diff --git a/en_US/howto/enable.dnsbl.md b/en_US/howto/enable.dnsbl.md
index bc303c4e..2419630d 100644
--- a/en_US/howto/enable.dnsbl.md
+++ b/en_US/howto/enable.dnsbl.md
@@ -12,21 +12,26 @@ You can enable additional DNSBL services in Postfix to reduce spam. We use
`zen.spamhaus.org` for example below.
* Open Postfix config file `/etc/postfix/main.cf` or
-`/usr/local/etc/postfix/main.cf` (on FreeBSD), append
-`reject_rbl_client zen.spamhaus.org` to parameter `smtpd_recipient_restrictions`.
-Final setting looks like below:
+ `/usr/local/etc/postfix/main.cf` (on FreeBSD), append
+ `reject_rbl_client zen.spamhaus.org` to parameter `smtpd_recipient_restrictions`.
+ Final setting looks like below:
```
smtpd_recipient_restrictions =
...
reject_unauth_destination
- reject_rbl_client zen.spamhaus.org
+ reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]*3
```
It must be placed after `reject_unauth_destination`. You can add more DNSBL
services after `reject_unauth_destination`, and they will be queried in the
specified order.
+Postfix will perform DNS query against `zen.spamhaus.org`, and wait for the
+response code, only `127.0.0.2` to `127.0.0.11` are meaningful, so we use
+`=127.0.0.[2..11]` to tell Postfix only reject clients when we get those
+response code.
+
* Restart or reload Postfix service is required.
!!! note "Another popular DNSBL server"
diff --git a/en_US/upgrade/0-upgrade.iredmail.0.9.6-0.9.7.md b/en_US/upgrade/0-upgrade.iredmail.0.9.6-0.9.7.md
new file mode 100644
index 00000000..70382bbc
--- /dev/null
+++ b/en_US/upgrade/0-upgrade.iredmail.0.9.6-0.9.7.md
@@ -0,0 +1,39 @@
+# Upgrade iRedMail from 0.9.6 to 0.9.7
+
+[TOC]
+
+!!! warning
+
+ THIS IS A DRAFT, DO NOT APPLY ANY STEPS MENTIONED IN THIS TUTORIAL.
+
+!!! note "Paid Remote Upgrade Support"
+
+ We offer remote upgrade support if you don't want to get your hands dirty,
+ check [the details](../support.html) and [contact us](../contact.html).
+
+## ChangeLog
+
+* Feb 9, 2016: Fixed improper Fail2ban filter for Dovecot.
+
+## General (All backends should apply these steps)
+
+### Update `/etc/iredmail-release` with new iRedMail version number
+
+iRedMail stores the release version in `/etc/iredmail-release` after
+installation, it's recommended to update this file after you upgraded iRedMail,
+so that you can know which version of iRedMail you're running. For example:
+
+```
+0.9.7
+```
+
+### Fixed: Improper Fail2ban filter which causes incorrect ban
+
+Please open file `/etc/fail2ban/filter.d/dovecot.iredmail.conf`, remove line
+below:
+
+```
+ \(no auth attempts in .* rip=
zen.spamhaus.org
for example below.
/etc/postfix/main.cf
or
-/usr/local/etc/postfix/main.cf
(on FreeBSD), append
-reject_rbl_client zen.spamhaus.org
to parameter smtpd_recipient_restrictions
.
-Final setting looks like below:/usr/local/etc/postfix/main.cf
(on FreeBSD), append
+ reject_rbl_client zen.spamhaus.org
to parameter smtpd_recipient_restrictions
.
+ Final setting looks like below:
smtpd_recipient_restrictions =
...
reject_unauth_destination
- reject_rbl_client zen.spamhaus.org
+ reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]*3
It must be placed after reject_unauth_destination
. You can add more DNSBL
services after reject_unauth_destination
, and they will be queried in the
specified order.
Postfix will perform DNS query against zen.spamhaus.org
, and wait for the
+response code, only 127.0.0.2
to 127.0.0.11
are meaningful, so we use
+=127.0.0.[2..11]
to tell Postfix only reject clients when we get those
+response code.
Warning
+THIS IS A DRAFT, DO NOT APPLY ANY STEPS MENTIONED IN THIS TUTORIAL.
+Paid Remote Upgrade Support
+We offer remote upgrade support if you don't want to get your hands dirty, +check the details and contact us.
+/etc/iredmail-release
with new iRedMail version numberiRedMail stores the release version in /etc/iredmail-release
after
+installation, it's recommended to update this file after you upgraded iRedMail,
+so that you can know which version of iRedMail you're running. For example:
0.9.7
+
+
+Please open file /etc/fail2ban/filter.d/dovecot.iredmail.conf
, remove line
+below:
\(no auth attempts in .* rip=<HOST>
+
+
+Then restart or reload Fail2ban service.
+ + \ No newline at end of file