diff --git a/en_US/upgrade/0-upgrade.iredmail.0.9.7-0.9.8.md b/en_US/upgrade/0-upgrade.iredmail.0.9.7-0.9.8.md
index 70d3b367..dea57242 100644
--- a/en_US/upgrade/0-upgrade.iredmail.0.9.7-0.9.8.md
+++ b/en_US/upgrade/0-upgrade.iredmail.0.9.7-0.9.8.md
@@ -20,6 +20,7 @@
* New table: `vmail.maillists`
* New doc: how to add a standalone (mlmmj) mailing list account
* New doc: how to deploy mlmmj + mlmmj-admin
+* Jan 31, 2018: New fail2ban jail: postfix-pregreet.
* Jan 21, 2018: [LDAP] Update SOGo config file for per-domain global address book.
* Jan 19, 2018: Update OpenLDAP config file to index new attributes and fix an ACL.
* Jan 19, 2018: Update iRedMail LDAP schema file
@@ -55,7 +56,7 @@ and earlier releases contains 3 issues:
- it cannot remove old backup files
- it doesn't set correct owner and permission on backup files
- it cannot find command `sogo-tool` on FreeBSD. This issue causes our script
- didn't backup any sogo data at all.
+ didn't backup any sogo data on FreeBSD at all.
To fix them, please download the latest version and override the one on your
system:
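Review bot: The added line still does not parse with the line above it ("This issue causes our script didn't backup ..."), and "on FreeBSD" now appears twice in the same bullet. Suggest rewording the second sentence as a whole, for example "As a result, the script did not back up any SOGo data on FreeBSD."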
@@ -73,6 +74,69 @@ chown root backup_sogo.sh
chmod 0400 backup_sogo.sh
```
+### New fail2ban jail: postfix-pregreet
+
+!!! attention
+
+ This is not applicable to OpenBSD because we don't have Fail2ban running on
+ OpenBSD.
+
+Quote from [Postfix website](http://www.postfix.org/POSTSCREEN_README.html#pregreet):
+
+> The SMTP protocol is a classic example of a protocol where the server speaks
+> before the client. postscreen(8) detects zombies that are in a hurry and that
+> speak before their turn.
+
+Many spammers are in a hurry to start transfer message to your server, we'd
+like to block them due to not follow RFC.
+
+During mail server maintenance, we found many spammers from China mainland
+cannot pass this pregreet test and all of them use `ylmf-pc` as HELO hostname.
+it's very possible that they're running an illegal Windows XP system which were
+installed with a malware Windows XP ISO image.
+
+Steps to create this new Fail2ban jail:
+
+* Create new file `/etc/fail2ban/filter.d/postfix-pregreet.conf` with content
+ below:
+
+```
+[Definition]
+
+# Block clients which cannot pass Postfix postscreen pregreet test.
+# FYI: http://www.postfix.org/POSTSCREEN_README.html#pregreet
+#
+# The SMTP protocol is a classic example of a protocol where the server speaks
+# before the client. postscreen(8) detects zombies that are in a hurry and that
+# speak before their turn.
+failregex = postscreen\[\d+\]: PREGREET .* from \[
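Review bot: The paragraph attributing these clients to "China mainland" and to "an illegal Windows XP system" is speculation that an upgrade guide cannot support and that an administrator cannot act on. The actionable observation is that these clients fail the pregreet test and send `ylmf-pc` as the HELO hostname; suggest keeping only that. The sentence before it also needs a wording pass ("in a hurry to start transferring messages", "because they do not follow the RFC"), and "it's very possible" starts a sentence in lower case.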
sogo-tool
on FreeBSD. This issue causes our script
- didn't backup any sogo data at all.To fix them, please download the latest version and override the one on your system:
@@ -116,6 +118,67 @@ chown root backup_sogo.sh chmod 0400 backup_sogo.sh +Attention
+This is not applicable to OpenBSD because we don't have Fail2ban running on +OpenBSD.
+Quote from Postfix website:
+++The SMTP protocol is a classic example of a protocol where the server speaks +before the client. postscreen(8) detects zombies that are in a hurry and that +speak before their turn.
+
Many spammers are in a hurry to start transfer message to your server, we'd +like to block them due to not follow RFC.
+During mail server maintenance, we found many spammers from China mainland
+cannot pass this pregreet test and all of them use ylmf-pc
as HELO hostname.
+it's very possible that they're running an illegal Windows XP system which were
+installed with a malware Windows XP ISO image.
Steps to create this new Fail2ban jail:
+/etc/fail2ban/filter.d/postfix-pregreet.conf
with content
+ below:[Definition]
+
+# Block clients which cannot pass Postfix postscreen pregreet test.
+# FYI: http://www.postfix.org/POSTSCREEN_README.html#pregreet
+#
+# The SMTP protocol is a classic example of a protocol where the server speaks
+# before the client. postscreen(8) detects zombies that are in a hurry and that
+# speak before their turn.
+failregex = postscreen\[\d+\]: PREGREET .* from \[<HOST>\]:\d+:
+
+# while setting up new account, Thunderbird doesn't wait for server connection
+# greeting/banner, this causes Thunderbird cannot pass the Postfix pregreet
+# test and caught by `failregex` rules listed above (the rule contains
+# 'PREGREET' line).
+# FYI: https://bugzilla.mozilla.org/show_bug.cgi?id=538809#c41
+ignoreregex = postscreen\[\d+\]: PREGREET .* from \[<HOST>\]:\d+: (EHLO|HELO) we-guess.mozilla.org
+
+
+Create new file /etc/fail2ban/jail.d/postfix-pregreet.local
with content
+ below:
Attention
+Please make sure you're using correct Postfix log file in logpath =
+parameter. On RHEL/CentOS/FreeBSD, it's /var/log/maillog
. On
+Debian/Ubuntu, it's /var/log/mail.log
.
[postfix-pregreet-iredmail]
+enabled = true
+filter = postfix-pregreet.iredmail
+logpath = /var/log/maillog
+maxretry = 1
+action = iptables-multiports[name=postfix, port="25", protocol=tcp]
+
+
Attention
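Review bot: The jail sets `filter = postfix-pregreet.iredmail`, but the earlier step creates the filter as `/etc/fail2ban/filter.d/postfix-pregreet.conf`, so the jail refers to a filter name that these steps never create. Either name the file `postfix-pregreet.iredmail.conf` or change the jail to `filter = postfix-pregreet`, and align the section name `[postfix-pregreet-iredmail]` with the jail name used in the heading. Two smaller points on the filter itself: the greedy `.*` in `failregex` can run into the text the client sent after the port, so `<HOST>` is not guaranteed to bind to the connecting address (a bracket-free pattern such as `[^\[]*` in its place avoids that), and `ignoreregex` keys the exemption on a client-supplied HELO string, which should be documented in the comment as a deliberate trade-off given `maxretry = 1`.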
@@ -137,7 +200,7 @@ hard-codes static file types like below:Reloading or restarting Nginx service is required.
-b.barracudacentral.org
b.barracudacentral.org
Postfix config file generated by iRedMail enables DNSBL service for postscreen service like below:
postscreen_dnsbl_sites =