* Dovecot master user can be non-email.

* Mention to change 'yourhostname' in SOGo config file for Apache.
Zhang Huangbin 2015-02-18 17:37:41 +08:00
parent 1d07a830d9
commit 25eac35f61
10 changed files with 133 additions and 120 deletions

@ -22,12 +22,12 @@ Retype new password: my_master_password
{SSHA512}B0VHomJaMk6aLXOPglgNgJtCUA8JRnOweAwJxRW6NPWSNZ25rG/L6T05DJXH+t8WCQkemBilgkcEi6mq4Kadssivtts= {SSHA512}B0VHomJaMk6aLXOPglgNgJtCUA8JRnOweAwJxRW6NPWSNZ25rG/L6T05DJXH+t8WCQkemBilgkcEi6mq4Kadssivtts=
``` ```
You can now pick up any username you like, for example, You can now pick up any username you like, for example, `my_master_user`.
`my_master_user@non-exist.com`. Now add new master user in file Now add new master user in file
`/etc/dovecot/dovecot-master-users-passwords` like below: `/etc/dovecot/dovecot-master-users-passwords` like below:
``` ```
my_master_user@non-exist.com:{SSHA512}B0VHomJaMk6aLXOPglgNgJtCU... my_master_user:{SSHA512}B0VHomJaMk6aLXOPglgNgJtCU...
``` ```
WARNING: Make sure file `dovecot-master-users-password` is owned by Dovecot WARNING: Make sure file `dovecot-master-users-password` is owned by Dovecot
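Review bot: The WARNING context line at the end of this hunk names the file `dovecot-master-users-password`, while the path a few lines earlier is `/etc/dovecot/dovecot-master-users-passwords` (with a trailing `s`). This sentence tells readers which file to lock down, so the two names should match; please correct it while this section is being edited.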
@ -38,15 +38,9 @@ the file content.
> * on OpenBSD, Dovecot daemon user/group is `_dovecot/_dovecot`. > * on OpenBSD, Dovecot daemon user/group is `_dovecot/_dovecot`.
Then you can access user@domain.ltd's mailbox (via either IMAP or POP3 Then you can access user@domain.ltd's mailbox (via either IMAP or POP3
protocol) as `user@domain.ltd*my_master_user@non-exist.com` with password protocol) as `user@domain.ltd*my_master_user` with password
`my_master_password`. `my_master_password`.
Notes:
* master user name must be in valid email address format. e.g. user@domain.com.
this email address doesn't need to exist.
## Troubleshooting ## Troubleshooting
If it doesn't work for you, please enable debug mode in Dovecot and check If it doesn't work for you, please enable debug mode in Dovecot and check
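Review bot: The removed `Notes:` block was the only place stating what form a master user name may take, and nothing replaces it. Readers who followed the earlier text have an entry like `my_master_user@non-exist.com` in their file, so a one-line note saying that the name no longer has to look like an email address, and whether existing email-style entries need changing, would help. It would also be worth stating that the `*` in `user@domain.ltd*my_master_user` separates the mailbox from the master user.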

@ -29,10 +29,10 @@ Retype new password: my_master_password
{SSHA512}B0VHomJaMk6aLXOPglgNgJtCUA8JRnOweAwJxRW6NPWSNZ25rG/L6T05DJXH+t8WCQkemBilgkcEi6mq4Kadssivtts= {SSHA512}B0VHomJaMk6aLXOPglgNgJtCUA8JRnOweAwJxRW6NPWSNZ25rG/L6T05DJXH+t8WCQkemBilgkcEi6mq4Kadssivtts=
</code></pre> </code></pre>
<p>You can now pick up any username you like, for example, <p>You can now pick up any username you like, for example, <code>my_master_user</code>.
<code>my_master_user@non-exist.com</code>. Now add new master user in file Now add new master user in file
<code>/etc/dovecot/dovecot-master-users-passwords</code> like below:</p> <code>/etc/dovecot/dovecot-master-users-passwords</code> like below:</p>
<pre><code>my_master_user@non-exist.com:{SSHA512}B0VHomJaMk6aLXOPglgNgJtCU... <pre><code>my_master_user:{SSHA512}B0VHomJaMk6aLXOPglgNgJtCU...
</code></pre> </code></pre>
<p>WARNING: Make sure file <code>dovecot-master-users-password</code> is owned by Dovecot <p>WARNING: Make sure file <code>dovecot-master-users-password</code> is owned by Dovecot
@ -45,13 +45,8 @@ the file content.</p>
</ul> </ul>
</blockquote> </blockquote>
<p>Then you can access user@domain.ltd's mailbox (via either IMAP or POP3 <p>Then you can access user@domain.ltd's mailbox (via either IMAP or POP3
protocol) as <code>user@domain.ltd*my_master_user@non-exist.com</code> with password protocol) as <code>user@domain.ltd*my_master_user</code> with password
<code>my_master_password</code>.</p> <code>my_master_password</code>.</p>
<p>Notes:</p>
<ul>
<li>master user name must be in valid email address format. e.g. user@domain.com.
this email address doesn't need to exist.</li>
</ul>
<h2 id="troubleshooting">Troubleshooting</h2> <h2 id="troubleshooting">Troubleshooting</h2>
<p>If it doesn't work for you, please enable debug mode in Dovecot and check <p>If it doesn't work for you, please enable debug mode in Dovecot and check
its log file. If you don't understand what the log says, please create a new its log file. If you don't understand what the log says, please create a new

@ -25,7 +25,9 @@ Dovecot wiki page
<li>(RECOMMENDED) with a prefix: <code>{CRYPT}$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250</code></li> <li>(RECOMMENDED) with a prefix: <code>{CRYPT}$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250</code></li>
<li>without a prefix: <code>$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250</code></li> <li>without a prefix: <code>$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250</code></li>
</ul> </ul>
<p>Note: Looks like SOGo requires <code>{CRYPT}</code> prefix.</p> <p><strong>Important note</strong>: SOGo groupware doesn't support MD5 without a prefix, so
if you're going to migrate MD5 password hash from old mail server, please
prepend <code>{CRYPT}</code> prefix in password hash.</p>
</li> </li>
<li> <li>
<p>PLAIN-MD5 (unsalted MD5). e.g. <code>0d2bf3c712402f428d48fed691850bfc</code></p> <p>PLAIN-MD5 (unsalted MD5). e.g. <code>0d2bf3c712402f428d48fed691850bfc</code></p>

@ -220,8 +220,10 @@ support by removing comment mark of below lines in above configuration:</p>
<p>To access SOGo groupware (webmail/calendar/contact), we need to configure <p>To access SOGo groupware (webmail/calendar/contact), we need to configure
web server.</p> web server.</p>
<h3 id="apache-web-server">Apache web server</h3> <h3 id="apache-web-server">Apache web server</h3>
<p>SOGo installs config file <code>/etc/httpd/conf.d/SOGo.conf</code> by default, please <ul>
open it and find below lines:</p> <li>SOGo installs Apache config file <code>/etc/httpd/conf.d/SOGo.conf</code> by default,
please open it and find below lines:</li>
</ul>
<pre><code>#ProxyPass /Microsoft-Server-ActiveSync \ <pre><code>#ProxyPass /Microsoft-Server-ActiveSync \
# http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync \ # http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync \
# retry=60 connectiontimeout=5 timeout=360 # retry=60 connectiontimeout=5 timeout=360
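Review bot: In the new `<ul>` at the top of the Apache section, the list closes before the `<pre>` block, so the step and the lines it refers to are no longer one unit, and the `yourhostname` step added further down renders as a second one-item list. Indent the code block under the bullet in the Markdown source, or use numbered steps, so the two instructions read as one procedure.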
@ -233,6 +235,11 @@ open it and find below lines:</p>
retry=60 connectiontimeout=5 timeout=360 retry=60 connectiontimeout=5 timeout=360
</code></pre> </code></pre>
<ul>
<li>Find string <code>yourhostname</code> in the same file, replace all <code>yourhostname</code> by
your FQDN server hostname. (Tip: you can get your FQDN hostname with command
<code>hostname -f</code>.)</li>
</ul>
<h3 id="nginx-web-server">Nginx web server</h3> <h3 id="nginx-web-server">Nginx web server</h3>
<p>If you're running Nginx web server configured by iRedMail, please open file <p>If you're running Nginx web server configured by iRedMail, please open file
<code>/etc/nginx/conf.d/default.conf</code>, add some lines in <code>server {}</code> configured for <code>/etc/nginx/conf.d/default.conf</code>, add some lines in <code>server {}</code> configured for

@ -240,7 +240,7 @@ basedn, bind dn/passwordthen in this file, then it's done.</p>
<p>To access SOGo groupware (webmail/calendar/contact), we need to configure <p>To access SOGo groupware (webmail/calendar/contact), we need to configure
web server.</p> web server.</p>
<h3 id="apache-web-server">Apache web server</h3> <h3 id="apache-web-server">Apache web server</h3>
<p>SOGo installs config file <code>/etc/httpd/conf.d/SOGo.conf</code> by default, please <p>SOGo installs Apache config file <code>/etc/httpd/conf.d/SOGo.conf</code> by default, please
open it and find below lines:</p> open it and find below lines:</p>
<pre><code>#ProxyPass /Microsoft-Server-ActiveSync \ <pre><code>#ProxyPass /Microsoft-Server-ActiveSync \
# http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync \ # http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync \
@ -253,6 +253,11 @@ open it and find below lines:</p>
retry=60 connectiontimeout=5 timeout=360 retry=60 connectiontimeout=5 timeout=360
</code></pre> </code></pre>
<ul>
<li>Find string <code>yourhostname</code> in the same file, replace all <code>yourhostname</code> by
your FQDN server hostname. (Tip: you can get your FQDN hostname with command
<code>hostname -f</code>.)</li>
</ul>
<h3 id="nginx-web-server">Nginx web server</h3> <h3 id="nginx-web-server">Nginx web server</h3>
<p>If you're running Nginx web server configured by iRedMail, please open file <p>If you're running Nginx web server configured by iRedMail, please open file
<code>/etc/nginx/conf.d/default.conf</code>, add some lines in <code>server {}</code> configured for <code>/etc/nginx/conf.d/default.conf</code>, add some lines in <code>server {}</code> configured for

@ -17,11 +17,11 @@
<li><a href="#changelog">ChangeLog</a></li> <li><a href="#changelog">ChangeLog</a></li>
<li><a href="#general-all-backends-should-apply-these-steps">General (All backends should apply these steps)</a><ul> <li><a href="#general-all-backends-should-apply-these-steps">General (All backends should apply these steps)</a><ul>
<li><a href="#upgrade-roundcube-webmail-to-the-latest-stable-release">Upgrade Roundcube webmail to the latest stable release</a></li> <li><a href="#upgrade-roundcube-webmail-to-the-latest-stable-release">Upgrade Roundcube webmail to the latest stable release</a></li>
<li><a href="#optional-setup-fail2ban-to-monitor-password-failures-in-sogo-log-file">[OPTIONAL] Setup Fail2ban to monitor password failures in SOGo log file</a></li> <li><a href="#fixed-return-receipt-response-rejected-by-iredapd-plugin-reject_null_sender">Fixed: return receipt response rejected by iRedAPD plugin reject_null_sender</a></li>
<li><a href="#optional-add-one-more-fail2ban-filter-to-help-catch-spam">[OPTIONAL] Add one more Fail2ban filter to help catch spam</a></li>
<li><a href="#optional-fixed-return-receipt-response-rejected-by-iredapd-plugin-reject_null_sender">[OPTIONAL] Fixed: return receipt response rejected by iRedAPD plugin reject_null_sender</a></li>
<li><a href="#fixed-cannot-run-php-script-under-web-document-root-with-nginx">Fixed: Cannot run PHP script under web document root with Nginx.</a></li> <li><a href="#fixed-cannot-run-php-script-under-web-document-root-with-nginx">Fixed: Cannot run PHP script under web document root with Nginx.</a></li>
<li><a href="#fixed-incorrect-path-of-command-sogo-tool-on-openbsd">Fixed: Incorrect path of command sogo-tool on OpenBSD</a></li> <li><a href="#fixed-incorrect-path-of-command-sogo-tool-on-openbsd">Fixed: Incorrect path of command sogo-tool on OpenBSD</a></li>
<li><a href="#optional-setup-fail2ban-to-monitor-password-failures-in-sogo-log-file">[OPTIONAL] Setup Fail2ban to monitor password failures in SOGo log file</a></li>
<li><a href="#optional-add-one-more-fail2ban-filter-to-help-catch-spam">[OPTIONAL] Add one more Fail2ban filter to help catch spam</a></li>
</ul> </ul>
</li> </li>
<li><a href="#openldap-backend-special">OpenLDAP backend special</a><ul> <li><a href="#openldap-backend-special">OpenLDAP backend special</a><ul>
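Review bot: The table-of-contents entry for the `reject_null_sender` fix now points at `#fixed-return-receipt-response-rejected-by-iredapd-plugin-reject_null_sender`, so the previous fragment `#optional-fixed-return-receipt-response-rejected-by-iredapd-plugin-reject_null_sender` disappears together with the `[OPTIONAL]` prefix. Existing links to the old fragment will no longer resolve to this section; if that matters, keep an explicit anchor with the old id.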
@ -45,11 +45,11 @@
<p><strong>WARNING: Still working in progress, do <em>NOT</em> apply it.</strong></p> <p><strong>WARNING: Still working in progress, do <em>NOT</em> apply it.</strong></p>
<h2 id="changelog">ChangeLog</h2> <h2 id="changelog">ChangeLog</h2>
<ul> <ul>
<li>2015-02-17: [All backends ] Upgrade Roundcube webmail to the latest stable release</li>
<li>2015-02-11: [All backends] [<strong>OPTIONAL</strong>] Setup Fail2ban to monitor password failures in SOGo log file.</li> <li>2015-02-11: [All backends] [<strong>OPTIONAL</strong>] Setup Fail2ban to monitor password failures in SOGo log file.</li>
<li>2015-02-11: [All backends] Fixed: Cannot run PHP script under web document root with Nginx.</li> <li>2015-02-11: [All backends] Fixed: Cannot run PHP script under web document root with Nginx.</li>
<li>2015-02-09: [All backends] [<strong>OPTIONAL</strong>] Add one more Fail2ban filter to help catch spam.</li> <li>2015-02-09: [All backends] [<strong>OPTIONAL</strong>] Add one more Fail2ban filter to help catch spam.</li>
<li>2015-02-04: [All backends] [<strong>OPTIONAL</strong>] Fixed: return receipt response rejected <li>2015-02-04: [All backends] Fixed: return receipt response rejected by iRedAPD plugin <code>reject_null_sender</code>.</li>
by iRedAPD plugin <code>reject_null_sender</code>.</li>
<li>2015-02-02: [All backends] Fixed: Not backup SOGo database. Note: this step <li>2015-02-02: [All backends] Fixed: Not backup SOGo database. Note: this step
is not applicable if you don't use SOGo groupware.</li> is not applicable if you don't use SOGo groupware.</li>
<li>2015-01-13: [All backends] Fixed: Incorrect path of command <code>sogo-tool</code> on OpenBSD.</li> <li>2015-01-13: [All backends] Fixed: Incorrect path of command <code>sogo-tool</code> on OpenBSD.</li>
@ -87,43 +87,7 @@
<p>After you have additional packages installed, please follow Roundcube official <p>After you have additional packages installed, please follow Roundcube official
tutorial to upgrade Roundcube webmail to the latest stable release: tutorial to upgrade Roundcube webmail to the latest stable release:
<a href="http://trac.roundcube.net/wiki/Howto_Upgrade">How to upgrade Roundcube</a></p> <a href="http://trac.roundcube.net/wiki/Howto_Upgrade">How to upgrade Roundcube</a></p>
<h3 id="optional-setup-fail2ban-to-monitor-password-failures-in-sogo-log-file">[<strong>OPTIONAL</strong>] Setup Fail2ban to monitor password failures in SOGo log file</h3> <h3 id="fixed-return-receipt-response-rejected-by-iredapd-plugin-reject_null_sender">Fixed: return receipt response rejected by iRedAPD plugin <code>reject_null_sender</code></h3>
<p>To improve server security, we'd better block clients which have too many
failed login attempts from SOGo.</p>
<p>Please append below lines in Fail2ban main config file <code>/etc/fail2ban/jail.local</code>:</p>
<pre><code>[SOGo]
enabled = true
filter = sogo-auth
port = http, https
# without proxy this would be:
# port = 20000
action = iptables-multiport[name=SOGo, port=&quot;http,https&quot;, protocol=tcp]
logpath = /var/log/sogo/sogo.log
</code></pre>
<p>Restarting Fail2ban service is required.</p>
<h3 id="optional-add-one-more-fail2ban-filter-to-help-catch-spam">[OPTIONAL] Add one more Fail2ban filter to help catch spam</h3>
<p>We have a new Fail2ban filter to help catch spam, it will scan HELO rejections
in Postfix log file and invoke iptables to ban client IP address.</p>
<p>Open file <code>/etc/fail2ban/filters.d/postfix.iredmail.conf</code> or
<code>/usr/local/etc/fail2ban/filters.d/postfix.iredmail.conf</code> (on FreeBSD), append
below line under <code>[Definition]</code> section:</p>
<pre><code> reject: RCPT from (.*)\[&lt;HOST&gt;\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
</code></pre>
<p>After modification, the whole content is:</p>
<pre><code>[Definition]
failregex = \[&lt;HOST&gt;\]: SASL (PLAIN|LOGIN) authentication failed
lost connection after AUTH from (.*)\[&lt;HOST&gt;\]
reject: RCPT from (.*)\[&lt;HOST&gt;\]: 550 5.1.1
reject: RCPT from (.*)\[&lt;HOST&gt;\]: 450 4.7.1
reject: RCPT from (.*)\[&lt;HOST&gt;\]: 554 5.7.1
reject: RCPT from (.*)\[&lt;HOST&gt;\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
ignoreregex =
</code></pre>
<p>Restarting Fail2ban service is required.</p>
<h3 id="optional-fixed-return-receipt-response-rejected-by-iredapd-plugin-reject_null_sender">[OPTIONAL] Fixed: return receipt response rejected by iRedAPD plugin <code>reject_null_sender</code></h3>
<p>Note: this is applicable if you want to keep iRedAPD plugin <code>reject_null_sender</code> <p>Note: this is applicable if you want to keep iRedAPD plugin <code>reject_null_sender</code>
but still able to send return receipt with Roundcube webmail.</p> but still able to send return receipt with Roundcube webmail.</p>
<p>According to RFC2298, return receipt envelope sender address must be empty. If <p>According to RFC2298, return receipt envelope sender address must be empty. If
@ -195,6 +159,42 @@ command and fix it:</p>
<pre><code># crontab -e -u _sogo <pre><code># crontab -e -u _sogo
</code></pre> </code></pre>
<h3 id="optional-setup-fail2ban-to-monitor-password-failures-in-sogo-log-file">[<strong>OPTIONAL</strong>] Setup Fail2ban to monitor password failures in SOGo log file</h3>
<p>To improve server security, we'd better block clients which have too many
failed login attempts from SOGo.</p>
<p>Please append below lines in Fail2ban main config file <code>/etc/fail2ban/jail.local</code>:</p>
<pre><code>[SOGo]
enabled = true
filter = sogo-auth
port = http, https
# without proxy this would be:
# port = 20000
action = iptables-multiport[name=SOGo, port=&quot;http,https&quot;, protocol=tcp]
logpath = /var/log/sogo/sogo.log
</code></pre>
<p>Restarting Fail2ban service is required.</p>
<h3 id="optional-add-one-more-fail2ban-filter-to-help-catch-spam">[OPTIONAL] Add one more Fail2ban filter to help catch spam</h3>
<p>We have a new Fail2ban filter to help catch spam, it will scan HELO rejections
in Postfix log file and invoke iptables to ban client IP address.</p>
<p>Open file <code>/etc/fail2ban/filters.d/postfix.iredmail.conf</code> or
<code>/usr/local/etc/fail2ban/filters.d/postfix.iredmail.conf</code> (on FreeBSD), append
below line under <code>[Definition]</code> section:</p>
<pre><code> reject: RCPT from (.*)\[&lt;HOST&gt;\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
</code></pre>
<p>After modification, the whole content is:</p>
<pre><code>[Definition]
failregex = \[&lt;HOST&gt;\]: SASL (PLAIN|LOGIN) authentication failed
lost connection after AUTH from (.*)\[&lt;HOST&gt;\]
reject: RCPT from (.*)\[&lt;HOST&gt;\]: 550 5.1.1
reject: RCPT from (.*)\[&lt;HOST&gt;\]: 450 4.7.1
reject: RCPT from (.*)\[&lt;HOST&gt;\]: 554 5.7.1
reject: RCPT from (.*)\[&lt;HOST&gt;\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
ignoreregex =
</code></pre>
<p>Restarting Fail2ban service is required.</p>
<h2 id="openldap-backend-special">OpenLDAP backend special</h2> <h2 id="openldap-backend-special">OpenLDAP backend special</h2>
<h3 id="fixed-not-backup-sogo-database">Fixed: not backup SOGo database</h3> <h3 id="fixed-not-backup-sogo-database">Fixed: not backup SOGo database</h3>
<p>Note: this step is not applicable if you don't use SOGo groupware.</p> <p>Note: this step is not applicable if you don't use SOGo groupware.</p>
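Review bot: The two Fail2ban headings moved to this position mark the same status differently: the first is `[<strong>OPTIONAL</strong>]`, the second plain `[OPTIONAL]`. Since both sections are being touched anyway, use one form for both headings.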

@ -206,8 +206,8 @@ web server.
### Apache web server ### Apache web server
SOGo installs config file `/etc/httpd/conf.d/SOGo.conf` by default, please * SOGo installs Apache config file `/etc/httpd/conf.d/SOGo.conf` by default,
open it and find below lines: please open it and find below lines:
``` ```
#ProxyPass /Microsoft-Server-ActiveSync \ #ProxyPass /Microsoft-Server-ActiveSync \
@ -223,6 +223,10 @@ ProxyPass /Microsoft-Server-ActiveSync \
retry=60 connectiontimeout=5 timeout=360 retry=60 connectiontimeout=5 timeout=360
``` ```
* Find string `yourhostname` in the same file, replace all `yourhostname` by
your FQDN server hostname. (Tip: you can get your FQDN hostname with command
`hostname -f`.)
### Nginx web server ### Nginx web server
If you're running Nginx web server configured by iRedMail, please open file If you're running Nginx web server configured by iRedMail, please open file
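Review bot: The added `yourhostname` step tells the reader to search the file but does not show the lines that contain the placeholder, unlike the `ProxyPass` step just above it, which quotes them. Quoting the affected directives would let the reader confirm that every occurrence was replaced. The `hostname -f` tip could also say to check that the output is a fully qualified name before pasting it in.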

@ -222,7 +222,7 @@ web server.
### Apache web server ### Apache web server
SOGo installs config file `/etc/httpd/conf.d/SOGo.conf` by default, please SOGo installs Apache config file `/etc/httpd/conf.d/SOGo.conf` by default, please
open it and find below lines: open it and find below lines:
``` ```
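Review bot: Here the opening sentence stays a plain paragraph, whereas the same sentence in the sibling installation guide changed in this commit becomes a `*` bullet; the `yourhostname` bullet added in the next hunk is then the only list item in this section. Pick one structure for both guides.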
@ -239,6 +239,10 @@ ProxyPass /Microsoft-Server-ActiveSync \
retry=60 connectiontimeout=5 timeout=360 retry=60 connectiontimeout=5 timeout=360
``` ```
* Find string `yourhostname` in the same file, replace all `yourhostname` by
your FQDN server hostname. (Tip: you can get your FQDN hostname with command
`hostname -f`.)
### Nginx web server ### Nginx web server
If you're running Nginx web server configured by iRedMail, please open file If you're running Nginx web server configured by iRedMail, please open file

@ -15,7 +15,9 @@ Below password schemes are supported in iRedAdmin-Pro (which means you can add n
* (RECOMMENDED) with a prefix: `{CRYPT}$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250` * (RECOMMENDED) with a prefix: `{CRYPT}$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250`
* without a prefix: `$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250` * without a prefix: `$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250`
Note: Looks like SOGo requires `{CRYPT}` prefix. __Important note__: SOGo groupware doesn't support MD5 without a prefix, so
if you're going to migrate MD5 password hash from old mail server, please
prepend `{CRYPT}` prefix in password hash.
* PLAIN-MD5 (unsalted MD5). e.g. `0d2bf3c712402f428d48fed691850bfc` * PLAIN-MD5 (unsalted MD5). e.g. `0d2bf3c712402f428d48fed691850bfc`
* SSHA. e.g. `{SSHA}OuCrqL2yWwQIu8a9uvyOQ5V/ZKfL7LJD` * SSHA. e.g. `{SSHA}OuCrqL2yWwQIu8a9uvyOQ5V/ZKfL7LJD`
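Review bot: In the new important note, "MD5 without a prefix" is ambiguous, because the next list item is `PLAIN-MD5 (unsalted MD5)`, whose example also carries no prefix. The note sits under the salted `$1$` form, so name that form explicitly. "Prepend the `{CRYPT}` prefix to the password hash" would also read better than "in password hash".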

@ -7,11 +7,11 @@ __WARNING: Still working in progress, do _NOT_ apply it.__
## ChangeLog ## ChangeLog
* 2015-02-17: [All backends ] Upgrade Roundcube webmail to the latest stable release
* 2015-02-11: [All backends] [__OPTIONAL__] Setup Fail2ban to monitor password failures in SOGo log file. * 2015-02-11: [All backends] [__OPTIONAL__] Setup Fail2ban to monitor password failures in SOGo log file.
* 2015-02-11: [All backends] Fixed: Cannot run PHP script under web document root with Nginx. * 2015-02-11: [All backends] Fixed: Cannot run PHP script under web document root with Nginx.
* 2015-02-09: [All backends] [__OPTIONAL__] Add one more Fail2ban filter to help catch spam. * 2015-02-09: [All backends] [__OPTIONAL__] Add one more Fail2ban filter to help catch spam.
* 2015-02-04: [All backends] [__OPTIONAL__] Fixed: return receipt response rejected * 2015-02-04: [All backends] Fixed: return receipt response rejected by iRedAPD plugin `reject_null_sender`.
by iRedAPD plugin `reject_null_sender`.
* 2015-02-02: [All backends] Fixed: Not backup SOGo database. Note: this step * 2015-02-02: [All backends] Fixed: Not backup SOGo database. Note: this step
is not applicable if you don't use SOGo groupware. is not applicable if you don't use SOGo groupware.
* 2015-01-13: [All backends] Fixed: Incorrect path of command `sogo-tool` on OpenBSD. * 2015-01-13: [All backends] Fixed: Incorrect path of command `sogo-tool` on OpenBSD.
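Review bot: The new 2015-02-17 entry is written `[All backends ]`, with a stray space before the closing bracket, and has no final period, while the neighbouring entries use `[All backends]` and end with one. Worth aligning here and in the generated HTML.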
@ -53,55 +53,7 @@ After you have additional packages installed, please follow Roundcube official
tutorial to upgrade Roundcube webmail to the latest stable release: tutorial to upgrade Roundcube webmail to the latest stable release:
[How to upgrade Roundcube](http://trac.roundcube.net/wiki/Howto_Upgrade) [How to upgrade Roundcube](http://trac.roundcube.net/wiki/Howto_Upgrade)
### [__OPTIONAL__] Setup Fail2ban to monitor password failures in SOGo log file ### Fixed: return receipt response rejected by iRedAPD plugin `reject_null_sender`
To improve server security, we'd better block clients which have too many
failed login attempts from SOGo.
Please append below lines in Fail2ban main config file `/etc/fail2ban/jail.local`:
```
[SOGo]
enabled = true
filter = sogo-auth
port = http, https
# without proxy this would be:
# port = 20000
action = iptables-multiport[name=SOGo, port="http,https", protocol=tcp]
logpath = /var/log/sogo/sogo.log
```
Restarting Fail2ban service is required.
### [OPTIONAL] Add one more Fail2ban filter to help catch spam
We have a new Fail2ban filter to help catch spam, it will scan HELO rejections
in Postfix log file and invoke iptables to ban client IP address.
Open file `/etc/fail2ban/filters.d/postfix.iredmail.conf` or
`/usr/local/etc/fail2ban/filters.d/postfix.iredmail.conf` (on FreeBSD), append
below line under `[Definition]` section:
```
reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
```
After modification, the whole content is:
```
[Definition]
failregex = \[<HOST>\]: SASL (PLAIN|LOGIN) authentication failed
lost connection after AUTH from (.*)\[<HOST>\]
reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
ignoreregex =
```
Restarting Fail2ban service is required.
### [OPTIONAL] Fixed: return receipt response rejected by iRedAPD plugin `reject_null_sender`
Note: this is applicable if you want to keep iRedAPD plugin `reject_null_sender` Note: this is applicable if you want to keep iRedAPD plugin `reject_null_sender`
but still able to send return receipt with Roundcube webmail. but still able to send return receipt with Roundcube webmail.
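Review bot: The heading loses its `[OPTIONAL]` marker, but the first line under it still begins "Note: this is applicable if you want to keep iRedAPD plugin `reject_null_sender`", which describes a conditional step. Either reword the note to say who must apply the fix, or keep the marker, so the heading and the body agree.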
@ -182,6 +134,54 @@ command and fix it:
# crontab -e -u _sogo # crontab -e -u _sogo
``` ```
### [__OPTIONAL__] Setup Fail2ban to monitor password failures in SOGo log file
To improve server security, we'd better block clients which have too many
failed login attempts from SOGo.
Please append below lines in Fail2ban main config file `/etc/fail2ban/jail.local`:
```
[SOGo]
enabled = true
filter = sogo-auth
port = http, https
# without proxy this would be:
# port = 20000
action = iptables-multiport[name=SOGo, port="http,https", protocol=tcp]
logpath = /var/log/sogo/sogo.log
```
Restarting Fail2ban service is required.
### [OPTIONAL] Add one more Fail2ban filter to help catch spam
We have a new Fail2ban filter to help catch spam, it will scan HELO rejections
in Postfix log file and invoke iptables to ban client IP address.
Open file `/etc/fail2ban/filters.d/postfix.iredmail.conf` or
`/usr/local/etc/fail2ban/filters.d/postfix.iredmail.conf` (on FreeBSD), append
below line under `[Definition]` section:
```
reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
```
After modification, the whole content is:
```
[Definition]
failregex = \[<HOST>\]: SASL (PLAIN|LOGIN) authentication failed
lost connection after AUTH from (.*)\[<HOST>\]
reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
ignoreregex =
```
Restarting Fail2ban service is required.
## OpenLDAP backend special ## OpenLDAP backend special
### Fixed: not backup SOGo database ### Fixed: not backup SOGo database
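Review bot: In the re-added spam-filter section, both paths are written with `filters.d` (`/etc/fail2ban/filters.d/postfix.iredmail.conf` and the FreeBSD variant), but Fail2ban's filter directory is named `filter.d`, so the file the reader is told to open will not be found under that path. Since the text is being moved anyway, correct the directory name here and in the generated HTML. The `[SOGo]` jail above it also sets `filter = sogo-auth` without saying where that filter comes from; one sentence on that would help.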