SFTP access in Plesk 12.5 for domain users

Not sure why this didn’t work out of the box, but after lots of googling determined that adding some lines to /etc/ssh/sshd_config would allow SFTP to work. Without this it would connect but drop, the client log looking like:

Started a shell/command
 Using SFTP protocol.
 Doing startup conversation with host.
 Type: SSH_FXP_INIT, Size: 5, Number: -1
 Server sent command exit status 1
 Disconnected: All channels closed

The fix was to add this :

Match User UserName
     AllowTCPForwarding no
     X11Forwarding no
     ForceCommand internal-sftp

Plesk documentation implies this is not needed, that it should just work. So maybe there’s something wrong somewhere else but not going to argue with success.

Doing this does break chrootd SSH access, but that’s OK for what I needed. Will have to return to this someday and understand the problem.

Saturday, April 1st, 2017 Linux, Plesk No Comments

PMAS install final note

The last issue was also a permissions issue, ptsmtp needs to run with the same group (psacln) that Plesk uses for Apache so that the quarantine script can manipulate the files in /pmas/quarantine. This did require a patch to pmasplug.so to create files and directories with 0775 permissions (instead of 0755), i.e. g+w was missing. (and there’s still the ACL so that anything else that manipulates it will use the correct group; ptsmtp is different as it runs as root and that appears to override the ACL settings)

In summary there were just 3 things to deal with, the rest was just me making mistakes :

  • install needs some 32 bit libs that my system lacked
  • on my system all of the cgi-bin need to be in the actual vhost domain tree, not symlinked (due to suexec configuration) and all the UID GID must match the vhost’s (which for Plesk the GID is psacln).
  • Set the execute GID of ptsmtp to match (and get the modifed pmasplug.so)
  • (ok, it’s a 4th one, but it’s a *don’t*: Don’t mess with port 587)

And now I have anti-spam perfection to handle the mail lists for some local clubs.



Thursday, November 17th, 2016 Linux No Comments

More postfix stuff – maybe specific to CentOS 7 and Plesk 12.5

Somewhere along the line I started getting these in my mail log:

postfix/trivial-rewrite[51297]: warning: do not list domain s648499454.onlinehome.us in BOTH mydestination and virtual_alias_domains

I found this:

postfix nags about a domain in BOTH relay_domains and virtual_alias_domains, when it isn’t


postconf parent_domain_matches_subdomains
parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps


Looking back at older main.cf parent_domain_matches_subdomains is not present. No idea why it’s there now but I’ve seen Plesk do funny things – also means Plesk will probably do it again if it really was the cause.

Check postfix config:

postfix check
Thursday, November 17th, 2016 Linux, Plesk No Comments

Diagnosing PMAS failure to authenticate

Learned something about this CentOS 7 Plesk postfix system. If you change smtp in services, postfix will use the new port number for outbound connections too. So to relocate postfix’s inbound connections on 25 need to change them in the master.cf. Or create smtp_alt, not sure one way is better than the other but if it’s in services netstat will name it.

To enable postfix detailed debug, add:

debug_peer_list =

to main.cf. Use commas to separate multiple addresses.

Don’t forget the

postfix reload

Also useful is showing what process is using what port (with numeric port #)

lsof -i -P

Running PTSMTP without breaking mail while testing.

So in hindsight this is obvious.  Leave postfix at ports 25 & 587. Set PMAS configuration to use (lets say ports 225 for its inbound connections), and for the outbound side use the standard ports. Remember you *must* run init.d/pmas start after making a change to get the temporary .conf files written out, otherwise ptsmtp will use the config from the last time you ran.

Can even punch a few holes in the firewall to allow outside mail clients to try the PTSMTP listening ports.


Tuesday, November 15th, 2016 Linux No Comments

Figuring out Plesk and postfix interaction with PMAS

All works except email submission via port 587 [followup: was failing because ptsmtp was listening to 587 and it shouldn’t].

Plesk MTA info: http://kb.parallels.com/Attachments/kcs-15646/MTA_presentation.pdf

and general postfix info related to TLS: http://postfix.state-of-mind.de/patrick.koetter/smtpauth/postfix_tls_support.html

main.cf has:

smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated

so nothing funny there with Plesk.

smptd.conf has:

saslauthd_path: /var/spool/postfix/private/plesk_saslauthd

so maybe the question is what does plesk_saslauthd do?  Ultimately didn’t have anything to do with the problems but someday would like to understand why Plesk doesn’t seem to do what’s documented for postfix.



Tuesday, November 15th, 2016 Linux, Plesk No Comments

PMAS configuration

Notes to myself (which are probably specific to my CentOS 7 & Plesk setup with postfix that 1&1 provides by default):

  • RTFM: http://www.pmas.process.com/documentation/html/
  • scripts have to be moved under cgi-bin; suexec resolves the symlinks and uses that path to figure out what can be executed.
  • Looks like everything needs to match the UID of the vhost owner and the normal plesk group psacln.
  • run /pmas/bin/ptsmtp from the command line (and enable debugging from the config) to see what’s going on but keep in mind any UID/GID differences (or maybe there aren’t any).
    Also remember that the init.d/pmas script will have set a bunch of config info in to temp files, and ptsmtp will use that, not an
  • need to make quarantine directory files accessible from the web interface (permissions/group issue).
     setfacl -m default:group:psacln:rw quarantine/

    did not leave the subdirs g+w which seems to lead to problems deleting files. So still not there yet.

  • even though the PTMSTP setup has an entry for the cert files for TLS (or maybe these are for something else?) it expects the files to be: public certificate to be named /pmas/data/server-pub.pem and the private key to be named /pmas/data/server-priv.pem
  • Reminder- just need to cover port 25. No obvious reason to bother with 465, and don’t mess with 587!



Sunday, November 13th, 2016 Linux, Plesk No Comments

Mail testing (again)

Couple of useful sites to help check out your mail server.

Basic SMTP check: http://mxtoolbox.com/diagnostic.aspx

Tools to check TLS with: http://checktls.com/

SMTP test: https://www.wormly.com/tools

And of course can always telnet to port 25 or 587 and simulate a typical transaction:

EHLO atmob.org

MAIL FROM:me@here.com
RCPT TO:you@there.com
Subject: manual test 1


(entered one line at a time, including the blank lines)

Sunday, November 13th, 2016 Linux No Comments

PMAS installation

The awesome folks over at Process Software made me a super great offer to continue using  their PreciseMail Anti-Spam Gateway on my new server.  In addition to my own website I’m hosting mail lists for a number of clubs (at no charge) as there just aren’t a lot of good email list solutions (with reasonable anti spam) out there for small groups that need to communicate to their membership (I run mailman).

So I’ve scrapped my attempts on the other things which were ASSP: looks like it would do what I want but way too complex for a part time/limited admin skill person to figure out, and Maia: not currently maintained and limited documentation, as well as not clear how it could be trained with no actual mailboxes on the system.

Installation only hit one little snag, my CentOS 7 system doesn’t have many 32 bit libs installed and the PMAS install needs some. If you get errors just add the missing packages and rerun the installer.



Sunday, November 13th, 2016 Linux No Comments

Antispam update

Had continued problems with Maia mailguard configuration. The lack of install documentation for the 1.0.4 fork and my lack of knowledge of php made for a bad combination. Also, as I got further in to it it wasn’t clear how to set it up to handle accounts without mailboxes, as well as I realized it had no concept of white and blacklists for subject or body content. With no real mailboxes training of spam assassin remained another question. If I could have gotten it running maybe I would have figured out the answers to those questions and it would have worked out well. But I also note that the mail list for Maia users is mostly silent save for one recent post asking about upgrading to PHP 7, to which nobody responded. I will say that out of the open source things I looked at Maia still seems like the best one for a small server.

Looking now to the paid options, there’s only 2 that are priced for a “hobbyist” server that’s supporting email for some clubs/groups with no formal organization. However I went back to the awesome folks at Process Software (makers of the Precise Mail Anti-Spam System – PMAS, which was available on my old server) and they worked out something for me.

For me, PMAS is simply the best anti-spam software that I have ever come across. At the admin level it lets me see every address in the system regardless of what type they (mailbox, forwarding, mailman, etc) so you can see all quarantined messages in one place.  It sits at port 25 so if anything is rejected the sender gets confirmation that their email did not go through without creating backscatter. It allows words and phrases to be white or black listed. Daily+ spam rule updates avoid the need to futz with training, a problem for a system like this with no mailboxes that systems that use Baysian engines can’t handle.

Tuesday, November 1st, 2016 Linux, Plesk No Comments

Plesk 12.5 CentOS 7 mysql login

…cause I can’t remember these things a year later.

mysql -uadmin -p`cat /etc/psa/.psa.shadow`

Friday, October 28th, 2016 Linux, Plesk No Comments