From d7e43d29973269759a3eee1f735377a37a9683a1 Mon Sep 17 00:00:00 2001
From: Zhang Huangbin
Date: Wed, 3 May 2017 08:44:51 +0800
Subject: [PATCH] Adjust order of restriction rules in Postfix
smtpd_helo_restrictions.
---
.../upgrade/0-upgrade.iredmail.0.9.6-0.9.7.md | 44 +++++++++++++++--
html/upgrade.iredmail.0.9.6-0.9.7.html | 47 +++++++++++++++++--
2 files changed, 82 insertions(+), 9 deletions(-)
diff --git a/en_US/upgrade/0-upgrade.iredmail.0.9.6-0.9.7.md b/en_US/upgrade/0-upgrade.iredmail.0.9.6-0.9.7.md
index fb5c6c6d..8d06a684 100644
--- a/en_US/upgrade/0-upgrade.iredmail.0.9.6-0.9.7.md
+++ b/en_US/upgrade/0-upgrade.iredmail.0.9.6-0.9.7.md
@@ -31,17 +31,53 @@ so that you can know which version of iRedMail you're running. For example:
0.9.7
```
-### Upgrade Roundcube webmail to the latest stable release (1.2.4)
+### Upgrade Roundcube webmail to the latest stable release (1.2.5)
-> Roundcube 1.2.4 fixes a security issue, all users are encouraged to upgrade
-> it as soon as possible. For more details about this release, please check
-> Roundcube [release note](https://github.com/roundcube/roundcubemail/releases/tag/1.2.4).
+> There're several security fixes in Roundcube 1.2.4 and 1.2.5, all users are
+> encouraged to upgrade it as soon as possible. For more details about this
+> release, please check Roundcube release notes:
+>
+> * [1.2.4](https://github.com/roundcube/roundcubemail/releases/tag/1.2.4)
+> * [1.2.5](https://github.com/roundcube/roundcubemail/releases/tag/1.2.5)
Please follow Roundcube official tutorial to upgrade Roundcube webmail to the
latest stable release immediately:
* [How to upgrade Roundcube](https://github.com/roundcube/roundcubemail/wiki/Upgrade).
+### Fixed: improper order of restriction rules in Postfix smtpd_helo_restrictions
+
+iRedMail-0.9.6 and earlier releases didn't configure Postfix to apply custom
+HELO restriction rule before FQDN helo hostname check and DNS verification,
+this way you cannot whitelist some bad HELO hostnames. Please follow steps
+below to fix it.
+
+* Open file `/etc/postfix/main.cf` (Linux/OpenBSD) or
+`/usr/local/etc/postfix/main.cf` (FreeBSD), find parameter
+`smtpd_helo_restrictions` like below:
+
+```
+smtpd_helo_restrictions =
+ permit_mynetworks
+ permit_sasl_authenticated
+ reject_non_fqdn_helo_hostname
+ reject_unknown_helo_hostname
+ check_helo_access pcre:/etc/postfix/helo_access.pcre
+```
+
+* Move the `check_helo_access` line after `permit_sasl_authenticated`:
+
+```
+smtpd_helo_restrictions =
+ permit_mynetworks
+ permit_sasl_authenticated
+ check_helo_access pcre:/etc/postfix/helo_access.pcre
+ reject_non_fqdn_helo_hostname
+ reject_unknown_helo_hostname
+```
+
+* Reloading or restarting Postfix service is required.
+
### Fixed: incorrect owner and permission for rotated Dovecot log files
iRedMail-0.9.6 and earlier releases have an incorrect logrotate setting for
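Review bot: The added "Fixed: improper order of restriction rules" section does not say what the new order means for the entries in `/etc/postfix/helo_access.pcre`. With `check_helo_access` now ahead of `reject_non_fqdn_helo_hostname` and `reject_unknown_helo_hostname`, a pattern that returns a permit result skips both checks, and the HELO name it matches is supplied by the connecting client. Suggest adding a sentence telling admins to keep whitelist patterns anchored and specific to the hosts they mean to allow. The last bullet also names no command. Spelling out `postfix reload` and a check with `postconf smtpd_helo_restrictions` would make the step verifiable. The Roundcube 1.2.4 to 1.2.5 change at the top of the hunk is unrelated to the commit subject and would be easier to track as its own commit.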
diff --git a/html/upgrade.iredmail.0.9.6-0.9.7.html b/html/upgrade.iredmail.0.9.6-0.9.7.html
index ca3e442b..d3acb3eb 100644
--- a/html/upgrade.iredmail.0.9.6-0.9.7.html
+++ b/html/upgrade.iredmail.0.9.6-0.9.7.html
@@ -22,7 +22,8 @@
ChangeLog
General (All backends should apply these steps)
0.9.7
-Upgrade Roundcube webmail to the latest stable release (1.2.4)
+Upgrade Roundcube webmail to the latest stable release (1.2.5)
-Roundcube 1.2.4 fixes a security issue, all users are encouraged to upgrade
-it as soon as possible. For more details about this release, please check
-Roundcube release note.
+There're several security fixes in Roundcube 1.2.4 and 1.2.5, all users are
+encouraged to upgrade it as soon as possible. For more details about this
+release, please check Roundcube release notes:
+
Please follow Roundcube official tutorial to upgrade Roundcube webmail to the
latest stable release immediately:
+Fixed: improper order of restriction rules in Postfix smtpd_helo_restrictions
+iRedMail-0.9.6 and earlier releases didn't configure Postfix to apply custom
+HELO restriction rule before FQDN helo hostname check and DNS verification,
+this way you cannot whitelist some bad HELO hostnames. Please follow steps
+below to fix it.
+
+- Open file
/etc/postfix/main.cf
(Linux/OpenBSD) or
+/usr/local/etc/postfix/main.cf
(FreeBSD), find parameter
+smtpd_helo_restrictions
like below:
+
+smtpd_helo_restrictions =
+ permit_mynetworks
+ permit_sasl_authenticated
+ reject_non_fqdn_helo_hostname
+ reject_unknown_helo_hostname
+ check_helo_access pcre:/etc/postfix/helo_access.pcre
+
+
+
+- Move the
check_helo_access
line after permit_sasl_authenticated
:
+
+smtpd_helo_restrictions =
+ permit_mynetworks
+ permit_sasl_authenticated
+ check_helo_access pcre:/etc/postfix/helo_access.pcre
+ reject_non_fqdn_helo_hostname
+ reject_unknown_helo_hostname
+
+
+
+- Reloading or restarting Postfix service is required.
+
Fixed: incorrect owner and permission for rotated Dovecot log files
iRedMail-0.9.6 and earlier releases have an incorrect logrotate setting for
Dovecot log file, it causes all Dovecot log files are empty due to no required
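Review bot: The sentence "this way you cannot whitelist some bad HELO hostnames" in the added paragraph is ambiguous, since it can be read as describing the result of the fix rather than the problem in 0.9.6. Suggest wording along the lines of "so a whitelist entry in the custom HELO rule never took effect for a hostname rejected by the FQDN or DNS check". The same text appears in the markdown file in this patch, so the two copies should be changed together to keep them identical.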