< html >
< head >
< meta http-equiv = "Content-Type" content = "text/html; charset=utf-8" / >
< title > Upgrade iRedMail from 0.9.0 to 0.9.1< / title >
< link href = "./css/markdown.css" rel = "stylesheet" > < / head >
< body >
< h1 id = "upgrade-iredmail-from-090-to-091" > Upgrade iRedMail from 0.9.0 to 0.9.1< / h1 >
< div class = "toc" >
< ul >
< li > < a href = "#upgrade-iredmail-from-090-to-091" > Upgrade iRedMail from 0.9.0 to 0.9.1< / a > < ul >
< li > < a href = "#changelog" > ChangeLog< / a > < / li >
< li > < a href = "#general-all-backends-should-apply-these-steps" > General (All backends should apply these steps)< / a > < ul >
< li > < a href = "#upgrade-roundcube-webmail-to-the-latest-stable-release" > Upgrade Roundcube webmail to the latest stable release< / a > < / li >
< li > < a href = "#fixed-return-receipt-response-rejected-by-iredapd-plugin-reject_null_sender" > Fixed: return receipt response rejected by iRedAPD plugin reject_null_sender< / a > < / li >
< li > < a href = "#fixed-cannot-run-php-script-under-web-document-root-with-nginx" > Fixed: Cannot run PHP script under web document root with Nginx.< / a > < / li >
< li > < a href = "#fixed-incorrect-path-of-command-sogo-tool-on-openbsd" > Fixed: Incorrect path of command sogo-tool on OpenBSD< / a > < / li >
< li > < a href = "#optional-setup-fail2ban-to-monitor-password-failures-in-sogo-log-file" > [OPTIONAL] Set up Fail2ban to monitor password failures in SOGo log file< / a > < / li >
< li > < a href = "#optional-add-two-more-fail2ban-filter-regular-expressios-to-help-catch-spam" > [OPTIONAL] Add two more Fail2ban filter regular expressions to help catch spam< / a > < / li >
< / ul >
< / li >
< li > < a href = "#openldap-backend-special" > OpenLDAP backend special< / a > < ul >
< li > < a href = "#fixed-not-backup-sogo-database" > Fixed: SOGo database is not backed up< / a > < / li >
< li > < a href = "#optional-bypass-greylisting-for-some-big-isps" > [OPTIONAL] Bypass greylisting for some big ISPs< / a > < / li >
< / ul >
< / li >
< li > < a href = "#mysqlmariadb-backend-special" > MySQL/MariaDB backend special< / a > < ul >
< li > < a href = "#fixed-not-apply-service-restriction-in-dovecot-sql-query-file-while-acting-as-sasl-server" > Fixed: Service restriction is not applied in Dovecot SQL query file while acting as SASL server< / a > < / li >
< li > < a href = "#fixed-not-backup-sogo-database_1" > Fixed: SOGo database is not backed up< / a > < / li >
< li > < a href = "#optional-bypass-greylisting-for-some-big-isps_1" > [OPTIONAL] Bypass greylisting for some big ISPs< / a > < / li >
< / ul >
< / li >
< li > < a href = "#postgresql-backend-special" > PostgreSQL backend special< / a > < ul >
< li > < a href = "#fixed-not-apply-service-restriction-in-dovecot-sql-query-file-while-acting-as-sasl-server_1" > Fixed: Service restriction is not applied in Dovecot SQL query file while acting as SASL server< / a > < / li >
< li > < a href = "#fixed-not-backup-sogo-database_2" > Fixed: SOGo database is not backed up< / a > < / li >
< li > < a href = "#optional-bypass-greylisting-for-some-big-isps_2" > [OPTIONAL] Bypass greylisting for some big ISPs< / a > < / li >
< / ul >
< / li >
< / ul >
< / li >
< / ul >
< / div >
< p > < strong > WARNING: Still a work in progress, do < em > NOT< / em > apply it.< / strong > < / p >
< h2 id = "changelog" > ChangeLog< / h2 >
< ul >
< li > 2015-02-25: [All backends] [< strong > OPTIONAL< / strong > ] Bypass greylisting for some big ISPs.< / li >
< li > 2015-02-25: [All backends] [< strong > OPTIONAL< / strong > ] Add one more Fail2ban filter to help catch spam (POP3/IMAP flood).< / li >
< li > 2015-02-17: [All backends] Upgrade Roundcube webmail to the latest stable release.< / li >
< li > 2015-02-11: [All backends] [< strong > OPTIONAL< / strong > ] Set up Fail2ban to monitor password failures in SOGo log file.< / li >
< li > 2015-02-11: [All backends] Fixed: Cannot run PHP script under web document root with Nginx.< / li >
< li > 2015-02-09: [All backends] [< strong > OPTIONAL< / strong > ] Add one more Fail2ban filter to help catch spam.< / li >
< li > 2015-02-04: [All backends] Fixed: return receipt response rejected by iRedAPD plugin < code > reject_null_sender< / code > .< / li >
< li > 2015-02-02: [All backends] Fixed: SOGo database is not backed up. Note: this step
is not applicable if you don't use SOGo groupware.< / li >
< li > 2015-01-13: [All backends] Fixed: Incorrect path of command < code > sogo-tool< / code > on OpenBSD.< / li >
< li > 2015-01-12: [SQL backends] Fixed: Service restriction is not applied in Dovecot
SQL query file while acting as SASL server.< / li >
< / ul >
< h2 id = "general-all-backends-should-apply-these-steps" > General (All backends should apply these steps)< / h2 >
< h3 id = "upgrade-roundcube-webmail-to-the-latest-stable-release" > Upgrade Roundcube webmail to the latest stable release< / h3 >
< p > Additional notes before upgrading to Roundcube webmail 1.1.0 (or later releases):< / p >
< ul >
< li > For RHEL/CentOS users: install package < code > php-pear-Net-IDNA2< / code > , then
restart the Apache service or the < code > php-fpm< / code > service (if you're running Nginx):< / li >
< / ul >
< pre > < code > # yum install php-pear-Net-IDNA2
# service httpd restart # &lt;- OR: service php-fpm restart
< / code > < / pre >
< ul >
< li > For Debian/Ubuntu users: install packages < code > php-pear< / code > and < code > php5-intl< / code > ,
enable the < code > intl< / code > module for PHP, then restart the Apache service or the < code > php5-fpm< / code >
service (if you're running Nginx):< / li >
< / ul >
< pre > < code > # apt-get install php-pear php5-intl
# php5enmod intl
# service apache2 restart # &lt;- OR: service php5-fpm restart
< / code > < / pre >
< ul >
< li > for OpenBSD users, please install package < code > php-intl< / code > , then
restart < code > php_fpm< / code > service:< / li >
< / ul >
< pre > < code > # pkg_add -r php-intl
# /etc/rc.d/php_fpm restart
< / code > < / pre >
< p > After the additional packages are installed, please follow the official Roundcube
tutorial to upgrade Roundcube webmail to the latest stable release:
< a href = "http://trac.roundcube.net/wiki/Howto_Upgrade" > How to upgrade Roundcube< / a > < / p >
< p > Note: it's recommended to download the < code > Complete< / code > edition (e.g.
< code > roundcubemail-1.1.0-complete.tar.gz< / code > ) instead of the < code > Dependent< / code > edition (e.g.
< code > roundcubemail-1.1.0.tar.gz< / code > ).< / p >
< h3 id = "fixed-return-receipt-response-rejected-by-iredapd-plugin-reject_null_sender" > Fixed: return receipt response rejected by iRedAPD plugin < code > reject_null_sender< / code > < / h3 >
< p > Note: this is applicable if you want to keep iRedAPD plugin < code > reject_null_sender< / code >
but still be able to send return receipts with Roundcube webmail.< / p >
< p > According to RFC2298, return receipt envelope sender address must be empty. If
you have iRedAPD plugin < code > reject_null_sender< / code > enabled, it will reject return
receipt responses. To solve this issue for Roundcube, you can set the setting below
in Roundcube config file < code > config/config.inc.php< / code > :< / p >
< ul >
< li > on RHEL/CentOS/OpenBSD, it's < code > /var/www/roundcubemail/config/config.inc.php< / code > .< / li >
< li > on Debian/Ubuntu, it's < code > /usr/share/apache2/roundcubemail/config/config.inc.php< / code > .< / li >
< li > on FreeBSD, it's < code > /usr/local/www/roundcube/config/config.inc.php< / code > .< / li >
< / ul >
< pre > < code > $config['mdn_use_from'] = true;
< / code > < / pre >
< p > Note: if other mail client applications don't set the SMTP authentication user as
the envelope sender of return receipts, the same issue will occur. You must disable
iRedAPD plugin < code > reject_null_sender< / code > in < code > /opt/iredapd/settings.py< / code > to make all
mail clients work.< / p >
< p > iRedAPD plugin < code > reject_null_sender< / code > rejects messages submitted by a SASL
authenticated user but with a null sender in the < code > From:< / code > header (< code > from=&lt;&gt;< / code > in Postfix
log). If a user's password was cracked by a spammer, the spammer can use this
account to get through SMTP authentication, and with a null sender in the < code > From:< / code >
header, throttling won't be triggered.< / p >
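< p > Added example (not part of the original iRedMail document): when the plugin has to be disabled for the sake of other mail clients, authenticated null-sender submissions can still be watched for in the Postfix log by pairing each queue ID's < code > sasl_username< / code > with a later < code > from=&lt;&gt;< / code > entry. The log lines are constructed samples, and the review threshold of 3 is an assumption.< / p >

```python
import re
from collections import defaultdict

# Constructed Postfix log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Feb  4 10:00:01 mx postfix/smtpd[2101]: 3A1B2C4D5E: client=pc1.example.com[192.0.2.15], sasl_method=PLAIN, sasl_username=alice@example.com
Feb  4 10:00:01 mx postfix/qmgr[1500]: 3A1B2C4D5E: from=<>, size=1843, nrcpt=1 (queue active)
Feb  4 10:02:10 mx postfix/smtpd[2107]: 4B2C3D5E6F: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=bob@example.com
Feb  4 10:02:10 mx postfix/qmgr[1500]: 4B2C3D5E6F: from=<>, size=5120, nrcpt=50 (queue active)
Feb  4 10:02:11 mx postfix/smtpd[2107]: 5C3D4E6F7A: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=bob@example.com
Feb  4 10:02:11 mx postfix/qmgr[1500]: 5C3D4E6F7A: from=<>, size=5131, nrcpt=50 (queue active)
Feb  4 10:02:12 mx postfix/smtpd[2107]: 6D4E5F7A8B: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=bob@example.com
Feb  4 10:02:12 mx postfix/qmgr[1500]: 6D4E5F7A8B: from=<>, size=5098, nrcpt=50 (queue active)
Feb  4 10:03:00 mx postfix/smtpd[2110]: 7E5F6A8B9C: client=mail.example.net[198.51.100.9]
Feb  4 10:03:00 mx postfix/qmgr[1500]: 7E5F6A8B9C: from=<>, size=2950, nrcpt=1 (queue active)
Feb  4 10:04:00 mx postfix/smtpd[2111]: 8F6A7B9C0D: client=pc2.example.com[192.0.2.16], sasl_method=PLAIN, sasl_username=carol@example.com
Feb  4 10:04:00 mx postfix/qmgr[1500]: 8F6A7B9C0D: from=<carol@example.com>, size=900, nrcpt=1 (queue active)
Feb  4 10:05:00 mx postfix/qmgr[1500]: 6D4E5F7A8B: from=<>, size=5098, nrcpt=50 (queue active)
""".splitlines()

# smtpd logs the authenticated user per queue ID; qmgr logs the envelope sender.
SASL_RE = re.compile(
    r"postfix/\S*smtpd\[\d+\]: (?P<qid>\w+): client=\S+\[(?P<ip>[^\]]+)\], "
    r"sasl_method=\S+, sasl_username=(?P<user>\S+)")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>")


def null_sender_submissions(lines):
    """Map SASL username -> set of queue IDs submitted with an empty sender."""
    sasl_user = {}                      # queue ID -> authenticated username
    hits = defaultdict(set)             # a set, so re-queued messages count once
    for line in lines:
        m = SASL_RE.search(line)
        if m:
            sasl_user[m.group("qid")] = m.group("user")
            continue
        m = QMGR_RE.search(line)
        # Bounces from remote servers also show from=<> but have no SASL login.
        if m and m.group("sender") == "" and m.group("qid") in sasl_user:
            hits[sasl_user[m.group("qid")]].add(m.group("qid"))
    return hits


def accounts_to_review(lines, threshold=3):
    """Usernames with at least `threshold` null-sender messages (assumed cut-off)."""
    hits = null_sender_submissions(lines)
    return sorted(user for user, qids in hits.items() if len(qids) >= threshold)


if __name__ == "__main__":
    for user in accounts_to_review(SAMPLE_LOG):
        print("review account:", user)
```

< p > A single return receipt, like the first sample message, stays below the threshold; a burst from one account does not.< / p >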
< h3 id = "fixed-cannot-run-php-script-under-web-document-root-with-nginx" > Fixed: Cannot run PHP script under web document root with Nginx.< / h3 >
< p > With the previous release of iRedMail, Nginx won't run PHP scripts under
sub-directories of the web document root. This step fixes it.< / p >
< ul >
< li > Open Nginx config file < code > /etc/nginx/conf.d/default.conf< / code > (on Linux/OpenBSD)
or < code > /usr/local/etc/nginx/conf.d/default.conf< / code > (on FreeBSD), and add one more setting in
configuration block < code > location ~ \.php$ {}< / code > like below:< / li >
< / ul >
< pre > < code > ...
root /var/www/html;
...
location ~ \.php$ {
...
    fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name; # &lt;- Add this line
}
< / code > < / pre >
< ul >
< li > Save your changes and restart Nginx service.< / li >
< / ul >
< p > Notes:< / p >
< ul >
< li > There are two < code > location ~ \.php$ {}< / code > blocks, please update both of them.< / li >
< li >
< p > You must replace < code > /var/www/html< / code > in the sample code above with the value of the < code > root< / code >
setting defined in the same config file.< / p >
< ul >
< li > on RHEL/CentOS, it's < code > /var/www/html< / code > .< / li >
< li > on Debian/Ubuntu, it's < code > /var/www< / code > .< / li >
< li > on FreeBSD, it's < code > /usr/local/www/apache22/data< / code > .
Note: if you're running Apache-2.4, the directory name should be
< code > apache24< / code > , not < code > apache22< / code > .< / li >
< li > on OpenBSD, it's < code > /var/www/htdocs< / code > .< / li >
< / ul >
< / li >
< / ul >
< h3 id = "fixed-incorrect-path-of-command-sogo-tool-on-openbsd" > Fixed: Incorrect path of command < code > sogo-tool< / code > on OpenBSD< / h3 >
< p > Note: this step applies to OpenBSD only.< / p >
< p > Please check user < code > _sogo< / code > 's cron job, make sure path to < code > sogo-tool< / code > command is
< code > /usr/local/sbin/sogo-tool< / code > :< / p >
< pre > < code > # crontab -l -u _sogo
< / code > < / pre >
< p > If it's not < code > /usr/local/sbin/sogo-tool< / code > , please edit its cron job with below
command and fix it:< / p >
< pre > < code > # crontab -e -u _sogo
< / code > < / pre >
< h3 id = "optional-setup-fail2ban-to-monitor-password-failures-in-sogo-log-file" > [< strong > OPTIONAL< / strong > ] Set up Fail2ban to monitor password failures in SOGo log file< / h3 >
< p > To improve server security, it's better to block clients which have too many
failed login attempts against SOGo.< / p >
< p > Please append the lines below to Fail2ban main config file < code > /etc/fail2ban/jail.local< / code > :< / p >
< pre > < code > [SOGo]
enabled = true
filter = sogo-auth
port = http, https
# without proxy this would be:
# port = 20000
action = iptables-multiport[name=SOGo, port="http,https", protocol=tcp]
logpath = /var/log/sogo/sogo.log
< / code > < / pre >
< p > Restarting Fail2ban service is required.< / p >
< h3 id = "optional-add-two-more-fail2ban-filter-regular-expressios-to-help-catch-spam" > [OPTIONAL] Add two more Fail2ban filter regular expressions to help catch spam< / h3 >
< p > We have two new Fail2ban filters to help catch spam:< / p >
< ol >
< li > The first one scans HELO rejections in the Postfix log file.< / li >
< li > The second one scans aborted POP3/IMAP logins in the Dovecot log file.< / li >
< / ol >
< p > Steps:< / p >
< ol >
< li > Open file < code > /etc/fail2ban/filter.d/postfix.iredmail.conf< / code > or
< code > /usr/local/etc/fail2ban/filter.d/postfix.iredmail.conf< / code > (on FreeBSD), append
the line below under the < code > [Definition]< / code > section:< / li >
< / ol >
< / ol >
< pre > < code > reject: RCPT from (.*)\[&lt;HOST&gt;\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
< / code > < / pre >
< p > After modification, the whole content is:< / p >
< pre > < code > [Definition]
failregex = \[&lt;HOST&gt;\]: SASL (PLAIN|LOGIN) authentication failed
            lost connection after AUTH from (.*)\[&lt;HOST&gt;\]
            reject: RCPT from (.*)\[&lt;HOST&gt;\]: 550 5.1.1
            reject: RCPT from (.*)\[&lt;HOST&gt;\]: 450 4.7.1
            reject: RCPT from (.*)\[&lt;HOST&gt;\]: 554 5.7.1
            reject: RCPT from (.*)\[&lt;HOST&gt;\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
ignoreregex =
< / code > < / pre >
< ol start = "2" >
< li > Open file < code > /etc/fail2ban/filter.d/dovecot.iredmail.conf< / code > or
< code > /usr/local/etc/fail2ban/filter.d/dovecot.iredmail.conf< / code > (on FreeBSD), append
the line below under the < code > [Definition]< / code > section:< / li >
< / ol >
< pre > < code > Aborted login \(no auth attempts in .* rip=&lt;HOST&gt;
< / code > < / pre >
< p > After modification, the whole content is:< / p >
< pre > < code > [Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P&lt;host&gt;\S*),.*
            Aborted login \(no auth attempts in .* rip=&lt;HOST&gt;
ignoreregex =
< / code > < / pre >
< p > Restarting Fail2ban service is required.< / p >
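< p > Added example (not part of the original iRedMail document): a quick offline check of the two new < code > failregex< / code > lines against constructed Postfix and Dovecot log lines, counting matches per host the way a jail's retry limit would. The < code > HOST_PATTERN< / code > is a simplified stand-in for what Fail2ban substitutes for < code > &lt;HOST&gt;< / code > , and the function names and the < code > maxretry=3< / code > default are assumptions of this sketch.< / p >

```python
import re
from collections import Counter

# Simplified stand-in for the pattern Fail2ban substitutes for <HOST>
# (assumption for this example; the real expansion is more elaborate).
HOST_PATTERN = r"(?P<host>[\w.:-]+)"

# The two lines added to the filters on this page.
NEW_FAILREGEX = {
    "postfix.iredmail": r"reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) "
                        r"Helo command rejected: need fully-qualified hostname",
    "dovecot.iredmail": r"Aborted login \(no auth attempts in .* rip=<HOST>",
}

# Constructed log lines (documentation addresses, not real traffic).
HELO = ("Feb 25 09:12:44 mx postfix/smtpd[3120]: NOQUEUE: reject: RCPT from "
        "unknown[198.51.100.23]: 504 5.5.2 <localhost>: Helo command rejected: "
        "need fully-qualified hostname; from=<a@example.net> to=<b@example.com> "
        "proto=ESMTP helo=<localhost>")
ABORT = ("Feb 25 09:13:02 mx dovecot: pop3-login: Aborted login (no auth attempts "
         "in 0 secs): user=<>, rip={ip}, lip=192.0.2.10, session=<constructed>")
OTHER = [
    "Feb 25 09:12:50 mx postfix/smtpd[3121]: NOQUEUE: reject: RCPT from "
    "mail.example.net[198.51.100.9]: 450 4.7.1 <b@example.com>: Recipient "
    "address rejected: Policy rejection; proto=ESMTP helo=<mail.example.net>",
    "Feb 25 09:14:00 mx dovecot: imap-login: Login: user=<alice@example.com>, "
    "method=PLAIN, rip=192.0.2.15, lip=192.0.2.10, TLS, session=<constructed>",
]
SAMPLE_LOG = ([HELO] * 3
              + [ABORT.format(ip="203.0.113.50")] * 3
              + [ABORT.format(ip="192.0.2.200")] * 3   # e.g. a port-check probe
              + OTHER)


def compile_failregex(pattern):
    """Expand the <HOST> tag and compile the expression."""
    return re.compile(pattern.replace("<HOST>", HOST_PATTERN))


def hosts_over_maxretry(lines, pattern, maxretry=3, ignoreip=()):
    """Hosts that match `pattern` at least `maxretry` times, minus ignored ones."""
    regex = compile_failregex(pattern)
    hits = Counter()
    for line in lines:
        m = regex.search(line)
        if m and m.group("host") not in ignoreip:
            hits[m.group("host")] += 1
    return sorted(host for host, count in hits.items() if count >= maxretry)


if __name__ == "__main__":
    for name, pattern in NEW_FAILREGEX.items():
        print(name, hosts_over_maxretry(SAMPLE_LOG, pattern))
```

< p > The Dovecot expression matches every connection that closes without an authentication attempt, so hosts that only probe the POP3/IMAP ports (monitoring, load balancers) belong in the jail's < code > ignoreip< / code > setting.< / p >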
< h2 id = "openldap-backend-special" > OpenLDAP backend special< / h2 >
< h3 id = "fixed-not-backup-sogo-database" > Fixed: SOGo database is not backed up< / h3 >
< p > Note: this step is not applicable if you don't use SOGo groupware.< / p >
< p > Open backup script < code > /var/vmail/backup/backup_mysql.sh< / code > , append SOGo SQL
database name in variable < code > DATABASES=< / code > . For example:< / p >
< pre > < code > DATABASES='... sogo'
< / code > < / pre >
< p > Save your change and that's all.< / p >
< h3 id = "optional-bypass-greylisting-for-some-big-isps" > [< strong > OPTIONAL< / strong > ] Bypass greylisting for some big ISPs< / h3 >
< p > ISPs' mail servers send out spam, but also normal business mail. Applying
greylisting to them doesn't help.< / p >
< ul >
< li > Download SQL template file:< / li >
< / ul >
< pre > < code > # cd /tmp
# wget https://bitbucket.org/zhb/iredmail/raw/default/iRedMail/samples/cluebringer/greylisting-whitelist.sql
< / code > < / pre >
< ul >
< li > Log in to the MySQL database and import this file:< / li >
< / ul >
< pre > < code > $ mysql -uroot -p
mysql> USE cluebringer;
mysql> SOURCE /tmp/greylisting-whitelist.sql;
< / code > < / pre >
< p > That's all.< / p >
< h2 id = "mysqlmariadb-backend-special" > MySQL/MariaDB backend special< / h2 >
< h3 id = "fixed-not-apply-service-restriction-in-dovecot-sql-query-file-while-acting-as-sasl-server" > Fixed: Service restriction is not applied in Dovecot SQL query file while acting as SASL server< / h3 >
< p > Please open Dovecot config file < code > /etc/dovecot/dovecot-mysql.conf< / code >
(Linux/OpenBSD) or < code > /usr/local/etc/dovecot/dovecot-mysql.conf< / code > (FreeBSD), find
below line:< / p >
< pre > < code > # Part of file: /etc/dovecot/dovecot-mysql.conf
password_query = SELECT password FROM mailbox WHERE username='%u' AND active='1'
< / code > < / pre >
< p > Add the additional condition < code > AND enable%Ls%Lc=1< / code > like below:< / p >
< pre > < code > # Part of file: /etc/dovecot/dovecot-mysql.conf
password_query = SELECT password FROM mailbox WHERE username='%u' AND enable%Ls%Lc=1 AND active='1'
< / code > < / pre >
< p > Save your change and restart Dovecot service.< / p >
< h3 id = "fixed-not-backup-sogo-database_1" > Fixed: SOGo database is not backed up< / h3 >
< p > Note: this step is not applicable if you don't use SOGo groupware.< / p >
< p > Open backup script < code > /var/vmail/backup/backup_mysql.sh< / code > , append SOGo SQL
database name in variable < code > DATABASES=< / code > . For example:< / p >
< pre > < code > DATABASES='... sogo'
< / code > < / pre >
< p > Save your change and that's all.< / p >
< h3 id = "optional-bypass-greylisting-for-some-big-isps_1" > [< strong > OPTIONAL< / strong > ] Bypass greylisting for some big ISPs< / h3 >
< p > ISPs' mail servers send out spam, but also normal business mail. Applying
greylisting to them doesn't help.< / p >
< ul >
< li > Download SQL template file:< / li >
< / ul >
< pre > < code > # cd /tmp
# wget https://bitbucket.org/zhb/iredmail/raw/default/iRedMail/samples/cluebringer/greylisting-whitelist.sql
< / code > < / pre >
< ul >
< li > Log in to the MySQL database and import this file:< / li >
< / ul >
< pre > < code > $ mysql -uroot -p
mysql> USE cluebringer;
mysql> SOURCE /tmp/greylisting-whitelist.sql;
< / code > < / pre >
< p > That's all.< / p >
< h2 id = "postgresql-backend-special" > PostgreSQL backend special< / h2 >
< h3 id = "fixed-not-apply-service-restriction-in-dovecot-sql-query-file-while-acting-as-sasl-server_1" > Fixed: Service restriction is not applied in Dovecot SQL query file while acting as SASL server< / h3 >
< p > Please open Dovecot config file < code > /etc/dovecot/dovecot-pgsql.conf< / code >
(Linux/OpenBSD) or < code > /usr/local/etc/dovecot/dovecot-pgsql.conf< / code > (FreeBSD), find
below line:< / p >
< pre > < code > # Part of file: /etc/dovecot/dovecot-pgsql.conf
password_query = SELECT password FROM mailbox WHERE username='%u' AND active='1'
< / code > < / pre >
< p > Add the additional condition like below:< / p >
< pre > < code > # Part of file: /etc/dovecot/dovecot-pgsql.conf
password_query = SELECT password FROM mailbox WHERE username='%u' AND enable%Ls%Lc=1 AND active='1'
< / code > < / pre >
< p > Save your change and restart Dovecot service.< / p >
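< p > Added example (not part of the original iRedMail document), covering the < code > password_query< / code > change in both the MySQL/MariaDB and PostgreSQL sections: it runs the old and new queries for an account that is allowed IMAP but not SMTP. It assumes an in-memory SQLite table as a stand-in for the real database, constructed accounts, a simplified re-implementation of Dovecot's < code > %u< / code > , < code > %Ls< / code > and < code > %Lc< / code > expansion, and column names derived from what < code > enable%Ls%Lc< / code > expands to.< / p >

```python
import sqlite3

# The two password_query lines from this page (before and after the fix).
OLD_QUERY = "SELECT password FROM mailbox WHERE username='%u' AND active='1'"
NEW_QUERY = ("SELECT password FROM mailbox WHERE username='%u' "
             "AND enable%Ls%Lc=1 AND active='1'")


def expand(query, user, service, secured):
    """Expand the three Dovecot variables used above (simplified re-implementation).

    %Ls -> lower-cased service name, %Lc -> "secured" on TLS/local connections
    and empty otherwise, %u -> the login name with single quotes escaped.
    """
    query = query.replace("%Ls", service.lower())
    query = query.replace("%Lc", "secured" if secured else "")
    return query.replace("%u", user.replace("'", "''"))


def build_db():
    """In-memory stand-in for the mail accounts table, with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE mailbox (
        username TEXT PRIMARY KEY, password TEXT, active INTEGER,
        enablesmtp INTEGER, enablesmtpsecured INTEGER,
        enableimap INTEGER, enableimapsecured INTEGER)""")
    conn.executemany("INSERT INTO mailbox VALUES (?,?,?,?,?,?,?)", [
        ("alice@example.com", "{SSHA512}constructed-a", 1, 1, 1, 1, 1),
        # bob may read mail over IMAP but is not allowed to send over SMTP.
        ("bob@example.com", "{SSHA512}constructed-b", 1, 0, 0, 1, 1),
    ])
    return conn


def password_lookup(conn, query, user, service, secured):
    """Return the stored hash Dovecot would verify against, or None if no row."""
    row = conn.execute(expand(query, user, service, secured)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    # Postfix asks Dovecot to authenticate with service name "smtp".
    for label, query in (("old", OLD_QUERY), ("new", NEW_QUERY)):
        found = password_lookup(db, query, "bob@example.com", "smtp", True)
        print(label, "query, bob over SMTP:", "row returned" if found else "no row")
```

< p > With the old query the SMTP-disabled account still gets a password row when Postfix authenticates it through Dovecot; with the new query no row is returned, so authentication fails for that service only.< / p >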
< h3 id = "fixed-not-backup-sogo-database_2" > Fixed: SOGo database is not backed up< / h3 >
< p > Note: this step is not applicable if you don't use SOGo groupware.< / p >
< p > Open backup script < code > /var/vmail/backup/backup_mysql.sh< / code > , append SOGo SQL
database name in variable < code > DATABASES=< / code > . For example:< / p >
< pre > < code > DATABASES='... sogo'
< / code > < / pre >
< p > Save your change and that's all.< / p >
< h3 id = "optional-bypass-greylisting-for-some-big-isps_2" > [< strong > OPTIONAL< / strong > ] Bypass greylisting for some big ISPs< / h3 >
< p > ISPs' mail servers send out spam, but also normal business mail. Applying
greylisting to them doesn't help.< / p >
< ul >
< li > Download SQL template file:< / li >
< / ul >
< pre > < code > # cd /tmp
# wget https://bitbucket.org/zhb/iredmail/raw/default/iRedMail/samples/cluebringer/greylisting-whitelist.sql
< / code > < / pre >
< ul >
< li >
< p > Switch to PostgreSQL daemon user, then execute SQL commands to import it:< / p >
< ul >
< li > On Linux, PostgreSQL daemon user is < code > postgres< / code > .< / li >
< li > On FreeBSD, PostgreSQL daemon user is < code > pgsql< / code > .< / li >
< li > On OpenBSD, PostgreSQL daemon user is < code > _postgresql< / code > .< / li >
< / ul >
< / li >
< / ul >
< pre > < code > # su - postgres
$ psql -d cluebringer
sql> \i /tmp/greylisting-whitelist.sql;
< / code > < / pre >
< p > That's all.< / p > < p style = "text-align: center; color: grey;" > Document published under a < a href = "http://creativecommons.org/licenses/by-nd/3.0/us/" target = "_blank" > CC BY-ND 3.0< / a > license. If you found something wrong, please do < a href = "http://www.iredmail.org/contact.html" > contact us< / a > to fix it.< / p >
< / body > < / html >