WARNING: This is still a work in progress, do NOT apply it.
Additional notes before upgrading Roundcube webmail 1.1.0 (or later releases):

* Where packages are installed with yum: install package php-pear-Net-IDNA2, then restart Apache service or php5-fpm service (if you're running Nginx):
# yum install php-pear-Net-IDNA2
# service httpd restart # <- OR: service php-fpm restart

* Where packages are installed with apt-get: install packages php-pear and php5-intl, enable the intl module for PHP, then restart Apache service or php5_fpm service (if you're running Nginx):
# apt-get install php-pear php5-intl
# php5enmod intl
# service apache2 restart # <- OR: service php5_fpm restart

* Where packages are installed with pkg_add: install package php-intl, then restart php_fpm service:
# pkg_add -r php-intl
# /etc/rc.d/php_fpm restart
After you have the additional packages installed, please follow the official Roundcube tutorial to upgrade Roundcube webmail to the latest stable release: How to upgrade Roundcube
Note: this is applicable if you want to keep iRedAPD plugin reject_null_sender but still be able to send return receipts with Roundcube webmail.

According to RFC2298, the envelope sender address of a return receipt must be empty. If you have iRedAPD plugin reject_null_sender enabled, it will reject the return receipt response. To solve this particular issue, you can set the setting below in Roundcube config file config/config.inc.php. Paths given for this file:

* /var/www/roundcubemail/config/config.inc.php
* /usr/share/apache2/roundcubemail/config/config.inc.php
* /usr/local/www/roundcube/config/config.inc.php

$config['mdn_use_from'] = true;
Note: if other mail client applications don't set the SMTP authentication user as the envelope sender of return receipts, the same issue will occur. You must disable iRedAPD plugin reject_null_sender in /opt/iredapd/settings.py to make all mail clients work.

iRedAPD plugin reject_null_sender rejects messages submitted by a SASL authenticated user but with a null sender in the From: header (from=<> in Postfix log). If your user's password was cracked by a spammer, the spammer can use this account to bypass SMTP authentication, but with a null sender in the From: header, throttling won't be triggered.
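If the plugin has to be disabled, the condition it rejected can still be watched for in the Postfix log. The following is an added example, not part of the original tutorial or of iRedAPD: it pairs each queue ID's sasl_username with its from=<> line. The log lines are constructed and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed Postfix log lines for illustration (not from a real server).
SAMPLE_LOG = """\
Mar  3 10:00:01 mx postfix/submission/smtpd[2101]: 4A1B2C3D4E: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=alice@example.com
Mar  3 10:00:01 mx postfix/qmgr[900]: 4A1B2C3D4E: from=<>, size=2048, nrcpt=50 (queue active)
Mar  3 10:00:09 mx postfix/submission/smtpd[2102]: 5B2C3D4E5F: client=pc.example.com[192.0.2.15], sasl_method=PLAIN, sasl_username=bob@example.com
Mar  3 10:00:09 mx postfix/qmgr[900]: 5B2C3D4E5F: from=<bob@example.com>, size=900, nrcpt=1 (queue active)
Mar  3 10:00:20 mx postfix/smtpd[2103]: 6C3D4E5F6A: client=mail.example.net[198.51.100.20]
Mar  3 10:00:20 mx postfix/qmgr[900]: 6C3D4E5F6A: from=<>, size=3100, nrcpt=1 (queue active)
Mar  3 10:00:31 mx postfix/submission/smtpd[2101]: 9F8E7D6C5B: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=alice@example.com
Mar  3 10:00:31 mx postfix/qmgr[900]: 9F8E7D6C5B: from=<>, size=2048, nrcpt=50 (queue active)
"""

# smtpd logs the client and, for authenticated sessions, the SASL user.
SMTPD_RE = re.compile(
    r"postfix/(?:\w+/)?smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<client>[^,\s]+)"
    r"(?:, sasl_method=[^,\s]+, sasl_username=(?P<user>\S+))?")
# qmgr logs the envelope sender for the same queue ID.
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")

def authenticated_null_senders(log_text):
    """Return (queue_id, sasl_user, client) for from=<> mail sent after SASL auth."""
    sessions = {}   # queue ID -> (sasl user or None, client)
    hits = []
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            sessions[m["qid"]] = (m["user"], m["client"])
            continue
        m = QMGR_RE.search(line)
        if m and m["sender"] == "":
            user, client = sessions.get(m["qid"], (None, None))
            if user:  # unauthenticated from=<> is an ordinary bounce from another MTA
                hits.append((m["qid"], user, client))
    return hits

def per_account(hits):
    # One hit may be a genuine return receipt; the count per account is the signal.
    return Counter(user for _, user, _ in hits)

if __name__ == "__main__":
    for user, count in per_account(authenticated_null_senders(SAMPLE_LOG)).items():
        print(f"{user}: {count} authenticated message(s) with from=<>")
```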
With previous releases of iRedMail, Nginx won't run PHP scripts under sub-directories of the web document root; this step will fix it.

In /etc/nginx/conf.d/default.conf (on Linux/OpenBSD) or /usr/local/etc/nginx/conf.d/default.conf, add one more setting in configuration block location ~ \.php$ {} like below:

...
root /var/www/html;
...
location ~ \.php$ {
    ...
    fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name; # <- Add this line
}
Notes:

* location ~ \.php$ {} blocks: please update both of them.
* You must replace /var/www/html in the sample code above with the value of the root setting defined in the same config file. Paths given for it:
  * /var/www/html
  * /var/www
  * /usr/local/www/apache22/data (Note: if you're running Apache-2.4, the directory name should be apache24, not apache22)
  * /var/www/htdocs

sogo-tool on OpenBSD

Note: this step is applicable to only OpenBSD.

Please check user _sogo's cron job, make sure the path to the sogo-tool command is /usr/local/sbin/sogo-tool:

# crontab -l -u _sogo

If it's not /usr/local/sbin/sogo-tool, please edit its cron job with the command below and fix it:

# crontab -e -u _sogo
To improve server security, we'd better block clients which have too many failed login attempts from SOGo.
Please append the lines below to Fail2ban main config file /etc/fail2ban/jail.local:
[SOGo]
enabled = true
filter = sogo-auth
port = http, https
# without proxy this would be:
# port = 20000
action = iptables-multiport[name=SOGo, port="http,https", protocol=tcp]
logpath = /var/log/sogo/sogo.log
Restarting Fail2ban service is required.
We have two new Fail2ban filters to help catch spam:
Steps:
In /etc/fail2ban/filters.d/postfix.iredmail.conf or /usr/local/etc/fail2ban/filters.d/postfix.iredmail.conf (on FreeBSD), append the line below under the [Definition] section:

reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname

After modification, the whole content is:

[Definition]
failregex = \[<HOST>\]: SASL (PLAIN|LOGIN) authentication failed
            lost connection after AUTH from (.*)\[<HOST>\]
            reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
            reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
            reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
            reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
ignoreregex =

In /etc/fail2ban/filters.d/dovecot.iredmail.conf or /usr/local/etc/fail2ban/filters.d/dovecot.iredmail.conf (on FreeBSD), append the line below under the [Definition] section:

Aborted login \(no auth attempts in .* rip=<HOST>

After modification, the whole content is:

[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
            Aborted login \(no auth attempts in .* rip=<HOST>
ignoreregex =
Restarting Fail2ban service is required.
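Before relying on the two new failregex lines, it is worth confirming that they match the log format actually produced and pick out the client address. The following is an added example, not part of the original tutorial or of Fail2ban: the log lines are constructed, the function names are hypothetical, and the <HOST> tag is replaced by a simplified IPv4-only pattern, which is an assumption of this example rather than Fail2ban's own expansion.

```python
import re

# Simplified stand-in for Fail2ban's <HOST> tag (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two failregex lines added in the steps above, copied from the page.
NEW_FAILREGEX = {
    "postfix": r"reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) "
               r"Helo command rejected: need fully-qualified hostname",
    "dovecot": r"Aborted login \(no auth attempts in .* rip=<HOST>",
}

# Constructed log lines for illustration (not from a real server).
SAMPLE_LINES = [
    "Mar  3 11:02:10 mx postfix/smtpd[3301]: NOQUEUE: reject: RCPT from "
    "unknown[198.51.100.23]: 504 5.5.2 <WIN-PC>: Helo command rejected: "
    "need fully-qualified hostname; from=<a@example.org> to=<b@example.com> "
    "proto=ESMTP helo=<WIN-PC>",
    "Mar  3 11:02:15 mx dovecot: imap-login: Aborted login (no auth attempts "
    "in 2 secs): user=<>, rip=203.0.113.50, lip=192.0.2.10, session=<abc>",
    # A successful login must not be reported.
    "Mar  3 11:03:00 mx dovecot: imap-login: Login: user=<alice@example.com>, "
    "method=PLAIN, rip=192.0.2.77, lip=192.0.2.10, mpid=4, TLS",
    # A HELO with a fully-qualified name that is accepted must not be reported.
    "Mar  3 11:03:05 mx postfix/smtpd[3302]: 7D4E5F6A7B: "
    "client=mail.example.net[192.0.2.88]",
]

def compile_failregex(pattern):
    """Expand the <HOST> tag and compile the pattern."""
    return re.compile(pattern.replace("<HOST>", HOST))

def matched_hosts(lines, patterns=NEW_FAILREGEX):
    """Return (filter_name, host) for every line a failregex matches."""
    compiled = {name: compile_failregex(p) for name, p in patterns.items()}
    found = []
    for line in lines:
        for name, regex in compiled.items():
            m = regex.search(line)
            if m:
                found.append((name, m.group("host")))
    return found

if __name__ == "__main__":
    for name, host in matched_hosts(SAMPLE_LINES):
        print(f"{name}: would count a failure for {host}")
```

On the server itself, the fail2ban-regex command can run the real filter file against the real log file.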
Note: this step is not applicable if you don't use SOGo groupware.
Open backup script /var/vmail/backup/backup_mysql.sh, append the SOGo SQL database name to variable DATABASES=. For example:

DATABASES='... sogo'

Save your change and that's all.

ISPs' mail servers send out spam, but also normal business mail. Applying greylisting to them doesn't help.
# cd /tmp
# wget https://bitbucket.org/zhb/iredmail/raw/default/iRedMail/samples/cluebringer/greylisting-whitelist.sql
$ mysql -uroot -p
mysql> USE cluebringer;
mysql> SOURCE /tmp/greylisting-whitelist.sql;
That's all.
Please open Dovecot config file /etc/dovecot/dovecot-mysql.conf (Linux/OpenBSD) or /usr/local/etc/dovecot/dovecot-mysql.conf (FreeBSD), find the line below:

# Part of file: /etc/dovecot/dovecot-mysql.conf
password_query = SELECT password FROM mailbox WHERE username='%u' AND active='1'

Add the additional query condition AND enable%Ls%Lc=1 like below:

# Part of file: /etc/dovecot/dovecot-mysql.conf
password_query = SELECT password FROM mailbox WHERE username='%u' AND enable%Ls%Lc=1 AND active='1'

Save your change and restart Dovecot service.
Note: this step is not applicable if you don't use SOGo groupware.
Open backup script /var/vmail/backup/backup_mysql.sh, append the SOGo SQL database name to variable DATABASES=. For example:

DATABASES='... sogo'

Save your change and that's all.

ISPs' mail servers send out spam, but also normal business mail. Applying greylisting to them doesn't help.
# cd /tmp
# wget https://bitbucket.org/zhb/iredmail/raw/default/iRedMail/samples/cluebringer/greylisting-whitelist.sql
$ mysql -uroot -p
mysql> USE cluebringer;
mysql> SOURCE /tmp/greylisting-whitelist.sql;
That's all.
Please open Dovecot config file /etc/dovecot/dovecot-pgsql.conf (Linux/OpenBSD) or /usr/local/etc/dovecot/dovecot-pgsql.conf (FreeBSD), find the line below:

# Part of file: /etc/dovecot/dovecot-pgsql.conf
password_query = SELECT password FROM mailbox WHERE username='%u' AND active='1'

Add the additional query condition like below:

# Part of file: /etc/dovecot/dovecot-pgsql.conf
password_query = SELECT password FROM mailbox WHERE username='%u' AND enable%Ls%Lc=1 AND active='1'

Save your change and restart Dovecot service.
Note: this step is not applicable if you don't use SOGo groupware.
Open backup script /var/vmail/backup/backup_mysql.sh, append the SOGo SQL database name to variable DATABASES=. For example:

DATABASES='... sogo'

Save your change and that's all.

ISPs' mail servers send out spam, but also normal business mail. Applying greylisting to them doesn't help.
# cd /tmp
# wget https://bitbucket.org/zhb/iredmail/raw/default/iRedMail/samples/cluebringer/greylisting-whitelist.sql
Switch to the PostgreSQL daemon user, then execute SQL commands to import it. User names given for the daemon user:

* postgres
* pgsql
* _postgresql

# su - postgres
$ psql -d cluebringer
sql> \i /tmp/greylisting-whitelist.sql;
That's all.
Document published under a CC BY-ND 3.0 license. If you found something wrong, please do contact us to fix it.