<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Upgrade iRedMail from 0.9.4 to 0.9.5</title>
<link rel="stylesheet" type="text/css" href="./css/markdown.css" />
</head>
<body>
<div id="navigation">
<a href="/index.html" target="_blank">
<img alt="iRedMail web site"
src="./images/logo-iredmail.png"
style="vertical-align: middle; height: 30px;"
/>&nbsp;
<span>iRedMail</span>
</a>
&nbsp;&nbsp;//&nbsp;&nbsp;<a href="./index.html">Document Index</a></div><h1 id="upgrade-iredmail-from-094-to-095">Upgrade iRedMail from 0.9.4 to 0.9.5</h1>
<div class="toc">
<ul>
<li><a href="#upgrade-iredmail-from-094-to-095">Upgrade iRedMail from 0.9.4 to 0.9.5</a><ul>
<li><a href="#changelog">ChangeLog</a></li>
<li><a href="#general-all-backends-should-apply-these-steps">General (All backends should apply these steps)</a><ul>
<li><a href="#update-etciredmail-release-with-new-iredmail-version-number">Update /etc/iredmail-release with new iRedMail version number</a></li>
<li><a href="#upgrade-iredapd-postfix-policy-server-to-the-latest-190">Upgrade iRedAPD (Postfix policy server) to the latest 1.9.0</a></li>
<li><a href="#linux-fixed-not-add-ssh-port-number-in-fail2ban-config-file-jaillocal">[Linux] Fixed: not add ssh port number in Fail2ban config file (jail.local)</a></li>
<li><a href="#rhelcentos-fixed-not-enable-cron-job-to-update-spamassassin-rules">[RHEL/CentOS] Fixed: Not enable cron job to update SpamAssassin rules</a></li>
<li><a href="#rhelcentos-fixed-not-create-required-directory-used-to-store-php-session-files">[RHEL/CentOS] Fixed: Not create required directory used to store PHP session files</a></li>
<li><a href="#fixed-not-perform-banned-file-types-checking-on-rhelcentosopenbsdfreebsd">Fixed: Not perform banned file types checking on RHEL/CentOS/OpenBSD/FreeBSD</a></li>
<li><a href="#fixed-not-add-alias-for-virusalert-on-non-debianubuntu-oses">Fixed: not add alias for virusalert on non-Debian/Ubuntu OSes</a></li>
<li><a href="#optional-add-custom-amavisd-log-template-to-always-log-spamassassin-testing-result">[OPTIONAL] Add custom Amavisd log template to always log SpamAssassin testing result</a></li>
</ul>
</li>
<li><a href="#openldap-backend-special">OpenLDAP backend special</a><ul>
<li><a href="#new-support-postfix-sender_dependent_relayhost_maps">NEW: Support Postfix sender_dependent_relayhost_maps</a><ul>
<li><a href="#summary">Summary</a></li>
<li><a href="#use-the-latest-iredmail-ldap-schema-file">Use the latest iRedMail LDAP schema file</a></li>
<li><a href="#create-ldap-lookup-files">Create LDAP lookup files</a></li>
<li><a href="#update-postfix-settings-in-etcpostfixmaincf">Update Postfix settings in /etc/postfix/main.cf</a></li>
</ul>
</li>
<li><a href="#new-able-to-enabledisable-sogo-access-for-a-single-user">NEW: Able to enable/disable SOGo access for a single user</a><ul>
<li><a href="#add-required-ldap-attributevalue-for-existing-mail-users">Add required LDAP attribute/value for existing mail users</a></li>
<li><a href="#update-sogo-config-file">Update SOGo config file</a></li>
</ul>
</li>
</ul>
</li>
<li><a href="#mysqlmariadb-backend-special">MySQL/MariaDB backend special</a><ul>
<li><a href="#new-support-postfix-sender_dependent_relayhost_maps_1">NEW: Support Postfix sender_dependent_relayhost_maps</a><ul>
<li><a href="#summary_1">Summary</a></li>
<li><a href="#create-sql-table-vmailsender_relayhost">Create SQL table vmail.sender_relayhost</a></li>
<li><a href="#create-sql-lookup-file-sender_dependent_relayhost_mapscf">Create SQL lookup file: sender_dependent_relayhost_maps.cf</a></li>
<li><a href="#update-postfix-settings-in-etcpostfixmaincf_1">Update Postfix settings in /etc/postfix/main.cf</a></li>
</ul>
</li>
<li><a href="#new-able-to-enabledisable-sogo-access-for-a-single-user_1">NEW: Able to enable/disable SOGo access for a single user</a></li>
</ul>
</li>
<li><a href="#postgresql-backend-special">PostgreSQL backend special</a><ul>
<li><a href="#new-support-postfix-sender_dependent_relayhost_maps_2">NEW: Support Postfix sender_dependent_relayhost_maps</a><ul>
<li><a href="#summary_2">Summary</a></li>
<li><a href="#create-sql-table-vmailsender_relayhost_1">Create SQL table vmail.sender_relayhost</a></li>
<li><a href="#create-sql-lookup-file-sender_dependent_relayhost_mapscf_1">Create SQL lookup file: sender_dependent_relayhost_maps.cf</a></li>
<li><a href="#update-postfix-settings-in-etcpostfixmaincf_2">Update Postfix settings in /etc/postfix/main.cf</a></li>
</ul>
</li>
<li><a href="#new-able-to-enabledisable-sogo-access-for-a-single-user_2">NEW: Able to enable/disable SOGo access for a single user</a></li>
</ul>
</li>
</ul>
</li>
</ul>
</div>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p><strong>THIS IS STILL A DRAFT DOCUMENT, DO NOT APPLY IT.</strong></p>
</div>
<div class="admonition note">
<p class="admonition-title">Paid Remote Upgrade Support</p>
<p>We offer remote upgrade support if you don't want to get your hands dirty,
check <a href="../support.html">the details</a> and <a href="../contact.html">contact us</a>.</p>
</div>
<h2 id="changelog">ChangeLog</h2>
<ul>
<li>2016-04-26: Fixed: Not perform banned file types checking on RHEL/CentOS/OpenBSD/FreeBSD</li>
<li>2016-04-23: [OPTIONAL] Add custom Amavisd log template to always log SpamAssassin testing result</li>
<li>2016-04-13: Fixed: not add ssh port number in Fail2ban config file.</li>
<li>2016-03-23: [NEW] Able to enable/disable SOGo access for a single user.</li>
<li>2016-03-08: [NEW] Supports Postfix <code>sender_dependent_relayhost_maps</code>.</li>
<li>2016-02-25:<ul>
<li>[RHEL/CentOS] Fixed: Not create required directory used to store PHP session files</li>
<li>[RHEL/CentOS] Fixed: Not enable cron job to update SpamAssassin rules</li>
<li>Fixed: not add alias for <code>virusalert</code> on non-Debian/Ubuntu OSes</li>
</ul>
</li>
</ul>
<h2 id="general-all-backends-should-apply-these-steps">General (All backends should apply these steps)</h2>
<h3 id="update-etciredmail-release-with-new-iredmail-version-number">Update <code>/etc/iredmail-release</code> with new iRedMail version number</h3>
<p>iRedMail stores the release version in <code>/etc/iredmail-release</code> after
installation. It's recommended to update this file after you upgrade iRedMail,
so that you know which version of iRedMail you're running. For example:</p>
<pre><code># File: /etc/iredmail-release
0.9.5
</code></pre>
<h3 id="upgrade-iredapd-postfix-policy-server-to-the-latest-190">Upgrade iRedAPD (Postfix policy server) to the latest 1.9.0</h3>
<p>Please follow below tutorial to upgrade iRedAPD to the latest stable release:
<a href="./upgrade.iredapd.html">Upgrade iRedAPD to the latest stable release</a></p>
<p>Detailed release notes are available <a href="./iredapd.releases.html">here</a>.</p>
<h3 id="linux-fixed-not-add-ssh-port-number-in-fail2ban-config-file-jaillocal">[Linux] Fixed: not add ssh port number in Fail2ban config file (jail.local)</h3>
<p>iRedMail-0.9.4 doesn't list the ssh port number in 2 Fail2ban jails: <code>sshd</code> and
<code>sshd-ddos</code>. As a result, Fail2ban doesn't block bad client IP addresses for
the ssh service.</p>
<ul>
<li>Please open Fail2ban config file <code>/etc/fail2ban/jail.local</code>, find lines below:</li>
</ul>
<pre><code>[sshd]
...
action = iptables-multiport[name=sshd, port=&quot;http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve&quot;, protocol=tcp]
[sshd-ddos]
...
action = iptables-multiport[name=sshd-ddos, port=&quot;http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve&quot;, protocol=tcp]
</code></pre>
<ul>
<li>Append your ssh service name <code>ssh</code> in the <code>port=</code> parameter like below. If
you're running ssh service on different port number, please append the port
number directly:</li>
</ul>
<pre><code>[sshd]
...
action = iptables-multiport[name=sshd, port=&quot;http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve,ssh&quot;, protocol=tcp]
[sshd-ddos]
...
action = iptables-multiport[name=sshd-ddos, port=&quot;http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve,ssh&quot;, protocol=tcp]
</code></pre>
<p>Restarting Fail2ban service is required.</p>
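<p>To confirm the change before restarting, the check below lists every <code>sshd*</code> jail whose <code>port=</code> list still lacks the ssh port. It is an added example, not part of iRedMail or Fail2ban; the function names and the sample <code>jail.local</code> content are constructed for illustration.</p>

```shell
#!/bin/sh
# Added example (not from the iRedMail docs): audit a Fail2ban jail.local for
# sshd jails whose iptables-multiport action does not cover the ssh port.

# jails_missing_port FILE [PORT]
# Prints the name of each jail starting with "sshd" whose action line has a
# port="..." list that lacks PORT (service name or number, default "ssh").
# Hypothetical helper name; jails without a port="..." list are not reported.
jails_missing_port() {
    awk -v want="${2:-ssh}" '
        # Section header such as [sshd]: remember the jail name.
        /^[ \t]*\[.*\][ \t]*$/ {
            jail = $0
            sub(/^[ \t]*\[/, "", jail)
            sub(/\][ \t]*$/, "", jail)
            next
        }
        # Uncommented action line inside an sshd* jail.
        jail ~ /^sshd/ && /^[ \t]*action[ \t]*=/ {
            if (match($0, /port="[^"]*"/)) {
                # Strip the leading port=" (6 chars) and the closing quote.
                list = substr($0, RSTART + 6, RLENGTH - 7)
                n = split(list, ports, ",")
                found = 0
                for (i = 1; i <= n; i++)
                    if (ports[i] == want) found = 1
                if (!found) print jail
            }
        }
    ' "$1"
}

# Constructed sample: [sshd] already fixed, [sshd-ddos] still as in 0.9.4.
sample_jail_local() {
    cat <<'EOF'
[sshd]
enabled = true
filter = sshd
action = iptables-multiport[name=sshd, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve,ssh", protocol=tcp]

[sshd-ddos]
enabled = true
filter = sshd-ddos
action = iptables-multiport[name=sshd-ddos, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
EOF
}

# Demo on the constructed sample; on a server, pass /etc/fail2ban/jail.local.
tmp=$(mktemp)
sample_jail_local > "$tmp"
echo "sshd jails not covering the ssh port: $(jails_missing_port "$tmp" ssh)"
rm -f "$tmp"
```

<p>If ssh listens on a non-default port, pass that number as the second argument so the check matches what was appended to <code>port=</code>.</p>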
<h3 id="rhelcentos-fixed-not-enable-cron-job-to-update-spamassassin-rules">[RHEL/CentOS] Fixed: Not enable cron job to update SpamAssassin rules</h3>
<p>Note: this is applicable to only RHEL and CentOS.</p>
<p>In iRedMail-0.9.4 and earlier releases, iRedMail didn't enable cron job to
update SpamAssassin rules. Please run commands below to fix it.</p>
<pre><code class="shell">perl -pi -e 's/^(SAUPDATE=yes)/#${1}/' /etc/sysconfig/sa-update
echo 'SAUPDATE=yes' &gt;&gt; /etc/sysconfig/sa-update
</code></pre>
<h3 id="rhelcentos-fixed-not-create-required-directory-used-to-store-php-session-files">[RHEL/CentOS] Fixed: Not create required directory used to store PHP session files</h3>
<p>Note: this is applicable to only RHEL and CentOS if you're <strong>running Nginx + php-fpm</strong>.</p>
<p>In iRedMail-0.9.4 and earlier releases, iRedMail didn't create the directory used
to store PHP session files, which causes an error when your PHP application tries
to create a session file. Please fix it with the commands below:</p>
<pre><code class="shell">mkdir /var/lib/php/session
chown root:root /var/lib/php/session
chmod 0773 /var/lib/php/session
chmod o+t /var/lib/php/session
</code></pre>
<h3 id="fixed-not-perform-banned-file-types-checking-on-rhelcentosopenbsdfreebsd">Fixed: Not perform banned file types checking on RHEL/CentOS/OpenBSD/FreeBSD</h3>
<div class="admonition attention">
<p class="admonition-title">Attention</p>
<p>This is <strong>NOT</strong> applicable to Debian and Ubuntu.</p>
</div>
<p>There's a bug in iRedMail-0.9.3 and 0.9.4: it didn't comment out the setting
<code>bypass_banned_checks_maps</code> in parameter <code>$policy_bank{'ORIGINATING'} = {}</code>,
so Amavisd doesn't perform banned file types checking for outgoing
emails sent through SMTP AUTH. Please follow the steps below to fix it.</p>
<p>Open Amavisd config file, find parameter <code>$policy_bank{'ORIGINATING'} =</code> like
below:</p>
<ul>
<li>on RHEL/CentOS: it's <code>/etc/amavisd/amavisd.conf</code></li>
<li>on FreeBSD: it's <code>/usr/local/etc/amavisd.conf</code></li>
<li>on OpenBSD: it's <code>/etc/amavisd.conf</code></li>
</ul>
<pre><code>$policy_bank{'ORIGINATING'} = {
...
bypass_banned_checks_maps =&gt; [1],
...
};
</code></pre>
<p>Comment out line <code>bypass_banned_checks_maps</code> like below:</p>
<pre><code>$policy_bank{'ORIGINATING'} = {
...
#bypass_banned_checks_maps =&gt; [1],
...
};
</code></pre>
<p>Save the change. Restarting amavisd service is required.</p>
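<p>The check below reports any still-active <code>bypass_banned_checks_maps</code> line inside the <code>ORIGINATING</code> policy bank, so the fix can be verified on each host. It is an added example, not part of iRedMail or Amavisd; the function names and the sample config are constructed for illustration.</p>

```shell
#!/bin/sh
# Added example (not from the iRedMail docs): report active
# bypass_banned_checks_maps lines inside $policy_bank{'ORIGINATING'}.

# originating_banned_bypass FILE
# Prints "LINENO: text" for every uncommented bypass_banned_checks_maps
# setting inside the ORIGINATING policy bank; returns 0 if any was found,
# 1 otherwise. Hypothetical helper name.
originating_banned_bypass() {
    awk '
        # Opening line of the bank; "." stands for either quote character.
        /^[ \t]*[$]policy_bank[{].ORIGINATING.[}][ \t]*=/ { inside = 1; next }
        # A closing "};" ends the bank.
        inside && /^[ \t]*[}][ \t]*;/ { inside = 0; next }
        # Lines starting with "#" do not match, so commented settings pass.
        inside && /^[ \t]*bypass_banned_checks_maps[ \t]*=>/ {
            sub(/^[ \t]+/, "")
            print NR ": " $0
            found = 1
        }
        END { exit !found }
    ' "$1"
}

# Constructed sample: the setting also appears in another policy bank to show
# that only ORIGINATING is examined; line 6 is the one this section removes.
sample_amavisd_conf() {
    cat <<'EOF'
$policy_bank{'MYNETS'} = {
  bypass_banned_checks_maps => [1],
};
$policy_bank{'ORIGINATING'} = {
  originating => 1,
  bypass_banned_checks_maps => [1],
  #bypass_spam_checks_maps => [1],
};
EOF
}

# Demo on the constructed sample; on a server, pass the amavisd.conf path
# for your OS as listed above.
conf=$(mktemp)
sample_amavisd_conf > "$conf"
if originating_banned_bypass "$conf"; then
    echo "banned file types checking is bypassed for ORIGINATING mail"
fi
rm -f "$conf"
```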
<h3 id="fixed-not-add-alias-for-virusalert-on-non-debianubuntu-oses">Fixed: not add alias for <code>virusalert</code> on non-Debian/Ubuntu OSes</h3>
<div class="admonition attention">
<p class="admonition-title">Attention</p>
<p>This is <strong>NOT</strong> applicable to Debian and Ubuntu.</p>
</div>
<p>There's a bug in iRedMail-0.9.4: it adds the alias <code>virusalert</code> only on Debian and
Ubuntu, but not on other OSes. Please fix it with the commands below:</p>
<ul>
<li>For Linux and OpenBSD:</li>
</ul>
<pre><code class="shell">perl -pi -e 's/(virusalert:.*)/#${1}/g' /etc/postfix/aliases
echo -e '\nvirusalert: root' &gt;&gt; /etc/postfix/aliases
postalias /etc/postfix/aliases
</code></pre>
<ul>
<li>For FreeBSD:</li>
</ul>
<pre><code class="shell">perl -pi -e 's/(virusalert:.*)/#${1}/g' /usr/local/etc/postfix/aliases
echo -e '\nvirusalert: root' &gt;&gt; /usr/local/etc/postfix/aliases
postalias /usr/local/etc/postfix/aliases
</code></pre>
<h3 id="optional-add-custom-amavisd-log-template-to-always-log-spamassassin-testing-result">[OPTIONAL] Add custom Amavisd log template to always log SpamAssassin testing result</h3>
<div class="admonition attention">
<p class="admonition-title">Attention</p>
<p>Note: This step is totally optional.</p>
</div>
<p>It's helpful if you can see SpamAssassin testing result in log file at Amavisd
log_level 0.</p>
<p>Open Amavisd config file <code>amavisd.conf</code> and add the lines below BEFORE the last line <code>1; # insure a defined return value</code>:</p>
<ul>
<li>on RHEL/CentOS: it's <code>/etc/amavisd/amavisd.conf</code>.</li>
<li>on Debian/Ubuntu: it's <code>/etc/amavis/conf.d/50-user</code>.</li>
<li>on FreeBSD: it's <code>/usr/local/etc/amavisd.conf</code>.</li>
<li>on OpenBSD: it's <code>/etc/amavisd.conf</code>.</li>
</ul>
<pre><code># Custom short log template (at log_level 0), add SpamAssassin testing result (Tests: [xxx])
#
# Note: You can find the original log template at the bottom of
# /usr/sbin/amavisd-new.
$log_templ = '
[?%#D|#|Passed #
[? [:ccat|major] |#
OTHER|CLEAN|MTA-BLOCKED|OVERSIZED|BAD-HEADER-[:ccat|minor]|SPAMMY|SPAM|\
UNCHECKED[?[:ccat|minor]||-ENCRYPTED|]|BANNED (%F)|INFECTED (%V)]#
{[:actions_performed]}#
,[?%p|| %p][?%a||[?%l|| LOCAL] [:client_addr_port]][?%e|| \[%e\]] [:mail_addr_decode_octets|%s] -&gt; [%D|[:mail_addr_decode_octets|%D]|,]#
[? %q ||, quarantine: %q]#
[? %Q ||, Queue-ID: %Q]#
[? %m ||, Message-ID: [:mail_addr_decode_octets|%m]]#
[? %r ||, Resent-Message-ID: [:mail_addr_decode_octets|%r]]#
[? %i ||, mail_id: %i]#
, Hits: [:SCORE]#
, size: %z#
[? [:partition_tag] ||, pt: [:partition_tag]]#
[~[:remote_mta_smtp_response]|[&quot;^$&quot;]||[&quot;, queued_as: &quot;]]\
[remote_mta_smtp_response|[~%x|[&quot;queued as ([0-9A-Za-z]+)$&quot;]|[&quot;%1&quot;]|[&quot;%0&quot;]]|/]#
#, Subject: [:dquote|[:mime2utf8|[:header_field_octets|Subject]|100|1]]#
#, From: [:uquote|[:mail_addr_decode_octets|[:rfc2822_from]]]#
[? [:dkim|sig_sd] ||, dkim_sd=[:dkim|sig_sd]]#
[? [:dkim|newsig_sd] ||, dkim_new=[:dkim|newsig_sd]]#
, %y ms#
[? %#T ||, Tests: \[[%T|,]\]]#
]
[?%#O|#|Blocked #
[? [:ccat|major|blocking] |#
OTHER|CLEAN|MTA-BLOCKED|OVERSIZED|BAD-HEADER-[:ccat|minor]|SPAMMY|SPAM|\
UNCHECKED[?[:ccat|minor]||-ENCRYPTED|]|BANNED (%F)|INFECTED (%V)]#
{[:actions_performed]}#
,[?%p|| %p][?%a||[?%l|| LOCAL] [:client_addr_port]][?%e|| \[%e\]] [:mail_addr_decode_octets|%s] -&gt; [%O|[:mail_addr_decode_octets|%O]|,]#
[? %q ||, quarantine: %q]#
[? %Q ||, Queue-ID: %Q]#
[? %m ||, Message-ID: [:mail_addr_decode_octets|%m]]#
[? %r ||, Resent-Message-ID: [:mail_addr_decode_octets|%r]]#
[? %i ||, mail_id: %i]#
, Hits: [:SCORE]#
, size: %z#
[? [:partition_tag] ||, pt: [:partition_tag]]#
#, Subject: [:dquote|[:mime2utf8|[:header_field_octets|Subject]|100|1]]#
#, From: [:uquote|[:mail_addr_decode_octets|[:rfc2822_from]]]#
[? [:dkim|sig_sd] ||, dkim_sd=[:dkim|sig_sd]]#
[? [:dkim|newsig_sd] ||, dkim_new=[:dkim|newsig_sd]]#
, %y ms#
[? %#T ||, Tests: \[[%T|,]\]]#
]';
</code></pre>
<p>Restarting Amavisd service is required.</p>
<h2 id="openldap-backend-special">OpenLDAP backend special</h2>
<h3 id="new-support-postfix-sender_dependent_relayhost_maps">NEW: Support Postfix <code>sender_dependent_relayhost_maps</code></h3>
<h4 id="summary">Summary</h4>
<p>Postfix setting <code>relayhost</code> allows Postfix to relay outbound emails to a
specified mail server instead of connecting to the recipient server directly. Sender
dependent relayhost (controlled by parameter <code>sender_dependent_relayhost_maps</code>)
allows you to define a per-user or per-domain relayhost, which
overrides the global <code>relayhost</code> parameter setting. Specified query tables are
searched by the envelope sender address (<code>user@domain.com</code>) and domain name
(<code>@domain.com</code>). For more details, please read the Postfix documentation:</p>
<ul>
<li>Postfix parameter: <a href="http://www.postfix.org/postconf.5.html#sender_dependent_relayhost_maps"><code>sender_dependent_relayhost_maps</code></a></li>
<li>Postfix manual page: <a href="http://www.postfix.org/transport.5.html">transport(5)</a></li>
</ul>
<p>To support <code>sender_dependent_relayhost_maps</code>, we need some modification on
iRedMail server:</p>
<ul>
<li>one updated iRedMail OpenLDAP schema file with new attribute: <code>senderRelayHost</code></li>
<li>two new LDAP lookup files:<ul>
<li><code>/etc/postfix/ldap/sender_dependent_relayhost_maps_domain.cf</code></li>
<li><code>/etc/postfix/ldap/sender_dependent_relayhost_maps_user.cf</code></li>
</ul>
</li>
<li>one new Postfix parameter: <code>sender_dependent_relayhost_maps</code></li>
</ul>
<h4 id="use-the-latest-iredmail-ldap-schema-file">Use the latest iRedMail LDAP schema file</h4>
<ul>
<li>On RHEL/CentOS, OpenBSD:</li>
</ul>
<pre><code>cd /tmp
wget https://bitbucket.org/zhb/iredmail/raw/default/iRedMail/samples/iredmail.schema
cd /etc/openldap/schema/
cp iredmail.schema iredmail.schema.bak
cp -f /tmp/iredmail.schema /etc/openldap/schema/
/etc/init.d/slapd restart # Use '/etc/rc.d/slapd restart' on OpenBSD
</code></pre>
<ul>
<li>On Debian/Ubuntu:</li>
</ul>
<pre><code>cd /tmp
wget https://bitbucket.org/zhb/iredmail/raw/default/iRedMail/samples/iredmail.schema
cd /etc/ldap/schema/
cp iredmail.schema iredmail.schema.bak
cp -f /tmp/iredmail.schema /etc/ldap/schema/
/etc/init.d/slapd restart
</code></pre>
<ul>
<li>On FreeBSD:</li>
</ul>
<pre><code>cd /tmp
wget https://bitbucket.org/zhb/iredmail/raw/default/iRedMail/samples/iredmail.schema
cd /usr/local/etc/openldap/schema/
cp iredmail.schema iredmail.schema.bak
cp -f /tmp/iredmail.schema /usr/local/etc/openldap/schema/
service slapd restart
</code></pre>
<h4 id="create-ldap-lookup-files">Create LDAP lookup files</h4>
<ul>
<li>On Linux/OpenBSD:</li>
</ul>
<pre><code>cd /etc/postfix/ldap/
cp -p transport_maps_domain.cf sender_dependent_relayhost_maps_domain.cf
cp -p transport_maps_user.cf sender_dependent_relayhost_maps_user.cf
perl -pi -e 's#%s#%d#g' sender_dependent_relayhost_maps_domain.cf
perl -pi -e 's#mtaTransport#senderRelayHost#g' sender_dependent_relayhost_maps*.cf
</code></pre>
<ul>
<li>On FreeBSD:</li>
</ul>
<pre><code>cd /usr/local/etc/postfix/ldap/
cp -p transport_maps_domain.cf sender_dependent_relayhost_maps_domain.cf
cp -p transport_maps_user.cf sender_dependent_relayhost_maps_user.cf
perl -pi -e 's#%s#%d#g' sender_dependent_relayhost_maps_domain.cf
perl -pi -e 's#mtaTransport#senderRelayHost#g' sender_dependent_relayhost_maps*.cf
</code></pre>
<h4 id="update-postfix-settings-in-etcpostfixmaincf">Update Postfix settings in <code>/etc/postfix/main.cf</code></h4>
<p>We need to update 2 parameters in Postfix config file: <code>proxy_read_maps</code>,
<code>sender_dependent_relayhost_maps</code>.</p>
<ul>
<li>On <strong>Linux/OpenBSD</strong>, please run 2 commands below to update Postfix settings:</li>
</ul>
<pre><code>postconf -e proxy_read_maps='$canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps'
postconf -e sender_dependent_relayhost_maps='proxy:ldap:/etc/postfix/ldap/sender_dependent_relayhost_maps_domain.cf, proxy:ldap:/etc/postfix/ldap/sender_dependent_relayhost_maps_user.cf'
</code></pre>
<ul>
<li>On <strong>FreeBSD</strong>, please run 2 commands below to update Postfix settings:</li>
</ul>
<pre><code>postconf -e proxy_read_maps='$canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps'
postconf -e sender_dependent_relayhost_maps='proxy:ldap:/usr/local/etc/postfix/ldap/sender_dependent_relayhost_maps_domain.cf, proxy:ldap:/usr/local/etc/postfix/ldap/sender_dependent_relayhost_maps_user.cf'
</code></pre>
<p>Reloading or restarting the Postfix service is required.</p>
<h3 id="new-able-to-enabledisable-sogo-access-for-a-single-user">NEW: Able to enable/disable SOGo access for a single user</h3>
<p>With steps below, system admin is able to control which users can access SOGo
Groupware (webmail, calendar, contacts, ActiveSync).</p>
<p>To accomplish this, we need to add a new LDAP attribute/value pair
<code>enabledService=sogo</code> for existing mail users, then update SOGo config file to
use this condition while querying user accounts.</p>
<h4 id="add-required-ldap-attributevalue-for-existing-mail-users">Add required LDAP attribute/value for existing mail users</h4>
<ul>
<li>Download below script to update existing mail users:</li>
</ul>
<pre><code># cd /root/
# wget https://bitbucket.org/zhb/iredmail/raw/default/extra/update/updateLDAPValues_094_to_095.py
</code></pre>
<ul>
<li>Open downloaded file <code>updateLDAPValues_094_to_095.py</code>, set LDAP server
related settings in this file. For example:</li>
</ul>
<pre><code># Part of file: updateLDAPValues_094_to_095.py
uri = 'ldap://127.0.0.1:389'
basedn = 'o=domains,dc=example,dc=com'
bind_dn = 'cn=vmailadmin,dc=example,dc=com'
bind_pw = 'passwd'
</code></pre>
<p>You can find required LDAP credential in iRedAdmin config file or
<code>iRedMail.tips</code> file under your iRedMail installation directory. Using either
<code>cn=Manager,dc=xx,dc=xx</code> or <code>cn=vmailadmin,dc=xx,dc=xx</code> as bind dn is ok, both
of them have read-write privilege to update mail accounts.</p>
<ul>
<li>Execute this script, it will add required data:</li>
</ul>
<pre><code># python updateLDAPValues_094_to_095.py
</code></pre>
<h4 id="update-sogo-config-file">Update SOGo config file</h4>
<ul>
<li>On Linux/OpenBSD, please update file <code>/etc/sogo/sogo.conf</code>.</li>
<li>On FreeBSD, please update file <code>/usr/local/etc/sogo/sogo.conf</code>.</li>
</ul>
<p>Open SOGo config file <code>sogo.conf</code>, find below line:</p>
<pre><code>filter = &quot;objectClass=mailUser AND accountStatus=active AND enabledService=mail&quot;;
</code></pre>
<p>Add new condition <code>AND enabledService=sogo</code> in <code>filter =</code> setting, the final
setting is:</p>
<pre><code>filter = &quot;objectClass=mailUser AND accountStatus=active AND enabledService=mail AND enabledService=sogo&quot;;
</code></pre>
<p>Save your change and restart SOGo service.</p>
<p>You can now enable or disable SOGo access for a single user by adding or
removing <code>enabledService=sogo</code> for this user.</p>
<h2 id="mysqlmariadb-backend-special">MySQL/MariaDB backend special</h2>
<h3 id="new-support-postfix-sender_dependent_relayhost_maps_1">NEW: Support Postfix <code>sender_dependent_relayhost_maps</code></h3>
<h4 id="summary_1">Summary</h4>
<p>Postfix setting <code>relayhost</code> allows Postfix to relay outbound emails to a
specified mail server instead of connecting to the recipient server directly. Sender
dependent relayhost (controlled by parameter <code>sender_dependent_relayhost_maps</code>)
allows you to define a per-user or per-domain relayhost, which
overrides the global <code>relayhost</code> parameter setting. Specified query tables are
searched by the envelope sender address (<code>user@domain.com</code>) and domain name
(<code>@domain.com</code>). For more details, please read the Postfix documentation:</p>
<ul>
<li>Postfix parameter: <a href="http://www.postfix.org/postconf.5.html#sender_dependent_relayhost_maps"><code>sender_dependent_relayhost_maps</code></a></li>
<li>Postfix manual page: <a href="http://www.postfix.org/transport.5.html">transport(5)</a></li>
</ul>
<p>To support <code>sender_dependent_relayhost_maps</code>, we need some modification on
iRedMail server:</p>
<ul>
<li>a new SQL table: <code>vmail.sender_relayhost</code></li>
<li>a new SQL lookup file: <code>/etc/postfix/mysql/sender_dependent_relayhost_maps.cf</code></li>
<li>a new Postfix parameter: <code>sender_dependent_relayhost_maps</code></li>
</ul>
<h4 id="create-sql-table-vmailsender_relayhost">Create SQL table <code>vmail.sender_relayhost</code></h4>
<p>Please connect to MySQL server as MySQL root user, and execute SQL commands
below to create this new table:</p>
<pre><code># mysql -uroot -p
sql&gt; USE vmail;
sql&gt; CREATE TABLE IF NOT EXISTS sender_relayhost (
id BIGINT(20) UNSIGNED AUTO_INCREMENT,
account VARCHAR(255) NOT NULL DEFAULT '',
relayhost VARCHAR(255) NOT NULL DEFAULT '',
PRIMARY KEY (id),
UNIQUE INDEX (account)
) ENGINE=InnoDB;
</code></pre>
<h4 id="create-sql-lookup-file-sender_dependent_relayhost_mapscf">Create SQL lookup file: <code>sender_dependent_relayhost_maps.cf</code></h4>
<p>Create sql lookup file by copying an existing file:</p>
<ul>
<li>On Linux/OpenBSD:</li>
</ul>
<pre><code>cd /etc/postfix/mysql/
cp -p catchall_maps.cf sender_dependent_relayhost_maps.cf
</code></pre>
<ul>
<li>On FreeBSD:</li>
</ul>
<pre><code>cd /usr/local/etc/postfix/mysql/
cp -p catchall_maps.cf sender_dependent_relayhost_maps.cf
</code></pre>
<p>Open file <code>sender_dependent_relayhost_maps.cf</code>, <strong>REPLACE</strong> the <code>query =</code> line
by below one:</p>
<pre><code>query = SELECT relayhost FROM sender_relayhost WHERE account='%s' LIMIT 1
</code></pre>
<h4 id="update-postfix-settings-in-etcpostfixmaincf_1">Update Postfix settings in <code>/etc/postfix/main.cf</code></h4>
<p>We need to update 2 parameters in Postfix config file: <code>proxy_read_maps</code>,
<code>sender_dependent_relayhost_maps</code>.</p>
<ul>
<li>On <strong>Linux/OpenBSD</strong>, please run 2 commands below to update Postfix settings:</li>
</ul>
<pre><code>postconf -e proxy_read_maps='$canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps'
postconf -e sender_dependent_relayhost_maps='proxy:mysql:/etc/postfix/mysql/sender_dependent_relayhost_maps.cf'
</code></pre>
<ul>
<li>On <strong>FreeBSD</strong>, please run 2 commands below to update Postfix settings:</li>
</ul>
<pre><code>postconf -e proxy_read_maps='$canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps'
postconf -e sender_dependent_relayhost_maps='proxy:mysql:/usr/local/etc/postfix/mysql/sender_dependent_relayhost_maps.cf'
</code></pre>
<p>Reloading or restarting the Postfix service is required.</p>
<h3 id="new-able-to-enabledisable-sogo-access-for-a-single-user_1">NEW: Able to enable/disable SOGo access for a single user</h3>
<p>With steps below, system admin is able to control which users can access SOGo
Groupware (webmail, calendar, contacts, ActiveSync).</p>
<p>To accomplish this, we need to add a new SQL column <code>enablesogo</code> in SQL table
<code>vmail.mailbox</code>, then re-create SQL VIEW <code>sogo.users</code>.</p>
<p>Before we go further, please find the SQL password for SQL user <code>vmail</code>
in Postfix config file <code>/etc/postfix/mysql/*.cf</code> (on Linux/OpenBSD) or
<code>/usr/local/etc/postfix/mysql/*.cf</code> (on FreeBSD), we need this while
(re-)creating SQL VIEW <code>sogo.users</code>.</p>
<p>Please login to MySQL/MariaDB as SQL root user first:</p>
<pre><code># mysql -uroot -p
</code></pre>
<p>Then execute SQL commands below to add required new SQL column and re-create
SQL VIEW <code>sogo.users</code>:</p>
<pre><code>sql&gt; USE vmail;
sql&gt; ALTER TABLE mailbox ADD COLUMN enablesogo TINYINT(1) NOT NULL DEFAULT 1;
sql&gt; ALTER TABLE mailbox ADD INDEX (enablesogo);
sql&gt; USE sogo;
sql&gt; DROP VIEW users;
sql&gt; CREATE VIEW sogo.users (c_uid, c_name, c_password, c_cn, mail, domain) AS SELECT username, username, password, name, username, domain FROM vmail.mailbox WHERE enablesogo=1 AND active=1;
</code></pre>
<p>You can now enable SOGo access for a single user by setting
<code>mailbox.enablesogo=1</code>, or disable the access with <code>mailbox.enablesogo=0</code>.</p>
<h2 id="postgresql-backend-special">PostgreSQL backend special</h2>
<h3 id="new-support-postfix-sender_dependent_relayhost_maps_2">NEW: Support Postfix <code>sender_dependent_relayhost_maps</code></h3>
<h4 id="summary_2">Summary</h4>
<p>Postfix setting <code>relayhost</code> allows Postfix to relay outbound emails to a
specified mail server instead of connecting to the recipient server directly. Sender
dependent relayhost (controlled by parameter <code>sender_dependent_relayhost_maps</code>)
allows you to define a per-user or per-domain relayhost, which
overrides the global <code>relayhost</code> parameter setting. Specified query tables are
searched by the envelope sender address (<code>user@domain.com</code>) and domain name
(<code>@domain.com</code>). For more details, please read the Postfix documentation:</p>
<ul>
<li>Postfix parameter: <a href="http://www.postfix.org/postconf.5.html#sender_dependent_relayhost_maps"><code>sender_dependent_relayhost_maps</code></a></li>
<li>Postfix manual page: <a href="http://www.postfix.org/transport.5.html">transport(5)</a></li>
</ul>
<p>To support <code>sender_dependent_relayhost_maps</code>, we need some modification on
iRedMail server:</p>
<ul>
<li>a new SQL table: <code>vmail.sender_relayhost</code></li>
<li>a new SQL lookup file: <code>/etc/postfix/pgsql/sender_dependent_relayhost_maps.cf</code></li>
<li>a new Postfix parameter: <code>sender_dependent_relayhost_maps</code></li>
</ul>
<h4 id="create-sql-table-vmailsender_relayhost_1">Create SQL table <code>vmail.sender_relayhost</code></h4>
<p>Please follow steps below to create this new table:</p>
<pre><code># su - postgres
$ psql -d vmail
sql&gt; CREATE TABLE sender_relayhost (
id SERIAL PRIMARY KEY,
account VARCHAR(255) NOT NULL DEFAULT '',
relayhost VARCHAR(255) NOT NULL DEFAULT ''
);
sql&gt; CREATE INDEX idx_sender_relayhost_account ON sender_relayhost (account);
sql&gt; ALTER TABLE sender_relayhost OWNER TO vmailadmin;
sql&gt; GRANT SELECT ON sender_relayhost TO vmail;
</code></pre>
<h4 id="create-sql-lookup-file-sender_dependent_relayhost_mapscf_1">Create SQL lookup file: <code>sender_dependent_relayhost_maps.cf</code></h4>
<p>Create sql lookup file by copying an existing file:</p>
<ul>
<li>On Linux/OpenBSD:</li>
</ul>
<pre><code>cd /etc/postfix/pgsql/
cp -p catchall_maps.cf sender_dependent_relayhost_maps.cf
</code></pre>
<ul>
<li>On FreeBSD:</li>
</ul>
<pre><code>cd /usr/local/etc/postfix/pgsql/
cp -p catchall_maps.cf sender_dependent_relayhost_maps.cf
</code></pre>
<p>Open file <code>sender_dependent_relayhost_maps.cf</code>, <strong>REPLACE</strong> the <code>query =</code> line
by below one:</p>
<pre><code>query = SELECT relayhost FROM sender_relayhost WHERE account='%s' LIMIT 1
</code></pre>
<h4 id="update-postfix-settings-in-etcpostfixmaincf_2">Update Postfix settings in <code>/etc/postfix/main.cf</code></h4>
<p>We need to update 2 parameters in Postfix config file: <code>proxy_read_maps</code>,
<code>sender_dependent_relayhost_maps</code>.</p>
<ul>
<li>On <strong>Linux/OpenBSD</strong>, please run 2 commands below to update Postfix settings:</li>
</ul>
<pre><code>postconf -e proxy_read_maps='$canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps'
postconf -e sender_dependent_relayhost_maps='proxy:pgsql:/etc/postfix/pgsql/sender_dependent_relayhost_maps.cf'
</code></pre>
<ul>
<li>On <strong>FreeBSD</strong>, run the 2 commands below to update Postfix settings:</li>
</ul>
<pre><code>postconf -e proxy_read_maps='$canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps'
postconf -e sender_dependent_relayhost_maps='proxy:pgsql:/usr/local/etc/postfix/pgsql/sender_dependent_relayhost_maps.cf'
</code></pre>
<p>Reloading or restarting the Postfix service is required.</p>
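<p>An added check for the steps above (example code, not part of iRedMail or of this guide's original commands): it verifies that the new lookup file kept restrictive permissions, since it contains the SQL password of user <code>vmail</code>, that its <code>query =</code> line was replaced, and that <code>sender_dependent_relayhost_maps</code> points at the pgsql lookup file. The function names <code>check_lookup_file</code> and <code>check_map_value</code> are hypothetical.</p>

```shell
#!/bin/sh
# Added example (not iRedMail code): audit the PostgreSQL relayhost lookup
# after the steps above. Function names are hypothetical.

# The replacement query line given in this guide.
EXPECTED_QUERY="query = SELECT relayhost FROM sender_relayhost WHERE account='%s' LIMIT 1"

# check_lookup_file DIR
# Returns 0 when DIR/sender_dependent_relayhost_maps.cf exists, is not
# readable by "other", and contains exactly the expected query line.
check_lookup_file() {
    f="$1/sender_dependent_relayhost_maps.cf"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    # Copied from catchall_maps.cf, so it holds the vmail SQL password:
    # character 8 of the ls mode string is the "other read" bit.
    other_read=$(ls -ld "$f" | cut -c8)
    [ "$other_read" = "-" ] || { echo "world-readable: $f" >&2; return 2; }
    # An unreplaced query line copied from catchall_maps.cf fails here.
    n=$(grep -c '^query[[:space:]]*=' "$f" || true)
    [ "$n" -eq 1 ] || { echo "expected 1 query line, found $n" >&2; return 3; }
    grep -Fxq "$EXPECTED_QUERY" "$f" || { echo "unexpected query: $f" >&2; return 4; }
    return 0
}

# check_map_value VALUE DIR
# VALUE is the sender_dependent_relayhost_maps setting from main.cf, DIR the
# pgsql lookup directory. Catches a map type or path from another backend.
check_map_value() {
    case "$1" in
        "proxy:pgsql:$2/sender_dependent_relayhost_maps.cf") return 0 ;;
        proxy:pgsql:*) echo "pgsql map, but not the file in $2: $1" >&2; return 2 ;;
        *) echo "not a proxy:pgsql map: $1" >&2; return 1 ;;
    esac
}

# On a live Linux/OpenBSD host:
#   check_lookup_file /etc/postfix/pgsql &&
#   check_map_value "$(postconf -h sender_dependent_relayhost_maps)" /etc/postfix/pgsql
```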
<h3 id="new-able-to-enabledisable-sogo-access-for-a-single-user_2">NEW: Able to enable/disable SOGo access for a single user</h3>
<p>With the steps below, the system admin can control which users can access SOGo
Groupware (webmail, calendar, contacts, ActiveSync).</p>
<p>To accomplish this, we need to add a new SQL column <code>enablesogo</code> in SQL table
<code>vmail.mailbox</code>, then re-create SQL VIEW <code>sogo.users</code>.</p>
<p>Before going further, find the SQL password for SQL user <code>vmail</code>
in the Postfix config files <code>/etc/postfix/pgsql/*.cf</code> (on Linux/OpenBSD) or
<code>/usr/local/etc/postfix/pgsql/*.cf</code> (on FreeBSD). We need it while
(re-)creating SQL VIEW <code>sogo.users</code>.</p>
<p>Please log in to the PostgreSQL database as the SQL root user first:</p>
<ul>
<li>on Linux, the root user name is <code>postgres</code></li>
<li>on FreeBSD, the root user name is <code>pgsql</code></li>
<li>on OpenBSD, the root user name is <code>_postgresql</code></li>
</ul>
<pre><code># su - postgres
$ psql -d vmail
</code></pre>
<p>Then execute the SQL commands below to add the required new SQL column and re-create
SQL VIEW <code>sogo.users</code>:</p>
<pre><code class="sql">sql&gt; \c vmail;
sql&gt; ALTER TABLE mailbox ADD COLUMN enablesogo INT2 NOT NULL DEFAULT 1;
sql&gt; CREATE INDEX idx_mailbox_enablesogo ON mailbox (enablesogo);
sql&gt; \c sogo;
sql&gt; DROP VIEW users;
</code></pre>
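<p>Be careful: in the SQL command below you must replace the string <code>VMAIL_PASSWORD</code>
with the real password of SQL user <code>vmail</code>. The password is stored in plain text as part of the view definition in database <code>sogo</code>.</p>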
<pre><code class="sql">sql&gt; CREATE VIEW users
AS SELECT * FROM dblink('host=127.0.0.1
port=5432
dbname=vmail
user=vmail
password=VMAIL_PASSWORD',
'SELECT username AS c_uid,
username AS c_name,
password AS c_password,
name AS c_cn,
username AS mail,
domain AS domain
FROM mailbox
WHERE enablesogo=1 AND active=1')
AS users (c_uid VARCHAR(255),
c_name VARCHAR(255),
c_password VARCHAR(255),
c_cn VARCHAR(255),
mail VARCHAR(255),
domain VARCHAR(255));
sql&gt; ALTER TABLE users OWNER TO sogo;
sql&gt; \q
</code></pre>
<p>You can now enable SOGo access for a single user by setting
<code>mailbox.enablesogo=1</code>, or disable the access with <code>mailbox.enablesogo=0</code>.</p><p style="text-align: center; color: grey;">All documents are available in <a href="https://bitbucket.org/zhb/iredmail-docs/src">BitBucket repository</a>, and published under <a href="http://creativecommons.org/licenses/by-nd/3.0/us/" target="_blank">Creative Commons</a> license. If you found something wrong, please do <a href="http://www.iredmail.org/contact.html">contact us</a> to fix it.</p>
</body></html>