# Upgrade iRedMail from 1.4.2 to 1.4.3

[TOC]

!!! warning

    This IS A DRAFT DOCUMENT, DO NOT APPLY IT.

!!! note "Paid Remote Upgrade Support"

    We offer remote upgrade support if you don't want to get your hands dirty,
    check [the details](https://www.iredmail.org/support.html) and
    [contact us](https://www.iredmail.org/contact.html).

## ChangeLog

## General (All backends should apply these changes)

### Update `/etc/iredmail-release` with new iRedMail version number

iRedMail stores the release version in `/etc/iredmail-release` after
installation. It's recommended to update this file after you upgrade iRedMail,
so that you know which version of iRedMail you're running. For example:

```
1.4.3
```

### Upgrade mlmmjadmin to the latest stable release (3.1.3)

Please follow the tutorial below to upgrade mlmmjadmin to the latest stable release:
[Upgrade mlmmjadmin to the latest stable release](./upgrade.mlmmjadmin.html)

### Nginx: several improvements

!!! attention

    All credit goes to GitHub user [@ludovicandrieux](https://github.com/ludovicandrieux),
    thanks for the contributions. See also:
    [#136](https://github.com/iredmail/iRedMail/issues/136),
    [#137](https://github.com/iredmail/iRedMail/issues/137),
    [#138](https://github.com/iredmail/iRedMail/issues/138).

- Enable TLSv1.3. WARNING: It requires Nginx 1.13 or a later release, which is
  available on:
    - CentOS 7 and later
    - Debian 10 and later
    - Ubuntu 18.04 and later
    - FreeBSD
    - OpenBSD
- Greatly improve the performance of HTTP keep-alive connections over SSL by
  enabling the `ssl_session_cache` parameter. See also:
    - [Speeding up TLS: enabling session reuse](https://vincent.bernat.ch/en/blog/2011-ssl-session-reuse-rfc5077)
    - [ssl_session_cache in Nginx and the ab benchmark](https://www.peterbe.com/plog/ssl_session_cache-ab)
- Add new SSL cipher: `EECDH+CHACHA20`. It requires OpenSSL 1.1.0, which is
  available on:
    - CentOS 7 and later
    - Debian 9 and later
    - Ubuntu 18.04 and later
    - FreeBSD
    - OpenBSD
- Remove weak SSL cipher: `AES256+EDH`.

To apply these changes, please open file `/etc/nginx/templates/ssl.tmpl` with
your favourite text editor, then:

- Append `TLSv1.3` to parameter `ssl_protocols`. For example:

    ```
    ssl_protocols TLSv1.2 TLSv1.3;
    ```

- Prepend `EECDH+CHACHA20` to parameter `ssl_ciphers`, and remove `AES256+EDH`.
  For example:

    ```
    ssl_ciphers EECDH+CHACHA20:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH;
    ```

- Add new parameter `ssl_session_cache` and optional comment lines:

    ```
    # Greatly improve the performance of keep-alive connections over SSL.
    # With this enabled, the client does not need to do a full SSL handshake
    # for every request, thus saving time and CPU resources.
    ssl_session_cache shared:SSL:10m;
    ```

Restarting the Nginx service is required.

### Dovecot: enable new ssl cipher `EECDH+CHACHA20` and remove the weak one `AES256+EDH`

Please open file `/etc/dovecot/dovecot.conf` (Linux/OpenBSD) or
`/usr/local/etc/dovecot/dovecot.conf` (FreeBSD), and update parameter
`ssl_cipher_list` to:

```
ssl_cipher_list = EECDH+CHACHA20:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH
```

Restarting the Dovecot service is required.
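
To confirm both files after editing, the following added example (not part of the original tutorial and not iRedMail's own code) checks the Nginx template and the Dovecot configuration for the settings described in the two sections above. The function names and the constructed sample template are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not iRedMail code): audit the TLS settings this step changes.

# Print the value of directive $2 in file $1. Handles Nginx ("name value;")
# and Dovecot ("name = value") syntax; commented-out lines never match.
directive_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]=]\{1,\}\([^;#]*\).*/\1/p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# Succeed if the colon- or space-separated list $1 holds exactly the token $2.
# Whole-token matching keeps AES256+EECDH from being mistaken for AES256+EDH.
has_token() {
    case " $(printf '%s' "$1" | tr ':' ' ') " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

audit_ciphers() {   # $1 = cipher string
    crc=0
    has_token "$1" 'EECDH+CHACHA20' || { echo "FAIL: EECDH+CHACHA20 missing"; crc=1; }
    if has_token "$1" 'AES256+EDH'; then echo "FAIL: AES256+EDH still enabled"; crc=1; fi
    return $crc
}

audit_nginx() {     # $1 = path to ssl.tmpl
    rc=0
    has_token "$(directive_value "$1" ssl_protocols)" TLSv1.3 ||
        { echo "FAIL: TLSv1.3 not in ssl_protocols"; rc=1; }
    audit_ciphers "$(directive_value "$1" ssl_ciphers)" || rc=1
    [ -n "$(directive_value "$1" ssl_session_cache)" ] ||
        { echo "FAIL: ssl_session_cache not set"; rc=1; }
    return $rc
}

audit_dovecot() {   # $1 = path to dovecot.conf
    audit_ciphers "$(directive_value "$1" ssl_cipher_list)"
}

# Constructed sample: a template that has not received the changes yet.
sample=$(mktemp)
printf '%s\n' 'ssl_protocols TLSv1.2;' \
    'ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;' > "$sample"
audit_nginx "$sample" || echo "ssl.tmpl still needs the changes listed above"
rm -f "$sample"
```

On a real server, call `audit_nginx /etc/nginx/templates/ssl.tmpl` and `audit_dovecot` with the Dovecot path for your platform; a zero exit status means every setting from this page is in place.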