iredmail-doc/html/upgrade.iredmail.0.9.6-0.9.7.html

<!DOCTYPE html>
<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <title>Upgrade iRedMail from 0.9.6 to 0.9.7</title>
        <link rel="stylesheet" type="text/css" href="./css/markdown.css" />
    </head>
    <body>
    
    <div id="navigation">
    <a href="/index.html" target="_blank">
        <img alt="iRedMail web site"
             src="./images/logo-iredmail.png"
             style="vertical-align: middle; height: 30px;"
             />&nbsp;
        <span>iRedMail</span>
    </a>
    &nbsp;&nbsp;//&nbsp;&nbsp;<a href="./index.html">Document Index</a></div><h1 id="upgrade-iredmail-from-096-to-097">Upgrade iRedMail from 0.9.6 to 0.9.7</h1>
<div class="toc">
<ul>
<li><a href="#upgrade-iredmail-from-096-to-097">Upgrade iRedMail from 0.9.6 to 0.9.7</a><ul>
<li><a href="#changelog">ChangeLog</a></li>
<li><a href="#general-all-backends-should-apply-these-steps">General (All backends should apply these steps)</a><ul>
<li><a href="#update-etciredmail-release-with-new-iredmail-version-number">Update /etc/iredmail-release with new iRedMail version number</a></li>
<li><a href="#upgrade-roundcube-webmail-to-the-latest-stable-release-125">Upgrade Roundcube webmail to the latest stable release (1.2.5)</a></li>
<li><a href="#fixed-improper-order-of-restriction-rules-in-postfix-smtpd_helo_restrictions">Fixed: improper order of restriction rules in Postfix smtpd_helo_restrictions</a></li>
<li><a href="#fixed-incorrect-owner-and-permission-for-rotated-dovecot-log-files">Fixed: incorrect owner and permission for rotated Dovecot log files</a></li>
<li><a href="#fixed-incorrect-sessionsave_path-in-php-fpm-pool-config-file-on-rhelcentos">Fixed: incorrect session.save_path in php-fpm pool config file on RHEL/CentOS</a></li>
<li><a href="#fixed-improper-fail2ban-filter-which-causes-incorrect-ban">Fixed: Improper Fail2ban filter which causes incorrect ban</a></li>
<li><a href="#new-new-backup-script-for-sogo">NEW: New backup script for SOGo</a></li>
</ul>
</li>
<li><a href="#openldap-backend-special">OpenLDAP backend special</a><ul>
<li><a href="#fixed-avoid-possible-backdooring-mysqldump-backups">Fixed: Avoid possible backdooring mysqldump backups</a></li>
</ul>
</li>
<li><a href="#mysqlmariadb-backend-special">MySQL/MariaDB backend special</a><ul>
<li><a href="#fixed-avoid-possible-backdooring-mysqldump-backups_1">Fixed: Avoid possible backdooring mysqldump backups</a></li>
</ul>
</li>
</ul>
</li>
</ul>
</div>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>THIS IS A DRAFT, DO NOT APPLY ANY STEPS MENTIONED IN THIS TUTORIAL.</p>
</div>
<div class="admonition note">
<p class="admonition-title">Paid Remote Upgrade Support</p>
<p>We offer remote upgrade support if you don't want to get your hands dirty,
check <a href="../support.html">the details</a> and <a href="../contact.html">contact us</a>.</p>
</div>
<h2 id="changelog">ChangeLog</h2>
<ul>
<li>Apr 13, 2017: Fixed: incorrect owner and permission for rotated Dovecot log files</li>
<li>Mar 22, 2017: New backup script for SOGo.</li>
<li>Mar 16, 2017: Fixed: Avoid possible backdooring mysqldump backups</li>
<li>Mar  8, 2017: [RHEL/CentOS][Nginx] Fix incorrect <code>session.save_path</code> in php-fpm pool config file.</li>
<li>Feb  9, 2017: Fixed improper Fail2ban filter for Dovecot.</li>
</ul>
<h2 id="general-all-backends-should-apply-these-steps">General (All backends should apply these steps)</h2>
<h3 id="update-etciredmail-release-with-new-iredmail-version-number">Update <code>/etc/iredmail-release</code> with new iRedMail version number</h3>
<p>iRedMail stores the release version in <code>/etc/iredmail-release</code> after
installation, it's recommended to update this file after you upgraded iRedMail,
so that you can know which version of iRedMail you're running. For example:</p>
<pre><code>0.9.7
</code></pre>

<h3 id="upgrade-roundcube-webmail-to-the-latest-stable-release-125">Upgrade Roundcube webmail to the latest stable release (1.2.5)</h3>
<blockquote>
<p>There're several security fixes in Roundcube 1.2.4 and 1.2.5, all users are
encouraged to upgrade it as soon as possible. For more details about this
release, please check Roundcube release notes:</p>
<ul>
<li><a href="https://github.com/roundcube/roundcubemail/releases/tag/1.2.4">1.2.4</a></li>
<li><a href="https://github.com/roundcube/roundcubemail/releases/tag/1.2.5">1.2.5</a></li>
</ul>
</blockquote>
<p>Please follow Roundcube official tutorial to upgrade Roundcube webmail to the
latest stable release immediately:</p>
<ul>
<li><a href="https://github.com/roundcube/roundcubemail/wiki/Upgrade">How to upgrade Roundcube</a>.</li>
</ul>
<h3 id="fixed-improper-order-of-restriction-rules-in-postfix-smtpd_helo_restrictions">Fixed: improper order of restriction rules in Postfix smtpd_helo_restrictions</h3>
<p>iRedMail-0.9.6 and earlier releases didn't configure Postfix to apply custom
HELO restriction rule before FQDN helo hostname check and DNS verification,
this way you cannot whitelist some bad HELO hostnames. Please follow steps
below to fix it.</p>
<ul>
<li>Open file <code>/etc/postfix/main.cf</code> (Linux/OpenBSD) or
<code>/usr/local/etc/postfix/main.cf</code> (FreeBSD), find parameter
<code>smtpd_helo_restrictions</code> like below:</li>
</ul>
<pre><code>smtpd_helo_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname
    check_helo_access pcre:/etc/postfix/helo_access.pcre
</code></pre>

<ul>
<li>Move the <code>check_helo_access</code> line after <code>permit_sasl_authenticated</code>:</li>
</ul>
<pre><code>smtpd_helo_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    check_helo_access pcre:/etc/postfix/helo_access.pcre
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname
</code></pre>

<ul>
<li>Reloading or restarting Postfix service is required.</li>
</ul>
<h3 id="fixed-incorrect-owner-and-permission-for-rotated-dovecot-log-files">Fixed: incorrect owner and permission for rotated Dovecot log files</h3>
<p>iRedMail-0.9.6 and earlier releases have an incorrect logrotate setting for
Dovecot log file, it causes all Dovecot log files are empty due to no required
permission to open log files. Please follow steps below to fix it.</p>
<p>Please open file <code>/etc/logrotate.d/dovecot</code>, find line below:</p>
<pre><code>    create 0600 vmail vmail
</code></pre>

<p>Remove above line and save the change.</p>
<h3 id="fixed-incorrect-sessionsave_path-in-php-fpm-pool-config-file-on-rhelcentos">Fixed: incorrect session.save_path in php-fpm pool config file on RHEL/CentOS</h3>
<div class="admonition attention">
<p class="admonition-title">Attention</p>
<p>This is applicable to RHEL/CentOS system, and Nginx web server.</p>
</div>
<p>iRedMail-0.9.6 doesn't set path for <code>session.save_path</code> parameter in php-fpm
pool config file <code>/etc/php-fpm.d/www.conf</code>, please fix it with steps below:</p>
<ul>
<li>Open file <code>/etc/php-fpm.d/www.conf</code>, find line:</li>
</ul>
<pre><code>php_value[session.save_path] = &quot;/var/lib/php/session&quot;
</code></pre>

<ul>
<li>The directory name should be <code>sessions</code> (ends with <code>s</code>), not <code>session</code>. So
  please change it to:</li>
</ul>
<pre><code>php_value[session.save_path] = &quot;/var/lib/php/sessions&quot;
</code></pre>

<ul>
<li>Restarting php-fpm service is required:</li>
</ul>
<pre><code>service php-fpm restart
</code></pre>

<h3 id="fixed-improper-fail2ban-filter-which-causes-incorrect-ban">Fixed: Improper Fail2ban filter which causes incorrect ban</h3>
<p>Please open file <code>/etc/fail2ban/filter.d/dovecot.iredmail.conf</code>, remove line
below:</p>
<pre><code>            \(no auth attempts in .* rip=&lt;HOST&gt;
</code></pre>

<p>Then restart or reload Fail2ban service.</p>
<h3 id="new-new-backup-script-for-sogo">NEW: New backup script for SOGo</h3>
<div class="admonition attention">
<p class="admonition-title">Attention</p>
<p>This is not applicable to SOGo-2.x because it doesn't support backing up
all users' data with command <code>sogo-tool backup /path/to/backup/dir ALL</code>.</p>
</div>
<p>iRedMail has script <code>/var/vmail/backup/backup_mysql.sh</code> (or <code>backup_pgsql.sh</code>)
to backup SOGo database by dumping whole database to a plain SQL file as
backup. It's not ideal because:</p>
<ul>
<li>it's hard to restore single user's data with a plain SQL file.</li>
<li>if SOGo changes some SQL structure, it's hard to restore all data.</li>
</ul>
<p>This new script does backup with <code>sogo-tool backup</code> command to avoid issues
mentioned above, you can restore a single user's data or all users data with
<code>sogo-tool restore</code>.</p>
<p>Please follow steps below to setup this daily cron job.</p>
<ul>
<li>Download backup script. We store it under <code>/var/vmail/backup</code>, if you prefer
  a different directory, feel free to change the directory name used in commands
  below:</li>
</ul>
<pre><code>cd /var/vmail/backup/
wget https://bitbucket.org/zhb/iredmail/raw/default/iRedMail/tools/backup_sogo.sh
chmod +x backup_sogo.sh
</code></pre>

<ul>
<li>This script will create new directory under <code>/var/vmail/backup</code> like below
  to store backup files:</li>
</ul>
<pre><code>/var/vmail/backup
            |- sogo/
                |- 2017/                # &lt;- year
                    |- 03/              # &lt;- month
                        |- 22.tar.bz2   # &lt;- day (file name is: &lt;day&gt;.tar.bz2)
</code></pre>

<pre><code>If you prefer a different backup root directory, please open
`backup_sogo.sh`, update variable `BACKUP_ROOTDIR` with the new directory.
</code></pre>
<ul>
<li>
<p>Open file <code>backup_sogo.sh</code>, modify </p>
</li>
<li>
<p>Run command <code>crontab -e -u root</code> to setup root user's cron job. Add content
  below as new job:</p>
</li>
</ul>
<pre><code># SOGo: backup all users' data at 3:05AM everyday.
5   3   *   *   *   bash /var/vmail/backup/backup_sogo.sh
</code></pre>

<h2 id="openldap-backend-special">OpenLDAP backend special</h2>
<h3 id="fixed-avoid-possible-backdooring-mysqldump-backups">Fixed: Avoid possible backdooring mysqldump backups</h3>
<p>For more details about this backdooring mysqldump backup issue, please read
blog post:</p>
<ul>
<li><a href="https://blog.tarq.io/cve-2016-5483-backdooring-mysqldump-backups/">[CVE-2016-5483] Backdooring mysqldump backups</a>.</li>
</ul>
<p>Steps to fix it:</p>
<ul>
<li>
<p>Open the daily MySQL backup script, it's <code>/var/vmail/backup/backup_mysql.sh</code>
  by default. if you use different storage directory during iRedMail
  installation, you can find the base directory with command <code>postconf virtual_mailbox_base</code>.</p>
</li>
<li>
<p>Find variable name <code>CMD_MYSQLDUMP</code> like below:</p>
</li>
</ul>
<pre><code>export CMD_MYSQLDUMP=&quot;mysqldump ...&quot;
</code></pre>

<ul>
<li>Make sure it has argument <code>--skip-comments</code> like below:</li>
</ul>
<pre><code>export CMD_MYSQLDUMP=&quot;mysqldump ... --skip-comments&quot;
</code></pre>

<ul>
<li>Save your change. That's it.</li>
</ul>
<h2 id="mysqlmariadb-backend-special">MySQL/MariaDB backend special</h2>
<h3 id="fixed-avoid-possible-backdooring-mysqldump-backups_1">Fixed: Avoid possible backdooring mysqldump backups</h3>
<p>For more details about this backdooring mysqldump backup issue, please read
blog post:</p>
<ul>
<li><a href="https://blog.tarq.io/cve-2016-5483-backdooring-mysqldump-backups/">[CVE-2016-5483] Backdooring mysqldump backups</a>.</li>
</ul>
<p>Steps to fix it:</p>
<ul>
<li>
<p>Open the daily MySQL backup script, it's <code>/var/vmail/backup/backup_mysql.sh</code>
  by default. if you use different storage directory during iRedMail
  installation, you can find the base directory with command <code>postconf virtual_mailbox_base</code>.</p>
</li>
<li>
<p>Find variable name <code>CMD_MYSQLDUMP</code> like below:</p>
</li>
</ul>
<pre><code>export CMD_MYSQLDUMP=&quot;mysqldump ...&quot;
</code></pre>

<ul>
<li>Make sure it has argument <code>--skip-comments</code> like below:</li>
</ul>
<pre><code>export CMD_MYSQLDUMP=&quot;mysqldump ... --skip-comments&quot;
</code></pre>

<ul>
<li>Save your change. That's it.</li>
</ul><div class="footer">
    <p style="text-align: center; color: grey;">All documents are available in <a href="https://bitbucket.org/zhb/iredmail-docs/src">BitBucket repository</a>, and published under <a href="http://creativecommons.org/licenses/by-nd/3.0/us/" target="_blank">Creative Commons</a> license. You can <a href="https://bitbucket.org/zhb/iredmail-docs/get/tip.tar.bz2">download the latest version</a> for offline reading. If you found something wrong, please do <a href="http://www.iredmail.org/contact.html">contact us</a> to fix it.</p>
</div>
<script type="text/javascript">
  (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
  (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
  m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
  })(window,document,'script','//www.google-analytics.com/analytics.js','ga');

  ga('create', 'UA-3293801-21', 'auto');
  ga('send', 'pageview');
</script>
</body></html>