Sync iredmail upgrade tutorial.
parent 1163c24a92
commit 980974d7bc
|
@ -14,6 +14,7 @@
|
|||
|
||||
## ChangeLog
|
||||
|
||||
* Feb 14, 2018: [SECURITY] Fixed: Nginx snippet file doesn't block access to Roundcube sensitive files.
|
||||
* Feb 11, 2018: netdata integration.
|
||||
* Feb 11, 2018: mlmmj & mlmmjadmin integration.
|
||||
* Feb 11, 2018: OpenBSD: Upgrade uwsgi to the latest 2.0.16
|
||||
|
@ -163,6 +164,47 @@ location ~ ^/iredadmin/static/(.*) { # Remove file types
|
|||
|
||||
Reloading or restarting Nginx service is required.
|
||||
|
||||
### [SECURITY] Fixed: Nginx snippet file doesn't block access to Roundcube sensitive files
|
||||
|
||||
!!! attention
|
||||
|
||||
This is only applicable to Nginx.
|
||||
|
||||
With default iRedMail settings, Nginx doesn't block access to Roundcube
|
||||
sensitive files and `.htaccess` file, this may leak users' PGP keys.
|
||||
Please follow steps below to fix it.
|
||||
|
||||
Please open file `/etc/nginx/templates/roundcube.tmpl` (Linux/OpenBSD) or
|
||||
`/usr/local/etc/nginx/templates/roundcube.tmpl` (FreeBSD), add lines below
|
||||
__ABOVE__ any existing lines:
|
||||
|
||||
```
|
||||
location ~ ^/mail/(bin|SQL|README|INSTALL|LICENSE|CHANGELOG|UPGRADING|config|temp|logs|installer)(.*) { deny all; }
|
||||
location ~ ^/mail/plugins/enigma/home(.*) { deny all; }
|
||||
location ~ (composer.json|jsdeps.json)(.*) { deny all; }
|
||||
```
|
||||
|
||||
Please open file `/etc/nginx/templates/roundcube-subdomain.tmpl` (Linux/OpenBSD) or
|
||||
`/usr/local/etc/nginx/templates/roundcube-subdomain.tmpl` (FreeBSD), add lines below
|
||||
__ABOVE__ any existing lines:
|
||||
|
||||
```
|
||||
location ~ ^/(bin|SQL|README|INSTALL|LICENSE|CHANGELOG|UPGRADING|config|temp|logs|installer)(.*) { deny all; }
|
||||
location ~ ^/plugins/enigma/home(.*) { deny all; }
|
||||
location ~ (composer.json|jsdeps.json)(.*) { deny all; }
|
||||
```
|
||||
|
||||
Open both `/etc/nginx/sites-available/00-default.conf` and `00-default-ssl.conf` (Linux/OpenBSD)
|
||||
or `/usr/local/etc/nginx/sites-available/00-default.conf.tmpl` and `00-default-ssl.conf` (FreeBSD),
|
||||
make sure Nginx template file `misc.tmpl` is loadded first. For example, on
|
||||
Linux/OpenBSD, make sure line below is the first one `include` directive:
|
||||
|
||||
```
|
||||
include /etc/nginx/templates/misc.tmpl;
|
||||
```
|
||||
|
||||
Restarting Nginx service is required.
|
||||
|
||||
### Fix unexpected DNSBL query result for site `b.barracudacentral.org`
|
||||
|
||||
Postfix config file generated by iRedMail enables DNSBL service for postscreen
|
||||
|
|
|
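Review bot: The third rule in both snippets, `location ~ (composer.json|jsdeps.json)(.*) { deny all; }`, has unescaped dots and no anchor, so `.` matches any character and the pattern is not limited to `/mail/` in `roundcube.tmpl`; it will deny any URI that merely contains such a string. Suggest escaping the dots (`composer\.json|jsdeps\.json`) and anchoring the pattern the way the first two rules are; the trailing `(.*)` is redundant on all three rules because they are not anchored at the end. Separately, the intro says Nginx doesn't block the `.htaccess` file, but none of the added `location` lines match `.htaccess`; if that is what loading `misc.tmpl` first is meant to cover, the text should say so, and should also say that "ABOVE any existing lines" matters because Nginx evaluates regex locations in file order and uses the first match.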
@ -26,6 +26,7 @@
|
|||
<li><a href="#fixed-sogo-backup-script-contains-3-issues">Fixed: SOGo backup script contains 3 issues</a></li>
|
||||
<li><a href="#fail2ban-new-jail-postfix-pregreet">Fail2ban: new jail postfix-pregreet</a></li>
|
||||
<li><a href="#fixed-nginx-snippet-file-hard-codes-static-file-types-for-iredadmin">Fixed: Nginx snippet file hard-codes static file types for iRedAdmin</a></li>
|
||||
<li><a href="#security-fixed-nginx-snippet-file-doesnt-block-access-to-roundcube-sensitive-files">[SECURITY] Fixed: Nginx snippet file doesn't block access to Roundcube sensitive files</a></li>
|
||||
<li><a href="#fix-unexpected-dnsbl-query-result-for-site-bbarracudacentralorg">Fix unexpected DNSBL query result for site b.barracudacentral.org</a></li>
|
||||
<li><a href="#openbsd-upgrade-uwsgi-to-the-latest-2016">OpenBSD: Upgrade uwsgi to the latest 2.0.16</a></li>
|
||||
<li><a href="#optional-log-mail-subject-sender-size-in-mail-deliver-log">[OPTIONAL] Log mail subject, sender, size in mail deliver log</a></li>
|
||||
|
@ -68,6 +69,7 @@ check <a href="https://www.iredmail.org/support.html">the details</a> and
|
|||
</div>
|
||||
<h2 id="changelog">ChangeLog</h2>
|
||||
<ul>
|
||||
<li>Feb 14, 2018: [SECURITY] Fixed: Nginx snippet file doesn't block access to Roundcube sensitive files.</li>
|
||||
<li>Feb 11, 2018: netdata integration.</li>
|
||||
<li>Feb 11, 2018: mlmmj & mlmmjadmin integration.</li>
|
||||
<li>Feb 11, 2018: OpenBSD: Upgrade uwsgi to the latest 2.0.16</li>
|
||||
|
@ -200,6 +202,38 @@ hard-codes static file types like below:</p>
|
|||
</code></pre>
|
||||
|
||||
<p>Reloading or restarting Nginx service is required.</p>
|
||||
<h3 id="security-fixed-nginx-snippet-file-doesnt-block-access-to-roundcube-sensitive-files">[SECURITY] Fixed: Nginx snippet file doesn't block access to Roundcube sensitive files</h3>
|
||||
<div class="admonition attention">
|
||||
<p class="admonition-title">Attention</p>
|
||||
<p>This is only applicable to Nginx.</p>
|
||||
</div>
|
||||
<p>With default iRedMail settings, Nginx doesn't block access to Roundcube
|
||||
sensitive files and <code>.htaccess</code> file, this may leak users' PGP keys.
|
||||
Please follow steps below to fix it.</p>
|
||||
<p>Please open file <code>/etc/nginx/templates/roundcube.tmpl</code> (Linux/OpenBSD) or
|
||||
<code>/usr/local/etc/nginx/templates/roundcube.tmpl</code> (FreeBSD), add lines below
|
||||
<strong>ABOVE</strong> any existing lines:</p>
|
||||
<pre><code>location ~ ^/mail/(bin|SQL|README|INSTALL|LICENSE|CHANGELOG|UPGRADING|config|temp|logs|installer)(.*) { deny all; }
|
||||
location ~ ^/mail/plugins/enigma/home(.*) { deny all; }
|
||||
location ~ (composer.json|jsdeps.json)(.*) { deny all; }
|
||||
</code></pre>
|
||||
|
||||
<p>Please open file <code>/etc/nginx/templates/roundcube-subdomain.tmpl</code> (Linux/OpenBSD) or
|
||||
<code>/usr/local/etc/nginx/templates/roundcube-subdomain.tmpl</code> (FreeBSD), add lines below
|
||||
<strong>ABOVE</strong> any existing lines:</p>
|
||||
<pre><code>location ~ ^/(bin|SQL|README|INSTALL|LICENSE|CHANGELOG|UPGRADING|config|temp|logs|installer)(.*) { deny all; }
|
||||
location ~ ^/plugins/enigma/home(.*) { deny all; }
|
||||
location ~ (composer.json|jsdeps.json)(.*) { deny all; }
|
||||
</code></pre>
|
||||
|
||||
<p>Open both <code>/etc/nginx/sites-available/00-default.conf</code> and <code>00-default-ssl.conf</code> (Linux/OpenBSD)
|
||||
or <code>/usr/local/etc/nginx/sites-available/00-default.conf.tmpl</code> and <code>00-default-ssl.conf</code> (FreeBSD),
|
||||
make sure Nginx template file <code>misc.tmpl</code> is loadded first. For example, on
|
||||
Linux/OpenBSD, make sure line below is the first one <code>include</code> directive:</p>
|
||||
<pre><code> include /etc/nginx/templates/misc.tmpl;
|
||||
</code></pre>
|
||||
|
||||
<p>Restarting Nginx service is required.</p>
|
||||
<h3 id="fix-unexpected-dnsbl-query-result-for-site-bbarracudacentralorg">Fix unexpected DNSBL query result for site <code>b.barracudacentral.org</code></h3>
|
||||
<p>Postfix config file generated by iRedMail enables DNSBL service for postscreen
|
||||
service like below:</p>
|
||||
|
|
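Review bot: In the paragraph before the `include` line, the FreeBSD path is given as `00-default.conf.tmpl` while the Linux/OpenBSD file and the FreeBSD SSL file are `00-default.conf` and `00-default-ssl.conf`; the `.tmpl` suffix looks like a slip and would send FreeBSD admins to a file that does not match the others. The same paragraph has "loadded" for "loaded" and "the first one `include` directive". Both appear identically in the Markdown hunk, so fix them there and regenerate this file. The example `include /etc/nginx/templates/misc.tmpl;` is the Linux/OpenBSD path only; adding the `/usr/local/etc/nginx/templates/misc.tmpl` form for FreeBSD would match how the earlier steps list both.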