elmau
/
iredmail-doc
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
iredmail-doc/upgrade/0-upgrade.iredmail.0.9.0-0....

6.8 KiB
Raw Blame History

Upgrade iRedMail from 0.9.0 to 0.9.1

[TOC]

WARNING: Still working in progress, do NOT apply it.

ChangeLog

  • 2015-02-11: [All backends] Fixed: Cannot run PHP script under web document root with Nginx.
  • 2015-02-09: [All backends] [OPTIONAL] Add one more Fail2ban filter to help catch spam.
  • 2015-02-04: [All backends] [OPTIONAL] Fixed: return receipt response rejected by iRedAPD plugin reject_null_sender.
  • 2015-02-02: [All backends] Fixed: Not backup SOGo database. Note: this step is not applicable if you don't use SOGo groupware.
  • 2015-01-13: [All backends] Fixed: Incorrect path of command sogo-tool on OpenBSD.
  • 2015-01-12: [SQL backends] Fixed: Not apply service restriction in Dovecot SQL query file while acting as SASL server.

General (All backends should apply these steps)

[OPTIONAL] Add one more Fail2ban filter to help catch spam

We have a new Fail2ban filter to help catch spam, it will scan HELO rejections in Postfix log file and invoke iptables to ban client IP address.

Open file /etc/fail2ban/filters.d/postfix.iredmail.conf or /usr/local/etc/fail2ban/filters.d/postfix.iredmail.conf (on FreeBSD), append below line under [Definition] section:

            reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname

After modification, the whole content is:

[Definition]
failregex = \[<HOST>\]: SASL (PLAIN|LOGIN) authentication failed
            lost connection after AUTH from (.*)\[<HOST>\]
            reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
            reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
            reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
            reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
ignoreregex =

[OPTIONAL] Fixed: return receipt response rejected by iRedAPD plugin reject_null_sender

Note: this is applicable if you want to keep iRedAPD plugin reject_null_sender but still able to send return receipt with Roundcube webmail.

According to RFC2298, return receipt envelope sender address must be empty. If you have iRedAPD plugin reject_null_sender enabled, it will reject return receipt response. To particularly solve this issue, you can set below setting in Roundcube config file config/config.inc.php:

  • on RHEL/CentOS/OpenBSD, it's /var/www/roundcubemail/config/config.inc.php.
  • on Debian/Ubuntu, it's /usr/share/apache2/roundcubemail/config/config.inc.php.
  • on FreeBSD, it's /usr/local/www/roundcube/config/config.inc.php.
$config['mdn_use_from'] = true;

Note: if other mail client applications don't set smtp authentication user as envelope sender of return receipt, same issue will occurs. You must disable iRedAPD plugin reject_null_sender in /opt/iredapd/settings.py to make all mail clients work.

iRedAPD plugin reject_null_sender rejects message submitted by sasl authenticated user but with null sender in From: header (from=<> in Postfix log). If your user's password was cracked by spammer, spammer can use this account to bypass smtp authentication, but with a null sender in From: header, throttling won't be triggered.

Fixed: Cannot run PHP script under web document root with Nginx.

With previous release of iRedMail, Nginx won't run PHP scripts under sub-directories of web document root, this step will fix it.

  • Open Nginx config file /etc/nginx/conf.d/default.conf (on Linux/OpenBSD) or /usr/local/etc/nginx/conf.d/default.conf, add one more setting in configuration block location ~ \.php$ {} like below:
...
root /var/www/html;
...
location ~ \.php$ {
    ...
    fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;    # <- Add this line
}
  • Save your changes and restart Nginx service.

Notes:

  • There're two location ~ \.php$ {} blocks, please update both of them.

  • You must replace /var/www/html in above sample code to the value of root setting defined in same config file.

    • on RHEL/CentOS, it's /var/www/html.
    • on Debian/Ubuntu, it's /var/www.
    • on FreeBSD, it's /usr/local/www/apache22/data. Note: if you're running Apache-2.4, the directory name should be apache24, not apache22.
    • on OpenBSD, it's /var/www/htdocs.

Fixed: Incorrect path of command sogo-tool on OpenBSD

Note: this step is applicable to only OpenBSD.

Please check user _sogo's cron job, make sure path to sogo-tool command is /usr/local/sbin/sogo-tool:

# crontab -l -u _sogo

If it's not /usr/local/sbin/sogo-tool, please edit its cron job with below command and fix it:

# crontab -e -u _sogo

OpenLDAP backend special

Fixed: not backup SOGo database

Note: this step is not applicable if you don't use SOGo groupware.

Open backup script /var/vmail/backup/backup_mysql.sh, append SOGo SQL database name in variable DATABASES=. For example:

DATABASES='... sogo'

Save your change and that's all.

MySQL/MariaDB backend special

Fixed: Not apply service restriction in Dovecot SQL query file while acting as SASL server

Please open Dovecot config file /etc/dovecot/dovecot-mysql.conf (Linux/OpenBSD) or /usr/local/etc/dovecot/dovecot-mysql.conf (FreeBSD), find below line:

# Part of file: /etc/dovecot/dovecot-mysql.conf

password_query = SELECT password FROM mailbox WHERE username='%u' AND active='1'

Add additional query AND enable%Ls%Lc=1 like below:

# Part of file: /etc/dovecot/dovecot-mysql.conf

password_query = SELECT password FROM mailbox WHERE username='%u' AND enable%Ls%Lc=1 AND active='1'

Save your change and restart Dovecot service.

Fixed: not backup SOGo database

Note: this step is not applicable if you don't use SOGo groupware.

Open backup script /var/vmail/backup/backup_mysql.sh, append SOGo SQL database name in variable DATABASES=. For example:

DATABASES='... sogo'

Save your change and that's all.

PostgreSQL backend special

Fixed: Not apply service restriction in Dovecot SQL query file while acting as SASL server

Please open Dovecot config file /etc/dovecot/dovecot-pgsql.conf (Linux/OpenBSD) or /usr/local/etc/dovecot/dovecot-pgsql.conf (FreeBSD), find below line:

# Part of file: /etc/dovecot/dovecot-pgsql.conf

password_query = SELECT password FROM mailbox WHERE username='%u' AND active='1'

Add additional query like below:

# Part of file: /etc/dovecot/dovecot-pgsql.conf

password_query = SELECT password FROM mailbox WHERE username='%u' AND enable%Ls%Lc=1 AND active='1'

Save your change and restart Dovecot service.

Fixed: not backup SOGo database

Note: this step is not applicable if you don't use SOGo groupware.

Open backup script /var/vmail/backup/backup_mysql.sh, append SOGo SQL database name in variable DATABASES=. For example:

DATABASES='... sogo'

Save your change and that's all.