General (All backends should apply these steps)[SOGo]
+enabled = true
+filter = sogo-auth
+port = http, https
+# without proxy this would be:
+# port = 20000
+action = iptables-multiport[name=SOGo, port="http,https", protocol=tcp]
+logpath = /var/log/sogo/sogo.log
+
+
+Restarting Fail2ban service is required.
[OPTIONAL] Add one more Fail2ban filter to help catch spam
We have a new Fail2ban filter to help catch spam, it will scan HELO rejections
in Postfix log file and invoke iptables to ban client IP address.
@@ -74,6 +91,7 @@ failregex = \[<HOST>\]: SASL (PLAIN|LOGIN) authentication failed
ignoreregex =
+Restarting Fail2ban service is required.
[OPTIONAL] Fixed: return receipt response rejected by iRedAPD plugin reject_null_sender
Note: this is applicable if you want to keep iRedAPD plugin reject_null_sender
but still able to send return receipt with Roundcube webmail.
diff --git a/integrations/0-sogo-centos-6-mysql.md b/integrations/0-sogo-centos-6-mysql.md
index ad14caa7..5085bf73 100644
--- a/integrations/0-sogo-centos-6-mysql.md
+++ b/integrations/0-sogo-centos-6-mysql.md
@@ -93,7 +93,10 @@ With below config file, SOGo will listen on address `127.0.0.1`, port `20000`.
WOPort = 127.0.0.1:20000;
// PID file
- //WOPidFile = /var/log/sogo/sogo.log;
+ //WOPidFile = /var/run/sogo/sogo.log;
+
+ // Log file
+ //WOLogFile = /var/log/sogo/sogo.log;
// IMAP connection pool.
// Your performance will slightly increase, as you won't open a new
diff --git a/integrations/0-sogo-centos-6-openldap.md b/integrations/0-sogo-centos-6-openldap.md
index 3f0246b6..40bf5819 100644
--- a/integrations/0-sogo-centos-6-openldap.md
+++ b/integrations/0-sogo-centos-6-openldap.md
@@ -90,7 +90,10 @@ With below config file, SOGo will listen on address `127.0.0.1`, port `20000`.
WOPort = 127.0.0.1:20000;
// PID file
- //WOPidFile = /var/log/sogo/sogo.log;
+ //WOPidFile = /var/run/sogo/sogo.log;
+
+ // Log file
+ //WOLogFile = /var/log/sogo/sogo.log;
// IMAP connection pool.
// Your performance will slightly increase, as you won't open a new
diff --git a/upgrade/0-upgrade.iredmail.0.9.0-0.9.1.md b/upgrade/0-upgrade.iredmail.0.9.0-0.9.1.md
index 026aa362..4817d234 100644
--- a/upgrade/0-upgrade.iredmail.0.9.0-0.9.1.md
+++ b/upgrade/0-upgrade.iredmail.0.9.0-0.9.1.md
@@ -7,6 +7,7 @@ __WARNING: Still working in progress, do _NOT_ apply it.__
## ChangeLog
+* 2015-02-11: [All backends] [__OPTIONAL__] Setup Fail2ban to monitor password failures in SOGo log file.
* 2015-02-11: [All backends] Fixed: Cannot run PHP script under web document root with Nginx.
* 2015-02-09: [All backends] [__OPTIONAL__] Add one more Fail2ban filter to help catch spam.
* 2015-02-04: [All backends] [__OPTIONAL__] Fixed: return receipt response rejected
@@ -19,6 +20,26 @@ __WARNING: Still working in progress, do _NOT_ apply it.__
## General (All backends should apply these steps)
+### [__OPTIONAL__] Setup Fail2ban to monitor password failures in SOGo log file
+
+To improve server security, we'd better block clients which have too many
+failed login attempts from SOGo.
+
+Please append below lines in Fail2ban main config file `/etc/fail2ban/jail.local`:
+
+```
+[SOGo]
+enabled = true
+filter = sogo-auth
+port = http, https
+# without proxy this would be:
+# port = 20000
+action = iptables-multiport[name=SOGo, port="http,https", protocol=tcp]
+logpath = /var/log/sogo/sogo.log
+```
+
+Restarting Fail2ban service is required.
+
### [OPTIONAL] Add one more Fail2ban filter to help catch spam
We have a new Fail2ban filter to help catch spam, it will scan HELO rejections
@@ -45,6 +66,8 @@ failregex = \[\]: SASL (PLAIN|LOGIN) authentication failed
ignoreregex =
```
+Restarting Fail2ban service is required.
+
### [OPTIONAL] Fixed: return receipt response rejected by iRedAPD plugin `reject_null_sender`
Note: this is applicable if you want to keep iRedAPD plugin `reject_null_sender`