From 4aa730b56c91a8e2be2f858f4f53d154582335dd Mon Sep 17 00:00:00 2001
From: Zhang Huangbin <Zhang Huangbin@localhost>
Date: Wed, 11 Feb 2015 18:07:26 +0800
Subject: [PATCH] Fix another issue in iRedMail-0.9.0: Cannot run PHP script
 under web document root with Nginx.

---
 faq/1-file.locations.md                   | 11 +++-
 html/file.locations.html                  | 13 ++++-
 html/upgrade.iredmail.0.9.0-0.9.1.html    | 64 +++++++++++++++++++++-
 upgrade/0-upgrade.iredmail.0.9.0-0.9.1.md | 67 ++++++++++++++++++++++-
 4 files changed, 145 insertions(+), 10 deletions(-)

diff --git a/faq/1-file.locations.md b/faq/1-file.locations.md
index 6cbb5156..39c9cad5 100644
--- a/faq/1-file.locations.md
+++ b/faq/1-file.locations.md
@@ -118,9 +118,14 @@ Amavisd is configured to log to [Postfix log file](#postfix) by iRedMail.
 
 ## Fail2ban
 
-Main config file is `/etc/fail2ban/jail.local`. All custom settings should be
-placed in `jail.local`, and don't touch `jail.conf`, so that upgrading
-Fail2ban binary package won't override your custom settings.
+* Main config file is `/etc/fail2ban/jail.local`. All custom settings should be
+  placed in `/etc/fail2ban/jail.local`, and don't touch `jail.conf`, so that
+  upgrading Fail2ban binary package won't override your custom settings.
+
+* All filter rules are defined in files under `/etc/fail2ban/filters.d/`.
+* Actions are defined in files under `/etc/fail2ban/actions.d/`.
+
+FreeBSD system is `/usr/local/etc/fail2ban/`.
 
 ## Roundcube webmail
 
diff --git a/html/file.locations.html b/html/file.locations.html
index 82eeb247..96396b90 100644
--- a/html/file.locations.html
+++ b/html/file.locations.html
@@ -160,9 +160,18 @@ on Debian/Ubuntu.</p>
 <h3 id="log-files_2">Log files</h3>
 <p>Amavisd is configured to log to <a href="#postfix">Postfix log file</a> by iRedMail.</p>
 <h2 id="fail2ban">Fail2ban</h2>
+<ul>
+<li>
 <p>Main config file is <code>/etc/fail2ban/jail.local</code>. All custom settings should be
-placed in <code>jail.local</code>, and don't touch <code>jail.conf</code>, so that upgrading
-Fail2ban binary package won't override your custom settings.</p>
+  placed in <code>/etc/fail2ban/jail.local</code>, and don't touch <code>jail.conf</code>, so that
+  upgrading Fail2ban binary package won't override your custom settings.</p>
+</li>
+<li>
+<p>All filter rules are defined in files under <code>/etc/fail2ban/filters.d/</code>.</p>
+</li>
+<li>Actions are defined in files under <code>/etc/fail2ban/actions.d/</code>.</li>
+</ul>
+<p>FreeBSD system is <code>/usr/local/etc/fail2ban/</code>.</p>
 <h2 id="roundcube-webmail">Roundcube webmail</h2>
 <p>Roundcube webmail is installed under below directory by default:</p>
 <ul>
diff --git a/html/upgrade.iredmail.0.9.0-0.9.1.html b/html/upgrade.iredmail.0.9.0-0.9.1.html
index 4205cd4f..ceb66921 100644
--- a/html/upgrade.iredmail.0.9.0-0.9.1.html
+++ b/html/upgrade.iredmail.0.9.0-0.9.1.html
@@ -16,7 +16,9 @@
 <li><a href="#upgrade-iredmail-from-090-to-091">Upgrade iRedMail from 0.9.0 to 0.9.1</a><ul>
 <li><a href="#changelog">ChangeLog</a></li>
 <li><a href="#general-all-backends-should-apply-these-steps">General (All backends should apply these steps)</a><ul>
+<li><a href="#optional-add-one-more-fail2ban-filter-to-help-catch-spam">[OPTIONAL] Add one more Fail2ban filter to help catch spam</a></li>
 <li><a href="#optional-fixed-return-receipt-response-rejected-by-iredapd-plugin-reject_null_sender">[OPTIONAL] Fixed: return receipt response rejected by iRedAPD plugin reject_null_sender</a></li>
+<li><a href="#fixed-cannot-run-php-script-under-web-document-root-with-nginx">Fixed: Cannot run PHP script under web document root with Nginx.</a></li>
 <li><a href="#fixed-incorrect-path-of-command-sogo-tool-on-openbsd">Fixed: Incorrect path of command sogo-tool on OpenBSD</a></li>
 </ul>
 </li>
@@ -38,18 +40,40 @@
 </li>
 </ul>
 </div>
-<p>WARNING: This is still a working in progress draft document, do <strong>NOT</strong> apply it.</p>
+<p><strong>WARNING: Still working in progress, do <em>NOT</em> apply it.</strong></p>
 <h2 id="changelog">ChangeLog</h2>
 <ul>
+<li>2015-02-11: [All backends] Fixed: Cannot run PHP script under web document root with Nginx.</li>
+<li>2015-02-09: [All backends] [<strong>OPTIONAL</strong>] Add one more Fail2ban filter to help catch spam.</li>
 <li>2015-02-04: [All backends] [<strong>OPTIONAL</strong>] Fixed: return receipt response rejected
               by iRedAPD plugin <code>reject_null_sender</code>.</li>
 <li>2015-02-02: [All backends] Fixed: Not backup SOGo database. Note: this step
               is not applicable if you don't use SOGo groupware.</li>
-<li>2015-01-13: [All backends] Fixed: Incorrect path of command 'sogo-tool` on OpenBSD.</li>
+<li>2015-01-13: [All backends] Fixed: Incorrect path of command <code>sogo-tool</code> on OpenBSD.</li>
 <li>2015-01-12: [SQL backends] Fixed: Not apply service restriction in Dovecot
               SQL query file while acting as SASL server.</li>
 </ul>
 <h2 id="general-all-backends-should-apply-these-steps">General (All backends should apply these steps)</h2>
+<h3 id="optional-add-one-more-fail2ban-filter-to-help-catch-spam">[OPTIONAL] Add one more Fail2ban filter to help catch spam</h3>
+<p>We have a new Fail2ban filter to help catch spam, it will scan HELO rejections
+in Postfix log file and invoke iptables to ban client IP address.</p>
+<p>Open file <code>/etc/fail2ban/filters.d/postfix.iredmail.conf</code> or
+<code>/usr/local/etc/fail2ban/filters.d/postfix.iredmail.conf</code> (on FreeBSD), append
+below line under <code>[Definition]</code> section:</p>
+<pre><code>            reject: RCPT from (.*)\[&lt;HOST&gt;\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
+</code></pre>
+
+<p>After modification, the whole content is:</p>
+<pre><code>[Definition]
+failregex = \[&lt;HOST&gt;\]: SASL (PLAIN|LOGIN) authentication failed
+            lost connection after AUTH from (.*)\[&lt;HOST&gt;\]
+            reject: RCPT from (.*)\[&lt;HOST&gt;\]: 550 5.1.1
+            reject: RCPT from (.*)\[&lt;HOST&gt;\]: 450 4.7.1
+            reject: RCPT from (.*)\[&lt;HOST&gt;\]: 554 5.7.1
+            reject: RCPT from (.*)\[&lt;HOST&gt;\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
+ignoreregex =
+</code></pre>
+
 <h3 id="optional-fixed-return-receipt-response-rejected-by-iredapd-plugin-reject_null_sender">[OPTIONAL] Fixed: return receipt response rejected by iRedAPD plugin <code>reject_null_sender</code></h3>
 <p>Note: this is applicable if you want to keep iRedAPD plugin <code>reject_null_sender</code>
 but still able to send return receipt with Roundcube webmail.</p>
@@ -74,6 +98,42 @@ authenticated user but with null sender in <code>From:</code> header (<code>from
 log). If your user's password was cracked by spammer, spammer can use this
 account to bypass smtp authentication, but with a null sender in <code>From:</code>
 header, throttling won't be triggered.</p>
+<h3 id="fixed-cannot-run-php-script-under-web-document-root-with-nginx">Fixed: Cannot run PHP script under web document root with Nginx.</h3>
+<p>With previous release of iRedMail, Nginx won't run PHP scripts under
+sub-directories of web document root, this step will fix it.</p>
+<ul>
+<li>Open Nginx config file <code>/etc/nginx/conf.d/default.conf</code> (on Linux/OpenBSD)
+or <code>/usr/local/etc/nginx/conf.d/default.conf</code>, add one more setting in
+configuration block <code>location ~ \.php$ {}</code> like below:</li>
+</ul>
+<pre><code>...
+root /var/www/html;
+...
+location ~ \.php$ {
+    ...
+    fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;    # &lt;- Add this line
+}
+</code></pre>
+
+<ul>
+<li>Save your changes and restart Nginx service.</li>
+</ul>
+<p>Notes:</p>
+<ul>
+<li>There're two <code>location ~ \.php$ {}</code> blocks, please update both of them.</li>
+<li>
+<p>You must replace <code>/var/www/html</code> in above sample code to the value of <code>root</code>
+  setting defined in same config file.</p>
+<ul>
+<li>on RHEL/CentOS, it's <code>/var/www/html</code>.</li>
+<li>on Debian/Ubuntu, it's <code>/var/www</code>.</li>
+<li>on FreeBSD, it's <code>/usr/local/www/apache22/data</code>.
+  Note: if you're running Apache-2.4, the directory name should be
+  <code>apache24</code>, not <code>apache22</code>.</li>
+<li>on OpenBSD, it's <code>/var/www/htdocs</code>.</li>
+</ul>
+</li>
+</ul>
 <h3 id="fixed-incorrect-path-of-command-sogo-tool-on-openbsd">Fixed: Incorrect path of command <code>sogo-tool</code> on OpenBSD</h3>
 <p>Note: this step is applicable to only OpenBSD.</p>
 <p>Please check user <code>_sogo</code>'s cron job, make sure path to <code>sogo-tool</code> command is
diff --git a/upgrade/0-upgrade.iredmail.0.9.0-0.9.1.md b/upgrade/0-upgrade.iredmail.0.9.0-0.9.1.md
index e103cde2..026aa362 100644
--- a/upgrade/0-upgrade.iredmail.0.9.0-0.9.1.md
+++ b/upgrade/0-upgrade.iredmail.0.9.0-0.9.1.md
@@ -3,21 +3,48 @@
 [TOC]
 
 
-WARNING: This is still a working in progress draft document, do __NOT__ apply it.
-
+__WARNING: Still working in progress, do _NOT_ apply it.__
 
 ## ChangeLog
 
+* 2015-02-11: [All backends] Fixed: Cannot run PHP script under web document root with Nginx.
+* 2015-02-09: [All backends] [__OPTIONAL__] Add one more Fail2ban filter to help catch spam.
 * 2015-02-04: [All backends] [__OPTIONAL__] Fixed: return receipt response rejected
               by iRedAPD plugin `reject_null_sender`.
 * 2015-02-02: [All backends] Fixed: Not backup SOGo database. Note: this step
               is not applicable if you don't use SOGo groupware.
-* 2015-01-13: [All backends] Fixed: Incorrect path of command 'sogo-tool` on OpenBSD.
+* 2015-01-13: [All backends] Fixed: Incorrect path of command `sogo-tool` on OpenBSD.
 * 2015-01-12: [SQL backends] Fixed: Not apply service restriction in Dovecot
               SQL query file while acting as SASL server.
 
 ## General (All backends should apply these steps)
 
+### [OPTIONAL] Add one more Fail2ban filter to help catch spam
+
+We have a new Fail2ban filter to help catch spam, it will scan HELO rejections
+in Postfix log file and invoke iptables to ban client IP address.
+
+Open file `/etc/fail2ban/filters.d/postfix.iredmail.conf` or
+`/usr/local/etc/fail2ban/filters.d/postfix.iredmail.conf` (on FreeBSD), append
+below line under `[Definition]` section:
+
+```
+            reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
+```
+
+After modification, the whole content is:
+
+```
+[Definition]
+failregex = \[<HOST>\]: SASL (PLAIN|LOGIN) authentication failed
+            lost connection after AUTH from (.*)\[<HOST>\]
+            reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
+            reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
+            reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
+            reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
+ignoreregex =
+```
+
 ### [OPTIONAL] Fixed: return receipt response rejected by iRedAPD plugin `reject_null_sender`
 
 Note: this is applicable if you want to keep iRedAPD plugin `reject_null_sender`
@@ -47,6 +74,40 @@ log). If your user's password was cracked by spammer, spammer can use this
 account to bypass smtp authentication, but with a null sender in `From:`
 header, throttling won't be triggered.
 
+### Fixed: Cannot run PHP script under web document root with Nginx.
+
+With previous release of iRedMail, Nginx won't run PHP scripts under
+sub-directories of web document root, this step will fix it.
+
+* Open Nginx config file `/etc/nginx/conf.d/default.conf` (on Linux/OpenBSD)
+or `/usr/local/etc/nginx/conf.d/default.conf`, add one more setting in
+configuration block `location ~ \.php$ {}` like below:
+
+```
+...
+root /var/www/html;
+...
+location ~ \.php$ {
+    ...
+    fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;    # <- Add this line
+}
+```
+
+* Save your changes and restart Nginx service.
+
+Notes:
+
+* There're two `location ~ \.php$ {}` blocks, please update both of them.
+* You must replace `/var/www/html` in above sample code to the value of `root`
+  setting defined in same config file.
+
+    * on RHEL/CentOS, it's `/var/www/html`.
+    * on Debian/Ubuntu, it's `/var/www`.
+    * on FreeBSD, it's `/usr/local/www/apache22/data`.
+      Note: if you're running Apache-2.4, the directory name should be
+      `apache24`, not `apache22`.
+    * on OpenBSD, it's `/var/www/htdocs`.
+
 ### Fixed: Incorrect path of command `sogo-tool` on OpenBSD
 
 Note: this step is applicable to only OpenBSD.