Upgrade iRedMail from 0.9.5-1 to 0.9.6

Warning

This tutorial is still a DRAFT, do not apply it.

Paid Remote Upgrade Support

We offer remote upgrade support if you don't want to get your hands dirty. Check the details and contact us.

TODO

ChangeLog

General (All backends should apply these steps)

Update /etc/iredmail-release with new iRedMail version number

iRedMail stores the release version in /etc/iredmail-release after installation. It's recommended to update this file after you upgrade iRedMail, so that you know which version of iRedMail you're running. For example:

0.9.6

Upgrade iRedAPD (Postfix policy server) to the latest stable release (1.9.2)

Please follow the tutorial below to upgrade iRedAPD to the latest stable release: Upgrade iRedAPD to the latest stable release

Detailed release notes are available here.

Upgrade iRedAdmin (open source edition) to the latest stable release (0.7.2)

Please follow this tutorial to upgrade iRedAdmin open source edition to the latest stable release: Upgrade iRedAdmin to the latest stable release

Upgrade Roundcube webmail to the latest stable release (1.2.0)

Please follow the official Roundcube tutorial to upgrade Roundcube webmail to the latest stable release immediately: How to upgrade Roundcube.

Note: package rsync must be installed on your server before upgrading.

Fixed: httpoxy vulnerability in Apache and Nginx

For more details about the httpoxy vulnerability, please read this website: https://httpoxy.org/

Apache

Please append the setting below to the Apache config file:

RequestHeader unset Proxy early

Restarting Apache service is required.

Nginx

Please open all files under the directories below which contain the fastcgi_pass parameter:

If a config file contains the fastcgi_pass parameter, please append the line below after it:

fastcgi_param HTTP_PROXY '';

Restarting Nginx service is required.

Fixed: opportunistic TLS support not enabled in Postfix

iRedMail-0.9.5 and iRedMail-0.9.5-1 didn't enable opportunistic TLS support in Postfix, so other servers cannot transfer emails to it via a TLS secure connection. Please fix it with the commands below.

postconf -e smtpd_tls_security_level='may'
postfix reload

Fixed: one incorrect HELO restriction rule in Postfix

There's one incorrect HELO restriction rule in file helo_access.pcre

Because the pattern is not anchored, it also matches a HELO identity like [192.168.1.1], which is legal.

/(\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3})/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})

Please replace it with the correct one below (it strictly matches a bare IP address, /^IP$/):

/^(\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3})$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
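
The effect of anchoring the pattern, as an added example (not part of the iRedMail tutorial): the Python sketch below applies both rules from this page to constructed HELO identities the way a Postfix pcre table does (case-insensitive, unanchored unless the pattern anchors itself). The sample identities and the function names are assumptions made for illustration.

```python
import re

# The two patterns from helo_access.pcre, copied from this page.
OLD_RULE = r"(\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3})"
NEW_RULE = r"^(\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3})$"

# Constructed sample HELO identities (illustrative, not real traffic).
SAMPLES = [
    "192.168.1.1",                       # bare IP with dots
    "192-168-1-1",                       # bare IP with dashes
    "[192.168.1.1]",                     # address literal, which is legal
    "mail.example.com",                  # ordinary hostname
    "host-203-0-113-7.dyn.example.net",  # hostname that embeds an IP
]


def lookup(pattern, helo):
    """Return the captured ${1} if the rule would REJECT, else None.

    Postfix pcre tables match case-insensitively by default and search
    anywhere in the string unless the pattern carries its own anchors.
    """
    match = re.search(pattern, helo, re.IGNORECASE | re.ASCII)
    return match.group(1) if match else None


def compare(samples=SAMPLES):
    """Evaluate every sample against the old and the new rule."""
    return [(h, lookup(OLD_RULE, h), lookup(NEW_RULE, h)) for h in samples]


def changed(samples=SAMPLES):
    """HELO identities whose verdict differs between the two rules."""
    return [h for h, old, new in compare(samples) if old != new]


if __name__ == "__main__":
    for helo, old, new in compare():
        verdict = lambda hit: f"REJECT ({hit})" if hit else "no match"
        print(f"{helo:36} old: {verdict(old):24} new: {verdict(new)}")
    # The anchored rule stops rejecting the legal address literal. It also
    # stops matching hostnames that merely embed an IP address.
    print("verdict changed for:", changed())
```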

Fixed: incorrect file owner and permission of config file of Roundcube password plugin

iRedMail-0.9.5-1 and earlier versions didn't correctly set the file owner and permission of the config file of the Roundcube password plugin, so other system users may be able to see the SQL/LDAP username and password in the config file. Please follow the steps below to fix it.

For Apache server:
chown apache:apache /var/www/roundcubemail/plugins/password/config.inc.php
chmod 0400 /var/www/roundcubemail/plugins/password/config.inc.php
For Nginx:
chown nginx:nginx /var/www/roundcubemail/plugins/password/config.inc.php
chmod 0400 /var/www/roundcubemail/plugins/password/config.inc.php
chown www-data:www-data /opt/www/roundcubemail/plugins/password/config.inc.php
chmod 0400 /opt/www/roundcubemail/plugins/password/config.inc.php
chown www:www /usr/local/www/roundcubemail/plugins/password/config.inc.php
chmod 0400 /usr/local/www/roundcubemail/plugins/password/config.inc.php
chown www:www /var/www/roundcubemail/plugins/password/config.inc.php
chmod 0400 /var/www/roundcubemail/plugins/password/config.inc.php

Fixed: Nginx doesn't forward real client IP address to SOGo

iRedMail-0.9.5-1 and earlier releases didn't correctly configure Nginx to forward the real client IP address to SOGo, so Fail2ban cannot catch bad clients with failed authentication while logging in to SOGo. Please try the steps below to fix it.

    #proxy_set_header X-Real-IP $remote_addr;
    #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;

Fixed: SOGo-3.1.3 (and later releases) changed argument used by sogo-tool command

SOGo-3.1.3 (and later releases) changed the sogo-tool argument expire-autoreply to update-autoreply, and it's used in a daily cron job. Please update the SOGo cron job to fix it.