Category Archives: Plesk

Issue with horde in Plesk : Attachments not going through !

Once the Plesk panel gets updated to 11.5.x , the horde gets an upgrade as well : to horde 5.

On horde 5, there might be a weird issue in which mails would be sent out fine,  but any attachments would not be. You will not see any errors or warnings, however, the attachments will not be received at the other end.

The issue was , the temporary directory of horde had the wrong ownership of apache:apache. Change this to horde_sysuser:horde_sysgroup and things will be fine.

First check the location of temporary horde directory :

# grep -i tmpdir  /usr/share/psa-horde/config/conf.php

Most of the cases, it should be /tmp ( the default value )

# ls -la /tmp/ | grep .horde

Find the ownership of .horde and check if its apache:apache

Change it to :

# chown -R horde_sysuser:horde_sysgroup /tmp/.horde/
This should solve the problem with attachments !

 

 

Unable to retrieve license keys in Plesk ?

When trying to retrieve license keys from Plesk panel, are you getting an error :

Licensing Server Unreachable: Unable to connect with licensing server.
Please make sure that your network allows communication to ka.parallels.com:5224.

Login to your server via SSH and check if connections are getting through to the Plesk license server :

# telnet ka.parallels.com 5224
Trying 195.214.233.80...

If it is not getting connected, allow the IP ‘195.214.233.80’ in the server firewall.

# csf -a 195.214.233.80
Adding 195.214.233.80 to csf.allow and iptables ACCEPT...

# telnet ka.parallels.com 5224
Trying 195.214.233.80...
Connected to ka.parallels.com.
Escape character is '^]'.
Connection closed by foreign host.

Once this is done, you can try retrieving the license keys from Plesk.

 

Unable to upgrade Plesk from 11.5.x ?

When trying to run an upgrade from Plesk panel or via scripts from the back-end, does this process gets halt due to the error given below ?

Tpsa-proftpd-1.3.5-6.el5.art.x86_64.rpm | 1.7 MB 00:00 warning: xxxx: Header V3 RSA/SHA1 signature: NOKEY, key ID xxxxxx

Fatal error during packages installation: Public key for psa-proftpd-xinetd-1.3.5-6.el5.art.x86_64.rpm is not installed. YumBaseError: Public key for psa-proftpd-xinetd-1.3.5-6.el5.art.x86_64.rpm is not installed ERROR: Failed to run the Yum utility. The Yum utility failed to install the required packages.
Attention! Your software might be inoperable.
Please, contact product technical support.

The upgrade tool is not able to verify the public key for a package. This is mostly due to the outdated version of the repo which provides the package. In this case upgrading the atomic-release will do the job for you.

# yum upgrade atomic-release

Once this is done, re-run the upgrade !

 

Qmail failing to restart !

When trying to restart Qmail are you getting the failure message ?

Check for the mailogs to see if you can spot something. If you are on a plesk server, you can find the logs at /usr/local/psa/var/log/maillog

Do you find an error like :

==================

Date host qmail: xxxxx alert: cannot start: unable to open mutex

Date host qmail: xxxxx alert: cannot start: unable to open mutex

==================

This can happen when you manually try to delete the qmail queue and you might just happen to delete a file from /var/qmail/queue folder. To solve this error, do the following :

# touch /var/qmail/queue/lock/sendmutex
# chown qmails:qmail /var/qmail/queue/lock/sendmutex

Once this is done, restart qmail as

# /etc/init.d/qmail start

Tracking down spamming in Plesk – 2

This post will help you to track down spamming from a Plesk server, if its employed using PHP scripts in any of the domains.

– Use this one to view the folders which have mail PHP scripts enabled and running.

# vi /var/qmail/bin/sendmail-wrapper

#!/bin/sh
(echo X-Additional-Header: $PWD ;cat) | tee -a /var/tmp/mail.send|/var/qmail/bin/sendmail-qmail "$@"

# touch /var/tmp/mail.send
# chmod a+rw /var/tmp/mail.send
# chmod a+x /var/qmail/bin/sendmail-wrapper
# mv /var/qmail/bin/sendmail /var/qmail/bin/sendmail-qmail
# ln -s /var/qmail/bin/sendmail-wrapper /var/qmail/bin/sendmail

– Wait for at some time and then change sendmail back:

# rm -f /var/qmail/bin/sendmail
# mv /var/qmail/bin/sendmail-qmail /var/qmail/bin/sendmail

Once this is completed, run the following command, which will show you all the folders from where mail PHP scripts were run :

# grep X-Additional /var/tmp/mail.send | grep `cat /etc/psa/psa.conf | grep HTTPD_VHOSTS_D | sed -e 's/HTTPD_VHOSTS_D//' `

– If your PHP version is greater than 5.3, you can also consider about enabling extended logging which will help to add a header to all outgoing email and that will help you to track the location of the script which is involved in spamming.

Add the following line to your php.ini file :

mail.add_x_header = On

– Check out the headers ( check this post know about finding the headers from the queue ) and spot the script involved.

 

Tracking down spamming in Plesk – 1

Finding the source of spamming in a server provisioned with Plesk is a tough job.

Some of the useful commands which might help you are given down.

  • Find the number of mails hung in the queue :

# /var/qmail/bin/qmail-qstat

  • To get an idea about the the message headers of mails in queue :

# /var/qmail/bin/qmail-qread

The above one shows the senders and recipients of messages. Now try to find this message in the queue by its ID

# find /var/qmail/queue/mess/ -name XXXXXX ( <- Message ID )

cat the o/p file of the above command and inspect the message headers closely.

Examine the message and find the line “Received” to find out from where it was sent for the first time.

For example, if you find:

1-> Received: (qmail 19514 invoked by uid xxxx ); 13 Sep 2005 17:48:22 +0700

It means that this message was sent via a CGI by user with UID xxxx . Using this UID, it is possible to find the domain:

# grep xxxx /etc/passwd

2-> Received: (qmail 19622 invoked from network); date/time
Received: from external_domain.com (xx.xx.xx.xx)

It means that the message has been accepted and delivered via SMTP, and that the sender is an authorized mail user. This might mean that the password of the email account has been compromised.

You can use the following command to find the users which have attempted to login via authentication. If you find lots of authentication attempts to a particular user/from a particular IP, then it might be the vulnerability present in your server.

# cat /usr/local/psa/var/log/maillog |grep -I smtp_auth |grep -I user

Also, when you check the headers of the mail in the queue, if you find that the mails are received from a particular IP address, like :

Received: (qmail 10728 invoked from network); date

Received: from unknown (HELO User) (xx.xx.xx.xx)

by domain.com with SMTP ; date

We can use the tool tcpdump to find out what is being communicated over the network from/to the IP in question :

# tcpdump -i venet0:0 -n src xx.xx.xx.xx \or dst xx.xx.xx.xx -s 2048 -w /home/wiresharklog.pcap

– Replace  venet0:0 with your appropriate interface

– Replace xx.xx.xx.xx with the IP in question.

You will obtain the logs in /home/wiresharklog.pcap. Open this pcap file using wireshark ( or any related softwares ) and have a glance through the ‘Statistics -> Flow graph’ . Check this if you can spot the connections/packets being sent over.

3-> If the “Received” line contains a UID of the user “apache” (for example, invoked by UID 48), it means that spam was sent through a PHP script. Find this post useful for dealing with this.

There is another case of spamming which has been noticed.

– When checking the qmail maillogs (usr/local/psa/var/log/maillog) :

date  xxxx smtp_auth: SMTP connect from (null)@(null) [xx.xx.xx.xx]
date  xxxx smtp_auth: smtp_auth: SMTP user xxxxx: logged in from (null)@(null) [xx.xx.xx.xx]

We can see that spamming is being done by brute forcing Plesk
email passwords and then authenticating using base 64 encoding on the username.

The built in qmail logging cannot handle this encoding and as a result the logs will just show (null) instead of the username used. This is applicable for servers running on older versions of Plesk.

The solution would be to upgrade Plesk to a more stable version.

Note : You can also check if there are any email accounts within your hosting environments which uses the mail name ‘test’. Around 90% of the accounts created as test are employed with weak passwords which make it easier for hackers to brute-force attack them.

Use this query to find if any such ones are there :

# mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa

# SELECT m.mail_name, d.name FROM mail AS m LEFT JOIN (domains AS d, accounts AS a) ON (m.dom_id = d.id AND m.account_id = a.id) WHERE m.mail_name='test' ;

Hope this was helpful 🙂

Clear Qmail queue – Plesk

In order to clear the Qmail queue, initiate the following commands from shell :

# service qmail stop
# find /var/qmail/queue/mess -type f -exec rm {} \;
# find /var/qmail/queue/info -type f -exec rm {} \;
# find /var/qmail/queue/local -type f -exec rm {} \;
# find /var/qmail/queue/intd -type f -exec rm {} \;
# find /var/qmail/queue/todo -type f -exec rm {} \;
# find /var/qmail/queue/remote -type f -exec rm {} \;
# service qmail start

Another easy way to remove the mails from queue is by initiating :

/usr/local/psa/admin/sbin/mailqueuemng -D

Named not starting in Plesk !

When trying to restart named, you get an error stating that some parameter is not given correctly in a zone file.

It would be a reverse PTR zone file with name something like this:
x.x.x.in-addr.arpa.

Open the zone file using vim , like :

# vim /var/named/run-root/var/xx.xx.xx.in-addr.arpa.db

When you check the file, you can see a mis-configuration in a particular line when compared with other lines. You can easily spot that with your naked eye.

Edit that misconfigured line (check how other lines are written ) and save it and restart named service.

This is a bug which is seen in older versions of Plesk.

Plesk upgrade – CentOS 5, 64 bit !

– Plesk can be upgraded upto version 9.5.4 either from Plesk control
Panel or by using the following script :

# /usr/local/psa/admin/bin/autoinstaller

– Till this version, its pretty straightforward.

– But when trying to upgrade to a version higher with a PHP
version < 5.3, you will face issues.

— We are now trying to Upgrade Plesk using the stock CentOS repo’s and do not depend on any 3rd Party repo’s including the trusted atomic.

— From the version 9.5.4, do an installation again, selecting the
same version number (9.5.4)

# /usr/local/psa/admin/bin/autoinstaller

# After selecting the version from the installation menu, you will find
such a screen in the next page :

==========================

Please select the components of Parallels Plesk Panel you want to install:

Different PHP interpreter versions
14. (*) PHP5 support
15. ( ) PHP5.3 support

==========================

— From this select ’15. ( ) PHP5.3 support’ and proceed with the installation.

— At the end of this installation, you will get Plesk 9.5.4 with PHP
5.3 support, which means you will have the PHP required to upgrade
to the next level, without any further repo’s.

— Although this is the case, when you try to check the PHP version,
you will get something like this :

PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib64/php/
modules/sqlite.so' - /usr/lib64/php/modules /sqlite.so: cannot open shared
object file: No such file or directory in Unknown on line 0

— Ignore this error for the moment.

— Upgrade Plesk to 11.5 using the auto-installer.

— There should not be errors ( in usual cases), other than the license
error which can be ignored.

— Once Upgrade is completed, we will have to fix the issue with sqlite.so.

— # yum list php*sqlite*

— This is actually a bug in Plesk that this module comes with the
32-bit arch, even if the CentOS arch is 64-bit and all other modules
are installed as 64 bit.

— To get around this, remove the rpm ‘php53-sqlite2’ and install
a 64-bit arch one from RHEL/CentOS.

— Remove it using the command,

# rpm -e --nodeps php53-sqlite2 ( Dont remove using YUM or
without ‘–nodeps’ option )

— Download and install the 64bit arch package

# wget http://plesk-autoinstall.mirror.serverloft.eu/PSA_10.1.1/
dist-rpm-RedHat-el5-x86_64/opt/php53/php53-sqlite2-5.3.2-11011812.x86_64.rpm

— Run the following command to install the Package :

# rpm -i php53-sqlite2-5.3.2-11011812.x86_64.rpm

— Check php -v and ensure things are fine.