From 5bfee6359eeac51170c939b27ed1f90846b783c3 Mon Sep 17 00:00:00 2001 From: Zhang Huangbin Date: Wed, 17 Jul 2019 14:09:55 +0800 Subject: [PATCH] Sync iRedMail upgrade tutorial. New: upgrade.debian.9-10.html. --- en_US/integrations/0-integration.opendmarc.md | 31 ++++- en_US/upgrade/0-upgrade.debian.9-10.md | 46 ++++++++ en_US/upgrade/0-upgrade.iredmail.0.9.9-1.0.md | 61 ++++++++++ html/integration.opendmarc.html | 33 +++++- html/upgrade.debian.9-10.html | 108 ++++++++++++++++++ html/upgrade.iredmail.0.9.9-1.0.html | 56 ++++++++- 6 files changed, 328 insertions(+), 7 deletions(-) create mode 100644 en_US/upgrade/0-upgrade.debian.9-10.md create mode 100644 html/upgrade.debian.9-10.html diff --git a/en_US/integrations/0-integration.opendmarc.md b/en_US/integrations/0-integration.opendmarc.md index 52ddd317..567254d3 100644 --- a/en_US/integrations/0-integration.opendmarc.md +++ b/en_US/integrations/0-integration.opendmarc.md @@ -22,8 +22,11 @@ specification. Source code hosted on [GitHub](https://github.com/trusteddomainpr ## Requirements -* OpenDMARC-1.3.1 is buggy, only the latest OpenDMARC-1.3.2 is required. -* Supported OS Linux/BSD distributions: +!!! warning + + OpenDMARC version __1.3.1__ is buggy, hence the latest __1.3.2__ is required. + +Supported OS Linux/BSD distributions: Distribution | Releases | Comment ---|---|--- @@ -35,4 +38,28 @@ FreeBSD | 11.x, 12.x | Port `mail/opendmarc`. ## Install OpenDMARC +* RHEL/CentOS (again, with `epel` repo enabled): + +``` +yum clean metadata && yum install opendmarc +``` + +* Debian/Ubuntu: + +``` +apt-get update && apt-get install opendmarc +``` + +* OpenBSD: + +``` +pkg_add opendmarc +``` + +* FreeBSD: + +``` +cd /usr/ports/mail/opendmarc && make install clean +``` + ## Configure OpenDMARC diff --git a/en_US/upgrade/0-upgrade.debian.9-10.md b/en_US/upgrade/0-upgrade.debian.9-10.md new file mode 100644 index 00000000..b34ba6b2 --- /dev/null +++ b/en_US/upgrade/0-upgrade.debian.9-10.md 
@@ -0,0 +1,46 @@ +# Fixes you need after upgrading Debian from 9 to 10 + +[TOC] + +!!! warning + + This is still a DRAFT document, it may miss some other important changes. + +## Dovecot + +* Remove parameter `ssl_protocols =`. +* Add new parameter `ssl_min_protocols` like this: + +``` +ssl_min_protocols = TLSv1.2 +``` + +Note: if you need to support old mail client applications which don't support +`TLSv1.2`, you may need to set it to `TLSv1.1`. Please use `TLSv1.2` if possible. + +* If you have plugin `stats` enabled, you need to rename it: + +Old | New +---|--- +`mail_plugins = ... stats` | `mail_plugins = ... old_stats` +`protocol imap { mail_plugins = ... imap_stats }` | `protocol imap { mail_plugins = ... imap_old_stats}` +`service stats {}` | `service old-stats {}`
Warning: It's a dash (`-`), not underscore (`_`). +`fifo_listener stats-mail` | `fifo_listener old-stats-mail`
Warning: It's a dash (`-`), not underscore (`_`). +`fifo_listener stats-user` | `fifo_listener old-stats-user`
Warning: It's a dash (`-`), not underscore (`_`). +`unix_listener stats` | `unix_listener old-stats`
Warning: It's a dash (`-`), not underscore (`_`). +`plugin { stats_refresh = ... }` | `plugin { old_stats_refresh = ...}` +`plugin { stats_track_cmds = ...}` | `plugin { old_stats_track_cmds = ...}` + +## SOGo Groupware + +SOGo packages were removed during upgrading Debian, but SOGo team doesn't +offer nightly build binary packages for Debian 10. We have to remove the +old apt repo (`/etc/apt/sources.list.d/sogo-nightly.list`) and use the sogo +packages offered in Debian 10 official apt repo. + +``` +rm -f /etc/apt/sources.list.d/sogo-nightly.repo +apt update +apt install sogo +service sogo restart +``` diff --git a/en_US/upgrade/0-upgrade.iredmail.0.9.9-1.0.md b/en_US/upgrade/0-upgrade.iredmail.0.9.9-1.0.md index dcd3451e..6b0c4c35 100644 --- a/en_US/upgrade/0-upgrade.iredmail.0.9.9-1.0.md +++ b/en_US/upgrade/0-upgrade.iredmail.0.9.9-1.0.md 
@@ -157,3 +157,64 @@ Reloading or restarting Postfix service is required. * Postfix will use rewritten address in the `Return-Path:` header, if you have any sieve rules based on `Return-Path:`, it MAY not work anymore and please update your sieve rules to match rewritten address. + +### [OPTIONAL] Enable mailbox quota status check in Dovecot and Postfix. + +With default iRedMail settings, Postfix accepts email without checking whether +user's mailbox is over quota, then pipes email to Dovecot LDA for local +delivery. If mailbox is over quota, Dovecot can not save message to mailbox +and generates a "sender non-delivery notification" to sender. + +With the change below, Postfix will query mailbox quota status from Dovecot +directly, then reject email if it's over quota. It saves system resource used +to process this email like spam/virus scanning, and avoids bounce message. + +#### Enable quota-status service in Dovecot + +Open Dovecot config file `/etc/dovecot/dovecot.conf` (Linux/OpenBSD) or +`/usr/local/etc/dovecot/dovecot.conf` (FreeBSD), find the `plugin {}` block +and add 3 new parameters: + +``` +plugin { + ... + # Used by quota-status service. + quota_status_success = DUNNO + quota_status_nouser = DUNNO + quota_status_overquota = "552 5.2.2 Mailbox is full" + ... +} +``` + +In same `dovecot.conf`, append settings below __at the end of file__: + +* With settings below, Dovecot quota-status service will listen on `127.0.0.1:12340`. +* You can change the port number `12340` to any other spare one if you want. + +``` +service quota-status { + executable = quota-status -p postfix + client_limit = 1 + inet_listener { + address = 127.0.0.1 + port = 12340 + } +} +``` + +Restarting Dovecot service is required. 
+ +#### Enable quota status check in Postfix + +Open Postfix config file `/etc/postfix/main.cf` (Linux/OpenBSD) or +`/usr/local/etc/postfix/main.cf` (FreeBSD), find parameter +`smtpd_recipient_restrictions` and append a new `check_policy_service` setting +__at the end__ like below: + +``` +smtpd_recipient_restrictions = + ... + check_policy_service inet:127.0.0.1:12340 +``` + +Restarting Postfix service is required. diff --git a/html/integration.opendmarc.html b/html/integration.opendmarc.html index 5a5f64bb..07420575 100644 --- a/html/integration.opendmarc.html +++ b/html/integration.opendmarc.html @@ -44,10 +44,11 @@ improve and monitor protection of the domain from fraudulent email.

OpenDMARC is a free open source software implementation of the DMARC specification. Source code hosted on GitHub.

Requirements

- +
+

Warning

+

OpenDMARC version 1.3.1 is buggy, hence the latest 1.3.2 is required.

+
+

Supported OS Linux/BSD distributions:

@@ -85,6 +86,30 @@ specification. Source code hosted on Install OpenDMARC + +
yum clean metadata && yum install opendmarc
+
+ + +
apt-get update && apt-get install opendmarc
+
+ + +
pkg_add opendmarc
+
+ + +
cd /usr/ports/mail/opendmarc && make install clean
+
+

Configure OpenDMARC

diff --git a/html/upgrade.debian.9-10.html b/html/upgrade.debian.9-10.html new file mode 100644 index 00000000..04b00ebf --- /dev/null +++ b/html/upgrade.debian.9-10.html @@ -0,0 +1,108 @@ + + + + + Fixes you need after upgrading Debian from 9 to 10 + + + + +

Fixes you need after upgrading Debian from 9 to 10

+
+ +
+
+

Warning

+

This is still a DRAFT document, it may miss some other important changes.

+
+

Dovecot

+ +
ssl_min_protocols = TLSv1.2
+
+ +

Note: if you need to support old mail client applications which don't support +TLSv1.2, you may need to set it to TLSv1.1. Please use TLSv1.2 if possible.

+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
OldNew
mail_plugins = ... statsmail_plugins = ... old_stats
protocol imap { mail_plugins = ... imap_stats }protocol imap { mail_plugins = ... imap_old_stats}
service stats {}service old-stats {}
Warning: It's a dash (-), not underscore (_).
fifo_listener stats-mailfifo_listener old-stats-mail
Warning: It's a dash (-), not underscore (_).
fifo_listener stats-userfifo_listener old-stats-user
Warning: It's a dash (-), not underscore (_).
unix_listener statsunix_listener old-stats
Warning: It's a dash (-), not underscore (_).
plugin { stats_refresh = ... }plugin { old_stats_refresh = ...}
plugin { stats_track_cmds = ...}plugin { old_stats_track_cmds = ...}
+

SOGo Groupware

+

SOGo packages were removed during upgrading Debian, but SOGo team doesn't +offer nightly build binary packages for Debian 10. We have to remove the +old apt repo (/etc/apt/sources.list.d/sogo-nightly.list) and use the sogo +packages offered in Debian 10 official apt repo.

+
rm -f /etc/apt/sources.list.d/sogo-nightly.repo
+apt update
+apt install sogo
+service sogo restart
+
+ + + + \ No newline at end of file diff --git a/html/upgrade.iredmail.0.9.9-1.0.html b/html/upgrade.iredmail.0.9.9-1.0.html index 16c61a38..3488810c 100644 --- a/html/upgrade.iredmail.0.9.9-1.0.html +++ b/html/upgrade.iredmail.0.9.9-1.0.html @@ -30,6 +30,11 @@
  • Fixed: improper order of Postfix smtpd_sender_restriction rules
  • Fail2ban: slightly loose filter rule for postfix
  • [OPTIONAL] Enable SRS (Sender Rewriting Scheme) support in Postfix
  • +
  • [OPTIONAL] Enable mailbox quota status check in Dovecot and Postfix. +
  • @@ -172,7 +177,56 @@ recipient_canonical_classes= envelope_recipient,header_recipient please update your sieve rules to match rewritten address.

    - +

    [OPTIONAL] Enable mailbox quota status check in Dovecot and Postfix.

    +

    With default iRedMail settings, Postfix accepts email without checking whether +user's mailbox is over quota, then pipes email to Dovecot LDA for local +delivery. If mailbox is over quota, Dovecot can not save message to mailbox +and generates a "sender non-delivery notification" to sender.

    +

    With the change below, Postfix will query mailbox quota status from Dovecot +directly, then reject email if it's over quota. It saves system resource used +to process this email like spam/virus scanning, and avoids bounce message.

    +

    Enable quota-status service in Dovecot

    +

    Open Dovecot config file /etc/dovecot/dovecot.conf (Linux/OpenBSD) or +/usr/local/etc/dovecot/dovecot.conf (FreeBSD), find the plugin {} block +and add 3 new parameters:

    +
    plugin {
    +    ...
    +    # Used by quota-status service.
    +    quota_status_success = DUNNO
    +    quota_status_nouser = DUNNO
    +    quota_status_overquota = "552 5.2.2 Mailbox is full"
    +    ...
    +}
    +
    + +

    In same dovecot.conf, append settings below at the end of file:

    + +
    service quota-status {
    +    executable = quota-status -p postfix
    +    client_limit = 1
    +    inet_listener {
    +        address = 127.0.0.1
    +        port = 12340
    +    }
    +}
    +
    + +

    Restarting Dovecot service is required.

    +

    Enable quota status check in Postfix

    +

    Open Postfix config file /etc/postfix/main.cf (Linux/OpenBSD) or +/usr/local/etc/postfix/main.cf (FreeBSD), find parameter +smtpd_recipient_restrictions and append a new check_policy_service setting +at the end like below:

    +
    smtpd_recipient_restrictions =
    +    ...
    +    check_policy_service inet:127.0.0.1:12340
    +
    + +

    Restarting Postfix service is required.
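
Review bot: in en_US/integrations/0-integration.opendmarc.md, the new Requirements warning says OpenDMARC 1.3.2 is required, but the commands added under "Install OpenDMARC" install whatever version the distribution repository carries, and nothing tells the reader to confirm it. Suggest adding a step after the install list to check the installed package version against the warning, so a reader who ends up on 1.3.1 finds out before moving on to "Configure OpenDMARC".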
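
Review bot: in en_US/upgrade/0-upgrade.debian.9-10.md, SOGo section, the prose names the old repo file as `/etc/apt/sources.list.d/sogo-nightly.list` but the command removes `sogo-nightly.repo`. Because `rm -f` reports no error for a missing file, the mismatch is silent and the old source is still present for the `apt update` that follows. The command should use the `.list` path, and the same fix applies to the copy in html/upgrade.debian.9-10.html. In the Dovecot section the added setting is written `ssl_min_protocols` in both the bullet and the example line; Dovecot 2.3 names this setting `ssl_min_protocol` (singular), so please check it against the Dovecot version shipped with Debian 10. That section also does not say which file to edit or that Dovecot must be restarted, both of which the iRedMail tutorial in this same patch does state.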
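
Review bot: in en_US/upgrade/0-upgrade.iredmail.0.9.9-1.0.md, the Dovecot step says port `12340` can be changed to any spare one, but the Postfix step hard-codes `check_policy_service inet:127.0.0.1:12340` with no reminder that the two values must match. Suggest one sentence in the Postfix step saying the address and port must be the ones set in `inet_listener`. Since the check is appended at the end of `smtpd_recipient_restrictions`, it is also worth stating that it is only reached when no earlier restriction in the elided `...` has already returned a final result, so readers know which mail the quota check actually covers. Style: the new heading ends with a period, while the neighbouring "[OPTIONAL] Enable SRS ..." entry visible in the HTML table of contents does not.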