Update iRedMail upgrade tutorial, iRedAdmin-Pro RESTful API doc.

2017-01-22 09:50:11 +08:00 · 2017-01-22 09:50:11 +08:00 · eaeda697ce
parent 2b2928d726
commit eaeda697ce
4 changed files with 68 additions and 2 deletions
--- a/en_US/iredadmin/2-iredadmin-pro.restful.api.md
+++ b/en_US/iredadmin/2-iredadmin-pro.restful.api.md
@ -284,6 +284,7 @@ Notes:
    </div>

 !!! api "`DELETE`{: .delete } `/api/user/<mail>`{: .url } `Delete an existing mail user`{: .comment }"
+!!! api "`DELETE`{: .delete } `/api/user/<mail>/keep_mailbox_days/<number>`{: .url } `Delete an existing mail user, and keep the mailbox for given days. Defaults to 100 years.`{: .comment } `upcoming`{: .upcoming }"
 !!! api "`PUT`{: .put } `/api/user/<mail>`{: .url } `Update profile of an existing mail user`{: .comment } `Parameters`{: .has_params} "

    <div class="params params_user">
--- a/en_US/upgrade/0-upgrade.iredmail.0.9.5.1-0.9.6.md
+++ b/en_US/upgrade/0-upgrade.iredmail.0.9.5.1-0.9.6.md
@ -13,6 +13,7 @@

 ## ChangeLog

+* Jan 22, 2016: Fixed: Postfix allows email sent through port 587 without smtp authentication from trusted clients 
 * Jan 13, 2016: Fixed: Awstats is world-accessible with Apache.
 * Jan  8, 2016: Fixed: missing cron job used to clean up old Roundcube temporary files.
 * Dec 27, 2016: Add more banned file types/extensions in Amavisd.
@ -133,6 +134,35 @@ location ~ ^/.well-known/ {

 Save your change and reload Nginx service.

+### Fixed: Postfix allows email sent through port 587 without smtp authentication from trusted clients 
+
+iRedMail-0.9.5 and iRedMail-0.9.5-1 allows trusted clients (listed in parameter
+`mynetworks=`) to send email through port 587 without smtp authentication, this
+is not strict enough and may be used by spammers. All users should be forced
+to send email through port 587 with smtp authentication. Please follow steps
+below to fix it.
+
+* Open Postfix config file `master.cf`, find the transport `submission` like
+  below:
+    * on Linux and OpenBSD, it's `/etc/postfix/master.cf`
+    * on FreeBSD, it's `/usr/local/etc/postfix/master.cf`
+
+```
+submission ...
+    ...
+    -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
+```
+
+* Remove `permit_mynetworks,` and save your change. After modification, it's:
+
+```
+submission ...
+    ...
+    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+```
+
+* Restart Postfix service is required to load the changed config file.
+
 ### Fixed: not enable opportunistic TLS support in Postfix

 iRedMail-0.9.5 and iRedMail-0.9.5-1 didn't enable opportunistic TLS support in
--- a/html/iredadmin-pro.restful.api.html
+++ b/html/iredadmin-pro.restful.api.html
@ -779,6 +779,9 @@ to be a domain admin.</p>
 <p class="admonition-title"><code class="delete">DELETE</code> <code class="url">/api/user/&lt;mail&gt;</code> <code class="comment">Delete an existing mail user</code></p>
 </div>
 <div class="admonition api">
+<p class="admonition-title"><code class="delete">DELETE</code> <code class="url">/api/user/&lt;mail&gt;/keep_mailbox_days/&lt;number&gt;</code> <code class="comment">Delete an existing mail user, and keep the mailbox for given days. Defaults to 100 years.</code> <code class="upcoming">upcoming</code></p>
+</div>
+<div class="admonition api">
 <p class="admonition-title"><code class="put">PUT</code> <code class="url">/api/user/&lt;mail&gt;</code> <code class="comment">Update profile of an existing mail user</code> <code class="has_params">Parameters</code> </p>
 <div class="params params_user">

--- a/html/upgrade.iredmail.0.9.5.1-0.9.6.html
+++ b/html/upgrade.iredmail.0.9.5.1-0.9.6.html
@ -31,6 +31,7 @@
 </ul>
 </li>
 <li><a href="#fixed-not-allow-access-to-well-known-in-nginx">Fixed: not allow access to '/.well-known/' in Nginx</a></li>
+<li><a href="#fixed-postfix-allows-email-sent-through-port-587-without-smtp-authentication-from-trusted-clients">Fixed: Postfix allows email sent through port 587 without smtp authentication from trusted clients</a></li>
 <li><a href="#fixed-not-enable-opportunistic-tls-support-in-postfix">Fixed: not enable opportunistic TLS support in Postfix</a></li>
 <li><a href="#fixed-one-incorrect-helo-restriction-rule-in-postfix">Fixed: one incorrect HELO restriction rule in Postfix</a></li>
 <li><a href="#fixed-incorrect-file-owner-and-permission-of-config-file-of-roundcube-password-plugin">Fixed: incorrect file owner and permission of config file of Roundcube password plugin</a></li>
@ -75,6 +76,7 @@ check <a href="../support.html">the details</a> and <a href="../contact.html">co
 </div>
 <h2 id="changelog">ChangeLog</h2>
 <ul>
+<li>Jan 22, 2016: Fixed: Postfix allows email sent through port 587 without smtp authentication from trusted clients </li>
 <li>Jan 13, 2016: Fixed: Awstats is world-accessible with Apache.</li>
 <li>Jan  8, 2016: Fixed: missing cron job used to clean up old Roundcube temporary files.</li>
 <li>Dec 27, 2016: Add more banned file types/extensions in Amavisd.</li>
@ -172,6 +174,36 @@ location ~ ^/.well-known/ {
 </code></pre>

 <p>Save your change and reload Nginx service.</p>
+<h3 id="fixed-postfix-allows-email-sent-through-port-587-without-smtp-authentication-from-trusted-clients">Fixed: Postfix allows email sent through port 587 without smtp authentication from trusted clients</h3>
+<p>iRedMail-0.9.5 and iRedMail-0.9.5-1 allows trusted clients (listed in parameter
+<code>mynetworks=</code>) to send email through port 587 without smtp authentication, this
+is not strict enough and may be used by spammers. All users should be forced
+to send email through port 587 with smtp authentication. Please follow steps
+below to fix it.</p>
+<ul>
+<li>Open Postfix config file <code>master.cf</code>, find the transport <code>submission</code> like
+  below:<ul>
+<li>on Linux and OpenBSD, it's <code>/etc/postfix/master.cf</code></li>
+<li>on FreeBSD, it's <code>/usr/local/etc/postfix/master.cf</code></li>
+</ul>
+</li>
+</ul>
+<pre><code>submission ...
+    ...
+    -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
+</code></pre>
+
+<ul>
+<li>Remove <code>permit_mynetworks,</code> and save your change. After modification, it's:</li>
+</ul>
+<pre><code>submission ...
+    ...
+    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+</code></pre>
+
+<ul>
+<li>Restart Postfix service is required to load the changed config file.</li>
+</ul>
 <h3 id="fixed-not-enable-opportunistic-tls-support-in-postfix">Fixed: not enable opportunistic TLS support in Postfix</h3>
 <p>iRedMail-0.9.5 and iRedMail-0.9.5-1 didn't enable opportunistic TLS support in
 Postfix, this causes other servers cannot transfer emails via TLS secure
@ -591,7 +623,7 @@ will accept emails sent to them. Steps below fix the issue.</p>
 <ul>
 <li>On Linux and OpenBSD, run commands:</li>
 </ul>
-<pre><code>cp -rf /etc/postfix/ldap /etc/postfix/ldap.$(date +%Y%m%d)
+<pre><code>cp -rf /etc/postfix/ldap /etc/postfix/ldap.bak
 cd /etc/postfix/ldap/
 perl -pi -e 's#\(accountStatus=active\)#(accountStatus=active)(!(domainStatus=disabled))#g' catchall_maps.cf recipient_bcc_maps_user.cf sender_bcc_maps_user.cf sender_dependent_relayhost_maps_user.cf sender_login_maps.cf transport_maps_user.cf virtual_alias_maps.cf virtual_group_maps.cf virtual_group_members_maps.cf virtual_mailbox_maps.cf

@ -602,7 +634,7 @@ perl -pi -e 's#\(accountStatus=active\)#(accountStatus=active)(!(domainStatus=di
 <ul>
 <li>On FreeBSD, run commands:</li>
 </ul>
-<pre><code>cp -rf /usr/local/etc/postfix/ldap /usr/local/etc/postfix/ldap.$(date +%Y%m%d)
+<pre><code>cp -rf /usr/local/etc/postfix/ldap /usr/local/etc/postfix/ldap.bak
 cd /usr/local/etc/postfix/ldap/
 perl -pi -e 's#\(accountStatus=active\)#(accountStatus=active)(!(domainStatus=disabled))#g' catchall_maps.cf recipient_bcc_maps_user.cf sender_bcc_maps_user.cf sender_dependent_relayhost_maps_user.cf sender_login_maps.cf transport_maps_user.cf virtual_alias_maps.cf virtual_group_maps.cf virtual_group_members_maps.cf virtual_mailbox_maps.cf