elmau
/
iredmail-doc
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
iredmail-doc/html_bk/upgrade.iredmail.0.9.5.1-0....

717 lines
37 KiB
HTML
Raw Permalink Blame History

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Upgrade iRedMail from 0.9.5-1 to 0.9.6</title>
<link rel="stylesheet" type="text/css" href="./css/markdown.css" />
</head>
<body>
<div id="navigation">
<a href="https://www.iredmail.org" target="_blank">
<img alt="iRedMail web site"
src="./images/logo-iredmail.png"
style="vertical-align: middle; height: 30px;"
/>&nbsp;
<span>iRedMail</span>
</a>
&nbsp;&nbsp;//&nbsp;&nbsp;<a href="./index.html">Document Index</a></div><h1 id="upgrade-iredmail-from-095-1-to-096">Upgrade iRedMail from 0.9.5-1 to 0.9.6</h1>
<div class="toc">
<ul>
<li><a href="#upgrade-iredmail-from-095-1-to-096">Upgrade iRedMail from 0.9.5-1 to 0.9.6</a><ul>
<li><a href="#changelog">ChangeLog</a></li>
<li><a href="#general-all-backends-should-apply-these-steps">General (All backends should apply these steps)</a><ul>
<li><a href="#update-etciredmail-release-with-new-iredmail-version-number">Update /etc/iredmail-release with new iRedMail version number</a></li>
<li><a href="#upgrade-iredapd-postfix-policy-server-to-the-latest-stable-release-20">Upgrade iRedAPD (Postfix policy server) to the latest stable release (2.0)</a></li>
<li><a href="#upgrade-iredadmin-open-source-edition-to-the-latest-stable-release-07">Upgrade iRedAdmin (open source edition) to the latest stable release (0.7)</a></li>
<li><a href="#upgrade-roundcube-webmail-to-the-latest-stable-release-123">Upgrade Roundcube webmail to the latest stable release (1.2.3)</a></li>
<li><a href="#fixed-httproxy-vulnerability-in-apache-and-nginx">Fixed: HTTProxy vulnerability in Apache and Nginx</a><ul>
<li><a href="#apache">Apache</a></li>
<li><a href="#nginx">Nginx</a></li>
</ul>
</li>
<li><a href="#fixed-not-allow-access-to-well-known-in-nginx">Fixed: not allow access to '/.well-known/' in Nginx</a></li>
<li><a href="#fixed-postfix-allows-email-sent-through-port-587-without-smtp-authentication-from-trusted-clients">Fixed: Postfix allows email sent through port 587 without smtp authentication from trusted clients</a></li>
<li><a href="#fixed-not-enable-opportunistic-tls-support-in-postfix">Fixed: not enable opportunistic TLS support in Postfix</a></li>
<li><a href="#fixed-one-incorrect-helo-restriction-rule-in-postfix">Fixed: one incorrect HELO restriction rule in Postfix</a></li>
<li><a href="#fixed-incorrect-file-owner-and-permission-of-config-file-of-roundcube-password-plugin">Fixed: incorrect file owner and permission of config file of Roundcube password plugin</a></li>
<li><a href="#fixed-missing-cron-job-used-to-clean-up-old-roundcube-temporary-files">Fixed: missing cron job used to clean up old Roundcube temporary files</a></li>
<li><a href="#fixed-nginx-doesnt-forward-real-client-ip-address-to-sogo">Fixed: Nginx doesn't forward real client IP address to SOGo</a></li>
<li><a href="#fixed-sogo-313-and-later-releases-changed-argument-used-by-sogo-tool-command">Fixed: SOGo-3.1.3 (and later releases) changed argument used by sogo-tool command</a></li>
<li><a href="#fixed-memcached-listens-on-all-available-ip-addresses-instead-of-127001">Fixed: Memcached listens on all available IP addresses instead of 127.0.0.1</a></li>
<li><a href="#fixed-awstats-is-world-accessible-with-apache">Fixed: Awstats is world-accessible with Apache</a></li>
<li><a href="#improve-fail2ban-filter-regular-expression-to-catch-more-pop3imap-spams">Improve Fail2ban filter regular expression to catch more POP3/IMAP spams</a></li>
<li><a href="#add-more-banned-file-typesextensions-in-amavisd">Add more banned file types/extensions in Amavisd.</a></li>
</ul>
</li>
<li><a href="#openldap-backend-special">OpenLDAP backend special</a><ul>
<li><a href="#use-the-latest-iredmail-ldap-schema-file">Use the latest iRedMail LDAP schema file</a><ul>
<li><a href="#update-openldap-config-file-to-index-new-attributes">Update OpenLDAP config file to index new attributes</a></li>
<li><a href="#download-the-latest-iredmail-ldap-schema-file">Download the latest iRedMail LDAP schema file</a></li>
</ul>
</li>
<li><a href="#fixed-mail-accounts-user-alias-list-are-still-active-when-domain-is-disabled">Fixed: mail accounts (user, alias, list) are still active when domain is disabled</a><ul>
<li><a href="#update-postfixdovecot-ldap-lookup-files">Update Postfix/Dovecot LDAP lookup files</a></li>
<li><a href="#add-required-ldap-attributevalue-for-existing-mail-accounts-under-disabled-domains">Add required LDAP attribute/value for existing mail accounts under disabled domains</a></li>
</ul>
</li>
</ul>
</li>
<li><a href="#mysqlmariadb-backend-special">MySQL/MariaDB backend special</a><ul>
<li><a href="#fix-invalid-default-datetime-value-for-some-sql-columns-in-vmail-database">Fix invalid default (datetime) value for some SQL columns in 'vmail' database</a></li>
</ul>
</li>
</ul>
</li>
</ul>
</div>
<div class="admonition note">
<p class="admonition-title">Paid Remote Upgrade Support</p>
<p>We offer remote upgrade support if you don't want to get your hands dirty,
check <a href="https://www.iredmail.org/support.html">the details</a> and
<a href="https://www.iredmail.org/contact.html">contact us</a>.</p>
</div>
<h2 id="changelog">ChangeLog</h2>
<ul>
<li>Jan 23, 2016: Initial publish.</li>
</ul>
<h2 id="general-all-backends-should-apply-these-steps">General (All backends should apply these steps)</h2>
<h3 id="update-etciredmail-release-with-new-iredmail-version-number">Update <code>/etc/iredmail-release</code> with new iRedMail version number</h3>
<p>iRedMail stores the release version in <code>/etc/iredmail-release</code> after
installation, it's recommended to update this file after you upgraded iRedMail,
so that you can know which version of iRedMail you're running. For example:</p>
<pre><code>0.9.6
</code></pre>
<h3 id="upgrade-iredapd-postfix-policy-server-to-the-latest-stable-release-20">Upgrade iRedAPD (Postfix policy server) to the latest stable release (2.0)</h3>
<p>Please follow below tutorial to upgrade iRedAPD to the latest stable release:
<a href="./upgrade.iredapd.html">Upgrade iRedAPD to the latest stable release</a></p>
<p>Detailed release notes are available <a href="./iredapd.releases.html">here</a>.</p>
<h3 id="upgrade-iredadmin-open-source-edition-to-the-latest-stable-release-07">Upgrade iRedAdmin (open source edition) to the latest stable release (0.7)</h3>
<p>Please follow this tutorial to upgrade iRedAdmin open source edition to the
latest stable release:
<a href="./migrate.or.upgrade.iredadmin.html">Upgrade iRedAdmin to the latest stable release</a></p>
<h3 id="upgrade-roundcube-webmail-to-the-latest-stable-release-123">Upgrade Roundcube webmail to the latest stable release (1.2.3)</h3>
<p>Please follow Roundcube official tutorial to upgrade Roundcube webmail to the
latest stable release immediately: <a href="https://github.com/roundcube/roundcubemail/wiki/Upgrade">How to upgrade Roundcube</a>.</p>
<p>Note: package <code>rsync</code> must be installed on your server before upgrading.</p>
<h3 id="fixed-httproxy-vulnerability-in-apache-and-nginx">Fixed: HTTProxy vulnerability in Apache and Nginx</h3>
<p>For more details about HTTPROXY vulnerability, please read this website: <a href="https://httpoxy.org/">https://httpoxy.org/</a></p>
<h4 id="apache">Apache</h4>
<p>Please append setting below in Apache config file:</p>
<ul>
<li>on RHEL/CentOS, it's <code>/etc/httpd/conf/httpd.conf</code>.</li>
<li>on Debian/Ubuntu, it's <code>/etc/apache2/apache2.conf</code>.</li>
<li>on FreeBSD, it's <code>/usr/local/etc/apache2[X]/httpd.conf</code>. Please replace
<code>apache2[X]</code> by the real Apache version number here.</li>
<li>on OpenBSD: not applicable because iRedMail doesn't use Apache on OpenBSD.</li>
</ul>
<pre><code>RequestHeader unset Proxy early
</code></pre>
<ul>
<li>On Debian/Ubuntu, please make sure Apache module <code>headers</code> are enabled:</li>
</ul>
<pre><code>a2enmod headers
</code></pre>
<p>Restarting Apache service is required.</p>
<h4 id="nginx">Nginx</h4>
<p>Please open all files under below directories which contains <code>fastcgi_pass</code>
parameter:</p>
<ul>
<li>On Linux/OpenBSD:<ul>
<li><code>/etc/nginx/templates/</code></li>
<li><code>/etc/nginx/conf.d/</code></li>
</ul>
</li>
<li>On FreeBSD:<ul>
<li><code>/usr/local/etc/nginx/templates</code></li>
<li><code>/usr/local/etc/nginx/conf.d/</code></li>
</ul>
</li>
</ul>
<p>If config file contains <code>fastcgi_pass</code> parameter, please append below one after
it:</p>
<pre><code>fastcgi_param HTTP_PROXY '';
</code></pre>
<p>Restart Nginx service is required.</p>
<h3 id="fixed-not-allow-access-to-well-known-in-nginx">Fixed: not allow access to '/.well-known/' in Nginx</h3>
<p>It's popular to use Let's Encrypt ssl cert nowadays, but default Nginx config
file will return a "403 Forbidden" error if you're trying to request new SSL
cert from Let's Encrypt. Step below will allow access to <code>/.well-known/</code> and
fix this issue.</p>
<p>Open Nginx template file <code>misc.tmpl</code>, find lines below:</p>
<ul>
<li>If your iRedMail server was installed with iRedMail-0.9.4, it's
<code>/etc/nginx/templates/misc.tmpl</code> (Linux/OpenBSD) or
<code>/usr/local/etc/nginx/templates/misc.tmpl</code> (FreeBSD).</li>
<li>If your iRedMail server was installed with early release and upgraded to
iRedMail-0.9.4, it's <code>/etc/nginx/conf.d/default.conf</code> (Linux/OpenBSD)
or <code>/usr/local/etc/nginx/conf.d/default.conf</code> (FreeBSD).</li>
</ul>
<pre><code># Deny all attempts to access hidden files such as .htaccess.
location ~ /\. { deny all; }
</code></pre>
<p>Add lines below ABOVE lines found above:</p>
<pre><code># Allow access to '^/.well-known/'
location ~ ^/.well-known/ {
allow all;
access_log off;
log_not_found off;
autoindex off;
}
</code></pre>
<p>Save your change and reload Nginx service.</p>
<h3 id="fixed-postfix-allows-email-sent-through-port-587-without-smtp-authentication-from-trusted-clients">Fixed: Postfix allows email sent through port 587 without smtp authentication from trusted clients</h3>
<p>iRedMail-0.9.5 and iRedMail-0.9.5-1 allows trusted clients (listed in parameter
<code>mynetworks=</code>) to send email through port 587 without smtp authentication, this
is not strict enough and may be used by spammers. All users should be forced
to send email through port 587 with smtp authentication. Please follow steps
below to fix it.</p>
<ul>
<li>Open Postfix config file <code>master.cf</code>, find the transport <code>submission</code> like
below:<ul>
<li>on Linux and OpenBSD, it's <code>/etc/postfix/master.cf</code></li>
<li>on FreeBSD, it's <code>/usr/local/etc/postfix/master.cf</code></li>
</ul>
</li>
</ul>
<pre><code>submission ...
...
-o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
</code></pre>
<ul>
<li>Remove <code>permit_mynetworks,</code> and save your change. After modification, it's:</li>
</ul>
<pre><code>submission ...
...
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
</code></pre>
<ul>
<li>Restart Postfix service is required to load the changed config file.</li>
</ul>
<h3 id="fixed-not-enable-opportunistic-tls-support-in-postfix">Fixed: not enable opportunistic TLS support in Postfix</h3>
<p>iRedMail-0.9.5 and iRedMail-0.9.5-1 didn't enable opportunistic TLS support in
Postfix, this causes other servers cannot transfer emails via TLS secure
connection. Please fix it with commands below. If you already have this
setting in <code>/etc/postfix/main.cf</code>, it's safe to ignore this step.</p>
<pre><code>postconf -e smtpd_tls_security_level='may'
postfix reload
</code></pre>
<h3 id="fixed-one-incorrect-helo-restriction-rule-in-postfix">Fixed: one incorrect HELO restriction rule in Postfix</h3>
<p>There's one incorrect HELO restriction rule file <code>helo_access.pcre</code></p>
<ul>
<li>on Linux/OpenBSD, it's <code>/etc/postfix/helo_access.pcre</code></li>
<li>on FreeBSD, it's <code>/usr/local/etc/postfix/helo_access.pcre</code></li>
</ul>
<p>It will match HELO identity like <code>[192.168.1.1]</code> which is legal.</p>
<pre><code>/(\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3})/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
</code></pre>
<p>Please replace it by the correct one below (it matches the IP address with
<code>/^IP$/</code> strictly):</p>
<pre><code>/^(\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3})$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
</code></pre>
<h3 id="fixed-incorrect-file-owner-and-permission-of-config-file-of-roundcube-password-plugin">Fixed: incorrect file owner and permission of config file of Roundcube password plugin</h3>
<p>iRedMail-0.9.5-1 and earlier versions didn't correct set file owner and
permission of config file of Roundcube password plugin, other system users may
be able to see the SQL/LDAP username and password in the config file. Please
follow steps below to fix it.</p>
<ul>
<li>On RHEL/CentOS:</li>
</ul>
<h5>For Apache server:</h5>
<pre><code>chown apache:apache /var/www/roundcubemail/plugins/password/config.inc.php
chmod 0400 /var/www/roundcubemail/plugins/password/config.inc.php
</code></pre>
<h5>For Nginx:</h5>
<pre><code>chown nginx:nginx /var/www/roundcubemail/plugins/password/config.inc.php
chmod 0400 /var/www/roundcubemail/plugins/password/config.inc.php
</code></pre>
<ul>
<li>On Debian/Ubuntu (Note: with old iRedMail release, Roundcube directory is
<code>/usr/share/apache2/roundcubemail</code>):</li>
</ul>
<pre><code>chown www-data:www-data /opt/www/roundcubemail/plugins/password/config.inc.php
chmod 0400 /opt/www/roundcubemail/plugins/password/config.inc.php
</code></pre>
<ul>
<li>On FreeBSD:</li>
</ul>
<pre><code>chown www:www /usr/local/www/roundcube/plugins/password/config.inc.php
chmod 0400 /usr/local/www/roundcube/plugins/password/config.inc.php
</code></pre>
<ul>
<li>On OpenBSD:</li>
</ul>
<pre><code>chown www:www /var/www/roundcubemail/plugins/password/config.inc.php
chmod 0400 /var/www/roundcubemail/plugins/password/config.inc.php
</code></pre>
<h3 id="fixed-missing-cron-job-used-to-clean-up-old-roundcube-temporary-files">Fixed: missing cron job used to clean up old Roundcube temporary files</h3>
<p>iRedMail didn't run script <code>roundcubemail/bin/gc.sh</code> to clean up old files
under <code>roundcubemail/temp/</code> directory regularly, this directory will grow
larger and larger with temporary files.</p>
<p>Please edit <code>root</code>'s cron job with command below:</p>
<pre><code># crontab -e -u root
</code></pre>
<p>Then add cron job like below:</p>
<ul>
<li>RHEL/CentOS:</li>
</ul>
<pre><code># Roundcube: Cleanup old temp files.
# Defaults to keep for 2 days, controlled by Roundcube parameter $config['temp_dir_ttl'].
2 2 * * * php /var/www/roundcubemail/bin/gc.sh &gt;/dev/null
</code></pre>
<ul>
<li>
<p>Debian/Ubuntu:</p>
<blockquote>
<p><strong>WARNING</strong>: with old iRedMail release, Roundcube directory is
<code>/usr/share/apache2/roundcubemail</code>, please make sure you're using the
correct one on your server.</p>
</blockquote>
</li>
</ul>
<pre><code># Roundcube: Cleanup old temp files.
# Defaults to keep for 2 days, controlled by Roundcube parameter $config['temp_dir_ttl'].
2 2 * * * php /opt/www/roundcubemail/bin/gc.sh &gt;/dev/null
</code></pre>
<ul>
<li>FreeBSD:</li>
</ul>
<pre><code># Roundcube: Cleanup old temp files.
# Defaults to keep for 2 days, controlled by Roundcube parameter $config['temp_dir_ttl'].
2 2 * * * /usr/local/bin/php /usr/local/www/roundcube/bin/gc.sh &gt;/dev/null
</code></pre>
<ul>
<li>OpenBSD:</li>
</ul>
<pre><code># Roundcube: Cleanup old temp files.
# Defaults to keep for 2 days, controlled by Roundcube parameter $config['temp_dir_ttl'].
2 2 * * * php /var/www/roundcubemail/bin/gc.sh &gt;/dev/null
</code></pre>
<h3 id="fixed-nginx-doesnt-forward-real-client-ip-address-to-sogo">Fixed: Nginx doesn't forward real client IP address to SOGo</h3>
<p>iRedMail-0.9.5-1 and earlier releases didn't correctly configure Nginx to
forward real client IP address to SOGo, this causes Fail2ban cannot catch
bad clients with failed authentication while logging to SOGo. Please try
steps below to fix it.</p>
<ul>
<li>Open file <code>/etc/nginx/templates/sogo.tmpl</code> (on Linux or OpenBSD) or
<code>/usr/local/etc/nginx/templates/sogo.tmpl</code> (on FreeBSD), find 3 lines like
below:</li>
</ul>
<pre><code> #proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header Host $host;
</code></pre>
<ul>
<li>Remove the leading <code>#</code> to uncomment them:</li>
</ul>
<pre><code> proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
</code></pre>
<ul>
<li>Restart Nginx service.</li>
</ul>
<h3 id="fixed-sogo-313-and-later-releases-changed-argument-used-by-sogo-tool-command">Fixed: SOGo-3.1.3 (and later releases) changed argument used by <code>sogo-tool</code> command</h3>
<p>SOGo-3.1.3 (and late releases) changed <code>sogo-tool</code> argument <code>expire-autoreply</code>
to <code>update-autoreply</code>, and it's used in a daily cron job. Please update SOGo
cron job to fix it.</p>
<ul>
<li>
<p>Edit SOGo deamon user's cron job with command.</p>
<ul>
<li>On Linux: <code>crontab -e -u sogo</code></li>
<li>On FreeBSD: <code>crontab -e -u sogod</code></li>
<li>On OpenBSD: <code>crontab -e -u _sogo</code></li>
</ul>
</li>
<li>
<p>Replace the argument <code>expire-autoreply</code> by <code>update-autoreply</code>.</p>
</li>
</ul>
<h3 id="fixed-memcached-listens-on-all-available-ip-addresses-instead-of-127001">Fixed: Memcached listens on all available IP addresses instead of <code>127.0.0.1</code></h3>
<blockquote>
<p>This step is only applicable when you have SOGo installed, otherwise
memcached was not installed and running on your server.</p>
</blockquote>
<p><a href="http://memcached.org">Memcached</a> is an open-source distributed memory object caching system
which is generic in nature but often used for speeding up dynamic web
applications. Memcached does not support any forms of authorization.
Thus, anyone who can connect to the memcached server has unrestricted
access to the data stored in it. This allows attackers e.g. to steal
sensitive data like login credentials for web applications or any other
kind of content stored with memcached.</p>
<p>iRedMail-0.9.5-1 and earlier releases didn't configure Memcached to listen on
only <code>127.0.0.1</code>, steps below fix this issue.</p>
<ul>
<li>On RHEL/CentOS, please open file <code>/etc/sysconfig/memcached</code> and update
parameter <code>OPTIONS=</code> with <code>-l 127.0.0.1</code> option like below:</li>
</ul>
<pre><code>OPTIONS=&quot;-l 127.0.0.1&quot;
</code></pre>
<p>Then restart memcached service:</p>
<pre><code>service memcached restart
</code></pre>
<ul>
<li>On Debian/Ubuntu, please make sure you have setting below in config file
<code>/etc/memcached.conf</code></li>
</ul>
<pre><code>-l 127.0.0.1
</code></pre>
<p>Then restart memcached service:</p>
<pre><code>service memcached restart
</code></pre>
<ul>
<li>
<p>On FreeBSD, please append line below in <code>/etc/rc.conf</code>:</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>If you're updating a jailed FreeBSD system, please change <code>127.0.0.1</code>
to the IP address of your jail.</p>
</div>
</li>
</ul>
<pre><code>memcached_flags='-l 127.0.0.1'
</code></pre>
<p>Then restart memcached service:</p>
<pre><code>service memcached restart
</code></pre>
<ul>
<li>On OpenBSD, please append line below in <code>/etc/rc.conf.local</code>:</li>
</ul>
<pre><code>memcached_flags='-u _memcached -l 127.0.0.1'
</code></pre>
<p>Then restart memcached service:</p>
<pre><code>rcctl restart memcached
</code></pre>
<h3 id="fixed-awstats-is-world-accessible-with-apache">Fixed: Awstats is world-accessible with Apache</h3>
<blockquote>
<p>This is not applicable on OpenBSD system, because we don't have Apache nor Awstats installed.</p>
</blockquote>
<p>With iRedMail-0.9.5-1 and earlier release, Awstats was incorrectly configured
and accessible without authentication. Please follow steps below to fix it.</p>
<ul>
<li>Open Awstats config file for Apache, find below lines:<ul>
<li>On RHEL/CentOS, it's <code>/etc/httpd/conf.d/awstats.conf</code></li>
<li>On Debian/Ubuntu, it's <code>/etc/apache2/conf-available/awstats.conf</code></li>
<li>On FreeBSD, it's <code>/usr/local/etc/apache2?/Includes/awstats.conf</code></li>
</ul>
</li>
</ul>
<pre><code> Require all granted
Require valid-user
</code></pre>
<ul>
<li>Remove <code>Require all granted</code>, keep <code>Require valid-user</code>.</li>
<li>Restart Apache service.</li>
</ul>
<h3 id="improve-fail2ban-filter-regular-expression-to-catch-more-pop3imap-spams">Improve Fail2ban filter regular expression to catch more POP3/IMAP spams</h3>
<blockquote>
<p>This step is applicable to Linux system.</p>
</blockquote>
<p>We have one new Fail2ban filter regular expression to catch unauth clients
which generates log like below:</p>
<blockquote>
<p>Dec 11 16:49:41 imap-login: Info: Disconnected (auth failed, 1 attempts in
2 secs): user=<a href="&#109;&#97;&#105;&#108;&#116;&#111;&#58;&#97;&#100;&#109;&#105;&#110;&#64;&#101;&#120;&#97;&#109;&#112;&#108;&#101;&#46;&#110;&#101;&#116;">&#97;&#100;&#109;&#105;&#110;&#64;&#101;&#120;&#97;&#109;&#112;&#108;&#101;&#46;&#110;&#101;&#116;</a>, method=PLAIN, rip=212.8.246.222,
lip=10.11.12.13, TLS: Disconnected, session=<xxfH9mhDwgDUCPbe></p>
</blockquote>
<p>Steps:</p>
<ul>
<li>On Linux:</li>
</ul>
<pre><code>cd /etc/fail2ban/filter.d/
rm -f dovecot.iredmail.conf
wget https://github.com/iredmail/iRedMail/raw/1.0/samples/fail2ban/filter.d/dovecot.iredmail.conf
service fail2ban reload
</code></pre>
<ul>
<li>On FreeBSD and OpenBSD, we don't have Fail2ban configured, so not applicable.</li>
</ul>
<h3 id="add-more-banned-file-typesextensions-in-amavisd">Add more banned file types/extensions in Amavisd.</h3>
<blockquote>
<p>Note: this is applicable to all Linux/BSD distributions.</p>
</blockquote>
<p>We extended banned attachment file types and file name extensions to help
catch more dangerous email attachments. Please follow steps below to update
your Amavisd config file.</p>
<ul>
<li>
<p>Open Amavisd config file:</p>
<ul>
<li>on RHEL/CentOS: it's <code>/etc/amavisd/amavisd.conf</code></li>
<li>on Debian/Ubuntu: it's <code>/etc/amavis/conf.d/50-user</code></li>
<li>on FreeBSD: it's <code>/usr/local/etc/amavisd.conf</code></li>
<li>on OpenBSD: it's <code>/etc/amavisd.conf</code></li>
</ul>
</li>
<li>
<p>If you already have parameter <code>$banned_namepath_re</code> in Amavisd config file,
please replace it by below one. If you don't have it, please add it before
the last line (<code>1; # insure a defined return</code>) in Amavisd config file.</p>
</li>
</ul>
<pre><code>$banned_namepath_re = new_RE(
#[qr'T=(rar|arc|arj|zoo|gz|bz2)(,|\t)'xmi =&gt; 'DISCARD'], # Compressed file types
[qr'T=x-(msdownload|msdos-program|msmetafile)(,|\t)'xmi =&gt; 'DISCARD'],
[qr'T=(hta)(,|\t)'xmi =&gt; 'DISCARD'],
# Dangerous mime types
[qr'T=(9|386|LeChiffre|aaa|abc|aepl|ani|aru|atm|aut|b64|bat|bhx|bkd|blf|bll|bmw|boo|bps|bqf|breaking_bad|buk|bup|bxz|cc|ccc|ce0|ceo|cfxxe|chm|cih|cla|class|cmd|com|cpl|crinf|crjoker|crypt|cryptolocker|cryptowall|ctbl|cxq|cyw|dbd|delf|dev|dlb|dli|dll|dllx|dom|drv|dx|dxz|dyv|dyz|ecc|exe|exe-ms|exe1|exe_renamed|exx|ezt|ezz|fag|fjl|fnr|fuj|good|gzquar|hlp|hlw|hqx|hsq|hts|iva|iws|jar|js|kcd|keybtc@inbox_com|let|lik|lkh|lnk|locky|lok|lol!|lpaq5|magic|mfu|micro|mim|mjg|mjz|nls|oar|ocx|osa|ozd|pcx|pgm|php2|php3|pid|pif|plc|pr|pzdc|qit|qrn|r5a|rhk|rna|rsc_tmp|s7p|scr|shs|ska|smm|smtmp|sop|spam|ssy|swf|sys|tko|tps|tsa|tti|ttt|txs|upa|uu|uue|uzy|vb|vba|vbe|vbs|vbx|vexe|vxd|vzr|wlpginstall|ws|wsc|wsf|wsh|wss|xdu|xir|xlm|xlv|xnt|xnxx|xtbl|xxe|xxx|xyz|zix|zvz|zzz)(,|\t)'xmi =&gt; 'DISCARD'],
# Dangerous file name extensions
[qr'N=.*\.(9|386|LeChiffre|aaa|abc|aepl|ani|aru|atm|aut|b64|bat|bhx|bkd|blf|bll|bmw|boo|bps|bqf|breaking_bad|buk|bup|bxz|cc|ccc|ce0|ceo|cfxxe|chm|cih|cla|class|cmd|com|cpl|crinf|crjoker|crypt|cryptolocker|cryptowall|ctbl|cxq|cyw|dbd|delf|dev|dlb|dli|dll|dllx|dom|drv|dx|dxz|dyv|dyz|ecc|exe|exe-ms|exe1|exe_renamed|exx|ezt|ezz|fag|fjl|fnr|fuj|good|gzquar|hlp|hlw|hqx|hsq|hts|iva|iws|jar|js|kcd|keybtc@inbox_com|let|lik|lkh|lnk|locky|lok|lol!|lpaq5|magic|mfu|micro|mim|mjg|mjz|nls|oar|ocx|osa|ozd|pcx|pgm|php2|php3|pid|pif|plc|pr|pzdc|qit|qrn|r5a|rhk|rna|rsc_tmp|s7p|scr|shs|ska|smm|smtmp|sop|spam|ssy|swf|sys|tko|tps|tsa|tti|ttt|txs|upa|uu|uue|uzy|vb|vba|vbe|vbs|vbx|vexe|vxd|vzr|wlpginstall|ws|wsc|wsf|wsh|wss|xdu|xir|xlm|xlv|xnt|xnxx|xtbl|xxe|xxx|xyz|zix|zvz|zzz)$'xmi =&gt; 'DISCARD'],
);
</code></pre>
<ul>
<li>Restart Amavisd service is required.</li>
</ul>
<h2 id="openldap-backend-special">OpenLDAP backend special</h2>
<h3 id="use-the-latest-iredmail-ldap-schema-file">Use the latest iRedMail LDAP schema file</h3>
<p>iRedMail-0.9.6 introduces 2 new LDAP attributes:</p>
<ul>
<li><code>domainPendingAliasName</code>: used by mail domain account, to store new alias
domain names which is pending for domain ownership verification. Required by
iRedAdmin-Pro.</li>
<li><code>domainStatus</code>: used by mail user/alias/list accounts, to indicate domain
status.</li>
</ul>
<h4 id="update-openldap-config-file-to-index-new-attributes">Update OpenLDAP config file to index new attributes</h4>
<ul>
<li>
<p>Please open OpenLDAP config file <code>slapd.conf</code>:</p>
<ul>
<li>On RHEL/CentOS, it's <code>/etc/openldap/slapd.conf</code></li>
<li>On Debian/Ubuntu, it's <code>/etc/ldap/slapd.conf</code></li>
<li>On FreeBSD, it's <code>/usr/local/etc/openldap/slapd.conf</code></li>
<li>On OpenBSD:<ul>
<li>if you're running OpenLDAP, it's <code>/etc/openldap/slapd.conf</code>.</li>
<li>if you're running ldapd(8) LDAP server, please add a new line
<code>index domainStats</code> in the <code>namespace xxx {}</code> block.</li>
</ul>
</li>
</ul>
</li>
<li>
<p>for new attribute <code>domainPendingAliasName</code>, please find line below:</p>
</li>
</ul>
<pre><code>access to attrs=&quot;objectclass,domainName,mtaTransport,...&quot;
</code></pre>
<p>Add new attribute name <code>domainPendingAliasName</code> in this line (<strong>WARNING</strong>:
don't leave any whitespace between attribute names and comma):</p>
<pre><code>access to attrs=&quot;domainPendingAliasName,objectclass,domainName,mtaTransport,...&quot;
</code></pre>
<ul>
<li>for new attribute <code>domainStatus</code>, please find line below:</li>
</ul>
<pre><code>access to attrs=&quot;employeeNumber,mail,...&quot;
</code></pre>
<p>Add new attribute name <code>domainStatus</code> in this line (<strong>WARNING</strong>: don't leave
any whitespace between attribute names and comma):</p>
<pre><code>access to attrs=&quot;domainStatus,employeeNumber,mail,...&quot;
</code></pre>
<h4 id="download-the-latest-iredmail-ldap-schema-file">Download the latest iRedMail LDAP schema file</h4>
<ul>
<li>On RHEL/CentOS:</li>
</ul>
<pre><code>cd /tmp
wget https://github.com/iredmail/iRedMail/raw/1.0/samples/iredmail/iredmail.schema
cd /etc/openldap/schema/
cp iredmail.schema iredmail.schema.bak
cp -f /tmp/iredmail.schema /etc/openldap/schema/
service slapd restart
</code></pre>
<ul>
<li>On Debian/Ubuntu:</li>
</ul>
<pre><code>cd /tmp
wget https://github.com/iredmail/iRedMail/raw/1.0/samples/iredmail/iredmail.schema
cd /etc/ldap/schema/
cp iredmail.schema iredmail.schema.bak
cp -f /tmp/iredmail.schema /etc/ldap/schema/
service slapd restart
</code></pre>
<ul>
<li>On FreeBSD:</li>
</ul>
<pre><code>cd /tmp
wget https://github.com/iredmail/iRedMail/raw/1.0/samples/iredmail/iredmail.schema
cd /usr/local/etc/openldap/schema/
cp iredmail.schema iredmail.schema.bak
cp -f /tmp/iredmail.schema /usr/local/etc/openldap/schema/
service slapd restart
</code></pre>
<ul>
<li>
<p>On OpenBSD:</p>
<blockquote>
<p>Note: if you're running ldapd as LDAP server, the schema directory is
<code>/etc/ldap</code>, and service name is <code>ldapd</code>.</p>
</blockquote>
</li>
</ul>
<pre><code>cd /tmp
ftp https://github.com/iredmail/iRedMail/raw/1.0/samples/iredmail/iredmail.schema
cd /etc/openldap/schema/
cp iredmail.schema iredmail.schema.bak
cp -f /tmp/iredmail.schema /etc/openldap/schema/
rcctl restart slapd
</code></pre>
<h3 id="fixed-mail-accounts-user-alias-list-are-still-active-when-domain-is-disabled">Fixed: mail accounts (user, alias, list) are still active when domain is disabled</h3>
<blockquote>
<p>This fix is applicable to OpenBSD ldapd backend also.</p>
</blockquote>
<p>In iRedMail-0.9.5-1 and all earlier releases, if we disable a mail domain,
all mail accounts (mail users, aliases, lists) are still active and Postfix
will accept emails sent to them. Steps below fix the issue.</p>
<h4 id="update-postfixdovecot-ldap-lookup-files">Update Postfix/Dovecot LDAP lookup files</h4>
<ul>
<li>On Linux and OpenBSD, run commands:</li>
</ul>
<pre><code>cp -rf /etc/postfix/ldap /etc/postfix/ldap.bak
cd /etc/postfix/ldap/
perl -pi -e 's#\(accountStatus=active\)#(accountStatus=active)(!(domainStatus=disabled))#g' catchall_maps.cf recipient_bcc_maps_user.cf sender_bcc_maps_user.cf sender_dependent_relayhost_maps_user.cf sender_login_maps.cf transport_maps_user.cf virtual_alias_maps.cf virtual_group_maps.cf virtual_group_members_maps.cf virtual_mailbox_maps.cf
cp /etc/dovecot/dovecot-ldap.conf /etc/dovecot/dovecot-ldap.conf.$(date +%Y%m%d)
perl -pi -e 's#\(accountStatus=active\)#(accountStatus=active)(!(domainStatus=disabled))#g' /etc/dovecot/dovecot-ldap.conf
</code></pre>
<ul>
<li>On FreeBSD, run commands:</li>
</ul>
<pre><code>cp -rf /usr/local/etc/postfix/ldap /usr/local/etc/postfix/ldap.bak
cd /usr/local/etc/postfix/ldap/
perl -pi -e 's#\(accountStatus=active\)#(accountStatus=active)(!(domainStatus=disabled))#g' catchall_maps.cf recipient_bcc_maps_user.cf sender_bcc_maps_user.cf sender_dependent_relayhost_maps_user.cf sender_login_maps.cf transport_maps_user.cf virtual_alias_maps.cf virtual_group_maps.cf virtual_group_members_maps.cf virtual_mailbox_maps.cf
cp /usr/local/etc/dovecot/dovecot-ldap.conf /usr/local/etc/dovecot/dovecot-ldap.conf.$(date +%Y%m%d)
perl -pi -e 's#\(accountStatus=active\)#(accountStatus=active)(!(domainStatus=disabled))#g' /usr/local/etc/dovecot/dovecot-ldap.conf
</code></pre>
<ul>
<li>Restart both Postfix and Dovecot services:<ul>
<li>on Linux: <code>service postfix restart; service dovecot restart</code></li>
<li>on FreeBSD: <code>service postfix restart; service dovecot restart</code></li>
<li>on OpenBSD: <code>rcctl restart postfix; rcctl restart dovecot</code></li>
</ul>
</li>
</ul>
<h4 id="add-required-ldap-attributevalue-for-existing-mail-accounts-under-disabled-domains">Add required LDAP attribute/value for existing mail accounts under disabled domains</h4>
<ul>
<li>Download script to update existing mail accounts:</li>
</ul>
<pre><code>cd /root/
wget https://github.com/iredmail/iRedMail/raw/1.0/update/ldap/updateLDAPValues_095_1_to_096.py
</code></pre>
<ul>
<li>Open downloaded file <code>updateLDAPValues_095_1_to_096.py</code>, set LDAP server
related settings in this file. For example:</li>
</ul>
<pre><code># Part of file: updateLDAPValues_095_1_to_096.py
uri = 'ldap://127.0.0.1:389'
basedn = 'o=domains,dc=example,dc=com'
bind_dn = 'cn=vmailadmin,dc=example,dc=com'
bind_pw = 'passwd'
</code></pre>
<p>You can find required LDAP credential in iRedAdmin config file or
<code>iRedMail.tips</code> file under your iRedMail installation directory. Using either
<code>cn=Manager,dc=xx,dc=xx</code> or <code>cn=vmailadmin,dc=xx,dc=xx</code> as bind dn is ok, both
of them have read-write privilege to update mail accounts.</p>
<ul>
<li>Execute this script, it will add required data:</li>
</ul>
<pre><code># python updateLDAPValues_095_1_to_096.py
</code></pre>
<h2 id="mysqlmariadb-backend-special">MySQL/MariaDB backend special</h2>
<h3 id="fix-invalid-default-datetime-value-for-some-sql-columns-in-vmail-database">Fix invalid default (datetime) value for some SQL columns in 'vmail' database</h3>
<p>Default value of some SQL columns in <code>vmail</code> database will become invalid (an error)
in MySQL 5.7, no matter which version of MySQL you're running, please run SQL
commands below as SQL root user to fix them.</p>
<pre><code>USE vmail;
ALTER TABLE admin \
MODIFY passwordlastchange DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01', \
MODIFY created DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01', \
MODIFY modified DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01';
ALTER TABLE alias \
MODIFY created DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01', \
MODIFY modified DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01';
ALTER TABLE alias_domain \
MODIFY created DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01', \
MODIFY modified DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01';
ALTER TABLE domain \
MODIFY created DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01', \
MODIFY modified DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01';
ALTER TABLE domain_admins \
MODIFY created DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01', \
MODIFY modified DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01';
ALTER TABLE mailbox \
MODIFY lastlogindate DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01', \
MODIFY passwordlastchange DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01', \
MODIFY created DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01', \
MODIFY modified DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01';
ALTER TABLE recipient_bcc_domain \
MODIFY created DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01', \
MODIFY modified DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01';
ALTER TABLE recipient_bcc_user \
MODIFY created DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01', \
MODIFY modified DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01';
ALTER TABLE sender_bcc_domain \
MODIFY created DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01', \
MODIFY modified DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01';
ALTER TABLE sender_bcc_user \
MODIFY created DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01', \
MODIFY modified DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01';
UPDATE admin SET passwordlastchange='1970-01-01 01:01:01' WHERE passwordlastchange &lt; '1970-01-01 01:01:01';
UPDATE admin SET created='1970-01-01 01:01:01' WHERE created &lt; '1970-01-01 01:01:01';
UPDATE admin SET modified='1970-01-01 01:01:01' WHERE modified &lt; '1970-01-01 01:01:01';
UPDATE alias SET created='1970-01-01 01:01:01' WHERE created &lt; '1970-01-01 01:01:01';
UPDATE alias SET modified='1970-01-01 01:01:01' WHERE modified &lt; '1970-01-01 01:01:01';
UPDATE alias_domain SET created='1970-01-01 01:01:01' WHERE created &lt; '1970-01-01 01:01:01';
UPDATE alias_domain SET modified='1970-01-01 01:01:01' WHERE modified &lt; '1970-01-01 01:01:01';
UPDATE domain SET created='1970-01-01 01:01:01' WHERE created &lt; '1970-01-01 01:01:01';
UPDATE domain SET modified='1970-01-01 01:01:01' WHERE modified &lt; '1970-01-01 01:01:01';
UPDATE domain_admins SET created='1970-01-01 01:01:01' WHERE created &lt; '1970-01-01 01:01:01';
UPDATE domain_admins SET modified='1970-01-01 01:01:01' WHERE modified &lt; '1970-01-01 01:01:01';
UPDATE mailbox SET lastlogindate='1970-01-01 01:01:01' WHERE lastlogindate &lt; '1970-01-01 01:01:01';
UPDATE mailbox SET passwordlastchange='1970-01-01 01:01:01' WHERE passwordlastchange &lt; '1970-01-01 01:01:01';
UPDATE mailbox SET created='1970-01-01 01:01:01' WHERE created &lt; '1970-01-01 01:01:01';
UPDATE mailbox SET modified='1970-01-01 01:01:01' WHERE modified &lt; '1970-01-01 01:01:01';
UPDATE recipient_bcc_domain SET created='1970-01-01 01:01:01' WHERE created &lt; '1970-01-01 01:01:01';
UPDATE recipient_bcc_domain SET modified='1970-01-01 01:01:01' WHERE modified &lt; '1970-01-01 01:01:01';
UPDATE recipient_bcc_user SET created='1970-01-01 01:01:01' WHERE created &lt; '1970-01-01 01:01:01';
UPDATE recipient_bcc_user SET modified='1970-01-01 01:01:01' WHERE modified &lt; '1970-01-01 01:01:01';
UPDATE sender_bcc_domain SET created='1970-01-01 01:01:01' WHERE created &lt; '1970-01-01 01:01:01';
UPDATE sender_bcc_domain SET modified='1970-01-01 01:01:01' WHERE modified &lt; '1970-01-01 01:01:01';
UPDATE sender_bcc_user SET created='1970-01-01 01:01:01' WHERE created &lt; '1970-01-01 01:01:01';
UPDATE sender_bcc_user SET modified='1970-01-01 01:01:01' WHERE modified &lt; '1970-01-01 01:01:01';
</code></pre><div class="footer">
<p style="text-align: center; color: grey;">All documents are available in <a href="https://github.com/iredmail/docs/">GitHub repository</a>, and published under <a href="http://creativecommons.org/licenses/by-nd/3.0/us/" target="_blank">Creative Commons</a> license. You can <a href="https://github.com/iredmail/docs/archive/master.zip">download the latest version</a> for offline reading. If you found something wrong, please do <a href="https://www.iredmail.org/contact.html">contact us</a> to fix it.</p>
</div></body></html>
Reference in New Issue View Git Blame Copy Permalink