diff --git a/en_US/upgrade/0-upgrade.iredmail.0.9.7-0.9.8.md b/en_US/upgrade/0-upgrade.iredmail.0.9.7-0.9.8.md index 70d3b367..dea57242 100644 --- a/en_US/upgrade/0-upgrade.iredmail.0.9.7-0.9.8.md +++ b/en_US/upgrade/0-upgrade.iredmail.0.9.7-0.9.8.md @@ -20,6 +20,7 @@ * New table: `vmail.maillists` * New doc: how to add a standalone (mlmmj) mailing list account * New doc: how to deploy mlmmj + mlmmj-admin +* Jan 31, 2018: New fail2ban jail: postfix-pregreet. * Jan 21, 2018: [LDAP] Update SOGo config file for per-domain global address book. * Jan 19, 2018: Update OpenLDAP config file to index new attributes and fix an ACL. * Jan 19, 2018: Update iRedMail LDAP schema file @@ -55,7 +56,7 @@ and earlier releases contains 3 issues: - it cannot remove old backup files - it doesn't set correct owner and permission on backup files - it cannot find command `sogo-tool` on FreeBSD. This issue causes our script - didn't backup any sogo data at all. + didn't backup any sogo data on FreeBSD at all. To fix them, please download the latest version and override the one on your system: 
@@ -73,6 +74,69 @@ chown root backup_sogo.sh chmod 0400 backup_sogo.sh ``` +### New fail2ban jail: postfix-pregreet + +!!! attention + + This is not applicable to OpenBSD because we don't have Fail2ban running on + OpenBSD. + +Quote from [Postfix website](http://www.postfix.org/POSTSCREEN_README.html#pregreet): + +> The SMTP protocol is a classic example of a protocol where the server speaks +> before the client. postscreen(8) detects zombies that are in a hurry and that +> speak before their turn. + +Many spammers are in a hurry to start transfer message to your server, we'd +like to block them due to not follow RFC. + +During mail server maintenance, we found many spammers from China mainland +cannot pass this pregreet test and all of them use `ylmf-pc` as HELO hostname. +it's very possible that they're running an illegal Windows XP system which were +installed with a malware Windows XP ISO image. + +Steps to create this new Fail2ban jail: + +* Create new file `/etc/fail2ban/filter.d/postfix-pregreet.conf` with content + below: + +``` +[Definition] + +# Block clients which cannot pass Postfix postscreen pregreet test. +# FYI: http://www.postfix.org/POSTSCREEN_README.html#pregreet +# +# The SMTP protocol is a classic example of a protocol where the server speaks +# before the client. postscreen(8) detects zombies that are in a hurry and that +# speak before their turn. +failregex = postscreen\[\d+\]: PREGREET .* from \[\]:\d+: + +# while setting up new account, Thunderbird doesn't wait for server connection +# greeting/banner, this causes Thunderbird cannot pass the Postfix pregreet +# test and caught by `failregex` rules listed above (the rule contains +# 'PREGREET' line). +# FYI: https://bugzilla.mozilla.org/show_bug.cgi?id=538809#c41 +ignoreregex = postscreen\[\d+\]: PREGREET .* from \[\]:\d+: (EHLO|HELO) we-guess.mozilla.org +``` + +* Create new file `/etc/fail2ban/jail.d/postfix-pregreet.local` with content + below: + + !!! 
attention + + Please make sure you're using correct Postfix log file in `logpath =` + parameter. On RHEL/CentOS/FreeBSD, it's `/var/log/maillog`. On + Debian/Ubuntu, it's `/var/log/mail.log`. + +``` +[postfix-pregreet-iredmail] +enabled = true +filter = postfix-pregreet.iredmail +logpath = /var/log/maillog +maxretry = 1 +action = iptables-multiports[name=postfix, port="25", protocol=tcp] +``` + ### Fixed: Nginx snippet file hard-codes static file types for iRedAdmin !!! attention @@ -101,7 +165,7 @@ location ~ ^/iredadmin/static/(.*) { # Remove file types Reloading or restarting Nginx service is required. -### [OPTIONAL] Fix improper expected DNSBL filter for site `b.barracudacentral.org` +### Fix unexpected DNSBL query result for site `b.barracudacentral.org` Postfix config file generated by iRedMail enables DNSBL service for postscreen service like below: diff --git a/html/upgrade.iredmail.0.9.7-0.9.8.html b/html/upgrade.iredmail.0.9.7-0.9.8.html index 8d80ddb5..90ac69f9 100644 --- a/html/upgrade.iredmail.0.9.7-0.9.8.html +++ b/html/upgrade.iredmail.0.9.7-0.9.8.html @@ -24,8 +24,9 @@
  • Update /etc/iredmail-release with new iRedMail version number
  • Upgrade iRedAPD (Postfix policy server) to the latest stable release (2.2)
  • Fixed: SOGo backup script contains 3 issues
  • +
  • New fail2ban jail: postfix-pregreet
  • Fixed: Nginx snippet file hard-codes static file types for iRedAdmin
  • -
  • [OPTIONAL] Fix improper expected DNSBL filter for site b.barracudacentral.org
  • +
  • Fix unexpected DNSBL query result for site b.barracudacentral.org
  • [OPTIONAL] Log mail subject, sender, size in mail deliver log
  • @@ -72,6 +73,7 @@ check the details and
  • New doc: how to deploy mlmmj + mlmmj-admin
  • +
  • Jan 31, 2018: New fail2ban jail: postfix-pregreet.
  • Jan 21, 2018: [LDAP] Update SOGo config file for per-domain global address book.
  • Jan 19, 2018: Update OpenLDAP config file to index new attributes and fix an ACL.
  • Jan 19, 2018: Update iRedMail LDAP schema file
  • @@ -100,7 +102,7 @@ and earlier releases contains 3 issues:

  • it cannot remove old backup files
  • it doesn't set correct owner and permission on backup files
  • it cannot find command sogo-tool on FreeBSD. This issue causes our script - didn't backup any sogo data at all.
  • + didn't backup any sogo data on FreeBSD at all.

    To fix them, please download the latest version and override the one on your system:
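Review bot: the reworded sentence in the third bullet, "This issue causes our script didn't backup any sogo data on FreeBSD at all", is still ungrammatical. Suggest "As a result, the script did not back up any SOGo data on FreeBSD." Since only the third bullet is now scoped to FreeBSD, it would also help to say whether the first two issues affect every platform.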

    @@ -116,6 +118,67 @@ chown root backup_sogo.sh chmod 0400 backup_sogo.sh +

    New fail2ban jail: postfix-pregreet

    +
    +

    Attention

    +

    This is not applicable to OpenBSD because we don't have Fail2ban running on +OpenBSD.

    +
    +

    Quote from Postfix website:

    +
    +

    The SMTP protocol is a classic example of a protocol where the server speaks +before the client. postscreen(8) detects zombies that are in a hurry and that +speak before their turn.

    +
    +

    Many spammers are in a hurry to start transfer message to your server, we'd +like to block them due to not follow RFC.

    +

    During mail server maintenance, we found many spammers from China mainland +cannot pass this pregreet test and all of them use ylmf-pc as HELO hostname. +it's very possible that they're running an illegal Windows XP system which were +installed with a malware Windows XP ISO image.

    +

    Steps to create this new Fail2ban jail:

    + +
    [Definition]
    +
    +# Block clients which cannot pass Postfix postscreen pregreet test.
    +# FYI: http://www.postfix.org/POSTSCREEN_README.html#pregreet
    +#
    +# The SMTP protocol is a classic example of a protocol where the server speaks
    +# before the client. postscreen(8) detects zombies that are in a hurry and that
    +# speak before their turn.
    +failregex = postscreen\[\d+\]: PREGREET .* from \[<HOST>\]:\d+:
    +
    +# while setting up new account, Thunderbird doesn't wait for server connection
    +# greeting/banner, this causes Thunderbird cannot pass the Postfix pregreet
    +# test and caught by `failregex` rules listed above (the rule contains
    +# 'PREGREET' line).
    +# FYI: https://bugzilla.mozilla.org/show_bug.cgi?id=538809#c41
    +ignoreregex = postscreen\[\d+\]: PREGREET .* from \[<HOST>\]:\d+: (EHLO|HELO) we-guess.mozilla.org
    +
    + + +
    [postfix-pregreet-iredmail]
    +enabled     = true
    +filter      = postfix-pregreet.iredmail
    +logpath     = /var/log/maillog
    +maxretry    = 1
    +action      = iptables-multiports[name=postfix, port="25", protocol=tcp]
    +
    +

    Fixed: Nginx snippet file hard-codes static file types for iRedAdmin

    Attention
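Review bot: the jail's `filter = postfix-pregreet.iredmail` does not match the filter file the steps create, `/etc/fail2ban/filter.d/postfix-pregreet.conf`. Fail2ban resolves a filter by its file name under `filter.d`, so with the two snippets as written the jail will not find its filter. Either create the file as `postfix-pregreet.iredmail.conf` or set `filter = postfix-pregreet`. In the same jail block, `action = iptables-multiports[...]` should be checked against the target systems: the action shipped with Fail2ban is named `iptables-multiport`, without the trailing "s". With `maxretry = 1` a single PREGREET log line bans the client on port 25 and the only exemption is the `we-guess.mozilla.org` ignoreregex, so the section should state how long the ban lasts (no `bantime` is set here, so the global default applies). The steps also end after the second file without telling the admin to reload or restart Fail2ban, which the Nginx section that follows does spell out for its own service.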

    @@ -137,7 +200,7 @@ hard-codes static file types like below:

    Reloading or restarting Nginx service is required.

    -

    [OPTIONAL] Fix improper expected DNSBL filter for site b.barracudacentral.org

    +

    Fix unexpected DNSBL query result for site b.barracudacentral.org

    Postfix config file generated by iRedMail enables DNSBL service for postscreen service like below:

    postscreen_dnsbl_sites =
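Review bot: dropping the `[OPTIONAL]` prefix from the `b.barracudacentral.org` heading turns this section into a required upgrade step, but the ChangeLog hunk in this commit only records the new jail. Add a ChangeLog entry saying the DNSBL fix is no longer optional, and give the reason in the section body so that admins who skipped it earlier know to go back and apply it. If heading anchors are generated from the heading text, links to the old title will also stop resolving and should be checked.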