* Dovecot master user can be non-email.
* Mention to change 'yourhostname' in SOGo config file for Apache.
parent 1d07a830d9
commit 25eac35f61
|
@ -22,12 +22,12 @@ Retype new password: my_master_password
|
|||
{SSHA512}B0VHomJaMk6aLXOPglgNgJtCUA8JRnOweAwJxRW6NPWSNZ25rG/L6T05DJXH+t8WCQkemBilgkcEi6mq4Kadssivtts=
|
||||
```
|
||||
|
||||
You can now pick up any username you like, for example,
|
||||
`my_master_user@non-exist.com`. Now add new master user in file
|
||||
You can now pick up any username you like, for example, `my_master_user`.
|
||||
Now add new master user in file
|
||||
`/etc/dovecot/dovecot-master-users-passwords` like below:
|
||||
|
||||
```
|
||||
my_master_user@non-exist.com:{SSHA512}B0VHomJaMk6aLXOPglgNgJtCU...
|
||||
my_master_user:{SSHA512}B0VHomJaMk6aLXOPglgNgJtCU...
|
||||
```
|
||||
|
||||
WARNING: Make sure file `dovecot-master-users-password` is owned by Dovecot
|
||||
|
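Review bot: The file name is spelled two ways in this hunk: the instruction line gives `/etc/dovecot/dovecot-master-users-passwords`, while the WARNING context line below it says `dovecot-master-users-password` (no trailing "s"). The warning concerns ownership of the file that holds the master password hash, so a reader who copies the name from the warning ends up checking a file that does not exist; use the full path with the same spelling in both places. In the rewritten sentence, "pick up any username" should also read "pick any username".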
@ -38,15 +38,9 @@ the file content.
|
|||
> * on OpenBSD, Dovecot daemon user/group is `_dovecot/_dovecot`.
|
||||
|
||||
Then you can access user@domain.ltd's mailbox (via either IMAP or POP3
|
||||
protocol) as `user@domain.ltd*my_master_user@non-exist.com` with password
|
||||
protocol) as `user@domain.ltd*my_master_user` with password
|
||||
`my_master_password`.
|
||||
|
||||
|
||||
Notes:
|
||||
|
||||
* master user name must be in valid email address format. e.g. user@domain.com.
|
||||
this email address doesn't need to exist.
|
||||
|
||||
## Troubleshooting
|
||||
|
||||
If it doesn't work for you, please enable debug mode in Dovecot and check
|
||||
|
|
|
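Review bot: The Notes block removed here said the master user name "must be in valid email address format", and the replacement text switches to a bare `my_master_user` without explaining why that requirement no longer holds. Add one sentence stating that the master user name does not have to be an email address or an existing account, and say whether entries already written in the `user@domain` form keep working, so administrators who followed the old text know if their file needs changing.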
@ -29,10 +29,10 @@ Retype new password: my_master_password
|
|||
{SSHA512}B0VHomJaMk6aLXOPglgNgJtCUA8JRnOweAwJxRW6NPWSNZ25rG/L6T05DJXH+t8WCQkemBilgkcEi6mq4Kadssivtts=
|
||||
</code></pre>
|
||||
|
||||
<p>You can now pick up any username you like, for example,
|
||||
<code>my_master_user@non-exist.com</code>. Now add new master user in file
|
||||
<p>You can now pick up any username you like, for example, <code>my_master_user</code>.
|
||||
Now add new master user in file
|
||||
<code>/etc/dovecot/dovecot-master-users-passwords</code> like below:</p>
|
||||
<pre><code>my_master_user@non-exist.com:{SSHA512}B0VHomJaMk6aLXOPglgNgJtCU...
|
||||
<pre><code>my_master_user:{SSHA512}B0VHomJaMk6aLXOPglgNgJtCU...
|
||||
</code></pre>
|
||||
|
||||
<p>WARNING: Make sure file <code>dovecot-master-users-password</code> is owned by Dovecot
|
||||
|
@ -45,13 +45,8 @@ the file content.</p>
|
|||
</ul>
|
||||
</blockquote>
|
||||
<p>Then you can access user@domain.ltd's mailbox (via either IMAP or POP3
|
||||
protocol) as <code>user@domain.ltd*my_master_user@non-exist.com</code> with password
|
||||
protocol) as <code>user@domain.ltd*my_master_user</code> with password
|
||||
<code>my_master_password</code>.</p>
|
||||
<p>Notes:</p>
|
||||
<ul>
|
||||
<li>master user name must be in valid email address format. e.g. user@domain.com.
|
||||
this email address doesn't need to exist.</li>
|
||||
</ul>
|
||||
<h2 id="troubleshooting">Troubleshooting</h2>
|
||||
<p>If it doesn't work for you, please enable debug mode in Dovecot and check
|
||||
its log file. If you don't understand what the log says, please create a new
|
||||
|
|
|
@ -25,7 +25,9 @@ Dovecot wiki page
|
|||
<li>(RECOMMENDED) with a prefix: <code>{CRYPT}$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250</code></li>
|
||||
<li>without a prefix: <code>$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250</code></li>
|
||||
</ul>
|
||||
<p>Note: Looks like SOGo requires <code>{CRYPT}</code> prefix.</p>
|
||||
<p><strong>Important note</strong>: SOGo groupware doesn't support MD5 without a prefix, so
|
||||
if you're going to migrate MD5 password hash from old mail server, please
|
||||
prepend <code>{CRYPT}</code> prefix in password hash.</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>PLAIN-MD5 (unsalted MD5). e.g. <code>0d2bf3c712402f428d48fed691850bfc</code></p>
|
||||
|
|
|
@ -220,8 +220,10 @@ support by removing comment mark of below lines in above configuration:</p>
|
|||
<p>To access SOGo groupware (webmail/calendar/contact), we need to configure
|
||||
web server.</p>
|
||||
<h3 id="apache-web-server">Apache web server</h3>
|
||||
<p>SOGo installs config file <code>/etc/httpd/conf.d/SOGo.conf</code> by default, please
|
||||
open it and find below lines:</p>
|
||||
<ul>
|
||||
<li>SOGo installs Apache config file <code>/etc/httpd/conf.d/SOGo.conf</code> by default,
|
||||
please open it and find below lines:</li>
|
||||
</ul>
|
||||
<pre><code>#ProxyPass /Microsoft-Server-ActiveSync \
|
||||
# http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync \
|
||||
# retry=60 connectiontimeout=5 timeout=360
|
||||
|
@ -233,6 +235,11 @@ open it and find below lines:</p>
|
|||
retry=60 connectiontimeout=5 timeout=360
|
||||
</code></pre>
|
||||
|
||||
<ul>
|
||||
<li>Find string <code>yourhostname</code> in the same file, replace all <code>yourhostname</code> by
|
||||
your FQDN server hostname. (Tip: you can get your FQDN hostname with command
|
||||
<code>hostname -f</code>.)</li>
|
||||
</ul>
|
||||
<h3 id="nginx-web-server">Nginx web server</h3>
|
||||
<p>If you're running Nginx web server configured by iRedMail, please open file
|
||||
<code>/etc/nginx/conf.d/default.conf</code>, add some lines in <code>server {}</code> configured for
|
||||
|
|
|
@ -240,7 +240,7 @@ basedn, bind dn/passwordthen in this file, then it's done.</p>
|
|||
<p>To access SOGo groupware (webmail/calendar/contact), we need to configure
|
||||
web server.</p>
|
||||
<h3 id="apache-web-server">Apache web server</h3>
|
||||
<p>SOGo installs config file <code>/etc/httpd/conf.d/SOGo.conf</code> by default, please
|
||||
<p>SOGo installs Apache config file <code>/etc/httpd/conf.d/SOGo.conf</code> by default, please
|
||||
open it and find below lines:</p>
|
||||
<pre><code>#ProxyPass /Microsoft-Server-ActiveSync \
|
||||
# http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync \
|
||||
|
@ -253,6 +253,11 @@ open it and find below lines:</p>
|
|||
retry=60 connectiontimeout=5 timeout=360
|
||||
</code></pre>
|
||||
|
||||
<ul>
|
||||
<li>Find string <code>yourhostname</code> in the same file, replace all <code>yourhostname</code> by
|
||||
your FQDN server hostname. (Tip: you can get your FQDN hostname with command
|
||||
<code>hostname -f</code>.)</li>
|
||||
</ul>
|
||||
<h3 id="nginx-web-server">Nginx web server</h3>
|
||||
<p>If you're running Nginx web server configured by iRedMail, please open file
|
||||
<code>/etc/nginx/conf.d/default.conf</code>, add some lines in <code>server {}</code> configured for
|
||||
|
|
|
@ -17,11 +17,11 @@
|
|||
<li><a href="#changelog">ChangeLog</a></li>
|
||||
<li><a href="#general-all-backends-should-apply-these-steps">General (All backends should apply these steps)</a><ul>
|
||||
<li><a href="#upgrade-roundcube-webmail-to-the-latest-stable-release">Upgrade Roundcube webmail to the latest stable release</a></li>
|
||||
<li><a href="#optional-setup-fail2ban-to-monitor-password-failures-in-sogo-log-file">[OPTIONAL] Setup Fail2ban to monitor password failures in SOGo log file</a></li>
|
||||
<li><a href="#optional-add-one-more-fail2ban-filter-to-help-catch-spam">[OPTIONAL] Add one more Fail2ban filter to help catch spam</a></li>
|
||||
<li><a href="#optional-fixed-return-receipt-response-rejected-by-iredapd-plugin-reject_null_sender">[OPTIONAL] Fixed: return receipt response rejected by iRedAPD plugin reject_null_sender</a></li>
|
||||
<li><a href="#fixed-return-receipt-response-rejected-by-iredapd-plugin-reject_null_sender">Fixed: return receipt response rejected by iRedAPD plugin reject_null_sender</a></li>
|
||||
<li><a href="#fixed-cannot-run-php-script-under-web-document-root-with-nginx">Fixed: Cannot run PHP script under web document root with Nginx.</a></li>
|
||||
<li><a href="#fixed-incorrect-path-of-command-sogo-tool-on-openbsd">Fixed: Incorrect path of command sogo-tool on OpenBSD</a></li>
|
||||
<li><a href="#optional-setup-fail2ban-to-monitor-password-failures-in-sogo-log-file">[OPTIONAL] Setup Fail2ban to monitor password failures in SOGo log file</a></li>
|
||||
<li><a href="#optional-add-one-more-fail2ban-filter-to-help-catch-spam">[OPTIONAL] Add one more Fail2ban filter to help catch spam</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="#openldap-backend-special">OpenLDAP backend special</a><ul>
|
||||
|
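Review bot: Renaming the section changes its anchor in this table of contents from `#optional-fixed-return-receipt-response-rejected-by-iredapd-plugin-reject_null_sender` to `#fixed-return-receipt-response-rejected-by-iredapd-plugin-reject_null_sender`, so any existing link to the old fragment stops resolving. If the old anchor has been referenced from other pages, check those references or keep the old id as an alias.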
@ -45,11 +45,11 @@
|
|||
<p><strong>WARNING: Still working in progress, do <em>NOT</em> apply it.</strong></p>
|
||||
<h2 id="changelog">ChangeLog</h2>
|
||||
<ul>
|
||||
<li>2015-02-17: [All backends ] Upgrade Roundcube webmail to the latest stable release</li>
|
||||
<li>2015-02-11: [All backends] [<strong>OPTIONAL</strong>] Setup Fail2ban to monitor password failures in SOGo log file.</li>
|
||||
<li>2015-02-11: [All backends] Fixed: Cannot run PHP script under web document root with Nginx.</li>
|
||||
<li>2015-02-09: [All backends] [<strong>OPTIONAL</strong>] Add one more Fail2ban filter to help catch spam.</li>
|
||||
<li>2015-02-04: [All backends] [<strong>OPTIONAL</strong>] Fixed: return receipt response rejected
|
||||
by iRedAPD plugin <code>reject_null_sender</code>.</li>
|
||||
<li>2015-02-04: [All backends] Fixed: return receipt response rejected by iRedAPD plugin <code>reject_null_sender</code>.</li>
|
||||
<li>2015-02-02: [All backends] Fixed: Not backup SOGo database. Note: this step
|
||||
is not applicable if you don't use SOGo groupware.</li>
|
||||
<li>2015-01-13: [All backends] Fixed: Incorrect path of command <code>sogo-tool</code> on OpenBSD.</li>
|
||||
|
@ -87,43 +87,7 @@
|
|||
<p>After you have additional packages installed, please follow Roundcube official
|
||||
tutorial to upgrade Roundcube webmail to the latest stable release:
|
||||
<a href="http://trac.roundcube.net/wiki/Howto_Upgrade">How to upgrade Roundcube</a></p>
|
||||
<h3 id="optional-setup-fail2ban-to-monitor-password-failures-in-sogo-log-file">[<strong>OPTIONAL</strong>] Setup Fail2ban to monitor password failures in SOGo log file</h3>
|
||||
<p>To improve server security, we'd better block clients which have too many
|
||||
failed login attempts from SOGo.</p>
|
||||
<p>Please append below lines in Fail2ban main config file <code>/etc/fail2ban/jail.local</code>:</p>
|
||||
<pre><code>[SOGo]
|
||||
enabled = true
|
||||
filter = sogo-auth
|
||||
port = http, https
|
||||
# without proxy this would be:
|
||||
# port = 20000
|
||||
action = iptables-multiport[name=SOGo, port="http,https", protocol=tcp]
|
||||
logpath = /var/log/sogo/sogo.log
|
||||
</code></pre>
|
||||
|
||||
<p>Restarting Fail2ban service is required.</p>
|
||||
<h3 id="optional-add-one-more-fail2ban-filter-to-help-catch-spam">[OPTIONAL] Add one more Fail2ban filter to help catch spam</h3>
|
||||
<p>We have a new Fail2ban filter to help catch spam, it will scan HELO rejections
|
||||
in Postfix log file and invoke iptables to ban client IP address.</p>
|
||||
<p>Open file <code>/etc/fail2ban/filters.d/postfix.iredmail.conf</code> or
|
||||
<code>/usr/local/etc/fail2ban/filters.d/postfix.iredmail.conf</code> (on FreeBSD), append
|
||||
below line under <code>[Definition]</code> section:</p>
|
||||
<pre><code> reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
|
||||
</code></pre>
|
||||
|
||||
<p>After modification, the whole content is:</p>
|
||||
<pre><code>[Definition]
|
||||
failregex = \[<HOST>\]: SASL (PLAIN|LOGIN) authentication failed
|
||||
lost connection after AUTH from (.*)\[<HOST>\]
|
||||
reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
|
||||
reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
|
||||
reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
|
||||
reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
|
||||
ignoreregex =
|
||||
</code></pre>
|
||||
|
||||
<p>Restarting Fail2ban service is required.</p>
|
||||
<h3 id="optional-fixed-return-receipt-response-rejected-by-iredapd-plugin-reject_null_sender">[OPTIONAL] Fixed: return receipt response rejected by iRedAPD plugin <code>reject_null_sender</code></h3>
|
||||
<h3 id="fixed-return-receipt-response-rejected-by-iredapd-plugin-reject_null_sender">Fixed: return receipt response rejected by iRedAPD plugin <code>reject_null_sender</code></h3>
|
||||
<p>Note: this is applicable if you want to keep iRedAPD plugin <code>reject_null_sender</code>
|
||||
but still able to send return receipt with Roundcube webmail.</p>
|
||||
<p>According to RFC2298, return receipt envelope sender address must be empty. If
|
||||
|
@ -195,6 +159,42 @@ command and fix it:</p>
|
|||
<pre><code># crontab -e -u _sogo
|
||||
</code></pre>
|
||||
|
||||
<h3 id="optional-setup-fail2ban-to-monitor-password-failures-in-sogo-log-file">[<strong>OPTIONAL</strong>] Setup Fail2ban to monitor password failures in SOGo log file</h3>
|
||||
<p>To improve server security, we'd better block clients which have too many
|
||||
failed login attempts from SOGo.</p>
|
||||
<p>Please append below lines in Fail2ban main config file <code>/etc/fail2ban/jail.local</code>:</p>
|
||||
<pre><code>[SOGo]
|
||||
enabled = true
|
||||
filter = sogo-auth
|
||||
port = http, https
|
||||
# without proxy this would be:
|
||||
# port = 20000
|
||||
action = iptables-multiport[name=SOGo, port="http,https", protocol=tcp]
|
||||
logpath = /var/log/sogo/sogo.log
|
||||
</code></pre>
|
||||
|
||||
<p>Restarting Fail2ban service is required.</p>
|
||||
<h3 id="optional-add-one-more-fail2ban-filter-to-help-catch-spam">[OPTIONAL] Add one more Fail2ban filter to help catch spam</h3>
|
||||
<p>We have a new Fail2ban filter to help catch spam, it will scan HELO rejections
|
||||
in Postfix log file and invoke iptables to ban client IP address.</p>
|
||||
<p>Open file <code>/etc/fail2ban/filters.d/postfix.iredmail.conf</code> or
|
||||
<code>/usr/local/etc/fail2ban/filters.d/postfix.iredmail.conf</code> (on FreeBSD), append
|
||||
below line under <code>[Definition]</code> section:</p>
|
||||
<pre><code> reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
|
||||
</code></pre>
|
||||
|
||||
<p>After modification, the whole content is:</p>
|
||||
<pre><code>[Definition]
|
||||
failregex = \[<HOST>\]: SASL (PLAIN|LOGIN) authentication failed
|
||||
lost connection after AUTH from (.*)\[<HOST>\]
|
||||
reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
|
||||
reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
|
||||
reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
|
||||
reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
|
||||
ignoreregex =
|
||||
</code></pre>
|
||||
|
||||
<p>Restarting Fail2ban service is required.</p>
|
||||
<h2 id="openldap-backend-special">OpenLDAP backend special</h2>
|
||||
<h3 id="fixed-not-backup-sogo-database">Fixed: not backup SOGo database</h3>
|
||||
<p>Note: this step is not applicable if you don't use SOGo groupware.</p>
|
||||
|
|
|
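Review bot: In the `failregex` lines of this moved block, the unanchored `(.*)` directly before `\[<HOST>\]` (for example `reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1`) lets the match slide along the log line, and the `(.*) Helo command rejected` group in the 504 rule is equally loose. These Postfix log lines carry client-supplied strings, so a loose pattern can pick up a bracketed address from the wrong part of the line and ban the wrong host. Prefer a tighter class such as `\S+` for the hostname part and anchor each pattern to the start of the message.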
@ -206,8 +206,8 @@ web server.
|
|||
|
||||
### Apache web server
|
||||
|
||||
SOGo installs config file `/etc/httpd/conf.d/SOGo.conf` by default, please
|
||||
open it and find below lines:
|
||||
* SOGo installs Apache config file `/etc/httpd/conf.d/SOGo.conf` by default,
|
||||
please open it and find below lines:
|
||||
|
||||
```
|
||||
#ProxyPass /Microsoft-Server-ActiveSync \
|
||||
|
@ -223,6 +223,10 @@ ProxyPass /Microsoft-Server-ActiveSync \
|
|||
retry=60 connectiontimeout=5 timeout=360
|
||||
```
|
||||
|
||||
* Find string `yourhostname` in the same file, replace all `yourhostname` by
|
||||
your FQDN server hostname. (Tip: you can get your FQDN hostname with command
|
||||
`hostname -f`.)
|
||||
|
||||
### Nginx web server
|
||||
|
||||
If you're running Nginx web server configured by iRedMail, please open file
|
||||
|
|
|
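Review bot: The new `yourhostname` step stops at the replacement and does not tell the reader to restart or reload Apache afterwards, so the edited `SOGo.conf` is not in effect when they move on to testing. Add that instruction after the bullet, and change "replace all `yourhostname` by" to "replace all `yourhostname` with".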
@ -222,7 +222,7 @@ web server.
|
|||
|
||||
### Apache web server
|
||||
|
||||
SOGo installs config file `/etc/httpd/conf.d/SOGo.conf` by default, please
|
||||
SOGo installs Apache config file `/etc/httpd/conf.d/SOGo.conf` by default, please
|
||||
open it and find below lines:
|
||||
|
||||
```
|
||||
|
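Review bot: This page keeps "SOGo installs Apache config file ..." as a plain paragraph, while the `yourhostname` step added further down in the same file is a bullet; the other SOGo page changed in this commit turns the same sentence into a bullet so that both steps form one list. Use the same structure on both pages.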
@ -239,6 +239,10 @@ ProxyPass /Microsoft-Server-ActiveSync \
|
|||
retry=60 connectiontimeout=5 timeout=360
|
||||
```
|
||||
|
||||
* Find string `yourhostname` in the same file, replace all `yourhostname` by
|
||||
your FQDN server hostname. (Tip: you can get your FQDN hostname with command
|
||||
`hostname -f`.)
|
||||
|
||||
### Nginx web server
|
||||
|
||||
If you're running Nginx web server configured by iRedMail, please open file
|
||||
|
|
|
@ -15,7 +15,9 @@ Below password schemes are supported in iRedAdmin-Pro (which means you can add n
|
|||
* (RECOMMENDED) with a prefix: `{CRYPT}$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250`
|
||||
* without a prefix: `$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250`
|
||||
|
||||
Note: Looks like SOGo requires `{CRYPT}` prefix.
|
||||
__Important note__: SOGo groupware doesn't support MD5 without a prefix, so
|
||||
if you're going to migrate MD5 password hash from old mail server, please
|
||||
prepend `{CRYPT}` prefix in password hash.
|
||||
|
||||
* PLAIN-MD5 (unsalted MD5). e.g. `0d2bf3c712402f428d48fed691850bfc`
|
||||
* SSHA. e.g. `{SSHA}OuCrqL2yWwQIu8a9uvyOQ5V/ZKfL7LJD`
|
||||
|
|
|
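Review bot: "MD5" in the new Important note is ambiguous, because the list item directly below it is `PLAIN-MD5 (unsalted MD5)` while the hashes the note applies to are the `$1$...` ones shown above it. Say "MD5-crypt (`$1$...`) hashes" and "prepend the `{CRYPT}` prefix to the password hash", so nobody tries to put `{CRYPT}` in front of a PLAIN-MD5 hex digest.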
@ -7,11 +7,11 @@ __WARNING: Still working in progress, do _NOT_ apply it.__
|
|||
|
||||
## ChangeLog
|
||||
|
||||
* 2015-02-17: [All backends ] Upgrade Roundcube webmail to the latest stable release
|
||||
* 2015-02-11: [All backends] [__OPTIONAL__] Setup Fail2ban to monitor password failures in SOGo log file.
|
||||
* 2015-02-11: [All backends] Fixed: Cannot run PHP script under web document root with Nginx.
|
||||
* 2015-02-09: [All backends] [__OPTIONAL__] Add one more Fail2ban filter to help catch spam.
|
||||
* 2015-02-04: [All backends] [__OPTIONAL__] Fixed: return receipt response rejected
|
||||
by iRedAPD plugin `reject_null_sender`.
|
||||
* 2015-02-04: [All backends] Fixed: return receipt response rejected by iRedAPD plugin `reject_null_sender`.
|
||||
* 2015-02-02: [All backends] Fixed: Not backup SOGo database. Note: this step
|
||||
is not applicable if you don't use SOGo groupware.
|
||||
* 2015-01-13: [All backends] Fixed: Incorrect path of command `sogo-tool` on OpenBSD.
|
||||
|
@ -53,55 +53,7 @@ After you have additional packages installed, please follow Roundcube official
|
|||
tutorial to upgrade Roundcube webmail to the latest stable release:
|
||||
[How to upgrade Roundcube](http://trac.roundcube.net/wiki/Howto_Upgrade)
|
||||
|
||||
### [__OPTIONAL__] Setup Fail2ban to monitor password failures in SOGo log file
|
||||
|
||||
To improve server security, we'd better block clients which have too many
|
||||
failed login attempts from SOGo.
|
||||
|
||||
Please append below lines in Fail2ban main config file `/etc/fail2ban/jail.local`:
|
||||
|
||||
```
|
||||
[SOGo]
|
||||
enabled = true
|
||||
filter = sogo-auth
|
||||
port = http, https
|
||||
# without proxy this would be:
|
||||
# port = 20000
|
||||
action = iptables-multiport[name=SOGo, port="http,https", protocol=tcp]
|
||||
logpath = /var/log/sogo/sogo.log
|
||||
```
|
||||
|
||||
Restarting Fail2ban service is required.
|
||||
|
||||
### [OPTIONAL] Add one more Fail2ban filter to help catch spam
|
||||
|
||||
We have a new Fail2ban filter to help catch spam, it will scan HELO rejections
|
||||
in Postfix log file and invoke iptables to ban client IP address.
|
||||
|
||||
Open file `/etc/fail2ban/filters.d/postfix.iredmail.conf` or
|
||||
`/usr/local/etc/fail2ban/filters.d/postfix.iredmail.conf` (on FreeBSD), append
|
||||
below line under `[Definition]` section:
|
||||
|
||||
```
|
||||
reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
|
||||
```
|
||||
|
||||
After modification, the whole content is:
|
||||
|
||||
```
|
||||
[Definition]
|
||||
failregex = \[<HOST>\]: SASL (PLAIN|LOGIN) authentication failed
|
||||
lost connection after AUTH from (.*)\[<HOST>\]
|
||||
reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
|
||||
reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
|
||||
reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
|
||||
reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
|
||||
ignoreregex =
|
||||
```
|
||||
|
||||
Restarting Fail2ban service is required.
|
||||
|
||||
### [OPTIONAL] Fixed: return receipt response rejected by iRedAPD plugin `reject_null_sender`
|
||||
### Fixed: return receipt response rejected by iRedAPD plugin `reject_null_sender`
|
||||
|
||||
Note: this is applicable if you want to keep iRedAPD plugin `reject_null_sender`
|
||||
but still able to send return receipt with Roundcube webmail.
|
||||
|
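Review bot: The heading drops `[OPTIONAL]`, but the first sentence under it still reads "Note: this is applicable if you want to keep iRedAPD plugin `reject_null_sender`", which describes a conditional step. Either keep the optional marker or reword the note to say who can skip the step, so the heading and the body agree.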
@ -182,6 +134,54 @@ command and fix it:
|
|||
# crontab -e -u _sogo
|
||||
```
|
||||
|
||||
### [__OPTIONAL__] Setup Fail2ban to monitor password failures in SOGo log file
|
||||
|
||||
To improve server security, we'd better block clients which have too many
|
||||
failed login attempts from SOGo.
|
||||
|
||||
Please append below lines in Fail2ban main config file `/etc/fail2ban/jail.local`:
|
||||
|
||||
```
|
||||
[SOGo]
|
||||
enabled = true
|
||||
filter = sogo-auth
|
||||
port = http, https
|
||||
# without proxy this would be:
|
||||
# port = 20000
|
||||
action = iptables-multiport[name=SOGo, port="http,https", protocol=tcp]
|
||||
logpath = /var/log/sogo/sogo.log
|
||||
```
|
||||
|
||||
Restarting Fail2ban service is required.
|
||||
|
||||
### [OPTIONAL] Add one more Fail2ban filter to help catch spam
|
||||
|
||||
We have a new Fail2ban filter to help catch spam, it will scan HELO rejections
|
||||
in Postfix log file and invoke iptables to ban client IP address.
|
||||
|
||||
Open file `/etc/fail2ban/filters.d/postfix.iredmail.conf` or
|
||||
`/usr/local/etc/fail2ban/filters.d/postfix.iredmail.conf` (on FreeBSD), append
|
||||
below line under `[Definition]` section:
|
||||
|
||||
```
|
||||
reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
|
||||
```
|
||||
|
||||
After modification, the whole content is:
|
||||
|
||||
```
|
||||
[Definition]
|
||||
failregex = \[<HOST>\]: SASL (PLAIN|LOGIN) authentication failed
|
||||
lost connection after AUTH from (.*)\[<HOST>\]
|
||||
reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
|
||||
reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
|
||||
reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
|
||||
reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
|
||||
ignoreregex =
|
||||
```
|
||||
|
||||
Restarting Fail2ban service is required.
|
||||
|
||||
## OpenLDAP backend special
|
||||
|
||||
### Fixed: not backup SOGo database
|
||||
|
|
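Review bot: In the `[SOGo]` jail, the comment `# without proxy this would be:` / `# port = 20000` covers only the `port` line, while the `action` line hard-codes `port="http,https"` as well; a reader who switches `port` to 20000 would still get a ban that applies to ports 80 and 443 only. Mention both places in the comment. The step also references `filter = sogo-auth` without saying where that filter is defined; state whether it ships with Fail2ban or has to be created.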