Sync iredmail upgrade tutorial.

Zhang Huangbin 2018-02-15 00:27:23 +08:00
parent 1163c24a92
commit 980974d7bc
2 changed files with 76 additions and 0 deletions

@ -14,6 +14,7 @@
## ChangeLog
* Feb 14, 2018: [SECURITY] Fixed: Nginx snippet file doesn't block access to Roundcube sensitive files.
* Feb 11, 2018: netdata integration.
* Feb 11, 2018: mlmmj & mlmmjadmin integration.
* Feb 11, 2018: OpenBSD: Upgrade uwsgi to the latest 2.0.16
@ -163,6 +164,47 @@ location ~ ^/iredadmin/static/(.*) { # Remove file types
Reloading or restarting Nginx service is required.
### [SECURITY] Fixed: Nginx snippet file doesn't block access to Roundcube sensitive files
!!! attention
This is only applicable to Nginx.
With default iRedMail settings, Nginx doesn't block access to Roundcube
sensitive files and `.htaccess` file, this may leak users' PGP keys.
Please follow steps below to fix it.
Please open file `/etc/nginx/templates/roundcube.tmpl` (Linux/OpenBSD) or
`/usr/local/etc/nginx/templates/roundcube.tmpl` (FreeBSD), add lines below
__ABOVE__ any existing lines:
```
location ~ ^/mail/(bin|SQL|README|INSTALL|LICENSE|CHANGELOG|UPGRADING|config|temp|logs|installer)(.*) { deny all; }
location ~ ^/mail/plugins/enigma/home(.*) { deny all; }
location ~ (composer.json|jsdeps.json)(.*) { deny all; }
```
Please open file `/etc/nginx/templates/roundcube-subdomain.tmpl` (Linux/OpenBSD) or
`/usr/local/etc/nginx/templates/roundcube-subdomain.tmpl` (FreeBSD), add lines below
__ABOVE__ any existing lines:
```
location ~ ^/(bin|SQL|README|INSTALL|LICENSE|CHANGELOG|UPGRADING|config|temp|logs|installer)(.*) { deny all; }
location ~ ^/plugins/enigma/home(.*) { deny all; }
location ~ (composer.json|jsdeps.json)(.*) { deny all; }
```
Open both `/etc/nginx/sites-available/00-default.conf` and `00-default-ssl.conf` (Linux/OpenBSD)
or `/usr/local/etc/nginx/sites-available/00-default.conf.tmpl` and `00-default-ssl.conf` (FreeBSD),
make sure Nginx template file `misc.tmpl` is loadded first. For example, on
Linux/OpenBSD, make sure line below is the first one `include` directive:
```
include /etc/nginx/templates/misc.tmpl;
```
Restarting Nginx service is required.
### Fix unexpected DNSBL query result for site `b.barracudacentral.org`
Postfix config file generated by iRedMail enables DNSBL service for postscreen
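Review bot: In both added Nginx blocks, the third rule `location ~ (composer.json|jsdeps.json)(.*) { deny all; }` leaves the dots unescaped and has no anchor, so `.` matches any character and the pattern can match anywhere in a request URI rather than only those two file names. Suggest escaping and anchoring it, for example `location ~ /(composer\.json|jsdeps\.json)$ { deny all; }`. Separately, the introduction names the `.htaccess` file, but none of the three added `location` lines matches it; if loading `misc.tmpl` first is the step that covers `.htaccess`, the text should say so, so readers understand why the include order matters.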

@ -26,6 +26,7 @@
<li><a href="#fixed-sogo-backup-script-contains-3-issues">Fixed: SOGo backup script contains 3 issues</a></li>
<li><a href="#fail2ban-new-jail-postfix-pregreet">Fail2ban: new jail postfix-pregreet</a></li>
<li><a href="#fixed-nginx-snippet-file-hard-codes-static-file-types-for-iredadmin">Fixed: Nginx snippet file hard-codes static file types for iRedAdmin</a></li>
<li><a href="#security-fixed-nginx-snippet-file-doesnt-block-access-to-roundcube-sensitive-files">[SECURITY] Fixed: Nginx snippet file doesn't block access to Roundcube sensitive files</a></li>
<li><a href="#fix-unexpected-dnsbl-query-result-for-site-bbarracudacentralorg">Fix unexpected DNSBL query result for site b.barracudacentral.org</a></li>
<li><a href="#openbsd-upgrade-uwsgi-to-the-latest-2016">OpenBSD: Upgrade uwsgi to the latest 2.0.16</a></li>
<li><a href="#optional-log-mail-subject-sender-size-in-mail-deliver-log">[OPTIONAL] Log mail subject, sender, size in mail deliver log</a></li>
@ -68,6 +69,7 @@ check <a href="https://www.iredmail.org/support.html">the details</a> and
</div>
<h2 id="changelog">ChangeLog</h2>
<ul>
<li>Feb 14, 2018: [SECURITY] Fixed: Nginx snippet file doesn't block access to Roundcube sensitive files.</li>
<li>Feb 11, 2018: netdata integration.</li>
<li>Feb 11, 2018: mlmmj &amp; mlmmjadmin integration.</li>
<li>Feb 11, 2018: OpenBSD: Upgrade uwsgi to the latest 2.0.16</li>
@ -200,6 +202,38 @@ hard-codes static file types like below:</p>
</code></pre>
<p>Reloading or restarting Nginx service is required.</p>
<h3 id="security-fixed-nginx-snippet-file-doesnt-block-access-to-roundcube-sensitive-files">[SECURITY] Fixed: Nginx snippet file doesn't block access to Roundcube sensitive files</h3>
<div class="admonition attention">
<p class="admonition-title">Attention</p>
<p>This is only applicable to Nginx.</p>
</div>
<p>With default iRedMail settings, Nginx doesn't block access to Roundcube
sensitive files and <code>.htaccess</code> file, this may leak users' PGP keys.
Please follow steps below to fix it.</p>
<p>Please open file <code>/etc/nginx/templates/roundcube.tmpl</code> (Linux/OpenBSD) or
<code>/usr/local/etc/nginx/templates/roundcube.tmpl</code> (FreeBSD), add lines below
<strong>ABOVE</strong> any existing lines:</p>
<pre><code>location ~ ^/mail/(bin|SQL|README|INSTALL|LICENSE|CHANGELOG|UPGRADING|config|temp|logs|installer)(.*) { deny all; }
location ~ ^/mail/plugins/enigma/home(.*) { deny all; }
location ~ (composer.json|jsdeps.json)(.*) { deny all; }
</code></pre>
<p>Please open file <code>/etc/nginx/templates/roundcube-subdomain.tmpl</code> (Linux/OpenBSD) or
<code>/usr/local/etc/nginx/templates/roundcube-subdomain.tmpl</code> (FreeBSD), add lines below
<strong>ABOVE</strong> any existing lines:</p>
<pre><code>location ~ ^/(bin|SQL|README|INSTALL|LICENSE|CHANGELOG|UPGRADING|config|temp|logs|installer)(.*) { deny all; }
location ~ ^/plugins/enigma/home(.*) { deny all; }
location ~ (composer.json|jsdeps.json)(.*) { deny all; }
</code></pre>
<p>Open both <code>/etc/nginx/sites-available/00-default.conf</code> and <code>00-default-ssl.conf</code> (Linux/OpenBSD)
or <code>/usr/local/etc/nginx/sites-available/00-default.conf.tmpl</code> and <code>00-default-ssl.conf</code> (FreeBSD),
make sure Nginx template file <code>misc.tmpl</code> is loadded first. For example, on
Linux/OpenBSD, make sure line below is the first one <code>include</code> directive:</p>
<pre><code> include /etc/nginx/templates/misc.tmpl;
</code></pre>
<p>Restarting Nginx service is required.</p>
<h3 id="fix-unexpected-dnsbl-query-result-for-site-bbarracudacentralorg">Fix unexpected DNSBL query result for site <code>b.barracudacentral.org</code></h3>
<p>Postfix config file generated by iRedMail enables DNSBL service for postscreen
service like below:</p>
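Review bot: The last paragraph of the new section (the one about `misc.tmpl`) has wording problems that make the step ambiguous: `loadded` should be `loaded`, "the first one `include` directive" should read "the first `include` directive", and the FreeBSD file list pairs `00-default.conf.tmpl` with `00-default-ssl.conf`, so it is unclear whether the `.tmpl` suffix belongs on one file, both, or neither. The same text appears in the Markdown hunk of this commit, so it should be corrected there and this page regenerated from it. Because the fix depends on directive order, it would also help to tell the reader to run `nginx -t` before restarting the service.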