diff --git a/howto/dovecot.master.user.md b/howto/dovecot.master.user.md index e7815ae9..f48e0f1e 100644 --- a/howto/dovecot.master.user.md +++ b/howto/dovecot.master.user.md @@ -22,12 +22,12 @@ Retype new password: my_master_password {SSHA512}B0VHomJaMk6aLXOPglgNgJtCUA8JRnOweAwJxRW6NPWSNZ25rG/L6T05DJXH+t8WCQkemBilgkcEi6mq4Kadssivtts= ``` -You can now pick up any username you like, for example, -`my_master_user@non-exist.com`. Now add new master user in file +You can now pick up any username you like, for example, `my_master_user`. +Now add new master user in file `/etc/dovecot/dovecot-master-users-passwords` like below: ``` -my_master_user@non-exist.com:{SSHA512}B0VHomJaMk6aLXOPglgNgJtCU... +my_master_user:{SSHA512}B0VHomJaMk6aLXOPglgNgJtCU... ``` WARNING: Make sure file `dovecot-master-users-password` is owned by Dovecot @@ -38,15 +38,9 @@ the file content. > * on OpenBSD, Dovecot daemon user/group is `_dovecot/_dovecot`. Then you can access user@domain.ltd's mailbox (via either IMAP or POP3 -protocol) as `user@domain.ltd*my_master_user@non-exist.com` with password +protocol) as `user@domain.ltd*my_master_user` with password `my_master_password`. - -Notes: - -* master user name must be in valid email address format. e.g. user@domain.com. - this email address doesn't need to exist. - ## Troubleshooting If it doesn't work for you, please enable debug mode in Dovecot and check diff --git a/html/dovecot.master.user.html b/html/dovecot.master.user.html index d125d29d..dbd8dc1a 100644 --- a/html/dovecot.master.user.html +++ b/html/dovecot.master.user.html @@ -29,10 +29,10 @@ Retype new password: my_master_password {SSHA512}B0VHomJaMk6aLXOPglgNgJtCUA8JRnOweAwJxRW6NPWSNZ25rG/L6T05DJXH+t8WCQkemBilgkcEi6mq4Kadssivtts= -
You can now pick up any username you like, for example,
-my_master_user@non-exist.com
. Now add new master user in file
+
You can now pick up any username you like, for example, my_master_user
.
+Now add new master user in file
/etc/dovecot/dovecot-master-users-passwords
like below:
my_master_user@non-exist.com:{SSHA512}B0VHomJaMk6aLXOPglgNgJtCU...
+my_master_user:{SSHA512}B0VHomJaMk6aLXOPglgNgJtCU...
WARNING: Make sure file dovecot-master-users-password
is owned by Dovecot
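Review bot: The WARNING context line at the end of this hunk names the file `dovecot-master-users-password`, but the path the reader was just told to edit is `/etc/dovecot/dovecot-master-users-passwords`, with a trailing `s`. Since this hunk already touches the paragraph, fix the name in the WARNING so the ownership check is applied to the file that actually holds the master password hash. The same text is in `howto/dovecot.master.user.md`, which is where the correction belongs.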
@@ -45,13 +45,8 @@ the file content.
Then you can access user@domain.ltd's mailbox (via either IMAP or POP3
-protocol) as user@domain.ltd*my_master_user@non-exist.com
with password
+protocol) as user@domain.ltd*my_master_user
with password
my_master_password
.
-Notes:
-
-- master user name must be in valid email address format. e.g. user@domain.com.
- this email address doesn't need to exist.
-
Troubleshooting
If it doesn't work for you, please enable debug mode in Dovecot and check
its log file. If you don't understand what the log says, please create a new
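Review bot: Dropping the `Notes:` block and switching the login example to `user@domain.ltd*my_master_user` removes the stated requirement that the master user name be in email address format, and nothing in the text says why a bare name is now accepted. Add one sentence saying whether existing `name@domain` entries in the master password file keep working, so readers who followed the earlier instructions know whether to change anything. This login gives access to another user's mailbox, so the page should leave no doubt about which login string is valid.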
diff --git a/html/password.hashes.html b/html/password.hashes.html
index 7be8a8da..523b83e3 100644
--- a/html/password.hashes.html
+++ b/html/password.hashes.html
@@ -25,7 +25,9 @@ Dovecot wiki page
(RECOMMENDED) with a prefix: {CRYPT}$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250
without a prefix: $1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250
-Note: Looks like SOGo requires {CRYPT}
prefix.
+Important note: SOGo groupware doesn't support MD5 without a prefix, so
+if you're going to migrate MD5 password hash from old mail server, please
+prepend {CRYPT}
prefix in password hash.
PLAIN-MD5 (unsalted MD5). e.g. 0d2bf3c712402f428d48fed691850bfc
diff --git a/html/sogo-centos-6-mysql.html b/html/sogo-centos-6-mysql.html
index 372c06ec..47d19946 100644
--- a/html/sogo-centos-6-mysql.html
+++ b/html/sogo-centos-6-mysql.html
@@ -220,8 +220,10 @@ support by removing comment mark of below lines in above configuration:
To access SOGo groupware (webmail/calendar/contact), we need to configure
web server.
Apache web server
-SOGo installs config file /etc/httpd/conf.d/SOGo.conf
by default, please
-open it and find below lines:
+
+- SOGo installs Apache config file
/etc/httpd/conf.d/SOGo.conf
by default,
+please open it and find below lines:
+
#ProxyPass /Microsoft-Server-ActiveSync \
# http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync \
# retry=60 connectiontimeout=5 timeout=360
@@ -233,6 +235,11 @@ open it and find below lines:
retry=60 connectiontimeout=5 timeout=360
+
+- Find string
yourhostname
in the same file, replace all yourhostname
by
+your FQDN server hostname. (Tip: you can get your FQDN hostname with command
+hostname -f
.)
+
Nginx web server
If you're running Nginx web server configured by iRedMail, please open file
/etc/nginx/conf.d/default.conf
, add some lines in server {}
configured for
diff --git a/html/sogo-centos-6-openldap.html b/html/sogo-centos-6-openldap.html
index 471bd253..afae7f3d 100644
--- a/html/sogo-centos-6-openldap.html
+++ b/html/sogo-centos-6-openldap.html
@@ -240,7 +240,7 @@ basedn, bind dn/passwordthen in this file, then it's done.
To access SOGo groupware (webmail/calendar/contact), we need to configure
web server.
Apache web server
-SOGo installs config file /etc/httpd/conf.d/SOGo.conf
by default, please
+
SOGo installs Apache config file /etc/httpd/conf.d/SOGo.conf
by default, please
open it and find below lines:
#ProxyPass /Microsoft-Server-ActiveSync \
# http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync \
@@ -253,6 +253,11 @@ open it and find below lines:
retry=60 connectiontimeout=5 timeout=360
+
+- Find string
yourhostname
in the same file, replace all yourhostname
by
+your FQDN server hostname. (Tip: you can get your FQDN hostname with command
+hostname -f
.)
+
Nginx web server
If you're running Nginx web server configured by iRedMail, please open file
/etc/nginx/conf.d/default.conf
, add some lines in server {}
configured for
diff --git a/html/upgrade.iredmail.0.9.0-0.9.1.html b/html/upgrade.iredmail.0.9.0-0.9.1.html
index 8e73a3d0..62cb2707 100644
--- a/html/upgrade.iredmail.0.9.0-0.9.1.html
+++ b/html/upgrade.iredmail.0.9.0-0.9.1.html
@@ -17,11 +17,11 @@
ChangeLog
General (All backends should apply these steps)
- Upgrade Roundcube webmail to the latest stable release
-- [OPTIONAL] Setup Fail2ban to monitor password failures in SOGo log file
-- [OPTIONAL] Add one more Fail2ban filter to help catch spam
-- [OPTIONAL] Fixed: return receipt response rejected by iRedAPD plugin reject_null_sender
+- Fixed: return receipt response rejected by iRedAPD plugin reject_null_sender
- Fixed: Cannot run PHP script under web document root with Nginx.
- Fixed: Incorrect path of command sogo-tool on OpenBSD
+- [OPTIONAL] Setup Fail2ban to monitor password failures in SOGo log file
+- [OPTIONAL] Add one more Fail2ban filter to help catch spam
OpenLDAP backend special
@@ -45,11 +45,11 @@
WARNING: Still working in progress, do NOT apply it.
ChangeLog
+- 2015-02-17: [All backends ] Upgrade Roundcube webmail to the latest stable release
- 2015-02-11: [All backends] [OPTIONAL] Setup Fail2ban to monitor password failures in SOGo log file.
- 2015-02-11: [All backends] Fixed: Cannot run PHP script under web document root with Nginx.
- 2015-02-09: [All backends] [OPTIONAL] Add one more Fail2ban filter to help catch spam.
-- 2015-02-04: [All backends] [OPTIONAL] Fixed: return receipt response rejected
- by iRedAPD plugin
reject_null_sender
.
+- 2015-02-04: [All backends] Fixed: return receipt response rejected by iRedAPD plugin
reject_null_sender
.
- 2015-02-02: [All backends] Fixed: Not backup SOGo database. Note: this step
is not applicable if you don't use SOGo groupware.
- 2015-01-13: [All backends] Fixed: Incorrect path of command
sogo-tool
on OpenBSD.
@@ -87,43 +87,7 @@
After you have additional packages installed, please follow Roundcube official
tutorial to upgrade Roundcube webmail to the latest stable release:
How to upgrade Roundcube
-[OPTIONAL] Setup Fail2ban to monitor password failures in SOGo log file
-To improve server security, we'd better block clients which have too many
-failed login attempts from SOGo.
-Please append below lines in Fail2ban main config file /etc/fail2ban/jail.local
:
-
[SOGo]
-enabled = true
-filter = sogo-auth
-port = http, https
-# without proxy this would be:
-# port = 20000
-action = iptables-multiport[name=SOGo, port="http,https", protocol=tcp]
-logpath = /var/log/sogo/sogo.log
-
-
-Restarting Fail2ban service is required.
-[OPTIONAL] Add one more Fail2ban filter to help catch spam
-We have a new Fail2ban filter to help catch spam, it will scan HELO rejections
-in Postfix log file and invoke iptables to ban client IP address.
-Open file /etc/fail2ban/filters.d/postfix.iredmail.conf
or
-/usr/local/etc/fail2ban/filters.d/postfix.iredmail.conf
(on FreeBSD), append
-below line under [Definition]
section:
- reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
-
-
-After modification, the whole content is:
-[Definition]
-failregex = \[<HOST>\]: SASL (PLAIN|LOGIN) authentication failed
- lost connection after AUTH from (.*)\[<HOST>\]
- reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
- reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
- reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
- reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
-ignoreregex =
-
-
-Restarting Fail2ban service is required.
-[OPTIONAL] Fixed: return receipt response rejected by iRedAPD plugin reject_null_sender
+Fixed: return receipt response rejected by iRedAPD plugin reject_null_sender
Note: this is applicable if you want to keep iRedAPD plugin reject_null_sender
but still able to send return receipt with Roundcube webmail.
According to RFC2298, return receipt envelope sender address must be empty. If
@@ -195,6 +159,42 @@ command and fix it:
# crontab -e -u _sogo
+[OPTIONAL] Setup Fail2ban to monitor password failures in SOGo log file
+To improve server security, we'd better block clients which have too many
+failed login attempts from SOGo.
+Please append below lines in Fail2ban main config file /etc/fail2ban/jail.local
:
+[SOGo]
+enabled = true
+filter = sogo-auth
+port = http, https
+# without proxy this would be:
+# port = 20000
+action = iptables-multiport[name=SOGo, port="http,https", protocol=tcp]
+logpath = /var/log/sogo/sogo.log
+
+
+Restarting Fail2ban service is required.
+[OPTIONAL] Add one more Fail2ban filter to help catch spam
+We have a new Fail2ban filter to help catch spam, it will scan HELO rejections
+in Postfix log file and invoke iptables to ban client IP address.
+Open file /etc/fail2ban/filters.d/postfix.iredmail.conf
or
+/usr/local/etc/fail2ban/filters.d/postfix.iredmail.conf
(on FreeBSD), append
+below line under [Definition]
section:
+ reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
+
+
+After modification, the whole content is:
+[Definition]
+failregex = \[<HOST>\]: SASL (PLAIN|LOGIN) authentication failed
+ lost connection after AUTH from (.*)\[<HOST>\]
+ reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
+ reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
+ reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
+ reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
+ignoreregex =
+
+
+Restarting Fail2ban service is required.
OpenLDAP backend special
Fixed: not backup SOGo database
Note: this step is not applicable if you don't use SOGo groupware.
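Review bot: Several of the `failregex` lines moved here are unanchored and put a greedy `(.*)` directly in front of `\[<HOST>\]`, so the captured address is the last bracketed value in the log line that lets the pattern match, not necessarily the client field Postfix writes after `RCPT from`. Since the section is being relocated anyway, tighten the patterns: replace the hostname wildcard with `\S+`, as in `reject: RCPT from \S+\[<HOST>\]: 504 5.5.2 `, and start each pattern at a fixed token. The rest of the log line carries client-supplied values, so the filter should not let that text take part in the host match.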
diff --git a/integrations/0-sogo-centos-6-mysql.md b/integrations/0-sogo-centos-6-mysql.md
index 5085bf73..932979a9 100644
--- a/integrations/0-sogo-centos-6-mysql.md
+++ b/integrations/0-sogo-centos-6-mysql.md
@@ -206,8 +206,8 @@ web server.
### Apache web server
-SOGo installs config file `/etc/httpd/conf.d/SOGo.conf` by default, please
-open it and find below lines:
+* SOGo installs Apache config file `/etc/httpd/conf.d/SOGo.conf` by default,
+please open it and find below lines:
```
#ProxyPass /Microsoft-Server-ActiveSync \
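Review bot: The fenced block that follows the new `*` item starts at column 0, so it renders outside the list item, and the `* Find string ...` item added in the next hunk then begins a second list. Indent the fence (and the continuation line `please open it and find below lines:`) under the bullet, or number the steps, so both steps render as one list.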
@@ -223,6 +223,10 @@ ProxyPass /Microsoft-Server-ActiveSync \
retry=60 connectiontimeout=5 timeout=360
```
+* Find string `yourhostname` in the same file, replace all `yourhostname` by
+your FQDN server hostname. (Tip: you can get your FQDN hostname with command
+`hostname -f`.)
+
### Nginx web server
If you're running Nginx web server configured by iRedMail, please open file
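Review bot: The tip in the new `yourhostname` step assumes `hostname -f` prints a fully qualified name, which holds only when the host's name resolution is set up; where it prints a short name, the substituted value will not be the FQDN the step asks for. Say to check that the output contains a domain part before using it, and mention reloading Apache after editing the file if that is not covered later in the guide.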
diff --git a/integrations/0-sogo-centos-6-openldap.md b/integrations/0-sogo-centos-6-openldap.md
index 40bf5819..4b86134e 100644
--- a/integrations/0-sogo-centos-6-openldap.md
+++ b/integrations/0-sogo-centos-6-openldap.md
@@ -222,7 +222,7 @@ web server.
### Apache web server
-SOGo installs config file `/etc/httpd/conf.d/SOGo.conf` by default, please
+SOGo installs Apache config file `/etc/httpd/conf.d/SOGo.conf` by default, please
open it and find below lines:
```
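Review bot: This replacement line leaves the sentence as a plain paragraph, while the MySQL guide in the same commit turns it into a `*` list item and the next hunk in this file adds a `* Find string ...` item after the code block. Make the first step a `*` item here too, so the two guides stay in step and the new bullet is not a one-item list.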
@@ -239,6 +239,10 @@ ProxyPass /Microsoft-Server-ActiveSync \
retry=60 connectiontimeout=5 timeout=360
```
+* Find string `yourhostname` in the same file, replace all `yourhostname` by
+your FQDN server hostname. (Tip: you can get your FQDN hostname with command
+`hostname -f`.)
+
### Nginx web server
If you're running Nginx web server configured by iRedMail, please open file
diff --git a/migrations/password.hashes.md b/migrations/password.hashes.md
index c327a4e8..5a60c3c6 100644
--- a/migrations/password.hashes.md
+++ b/migrations/password.hashes.md
@@ -15,7 +15,9 @@ Below password schemes are supported in iRedAdmin-Pro (which means you can add n
* (RECOMMENDED) with a prefix: `{CRYPT}$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250`
* without a prefix: `$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250`
- Note: Looks like SOGo requires `{CRYPT}` prefix.
+ __Important note__: SOGo groupware doesn't support MD5 without a prefix, so
+ if you're going to migrate MD5 password hash from old mail server, please
+ prepend `{CRYPT}` prefix in password hash.
* PLAIN-MD5 (unsalted MD5). e.g. `0d2bf3c712402f428d48fed691850bfc`
* SSHA. e.g. `{SSHA}OuCrqL2yWwQIu8a9uvyOQ5V/ZKfL7LJD`
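Review bot: "MD5 without a prefix" in the new note is ambiguous, because the list continues with `PLAIN-MD5 (unsalted MD5)` as a separate scheme. Say explicitly that the note refers to the salted `$1$...` form shown in the two items above it. Also reword "prepend `{CRYPT}` prefix in password hash" to "prepend the `{CRYPT}` prefix to the password hash".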
diff --git a/upgrade/0-upgrade.iredmail.0.9.0-0.9.1.md b/upgrade/0-upgrade.iredmail.0.9.0-0.9.1.md
index 12db68da..8b6f4344 100644
--- a/upgrade/0-upgrade.iredmail.0.9.0-0.9.1.md
+++ b/upgrade/0-upgrade.iredmail.0.9.0-0.9.1.md
@@ -7,11 +7,11 @@ __WARNING: Still working in progress, do _NOT_ apply it.__
## ChangeLog
+* 2015-02-17: [All backends ] Upgrade Roundcube webmail to the latest stable release
* 2015-02-11: [All backends] [__OPTIONAL__] Setup Fail2ban to monitor password failures in SOGo log file.
* 2015-02-11: [All backends] Fixed: Cannot run PHP script under web document root with Nginx.
* 2015-02-09: [All backends] [__OPTIONAL__] Add one more Fail2ban filter to help catch spam.
-* 2015-02-04: [All backends] [__OPTIONAL__] Fixed: return receipt response rejected
- by iRedAPD plugin `reject_null_sender`.
+* 2015-02-04: [All backends] Fixed: return receipt response rejected by iRedAPD plugin `reject_null_sender`.
* 2015-02-02: [All backends] Fixed: Not backup SOGo database. Note: this step
is not applicable if you don't use SOGo groupware.
* 2015-01-13: [All backends] Fixed: Incorrect path of command `sogo-tool` on OpenBSD.
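Review bot: The new ChangeLog entry has a stray space inside the tag, `[All backends ]`, and no trailing period, unlike the dated entries below it. Use `[All backends]` and end the line with a period; the `html/` page in this commit carries the same text.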
@@ -53,55 +53,7 @@ After you have additional packages installed, please follow Roundcube official
tutorial to upgrade Roundcube webmail to the latest stable release:
[How to upgrade Roundcube](http://trac.roundcube.net/wiki/Howto_Upgrade)
-### [__OPTIONAL__] Setup Fail2ban to monitor password failures in SOGo log file
-
-To improve server security, we'd better block clients which have too many
-failed login attempts from SOGo.
-
-Please append below lines in Fail2ban main config file `/etc/fail2ban/jail.local`:
-
-```
-[SOGo]
-enabled = true
-filter = sogo-auth
-port = http, https
-# without proxy this would be:
-# port = 20000
-action = iptables-multiport[name=SOGo, port="http,https", protocol=tcp]
-logpath = /var/log/sogo/sogo.log
-```
-
-Restarting Fail2ban service is required.
-
-### [OPTIONAL] Add one more Fail2ban filter to help catch spam
-
-We have a new Fail2ban filter to help catch spam, it will scan HELO rejections
-in Postfix log file and invoke iptables to ban client IP address.
-
-Open file `/etc/fail2ban/filters.d/postfix.iredmail.conf` or
-`/usr/local/etc/fail2ban/filters.d/postfix.iredmail.conf` (on FreeBSD), append
-below line under `[Definition]` section:
-
-```
- reject: RCPT from (.*)\[\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
-```
-
-After modification, the whole content is:
-
-```
-[Definition]
-failregex = \[\]: SASL (PLAIN|LOGIN) authentication failed
- lost connection after AUTH from (.*)\[\]
- reject: RCPT from (.*)\[\]: 550 5.1.1
- reject: RCPT from (.*)\[\]: 450 4.7.1
- reject: RCPT from (.*)\[\]: 554 5.7.1
- reject: RCPT from (.*)\[\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
-ignoreregex =
-```
-
-Restarting Fail2ban service is required.
-
-### [OPTIONAL] Fixed: return receipt response rejected by iRedAPD plugin `reject_null_sender`
+### Fixed: return receipt response rejected by iRedAPD plugin `reject_null_sender`
Note: this is applicable if you want to keep iRedAPD plugin `reject_null_sender`
but still able to send return receipt with Roundcube webmail.
@@ -182,6 +134,54 @@ command and fix it:
# crontab -e -u _sogo
```
+### [__OPTIONAL__] Setup Fail2ban to monitor password failures in SOGo log file
+
+To improve server security, we'd better block clients which have too many
+failed login attempts from SOGo.
+
+Please append below lines in Fail2ban main config file `/etc/fail2ban/jail.local`:
+
+```
+[SOGo]
+enabled = true
+filter = sogo-auth
+port = http, https
+# without proxy this would be:
+# port = 20000
+action = iptables-multiport[name=SOGo, port="http,https", protocol=tcp]
+logpath = /var/log/sogo/sogo.log
+```
+
+Restarting Fail2ban service is required.
+
+### [OPTIONAL] Add one more Fail2ban filter to help catch spam
+
+We have a new Fail2ban filter to help catch spam, it will scan HELO rejections
+in Postfix log file and invoke iptables to ban client IP address.
+
+Open file `/etc/fail2ban/filters.d/postfix.iredmail.conf` or
+`/usr/local/etc/fail2ban/filters.d/postfix.iredmail.conf` (on FreeBSD), append
+below line under `[Definition]` section:
+
+```
+ reject: RCPT from (.*)\[\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
+```
+
+After modification, the whole content is:
+
+```
+[Definition]
+failregex = \[\]: SASL (PLAIN|LOGIN) authentication failed
+ lost connection after AUTH from (.*)\[\]
+ reject: RCPT from (.*)\[\]: 550 5.1.1
+ reject: RCPT from (.*)\[\]: 450 4.7.1
+ reject: RCPT from (.*)\[\]: 554 5.7.1
+ reject: RCPT from (.*)\[\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
+ignoreregex =
+```
+
+Restarting Fail2ban service is required.
+
## OpenLDAP backend special
### Fixed: not backup SOGo database
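Review bot: In this markdown hunk every `failregex` line reads `\[\]` with nothing between the brackets, while the `html/` rendering in the same commit has `\[<HOST>\]`. Without the `<HOST>` tag Fail2ban has no address to extract from a match, so confirm the source file keeps `<HOST>` inside the code fences before merging. The two added headings are also tagged differently, `[__OPTIONAL__]` and `[OPTIONAL]`; pick one form.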