Adjust order of restriction rules in Postfix smtpd_helo_restrictions.
parent 84bbc0a49a
commit d7e43d2997
|
@ -31,17 +31,53 @@ so that you can know which version of iRedMail you're running. For example:
|
||||||
0.9.7
|
0.9.7
|
||||||
```
|
```
|
||||||
|
|
||||||
### Upgrade Roundcube webmail to the latest stable release (1.2.4)
|
### Upgrade Roundcube webmail to the latest stable release (1.2.5)
|
||||||
|
|
||||||
> Roundcube 1.2.4 fixes a security issue, all users are encouraged to upgrade
|
> There're several security fixes in Roundcube 1.2.4 and 1.2.5, all users are
|
||||||
> it as soon as possible. For more details about this release, please check
|
> encouraged to upgrade it as soon as possible. For more details about this
|
||||||
> Roundcube [release note](https://github.com/roundcube/roundcubemail/releases/tag/1.2.4).
|
> release, please check Roundcube release notes:
|
||||||
|
>
|
||||||
|
> * [1.2.4](https://github.com/roundcube/roundcubemail/releases/tag/1.2.4)
|
||||||
|
> * [1.2.5](https://github.com/roundcube/roundcubemail/releases/tag/1.2.5)
|
||||||
|
|
||||||
Please follow Roundcube official tutorial to upgrade Roundcube webmail to the
|
Please follow Roundcube official tutorial to upgrade Roundcube webmail to the
|
||||||
latest stable release immediately:
|
latest stable release immediately:
|
||||||
|
|
||||||
* [How to upgrade Roundcube](https://github.com/roundcube/roundcubemail/wiki/Upgrade).
|
* [How to upgrade Roundcube](https://github.com/roundcube/roundcubemail/wiki/Upgrade).
|
||||||
|
|
||||||
|
### Fixed: improper order of restriction rules in Postfix smtpd_helo_restrictions
|
||||||
|
|
||||||
|
iRedMail-0.9.6 and earlier releases didn't configure Postfix to apply custom
|
||||||
|
HELO restriction rule before FQDN helo hostname check and DNS verification,
|
||||||
|
this way you cannot whitelist some bad HELO hostnames. Please follow steps
|
||||||
|
below to fix it.
|
||||||
|
|
||||||
|
* Open file `/etc/postfix/main.cf` (Linux/OpenBSD) or
|
||||||
|
`/usr/local/etc/postfix/main.cf` (FreeBSD), find parameter
|
||||||
|
`smtpd_helo_restrictions` like below:
|
||||||
|
|
||||||
|
```
|
||||||
|
smtpd_helo_restrictions =
|
||||||
|
permit_mynetworks
|
||||||
|
permit_sasl_authenticated
|
||||||
|
reject_non_fqdn_helo_hostname
|
||||||
|
reject_unknown_helo_hostname
|
||||||
|
check_helo_access pcre:/etc/postfix/helo_access.pcre
|
||||||
|
```
|
||||||
|
|
||||||
|
* Move the `check_helo_access` line after `permit_sasl_authenticated`:
|
||||||
|
|
||||||
|
```
|
||||||
|
smtpd_helo_restrictions =
|
||||||
|
permit_mynetworks
|
||||||
|
permit_sasl_authenticated
|
||||||
|
check_helo_access pcre:/etc/postfix/helo_access.pcre
|
||||||
|
reject_non_fqdn_helo_hostname
|
||||||
|
reject_unknown_helo_hostname
|
||||||
|
```
|
||||||
|
|
||||||
|
* Reloading or restarting Postfix service is required.
|
||||||
|
|
||||||
### Fixed: incorrect owner and permission for rotated Dovecot log files
|
### Fixed: incorrect owner and permission for rotated Dovecot log files
|
||||||
|
|
||||||
iRedMail-0.9.6 and earlier releases have an incorrect logrotate setting for
|
iRedMail-0.9.6 and earlier releases have an incorrect logrotate setting for
|
||||||
|
|
|
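Review bot: In the added `smtpd_helo_restrictions` section, the corrected order places `check_helo_access pcre:/etc/postfix/helo_access.pcre` ahead of `reject_non_fqdn_helo_hostname` and `reject_unknown_helo_hostname`, but the text never states the consequence: Postfix stops evaluating a restriction list at the first rule that returns a decision, so an `OK` from the PCRE table now skips both later HELO checks for any unauthenticated client that sends a matching name. Because the HELO name is chosen by the client, suggest adding a sentence that whitelist patterns in `helo_access.pcre` should be fully anchored and as narrow as possible (for example `/^mail\.example\.com$/` rather than `/example\.com/`; the hostname here is a placeholder). The last bullet would also be more useful if it named the command, such as `postfix reload`, and told the reader to confirm the active order with `postconf smtpd_helo_restrictions`.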
@ -22,7 +22,8 @@
|
||||||
<li><a href="#changelog">ChangeLog</a></li>
|
<li><a href="#changelog">ChangeLog</a></li>
|
||||||
<li><a href="#general-all-backends-should-apply-these-steps">General (All backends should apply these steps)</a><ul>
|
<li><a href="#general-all-backends-should-apply-these-steps">General (All backends should apply these steps)</a><ul>
|
||||||
<li><a href="#update-etciredmail-release-with-new-iredmail-version-number">Update /etc/iredmail-release with new iRedMail version number</a></li>
|
<li><a href="#update-etciredmail-release-with-new-iredmail-version-number">Update /etc/iredmail-release with new iRedMail version number</a></li>
|
||||||
<li><a href="#upgrade-roundcube-webmail-to-the-latest-stable-release-124">Upgrade Roundcube webmail to the latest stable release (1.2.4)</a></li>
|
<li><a href="#upgrade-roundcube-webmail-to-the-latest-stable-release-125">Upgrade Roundcube webmail to the latest stable release (1.2.5)</a></li>
|
||||||
|
<li><a href="#fixed-improper-order-of-restriction-rules-in-postfix-smtpd_helo_restrictions">Fixed: improper order of restriction rules in Postfix smtpd_helo_restrictions</a></li>
|
||||||
<li><a href="#fixed-incorrect-owner-and-permission-for-rotated-dovecot-log-files">Fixed: incorrect owner and permission for rotated Dovecot log files</a></li>
|
<li><a href="#fixed-incorrect-owner-and-permission-for-rotated-dovecot-log-files">Fixed: incorrect owner and permission for rotated Dovecot log files</a></li>
|
||||||
<li><a href="#fixed-incorrect-sessionsave_path-in-php-fpm-pool-config-file-on-rhelcentos">Fixed: incorrect session.save_path in php-fpm pool config file on RHEL/CentOS</a></li>
|
<li><a href="#fixed-incorrect-sessionsave_path-in-php-fpm-pool-config-file-on-rhelcentos">Fixed: incorrect session.save_path in php-fpm pool config file on RHEL/CentOS</a></li>
|
||||||
<li><a href="#fixed-improper-fail2ban-filter-which-causes-incorrect-ban">Fixed: Improper Fail2ban filter which causes incorrect ban</a></li>
|
<li><a href="#fixed-improper-fail2ban-filter-which-causes-incorrect-ban">Fixed: Improper Fail2ban filter which causes incorrect ban</a></li>
|
||||||
|
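Review bot: The Roundcube entry's fragment changes from `#upgrade-roundcube-webmail-to-the-latest-stable-release-124` to `...-125` because the anchor is derived from a heading that embeds the version number, so any existing link to the old fragment stops resolving after this commit. Suggest dropping the version from the heading (for example "Upgrade Roundcube webmail to the latest stable release") and naming the versions in the body text only, so the anchor stays stable across future Roundcube point releases.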
@ -66,17 +67,53 @@ so that you can know which version of iRedMail you're running. For example:</p>
|
||||||
<pre><code>0.9.7
|
<pre><code>0.9.7
|
||||||
</code></pre>
|
</code></pre>
|
||||||
|
|
||||||
<h3 id="upgrade-roundcube-webmail-to-the-latest-stable-release-124">Upgrade Roundcube webmail to the latest stable release (1.2.4)</h3>
|
<h3 id="upgrade-roundcube-webmail-to-the-latest-stable-release-125">Upgrade Roundcube webmail to the latest stable release (1.2.5)</h3>
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<p>Roundcube 1.2.4 fixes a security issue, all users are encouraged to upgrade
|
<p>There're several security fixes in Roundcube 1.2.4 and 1.2.5, all users are
|
||||||
it as soon as possible. For more details about this release, please check
|
encouraged to upgrade it as soon as possible. For more details about this
|
||||||
Roundcube <a href="https://github.com/roundcube/roundcubemail/releases/tag/1.2.4">release note</a>.</p>
|
release, please check Roundcube release notes:</p>
|
||||||
|
<ul>
|
||||||
|
<li><a href="https://github.com/roundcube/roundcubemail/releases/tag/1.2.4">1.2.4</a></li>
|
||||||
|
<li><a href="https://github.com/roundcube/roundcubemail/releases/tag/1.2.5">1.2.5</a></li>
|
||||||
|
</ul>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
<p>Please follow Roundcube official tutorial to upgrade Roundcube webmail to the
|
<p>Please follow Roundcube official tutorial to upgrade Roundcube webmail to the
|
||||||
latest stable release immediately:</p>
|
latest stable release immediately:</p>
|
||||||
<ul>
|
<ul>
|
||||||
<li><a href="https://github.com/roundcube/roundcubemail/wiki/Upgrade">How to upgrade Roundcube</a>.</li>
|
<li><a href="https://github.com/roundcube/roundcubemail/wiki/Upgrade">How to upgrade Roundcube</a>.</li>
|
||||||
</ul>
|
</ul>
|
||||||
|
<h3 id="fixed-improper-order-of-restriction-rules-in-postfix-smtpd_helo_restrictions">Fixed: improper order of restriction rules in Postfix smtpd_helo_restrictions</h3>
|
||||||
|
<p>iRedMail-0.9.6 and earlier releases didn't configure Postfix to apply custom
|
||||||
|
HELO restriction rule before FQDN helo hostname check and DNS verification,
|
||||||
|
this way you cannot whitelist some bad HELO hostnames. Please follow steps
|
||||||
|
below to fix it.</p>
|
||||||
|
<ul>
|
||||||
|
<li>Open file <code>/etc/postfix/main.cf</code> (Linux/OpenBSD) or
|
||||||
|
<code>/usr/local/etc/postfix/main.cf</code> (FreeBSD), find parameter
|
||||||
|
<code>smtpd_helo_restrictions</code> like below:</li>
|
||||||
|
</ul>
|
||||||
|
<pre><code>smtpd_helo_restrictions =
|
||||||
|
permit_mynetworks
|
||||||
|
permit_sasl_authenticated
|
||||||
|
reject_non_fqdn_helo_hostname
|
||||||
|
reject_unknown_helo_hostname
|
||||||
|
check_helo_access pcre:/etc/postfix/helo_access.pcre
|
||||||
|
</code></pre>
|
||||||
|
|
||||||
|
<ul>
|
||||||
|
<li>Move the <code>check_helo_access</code> line after <code>permit_sasl_authenticated</code>:</li>
|
||||||
|
</ul>
|
||||||
|
<pre><code>smtpd_helo_restrictions =
|
||||||
|
permit_mynetworks
|
||||||
|
permit_sasl_authenticated
|
||||||
|
check_helo_access pcre:/etc/postfix/helo_access.pcre
|
||||||
|
reject_non_fqdn_helo_hostname
|
||||||
|
reject_unknown_helo_hostname
|
||||||
|
</code></pre>
|
||||||
|
|
||||||
|
<ul>
|
||||||
|
<li>Reloading or restarting Postfix service is required.</li>
|
||||||
|
</ul>
|
||||||
<h3 id="fixed-incorrect-owner-and-permission-for-rotated-dovecot-log-files">Fixed: incorrect owner and permission for rotated Dovecot log files</h3>
|
<h3 id="fixed-incorrect-owner-and-permission-for-rotated-dovecot-log-files">Fixed: incorrect owner and permission for rotated Dovecot log files</h3>
|
||||||
<p>iRedMail-0.9.6 and earlier releases have an incorrect logrotate setting for
|
<p>iRedMail-0.9.6 and earlier releases have an incorrect logrotate setting for
|
||||||
Dovecot log file, it causes all Dovecot log files are empty due to no required
|
Dovecot log file, it causes all Dovecot log files are empty due to no required
|
||||||
|
|
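Review bot: In the generated HTML for the new `smtpd_helo_restrictions` section, the three steps of one procedure come out as three separate single-item `<ul>` lists with the `<pre><code>` blocks sitting between them, which suggests the code fences in the Markdown source are not indented under their list items. Suggest indenting each fenced block under its bullet in the `.md` file (or switching to a numbered list) so the steps render as one list with each config sample attached to its step. The renamed heading id `...-release-125` in this hunk has the same broken-inbound-link problem as the TOC entry.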