Sync iRedMail upgrade tutorial.

New: upgrade.debian.9-10.html.

en_US/integrations/0-integration.opendmarc.md

@@ -22,8 +22,11 @@ specification. Source code hosted on [GitHub](https://github.com/trusteddomainpr
 
 ## Requirements
 
-* OpenDMARC-1.3.1 is buggy, only the latest OpenDMARC-1.3.2 is required.
-* Supported OS Linux/BSD distributions:
+!!! warning
+
+    OpenDMARC version __1.3.1__ is buggy, hence the latest __1.3.2__ is required.
+
+Supported OS Linux/BSD distributions:
 
 Distribution | Releases | Comment
 ---|---|---
@@ -35,4 +38,28 @@ FreeBSD | 11.x, 12.x | Port `mail/opendmarc`.
 
 ## Install OpenDMARC
 
+* RHEL/CentOS (again, with `epel` repo enabled):
+
+```
+yum clean metadata && yum install opendmarc
+```
+
+* Debian/Ubuntu:
+
+```
+apt-get update && apt-get install opendmarc
+```
+
+* OpenBSD:
+
+```
+pkg_add opendmarc
+```
+
+* FreeBSD:
+
+```
+cd /usr/ports/mail/opendmarc && make install clean
+```
+
 ## Configure OpenDMARC

en_US/upgrade/0-upgrade.debian.9-10.md

@@ -0,0 +1,46 @@
+# Fixes you need after upgrading Debian from 9 to 10
+
+[TOC]
+
+!!! warning
+
+    This is still a DRAFT document, it may miss some other important changes.
+
+## Dovecot
+
+* Remove parameter `ssl_protocols =`.
+* Add new parameter `ssl_min_protocols` like this:
+
+```
+ssl_min_protocols = TLSv1.2
+```
+
+Note: if you need to support old mail client applications which don't support
+`TLSv1.2`, you may need to set it to `TLSv1.1`. Please use `TLSv1.2` if possible.
+
+* If you have plugin `stats` enabled, you need to rename it:
+
+Old | New
+---|---
+`mail_plugins = ... stats` | `mail_plugins = ... old_stats`
+`protocol imap { mail_plugins = ... imap_stats }` | `protocol imap { mail_plugins = ... imap_old_stats}`
+`service stats {}` | `service old-stats {}`<br/>Warning: It's a dash (`-`), not underscore (`_`).
+`fifo_listener stats-mail` | `fifo_listener old-stats-mail`<br/>Warning: It's a dash (`-`), not underscore (`_`).
+`fifo_listener stats-user` | `fifo_listener old-stats-user`<br/>Warning: It's a dash (`-`), not underscore (`_`).
+`unix_listener stats` | `unix_listener old-stats`<br/>Warning: It's a dash (`-`), not underscore (`_`).
+`plugin { stats_refresh = ... }` | `plugin { old_stats_refresh = ...}`
+`plugin { stats_track_cmds = ...}` | `plugin { old_stats_track_cmds = ...}`
+
+## SOGo Groupware
+
+SOGo packages were removed during upgrading Debian, but SOGo team doesn't
+offer nightly build binary packages for Debian 10. We have to remove the
+old apt repo (`/etc/apt/sources.list.d/sogo-nightly.list`) and use the sogo
+packages offered in Debian 10 official apt repo.
+
+```
+rm -f /etc/apt/sources.list.d/sogo-nightly.repo
+apt update
+apt install sogo
+service sogo restart
+```

en_US/upgrade/0-upgrade.iredmail.0.9.9-1.0.md

@@ -157,3 +157,64 @@ Reloading or restarting Postfix service is required.
     * Postfix will use rewritten address in the `Return-Path:` header, if you
       have any sieve rules based on `Return-Path:`, it MAY not work anymore and
       please update your sieve rules to match rewritten address.
+
+### [OPTIONAL] Enable mailbox quota status check in Dovecot and Postfix.
+
+With default iRedMail settings, Postfix accepts email without checking whether
+user's mailbox is over quota, then pipes email to Dovecot LDA for local
+delivery. If mailbox is over quota, Dovecot can not save message to mailbox
+and generates a "sender non-delivery notification" to sender.
+
+With the change below, Postfix will query mailbox quota status from Dovecot
+directly, then reject email if it's over quota. It saves system resource used
+to process this email like spam/virus scanning, and avoids bounce message.
+
+#### Enable quota-status service in Dovecot
+
+Open Dovecot config file `/etc/dovecot/dovecot.conf` (Linux/OpenBSD) or
+`/usr/local/etc/dovecot/dovecot.conf` (FreeBSD), find the `plugin {}` block
+and add 3 new parameters:
+
+```
+plugin {
+    ...
+    # Used by quota-status service.
+    quota_status_success = DUNNO
+    quota_status_nouser = DUNNO
+    quota_status_overquota = "552 5.2.2 Mailbox is full"
+    ...
+}
+```
+
+In same `dovecot.conf`, append settings below __at the end of file__:
+
+* With settings below, Dovecot quota-status service will listen on `127.0.0.1:12340`.
+* You can change the port number `12340` to any other spare one if you want.
+
+```
+service quota-status {
+    executable = quota-status -p postfix
+    client_limit = 1
+    inet_listener {
+        address = 127.0.0.1
+        port = 12340
+    }
+}
+```
+
+Restarting Dovecot service is required.
+
+#### Enable quota status check in Postfix
+
+Open Postfix config file `/etc/postfix/main.cf` (Linux/OpenBSD) or
+`/usr/local/etc/postfix/main.cf` (FreeBSD), find parameter
+`smtpd_recipient_restrictions` and append a new `check_policy_service` setting
+__at the end__ like below:
+
+```
+smtpd_recipient_restrictions =
+    ...
+    check_policy_service inet:127.0.0.1:12340
+```
+
+Restarting Postfix service is required.

html/integration.opendmarc.html

@@ -44,10 +44,11 @@ improve and monitor protection of the domain from fraudulent email.</p>
 <p>OpenDMARC is a free open source software implementation of the DMARC
 specification. Source code hosted on <a href="https://github.com/trusteddomainproject/OpenDMARC">GitHub</a>.</p>
 <h2 id="requirements">Requirements</h2>
-<ul>
-<li>OpenDMARC-1.3.1 is buggy, only the latest OpenDMARC-1.3.2 is required.</li>
-<li>Supported OS Linux/BSD distributions:</li>
-</ul>
+<div class="admonition warning">
+<p class="admonition-title">Warning</p>
+<p>OpenDMARC version <strong>1.3.1</strong> is buggy, hence the latest <strong>1.3.2</strong> is required.</p>
+</div>
+<p>Supported OS Linux/BSD distributions:</p>
 <table>
 <thead>
 <tr>
@@ -85,6 +86,30 @@ specification. Source code hosted on <a href="https://github.com/trusteddomainpr
 </tbody>
 </table>
 <h2 id="install-opendmarc">Install OpenDMARC</h2>
+<ul>
+<li>RHEL/CentOS (again, with <code>epel</code> repo enabled):</li>
+</ul>
+<pre><code>yum clean metadata &amp;&amp; yum install opendmarc
+</code></pre>
+
+<ul>
+<li>Debian/Ubuntu:</li>
+</ul>
+<pre><code>apt-get update &amp;&amp; apt-get install opendmarc
+</code></pre>
+
+<ul>
+<li>OpenBSD:</li>
+</ul>
+<pre><code>pkg_add opendmarc
+</code></pre>
+
+<ul>
+<li>FreeBSD:</li>
+</ul>
+<pre><code>cd /usr/ports/mail/opendmarc &amp;&amp; make install clean
+</code></pre>
+
 <h2 id="configure-opendmarc">Configure OpenDMARC</h2><div class="footer">
     <p style="text-align: center; color: grey;">All documents are available in <a href="https://bitbucket.org/zhb/iredmail-docs/src">BitBucket repository</a>, and published under <a href="http://creativecommons.org/licenses/by-nd/3.0/us/" target="_blank">Creative Commons</a> license. You can <a href="https://bitbucket.org/zhb/iredmail-docs/get/tip.tar.bz2">download the latest version</a> for offline reading. If you found something wrong, please do <a href="https://www.iredmail.org/contact.html">contact us</a> to fix it.</p>
 </div>

html/upgrade.debian.9-10.html

@@ -0,0 +1,108 @@
+<!DOCTYPE html>
+<html>
+    <head>
+        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+        <title>Fixes you need after upgrading Debian from 9 to 10</title>
+        <link rel="stylesheet" type="text/css" href="./css/markdown.css" />
+    </head>
+    <body>
+
+    <div id="navigation">
+    <a href="https://www.iredmail.org" target="_blank">
+        <img alt="iRedMail web site"
+             src="./images/logo-iredmail.png"
+             style="vertical-align: middle; height: 30px;"
+             />&nbsp;
+        <span>iRedMail</span>
+    </a>
+    &nbsp;&nbsp;//&nbsp;&nbsp;<a href="./index.html">Document Index</a></div><h1 id="fixes-you-need-after-upgrading-debian-from-9-to-10">Fixes you need after upgrading Debian from 9 to 10</h1>
+<div class="toc">
+<ul>
+<li><a href="#fixes-you-need-after-upgrading-debian-from-9-to-10">Fixes you need after upgrading Debian from 9 to 10</a><ul>
+<li><a href="#dovecot">Dovecot</a></li>
+<li><a href="#sogo-groupware">SOGo Groupware</a></li>
+</ul>
+</li>
+</ul>
+</div>
+<div class="admonition warning">
+<p class="admonition-title">Warning</p>
+<p>This is still a DRAFT document, it may miss some other important changes.</p>
+</div>
+<h2 id="dovecot">Dovecot</h2>
+<ul>
+<li>Remove parameter <code>ssl_protocols =</code>.</li>
+<li>Add new parameter <code>ssl_min_protocols</code> like this:</li>
+</ul>
+<pre><code>ssl_min_protocols = TLSv1.2
+</code></pre>
+
+<p>Note: if you need to support old mail client applications which don't support
+<code>TLSv1.2</code>, you may need to set it to <code>TLSv1.1</code>. Please use <code>TLSv1.2</code> if possible.</p>
+<ul>
+<li>If you have plugin <code>stats</code> enabled, you need to rename it:</li>
+</ul>
+<table>
+<thead>
+<tr>
+<th>Old</th>
+<th>New</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td><code>mail_plugins = ... stats</code></td>
+<td><code>mail_plugins = ... old_stats</code></td>
+</tr>
+<tr>
+<td><code>protocol imap { mail_plugins = ... imap_stats }</code></td>
+<td><code>protocol imap { mail_plugins = ... imap_old_stats}</code></td>
+</tr>
+<tr>
+<td><code>service stats {}</code></td>
+<td><code>service old-stats {}</code><br/>Warning: It's a dash (<code>-</code>), not underscore (<code>_</code>).</td>
+</tr>
+<tr>
+<td><code>fifo_listener stats-mail</code></td>
+<td><code>fifo_listener old-stats-mail</code><br/>Warning: It's a dash (<code>-</code>), not underscore (<code>_</code>).</td>
+</tr>
+<tr>
+<td><code>fifo_listener stats-user</code></td>
+<td><code>fifo_listener old-stats-user</code><br/>Warning: It's a dash (<code>-</code>), not underscore (<code>_</code>).</td>
+</tr>
+<tr>
+<td><code>unix_listener stats</code></td>
+<td><code>unix_listener old-stats</code><br/>Warning: It's a dash (<code>-</code>), not underscore (<code>_</code>).</td>
+</tr>
+<tr>
+<td><code>plugin { stats_refresh = ... }</code></td>
+<td><code>plugin { old_stats_refresh = ...}</code></td>
+</tr>
+<tr>
+<td><code>plugin { stats_track_cmds = ...}</code></td>
+<td><code>plugin { old_stats_track_cmds = ...}</code></td>
+</tr>
+</tbody>
+</table>
+<h2 id="sogo-groupware">SOGo Groupware</h2>
+<p>SOGo packages were removed during upgrading Debian, but SOGo team doesn't
+offer nightly build binary packages for Debian 10. We have to remove the
+old apt repo (<code>/etc/apt/sources.list.d/sogo-nightly.list</code>) and use the sogo
+packages offered in Debian 10 official apt repo.</p>
+<pre><code>rm -f /etc/apt/sources.list.d/sogo-nightly.repo
+apt update
+apt install sogo
+service sogo restart
+</code></pre><div class="footer">
+    <p style="text-align: center; color: grey;">All documents are available in <a href="https://bitbucket.org/zhb/iredmail-docs/src">BitBucket repository</a>, and published under <a href="http://creativecommons.org/licenses/by-nd/3.0/us/" target="_blank">Creative Commons</a> license. You can <a href="https://bitbucket.org/zhb/iredmail-docs/get/tip.tar.bz2">download the latest version</a> for offline reading. If you found something wrong, please do <a href="https://www.iredmail.org/contact.html">contact us</a> to fix it.</p>
+</div>
+<!-- Global site tag (gtag.js) - Google Analytics -->
+<script async src="https://www.googletagmanager.com/gtag/js?id=UA-3293801-21"></script>
+<script>
+  window.dataLayer = window.dataLayer || [];
+  function gtag(){dataLayer.push(arguments);}
+  gtag('js', new Date());
+
+  gtag('config', 'UA-3293801-21');
+</script>
+</body></html>

html/upgrade.iredmail.0.9.9-1.0.html

@@ -30,6 +30,11 @@
 <li><a href="#fixed-improper-order-of-postfix-smtpd_sender_restriction-rules">Fixed: improper order of Postfix smtpd_sender_restriction rules</a></li>
 <li><a href="#fail2ban-slightly-loose-filter-rule-for-postfix">Fail2ban: slightly loose filter rule for postfix</a></li>
 <li><a href="#optional-enable-srs-sender-rewriting-scheme-support-in-postfix">[OPTIONAL] Enable SRS (Sender Rewriting Scheme) support in Postfix</a></li>
+<li><a href="#optional-enable-mailbox-quota-status-check-in-dovecot-and-postfix">[OPTIONAL] Enable mailbox quota status check in Dovecot and Postfix.</a><ul>
+<li><a href="#enable-quota-status-service-in-dovecot">Enable quota-status service in Dovecot</a></li>
+<li><a href="#enable-quota-status-check-in-postfix">Enable quota status check in Postfix</a></li>
+</ul>
+</li>
 </ul>
 </li>
 </ul>
@@ -172,7 +177,56 @@ recipient_canonical_classes= envelope_recipient,header_recipient
   please update your sieve rules to match rewritten address.</p>
 </li>
 </ul>
-</div><div class="footer">
+</div>
+<h3 id="optional-enable-mailbox-quota-status-check-in-dovecot-and-postfix">[OPTIONAL] Enable mailbox quota status check in Dovecot and Postfix.</h3>
+<p>With default iRedMail settings, Postfix accepts email without checking whether
+user's mailbox is over quota, then pipes email to Dovecot LDA for local
+delivery. If mailbox is over quota, Dovecot can not save message to mailbox
+and generates a "sender non-delivery notification" to sender.</p>
+<p>With the change below, Postfix will query mailbox quota status from Dovecot
+directly, then reject email if it's over quota. It saves system resource used
+to process this email like spam/virus scanning, and avoids bounce message.</p>
+<h4 id="enable-quota-status-service-in-dovecot">Enable quota-status service in Dovecot</h4>
+<p>Open Dovecot config file <code>/etc/dovecot/dovecot.conf</code> (Linux/OpenBSD) or
+<code>/usr/local/etc/dovecot/dovecot.conf</code> (FreeBSD), find the <code>plugin {}</code> block
+and add 3 new parameters:</p>
+<pre><code>plugin {
+    ...
+    # Used by quota-status service.
+    quota_status_success = DUNNO
+    quota_status_nouser = DUNNO
+    quota_status_overquota = &quot;552 5.2.2 Mailbox is full&quot;
+    ...
+}
+</code></pre>
+
+<p>In same <code>dovecot.conf</code>, append settings below <strong>at the end of file</strong>:</p>
+<ul>
+<li>With settings below, Dovecot quota-status service will listen on <code>127.0.0.1:12340</code>.</li>
+<li>You can change the port number <code>12340</code> to any other spare one if you want.</li>
+</ul>
+<pre><code>service quota-status {
+    executable = quota-status -p postfix
+    client_limit = 1
+    inet_listener {
+        address = 127.0.0.1
+        port = 12340
+    }
+}
+</code></pre>
+
+<p>Restarting Dovecot service is required.</p>
+<h4 id="enable-quota-status-check-in-postfix">Enable quota status check in Postfix</h4>
+<p>Open Postfix config file <code>/etc/postfix/main.cf</code> (Linux/OpenBSD) or
+<code>/usr/local/etc/postfix/main.cf</code> (FreeBSD), find parameter
+<code>smtpd_recipient_restrictions</code> and append a new <code>check_policy_service</code> setting
+<strong>at the end</strong> like below:</p>
+<pre><code>smtpd_recipient_restrictions =
+    ...
+    check_policy_service inet:127.0.0.1:12340
+</code></pre>
+
+<p>Restarting Postfix service is required.</p><div class="footer">
     <p style="text-align: center; color: grey;">All documents are available in <a href="https://bitbucket.org/zhb/iredmail-docs/src">BitBucket repository</a>, and published under <a href="http://creativecommons.org/licenses/by-nd/3.0/us/" target="_blank">Creative Commons</a> license. You can <a href="https://bitbucket.org/zhb/iredmail-docs/get/tip.tar.bz2">download the latest version</a> for offline reading. If you found something wrong, please do <a href="https://www.iredmail.org/contact.html">contact us</a> to fix it.</p>
 </div>
 <!-- Global site tag (gtag.js) - Google Analytics -->