<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Upgrade iRedMail from 0.9.0 to 0.9.1</title>
<link href="./css/markdown.css" rel="stylesheet">
</head>
<body>
<h1 id="upgrade-iredmail-from-090-to-091">Upgrade iRedMail from 0.9.0 to 0.9.1</h1>
<div class="toc">
<ul>
<li><a href="#upgrade-iredmail-from-090-to-091">Upgrade iRedMail from 0.9.0 to 0.9.1</a><ul>
<li><a href="#changelog">ChangeLog</a></li>
<li><a href="#general-all-backends-should-apply-these-steps">General (All backends should apply these steps)</a><ul>
<li><a href="#upgrade-roundcube-webmail-to-the-latest-stable-release">Upgrade Roundcube webmail to the latest stable release</a></li>
<li><a href="#fixed-return-receipt-response-rejected-by-iredapd-plugin-reject_null_sender">Fixed: return receipt response rejected by iRedAPD plugin reject_null_sender</a></li>
<li><a href="#fixed-cannot-run-php-script-under-web-document-root-with-nginx">Fixed: Cannot run PHP script under web document root with Nginx.</a></li>
<li><a href="#fixed-incorrect-path-of-command-sogo-tool-on-openbsd">Fixed: Incorrect path of command sogo-tool on OpenBSD</a></li>
<li><a href="#optional-setup-fail2ban-to-monitor-password-failures-in-sogo-log-file">[OPTIONAL] Setup Fail2ban to monitor password failures in SOGo log file</a></li>
<li><a href="#optional-add-two-more-fail2ban-filter-regular-expressios-to-help-catch-spam">[OPTIONAL] Add two more Fail2ban filter regular expressions to help catch spam</a></li>
</ul>
</li>
<li><a href="#openldap-backend-special">OpenLDAP backend special</a><ul>
<li><a href="#fixed-not-backup-sogo-database">Fixed: not backup SOGo database</a></li>
<li><a href="#optional-bypass-greylisting-for-some-big-isps">[OPTIONAL] Bypass greylisting for some big ISPs</a></li>
</ul>
</li>
<li><a href="#mysqlmariadb-backend-special">MySQL/MariaDB backend special</a><ul>
<li><a href="#fixed-not-apply-service-restriction-in-dovecot-sql-query-file-while-acting-as-sasl-server">Fixed: Not apply service restriction in Dovecot SQL query file while acting as SASL server</a></li>
<li><a href="#fixed-not-backup-sogo-database_1">Fixed: not backup SOGo database</a></li>
<li><a href="#optional-bypass-greylisting-for-some-big-isps_1">[OPTIONAL] Bypass greylisting for some big ISPs</a></li>
</ul>
</li>
<li><a href="#postgresql-backend-special">PostgreSQL backend special</a><ul>
<li><a href="#fixed-not-apply-service-restriction-in-dovecot-sql-query-file-while-acting-as-sasl-server_1">Fixed: Not apply service restriction in Dovecot SQL query file while acting as SASL server</a></li>
<li><a href="#fixed-not-backup-sogo-database_2">Fixed: not backup SOGo database</a></li>
<li><a href="#optional-bypass-greylisting-for-some-big-isps_2">[OPTIONAL] Bypass greylisting for some big ISPs</a></li>
</ul>
</li>
</ul>
</li>
</ul>
</div>
<p><strong>WARNING: This document is still a work in progress, do <em>NOT</em> apply it.</strong></p>
<h2 id="changelog">ChangeLog</h2>
<ul>
<li>2015-02-25: [All backends] [<strong>OPTIONAL</strong>] Bypass greylisting for some big ISPs.</li>
<li>2015-02-25: [All backends] [<strong>OPTIONAL</strong>] Add one more Fail2ban filter to help catch spam (POP3/IMAP flood).</li>
<li>2015-02-17: [All backends] Upgrade Roundcube webmail to the latest stable release.</li>
<li>2015-02-11: [All backends] [<strong>OPTIONAL</strong>] Setup Fail2ban to monitor password failures in SOGo log file.</li>
<li>2015-02-11: [All backends] Fixed: Cannot run PHP script under web document root with Nginx.</li>
<li>2015-02-09: [All backends] [<strong>OPTIONAL</strong>] Add one more Fail2ban filter to help catch spam.</li>
<li>2015-02-04: [All backends] Fixed: return receipt response rejected by iRedAPD plugin <code>reject_null_sender</code>.</li>
<li>2015-02-02: [All backends] Fixed: Not backup SOGo database. Note: this step
is not applicable if you don't use SOGo groupware.</li>
<li>2015-01-13: [All backends] Fixed: Incorrect path of command <code>sogo-tool</code> on OpenBSD.</li>
<li>2015-01-12: [SQL backends] Fixed: Not apply service restriction in Dovecot
SQL query file while acting as SASL server.</li>
</ul>
<h2 id="general-all-backends-should-apply-these-steps">General (All backends should apply these steps)</h2>
<h3 id="upgrade-roundcube-webmail-to-the-latest-stable-release">Upgrade Roundcube webmail to the latest stable release</h3>
<p>Additional notes before upgrading to Roundcube webmail 1.1.0 (or later releases):</p>
<ul>
<li>for RHEL/CentOS users, please install package <code>php-pear-Net-IDNA2</code>, then
restart the Apache service or the <code>php-fpm</code> service (if you're running Nginx):</li>
</ul>
<pre><code># yum install php-pear-Net-IDNA2
# service httpd restart     # &lt;- OR: service php-fpm restart
</code></pre>

<ul>
<li>for Debian/Ubuntu users, please install packages <code>php-pear</code> and <code>php5-intl</code>,
enable the <code>intl</code> module for PHP, then restart the Apache service or the <code>php5_fpm</code>
service (if you're running Nginx):</li>
</ul>
<pre><code># apt-get install php-pear php5-intl
# php5enmod intl
</code></pre>

<ul>
<li>for OpenBSD users, please install package <code>php-intl</code>, then
restart the <code>php_fpm</code> service:</li>
</ul>
<pre><code># pkg_add -r php-intl
# /etc/rc.d/php_fpm restart
</code></pre>

<p>After installing the additional packages, please follow the official Roundcube
tutorial to upgrade Roundcube webmail to the latest stable release:
<a href="http://trac.roundcube.net/wiki/Howto_Upgrade">How to upgrade Roundcube</a></p>
<h3 id="fixed-return-receipt-response-rejected-by-iredapd-plugin-reject_null_sender">Fixed: return receipt response rejected by iRedAPD plugin <code>reject_null_sender</code></h3>
<p>Note: this is applicable if you want to keep the iRedAPD plugin <code>reject_null_sender</code>
enabled but still be able to send return receipts with Roundcube webmail.</p>
<p>According to RFC2298, the envelope sender address of a return receipt must be empty. If
you have the iRedAPD plugin <code>reject_null_sender</code> enabled, it will reject the return
receipt response. As a partial fix for this issue, you can add the setting below
to the Roundcube config file <code>config/config.inc.php</code>:</p>
<ul>
<li>on RHEL/CentOS/OpenBSD, it's <code>/var/www/roundcubemail/config/config.inc.php</code>.</li>
<li>on Debian/Ubuntu, it's <code>/usr/share/apache2/roundcubemail/config/config.inc.php</code>.</li>
<li>on FreeBSD, it's <code>/usr/local/www/roundcube/config/config.inc.php</code>.</li>
</ul>
<pre><code>$config['mdn_use_from'] = true;
</code></pre>

<p>Note: if other mail client applications don't set the SMTP authentication user as
the envelope sender of the return receipt, the same issue will occur. You must disable
the iRedAPD plugin <code>reject_null_sender</code> in <code>/opt/iredapd/settings.py</code> to make all
mail clients work.</p>
<p>The iRedAPD plugin <code>reject_null_sender</code> rejects messages submitted by a SASL
authenticated user but with a null sender in the <code>From:</code> header (<code>from=&lt;&gt;</code> in the Postfix
log). If a user's password has been cracked by a spammer, the spammer can use this
account to authenticate over SMTP, and with a null sender in the <code>From:</code>
header, throttling won't be triggered.</p>
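<p>If you disable <code>reject_null_sender</code>, you can still watch for the pattern described above. The following is an added example, not part of iRedMail or iRedAPD: it correlates Postfix <code>smtpd</code> and <code>qmgr</code> log lines by queue ID and reports messages submitted by a SASL-authenticated user with <code>from=&lt;&gt;</code>. The log lines are constructed samples and the function names are hypothetical.</p>

```python
import re
from collections import Counter

# Constructed Postfix log lines (not from a real server). The queue ID ties the
# smtpd "client=..., sasl_username=..." line to the qmgr "from=<...>" line.
SAMPLE_LOG = """\
Feb 25 10:00:01 mx postfix/smtpd[2101]: 3A1B2C4D5E: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=alice@example.com
Feb 25 10:00:01 mx postfix/qmgr[900]: 3A1B2C4D5E: from=<>, size=1523, nrcpt=1 (queue active)
Feb 25 10:00:09 mx postfix/smtpd[2102]: 4B2C3D5E6F: client=pc.example.net[198.51.100.20], sasl_method=PLAIN, sasl_username=bob@example.com
Feb 25 10:00:09 mx postfix/qmgr[900]: 4B2C3D5E6F: from=<bob@example.com>, size=2048, nrcpt=1 (queue active)
Feb 25 10:00:15 mx postfix/smtpd[2103]: 5C3D4E6F7A: client=mx.example.org[192.0.2.55]
Feb 25 10:00:15 mx postfix/qmgr[900]: 5C3D4E6F7A: from=<>, size=3100, nrcpt=1 (queue active)
Feb 25 10:00:20 mx postfix/smtpd[2101]: 6D4E5F7A8B: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=alice@example.com
Feb 25 10:00:20 mx postfix/qmgr[900]: 6D4E5F7A8B: from=<>, size=1530, nrcpt=1 (queue active)
"""

LINE_RE = re.compile(r"postfix/[\w/]+\[\d+\]: (?P<qid>[0-9A-Za-z]+): (?P<rest>.*)$")
SASL_RE = re.compile(r"client=(?P<client>\S+), sasl_method=\S+, sasl_username=(?P<user>\S+)")
FROM_RE = re.compile(r"^from=<(?P<sender>[^>]*)>")


def find_null_sender_submissions(log_text):
    """Return one dict per message that was SASL-authenticated and has from=<>."""
    sasl_by_qid = {}   # queue ID -> (sasl_username, client)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        qid, rest = m["qid"], m["rest"]
        sasl = SASL_RE.search(rest)
        if sasl:
            sasl_by_qid[qid] = (sasl["user"], sasl["client"])
            continue
        sender = FROM_RE.match(rest)
        # An unauthenticated null sender is an ordinary bounce from a remote
        # server; only the authenticated case is the one the plugin targets.
        if sender and sender["sender"] == "" and qid in sasl_by_qid:
            user, client = sasl_by_qid[qid]
            hits.append({"qid": qid, "user": user, "client": client})
    return hits


def count_by_user(hits):
    """Number of authenticated null-sender messages per account."""
    return Counter(hit["user"] for hit in hits)


if __name__ == "__main__":
    found = find_null_sender_submissions(SAMPLE_LOG)
    for user, n in count_by_user(found).most_common():
        print(f"{user}: {n} authenticated message(s) with from=<>")
```

<p>An occasional hit per account is what a legitimate return receipt looks like; a sustained stream from one account is the case the plugin was written for.</p>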
<h3 id="fixed-cannot-run-php-script-under-web-document-root-with-nginx">Fixed: Cannot run PHP script under web document root with Nginx.</h3>
<p>With the previous release of iRedMail, Nginx won't run PHP scripts under
sub-directories of the web document root. This step fixes it.</p>
<ul>
<li>Open Nginx config file <code>/etc/nginx/conf.d/default.conf</code> (on Linux/OpenBSD)
or <code>/usr/local/etc/nginx/conf.d/default.conf</code>, and add one more setting in the
configuration block <code>location ~ \.php$ {}</code> like below:</li>
</ul>
<pre><code>...
root /var/www/html;
...
location ~ \.php$ {
    ...
    fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name; # &lt;- Add this line
}
</code></pre>

<ul>
<li>Save your changes and restart the Nginx service.</li>
</ul>
<p>Notes:</p>
<ul>
<li>There are two <code>location ~ \.php$ {}</code> blocks, please update both of them.</li>
<li>
<p>You must replace <code>/var/www/html</code> in the above sample code with the value of the <code>root</code>
setting defined in the same config file.</p>
<ul>
<li>on RHEL/CentOS, it's <code>/var/www/html</code>.</li>
<li>on Debian/Ubuntu, it's <code>/var/www</code>.</li>
<li>on FreeBSD, it's <code>/usr/local/www/apache22/data</code>.
    Note: if you're running Apache-2.4, the directory name should be
    <code>apache24</code>, not <code>apache22</code>.</li>
<li>on OpenBSD, it's <code>/var/www/htdocs</code>.</li>
</ul>
</li>
</ul>
<h3 id="fixed-incorrect-path-of-command-sogo-tool-on-openbsd">Fixed: Incorrect path of command <code>sogo-tool</code> on OpenBSD</h3>
<p>Note: this step is applicable only to OpenBSD.</p>
<p>Please check user <code>_sogo</code>'s cron job and make sure the path to the <code>sogo-tool</code> command is
<code>/usr/local/sbin/sogo-tool</code>:</p>
<pre><code># crontab -l -u _sogo
</code></pre>

<p>If it's not <code>/usr/local/sbin/sogo-tool</code>, please edit the cron job with the command
below and fix it:</p>
<pre><code># crontab -e -u _sogo
</code></pre>
<h3 id="optional-setup-fail2ban-to-monitor-password-failures-in-sogo-log-file">[<strong>OPTIONAL</strong>] Setup Fail2ban to monitor password failures in SOGo log file</h3>
<p>To improve server security, we should block clients which have too many
failed login attempts against SOGo.</p>
<p>Please append the lines below to the Fail2ban main config file <code>/etc/fail2ban/jail.local</code>:</p>
<pre><code>[SOGo]
enabled     = true
filter      = sogo-auth
port        = http, https
# without proxy this would be:
# port    = 20000
action      = iptables-multiport[name=SOGo, port="http,https", protocol=tcp]
logpath     = /var/log/sogo/sogo.log
</code></pre>

<p>Restarting the Fail2ban service is required.</p>
<h3 id="optional-add-two-more-fail2ban-filter-regular-expressios-to-help-catch-spam">[OPTIONAL] Add two more Fail2ban filter regular expressions to help catch spam</h3>
<p>We have two new Fail2ban filters to help catch spam:</p>
<ol>
<li>the first one scans for HELO rejections in the Postfix log file.</li>
<li>the second one scans for aborted pop3/imap logins in the Dovecot log file.</li>
</ol>
<p>Steps:</p>
<ol>
<li>Open file <code>/etc/fail2ban/filters.d/postfix.iredmail.conf</code> or
<code>/usr/local/etc/fail2ban/filters.d/postfix.iredmail.conf</code> (on FreeBSD), and append
the line below under the <code>[Definition]</code> section. Keep the leading whitespace: it marks the line as a continuation of <code>failregex</code>:</li>
</ol>
<pre><code>            reject: RCPT from (.*)\[&lt;HOST&gt;\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
</code></pre>

<p>After modification, the whole content is:</p>
<pre><code>[Definition]
failregex = \[&lt;HOST&gt;\]: SASL (PLAIN|LOGIN) authentication failed
            lost connection after AUTH from (.*)\[&lt;HOST&gt;\]
            reject: RCPT from (.*)\[&lt;HOST&gt;\]: 550 5.1.1
            reject: RCPT from (.*)\[&lt;HOST&gt;\]: 450 4.7.1
            reject: RCPT from (.*)\[&lt;HOST&gt;\]: 554 5.7.1
            reject: RCPT from (.*)\[&lt;HOST&gt;\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
ignoreregex =
</code></pre>

<ol start="2">
<li>Open file <code>/etc/fail2ban/filters.d/dovecot.iredmail.conf</code> or
<code>/usr/local/etc/fail2ban/filters.d/dovecot.iredmail.conf</code> (on FreeBSD), and append
the line below under the <code>[Definition]</code> section, again keeping the leading whitespace:</li>
</ol>
<pre><code>            Aborted login \(no auth attempts in .* rip=&lt;HOST&gt;
</code></pre>

<p>After modification, the whole content is:</p>
<pre><code>[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P&lt;host&gt;\S*),.*
            Aborted login \(no auth attempts in .* rip=&lt;HOST&gt;
ignoreregex =
</code></pre>

<p>Restarting the Fail2ban service is required.</p>
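<p>Before restarting Fail2ban it is worth checking what the two new expressions actually match. The following is an added example, not part of iRedMail or Fail2ban: it runs the two new <code>failregex</code> lines over constructed log lines and lists the hosts that would reach a given <code>maxretry</code>. The <code>HOST</code> pattern is a simplified IPv4-only stand-in for Fail2ban's <code>&lt;HOST&gt;</code> tag, and the function names are hypothetical.</p>

```python
import re
from collections import Counter

# Simplified stand-in for Fail2ban's <HOST> tag (IPv4 only, an assumption of
# this example); the real tag also matches hostnames and IPv6 addresses.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two failregex lines added in this section, copied from the page.
NEW_FAILREGEX = [
    r"reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname",
    r"Aborted login \(no auth attempts in .* rip=<HOST>",
]

# Constructed log lines (not from a real server).
HELO_REJECT = ("Feb 25 10:01:0{n} mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from "
               "unknown[203.0.113.9]: 504 5.5.2 <localhost>: Helo command rejected: "
               "need fully-qualified hostname; from=<a@example.com> to=<b@example.org> "
               "proto=ESMTP helo=<localhost>")
SAMPLE_LINES = [HELO_REJECT.format(n=n) for n in (1, 2, 3)] + [
    "Feb 25 10:02:03 mx dovecot: pop3-login: Aborted login (no auth attempts in 2 secs): "
    "user=<>, rip=198.51.100.77, lip=192.0.2.10, session=<constructed>",
    "Feb 25 10:03:00 mx dovecot: imap-login: Login: user=<alice@example.com>, "
    "method=PLAIN, rip=192.0.2.44, lip=192.0.2.10, mpid=4321, TLS",
]


def compile_failregex(patterns):
    """Substitute the <HOST> tag and compile each expression separately."""
    return [re.compile(p.replace("<HOST>", HOST)) for p in patterns]


def match_host(compiled, line):
    """Return the offending host for a log line, or None if no regex matches."""
    for rx in compiled:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def hosts_to_ban(patterns, lines, maxretry):
    """Count failures per host and return hosts with at least maxretry hits."""
    compiled = compile_failregex(patterns)
    failures = Counter()
    for line in lines:
        host = match_host(compiled, line)
        if host:
            failures[host] += 1
    return sorted(h for h, n in failures.items() if n >= maxretry)


if __name__ == "__main__":
    print(hosts_to_ban(NEW_FAILREGEX, SAMPLE_LINES, maxretry=3))
```

<p>The aborted-login expression also matches any client that opens a POP3/IMAP connection and closes it without authenticating, so monitoring probes should be listed in Fail2ban's <code>ignoreip</code>.</p>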
<h2 id="openldap-backend-special">OpenLDAP backend special</h2>
<h3 id="fixed-not-backup-sogo-database">Fixed: not backup SOGo database</h3>
<p>Note: this step is not applicable if you don't use SOGo groupware.</p>
<p>Open backup script <code>/var/vmail/backup/backup_mysql.sh</code> and append the SOGo SQL
database name to the variable <code>DATABASES=</code>. For example:</p>
<pre><code>DATABASES='... sogo'
</code></pre>

<p>Save your change and that's all.</p>
<h3 id="optional-bypass-greylisting-for-some-big-isps">[<strong>OPTIONAL</strong>] Bypass greylisting for some big ISPs</h3>
<p>ISPs' mail servers send out spam, but also normal business mail. Applying
greylisting to them does not help.</p>
<ul>
<li>Download SQL template file:</li>
</ul>
<pre><code># cd /tmp
# wget https://bitbucket.org/zhb/iredmail/raw/default/iRedMail/samples/cluebringer/greylisting-whitelist.sql
</code></pre>

<ul>
<li>Login to MySQL database and import this file:</li>
</ul>
<pre><code>$ mysql -uroot -p
mysql&gt; USE cluebringer;
mysql&gt; SOURCE /tmp/greylisting-whitelist.sql;
</code></pre>

<p>That's all.</p>
<h2 id="mysqlmariadb-backend-special">MySQL/MariaDB backend special</h2>
<h3 id="fixed-not-apply-service-restriction-in-dovecot-sql-query-file-while-acting-as-sasl-server">Fixed: Not apply service restriction in Dovecot SQL query file while acting as SASL server</h3>
<p>Please open Dovecot config file <code>/etc/dovecot/dovecot-mysql.conf</code>
(Linux/OpenBSD) or <code>/usr/local/etc/dovecot/dovecot-mysql.conf</code> (FreeBSD), and find
the line below:</p>
<pre><code># Part of file: /etc/dovecot/dovecot-mysql.conf

password_query = SELECT password FROM mailbox WHERE username='%u' AND active='1'
</code></pre>

<p>Add the additional condition <code>AND enable%Ls%Lc=1</code> like below:</p>
<pre><code># Part of file: /etc/dovecot/dovecot-mysql.conf

password_query = SELECT password FROM mailbox WHERE username='%u' AND enable%Ls%Lc=1 AND active='1'
</code></pre>

<p>Save your change and restart the Dovecot service.</p>
<h3 id="fixed-not-backup-sogo-database_1">Fixed: not backup SOGo database</h3>
<p>Note: this step is not applicable if you don't use SOGo groupware.</p>
<p>Open backup script <code>/var/vmail/backup/backup_mysql.sh</code> and append the SOGo SQL
database name to the variable <code>DATABASES=</code>. For example:</p>
<pre><code>DATABASES='... sogo'
</code></pre>

<p>Save your change and that's all.</p>
<h3 id="optional-bypass-greylisting-for-some-big-isps_1">[<strong>OPTIONAL</strong>] Bypass greylisting for some big ISPs</h3>
<p>ISPs' mail servers send out spam, but also normal business mail. Applying
greylisting to them does not help.</p>
<ul>
<li>Download SQL template file:</li>
</ul>
<pre><code># cd /tmp
# wget https://bitbucket.org/zhb/iredmail/raw/default/iRedMail/samples/cluebringer/greylisting-whitelist.sql
</code></pre>

<ul>
<li>Login to MySQL database and import this file:</li>
</ul>
<pre><code>$ mysql -uroot -p
mysql&gt; USE cluebringer;
mysql&gt; SOURCE /tmp/greylisting-whitelist.sql;
</code></pre>

<p>That's all.</p>
<h2 id="postgresql-backend-special">PostgreSQL backend special</h2>
<h3 id="fixed-not-apply-service-restriction-in-dovecot-sql-query-file-while-acting-as-sasl-server_1">Fixed: Not apply service restriction in Dovecot SQL query file while acting as SASL server</h3>
<p>Please open Dovecot config file <code>/etc/dovecot/dovecot-pgsql.conf</code>
(Linux/OpenBSD) or <code>/usr/local/etc/dovecot/dovecot-pgsql.conf</code> (FreeBSD), and find
the line below:</p>
<pre><code># Part of file: /etc/dovecot/dovecot-pgsql.conf

password_query = SELECT password FROM mailbox WHERE username='%u' AND active='1'
</code></pre>

<p>Add the additional condition <code>AND enable%Ls%Lc=1</code> like below:</p>
<pre><code># Part of file: /etc/dovecot/dovecot-pgsql.conf

password_query = SELECT password FROM mailbox WHERE username='%u' AND enable%Ls%Lc=1 AND active='1'
</code></pre>

<p>Save your change and restart the Dovecot service.</p>
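<p>The <code>password_query</code> change in the MySQL/MariaDB and PostgreSQL sections works because Dovecot expands <code>%Ls</code> to the lower-cased service name and <code>%Lc</code> to <code>secured</code> on a secured connection (empty otherwise), so each lookup checks a per-service column. The following is an added example, not iRedMail or Dovecot code: it imitates that expansion against an in-memory SQLite table to show an account with SMTP disabled passing the old query and failing the new one. The table layout is reduced to the columns needed, the data is constructed, and the function names are hypothetical.</p>

```python
import sqlite3

# The two password_query values from the page.
OLD_QUERY = "SELECT password FROM mailbox WHERE username='%u' AND active='1'"
NEW_QUERY = ("SELECT password FROM mailbox WHERE username='%u' "
             "AND enable%Ls%Lc=1 AND active='1'")

# Services covered by this demo table (a subset chosen for the example).
SERVICES = {"smtp", "imap", "pop3"}


def expand(template, service, secured):
    """Imitate Dovecot's %Ls / %Lc expansion; bind %u as a SQL parameter."""
    service = service.lower()
    if service not in SERVICES:
        raise ValueError(f"unexpected service: {service}")
    sql = template.replace("%Ls", service)
    sql = sql.replace("%Lc", "secured" if secured else "")
    return sql.replace("'%u'", "?")


def build_db():
    """Constructed mailbox table: bob is active, but SMTP is disabled for him."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE mailbox (username TEXT, password TEXT, active INTEGER, "
        "enablesmtp INTEGER, enablesmtpsecured INTEGER, "
        "enableimap INTEGER, enableimapsecured INTEGER, "
        "enablepop3 INTEGER, enablepop3secured INTEGER)"
    )
    db.execute(
        "INSERT INTO mailbox VALUES (?, ?, 1, 0, 0, 1, 1, 1, 1)",
        ("bob@example.com", "{SSHA512}constructed-hash"),
    )
    return db


def lookup_succeeds(db, template, user, service, secured):
    """True if the query returns a password row, i.e. auth would proceed."""
    row = db.execute(expand(template, service, secured), (user,)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = build_db()
    user = "bob@example.com"
    # Postfix asks Dovecot to authenticate with service "smtp".
    print("old query, smtp :", lookup_succeeds(db, OLD_QUERY, user, "smtp", True))
    print("new query, smtp :", lookup_succeeds(db, NEW_QUERY, user, "smtp", True))
    print("new query, imap :", lookup_succeeds(db, NEW_QUERY, user, "imap", True))
```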
<h3 id="fixed-not-backup-sogo-database_2">Fixed: not backup SOGo database</h3>
<p>Note: this step is not applicable if you don't use SOGo groupware.</p>
<p>Open backup script <code>/var/vmail/backup/backup_mysql.sh</code> and append the SOGo SQL
database name to the variable <code>DATABASES=</code>. For example:</p>
<pre><code>DATABASES='... sogo'
</code></pre>

<p>Save your change and that's all.</p>
<h3 id="optional-bypass-greylisting-for-some-big-isps_2">[<strong>OPTIONAL</strong>] Bypass greylisting for some big ISPs</h3>
<p>ISPs' mail servers send out spam, but also normal business mail. Applying
greylisting to them does not help.</p>
<ul>
<li>Download SQL template file:</li>
</ul>
<pre><code># cd /tmp
# wget https://bitbucket.org/zhb/iredmail/raw/default/iRedMail/samples/cluebringer/greylisting-whitelist.sql
</code></pre>

<ul>
<li>
<p>Switch to the PostgreSQL daemon user, then execute SQL commands to import it:</p>
<ul>
<li>On Linux, PostgreSQL daemon user is <code>postgres</code>.</li>
<li>On FreeBSD, PostgreSQL daemon user is <code>pgsql</code>.</li>
<li>On OpenBSD, PostgreSQL daemon user is <code>_postgresql</code>.</li>
</ul>
</li>
</ul>
<pre><code># su - postgres
$ psql -d cluebringer
sql&gt; \i /tmp/greylisting-whitelist.sql;
</code></pre>
<p>That's all.</p><p style="text-align: center; color: grey;">Document published under a <a href="http://creativecommons.org/licenses/by-nd/3.0/us/" target="_blank">CC BY-ND 3.0</a> license. If you found something wrong, please do <a href="http://www.iredmail.org/contact.html">contact us</a> to fix it.</p>
</body></html>