<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Upgrade iRedMail from 0.9.5-1 to 0.9.6</title>
<link rel="stylesheet" type="text/css" href="./css/markdown.css" />
</head>
<body>
<h1 id="upgrade-iredmail-from-095-1-to-096">Upgrade iRedMail from 0.9.5-1 to 0.9.6</h1>
<div class="toc">
<ul>
<li><a href="#upgrade-iredmail-from-095-1-to-096">Upgrade iRedMail from 0.9.5-1 to 0.9.6</a><ul>
<li><a href="#changelog">ChangeLog</a></li>
<li><a href="#general-all-backends-should-apply-these-steps">General (All backends should apply these steps)</a><ul>
<li><a href="#update-etciredmail-release-with-new-iredmail-version-number">Update /etc/iredmail-release with new iRedMail version number</a></li>
<li><a href="#upgrade-iredapd-postfix-policy-server-to-the-latest-stable-release-20">Upgrade iRedAPD (Postfix policy server) to the latest stable release (2.0)</a></li>
<li><a href="#upgrade-iredadmin-open-source-edition-to-the-latest-stable-release-07">Upgrade iRedAdmin (open source edition) to the latest stable release (0.7)</a></li>
<li><a href="#upgrade-roundcube-webmail-to-the-latest-stable-release-123">Upgrade Roundcube webmail to the latest stable release (1.2.3)</a></li>
<li><a href="#fixed-httproxy-vulnerability-in-apache-and-nginx">Fixed: httpoxy vulnerability in Apache and Nginx</a><ul>
<li><a href="#apache">Apache</a></li>
<li><a href="#nginx">Nginx</a></li>
</ul>
</li>
<li><a href="#fixed-not-allow-access-to-well-known-in-nginx">Fixed: Nginx does not allow access to '/.well-known/'</a></li>
<li><a href="#fixed-postfix-allows-email-sent-through-port-587-without-smtp-authentication-from-trusted-clients">Fixed: Postfix allows email sent through port 587 without SMTP authentication from trusted clients</a></li>
<li><a href="#fixed-not-enable-opportunistic-tls-support-in-postfix">Fixed: opportunistic TLS support not enabled in Postfix</a></li>
<li><a href="#fixed-one-incorrect-helo-restriction-rule-in-postfix">Fixed: one incorrect HELO restriction rule in Postfix</a></li>
<li><a href="#fixed-incorrect-file-owner-and-permission-of-config-file-of-roundcube-password-plugin">Fixed: incorrect file owner and permission of config file of Roundcube password plugin</a></li>
<li><a href="#fixed-missing-cron-job-used-to-clean-up-old-roundcube-temporary-files">Fixed: missing cron job used to clean up old Roundcube temporary files</a></li>
<li><a href="#fixed-nginx-doesnt-forward-real-client-ip-address-to-sogo">Fixed: Nginx doesn't forward real client IP address to SOGo</a></li>
<li><a href="#fixed-sogo-313-and-later-releases-changed-argument-used-by-sogo-tool-command">Fixed: SOGo-3.1.3 (and later releases) changed argument used by sogo-tool command</a></li>
<li><a href="#fixed-memcached-listens-on-all-available-ip-addresses-instead-of-127001">Fixed: Memcached listens on all available IP addresses instead of 127.0.0.1</a></li>
<li><a href="#fixed-awstats-is-world-accessible-with-apache">Fixed: Awstats is world-accessible with Apache</a></li>
<li><a href="#improve-fail2ban-filter-regular-expression-to-catch-more-pop3imap-spams">Improve Fail2ban filter regular expression to catch more POP3/IMAP abuse</a></li>
<li><a href="#add-more-banned-file-typesextensions-in-amavisd">Add more banned file types/extensions in Amavisd</a></li>
</ul>
</li>
<li><a href="#openldap-backend-special">OpenLDAP backend special</a><ul>
<li><a href="#use-the-latest-iredmail-ldap-schema-file">Use the latest iRedMail LDAP schema file</a><ul>
<li><a href="#update-openldap-config-file-to-index-new-attributes">Update OpenLDAP config file to index new attributes</a></li>
<li><a href="#download-the-latest-iredmail-ldap-schema-file">Download the latest iRedMail LDAP schema file</a></li>
</ul>
</li>
<li><a href="#fixed-mail-accounts-user-alias-list-are-still-active-when-domain-is-disabled">Fixed: mail accounts (user, alias, list) are still active when domain is disabled</a><ul>
<li><a href="#update-postfixdovecot-ldap-lookup-files">Update Postfix/Dovecot LDAP lookup files</a></li>
<li><a href="#add-required-ldap-attributevalue-for-existing-mail-accounts-under-disabled-domains">Add required LDAP attribute/value for existing mail accounts under disabled domains</a></li>
</ul>
</li>
</ul>
</li>
<li><a href="#mysqlmariadb-backend-special">MySQL/MariaDB backend special</a><ul>
<li><a href="#fix-invalid-default-datetime-value-for-some-sql-columns-in-vmail-database">Fix invalid default (datetime) value for some SQL columns in 'vmail' database</a></li>
</ul>
</li>
</ul>
</li>
</ul>
</div>
<div class="admonition note">
<p class="admonition-title">Paid Remote Upgrade Support</p>
<p>We offer remote upgrade support if you don't want to get your hands dirty;
check <a href="../support.html">the details</a> and <a href="../contact.html">contact us</a>.</p>
</div>
<h2 id="changelog">ChangeLog</h2>
<ul>
<li>Jan 23, 2016: Initial publish.</li>
</ul>
<h2 id="general-all-backends-should-apply-these-steps">General (All backends should apply these steps)</h2>
<h3 id="update-etciredmail-release-with-new-iredmail-version-number">Update <code>/etc/iredmail-release</code> with new iRedMail version number</h3>
<p>iRedMail stores the release version in <code>/etc/iredmail-release</code> after
installation. It's recommended to update this file after you upgrade iRedMail,
so that you can always tell which version of iRedMail you're running. For example:</p>
<pre><code>0.9.6
</code></pre>
<h3 id="upgrade-iredapd-postfix-policy-server-to-the-latest-stable-release-20">Upgrade iRedAPD (Postfix policy server) to the latest stable release (2.0)</h3>
<p>Please follow the tutorial below to upgrade iRedAPD to the latest stable release:
<a href="./upgrade.iredapd.html">Upgrade iRedAPD to the latest stable release</a></p>
<p>Detailed release notes are available <a href="./iredapd.releases.html">here</a>.</p>
<h3 id="upgrade-iredadmin-open-source-edition-to-the-latest-stable-release-07">Upgrade iRedAdmin (open source edition) to the latest stable release (0.7)</h3>
<p>Please follow this tutorial to upgrade the iRedAdmin open source edition to the
latest stable release:
<a href="./migrate.or.upgrade.iredadmin.html">Upgrade iRedAdmin to the latest stable release</a></p>
<h3 id="upgrade-roundcube-webmail-to-the-latest-stable-release-123">Upgrade Roundcube webmail to the latest stable release (1.2.3)</h3>
<p>Please follow the official Roundcube tutorial to upgrade Roundcube webmail to the
latest stable release immediately: <a href="https://github.com/roundcube/roundcubemail/wiki/Upgrade">How to upgrade Roundcube</a>.</p>
<p>Note: the package <code>rsync</code> must be installed on your server before upgrading.</p>
<h3 id="fixed-httproxy-vulnerability-in-apache-and-nginx">Fixed: httpoxy vulnerability in Apache and Nginx</h3>
<p>A client-supplied <code>Proxy</code> request header is exposed to CGI/FastCGI
applications as the <code>HTTP_PROXY</code> environment variable, which many HTTP client
libraries honour as their outgoing proxy setting. For more details about the
httpoxy vulnerability, please read this website: <a href="https://httpoxy.org/">https://httpoxy.org/</a></p>
<h4 id="apache">Apache</h4>
<p>Please append the setting below to the Apache config file:</p>
<ul>
<li>on RHEL/CentOS, it's <code>/etc/httpd/conf/httpd.conf</code>.</li>
<li>on Debian/Ubuntu, it's <code>/etc/apache2/apache2.conf</code>.</li>
<li>on FreeBSD, it's <code>/usr/local/etc/apache2[X]/httpd.conf</code>. Please replace
<code>apache2[X]</code> with the real Apache version number.</li>
<li>on OpenBSD: not applicable, because iRedMail doesn't use Apache on OpenBSD.</li>
</ul>
<pre><code>RequestHeader unset Proxy early
</code></pre>
<ul>
<li>On Debian/Ubuntu, please make sure the Apache module <code>headers</code> is enabled:</li>
</ul>
<pre><code>a2enmod headers
</code></pre>
<p>Restarting the Apache service is required.</p>
<h4 id="nginx">Nginx</h4>
<p>Please open all files under the directories below which contain the <code>fastcgi_pass</code>
parameter:</p>
<ul>
<li>On Linux/OpenBSD:<ul>
<li><code>/etc/nginx/templates/</code></li>
<li><code>/etc/nginx/conf.d/</code></li>
</ul>
</li>
<li>On FreeBSD:<ul>
<li><code>/usr/local/etc/nginx/templates/</code></li>
<li><code>/usr/local/etc/nginx/conf.d/</code></li>
</ul>
</li>
</ul>
<p>If a config file contains the <code>fastcgi_pass</code> parameter, please append the line
below after it:</p>
<pre><code>fastcgi_param HTTP_PROXY '';
</code></pre>
<p>Restarting the Nginx service is required.</p>
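<p>To make the mechanism behind both fixes concrete, here is an added example (not iRedMail's code) that applies the CGI header-to-environment naming rule to constructed request headers and shows what each mitigation changes; <code>build_cgi_env</code>, <code>effective_proxy</code> and the sample headers are hypothetical names and values chosen for this illustration.</p>

```python
"""Demonstrate the httpoxy mechanism and the two mitigations on this page.

CGI (RFC 3875) hands every request header to the application as an
environment variable named HTTP_<NAME>, upper-cased with '-' -> '_'.
A client header "Proxy: ..." therefore arrives as HTTP_PROXY, which many
HTTP client libraries read as their outgoing proxy. Apache's
"RequestHeader unset Proxy early" drops the header before CGI sees it;
Nginx's "fastcgi_param HTTP_PROXY '';" overwrites the variable with an
empty value. Example code, not part of iRedMail.
"""


def header_to_cgi_var(name: str) -> str:
    """Apply the CGI meta-variable naming rule to one request header name."""
    return "HTTP_" + name.upper().replace("-", "_")


def build_cgi_env(headers: dict, strip_proxy_header: bool = False,
                  blank_http_proxy: bool = False) -> dict:
    """Build the environment a CGI/FastCGI application would receive.

    strip_proxy_header mimics Apache: RequestHeader unset Proxy early
    blank_http_proxy   mimics Nginx:  fastcgi_param HTTP_PROXY '';
    """
    env = {"REQUEST_METHOD": "GET", "GATEWAY_INTERFACE": "CGI/1.1"}
    for name, value in headers.items():
        if strip_proxy_header and name.lower() == "proxy":
            continue  # header never reaches the application
        env[header_to_cgi_var(name)] = value
    if blank_http_proxy:
        env["HTTP_PROXY"] = ""  # overrides whatever the client sent
    return env


def effective_proxy(env: dict):
    """What a library that trusts HTTP_PROXY would use (None if unset/empty)."""
    return env.get("HTTP_PROXY") or None


# Constructed request headers: an ordinary request that also carries a
# Proxy header. 192.0.2.10 is an RFC 5737 documentation address.
SAMPLE_HEADERS = {
    "Host": "mail.example.com",
    "User-Agent": "curl/7.50",
    "Proxy": "http://192.0.2.10:8080",
}
```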
<h3 id="fixed-not-allow-access-to-well-known-in-nginx">Fixed: Nginx does not allow access to '/.well-known/'</h3>
<p>It's popular to use Let's Encrypt SSL certificates nowadays, but the default Nginx
config file returns a "403 Forbidden" error when you try to request a new SSL
certificate from Let's Encrypt, because the rule that denies access to hidden files
also matches <code>/.well-known/</code>. The step below allows access to
<code>/.well-known/</code> and fixes this issue.</p>
<p>Open the Nginx template file <code>misc.tmpl</code> and find the lines below:</p>
<ul>
<li>If your iRedMail server was installed with iRedMail-0.9.4, it's
<code>/etc/nginx/templates/misc.tmpl</code> (Linux/OpenBSD) or
<code>/usr/local/etc/nginx/templates/misc.tmpl</code> (FreeBSD).</li>
<li>If your iRedMail server was installed with an earlier release and upgraded to
iRedMail-0.9.4, it's <code>/etc/nginx/conf.d/default.conf</code> (Linux/OpenBSD)
or <code>/usr/local/etc/nginx/conf.d/default.conf</code> (FreeBSD).</li>
</ul>
<pre><code># Deny all attempts to access hidden files such as .htaccess.
location ~ /\. { deny all; }
</code></pre>
<p>Add the lines below ABOVE the lines found above (Nginx uses the first
regular-expression <code>location</code> that matches, so the allow rule must come first):</p>
<pre><code># Allow access to '^/.well-known/'
location ~ ^/.well-known/ {
    allow all;
    access_log off;
    log_not_found off;
    autoindex off;
}
</code></pre>
<p>Save your change and reload the Nginx service.</p>
<h3 id="fixed-postfix-allows-email-sent-through-port-587-without-smtp-authentication-from-trusted-clients">Fixed: Postfix allows email sent through port 587 without SMTP authentication from trusted clients</h3>
<p>iRedMail-0.9.5 and iRedMail-0.9.5-1 allow trusted clients (listed in parameter
<code>mynetworks=</code>) to send email through port 587 without SMTP authentication. This
is not strict enough and may be abused by spammers. All users should be forced
to send email through port 587 with SMTP authentication. Please follow the steps
below to fix it.</p>
<ul>
<li>Open the Postfix config file <code>master.cf</code> and find the transport
<code>submission</code> like below:<ul>
<li>on Linux and OpenBSD, it's <code>/etc/postfix/master.cf</code></li>
<li>on FreeBSD, it's <code>/usr/local/etc/postfix/master.cf</code></li>
</ul>
</li>
</ul>
<pre><code>submission ...
    ...
    -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
</code></pre>
<ul>
<li>Remove <code>permit_mynetworks,</code> and save your change. After modification, it's:</li>
</ul>
<pre><code>submission ...
    ...
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
</code></pre>
<ul>
<li>Restarting the Postfix service is required to load the changed config file.</li>
</ul>
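<p>As an added example (not part of iRedMail), the script below parses the <code>submission</code> service of a constructed <code>master.cf</code>, reports whether its <code>smtpd_client_restrictions</code> still contains <code>permit_mynetworks</code>, and returns a corrected copy; the sample file content and the function names are assumptions for this illustration.</p>

```python
"""Audit and fix the port-587 weakness described above in a master.cf.

master.cf syntax: a service entry starts at column 0 (first field is the
service name); its '-o parameter=value' override lines are indented.
Example code, not iRedMail's; SAMPLE_MASTER_CF is a constructed excerpt
modelled on the snippet shown in this section.
"""
import re

SAMPLE_MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
pickup    unix  n       -       n       60      1       pickup
"""


def service_block(master_cf: str, service: str) -> list:
    """Return the entry line plus indented override lines of one service."""
    block, inside = [], False
    for line in master_cf.splitlines():
        if line and not line[0].isspace() and not line.startswith("#"):
            inside = line.split()[0] == service  # new service entry begins
            if inside:
                block.append(line)
        elif inside and line.strip():
            block.append(line)
    return block


def client_restrictions(master_cf: str, service: str = "submission") -> list:
    """Parse a service's smtpd_client_restrictions override into a list."""
    for line in service_block(master_cf, service):
        m = re.match(r"\s*-o\s+smtpd_client_restrictions=(\S+)", line)
        if m:
            return [r for r in re.split(r"[,\s]+", m.group(1)) if r]
    return []


def allows_unauthenticated_mynetworks(master_cf: str) -> bool:
    """True when submission still lets mynetworks clients skip SASL auth."""
    return "permit_mynetworks" in client_restrictions(master_cf)


def fix_submission(master_cf: str) -> str:
    """Drop permit_mynetworks from submission's smtpd_client_restrictions,
    leaving every other line (and every other service) untouched."""
    out, inside = [], False
    for line in master_cf.splitlines(keepends=True):
        if line and not line[0].isspace() and not line.startswith("#"):
            inside = line.split()[0] == "submission"
        if inside and "smtpd_client_restrictions=" in line:
            key, _, value = line.partition("smtpd_client_restrictions=")
            items = [r for r in value.strip().split(",") if r != "permit_mynetworks"]
            line = key + "smtpd_client_restrictions=" + ",".join(items) + "\n"
        out.append(line)
    return "".join(out)
```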
<h3 id="fixed-not-enable-opportunistic-tls-support-in-postfix">Fixed: opportunistic TLS support not enabled in Postfix</h3>
<p>iRedMail-0.9.5 and iRedMail-0.9.5-1 didn't enable opportunistic TLS support in
Postfix, so other servers could not transfer emails to yours over a TLS-secured
connection. Please fix it with the commands below. If you already have this
setting in <code>/etc/postfix/main.cf</code>, it's safe to skip this step.</p>
<pre><code>postconf -e smtpd_tls_security_level='may'
postfix reload
</code></pre>
<h3 id="fixed-one-incorrect-helo-restriction-rule-in-postfix">Fixed: one incorrect HELO restriction rule in Postfix</h3>
<p>There's one incorrect HELO restriction rule in the file <code>helo_access.pcre</code>:</p>
<ul>
<li>on Linux/OpenBSD, it's <code>/etc/postfix/helo_access.pcre</code></li>
<li>on FreeBSD, it's <code>/usr/local/etc/postfix/helo_access.pcre</code></li>
</ul>
<p>The rule below is not anchored, so it also matches a HELO identity like
<code>[192.168.1.1]</code> (an address literal), which is legal:</p>
<pre><code>/(\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3})/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
</code></pre>
<p>Please replace it with the correct one below (it matches the IP address
strictly, as <code>/^IP$/</code>):</p>
<pre><code>/^(\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3})$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
</code></pre>
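<p>The following added example (not from iRedMail) runs the two patterns from this section, exactly as written in <code>helo_access.pcre</code>, against a handful of constructed HELO identities to show which ones only the unanchored rule rejects; the sample identities and helper names are assumptions for the illustration.</p>

```python
"""Compare the old (unanchored) and corrected HELO rules from this section.

Postfix pcre: tables match a pattern anywhere in the looked-up key unless it
is anchored with ^ and $, which is why the old rule fires on "[192.0.2.25]".
Example code, not part of iRedMail.
"""
import re

# The two patterns exactly as they appear in helo_access.pcre above.
OLD_RULE = re.compile(r"(\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3})")
NEW_RULE = re.compile(r"^(\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3})$")


def helo_rejected(rule, helo: str) -> bool:
    """True when the pcre: rule would return REJECT for this HELO identity."""
    return rule.search(helo) is not None


# Constructed HELO identities (RFC 5737 documentation addresses).
SAMPLES = {
    "mail.example.com": "hostname: must be accepted",
    "[192.0.2.25]": "RFC 5321 address literal: legal, must be accepted",
    "192.0.2.25": "bare IP address, typical of dynamic hosts: reject",
    "192-0-2-25": "dashed form of the same: reject",
    "host-192-0-2-25.dsl.example.net": "hostname containing an IP: accept",
}


def compare_rules(samples=SAMPLES) -> dict:
    """Map each HELO identity to (rejected_by_old, rejected_by_new)."""
    return {helo: (helo_rejected(OLD_RULE, helo), helo_rejected(NEW_RULE, helo))
            for helo in samples}


def false_positives_of_old_rule(samples=SAMPLES) -> list:
    """HELO identities the old rule rejects but the corrected rule accepts."""
    return [h for h, (old, new) in compare_rules(samples).items() if old and not new]
```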
<h3 id="fixed-incorrect-file-owner-and-permission-of-config-file-of-roundcube-password-plugin">Fixed: incorrect file owner and permission of config file of Roundcube password plugin</h3>
<p>iRedMail-0.9.5-1 and earlier versions didn't correctly set the file owner and
permission of the config file of the Roundcube password plugin, so other system
users may be able to read the SQL/LDAP username and password stored in it. Please
follow the steps below to fix it.</p>
<ul>
<li>On RHEL/CentOS:</li>
</ul>
<h5>For Apache server:</h5>
<pre><code>chown apache:apache /var/www/roundcubemail/plugins/password/config.inc.php
chmod 0400 /var/www/roundcubemail/plugins/password/config.inc.php
</code></pre>
<h5>For Nginx:</h5>
<pre><code>chown nginx:nginx /var/www/roundcubemail/plugins/password/config.inc.php
chmod 0400 /var/www/roundcubemail/plugins/password/config.inc.php
</code></pre>
<ul>
<li>On Debian/Ubuntu (Note: with old iRedMail releases, the Roundcube directory is
<code>/usr/share/apache2/roundcubemail</code>):</li>
</ul>
<pre><code>chown www-data:www-data /opt/www/roundcubemail/plugins/password/config.inc.php
chmod 0400 /opt/www/roundcubemail/plugins/password/config.inc.php
</code></pre>
<ul>
<li>On FreeBSD:</li>
</ul>
<pre><code>chown www:www /usr/local/www/roundcube/plugins/password/config.inc.php
chmod 0400 /usr/local/www/roundcube/plugins/password/config.inc.php
</code></pre>
<ul>
<li>On OpenBSD:</li>
</ul>
<pre><code>chown www:www /var/www/roundcubemail/plugins/password/config.inc.php
chmod 0400 /var/www/roundcubemail/plugins/password/config.inc.php
</code></pre>
<h3 id="fixed-missing-cron-job-used-to-clean-up-old-roundcube-temporary-files">Fixed: missing cron job used to clean up old Roundcube temporary files</h3>
<p>iRedMail didn't run the script <code>roundcubemail/bin/gc.sh</code> to clean up old files
under the <code>roundcubemail/temp/</code> directory regularly, so this directory grows
larger and larger with temporary files.</p>
<p>Please edit <code>root</code>'s cron jobs with the command below:</p>
<pre><code># crontab -e -u root
</code></pre>
<p>Then add a cron job like below:</p>
<ul>
<li>RHEL/CentOS:</li>
</ul>
<pre><code># Roundcube: Cleanup old temp files.
# Defaults to keep for 2 days, controlled by Roundcube parameter $config['temp_dir_ttl'].
2 2 * * * php /var/www/roundcubemail/bin/gc.sh >/dev/null
</code></pre>
<ul>
<li>
<p>Debian/Ubuntu:</p>
<blockquote>
<p><strong>WARNING</strong>: with old iRedMail releases, the Roundcube directory is
<code>/usr/share/apache2/roundcubemail</code>; please make sure you're using the
correct one on your server.</p>
</blockquote>
</li>
</ul>
<pre><code># Roundcube: Cleanup old temp files.
# Defaults to keep for 2 days, controlled by Roundcube parameter $config['temp_dir_ttl'].
2 2 * * * php /opt/www/roundcubemail/bin/gc.sh >/dev/null
</code></pre>
<ul>
<li>FreeBSD:</li>
</ul>
<pre><code># Roundcube: Cleanup old temp files.
# Defaults to keep for 2 days, controlled by Roundcube parameter $config['temp_dir_ttl'].
2 2 * * * /usr/local/bin/php /usr/local/www/roundcube/bin/gc.sh >/dev/null
</code></pre>
<ul>
<li>OpenBSD:</li>
</ul>
<pre><code># Roundcube: Cleanup old temp files.
# Defaults to keep for 2 days, controlled by Roundcube parameter $config['temp_dir_ttl'].
2 2 * * * php /var/www/roundcubemail/bin/gc.sh >/dev/null
</code></pre>
<h3 id="fixed-nginx-doesnt-forward-real-client-ip-address-to-sogo">Fixed: Nginx doesn't forward real client IP address to SOGo</h3>
<p>iRedMail-0.9.5-1 and earlier releases didn't correctly configure Nginx to
forward the real client IP address to SOGo, so SOGo only sees the proxy's own
address and Fail2ban cannot catch bad clients that fail authentication against
SOGo. Please follow the steps below to fix it.</p>
<ul>
<li>Open file <code>/etc/nginx/templates/sogo.tmpl</code> (on Linux or OpenBSD) or
<code>/usr/local/etc/nginx/templates/sogo.tmpl</code> (on FreeBSD) and find the 3 lines
below:</li>
</ul>
<pre><code>#proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header Host $host;
</code></pre>
<ul>
<li>Remove the leading <code>#</code> to uncomment them:</li>
</ul>
<pre><code>proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
</code></pre>
<ul>
<li>Restart the Nginx service.</li>
</ul>
<h3 id="fixed-sogo-313-and-later-releases-changed-argument-used-by-sogo-tool-command">Fixed: SOGo-3.1.3 (and later releases) changed argument used by <code>sogo-tool</code> command</h3>
<p>SOGo-3.1.3 (and later releases) changed the <code>sogo-tool</code> argument
<code>expire-autoreply</code> to <code>update-autoreply</code>, and it's used in a daily cron
job. Please update the SOGo cron job to fix it.</p>
<ul>
<li>
<p>Edit the SOGo daemon user's cron job with the command:</p>
<ul>
<li>On Linux: <code>crontab -e -u sogo</code></li>
<li>On FreeBSD: <code>crontab -e -u sogod</code></li>
<li>On OpenBSD: <code>crontab -e -u _sogo</code></li>
</ul>
</li>
<li>
<p>Replace the argument <code>expire-autoreply</code> with <code>update-autoreply</code>.</p>
</li>
</ul>
<h3 id="fixed-memcached-listens-on-all-available-ip-addresses-instead-of-127001">Fixed: Memcached listens on all available IP addresses instead of <code>127.0.0.1</code></h3>
<blockquote>
<p>This step is only applicable when you have SOGo installed; otherwise
memcached is not installed or running on your server.</p>
</blockquote>
<p><a href="http://memcached.org">Memcached</a> is an open-source distributed memory object caching system
which is generic in nature but often used for speeding up dynamic web
applications. Memcached does not support any form of authorization.
Thus, anyone who can connect to the memcached server has unrestricted
access to the data stored in it. This allows attackers, e.g., to steal
sensitive data like login credentials for web applications or any other
kind of content stored with memcached.</p>
<p>iRedMail-0.9.5-1 and earlier releases didn't configure Memcached to listen on
<code>127.0.0.1</code> only; the steps below fix this issue. After restarting the
service you can verify that memcached is bound to the loopback address only,
e.g. with <code>ss -ltn | grep 11211</code> on Linux or <code>netstat -an | grep 11211</code>
on BSD (11211 is memcached's default port).</p>
<ul>
<li>On RHEL/CentOS, please open file <code>/etc/sysconfig/memcached</code> and update
parameter <code>OPTIONS=</code> with the <code>-l 127.0.0.1</code> option like below:</li>
</ul>
<pre><code>OPTIONS="-l 127.0.0.1"
</code></pre>
<p>Then restart the memcached service:</p>
<pre><code>service memcached restart
</code></pre>
<ul>
<li>On Debian/Ubuntu, please make sure you have the setting below in config file
<code>/etc/memcached.conf</code>:</li>
</ul>
<pre><code>-l 127.0.0.1
</code></pre>
<p>Then restart the memcached service:</p>
<pre><code>service memcached restart
</code></pre>
<ul>
<li>
<p>On FreeBSD, please append the line below to <code>/etc/rc.conf</code>:</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>If you're updating a jailed FreeBSD system, please change <code>127.0.0.1</code>
to the IP address of your jail.</p>
</div>
</li>
</ul>
<pre><code>memcached_flags='-l 127.0.0.1'
</code></pre>
<p>Then restart the memcached service:</p>
<pre><code>service memcached restart
</code></pre>
<ul>
<li>On OpenBSD, please append the line below to <code>/etc/rc.conf.local</code>:</li>
</ul>
<pre><code>memcached_flags='-u _memcached -l 127.0.0.1'
</code></pre>
<p>Then restart the memcached service:</p>
<pre><code>rcctl restart memcached
</code></pre>
<h3 id="fixed-awstats-is-world-accessible-with-apache">Fixed: Awstats is world-accessible with Apache</h3>
<blockquote>
<p>This is not applicable on OpenBSD, because iRedMail doesn't install Apache or Awstats there.</p>
</blockquote>
<p>With iRedMail-0.9.5-1 and earlier releases, Awstats was incorrectly configured
and accessible without authentication. Please follow the steps below to fix it.</p>
<ul>
<li>Open the Awstats config file for Apache and find the lines below:<ul>
<li>On RHEL/CentOS, it's <code>/etc/httpd/conf.d/awstats.conf</code></li>
<li>On Debian/Ubuntu, it's <code>/etc/apache2/conf-available/awstats.conf</code></li>
<li>On FreeBSD, it's <code>/usr/local/etc/apache2?/Includes/awstats.conf</code></li>
</ul>
</li>
</ul>
<pre><code>Require all granted
Require valid-user
</code></pre>
<ul>
<li>Remove <code>Require all granted</code> and keep <code>Require valid-user</code>. (In Apache
2.4, several <code>Require</code> lines in one section are combined with OR, so
<code>Require all granted</code> lets everyone in regardless of the
<code>Require valid-user</code> line next to it.)</li>
<li>Restart the Apache service.</li>
</ul>
<h3 id="improve-fail2ban-filter-regular-expression-to-catch-more-pop3imap-spams">Improve Fail2ban filter regular expression to catch more POP3/IMAP abuse</h3>
<blockquote>
<p>This step is applicable to Linux systems only.</p>
</blockquote>
<p>We have one new Fail2ban filter regular expression to catch unauthenticated
clients which generate log lines like below:</p>
<blockquote>
<p>Dec 11 16:49:41 imap-login: Info: Disconnected (auth failed, 1 attempts in
2 secs): user=&lt;admin@example.net&gt;, method=PLAIN, rip=212.8.246.222,
lip=10.11.12.13, TLS: Disconnected, session=&lt;xxfH9mhDwgDUCPbe&gt;</p>
</blockquote>
<p>Steps:</p>
<ul>
<li>On Linux:</li>
</ul>
<pre><code>cd /etc/fail2ban/filter.d/
rm -f dovecot.iredmail.conf
wget https://bitbucket.org/zhb/iredmail/raw/default/iRedMail/samples/fail2ban/filter.d/dovecot.iredmail.conf
service fail2ban reload
</code></pre>
<ul>
<li>On FreeBSD and OpenBSD, iRedMail doesn't configure Fail2ban, so this is not applicable.</li>
</ul>
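<p>To show what the updated filter has to detect, here is an added example (not iRedMail's code) that matches Dovecot "auth failed" disconnect lines of the shape quoted above and counts them per remote IP the way a Fail2ban jail would; the regular expression is written for this illustration and is not the <code>failregex</code> shipped in <code>dovecot.iredmail.conf</code>, and the log lines are constructed.</p>

```python
"""Detection logic for Dovecot 'auth failed' disconnects (added example).

The named group 'host' plays the role of Fail2ban's <HOST> placeholder: it is
the rip= (remote IP) field, the address a jail would ban. This regex is an
illustration written for this page, NOT iRedMail's dovecot.iredmail.conf.
"""
import re
from collections import Counter

AUTH_FAILED_RE = re.compile(
    r"(?:imap|pop3)-login: Info: Disconnected \(auth failed, "
    r"(?P<attempts>\d+) attempts? in \d+ secs\): user=<(?P<user>[^>]*)>, "
    r"method=\S+, rip=(?P<host>\d{1,3}(?:\.\d{1,3}){3}),"
)

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
Dec 11 16:49:41 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin@example.net>, method=PLAIN, rip=198.51.100.7, lip=10.11.12.13, TLS: Disconnected, session=<aaaa1111bbbb2222>
Dec 11 16:49:44 imap-login: Info: Disconnected (auth failed, 2 attempts in 5 secs): user=<admin@example.net>, method=PLAIN, rip=198.51.100.7, lip=10.11.12.13, TLS: Disconnected, session=<cccc3333dddd4444>
Dec 11 16:50:02 pop3-login: Info: Disconnected (auth failed, 1 attempts in 1 secs): user=<postmaster@example.net>, method=PLAIN, rip=198.51.100.7, lip=10.11.12.13, TLS, session=<eeee5555ffff6666>
Dec 11 16:50:10 imap-login: Info: Login: user=<alice@example.net>, method=PLAIN, rip=203.0.113.9, lip=10.11.12.13, mpid=12345, TLS, session=<gggg7777hhhh8888>
Dec 11 16:50:31 imap-login: Info: Disconnected (no auth attempts in 3 secs): user=<>, rip=203.0.113.9, lip=10.11.12.13, TLS, session=<iiii9999jjjj0000>
Dec 11 16:51:00 imap-login: Info: Disconnected (auth failed, 1 attempts in 4 secs): user=<bob@example.net>, method=PLAIN, rip=203.0.113.9, lip=10.11.12.13, TLS: Disconnected, session=<kkkk1234llll5678>
"""


def failed_attempts(log_text: str) -> Counter:
    """Count matching log lines per remote IP (Fail2ban counts lines, not the
    'N attempts' figure Dovecot reports inside the line)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AUTH_FAILED_RE.search(line)
        if m:
            counts[m.group("host")] += 1
    return counts


def hosts_to_ban(log_text: str, maxretry: int = 3) -> list:
    """IPs whose matching lines reach maxretry. Fail2ban's default maxretry is
    5; 3 is used here only so the constructed sample trips it."""
    return sorted(ip for ip, n in failed_attempts(log_text).items() if n >= maxretry)
```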
<h3 id="add-more-banned-file-typesextensions-in-amavisd">Add more banned file types/extensions in Amavisd</h3>
<blockquote>
<p>Note: this is applicable to all Linux/BSD distributions.</p>
</blockquote>
<p>We extended the banned attachment file types and file name extensions to help
catch more dangerous email attachments. Please follow the steps below to update
your Amavisd config file.</p>
<ul>
<li>
<p>Open the Amavisd config file:</p>
<ul>
<li>on RHEL/CentOS: <code>/etc/amavisd/amavisd.conf</code></li>
<li>on Debian/Ubuntu: <code>/etc/amavis/conf.d/50-user</code></li>
<li>on FreeBSD: <code>/usr/local/etc/amavisd.conf</code></li>
<li>on OpenBSD: <code>/etc/amavisd.conf</code></li>
</ul>
</li>
<li>
<p>If you already have the parameter <code>$banned_namepath_re</code> in the Amavisd config
file, please replace it with the one below. If you don't have it, please add it
before the last line (<code>1; # insure a defined return</code>) of the Amavisd config
file.</p>
</li>
</ul>
<pre><code>$banned_namepath_re = new_RE(
#[qr'T=(rar|arc|arj|zoo|gz|bz2)(,|\t)'xmi => 'DISCARD'], # Compressed file types
[qr'T=x-(msdownload|msdos-program|msmetafile)(,|\t)'xmi => 'DISCARD'],
[qr'T=(hta)(,|\t)'xmi => 'DISCARD'],
# Dangerous file types
[qr'T=(9|386|LeChiffre|aaa|abc|aepl|ani|aru|atm|aut|b64|bat|bhx|bin|bkd|blf|bll|bmw|boo|bps|bqf|breaking_bad|buk|bup|bxz|cc|ccc|ce0|ceo|cfxxe|chm|cih|cla|class|cmd|com|cpl|crinf|crjoker|crypt|cryptolocker|cryptowall|ctbl|cxq|cyw|dbd|delf|dev|dlb|dli|dll|dllx|dom|drv|dx|dxz|dyv|dyz|ecc|exe|exe-ms|exe1|exe_renamed|exx|ezt|ezz|fag|fjl|fnr|fuj|good|gzquar|hlp|hlw|hqx|hsq|hts|iva|iws|jar|js|kcd|keybtc@inbox_com|let|lik|lkh|lnk|locky|lok|lol!|lpaq5|magic|mfu|micro|mim|mjg|mjz|mp3|nls|oar|ocx|osa|ozd|pcx|pgm|php2|php3|pid|pif|plc|pr|pzdc|qit|qrn|r5a|rhk|rna|rsc_tmp|s7p|scr|shs|ska|smm|smtmp|sop|spam|ssy|swf|sys|tko|tps|tsa|tti|ttt|txs|upa|uu|uue|uzy|vb|vba|vbe|vbs|vbx|vexe|vxd|vzr|wlpginstall|ws|wsc|wsf|wsh|wss|xdu|xir|xlm|xlv|xnt|xnxx|xtbl|xxe|xxx|xyz|zix|zvz|zzz)(,|\t)'xmi => 'DISCARD'],
# Dangerous file name extensions
[qr'N=.*\.(9|386|LeChiffre|aaa|abc|aepl|ani|aru|atm|aut|b64|bat|bhx|bin|bkd|blf|bll|bmw|boo|bps|bqf|breaking_bad|buk|bup|bxz|cc|ccc|ce0|ceo|cfxxe|chm|cih|cla|class|cmd|com|cpl|crinf|crjoker|crypt|cryptolocker|cryptowall|ctbl|cxq|cyw|dbd|delf|dev|dlb|dli|dll|dllx|dom|drv|dx|dxz|dyv|dyz|ecc|exe|exe-ms|exe1|exe_renamed|exx|ezt|ezz|fag|fjl|fnr|fuj|good|gzquar|hlp|hlw|hqx|hsq|hts|iva|iws|jar|js|kcd|keybtc@inbox_com|let|lik|lkh|lnk|locky|lok|lol!|lpaq5|magic|mfu|micro|mim|mjg|mjz|mp3|nls|oar|ocx|osa|ozd|pcx|pgm|php2|php3|pid|pif|plc|pr|pzdc|qit|qrn|r5a|rhk|rna|rsc_tmp|s7p|scr|shs|ska|smm|smtmp|sop|spam|ssy|swf|sys|tko|tps|tsa|tti|ttt|txs|upa|uu|uue|uzy|vb|vba|vbe|vbs|vbx|vexe|vxd|vzr|wlpginstall|ws|wsc|wsf|wsh|wss|xdu|xir|xlm|xlv|xnt|xnxx|xtbl|xxe|xxx|xyz|zix|zvz|zzz)$'xmi => 'DISCARD'],
);
</code></pre>
<ul>
<li>Restarting the Amavisd service is required.</li>
</ul>
<h2 id="openldap-backend-special">OpenLDAP backend special</h2>
<h3 id="use-the-latest-iredmail-ldap-schema-file">Use the latest iRedMail LDAP schema file</h3>
<p>iRedMail-0.9.6 introduces 2 new LDAP attributes:</p>
<ul>
<li><code>domainPendingAliasName</code>: used by mail domain accounts to store new alias
domain names which are pending domain ownership verification. Required by
iRedAdmin-Pro.</li>
<li><code>domainStatus</code>: used by mail user/alias/list accounts to indicate the
status of their domain.</li>
</ul>
<h4 id="update-openldap-config-file-to-index-new-attributes">Update OpenLDAP config file to index new attributes</h4>
<ul>
<li>
<p>Please open the OpenLDAP config file <code>slapd.conf</code>:</p>
<ul>
<li>On RHEL/CentOS, it's <code>/etc/openldap/slapd.conf</code></li>
<li>On Debian/Ubuntu, it's <code>/etc/ldap/slapd.conf</code></li>
<li>On FreeBSD, it's <code>/usr/local/etc/openldap/slapd.conf</code></li>
<li>On OpenBSD:<ul>
<li>if you're running OpenLDAP, it's <code>/etc/openldap/slapd.conf</code>.</li>
<li>if you're running the ldapd(8) LDAP server, please add a new line
<code>index domainStatus</code> in the <code>namespace xxx {}</code> block.</li>
</ul>
</li>
</ul>
</li>
<li>
<p>For the new attribute <code>domainPendingAliasName</code>, please find the line below:</p>
</li>
</ul>
<pre><code>access to attrs="objectclass,domainName,mtaTransport,..."
</code></pre>
<p>Add the new attribute name <code>domainPendingAliasName</code> to this line (<strong>WARNING</strong>:
don't leave any whitespace between attribute names and commas):</p>
<pre><code>access to attrs="domainPendingAliasName,objectclass,domainName,mtaTransport,..."
</code></pre>
<ul>
<li>For the new attribute <code>domainStatus</code>, please find the line below:</li>
</ul>
<pre><code>access to attrs="employeeNumber,mail,..."
</code></pre>
<p>Add the new attribute name <code>domainStatus</code> to this line (<strong>WARNING</strong>: don't leave
any whitespace between attribute names and commas):</p>
<pre><code>access to attrs="domainStatus,employeeNumber,mail,..."
</code></pre>
<h4 id="download-the-latest-iredmail-ldap-schema-file">Download the latest iRedMail LDAP schema file</h4>
<ul>
<li>On RHEL/CentOS:</li>
</ul>
<pre><code>cd /tmp
wget https://bitbucket.org/zhb/iredmail/raw/default/iRedMail/samples/iredmail/iredmail.schema

cd /etc/openldap/schema/
cp iredmail.schema iredmail.schema.bak

cp -f /tmp/iredmail.schema /etc/openldap/schema/
service slapd restart
</code></pre>
<ul>
<li>On Debian/Ubuntu:</li>
</ul>
<pre><code>cd /tmp
wget https://bitbucket.org/zhb/iredmail/raw/default/iRedMail/samples/iredmail/iredmail.schema

cd /etc/ldap/schema/
cp iredmail.schema iredmail.schema.bak

cp -f /tmp/iredmail.schema /etc/ldap/schema/
service slapd restart
</code></pre>
<ul>
<li>On FreeBSD:</li>
</ul>
<pre><code>cd /tmp
wget https://bitbucket.org/zhb/iredmail/raw/default/iRedMail/samples/iredmail/iredmail.schema

cd /usr/local/etc/openldap/schema/
cp iredmail.schema iredmail.schema.bak

cp -f /tmp/iredmail.schema /usr/local/etc/openldap/schema/
service slapd restart
</code></pre>
<ul>
<li>
<p>On OpenBSD:</p>
<blockquote>
<p>Note: if you're running ldapd as the LDAP server, the schema directory is
<code>/etc/ldap</code> and the service name is <code>ldapd</code>.</p>
</blockquote>
</li>
</ul>
<pre><code>cd /tmp
ftp https://bitbucket.org/zhb/iredmail/raw/default/iRedMail/samples/iredmail/iredmail.schema

cd /etc/openldap/schema/
cp iredmail.schema iredmail.schema.bak

cp -f /tmp/iredmail.schema /etc/openldap/schema/
rcctl restart slapd
</code></pre>
<h3 id="fixed-mail-accounts-user-alias-list-are-still-active-when-domain-is-disabled">Fixed: mail accounts (user, alias, list) are still active when domain is disabled</h3>
|
|
<blockquote>
|
|
<p>This fix is applicable to OpenBSD ldapd backend also.</p>
|
|
</blockquote>
|
|
<p>In iRedMail-0.9.5-1 and all earlier releases, if we disable a mail domain,
|
|
all mail accounts (mail users, aliases, lists) are still active and Postfix
|
|
will accept emails sent to them. Steps below fix the issue.</p>
|
|
<h4 id="update-postfixdovecot-ldap-lookup-files">Update Postfix/Dovecot LDAP lookup files</h4>
<ul>
<li>On Linux and OpenBSD, run these commands:</li>
</ul>
<pre><code>cp -rf /etc/postfix/ldap /etc/postfix/ldap.bak
cd /etc/postfix/ldap/
perl -pi -e 's#\(accountStatus=active\)#(accountStatus=active)(!(domainStatus=disabled))#g' catchall_maps.cf recipient_bcc_maps_user.cf sender_bcc_maps_user.cf sender_dependent_relayhost_maps_user.cf sender_login_maps.cf transport_maps_user.cf virtual_alias_maps.cf virtual_group_maps.cf virtual_group_members_maps.cf virtual_mailbox_maps.cf

cp /etc/dovecot/dovecot-ldap.conf /etc/dovecot/dovecot-ldap.conf.$(date +%Y%m%d)
perl -pi -e 's#\(accountStatus=active\)#(accountStatus=active)(!(domainStatus=disabled))#g' /etc/dovecot/dovecot-ldap.conf
</code></pre>

|
<ul>
<li>On FreeBSD, run these commands:</li>
</ul>
<pre><code>cp -rf /usr/local/etc/postfix/ldap /usr/local/etc/postfix/ldap.bak
cd /usr/local/etc/postfix/ldap/
perl -pi -e 's#\(accountStatus=active\)#(accountStatus=active)(!(domainStatus=disabled))#g' catchall_maps.cf recipient_bcc_maps_user.cf sender_bcc_maps_user.cf sender_dependent_relayhost_maps_user.cf sender_login_maps.cf transport_maps_user.cf virtual_alias_maps.cf virtual_group_maps.cf virtual_group_members_maps.cf virtual_mailbox_maps.cf

cp /usr/local/etc/dovecot/dovecot-ldap.conf /usr/local/etc/dovecot/dovecot-ldap.conf.$(date +%Y%m%d)
perl -pi -e 's#\(accountStatus=active\)#(accountStatus=active)(!(domainStatus=disabled))#g' /usr/local/etc/dovecot/dovecot-ldap.conf
</code></pre>

|
<ul>
<li>Restart both Postfix and Dovecot services:<ul>
<li>on Linux: <code>service postfix restart; service dovecot restart</code></li>
<li>on FreeBSD: <code>service postfix restart; service dovecot restart</code></li>
<li>on OpenBSD: <code>rcctl restart postfix; rcctl restart dovecot</code></li>
</ul>
</li>
</ul>

<h4 id="add-required-ldap-attributevalue-for-existing-mail-accounts-under-disabled-domains">Add required LDAP attribute/value for existing mail accounts under disabled domains</h4>
<ul>
<li>Download the script that updates existing mail accounts:</li>
</ul>
<pre><code>cd /root/
wget https://bitbucket.org/zhb/iredmail/raw/default/extra/update/updateLDAPValues_095_1_to_096.py
</code></pre>

<ul>
<li>Open the downloaded file <code>updateLDAPValues_095_1_to_096.py</code> and set the
LDAP server settings in it. For example:</li>
</ul>
<pre><code># Part of file: updateLDAPValues_095_1_to_096.py

uri = 'ldap://127.0.0.1:389'
basedn = 'o=domains,dc=example,dc=com'
bind_dn = 'cn=vmailadmin,dc=example,dc=com'
bind_pw = 'passwd'
</code></pre>

<p>You can find the required LDAP credentials in the iRedAdmin config file or in the
<code>iRedMail.tips</code> file under your iRedMail installation directory. Either
<code>cn=Manager,dc=xx,dc=xx</code> or <code>cn=vmailadmin,dc=xx,dc=xx</code> can be used as the
bind dn; both have read-write privileges to update mail accounts.</p>
<ul>
<li>Execute the script; it adds the required data:</li>
</ul>
<pre><code># python updateLDAPValues_095_1_to_096.py
</code></pre>
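<p>Added example (not part of the iRedMail documentation or of <code>updateLDAPValues_095_1_to_096.py</code>) that illustrates the two steps above on constructed data: the <code>perl -pi -e</code> rewrite of the lookup files and the <code>domainStatus</code> attribute the script adds to accounts under disabled domains. The <code>perl</code> substitution is not idempotent, since <code>(accountStatus=active)</code> still matches after it has been rewritten, so running the command a second time appends the clause twice; <code>patch_filters()</code> is a variant that applies exactly once and <code>unpatched_count()</code> checks a file afterwards. The small filter evaluator then shows why the clause matters: an account that keeps <code>accountStatus=active</code> but carries <code>domainStatus=disabled</code> matches the old filter and is rejected by the new one. The sample lookup-table text, the entries and the function names are assumptions made for this example.</p>

```python
"""Added example, not part of the iRedMail docs or its update script; all data
below is constructed. It shows that the lookup-filter rewrite should be applied
exactly once, and why the (!(domainStatus=disabled)) clause rejects accounts
once the update script has stamped domainStatus=disabled onto them."""
import re

OLD_CLAUSE = "(accountStatus=active)"
NEW_CLAUSE = "(accountStatus=active)(!(domainStatus=disabled))"
# An old clause that is NOT already followed by the new one.
UNPATCHED = r"\(accountStatus=active\)(?!\(!\(domainStatus=disabled\)\))"

# Constructed sample, modelled on a Postfix ldap: table such as
# virtual_mailbox_maps.cf; attribute names follow the iRedMail schema.
SAMPLE_CF = """server_host = 127.0.0.1
search_base = o=domains,dc=example,dc=com
query_filter = (&(objectClass=mailUser)(accountStatus=active)(mail=%s))
result_attribute = mail
"""
# Constructed entries; the second is an account after
# updateLDAPValues_095_1_to_096.py has added domainStatus=disabled to it.
ACTIVE_USER = {"objectclass": ["mailUser"], "mail": ["alice@example.com"],
               "accountstatus": ["active"]}
USER_IN_DISABLED_DOMAIN = {"objectclass": ["mailUser"], "mail": ["bob@example.com"],
                           "accountstatus": ["active"], "domainstatus": ["disabled"]}


def naive_rewrite(text):
    """What the perl one-liner does: replace every old clause unconditionally,
    so a second run appends the domainStatus clause again."""
    return text.replace(OLD_CLAUSE, NEW_CLAUSE)


def patch_filters(text):
    """Idempotent rewrite: only touch clauses not patched yet."""
    return re.sub(UNPATCHED, NEW_CLAUSE, text)


def unpatched_count(text):
    """Post-upgrade check: filters in a file that still lack the clause."""
    return len(re.findall(UNPATCHED, text))


def query_filter_of(text):
    """Return the query_filter value of a lookup-table file."""
    return re.search(r"^query_filter\s*=\s*(.+)$", text, re.M).group(1).strip()


def parse_filter(filt):
    """Parse the RFC 4515 subset used here: (&..), (|..), (!..), (attr=value).
    Values containing ')' are not supported."""
    pos = 0

    def node():
        nonlocal pos
        if filt[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if filt[pos] in "&|!":
            op, pos = filt[pos], pos + 1
            children = []
            while filt[pos] == "(":
                children.append(node())
            pos += 1  # closing ')' of the compound filter
            return (op, children)
        end = filt.index(")", pos)
        attr, value = filt[pos:end].split("=", 1)
        pos = end + 1
        return ("=", attr.lower(), value)  # attribute names are case-insensitive

    return node()


def matches(filt, entry):
    """Evaluate a filter against {attr: [values]}. A missing attribute never
    matches, so (!(domainStatus=disabled)) holds for an ordinary account and
    fails only for one stamped domainStatus=disabled."""
    def ev(tree):
        if tree[0] == "=":
            values = entry.get(tree[1], [])
            return bool(values) if tree[2] == "*" else tree[2] in values
        if tree[0] == "&":
            return all(ev(c) for c in tree[1])
        if tree[0] == "|":
            return any(ev(c) for c in tree[1])
        return not ev(tree[1][0])  # '!'
    return ev(parse_filter(filt))


def lookup_accepts(cf_text, entry):
    """Would the table in cf_text return this entry for its own address?
    Mirrors Postfix substituting %s with the lookup key."""
    return matches(query_filter_of(cf_text).replace("%s", entry["mail"][0]), entry)


if __name__ == "__main__":
    patched = patch_filters(SAMPLE_CF)
    print("idempotent:", patch_filters(patched) == patched)
    print("old/new filter accept bob:", lookup_accepts(SAMPLE_CF, USER_IN_DISABLED_DOMAIN),
          lookup_accepts(patched, USER_IN_DISABLED_DOMAIN))
```

<p>Run on a real <code>ldap/*.cf</code> file, <code>unpatched_count()</code> returning 0 confirms the rewrite reached every filter, and <code>naive_rewrite()</code> applied twice to the sample shows the duplicated clause that the one-liner produces if it is re-run by mistake.</p>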

<h2 id="mysqlmariadb-backend-special">MySQL/MariaDB backend special</h2>
<h3 id="fix-invalid-default-datetime-value-for-some-sql-columns-in-vmail-database">Fix invalid default (datetime) value for some SQL columns in 'vmail' database</h3>
<p>The default values of some SQL columns in the <code>vmail</code> database are invalid
in MySQL 5.7 (they raise an error). No matter which version of MySQL you're running,
run the SQL commands below as the SQL root user to fix them.</p>
<pre><code>USE vmail;

ALTER TABLE admin
    MODIFY passwordlastchange DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01',
    MODIFY created DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01',
    MODIFY modified DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01';

ALTER TABLE alias
    MODIFY created DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01',
    MODIFY modified DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01';

ALTER TABLE alias_domain
    MODIFY created DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01',
    MODIFY modified DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01';

ALTER TABLE domain
    MODIFY created DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01',
    MODIFY modified DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01';

ALTER TABLE domain_admins
    MODIFY created DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01',
    MODIFY modified DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01';

ALTER TABLE mailbox
    MODIFY lastlogindate DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01',
    MODIFY passwordlastchange DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01',
    MODIFY created DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01',
    MODIFY modified DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01';

ALTER TABLE recipient_bcc_domain
    MODIFY created DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01',
    MODIFY modified DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01';

ALTER TABLE recipient_bcc_user
    MODIFY created DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01',
    MODIFY modified DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01';

ALTER TABLE sender_bcc_domain
    MODIFY created DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01',
    MODIFY modified DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01';

ALTER TABLE sender_bcc_user
    MODIFY created DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01',
    MODIFY modified DATETIME NOT NULL DEFAULT '1970-01-01 01:01:01';
</code></pre>
<div class="footer">
<p style="text-align: center; color: grey;">All documents are available in <a href="https://bitbucket.org/zhb/iredmail-docs/src">BitBucket repository</a>, and published under <a href="http://creativecommons.org/licenses/by-nd/3.0/us/" target="_blank">Creative Commons</a> license. You can <a href="https://bitbucket.org/zhb/iredmail-docs/get/tip.tar.bz2">download the latest version</a> for offline reading. If you found something wrong, please do <a href="http://www.iredmail.org/contact.html">contact us</a> to fix it.</p>
</div>
</body></html>