diff --git a/howto/dovecot.master.user.md b/howto/dovecot.master.user.md index e7815ae9..f48e0f1e 100644 --- a/howto/dovecot.master.user.md +++ b/howto/dovecot.master.user.md @@ -22,12 +22,12 @@ Retype new password: my_master_password {SSHA512}B0VHomJaMk6aLXOPglgNgJtCUA8JRnOweAwJxRW6NPWSNZ25rG/L6T05DJXH+t8WCQkemBilgkcEi6mq4Kadssivtts= ``` -You can now pick up any username you like, for example, -`my_master_user@non-exist.com`. Now add new master user in file +You can now pick up any username you like, for example, `my_master_user`. +Now add new master user in file `/etc/dovecot/dovecot-master-users-passwords` like below: ``` -my_master_user@non-exist.com:{SSHA512}B0VHomJaMk6aLXOPglgNgJtCU... +my_master_user:{SSHA512}B0VHomJaMk6aLXOPglgNgJtCU... ``` WARNING: Make sure file `dovecot-master-users-password` is owned by Dovecot @@ -38,15 +38,9 @@ the file content. > * on OpenBSD, Dovecot daemon user/group is `_dovecot/_dovecot`. Then you can access user@domain.ltd's mailbox (via either IMAP or POP3 -protocol) as `user@domain.ltd*my_master_user@non-exist.com` with password +protocol) as `user@domain.ltd*my_master_user` with password `my_master_password`. - -Notes: - -* master user name must be in valid email address format. e.g. user@domain.com. - this email address doesn't need to exist. - ## Troubleshooting If it doesn't work for you, please enable debug mode in Dovecot and check diff --git a/html/dovecot.master.user.html b/html/dovecot.master.user.html index d125d29d..dbd8dc1a 100644 --- a/html/dovecot.master.user.html +++ b/html/dovecot.master.user.html @@ -29,10 +29,10 @@ Retype new password: my_master_password {SSHA512}B0VHomJaMk6aLXOPglgNgJtCUA8JRnOweAwJxRW6NPWSNZ25rG/L6T05DJXH+t8WCQkemBilgkcEi6mq4Kadssivtts= -

You can now pick up any username you like, for example, -my_master_user@non-exist.com. Now add new master user in file +

You can now pick up any username you like, for example, my_master_user. +Now add new master user in file /etc/dovecot/dovecot-master-users-passwords like below:

-
my_master_user@non-exist.com:{SSHA512}B0VHomJaMk6aLXOPglgNgJtCU...
+
my_master_user:{SSHA512}B0VHomJaMk6aLXOPglgNgJtCU...
 

WARNING: Make sure file dovecot-master-users-password is owned by Dovecot @@ -45,13 +45,8 @@ the file content.
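Review bot: the changed lines that replace `my_master_user@non-exist.com` with `my_master_user` (together with the hunk in `howto/dovecot.master.user.md` that deletes the note "master user name must be in valid email address format") reverse a documented requirement without saying why. Readers who created a master user under the old instructions keep an email-style name in `dovecot-master-users-passwords` and will not know whether it is still valid; state explicitly that a bare user name is accepted (and since which iRedMail or Dovecot version, if that is the reason for the change), or keep the note and describe the exception, rather than silently dropping it.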

Then you can access user@domain.ltd's mailbox (via either IMAP or POP3 -protocol) as user@domain.ltd*my_master_user@non-exist.com with password +protocol) as user@domain.ltd*my_master_user with password my_master_password.

-

Notes:

-

Troubleshooting
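Review bot: the file name in the unchanged WARNING line, `dovecot-master-users-password`, does not match `/etc/dovecot/dovecot-master-users-passwords` used a few lines earlier in the same paragraph; since this text is being edited anyway, make the two agree, because a reader who checks ownership on the wrong name will leave the real file readable by other accounts. It would also help to add one sentence beside the `user@domain.ltd*my_master_user` example saying that this single password opens any user's mailbox on the server, which is exactly why the ownership warning matters.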

If it doesn't work for you, please enable debug mode in Dovecot and check its log file. If you don't understand what the log says, please create a new diff --git a/html/password.hashes.html b/html/password.hashes.html index 7be8a8da..523b83e3 100644 --- a/html/password.hashes.html +++ b/html/password.hashes.html @@ -25,7 +25,9 @@ Dovecot wiki page

  • (RECOMMENDED) with a prefix: {CRYPT}$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250
  • without a prefix: $1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250
  • -

    Note: Looks like SOGo requires {CRYPT} prefix.

    +

    Important note: SOGo groupware doesn't support MD5 without a prefix, so +if you're going to migrate MD5 password hash from old mail server, please +prepend {CRYPT} prefix in password hash.

  • PLAIN-MD5 (unsalted MD5). e.g. 0d2bf3c712402f428d48fed691850bfc
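Review bot: the new wording "doesn't support MD5 without a prefix" is ambiguous, because the very next bullet is PLAIN-MD5 while the hash under discussion is MD5-CRYPT (`$1$...`). Say "doesn't support MD5-CRYPT hashes without the `{CRYPT}` prefix", and add that prepending the prefix does not alter the hash itself (the two example lines share `$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250`), so migrated users keep logging in with their existing passwords.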

    diff --git a/html/sogo-centos-6-mysql.html b/html/sogo-centos-6-mysql.html index 372c06ec..47d19946 100644 --- a/html/sogo-centos-6-mysql.html +++ b/html/sogo-centos-6-mysql.html @@ -220,8 +220,10 @@ support by removing comment mark of below lines in above configuration:

    To access SOGo groupware (webmail/calendar/contact), we need to configure web server.

    Apache web server

    -

    SOGo installs config file /etc/httpd/conf.d/SOGo.conf by default, please -open it and find below lines:

    +
      +
    • SOGo installs Apache config file /etc/httpd/conf.d/SOGo.conf by default, +please open it and find below lines:
    • +
    #ProxyPass /Microsoft-Server-ActiveSync \
     # http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync \
     # retry=60 connectiontimeout=5 timeout=360
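Review bot: turning the "SOGo installs Apache config file ..." sentence into a list item leaves the `#ProxyPass` block that follows it outside the item (in the `integrations/0-sogo-centos-6-mysql.md` hunk the fence is not indented), so the new `* Find string yourhostname` item starts a second list instead of continuing the first; the sibling `sogo-centos-6-openldap` hunk keeps the same sentence as a plain paragraph. Either indent the code block under the item or keep the paragraph form in both documents so the two guides render the same way.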
    @@ -233,6 +235,11 @@ open it and find below lines:

    retry=60 connectiontimeout=5 timeout=360
    +
      +
    • Find string yourhostname in the same file, replace all yourhostname by +your FQDN server hostname. (Tip: you can get your FQDN hostname with command +hostname -f.)
    • +

    Nginx web server
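Review bot: the added `yourhostname` step gives readers no way to confirm the replacement worked; suggest closing the item with a check such as `grep -n yourhostname /etc/httpd/conf.d/SOGo.conf` (it should print nothing before Apache is reloaded), and say whether the value has to match the name clients type in the browser when that differs from what `hostname -f` reports.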

    If you're running Nginx web server configured by iRedMail, please open file /etc/nginx/conf.d/default.conf, add some lines in server {} configured for diff --git a/html/sogo-centos-6-openldap.html b/html/sogo-centos-6-openldap.html index 471bd253..afae7f3d 100644 --- a/html/sogo-centos-6-openldap.html +++ b/html/sogo-centos-6-openldap.html @@ -240,7 +240,7 @@ basedn, bind dn/passwordthen in this file, then it's done.

    To access SOGo groupware (webmail/calendar/contact), we need to configure web server.

    Apache web server

    -

    SOGo installs config file /etc/httpd/conf.d/SOGo.conf by default, please +

    SOGo installs Apache config file /etc/httpd/conf.d/SOGo.conf by default, please open it and find below lines:

    #ProxyPass /Microsoft-Server-ActiveSync \
     # http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync \
    @@ -253,6 +253,11 @@ open it and find below lines:

    retry=60 connectiontimeout=5 timeout=360
    +
      +
    • Find string yourhostname in the same file, replace all yourhostname by +your FQDN server hostname. (Tip: you can get your FQDN hostname with command +hostname -f.)
    • +

    Nginx web server

    If you're running Nginx web server configured by iRedMail, please open file /etc/nginx/conf.d/default.conf, add some lines in server {} configured for diff --git a/html/upgrade.iredmail.0.9.0-0.9.1.html b/html/upgrade.iredmail.0.9.0-0.9.1.html index 8e73a3d0..62cb2707 100644 --- a/html/upgrade.iredmail.0.9.0-0.9.1.html +++ b/html/upgrade.iredmail.0.9.0-0.9.1.html @@ -17,11 +17,11 @@

  • ChangeLog
  • General (All backends should apply these steps)
  • OpenLDAP backend special
      @@ -45,11 +45,11 @@

      WARNING: Still working in progress, do NOT apply it.

      ChangeLog

        +
      • 2015-02-17: [All backends ] Upgrade Roundcube webmail to the latest stable release
      • 2015-02-11: [All backends] [OPTIONAL] Setup Fail2ban to monitor password failures in SOGo log file.
      • 2015-02-11: [All backends] Fixed: Cannot run PHP script under web document root with Nginx.
      • 2015-02-09: [All backends] [OPTIONAL] Add one more Fail2ban filter to help catch spam.
      • -
      • 2015-02-04: [All backends] [OPTIONAL] Fixed: return receipt response rejected - by iRedAPD plugin reject_null_sender.
      • +
      • 2015-02-04: [All backends] Fixed: return receipt response rejected by iRedAPD plugin reject_null_sender.
      • 2015-02-02: [All backends] Fixed: Not backup SOGo database. Note: this step is not applicable if you don't use SOGo groupware.
      • 2015-01-13: [All backends] Fixed: Incorrect path of command sogo-tool on OpenBSD.
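Review bot: the new 2015-02-17 entry has a stray space inside the tag, `[All backends ]`, while every other entry uses `[All backends]`; fix it in both the html and the `upgrade/0-upgrade.iredmail.0.9.0-0.9.1.md` hunks. The entry is also the only one without a trailing period.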
      • @@ -87,43 +87,7 @@

        After you have additional packages installed, please follow Roundcube official tutorial to upgrade Roundcube webmail to the latest stable release: How to upgrade Roundcube

        -

        [OPTIONAL] Setup Fail2ban to monitor password failures in SOGo log file

        -

        To improve server security, we'd better block clients which have too many -failed login attempts from SOGo.

        -

        Please append below lines in Fail2ban main config file /etc/fail2ban/jail.local:

        -
        [SOGo]
        -enabled     = true
        -filter      = sogo-auth
        -port        = http, https
        -# without proxy this would be:
        -# port    = 20000
        -action      = iptables-multiport[name=SOGo, port="http,https", protocol=tcp]
        -logpath     = /var/log/sogo/sogo.log
        -
        - -

        Restarting Fail2ban service is required.

        -

        [OPTIONAL] Add one more Fail2ban filter to help catch spam

        -

        We have a new Fail2ban filter to help catch spam, it will scan HELO rejections -in Postfix log file and invoke iptables to ban client IP address.

        -

        Open file /etc/fail2ban/filters.d/postfix.iredmail.conf or -/usr/local/etc/fail2ban/filters.d/postfix.iredmail.conf (on FreeBSD), append -below line under [Definition] section:

        -
                    reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
        -
        - -

        After modification, the whole content is:

        -
        [Definition]
        -failregex = \[<HOST>\]: SASL (PLAIN|LOGIN) authentication failed
        -            lost connection after AUTH from (.*)\[<HOST>\]
        -            reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
        -            reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
        -            reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
        -            reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
        -ignoreregex =
        -
        - -

        Restarting Fail2ban service is required.

        -

        [OPTIONAL] Fixed: return receipt response rejected by iRedAPD plugin reject_null_sender

        +

        Fixed: return receipt response rejected by iRedAPD plugin reject_null_sender

        Note: this is applicable if you want to keep iRedAPD plugin reject_null_sender but still able to send return receipt with Roundcube webmail.
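Review bot: dropping `[OPTIONAL]` from the heading "Fixed: return receipt response rejected by iRedAPD plugin reject_null_sender" (and from the matching ChangeLog line) contradicts the unchanged note right under it, which still says the step is applicable only if you want to keep the `reject_null_sender` plugin; either keep the tag or reword the note so readers know whether the step is mandatory. The rest of this hunk only deletes the two Fail2ban sections that the `@@ -195,6 +159,42 @@` hunk re-adds further down; because git shows the move as a delete plus an add, confirm the re-added text is identical to what was removed.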

        According to RFC2298, return receipt envelope sender address must be empty. If @@ -195,6 +159,42 @@ command and fix it:

        # crontab -e -u _sogo
         
        +

        [OPTIONAL] Setup Fail2ban to monitor password failures in SOGo log file

        +

        To improve server security, we'd better block clients which have too many +failed login attempts from SOGo.

        +

        Please append below lines in Fail2ban main config file /etc/fail2ban/jail.local:

        +
        [SOGo]
        +enabled     = true
        +filter      = sogo-auth
        +port        = http, https
        +# without proxy this would be:
        +# port    = 20000
        +action      = iptables-multiport[name=SOGo, port="http,https", protocol=tcp]
        +logpath     = /var/log/sogo/sogo.log
        +
        + +

        Restarting Fail2ban service is required.

        +

        [OPTIONAL] Add one more Fail2ban filter to help catch spam

        +

        We have a new Fail2ban filter to help catch spam, it will scan HELO rejections +in Postfix log file and invoke iptables to ban client IP address.

        +

        Open file /etc/fail2ban/filters.d/postfix.iredmail.conf or +/usr/local/etc/fail2ban/filters.d/postfix.iredmail.conf (on FreeBSD), append +below line under [Definition] section:

        +
                    reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
        +
        + +

        After modification, the whole content is:

        +
        [Definition]
        +failregex = \[<HOST>\]: SASL (PLAIN|LOGIN) authentication failed
        +            lost connection after AUTH from (.*)\[<HOST>\]
        +            reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
        +            reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
        +            reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
        +            reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
        +ignoreregex =
        +
        + +

        Restarting Fail2ban service is required.

        OpenLDAP backend special

        Fixed: not backup SOGo database

        Note: this step is not applicable if you don't use SOGo groupware.
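Review bot: two things in the re-added Fail2ban text are worth fixing while it is being moved. First, `filter = sogo-auth` in the `[SOGo]` jail refers to a filter that neither the snippet nor the surrounding text defines; say where `sogo-auth` comes from and what file name it has, because Fail2ban refuses to start a jail whose filter file cannot be read. Second, `/etc/fail2ban/filters.d/postfix.iredmail.conf` (and the FreeBSD variant) uses `filters.d`, but Fail2ban's filter directory is `filter.d`, singular, so the path as written will not exist. A one-line check after "Restarting Fail2ban service is required" would also help readers: `fail2ban-regex <postfix log file> /etc/fail2ban/filter.d/postfix.iredmail.conf` shows whether the new HELO rejection line actually matches their log.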

        diff --git a/integrations/0-sogo-centos-6-mysql.md b/integrations/0-sogo-centos-6-mysql.md index 5085bf73..932979a9 100644 --- a/integrations/0-sogo-centos-6-mysql.md +++ b/integrations/0-sogo-centos-6-mysql.md @@ -206,8 +206,8 @@ web server. ### Apache web server -SOGo installs config file `/etc/httpd/conf.d/SOGo.conf` by default, please -open it and find below lines: +* SOGo installs Apache config file `/etc/httpd/conf.d/SOGo.conf` by default, +please open it and find below lines: ``` #ProxyPass /Microsoft-Server-ActiveSync \ @@ -223,6 +223,10 @@ ProxyPass /Microsoft-Server-ActiveSync \ retry=60 connectiontimeout=5 timeout=360 ``` +* Find string `yourhostname` in the same file, replace all `yourhostname` by +your FQDN server hostname. (Tip: you can get your FQDN hostname with command +`hostname -f`.) + ### Nginx web server If you're running Nginx web server configured by iRedMail, please open file diff --git a/integrations/0-sogo-centos-6-openldap.md b/integrations/0-sogo-centos-6-openldap.md index 40bf5819..4b86134e 100644 --- a/integrations/0-sogo-centos-6-openldap.md +++ b/integrations/0-sogo-centos-6-openldap.md @@ -222,7 +222,7 @@ web server. ### Apache web server -SOGo installs config file `/etc/httpd/conf.d/SOGo.conf` by default, please +SOGo installs Apache config file `/etc/httpd/conf.d/SOGo.conf` by default, please open it and find below lines: ``` @@ -239,6 +239,10 @@ ProxyPass /Microsoft-Server-ActiveSync \ retry=60 connectiontimeout=5 timeout=360 ``` +* Find string `yourhostname` in the same file, replace all `yourhostname` by +your FQDN server hostname. (Tip: you can get your FQDN hostname with command +`hostname -f`.) + ### Nginx web server If you're running Nginx web server configured by iRedMail, please open file diff --git a/migrations/password.hashes.md b/migrations/password.hashes.md index c327a4e8..5a60c3c6 100644 --- a/migrations/password.hashes.md +++ b/migrations/password.hashes.md 
@@ -15,7 +15,9 @@ Below password schemes are supported in iRedAdmin-Pro (which means you can add n * (RECOMMENDED) with a prefix: `{CRYPT}$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250` * without a prefix: `$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250` - Note: Looks like SOGo requires `{CRYPT}` prefix. + __Important note__: SOGo groupware doesn't support MD5 without a prefix, so + if you're going to migrate MD5 password hash from old mail server, please + prepend `{CRYPT}` prefix in password hash. * PLAIN-MD5 (unsalted MD5). e.g. `0d2bf3c712402f428d48fed691850bfc` * SSHA. e.g. `{SSHA}OuCrqL2yWwQIu8a9uvyOQ5V/ZKfL7LJD` diff --git a/upgrade/0-upgrade.iredmail.0.9.0-0.9.1.md b/upgrade/0-upgrade.iredmail.0.9.0-0.9.1.md index 12db68da..8b6f4344 100644 --- a/upgrade/0-upgrade.iredmail.0.9.0-0.9.1.md +++ b/upgrade/0-upgrade.iredmail.0.9.0-0.9.1.md @@ -7,11 +7,11 @@ __WARNING: Still working in progress, do _NOT_ apply it.__ ## ChangeLog +* 2015-02-17: [All backends ] Upgrade Roundcube webmail to the latest stable release * 2015-02-11: [All backends] [__OPTIONAL__] Setup Fail2ban to monitor password failures in SOGo log file. * 2015-02-11: [All backends] Fixed: Cannot run PHP script under web document root with Nginx. * 2015-02-09: [All backends] [__OPTIONAL__] Add one more Fail2ban filter to help catch spam. -* 2015-02-04: [All backends] [__OPTIONAL__] Fixed: return receipt response rejected - by iRedAPD plugin `reject_null_sender`. +* 2015-02-04: [All backends] Fixed: return receipt response rejected by iRedAPD plugin `reject_null_sender`. * 2015-02-02: [All backends] Fixed: Not backup SOGo database. Note: this step is not applicable if you don't use SOGo groupware. * 2015-01-13: [All backends] Fixed: Incorrect path of command `sogo-tool` on OpenBSD. 
@@ -53,55 +53,7 @@ After you have additional packages installed, please follow Roundcube official tutorial to upgrade Roundcube webmail to the latest stable release: [How to upgrade Roundcube](http://trac.roundcube.net/wiki/Howto_Upgrade) -### [__OPTIONAL__] Setup Fail2ban to monitor password failures in SOGo log file - -To improve server security, we'd better block clients which have too many -failed login attempts from SOGo. - -Please append below lines in Fail2ban main config file `/etc/fail2ban/jail.local`: - -``` -[SOGo] -enabled = true -filter = sogo-auth -port = http, https -# without proxy this would be: -# port = 20000 -action = iptables-multiport[name=SOGo, port="http,https", protocol=tcp] -logpath = /var/log/sogo/sogo.log -``` - -Restarting Fail2ban service is required. - -### [OPTIONAL] Add one more Fail2ban filter to help catch spam - -We have a new Fail2ban filter to help catch spam, it will scan HELO rejections -in Postfix log file and invoke iptables to ban client IP address. - -Open file `/etc/fail2ban/filters.d/postfix.iredmail.conf` or -`/usr/local/etc/fail2ban/filters.d/postfix.iredmail.conf` (on FreeBSD), append -below line under `[Definition]` section: - -``` - reject: RCPT from (.*)\[\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname -``` - -After modification, the whole content is: - -``` -[Definition] -failregex = \[\]: SASL (PLAIN|LOGIN) authentication failed - lost connection after AUTH from (.*)\[\] - reject: RCPT from (.*)\[\]: 550 5.1.1 - reject: RCPT from (.*)\[\]: 450 4.7.1 - reject: RCPT from (.*)\[\]: 554 5.7.1 - reject: RCPT from (.*)\[\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname -ignoreregex = -``` - -Restarting Fail2ban service is required. 
- -### [OPTIONAL] Fixed: return receipt response rejected by iRedAPD plugin `reject_null_sender` +### Fixed: return receipt response rejected by iRedAPD plugin `reject_null_sender` Note: this is applicable if you want to keep iRedAPD plugin `reject_null_sender` but still able to send return receipt with Roundcube webmail. @@ -182,6 +134,54 @@ command and fix it: # crontab -e -u _sogo ``` +### [__OPTIONAL__] Setup Fail2ban to monitor password failures in SOGo log file + +To improve server security, we'd better block clients which have too many +failed login attempts from SOGo. + +Please append below lines in Fail2ban main config file `/etc/fail2ban/jail.local`: + +``` +[SOGo] +enabled = true +filter = sogo-auth +port = http, https +# without proxy this would be: +# port = 20000 +action = iptables-multiport[name=SOGo, port="http,https", protocol=tcp] +logpath = /var/log/sogo/sogo.log +``` + +Restarting Fail2ban service is required. + +### [OPTIONAL] Add one more Fail2ban filter to help catch spam + +We have a new Fail2ban filter to help catch spam, it will scan HELO rejections +in Postfix log file and invoke iptables to ban client IP address. + +Open file `/etc/fail2ban/filters.d/postfix.iredmail.conf` or +`/usr/local/etc/fail2ban/filters.d/postfix.iredmail.conf` (on FreeBSD), append +below line under `[Definition]` section: + +``` + reject: RCPT from (.*)\[\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname +``` + +After modification, the whole content is: + +``` +[Definition] +failregex = \[\]: SASL (PLAIN|LOGIN) authentication failed + lost connection after AUTH from (.*)\[\] + reject: RCPT from (.*)\[\]: 550 5.1.1 + reject: RCPT from (.*)\[\]: 450 4.7.1 + reject: RCPT from (.*)\[\]: 554 5.7.1 + reject: RCPT from (.*)\[\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname +ignoreregex = +``` + +Restarting Fail2ban service is required. + ## OpenLDAP backend special ### Fixed: not backup SOGo database
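Review bot: in the `upgrade/0-upgrade.iredmail.0.9.0-0.9.1.md` hunks the failregex lines read `\[\]: SASL (PLAIN|LOGIN) authentication failed` and `reject: RCPT from (.*)\[\]: 504 5.5.2 ...`, whereas the html rendering of the same text shows `\[<HOST>\]`; if the markdown source has really lost the `<HOST>` tag rather than this being a display artifact, the patterns capture no address and Fail2ban rejects a failregex that has no host group, so nothing gets banned. Please verify the `<HOST>` tag is intact on every line of both the removed and the re-added block before merging.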