This is still a DRAFT document, do NOT apply it.
We offer remote upgrade service, check the price and contact us.
/etc/iredmail-release with new iRedMail version number
iRedMail stores the release version in /etc/iredmail-release after installation. It's recommended to update this file after you upgrade iRedMail, so that you know which version of iRedMail you're running. For example:
# File: /etc/iredmail-release
0.9.3
Note: iRedAPD-1.7.0 requires a new SQL database, please create it by following upgrade tutorial.
Please follow below tutorial to upgrade iRedAPD to the latest stable release: Upgrade iRedAPD to the latest stable release
Detailed release notes are available here: iRedAPD release notes.
Please follow Roundcube official tutorial to upgrade Roundcube webmail to the latest stable release immediately: How to upgrade Roundcube
In iRedMail-0.9.2 and earlier releases, Amavisd signs DKIM on inbound messages, which is wrong. Please follow steps below to fix it.
With below changes, Amavisd will apply policy bank 'ORIGINATING' to emails submitted through submission (port 587) by SMTP authenticated users. This way we clearly separate emails submitted by authenticated users from inbound messages sent by others, and Amavisd won't sign DKIM on inbound messages anymore.
Open Amavisd config file, make sure you have below settings. If they don't exist, please add them or update them. The config file is one of:
- /etc/amavisd/amavisd.conf
- /etc/amavis/conf.d/50-user
- /usr/local/etc/amavisd.conf
- /etc/amavisd.conf
$inet_socket_port = [10024, 10026, 9998];
$interface_policy{'10026'} = 'ORIGINATING';
We will configure Postfix to pipe email submitted by authenticated users through port 10026, others through port 10024. Port 9998 is used to manage quarantined mails.
In the $policy_bank{'ORIGINATING'} = { block, comment out the forward_method line:
#forward_method => 'smtp:[127.0.0.1]:10027',
Comment out below line in Amavisd config file:
$originating = 1;
WARNING: Do NOT remove originating => 1, in ALL $policy_bank blocks.
Comment out the $policy_bank{'MYUSERS'} block:
#$policy_bank{'MYUSERS'} = {
# ...
#}
Restart Amavisd service.
Open Postfix config file /etc/postfix/master.cf (Linux/OpenBSD) or /usr/local/etc/postfix/master.cf (FreeBSD), update transport submission to use content_filter=smtp-amavis:[127.0.0.1]:10026 as content filter like below:
submission inet n - n - - smtpd
    ... [omit other settings here] ...
    -o content_filter=smtp-amavis:[127.0.0.1]:10026
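A way to confirm that both halves of the change are in place, as an added example that is not part of iRedMail or of this tutorial: it checks that the submission service hands mail to port 10026 and that Amavisd binds that port to the ORIGINATING policy bank. The sample file contents and all function names are constructed for illustration.

```python
import re

# Constructed sample of master.cf after the change (not taken from a real server).
MASTER_CF = """\
smtp       inet n - n - - smtpd
submission inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=smtp-amavis:[127.0.0.1]:10026
smtp-amavis unix - - n - 2 smtp
  -o smtp_data_done_timeout=1200
"""

# Constructed sample of the Amavisd settings named in this section.
AMAVISD_CONF = """\
$inet_socket_port = [10024, 10026, 9998];
$interface_policy{'10026'} = 'ORIGINATING';
#$originating = 1;
"""


def service_overrides(master_cf, service):
    """Collect the -o name=value overrides of one master.cf service entry."""
    overrides, in_service = {}, False
    for line in master_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] not in " \t":          # a new service entry starts here
            in_service = line.split()[0] == service
        if in_service:                    # entry line or one of its continuations
            for name, value in re.findall(r"-o\s+(\w+)=(\S+)", line):
                overrides[name] = value
    return overrides


def postfix_findings(master_cf):
    """Submission mail must be handed to Amavisd on the ORIGINATING port."""
    cf = service_overrides(master_cf, "submission").get("content_filter")
    if cf != "smtp-amavis:[127.0.0.1]:10026":
        return ["submission content_filter is %r, expected port 10026" % cf]
    return []


def amavisd_findings(conf):
    """Check the listener, the port-to-policy-bank mapping and the global flag."""
    active = "\n".join(l for l in conf.splitlines()
                       if not l.lstrip().startswith("#"))
    findings = []
    ports = re.search(r"\$inet_socket_port\s*=\s*\[([^\]]*)\]", active)
    if not ports or "10026" not in re.findall(r"\d+", ports.group(1)):
        findings.append("Amavisd is not listening on port 10026")
    if not re.search(r"\$interface_policy\{'10026'\}\s*=\s*'ORIGINATING'", active):
        findings.append("port 10026 is not bound to policy bank ORIGINATING")
    if re.search(r"^\s*\$originating\s*=\s*1\s*;", active, re.M):
        findings.append("global $originating = 1 is still active")
    return findings


if __name__ == "__main__":
    print(postfix_findings(MASTER_CF) + amavisd_findings(AMAVISD_CONF))
```

To run it against a server, read the real master.cf and Amavisd config file into the two strings instead of the samples.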
iRedMail configures Dovecot to send warning message to local user when the mailbox quota is 85%, 90% or 95% full, but the priority order is wrong. Please fix it with steps below.
In /etc/dovecot/dovecot.conf (Linux/OpenBSD) or /usr/local/etc/dovecot/dovecot.conf (FreeBSD), find below settings:
quota_warning = storage=85%% quota-warning 85 %u
quota_warning2 = storage=90%% quota-warning 90 %u
quota_warning3 = storage=95%% quota-warning 95 %u
With above setting, when the mailbox quota goes from 70% to 98% directly, it sends warning message to notify user that the quota is 85% full. This is wrong; it's expected to be warned as 95% full instead.
quota_warning has the highest priority, quota_warning3 has the lowest priority. Only the command for the first exceeded limit is executed, so we must configure the highest limit first:
quota_warning = storage=95%% quota-warning 95 %u
quota_warning2 = storage=90%% quota-warning 90 %u
quota_warning3 = storage=85%% quota-warning 85 %u
Restarting Dovecot service is required.
For more details, please read Dovecot document: Quota Configuration
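The ordering rule above, worked through as an added example (not Dovecot's or iRedMail's code): it parses the quota_warning lines, applies "only the command for the first exceeded limit is executed" in priority order, and flags a config whose limits are not highest-first. Treating a limit as exceeded when usage moves from below it to at or above it is an assumption of this sketch.

```python
import re

# The two orderings from this section, embedded as strings for the demo.
BEFORE = """\
quota_warning = storage=85%% quota-warning 85 %u
quota_warning2 = storage=90%% quota-warning 90 %u
quota_warning3 = storage=95%% quota-warning 95 %u
"""
AFTER = """\
quota_warning = storage=95%% quota-warning 95 %u
quota_warning2 = storage=90%% quota-warning 90 %u
quota_warning3 = storage=85%% quota-warning 85 %u
"""

RULE = re.compile(r"^\s*quota_warning(\d*)\s*=\s*storage=(\d+)%%\s+(.+?)\s*$")


def parse_rules(conf):
    """Return [(limit_percent, command)] ordered quota_warning, quota_warning2, ..."""
    rules = []
    for line in conf.splitlines():
        m = RULE.match(line)
        if m:
            # A missing numeric suffix means the first (highest-priority) rule.
            rules.append((int(m.group(1) or 1), int(m.group(2)), m.group(3)))
    return [(limit, command) for _, limit, command in sorted(rules)]


def triggered(rules, old_pct, new_pct):
    """Command executed when usage moves old_pct -> new_pct, or None."""
    for limit, command in rules:
        if old_pct < limit <= new_pct:    # first exceeded limit wins, the rest are skipped
            return command
    return None


def misordered(rules):
    """True when the limits are not listed from highest to lowest."""
    limits = [limit for limit, _ in rules]
    return limits != sorted(limits, reverse=True)


if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        rules = parse_rules(conf)
        print(name, "70% -> 98% runs:", triggered(rules, 70, 98),
              "| misordered:", misordered(rules))
```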
Note: This is applicable to Dovecot-2.2.x. If you're running Dovecot-2.1.x or earlier versions, please skip this step.
Check Dovecot version number with below command first:
# dovecot --version
Open Dovecot config file /etc/dovecot/dovecot.conf (Linux/OpenBSD) or /usr/local/etc/dovecot/dovecot.conf (FreeBSD), find below setting:
namespace {
    type = private
    ...
    inbox = yes
    ...
}
Add below alias folders inside the same namespace {} block:
    mailbox "Sent Items" {
        auto = no
        special_use = \Sent
    }
    mailbox "Deleted Messages" {
        auto = no
        special_use = \Trash
    }
    # Archive
    mailbox Archive {
        auto = subscribe
        special_use = \Archive
    }
    mailbox Archives {
        auto = no
        special_use = \Archive
    }
Restarting Dovecot service is required.
It's recommended to set up a daily cron job to keep Roundcube SQL database slick and clean; it removes all records that are marked as deleted.
Please add cron job for user root with command:
# crontab -e -u root
Then add cron job below:
# Cleanup Roundcube SQL database.
2 2 * * * php /var/www/roundcubemail/bin/cleandb.sh >/dev/null
# Cleanup Roundcube SQL database.
2 2 * * * php /opt/www/roundcubemail/bin/cleandb.sh >/dev/null
WARNING: with old iRedMail release, Roundcube directory is /usr/share/apache2/roundcubemail, please use the correct one on your server.
# Cleanup Roundcube SQL database.
2 2 * * * php /usr/local/www/roundcube/bin/cleandb.sh >/dev/null
# Cleanup Roundcube SQL database.
2 2 * * * php /var/www/roundcubemail/bin/cleandb.sh >/dev/null
Note: you can skip this step if you don't run SOGo groupware, and iRedMail doesn't install SOGo on FreeBSD due to missing required ports in official ports tree.
The Dovecot Master User created by iRedMail and used by SOGo doesn't contain a mail domain name, this will cause login failure.
If you don't append a (non-existent) mail domain name in Dovecot Master User account, Dovecot will use the domain name of your login username. For example, if your real user is myuser@mydomain.com, when you try to access this user's mailbox as Dovecot Master User myuser@mydomain.com*my_master_user, it will trigger Dovecot to verify user my_master_user@mydomain.com which doesn't exist on your server, then this login attempt fails.
Please follow steps below to fix it.
In /etc/dovecot/dovecot-master-users (Linux/OpenBSD), find the account used by SOGo:
sogo_sieve_master:...
Append a (non-existent) mail domain name to the account:
sogo_sieve_master@not-exist.com:...
In /etc/sogo/sieve.cred, append the same mail domain name for the sieve account:
sogo_sieve_master@not-exist.com:...
That's all.
Note: this is applicable to iRedMail server which has SOGo groupware installed and running.
iRedMail sets up 3 cron jobs for SOGo, 2 of them are running every minute. You can check the cron jobs with command below. Note: the user is sogo on all Linux distributions, _sogo on OpenBSD.
# crontab -u sogo -l
* * * * * /usr/sbin/sogo-tool expire-sessions 30
* * * * * /usr/sbin/sogo-ealarms-notify
It always complains with error message like below:
sogo-tool[27443] Failed to create lock directory '/var/lib/sogo/GNUstep/Defaults/.lck/.GNUstepDefaults.lck'
sogo-ealarms-notify[27790] Warning ... someone broke our lock (/var/lib/sogo/GNUstep/Defaults/.lck/.GNUstepDefaults.lck) ... and may have interfered with updating defaults data in file.
According to SOGo mailing list, replied by SOGo developer Christian Mack, This is a known problem, but harmless, as the lock is not really needed here. The work around is to use one cron entry only for both (jobs).
Please edit the cron job with command below:
# crontab -u sogo -e
Then group those 2 jobs into one cron job like below (note, use semicolon ; to separate jobs):
* * * * * /usr/sbin/sogo-tool expire-sessions 30; /usr/sbin/sogo-ealarms-notify
That's all.
SOGo uses UTF-7 as sieve folder encoding by default, this is improper, we must use UTF-8 instead, otherwise mail folder names with non-ASCII characters cannot be correctly created or displayed.
To fix this, please add below setting in SOGo config file /etc/sogo/sogo.conf (Linux/OpenBSD) or /usr/local/etc/sogo/sogo.conf (FreeBSD):
SOGoSieveFolderEncoding = UTF-8;
Restarting SOGo service is required.
daemonze = line in /etc/uwsgi.ini
NOTE: this is required by RHEL/CentOS 7, and not applicable to other Linux/BSD distributions.
The daemonze = line set in /etc/uwsgi.ini is required by RHEL/CentOS 6, but not RHEL/CentOS 7, and it will cause the uwsgi service to fail. Please remove or comment out this line and restart uwsgi service.
NOTE: this is required by RHEL/CentOS 7, and not applicable to other Linux/BSD distributions.
iRedMail-0.9.2 and earlier versions won't set default firewall zone if you didn't choose to restart firewall immediately, so after iRedMail installation, you must set the default firewall zone manually with steps below.
Open /etc/firewalld/firewalld.conf, find parameter DefaultZone=. If it's not set by iRedMail installer, it will be DefaultZone=public:
DefaultZone=public
Replace public by iredmail, it will open ports required by ssh and mail services. The zone file is /etc/firewalld/zones/iredmail.xml, please make sure you have correct ssh port number in this file.
DefaultZone=iredmail
Then run:
firewall-cmd --complete-reload
${extension} while delivering message to mailbox
With iRedMail-0.9.2 and earlier releases, email sent to user username+Ext@domain.com (upper case E) will be delivered to folder ext (lower case e) of username@domain.com's mailbox. This fix will preserve the case of address extension.
In /etc/postfix/master.cf (Linux/OpenBSD) or /usr/local/etc/postfix/master.cf (FreeBSD), find below lines:
# Use dovecot deliver program as LDA.
dovecot unix - n n - - pipe
    flags=DRhu ...
Replace flags=DRhu by flags=DRh (remove u) in the third line:
    flags=DRh ...
With default OpenLDAP ACL control set by iRedMail, every mail user has permission to query the whole LDAP tree (although they cannot query sensitive info like password). We'd better remove this ACL control due to security concern.
Please open OpenLDAP config file slapd.conf, and find below lines. The file is one of:
- /etc/openldap/slapd.conf
- /etc/ldap/slapd.conf
- /usr/local/etc/openldap/slapd.conf
access to dn.subtree="o=domains,dc=example,dc=com"
    by anonymous auth
    by self write
    by dn.exact="cn=vmail,dc=example,dc=com" read
    by dn.exact="cn=vmailadmin,dc=example,dc=com" write
    by dn.regex="mail=[^,]+,ou=Users,domainName=$1,o=domains,dc=example,dc=com$" read
    by users read
The LDAP suffix dc=example,dc=com might be different on your server.
Remove the line by dn.regex="mail=...", and replace the line by users read with by users none:
access to dn.subtree="o=domains,dc=example,dc=com"
    by anonymous auth
    by self write
    by dn.exact="cn=vmail,dc=example,dc=com" read
    by dn.exact="cn=vmailadmin,dc=example,dc=com" write
    by users none
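An audit of this ACL change, as an added example that is not part of iRedMail or OpenLDAP: it joins slapd.conf continuation lines, finds the access directive for the o=domains subtree and reports any clause that still grants ordinary users or a dn.regex match more than none/auth. The function names and the embedded fragments (built from the page's dc=example,dc=com sample) are constructed for illustration.

```python
import re

# Constructed slapd.conf fragments using the example suffix from this page.
BEFORE = '''\
access to dn.subtree="o=domains,dc=example,dc=com"
    by anonymous auth
    by self write
    by dn.exact="cn=vmail,dc=example,dc=com" read
    by dn.exact="cn=vmailadmin,dc=example,dc=com" write
    by dn.regex="mail=[^,]+,ou=Users,domainName=$1,o=domains,dc=example,dc=com$" read
    by users read
'''
AFTER = '''\
access to dn.subtree="o=domains,dc=example,dc=com"
    by anonymous auth
    by self write
    by dn.exact="cn=vmail,dc=example,dc=com" read
    by dn.exact="cn=vmailadmin,dc=example,dc=com" write
    by users none
'''


def directives(conf):
    """Join slapd.conf continuation lines (leading whitespace) into one directive each."""
    out = []
    for line in conf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.strip())
    return out


def broad_grants(conf, subtree_prefix="o=domains,"):
    """Return (who, level) clauses on the mail subtree that this section removes."""
    findings = []
    for directive in directives(conf):
        target = re.match(r'access\s+to\s+dn\.subtree="([^"]+)"', directive)
        if not target or not target.group(1).startswith(subtree_prefix):
            continue
        for who, level in re.findall(r'\bby\s+(\S+)\s+(\w+)', directive):
            if level in ("none", "auth"):
                continue                  # no directory read access granted
            if who in ("users", "*") or who.startswith("dn.regex="):
                findings.append((who, level))
    return findings


if __name__ == "__main__":
    print("before:", broad_grants(BEFORE))
    print("after: ", broad_grants(AFTER))
```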
iRedMail has both Dovecot Master User and Dovecot acl plugin enabled by default. If acl plugin is enabled, the Master User is still subject to ACLs just like any other user, which means that by default the Master User has no access to any mailboxes of the user. Please fix this issue by following steps below.
In /etc/dovecot/dovecot-ldap.conf (Linux/OpenBSD) or /usr/local/etc/dovecot/dovecot-ldap.conf (FreeBSD), find below line:
user_attrs = mail=user, ...
Add mail=master_user in user_attrs like below:
user_attrs = mail=master_user,mail=user, ...
outbound_wblist in amavisd database
We need a new SQL table outbound_wblist in amavisd database. It's used to store white/blacklists for outbound message, required by iRedAPD plugin amavisd_wblist.
Please connect to MySQL server as MySQL root user, create new table:
$ mysql -uroot -p
mysql> USE amavisd;
mysql> CREATE TABLE outbound_wblist (rid integer unsigned NOT NULL, sid integer unsigned NOT NULL, wb varchar(10) NOT NULL, PRIMARY KEY (rid,sid));
After the table is created, please restart iRedAPD service.
vmail database: alias.is_alias, alias.alias_to
iRedMail-0.9.3 offers per-user alias address support, that means mail user john.smith@domain.com can have additional email addresses like john@domain.com, js@domain.com and more, all emails sent to these addresses will be delivered to same mailbox. With per-user alias address support, you don't need to create many mail alias accounts anymore.
Per-user alias address requires 2 new SQL columns:
- alias.is_alias: this column marks a SQL record is a per-user alias account.
- alias.alias_to: this column stores the target address (it's john.smith@domain.com as described above). Its value is same as alias.goto when this sql record is a per-user alias, but alias.goto is not good for indexed searching, so we create alias.alias_to as an alternative.
Please follow steps below to create required SQL columns:
$ mysql -uroot -p
sql> USE vmail;
sql> ALTER TABLE alias ADD COLUMN is_alias TINYINT(1) NOT NULL DEFAULT 0;
sql> ALTER TABLE alias ADD COLUMN alias_to VARCHAR(255) NOT NULL DEFAULT '';
sql> ALTER TABLE alias ADD INDEX (is_alias);
sql> ALTER TABLE alias ADD INDEX (alias_to);
Sample usage: add additional email addresses extra@domain.com for existing user user@domain.com:
sql> USE vmail;
sql> INSERT INTO alias (address, goto, is_alias, alias_to, domain)
VALUES ('extra@domain.com', 'user@domain.com', 1, 'user@domain.com', 'domain.com');
Notes:
- Values of column alias.goto and alias.alias_to are the same.
- You can add as many additional email addresses as you want.
- In above sample, extra@domain.com can be an email address belong to your alias domain.
iRedMail doesn't enable global address book by default, this step will help you enable isolated per-domain global address book.
iRedMail creates a SQL VIEW sogo.users in SOGo SQL database, but it doesn't contain a domain column. If you enable global address book, every user is able to search ALL mail accounts hosted on iRedMail server, so we need to drop existing SQL VIEW, then re-create it with domain column for isolated per-domain global address book.
Now connect to MySQL server as root user, drop existing SQL VIEW sogo.users, then re-create it:
$ mysql -uroot -p
sql> USE sogo;
sql> DROP VIEW users;
sql> CREATE VIEW sogo.users (c_uid, c_name, c_password, c_cn, mail, domain) AS SELECT username, username, password, name, username, domain FROM vmail.mailbox WHERE active=1;
Open SOGo config file /etc/sogo/sogo.conf (Linux, OpenBSD) or /usr/local/etc/sogo/sogo.conf (FreeBSD), find the SOGoUserSources block defined for SQL backend. For example:
// Authentication using SQL
SOGoUserSources = (
    {
        ...
        //isAddressBook = YES;
        //displayName = "Global Address Book";
    }
);
Uncomment isAddressBook and displayName lines, and add two new parameters like below:
isAddressBook = YES;
displayName = "Global Address Book";
SOGoEnableDomainBasedUID = YES;
DomainFieldName = "domain";
Restarting SOGo service is required.
vmail database: alias.is_alias, alias.alias_to
iRedMail-0.9.3 offers per-user alias address support, that means mail user john.smith@domain.com can have additional email addresses like john@domain.com, js@domain.com and more, all emails sent to these addresses will be delivered to same mailbox. With per-user alias address support, you don't need to create many mail alias accounts anymore.
Per-user alias address requires 2 new SQL columns:
- alias.is_alias: this column marks a SQL record is a per-user alias account.
- alias.alias_to: this column stores the target address (it's john.smith@domain.com as described above). Its value is same as alias.goto when this sql record is a per-user alias, but alias.goto is not good for indexed searching, so we create alias.alias_to as an alternative.
Please follow steps below to create required SQL columns:
# su - postgres
$ psql -d vmail
sql> ALTER TABLE alias ADD COLUMN is_alias INT2 NOT NULL DEFAULT 0;
sql> ALTER TABLE alias ADD COLUMN alias_to VARCHAR(255) NOT NULL DEFAULT '';
sql> CREATE INDEX idx_alias_is_alias ON alias (is_alias);
sql> CREATE INDEX idx_alias_alias_to ON alias (alias_to);
Sample usage: add additional email addresses extra@domain.com for existing user user@domain.com:
sql> \c vmail
sql> INSERT INTO alias (address, goto, is_alias, alias_to, domain)
VALUES ('extra@domain.com', 'user@domain.com', 1, 'user@domain.com', 'domain.com');
Notes:
- Values of column alias.goto and alias.alias_to are the same.
- You can add as many additional email addresses as you want.
- In above sample, extra@domain.com can be an email address belong to your alias domain.
outbound_wblist in amavisd database
We need a new SQL table outbound_wblist in amavisd database. It's used to store white/blacklists for outbound message, required by iRedAPD plugin amavisd_wblist.
Please switch to PostgreSQL daemon user, then execute SQL commands to import it:
* On Linux, PostgreSQL daemon user is `postgres`.
* On FreeBSD, PostgreSQL daemon user is `pgsql`.
* On OpenBSD, PostgreSQL daemon user is `_postgresql`.
# su - postgres
$ psql -d amavisd
sql> CREATE TABLE outbound_wblist (rid integer NOT NULL CHECK (rid >= 0), sid integer NOT NULL CHECK (sid >= 0), wb varchar(10) NOT NULL, PRIMARY KEY (rid,sid));
After the table is created, please restart iRedAPD service.
iRedMail doesn't enable global address book by default, this step will help you enable isolated per-domain global address book.
iRedMail creates a SQL VIEW sogo.users in SOGo SQL database, but it doesn't contain a domain column. If you enable global address book, every user is able to search ALL mail accounts hosted on iRedMail server, so we need to drop existing SQL VIEW, then re-create it with domain column for isolated per-domain global address book.
Before we go further, we must find the SQL username/password used to query vmail SQL database in /etc/postfix/pgsql/*.cf (on FreeBSD, it's /usr/local/etc/postfix/pgsql/*.cf). For example:
hosts = 127.0.0.1
port = 3306
user = vmail
password = NGtLm0jFiwwOH5AeQtTsSAkScUMdFc
dbname = vmail
We need SQL server address, port, user, password and database name.
Now connect to PostgreSQL server as admin user, drop existing SQL VIEW sogo.users, and re-create it.
WARNING: You must replace the vmail database username and password by the real ones found in /etc/postfix/pgsql/*.cf.
# su - postgres
$ psql -d sogo
sql> DROP VIEW users;
sql> CREATE VIEW users AS SELECT * FROM dblink('host=127.0.0.1 port=5432 user=vmail password=NGtLm0jFiwwOH5AeQtTsSAkScUMdFc dbname=vmail', 'SELECT username AS c_uid, username AS c_name, password AS c_password, name AS c_cn, username AS mail, domain AS domain FROM mailbox WHERE active=1') AS users (c_uid VARCHAR(255), c_name VARCHAR(255), c_password VARCHAR(255), c_cn VARCHAR(255), mail VARCHAR(255), domain VARCHAR(255));
sql> ALTER TABLE users OWNER TO sogo;
Open SOGo config file /etc/sogo/sogo.conf (Linux, OpenBSD) or /usr/local/etc/sogo/sogo.conf (FreeBSD), find the SOGoUserSources block defined for SQL backend. For example:
// Authentication using SQL
SOGoUserSources = (
    {
        ...
        //isAddressBook = YES;
        //displayName = "Global Address Book";
    }
);
Uncomment isAddressBook and displayName lines, and add two new parameters like below:
isAddressBook = YES;
displayName = "Global Address Book";
SOGoEnableDomainBasedUID = YES;
DomainFieldName = "domain";
Restarting SOGo service is required.
Document published under a CC BY-ND 3.0 license. If you found something wrong, please do contact us to fix it.