Frequently Asked Questions
The Mitel Networks SME Server available for download from the links on this site is an unsupported developer release. This release is made available for developer testing.
The unsupported developer release does not provide access to any of the
services included in our Mitel Networks 6000 Managed Application Server
(6000 MAS). These services include virus scanning, spam filtering, web
access control, free-busy scheduling, groupware, and technical support.
Product information about the Mitel Networks 6000 MAS can be found on our corporate site.
Preinstallation
- What is the most up-to-date released version of SME Server (formerly e-smith server and gateway)?
- Can I use the SME Server with my DSL connection?
- Which version of the Linux kernel is used in SME Server?
- Do you support DHCP on the external interface? I want to use a cable modem and my cable modem provider only supports DHCP.
- Why should I run my own web and mail servers? My Internet Service Provider can host them and then I never need to think about it.
- Can I install SME Server on a computer that does not meet the minimum specifications (e.g. ISA network cards, no local CDROM, small hard disk)?
- I don't have a local CDROM - how do I install SME Server?
- How do I do a network install?
- Can I use ISA network cards?
- Why doesn't SME Server support NFS?
- I was wondering if SME Server supports ASP (Active Server Page) scripting? If so, how do you enable/use it? If not, can it be installed or configured separately?
- Does the SME Server support Virtual Private Networking (VPNs)?
- Does the SME Server allow for multi-hosting of websites from a single IP address?
- I plan to use a dialup modem, and my telephone company charges me for every local call and outbound connection. How can I avoid large phone bills?
- Does SME Server V5 support USB modems?
- Does the SME server support FrontPage extensions?
- Does the SME Server provide virus protection?
- Where can I obtain the source code for your product?
Administration
- What updates should I apply to my SME Server?
- Is there any mechanism for remote administration of the SME Server?
- How do I bypass the console menu to access a command prompt?
- I have installed SME Server on a multiprocessor-capable (SMP) machine. When I boot, I have two kernel choices to choose from: 'esmith' and 'esmith up'. What do these options mean?
- How do I install/upgrade RPMs?
- I can't seem to find make, gcc or other compiler tools?
- I've read Question 7, but I still want to compile packages on my SME Server. What will I need?
- How do I or my users send mail (through the SME Server's SMTP server) when outside my local area network?
- How do I set the modem initialization string for my modem or ISDN terminal adapter?
- Is there a way around the 12-character i-bay name, account name, and group name limits?
- I would like to add NFS to my SME Server. What things should I do and what should I be aware of?
- Can I use other Linux administration tools on my SME Server, such as webmin/swat/linuxconf/commanche?
- Where can I find the source code for your kernel -- I can't find it on your CDROM.
- Where can I find the .config file used to build your kernel?
- Why isn't chmod via FTP allowed?
- How do I configure SME Server to use a permanent modem connection?
- In many cases using a DNS forwarder can offer speed benefits. Why does Mitel recommend that you not use an external Primary or Secondary DNS server?
- Can SME Server accept Domain Logons from Win2000 and XP machines?
- What does the SME Server backup do?
- How can I determine how much space is left on my hard drive?
- Can I define which users have PPTP access?
- Can I install SME Server on one machine and move the disk to another machine?
- I have set up a virtual domain. Can I distinguish mail to ACCOUNT@my_primary_domain.com from ACCOUNT@my_virtual_domain.com and not drop the mail to the same mailbox on the system?
- If I install SME Server on my server with two hard drives, will SME Server recognise/use them both?
- How can I use telnet to login to the server as root?
- Since the release of 5.1 transparent HTTP proxy is enabled by default. How can I disable it?
- Where can I find a PPTP client for my MAC?
- How can I disable a service/server/daemon that I don't require?
- Is there a server-manager panel or software blade that provides a server administrator the ability to manage the firewall? (I.e., open or close specific ports.)
- Why can't I establish a VPN connection to my office network using my VPN access client (such as the Nortel Extranet Access Client)?
- How can I increase (or decrease) the file-size restriction on webmail attachments?
Security, Bugs, and Problem Reporting
- How secure is the SME Server? Is it a firewall?
- I think I've found a bug. What do I do?
- Is the SME Server configured to block email relays?
- Why does my SME Server fail some web-based open relay tests?
- I think I've discovered a security problem. How do I report it?
- Why doesn't the SME Server support NFS?
- I did a test using a program I got off www.grc.com called Leak Test and the findings were that our firewall was penetrated.
- I've just checked my SME Server security using a tool called Nessus. (An example of Nessus can be found at www.vulnerabilities.org.) Nessus reports several vulnerabilities detected on port 25/smtp. Should I be concerned?
- How can I log/view all denied packets filtered by the firewall component of my SME Server?
- When a user logs on to a Windows 9x machine, the password is kept locally in a file named "USER.pwl" (where USER can be any username). This poses a serious security risk as the simple encryption used in these files is easy to break. Is there anything I can do about it?
- PHP applications running in i-bays can only access files within the same i-bay. Is there a way that the administrator can relax this restriction?
- How do I password protect LILO, the boot loader?
- I see successful CONNECT attempts to remote hosts on port 25 in my Apache log. Am I being used as a mail relay?
Troubleshooting
- Why am I getting "access denied" when I try to access the web-based manager?
- I'm trying to install SME Server, but I get the error "kernel image not found"!
- E-mail sent to users from mailing lists is winding up in the administrator's mailbox. Why, and what can I do about it?
- Whenever I ping any host, I get as the first line of response: "Warning: no SO_TIMESTAMP support, falling back to SIOCGSTAMP". What does this mean?
- When I shut down I get the following message regarding the software RAID, with a note about "md1 not unmounted". Is this normal behaviour?
- Upgrade/Install fails.
- Why is my software RAID system only reporting half the size of available disk space?
- The product logo is overlapping the links in the server-manager. Why are the server-manager links not appearing as they do in the manual?
- After installation, system hangs at LI...
- After installation, system hangs at "Enabling swap space".
- Why is only half of my available disk space being reported on my software RAID system?
- Why am I getting the error "open_basedir restriction in effect." from my PHP program(s)?
- Why is the Webmail interface English after I have chosen French as my default language?
- Why won't my mail client collect mail from my Mitel SME Server?
- What is the most up-to-date released version of SME Server (formerly e-smith server and gateway)?
The latest official release of SME Server is 5.6. This release includes many package updates and some new features. It is also available as a bundled solution with network-delivered services, SME Server V5 with ServiceLink. All users are encouraged to upgrade to the most recent version of SME Server.

- Can I use the SME Server with my DSL connection?
PPP over Ethernet (PPPoE) is a standard feature in SME Server.

- Which version of the Linux kernel is used in SME Server?
The current SME Server release uses the Red Hat 2.4.18-5 kernel. SME Server V5.6 is based on the popular Red Hat Linux (version 7.3). You can determine the kernel version at any time by issuing the command /bin/uname -r at the command prompt.

- Do you support DHCP on the external interface? I want to use a cable modem and my cable modem provider only supports DHCP.
Yes, the product supports DHCP on the external interface, and we also support dynamic DNS services. Normally, when your ISP changes the IP address assigned to your domain, they will need to re-publish the DNS and MX records associating the new IP address with your domain, which results in an interruption of service for your server. Using a dynamic DNS service expedites the publication of DNS and MX records, resulting in little or no interruption of service. Dynamic DNS is automatically provided to all ServiceLink-enabled servers.

- Why should I run my own web and mail servers? My Internet Service Provider can host them and then I never need to think about it.
We've found that running one's own mail server is one of the greatest advantages our server provides, especially for a smaller company, since it makes it much more pleasant to deal with large files. For example, emailing a Powerpoint presentation to a co-worker can tie up even a cable modem for 3 minutes (assuming that a 3Mb file is sent to the ISP and back with roughly a 40K/sec transfer rate). With a local server that transaction would take only a few seconds, and the cable modem would be fully available to other users during that time. Also, for companies that routinely send and receive large files (over 10Mb) to and from offsite customers (for example graphics companies and print shops), running a local mail server dramatically improves reliability, even with a fast network connection.
With the web server it's less clear. Sometimes it makes sense to have your ISP host your web site. But you'd be surprised: many ISPs put so many customers on each of their servers that their web hosting performance is terrible. For moderate amounts of web traffic, it often makes sense to run a local web server, even with an ISDN connection. Publishing web pages on your SME Server is as simple as dragging the content into the appropriate i-bay; FTP is avoided. If you get huge amounts of traffic, then your best bet may be to run an SME Server on your ISP's premises (co-location service).

- Can I install SME Server on a computer that does not meet the minimum specifications (e.g. ISA network cards, no local CDROM, small hard disk)?
The SME Server's primary design goals are simplicity of installation and operation. Installation from a local CDROM and the use of PCI network cards are required to simplify installation. The hardware requirements for a Tier 1 server are also modest and inexpensive. SME Server is based on RedHat Linux, so network installations and the use of ISA network cards are possible, but not supported. The freely available peer-support bulletin boards at www.e-smith.org have suggestions from members of the SME Server user community on how to install using these options.

- I don't have a local CDROM - how do I install SME Server?
We suggest you install a CDROM, at least for the duration of the install. See also Q8.

- How do I do a network install?
You need to make the CDROM image available via NFS, FTP, SMB or HTTP from another machine on your network. You then need to customize a ks.cfg file on the floppy made from the bootnet.img file, to specify the IP address, protocol, etc. of the network install. Unless you are an experienced Linux user, we suggest that you just temporarily attach a CDROM drive.

- Can I use ISA network cards?
Yes, though SME Server doesn't provide built-in support for them. Randy Brown has posted instructions on one of the user bulletin boards detailing how to install an ISA network card in an SME Server. Thanks Dan. See also Q6.

- Why doesn't SME Server support NFS?
We don't currently support NFS on the SME Server, as there are a number of problems in doing so, in particular a lack of security. First, NFS is based on trusting the UID/GID provided by the client machine rather than the more trustworthy user-based security we use for all of the other SME Server systems (samba, netatalk). Second is the problem of access control to sections of the SME Server. This implies running a common UID/GID regime across your network (always a good idea), which probably implies running something like NIS/YP (which may not be). The other problem with NFS is one of ensuring that the name/IP mappings for the NFS clients remain constant (or are managed when they change). So, in short, we don't plan to support NFS at this stage as part of the product. You can easily add the appropriate RPM modules to the server; see the Administration FAQ for details.

- I was wondering if SME Server supports ASP (Active Server Page) scripting? If so, how do you enable/use it? If not, can it be installed or configured separately?
ASP is a Microsoft proprietary technology designed to run on Microsoft's web server products. It is not available on the SME Server. There are a number of extremely powerful web scripting languages and interfaces available as open source software. Among them are:
- Zope (http://www.zope.org/), which uses the Python scripting language and provides an exceptional all-round content management environment.
- mod_perl (http://perl.apache.org/), which provides a powerful and efficient development interface to the Apache web server API in Perl.
- PHP (http://www.php.net/), a full-featured scripting language that integrates extremely well with databases. You can use ASP2PHP (http://asp2php.naken.cc/) to convert ASP code to PHP.
The SME Server comes with built-in support for mod_perl and the PHP scripting language. Many programmers consider either of these alternatives much superior to ASP. If you still require support for ASP on your SME Server, you can also consider one of the following options:
- Apache::ASP (http://www.apache-asp.org). From their website: "Apache::ASP provides an Active Server Pages port to the Apache Web Server with Perl scripting only, and enables developing of dynamic web applications with session management and embedded perl code. There are also many powerful extensions, including XML taglibs, XSLT rendering, and new events not originally part of the ASP API."
- ChiliSoft (http://www.chilisoft.com/) advertises 'platform-independent .asp' on their web page. They provide a commercial application that will run ASP on Linux, as well as a significant number of other platforms.
If you choose one of the last few options, you will need to read the SME Server documentation carefully, and integrate the application into the SME Server environment. You will find useful documentation about how SME Server's internals work linked from the main page of our developer site.

- Does the SME Server support Virtual Private Networking (VPNs)?
Yes. The current version supports remote VPN access to the server using the Point-to-Point Tunneling Protocol (PPTP). Please see the SME Server with ServiceLink user manual for more information. The SME Server with ServiceLink also supports gateway-to-gateway IPSec VPNs. See http://www.mitel.com/products/ for more information.

- Does the SME Server allow for multi-hosting of websites from a single IP address?
Yes. Using virtual domains and i-bays you can easily and quickly create multiple domains to be hosted on the SME Server.

- I plan to use a dialup modem, and my telephone company charges me for every local call and outbound connection. How can I avoid large phone bills?
The SME Server allows you to define separate dialup connection policies for business hours, after business hours, and weekends. You can read more about this feature in the SME Server with ServiceLink User Guide.
CAUTION: If you are using a dial-on-demand link to your ISP, please be aware that you can incur very steep phone charges due to dialup connection attempts to the ISP. We are aware of at least one case in which a failed modem link at the ISP resulted in several thousand connection attempts over a couple of days, and a hefty phone bill. If your telephone carrier charges you per-call or per-minute fees, we suggest that you contact your ISP and ask whether it is willing to assume responsibility if a failure at their end results in a large phone bill.

- Does SME Server V5 support USB modems?
No, USB networking devices are not supported by the kernel shipping with SME Server V5. Consult your ISP if you have been provided with a USB modem; your ISP may be able to provide or recommend an ethernet modem compatible with the services they are providing.

- Does the SME server support FrontPage extensions?
Mitel Networks does not currently support FrontPage extensions, although we have heard of people successfully adding this functionality to the SME Server. We are considering support for FP extensions in future versions, although we are inclined against it due to the inherent security risks. FrontPage is a very large, unauditable application with a history of security vulnerabilities. If you want to proceed on your own to add FP extensions, we suggest the following resources:

- Does the SME Server provide virus protection?
Mitel Networks provides virus protection through ServiceLink, a suite of critical system-management services delivered from our Application Management Center (AMC). A ServiceLink-enabled SME Server automatically downloads virus pattern updates to a sophisticated server-based virus-scanning engine, ensuring detection and blocking of viruses and malicious code.

- Where can I obtain the source code for your product?
Source for packages created or modified by us can be found in the SRPMS subdirectory of the release at a Mitel Networks SME Server mirror site. The sources for any other packages in the distribution (e.g. the kernel) can be found on your local RedHat mirror. We can also provide a copy of all sources used in the product upon request. Please contact smesupport@mitel.com for further details.
- What updates should I apply to my SME Server?
Official e-smith updates are found in the updates directory on our FTP server. Modules found in the "contrib" area of our FTP site are not supported by e-smith and should be considered works-in-progress. Even if you find a later version in the "contrib" area, it is not supported until it appears in the updates directory. Refer to the Installing/Upgrading RPMs FAQ for instructions on how to update packages. SME Server updates are made available as Software Blades to ServiceLink-enabled servers.

- Is there any mechanism for remote administration of the SME Server?
If you plan to administer your SME Server remotely, we strongly recommend that you use a secure form of authentication and encryption. There are three secure methods:
- SSH: One of the easiest and best methods is SSH (secure shell), which provides a secure, encrypted way to log in to a remote machine across a network or to copy files from a local machine to a server. By default, SSH access is turned off; once publicly enabled you also have the option to allow or disallow root access. You shouldn't need root access in order to perform routine SME Server administration tasks: logging in as admin gives you access to the server console, which in turn also provides access to the server-manager. The SME Server provides both the ssh client programs and an ssh server daemon, and supports both the SSH1 and SSH2 protocols.
- PPTP VPN: The second option is to use a PPTP VPN connection to your server. A PPTP connection is easily established to an SME Server over an existing internet connection, much the same way a dialup connection is established in the Windows Dialup Networking panel (or equivalent). Once a PPTP connection is established from the Windows client to the remote SME Server, that client appears to be on the local network hosted by that server. You can then browse to local hostnames, such as http://www/server-manager/, remotely and securely.
- SSL (HTTPS): With the SME Server V5, we added the ability to access the server-manager remotely through a regular web browser using SSL encryption (also known as HTTPS). See the Remote access server-manager panel for details.
NOTE: Remote access to your SME Server using telnet is strongly discouraged. Allowing public telnet access greatly reduces the security of your server. Telnet is disabled by default.

- How do I bypass the console menu to access a command prompt?
Switch to another virtual terminal, say tty2, by keying ALT-F2 (ALT-F3 for tty3). Then log in as root with the admin password. Only root has shell access; if shell access is required for another user, root can change that user's shell with the chsh command. Local shell access should only be granted to trusted local users.

- I have installed SME Server on a multiprocessor-capable (SMP) machine. When I boot, I have two kernel choices to choose from: 'esmith' and 'esmith up'. What do these options mean?
This question applies only to multiprocessor-capable (SMP) machines. On multiprocessor-capable machines the SME Server installs two default kernels. If you want, you can view these options at boot time and manually choose between them. When the first splash screen displays, typing CTRL-x will clear it. Type TAB to view a list of kernels with which SME Server can be booted. They are:
- esmith - this is the default SMP-capable kernel. Unless told to do otherwise, the SME Server will boot with this kernel. This is the default choice even if your multiprocessor-capable machine has only one processor.
- esmith-up - This stands for 'e-smith uniprocessor'. This kernel will access only the first processor on any machine.
Machines that are not multiprocessor-capable have only one kernel option by default: 'esmith'. This is the uniprocessor kernel. Important note: If your SME Server is running properly, it is NOT necessary to manually choose which kernel to boot from.

- How do I install/upgrade RPMs?
In order to install RPM packages on any RedHat based system one should familiarize oneself with the rpm command. The most commonly used forms of rpm are listed below.
This command will format and display the on-line manual pages for the rpm command:
    man rpm
This command says (i)nstall package_name, with (v)erbose output, and print (h)ashes for a nice display as the archive is unpacked:
    rpm -ivh package_name-version.rpm
Similarly, this command says (U)pgrade package_name, with (v)erbose output, and print (h)ashes for a nice display as the archive is unpacked:
    rpm -Uvh package_name-version.rpm
The general form of the rpm uninstall command takes the installed package name, not the .rpm file name:
    rpm -e package_name

- I can't seem to find make, gcc or other compiler tools?
The SME Server is not a general purpose Linux operating system; it's a specialized distribution designed to act as a workgroup server and internet gateway. We do not provide compiler tools, including "make", as they are not required for the operation of the system and should not be installed on production gateways, in order to preserve the integrity and security of the system. A system running RedHat Linux (or compatible) should be used for preparing any software for installation onto the server. Preferably the RPM binary format should be used to package the software and install it on the server. Please see Questions 5 and 6 for more details. Please note that you can still develop RPMS on your SME Server without these tools.

- I've read Question 7, but I still want to compile packages on my SME Server. What will I need?
If you are still certain that you would like to have the ability to compile and make packages directly on your SME Server, you'll need to install the RedHat 7.1 rpms listed below. They can be downloaded from any RedHat mirror site.
- cpp
- glibc-devel
- glib-devel
- make
- libstdc++-devel
- gcc
- gcc-c++
- kernel-headers

- How do I or my users send mail (through the SME Server's SMTP server) when outside my local area network?
Ideally, you want to use the SMTP server of the ISP your users are connecting through to send mail when offsite. That usually requires changing the outgoing server (SMTP) name to use a host provided by the ISP when out of the office. This is inconvenient, though there are options:
- Use a common hostname. Does the hostname 'mail' resolve to a valid SMTP server when connected remotely? If it does, then you can set the SMTP server name to use 'mail', and your users will be able to send mail when offsite as well as when onsite without having to change anything.
- Connect to the SME Server via PPTP, then send email.
- Some email clients, such as OE, allow multiple accounts. One account can be used to specify the SMTP server when on the local network, and another account used when offsite.
- Use Webmail. See the Other e-mail settings panel in the server-manager for more details: http://www.e-smith.org/docs/manual/4.1/webmail.html
If you allow people outside your local network to send mail using your server, it's almost impossible to stop anyone from using it. This kind of setup is known as an open mail relay, and is certain to be discovered and abused by spammers. If such a thing happens, you can become extremely unpopular in a very short amount of time. And that's ignoring the fact that your system and your network can be overwhelmed by the volume of traffic that gets generated.

- How do I set the modem initialization string for my modem or ISDN terminal adapter?
It is better to store the modem init in the profile of the modem, rather than specifying an initstring at dial time. You can store init strings in the modem with AT&W by accessing the modem via minicom, or any other serial communication program. For example:
    AT&F
    AT&C1&D2&Q0%C0
    AT&W
This resets to factory condition, sets the required settings (in this case &C1&D2&Q0%C0), then stores the current settings as the reset setting of the modem. (You might need/want AT&F0 and AT&W0; refer to your modem manual for modem-specific AT commands.) The standard reset of ATZ will then restore that condition, so there is no need to change/customize the SME Server setting. For more instructions on using minicom and other help on modem commands, see http://www.linuxdoc.org/HOWTO/Modem-HOWTO.html
If you really must use a dial-time initstring, you can provide it when configuring the dial-up settings during the console configuration.

- Is there a way around the 12-character i-bay name, account name, and group name limits?
In order to provide compatibility with Windows 9x machines we have deliberately set these limits to twelve. You can change the maximum length of these by setting maxIbayNameLength, maxAcctNameLength and maxGroupNameLength. When unset the default is 12. To allow names as long as 15 characters for an account (maxAcctNameLength), for example, execute the following commands:
    /sbin/e-smith/db configuration set maxAcctNameLength 15
    /sbin/e-smith/signal-event console-save

- I would like to add NFS to my SME Server. What things should I do and what should I be aware of?
First, please note that there are security issues to consider before using NFS. See the related Security, Bugs and Problem Reporting FAQ entry for more details. In order to provide NFS you'll need three packages: nfs-utils, portmap and e-smith-nfs. Check your local RedHat mirrors or freshmeat.net for the latest of the first two packages, and the e-smith contrib section for the latest e-smith-nfs. You'll also need to install knfsd-clients on the client machines. Once installed, you'll need hosts.allow entries for portmap, rpc.mountd and rpc.nfsd. See the man pages for more detailed instructions. You may also want to set up NIS if you are going to implement NFS. The Network Information Service (NIS) provides a simple network lookup service consisting of databases and processes. Its purpose is to provide information that has to be known throughout the network, to all machines on the network. The rpms needed for NIS are ypserv, ypbind, yp-tools and e-smith-ypserv.

- Can I use other Linux administration tools on my SME Server, such as webmin/swat/linuxconf/commanche?
No. We don't support webmin/linuxconf/swat/commanche or any other GUI configuration editors (or the direct hand editing of configuration files) because they are fundamentally incompatible with the SME Server's configuration system. The SME Server implements an intelligent templated configuration file management system for managing configuration files. Most system configuration files are not modified directly by the server-manager interface; templates for system configuration files are edited and then used to generate the configuration files. See http://www.e-smith.org/content/architecture/ for details, or http://www.e-smith.org/docs/papers/perl-article.html for a more technical overview. If you would like to manually edit the configuration files, please see http://www.e-smith.org/content/custom/ before doing so.
If the server-manager does not provide a way for you to make the changes you need, we'd like to know about it; posting to our 'wish' list is the preferred way to let us know: http://www.e-smith.org/bboard/list.php?f=4

- Where can I find the source code for your kernel -- I can't find it on your CDROM.
We use exactly the same kernel as shipped by RedHat; you can obtain the source code from any RedHat mirror site.

- Where can I find the .config file used to build your kernel?
We use RedHat's kernel RPM; you will find the .config file in the source RPM for the kernel RPMs, available from any RedHat mirror.

- Why isn't chmod via FTP allowed?
chmod is disallowed from FTP so that the administrator must manually allow execute permissions for scripts running on the server. Allowing chmod via FTP would mean that all users can do this, and that is bad for system security.

- How do I configure SME Server to use a permanent modem connection?
When you select operation mode "Server and Gateway - Dialup", you are given the option to also select a connection policy. For a permanent modem connection select the continuous policy. This should be all that is required for both static and dynamic IP configurations.
If you have been assigned a static IP address by your ISP, then your server should be automatically assigned the correct IP address when it connects, using the IPCP component of PPP (IPCP is the "Internet Protocol Control Protocol" - http://www.faqs.org/rfcs/rfc1332.html). If your server is not allocated the correct IP address when it connects, then you should contact your ISP's support facility.
If your ISP is not able to configure their Remote Access Server (RAS) so that it allocates the correct IP address, then follow the instructions below to create a custom template. With this template in place there is no need to set the remote IP address and subnet mask. We also recommend you do NOT specify external primary and secondary DNS servers.
# Make a copy in the custom area of the template fragment you
# need to change
mkdir -p /etc/e-smith/templates-custom/etc/diald.conf
cp /etc/e-smith/templates/etc/diald.conf/pppd-options \
   /etc/e-smith/templates-custom/etc/diald.conf/pppd-options
# Edit the new template fragment in place. Here x.x.x.x refers to your
# IP address and y.y.y.y to the ISP RAS's IP address. You *should* be
# able to leave y.y.y.y blank (keeping the colon after x.x.x.x).
perl -pi -e "s/noipdefault/x.x.x.x:y.y.y.y/" \
    /etc/e-smith/templates-custom/etc/diald.conf/pppd-options
# Expand the templated configuration file (/etc/diald.conf) and
# restart diald.
/sbin/e-smith/signal-event console-save
- In many cases using a DNS forwarder can offer speed benefits. Why does Mitel recommend that you not use an external Primary or Secondary DNS server?
While specifying primary and secondary name servers may provide a performance improvement by using an ISP's cache, the performance improvement of using an offsite forwarder is relatively minor and is outweighed by reliability concerns. Large ISPs split their nameservers between recursive and non-recursive nameservers. If a non-recursive server is used as the forwarder, all queries for domains not hosted at the ISP will fail. We have seen this at a few sites. Less competent ISPs have also been known to run DNS caches which are less reliable than performing the lookups directly. Entering static forwarders can also result in future name resolution failures when the ISP changes to using different nameservers. Similarly, if people change to a different ISP without changing the nameserver values, they are likely to have many name lookups fail, as ISPs should block recursive queries from outside their network. In summary, the performance benefit is minor, while reliability and ease of setup are significantly improved by not asking for the DNS servers.
- Can SME Server accept Domain Logons from Win2000 and XP machines?
The SME Server can now act as a domain controller for users on Windows 2000 and XP systems. Prior to version 5.1 domain logon support was limited to Windows NT and 95/98/ME.
- What does the SME Server backup do?
The backup to desktop will compress the following directories and files to a file named smeserver.tgz:
- /home/e-smith
- /etc/e-smith/templates-custom
- /etc/e-smith/templates-user-custom
- /etc/ssh
- /root/.ssh
- /etc/passwd
- /etc/shadow
- /etc/group
- /etc/gshadow
- /etc/smbpasswd
The backup to tape will back up all filesystems; however, only the files and directories in the above list will be restored. The tape backup does a level 0 [*] backup using a program called flexbackup. Both methods will back up MySQL data.
[*] Level 0 backups of "all" assume a new tape - this will trigger tape retension and erasure.
- How can I determine how much space is left on my hard drive?
The command "df" reports filesystem disk space usage. Used with the "-h" and "/" arguments, you are presented with the size of the root partition, how much of that space is used, and how much is available.
[sme-server]# df -h /
Filesystem            Size  Used Avail Use% Mounted on
/dev/hda6             1.2G  310M  838M  27% /
Type "df --help" for a list of options that can be used with df.
- Can I define which users have PPTP access?
Yes. By default, all users (whose accounts are activated) can establish PPTP access to the server, if the number of allowed PPTP connections allows it. To disallow PPTP access for a specific user, say "pauln", perform the following commands as root.
Turn PPTP access off for pauln:
/sbin/e-smith/db accounts setprop pauln PPTPAccess off
Update remote access:
/sbin/e-smith/signal-event remoteaccess-update
The user pauln is no longer able to establish a PPTP connection to the SME Server.
- Can I install SME Server on one machine and move the disk to another machine?
You should only do this if the machines are identically configured. Many hardware items, most importantly the processor type, are detected at installation time. The installer will choose processor-dependent versions of various important packages, including the kernel. These processor-dependent packages may not run on other processors. If you move the disk to a less capable machine (e.g. from a PIII to a Pentium), the machine is likely to hang just after printing 'freeing cpu memory'. If you move the disk to a more capable machine (e.g. from a Pentium to a PIII), you may not gain all of the performance benefits of the more capable processor. In this case, we recommend that you perform an upgrade (using the same version) to ensure that the correct processor-dependent packages are installed. This will also detect and install the SMP kernel if your newer machine is SMP-capable.
- I have set up a virtual domain. Can I distinguish mail to ACCOUNT@my_primary_domain.com from ACCOUNT@my_virtual_domain.com and not drop the mail into the same mailbox on the system?
There is only one "user community" created per SME Server; jond@my_primary_domain.com and jond@my_virtual_domain.com are the same user.
- If I install SME Server on my server with two hard drives, will SME Server recognise/use them both?
At install and upgrade time there should be one disk, or two identical disks to be used as a mirrored pair (software RAID). All other disks should be disconnected. If you have two hard drives and do not select software RAID, the installer will rewrite the partition table of the second drive; what the installer will do with the second disk is not defined. Mounting additional disks after install/upgrade is possible, but some Linux knowledge is required.
- How can I use telnet to login to the server as root?
Using telnet is extremely insecure because it transmits all passwords in the clear. We strongly encourage people to use ssh instead, as it provides all the functionality of telnet but does so in a secure manner. We have long stated our long-term intention to remove telnet access from the base server product (and make it available, perhaps, as an add-on). With version 5, we removed the ability to login via telnet as the "root" user to access the Linux shell. You can still login via telnet as "admin" and access the server console. If there is some reason why you absolutely cannot use ssh and you want to allow insecure root access via telnet, you must execute the following commands as root on the server:
/sbin/e-smith/db configuration setprop telnet PermitRootLogin yes
/sbin/e-smith/signal-event remoteaccess-update
Again, we strongly discourage you from doing this and strongly recommend that you use ssh.
- Since the release of 5.1 transparent HTTP proxy is enabled by default. How can I disable it?
To disable transparent proxying of all HTTP requests from your LAN, run:
/sbin/e-smith/db configuration setprop squid Transparent no
/sbin/e-smith/signal-event remoteaccess-update
- Where can I find a PPTP client for my Mac?
To the best of our knowledge there are no PPTP Mac clients for Mac OS versions earlier than OS X that are compatible with the current release of SME Server. DigiTunnel for Mac OS X has been reported to work.
- How can I disable a service/server/daemon that I don't require?
Set the status property of the service to "disabled", then reconfigure and stop the service. E.g., to disable atalkd (the Apple file-sharing service), change the status property from enabled to disabled:
/sbin/e-smith/db configuration setprop atalkd status disabled
then signal the console-save event to reconfigure and stop the service:
/sbin/e-smith/signal-event console-save
NOTE: the console-save event does not reconfigure and restart (or stop) all services. If the console-save event does not reconfigure and stop a particular service you would like disabled, refer to the directory listing of /etc/e-smith/events/actions for the appropriate script(s) that are required. Other methods for stopping/starting services (such as /etc/rc.d/init.d/service stop) may stop the service, but it will not remain disabled after some system events are run (the reboot event, for example).
- Is there a server-manager panel or software blade that provides a server administrator the ability to manage the firewall? (I.e., open or close specific ports.)
No, firewall management is automatic. If a service is enabled, then the relevant ports are opened; if not, then they are closed (packets are dropped). All outbound connections are permitted, and masqueraded, which is what most sites want. The only inbound connections permitted are those to services which are enabled for public access.
- Why can't I establish a VPN connection to my office network using my VPN access client (such as the Nortel Extranet Access Client)?
IPsec masquerading is not enabled by default. To enable IPsec masquerading, run the following commands in a root shell:
/sbin/e-smith/config setprop masq ipsec yes
/sbin/e-smith/signal-event remoteaccess-update
- How can I increase (or decrease) the file-size restriction on webmail attachments?
The default webmail attachment limit is 2 megabytes. In SME Server versions 5.5 and later you can set the webmail attachment limit by setting the php UploadMaxFilesize property. Once you've done so you'll need to signal the email-update event. For example, to set the maximum attachment size to 50 megabytes:
/sbin/e-smith/db configuration setprop php UploadMaxFilesize 50M
/sbin/e-smith/signal-event email-update
For versions prior to 5.5 either a custom template or manual configuration of the PHP initialization file is required.
- How secure is the SME Server? Is it a firewall?
Yes. The SME Server is a firewall. We've implemented a full firewalling configuration: IPChains provide another layer of filtering on top of IP masquerading; all non-essential network services are disabled; TCP wrappers are enabled; server programs are configured to communicate only with machines on the local network (where that is appropriate); sendmail has been replaced with qmail to increase security and performance; all remote login facilities are disabled. A much more detailed description of SME Server security can be found in our SME Server security white paper, located at http://www.e-smith.org/docs/papers/.
- I think I've found a bug. What do I do?
First consult the bugs page for known bugs. If the bug you are reporting is not already listed, please send a detailed description of the bug to smebugs@mitel.com, at which time we can work with you to diagnose any problems. Thank you for not posting suspected bugs to the SME Server user bulletin boards until after we have confirmed that a bug does or does not exist.
- Is the SME Server configured to block email relays?
Yes. An unmodified SME Server will deliver mail from the local network to any location, and receive mail from external sites for delivery to the local domain and all configured virtual domains only.
- Why does my SME Server fail some web-based open relay tests?
Web-based open relay tests can only test the mail reception, not the mail delivery. The mail transport agent used in SME Server will appear to fail some of the later tests in the sequence, but will _not_ relay the mail. These failed tests are called "false positives". The mail will either be bounced or delivered to the local administrator, depending on your choice in the "Other email settings" page. For more details on relays and relay tests, please see:
http://www.faqts.com/knowledge-base/view.phtml/aid/1198/fid/206/lang/en
http://www.orbs.org
http://www.abuse.net/relay.html
The abuse.net mail relay test does an end-to-end test, actually sending test messages through your server to check for open relays. This is the only way to properly detect open relays.
One specific instance in which many end-to-end relay tests may fail is the "percent hack" test. In Sendmail, the address "user%host@example.com" directs a mail transport to deliver the message to example.com, which will then forward it to user@host. The percent hack is not supported in qmail, and "user%host@example.com" simply refers to the user "user%host". In some versions of SME Server, mail sent to similar addresses will be accepted and then bounced by qmail. Some relay tests will mark that as a (possible) false positive.
A fuller explanation of broken relay testing using the percent hack is available here:
http://homepages.tesco.net/~J.deBoynePollard/FGA/maps-relay-test-is-wrong.html
- I think I've discovered a security problem. How do I report it?
Please send an email to security@e-smith.com outlining the problem. Important Note: Please DO NOT post security concerns or suspicions of security problems on any public forum or mailing list. This is standard industry practice, and allows us to quickly confirm the validity of any security reports.
- Why doesn't the SME Server support NFS?
We don't currently support NFS on the SME Server as there are a number of problems in doing so, in particular the security issues. First, NFS is based on trusting the UID/GID provided by the client machine rather than the more trustworthy user-based security we use for all of the other SME systems (samba, netatalk). Second is the problem of access control to sections of the SME Server. This implies running a common UID/GID regime across your network (always a good idea), which probably implies running something like NIS/YP (which may not be). The other problem with NFS is one of ensuring that the name/IP mappings for the NFS clients remain constant (or are managed when this changes). So, in short, we don't plan to support NFS at this stage as part of the product.
- I did a test using a program I got off www.grc.com called Leak Test and the findings were that our firewall was penetrated.
The test located at grc.com tests your server for outbound connections, and on success reports that your firewall has been penetrated. Our policy is that outbound connections are allowed. The server is still well protected from the outside world.
- I've just checked my SME Server security using a tool called Nessus. (An example of Nessus can be found at www.vulnerabilities.org.) Nessus reports several vulnerabilities detected on port 25/smtp. Should I be concerned?
We investigated several Nessus vulnerability reports in detail when they were first reported to security@e-smith.com. We found that the reports are false positives. The SMTP server used by SME Server explicitly guards against the buffer overflow attempts mentioned in the Nessus scans. The SMTP server also runs as an unprivileged user in a restricted environment, which protects the system against any compromise attempts.
- How can I log/view all denied packets filtered by the firewall component of my SME Server?
By default, logging of denied packets is turned off. There are three levels of denied packet logging:
- all - every blocked packet is logged
- most - all blocked packets except SMB and RIP
- none - (default) no blocked packets are logged
To change the level of logging:
/sbin/e-smith/db configuration setprop masq Logging most
/sbin/e-smith/signal-event remoteaccess-update
Denied packets will now be logged to the system log (/var/log/messages). Conversely, to turn logging off:
/sbin/e-smith/db configuration setprop masq Logging none
/sbin/e-smith/signal-event remoteaccess-update
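Once logging is on, the denied packets sit among everything else in /var/log/messages. The script below is an added example, not part of SME Server: it summarises denied packets by destination protocol/port and by source address. The six log lines it runs on are constructed samples in the 2.2-kernel ipchains "Packet log:" format (an assumption about what the SME Server kernel writes); the host name "sme" and all addresses are made up.

```shell
#!/bin/sh
# Added example (not SME Server code): summarise the denied packets that
# "masq Logging most" or "all" writes to /var/log/messages.
# The log lines below are constructed samples in the 2.2-kernel ipchains
# "Packet log:" format; host name "sme" and all addresses are made up.
LOG_SAMPLE='Dec  8 21:49:32 sme kernel: Packet log: input DENY eth1 PROTO=6 203.0.113.5:4321 198.51.100.2:23 L=60 S=0x00 I=1234 F=0x4000 T=51 SYN (#4)
Dec  8 21:49:33 sme kernel: Packet log: input DENY eth1 PROTO=6 203.0.113.5:4322 198.51.100.2:139 L=60 S=0x00 I=1235 F=0x4000 T=51 SYN (#4)
Dec  8 21:49:35 sme kernel: Packet log: input DENY eth1 PROTO=6 203.0.113.5:4323 198.51.100.2:23 L=60 S=0x00 I=1236 F=0x4000 T=51 SYN (#4)
Dec  8 21:50:01 sme kernel: Packet log: input DENY eth1 PROTO=17 192.0.2.9:520 198.51.100.2:520 L=52 S=0x00 I=0 F=0x0000 T=64 (#5)
Dec  8 21:50:07 sme kernel: Packet log: input DENY eth1 PROTO=6 192.0.2.9:33000 198.51.100.2:23 L=60 S=0x00 I=9 F=0x4000 T=48 SYN (#4)
Dec  8 21:50:08 sme kernel: Packet log: input ACCEPT eth0 PROTO=6 192.168.1.20:1025 198.51.100.2:80 L=60 S=0x00 I=77 F=0x4000 T=64 SYN (#1)'

# Count denied packets per destination protocol/port, most frequent first.
# Reads the file(s) named as arguments, or standard input when none given:
#   denied_by_port /var/log/messages
denied_by_port() {
    awk 'BEGIN { name[1] = "icmp"; name[6] = "tcp"; name[17] = "udp" }
    /Packet log: / && / DENY / {
        # The field after PROTO=n is the source, the one after that the destination.
        for (i = 1; i <= NF; i++)
            if ($i ~ /^PROTO=/) { proto = substr($i, 7); dst = $(i + 2) }
        split(dst, d, ":")
        count[((proto in name) ? name[proto] : proto) "/" d[2]]++
    }
    END { for (k in count) print k, count[k] }' "$@" |
    sort -k2,2nr -k1,1
}

# Count denied packets per source address, most frequent first.
denied_by_source() {
    awk '/Packet log: / && / DENY / {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^PROTO=/) { split($(i + 1), s, ":"); count[s[1]]++ }
    }
    END { for (k in count) print k, count[k] }' "$@" |
    sort -k2,2nr -k1,1
}

# Run both summaries over the constructed sample; ACCEPT lines are ignored.
printf '%s\n' "$LOG_SAMPLE" | denied_by_port
printf '%s\n' "$LOG_SAMPLE" | denied_by_source
```

With the "most" level, SMB and RIP denials (such as the udp/520 line above) will not appear at all; switch to "all" if you need them.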
- When a user logs on to a Windows 9x machine, the password is kept locally in a file named "USER.pwl" (where USER can be any username). This poses a serious security risk as the simple encryption used in these files is easy to break. Is there anything I can do about it?
Yes, password caching can be disabled.
What is the PWL file used for? The purpose of the PWL file is to cache password information. For example, when you access a passworded resource such as a dial-up connection, you are asked whether or not you want to "save" the password. If the option to save the password is selected, this password and a resource identifier are cached in the PWL file so that the user will not have to provide the password in the future. While this offers the user convenience, this security model is simply insecure. Those passwords can be easily retrieved by an attacker, who can then in turn use the captured passwords to compromise your network security.
The following instructions explain how to disable password caching.
Start the Registry Editor: Start->Run "regedit"
Go to the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network
Add a value called DisablePwdCaching: Edit->New->DWORD Value; value name: DisablePwdCaching; value data: 1
Close the registry editor and remove all *.pwl files. Passwords will no longer be cached in PWL files.
If you wish not to disable PWL password caching, we recommend urging your users to use "good" passwords. Good passwords are usually long, contain both alphanumeric and special characters, and do not contain dictionary words. Such passwords are considerably more secure.
Resources: Winters, Scott, "PWL Files: The Achilles' Heel of Windows 9X Client Networks", http://www.sans.org/infosecFAQ/win/PWL.htm
- PHP applications running in i-bays can only access files within the same i-bay. Is there a way that the administrator can relax this restriction?
Yes. The administrator can change the PHP base directory by executing the following commands (as root):
/sbin/e-smith/db accounts setprop your_i-bay_name PHPBaseDir /
/sbin/e-smith/signal-event ibay-modify your_i-bay_name
Note that the PHPBaseDir argument can be more restrictive than the example shown above. For example, PHPBaseDir can also be '/home/e-smith/files/'.
- How do I password protect LILO, the boot loader?
Add the following line to /etc/lilo.conf:
password=your_password
then run:
/sbin/lilo -v
The password will be preserved when lilo.conf is regenerated.
- I see successful CONNECT attempts to remote hosts on port 25 in my Apache log. Am I being used as a mail relay?
You may see something like this in your access log:
www.tofu-dog.com 192.168.1.1 - - [08/Dec/2002:21:49:32 +0100] "CONNECT mailin-04.mx.aol.com:25 HTTP/1.0" 200 43446 "-" "-"
Despite the 200 (Success) response code, this is not a successful relay attempt. At first glance, it looks like Apache was letting the remote user connect through to the AOL mail server and was transmitting 43446 bytes of mail data, but what is actually happening is a bit stranger. The remote user is sending:
CONNECT mailin-04.mx.aol.com:25 HTTP/1.0
Host: www.faithful.dk
and Apache is sending back index.html from your server, which is 43446 bytes (after line-ending conversion, if necessary). Since we disallow HTTP CONNECT, sending back the results of an equivalent GET is an unusual but legal response from Apache.
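To check this for yourself rather than eyeballing the log, the script below (an added example, not SME Server code) lists every CONNECT request in an access log and marks the ones whose byte count equals the size of the page Apache serves for "/", which is the harmless case explained above. The four log lines are constructed samples in the same vhost-first combined format as the entry above; the hosts and addresses are made up, and the index-page size is passed in by the caller.

```shell
#!/bin/sh
# Added example (not SME Server code): list the CONNECT requests in an
# Apache access log and mark the ones whose byte count equals the size of
# the page Apache serves for "/", i.e. the harmless case described above.
# The log lines below are constructed samples in the vhost-first combined
# format shown in the FAQ entry; hosts and addresses are made up.
LOG_SAMPLE='www.example.com 198.51.100.7 - - [08/Dec/2002:21:49:32 +0100] "CONNECT mx1.example.org:25 HTTP/1.0" 200 43446 "-" "-"
www.example.com 198.51.100.7 - - [08/Dec/2002:21:49:40 +0100] "CONNECT mx2.example.org:25 HTTP/1.0" 200 43446 "-" "-"
www.example.com 192.168.1.15 - - [08/Dec/2002:21:50:02 +0100] "GET /index.html HTTP/1.1" 200 43446 "-" "Mozilla/4.0"
www.example.com 203.0.113.9 - - [08/Dec/2002:21:51:10 +0100] "CONNECT mx1.example.org:25 HTTP/1.0" 200 512 "-" "-"'

# Print one line per CONNECT request: client, target, status, bytes and a
# verdict. $1 is the byte size of the page served for "/" (for example the
# output of: wc -c < /path/to/your/index.html). The log is read from the
# files named after $1, or from standard input when none are given.
connect_requests() {
    index_size=$1; shift
    awk -v index_size="$index_size" '{
        # In this log format the client address is the second field; with a
        # plain combined log (no leading vhost) it would be $1 instead.
        for (i = 1; i <= NF; i++)
            if ($i == "\"CONNECT") {
                client = $2; target = $(i + 1); status = $(i + 3); bytes = $(i + 4)
                # A 200 carrying exactly the index page is Apache answering a
                # refused CONNECT with the equivalent GET; anything else needs a look.
                verdict = (status == 200 && bytes == index_size) ? "index-page-returned" : "review"
                print client, target, status, bytes, verdict
            }
    }' "$@"
}

# Count CONNECT requests per client address, most frequent first.
connect_clients() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "\"CONNECT") count[$2]++ }
         END { for (k in count) print k, count[k] }' "$@" |
    sort -k2,2nr -k1,1
}

printf '%s\n' "$LOG_SAMPLE" | connect_requests 43446
printf '%s\n' "$LOG_SAMPLE" | connect_clients
```

A "review" verdict only means the response was not your index page; look at what Apache actually returned for that request before drawing any conclusion.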
- Why am I getting "access denied" when I try to access the web-based manager?
This error often means that the SME Server thinks the web-based manager is being accessed from outside the local network (which it denies for security reasons). If you are running with a single ethernet card, make sure the machine is configured for server-only mode. If running with two ethernet cards, the SME Server automatically assigns one of the cards to the internal network and the other to the external Internet connection. Initially you have to guess which is which, so if you get this error message, try switching the ethernet cables. This error will also be produced when an invalid username/password is used. A common mistake is to attempt to connect to the server-manager as the 'root' user, instead of the appropriate 'admin' user.
- I'm trying to install SME Server, but I get the error "kernel image not found"!
Type "accept" to accept the licensing agreement before hitting enter at the prompt.
- E-mail being sent to users from mailing lists is winding up in the administrator's mailbox. Why, and what can I do about it?
Please refer to the manual for more information about SME Server and multidrop e-mail:
http://edocs.mitel.com/
It is not a problem that can be solved at the SME Server, as the information has already been lost. This can be fixed by any of the following:
- Use SMTP directly to your box
- Use ETRN mode to grab e-mail from your ISP
- Ask your ISP to add a custom header which details the "envelope recipient" of the message (this is not the To: line; it is a line which is usually stripped when e-mail is stored in a user mailbox).
- Whenever I ping any host, I get as the first line of response: "Warning: no SO_TIMESTAMP support, falling back to SIOCGSTAMP". What does this mean?
This is a cosmetic problem that has no ill effects on the system. It is inherited from RedHat. For details on their perception of the problem, and their response to it, see: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=19952
- When I shut down I'm getting the following message regarding the software RAID, with a note about "md1 not unmounted". Is this normal behaviour?
Completely normal, though it may not happen on every shutdown. There are tricky flushing issues with shutting down a RAID system, and the kernel sometimes leaves state information which allows it to complete the flush on the next startup. You will probably see a message to this effect on bootup.
- Upgrade/Install fails.
Upgrade/install fails, with error messages similar to the following:
Traceback (innermost last):
  File "/usr/bin/anaconda", line 438, in ?
    intf.run(todo, test = test)
  File "/var/tmp/anaconda-7.0.1//usr/lib/anaconda/text.py", line 1035, in run
    rc = apply (step[1](), step[2])
  File "/var/tmp/anaconda-7.0.1//usr/lib/anaconda/textw/esmith_text.py", line 87,
    instClass = Kickstart("/tmp/upgrade.cfg", 0)
  File "/var/tmp/anaconda-7.0.1//usr/lib/anaconda/kickstart.py", line 575,
    f = open(file, "r")
IOError: [Errno 2] No such file or directory: '/tmp/upgrade.cfg'
Local variables in innermost frame:
file: /tmp/upgrade.cfg
This is the result of corrupt boot media.
If you are booting from floppy: create another floppy, using a freshly formatted floppy - preferably formatted on the same machine. Boot floppies need to be 100% flaw free in order for the installation/upgrade to work.
If you are booting from CD-ROM: this is most often the result of a corrupt CD image. You will also see similar messages if the CDROM could not be detected. The image may have been corrupted before burning (during download), or the image may have been corrupted during the burning process. Before burning the CD, you can check the integrity of the CD image using md5sum, included in all major Linux distributions, or available for Windows at a mirror site near you: http://www.e-smith.org/download/ (see /pub/e-smith/contrib/DOSWindowApps/).
- Why is my software RAID system only reporting half the size of available disk space?
In order for software RAID to work correctly, the geometries on both disks must be the same. To correct this problem, first perform a backup of your data. Next, ensure both drives are using "NORMAL" mode in the BIOS. (Normal mode says "just give the truth about the disks".) If any partition table is found on the disks, the information there will override the geometry specified in the BIOS. To remove any partition tables, perform the following command as root:
dd if=/dev/zero of=/dev/hda bs=512 count=1
(This assumes disks are set as primary and secondary masters -- if they are not, they should be.) Re-install SME Server, and ensure the correct disk size is being reported. Once this is confirmed, restore your data.
- The product logo is overlapping the links in the server-manager. Why are the server-manager links not appearing as they do in the manual?
Some browsers cannot properly handle certain directives in the DIV tags in our HTML, resulting in strange behaviour. Browsers known to have problems are:
- KDE Konqueror
- Microsoft Internet Explorer 3
and to a lesser extent:
- Netscape 4.x (for both Linux and Win9x)
Usually reloading the frame will correct problems with Netscape.
- After installation, system hangs at LI...
There are a variety of possible causes for this problem, which is a symptom of the LILO boot loader failing after its second stage. The usual culprit is a disk geometry mismatch. A set of approaches for resolving disk geometry problems with LILO can be found in the Linux Newbie Guide, at http://sunsite.dk/linux-newbie/Linux_LILO.htm#LILO_stops
- After installation, system hangs at "Enabling swap space".
During system initialization while loading the agpgart module, some HP systems have been known to hang. Since SME Server does not need AGP highres support, the relevant bit in /etc/rc.d/rc.local can be commented out to prevent the system from attempting to load this module. To fix this, at the LILO boot prompt, use CTRL-X to access the text prompt. Then use
linux single init=/bin/bash rw
to skip the init script that loads the agpgart module. Then edit /etc/rc.d/rc.sysinit and comment out lines 583 through 585. Save the file and reboot. The system should start up after the edit. Following is the proper section of the file (already commented):
# Load agpgart here. This is a hack, and will probably go away soon.
# if grep "driver: agpgart" /etc/sysconfig/hwconf >/dev/null 2>&1 ; then
#     modprobe agpgart >/dev/null 2>&1
# fi
See also: http://www.redhat.com/support/docs/gotchas/7.0/gotchas-7-7.html
- Why is only half of my available disk space being reported on my software RAID system?
In order for software RAID to work correctly, the geometries on both disks must be the same. To correct this problem, first perform a backup of your data. Next, ensure both drives are using "NORMAL" mode in the BIOS. (Normal mode says "just give the truth about the disks".) If any partition table is found on the disks, the information there will override the geometry specified in the BIOS. To remove any partition tables, perform the following commands as root:
dd if=/dev/zero of=/dev/hda bs=512 count=1
dd if=/dev/zero of=/dev/hdc bs=512 count=1
(This assumes disks are set as primary and secondary masters -- if they are not, they should be.) Re-install SME Server, and ensure the correct disk size is being reported. Once this is confirmed, restore your data.
- Why am I getting the error "open_basedir restriction in effect." from my PHP program(s)?
As a security feature, PHP code running from an i-bay is restricted to only accessing files within that i-bay. To relax this restriction see the relevant entry in the Security FAQ.
- Why is the Webmail interface English after I have chosen French as my default language?
When a user first logs in, they choose a language. This language choice then gets saved as part of the user's personal preferences. Forever thereafter (or until the user changes their personal options), they will be shown webmail in this language after the login, regardless of the language they chose at the login screen. If a user wants to change their language after login, they choose Options / Language and then pick the desired language.
- Why won't my mail client collect mail from my Mitel SME Server?
Some mail clients (such as Eudora 5.2) support encryption through STARTTLS when possible. However, Eudora won't accept the self-generated certificate installed with SME Server version 5.6. In Eudora, go to Tools/Options/Checking Mail and change the option "Secure Sockets When Receiving" from the default of "If Available, STARTTLS" to "Never". You may need to exit and restart Eudora for this to take effect. If you encounter this issue with a mail client other than Eudora 5.2, please report this to faq@e-smith.com.
Last modified on 2003-03-26 14:02:47. Copyright 1999-2003 Mitel Networks Corporation. All Rights Reserved.