Adjust order of restriction rules in Postfix smtpd_helo_restrictions.

Zhang Huangbin 2017-05-03 08:44:51 +08:00
parent 84bbc0a49a
commit d7e43d2997
2 changed files with 82 additions and 9 deletions

@ -31,17 +31,53 @@ so that you can know which version of iRedMail you're running. For example:
0.9.7
```
### Upgrade Roundcube webmail to the latest stable release (1.2.4)
### Upgrade Roundcube webmail to the latest stable release (1.2.5)
> Roundcube 1.2.4 fixes a security issue, all users are encouraged to upgrade
> it as soon as possible. For more details about this release, please check
> Roundcube [release note](https://github.com/roundcube/roundcubemail/releases/tag/1.2.4).
> There're several security fixes in Roundcube 1.2.4 and 1.2.5, all users are
> encouraged to upgrade it as soon as possible. For more details about this
> release, please check Roundcube release notes:
>
> * [1.2.4](https://github.com/roundcube/roundcubemail/releases/tag/1.2.4)
> * [1.2.5](https://github.com/roundcube/roundcubemail/releases/tag/1.2.5)
Please follow Roundcube official tutorial to upgrade Roundcube webmail to the
latest stable release immediately:
* [How to upgrade Roundcube](https://github.com/roundcube/roundcubemail/wiki/Upgrade).
### Fixed: improper order of restriction rules in Postfix smtpd_helo_restrictions
iRedMail-0.9.6 and earlier releases didn't configure Postfix to apply custom
HELO restriction rule before FQDN helo hostname check and DNS verification,
this way you cannot whitelist some bad HELO hostnames. Please follow steps
below to fix it.
* Open file `/etc/postfix/main.cf` (Linux/OpenBSD) or
`/usr/local/etc/postfix/main.cf` (FreeBSD), find parameter
`smtpd_helo_restrictions` like below:
```
smtpd_helo_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_non_fqdn_helo_hostname
reject_unknown_helo_hostname
check_helo_access pcre:/etc/postfix/helo_access.pcre
```
* Move the `check_helo_access` line after `permit_sasl_authenticated`:
```
smtpd_helo_restrictions =
permit_mynetworks
permit_sasl_authenticated
check_helo_access pcre:/etc/postfix/helo_access.pcre
reject_non_fqdn_helo_hostname
reject_unknown_helo_hostname
```
* Reloading or restarting Postfix service is required.
### Fixed: incorrect owner and permission for rotated Dovecot log files
iRedMail-0.9.6 and earlier releases have an incorrect logrotate setting for
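Review bot: The step "Move the `check_helo_access` line after `permit_sasl_authenticated`" does not say what the new order means for results returned by the map. With `check_helo_access pcre:/etc/postfix/helo_access.pcre` ahead of `reject_non_fqdn_helo_hostname` and `reject_unknown_helo_hostname`, an `OK` result from the map ends evaluation of `smtpd_helo_restrictions`, so both reject checks are skipped for every HELO name a pattern matches. Suggest adding a sentence that tells admins to keep whitelist patterns in `helo_access.pcre` anchored and specific to the hostnames they mean to allow. The final step would also be easier to follow if it named the command (`postfix reload`) and a way to confirm the active order (`postconf smtpd_helo_restrictions`).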

@ -22,7 +22,8 @@
<li><a href="#changelog">ChangeLog</a></li>
<li><a href="#general-all-backends-should-apply-these-steps">General (All backends should apply these steps)</a><ul>
<li><a href="#update-etciredmail-release-with-new-iredmail-version-number">Update /etc/iredmail-release with new iRedMail version number</a></li>
<li><a href="#upgrade-roundcube-webmail-to-the-latest-stable-release-124">Upgrade Roundcube webmail to the latest stable release (1.2.4)</a></li>
<li><a href="#upgrade-roundcube-webmail-to-the-latest-stable-release-125">Upgrade Roundcube webmail to the latest stable release (1.2.5)</a></li>
<li><a href="#fixed-improper-order-of-restriction-rules-in-postfix-smtpd_helo_restrictions">Fixed: improper order of restriction rules in Postfix smtpd_helo_restrictions</a></li>
<li><a href="#fixed-incorrect-owner-and-permission-for-rotated-dovecot-log-files">Fixed: incorrect owner and permission for rotated Dovecot log files</a></li>
<li><a href="#fixed-incorrect-sessionsave_path-in-php-fpm-pool-config-file-on-rhelcentos">Fixed: incorrect session.save_path in php-fpm pool config file on RHEL/CentOS</a></li>
<li><a href="#fixed-improper-fail2ban-filter-which-causes-incorrect-ban">Fixed: Improper Fail2ban filter which causes incorrect ban</a></li>
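Review bot: Renaming the table-of-contents fragment from `#upgrade-roundcube-webmail-to-the-latest-stable-release-124` to `...-125` breaks any existing link to the old anchor, and the same will happen on every future Roundcube version bump. Suggest taking the version number out of the heading (and so out of the generated id) and stating it in the section body instead, or keeping the old id as an extra anchor.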
@ -66,17 +67,53 @@ so that you can know which version of iRedMail you're running. For example:</p>
<pre><code>0.9.7
</code></pre>
<h3 id="upgrade-roundcube-webmail-to-the-latest-stable-release-124">Upgrade Roundcube webmail to the latest stable release (1.2.4)</h3>
<h3 id="upgrade-roundcube-webmail-to-the-latest-stable-release-125">Upgrade Roundcube webmail to the latest stable release (1.2.5)</h3>
<blockquote>
<p>Roundcube 1.2.4 fixes a security issue, all users are encouraged to upgrade
it as soon as possible. For more details about this release, please check
Roundcube <a href="https://github.com/roundcube/roundcubemail/releases/tag/1.2.4">release note</a>.</p>
<p>There're several security fixes in Roundcube 1.2.4 and 1.2.5, all users are
encouraged to upgrade it as soon as possible. For more details about this
release, please check Roundcube release notes:</p>
<ul>
<li><a href="https://github.com/roundcube/roundcubemail/releases/tag/1.2.4">1.2.4</a></li>
<li><a href="https://github.com/roundcube/roundcubemail/releases/tag/1.2.5">1.2.5</a></li>
</ul>
</blockquote>
<p>Please follow Roundcube official tutorial to upgrade Roundcube webmail to the
latest stable release immediately:</p>
<ul>
<li><a href="https://github.com/roundcube/roundcubemail/wiki/Upgrade">How to upgrade Roundcube</a>.</li>
</ul>
<h3 id="fixed-improper-order-of-restriction-rules-in-postfix-smtpd_helo_restrictions">Fixed: improper order of restriction rules in Postfix smtpd_helo_restrictions</h3>
<p>iRedMail-0.9.6 and earlier releases didn't configure Postfix to apply custom
HELO restriction rule before FQDN helo hostname check and DNS verification,
this way you cannot whitelist some bad HELO hostnames. Please follow steps
below to fix it.</p>
<ul>
<li>Open file <code>/etc/postfix/main.cf</code> (Linux/OpenBSD) or
<code>/usr/local/etc/postfix/main.cf</code> (FreeBSD), find parameter
<code>smtpd_helo_restrictions</code> like below:</li>
</ul>
<pre><code>smtpd_helo_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_non_fqdn_helo_hostname
reject_unknown_helo_hostname
check_helo_access pcre:/etc/postfix/helo_access.pcre
</code></pre>
<ul>
<li>Move the <code>check_helo_access</code> line after <code>permit_sasl_authenticated</code>:</li>
</ul>
<pre><code>smtpd_helo_restrictions =
permit_mynetworks
permit_sasl_authenticated
check_helo_access pcre:/etc/postfix/helo_access.pcre
reject_non_fqdn_helo_hostname
reject_unknown_helo_hostname
</code></pre>
<ul>
<li>Reloading or restarting Postfix service is required.</li>
</ul>
<h3 id="fixed-incorrect-owner-and-permission-for-rotated-dovecot-log-files">Fixed: incorrect owner and permission for rotated Dovecot log files</h3>
<p>iRedMail-0.9.6 and earlier releases have an incorrect logrotate setting for
Dovecot log file, it causes all Dovecot log files are empty due to no required
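Review bot: The three steps of the `smtpd_helo_restrictions` fix render as three separate one-item `<ul>` lists with the `<pre><code>` blocks sitting between them, so the procedure does not read as one sequence and the code samples are detached from the step they belong to. Suggest making it a single ordered list in the markdown source, with each code block indented under its list item so the generated HTML nests the `<pre>` inside the matching `<li>`.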