Sync iRedMail upgrade tutorial.
New: upgrade.debian.9-10.html.
This commit is contained in:
parent
a0c5876a9e
commit
5bfee6359e
|
@ -22,8 +22,11 @@ specification. Source code hosted on [GitHub](https://github.com/trusteddomainpr
|
|||
|
||||
## Requirements
|
||||
|
||||
* OpenDMARC-1.3.1 is buggy, only the latest OpenDMARC-1.3.2 is required.
|
||||
* Supported OS Linux/BSD distributions:
|
||||
!!! warning
|
||||
|
||||
OpenDMARC version __1.3.1__ is buggy, hence the latest __1.3.2__ is required.
|
||||
|
||||
Supported OS Linux/BSD distributions:
|
||||
|
||||
Distribution | Releases | Comment
|
||||
---|---|---
|
||||
|
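Review bot: In the new warning admonition, "hence the latest __1.3.2__ is required" ties the requirement to whichever release was newest when the line was written. State it as a minimum instead, for example "1.3.2 or later is required", so the sentence stays correct once a newer release ships. The following line, "Supported OS Linux/BSD distributions:", would read better as "Supported Linux/BSD distributions:".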
@ -35,4 +38,28 @@ FreeBSD | 11.x, 12.x | Port `mail/opendmarc`.
|
|||
|
||||
## Install OpenDMARC
|
||||
|
||||
* RHEL/CentOS (again, with `epel` repo enabled):
|
||||
|
||||
```
|
||||
yum clean metadata && yum install opendmarc
|
||||
```
|
||||
|
||||
* Debian/Ubuntu:
|
||||
|
||||
```
|
||||
apt-get update && apt-get install opendmarc
|
||||
```
|
||||
|
||||
* OpenBSD:
|
||||
|
||||
```
|
||||
pkg_add opendmarc
|
||||
```
|
||||
|
||||
* FreeBSD:
|
||||
|
||||
```
|
||||
cd /usr/ports/mail/opendmarc && make install clean
|
||||
```
|
||||
|
||||
## Configure OpenDMARC
|
||||
|
|
|
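Review bot: `## Configure OpenDMARC` at the end of this hunk is added as a heading with no body, so the published page stops at an empty section. Either hold the heading back until the configuration steps are written or add one line saying the section is pending. The install commands also never confirm that the installed package meets the 1.3.2 requirement stated under Requirements; a version check after `yum install opendmarc` / `apt-get install opendmarc` would close that gap.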
@ -0,0 +1,46 @@
|
|||
# Fixes you need after upgrading Debian from 9 to 10
|
||||
|
||||
[TOC]
|
||||
|
||||
!!! warning
|
||||
|
||||
This is still a DRAFT document, it may miss some other important changes.
|
||||
|
||||
## Dovecot
|
||||
|
||||
* Remove parameter `ssl_protocols =`.
|
||||
* Add new parameter `ssl_min_protocols` like this:
|
||||
|
||||
```
|
||||
ssl_min_protocols = TLSv1.2
|
||||
```
|
||||
|
||||
Note: if you need to support old mail client applications which don't support
|
||||
`TLSv1.2`, you may need to set it to `TLSv1.1`. Please use `TLSv1.2` if possible.
|
||||
|
||||
* If you have plugin `stats` enabled, you need to rename it:
|
||||
|
||||
Old | New
|
||||
---|---
|
||||
`mail_plugins = ... stats` | `mail_plugins = ... old_stats`
|
||||
`protocol imap { mail_plugins = ... imap_stats }` | `protocol imap { mail_plugins = ... imap_old_stats}`
|
||||
`service stats {}` | `service old-stats {}`<br/>Warning: It's a dash (`-`), not underscore (`_`).
|
||||
`fifo_listener stats-mail` | `fifo_listener old-stats-mail`<br/>Warning: It's a dash (`-`), not underscore (`_`).
|
||||
`fifo_listener stats-user` | `fifo_listener old-stats-user`<br/>Warning: It's a dash (`-`), not underscore (`_`).
|
||||
`unix_listener stats` | `unix_listener old-stats`<br/>Warning: It's a dash (`-`), not underscore (`_`).
|
||||
`plugin { stats_refresh = ... }` | `plugin { old_stats_refresh = ...}`
|
||||
`plugin { stats_track_cmds = ...}` | `plugin { old_stats_track_cmds = ...}`
|
||||
|
||||
## SOGo Groupware
|
||||
|
||||
SOGo packages were removed during upgrading Debian, but SOGo team doesn't
|
||||
offer nightly build binary packages for Debian 10. We have to remove the
|
||||
old apt repo (`/etc/apt/sources.list.d/sogo-nightly.list`) and use the sogo
|
||||
packages offered in Debian 10 official apt repo.
|
||||
|
||||
```
|
||||
rm -f /etc/apt/sources.list.d/sogo-nightly.repo
|
||||
apt update
|
||||
apt install sogo
|
||||
service sogo restart
|
||||
```
|
|
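Review bot: In the SOGo section the prose names the old repo file as `/etc/apt/sources.list.d/sogo-nightly.list`, but the command removes `/etc/apt/sources.list.d/sogo-nightly.repo`. Because `rm -f` exits silently when the file is absent, a reader who pastes the block leaves the nightly repo in place and `apt update` still reads it; the command should use the `.list` path. In the Dovecot section, please double-check the setting name: Dovecot 2.3 calls it `ssl_min_protocol` (singular), and an unknown setting name stops Dovecot from starting, so `ssl_min_protocols = TLSv1.2` should be verified with `doveconf -n` before this page leaves DRAFT.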
@ -157,3 +157,64 @@ Reloading or restarting Postfix service is required.
|
|||
* Postfix will use rewritten address in the `Return-Path:` header, if you
|
||||
have any sieve rules based on `Return-Path:`, it MAY not work anymore and
|
||||
please update your sieve rules to match rewritten address.
|
||||
|
||||
### [OPTIONAL] Enable mailbox quota status check in Dovecot and Postfix.
|
||||
|
||||
With default iRedMail settings, Postfix accepts email without checking whether
|
||||
user's mailbox is over quota, then pipes email to Dovecot LDA for local
|
||||
delivery. If mailbox is over quota, Dovecot can not save message to mailbox
|
||||
and generates a "sender non-delivery notification" to sender.
|
||||
|
||||
With the change below, Postfix will query mailbox quota status from Dovecot
|
||||
directly, then reject email if it's over quota. It saves system resource used
|
||||
to process this email like spam/virus scanning, and avoids bounce message.
|
||||
|
||||
#### Enable quota-status service in Dovecot
|
||||
|
||||
Open Dovecot config file `/etc/dovecot/dovecot.conf` (Linux/OpenBSD) or
|
||||
`/usr/local/etc/dovecot/dovecot.conf` (FreeBSD), find the `plugin {}` block
|
||||
and add 3 new parameters:
|
||||
|
||||
```
|
||||
plugin {
|
||||
...
|
||||
# Used by quota-status service.
|
||||
quota_status_success = DUNNO
|
||||
quota_status_nouser = DUNNO
|
||||
quota_status_overquota = "552 5.2.2 Mailbox is full"
|
||||
...
|
||||
}
|
||||
```
|
||||
|
||||
In same `dovecot.conf`, append settings below __at the end of file__:
|
||||
|
||||
* With settings below, Dovecot quota-status service will listen on `127.0.0.1:12340`.
|
||||
* You can change the port number `12340` to any other spare one if you want.
|
||||
|
||||
```
|
||||
service quota-status {
|
||||
executable = quota-status -p postfix
|
||||
client_limit = 1
|
||||
inet_listener {
|
||||
address = 127.0.0.1
|
||||
port = 12340
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
Restarting Dovecot service is required.
|
||||
|
||||
#### Enable quota status check in Postfix
|
||||
|
||||
Open Postfix config file `/etc/postfix/main.cf` (Linux/OpenBSD) or
|
||||
`/usr/local/etc/postfix/main.cf` (FreeBSD), find parameter
|
||||
`smtpd_recipient_restrictions` and append a new `check_policy_service` setting
|
||||
__at the end__ like below:
|
||||
|
||||
```
|
||||
smtpd_recipient_restrictions =
|
||||
...
|
||||
check_policy_service inet:127.0.0.1:12340
|
||||
```
|
||||
|
||||
Restarting Postfix service is required.
|
||||
|
|
|
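Review bot: The Postfix step adds `check_policy_service inet:127.0.0.1:12340` without saying what happens when the Dovecot listener is not running. Postfix answers with a temporary failure when a policy service cannot be reached, so after this change a stopped Dovecot or a mismatched port defers inbound mail at the RCPT stage. Add a sentence that the port in `main.cf` must match the `inet_listener` port in `dovecot.conf` (the "any other spare one" bullet invites changing only one side), and that Dovecot should be restarted and confirmed listening before Postfix is restarted.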
@ -44,10 +44,11 @@ improve and monitor protection of the domain from fraudulent email.</p>
|
|||
<p>OpenDMARC is a free open source software implementation of the DMARC
|
||||
specification. Source code hosted on <a href="https://github.com/trusteddomainproject/OpenDMARC">GitHub</a>.</p>
|
||||
<h2 id="requirements">Requirements</h2>
|
||||
<ul>
|
||||
<li>OpenDMARC-1.3.1 is buggy, only the latest OpenDMARC-1.3.2 is required.</li>
|
||||
<li>Supported OS Linux/BSD distributions:</li>
|
||||
</ul>
|
||||
<div class="admonition warning">
|
||||
<p class="admonition-title">Warning</p>
|
||||
<p>OpenDMARC version <strong>1.3.1</strong> is buggy, hence the latest <strong>1.3.2</strong> is required.</p>
|
||||
</div>
|
||||
<p>Supported OS Linux/BSD distributions:</p>
|
||||
<table>
|
||||
<thead>
|
||||
<tr>
|
||||
|
@ -85,6 +86,30 @@ specification. Source code hosted on <a href="https://github.com/trusteddomainpr
|
|||
</tbody>
|
||||
</table>
|
||||
<h2 id="install-opendmarc">Install OpenDMARC</h2>
|
||||
<ul>
|
||||
<li>RHEL/CentOS (again, with <code>epel</code> repo enabled):</li>
|
||||
</ul>
|
||||
<pre><code>yum clean metadata && yum install opendmarc
|
||||
</code></pre>
|
||||
|
||||
<ul>
|
||||
<li>Debian/Ubuntu:</li>
|
||||
</ul>
|
||||
<pre><code>apt-get update && apt-get install opendmarc
|
||||
</code></pre>
|
||||
|
||||
<ul>
|
||||
<li>OpenBSD:</li>
|
||||
</ul>
|
||||
<pre><code>pkg_add opendmarc
|
||||
</code></pre>
|
||||
|
||||
<ul>
|
||||
<li>FreeBSD:</li>
|
||||
</ul>
|
||||
<pre><code>cd /usr/ports/mail/opendmarc && make install clean
|
||||
</code></pre>
|
||||
|
||||
<h2 id="configure-opendmarc">Configure OpenDMARC</h2><div class="footer">
|
||||
<p style="text-align: center; color: grey;">All documents are available in <a href="https://bitbucket.org/zhb/iredmail-docs/src">BitBucket repository</a>, and published under <a href="http://creativecommons.org/licenses/by-nd/3.0/us/" target="_blank">Creative Commons</a> license. You can <a href="https://bitbucket.org/zhb/iredmail-docs/get/tip.tar.bz2">download the latest version</a> for offline reading. If you found something wrong, please do <a href="https://www.iredmail.org/contact.html">contact us</a> to fix it.</p>
|
||||
</div>
|
||||
|
|
|
@ -0,0 +1,108 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
||||
<title>Fixes you need after upgrading Debian from 9 to 10</title>
|
||||
<link rel="stylesheet" type="text/css" href="./css/markdown.css" />
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<div id="navigation">
|
||||
<a href="https://www.iredmail.org" target="_blank">
|
||||
<img alt="iRedMail web site"
|
||||
src="./images/logo-iredmail.png"
|
||||
style="vertical-align: middle; height: 30px;"
|
||||
/>
|
||||
<span>iRedMail</span>
|
||||
</a>
|
||||
// <a href="./index.html">Document Index</a></div><h1 id="fixes-you-need-after-upgrading-debian-from-9-to-10">Fixes you need after upgrading Debian from 9 to 10</h1>
|
||||
<div class="toc">
|
||||
<ul>
|
||||
<li><a href="#fixes-you-need-after-upgrading-debian-from-9-to-10">Fixes you need after upgrading Debian from 9 to 10</a><ul>
|
||||
<li><a href="#dovecot">Dovecot</a></li>
|
||||
<li><a href="#sogo-groupware">SOGo Groupware</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
</div>
|
||||
<div class="admonition warning">
|
||||
<p class="admonition-title">Warning</p>
|
||||
<p>This is still a DRAFT document, it may miss some other important changes.</p>
|
||||
</div>
|
||||
<h2 id="dovecot">Dovecot</h2>
|
||||
<ul>
|
||||
<li>Remove parameter <code>ssl_protocols =</code>.</li>
|
||||
<li>Add new parameter <code>ssl_min_protocols</code> like this:</li>
|
||||
</ul>
|
||||
<pre><code>ssl_min_protocols = TLSv1.2
|
||||
</code></pre>
|
||||
|
||||
<p>Note: if you need to support old mail client applications which don't support
|
||||
<code>TLSv1.2</code>, you may need to set it to <code>TLSv1.1</code>. Please use <code>TLSv1.2</code> if possible.</p>
|
||||
<ul>
|
||||
<li>If you have plugin <code>stats</code> enabled, you need to rename it:</li>
|
||||
</ul>
|
||||
<table>
|
||||
<thead>
|
||||
<tr>
|
||||
<th>Old</th>
|
||||
<th>New</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><code>mail_plugins = ... stats</code></td>
|
||||
<td><code>mail_plugins = ... old_stats</code></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>protocol imap { mail_plugins = ... imap_stats }</code></td>
|
||||
<td><code>protocol imap { mail_plugins = ... imap_old_stats}</code></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>service stats {}</code></td>
|
||||
<td><code>service old-stats {}</code><br/>Warning: It's a dash (<code>-</code>), not underscore (<code>_</code>).</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>fifo_listener stats-mail</code></td>
|
||||
<td><code>fifo_listener old-stats-mail</code><br/>Warning: It's a dash (<code>-</code>), not underscore (<code>_</code>).</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>fifo_listener stats-user</code></td>
|
||||
<td><code>fifo_listener old-stats-user</code><br/>Warning: It's a dash (<code>-</code>), not underscore (<code>_</code>).</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>unix_listener stats</code></td>
|
||||
<td><code>unix_listener old-stats</code><br/>Warning: It's a dash (<code>-</code>), not underscore (<code>_</code>).</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>plugin { stats_refresh = ... }</code></td>
|
||||
<td><code>plugin { old_stats_refresh = ...}</code></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>plugin { stats_track_cmds = ...}</code></td>
|
||||
<td><code>plugin { old_stats_track_cmds = ...}</code></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<h2 id="sogo-groupware">SOGo Groupware</h2>
|
||||
<p>SOGo packages were removed during upgrading Debian, but SOGo team doesn't
|
||||
offer nightly build binary packages for Debian 10. We have to remove the
|
||||
old apt repo (<code>/etc/apt/sources.list.d/sogo-nightly.list</code>) and use the sogo
|
||||
packages offered in Debian 10 official apt repo.</p>
|
||||
<pre><code>rm -f /etc/apt/sources.list.d/sogo-nightly.repo
|
||||
apt update
|
||||
apt install sogo
|
||||
service sogo restart
|
||||
</code></pre><div class="footer">
|
||||
<p style="text-align: center; color: grey;">All documents are available in <a href="https://bitbucket.org/zhb/iredmail-docs/src">BitBucket repository</a>, and published under <a href="http://creativecommons.org/licenses/by-nd/3.0/us/" target="_blank">Creative Commons</a> license. You can <a href="https://bitbucket.org/zhb/iredmail-docs/get/tip.tar.bz2">download the latest version</a> for offline reading. If you found something wrong, please do <a href="https://www.iredmail.org/contact.html">contact us</a> to fix it.</p>
|
||||
</div>
|
||||
<!-- Global site tag (gtag.js) - Google Analytics -->
|
||||
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-3293801-21"></script>
|
||||
<script>
|
||||
window.dataLayer = window.dataLayer || [];
|
||||
function gtag(){dataLayer.push(arguments);}
|
||||
gtag('js', new Date());
|
||||
|
||||
gtag('config', 'UA-3293801-21');
|
||||
</script>
|
||||
</body></html>
|
|
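Review bot: The generated page ends with a Google Analytics snippet that loads `https://www.googletagmanager.com/gtag/js?id=UA-3293801-21`, while the footer offers the same files for "offline reading", so every downloaded copy will try to fetch a third-party script when opened. Consider injecting the tag at publish time rather than committing it into the generated HTML. In the SOGo section of this file the prose says `sogo-nightly.list` while the `rm -f` line says `sogo-nightly.repo`; the two should agree.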
@ -30,6 +30,11 @@
|
|||
<li><a href="#fixed-improper-order-of-postfix-smtpd_sender_restriction-rules">Fixed: improper order of Postfix smtpd_sender_restriction rules</a></li>
|
||||
<li><a href="#fail2ban-slightly-loose-filter-rule-for-postfix">Fail2ban: slightly loose filter rule for postfix</a></li>
|
||||
<li><a href="#optional-enable-srs-sender-rewriting-scheme-support-in-postfix">[OPTIONAL] Enable SRS (Sender Rewriting Scheme) support in Postfix</a></li>
|
||||
<li><a href="#optional-enable-mailbox-quota-status-check-in-dovecot-and-postfix">[OPTIONAL] Enable mailbox quota status check in Dovecot and Postfix.</a><ul>
|
||||
<li><a href="#enable-quota-status-service-in-dovecot">Enable quota-status service in Dovecot</a></li>
|
||||
<li><a href="#enable-quota-status-check-in-postfix">Enable quota status check in Postfix</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
|
@ -172,7 +177,56 @@ recipient_canonical_classes= envelope_recipient,header_recipient
|
|||
please update your sieve rules to match rewritten address.</p>
|
||||
</li>
|
||||
</ul>
|
||||
</div><div class="footer">
|
||||
</div>
|
||||
<h3 id="optional-enable-mailbox-quota-status-check-in-dovecot-and-postfix">[OPTIONAL] Enable mailbox quota status check in Dovecot and Postfix.</h3>
|
||||
<p>With default iRedMail settings, Postfix accepts email without checking whether
|
||||
user's mailbox is over quota, then pipes email to Dovecot LDA for local
|
||||
delivery. If mailbox is over quota, Dovecot can not save message to mailbox
|
||||
and generates a "sender non-delivery notification" to sender.</p>
|
||||
<p>With the change below, Postfix will query mailbox quota status from Dovecot
|
||||
directly, then reject email if it's over quota. It saves system resource used
|
||||
to process this email like spam/virus scanning, and avoids bounce message.</p>
|
||||
<h4 id="enable-quota-status-service-in-dovecot">Enable quota-status service in Dovecot</h4>
|
||||
<p>Open Dovecot config file <code>/etc/dovecot/dovecot.conf</code> (Linux/OpenBSD) or
|
||||
<code>/usr/local/etc/dovecot/dovecot.conf</code> (FreeBSD), find the <code>plugin {}</code> block
|
||||
and add 3 new parameters:</p>
|
||||
<pre><code>plugin {
|
||||
...
|
||||
# Used by quota-status service.
|
||||
quota_status_success = DUNNO
|
||||
quota_status_nouser = DUNNO
|
||||
quota_status_overquota = "552 5.2.2 Mailbox is full"
|
||||
...
|
||||
}
|
||||
</code></pre>
|
||||
|
||||
<p>In same <code>dovecot.conf</code>, append settings below <strong>at the end of file</strong>:</p>
|
||||
<ul>
|
||||
<li>With settings below, Dovecot quota-status service will listen on <code>127.0.0.1:12340</code>.</li>
|
||||
<li>You can change the port number <code>12340</code> to any other spare one if you want.</li>
|
||||
</ul>
|
||||
<pre><code>service quota-status {
|
||||
executable = quota-status -p postfix
|
||||
client_limit = 1
|
||||
inet_listener {
|
||||
address = 127.0.0.1
|
||||
port = 12340
|
||||
}
|
||||
}
|
||||
</code></pre>
|
||||
|
||||
<p>Restarting Dovecot service is required.</p>
|
||||
<h4 id="enable-quota-status-check-in-postfix">Enable quota status check in Postfix</h4>
|
||||
<p>Open Postfix config file <code>/etc/postfix/main.cf</code> (Linux/OpenBSD) or
|
||||
<code>/usr/local/etc/postfix/main.cf</code> (FreeBSD), find parameter
|
||||
<code>smtpd_recipient_restrictions</code> and append a new <code>check_policy_service</code> setting
|
||||
<strong>at the end</strong> like below:</p>
|
||||
<pre><code>smtpd_recipient_restrictions =
|
||||
...
|
||||
check_policy_service inet:127.0.0.1:12340
|
||||
</code></pre>
|
||||
|
||||
<p>Restarting Postfix service is required.</p><div class="footer">
|
||||
<p style="text-align: center; color: grey;">All documents are available in <a href="https://bitbucket.org/zhb/iredmail-docs/src">BitBucket repository</a>, and published under <a href="http://creativecommons.org/licenses/by-nd/3.0/us/" target="_blank">Creative Commons</a> license. You can <a href="https://bitbucket.org/zhb/iredmail-docs/get/tip.tar.bz2">download the latest version</a> for offline reading. If you found something wrong, please do <a href="https://www.iredmail.org/contact.html">contact us</a> to fix it.</p>
|
||||
</div>
|
||||
<!-- Global site tag (gtag.js) - Google Analytics -->
|
||||
|
|