
FreeBSD Plesk Tips (7.5.x)

Discussion in 'Plesk for Linux - 8.x and Older' started by jshanley, Dec 5, 2005.

  1. jshanley

    jshanley Guest

    0
     
    Original thread for 7.1.x here for Plesk 7.1.x on FreeBSD. The paths for Horde webmail have changed since 7.1.x, so I probably need to fix that up in the tips, below. Thanks goes out to everyone who posted suggestions/tips in the previous thread.

    Don't forget to patch your Plesk server with the hotfixes! This will patch some security vulnerabilities, and fix some bugs. (Hotfix Page)

    Hotfix list updated: Dec 20th 2005.

    Plesk 7.5.4 on FreeBSD 5.3: Hotfixes: 1 2 3 4 5

    Plesk 7.5.4 on FreeBSD 4.9: Hotfixes: 1 2 3 4 5


    Improving SMTP speed/performance

    Note: They may have fixed this in 7.5.x, but I haven't installed 7.5 on a clean system recently, so I don't remember. I'm leaving this here just in case.

    Improving SMTP response time (connections):

    By default, Plesk on FreeBSD is pretty slow at establishing SMTP connections. This is because it defaults to doing reverse-dns lookups for all SMTP connections, for no good reason. This can slow down your mail sessions significantly (the default timeout on the reverse DNS lookup is 26 seconds.. per connection, which means if there is no reverse-dns for the mailserver trying to connect to you, it will wait 26 seconds before letting the connection continue). We want to change this behaviour so it instantly connects all SMTP sessions.

    Edit /etc/inetd.conf and scroll down to the bottom. The two lines you're looking for start with "smtp" and "smtps".

    Here is a short example of what it looks like:
    smtp stream tcp nowait root /usr/local/psa/qmail/bin/tcp-env tcp-env /usr/local/psa/qmail/bin/relaylock ( ... etc)

    What you want to do is insert -Rt0 after the second "tcp-env" on both of these lines. Here is an example:

    smtp stream tcp nowait root /usr/local/psa/qmail/bin/tcp-env tcp-env -Rt0 /usr/local/psa/qmail/bin/relaylock
    smtps stream tcp nowait root /usr/local/psa/qmail/bin/tcp-env tcp-env -Rt0 /usr/local/psa/qmail/bin/relaylock

    After doing this, kill and restart inetd for the changes to take effect.

    Improving default bounce behaviour:

    By default, Plesk does not handle double-bounces gracefully. We want to throw away double bounces (bounces that cannot be delivered). We can do this with:

    echo "#" > /usr/local/psa/qmail/control/doublebounceto

    Increasing the number of concurrent deliveries:

    By default, Plesk limits mail to 10 local deliveries at a time, and 20 external deliveries at a time. This is usually insufficient for most hosts, so you can change that behaviour by increasing both to, say, 25. Note: It is best to adjust this according to your own server specs and your needs. For example, if you're running on a slow system with low ram, you probably don't want to increase this... etc.

    echo "25" > /usr/local/psa/qmail/control/concurrencylocal
    echo "25" > /usr/local/psa/qmail/control/concurrencyremote

    After creating these files, restart the qmail service.

    TODO: Fixing & Improving SpamAssassin Performance

    The file /etc/sysconfig/spamassassin comes as:
    SPAMDOPTIONS="-d -u qmailq -c -H /var/qmail"

    where the options are:
    -d daemon
    -u run as user...
    -c create users' preferences files
    -H work directory...

    But it can be improved with:
    -x (server, don't check users' files)
    -q (users' prefs stored in sql db)
    -L (local, don't perform dns checks)
    -m10 (10 children)

    so, a very fast and light (but not powerful) config would be:
    SPAMDOPTIONS="-d -u qmailq -x -L -m5 -H /var/qmail"

    It's important to add the -m10 or -m5 flag, because by default SpamAssassin is not limited - it can spawn 1,000 copies if you're not careful (bringing your server to its knees). So I always limit the number of spamassassin copies that are allowed to run at once.

    TODO: Accelerating the Admin Interface

    Haven't tried this on 7.5.x, as the web interface performance increased dramatically between 7.1.x and 7.5.x already. I'll try this later using APC or eAccelerator.

    Fixing Webmail Bugs

    Note: The path to webmail files has changed since 7.1.x, I still need to change this tip to reflect that.

    When a user uses the "Password" button/icon in webmail, it stupidly says "Changing password on Example poppassd server". Note: I think they fixed this on 7.5.x, I'll have to check one of my old servers, just in case. I'll leave the tip here until I verify.

    Edit: /usr/local/psa/home/vhosts/webmail/horde/passwd/config/backends.php
    change the line that says
    'name' => 'Example poppassd server', ... to:
    'name' => 'this server',

    Note: The path to webmail files has changed since 7.1.x, I still need to change this tip to reflect that.

    When a user uses the "Password" button/icon in webmail, it shows them just the first part of their username instead of the full email@domain.com address as their username. So, changing their password doesn't work.

    Edit: /usr/local/psa/home/vhosts/webmail/horde/passwd/config/conf.php

    Find the line that says:

    $conf['hooks']['default_username'] = false; ... and change it to
    $conf['hooks']['default_username'] = true;

    Now, create a new file called:

    Note: The path to webmail files has changed since 7.1.x, I still need to change this tip to reflect that.

    /usr/local/psa/home/vhosts/webmail/horde/config/hooks.php

    In this file, paste the following

    Code:
    <?php
    /**
     * Horde Hooks configuration file.
     **/

    if (!function_exists('_passwd_hook_default_username')) {
        function _passwd_hook_default_username($userid)
        {
            return $userid;
        }
    }

    /** DO NOT PLACE A ?> AT THE END OF THIS FILE **/
    
    Now users can use the Password button in Webmail, and it will work correctly.
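
The inetd.conf edit from the SMTP tip above can be applied repeatably with a small script. This is an added example, not part of the original post: the function names `add_rt0` and `count_patched` are hypothetical, and the sample file is constructed for the demo.

```shell
#!/bin/sh
# Added example: idempotently insert -Rt0 after the second "tcp-env" on the
# smtp/smtps lines of an inetd.conf-style file, keeping a dated backup.

# add_rt0 FILE: rewrite FILE in place. Lines that already carry -Rt0,
# commented-out lines and all other services are left untouched.
add_rt0() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    tmp=$(mktemp "${conf}.XXXXXX") || return 1
    awk '
        ($1 == "smtp" || $1 == "smtps") && $0 !~ /tcp-env[ \t]+-Rt0/ {
            # first "tcp-env" ends the program path, the second is argv[0]
            sub(/tcp-env[ \t]+tcp-env/, "& -Rt0")
        }
        { print }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    if cmp -s "$conf" "$tmp"; then
        rm -f "$tmp"                    # already patched, nothing to do
        return 0
    fi
    cp -p "$conf" "${conf}.bak-$(date +%Y-%m-%d)" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$conf" && rm -f "$tmp"   # keeps owner and mode of FILE
}

# count_patched FILE: number of active smtp/smtps lines that carry -Rt0.
count_patched() {
    awk '($1 == "smtp" || $1 == "smtps") && /tcp-env[ \t]+-Rt0/ { n++ }
         END { print n + 0 }' "$1"
}

# Demo on a constructed sample file (not a real /etc/inetd.conf).
demo_dir=$(mktemp -d)
cat > "$demo_dir/inetd.conf" <<'EOF'
# constructed sample
smtp stream tcp nowait root /usr/local/psa/qmail/bin/tcp-env tcp-env /usr/local/psa/qmail/bin/relaylock
smtps stream tcp nowait root /usr/local/psa/qmail/bin/tcp-env tcp-env /usr/local/psa/qmail/bin/relaylock
ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
EOF
add_rt0 "$demo_dir/inetd.conf"
add_rt0 "$demo_dir/inetd.conf"          # second run changes nothing
echo "patched lines: $(count_patched "$demo_dir/inetd.conf")"
rm -rf "$demo_dir"
```

Run it against a copy of the real file first, compare with `diff`, and restart inetd afterwards as the post describes.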
     
  2. jshanley

    jshanley Guest

    0
     
    Adding Spell Check to Webmail

    First, install aspell or ispell from ports:

    /usr/ports/textproc/ispell
    /usr/ports/textproc/aspell

    Note: The path to webmail files has changed since 7.1.x, I still need to change this tip to reflect that.


    Edit: /usr/local/psa/home/vhosts/webmail/horde/imp/config/conf.php

    Find the line:

    $conf['utils']['spellchecker'] = ''; ... and replace it with something like
    $conf['utils']['spellchecker'] = '/usr/local/bin/aspell';

    Get rid of the "This message was sent through IMP" on webmail messages

    # Get rid of the "This message was sent..." at the bottom of webmail messages

    Note: The path to webmail files has changed since 7.1.x, I still need to change this tip to reflect that.


    # home/vhosts/webmail/horde/imp/config/conf.php
    // Should we append the contents of imp/config/trailer.txt to the end
    // of every message sent?
    $conf['msg']['append_trailer'] = false;


    Adding some additional features to Webmail - these will add the ability to view contents of zip/rar/tar files from webmail

    Note: The path to webmail files has changed since 7.1.x, I still need to change this tip to reflect that.

    /usr/local/psa/home/vhosts/webmail/horde/config/mime_drivers.php

    # Fix the wrong location of TAR on BSD
    - $mime_drivers['horde']['tgz']['location'] = '/bin/tar';
    + $mime_drivers['horde']['tgz']['location'] = '/usr/bin/tar';

    # Install RAR (/usr/ports/archivers/rar), then change this line:
    - // $mime_drivers['horde']['rar']['location'] = '/usr/bin/rar';
    + $mime_drivers['horde']['rar']['location'] = '/usr/local/bin/rar';
    # ... and uncomment the rest of the "rar" block (the 6 lines below this one)

    # do "which zipinfo" ; you should already have it installed. If not,
    # You can install it by installing /usr/ports/archivers/zip from ports.
    # Then uncomment this block to enable webmail to utilize it (and display zipfile info)

    /* Location of the zipinfo binary. */
    $mime_drivers['horde']['zip']['location'] = '/usr/local/bin/zipinfo';
    $mime_drivers['horde']['zip']['inline'] = true;
    $mime_drivers['horde']['zip']['handles'] = array(
    'x-extension/zip',
    'application/x-compressed',
    'application/x-zip-compressed');
    $mime_drivers['horde']['zip']['icons'] = array(
    'default' => 'compressed.gif');

    # Allow users to report spam through webmail (they need to open the actual mail to see the "report this message as spam" link though).
    # It's up to you whether you want to give them this ability; there are upsides and downsides to this.

    Note: The path to webmail files has changed since 7.1.x, I still need to change this tip to reflect that.

    # /usr/local/psa/home/vhosts/webmail/horde/imp/config/conf.php

    /**
    ** Spam Reporting
    **/

    // Should we display a "report this message as spam" link in the
    // message view?
    $conf['spam']['reporting'] = true;

    // If so, should we report them via email?
    // No.. actually, don't send an email to the admin
    // $conf['spam']['email'] = 'postmaster@' . $GLOBALS['registry']->getParam('server_name');

    // Should we report them via an external program?
    $conf['spam']['program'] = '/usr/local/psa/spamassassin/bin/spamassassin -r';


    Move deleted messages (in webmail) to the trash folder, instead of leaving them in the inbox and just crossing them out (it looks messy)... we change the "value" from 0 to 1 here.

    Note: The path to webmail files has changed since 7.1.x, I still need to change this tip to reflect that.


    /usr/local/psa/home/vhosts/webmail/horde/imp/config/prefs.php

    // should we move messages to a trash folder instead of just marking
    // them as deleted?
    // a value of 0 = no, 1 = yes
    $_prefs['use_trash'] = array(
    'value' => 1,
    'locked' => false,
    'shared' => false,
    'type' => 'checkbox',
    'desc' => _("When deleting messages, move them to your Trash folder instead of marking them as deleted?")
    );

    FTP Connection Speed Tuning
    Initial FTP connections are extremely slow for many people, once again because by default, Plesk does a reverse-dns lookup on client IPs before connecting them. This is useless and makes your server look like it's running slow. To fix this:

    Edit the file:

    /usr/local/psa/ftpd/etc/proftpd.include

    ... and add the following lines to it:

    # start of proftpd.include. Do not include this line.

    IdentLookups off
    UseReverseDNS off
    Quotas on
    AllowStoreRestart on
    AllowRetrieveRestart on
    TimeoutNoTransfer 900
    TimeoutIdle 1800

    # end of proftpd.include. Do not include this line.

    Hide the "tmp, usr, lib, var" folders when logging in via ftp, so users don't try to delete them, and then call asking why they can't delete these "useless" folders (yeah I'm serious)

    # /usr/local/psa/ftpd/etc/proftpd.conf

    <Directory ~>
    HideGroup wheel
    </Directory>

    <Directory ~>
    HideNoAccess yes
    </Directory>

    Installing Plone/Zope on Plesk:

    Link

    Changing the page title for the login screen and within the control panel.

    cd /usr/local/psa/admin/htdocs/javascript
    cp common.js common.js.orig
    open common.js with your text editor and at the top of the page add this:
    document.title = '**WHAT EVER YOU WANT**';

    Save the file, browse to your control panel and the browsers title bar should now reflect what you wanted for the title.




    2 - "Changing password on this server"

    I like best to see "Changing password on domain.com", it can be done by replacing:

    $backends['poppassd'] = array(
    'name' => 'poppasswd server',

    with

    $domain = substr($_SERVER['SERVER_NAME'], 8);
    $backends['poppassd'] = array(
    // 'name' => 'poppasswd server',
    'name' => $domain,

    in the file ...horde/passwd/config/backends.php


    3 - Change the "Welcome to Horde" message at the login page to "Welcome to <domainname>"

    This can be done in the file .../imp/login.php

    By replacing $title = sprintf(_("Welcome to %s"), $registry->get('name', ($imp_auth) ? 'horde' : null));

    with:

    $domain = substr($_SERVER['SERVER_NAME'], 8);
    $title = sprintf(_("Welcome to %s"), $registry->get('name', ($imp_auth) ? 'horde' : null) . " - " . $domain);
     
  3. jshanley

    jshanley Guest

    0
     
    Continued...

    Installing mod_security

    Installing mod_security:

    The most recent PHP vulnerabilities scared me, so I decided it was time to install mod_security. Note that these are just "basic" rules; you may want to browse the rules here for a nice extensive list. Note that lots of mod_security rules may slow down your server. Also, some rules are duplicated here and in the other rulesets at the above link, so you'll want to clean them up before integrating them.

    # Credit for the original writeup goes to:
    # http://www.eth0.us/mod_security
    #
    # Some modifications for FreeBSD 5.x


    # http://www.modsecurity.org/download/index.html
    fetch http://www.modsecurity.org/download...he-1.9.1.tar.gz

    tar -zxvf modsecurity-apache-1.9.1.tar.gz
    cd modsecurity-apache-1.9.1/apache2
    /usr/local/psa/apache/bin/apxs -cia mod_security.c
    # Back up current config as "httpd.conf-2005-12-03" or whatever.
    cp /usr/local/psa/apache/conf/httpd.conf /usr/local/psa/apache/conf/httpd.conf-`date -j "+%Y-%m-%d"`

    pico /usr/local/psa/apache/conf/httpd.conf

    # At the end of all the other LoadModule lines, add:
    LoadModule security_module libexec/mod_security.so

    # At the bottom of your httpd.conf file, add:

    ####### MOD SECURITY RULES ##############
    <IfModule mod_security.c>
    # Turn the filtering engine On or Off
    SecFilterEngine On

    # Change Server: string
    SecServerSignature "Apache"


    # This setting should be set to On only if the Web site is
    # using the Unicode encoding. Otherwise it may interfere with
    # the normal Web site operation.
    SecFilterCheckUnicodeEncoding Off

    # The audit engine works independently and
    # can be turned On or Off on the per-server or
    # on the per-directory basis. "On" will log everything,
    # "DynamicOrRelevant" will log dynamic requests or violations,
    # and "RelevantOnly" will only log policy violations
    SecAuditEngine RelevantOnly

    # The name of the audit log file
    SecAuditLog logs/audit_log

    # Should mod_security inspect POST payloads
    SecFilterScanPOST On

    # Action to take by default
    SecFilterDefaultAction "deny,log,status:403"

    ## ## ## ## ## ## ## ## ## ##
    ## ## ## ## ## ## ## ## ## ##

    # Require HTTP_USER_AGENT and HTTP_HOST in all requests
    # SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

    # Require Content-Length to be provided with
    # every POST request
    SecFilterSelective REQUEST_METHOD "^POST$" chain
    SecFilterSelective HTTP_Content-Length "^$"

    # Don't accept transfer encodings we know we don't handle
    # (and you don't need it anyway)
    SecFilterSelective HTTP_Transfer-Encoding "!^$"

    # Protecting from XSS attacks through the PHP session cookie
    SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
    SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"

    SecFilter "viewtopic\.php\?" chain
    SecFilter "chr\(([0-9]{1,3})\)" "deny,log"

    # Block various methods of downloading files to a server
    SecFilterSelective THE_REQUEST "wget "
    SecFilterSelective THE_REQUEST "lynx "
    SecFilterSelective THE_REQUEST "scp "
    SecFilterSelective THE_REQUEST "ftp "
    SecFilterSelective THE_REQUEST "cvs "
    SecFilterSelective THE_REQUEST "rcp "
    SecFilterSelective THE_REQUEST "curl "
    SecFilterSelective THE_REQUEST "telnet "
    SecFilterSelective THE_REQUEST "ssh "
    SecFilterSelective THE_REQUEST "echo "
    SecFilterSelective THE_REQUEST "links -dump "
    SecFilterSelective THE_REQUEST "links -dump-charset "
    SecFilterSelective THE_REQUEST "links -dump-width "
    SecFilterSelective THE_REQUEST "links http:// "
    SecFilterSelective THE_REQUEST "links ftp:// "
    SecFilterSelective THE_REQUEST "links -source "
    SecFilterSelective THE_REQUEST "mkdir "
    SecFilterSelective THE_REQUEST "cd /tmp "
    SecFilterSelective THE_REQUEST "cd /var/tmp "
    SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
    SecFilterSelective THE_REQUEST "/config.php?v=1&DIR "
    SecFilterSelective THE_REQUEST "/../../ "
    SecFilterSelective THE_REQUEST "&highlight=%2527%252E "
    SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F.php "
    SecFilterSelective THE_REQUEST "arta\.zip "
    SecFilterSelective THE_REQUEST "cmd=cd\x20/var "
    SecFilterSelective THE_REQUEST "HCL_path=http "
    SecFilterSelective THE_REQUEST "clamav-partial "
    SecFilterSelective THE_REQUEST "vi\.recover "
    SecFilterSelective THE_REQUEST "netenberg "
    SecFilterSelective THE_REQUEST "psybnc "
    SecFilterSelective THE_REQUEST "fantastico_de_luxe "
    #Block BCC/PHP Spam
    SecFilterSelective THE_REQUEST "bcc:|Bcc:|BCc:|BCC:|bCc:|bCC:|bcC:|BcC:"
    # WEB-PHP phpbb quick-reply.php arbitrary command attempt
    SecFilterSelective THE_REQUEST "/quick-reply\.php" chain
    SecFilter "phpbb_root_path="
    </IfModule>

    ####### END MOD SECURITY RULES ##############
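
Substring rules like these are worth running against known-good traffic before `SecFilterEngine On` goes live. The script below is an added example, not part of the original post or of mod_security: it is a simplified model that applies a subset of the post's THE_REQUEST patterns as POSIX extended regexes to already URL-decoded request lines. The function names `blocking_rule` and `false_positives` are hypothetical and the request lines are constructed.

```shell
#!/bin/sh
# Added example: find legitimate requests that the rules above would reject.

# blocking_rule REQUEST_LINE: print the first pattern that matches and
# return 0; return 1 when the request would pass every modelled rule.
blocking_rule() {
    req=$1
    for pat in 'wget ' 'curl ' 'echo ' 'ssh ' 'ftp ' 'mkdir ' 'cd /tmp ' \
               '/../../ ' 'psybnc ' 'bcc:|Bcc:|BCc:|BCC:|bCc:|bCC:|bcC:|BcC:'
    do
        if printf '%s\n' "$req" | grep -Eq -e "$pat"; then
            printf '%s\n' "$pat"
            return 0
        fi
    done
    # Chained pair from the post: both patterns must match to deny.
    if printf '%s\n' "$req" | grep -Eq -e '/quick-reply\.php' &&
       printf '%s\n' "$req" | grep -Eq -e 'phpbb_root_path='; then
        printf '%s\n' '/quick-reply\.php chain phpbb_root_path='
        return 0
    fi
    return 1
}

# false_positives FILE: FILE holds one known-good request line per line;
# print each line that would be denied, with the pattern responsible.
false_positives() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if rule=$(blocking_rule "$line"); then
            printf '%s\t<= "%s"\n' "$line" "$rule"
        fi
    done < "$1"
}

# Demo: constructed request lines a normal site could receive.
good=$(mktemp)
cat > "$good" <<'EOF'
GET /index.php HTTP/1.1
GET /en/us/ HTTP/1.1
GET /search?q=echo chamber HTTP/1.1
GET /docs/sftp setup.html HTTP/1.1
EOF
false_positives "$good"
rm -f "$good"
```

In this model `/en/us/` is denied because the unescaped dots in `"/../../ "` match any character, so the rule fires on any path ending in two two-character directories; feeding real access-log lines through the same check shows which rules need escaping or narrowing.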
     
  4. jshanley

    jshanley Guest

    0
     
    Upgrading to 7.5.4

    Upgrading to 7.5.4 Tips

    1) Update your ports tree.
    2) Install Perl 5.8.7 (required for Plesk 7.5.4):

    cd /usr/ports/lang/perl5.8 && make && make deinstall && make install

    3) Install needed Perl modules.

    # cpan
    <run through cpan configuration>

    Here's a list that I use; some are used by SpamAssassin, some are used by others. Note: Text::Iconv is a -new- requirement for Plesk when using Perl 5.8.7

    (from the CPAN command line):

    cpan> install Getopt::Long File::Copy Digest::Nilsimsa URI::Escape Net::Ping Digest::MD5 Digest::SHA1 Digest::HMAC HTML::Parser HTML::Tagset IO::Stringy MIME::Base64 Mail::Internet MIME::Entity Net::DNS Time::HiRes Mail::Audit Mail::POP3Client Cwd File::Spec DB_File Term::ANSIColor Pod::Man Digest::BubbleBabble ExtUtils::MakeMaker Pod::Usage Net::SMTP Net::Ident Text::Iconv

    4) Backup your Plesk installation.

    5) Download Plesk 7.5.4 and install it FROM THE COMMANDLINE (not through the web interface).

    6) Download and re-install the ioncube loaders IF you use any 3rd party products that require it (like the 4PSA products); the Plesk upgrade will remove the zend_encoder = <blah> line that used to be there.. PHP versions have changed, which is another reason to update the ioncube loader(s).

    7) Check to see if syslogd is still running; when I upgraded, Plesk had killed it - so SpamAssassin wouldn't actually start. They may have fixed this bug by now. Anyway, if it's not running, restart it. Both times I did the upgrade on FreeBSD 5.3, it did NOT restart syslogd. You can tell because during the last part of the install, you'll see something like this:

    Plesk: Apache server has been started
    Plesk: Qmail has been started
    psa: Courier-IMAP server has been started
    Plesk: pgsql has been started

    unix dgram connect: No such file or directory at /usr/local/psa/spamassassin/bin/spamd line 310
    unix dgram connect: No such file or directory at /usr/local/psa/spamassassin/bin/spamd line 310
    Plesk: SpamAssassin has been started


    In reality, spamassassin was not started, because it couldn't open the logfile, because syslogd was not running.

    Restart syslogd with:

    # /usr/sbin/syslogd -ss

    .. and then restart plesk

    # /usr/local/psa/rc.d/psa restart

    8) If necessary, restart the machine.

    If you find any problems/bugs with the Plesk 7.5.4 update, it'd be good to post them here to make them easy to find.
     
  5. jshanley

    jshanley Guest

    0
     
    Permissions Issues

    BUG: Plesk has insufficient maximum mysql connections for mchk on Plesk 7.5.4 / FreeBSD, so sometimes (depending on the number of domains/mailboxes), running mchk will produce a "too many connections" error and quit.

    FIX: Run mchk in daemon mode, or create /usr/local/psa/mysql/var/my.cnf and increase the maximum connections in the config file. An example of my.cnf would be:

     
  6. jshanley

    jshanley Guest

    0
     
    MailMan

    BUG: The Mailman web interface doesn't work after doing a restore. I don't know if the bug is there in 7.5.4 stock, or if it only came up after I did the restore - but either way ... if you can't get to your mailing list web interface on FreeBSD, do these two things:

    # chmod +x /usr/local/psa/mailman/cron/*
    # /usr/local/psa/mailman/bin/check_perms -f

    Kinda funny that their check_perms script DOESN'T notice that all the files in the cron folder are not executable, but whatever. heh.
     
  7. jest3r_fbsd

    jest3r_fbsd Guest

    0
     
    has anyone here upgraded to PHP5 successfully with FreeBSD?
     
  8. DCNet_James

    DCNet_James Guest

    0
     
    I've included this entire thread and started a forum for FreeBSD and Plesk on my own board so I can go back to my fixes as well as other peoples'. Of course I gave full credit to you as well as a link to this post for reposting on my forum.

    http://noc.secondcitytech.com/

    Thx
    James
     
  9. geeza@

    geeza@ Basic Pleskian

    24
    23%
    Joined:
    Sep 1, 2005
    Messages:
    77
    Likes Received:
    0
    Firstly, hats off to jshanley for creating such a useful thread :D. Secondly, does anyone have any experience of doing a buildworld after Plesk is installed? Is it possible to keep up with the latest 5.3 Release patches using buildworld without breaking Plesk?
     
  10. Artur

    Artur Guest

    0
     
    bump? buildworld?
     
  11. steve0

    steve0 Guest

    0
     
    You're better off to use freebsd-update instead, it gives you the patches without needing buildworld . .

    If plesk breaks because of a security patch you can undo your changes easily with "freebsd-update rollback"

    You can also add a cron job to run it during the night and inform you of any new patches etc. on a daily basis, . . you can see exactly what is breaking Plesk and take appropriate measures.

    Buildworld breaks plesk sometimes, but once is enough - and you can't undo it.

    Just my opinion :)
     
  12. geeza@

    geeza@ Basic Pleskian

    24
    23%
    Joined:
    Sep 1, 2005
    Messages:
    77
    Likes Received:
    0
    Thanks very much Steve I'll have a look at freebsd-update :).
     
  13. Artur

    Artur Guest

    0
     
    excellent thread, thank you!
     
  14. VIB-host

    VIB-host Guest

    0
     
    Re: Continued...

    DO NOT USE modsecurity-apache_2.1.0 IT WILL FAIL YOUR PLESK TO START
     
  15. DCNet_James

    DCNet_James Guest

    0
     
    DST 2007 Update script

    If you're running FBSD prior to 5.5 or 6.2, the DST update is pretty easy, but if you haven't done it yet, here is a script that will take care of it for you...

    http://marcus.digitalchicago.net/~jrprice/development/shell-util/dst2007/update_dst.sh

    It will download the latest zoneinfo, run tzsetup, and then sync to time.nist.gov.

    This is set up for North American users. For other countries you may need to modify the country in the script.

    Thanks,
    James
     