<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Upgrade iRedMail from 1.4.2 to 1.4.3</title>
<link rel="stylesheet" type="text/css" href="./css/markdown.css" />
</head>
<body>
<div id="navigation">
<a href="https://www.iredmail.org" target="_blank">
<img alt="iRedMail web site"
src="./images/logo-iredmail.png"
style="vertical-align: middle; height: 30px;"
/>
<span>iRedMail</span>
</a>
// <a href="./index.html">Document Index</a></div><h1 id="upgrade-iredmail-from-142-to-143">Upgrade iRedMail from 1.4.2 to 1.4.3</h1>
<div class="toc">
<ul>
<li><a href="#upgrade-iredmail-from-142-to-143">Upgrade iRedMail from 1.4.2 to 1.4.3</a><ul>
<li><a href="#changelog">ChangeLog</a></li>
<li><a href="#general-all-backends-should-apply-these-changes">General (All backends should apply these changes)</a><ul>
<li><a href="#update-etciredmail-release-with-new-iredmail-version-number">Update /etc/iredmail-release with new iRedMail version number</a></li>
<li><a href="#upgrade-mlmmjadmin-to-the-latest-stable-release-313">Upgrade mlmmjadmin to the latest stable release (3.1.3)</a></li>
<li><a href="#nginx-several-improvements">Nginx: several improvements</a></li>
<li><a href="#dovecot-enable-new-ssl-cipher-eecdhchacha20-and-remove-the-weak-one-aes256edh">Dovecot: enable new ssl cipher EECDH+CHACHA20 and remove the weak one AES256+EDH</a></li>
</ul>
</li>
</ul>
</li>
</ul>
</div>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>This IS A DRAFT DOCUMENT, DO NOT APPLY IT.</p>
</div>
<div class="admonition note">
<p class="admonition-title">Paid Remote Upgrade Support</p>
<p>We offer remote upgrade support if you don't want to get your hands dirty,
check <a href="https://www.iredmail.org/support.html">the details</a> and
<a href="https://www.iredmail.org/contact.html">contact us</a>.</p>
</div>
<h2 id="changelog">ChangeLog</h2>
<h2 id="general-all-backends-should-apply-these-changes">General (All backends should apply these changes)</h2>
<h3 id="update-etciredmail-release-with-new-iredmail-version-number">Update <code>/etc/iredmail-release</code> with new iRedMail version number</h3>
<p>iRedMail stores the release version in <code>/etc/iredmail-release</code> after
installation. It's recommended to update this file after you upgrade iRedMail,
so that you know which version of iRedMail you're running. For example:</p>
<pre><code>1.4.3
</code></pre>
<h3 id="upgrade-mlmmjadmin-to-the-latest-stable-release-313">Upgrade mlmmjadmin to the latest stable release (3.1.3)</h3>
<p>Please follow the tutorial below to upgrade mlmmjadmin to the latest stable release:
<a href="./upgrade.mlmmjadmin.html">Upgrade mlmmjadmin to the latest stable release</a></p>
<h3 id="nginx-several-improvements">Nginx: several improvements</h3>
<div class="admonition attention">
<p class="admonition-title">Attention</p>
<p>All credit goes to GitHub user
<a href="https://github.com/ludovicandrieux">@ludovicandrieux</a>, thanks for the
contributions. See also:
<a href="https://github.com/iredmail/iRedMail/issues/136">#136</a>,
<a href="https://github.com/iredmail/iRedMail/issues/137">#137</a>,
<a href="https://github.com/iredmail/iRedMail/issues/138">#138</a>.</p>
</div>
<ul>
<li>Enable TLSv1.3. WARNING: this requires Nginx 1.13 or later, which is
available on:<ul>
<li>CentOS 7 and later</li>
<li>Debian 10 and later</li>
<li>Ubuntu 18.04 and later</li>
<li>FreeBSD</li>
<li>OpenBSD</li>
</ul>
</li>
<li>Greatly improve the performance of HTTP keep-alive connections over SSL by
enabling the <code>ssl_session_cache</code> parameter. See also:<ul>
<li><a href="https://vincent.bernat.ch/en/blog/2011-ssl-session-reuse-rfc5077">Speeding up TLS: enabling session reuse</a></li>
<li><a href="https://www.peterbe.com/plog/ssl_session_cache-ab">ssl_session_cache in Nginx and the ab benchmark</a></li>
</ul>
</li>
<li>Add a new SSL cipher: <code>EECDH+CHACHA20</code>. It requires OpenSSL 1.1.0, which is
available on:<ul>
<li>CentOS 7 and later</li>
<li>Debian 9 and later</li>
<li>Ubuntu 18.04 and later</li>
<li>FreeBSD</li>
<li>OpenBSD</li>
</ul>
</li>
<li>Remove the weak SSL cipher: <code>AES256+EDH</code>.</li>
</ul>
<p>To apply these changes, open the file <code>/etc/nginx/templates/ssl.tmpl</code> with
your favourite text editor, then:</p>
<ul>
<li>Append <code>TLSv1.3</code> to the parameter <code>ssl_protocols</code>. For example:</li>
</ul>
<pre><code>ssl_protocols TLSv1.2 TLSv1.3;
</code></pre>
<ul>
<li>Prepend <code>EECDH+CHACHA20</code> to the parameter <code>ssl_ciphers</code>, and remove <code>AES256+EDH</code>.
For example:</li>
</ul>
<pre><code>ssl_ciphers EECDH+CHACHA20:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH;
</code></pre>
<ul>
<li>Add the new parameter <code>ssl_session_cache</code> and the optional comment lines:</li>
</ul>
<pre><code># Greatly improve the performance of keep-alive connections over SSL.
# With this enabled, clients do not need to perform a full SSL handshake for
# every request, which saves time and CPU resources.
ssl_session_cache shared:SSL:10m;
</code></pre>
<p>Restarting the Nginx service is required.</p>
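<p>The three template edits above can be checked mechanically before the restart. The script below is an added example, not part of the iRedMail documentation or code; the function names and the sample template are constructed for illustration. It compares cipher tokens exactly, so the retained <code>AES256+EECDH</code> and <code>EDH+AESGCM</code> entries are not mistaken for the removed <code>AES256+EDH</code>.</p>

```shell
#!/bin/sh
# Added example (not iRedMail code): audit an Nginx SSL template against the
# three edits described above. Function names are hypothetical.

# Print the value of the first non-commented occurrence of directive $1 in file $2.
nginx_directive() {
    sed -n "s/^[[:space:]]*$1[[:space:]][[:space:]]*\([^;#]*\);.*/\1/p" "$2" | head -n 1
}

# Succeed if colon-separated cipher string $1 contains token $2 exactly.
# A substring match would not do: AES256+EECDH and EDH+AESGCM must stay.
has_cipher() {
    case ":$1:" in *":$2:"*) return 0 ;; *) return 1 ;; esac
}

# Audit file $1: print one line per finding, return the number of findings.
audit_ssl_tmpl() {
    findings=0
    protocols=$(nginx_directive ssl_protocols "$1")
    ciphers=$(nginx_directive ssl_ciphers "$1")
    cache=$(nginx_directive ssl_session_cache "$1")
    case " $protocols " in
        *" TLSv1.3 "*) ;;
        *) echo "ssl_protocols: TLSv1.3 missing"; findings=$((findings + 1)) ;;
    esac
    case "$ciphers" in
        "EECDH+CHACHA20"|"EECDH+CHACHA20:"*) ;;
        *) echo "ssl_ciphers: EECDH+CHACHA20 is not first"; findings=$((findings + 1)) ;;
    esac
    if has_cipher "$ciphers" "AES256+EDH"; then
        echo "ssl_ciphers: AES256+EDH still present"; findings=$((findings + 1))
    fi
    if [ -z "$cache" ]; then
        echo "ssl_session_cache: not set"; findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: a template that has not had the edits applied yet.
sample=$(mktemp)
printf '%s\n' 'ssl_protocols TLSv1.2;' \
    'ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;' > "$sample"
audit_ssl_tmpl "$sample" || echo "findings: $?"
rm -f "$sample"
```

<p>On a live system the file to pass is <code>/etc/nginx/templates/ssl.tmpl</code>; a non-zero exit status is the number of edits still outstanding.</p>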
<h3 id="dovecot-enable-new-ssl-cipher-eecdhchacha20-and-remove-the-weak-one-aes256edh">Dovecot: enable new ssl cipher <code>EECDH+CHACHA20</code> and remove the weak one <code>AES256+EDH</code></h3>
<p>Open the file <code>/etc/dovecot/dovecot.conf</code> (Linux/OpenBSD) or
<code>/usr/local/etc/dovecot/dovecot.conf</code> (FreeBSD), and update the parameter
<code>ssl_cipher_list</code> to:</p>
<pre><code>ssl_cipher_list = EECDH+CHACHA20:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH
</code></pre>
<p>Restarting the Dovecot service is required.</p>
<div class="footer">
<p style="text-align: center; color: grey;">All documents are available in <a href="https://github.com/iredmail/docs/">GitHub repository</a>, and published under <a href="http://creativecommons.org/licenses/by-nd/3.0/us/" target="_blank">Creative Commons</a> license. You can <a href="https://github.com/iredmail/docs/archive/master.zip">download the latest version</a> for offline reading. If you found something wrong, please do <a href="https://www.iredmail.org/contact.html">contact us</a> to fix it.</p>
</div></body></html>