* Dovecot master user can be non-email.

* Mention to change 'yourhostname' in SOGo config file for Apache.
Zhang Huangbin 2015-02-18 17:37:41 +08:00
parent 1d07a830d9
commit 25eac35f61
10 changed files with 133 additions and 120 deletions

View File

@ -22,12 +22,12 @@ Retype new password: my_master_password
{SSHA512}B0VHomJaMk6aLXOPglgNgJtCUA8JRnOweAwJxRW6NPWSNZ25rG/L6T05DJXH+t8WCQkemBilgkcEi6mq4Kadssivtts=
```
You can now pick up any username you like, for example,
`my_master_user@non-exist.com`. Now add new master user in file
You can now pick up any username you like, for example, `my_master_user`.
Now add new master user in file
`/etc/dovecot/dovecot-master-users-passwords` like below:
```
my_master_user@non-exist.com:{SSHA512}B0VHomJaMk6aLXOPglgNgJtCU...
my_master_user:{SSHA512}B0VHomJaMk6aLXOPglgNgJtCU...
```
WARNING: Make sure file `dovecot-master-users-password` is owned by Dovecot
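Review bot: the WARNING in the trailing context still names the file `dovecot-master-users-password` (singular) while the line just above it tells the reader to edit `/etc/dovecot/dovecot-master-users-passwords` (plural); since this hunk already rewrites the surrounding lines, make the two agree so an admin who copies the path from the warning does not chmod the wrong file. The new entry `my_master_user:{SSHA512}B0VHomJaMk6aLXOPglgNgJtCU...` is otherwise consistent with the hash generated above.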
@ -38,15 +38,9 @@ the file content.
> * on OpenBSD, Dovecot daemon user/group is `_dovecot/_dovecot`.
Then you can access user@domain.ltd's mailbox (via either IMAP or POP3
protocol) as `user@domain.ltd*my_master_user@non-exist.com` with password
protocol) as `user@domain.ltd*my_master_user` with password
`my_master_password`.
Notes:
* master user name must be in valid email address format. e.g. user@domain.com.
this email address doesn't need to exist.
## Troubleshooting
If it doesn't work for you, please enable debug mode in Dovecot and check
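Review bot: the removed Notes block was the only place that said what a master user name may look like; now that the email-format requirement is dropped, replace it with a one-line note stating the new rule (any username, not necessarily an email address) instead of deleting the heading outright, otherwise readers coming from the older text will not know whether `my_master_user@non-exist.com` still works. The login example `user@domain.ltd*my_master_user` also relies on `*` as the master user separator without saying so; a short mention of where that separator is configured in Dovecot would make the example self-explanatory.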

View File

@ -29,10 +29,10 @@ Retype new password: my_master_password
{SSHA512}B0VHomJaMk6aLXOPglgNgJtCUA8JRnOweAwJxRW6NPWSNZ25rG/L6T05DJXH+t8WCQkemBilgkcEi6mq4Kadssivtts=
</code></pre>
<p>You can now pick up any username you like, for example,
<code>my_master_user@non-exist.com</code>. Now add new master user in file
<p>You can now pick up any username you like, for example, <code>my_master_user</code>.
Now add new master user in file
<code>/etc/dovecot/dovecot-master-users-passwords</code> like below:</p>
<pre><code>my_master_user@non-exist.com:{SSHA512}B0VHomJaMk6aLXOPglgNgJtCU...
<pre><code>my_master_user:{SSHA512}B0VHomJaMk6aLXOPglgNgJtCU...
</code></pre>
<p>WARNING: Make sure file <code>dovecot-master-users-password</code> is owned by Dovecot
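Review bot: this is the rendered copy of the markdown change above and it carries the same `dovecot-master-users-password` versus `dovecot-master-users-passwords` mismatch in the WARNING line, so the fix belongs in the markdown source with the HTML regenerated, not patched by hand in both places.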
@ -45,13 +45,8 @@ the file content.</p>
</ul>
</blockquote>
<p>Then you can access user@domain.ltd's mailbox (via either IMAP or POP3
protocol) as <code>user@domain.ltd*my_master_user@non-exist.com</code> with password
protocol) as <code>user@domain.ltd*my_master_user</code> with password
<code>my_master_password</code>.</p>
<p>Notes:</p>
<ul>
<li>master user name must be in valid email address format. e.g. user@domain.com.
this email address doesn't need to exist.</li>
</ul>
<h2 id="troubleshooting">Troubleshooting</h2>
<p>If it doesn't work for you, please enable debug mode in Dovecot and check
its log file. If you don't understand what the log says, please create a new

View File

@ -25,7 +25,9 @@ Dovecot wiki page
<li>(RECOMMENDED) with a prefix: <code>{CRYPT}$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250</code></li>
<li>without a prefix: <code>$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250</code></li>
</ul>
<p>Note: Looks like SOGo requires <code>{CRYPT}</code> prefix.</p>
<p><strong>Important note</strong>: SOGo groupware doesn't support MD5 without a prefix, so
if you're going to migrate MD5 password hash from old mail server, please
prepend <code>{CRYPT}</code> prefix in password hash.</p>
</li>
<li>
<p>PLAIN-MD5 (unsalted MD5). e.g. <code>0d2bf3c712402f428d48fed691850bfc</code></p>
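Review bot: the replaced sentence was hedged ("Looks like SOGo requires `{CRYPT}` prefix") and the new one states flatly that SOGo doesn't support MD5 without a prefix; a statement this firm in a migration note should say where it was confirmed (SOGo documentation or a bug report) and what the failure looks like when an unprefixed hash is used, so admins can recognise it in the logs. It should also say explicitly that the note is about the `$1$...` MD5-CRYPT form shown above, because the very next bullet is PLAIN-MD5 and "MD5 without a prefix" reads as if it could mean either.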

View File

@ -220,8 +220,10 @@ support by removing comment mark of below lines in above configuration:</p>
<p>To access SOGo groupware (webmail/calendar/contact), we need to configure
web server.</p>
<h3 id="apache-web-server">Apache web server</h3>
<p>SOGo installs config file <code>/etc/httpd/conf.d/SOGo.conf</code> by default, please
open it and find below lines:</p>
<ul>
<li>SOGo installs Apache config file <code>/etc/httpd/conf.d/SOGo.conf</code> by default,
please open it and find below lines:</li>
</ul>
<pre><code>#ProxyPass /Microsoft-Server-ActiveSync \
# http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync \
# retry=60 connectiontimeout=5 timeout=360
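Review bot: the `<p>` was turned into a one-item `<ul>` whose `</ul>` closes before the `<pre>` block, so the ActiveSync config snippet is no longer part of the step it illustrates; if the intent is a two-step procedure (edit the proxy lines, then replace `yourhostname`), either nest the `<pre>` inside the `<li>` or keep the paragraph form and make the new hostname instruction a paragraph as well.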
@ -233,6 +235,11 @@ open it and find below lines:</p>
retry=60 connectiontimeout=5 timeout=360
</code></pre>
<ul>
<li>Find string <code>yourhostname</code> in the same file, replace all <code>yourhostname</code> by
your FQDN server hostname. (Tip: you can get your FQDN hostname with command
<code>hostname -f</code>.)</li>
</ul>
<h3 id="nginx-web-server">Nginx web server</h3>
<p>If you're running Nginx web server configured by iRedMail, please open file
<code>/etc/nginx/conf.d/default.conf</code>, add some lines in <code>server {}</code> configured for
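Review bot: the new bullet tells the reader to replace every `yourhostname` but not what the value is used for or what goes wrong when it is left unchanged or set to a name that differs from the one users type into the browser; one sentence on the symptom would save support threads. The `hostname -f` tip should be qualified as a starting point, since the FQDN the OS reports is not always the public name the web server answers on.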

View File

@ -240,7 +240,7 @@ basedn, bind dn/passwordthen in this file, then it's done.</p>
<p>To access SOGo groupware (webmail/calendar/contact), we need to configure
web server.</p>
<h3 id="apache-web-server">Apache web server</h3>
<p>SOGo installs config file <code>/etc/httpd/conf.d/SOGo.conf</code> by default, please
<p>SOGo installs Apache config file <code>/etc/httpd/conf.d/SOGo.conf</code> by default, please
open it and find below lines:</p>
<pre><code>#ProxyPass /Microsoft-Server-ActiveSync \
# http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync \
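Review bot: this file keeps the `<p>` form and only inserts the word "Apache", while the equivalent hunk in the other backend guide converts the same sentence into a `<ul><li>`; the two guides now render the same step differently. Pick one markup for both so the backend-specific docs stay diffable against each other.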
@ -253,6 +253,11 @@ open it and find below lines:</p>
retry=60 connectiontimeout=5 timeout=360
</code></pre>
<ul>
<li>Find string <code>yourhostname</code> in the same file, replace all <code>yourhostname</code> by
your FQDN server hostname. (Tip: you can get your FQDN hostname with command
<code>hostname -f</code>.)</li>
</ul>
<h3 id="nginx-web-server">Nginx web server</h3>
<p>If you're running Nginx web server configured by iRedMail, please open file
<code>/etc/nginx/conf.d/default.conf</code>, add some lines in <code>server {}</code> configured for

View File

@ -17,11 +17,11 @@
<li><a href="#changelog">ChangeLog</a></li>
<li><a href="#general-all-backends-should-apply-these-steps">General (All backends should apply these steps)</a><ul>
<li><a href="#upgrade-roundcube-webmail-to-the-latest-stable-release">Upgrade Roundcube webmail to the latest stable release</a></li>
<li><a href="#optional-setup-fail2ban-to-monitor-password-failures-in-sogo-log-file">[OPTIONAL] Setup Fail2ban to monitor password failures in SOGo log file</a></li>
<li><a href="#optional-add-one-more-fail2ban-filter-to-help-catch-spam">[OPTIONAL] Add one more Fail2ban filter to help catch spam</a></li>
<li><a href="#optional-fixed-return-receipt-response-rejected-by-iredapd-plugin-reject_null_sender">[OPTIONAL] Fixed: return receipt response rejected by iRedAPD plugin reject_null_sender</a></li>
<li><a href="#fixed-return-receipt-response-rejected-by-iredapd-plugin-reject_null_sender">Fixed: return receipt response rejected by iRedAPD plugin reject_null_sender</a></li>
<li><a href="#fixed-cannot-run-php-script-under-web-document-root-with-nginx">Fixed: Cannot run PHP script under web document root with Nginx.</a></li>
<li><a href="#fixed-incorrect-path-of-command-sogo-tool-on-openbsd">Fixed: Incorrect path of command sogo-tool on OpenBSD</a></li>
<li><a href="#optional-setup-fail2ban-to-monitor-password-failures-in-sogo-log-file">[OPTIONAL] Setup Fail2ban to monitor password failures in SOGo log file</a></li>
<li><a href="#optional-add-one-more-fail2ban-filter-to-help-catch-spam">[OPTIONAL] Add one more Fail2ban filter to help catch spam</a></li>
</ul>
</li>
<li><a href="#openldap-backend-special">OpenLDAP backend special</a><ul>
@ -45,11 +45,11 @@
<p><strong>WARNING: Still working in progress, do <em>NOT</em> apply it.</strong></p>
<h2 id="changelog">ChangeLog</h2>
<ul>
<li>2015-02-17: [All backends ] Upgrade Roundcube webmail to the latest stable release</li>
<li>2015-02-11: [All backends] [<strong>OPTIONAL</strong>] Setup Fail2ban to monitor password failures in SOGo log file.</li>
<li>2015-02-11: [All backends] Fixed: Cannot run PHP script under web document root with Nginx.</li>
<li>2015-02-09: [All backends] [<strong>OPTIONAL</strong>] Add one more Fail2ban filter to help catch spam.</li>
<li>2015-02-04: [All backends] [<strong>OPTIONAL</strong>] Fixed: return receipt response rejected
by iRedAPD plugin <code>reject_null_sender</code>.</li>
<li>2015-02-04: [All backends] Fixed: return receipt response rejected by iRedAPD plugin <code>reject_null_sender</code>.</li>
<li>2015-02-02: [All backends] Fixed: Not backup SOGo database. Note: this step
is not applicable if you don't use SOGo groupware.</li>
<li>2015-01-13: [All backends] Fixed: Incorrect path of command <code>sogo-tool</code> on OpenBSD.</li>
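Review bot: in the 2015-02-17 entry `[All backends ]` has a stray space before the closing bracket and the entry lacks the trailing period the other entries carry; both come from the markdown source (`* 2015-02-17: [All backends ] Upgrade Roundcube webmail to the latest stable release`) and will keep reappearing in the rendered HTML until fixed there.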
@ -87,43 +87,7 @@
<p>After you have additional packages installed, please follow Roundcube official
tutorial to upgrade Roundcube webmail to the latest stable release:
<a href="http://trac.roundcube.net/wiki/Howto_Upgrade">How to upgrade Roundcube</a></p>
<h3 id="optional-setup-fail2ban-to-monitor-password-failures-in-sogo-log-file">[<strong>OPTIONAL</strong>] Setup Fail2ban to monitor password failures in SOGo log file</h3>
<p>To improve server security, we'd better block clients which have too many
failed login attempts from SOGo.</p>
<p>Please append below lines in Fail2ban main config file <code>/etc/fail2ban/jail.local</code>:</p>
<pre><code>[SOGo]
enabled = true
filter = sogo-auth
port = http, https
# without proxy this would be:
# port = 20000
action = iptables-multiport[name=SOGo, port=&quot;http,https&quot;, protocol=tcp]
logpath = /var/log/sogo/sogo.log
</code></pre>
<p>Restarting Fail2ban service is required.</p>
<h3 id="optional-add-one-more-fail2ban-filter-to-help-catch-spam">[OPTIONAL] Add one more Fail2ban filter to help catch spam</h3>
<p>We have a new Fail2ban filter to help catch spam, it will scan HELO rejections
in Postfix log file and invoke iptables to ban client IP address.</p>
<p>Open file <code>/etc/fail2ban/filters.d/postfix.iredmail.conf</code> or
<code>/usr/local/etc/fail2ban/filters.d/postfix.iredmail.conf</code> (on FreeBSD), append
below line under <code>[Definition]</code> section:</p>
<pre><code> reject: RCPT from (.*)\[&lt;HOST&gt;\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
</code></pre>
<p>After modification, the whole content is:</p>
<pre><code>[Definition]
failregex = \[&lt;HOST&gt;\]: SASL (PLAIN|LOGIN) authentication failed
lost connection after AUTH from (.*)\[&lt;HOST&gt;\]
reject: RCPT from (.*)\[&lt;HOST&gt;\]: 550 5.1.1
reject: RCPT from (.*)\[&lt;HOST&gt;\]: 450 4.7.1
reject: RCPT from (.*)\[&lt;HOST&gt;\]: 554 5.7.1
reject: RCPT from (.*)\[&lt;HOST&gt;\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
ignoreregex =
</code></pre>
<p>Restarting Fail2ban service is required.</p>
<h3 id="optional-fixed-return-receipt-response-rejected-by-iredapd-plugin-reject_null_sender">[OPTIONAL] Fixed: return receipt response rejected by iRedAPD plugin <code>reject_null_sender</code></h3>
<h3 id="fixed-return-receipt-response-rejected-by-iredapd-plugin-reject_null_sender">Fixed: return receipt response rejected by iRedAPD plugin <code>reject_null_sender</code></h3>
<p>Note: this is applicable if you want to keep iRedAPD plugin <code>reject_null_sender</code>
but still able to send return receipt with Roundcube webmail.</p>
<p>According to RFC2298, return receipt envelope sender address must be empty. If
@ -195,6 +159,42 @@ command and fix it:</p>
<pre><code># crontab -e -u _sogo
</code></pre>
<h3 id="optional-setup-fail2ban-to-monitor-password-failures-in-sogo-log-file">[<strong>OPTIONAL</strong>] Setup Fail2ban to monitor password failures in SOGo log file</h3>
<p>To improve server security, we'd better block clients which have too many
failed login attempts from SOGo.</p>
<p>Please append below lines in Fail2ban main config file <code>/etc/fail2ban/jail.local</code>:</p>
<pre><code>[SOGo]
enabled = true
filter = sogo-auth
port = http, https
# without proxy this would be:
# port = 20000
action = iptables-multiport[name=SOGo, port=&quot;http,https&quot;, protocol=tcp]
logpath = /var/log/sogo/sogo.log
</code></pre>
<p>Restarting Fail2ban service is required.</p>
<h3 id="optional-add-one-more-fail2ban-filter-to-help-catch-spam">[OPTIONAL] Add one more Fail2ban filter to help catch spam</h3>
<p>We have a new Fail2ban filter to help catch spam, it will scan HELO rejections
in Postfix log file and invoke iptables to ban client IP address.</p>
<p>Open file <code>/etc/fail2ban/filters.d/postfix.iredmail.conf</code> or
<code>/usr/local/etc/fail2ban/filters.d/postfix.iredmail.conf</code> (on FreeBSD), append
below line under <code>[Definition]</code> section:</p>
<pre><code> reject: RCPT from (.*)\[&lt;HOST&gt;\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
</code></pre>
<p>After modification, the whole content is:</p>
<pre><code>[Definition]
failregex = \[&lt;HOST&gt;\]: SASL (PLAIN|LOGIN) authentication failed
lost connection after AUTH from (.*)\[&lt;HOST&gt;\]
reject: RCPT from (.*)\[&lt;HOST&gt;\]: 550 5.1.1
reject: RCPT from (.*)\[&lt;HOST&gt;\]: 450 4.7.1
reject: RCPT from (.*)\[&lt;HOST&gt;\]: 554 5.7.1
reject: RCPT from (.*)\[&lt;HOST&gt;\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
ignoreregex =
</code></pre>
<p>Restarting Fail2ban service is required.</p>
<h2 id="openldap-backend-special">OpenLDAP backend special</h2>
<h3 id="fixed-not-backup-sogo-database">Fixed: not backup SOGo database</h3>
<p>Note: this step is not applicable if you don't use SOGo groupware.</p>
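Review bot: the SOGo jail added here sets `filter = sogo-auth`, but no step in this section creates or points to a `sogo-auth` filter definition, and the jail cannot start without one; either add the filter or state that the installation already ships it. The jail config path is given only as `/etc/fail2ban/jail.local`, while the spam filter step right below also lists a `/usr/local/etc/fail2ban/...` path for FreeBSD; the same alternative should appear here, and `logpath = /var/log/sogo/sogo.log` likewise needs a BSD variant given that this guide covers OpenBSD (`crontab -e -u _sogo`). The filter directory is written `filters.d` in the spam step; worth checking that name against the actual directory on an installed system before this ships.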

View File

@ -206,8 +206,8 @@ web server.
### Apache web server
SOGo installs config file `/etc/httpd/conf.d/SOGo.conf` by default, please
open it and find below lines:
* SOGo installs Apache config file `/etc/httpd/conf.d/SOGo.conf` by default,
please open it and find below lines:
```
#ProxyPass /Microsoft-Server-ActiveSync \
@ -223,6 +223,10 @@ ProxyPass /Microsoft-Server-ActiveSync \
retry=60 connectiontimeout=5 timeout=360
```
* Find string `yourhostname` in the same file, replace all `yourhostname` by
your FQDN server hostname. (Tip: you can get your FQDN hostname with command
`hostname -f`.)
### Nginx web server
If you're running Nginx web server configured by iRedMail, please open file
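Review bot: in the markdown source the new bullet is followed by a fence at column 0, which terminates the list before the code block; if the snippet belongs to the bullet, indent the fence and its contents under it, otherwise keep the original paragraph form. The rendered HTML above shows the effect (a closed `</ul>` followed by a detached `<pre>`).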

View File

@ -222,7 +222,7 @@ web server.
### Apache web server
SOGo installs config file `/etc/httpd/conf.d/SOGo.conf` by default, please
SOGo installs Apache config file `/etc/httpd/conf.d/SOGo.conf` by default, please
open it and find below lines:
```
@ -239,6 +239,10 @@ ProxyPass /Microsoft-Server-ActiveSync \
retry=60 connectiontimeout=5 timeout=360
```
* Find string `yourhostname` in the same file, replace all `yourhostname` by
your FQDN server hostname. (Tip: you can get your FQDN hostname with command
`hostname -f`.)
### Nginx web server
If you're running Nginx web server configured by iRedMail, please open file

View File

@ -15,7 +15,9 @@ Below password schemes are supported in iRedAdmin-Pro (which means you can add n
* (RECOMMENDED) with a prefix: `{CRYPT}$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250`
* without a prefix: `$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250`
Note: Looks like SOGo requires `{CRYPT}` prefix.
__Important note__: SOGo groupware doesn't support MD5 without a prefix, so
if you're going to migrate MD5 password hash from old mail server, please
prepend `{CRYPT}` prefix in password hash.
* PLAIN-MD5 (unsalted MD5). e.g. `0d2bf3c712402f428d48fed691850bfc`
* SSHA. e.g. `{SSHA}OuCrqL2yWwQIu8a9uvyOQ5V/ZKfL7LJD`

View File

@ -7,11 +7,11 @@ __WARNING: Still working in progress, do _NOT_ apply it.__
## ChangeLog
* 2015-02-17: [All backends ] Upgrade Roundcube webmail to the latest stable release
* 2015-02-11: [All backends] [__OPTIONAL__] Setup Fail2ban to monitor password failures in SOGo log file.
* 2015-02-11: [All backends] Fixed: Cannot run PHP script under web document root with Nginx.
* 2015-02-09: [All backends] [__OPTIONAL__] Add one more Fail2ban filter to help catch spam.
* 2015-02-04: [All backends] [__OPTIONAL__] Fixed: return receipt response rejected
by iRedAPD plugin `reject_null_sender`.
* 2015-02-04: [All backends] Fixed: return receipt response rejected by iRedAPD plugin `reject_null_sender`.
* 2015-02-02: [All backends] Fixed: Not backup SOGo database. Note: this step
is not applicable if you don't use SOGo groupware.
* 2015-01-13: [All backends] Fixed: Incorrect path of command `sogo-tool` on OpenBSD.
@ -53,55 +53,7 @@ After you have additional packages installed, please follow Roundcube official
tutorial to upgrade Roundcube webmail to the latest stable release:
[How to upgrade Roundcube](http://trac.roundcube.net/wiki/Howto_Upgrade)
### [__OPTIONAL__] Setup Fail2ban to monitor password failures in SOGo log file
To improve server security, we'd better block clients which have too many
failed login attempts from SOGo.
Please append below lines in Fail2ban main config file `/etc/fail2ban/jail.local`:
```
[SOGo]
enabled = true
filter = sogo-auth
port = http, https
# without proxy this would be:
# port = 20000
action = iptables-multiport[name=SOGo, port="http,https", protocol=tcp]
logpath = /var/log/sogo/sogo.log
```
Restarting Fail2ban service is required.
### [OPTIONAL] Add one more Fail2ban filter to help catch spam
We have a new Fail2ban filter to help catch spam, it will scan HELO rejections
in Postfix log file and invoke iptables to ban client IP address.
Open file `/etc/fail2ban/filters.d/postfix.iredmail.conf` or
`/usr/local/etc/fail2ban/filters.d/postfix.iredmail.conf` (on FreeBSD), append
below line under `[Definition]` section:
```
reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
```
After modification, the whole content is:
```
[Definition]
failregex = \[<HOST>\]: SASL (PLAIN|LOGIN) authentication failed
lost connection after AUTH from (.*)\[<HOST>\]
reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
ignoreregex =
```
Restarting Fail2ban service is required.
### [OPTIONAL] Fixed: return receipt response rejected by iRedAPD plugin `reject_null_sender`
### Fixed: return receipt response rejected by iRedAPD plugin `reject_null_sender`
Note: this is applicable if you want to keep iRedAPD plugin `reject_null_sender`
but still able to send return receipt with Roundcube webmail.
@ -182,6 +134,54 @@ command and fix it:
# crontab -e -u _sogo
```
### [__OPTIONAL__] Setup Fail2ban to monitor password failures in SOGo log file
To improve server security, we'd better block clients which have too many
failed login attempts from SOGo.
Please append below lines in Fail2ban main config file `/etc/fail2ban/jail.local`:
```
[SOGo]
enabled = true
filter = sogo-auth
port = http, https
# without proxy this would be:
# port = 20000
action = iptables-multiport[name=SOGo, port="http,https", protocol=tcp]
logpath = /var/log/sogo/sogo.log
```
Restarting Fail2ban service is required.
### [OPTIONAL] Add one more Fail2ban filter to help catch spam
We have a new Fail2ban filter to help catch spam, it will scan HELO rejections
in Postfix log file and invoke iptables to ban client IP address.
Open file `/etc/fail2ban/filters.d/postfix.iredmail.conf` or
`/usr/local/etc/fail2ban/filters.d/postfix.iredmail.conf` (on FreeBSD), append
below line under `[Definition]` section:
```
reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
```
After modification, the whole content is:
```
[Definition]
failregex = \[<HOST>\]: SASL (PLAIN|LOGIN) authentication failed
lost connection after AUTH from (.*)\[<HOST>\]
reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
ignoreregex =
```
Restarting Fail2ban service is required.
## OpenLDAP backend special
### Fixed: not backup SOGo database
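Review bot: in the relocated spam filter, the appended `reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname` line must be indented under `failregex =` like the other continuation lines; Fail2ban reads the file as INI, so a non-indented line is parsed as a new key and the pattern is silently dropped from the multi-line regex. The rendered HTML shows a leading space only on the single-line snippet and none on the full listing, so please confirm the leading whitespace survived in the source file and, ideally, add a sentence telling the reader to keep it.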