From f01d245b998edbc004c623f37215baffb3dd1952 Mon Sep 17 00:00:00 2001
From: Zhang Huangbin
Date: Wed, 8 Jun 2016 13:22:14 +0800
Subject: [PATCH] Sync iRedMail upgrade tutorial.
---
.../0-upgrade.iredmail.0.9.5.1-0.9.6.md | 70 ++++++++++++++++--
html/upgrade.iredmail.0.9.5.1-0.9.6.html | 72 +++++++++++++++++--
2 files changed, 130 insertions(+), 12 deletions(-)
diff --git a/en_US/upgrade/0-upgrade.iredmail.0.9.5.1-0.9.6.md b/en_US/upgrade/0-upgrade.iredmail.0.9.5.1-0.9.6.md
index f39b4b5d..7426ba02 100644
--- a/en_US/upgrade/0-upgrade.iredmail.0.9.5.1-0.9.6.md
+++ b/en_US/upgrade/0-upgrade.iredmail.0.9.5.1-0.9.6.md
@@ -2,24 +2,25 @@
[TOC]
+!!! warning
+
+ This tutorial is still a __DRAFT__, do not apply it.
+
!!! note "Paid Remote Upgrade Support"
We offer remote upgrade support if you don't want to get your hands dirty,
check [the details](../support.html) and [contact us](../contact.html).
-!!! warning
-
- This tutorial is still a __DRAFT__, do not apply it.
-
## TODO
* Separated SOGo address book for LDAP backend.
-* Set correct file owner for config file of Roundcube password plugin (0600, apache/nginx).
## ChangeLog
+* Jun 8, 2016: Set correct file owner for config file of Roundcube password plugin.
+* Jun 8, 2016: Fixed: one incorrect HELO restriction rule in Postfix
* May 27, 2016: Fixed: not enable opportunistic TLS support in Postfix.
-* May 24, 2016: initial __DRAFT__.
+* May 24, 2016: Initial __DRAFT__.
## General (All backends should apply these steps)
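Review bot: The new ChangeLog entry "Set correct file owner for config file of Roundcube password plugin." drops the mode that the removed TODO line carried (0600), so the entry no longer says which permission is expected. Name both owner and permission in the entry, in the same "Fixed: ..." form as the neighbouring entries, and end the HELO entry with a period like the May 27 line.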
@@ -63,3 +64,60 @@ connection. Please fix it with commands below.
postconf -e smtpd_tls_security_level='may'
postfix reload
```
+
+### Fixed: one incorrect HELO restriction rule in Postfix
+
+There's one incorrect HELO restriction rule file `helo_access.pcre`
+
+* on Linux/OpenBSD, it's `/etc/postfix/helo_access.pcre`
+* on FreeBSD, it's `/usr/local/etc/postfix/helo_access.pcre`
+
+It will match HELO identity like `[192.168.1.1]` which is legal.
+```
+/(\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3})/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+```
+
+Please replace it by the correct one below (it matches the IP address with
+`/^IP$/` strictly):
+```
+/^(\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3})$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+```
+
+### Fixed: incorrect file owner and permission of config file of Roundcube password plugin
+
+iRedMail-0.9.5-1 and earlier versions didn't correct set file owner and
+permission of config file of Roundcube password plugin, other system users may
+be able to see the SQL/LDAP username and password in the config file. Please
+follow steps below to fix it.
+
+* On RHEL/CentOS:
+
+For Apache server:
+```
+chown apache:apache /var/www/roundcubemail/plugins/password/config.inc.php
+chmod 0400 /var/www/roundcubemail/plugins/password/config.inc.php
+```
+For Nginx:
+```
+chown nginx:nginx /var/www/roundcubemail/plugins/password/config.inc.php
+chmod 0400 /var/www/roundcubemail/plugins/password/config.inc.php
+```
+
+* On Debian/Ubuntu (Note: with old iRedMail release, Roundcube directory is
+ `/usr/share/apache2/roundcubemail`):
+```
+chown www-data:www-data /opt/www/roundcubemail/plugins/password/config.inc.php
+chmod 0400 /opt/www/roundcubemail/plugins/password/config.inc.php
+```
+
+* On FreeBSD:
+```
+chown www:www /usr/local/www/roundcubemail/plugins/password/config.inc.php
+chmod 0400 /usr/local/www/roundcubemail/plugins/password/config.inc.php
+```
+
+* On FreeBSD:
+```
+chown www:www /var/www/roundcubemail/plugins/password/config.inc.php
+chmod 0400 /var/www/roundcubemail/plugins/password/config.inc.php
+```
diff --git a/html/upgrade.iredmail.0.9.5.1-0.9.6.html b/html/upgrade.iredmail.0.9.5.1-0.9.6.html
index 93bd1a12..59f0ed7d 100644
--- a/html/upgrade.iredmail.0.9.5.1-0.9.6.html
+++ b/html/upgrade.iredmail.0.9.5.1-0.9.6.html
@@ -27,30 +27,33 @@
Upgrade iRedAdmin (open source edition) to the latest stable release (0.7.2)
Upgrade Roundcube webmail to the latest stable release (1.2.0)
Fixed: not enable opportunistic TLS support in Postfix
+Fixed: one incorrect HELO restriction rule in Postfix
+Fixed: incorrect file owner and permission of config file of Roundcube password plugin
+
+
Warning
+
This tutorial is still a DRAFT, do not apply it.
+
Paid Remote Upgrade Support
We offer remote upgrade support if you don't want to get your hands dirty,
check the details and contact us.
-
-
Warning
-
This tutorial is still a DRAFT, do not apply it.
-
TODO
- Separated SOGo address book for LDAP backend.
-- Set correct file owner for config file of Roundcube password plugin (0600, apache/nginx).
ChangeLog
+- Jun 8, 2016: Set correct file owner for config file of Roundcube password plugin.
+- Jun 8, 2016: Fixed: one incorrect HELO restriction rule in Postfix
- May 27, 2016: Fixed: not enable opportunistic TLS support in Postfix.
-- May 24, 2016: initial DRAFT.
+- May 24, 2016: Initial DRAFT.
General (All backends should apply these steps)
Update /etc/iredmail-release
with new iRedMail version number
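Review bot: The ChangeLog line "Set correct file owner for config file of Roundcube password plugin." does not match the section title added to the contents list at the top of this hunk ("Fixed: incorrect file owner and permission of config file of Roundcube password plugin"). Use the same wording in both places so the entry can be matched to its section, and add the missing period to the HELO entry.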
@@ -78,6 +81,63 @@ Postfix, this causes other servers cannot transfer emails via TLS secure
connection. Please fix it with commands below.
postconf -e smtpd_tls_security_level='may'
postfix reload
+
+
+Fixed: one incorrect HELO restriction rule in Postfix
+There's one incorrect HELO restriction rule file helo_access.pcre
+
+- on Linux/OpenBSD, it's
/etc/postfix/helo_access.pcre
+- on FreeBSD, it's
/usr/local/etc/postfix/helo_access.pcre
+
+It will match HELO identity like [192.168.1.1]
which is legal.
+/(\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3})/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+
+
+Please replace it by the correct one below (it matches the IP address with
+/^IP$/
strictly):
+/^(\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3})$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
+
+
+Fixed: incorrect file owner and permission of config file of Roundcube password plugin
+iRedMail-0.9.5-1 and earlier versions didn't correct set file owner and
+permission of config file of Roundcube password plugin, other system users may
+be able to see the SQL/LDAP username and password in the config file. Please
+follow steps below to fix it.
+
+For Apache server:
+
+chown apache:apache /var/www/roundcubemail/plugins/password/config.inc.php
+chmod 0400 /var/www/roundcubemail/plugins/password/config.inc.php
+
+
+For Nginx:
+
+chown nginx:nginx /var/www/roundcubemail/plugins/password/config.inc.php
+chmod 0400 /var/www/roundcubemail/plugins/password/config.inc.php
+
+
+
+- On Debian/Ubuntu (Note: with old iRedMail release, Roundcube directory is
+
/usr/share/apache2/roundcubemail
):
+
+chown www-data:www-data /opt/www/roundcubemail/plugins/password/config.inc.php
+chmod 0400 /opt/www/roundcubemail/plugins/password/config.inc.php
+
+
+
+chown www:www /usr/local/www/roundcubemail/plugins/password/config.inc.php
+chmod 0400 /usr/local/www/roundcubemail/plugins/password/config.inc.php
+
+
+
+chown www:www /var/www/roundcubemail/plugins/password/config.inc.php
+chmod 0400 /var/www/roundcubemail/plugins/password/config.inc.php
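Review bot: The platform labels are missing in this copy: "For Apache server:" appears without the "On RHEL/CentOS" label, and the two chown www:www blocks at the end have no label at all, although the Markdown source in this patch has "* On RHEL/CentOS:" and "* On FreeBSD:" above them. Only "- On Debian/Ubuntu" survives, so the three unlabelled blocks read as if they apply to every platform. Check how list items followed by unindented fenced blocks render, fix the Markdown so each label stays attached to its commands, and update this file to match.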