elmau
/
iredmail-doc
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
iredmail-doc/html_bk/upgrade.iredmail.0.9.6-0.9....

575 lines
28 KiB
HTML
Raw Permalink Blame History

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Upgrade iRedMail from 0.9.6 to 0.9.7</title>
<link rel="stylesheet" type="text/css" href="./css/markdown.css" />
</head>
<body>
<div id="navigation">
<a href="https://www.iredmail.org" target="_blank">
<img alt="iRedMail web site"
src="./images/logo-iredmail.png"
style="vertical-align: middle; height: 30px;"
/>&nbsp;
<span>iRedMail</span>
</a>
&nbsp;&nbsp;//&nbsp;&nbsp;<a href="./index.html">Document Index</a></div><h1 id="upgrade-iredmail-from-096-to-097">Upgrade iRedMail from 0.9.6 to 0.9.7</h1>
<div class="toc">
<ul>
<li><a href="#upgrade-iredmail-from-096-to-097">Upgrade iRedMail from 0.9.6 to 0.9.7</a><ul>
<li><a href="#changelog">ChangeLog</a></li>
<li><a href="#general-all-backends-should-apply-these-steps">General (All backends should apply these steps)</a><ul>
<li><a href="#update-etciredmail-release-with-new-iredmail-version-number">Update /etc/iredmail-release with new iRedMail version number</a></li>
<li><a href="#upgrade-iredapd-postfix-policy-server-to-the-latest-stable-release-21">Upgrade iRedAPD (Postfix policy server) to the latest stable release (2.1)</a></li>
<li><a href="#upgrade-iredadmin-open-source-edition-to-the-latest-stable-release-08">Upgrade iRedAdmin (open source edition) to the latest stable release (0.8)</a></li>
<li><a href="#upgrade-roundcube-webmail-to-the-latest-stable-release-130">Upgrade Roundcube webmail to the latest stable release (1.3.0)</a></li>
<li><a href="#fixed-improper-order-of-postfix-helo-restriction-rules">Fixed: improper order of Postfix HELO restriction rules.</a></li>
<li><a href="#fixed-incorrect-owner-and-permission-for-rotated-dovecot-log-files">Fixed: incorrect owner and permission for rotated Dovecot log files</a></li>
<li><a href="#fixed-incorrect-sessionsave_path-in-php-fpm-pool-config-file-on-rhelcentos">Fixed: incorrect session.save_path in php-fpm pool config file on RHEL/CentOS</a></li>
<li><a href="#fixed-incorrect-freshclam-setting-updatelogfile">Fixed: incorrect freshclam setting UpdateLogFile</a></li>
<li><a href="#fail2ban-fixes-an-improper-filter-and-add-new-filter-rule">Fail2ban: fixes an improper filter and add new filter rule</a></li>
<li><a href="#fail2ban-add-new-jail-for-nginx">Fail2ban: Add new jail for Nginx</a></li>
<li><a href="#new-new-backup-script-for-sogo">NEW: New backup script for SOGo</a></li>
<li><a href="#openbsd-upgrade-uwsgi-to-the-latest-2015">OpenBSD: Upgrade uwsgi to the latest 2.0.15</a></li>
</ul>
</li>
<li><a href="#openldap-backend-special">OpenLDAP backend special</a><ul>
<li><a href="#fixed-avoid-possible-backdooring-mysqldump-backups">Fixed: Avoid possible backdooring mysqldump backups</a></li>
</ul>
</li>
<li><a href="#mysqlmariadb-backend-special">MySQL/MariaDB backend special</a><ul>
<li><a href="#sql-structure-change-in-vmailalias-sql-table">SQL structure change in vmail.alias SQL table</a><ul>
<li><a href="#create-required-new-sql-tables">Create required new SQL tables</a></li>
<li><a href="#migrate-mail-accounts">Migrate mail accounts</a></li>
<li><a href="#update-postfix-config-files">Update Postfix config files</a></li>
<li><a href="#drop-unused-sql-columns-and-records-in-vmailalias-table">Drop unused SQL columns and records in vmail.alias table</a></li>
</ul>
</li>
<li><a href="#fixed-avoid-possible-backdooring-mysqldump-backups_1">Fixed: Avoid possible backdooring mysqldump backups</a></li>
</ul>
</li>
<li><a href="#postgresql-backend-specific">PostgreSQL backend specific</a><ul>
<li><a href="#sql-structure-change-in-vmailalias-sql-table_1">SQL structure change in vmail.alias SQL table</a><ul>
<li><a href="#create-required-new-sql-tables_1">Create required new SQL tables</a></li>
<li><a href="#migrate-mail-accounts_1">Migrate mail accounts</a></li>
<li><a href="#update-postfix-config-files_1">Update Postfix config files</a></li>
<li><a href="#drop-unused-sql-columns-in-vmailalias-table">Drop unused SQL columns in vmail.alias table</a></li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
</ul>
</div>
<div class="admonition note">
<p class="admonition-title">Paid Remote Upgrade Support</p>
<p>We offer remote upgrade support if you don't want to get your hands dirty,
check <a href="https://www.iredmail.org/support.html">the details</a> and
<a href="https://www.iredmail.org/contact.html">contact us</a>.</p>
</div>
<h2 id="changelog">ChangeLog</h2>
<ul>
<li>Nov 12, 2017: Add Fail2ban jail <code>nginx-http-auth</code>.</li>
<li>Jul 3, 2017: Mention how to upgrade uwsgi (OpenBSD only), iRedAdmin and iRedAPD.</li>
<li>Jul 2, 2017: Mention Roundcube 1.3.0 requires PHP 5.4.</li>
<li>Jul 1, 2017: Initial publish.</li>
</ul>
<h2 id="general-all-backends-should-apply-these-steps">General (All backends should apply these steps)</h2>
<h3 id="update-etciredmail-release-with-new-iredmail-version-number">Update <code>/etc/iredmail-release</code> with new iRedMail version number</h3>
<p>iRedMail stores the release version in <code>/etc/iredmail-release</code> after
installation, it's recommended to update this file after you upgraded iRedMail,
so that you can know which version of iRedMail you're running. For example:</p>
<pre><code>0.9.7
</code></pre>
<h3 id="upgrade-iredapd-postfix-policy-server-to-the-latest-stable-release-21">Upgrade iRedAPD (Postfix policy server) to the latest stable release (2.1)</h3>
<p>Please follow below tutorial to upgrade iRedAPD to the latest stable release:
<a href="./upgrade.iredapd.html">Upgrade iRedAPD to the latest stable release</a></p>
<h3 id="upgrade-iredadmin-open-source-edition-to-the-latest-stable-release-08">Upgrade iRedAdmin (open source edition) to the latest stable release (0.8)</h3>
<p>Please follow this tutorial to upgrade iRedAdmin open source edition to the
latest stable release:
<a href="./migrate.or.upgrade.iredadmin.html">Upgrade iRedAdmin to the latest stable release</a></p>
<h3 id="upgrade-roundcube-webmail-to-the-latest-stable-release-130">Upgrade Roundcube webmail to the latest stable release (1.3.0)</h3>
<div class="admonition warning">
<p class="admonition-title">Roundcube 1.3</p>
<ul>
<li>Roundcube 1.3 requires at least <strong>PHP 5.4</strong>. If your server is still running
PHP 5.3 and cannot upgrade to 5.4, please upgrade Roundcube to the latest
1.2 branch (1.2.5) instead.</li>
<li>Roundcube 1.3 no longer supports IE &lt; 10 and old versions of Firefox,
Chrome and Safari.</li>
<li>Roundcube 1.3 uses jQuery 3.2 and will not work with current jQuery
mobile plugin. If you use any third-party plugin, please check its
website to make sure it's compatible with Roundcube 1.3 before upgrading.</li>
</ul>
<p>With the release of Roundcube 1.3.0, the previous stable release branches
1.2.x and 1.1.x will switch in to LTS low maintenance mode which means
they will only receive important security updates but no longer any regular
improvement updates.</p>
</div>
<blockquote>
<p>There're several security fixes in Roundcube 1.2.4 and 1.2.5, all users are
encouraged to upgrade it as soon as possible. For more details about this
release, please check Roundcube release notes:</p>
<ul>
<li><a href="https://github.com/roundcube/roundcubemail/releases/tag/1.2.4">1.2.4</a></li>
<li><a href="https://github.com/roundcube/roundcubemail/releases/tag/1.2.5">1.2.5</a></li>
</ul>
</blockquote>
<p>Please follow Roundcube official tutorial to upgrade Roundcube webmail to the
latest stable release immediately:</p>
<ul>
<li><a href="https://github.com/roundcube/roundcubemail/wiki/Upgrade">How to upgrade Roundcube</a>.</li>
</ul>
<h3 id="fixed-improper-order-of-postfix-helo-restriction-rules">Fixed: improper order of Postfix HELO restriction rules.</h3>
<p>iRedMail-0.9.6 and earlier releases didn't configure Postfix to apply custom
HELO restriction rule before FQDN helo hostname check and DNS verification,
this way you cannot whitelist some bad HELO hostnames. Please follow steps
below to fix it.</p>
<ul>
<li>Open file <code>/etc/postfix/main.cf</code> (Linux/OpenBSD) or
<code>/usr/local/etc/postfix/main.cf</code> (FreeBSD), find parameter
<code>smtpd_helo_restrictions</code> like below:</li>
</ul>
<pre><code>smtpd_helo_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_non_fqdn_helo_hostname
reject_unknown_helo_hostname
check_helo_access pcre:/etc/postfix/helo_access.pcre
</code></pre>
<ul>
<li>Move the <code>check_helo_access</code> line after <code>permit_sasl_authenticated</code>:</li>
</ul>
<pre><code>smtpd_helo_restrictions =
permit_mynetworks
permit_sasl_authenticated
check_helo_access pcre:/etc/postfix/helo_access.pcre
reject_non_fqdn_helo_hostname
reject_unknown_helo_hostname
</code></pre>
<ul>
<li>Reloading or restarting Postfix service is required.</li>
</ul>
<h3 id="fixed-incorrect-owner-and-permission-for-rotated-dovecot-log-files">Fixed: incorrect owner and permission for rotated Dovecot log files</h3>
<div class="admonition attention">
<p class="admonition-title">Attention</p>
<p>This is applicable to Linux, not FreeBSD and OpenBSD.</p>
</div>
<p>iRedMail-0.9.6 and earlier releases have an incorrect logrotate setting for
Dovecot log file, it causes all Dovecot log files are empty due to no required
permission to open log files. Please follow steps below to fix it.</p>
<p>Please open file <code>/etc/logrotate.d/dovecot</code>, find line below:</p>
<pre><code> create 0600 vmail vmail
</code></pre>
<p>Remove above line and save the change.</p>
<h3 id="fixed-incorrect-sessionsave_path-in-php-fpm-pool-config-file-on-rhelcentos">Fixed: incorrect session.save_path in php-fpm pool config file on RHEL/CentOS</h3>
<div class="admonition attention">
<p class="admonition-title">Attention</p>
<p>This is applicable to RHEL/CentOS system, and Nginx web server.</p>
</div>
<p>iRedMail-0.9.6 doesn't set path for <code>session.save_path</code> parameter in php-fpm
pool config file <code>/etc/php-fpm.d/www.conf</code>, please fix it with steps below:</p>
<ul>
<li>Open file <code>/etc/php-fpm.d/www.conf</code>, find line:</li>
</ul>
<pre><code>php_value[session.save_path] = &quot;/var/lib/php/session&quot;
</code></pre>
<ul>
<li>The directory name should be <code>sessions</code> (ends with <code>s</code>), not <code>session</code>. So
please change it to:</li>
</ul>
<pre><code>php_value[session.save_path] = &quot;/var/lib/php/sessions&quot;
</code></pre>
<ul>
<li>Restarting php-fpm service is required:</li>
</ul>
<pre><code>service php-fpm restart
</code></pre>
<h3 id="fixed-incorrect-freshclam-setting-updatelogfile">Fixed: incorrect freshclam setting <code>UpdateLogFile</code></h3>
<div class="admonition attention">
<p class="admonition-title">Attention</p>
<p>This is applicable to RHEL/CentOS system.</p>
</div>
<p>With iRedMail-0.9.6, freshclam program cannot update ClamAV signatures due to
improper log file permission, please open its config file <code>/etc/freshclam.conf</code>
or <code>/etc/clamav/freshclam.conf</code>, comment out setting <code>UpdateLogFile</code> to use
syslog for logging.</p>
<pre><code>#UpdateLogFile ... # &lt;- Comment out this parameter
LogSyslog true # &lt;- Make sure you have this line. If not present, please add it manually.
</code></pre>
<h3 id="fail2ban-fixes-an-improper-filter-and-add-new-filter-rule">Fail2ban: fixes an improper filter and add new filter rule</h3>
<p>iRedMail-0.9.7 fixes an improper filter for Dovecot log file which may cause
incorrect ban, and adds a new filter for Roundcube log file to help ban bad
client while Roundcube is running behind a proxy server.</p>
<ul>
<li>On Linux:</li>
</ul>
<pre><code>cd /etc/fail2ban/filter.d/
rm -f dovecot.iredmail.conf roundcube.iredmail.conf
wget https://github.com/iredmail/iRedMail/raw/1.0/samples/fail2ban/filter.d/dovecot.iredmail.conf
wget https://github.com/iredmail/iRedMail/raw/1.0/samples/fail2ban/filter.d/roundcube.iredmail.conf
</code></pre>
<p>Restarting Fail2ban service is required.</p>
<h3 id="fail2ban-add-new-jail-for-nginx">Fail2ban: Add new jail for Nginx</h3>
<div class="admonition attention">
<p class="admonition-title">Attention</p>
<p>This is applicable if you run Nginx as web server.</p>
</div>
<p>Let's add a new jail to stop bad clients which tried to perform http basic auth
but failed.</p>
<p>Create file <code>/etc/fail2ban/jail.d/nginx-http-auth.local</code> with content below:</p>
<div class="admonition attention">
<p class="admonition-title">Attention</p>
<p>If directory <code>/etc/fail2ban/jail.d/</code> doesn't exist, you can append content
below in file <code>/etc/fail2ban/jail.local</code> instead.</p>
</div>
<pre><code>[nginx-http-auth]
enabled = true
filter = nginx-http-auth
action = iptables-multiport[name=nginx, port=&quot;80,443&quot;, protocol=tcp]
logpath = /var/log/nginx/error.log
</code></pre>
<p>Restarting Fail2ban service is required.</p>
<h3 id="new-new-backup-script-for-sogo">NEW: New backup script for SOGo</h3>
<div class="admonition attention">
<p class="admonition-title">Attention</p>
<p>This is not applicable to SOGo-2.x because it doesn't support backing up
all users' data with command <code>sogo-tool backup /path/to/backup/dir ALL</code>.</p>
</div>
<p>iRedMail has script <code>/var/vmail/backup/backup_mysql.sh</code> (or <code>backup_pgsql.sh</code>)
to backup SOGo database by dumping whole database to a plain SQL file as
backup. It's not ideal because:</p>
<ul>
<li>it's hard to restore single user's data with a plain SQL file.</li>
<li>if SOGo changes some SQL structure, it's hard to restore all data.</li>
</ul>
<p>This new script does backup with <code>sogo-tool backup</code> command to avoid issues
mentioned above, you can restore a single user's data or all users data with
<code>sogo-tool restore</code>.</p>
<p>Please follow steps below to setup this daily cron job.</p>
<ul>
<li>Download backup script. We store it under <code>/var/vmail/backup</code>, if you prefer
a different directory, feel free to change the directory name used in commands
below:</li>
</ul>
<pre><code>cd /var/vmail/backup/
wget https://github.com/iredmail/iRedMail/raw/1.0/tools/backup_sogo.sh
chmod 0400 backup_sogo.sh
</code></pre>
<ul>
<li>This script will create new directory under <code>/var/vmail/backup</code> like below
to store backup files:</li>
</ul>
<pre><code>/var/vmail/backup
|- sogo/
|- 2017/ # &lt;- year
|- 03/ # &lt;- month
|- 22.tar.bz2 # &lt;- day (file name is: &lt;day&gt;.tar.bz2)
</code></pre>
<p>If you want to use another directory to store backup files, please open file
<code>backup_sogo.sh</code>, update variable <code>BACKUP_ROOTDIR</code> with the new directory.</p>
<ul>
<li>Run command <code>crontab -e -u root</code> to setup root user's cron job. Add content
below as new job:</li>
</ul>
<pre><code># SOGo: backup all users' data at 3:05AM everyday.
5 3 * * * bash /var/vmail/backup/backup_sogo.sh
</code></pre>
<h3 id="openbsd-upgrade-uwsgi-to-the-latest-2015">OpenBSD: Upgrade uwsgi to the latest 2.0.15</h3>
<p>uwsgi is the interface between Nginx and iRedAdmin, so if you're running
iRedAdmin, it's recommended to upgrade uwsgi to the latest version, 2.0.15.</p>
<p>Steps: Download the latest uwsgi, compile it, then restart uwsgi service.</p>
<pre><code>cd /root/
ftp https://projects.unbit.it/downloads/uwsgi-2.0.15.tar.gz
tar zxf uwsgi-2.0.15.tar.gz
cd uwsgi-2.0.15
python setup.py install
</code></pre>
<p>uwsgi should be succesfully installed, then restart uwsgi service:</p>
<pre><code>rcctl restart uwsgi
</code></pre>
<h2 id="openldap-backend-special">OpenLDAP backend special</h2>
<h3 id="fixed-avoid-possible-backdooring-mysqldump-backups">Fixed: Avoid possible backdooring mysqldump backups</h3>
<p>For more details about this backdooring mysqldump backup issue, please read
blog post:</p>
<ul>
<li><a href="https://blog.tarq.io/cve-2016-5483-backdooring-mysqldump-backups/">[CVE-2016-5483] Backdooring mysqldump backups</a>.</li>
</ul>
<p>Steps to fix it:</p>
<ul>
<li>
<p>Open the daily MySQL backup script, it's <code>/var/vmail/backup/backup_mysql.sh</code>
by default. if you use different storage directory during iRedMail
installation, you can find the base directory with command <code>postconf virtual_mailbox_base</code>.</p>
</li>
<li>
<p>Find variable name <code>CMD_MYSQLDUMP</code> like below:</p>
</li>
</ul>
<pre><code>export CMD_MYSQLDUMP=&quot;mysqldump ...&quot;
</code></pre>
<ul>
<li>Make sure it has argument <code>--skip-comments</code> like below:</li>
</ul>
<pre><code>export CMD_MYSQLDUMP=&quot;mysqldump ... --skip-comments&quot;
</code></pre>
<ul>
<li>Save your change. That's it.</li>
</ul>
<h2 id="mysqlmariadb-backend-special">MySQL/MariaDB backend special</h2>
<h3 id="sql-structure-change-in-vmailalias-sql-table">SQL structure change in <code>vmail.alias</code> SQL table</h3>
<p>We've made some changes to <code>vmail.alias</code> SQL table for easier account
management. This change introduces 2 new SQL tables (<code>forwardings</code>, <code>alias_moderators</code>),
and (optionally) dropped few columns in <code>vmail.alias</code> table.</p>
<p>iRedAPD and iRedAdmin (and iRedAdmin-Pro) have been upgraded to use this new
SQL structure.</p>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>Please backup SQL database <code>vmail</code> before you run any SQL commands below.</p>
</div>
<h4 id="create-required-new-sql-tables">Create required new SQL tables</h4>
<p>Please connect to MySQL server as MySQL root user, and execute SQL commands
below to create required new tables:</p>
<pre><code>USE vmail;
CREATE TABLE IF NOT EXISTS alias_moderators (
id BIGINT(20) UNSIGNED AUTO_INCREMENT,
address VARCHAR(255) NOT NULL DEFAULT '',
moderator VARCHAR(255) NOT NULL DEFAULT '',
domain VARCHAR(255) NOT NULL DEFAULT '',
dest_domain VARCHAR(255) NOT NULL DEFAULT '',
PRIMARY KEY (id),
UNIQUE INDEX (address, moderator),
INDEX (domain),
INDEX (dest_domain)
) ENGINE=InnoDB;
-- Forwardings. it contains
-- - members of mail alias account
-- - per-account alias addresses
-- - per-user mail forwarding addresses
CREATE TABLE IF NOT EXISTS forwardings (
id BIGINT(20) UNSIGNED AUTO_INCREMENT,
address VARCHAR(255) NOT NULL DEFAULT '',
forwarding VARCHAR(255) NOT NULL DEFAULT '',
domain VARCHAR(255) NOT NULL DEFAULT '',
dest_domain VARCHAR(255) NOT NULL DEFAULT '',
-- defines whether it's a standalone mail alias account. 0=no, 1=yes.
is_list TINYINT(1) NOT NULL DEFAULT 0,
-- defines whether it's a mail forwarding address of mail user. 0=no, 1=yes.
is_forwarding TINYINT(1) NOT NULL DEFAULT 0,
-- defines whether it's a per-account alias address. 0=no, 1=yes.
is_alias TINYINT(1) NOT NULL DEFAULT 0,
active TINYINT(1) NOT NULL DEFAULT 1,
PRIMARY KEY (id),
UNIQUE INDEX (address, forwarding),
INDEX (domain),
INDEX (dest_domain),
INDEX (is_list),
INDEX (is_alias)
) ENGINE=InnoDB;
</code></pre>
<h4 id="migrate-mail-accounts">Migrate mail accounts</h4>
<p>Please download script used to migrate mail accounts, and run it directly:</p>
<div class="admonition attention">
<p class="admonition-title">Attention</p>
<p>If you're running Python 3, please download this file instead:
<code>https://github.com/iredmail/iRedMail/raw/master/tools/migrate_sql_alias_table.py</code>,
and run it with command <code>python3 migrate_sql_alias_table.py</code>.</p>
</div>
<pre><code>cd /root/
wget https://github.com/iredmail/iRedMail/raw/1.0/tools/migrate_sql_alias_table.py
python migrate_sql_alias_table.py
</code></pre>
<p>Note: It will try to read iRedAdmin config file from one of paths below, and
connects to SQL server as user <code>vmailadmin</code>:</p>
<ul>
<li>/opt/www/iredadmin/settings.py (Debian/Ubuntu)</li>
<li>/var/www/iredadmin/settings.py (CentOS/OpenBSD)</li>
<li>/usr/share/apache2/iredadmin/settings.py (Debian/Ubuntu with old iRedMail releases)</li>
<li>/usr/local/www/iredadmin/settings.py (FreeBSD)</li>
</ul>
<h4 id="update-postfix-config-files">Update Postfix config files</h4>
<p>Please run shell commands below to tell Postfix to use new SQL tables.</p>
<p>Notes: on FreeBSD, the path is <code>/usr/local/etc/postfix/mysql</code>.</p>
<pre><code>cd /etc/postfix/mysql/
perl -pi -e 's#alias\.address#forwardings.address#g' *.cf
perl -pi -e 's#alias\.goto#forwardings.forwarding#g' *.cf
perl -pi -e 's#alias\.active#forwardings.active#g' *.cf
perl -pi -e 's#alias\.domain#forwardings.domain#g' *.cf
perl -pi -e 's#alias,#forwardings,#g' *.cf
</code></pre>
<p>Restarting Postfix service is required.</p>
<h4 id="drop-unused-sql-columns-and-records-in-vmailalias-table">Drop unused SQL columns and records in <code>vmail.alias</code> table</h4>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<ul>
<li>Make sure you have a backup of SQL database <code>vmail</code>.</li>
<li>Please also upgrade iRedAPD and iRedAdmin-Pro, they need the new SQL
structure too.</li>
</ul>
</div>
<p>After migration, <code>vmail.alias</code> table contains few sql columns we will never
use, also old records (accounts) will cause ghost accounts if we don't remove
them.</p>
<p>Please connect to MySQL server as MySQL root user, then execute SQL commands
below:</p>
<pre><code>USE vmail;
-- Remove non-mail-alias account
DELETE FROM alias WHERE islist &lt;&gt; 1;
-- Remove per-domain catch-all account
DELETE FROM alias WHERE address=domain;
-- Drop unused columns
ALTER TABLE alias DROP COLUMN goto;
ALTER TABLE alias DROP COLUMN moderators;
ALTER TABLE alias DROP COLUMN islist;
ALTER TABLE alias DROP COLUMN is_alias;
ALTER TABLE alias DROP COLUMN alias_to;
</code></pre>
<h3 id="fixed-avoid-possible-backdooring-mysqldump-backups_1">Fixed: Avoid possible backdooring mysqldump backups</h3>
<p>For more details about this backdooring mysqldump backup issue, please read
blog post:</p>
<ul>
<li><a href="https://blog.tarq.io/cve-2016-5483-backdooring-mysqldump-backups/">[CVE-2016-5483] Backdooring mysqldump backups</a>.</li>
</ul>
<p>Steps to fix it:</p>
<ul>
<li>
<p>Open the daily MySQL backup script, it's <code>/var/vmail/backup/backup_mysql.sh</code>
by default. if you use different storage directory during iRedMail
installation, you can find the base directory with command <code>postconf virtual_mailbox_base</code>.</p>
</li>
<li>
<p>Find variable name <code>CMD_MYSQLDUMP</code> like below:</p>
</li>
</ul>
<pre><code>export CMD_MYSQLDUMP=&quot;mysqldump ...&quot;
</code></pre>
<ul>
<li>Make sure it has argument <code>--skip-comments</code> like below:</li>
</ul>
<pre><code>export CMD_MYSQLDUMP=&quot;mysqldump ... --skip-comments&quot;
</code></pre>
<ul>
<li>Save your change. That's it.</li>
</ul>
<h2 id="postgresql-backend-specific">PostgreSQL backend specific</h2>
<h3 id="sql-structure-change-in-vmailalias-sql-table_1">SQL structure change in <code>vmail.alias</code> SQL table</h3>
<p>We've made some changes to <code>vmail.alias</code> SQL table for easier account
management, this change introduces 2 new SQL tables (<code>forwardings</code>, <code>alias_moderators</code>),
and (optionally) dropped few columns in <code>vmail.alias</code> table.</p>
<p>iRedAPD and iRedAdmin (and iRedAdmin-Pro) have been upgraded to use this new
SQL structure.</p>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>Please backup SQL database <code>vmail</code> before you run any SQL commands below.</p>
</div>
<h4 id="create-required-new-sql-tables_1">Create required new SQL tables</h4>
<p>Please run shell commands below to connect to PostgreSQL server as
<code>vmailadmin</code> user first:</p>
<pre><code>su - postgres
psql -U vmailadmin -d vmail
</code></pre>
<p>Then execute SQL commands below to create required new tables:</p>
<pre><code>CREATE TABLE alias_moderators (
id SERIAL PRIMARY KEY,
address VARCHAR(255) NOT NULL DEFAULT '',
moderator VARCHAR(255) NOT NULL DEFAULT '',
domain VARCHAR(255) NOT NULL DEFAULT '',
dest_domain VARCHAR(255) NOT NULL DEFAULT ''
);
CREATE INDEX idx_alias_moderators_address ON alias_moderators (address);
CREATE INDEX idx_alias_moderators_moderator ON alias_moderators (moderator);
CREATE UNIQUE INDEX idx_alias_moderators_address_moderator ON alias_moderators (address, moderator);
CREATE INDEX idx_alias_moderators_domain ON alias_moderators (domain);
CREATE INDEX idx_alias_moderators_dest_domain ON alias_moderators (dest_domain);
CREATE TABLE forwardings (
id SERIAL PRIMARY KEY,
address VARCHAR(255) NOT NULL DEFAULT '',
forwarding VARCHAR(255) NOT NULL DEFAULT '',
domain VARCHAR(255) NOT NULL DEFAULT '',
dest_domain VARCHAR(255) NOT NULL DEFAULT '',
-- defines whether it's a standalone mail alias account. 0=no, 1=yes.
is_list INT2 NOT NULL DEFAULT 0,
-- defines whether it's a mail forwarding address of mail user. 0=no, 1=yes.
is_forwarding INT2 NOT NULL DEFAULT 0,
-- defines whether it's a per-account alias address. 0=no, 1=yes.
is_alias INT2 NOT NULL DEFAULT 0,
active INT2 NOT NULL DEFAULT 1
);
CREATE INDEX idx_forwardings_address ON forwardings (address);
CREATE INDEX idx_forwardings_forwarding ON forwardings (forwarding);
CREATE UNIQUE INDEX idx_forwardings_address_forwarding ON forwardings (address, forwarding);
CREATE INDEX idx_forwardings_domain ON forwardings (domain);
CREATE INDEX idx_forwardings_dest_domain ON forwardings (dest_domain);
CREATE INDEX idx_forwardings_is_list ON forwardings (is_list);
CREATE INDEX idx_forwardings_is_forwarding ON forwardings (is_forwarding);
CREATE INDEX idx_forwardings_is_alias ON forwardings (is_alias);
-- Grant required privilege to vmail user
GRANT SELECT ON TABLE forwardings to vmail;
GRANT SELECT ON TABLE alias_moderators to vmail;
</code></pre>
<h4 id="migrate-mail-accounts_1">Migrate mail accounts</h4>
<p>Please download script used to migrate mail accounts, and run it directly:</p>
<pre><code>cd /root/
wget https://github.com/iredmail/iRedMail/raw/1.0/tools/migrate_sql_alias_table.py
python migrate_sql_alias_table.py
</code></pre>
<p>Note: It will try to read iRedAdmin config file from one of paths below, and
connects to SQL server as user <code>vmailadmin</code>:</p>
<ul>
<li>/opt/www/iredadmin/settings.py (Debian/Ubuntu)</li>
<li>/var/www/iredadmin/settings.py (CentOS/OpenBSD)</li>
<li>/usr/share/apache2/iredadmin/settings.py (Debian/Ubuntu with old iRedMail releases)</li>
<li>/usr/local/www/iredadmin/settings.py (FreeBSD)</li>
</ul>
<h4 id="update-postfix-config-files_1">Update Postfix config files</h4>
<p>Please run shell commands below to tell Postfix to use new SQL tables.</p>
<p>Notes: on FreeBSD, the path is <code>/usr/local/etc/postfix/pgsql</code>.</p>
<pre><code>cd /etc/postfix/pgsql/
perl -pi -e 's#alias\.address#forwardings.address#g' *.cf
perl -pi -e 's#alias\.goto#forwardings.forwarding#g' *.cf
perl -pi -e 's#alias\.active#forwardings.active#g' *.cf
perl -pi -e 's#alias\.domain#forwardings.domain#g' *.cf
perl -pi -e 's#alias,#forwardings,#g' *.cf
</code></pre>
<p>Restarting Postfix service is required.</p>
<h4 id="drop-unused-sql-columns-in-vmailalias-table">Drop unused SQL columns in <code>vmail.alias</code> table</h4>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<ul>
<li>Make sure you have a backup of SQL database <code>vmail</code>.</li>
<li>Please also upgrade iRedAPD and iRedAdmin-Pro, they need the new SQL
structure too.</li>
</ul>
</div>
<p>After migration, few columns in <code>vmail.alias</code> table are not used anymore, it's
ok to drop them. But it's strongly recommended to keep them for few more days
until you can confirm all features are working as expected.</p>
<pre><code>su - postgres
psql -d vmail
-- Remove non-mail-alias account
DELETE FROM alias WHERE islist &lt;&gt; 1;
-- per-domain catch-all account
DELETE FROM alias WHERE address=domain;
-- Drop unused columns
ALTER TABLE alias DROP COLUMN goto;
ALTER TABLE alias DROP COLUMN moderators;
ALTER TABLE alias DROP COLUMN islist;
ALTER TABLE alias DROP COLUMN is_alias;
ALTER TABLE alias DROP COLUMN alias_to;
</code></pre><div class="footer">
<p style="text-align: center; color: grey;">All documents are available in <a href="https://github.com/iredmail/docs/">GitHub repository</a>, and published under <a href="http://creativecommons.org/licenses/by-nd/3.0/us/" target="_blank">Creative Commons</a> license. You can <a href="https://github.com/iredmail/docs/archive/master.zip">download the latest version</a> for offline reading. If you found something wrong, please do <a href="https://www.iredmail.org/contact.html">contact us</a> to fix it.</p>
</div></body></html>
Reference in New Issue View Git Blame Copy Permalink