Service Changes

  • MTAs changed from sendmail to Postfix 2.3
  • Alternate outbound port standardized to submission port (587) across all servers
  • SSL changed to TLS on port 465
  • Mailboxes over quota will permanently reject e-mail now instead of temporarily deferring
  • POP before SMTP removed (does anyone use this still?)
  • Outbound mail scanning through MIMEDefang disabled
  • DSPAM availability
  • Mail lookup tables moved from hash file to PostgreSQL
  • Majordomo aliases now outside /home/virtual/siteN/fst/etc/aliases; relocated to global map in /etc/postfix
  • Majordomo now sets the uid to the site admin for list configuration
  • UW-IMAP changed to Dovecot for IMAP/POP3
  • POLL support through inotify subsystem used with Dovecot (requires glibc 2.4/kernel internal changes)
  • Mail storage changed from mbox to Maildir (resolves random mailbox locking issues)
  • Default mail spool location changed from /var/spool/mail/username to /home/username/Mail/
  • Additional mailboxes relocated from /home/username/mailbox to /home//Mail/.mailbox/
  • procmail replaced by maildrop for local delivery (new syntax, .procmailrc obsoleted)
  • Per-user/domain combination mailbox segregation, still defaults to /home/username/Mail/
  • Dovecot chroot’s POP3/IMAP sessions, thus /home/username/Mail/ effectively becomes / to the e-mail client
  • .mailboxlist -> subscriptions for IMAP mailbox listings. (This change should be transparent to the e-mail client.)
  • Pine removed from shell e-mail clients, use Mutt
  • open()/fchdir()/chroot() hack implemented with SpamAssassin to break out of the chroot’d jail getpwnam() creates with Ensim’s NSS library. This should speed up message parsing a bit since spamd processes don’t have to continuously respawn after each message parsing.
  • Brought back SpamAssassin daily statistics available in the control panel — for the time being
  • Removed Cyrus SASL for SMTP authentication, using Dovecot’s built-in mechanism now. A while back there were issues with Ensim’s poor implementation of Cyrus SASL that caused authentication to stop working randomly. This was fixed by an additional library provided through them, but hopefully with my changes that shouldn’t be a problem. If authentication randomly stops working though, let me know (it shouldn’t).

Web Server

  • PHP5 rewrite rule changes significantly:
    RewriteCond %{SERVER_PORT} !9000
    RewriteCond %{SCRIPT_FILENAME} \.php5$
    RewriteRule ^(.*)$ http://%{HTTP_HOST}:9000/$1 [L,P]
  • Removed subdomain mappings. Subdomains now check /var/subdomain/name/ and go from there; fixes http://subdomain.[em]shared domain[/em]/ incorrectly mapping on all servers except Gauss
  • If the requested subdomain cannot be found under /var/subdomain/, request defaults to document root in /var/www/html/
  • PHP applications now send e-mails as postmaster@domain by default, overrideable
  • Enforce 64 MB hard limit on PHP scripts
  • Removed superfluous Apache directives that had little effect but added plenty of bloat, e.g. Order allow,deny/Allow from all
  • Removed per-user CGI allowance; inefficient use of resources
  • Removed ServerAdmin directive from Apache configuration for privacy reasons
  • Removed HTTPD20/PROD_SERVER constants from Ensim’s Web server configuration module. This permanently fixes instances when Apache would reload and sites would be redirected to the control panel
  • Dropped .php3 file extension
  • Removed SSL.domain name constant from Apache configuration.
  • Tomcat 5.0 upgraded to Tomcat 5.5
  • Default Rails environment is Production
  • PHP5 no longer logs errors by default; errors logged to page output
  • Removed Ensimized exclog process for logging requests, moving back to pre-3.7 style of CustomLog
  • Removed domain preview program; use hosts override to preview site (still available only under special cases)
  • RubyGems now placed under /usr/local/lib/ruby/gems/, this is done by the GEM_HOME environment variable set in $HOME/.bash_profile. You can now do something like gem install mongrel -y without the installer complaining about permission problems on /usr/bin/. This carries one nasty side effect such that bindir is forcefully set to /usr/local/lib/ruby/gems/1.8/bin, but you can run a symlink to a file in there over to /usr/local/bin. rmagick also builds cleanly.


  • ProFTPD switched to vsftpd
  • Added optional TLS authentication layer on port 21
  • Anonymous FTP disabled
  • Per-user chroot (/home//) now possible — file ticket for per user requests

Control Panel/Misc

  • apnscp permanently retired, replaced by apnscp esprit
  • 40001 – 49999 reserved ports for accounts. 4xxx0 – 4xxx9 allowable port range (10 ports) where xxx = site number, e.g. site1 may use [40010,40019] and site134 may use [41340, 41349] for permitted daemons (absolutely no IRC [NOC policy] and no BitTorrent [our policy] clients or servers)
  • E-mail aliases/forwarder/Majordomo management moved from Ensim to apnscp
  • now correctly maps to esprit (in the case a user clicked on the CP URL during domain preview)
  • Sub-users now have /etc/skel/ contents copied fully
  • Due to incessant whining, cron daemon will automatically start-up is previously installed at start-up. This will change eventually to user-configurable within esprit.
  • CPAN available from the shell

Software Changes

  • Urchin profiles no longer automatic, setup manually through control panel if requested (licensing costs)
  • Ruby 1.8.4 -> 1.8.5
  • ImageMagick 5.x.x -> ImageMagick 6.2.5
  • glibc 2.3 -> 2.4
  • Redhat Enterprise Linux 3 -> CentOS 4.4 (analogous to Redhat Enterprise Linux 4.4)
  • phpize, php-config for PHP5 named phpize5, php-config5; header files moved to /usr/include/php5
  • Apache 2.0 -> 2.2
  • Removed mod_frontpage
  • Kernel upgraded 2.6.9 -> 2.6.19
  • FastCGI bindings now standard
  • PostgreSQL 8.1 -> PostgreSQL 8.2
  • RubyGems 0.9.0 -> 0.9.1
  • BIND 9.2 -> 9.4
  • Java 1.5 -> 1.6/Tomcat 5.0 -> Tomcat 5.5
  • Perl 5.8.5 -> Perl 5.8.8

Internal Changes

  • IRQ balancing changed from kernel-based to software (better reliability on rebalancing IRQs)
  • Intel I/O AT used to offload TCP packet processing onto the NIC
  • Dell Remote Access Card v5 used, requires IPMI interface that is compiled and works as expected
  • Watchdog interface shifted from software (which results in erroneous reboots occasionally) to IPMI-based one in DRAC
  • / (68 -> 135 GB) , /boot (100 MB -> 100 MB), swap (4 -> 2 GB), /tmp (n/a -> 2 GB) mount points, /tmp is RAID0, all others RAID1
  • Track individual RPM files under FST/filelists/service name/app nameapp version.txt
  • FST-installed RPMs now correctly handle symlinks instead of duplicating referent
  • Include MySQL socket monitor to ensure table locks don’t trickle out into global locks
  • Poll individual FST mail spools every 5 minutes for messages waiting in maildrop. These messages occur when sent from the shell.
  • Tomcat relocated from Ensimized /var/tomcat4/ to /opt/tomcat4/
  • Removed all auxiliary Ensim components except for opcenter/ (Ensim’s CP), vh3 Python package, /etc/virtualhosting/, and a few wrapper scripts
  • Removed redundant PAM authentication scripts for IMAP/POP3/FTP for sites. The main one in /etc/pam.d/ handles authentication, each one in FST/etc/pam.d/ just adds unnecessary checks.
  • ACLs no longer recalculate an effective mask; thus adding a user outside the group won’t modify the permission set for other
v4 Platform Release
Tagged on: