400 lines
19 KiB
HTML
400 lines
19 KiB
HTML
<!DOCTYPE html>
|
|
<html>
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
<title>Upgrade iRedMail from 0.9.1 to 0.9.2</title>
|
|
<link rel="stylesheet" type="text/css" href="./css/markdown.css" />
|
|
</head>
|
|
<body>
|
|
|
|
<div id="navigation">
|
|
<a href="https://www.iredmail.org" target="_blank">
|
|
<img alt="iRedMail web site"
|
|
src="./images/logo-iredmail.png"
|
|
style="vertical-align: middle; height: 30px;"
|
|
/>
|
|
<span>iRedMail</span>
|
|
</a>
|
|
// <a href="./index.html">Document Index</a></div><h1 id="upgrade-iredmail-from-091-to-092">Upgrade iRedMail from 0.9.1 to 0.9.2</h1>
|
|
<div class="toc">
|
|
<ul>
|
|
<li><a href="#upgrade-iredmail-from-091-to-092">Upgrade iRedMail from 0.9.1 to 0.9.2</a><ul>
|
|
<li><a href="#changelog">ChangeLog</a></li>
|
|
<li><a href="#general-all-backends-should-apply-these-steps">General (All backends should apply these steps)</a><ul>
|
|
<li><a href="#update-etciredmail-release-with-new-iredmail-version-number">Update /etc/iredmail-release with new iRedMail version number</a></li>
|
|
<li><a href="#fix-the-logjam-attack">Fix 'The Logjam Attack'</a><ul>
|
|
<li><a href="#generating-a-unique-dh-group">Generating a Unique DH Group</a></li>
|
|
<li><a href="#update-apache-setting">Update Apache setting</a></li>
|
|
<li><a href="#update-nginx-setting">Update Nginx setting</a></li>
|
|
<li><a href="#update-dovecot-setting">Update Dovecot setting</a></li>
|
|
<li><a href="#update-postfix-setting">Update Postfix setting</a></li>
|
|
</ul>
|
|
</li>
|
|
<li><a href="#upgrade-iredapd-postfix-policy-server-to-the-latest-160">Upgrade iRedAPD (Postfix policy server) to the latest 1.6.0</a></li>
|
|
<li><a href="#rhelcentos-7-update-cluebringer-package-to-avoid-database-connection-failure">[RHEL/CentOS 7] Update Cluebringer package to avoid database connection failure</a></li>
|
|
<li><a href="#rhelcentos-update-uwsgi-config-file-to-make-it-work-with-new-uwsgi-package">[RHEL/CentOS] Update uwsgi config file to make it work with new uwsgi package</a></li>
|
|
<li><a href="#rhelcentos-dont-ban-applicationoctet-stream-dat-file-types-in-amavisd">[RHEL/CentOS] Don't ban application/octet-stream, dat file types in Amavisd</a></li>
|
|
<li><a href="#update-sogo-to-the-latest-stable-release-v230">Update SOGo to the latest stable release, v2.3.0</a></li>
|
|
<li><a href="#optional-update-one-fail2ban-filter-regular-expression-to-help-catch-dos-attacks-to-smtp-service">[OPTIONAL] Update one Fail2ban filter regular expression to help catch DoS attacks to SMTP service</a></li>
|
|
</ul>
|
|
</li>
|
|
<li><a href="#openldap-backend-special">OpenLDAP backend special</a><ul>
|
|
<li><a href="#fixed-catch-all-support-doesnt-work-with-email-address-which-contains-address-extension">Fixed: catch-all support doesn't work with email address which contains address extension</a></li>
|
|
</ul>
|
|
</li>
|
|
</ul>
|
|
</li>
|
|
</ul>
|
|
</div>
|
|
<div class="admonition note">
|
|
<p class="admonition-title">Paid Remote Upgrade Support</p>
|
|
<p>We offer remote upgrade support if you don't want to get your hands dirty,
|
|
check <a href="https://www.iredmail.org/support.html">the details</a> and
|
|
<a href="https://www.iredmail.org/contact.html">contact us</a>.</p>
|
|
</div>
|
|
<h2 id="changelog">ChangeLog</h2>
|
|
<ul>
|
|
<li>2015-08-19: Mention that ssl cert file name on old iRedMail releases is <code>iRedMail_CA.pem</code>, not <code>iRedMail.crt</code>.</li>
|
|
<li>2015-06-03: Fixed: <code>SSLOpenSSLConfCmd</code> is used on Ubuntu 15.04 and later releases, not on other Linux/BSD distributions.</li>
|
|
</ul>
|
|
<hr />
|
|
<ul>
|
|
<li>2015-06-03: Initial release.</li>
|
|
</ul>
|
|
<h2 id="general-all-backends-should-apply-these-steps">General (All backends should apply these steps)</h2>
|
|
<h3 id="update-etciredmail-release-with-new-iredmail-version-number">Update <code>/etc/iredmail-release</code> with new iRedMail version number</h3>
|
|
<p>iRedMail stores the release version in <code>/etc/iredmail-release</code> after
|
|
installation, it's recommended to update this file after you upgraded iRedMail,
|
|
so that you can know which version of iRedMail you're running. For example:</p>
|
|
<pre><code># File: /etc/iredmail-release
|
|
|
|
0.9.2
|
|
</code></pre>
|
|
|
|
<h3 id="fix-the-logjam-attack">Fix 'The Logjam Attack'</h3>
|
|
<p>For more details about The Logjam Attack, please visit this web site:
|
|
<a href="https://weakdh.org">The Logjam Attack</a>. It also provides a detailed
|
|
<a href="https://weakdh.org/sysadmin.html">tutorial</a> to help you fix this issue. We
|
|
show you how to fix it on your iRedMail server based on that tutorial.</p>
|
|
<h4 id="generating-a-unique-dh-group">Generating a Unique DH Group</h4>
|
|
<ul>
|
|
<li>On RHEL/CentOS:</li>
|
|
</ul>
|
|
<pre><code># openssl dhparam -out /etc/pki/tls/dhparams.pem 2048
|
|
</code></pre>
|
|
|
|
<ul>
|
|
<li>On Debian, Ubuntu, FreeBSD, OpenBSD:</li>
|
|
</ul>
|
|
<pre><code># openssl dhparam -out /etc/ssl/dhparams.pem 2048
|
|
</code></pre>
|
|
|
|
<h4 id="update-apache-setting">Update Apache setting</h4>
|
|
<p>Note: This step is applicable if you have Apache running on your server.</p>
|
|
<hr />
|
|
<ul>
|
|
<li>Check your Apache version first:</li>
|
|
</ul>
|
|
<pre><code># apachectl -v
|
|
</code></pre>
|
|
|
|
<ul>
|
|
<li>
|
|
<p>Find below settings in Apache SSL config file and update them to below
|
|
values. If they don't exist, please add them.</p>
|
|
<ul>
|
|
<li>on RHEL/CentOS, it's <code>/etc/httpd/conf.d/ssl.conf</code>.</li>
|
|
<li>on Debian/Ubuntu, it's <code>/etc/apache2/sites-available/default-ssl</code> (or <code>default-ssl.conf</code>).</li>
|
|
<li>on FreeBSD, it's <code>/usr/local/etc/apache2*/extra/httpd-ssl.conf</code>.</li>
|
|
<li>on OpenBSD, it's not applicable since we don't have Apache installed.</li>
|
|
</ul>
|
|
</li>
|
|
</ul>
|
|
<pre><code>SSLProtocol all -SSLv2 -SSLv3
|
|
|
|
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
|
|
|
|
SSLHonorCipherOrder on
|
|
</code></pre>
|
|
|
|
<p>On Ubuntu 15.04 and later releases, please add one additional setting:</p>
|
|
<pre><code>SSLOpenSSLConfCmd DHParameters /etc/ssl/dhparams.pem
|
|
</code></pre>
|
|
|
|
<hr />
|
|
<p>Applicable to all Linux/BSD distributions:</p>
|
|
<hr />
|
|
<p>If you're running Apache older than version 2.4.8, please append the DHparams
|
|
generated above to the end of the certificate file. Note: if you use a bought
|
|
SSL certificate, append it to your cert file. <strong>Note</strong>: if you upgraded
|
|
iRedMail from an old release, the file name will be <code>iRedMail_CA.pem</code> instead
|
|
of <code>iRedMail.crt</code>.</p>
|
|
<ul>
|
|
<li>On RHEL/CentOS: <code># cat /etc/pki/tls/dhparams.pem >> /etc/pki/tls/certs/iRedMail.crt</code></li>
|
|
<li>
|
|
<p>Debian/Ubuntu: <code># cat /etc/ssl/dhparams.pem >> /etc/ssl/certs/iRedMail.crt</code></p>
|
|
</li>
|
|
<li>
|
|
<p>Reloading or restarting Apache service is required:</p>
|
|
</li>
|
|
</ul>
|
|
<pre><code># service httpd restart
|
|
</code></pre>
|
|
|
|
<h4 id="update-nginx-setting">Update Nginx setting</h4>
|
|
<p>Add or update below settings in <code>/etc/nginx/conf.d/default.conf</code> (Linux/OpenBSD)
|
|
or <code>/usr/local/etc/nginx/conf.d/default.conf</code> (FreeBSD):</p>
|
|
<pre><code>ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
|
|
|
|
ssl_prefer_server_ciphers on;
|
|
ssl_dhparam /etc/ssl/dhparams.pem;
|
|
</code></pre>
|
|
|
|
<p>Note: on RHEL/CentOS, the path to <code>dhparams.pem</code> is <code>/etc/pki/tls/dhparams.pem</code>.</p>
|
|
<p>Reloading or restarting Nginx service is required:</p>
|
|
<pre><code># service nginx restart
|
|
</code></pre>
|
|
|
|
<h4 id="update-dovecot-setting">Update Dovecot setting</h4>
|
|
<p>Check Dovecot version number first:</p>
|
|
<pre><code># dovecot --version
|
|
</code></pre>
|
|
|
|
<p>Update Dovecot config file <code>/etc/dovecot/dovecot.conf</code> (Linux/OpenBSD) or
|
|
<code>/usr/local/etc/dovecot/dovecot.conf</code> (FreeBSD):</p>
|
|
<pre><code>ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
|
|
</code></pre>
|
|
|
|
<p>If you're running Dovecot-2.2.6 or later releases, please add some additional
|
|
settings in <code>dovecot.conf</code>:</p>
|
|
<pre><code># Dovecot 2.2.6 or later releases
|
|
ssl_prefer_server_ciphers = yes
|
|
|
|
# Dovecot will regenerate dhparams.pem itself, here we ask it to regenerate
|
|
# with 2048 key length.
|
|
ssl_dh_parameters_length = 2048
|
|
</code></pre>
|
|
|
|
<p>Reloading or restarting Dovecot service is required:</p>
|
|
<pre><code># service dovecot restart
|
|
</code></pre>
|
|
|
|
<h4 id="update-postfix-setting">Update Postfix setting</h4>
|
|
<p>Update Postfix settings with below commands:</p>
|
|
<pre><code># postconf -e smtpd_tls_exclude_ciphers='aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA'
|
|
# postconf -e smtpd_tls_dh1024_param_file='/etc/ssl/dhparams.pem'
|
|
</code></pre>
|
|
|
|
<p>Note: on RHEL/CentOS, the path to <code>dhparams.pem</code> is <code>/etc/pki/tls/dhparams.pem</code>.</p>
|
|
<p>Reloading or restarting Postfix service is required:</p>
|
|
<pre><code># service postfix restart
|
|
</code></pre>
|
|
|
|
<h3 id="upgrade-iredapd-postfix-policy-server-to-the-latest-160">Upgrade iRedAPD (Postfix policy server) to the latest 1.6.0</h3>
|
|
<p>Please follow below tutorial to upgrade iRedAPD to the latest stable release:
|
|
<a href="./upgrade.iredapd.html">Upgrade iRedAPD to the latest stable release</a></p>
|
|
<p>Detailed release notes are available here: <a href="./iredapd.releases.html">iRedAPD release notes</a>.</p>
|
|
<h3 id="rhelcentos-7-update-cluebringer-package-to-avoid-database-connection-failure">[RHEL/CentOS 7] Update Cluebringer package to avoid database connection failure</h3>
|
|
<p>Note: This is applicable to only RHEL/CentOS 7.</p>
|
|
<p>With old Cluebringer RPM package, Cluebringer starts before SQL database starts,
|
|
this causes Cluebringer cannot connect to SQL database, and all your Cluebringer
|
|
settings is not applied at all. Updating Cluebringer package to version
|
|
<code>2.0.14-5</code> fixes this issue.</p>
|
|
<p>How to update package:</p>
|
|
<pre><code># yum clean metadata
|
|
# yum update cluebringer
|
|
# systemctl enable cbpolicyd
|
|
</code></pre>
|
|
|
|
<p>New package will remove old SysV script <code>/etc/init.d/cbpolicyd</code>, and install
|
|
<code>/usr/lib/systemd/system/cbpolicyd.service</code> for service control. You have to
|
|
manage it (start, stop, restart) with <code>systemctl</code> command.</p>
|
|
<h3 id="rhelcentos-update-uwsgi-config-file-to-make-it-work-with-new-uwsgi-package">[RHEL/CentOS] Update uwsgi config file to make it work with new uwsgi package</h3>
|
|
<p>A new version of uwsgi package was submitted to EPEL repo, so if you update
|
|
packages with command <code>yum update</code>, it will be installed. But it's not
|
|
compatible with settings configured by iRedMail, this causes uwsgi service
|
|
cannot be started, and iRedAdmin is unaccessible. Below steps fix this issue.</p>
|
|
<ul>
|
|
<li>Make sure you're running the uwsgi package provided in EPEL repo:</li>
|
|
</ul>
|
|
<pre><code># yum clean metadata
|
|
# yum update uwsgi
|
|
</code></pre>
|
|
|
|
<p>It will create file <code>/etc/uwsgi.ini</code> and directory <code>/etc/uwsgi.d/</code>.</p>
|
|
<ul>
|
|
<li>Copy a working <code>/etc/uwsgi.ini</code> config file from iRedMail repo directly, and
|
|
create required log directory:</li>
|
|
</ul>
|
|
<pre><code># cd /tmp/
|
|
# wget https://github.com/iredmail/iRedMail/raw/0.9.2/iRedMail/samples/nginx/uwsgi.ini
|
|
# mv /etc/uwsgi.ini /etc/uwsgi.ini.bak
|
|
# mv /tmp/uwsgi.ini /etc/uwsgi.ini
|
|
# mkdir /var/log/uwsgi
|
|
# chown root:root /var/log/uwsgi
|
|
</code></pre>
|
|
|
|
<ul>
|
|
<li>Now copy old uwsgi instance config file of iRedAdmin to new directory:</li>
|
|
</ul>
|
|
<pre><code># mv /etc/uwsgi/iredadmin.ini /etc/uwsgi.d/
|
|
# rmdir /etc/uwsgi
|
|
</code></pre>
|
|
|
|
<p>Note: if you don't have <code>/etc/uwsgi/iredadmin.ini</code>, it's ok to use below
|
|
one. Be careful, if your web server is running as different daemon user and
|
|
group, you must update <code>chown-socket =</code> line with correct daemon user/group
|
|
name.</p>
|
|
<pre><code>[uwsgi]
|
|
plugins = python
|
|
vhost = true
|
|
socket = /var/run/uwsgi_iredadmin.socket
|
|
pidfile = /var/run/uwsgi_iredadmin.pid
|
|
chown-socket = apache:apache
|
|
chmod-socket = 660
|
|
uid = iredadmin
|
|
gid = iredadmin
|
|
enable-threads = true
|
|
</code></pre>
|
|
|
|
<ul>
|
|
<li>Restart uwsgi service.</li>
|
|
</ul>
|
|
<pre><code># service uwsgi restart
|
|
</code></pre>
|
|
|
|
<h3 id="rhelcentos-dont-ban-applicationoctet-stream-dat-file-types-in-amavisd">[RHEL/CentOS] Don't ban <code>application/octet-stream, dat</code> file types in Amavisd</h3>
|
|
<p>Note: This is applicable to only RHEL/CentOS.</p>
|
|
<ul>
|
|
<li>Find below lines in Amavisd config file <code>/etc/amavisd/amavisd.conf</code>:</li>
|
|
</ul>
|
|
<pre><code>$banned_namepath_re = new_RE(
|
|
# Unknown binary files.
|
|
[qr'M=application/(zip|rar|arc|arj|zoo|gz|bz2|octet-stream)(,|\t).*T=dat(,|\t)'xmi => 'DISCARD'],
|
|
...
|
|
);
|
|
</code></pre>
|
|
|
|
<ul>
|
|
<li>Remove <code>|octet-stream</code> in 3rd line. After modified, it's:</li>
|
|
</ul>
|
|
<pre><code>$banned_namepath_re = new_RE(
|
|
# Unknown binary files.
|
|
[qr'M=application/(zip|rar|arc|arj|zoo|gz|bz2)(,|\t).*T=dat(,|\t)'xmi => 'DISCARD'],
|
|
...
|
|
);
|
|
</code></pre>
|
|
|
|
<ul>
|
|
<li>Restart Amavisd service.</li>
|
|
</ul>
|
|
<pre><code># service amavisd restart
|
|
</code></pre>
|
|
|
|
<h3 id="update-sogo-to-the-latest-stable-release-v230">Update SOGo to the latest stable release, v2.3.0</h3>
|
|
<p><strong>Note: this step is required if you're running SOGo on RHEL/CentOS, Debian/Ubuntu.</strong></p>
|
|
<p>SOGo team released new stable version v2.3.0 on Jun 2, it requires system
|
|
admin to run a shell script to update SQL structure manually if you're currently
|
|
running an old version of SOGo. We suggest you read SOGo official upgrade
|
|
tutorial in <code>Upgrading</code> section of
|
|
<a href="http://www.sogo.nu/files/docs/SOGo%20Installation%20Guide.pdf">Installation Guide</a>.</p>
|
|
<p>SOGo-2.3.0 ships this update script, please find it with your package management
|
|
tool like <code>yum</code>, <code>dpkg</code>.</p>
|
|
<ul>
|
|
<li>
|
|
<p>Update SOGo packages:</p>
|
|
<ul>
|
|
<li>on RHEL/CentOS: <code># yum update</code></li>
|
|
<li>on Debian/Ubuntu: <code># apt-get update && apt-get upgrade</code></li>
|
|
<li>on OpenBSD: new SOGo version is not available in ports tree on OpenBSD
|
|
5.7, so you have to stick with current old version on OpenBSD. But if
|
|
you need to update to SOGo-2.3.0 someday, you should apply this step
|
|
too.</li>
|
|
</ul>
|
|
</li>
|
|
</ul>
|
|
<p>Find the update script shipped in SOGo-2.3.0 and run it:</p>
|
|
<ul>
|
|
<li>on RHEL/CentOS:</li>
|
|
</ul>
|
|
<pre><code># rpm -ql sogo | grep 'sql-update-2.2.17'
|
|
/usr/share/doc/sogo-2.3.0/sql-update-2.2.17_to_2.3.0-mysql.sh # <- for MySQL
|
|
/usr/share/doc/sogo-2.3.0/sql-update-2.2.17_to_2.3.0.sh # <- for PostgreSQL
|
|
</code></pre>
|
|
|
|
<ul>
|
|
<li>on Debian/Ubuntu:</li>
|
|
</ul>
|
|
<pre><code># dpkg -L sogo | grep 'sql-update-2.2.17'
|
|
/usr/share/doc/sogo/sql-update-2.2.17_to_2.3.0-mysql.sh # <- for MySQL
|
|
/usr/share/doc/sogo/sql-update-2.2.17_to_2.3.0.sh # <- for PostgreSQL
|
|
</code></pre>
|
|
|
|
<p>Please pick the one for your SQL server. here we use the one for MySQL
|
|
backend on CentOS for example:</p>
|
|
<pre><code># bash /usr/share/doc/sogo-2.3.0/sql-update-2.2.17_to_2.3.0-mysql.sh
|
|
Username (root): root
|
|
Hostname (127.0.0.1):
|
|
Database (root): sogo
|
|
This script will ask for the sql password twice
|
|
Converting c_partstates from VARCHAR(255) to mediumtext in calendar quick tables
|
|
Enter password:
|
|
Enter password:
|
|
</code></pre>
|
|
|
|
<p>After you typed correct SQL admin account and password (twice), the script will
|
|
update SQL database and exit silently.</p>
|
|
<ul>
|
|
<li>
|
|
<p>Restart SOGo service.</p>
|
|
<ul>
|
|
<li>on RHEL/CentOS: <code># service sogod restart</code></li>
|
|
<li>on Debian/Ubuntu: <code># service sogo restart</code></li>
|
|
</ul>
|
|
</li>
|
|
</ul>
|
|
<h3 id="optional-update-one-fail2ban-filter-regular-expression-to-help-catch-dos-attacks-to-smtp-service">[OPTIONAL] Update one Fail2ban filter regular expression to help catch DoS attacks to SMTP service</h3>
|
|
<ul>
|
|
<li>Open file <code>/etc/fail2ban/filter.d/postfix.iredmail.conf</code> or
|
|
<code>/usr/local/etc/fail2ban/filter.d/postfix.iredmail.conf</code> (on FreeBSD), find
|
|
below line under <code>[Definition]</code> section:</li>
|
|
</ul>
|
|
<pre><code> lost connection after AUTH from (.*)\[<HOST>\]
|
|
</code></pre>
|
|
|
|
<ul>
|
|
<li>Update above line to below one:</li>
|
|
</ul>
|
|
<pre><code> lost connection after (AUTH|UNKNOWN|EHLO) from (.*)\[<HOST>\]
|
|
</code></pre>
|
|
|
|
<p>Restarting Fail2ban service is required.</p>
|
|
<h2 id="openldap-backend-special">OpenLDAP backend special</h2>
|
|
<h3 id="fixed-catch-all-support-doesnt-work-with-email-address-which-contains-address-extension">Fixed: catch-all support doesn't work with email address which contains address extension</h3>
|
|
<p>In iRedMail-0.9.1 and earlier versions, there's a known bug that per-domain
|
|
catch-all support doesn't work with email address which contains address
|
|
extension. for example, email address <code>username+extension@domain.com</code>. Below
|
|
command fixes this issue.</p>
|
|
<p>Notes:</p>
|
|
<ul>
|
|
<li>on Linux/OpenBSD, it's <code>/etc/postfix/ldap/catchall_maps.cf</code>.</li>
|
|
<li>on FreeBSD, it's <code>/usr/local/etc/postfix/ldap/catchall_maps.cf</code></li>
|
|
</ul>
|
|
<pre><code># perl -pi -e 's#@%d#%s#g' /etc/postfix/ldap/catchall_maps.cf
|
|
</code></pre>
|
|
|
|
<ul>
|
|
<li>Restart Postfix service is required.</li>
|
|
</ul><div class="footer">
|
|
<p style="text-align: center; color: grey;">All documents are available in <a href="https://github.com/iredmail/docs/">GitHub repository</a>, and published under <a href="http://creativecommons.org/licenses/by-nd/3.0/us/" target="_blank">Creative Commons</a> license. You can <a href="https://github.com/iredmail/docs/archive/master.zip">download the latest version</a> for offline reading. If you found something wrong, please do <a href="https://www.iredmail.org/contact.html">contact us</a> to fix it.</p>
|
|
</div>
|
|
<!-- Global site tag (gtag.js) - Google Analytics -->
|
|
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-3293801-21"></script>
|
|
<script>
|
|
window.dataLayer = window.dataLayer || [];
|
|
function gtag(){dataLayer.push(arguments);}
|
|
gtag('js', new Date());
|
|
|
|
gtag('config', 'UA-3293801-21');
|
|
</script>
|
|
</body></html> |