conv=noerror,sync of=/dev/sdb bs=64K ===ddrescue=== ddrescue -d -f -r3 /dev/sda /dev/sdb -b8192 In this example rescue /dev/sda to /dev/sdb ## No need to partition /dev/sdb beforehand, but if the partition table on /dev/sda ## ## is damaged, you will need to recreate it somehow on /dev/sdb. ## ddrescue -f -n /dev/sda /dev/sdb logfile ddres..."

===Burn ISO to USB===
dd if=xxx.iso of=/dev/sdc bs=64K
sync

===dd copy continue on errors===
dd if=/dev/sda conv=noerror,sync of=/dev/sdb bs=64K

===ddrescue===

ddrescue -d -f -r3 /dev/sda /dev/sdb -b8192

In this example rescue /dev/sda to /dev/sdb

## No need to partition /dev/sdb beforehand, but if the partition table on /dev/sda ##
## is damaged, you will need to recreate it somehow on /dev/sdb. ##
ddrescue -f -n /dev/sda /dev/sdb logfile
ddrescue -d -f -r3 /dev/sda /dev/sdb logfile

## check for errors ##
fsck -v -f /dev/sdb1
fsck -v -f /dev/sdb2

ddrescue command options;

-f : Overwrite output device or partition.
-n : Do not try to split or retry failed blocks.
-d : Use direct disc access for input file.
-r3 : Exit after given three (3) retries (use -1 as infinity retries).
-b2048 : Sector size of input device [default is set to 512].

===Format Disk===
parted /dev/sdc
mklabel gpt
unit TB
mkpart primary 0 -0

or; mkpart primary 0.00 1.00TB
quit

mkfs.ext4 -L BACKUP2 /dev/sdc1

mkfs.xfs /dev/vm/sme

mkfs.xfs -L 16TB1 /dev/sdc1

===Label===
e2label /dev/sdd1 USB1
tune2fs -L volume-label device
ntfslabel device new-label
xfs_admin -L label device

===Zero===
Zero MBR; dd if=/dev/zero of=/dev/sdc bs=446 count=1

Zero MBR + Partition Table; dd if=/dev/zero of=/dev/sdc bs=512 count=1

Zero MDADM; dd if=/dev/zero of=/dev/sdc bs=1M count=1024

===Hot remove disk===
umount /dev/sdx

hdparm -Y /dev/sdx

===mdadm repair===
mdadm --manage /dev/md1 --add /dev/sdb3

===mdadm create===
mdadm --create --verbose /dev/md3 --level=mirror --raid-devices=2 /dev/sda1 /dev/sdb1

===After creating, SAVE the RAID configuration===
mdadm --detail --scan >> /etc/mdadm/mdadm.conf

===Mount NTFS===
Read Only;
mount -t ntfs /dev/xxx /mnt/windows -o ro

Read Write;
ntfs-3g /dev/sdaX /mnt/windows

===Add Disk to MDADM===

TEMPPROX:/vm/oldimages# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 1.8T 0 disk
├─sda1 8:1 0 7.5G 0 part
│ └─md0 9:0 0 7.5G 0 raid1 [SWAP]
├─sda2 8:2 0 488M 0 part
│ └─md1 9:1 0 487.7M 0 raid1 /boot
└─sda3 8:3 0 1.8T 0 part
└─md2 9:2 0 1.8T 0 raid1 /
sdb 8:16 0 1.8T 0 disk
└─sdb1 8:17 0 1.8T 0 part /mnt/BACKUP1

TEMPPROX:~# parted /dev/sda
GNU Parted 3.2
Using /dev/sda
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) print
Model: ATA WDC WD2003FYYS-0 (scsi)
Disk /dev/sda: 2000GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags:

Number Start End Size Type File system Flags
1 1049kB 8000MB 7999MB primary boot, raid
2 8000MB 8511MB 512MB primary raid
3 8511MB 2000GB 1992GB primary raid

parted /dev/sdb

mklabel msdos

mkpart primary 1049kB 8000MB

mkpart primary 8000MB 8511MB

mkpart primary 8511MB 2000GB

mdadm --manage /dev/md0 --add /dev/sdb1

mdadm --manage /dev/md1 --add /dev/sdb2

mdadm --manage /dev/md2 --add /dev/sdb3

grub-install /dev/sdb

===Manual Disk swap===

ABPROX:~# smartctl -a /dev/sda
Serial Number: WD-WCAW34414439

ABPROX:~# smartctl -a /dev/sdb
Serial Number: WD-WCAW34329788

ABPROX:~# cat /proc/mdstat
Personalities : [raid1]
md2 : active raid1 sda3[0] sdb3[1]
960505856 blocks super 1.2 [2/2] [UU]
bitmap: 2/8 pages [8KB], 65536KB chunk

md1 : active raid1 sda2[0] sdb2[1]
499392 blocks super 1.2 [2/2] [UU]

md0 : active raid1 sda1[0] sdb1[1]
15616000 blocks super 1.2 [2/2] [UU]

unused devices: <none>

ABPROX:~# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 931.5G 0 disk
├─sda1 8:1 0 14.9G 0 part
│ └─md0 9:0 0 14.9G 0 raid1 [SWAP]
├─sda2 8:2 0 488M 0 part
│ └─md1 9:1 0 487.7M 0 raid1 /boot
└─sda3 8:3 0 916.1G 0 part
└─md2 9:2 0 916G 0 raid1 /
sdb 8:16 0 931.5G 0 disk
├─sdb1 8:17 0 14.9G 0 part
│ └─md0 9:0 0 14.9G 0 raid1 [SWAP]
├─sdb2 8:18 0 488M 0 part
│ └─md1 9:1 0 487.7M 0 raid1 /boot
└─sdb3 8:19 0 916.1G 0 part
└─md2 9:2 0 916G 0 raid1 /
sdc 8:32 0 1.8T 0 disk
└─sdc1 8:33 0 1.8T 0 part /mnt/backups

mdadm --manage /dev/md0 --fail /dev/sda1
mdadm --manage /dev/md0 --remove /dev/sda1

mdadm --manage /dev/md1 --fail /dev/sda2
mdadm --manage /dev/md1 --remove /dev/sda2

mdadm --manage /dev/md2 --fail /dev/sda3
mdadm --manage /dev/md2 --remove /dev/sda3

sfdisk -d /dev/sdb > sfdisk_sdb.output

ABPROX:~# cat sfdisk_sdb.output
# partition table of /dev/sdb
unit: sectors

/dev/sdb1 : start= 2048, size= 31248384, Id=fd, bootable
/dev/sdb2 : start= 31250432, size= 999424, Id=fd
/dev/sdb3 : start= 32249856, size=1921273856, Id=fd
/dev/sdb4 : start= 0, size= 0, Id= 0

sfdisk /dev/sda < sfdisk_sdb.output

mdadm --manage /dev/md0 --add /dev/sda1

mdadm --manage /dev/md1 --add /dev/sda2

mdadm --manage /dev/md2 --add /dev/sda3

ABPROX:~# sfdisk -l /dev/sda

Disk /dev/sda: 121601 cylinders, 255 heads, 63 sectors/track
Units: cylinders of 8225280 bytes, blocks of 1024 bytes, counting from 0

Device Boot Start End #cyls #blocks Id System
/dev/sda1 * 0+ 1945- 1946- 15624192 fd Linux raid autodetect
/dev/sda2 1945+ 2007- 63- 499712 fd Linux raid autodetect
/dev/sda3 2007+ 121601- 119594- 960636928 fd Linux raid autodetect
/dev/sda4 0 - 0 0 0 Empty

ABPROX:~# sfdisk -l /dev/sdb

Disk /dev/sdb: 121601 cylinders, 255 heads, 63 sectors/track
Units: cylinders of 8225280 bytes, blocks of 1024 bytes, counting from 0

Device Boot Start End #cyls #blocks Id System
/dev/sdb1 * 0+ 1945- 1946- 15624192 fd Linux raid autodetect
/dev/sdb2 1945+ 2007- 63- 499712 fd Linux raid autodetect
/dev/sdb3 2007+ 121601- 119594- 960636928 fd Linux raid autodetect
/dev/sdb4 0 - 0 0 0 Empty

---------------------------------
HowTo; write the GRUB boot sector
dd if=/dev/sdb2 of=/dev/sda2

grub-install /dev/sda

grub2-install /dev/sdb

=== FreePBX RAID recovered ===

https://help-grub.gnu.narkive.com/tNbK14Jv/grub2-install-couldn-t-find-physical-volume-null
grub2-install: warning: Couldn't find physical volume `(null)'. Some modules may be missing from core image.
I think I know what happens. Did you reboot after MD was resynced? If not, please try

blockdev --flushbufs /dev/sda1

blockdev --flushbufs /dev/sdb1

grub2-install /dev/sda

grub2-install /dev/sdb

Apcupsd

2025-12-21T06:39:07Z

Rdswikiadmin: Created page with " Configuration Directives Used to Set the UPS EEPROM These directives have no effect on the operation of apcupsd but are reserved for use by apctest when bulk programming the values of the UPS EEPROM configuration variables in a Smart-UPS model. UPSNAME <string> Name of UPS. Maximum of 8 characters. BATTDATE [ mm/dd/yy | dd/mm/yy ] Last battery replacement date. Maximum of 8 characters. SENSITIVITY [ H | M | L ] H : High (most sensitive setting) M : Me..."

Configuration Directives Used to Set the UPS EEPROM

These directives have no effect on the operation of apcupsd but are reserved for use by apctest when bulk programming the values of the UPS EEPROM configuration variables in a Smart-UPS model.

UPSNAME <string>

Name of UPS. Maximum of 8 characters.

BATTDATE [ mm/dd/yy | dd/mm/yy ]

Last battery replacement date. Maximum of 8 characters.

SENSITIVITY [ H | M | L ]

H : High (most sensitive setting) M : Medium L : Low (least sensitive setting)

WAKEUP [ 000 | 060 | 180 | 300 ]

The time delay in seconds that the UPS waits after the return of utility power before "waking up" and restoring power to the connected equipment.

SLEEP [ 020 | 180 | 300 | 600 ]

The time delay in seconds for which the UPS waits or "sleeps" after it receives a request to power off the connected system.

LOTRANSFER <voltage>

Low line voltage causing transfer to battery power or activation of SmartBoost. Allowable values depend on the last letter of the firmware or APCMODEL. Typical values are:

D 106 103 100 097
M 177 172 168 182
A 092 090 088 086
I 208 204 200 196

where D = domestic (USA), M = Canada, A = Asia and I = International.

HITRANSFER <voltage>

High line voltage causing transfer to battery power or activation of SmartTrim. Allowable values depend on the last letter of the firmware or APCMODEL. Typical values are:

D 127 130 133 136
M 229 234 239 224
A 108 110 112 114
I 253 257 261 265

where D = domestic (USA), M = Canada, A = Asia and I = International.

RETURNCHARGE [ 00 | 15 | 50 | 90 ]

Percentage of battery charge needed for the UPS to restore power to the connected equipment.

BEEPSTATE [ 0 | T | L | N ]

Alarm delay.

0 : Zero delay after power fails.
T : When power fails plus 30 seconds.
L : When low battery occurs.
N : Never.

LOWBATT <minutes>

Low battery warning occurs when the specified number of minutes remains before the UPS estimates battery power will be exhausted. There are four user-changeable settings: 2, 5, 7, or 10 minutes

OUTPUTVOLTS <voltage>

UPS nominal output voltage when running on battery. Allowable values depend on the last letter of the firmware or APCMODEL. Typical values are:

D 115
M 208
A 100
I 230 240 220 225

where D = domestic (USA), M = Canada, A = Asia and I = International.

SELFTEST [ 336 | 168 | ON | OFF ]

Self test interval in hours (336 = 2 weeks, 168 = 1 week, ON = at power on, OFF = never).

Rocky Linux

2025-12-16T11:32:11Z

Rdswikiadmin:

<gallery mode="packed-hover" widths=200px heights=100px>
File:Rocky.png|https://rockylinux.org/
</gallery>
 
=='''Enterprise Linux, the community way'''==

:'''Rocky Linux is an open-source enterprise operating system designed to be 100% bug-for-bug compatible with Red Hat Enterprise Linux®.'''
 
'''Rocky Linux is free and open source''' – there are no limitations and you can inspect, integrate, extend and modify however you want.

Virtualisation

2025-12-16T11:30:48Z

Rdswikiadmin:

<gallery mode="packed-hover" widths=150px heights=75px>
File:KVM.png|https://www.linux-kvm.org
File:QEMU.png|https://www.qemu.org
File:Libvirt.png|https://libvirt.org/
File:VirtManager.png|https://virt-manager.org/
</gallery>
 
=='''Virtualization is the process of creating several virtual machines (VMs) from one physical machine using software called a hypervisor.'''==

:'''The virtual machines act and perform just like physical machines, sharing the physical machine’s computing resources.'''
:'''With virtualization you can run multiple servers, desktops, operating systems and networks within the same physical machine.'''

:'''KVM''' (for Kernel-based Virtual Machine) is a full virtualization solution for Linux on x86 hardware containing virtualization extensions.
:Using KVM, one can run multiple virtual machines running unmodified Linux or Windows images.
:Each virtual machine has private virtualized hardware: Network, disk, graphics, etc.
:The kernel component of KVM is included in mainline Linux, as of 2.6.20., the userspace component of KVM is included in mainline QEMU, as of 1.3.

:'''QEMU''' is a free and open-source hosted hypervisor that performs hardware virtualization.

:'''LIBVIRT''' is an open-source API, daemon and management tool for managing platform virtualization.
:It can be used to manage KVM, Xen, VMware ESX, QEMU and other virtualization technologies.
:These APIs are widely used in the orchestration layer of hypervisors in the development of a cloud-based solution.

:'''VIRT-MANAGER''' application is a desktop user interface for managing virtual machines through libvirt.
 
'''KVM + LIBVIRT + QEMU + VIRT-MANAGER are free and open source''' – there are no limitations and you can inspect, integrate, extend and modify however you want.

VPN

2025-12-16T11:30:07Z

Rdswikiadmin:

<gallery mode="packed-hover" widths=150px heights=75px>
File:Wireguard.png|https://www.wireguard.com/
File:Openvpn.png|https://openvpn.net/community/
</gallery>
 
=='''Virtual Private Network'''==

:'''A virtual private network is a mechanism for creating a secure connection between a computing device and a computer network, or between two networks, using an insecure communication medium such as the public Internet.'''
 
:'''WireGuard®''' is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable.

:'''OpenVPN''' protocol has emerged to establish itself as a de- facto standard in the open source networking space with over 50 million downloads. OpenVPN is entirely a community-supported OSS project which uses the GPL license.

 
:'''Wireguard + OpenVPN''' are free and open source – there are no limitations and you can inspect, integrate, extend and modify however you want.

MediaWiki:Sidebar

2025-12-15T10:12:48Z

Rdswikiadmin:

* Realm Data Systems
** mainpage|mainpage-description
** https://wiki.realmdatasystems.uk/index.php/Company|Company
** https://wiki.realmdatasystems.uk/index.php/Open_Source|Open Source
** https://wiki.realmdatasystems.uk/index.php/Remote_Support|Remote Support
** https://wiki.realmdatasystems.uk/index.php/Debian|Debian Linux
** https://wiki.realmdatasystems.uk/index.php/Rocky_Linux|Rocky Linux
** https://wiki.realmdatasystems.uk/index.php/Virtualisation|Virtualisation
** https://wiki.realmdatasystems.uk/index.php/Icinga_Monitoring|Icinga Monitoring
** https://wiki.realmdatasystems.uk/index.php/SME_Server|SME Server
** https://wiki.realmdatasystems.uk/index.php/Email_Server|Email Server
** https://wiki.realmdatasystems.uk/index.php/Nextcloud|Nextcloud
** https://wiki.realmdatasystems.uk/index.php/Collabora_Online|Collabora Online
** https://wiki.realmdatasystems.uk/index.php/IncrediblePBX|IncrediblePBX
** https://wiki.realmdatasystems.uk/index.php/WebERP|WebERP
** https://wiki.realmdatasystems.uk/index.php/VPN|Virtual Private Networking
** https://wiki.realmdatasystems.uk/index.php/Special:AllPages/|All Pages
** https://wiki.realmdatasystems.uk/index.php/Useful_Commands|Useful
** https://wiki.realmdatasystems.uk/index.php/Websites|Websites

Websites

2025-12-15T10:12:15Z

Rdswikiadmin: Created page with "=== SME === : http://mirror.canada.pialasse.com/releases/ : http://www.mirrorservice.org/sites/mirror.contribs.org/smeserver/releases/ : https://wiki.koozali.org/Category:Contrib === KVM === : https://wiki.debian.org/KVM : https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_deployment_and_administration_guide/index : https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/logical_volume_manager_administratio..."

=== SME ===
: http://mirror.canada.pialasse.com/releases/
: http://www.mirrorservice.org/sites/mirror.contribs.org/smeserver/releases/
: https://wiki.koozali.org/Category:Contrib

=== KVM ===
: https://wiki.debian.org/KVM
: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_deployment_and_administration_guide/index
: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/logical_volume_manager_administration/index
: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/logical_volume_manager_administration/lvm_cli
: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/logical_volume_manager_administration/lv#lvm_cache_volume_creation
: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/storage_administration_guide/index
: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_virtualization/index
: https://www.libvirt.org/kbase/live_full_disk_backup.html
: https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/virtio-win.iso

=== Nextcloud ===
: https://docs.nextcloud.com/server/latest/admin_manual/index.html
: https://docs.nextcloud.com/server/13/admin_manual/configuration_server/occ_command.html#
: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html

=== Microsoft ===
: https://azure.microsoft.com/en-us/resources/cloud-computing-dictionary/what-are-private-public-hybrid-clouds

=== Super GRUB2 Disk ===
:https://www.supergrubdisk.org/donate/

=== Other ===
: https://www.server-world.info/en/
: http://www.apcupsd.com/manual/manual.html
: http://www.apcupsd.com/manual/manual.html#configuration-directives-used-to-set-the-ups-eeprom
: https://docs.mojolicious.org/Mojolicious/Guides
: https://en.wikipedia.org/wiki/Private_network
: https://en.wikipedia.org/wiki/Iptables
: https://en.wikipedia.org/wiki/Netfilter

=== RedHat===
: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/4/html/security_guide/index
: https://www.redhat.com/sysadmin/iptables

MediaWiki:Sidebar

2025-12-15T10:10:59Z

Rdswikiadmin:

Useful Commands

2025-12-15T10:10:13Z

Rdswikiadmin: Created page with " === SME === Check added RPM's /sbin/e-smith/audittools/newrpms /sbin/e-smith/audittools/newrpms | grep smeserver Check RPM's rpm -qa smeserver* | sort -d rpm -qa e-smith* | sort -d Check templates /sbin/e-smith/audittools/templates RPM initial install date rpm -qa --last | grep -v "initial install date" Check Repositories http://wiki.contribs.org/SME_Server:Adding_Software /sbin/e-smith/audittools/repositories List Repositories db yum_repositories show c..."

=== SME ===

Check added RPM's
/sbin/e-smith/audittools/newrpms
/sbin/e-smith/audittools/newrpms | grep smeserver

Check RPM's
rpm -qa smeserver* | sort -d
rpm -qa e-smith* | sort -d

Check templates
/sbin/e-smith/audittools/templates

RPM initial install date
rpm -qa --last | grep -v "initial install date"

Check Repositories http://wiki.contribs.org/SME_Server:Adding_Software
/sbin/e-smith/audittools/repositories

List Repositories
db yum_repositories show
cat /home/e-smith/db/yum_repositories

Restore Default Yum Repositories
cd /home/e-smith/db/
mv yum_repositories yum_repositories.po

/etc/e-smith/events/actions/initialize-default-databases

signal-event yum-modify

yum update

Yum; There are unfinished transactions remaining
yum install yum-utils
yum-complete-transaction --cleanup-only

Check RPM Package owning FILE
rpm -qf /usr/bin/nmap

RPM erase single package
rpm -e --nodeps xxx

Check Domain
host -t mx <domain>
host -t a <domain>
host -t soa <domain>
host -t txt <domain>
host -t ns <domain>
host -t txt _dmarc.<domain>
host -t txt default._domainkey.<domain>

Network packet capture and test
tcpdump
tcpdump -i eth1 port 42526 -v
tcpdump -i br0 port 42526 -v
nmap -p 42526 -sU -P0 <domain>
nmap -p 42526 -sT -P0 <domain>

Squid Log Date
perl -pe 's/[\d\.]+/localtime($&)/e' /var/log/squid/access.log

Check Apache modules loaded;
apachectl -t -D DUMP_MODULES

Custom Network
config setprop ExternalInterface EthtoolOpts "speed 10 duplex full autoneg off"

Server Default Backup List
perl -e 'use esmith::Backup;$b=new esmith::Backup;print join("\n",$b->restore_list)."\n"'

Server Reset Initial Restore
config delete PasswordSet
config setprop bootstrap-console Run Yes
signal-event reboot

Redirect website
create redirect ibay
db accounts setprop redirect AllowOverride all
db accounts setprop redirect FollowSymLinks enabled
signal-event ibay-modify redirect

cd /home/e-smith/files/ibays/redirect/html
vim .htaccess
Redirect 301 / http://www.domain.com/

Disable mail to a user from an external network
db accounts setprop groupname/username Visible internal
signal-event email-update

Disable the check for the Date header on the internal interface:
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
echo "# 17check_basicheaders disabled by custom template" > 17check_basicheaders
signal-event email-update

cat /etc/e-smith/templates/var/service/qpsmtpd/config/plugins/17check_basicheaders
{
$OUT = "check_basicheaders";

# Note: You can't specify a maximum offset of 0 days, but that's fair
my $days = $smtpd{MaximumDateOffset} || '';

$OUT .= " $days" if ($days);
}

Disable the check for the Date header on the external interface:
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0
echo "# 17check_basicheaders disabled by custom template" > 17check_basicheaders
signal-event email-update

cat /etc/e-smith/templates/var/service/qpsmtpd/config/peers/0/17check_basicheaders
{
$OUT = "check_basicheaders";

# Note: You can't specify a maximum offset of 0 days, but that's fair
my $days = $smtpd{MaximumDateOffset} || '';

$OUT .= " $days" if ($days);
}

List contents of queued email
# /var/qmail/bin/qmail-qread
14 Dec 2014 03:35:51 GMT #165184302 2886
# find /var/qmail/queue -name 165184302| xargs cat | less

Qmail retry period before return e-mail as undeliverable
default is 604800 seconds = 1 week, 172800 seconds = 2 days
mkdir -p /etc/e-smith/templates-custom/var/qmail/control
echo 172800 > /etc/e-smith/templates-custom/var/qmail/control/queuelifetime
expand-template /var/qmail/control/queuelifetime
sv t qmail

=== unzip ===
tar -xvf xxx.tar
tar -zxvf xxx.tar.gz
tar -xf xxx.tar.xz
unzip xxx.zip
bunzip2 xxx.bz2
bzip2 -d xxx.bz2

=== tar create ===
tar -zcvf archive-name.tar.gz (/directory-name/)file(s)

=== scp ===
scp -rp -P 44 root@192.168.1.1:/.../filename .

=== rsync ===
rsync -aH /affa/smesvr /media/affa/affa/
rsync -aHvzhe ssh --progress root@10.10.15.1:/var/affa/archive /var/affa/
rsync -avzhe "ssh -p 22222" --progress root@123.45.67.89:/mnt/backups/dump/vzdump-qemu-101-2021_09_25-00_00_09.vma.zst /mnt/4TB1/abc
rsync -avzhe "ssh -p 22222" --progress --partial root@123.45.67.89:/mnt/mirror1/dump/fri/SAGESVR.qcow2 /media/owner/WEEKLY/abc

=== .bashrc ===
PS1="\[\e[30m\]\h:\w#\[\e[m\] " BLACK
PS1="\[\e[31m\]\h:\w#\[\e[m\] " RED
PS1="\[\e[32m\]\h:\w#\[\e[m\] " GREEN
PS1="\[\e[34m\]\h:\w#\[\e[m\] " BLUE
PS1="\[\e[36m\]\h:\w#\[\e[m\] " CYAN

export HISTTIMEFORMAT="%d%m%y %T "

Processor info
cat /proc/cpuinfo

Software RAID status
cat /proc/mdstat

Linux check maximum MTU
ping -M do -s 1434 google.co.uk

Windows check maximum MTU
ping google.co.uk -f -l 1434

=== Symbolic link ===
ln -s /path-to-folder(file) foldername(filename)

=== Public key ===
on the HOST server:
affa --send-key targetsvr
ssh-keygen -t ed25519
ssh-keygen -t rsa

cat /root/.ssh/id_rsa.pub

on the TARGET server: add
mkdir -p /root/.ssh
cd /root/.ssh
vim authorized_keys

config setprop sshd PasswordAuthentication no
signal-event remoteaccess-update
config show sshd

=== MySQL ===
mysql
use icinga
REPAIR TABLE icinga_hoststatus;
REPAIR TABLE icinga_logentries;
\q

/etc/init.d/icinga stop
mysqlcheck --databases icinga

Restore mysql db
mysql -u root -p wcuk < wcuk.sql

=== APC ===
Update BATTDATE to the current date.
Kill the apcupsd daemon first, Run apctest to update the UPS eeprom.

Debian;
apt install apcupsd
vim /etc/apcupsd/apcupsd.conf
vim /etc/default/apcupsd
systemctl restart apcupsd.service

cd /etc/init.d/
./apcupsd start

http://www.apcupsd.com/manual/manual.html#red-hat-systems

Compile
SME;
yum install gcc gcc-c++
yum remove gcc gcc-c++

http://sourceforge.net/projects/apcupsd/files/latest/download?source=files

gunzip apcupsd-3.14.13.tar.gz
tar -xvf apcupsd-3.14.13.tar
cd apcupsd-3.14.13
./configure --help
./configure --enable-usb
make
make install

DEBIAN;
apt-get install g++
apt-get install make
./configure --enable-usb
make
make install
vim /etc/apcupsd/apcupsd.conf
cd /etc/init.d
./apcupsd status
./apcupsd start
./apcupsd status

aptitude remove make
aptitude remove g++

additional package removed gcc

IPv6
ipv4="192.168.0.1"; sla="5"; printf "2002:%02x%02x:%02x%02x:%04x::1" `echo $ipv4 | tr "." " "` $sla

=== Vigor ===
vigor sip_alg
sys sip_alg ?
sys sip_alg 0
sys commit

ipsec passthrough
srv nat ipsecpass on

VDSL
WAN / General Setup / VLAN Tag Insertion = Enable / Tag Value = 101

vTiger
vTiger delete demo data SQL command
update vtiger_crmentity set deleted = 1

vTiger >5.04 reset admin password to 'admin'

mysql
use <vtiger_database_name>;
update vtiger_users set user_password = 'adpexzg3FUZAk', crypt_type = '' where user_name = 'admin';

MediaWiki:Sidebar

2025-12-15T10:08:22Z

Rdswikiadmin:

* Realm Data Systems
** mainpage|mainpage-description
** https://wiki.realmdatasystems.uk/index.php/Company|Company
** https://wiki.realmdatasystems.uk/index.php/Open_Source|Open Source
** https://wiki.realmdatasystems.uk/index.php/Remote_Support|Remote Support
** https://wiki.realmdatasystems.uk/index.php/Debian|Debian Linux
** https://wiki.realmdatasystems.uk/index.php/Rocky_Linux|Rocky Linux
** https://wiki.realmdatasystems.uk/index.php/Virtualisation|Virtualisation
** https://wiki.realmdatasystems.uk/index.php/Icinga_Monitoring|Icinga Monitoring
** https://wiki.realmdatasystems.uk/index.php/SME_Server|SME Server
** https://wiki.realmdatasystems.uk/index.php/Email_Server|Email Server
** https://wiki.realmdatasystems.uk/index.php/Nextcloud|Nextcloud
** https://wiki.realmdatasystems.uk/index.php/Collabora_Online|Collabora Online
** https://wiki.realmdatasystems.uk/index.php/IncrediblePBX|IncrediblePBX
** https://wiki.realmdatasystems.uk/index.php/WebERP|WebERP
** https://wiki.realmdatasystems.uk/index.php/VPN|Virtual Private Networking
** https://wiki.realmdatasystems.uk/index.php/Special:AllPages/|All Pages
** https://2clever.uk/index.php/Useful_commands|Useful
** https://2clever.uk/index.php/Websites|Websites

MediaWiki:Sidebar

2025-12-15T10:06:56Z

Rdswikiadmin:

* Realm Data Systems
** mainpage|mainpage-description
** https://wiki.realmdatasystems.uk/index.php/Company|Company
** https://wiki.realmdatasystems.uk/index.php/Open_Source|Open Source
** https://wiki.realmdatasystems.uk/index.php/Remote_Support|Remote Support
** https://wiki.realmdatasystems.uk/index.php/Debian|Debian Linux
** https://wiki.realmdatasystems.uk/index.php/Rocky_Linux|Rocky Linux
** https://wiki.realmdatasystems.uk/index.php/Virtualisation|Virtualisation
** https://wiki.realmdatasystems.uk/index.php/Icinga_Monitoring|Icinga Monitoring
** https://wiki.realmdatasystems.uk/index.php/SME_Server|SME Server
** https://wiki.realmdatasystems.uk/index.php/Email_Server|Email Server
** https://wiki.realmdatasystems.uk/index.php/Nextcloud|Nextcloud
** https://wiki.realmdatasystems.uk/index.php/Collabora_Online|Collabora Online
** https://wiki.realmdatasystems.uk/index.php/IncrediblePBX|IncrediblePBX
** https://wiki.realmdatasystems.uk/index.php/WebERP|WebERP
** https://wiki.realmdatasystems.uk/index.php/VPN|Virtual Private Networking
** https://2clever.uk/index.php/Special:AllPages/|All Pages
** https://2clever.uk/index.php/Useful_commands|Useful
** https://2clever.uk/index.php/Websites|Websites

VPN

2025-12-15T10:06:21Z

Rdswikiadmin: Created page with " <gallery mode="packed-hover" widths=200px heights=100px> File:Wireguard.png|https://www.wireguard.com/ File:Openvpn.png|https://openvpn.net/community/ </gallery> =='''Virtual Private Network'''== :'''A virtual private network is a mechanism for creating a secure connection between a computing device and a computer network, or between two networks, using an insecure communication medium such as the public Internet.''' :'''WireGuard®''' i..."

<gallery mode="packed-hover" widths=200px heights=100px>
File:Wireguard.png|https://www.wireguard.com/
File:Openvpn.png|https://openvpn.net/community/
</gallery>
 
=='''Virtual Private Network'''==

:'''A virtual private network is a mechanism for creating a secure connection between a computing device and a computer network, or between two networks, using an insecure communication medium such as the public Internet.'''
 
:'''WireGuard®''' is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable.

:'''OpenVPN''' protocol has emerged to establish itself as a de- facto standard in the open source networking space with over 50 million downloads. OpenVPN is entirely a community-supported OSS project which uses the GPL license.

 
:'''Wireguard + OpenVPN''' are free and open source – there are no limitations and you can inspect, integrate, extend and modify however you want.

File:Openvpn.png

2025-12-15T10:05:14Z

Rdswikiadmin:

File:Wireguard.png

2025-12-15T10:04:59Z

Rdswikiadmin:

MediaWiki:Sidebar

2025-12-15T10:02:39Z

Rdswikiadmin:

* Realm Data Systems
** mainpage|mainpage-description
** https://wiki.realmdatasystems.uk/index.php/Company|Company
** https://wiki.realmdatasystems.uk/index.php/Open_Source|Open Source
** https://wiki.realmdatasystems.uk/index.php/Remote_Support|Remote Support
** https://wiki.realmdatasystems.uk/index.php/Debian|Debian Linux
** https://wiki.realmdatasystems.uk/index.php/Rocky_Linux|Rocky Linux
** https://wiki.realmdatasystems.uk/index.php/Virtualisation|Virtualisation
** https://wiki.realmdatasystems.uk/index.php/Icinga_Monitoring|Icinga Monitoring
** https://wiki.realmdatasystems.uk/index.php/SME_Server|SME Server
** https://wiki.realmdatasystems.uk/index.php/Email_Server|Email Server
** https://wiki.realmdatasystems.uk/index.php/Nextcloud|Nextcloud
** https://wiki.realmdatasystems.uk/index.php/Collabora_Online|Collabora Online
** https://wiki.realmdatasystems.uk/index.php/IncrediblePBX|IncrediblePBX
** https://wiki.realmdatasystems.uk/index.php/WebERP|WebERP
** https://2clever.uk/index.php/VPN|Virtual Private Networking
** https://2clever.uk/index.php/Special:AllPages/|All Pages
** https://2clever.uk/index.php/Useful_commands|Useful
** https://2clever.uk/index.php/Websites|Websites