2021-09-14 21:56:18 -05:00
<!DOCTYPE html>
< html >
< head >
< meta http-equiv = "Content-Type" content = "text/html; charset=utf-8" / >
< title > Upgrade iRedMail from 1.4.2 to 1.4.3< / title >
< link rel = "stylesheet" type = "text/css" href = "./css/markdown.css" / >
< / head >
< body >
< div id = "navigation" >
< a href = "https://www.iredmail.org" target = "_blank" >
< img alt = "iRedMail web site"
src="./images/logo-iredmail.png"
style="vertical-align: middle; height: 30px;"
/>
< span > iRedMail< / span >
< / a >
// < a href = "./index.html" > Document Index< / a > < / div > < h1 id = "upgrade-iredmail-from-142-to-143" > Upgrade iRedMail from 1.4.2 to 1.4.3< / h1 >
< div class = "toc" >
< ul >
< li > < a href = "#upgrade-iredmail-from-142-to-143" > Upgrade iRedMail from 1.4.2 to 1.4.3< / a > < ul >
< li > < a href = "#changelog" > ChangeLog< / a > < / li >
< li > < a href = "#general-all-backends-should-apply-these-changes" > General (All backends should apply these changes)< / a > < ul >
< li > < a href = "#update-etciredmail-release-with-new-iredmail-version-number" > Update /etc/iredmail-release with new iRedMail version number< / a > < / li >
2021-09-28 08:31:15 -05:00
< li > < a href = "#upgrade-mlmmjadmin-to-the-latest-stable-release-313" > Upgrade mlmmjadmin to the latest stable release (3.1.3)< / a > < / li >
2021-09-14 21:56:18 -05:00
< li > < a href = "#nginx-several-improvements" > Nginx: several improvements< / a > < / li >
2021-09-14 22:07:16 -05:00
< li > < a href = "#dovecot-enable-new-ssl-cipher-eecdhchacha20-and-remove-the-weak-one-aes256edh" > Dovecot: enable new ssl cipher EECDH+CHACHA20 and remove the weak one AES256+EDH< / a > < / li >
2021-09-14 21:56:18 -05:00
< / ul >
< / li >
< / ul >
< / li >
< / ul >
< / div >
< div class = "admonition warning" >
< p class = "admonition-title" > Warning< / p >
< p > This IS A DRAFT DOCUMENT, DO NOT APPLY IT.< / p >
< / div >
< div class = "admonition note" >
< p class = "admonition-title" > Paid Remote Upgrade Support< / p >
< p > We offer remote upgrade support if you don't want to get your hands dirty,
check < a href = "https://www.iredmail.org/support.html" > the details< / a > and
< a href = "https://www.iredmail.org/contact.html" > contact us< / a > .< / p >
< / div >
< h2 id = "changelog" > ChangeLog< / h2 >
< h2 id = "general-all-backends-should-apply-these-changes" > General (All backends should apply these changes)< / h2 >
< h3 id = "update-etciredmail-release-with-new-iredmail-version-number" > Update < code > /etc/iredmail-release< / code > with new iRedMail version number< / h3 >
< p > iRedMail stores the release version in < code > /etc/iredmail-release< / code > after
installation, it's recommended to update this file after you upgraded iRedMail,
so that you can know which version of iRedMail you're running. For example:< / p >
< pre > < code > 1.4.3
< / code > < / pre >
2021-09-28 08:31:15 -05:00
< h3 id = "upgrade-mlmmjadmin-to-the-latest-stable-release-313" > Upgrade mlmmjadmin to the latest stable release (3.1.3)< / h3 >
< p > Please follow below tutorial to upgrade mlmmjadmin to the latest stable release:
< a href = "./upgrade.mlmmjadmin.html" > Upgrade mlmmjadmin to the latest stable release< / a > < / p >
2021-09-14 21:56:18 -05:00
< h3 id = "nginx-several-improvements" > Nginx: several improvements< / h3 >
< div class = "admonition attention" >
< p class = "admonition-title" > Attention< / p >
< p > All credit goes to GitHub user
< a href = "https://github.com/ludovicandrieux" > @ludovicandrieux< / a > , thanks for the
contributions. See also:
< a href = "https://github.com/iredmail/iRedMail/issues/136" > #136< / a > ,
< a href = "https://github.com/iredmail/iRedMail/issues/137" > #137< / a > ,
< a href = "https://github.com/iredmail/iRedMail/issues/138" > #138< / a > .< / p >
< / div >
< ul >
< li > Enable TLSv1.3. WARNING: It requires Nginx 1.13 or later releases, which is
available on:< ul >
< li > CentOS 7 and later< / li >
< li > Debian 10 and later< / li >
2021-09-15 09:54:15 -05:00
< li > Ubuntu 18.04 and later< / li >
2021-09-14 21:56:18 -05:00
< li > FreeBSD< / li >
< li > OpenBSD< / li >
< / ul >
< / li >
< li > Greatly improve the performance of http keep-alive connections over SSL by
2021-09-14 22:11:40 -05:00
enabling < code > ssl_session_cache< / code > parameter. See also:< ul >
< li > < a href = "https://vincent.bernat.ch/en/blog/2011-ssl-session-reuse-rfc5077" > Speeding up TLS: enabling session reuse< / a > < / li >
< li > < a href = "https://www.peterbe.com/plog/ssl_session_cache-ab" > ssl_session_cache in Nginx and the ab benchmark< / a > < / li >
< / ul >
< / li >
2021-09-14 21:56:18 -05:00
< li > Add new ssl cipher: < code > EECDH+CHACHA20< / code > . It requires openssl 1.1.0, which is
available on:< ul >
< li > CentOS 7 and later< / li >
< li > Debian 9 and later< / li >
2021-09-15 09:54:15 -05:00
< li > Ubuntu 18.04 and later< / li >
2021-09-14 21:56:18 -05:00
< li > FreeBSD< / li >
< li > OpenBSD< / li >
< / ul >
< / li >
< li > Remove weak ssl cipher: < code > AES256+EDH< / code > .< / li >
< / ul >
< p > To apply these changes, please open file < code > /etc/nginx/templates/ssl.tmpl< / code > with
your favourite text editor, then:< / p >
< ul >
< li > Append < code > TLSv1.3< / code > in parameter < code > ssl_protocols< / code > . For example:< / li >
< / ul >
< pre > < code > ssl_protocols TLSv1.2 TLSv1.3;
< / code > < / pre >
< ul >
< li > Prepend < code > EECDH+CHACHA20< / code > in parameter < code > ssl_ciphers< / code > , also remove < code > AES256+EDH< / code > .
For example:< / li >
< / ul >
< pre > < code > ssl_ciphers EECDH+CHACHA20:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH;
< / code > < / pre >
< ul >
< li > Add new parameter < code > ssl_session_cache< / code > and optional comment lines:< / li >
< / ul >
< pre > < code > # Greatly improve the performance of keep-alive connections over SSL.
# With this enabled, client is not necessary to do a full SSL-handshake for
# every request, thus saving time and cpu-resources.
ssl_session_cache shared:SSL:10m;
< / code > < / pre >
2021-09-14 22:07:16 -05:00
< p > Restarting Nginx service is required.< / p >
< h3 id = "dovecot-enable-new-ssl-cipher-eecdhchacha20-and-remove-the-weak-one-aes256edh" > Dovecot: enable new ssl cipher < code > EECDH+CHACHA20< / code > and remove the weak one < code > AES256+EDH< / code > < / h3 >
< p > Please open file < code > /etc/dovecot/dovecot.conf< / code > (Linux/OpenBSD) or
< code > /usr/local/etc/dovecot/dovecot.conf< / code > (FreeBSD), update parameter
< code > ssl_cipher_list< / code > to:< / p >
< pre > < code > ssl_cipher_list = EECDH+CHACHA20:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH
< / code > < / pre >
< p > Restarting Dovecot service is required.< / p > < div class = "footer" >
2021-09-14 21:56:18 -05:00
< p style = "text-align: center; color: grey;" > All documents are available in < a href = "https://github.com/iredmail/docs/" > GitHub repository< / a > , and published under < a href = "http://creativecommons.org/licenses/by-nd/3.0/us/" target = "_blank" > Creative Commons< / a > license. You can < a href = "https://github.com/iredmail/docs/archive/master.zip" > download the latest version< / a > for offline reading. If you found something wrong, please do < a href = "https://www.iredmail.org/contact.html" > contact us< / a > to fix it.< / p >
< / div > < / body > < / html >