SFTP access in Plesk 12.5 for domain users

Not sure why this didn’t work out of the box, but after lots of googling determined that adding some lines to /etc/ssh/sshd_config would allow SFTP to work. Without this it would connect but drop, the client log looking like:

Started a shell/command
 Using SFTP protocol.
 Doing startup conversation with host.
 Type: SSH_FXP_INIT, Size: 5, Number: -1
 Server sent command exit status 1
 Disconnected: All channels closed

The fix was to add this :

Match User UserName
     AllowTCPForwarding no
     X11Forwarding no
     ForceCommand internal-sftp

Plesk documentation implies this is not needed, that it should just work. So maybe there’s something wrong somewhere else but not going to argue with success.

Doing this does break chrootd SSH access, but that’s OK for what I needed. Will have to return to this someday and understand the problem.

Saturday, April 1st, 2017 Linux, Plesk No Comments

More postfix stuff – maybe specific to CentOS 7 and Plesk 12.5

Somewhere along the line I started getting these in my mail log:

postfix/trivial-rewrite[51297]: warning: do not list domain in BOTH mydestination and virtual_alias_domains

I found this:

postfix nags about a domain in BOTH relay_domains and virtual_alias_domains, when it isn’t


postconf parent_domain_matches_subdomains
parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps


Looking back at older parent_domain_matches_subdomains is not present. No idea why it’s there now but I’ve seen Plesk do funny things – also means Plesk will probably do it again if it really was the cause.

Check postfix config:

postfix check
Thursday, November 17th, 2016 Linux, Plesk No Comments

Figuring out Plesk and postfix interaction with PMAS

All works except email submission via port 587 [followup: was failing because ptsmtp was listening to 587 and it shouldn’t].

Plesk MTA info:

and general postfix info related to TLS: has:

smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated

so nothing funny there with Plesk.

smptd.conf has:

saslauthd_path: /var/spool/postfix/private/plesk_saslauthd

so maybe the question is what does plesk_saslauthd do?  Ultimately didn’t have anything to do with the problems but someday would like to understand why Plesk doesn’t seem to do what’s documented for postfix.



Tuesday, November 15th, 2016 Linux, Plesk No Comments

PMAS configuration

Notes to myself (which are probably specific to my CentOS 7 & Plesk setup with postfix that 1&1 provides by default):

  • RTFM:
  • scripts have to be moved under cgi-bin; suexec resolves the symlinks and uses that path to figure out what can be executed.
  • Looks like everything needs to match the UID of the vhost owner and the normal plesk group psacln.
  • run /pmas/bin/ptsmtp from the command line (and enable debugging from the config) to see what’s going on but keep in mind any UID/GID differences (or maybe there aren’t any).
    Also remember that the init.d/pmas script will have set a bunch of config info in to temp files, and ptsmtp will use that, not an
  • need to make quarantine directory files accessible from the web interface (permissions/group issue).
     setfacl -m default:group:psacln:rw quarantine/

    did not leave the subdirs g+w which seems to lead to problems deleting files. So still not there yet.

  • even though the PTMSTP setup has an entry for the cert files for TLS (or maybe these are for something else?) it expects the files to be: public certificate to be named /pmas/data/server-pub.pem and the private key to be named /pmas/data/server-priv.pem
  • Reminder- just need to cover port 25. No obvious reason to bother with 465, and don’t mess with 587!



Sunday, November 13th, 2016 Linux, Plesk No Comments

Antispam update

Had continued problems with Maia mailguard configuration. The lack of install documentation for the 1.0.4 fork and my lack of knowledge of php made for a bad combination. Also, as I got further in to it it wasn’t clear how to set it up to handle accounts without mailboxes, as well as I realized it had no concept of white and blacklists for subject or body content. With no real mailboxes training of spam assassin remained another question. If I could have gotten it running maybe I would have figured out the answers to those questions and it would have worked out well. But I also note that the mail list for Maia users is mostly silent save for one recent post asking about upgrading to PHP 7, to which nobody responded. I will say that out of the open source things I looked at Maia still seems like the best one for a small server.

Looking now to the paid options, there’s only 2 that are priced for a “hobbyist” server that’s supporting email for some clubs/groups with no formal organization. However I went back to the awesome folks at Process Software (makers of the Precise Mail Anti-Spam System – PMAS, which was available on my old server) and they worked out something for me.

For me, PMAS is simply the best anti-spam software that I have ever come across. At the admin level it lets me see every address in the system regardless of what type they (mailbox, forwarding, mailman, etc) so you can see all quarantined messages in one place.  It sits at port 25 so if anything is rejected the sender gets confirmation that their email did not go through without creating backscatter. It allows words and phrases to be white or black listed. Daily+ spam rule updates avoid the need to futz with training, a problem for a system like this with no mailboxes that systems that use Baysian engines can’t handle.

Tuesday, November 1st, 2016 Linux, Plesk No Comments

Plesk 12.5 CentOS 7 mysql login

…cause I can’t remember these things a year later.

mysql -uadmin -p`cat /etc/psa/.psa.shadow`

Friday, October 28th, 2016 Linux, Plesk No Comments

More things with plesk 12.5 setup

/etc/aliases : fix entry for root to point to a valid email address. run newaliases after changing (maybe retsart postfix too?)

greylisting may get turned on for new domains. Check with:

/usr/local/psa/bin/grey_listing --info-domain domain.tld

turn off with:

/usr/local/psa/bin/grey_listing -ud ldomain.tld -status off

/etc/postfix/ needs:

mydestination = $myhostname, localhost.$mydomain, localhost, localhost.localdomain

Plesk repair utility – hugely useful tool for dealing with issues. Seems like migrating domains leaves some bad thing around.

Ways to test DNSBL is working:  (telnet to 127.0.02)  This is really useful and really hard to find…

Needed to set open_basedir for some php stuff, but doing it from the Plesk panel for php for the domain didn’t seem to work. Can’t tell where it’s even putting it.

found it in vhost.conf.


Thursday, October 20th, 2016 Linux, Plesk No Comments