Warning
This tutorial is still a DRAFT, do not apply it.
Paid Remote Upgrade Support
We offer remote upgrade support if you don't want to get your hands dirty, check the details and contact us.
sogo-tool
command/etc/iredmail-release
with new iRedMail version numberiRedMail stores the release version in /etc/iredmail-release
after
installation, it's recommended to update this file after you upgraded iRedMail,
so that you can know which version of iRedMail you're running. For example:
0.9.6
Please follow below tutorial to upgrade iRedAPD to the latest stable release: Upgrade iRedAPD to the latest stable release
Detailed release notes are available here.
Please follow this tutorial to upgrade iRedAdmin open source edition to the latest stable release: Upgrade iRedAdmin to the latest stable release
Please follow Roundcube official tutorial to upgrade Roundcube webmail to the latest stable release immediately: How to upgrade Roundcube.
Note: package rsync
must be installed on your server before upgrading.
For more details about HTTPROXY vulnerability, please read this website: https://httpoxy.org/
Please append setting below in Apache config file:
/etc/httpd/conf/httpd.conf
./etc/apache2/apache2.conf
./usr/local/etc/apache2[X]/httpd.conf
. Please replace
apache2[X]
by the real Apache version number here.RequestHeader unset Proxy early
Restarting Apache service is required.
Please open all files under below directories which contains fastcgi_pass
parameter:
/etc/nginx/templates/
/etc/nginx/conf.d/
/usr/local/etc/nginx/templates
/usr/local/etc/nginx/conf.d/
If config file contains fastcgi_pass
parameter, please append below one after
it:
fastcgi_param HTTP_PROXY '';
Restart Nginx service is required.
iRedMail-0.9.5 and iRedMail-0.9.5-1 didn't enable opportunistic TLS support in Postfix, this causes other servers cannot transfer emails via TLS secure connection. Please fix it with commands below.
postconf -e smtpd_tls_security_level='may'
postfix reload
There's one incorrect HELO restriction rule file helo_access.pcre
/etc/postfix/helo_access.pcre
/usr/local/etc/postfix/helo_access.pcre
It will match HELO identity like [192.168.1.1]
which is legal.
/(\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3})/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
Please replace it by the correct one below (it matches the IP address with
/^IP$/
strictly):
/^(\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3})$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
iRedMail-0.9.5-1 and earlier versions didn't correct set file owner and permission of config file of Roundcube password plugin, other system users may be able to see the SQL/LDAP username and password in the config file. Please follow steps below to fix it.
chown apache:apache /var/www/roundcubemail/plugins/password/config.inc.php
chmod 0400 /var/www/roundcubemail/plugins/password/config.inc.php
chown nginx:nginx /var/www/roundcubemail/plugins/password/config.inc.php
chmod 0400 /var/www/roundcubemail/plugins/password/config.inc.php
/usr/share/apache2/roundcubemail
):chown www-data:www-data /opt/www/roundcubemail/plugins/password/config.inc.php
chmod 0400 /opt/www/roundcubemail/plugins/password/config.inc.php
chown www:www /usr/local/www/roundcubemail/plugins/password/config.inc.php
chmod 0400 /usr/local/www/roundcubemail/plugins/password/config.inc.php
chown www:www /var/www/roundcubemail/plugins/password/config.inc.php
chmod 0400 /var/www/roundcubemail/plugins/password/config.inc.php
iRedMail-0.9.5-1 and earlier releases didn't correctly configure Nginx to forward real client IP address to SOGo, this causes Fail2ban cannot catch bad clients with failed authentication while logging to SOGo. Please try steps below to fix it.
/etc/nginx/templates/sogo.tmpl
(on Linux or OpenBSD) or
/usr/local/etc/nginx/templates/sogo.tmpl
(on FreeBSD), find 3 lines like
below: #proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header Host $host;
#
to uncomment them: proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
sogo-tool
commandSOGo-3.1.3 (and late releases) changed sogo-tool
argument expire-autoreply
to update-autoreply
, and it's used in a daily cron job. Please update SOGo
cron job to fix it.
Edit SOGo deamon user's cron job with command.
crontab -e -u sogo
crontab -e -u sogod
crontab -e -u _sogo
Replace the argument expire-autoreply
by update-autoreply
.