Full Version: New Server 4.0.3 Checklist & Server Set Up
The Planet Forums > Control Panels > Ensim > Ensim HOWTOs
skeeter1jd
So you leased an Ensim/RHEL3 server and need to figure out what to do next? Log into your EV1 customer support area and submit a TT (Trouble Ticket) to have up2date registered on your system. While you are there, submit a TT requesting your "bank" of 7 IP addresses. When they email you back that those are completed and you have that information in hand, you can continue. First I have to tell you that EV1 has various images that they use to make servers. I guess what image YOU get depends solely on which tech did the image, or it might be a license thing. So let's get started.

1. Document everything - Get a spiral notebook for notes and RECORD EVERYTHING YOU DO! I use a Windows utility called notekeeper (freeware) for this purpose. You can download it from here: http://www.customensimbackup.com/download/...0.9-install.exe. You can add notes and folders, encrypt and password-protect them, and most importantly copy and paste the commands and codes that you find along the way as a webhosting admin.

2. Accessing the server - Download and install a Windows SSH client program if you haven't done so already. I use the F-Secure SSH Windows client, but at $150 a copy you might want to use PuTTY, which is free. You can download PuTTY here: http://www.chiark.greenend.org.uk/~sgtatham/putty/. Your "root" password is the same as the "admin" password that they gave you for your control panel.

3. Preliminary server setup - You already gave EV1 a domain name when signing up, or registered one. My IP address "bank" that I was given was "10.0.0.1 thru 10.0.0.7". So (for example) write down:
domain name I submitted: pigglypokes.com
decided server hostname: srvr01.pigglypokes.com
srvr01.pigglypokes.com: 10.0.0.1
ns1.pigglypokes.com: 10.0.0.1
ns2.pigglypokes.com: 10.0.0.2
pigglypokes.com: 10.0.0.2

4. Update your dns records - Log into your control center for EV1 and edit / add / remove your dns records to reflect these changes and match what you wrote down.

5. Configuring the server - Log into your server as root via SSH. Unlike Windows, Linux is case sensitive. ALWAYS remember that. If you can't log in as root, submit a TT to EV1. Now type:
CODE
cat /usr/lib/opcenter/VERSION

Write down the version you have. It should say "4.0.0", "4.0.1", "4.0.2" or "4.0.3". Versions 4.0.1 and above can upgrade directly to 4.0.3; 4.0.0 will have to upgrade to 4.0.1 or 4.0.2 first. Next we need to get the server name right. Type:
CODE
wget http://www.customensimbackup.com/download/hostname.sh

chmod 700 hostname.sh

./hostname.sh

Answer the questions. You have all the information, so there shouldn't be any issues with this phase. You're setting the hostname and master IP address for srvr01.pigglypokes.com: "10.0.0.1". When you have completed that, log into your control panel.
- Click site manager on the left, and select add ip based site.
- Add "pigglypokes.com" with IP address "10.0.0.2". Select all the options you want, or unselect the ones that you don't. You can always change this later so it's not "mission critical". The goal is to get it created.
- Select dns on the left, and then zones at the top.
- Click on the zone for "pigglypokes.com".
- Add an "A" record: "ns1.pigglypokes.com => 10.0.0.1". Ignore any error messages unless one says it "failed" for some reason.
- Add another "A" record: "ns2.pigglypokes.com => 10.0.0.2".
- Add a "NS" record: "pigglypokes.com => ns1.pigglypokes.com".
- Add another "NS" record: "pigglypokes.com => ns2.pigglypokes.com".
- Click on configure at the top.
- Edit the master nameserver to point to ns1.pigglypokes.com.
- Click on virtual nameserver and add ns2.pigglypokes.com with IP address of 10.0.0.2.
Go back to the SSH window and type:
CODE
reboot

exit

6. Letting the world know - Go to your registrar and "register" your nameservers. Each registrar has its own method, and their customer support team can assist you if you can't figure it out. Call them if you must! Now submit a TT for reverse DNS entries for NS1.pigglypokes.com and NS2.pigglypokes.com pointing to those IP addies that you decided on. That way certain mail servers won't reject mail from your machine.

Your server is properly configured and ready for domain names, etc. It will take a day or so for all the changes to be seen worldwide, but for the most part things should start working, because you've been working at this for a while. To get to various places:
- http://srvr01.pigglypokes.com/admin will take you to your control panel admin / reseller login window.
- http://www.pigglypokes.com/admin will take you to your site's control panel.
When you can do that, then you know that it's being seen properly.

To upgrade 4.0.0 to 4.0.1 see case information at: http://kbold.ensim.com/TWKB/ViewCase.asp?QSRuleID=975
and then type:
CODE
wget ftp://ftp.ensim.com/download/pro/linux/4.0.1_RHEL/ensim-installer.sh

To upgrade to 4.0.3 from 4.0.1 or 4.0.2 see case information at: http://onlinesupport.ensim.com/TWKB/ViewCa...nowledgeID=1944
You will need to do a few things first. Type
CODE
up2date -uf

and let it install all the updates. Do not reboot. Do not run:
CODE
/usr/local/sbin/set_pre_maintenance

/usr/local/sbin/set_maintenance

/usr/local/sbin/set_post_maintenance

/sbin/service webppliance restart

Now download the installer and run the upgrade.
CODE
wget ftp://ftp.ensim.com/apt/ensim/LWP/4.0.3/22.rhel.3ES/tools/ensim-installer.sh

Side note: Some folks have had problems during the upgrade(s) with a failed tomcat dependency.
If you do,
CODE
wget ftp://ensimwpl:ensim94089@ftp2.ensim.com/apt/ensim/LWP/4.0.2/7.rhel/RPMS.lwp/j2sdk-2000:1.4.2_05-fcs.i586.rpm

rpm -Uvh j2sdk*.rpm

rm -f j2sdk*.rpm

cd /usr/java

ln -s j2sdk1.4.2_05 j2sdk1.4.2

service tomcat4 start

service tomcat4 stop

Ok. Upgrade completed? Now type
CODE
reboot

exit


Now install a firewall. I would suggest reading this wonderful thread. Special thanks go to Steve for his contributions. http://forums.ev1servers.net/showthread.ph...&highlight=kiss

To keep the server's time accurate, see this thread: http://forums.ev1servers.net/showthread.php?t=54129

For a backup script, see this thread: http://forums.ev1servers.net/showthread.php?t=53966

Reducing spam
Download the attachment located below. Upload it to your server.
CODE
mv /usr/lib/opcenter/sendmail/install/sendmail.mc /usr/lib/opcenter/sendmail/install/sendmail.mc.original

mv sendmail_mc.txt /usr/lib/opcenter/sendmail/install/sendmail.mc

service sendmail stop

service sendmail stop   # run it twice, just to be sure it's stopped

cd /usr/lib/opcenter/sendmail/install

m4 sendmail.mc > /etc/mail/sendmail.cf

service sendmail start


More to come as I get time to edit this. (check back often)
things to come:

install ioncube loader
install zend optimizer
making php settings user friendly
virtual cron
breaking catch-alls
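An added example (editor's Python, not code from skeeter1jd's post or from Ensim) that turns the "write it down" table from step 3 into something checkable: it verifies the plan against the leased bank, renders the zone that steps 4 and 5 should leave behind, and lists the PTR owner names for the reverse-DNS ticket in step 6. PLAN and BANK reuse the author's placeholder values; the consistency rules, the hostmaster mailbox and the SOA timers are the editor's assumptions, not something the post states.

```python
"""Consistency check and BIND zone for the name plan in step 3.

Added example, not part of the original post. PLAN mirrors the author's
pigglypokes.com table and BANK the "10.0.0.1 thru 10.0.0.7" bank. The
rules enforced (every NS name needs an A record in the zone so glue can
be registered, every address must come from the leased bank, ns1 and
ns2 should not share an address) are the editor's, as are the
hostmaster mailbox and the SOA timers.
"""
import ipaddress

PLAN = {
    "domain": "pigglypokes.com",
    "hostname": "srvr01.pigglypokes.com",
    "a": {
        "srvr01.pigglypokes.com": "10.0.0.1",
        "ns1.pigglypokes.com": "10.0.0.1",
        "ns2.pigglypokes.com": "10.0.0.2",
        "pigglypokes.com": "10.0.0.2",
    },
    "ns": ["ns1.pigglypokes.com", "ns2.pigglypokes.com"],
}
# The leased bank of seven addresses, 10.0.0.1 through 10.0.0.7.
BANK = [str(ipaddress.ip_address("10.0.0.1") + i) for i in range(7)]


def in_zone(name, domain):
    return name == domain or name.endswith("." + domain)


def check_plan(plan, bank):
    """Return a list of problems; an empty list means the plan is usable."""
    problems = []
    domain = plan["domain"]
    for name, ip in plan["a"].items():
        if ip not in bank:
            problems.append(f"{name} -> {ip}: address is not in the leased bank")
        if not in_zone(name, domain):
            problems.append(f"{name}: not inside the zone {domain}")
    for ns in plan["ns"]:
        if ns not in plan["a"]:
            problems.append(f"{ns}: nameserver has no A record, so no glue can be registered")
    ns_ips = [plan["a"].get(ns) for ns in plan["ns"]]
    if len(set(ns_ips)) < len(ns_ips):
        problems.append("ns1/ns2 share one address; one outage takes the whole zone down")
    if plan["hostname"] not in plan["a"]:
        problems.append(f"{plan['hostname']}: server hostname has no A record")
    return problems


def build_zone(plan, serial, ttl=86400):
    """Render the zone the control panel should end up with after step 5."""
    domain = plan["domain"]
    origin = domain + "."
    lines = [
        f"$ORIGIN {origin}",
        f"$TTL {ttl}",
        # MNAME is the master nameserver set in step 5; RNAME is an assumed mailbox.
        f"@ IN SOA {plan['ns'][0]}. hostmaster.{origin} ( {serial} 900 900 1209600 86400 )",
    ]
    lines += [f"@ IN NS {ns}." for ns in plan["ns"]]
    for name, ip in sorted(plan["a"].items()):
        label = "@" if name == domain else name[: -len(domain) - 1]
        lines.append(f"{label} IN A {ip}")
    return "\n".join(lines) + "\n"


def reverse_dns_request(plan):
    """Names for the reverse-DNS ticket in step 6, mapped to the PTR owner
    name the provider has to create for each nameserver address."""
    return {ns: ipaddress.ip_address(plan["a"][ns]).reverse_pointer
            for ns in plan["ns"]}


if __name__ == "__main__":
    for problem in check_plan(PLAN, BANK):
        print("PROBLEM:", problem)
    print(build_zone(PLAN, serial=2007090801))
    print(reverse_dns_request(PLAN))
```

Run it and fix anything check_plan reports before touching the control panel; the rendered zone is what the panel's DNS > zones page should show once the A and NS records from step 5 are in, and the PTR names are what the reverse-DNS ticket should ask for.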
Gary Simat
nice start but are you going to add some security for these folks
skeeter1jd
There will be additions to this. Kind of petered out after all the typing. Feel free to make suggestions, link references, etc. We can get those added in.
pwheat
Having all kinds of trouble with "new and improved" spam controls on Ensim 4.0.3.

My old Celery Ron system was much more effective than the new Xeon super-duper server at assassinating spam.

Attempts to rectify the situation have caused more problems.

see this post

http://forum.ev1servers.net/showthread.php?t=53745

for details.
calvi
skeeter1jd,

Thanks for publishing your helpful instructions.

There are many differences between your sendmail.mc and the one on my 4.0.3 server, so would you mind explaining the changes you have made?

Thanks!
skeeter1jd
Not at all.

First I did a clean install of Ensim as per their instructions. I then took their original sendmail.mc file and added the following lines:

CODE
define(`confDOUBLE_BOUNCE_ADDRESS', `dev-null')dnl

FEATURE(`dnsbl',`dnsbl.njabl.org',`"550 Mail from " $&{client_addr} " rejected - see http://njabl.org/"')dnl

FEATURE(`dnsbl', `list.dsbl.org', `"550 Mail from " $`'&{client_addr} " refused - see http://dsbl.org/"')dnl

FEATURE(`dnsbl', `bl.spamcop.net', `"550 Mail from " $`'&{client_addr} " refused - see http://spamcop.net/bl.shtml"')dnl

FEATURE(`dnsbl', `blackholes.easynet.nl', `"550 Mail from " $`'&{client_addr} " refused - see http://abuse.easynet.nl/blackholes.html"')dnl

FEATURE(`dnsbl', `blackholes.mail-abuse.org', `"550 Mail from " $`'&{client_addr} " refused - see http://mail-abuse.org/"')dnl

FEATURE(`dnsbl', `sbl.spamhaus.org', `"550 Mail from " $`'&{client_addr} " refused - see http://www.spamhaus.org/SBL/"')dnl

FEATURE(`dnsbl', `xbl.spamhaus.org', `"550 Mail from " $`'&{client_addr} " refused - see http://www.spamhaus.org/xbl/"')dnl

FEATURE(`dnsbl', `relays.ordb.org', `"550 Mail from " $`'&{client_addr} " refused - see http://www.ordb.org/faq/#why_rejected"')dnl


MailScanner was originally designed to scan for viruses. In that capacity it takes very little memory to run. The spam checks and spamassassin checks came later, turning it into quite the memory hog.

My additions make sendmail check to see if the sender is blackballed somewhere as a spammer, and if clean pass that mail to MailScanner. MailScanner then checks for viruses, and if configured then runs spamassassin. This setup has been tested on mail systems at an ISP running about 1k pieces of mail an hour, and nobody even notices. Well, the spammers do. It won't catch all spam, especially if someone's email addie made it to "their list". Nothing can. But it will put the majority of it back in its can ... that's for sure.

This concept has been around for a long time, and yea...sometimes the process isn't quite explained.
calvi
Thanks skeeter1jd! That makes it much easier than trying to pick the bones out of a diff between your sendmail.mc and mine.
imagenooker
I just installed those sendmail mods today. ... Then I went to send an email.

*I* was rejected. :confused:

njabl.org lists all dynamic IPs. Of course, I connect to the net with dsl, and a dynamic IP. and many of my customers connect with a dynamic IP, and I obviously can't reject them.

Can I comment out njabl from the list in the sendmail.mc file, and then follow the rest of the instructions to have everything else? See, I tried this, and it still rejects the email attempt citing njabl.org, so I'm wondering if I'm missing a step?

edit: ok, I removed the line and tried again. seems to work now. not understanding the format of the mc file, I suppose the comment thang was not right.
skeeter1jd
sendmail requires authentication first. Turn that checkbox on in Outlook or OE to authenticate to the server before sending.
imagenooker
thanks for your input!

I don't use OE, and know that of course. I went back and edited the post. I had to remove the FEATURE with njabl.

I should fill in some more facts. The error said my IP wasn't authorized. It referred me to http://njabl.org. I went there, entered my IP, and it confirmed that it knew it was dynamic, that it was in the list, and that it was NEVER going to leave their list! (pushy dudes!)

So I removed the line that reads FEATURE('dnsbl','dnsbl.njabl.org' ....

I would say this is necessary for anyone who runs mail servers on their box where customers use them from a dynamic IP. If njabl.org knows about you, you're blocked otherwise.
skeeter1jd
That works too. Enjoy.
imagenooker
i've thought about it, and I suspect something isn't quite right. let me splain ..

shouldn't I be able to include njabl? I thought the rules would let me authorize in (as you more or less indicated). I've always had authorization required for SMTP, and am I correct in assuming that is an Ensim default? And once I'm authorized, I thought the dnsbl rules are skipped? It's like my outgoing email is being treated like incoming email. At first I accepted this as normal, but now I'm thinking it's not.

I had one other thought. Could there be a difference between SMTP auth on Ensim 3.1 and 4.0.3? Could the email program settings needed for Ensim 3.1 be different than for Ensim 4.0.3?
skeeter1jd
Incoming and outgoing mail is now scanned, which is different from the 3.1 days. Removing the njabl will not make more spam come in. It's just an open relay check. You can remove it safely.
imagenooker
well snarf.

I have a customer that is reported on spamcop that I'd like to be able to whitelist in this sendmail config. I went to their location, and verified they are clean of viruses, and spyware. Despite that, they have been listed on spamcop. Is there a way to whitelist their connection. Perhaps using this:

CODE
dnl # The following allows relaying if the user authenticates, and disallows

dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links

dnl #

dnl define(`confAUTH_OPTIONS', `A p')dnl


I'm not sure how to uncomment the line. Do I remove dnl at the beginning? I feel very nooby on this one, unfortunately! And perhaps more important, will this allow them to mail despite the block list mods? I also don't know what a TLS link is.

Actually spamcop is behaving funny. The total number of incidents isn't increasing, yet the time to delisting isn't decreasing. It's fluctuating between 21 and 23 hours the times I've checked. And I repeat, the incident count isn't increasing.
skeeter1jd
spamcop can be touchy. I would put a dnl in front of the spamcop RBL.
CODE
dnl FEATURE(`dnsbl', `bl.spamcop.net', `"550 Mail from " $`'&{client_addr} " refused - see http://spamcop.net/bl.shtml"')dnl

and then remake the sendmail.cf file and restart sendmail
imagenooker
ok, I guess I'll do that.

I'm still trying for that authentication override!
skeeter1jd
you can try putting the IP addie in /etc/mail/access and restarting sendmail.

xxx.xxx.xxx.xxx ok

There's no magic pill for getting un-blacklisted once it happens. You need to do their dog and pony show, no matter what it is.
imagenooker
well, I'm testing FEATURE(delay_checks). It lets them send, as the rbl checks are being skipped if they authenticate first. This is according to another thread here.

But I get the distinct impression you think this isn't the right way to do things skeeter! I'll pay attention to what happens over the weekend and change it back if necessary. I have my fingers crossed!
TMX
QUOTE (imagenooker)
well, I'm testing FEATURE(delay_checks). It lets them send, as the rbl checks are being skipped if they authenticate first. This is according to another thread here.

But I get the distinct impression you think this isn't the right way to do things skeeter! I'll pay attention to what happens over the weekend and change it back if necessary. I have my fingers crossed!


Hope you guys don't mind me jumping in for a second...

Either method will work for your immediate purpose. The difference is that by enabling 'delay checks', you are essentially allowing sendmail to automatically whitelist any blacklisted IPs that successfully authenticate on your machine, while the access file method will require manual intervention on your part on a case-by-case basis, usually after your client has already been inconvenienced.

Additionally, with 'delay checks' enabled, you can safely re-add the NJABL (a very reliable and high-quality list, IMO) to your config, since practically nobody runs a legitimate mail server on a dynamic IP.

IMO, 'delay checks' is an absolute necessity when running DNSBLs, to avoid the very scenario you've run into in this thread and to ensure that those DNSBLs are only applied to the traffic for which they're intended.

-Bob
imagenooker
QUOTE (TMX)
Hope you guys don't mind me jumping in for a second...

Either method will work for your immediate purpose. The difference is that by enabling 'delay checks', you are essentially allowing sendmail to automatically whitelist any blacklisted IPs that successfully authenticate on your machine, while the access file method will require manual intervention on your part on a case-by-case basis, usually after your client has already been inconvenienced.

Additionally, with 'delay checks' enabled, you can safely re-add the NJABL (a very reliable and high-quality list, IMO) to your config, since practically nobody runs a legitimate mail server on a dynamic IP.

IMO, 'delay checks' is an absolute necessity when running DNSBLs, to avoid the very scenario you've run into in this thread and to ensure that those DNSBLs are only applied to the traffic for which they're intended.

-Bob



well, feel free to jump in. it was beginning to feel like a party with only 1 guest.

I actually did add back the njabl when I enabled delay checks. This morning I've received less spam myself, so I'm glad for it. So far so good.

I'm not your typical web host. I actually personally manage pretty much every website on my server. I got the server primarily to provide my design clients with a good host. And there's nothing wrong with making a buck or two on their hosting, of course. Initially, I did take on hosting-only customers through net orders. But I had problems with fraud purchases, and then one of them got the site solely so they could host the URLs within a spam email. The spam wasn't sent through the site's mail server, but the contained images and links were all to that site. Anyway, I decided I didn't want to be bothered with that 'crap', and chose to concentrate on my design and managed hosting customers. Everything on my server is there because I put it there. Customers that update their own site content do so through a custom CMS I made out of WordPress. This is the long way around saying that I can afford to be pretty tight on the rules for mail, as I personally know every customer on there and manage their content.

I used to have the policy that the customer is the best one to filter their spam using whatever local machine software they choose. I didn't want to be responsible for deleting any legitimate email by accident. I've since changed my mind. I especially have no problem blocking it at the sendmail level, as that's a little different than later deleting received email, since sendmail is sending a reject message. I appreciate skeeter's guide on this very much, as I think it's the 'right' way to do it. I would recommend he mention the delay checks option at the top of this thread for those who might feel they need to enable it.

bah, spammers. They're giving me grey hair.
skeeter1jd
Yea... there isn't a real "right way" to double check these things. I personally take a dim view of anyone that got blacklisted for any reason.
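An added example (editor's Python, not code from the thread and not sendmail itself) modelling the behaviour discussed from skeeter1jd's dnsbl lines through TMX's delay_checks explanation: which FEATURE(`dnsbl') entries survive m4's dnl comments, the reversed-octet name a client IP is looked up under, and why an authenticated customer on a listed dynamic IP is rejected without FEATURE(`delay_checks') but accepted with it, or with an OK entry for that address in /etc/mail/access. The ordering rules follow sendmail's documented semantics in cf/README; the DNSBL contents are a constructed table standing in for real DNS lookups, and the client addresses come from the RFC 5737 documentation ranges.

```python
"""Model of the thread's sendmail DNSBL behaviour.

Added example; not code from the thread and not sendmail itself. Per
cf/README: without delay_checks, check_relay runs when the client
connects, before it can AUTH; with FEATURE(`delay_checks') the checks
move to RCPT and are skipped when the recipient is already accepted for
relaying (an SMTP AUTH client). An OK entry in the access map for the
client address also overrides the DNSBL result. The LISTED table below
is constructed, not the result of real lookups.
"""
import re

# Excerpt in the shape of skeeter1jd's additions. The delay_checks line is
# commented out with dnl, as it was before imagenooker enabled it.
MC_TEXT = """\
dnl FEATURE(`delay_checks')dnl
FEATURE(`dnsbl',`dnsbl.njabl.org',`"550 Mail from " $&{client_addr} " rejected - see http://njabl.org/"')dnl
FEATURE(`dnsbl', `bl.spamcop.net', `"550 Mail from " $`'&{client_addr} " refused - see http://spamcop.net/bl.shtml"')dnl
FEATURE(`dnsbl', `sbl.spamhaus.org', `"550 Mail from " $`'&{client_addr} " refused - see http://www.spamhaus.org/SBL/"')dnl
"""

# Constructed DNSBL contents: zone -> set of listed client addresses.
LISTED = {
    "dnsbl.njabl.org": {"203.0.113.25"},   # a customer on a dynamic-pool address
    "bl.spamcop.net": {"198.51.100.7"},    # the customer who got reported to spamcop
    "sbl.spamhaus.org": set(),
}

DNSBL_RE = re.compile(r"FEATURE\(\s*`dnsbl'\s*,\s*`([^']+)'\s*,\s*`(.*)'\)\s*$")
DELAY_RE = re.compile(r"FEATURE\(\s*`delay_checks'")


def parse_mc(text):
    """Return (delay_checks_enabled, [(zone, reject_template), ...]).

    m4's dnl discards everything from the word dnl to the end of the line,
    so a FEATURE written after a leading dnl never reaches sendmail.cf.
    That is why 'dnl FEATURE(...)' disables a list and a line with the
    dnl removed re-enables it.
    """
    delay, lists = False, []
    for line in text.splitlines():
        code = re.split(r"\bdnl\b", line, maxsplit=1)[0]
        if DELAY_RE.search(code):
            delay = True
        m = DNSBL_RE.search(code)
        if m:
            lists.append((m.group(1), m.group(2)))
    return delay, lists


def dnsbl_query_name(client_ip, zone):
    """The A-record name sendmail resolves: the octets reversed under the zone."""
    return ".".join(reversed(client_ip.split("."))) + "." + zone


def dnsbl_hit(client_ip, zone, listed=LISTED):
    """Stand-in for the DNS lookup of dnsbl_query_name(client_ip, zone)."""
    return client_ip in listed.get(zone, set())


def render(template, client_ip):
    """Expand $&{client_addr} (or the m4-escaped $`'&{client_addr}) and drop
    the sendmail.cf string quotes so the result reads like the SMTP reply."""
    text = template.replace("$`'&{client_addr}", client_ip)
    text = text.replace("$&{client_addr}", client_ip)
    return " ".join(text.replace('"', "").split())


def smtp_decision(config, client_ip, will_authenticate, access=None, listed=LISTED):
    """Outcome for one client session: '250 ok' or the 550 reject text.

    will_authenticate: the client would present valid SMTP AUTH credentials.
    access: dict modelling /etc/mail/access entries such as {ip: 'OK'}.
    """
    delay_checks, lists = config
    if (access or {}).get(client_ip) == "OK":
        return "250 ok"            # access-map OK wins over the DNSBL checks
    if delay_checks and will_authenticate:
        return "250 ok"            # deferred to RCPT and skipped: client is relay-authorised
    for zone, template in lists:   # no delay_checks: check_relay fires at connect, before AUTH
        if dnsbl_hit(client_ip, zone, listed):
            return render(template, client_ip)
    return "250 ok"


def thread_scenarios():
    """The situations from the thread, side by side."""
    before = parse_mc(MC_TEXT)
    after = parse_mc(MC_TEXT.replace("dnl FEATURE(`delay_checks')dnl",
                                     "FEATURE(`delay_checks')dnl"))
    return {
        "dynamic-IP customer, delay_checks off": smtp_decision(before, "203.0.113.25", True),
        "dynamic-IP customer, delay_checks on": smtp_decision(after, "203.0.113.25", True),
        "same IP, no AUTH, delay_checks on": smtp_decision(after, "203.0.113.25", False),
        "spamcop-listed customer, access OK": smtp_decision(
            before, "198.51.100.7", False, access={"198.51.100.7": "OK"}),
    }


if __name__ == "__main__":
    for case, result in thread_scenarios().items():
        print(f"{case}: {result}")
```

The third scenario is the point TMX makes about re-adding NJABL: with delay_checks the list still rejects an unauthenticated connection from the same dynamic address, so the DNSBL keeps doing its job against inbound spam while authenticated customers are let through. After editing sendmail.mc, the file still has to be rebuilt with m4 and sendmail restarted, as in the original instructions, before any of this takes effect.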
zolex900
Hi.
You wrote in your howto, in item 3:
----------
3. Preliminary server setup - You already gave EV1 a domain name when signing up or registered one. My IP address "bank" that I was given was "10.0.0.1 thru 10.0.0.7". So(for example)write down:
domain name I submitted: pigglypokes.com
decided server hostname: srvr01.pigglypokes.com
srvr01.pigglypokes.com: 10.0.0.1
ns1.pigglypokes.com: 10.0.0.1
ns2.pigglypokes.com: 10.0.0.2
pigglypokes.com: 10.0.0.2
---------

I have decided the following:

ensim.mehosted.com : 69.93.238.186
ns1.mehosted.com : 69.93.238.186
ns2.mehosted.com : 69.93.238.187
mehosted.com : 69.93.238.187



I've got a question about this item of your howto:
---------------
4. Update your dns records - Log into your control center for EV1 and edit / add / remove your dns records to reflect these changes and match what you wrote down.
---------------

It seems that I can not add records to the theplanet.com DNS myself. I have requested the creation of a new zone for the domain mehosted.com in the theplanet.com DNS. It was done, and here is what the zone looks like:

------------
$ORIGIN .
$TTL 86400
mehosted.com IN SOA ns1.theplanet.com support.mehosted.com. (
2007090801 ; serial LAST:bwilliams
900 ; refresh period
900 ; retry period
1209600 ; expire period
86400) ; minimum TTL period

$ORIGIN mehosted.com.
mehosted.com. IN NS ns1.theplanet.com.
mehosted.com. IN NS ns2.theplanet.com.
mehosted.com. IN MX 10 mail
mehosted.com. IN A 69.93.238.187
www IN A 69.93.238.187
ftp IN A 69.93.238.187
mail IN A 69.93.238.187
----------


Now what should I do with
ensim.mehosted.com
ns1.mehosted.com
ns2.mehosted.com
?

Should I create new zone for each of the above? Should it be added to theplanet.com DNS?
I am really confused with it.
Can you please help somehow?

Thanks a lot beforehand.