Fix another issue in iRedMail-0.9.0: Cannot run PHP script under web document root with Nginx.
parent ea281dc13b
commit 4aa730b56c
|
@ -118,9 +118,14 @@ Amavisd is configured to log to [Postfix log file](#postfix) by iRedMail.
|
|||
|
||||
## Fail2ban
|
||||
|
||||
Main config file is `/etc/fail2ban/jail.local`. All custom settings should be
|
||||
placed in `jail.local`, and don't touch `jail.conf`, so that upgrading
|
||||
Fail2ban binary package won't override your custom settings.
|
||||
* Main config file is `/etc/fail2ban/jail.local`. All custom settings should be
|
||||
placed in `/etc/fail2ban/jail.local`, and don't touch `jail.conf`, so that
|
||||
upgrading Fail2ban binary package won't override your custom settings.
|
||||
|
||||
* All filter rules are defined in files under `/etc/fail2ban/filters.d/`.
|
||||
* Actions are defined in files under `/etc/fail2ban/actions.d/`.
|
||||
|
||||
FreeBSD system is `/usr/local/etc/fail2ban/`.
|
||||
|
||||
## Roundcube webmail
|
||||
|
||||
|
|
|
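Review bot: The two bullets for filters and actions name the directories `/etc/fail2ban/filters.d/` and `/etc/fail2ban/actions.d/`, but Fail2ban's stock layout uses the singular `filter.d` and `action.d`, so a reader who follows the documented paths will not find the files. Suggest correcting both paths here, and checking the upgrade step that opens `filters.d/postfix.iredmail.conf` for the same spelling.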
@ -160,9 +160,18 @@ on Debian/Ubuntu.</p>
|
|||
<h3 id="log-files_2">Log files</h3>
|
||||
<p>Amavisd is configured to log to <a href="#postfix">Postfix log file</a> by iRedMail.</p>
|
||||
<h2 id="fail2ban">Fail2ban</h2>
|
||||
<ul>
|
||||
<li>
|
||||
<p>Main config file is <code>/etc/fail2ban/jail.local</code>. All custom settings should be
|
||||
placed in <code>jail.local</code>, and don't touch <code>jail.conf</code>, so that upgrading
|
||||
Fail2ban binary package won't override your custom settings.</p>
|
||||
placed in <code>/etc/fail2ban/jail.local</code>, and don't touch <code>jail.conf</code>, so that
|
||||
upgrading Fail2ban binary package won't override your custom settings.</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>All filter rules are defined in files under <code>/etc/fail2ban/filters.d/</code>.</p>
|
||||
</li>
|
||||
<li>Actions are defined in files under <code>/etc/fail2ban/actions.d/</code>.</li>
|
||||
</ul>
|
||||
<p>FreeBSD system is <code>/usr/local/etc/fail2ban/</code>.</p>
|
||||
<h2 id="roundcube-webmail">Roundcube webmail</h2>
|
||||
<p>Roundcube webmail is installed under below directory by default:</p>
|
||||
<ul>
|
||||
|
|
|
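Review bot: The sentence `FreeBSD system is /usr/local/etc/fail2ban/.` after the list does not say what lives at that path. Suggest a full statement, for example that on FreeBSD the config file, filters and actions are under `/usr/local/etc/fail2ban/` instead of `/etc/fail2ban/`.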
@ -16,7 +16,9 @@
|
|||
<li><a href="#upgrade-iredmail-from-090-to-091">Upgrade iRedMail from 0.9.0 to 0.9.1</a><ul>
|
||||
<li><a href="#changelog">ChangeLog</a></li>
|
||||
<li><a href="#general-all-backends-should-apply-these-steps">General (All backends should apply these steps)</a><ul>
|
||||
<li><a href="#optional-add-one-more-fail2ban-filter-to-help-catch-spam">[OPTIONAL] Add one more Fail2ban filter to help catch spam</a></li>
|
||||
<li><a href="#optional-fixed-return-receipt-response-rejected-by-iredapd-plugin-reject_null_sender">[OPTIONAL] Fixed: return receipt response rejected by iRedAPD plugin reject_null_sender</a></li>
|
||||
<li><a href="#fixed-cannot-run-php-script-under-web-document-root-with-nginx">Fixed: Cannot run PHP script under web document root with Nginx.</a></li>
|
||||
<li><a href="#fixed-incorrect-path-of-command-sogo-tool-on-openbsd">Fixed: Incorrect path of command sogo-tool on OpenBSD</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
|
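Review bot: The new TOC entry `Fixed: Cannot run PHP script under web document root with Nginx.` ends with a period, while the neighbouring `Fixed: Incorrect path of command sogo-tool on OpenBSD` entry does not. Suggest dropping the trailing period from the heading so the section titles stay consistent.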
@ -38,18 +40,40 @@
|
|||
</li>
|
||||
</ul>
|
||||
</div>
|
||||
<p>WARNING: This is still a working in progress draft document, do <strong>NOT</strong> apply it.</p>
|
||||
<p><strong>WARNING: Still working in progress, do <em>NOT</em> apply it.</strong></p>
|
||||
<h2 id="changelog">ChangeLog</h2>
|
||||
<ul>
|
||||
<li>2015-02-11: [All backends] Fixed: Cannot run PHP script under web document root with Nginx.</li>
|
||||
<li>2015-02-09: [All backends] [<strong>OPTIONAL</strong>] Add one more Fail2ban filter to help catch spam.</li>
|
||||
<li>2015-02-04: [All backends] [<strong>OPTIONAL</strong>] Fixed: return receipt response rejected
|
||||
by iRedAPD plugin <code>reject_null_sender</code>.</li>
|
||||
<li>2015-02-02: [All backends] Fixed: Not backup SOGo database. Note: this step
|
||||
is not applicable if you don't use SOGo groupware.</li>
|
||||
<li>2015-01-13: [All backends] Fixed: Incorrect path of command 'sogo-tool` on OpenBSD.</li>
|
||||
<li>2015-01-13: [All backends] Fixed: Incorrect path of command <code>sogo-tool</code> on OpenBSD.</li>
|
||||
<li>2015-01-12: [SQL backends] Fixed: Not apply service restriction in Dovecot
|
||||
SQL query file while acting as SASL server.</li>
|
||||
</ul>
|
||||
<h2 id="general-all-backends-should-apply-these-steps">General (All backends should apply these steps)</h2>
|
||||
<h3 id="optional-add-one-more-fail2ban-filter-to-help-catch-spam">[OPTIONAL] Add one more Fail2ban filter to help catch spam</h3>
|
||||
<p>We have a new Fail2ban filter to help catch spam, it will scan HELO rejections
|
||||
in Postfix log file and invoke iptables to ban client IP address.</p>
|
||||
<p>Open file <code>/etc/fail2ban/filters.d/postfix.iredmail.conf</code> or
|
||||
<code>/usr/local/etc/fail2ban/filters.d/postfix.iredmail.conf</code> (on FreeBSD), append
|
||||
below line under <code>[Definition]</code> section:</p>
|
||||
<pre><code> reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
|
||||
</code></pre>
|
||||
|
||||
<p>After modification, the whole content is:</p>
|
||||
<pre><code>[Definition]
|
||||
failregex = \[<HOST>\]: SASL (PLAIN|LOGIN) authentication failed
|
||||
lost connection after AUTH from (.*)\[<HOST>\]
|
||||
reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
|
||||
reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
|
||||
reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
|
||||
reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
|
||||
ignoreregex =
|
||||
</code></pre>
|
||||
|
||||
<h3 id="optional-fixed-return-receipt-response-rejected-by-iredapd-plugin-reject_null_sender">[OPTIONAL] Fixed: return receipt response rejected by iRedAPD plugin <code>reject_null_sender</code></h3>
|
||||
<p>Note: this is applicable if you want to keep iRedAPD plugin <code>reject_null_sender</code>
|
||||
but still able to send return receipt with Roundcube webmail.</p>
|
||||
|
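Review bot: The Fail2ban step stops at `After modification, the whole content is:` and never tells the reader to reload or restart Fail2ban, so the appended `504 5.5.2` rule is not active after following the step as written. Suggest adding a final instruction to restart the Fail2ban service, and ideally a check of the edited filter against the Postfix log with `fail2ban-regex` before relying on it.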
@ -74,6 +98,42 @@ authenticated user but with null sender in <code>From:</code> header (<code>from
|
|||
log). If your user's password was cracked by spammer, spammer can use this
|
||||
account to bypass smtp authentication, but with a null sender in <code>From:</code>
|
||||
header, throttling won't be triggered.</p>
|
||||
<h3 id="fixed-cannot-run-php-script-under-web-document-root-with-nginx">Fixed: Cannot run PHP script under web document root with Nginx.</h3>
|
||||
<p>With previous release of iRedMail, Nginx won't run PHP scripts under
|
||||
sub-directories of web document root, this step will fix it.</p>
|
||||
<ul>
|
||||
<li>Open Nginx config file <code>/etc/nginx/conf.d/default.conf</code> (on Linux/OpenBSD)
|
||||
or <code>/usr/local/etc/nginx/conf.d/default.conf</code>, add one more setting in
|
||||
configuration block <code>location ~ \.php$ {}</code> like below:</li>
|
||||
</ul>
|
||||
<pre><code>...
|
||||
root /var/www/html;
|
||||
...
|
||||
location ~ \.php$ {
|
||||
...
|
||||
fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name; # <- Add this line
|
||||
}
|
||||
</code></pre>
|
||||
|
||||
<ul>
|
||||
<li>Save your changes and restart Nginx service.</li>
|
||||
</ul>
|
||||
<p>Notes:</p>
|
||||
<ul>
|
||||
<li>There're two <code>location ~ \.php$ {}</code> blocks, please update both of them.</li>
|
||||
<li>
|
||||
<p>You must replace <code>/var/www/html</code> in above sample code to the value of <code>root</code>
|
||||
setting defined in same config file.</p>
|
||||
<ul>
|
||||
<li>on RHEL/CentOS, it's <code>/var/www/html</code>.</li>
|
||||
<li>on Debian/Ubuntu, it's <code>/var/www</code>.</li>
|
||||
<li>on FreeBSD, it's <code>/usr/local/www/apache22/data</code>.
|
||||
Note: if you're running Apache-2.4, the directory name should be
|
||||
<code>apache24</code>, not <code>apache22</code>.</li>
|
||||
<li>on OpenBSD, it's <code>/var/www/htdocs</code>.</li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
<h3 id="fixed-incorrect-path-of-command-sogo-tool-on-openbsd">Fixed: Incorrect path of command <code>sogo-tool</code> on OpenBSD</h3>
|
||||
<p>Note: this step is applicable to only OpenBSD.</p>
|
||||
<p>Please check user <code>_sogo</code>'s cron job, make sure path to <code>sogo-tool</code> command is
|
||||
|
|
|
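Review bot: In the first list item the second path, `/usr/local/etc/nginx/conf.d/default.conf`, has no platform label, while the first is marked `(on Linux/OpenBSD)`. Suggest adding `(on FreeBSD)` as the Fail2ban step does, and in the `Save your changes and restart Nginx service` item recommending `nginx -t` before the restart, so a typo in the new `fastcgi_param` line does not take the web server down.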
@ -3,21 +3,48 @@
|
|||
[TOC]
|
||||
|
||||
|
||||
WARNING: This is still a working in progress draft document, do __NOT__ apply it.
|
||||
|
||||
__WARNING: Still working in progress, do _NOT_ apply it.__
|
||||
|
||||
## ChangeLog
|
||||
|
||||
* 2015-02-11: [All backends] Fixed: Cannot run PHP script under web document root with Nginx.
|
||||
* 2015-02-09: [All backends] [__OPTIONAL__] Add one more Fail2ban filter to help catch spam.
|
||||
* 2015-02-04: [All backends] [__OPTIONAL__] Fixed: return receipt response rejected
|
||||
by iRedAPD plugin `reject_null_sender`.
|
||||
* 2015-02-02: [All backends] Fixed: Not backup SOGo database. Note: this step
|
||||
is not applicable if you don't use SOGo groupware.
|
||||
* 2015-01-13: [All backends] Fixed: Incorrect path of command 'sogo-tool` on OpenBSD.
|
||||
* 2015-01-13: [All backends] Fixed: Incorrect path of command `sogo-tool` on OpenBSD.
|
||||
* 2015-01-12: [SQL backends] Fixed: Not apply service restriction in Dovecot
|
||||
SQL query file while acting as SASL server.
|
||||
|
||||
## General (All backends should apply these steps)
|
||||
|
||||
### [OPTIONAL] Add one more Fail2ban filter to help catch spam
|
||||
|
||||
We have a new Fail2ban filter to help catch spam, it will scan HELO rejections
|
||||
in Postfix log file and invoke iptables to ban client IP address.
|
||||
|
||||
Open file `/etc/fail2ban/filters.d/postfix.iredmail.conf` or
|
||||
`/usr/local/etc/fail2ban/filters.d/postfix.iredmail.conf` (on FreeBSD), append
|
||||
below line under `[Definition]` section:
|
||||
|
||||
```
|
||||
reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
|
||||
```
|
||||
|
||||
After modification, the whole content is:
|
||||
|
||||
```
|
||||
[Definition]
|
||||
failregex = \[<HOST>\]: SASL (PLAIN|LOGIN) authentication failed
|
||||
lost connection after AUTH from (.*)\[<HOST>\]
|
||||
reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
|
||||
reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
|
||||
reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
|
||||
reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
|
||||
ignoreregex =
|
||||
```
|
||||
|
||||
### [OPTIONAL] Fixed: return receipt response rejected by iRedAPD plugin `reject_null_sender`
|
||||
|
||||
Note: this is applicable if you want to keep iRedAPD plugin `reject_null_sender`
|
||||
|
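Review bot: The appended failregex line uses two unanchored greedy `(.*)` groups, and the second one sits where Postfix logs the HELO argument, which the remote client supplies. Suggest narrowing both groups to `\S+` so that `<HOST>` can only bind to the bracketed client address directly after `RCPT from`; the same tightening applies to the existing `reject: RCPT from (.*)\[<HOST>\]` lines in the full listing.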
@ -47,6 +74,40 @@ log). If your user's password was cracked by spammer, spammer can use this
|
|||
account to bypass smtp authentication, but with a null sender in `From:`
|
||||
header, throttling won't be triggered.
|
||||
|
||||
### Fixed: Cannot run PHP script under web document root with Nginx.
|
||||
|
||||
With previous release of iRedMail, Nginx won't run PHP scripts under
|
||||
sub-directories of web document root, this step will fix it.
|
||||
|
||||
* Open Nginx config file `/etc/nginx/conf.d/default.conf` (on Linux/OpenBSD)
|
||||
or `/usr/local/etc/nginx/conf.d/default.conf`, add one more setting in
|
||||
configuration block `location ~ \.php$ {}` like below:
|
||||
|
||||
```
|
||||
...
|
||||
root /var/www/html;
|
||||
...
|
||||
location ~ \.php$ {
|
||||
...
|
||||
fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name; # <- Add this line
|
||||
}
|
||||
```
|
||||
|
||||
* Save your changes and restart Nginx service.
|
||||
|
||||
Notes:
|
||||
|
||||
* There're two `location ~ \.php$ {}` blocks, please update both of them.
|
||||
* You must replace `/var/www/html` in above sample code to the value of `root`
|
||||
setting defined in same config file.
|
||||
|
||||
* on RHEL/CentOS, it's `/var/www/html`.
|
||||
* on Debian/Ubuntu, it's `/var/www`.
|
||||
* on FreeBSD, it's `/usr/local/www/apache22/data`.
|
||||
Note: if you're running Apache-2.4, the directory name should be
|
||||
`apache24`, not `apache22`.
|
||||
* on OpenBSD, it's `/var/www/htdocs`.
|
||||
|
||||
### Fixed: Incorrect path of command `sogo-tool` on OpenBSD
|
||||
|
||||
Note: this step is applicable to only OpenBSD.
|
||||
|
|
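Review bot: The added line `fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;` hard-codes the document root, which is why the notes then need a per-OS list and a manual substitution in both `location ~ \.php$ {}` blocks. Suggest `$document_root$fastcgi_script_name` instead, which follows the `root` directive in the same file and cannot drift from it if the root is changed later.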