]>
Commit | Line | Data |
---|---|---|
e3eaa56a DM |
1 | Administration |
2 | ============== | |
3 | ||
721ce1c0 DW |
4 | The Administration GUI allows you to carry out common tasks |
5 | such as updating software packages, managing quarantines, viewing the | |
6 | status of services, and managing mail queues. It also provides server | |
7 | statistics, in order to verify server health. | |
e3eaa56a DM |
8 | |
9 | ||
10 | Server Administration | |
11 | --------------------- | |
12 | ||
721ce1c0 DW |
13 | Status |
14 | ~~~~~~ | |
e3eaa56a | 15 | |
38d14519 | 16 | [thumbnail="screenshot/pmg-gui-server-status.png", big=1] |
e3eaa56a | 17 | |
721ce1c0 DW |
18 | This page shows statistics about server CPU, memory, disk and network |
19 | usage. You can select the displayed time span from the upper right. | |
e3eaa56a DM |
20 | |
21 | Administrators can open a terminal window using the 'Console' | |
22 | button. It is also possible to trigger a server 'Restart' or | |
23 | 'Shutdown'. | |
24 | ||
25 | ||
26 | Services | |
27 | ~~~~~~~~ | |
28 | ||
38d14519 | 29 | [thumbnail="screenshot/pmg-gui-service-status.png", big=1] |
e3eaa56a | 30 | |
721ce1c0 | 31 | This panel lists all the major services used for mail processing and |
e3eaa56a | 32 | cluster synchronization. If necessary, you can start, stop or restart |
721ce1c0 | 33 | them. The 'Syslog' button shows the system log, filtered for the |
e3eaa56a DM |
34 | selected service. |
35 | ||
36 | Please note that {pmg} uses {systemd} to manage services, so you can | |
db96e742 | 37 | also use the standard `systemctl` command-line tool to manage or view |
e3eaa56a DM |
38 | service status, for example: |
39 | ||
40 | ----- | |
41 | systemctl status postfix | |
42 | ----- | |
43 | ||
44 | ||
9163e56a | 45 | [[pmg_updates]] |
e3eaa56a DM |
46 | Updates |
47 | ~~~~~~~ | |
48 | ||
38d14519 | 49 | [thumbnail="screenshot/pmg-gui-updates.png", big=1] |
e3eaa56a DM |
50 | |
51 | We release software updates on a regular basis, and it is recommended | |
52 | to always run the latest available version. This page shows the | |
70dc6dd1 | 53 | available updates, and administrators can run an upgrade by pressing |
e3eaa56a DM |
54 | the 'Upgrade' button. |
55 | ||
56 | See section xref:pmg_package_repositories[Package Repositories] for | |
721ce1c0 | 57 | details about the available package repositories. |
e3eaa56a DM |
58 | |
59 | ||
60 | Syslog and Tasks | |
61 | ~~~~~~~~~~~~~~~~ | |
62 | ||
38d14519 | 63 | [thumbnail="screenshot/pmg-gui-syslog.png", big=1] |
e3eaa56a | 64 | |
721ce1c0 | 65 | The Syslog page gives you a quick real-time log view. You can use the |
80034065 | 66 | xref:pmg_tracking_center[Tracking Center] to search the logs. |
e3eaa56a | 67 | |
721ce1c0 DW |
68 | The Tasks page provides a history of the administration tasks that you |
69 | carried out on the server, such as upgrading the system. Each task | |
70 | entry provides status information about the task, as well as the | |
71 | output. | |
e3eaa56a DM |
72 | |
73 | Quarantine | |
74 | ---------- | |
75 | ||
fc11986a | 76 | [[pmgadministration_spam_quarantine]] |
e3eaa56a DM |
77 | Spam |
78 | ~~~~ | |
79 | ||
38d14519 | 80 | [thumbnail="screenshot/pmg-gui-spam-quarantine.png", big=1] |
3f02fc6b DM |
81 | |
82 | This panel lets you inspect the mail quarantine. Emails can be safely | |
83 | previewed and if desired, delivered to the original user. | |
84 | ||
721ce1c0 | 85 | The email preview on the web interface is very secure, as malicious |
3f02fc6b | 86 | code (attacking your operating system or email client) is removed by |
70dc6dd1 | 87 | {pmg}. |
3f02fc6b | 88 | |
fc11986a DW |
89 | Users can access their personalized quarantine via the daily spam report or by |
90 | navigating to the URL configured for the quarantine (defaults to | |
91 | `https://<pmg-host>:8006/quarantine`) and logging in with their LDAP credentials | |
92 | (email address and password). | |
515eeac8 | 93 | |
15c8d923 TL |
94 | You can additionally enable user self-service for sending an access link from |
95 | the Quarantine Login page. | |
721ce1c0 | 96 | To enable this on the Quarantine Login page, edit `/etc/pmg/pmg.conf`. See section |
15c8d923 TL |
97 | xref:pmgconfig_spamdetector_quarantine[Spam Detector Configuration - Quarantine] |
98 | for more details about the available settings. | |
515eeac8 | 99 | |
e3eaa56a DM |
100 | |
101 | Virus | |
102 | ~~~~~ | |
103 | ||
3f02fc6b DM |
104 | Allows administrators to inspect quarantined virus mails. |
105 | ||
e3eaa56a | 106 | |
f7d90c0a DC |
107 | Attachment |
108 | ~~~~~~~~~~ | |
109 | ||
110 | Allows administrators to inspect quarantined mails and download their | |
111 | attachments or deliver/delete them. | |
112 | ||
113 | NOTE: Use the options of the 'Remove attachment' action to control the Attachment Quarantine. | |
114 | ||
115 | ||
4a08dffe | 116 | [[pmg_userblackwhitelist]] |
e3eaa56a DM |
117 | User White- and Blacklist |
118 | ~~~~~~~~~~~~~~~~~~~~~~~~~ | |
119 | ||
3f02fc6b DM |
120 | This is mostly useful to debug or verify white- and blacklist user |
121 | settings. The administrator should not change these values because | |
122 | users can manage this themselves. | |
123 | ||
e3eaa56a | 124 | |
80034065 | 125 | [[pmg_tracking_center]] |
e3eaa56a DM |
126 | Tracking Center |
127 | --------------- | |
128 | ||
38d14519 | 129 | [thumbnail="screenshot/pmg-gui-tracking-center.png", big=1] |
b0a8e83b | 130 | |
e30d2fb3 DM |
131 | Email processing is a complex task and involves several service |
132 | daemons. Each daemon logs information to the syslog service. The | |
70dc6dd1 | 133 | problem is that a server analyzes many emails in parallel, so it is |
e30d2fb3 DM |
134 | usually very hard to find all logs corresponding to a specific mail. |
135 | ||
70dc6dd1 | 136 | The Tracking Center simplifies the search for |
395d1740 TL |
137 | emails dramatically. We use highly optimized and safe Rust footnote:[A language |
138 | empowering everyone to build reliable and efficient software. | |
139 | https://www.rust-lang.org/] code to search the available syslog data. This is | |
140 | very fast and powerful, and works for sites processing several million emails | |
141 | per day. | |
e30d2fb3 DM |
142 | |
143 | The result is a list of received mails, including the following data: | |
144 | ||
145 | [cols="s,5d"] | |
146 | |==== | |
721ce1c0 DW |
147 | |Time | Timestamp of first syslog entry found |
148 | |From | Envelope 'From' address (the sender) | |
149 | |To | The email receiver address | |
150 | |Status | Delivery status | |
151 | |Syslog | The corresponding syslog entries are shown if you double | |
152 | click such an entry or if you press the '+' button on the left | |
e30d2fb3 DM |
153 | |==== |
154 | ||
721ce1c0 DW |
155 | To narrow the search down further, you can specify filters and set |
156 | a 'Start' and 'End' time. By default, the start time is set to the | |
157 | last hour. If you still get too many entries, you can try to restrict | |
70dc6dd1 | 158 | the search to a specific sender or receiver address, or search for a |
721ce1c0 | 159 | specific text string in the logs ('Filter' entry). |
e3eaa56a | 160 | |
70dc6dd1 | 161 | NOTE: Search is faster if you use a shorter time interval. |
268f309d | 162 | |
70dc6dd1 | 163 | The 'Status' field summarizes what happened with an email. {pmg} is a |
f29824e9 | 164 | mail proxy, meaning that the proxy receives mails from outside, |
70dc6dd1 | 165 | processes them and finally sends the result to the receiver. |
f29824e9 DM |
166 | |
167 | The first phase is receiving the mail. The proxy may reject the mail | |
721ce1c0 DW |
168 | early or accept the mail and feed it into the filter. The filter |
169 | rules can then block or accept the mail. | |
f29824e9 DM |
170 | |
171 | In the second phase, accepted mails need to be delivered to the | |
70dc6dd1 | 172 | receiver. This action may also fail or succeed. 'Status' |
721ce1c0 | 173 | combines the results from the first and second phase. |
6abb9ee3 | 174 | |
f29824e9 DM |
175 | [options="header",cols="2s,1d,5d"] |
176 | |==== | |
177 | |Status |Phase |Description | |
721ce1c0 | 178 | |rejected |1 | Email rejected (for example, the sender IP is listed on an IP blacklist) |
f29824e9 | 179 | |greylisted |1 | Email temporarily rejected by greylisting |
721ce1c0 DW |
180 | |queued/deferred |1 | Internal email was queued, still trying to deliver |
181 | |queued/bounced |1 | Internal email was queued but not accepted by the target email server (for example, user unknown) | |
182 | |queued/delivered |1 | Internal email was queued and delivered | |
70dc6dd1 | 183 | |quarantine |1 | Email was moved to quarantine |
f29824e9 DM |
184 | |blocked |1 | Email was blocked by filter rules |
185 | |accepted/deferred |2 | Email accepted, still trying to deliver | |
721ce1c0 | 186 | |accepted/bounced |2 | Email accepted, but not accepted by the target email server (for example, user unknown) |
6abb9ee3 | 187 | |accepted/delivered |2 | Email accepted and delivered |
f29824e9 DM |
188 | |==== |
189 | ||
7b7e406b | 190 | [[postfix_queue_administration]] |
e3eaa56a DM |
191 | Postfix Queue Administration |
192 | ---------------------------- | |
193 | ||
38d14519 | 194 | [thumbnail="screenshot/pmg-gui-queue-admin-summary.png", big=1] |
f2bd0439 SI |
195 | |
196 | Mail-queues are one of the central concepts of the SMTP protocol. Once a | |
721ce1c0 | 197 | mail server accepts a mail for further processing it saves it to a queue. |
f2bd0439 | 198 | After the mail is either relayed to another system, stored locally |
7b7e406b | 199 | or discarded, it is deleted from the local mail-queue. |
f2bd0439 SI |
200 | |
201 | If immediate processing is not possible, for example because a downstream | |
721ce1c0 | 202 | mail server is not reachable, the mail remains on the queue for later |
f2bd0439 SI |
203 | processing. |
204 | ||
0972c942 | 205 | The 'Queue Administration' panel provides a summary about the current state |
7b7e406b | 206 | of the postfix mail-queue, similar to the 'qshape (1)' command-line utility. |
7b7e406b | 207 | It shows domains for which mails were not delivered, and how long they have |
f2bd0439 SI |
208 | been queued. |
209 | ||
210 | The three Action Buttons on top provide the most common queue operations: | |
211 | ||
212 | 'Flush Queue':: | |
213 | ||
214 | Attempt to deliver all currently queued mail, for example if a downstream | |
215 | server has become available again. | |
216 | ||
217 | 'Delete All Messages':: | |
218 | ||
219 | Delete all currently queued mail, for example if the queue contains only spam. | |
f2bd0439 SI |
220 | |
221 | 'Discard address verification database':: | |
222 | ||
223 | Clear the recipient verification cache. | |
224 | ||
721ce1c0 DW |
225 | A sudden increase in queued mails should be closely inspected. This |
226 | increase can indicate issues connecting to downstream servers or that | |
227 | one of the servers for which you relay emails sends spam itself. | |
f2bd0439 | 228 | |
0972c942 TL |
229 | Deferred Mail |
230 | ~~~~~~~~~~~~~ | |
38d14519 | 231 | [thumbnail="screenshot/pmg-gui-queue-admin-deferred.png"] |
0972c942 | 232 | |
721ce1c0 DW |
233 | In the 'Deferred Mail' tab, you can examine each deferred email |
234 | separately. In addition to providing contact information about the | |
235 | sender and receiver, you can also check the reason for which an email | |
236 | remains queued. | |
0972c942 | 237 | |
721ce1c0 DW |
238 | You can view the complete headers and filter by sender or receiver of |
239 | queued emails. | |
0972c942 | 240 | |
721ce1c0 | 241 | Here, you can also flush or delete each deferred email independently. |
9163e56a AZ |
242 | |
243 | ||
244 | [[pmg_firmware_updates]] | |
245 | Firmware Updates | |
246 | ---------------- | |
247 | Firmware updates from this chapter should be applied when running {pmg} or | |
248 | Debian on a bare-metal server. Whether configuring firmware updates is | |
249 | appropriate within a virtualized environment, e.g. when using device | |
250 | pass-through, depends strongly on your setup and is therefore out of scope. | |
251 | ||
252 | In addition to regular software updates, firmware updates are also important for | |
253 | reliable and secure operation. | |
254 | ||
255 | When obtaining and applying firmware updates, a combination of available options | |
256 | is recommended to get them as early as possible or at all. | |
257 | ||
258 | The term firmware is usually divided linguistically into microcode (for CPUs) | |
259 | and firmware (for other devices). | |
260 | ||
261 | ||
262 | [[pmg_firmware_persistent]] | |
263 | Persistent Firmware | |
264 | ~~~~~~~~~~~~~~~~~~~ | |
265 | This section is suitable for all devices. Updated microcode, which is usually | |
266 | included in a BIOS/UEFI update, is stored on the motherboard, whereas other | |
267 | firmware is stored on the respective device. This persistent method is | |
268 | especially important for the CPU, as it enables the earliest possible regular | |
269 | loading of the updated microcode at boot time. | |
270 | ||
271 | CAUTION: With some updates, such as for BIOS/UEFI or storage controller, the | |
272 | device configuration could be reset. Please follow the vendor's instructions | |
273 | carefully and back up the current configuration. | |
274 | ||
275 | Please check with your vendor which update methods are available. | |
276 | ||
277 | * Convenient update methods for servers can include Dell's Lifecycle Manager or | |
278 | Service Packs from HPE. | |
279 | ||
280 | * Sometimes there are Linux utilities available as well. Examples are | |
281 | https://network.nvidia.com/support/firmware/mlxup-mft/['mlxup'] for NVIDIA | |
282 | ConnectX or | |
283 | https://techdocs.broadcom.com/us/en/storage-and-ethernet-connectivity/ethernet-nic-controllers/bcm957xxx/adapters/software-installation/updating-the-firmware/manually-updating-the-adapter-firmware-on-linuxesx.html['bnxtnvm'/'niccli'] | |
284 | for Broadcom network cards. | |
285 | ||
286 | * https://fwupd.org[LVFS] could also be an option if there is a cooperation with | |
287 | a https://fwupd.org/lvfs/vendors/[vendor] and | |
288 | https://fwupd.org/lvfs/devices/[supported hardware] in use. The technical | |
289 | requirement for this is that the system was manufactured after 2014, is booted | |
290 | via UEFI and the easiest way is to mount the EFI partition from which you boot | |
291 | (`mount /dev/disk/by-partuuid/<from efibootmgr -v> /boot/efi`) before installing | |
292 | 'fwupd'. | |
293 | ||
294 | TIP: If the update instructions require a host reboot, please do not forget | |
295 | about it. | |
296 | ||
297 | ||
298 | [[pmg_firmware_runtime_files]] | |
299 | Runtime Firmware Files | |
300 | ~~~~~~~~~~~~~~~~~~~~~~ | |
301 | This method stores firmware on the {pmg} operating system and will pass it to a | |
302 | device if its xref:pmg_firmware_persistent[persisted firmware] is less recent. | |
303 | It is supported by devices such as network and graphics cards, but not by those | |
304 | that rely on persisted firmware such as the motherboard and hard disks. | |
305 | ||
306 | In {pmg} the package `pve-firmware` is already installed by default. Therefore, | |
307 | with the normal xref:pmg_updates[system updates (APT)], included firmware of | |
308 | common hardware is automatically kept up to date. | |
309 | ||
310 | An additional xref:pmg_debian_firmware_repo[Debian Firmware Repository] exists, | |
311 | but is not configured by default. | |
312 | ||
313 | If you try to install an additional firmware package but it conflicts, APT will | |
314 | abort the installation. Perhaps the particular firmware can be obtained in | |
315 | another way. | |
316 | ||
317 | ||
318 | [[pmg_firmware_cpu]] | |
319 | CPU Microcode Updates | |
320 | ~~~~~~~~~~~~~~~~~~~~~ | |
321 | Microcode updates are intended to fix found security vulnerabilities and other | |
322 | serious CPU bugs. While the CPU performance can be affected, a patched microcode | |
323 | is usually still more performant than an unpatched microcode where the kernel | |
324 | itself has to do mitigations. Depending on the CPU type, it is possible that | |
325 | performance results of the flawed factory state can no longer be achieved | |
326 | without knowingly running the CPU in an unsafe state. | |
327 | ||
328 | To get an overview of present CPU vulnerabilities and their mitigations, run | |
329 | `lscpu`. Current real-world known vulnerabilities can only show up if the {pmg} | |
330 | host is xref:pmg_updates[up to date], its version not | |
331 | xref:faq-support-table[end of life], and has at least been rebooted since the | |
332 | last kernel update. | |
333 | ||
334 | Besides the recommended microcode update via | |
335 | xref:pmg_firmware_persistent[persistent] BIOS/UEFI updates, there is also an | |
336 | independent method via *Early OS Microcode Updates*. It is convenient to use and | |
337 | also quite helpful when the motherboard vendor no longer provides BIOS/UEFI | |
338 | updates. Regardless of the method in use, a reboot is always needed to apply a | |
339 | microcode update. | |
340 | ||
341 | ||
342 | Set up Early OS Microcode Updates | |
343 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | |
344 | To set up microcode updates that are applied early on boot by the Linux kernel, | |
345 | you need to: | |
346 | ||
347 | . Enable the xref:pmg_debian_firmware_repo[Debian Firmware Repository] | |
348 | . Get the latest available packages: `apt update` (or use the web interface, | |
349 | under Administration -> Updates) | |
350 | . Install the CPU-vendor specific microcode package: | |
351 | - For Intel CPUs: `apt install intel-microcode` | |
352 | - For AMD CPUs: `apt install amd64-microcode` | |
353 | . Reboot the {pmg} host | |
354 | ||
355 | Any future microcode update will also require a reboot to be loaded. | |
356 | ||
357 | ||
358 | Microcode Version | |
359 | ^^^^^^^^^^^^^^^^^ | |
360 | To get the current running microcode revision for comparison or debugging | |
361 | purposes: | |
362 | ||
363 | ---- | |
364 | # grep microcode /proc/cpuinfo | uniq | |
365 | microcode : 0xf0 | |
366 | ---- | |
367 | ||
368 | A microcode package has updates for many different CPUs. But updates | |
369 | specifically for your CPU might not come often. So, just looking at the date on | |
370 | the package won't tell you when the company actually released an update for your | |
371 | specific CPU. | |
372 | ||
373 | If you've installed a new microcode package and rebooted your {pmg} host, and | |
374 | this new microcode is newer than both, the version baked into the CPU and the | |
375 | one from the motherboard's firmware, you'll see a message in the system log | |
376 | saying "microcode updated early". | |
377 | ||
378 | ---- | |
379 | # dmesg | grep microcode | |
380 | [ 0.000000] microcode: microcode updated early to revision 0xf0, date = 2021-11-12 | |
381 | [ 0.896580] microcode: Microcode Update Driver: v2.2. | |
382 | ---- | |
383 | ||
384 | ||
385 | [[pmg_firmware_troubleshooting]] | |
386 | Troubleshooting | |
387 | ^^^^^^^^^^^^^^^ | |
388 | For debugging purposes, the set up Early OS Microcode Update applied regularly | |
389 | at system boot can be temporarily disabled as follows: | |
390 | ||
391 | . Reboot the host to get to the GRUB menu (hold `SHIFT` if it is hidden) | |
392 | . At the desired {pmg} boot entry press `E` | |
393 | . Go to the line which starts with `linux` and append separated by a space | |
394 | *`dis_ucode_ldr`* | |
395 | . Press `CTRL-X` to boot this time without an Early OS Microcode Update | |
396 | ||
397 | If a problem related to a recent microcode update is suspected, a package | |
398 | downgrade should be considered instead of package removal | |
399 | (`apt purge <intel-microcode|amd64-microcode>`). Otherwise, a too old | |
400 | xref:pmg_firmware_persistent[persisted] microcode might be loaded, even | |
401 | though a more recent one would run without problems. | |
402 | ||
403 | A downgrade is possible if an earlier microcode package version is | |
404 | available in the Debian repository, as shown in this example: | |
405 | ||
406 | ---- | |
407 | # apt list -a intel-microcode | |
408 | Listing... Done | |
409 | intel-microcode/stable-security,now 3.20230808.1~deb12u1 amd64 [installed] | |
410 | intel-microcode/stable 3.20230512.1 amd64 | |
411 | ---- | |
412 | ---- | |
413 | # apt install intel-microcode=3.202305* | |
414 | ... | |
415 | Selected version '3.20230512.1' (Debian:12.1/stable [amd64]) for 'intel-microcode' | |
416 | ... | |
417 | dpkg: warning: downgrading intel-microcode from 3.20230808.1~deb12u1 to 3.20230512.1 | |
418 | ... | |
419 | intel-microcode: microcode will be updated at next boot | |
420 | ... | |
421 | ---- | |
422 | ||
423 | To apply an older microcode potentially included in the microcode package for | |
424 | your CPU type, reboot now. | |
425 | ||
426 | [TIP] | |
427 | ==== | |
428 | It makes sense to hold the downgraded package for a while and try more recent | |
429 | versions again at a later time. Even if the package version is the same in the | |
430 | future, system updates may have fixed the experienced problem in the meantime. | |
431 | ---- | |
432 | # apt-mark hold intel-microcode | |
433 | intel-microcode set on hold. | |
434 | ---- | |
435 | ---- | |
436 | # apt-mark unhold intel-microcode | |
437 | # apt update | |
438 | # apt upgrade | |
439 | ---- | |
440 | ==== | |
abe750ed SI |
441 | |
442 | ||
443 | include::system-booting.adoc[] |