Sync upgrade tutorial for new LDAP attribute 'allowNets' and SQL column 'mailbox.allow_nets'.

This commit is contained in:
Zhang Huangbin 2015-03-25 20:36:46 +08:00
parent 85f41980a5
commit bd5875349d
5 changed files with 319 additions and 58 deletions

View File

@ -1,5 +1,7 @@
# TODO
https://bitbucket.org/zhb/iredmail/commits/b721a9c376f67a4a11b4b1761386a266cfd11f96
* How to install and configure SOGo groupware
* How to install and configure Nginx
* How to custom SpamAssassin scores
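Review bot: the bare URL `https://bitbucket.org/zhb/iredmail/commits/b721a9c376f67a4a11b4b1761386a266cfd11f96` is added under `# TODO` with no text saying what that commit contains or what still needs to be documented from it, so the item is opaque to anyone without the commit page. Suggest making it a list entry with a one-line description, in the same `* How to ...` form as the three entries below it, and keeping the link as supporting reference.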

View File

@ -49,6 +49,11 @@ all_chapter_dirs="installation \
# - summary: _summary.md
echo "We're migrating [old wiki documents](http://www.iredmail.org/wiki) to Markdown format for easier maintenance, all documents are available [here](https://bitbucket.org/zhb/docs.iredmail.org/src)." > ${INDEX_MD}
# Compile all Markdown files.
if echo "$@" | grep -q -- '--all' &>/dev/null; then
compile_all='YES'
fi
article_counter=0
echo -n "* Processing Markdown files: "
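Review bot: in `if echo "$@" | grep -q -- '--all' &>/dev/null; then` the `&>/dev/null` is redundant, because `-q` already silences grep, and `&>` is a bash extension that a plain `/bin/sh` reads as `&` (run in background) followed by an output redirection. Either drop the redirection or write it portably as `>/dev/null 2>&1`. Hoisting the `--all` check out of the per-file loop is the right change; the loop copy goes away in the next hunk.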
@ -106,15 +111,10 @@ for chapter_dir in ${all_chapter_dirs}; do
fi
# Convert modified file
if echo ${CHANGED_FILES} | grep ${article_file} > /dev/null; then
compile_this_file='YES'
fi
echo ${CHANGED_FILES} | grep ${article_file} &> /dev/null
compile_this_file="$?"
if echo "$@" | grep -q -- '--all'; then
compile_all='YES'
fi
if [ X"${compile_this_file}" == X'YES' -o X"${compile_all}" == X'YES' ]; then
if [ X"${compile_this_file}" == X'0' -o X"${compile_all}" == X'YES' ]; then
echo -e "\n* Converting: ${article_file}"
${CMD_CONVERT} ${article_file} ${OUTPUT_DIR} \
output_filename="${article_html_file}" \
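Review bot: `echo ${CHANGED_FILES} | grep ${article_file} &> /dev/null` performs an unanchored regex match on an unquoted file name, so `index.md` also matches `my-index.md` and the unescaped `.` matches any character; files can be recompiled or skipped by accident depending on how names overlap. `&>` is the same bashism flagged in the previous hunk. Suggest a whole-token fixed-string match, e.g. `printf '%s\n' ${CHANGED_FILES} | grep -qxF -- "${article_file}"` followed by `compile_this_file="$?"`. The new test `[ X"${compile_this_file}" == X'0' -o X"${compile_all}" == X'YES' ]` also mixes a raw exit code with a `YES` flag in one condition; keeping `compile_this_file='YES'` / `'NO'` as before would read more consistently.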

View File

@ -57,6 +57,7 @@ code {
line-height: 1.5;
font-size: 13px;
}
h3 code { font-size: 18px; }
aside {
display: block;
float: right;

View File

@ -26,18 +26,22 @@
</ul>
</li>
<li><a href="#openldap-backend-special">OpenLDAP backend special</a><ul>
<li><a href="#use-the-latest-ldap-schema-file-provided-by-iredmail">Use the latest LDAP schema file provided by iRedMail</a></li>
<li><a href="#restrict-mail-user-to-login-from-specified-ip-addresses-or-networks">Restrict mail user to login from specified IP addresses or networks</a></li>
<li><a href="#fixed-not-backup-sogo-database">Fixed: not backup SOGo database</a></li>
<li><a href="#optional-bypass-greylisting-for-some-big-isps">[OPTIONAL] Bypass greylisting for some big ISPs</a></li>
</ul>
</li>
<li><a href="#mysqlmariadb-backend-special">MySQL/MariaDB backend special</a><ul>
<li><a href="#fixed-not-apply-service-restriction-in-dovecot-sql-query-file-while-acting-as-sasl-server">Fixed: Not apply service restriction in Dovecot SQL query file while acting as SASL server</a></li>
<li><a href="#add-new-sql-column-in-vmail-database">Add new SQL column in vmail database</a></li>
<li><a href="#restrict-mail-user-to-login-from-specified-ip-addresses-or-networks-and-apply-service-restriction-while-acting-as-sasl-server">Restrict mail user to login from specified IP addresses or networks, and apply service restriction while acting as SASL server</a></li>
<li><a href="#fixed-not-backup-sogo-database_1">Fixed: not backup SOGo database</a></li>
<li><a href="#optional-bypass-greylisting-for-some-big-isps_1">[OPTIONAL] Bypass greylisting for some big ISPs</a></li>
</ul>
</li>
<li><a href="#postgresql-backend-special">PostgreSQL backend special</a><ul>
<li><a href="#fixed-not-apply-service-restriction-in-dovecot-sql-query-file-while-acting-as-sasl-server_1">Fixed: Not apply service restriction in Dovecot SQL query file while acting as SASL server</a></li>
<li><a href="#add-new-sql-column-in-vmail-database_1">Add new SQL column in vmail database</a></li>
<li><a href="#restrict-mail-user-to-login-from-specified-ip-addresses-or-networks-and-apply-service-restriction-while-acting-as-sasl-server_1">Restrict mail user to login from specified IP addresses or networks, and apply service restriction while acting as SASL server</a></li>
<li><a href="#fixed-not-backup-sogo-database_2">Fixed: not backup SOGo database</a></li>
<li><a href="#optional-bypass-greylisting-for-some-big-isps_2">[OPTIONAL] Bypass greylisting for some big ISPs</a></li>
</ul>
@ -49,6 +53,9 @@
<p><strong>WARNING: Still working in progress, do <em>NOT</em> apply it.</strong></p>
<h2 id="changelog">ChangeLog</h2>
<ul>
<li>2015-02-25: [All backends] Add new LDAP attribute <code>allowNets</code> and SQL column
<code>mailbox.allow_nets</code>, which used to restrict mail user to login
from specified IP addresses or networks.</li>
<li>2015-02-25: [All backends] Upgrade iRedAPD to 1.4.5.</li>
<li>2015-02-25: [All backends] [<strong>OPTIONAL</strong>] Bypass greylisting for some big ISPs.</li>
<li>2015-02-25: [All backends] [<strong>OPTIONAL</strong>] Add one more Fail2ban filter to help catch spam (POP3/IMAP flood).</li>
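Review bot: `which used to restrict mail user to login from specified IP addresses or networks` reads as past tense and drops the verb; it should say `which is used to restrict mail users to logging in only from the specified IP addresses or networks`. The new entry is dated 2015-02-25 although this commit lands on 2015-03-25; confirm the date is intended. Since this HTML is generated from the Markdown source, make the wording fix there and regenerate this file.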
@ -247,6 +254,78 @@ ignoreregex =
<p>Restarting Fail2ban service is required.</p>
<h2 id="openldap-backend-special">OpenLDAP backend special</h2>
<h3 id="use-the-latest-ldap-schema-file-provided-by-iredmail">Use the latest LDAP schema file provided by iRedMail</h3>
<p>We have a new attribute <code>allowNets</code> for mail user in the latest LDAP schema
file. With this new attribute, you can restrict mail users to login from
specified IP addresses or networks, multiple IP/nets must be separated by
comma.</p>
<p>Steps to use the latest LDAP schema file are:</p>
<ul>
<li>Download the newest iRedMail ldap schema file</li>
<li>Copy old ldap schema file as a backup copy</li>
<li>Replace the old one</li>
<li>Restart OpenLDAP service.</li>
</ul>
<p>Here we go:</p>
<ul>
<li>On RHEL/CentOS, OpenBSD:</li>
</ul>
<pre><code># cd /tmp
# wget https://bitbucket.org/zhb/iredmail/raw/default/iRedMail/samples/iredmail.schema
# cd /etc/openldap/schema/
# cp iredmail.schema iredmail.schema.bak
# cp -f /tmp/iredmail.schema /etc/openldap/schema/
# /etc/init.d/slapd restart
</code></pre>
<ul>
<li>On Debian/Ubuntu:</li>
</ul>
<pre><code># cd /tmp
# wget https://bitbucket.org/zhb/iredmail/raw/default/iRedMail/samples/iredmail.schema
# cd /etc/ldap/schema/
# cp iredmail.schema iredmail.schema.bak
# cp -f /tmp/iredmail.schema /etc/ldap/schema/
# /etc/init.d/slapd restart
</code></pre>
<ul>
<li>On FreeBSD:</li>
</ul>
<pre><code># cd /tmp
# wget https://bitbucket.org/zhb/iredmail/raw/default/iRedMail/samples/iredmail.schema
# cd /usr/local/etc/ldap/schema/
# cp iredmail.schema iredmail.schema.bak
# cp -f /tmp/iredmail.schema /usr/local/etc/openldap/schema/
# /etc/init.d/slapd restart
</code></pre>
<h3 id="restrict-mail-user-to-login-from-specified-ip-addresses-or-networks">Restrict mail user to login from specified IP addresses or networks</h3>
<p>With the latest LDAP schema file, it's able to restrict mail users to login
from specified IP/networks.</p>
<p>Open Dovecot config file <code>/etc/dovecot/dovecot-ldap.conf</code> (Linux/OpenBSD) or
<code>/usr/local/etc/dovecot/dovecot-ldap.conf</code> (FreeBSD), append
<code>allowNets=allow_nets</code> in parameter <code>pass_attrs</code>. The final setting should be:</p>
<pre><code>pass_attrs = mail=user,userPassword=password,allowNets=allow_nets
</code></pre>
<p>Restarting Dovecot service is required.</p>
<p>Sample usage: allow user <code>user@domain.com</code> to login from IP <code>172.16.244.1</code> and
network <code>192.168.1.0/24</code>:</p>
<pre><code>dn: mail=user@domain.com,ou=Users,domainName=domain.com,o=domains,dc=xx,dc=xx
objectClass: mailUser
mail: user@domain.com
allowNets: 192.168.1.10,192.168.1.0/24
...
</code></pre>
<p>To remove this restriction, just remove attribute <code>allowNets</code> for this user.</p>
<h3 id="fixed-not-backup-sogo-database">Fixed: not backup SOGo database</h3>
<p>Note: this step is not applicable if you don't use SOGo groupware.</p>
<p>Open backup script <code>/var/vmail/backup/backup_mysql.sh</code>, append SOGo SQL
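Review bot: the LDIF sample contradicts its own lead-in: the text promises access from IP `172.16.244.1` and network `192.168.1.0/24`, but the entry shows `allowNets: 192.168.1.10,192.168.1.0/24`. The FreeBSD block changes into `/usr/local/etc/ldap/schema/` yet copies the new schema to `/usr/local/etc/openldap/schema/`, so the backup is taken in one directory and the replacement lands in another (and `cp iredmail.schema iredmail.schema.bak` fails outright if the first directory does not exist); it also ends with `/etc/init.d/slapd restart`, which exists on neither FreeBSD nor OpenBSD. As this file is build output, fix these in the Markdown source and regenerate rather than editing the HTML by hand.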
@ -275,22 +354,45 @@ mysql&gt; SOURCE /tmp/greylisting-whitelist.sql;
<p>That's all.</p>
<h2 id="mysqlmariadb-backend-special">MySQL/MariaDB backend special</h2>
<h3 id="fixed-not-apply-service-restriction-in-dovecot-sql-query-file-while-acting-as-sasl-server">Fixed: Not apply service restriction in Dovecot SQL query file while acting as SASL server</h3>
<p>Please open Dovecot config file <code>/etc/dovecot/dovecot-mysql.conf</code>
(Linux/OpenBSD) or <code>/usr/local/etc/dovecot/dovecot-mysql.conf</code> (FreeBSD), find
below line:</p>
<pre><code># Part of file: /etc/dovecot/dovecot-mysql.conf
password_query = SELECT password FROM mailbox WHERE username='%u' AND active='1'
<h3 id="add-new-sql-column-in-vmail-database">Add new SQL column in <code>vmail</code> database</h3>
<p>We have a new SQL column <code>mailbox.allow_nets</code> in <code>vmail</code> database, it's used
to restrict mail users to login from specified IP addresses or networks,
multiple IP/nets must be separated by comma.</p>
<p>Connect to SQL server as MySQL root user, create new column:</p>
<pre><code>$ mysql -uroot -p
mysql&gt; USE vmail;
mysql&gt; ALTER TABLE mailbox ADD COLUMN `allow_nets` TEXT DEFAULT NULL;
</code></pre>
<p>Add additional query <code>AND enable%Ls%Lc=1</code> like below:</p>
<pre><code># Part of file: /etc/dovecot/dovecot-mysql.conf
password_query = SELECT password FROM mailbox WHERE username='%u' AND enable%Ls%Lc=1 AND active='1'
<h3 id="restrict-mail-user-to-login-from-specified-ip-addresses-or-networks-and-apply-service-restriction-while-acting-as-sasl-server">Restrict mail user to login from specified IP addresses or networks, and apply service restriction while acting as SASL server</h3>
<ul>
<li>
<p>With new SQL column <code>mailbox.allow_nets</code>, it's able to restrict mail users to
login from specified IP/networks. We have sample usage below.</p>
</li>
<li>
<p>With new service restriction, it's able to enable or disable smtp service for
mail users.</p>
</li>
</ul>
<p>Open Dovecot config file <code>/etc/dovecot/dovecot-mysql.conf</code> (Linux/OpenBSD) or
<code>/usr/local/etc/dovecot/dovecot-mysql.conf</code> (FreeBSD), then:</p>
<ul>
<li>append <code>allow_nets</code> in parameter <code>password_query</code></li>
<li>append <code>AND enable%Ls%Lc=1</code> in <code>WHERE</code> statement</li>
</ul>
<p>The final setting should be:</p>
<pre><code>password_query = SELECT password, allow_nets FROM mailbox WHERE username='%u' AND enable%Ls%Lc=1 AND active='1'
</code></pre>
<p>Save your change and restart Dovecot service.</p>
<p>Restarting Dovecot service is required.</p>
<p>Sample usage: allow user <code>user@domain.com</code> to login from IP <code>172.16.244.1</code> and
network <code>192.168.1.0/24</code>:</p>
<pre><code>sql&gt; USE vmail;
sql&gt; UPDATE mailbox SET allow_nets='172.16.244.1,192.168.1.0/24';
</code></pre>
<p>To remove this restriction, just set <code>mailbox.allow_nets</code> to <code>NULL</code>, not empty string.</p>
<h3 id="fixed-not-backup-sogo-database_1">Fixed: not backup SOGo database</h3>
<p>Note: this step is not applicable if you don't use SOGo groupware.</p>
<p>Open backup script <code>/var/vmail/backup/backup_mysql.sh</code>, append SOGo SQL
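Review bot: `UPDATE mailbox SET allow_nets='172.16.244.1,192.168.1.0/24';` has no `WHERE` clause, so it applies the restriction to every row in `mailbox`, not to `user@domain.com` as the sentence above it says, and would lock all other users out unless they happen to connect from those networks; add `WHERE username='user@domain.com'`. The adjacent sentences `Save your change and restart Dovecot service.` and `Restarting Dovecot service is required.` say the same thing; keep one. This file is generated from the Markdown source, so apply the fix there and regenerate.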
@ -319,22 +421,45 @@ mysql&gt; SOURCE /tmp/greylisting-whitelist.sql;
<p>That's all.</p>
<h2 id="postgresql-backend-special">PostgreSQL backend special</h2>
<h3 id="fixed-not-apply-service-restriction-in-dovecot-sql-query-file-while-acting-as-sasl-server_1">Fixed: Not apply service restriction in Dovecot SQL query file while acting as SASL server</h3>
<p>Please open Dovecot config file <code>/etc/dovecot/dovecot-pgsql.conf</code>
(Linux/OpenBSD) or <code>/usr/local/etc/dovecot/dovecot-pgsql.conf</code> (FreeBSD), find
below line:</p>
<pre><code># Part of file: /etc/dovecot/dovecot-pgsql.conf
password_query = SELECT password FROM mailbox WHERE username='%u' AND active='1'
<h3 id="add-new-sql-column-in-vmail-database_1">Add new SQL column in <code>vmail</code> database</h3>
<p>We have a new SQL column <code>mailbox.allow_nets</code> in <code>vmail</code> database, it's used
to restrict mail users to login from specified IP addresses or networks,
multiple IP/nets must be separated by comma.</p>
<p>Now connect to PostgreSQL server as admin user, create new column:</p>
<pre><code># su - postgres
$ psql -d vmail
sql&gt; ALTER TABLE mailbox ADD COLUMN allow_nets TEXT DEFAULT NULL;
</code></pre>
<p>Add additional query like below:</p>
<pre><code># Part of file: /etc/dovecot/dovecot-pgsql.conf
password_query = SELECT password FROM mailbox WHERE username='%u' AND enable%Ls%Lc=1 AND active='1'
<h3 id="restrict-mail-user-to-login-from-specified-ip-addresses-or-networks-and-apply-service-restriction-while-acting-as-sasl-server_1">Restrict mail user to login from specified IP addresses or networks, and apply service restriction while acting as SASL server</h3>
<ul>
<li>
<p>With new SQL column <code>mailbox.allow_nets</code>, it's able to restrict mail users to
login from specified IP/networks. We have sample usage below.</p>
</li>
<li>
<p>With new service restriction, it's able to enable or disable smtp service for
mail users.</p>
</li>
</ul>
<p>Open Dovecot config file <code>/etc/dovecot/dovecot-pgsql.conf</code> (Linux/OpenBSD) or
<code>/usr/local/etc/dovecot/dovecot-pgsql.conf</code> (FreeBSD), then:</p>
<ul>
<li>append <code>allow_nets</code> in parameter <code>password_query</code></li>
<li>append <code>AND enable%Ls%Lc=1</code> in <code>WHERE</code> statement</li>
</ul>
<p>The final setting should be:</p>
<pre><code>password_query = SELECT password, allow_nets FROM mailbox WHERE username='%u' AND enable%Ls%Lc=1 AND active='1'
</code></pre>
<p>Save your change and restart Dovecot service.</p>
<p>Restarting Dovecot service is required.</p>
<p>Sample usage: allow user <code>user@domain.com</code> to login from IP <code>172.16.244.1</code> and
network <code>192.168.1.0/24</code>:</p>
<pre><code>sql&gt; \c vmail;
sql&gt; UPDATE mailbox SET allow_nets='172.16.244.1,192.168.1.0/24';
</code></pre>
<p>To remove this restriction, just set <code>mailbox.allow_nets</code> to <code>NULL</code>, not empty string.</p>
<h3 id="fixed-not-backup-sogo-database_2">Fixed: not backup SOGo database</h3>
<p>Note: this step is not applicable if you don't use SOGo groupware.</p>
<p>Open backup script <code>/var/vmail/backup/backup_mysql.sh</code>, append SOGo SQL
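Review bot: same defect as in the MySQL section: `UPDATE mailbox SET allow_nets='172.16.244.1,192.168.1.0/24';` lacks a `WHERE username='user@domain.com'` clause and therefore restricts every mailbox in the table instead of the one user the text names. The duplicate restart sentences (`Save your change and restart Dovecot service.` followed by `Restarting Dovecot service is required.`) should be reduced to one. Fix in the Markdown source and regenerate this HTML.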

View File

@ -7,6 +7,9 @@ __WARNING: Still working in progress, do _NOT_ apply it.__
## ChangeLog
* 2015-02-25: [All backends] Add new LDAP attribute `allowNets` and SQL column
`mailbox.allow_nets`, which used to restrict mail user to login
from specified IP addresses or networks.
* 2015-02-25: [All backends] Upgrade iRedAPD to 1.4.5.
* 2015-02-25: [All backends] [__OPTIONAL__] Bypass greylisting for some big ISPs.
* 2015-02-25: [All backends] [__OPTIONAL__] Add one more Fail2ban filter to help catch spam (POP3/IMAP flood).
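Review bot: `which used to restrict mail user to login` is ungrammatical and reads as past tense; suggest `which is used to restrict mail users to logging in only from the specified IP addresses or networks`. The entry carries the date 2015-02-25 while this commit is dated 2015-03-25; confirm which date is meant.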
@ -237,6 +240,88 @@ Restarting Fail2ban service is required.
## OpenLDAP backend special
### Use the latest LDAP schema file provided by iRedMail
We have a new attribute `allowNets` for mail user in the latest LDAP schema
file. With this new attribute, you can restrict mail users to login from
specified IP addresses or networks, multiple IP/nets must be separated by
comma.
Steps to use the latest LDAP schema file are:
* Download the newest iRedMail ldap schema file
* Copy old ldap schema file as a backup copy
* Replace the old one
* Restart OpenLDAP service.
Here we go:
* On RHEL/CentOS, OpenBSD:
```
# cd /tmp
# wget https://bitbucket.org/zhb/iredmail/raw/default/iRedMail/samples/iredmail.schema
# cd /etc/openldap/schema/
# cp iredmail.schema iredmail.schema.bak
# cp -f /tmp/iredmail.schema /etc/openldap/schema/
# /etc/init.d/slapd restart
```
* On Debian/Ubuntu:
```
# cd /tmp
# wget https://bitbucket.org/zhb/iredmail/raw/default/iRedMail/samples/iredmail.schema
# cd /etc/ldap/schema/
# cp iredmail.schema iredmail.schema.bak
# cp -f /tmp/iredmail.schema /etc/ldap/schema/
# /etc/init.d/slapd restart
```
* On FreeBSD:
```
# cd /tmp
# wget https://bitbucket.org/zhb/iredmail/raw/default/iRedMail/samples/iredmail.schema
# cd /usr/local/etc/ldap/schema/
# cp iredmail.schema iredmail.schema.bak
# cp -f /tmp/iredmail.schema /usr/local/etc/openldap/schema/
# /etc/init.d/slapd restart
```
### Restrict mail user to login from specified IP addresses or networks
With the latest LDAP schema file, it's able to restrict mail users to login
from specified IP/networks.
Open Dovecot config file `/etc/dovecot/dovecot-ldap.conf` (Linux/OpenBSD) or
`/usr/local/etc/dovecot/dovecot-ldap.conf` (FreeBSD), append
`allowNets=allow_nets` in parameter `pass_attrs`. The final setting should be:
```
pass_attrs = mail=user,userPassword=password,allowNets=allow_nets
```
Restarting Dovecot service is required.
Sample usage: allow user `user@domain.com` to login from IP `172.16.244.1` and
network `192.168.1.0/24`:
```
dn: mail=user@domain.com,ou=Users,domainName=domain.com,o=domains,dc=xx,dc=xx
objectClass: mailUser
mail: user@domain.com
allowNets: 192.168.1.10,192.168.1.0/24
...
```
To remove this restriction, just remove attribute `allowNets` for this user.
### Fixed: not backup SOGo database
Note: this step is not applicable if you don't use SOGo groupware.
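Review bot: the FreeBSD block is internally inconsistent: it runs `cd /usr/local/etc/ldap/schema/` and takes the backup there, then installs the new file with `cp -f /tmp/iredmail.schema /usr/local/etc/openldap/schema/`, so either the backup or the replacement targets the wrong directory; use one path for both steps, as the RHEL and Debian blocks do. `/etc/init.d/slapd restart` is also wrong for the FreeBSD block and for the OpenBSD half of the first block, since neither system has `/etc/init.d` (FreeBSD uses `service slapd restart`, OpenBSD `/etc/rc.d/slapd restart`). Further down, the sample LDIF shows `allowNets: 192.168.1.10,192.168.1.0/24` while its lead-in says IP `172.16.244.1` and network `192.168.1.0/24`; make the two agree. Finally, since a malformed schema file prevents slapd from starting, the procedure should tell the reader to confirm slapd actually came back up (and to restore the `.bak` copy if it did not) before moving on to the Dovecot change.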
@ -274,27 +359,51 @@ That's all.
## MySQL/MariaDB backend special
### Fixed: Not apply service restriction in Dovecot SQL query file while acting as SASL server
### Add new SQL column in `vmail` database
Please open Dovecot config file `/etc/dovecot/dovecot-mysql.conf`
(Linux/OpenBSD) or `/usr/local/etc/dovecot/dovecot-mysql.conf` (FreeBSD), find
below line:
We have a new SQL column `mailbox.allow_nets` in `vmail` database, it's used
to restrict mail users to login from specified IP addresses or networks,
multiple IP/nets must be separated by comma.
Connect to SQL server as MySQL root user, create new column:
```
# Part of file: /etc/dovecot/dovecot-mysql.conf
password_query = SELECT password FROM mailbox WHERE username='%u' AND active='1'
$ mysql -uroot -p
mysql> USE vmail;
mysql> ALTER TABLE mailbox ADD COLUMN `allow_nets` TEXT DEFAULT NULL;
```
Add additional query `AND enable%Ls%Lc=1` like below:
### Restrict mail user to login from specified IP addresses or networks, and apply service restriction while acting as SASL server
* With new SQL column `mailbox.allow_nets`, it's able to restrict mail users to
login from specified IP/networks. We have sample usage below.
* With new service restriction, it's able to enable or disable smtp service for
mail users.
Open Dovecot config file `/etc/dovecot/dovecot-mysql.conf` (Linux/OpenBSD) or
`/usr/local/etc/dovecot/dovecot-mysql.conf` (FreeBSD), then:
* append `allow_nets` in parameter `password_query`
* append `AND enable%Ls%Lc=1` in `WHERE` statement
The final setting should be:
```
# Part of file: /etc/dovecot/dovecot-mysql.conf
password_query = SELECT password FROM mailbox WHERE username='%u' AND enable%Ls%Lc=1 AND active='1'
password_query = SELECT password, allow_nets FROM mailbox WHERE username='%u' AND enable%Ls%Lc=1 AND active='1'
```
Save your change and restart Dovecot service.
Restarting Dovecot service is required.
Sample usage: allow user `user@domain.com` to login from IP `172.16.244.1` and
network `192.168.1.0/24`:
```
sql> USE vmail;
sql> UPDATE mailbox SET allow_nets='172.16.244.1,192.168.1.0/24';
```
To remove this restriction, just set `mailbox.allow_nets` to `NULL`, not empty string.
### Fixed: not backup SOGo database
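Review bot: `sql> UPDATE mailbox SET allow_nets='172.16.244.1,192.168.1.0/24';` has no `WHERE` clause, so it rewrites `allow_nets` for every mailbox rather than for `user@domain.com` as the sentence above states; anyone following the tutorial literally locks all other users out of networks other than these two. It should read `UPDATE mailbox SET allow_nets='172.16.244.1,192.168.1.0/24' WHERE username='user@domain.com';`. `Save your change and restart Dovecot service.` and `Restarting Dovecot service is required.` duplicate each other; keep one. The prompt changes from `mysql>` in the ALTER block to `sql>` here; use one. The closing advice to set the column to `NULL` rather than an empty string is important and deserves its reason: an empty `allow_nets` value passed to Dovecot leaves no permitted network at all, so the user cannot log in from anywhere.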
@ -333,27 +442,51 @@ That's all.
## PostgreSQL backend special
### Fixed: Not apply service restriction in Dovecot SQL query file while acting as SASL server
### Add new SQL column in `vmail` database
Please open Dovecot config file `/etc/dovecot/dovecot-pgsql.conf`
(Linux/OpenBSD) or `/usr/local/etc/dovecot/dovecot-pgsql.conf` (FreeBSD), find
below line:
We have a new SQL column `mailbox.allow_nets` in `vmail` database, it's used
to restrict mail users to login from specified IP addresses or networks,
multiple IP/nets must be separated by comma.
Now connect to PostgreSQL server as admin user, create new column:
```
# Part of file: /etc/dovecot/dovecot-pgsql.conf
password_query = SELECT password FROM mailbox WHERE username='%u' AND active='1'
# su - postgres
$ psql -d vmail
sql> ALTER TABLE mailbox ADD COLUMN allow_nets TEXT DEFAULT NULL;
```
Add additional query like below:
### Restrict mail user to login from specified IP addresses or networks, and apply service restriction while acting as SASL server
* With new SQL column `mailbox.allow_nets`, it's able to restrict mail users to
login from specified IP/networks. We have sample usage below.
* With new service restriction, it's able to enable or disable smtp service for
mail users.
Open Dovecot config file `/etc/dovecot/dovecot-pgsql.conf` (Linux/OpenBSD) or
`/usr/local/etc/dovecot/dovecot-pgsql.conf` (FreeBSD), then:
* append `allow_nets` in parameter `password_query`
* append `AND enable%Ls%Lc=1` in `WHERE` statement
The final setting should be:
```
# Part of file: /etc/dovecot/dovecot-pgsql.conf
password_query = SELECT password FROM mailbox WHERE username='%u' AND enable%Ls%Lc=1 AND active='1'
password_query = SELECT password, allow_nets FROM mailbox WHERE username='%u' AND enable%Ls%Lc=1 AND active='1'
```
Save your change and restart Dovecot service.
Restarting Dovecot service is required.
Sample usage: allow user `user@domain.com` to login from IP `172.16.244.1` and
network `192.168.1.0/24`:
```
sql> \c vmail;
sql> UPDATE mailbox SET allow_nets='172.16.244.1,192.168.1.0/24';
```
To remove this restriction, just set `mailbox.allow_nets` to `NULL`, not empty string.
### Fixed: not backup SOGo database
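Review bot: the PostgreSQL sample repeats the MySQL section's defect: `UPDATE mailbox SET allow_nets='172.16.244.1,192.168.1.0/24';` needs `WHERE username='user@domain.com'`, otherwise every mailbox is restricted instead of the one user named in the text. The two consecutive restart sentences should be merged into one, and, as in the MySQL section, the instruction to use `NULL` rather than an empty string should say why (an empty value leaves the user with no permitted network, so every login fails).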