606 lines
28 KiB
HTML
606 lines
28 KiB
HTML
<!DOCTYPE html>
|
|
<html>
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
<title>Upgrade iRedMail from 0.9.6 to 0.9.7</title>
|
|
<link rel="stylesheet" type="text/css" href="./css/markdown.css" />
|
|
</head>
|
|
<body>
|
|
|
|
<div id="navigation">
|
|
<a href="https://www.iredmail.org" target="_blank">
|
|
<img alt="iRedMail web site"
|
|
src="./images/logo-iredmail.png"
|
|
style="vertical-align: middle; height: 30px;"
|
|
/>
|
|
<span>iRedMail</span>
|
|
</a>
|
|
// <a href="./index.html">Document Index</a></div><h1 id="upgrade-iredmail-from-096-to-097">Upgrade iRedMail from 0.9.6 to 0.9.7</h1>
|
|
<div class="toc">
|
|
<ul>
|
|
<li><a href="#upgrade-iredmail-from-096-to-097">Upgrade iRedMail from 0.9.6 to 0.9.7</a><ul>
|
|
<li><a href="#changelog">ChangeLog</a></li>
|
|
<li><a href="#general-all-backends-should-apply-these-steps">General (All backends should apply these steps)</a><ul>
|
|
<li><a href="#update-etciredmail-release-with-new-iredmail-version-number">Update /etc/iredmail-release with new iRedMail version number</a></li>
|
|
<li><a href="#upgrade-iredapd-postfix-policy-server-to-the-latest-stable-release-21">Upgrade iRedAPD (Postfix policy server) to the latest stable release (2.1)</a></li>
|
|
<li><a href="#upgrade-iredadmin-open-source-edition-to-the-latest-stable-release-08">Upgrade iRedAdmin (open source edition) to the latest stable release (0.8)</a></li>
|
|
<li><a href="#upgrade-roundcube-webmail-to-the-latest-stable-release-130">Upgrade Roundcube webmail to the latest stable release (1.3.0)</a></li>
|
|
<li><a href="#fixed-improper-order-of-postfix-helo-restriction-rules">Fixed: improper order of Postfix HELO restriction rules.</a></li>
|
|
<li><a href="#fixed-incorrect-owner-and-permission-for-rotated-dovecot-log-files">Fixed: incorrect owner and permission for rotated Dovecot log files</a></li>
|
|
<li><a href="#fixed-incorrect-sessionsave_path-in-php-fpm-pool-config-file-on-rhelcentos">Fixed: incorrect session.save_path in php-fpm pool config file on RHEL/CentOS</a></li>
|
|
<li><a href="#fixed-incorrect-freshclam-setting-updatelogfile">Fixed: incorrect freshclam setting UpdateLogFile</a></li>
|
|
<li><a href="#fail2ban-fixes-an-improper-filter-and-add-new-filter-rule">Fail2ban: fixes an improper filter and add new filter rule</a></li>
|
|
<li><a href="#fail2ban-add-new-jail-for-nginx">Fail2ban: Add new jail for Nginx</a></li>
|
|
<li><a href="#new-new-backup-script-for-sogo">NEW: New backup script for SOGo</a></li>
|
|
<li><a href="#openbsd-upgrade-uwsgi-to-the-latest-2015">OpenBSD: Upgrade uwsgi to the latest 2.0.15</a></li>
|
|
</ul>
|
|
</li>
|
|
<li><a href="#openldap-backend-special">OpenLDAP backend special</a><ul>
|
|
<li><a href="#fixed-avoid-possible-backdooring-mysqldump-backups">Fixed: Avoid possible backdooring mysqldump backups</a></li>
|
|
</ul>
|
|
</li>
|
|
<li><a href="#mysqlmariadb-backend-special">MySQL/MariaDB backend special</a><ul>
|
|
<li><a href="#sql-structure-change-in-vmailalias-sql-table">SQL structure change in vmail.alias SQL table</a><ul>
|
|
<li><a href="#create-required-new-sql-tables">Create required new SQL tables</a></li>
|
|
<li><a href="#migrate-mail-accounts">Migrate mail accounts</a></li>
|
|
<li><a href="#update-postfix-config-files">Update Postfix config files</a></li>
|
|
<li><a href="#drop-unused-sql-columns-and-records-in-vmailalias-table">Drop unused SQL columns and records in vmail.alias table</a></li>
|
|
</ul>
|
|
</li>
|
|
<li><a href="#fixed-avoid-possible-backdooring-mysqldump-backups_1">Fixed: Avoid possible backdooring mysqldump backups</a></li>
|
|
</ul>
|
|
</li>
|
|
<li><a href="#postgresql-backend-specific">PostgreSQL backend specific</a><ul>
|
|
<li><a href="#sql-structure-change-in-vmailalias-sql-table_1">SQL structure change in vmail.alias SQL table</a><ul>
|
|
<li><a href="#create-required-new-sql-tables_1">Create required new SQL tables</a></li>
|
|
<li><a href="#migrate-mail-accounts_1">Migrate mail accounts</a></li>
|
|
<li><a href="#update-postfix-config-files_1">Update Postfix config files</a></li>
|
|
<li><a href="#drop-unused-sql-columns-in-vmailalias-table">Drop unused SQL columns in vmail.alias table</a></li>
|
|
</ul>
|
|
</li>
|
|
</ul>
|
|
</li>
|
|
</ul>
|
|
</li>
|
|
</ul>
|
|
</div>
|
|
<div class="admonition note">
|
|
<p class="admonition-title">Paid Remote Upgrade Support</p>
|
|
<p>We offer remote upgrade support if you don't want to get your hands dirty,
|
|
check <a href="https://www.iredmail.org/support.html">the details</a> and
|
|
<a href="https://www.iredmail.org/contact.html">contact us</a>.</p>
|
|
</div>
|
|
<h2 id="changelog">ChangeLog</h2>
|
|
<ul>
|
|
<li>Nov 12, 2017: Add Fail2ban jail <code>nginx-http-auth</code>.</li>
|
|
<li>Jul 3, 2017: Mention how to upgrade uwsgi (OpenBSD only), iRedAdmin and iRedAPD.</li>
|
|
<li>Jul 2, 2017: Mention Roundcube 1.3.0 requires PHP 5.4.</li>
|
|
<li>Jul 1, 2017: Initial publish.</li>
|
|
</ul>
|
|
<h2 id="general-all-backends-should-apply-these-steps">General (All backends should apply these steps)</h2>
|
|
<h3 id="update-etciredmail-release-with-new-iredmail-version-number">Update <code>/etc/iredmail-release</code> with new iRedMail version number</h3>
|
|
<p>iRedMail stores the release version in <code>/etc/iredmail-release</code> after
|
|
installation, it's recommended to update this file after you upgraded iRedMail,
|
|
so that you can know which version of iRedMail you're running. For example:</p>
|
|
<pre><code>0.9.7
|
|
</code></pre>
|
|
|
|
<h3 id="upgrade-iredapd-postfix-policy-server-to-the-latest-stable-release-21">Upgrade iRedAPD (Postfix policy server) to the latest stable release (2.1)</h3>
|
|
<p>Please follow below tutorial to upgrade iRedAPD to the latest stable release:
|
|
<a href="./upgrade.iredapd.html">Upgrade iRedAPD to the latest stable release</a></p>
|
|
<h3 id="upgrade-iredadmin-open-source-edition-to-the-latest-stable-release-08">Upgrade iRedAdmin (open source edition) to the latest stable release (0.8)</h3>
|
|
<p>Please follow this tutorial to upgrade iRedAdmin open source edition to the
|
|
latest stable release:
|
|
<a href="./migrate.or.upgrade.iredadmin.html">Upgrade iRedAdmin to the latest stable release</a></p>
|
|
<h3 id="upgrade-roundcube-webmail-to-the-latest-stable-release-130">Upgrade Roundcube webmail to the latest stable release (1.3.0)</h3>
|
|
<div class="admonition warning">
|
|
<p class="admonition-title">Roundcube 1.3</p>
|
|
<ul>
|
|
<li>Roundcube 1.3 requires at least <strong>PHP 5.4</strong>. If your server is still running
|
|
PHP 5.3 and cannot upgrade to 5.4, please upgrade Roundcube to the latest
|
|
1.2 branch (1.2.5) instead.</li>
|
|
<li>Roundcube 1.3 no longer supports IE < 10 and old versions of Firefox,
|
|
Chrome and Safari.</li>
|
|
<li>Roundcube 1.3 uses jQuery 3.2 and will not work with current jQuery
|
|
mobile plugin. If you use any third-party plugin, please check its
|
|
website to make sure it's compatible with Roundcube 1.3 before upgrading.</li>
|
|
</ul>
|
|
<p>With the release of Roundcube 1.3.0, the previous stable release branches
|
|
1.2.x and 1.1.x will switch in to LTS low maintenance mode which means
|
|
they will only receive important security updates but no longer any regular
|
|
improvement updates.</p>
|
|
</div>
|
|
<blockquote>
|
|
<p>There're several security fixes in Roundcube 1.2.4 and 1.2.5, all users are
|
|
encouraged to upgrade it as soon as possible. For more details about this
|
|
release, please check Roundcube release notes:</p>
|
|
<ul>
|
|
<li><a href="https://github.com/roundcube/roundcubemail/releases/tag/1.2.4">1.2.4</a></li>
|
|
<li><a href="https://github.com/roundcube/roundcubemail/releases/tag/1.2.5">1.2.5</a></li>
|
|
</ul>
|
|
</blockquote>
|
|
<p>Please follow Roundcube official tutorial to upgrade Roundcube webmail to the
|
|
latest stable release immediately:</p>
|
|
<ul>
|
|
<li><a href="https://github.com/roundcube/roundcubemail/wiki/Upgrade">How to upgrade Roundcube</a>.</li>
|
|
</ul>
|
|
<h3 id="fixed-improper-order-of-postfix-helo-restriction-rules">Fixed: improper order of Postfix HELO restriction rules.</h3>
|
|
<p>iRedMail-0.9.6 and earlier releases didn't configure Postfix to apply custom
|
|
HELO restriction rule before FQDN helo hostname check and DNS verification,
|
|
this way you cannot whitelist some bad HELO hostnames. Please follow steps
|
|
below to fix it.</p>
|
|
<ul>
|
|
<li>Open file <code>/etc/postfix/main.cf</code> (Linux/OpenBSD) or
|
|
<code>/usr/local/etc/postfix/main.cf</code> (FreeBSD), find parameter
|
|
<code>smtpd_helo_restrictions</code> like below:</li>
|
|
</ul>
|
|
<pre><code>smtpd_helo_restrictions =
|
|
permit_mynetworks
|
|
permit_sasl_authenticated
|
|
reject_non_fqdn_helo_hostname
|
|
reject_unknown_helo_hostname
|
|
check_helo_access pcre:/etc/postfix/helo_access.pcre
|
|
</code></pre>
|
|
|
|
<ul>
|
|
<li>Move the <code>check_helo_access</code> line after <code>permit_sasl_authenticated</code>:</li>
|
|
</ul>
|
|
<pre><code>smtpd_helo_restrictions =
|
|
permit_mynetworks
|
|
permit_sasl_authenticated
|
|
check_helo_access pcre:/etc/postfix/helo_access.pcre
|
|
reject_non_fqdn_helo_hostname
|
|
reject_unknown_helo_hostname
|
|
</code></pre>
|
|
|
|
<ul>
|
|
<li>Reloading or restarting Postfix service is required.</li>
|
|
</ul>
|
|
<h3 id="fixed-incorrect-owner-and-permission-for-rotated-dovecot-log-files">Fixed: incorrect owner and permission for rotated Dovecot log files</h3>
|
|
<div class="admonition attention">
|
|
<p class="admonition-title">Attention</p>
|
|
<p>This is applicable to Linux, not FreeBSD and OpenBSD.</p>
|
|
</div>
|
|
<p>iRedMail-0.9.6 and earlier releases have an incorrect logrotate setting for
|
|
Dovecot log file, it causes all Dovecot log files are empty due to no required
|
|
permission to open log files. Please follow steps below to fix it.</p>
|
|
<p>Please open file <code>/etc/logrotate.d/dovecot</code>, find line below:</p>
|
|
<pre><code> create 0600 vmail vmail
|
|
</code></pre>
|
|
|
|
<p>Remove above line and save the change.</p>
|
|
<h3 id="fixed-incorrect-sessionsave_path-in-php-fpm-pool-config-file-on-rhelcentos">Fixed: incorrect session.save_path in php-fpm pool config file on RHEL/CentOS</h3>
|
|
<div class="admonition attention">
|
|
<p class="admonition-title">Attention</p>
|
|
<p>This is applicable to RHEL/CentOS system, and Nginx web server.</p>
|
|
</div>
|
|
<p>iRedMail-0.9.6 doesn't set path for <code>session.save_path</code> parameter in php-fpm
|
|
pool config file <code>/etc/php-fpm.d/www.conf</code>, please fix it with steps below:</p>
|
|
<ul>
|
|
<li>Open file <code>/etc/php-fpm.d/www.conf</code>, find line:</li>
|
|
</ul>
|
|
<pre><code>php_value[session.save_path] = "/var/lib/php/session"
|
|
</code></pre>
|
|
|
|
<ul>
|
|
<li>The directory name should be <code>sessions</code> (ends with <code>s</code>), not <code>session</code>. So
|
|
please change it to:</li>
|
|
</ul>
|
|
<pre><code>php_value[session.save_path] = "/var/lib/php/sessions"
|
|
</code></pre>
|
|
|
|
<ul>
|
|
<li>Restarting php-fpm service is required:</li>
|
|
</ul>
|
|
<pre><code>service php-fpm restart
|
|
</code></pre>
|
|
|
|
<h3 id="fixed-incorrect-freshclam-setting-updatelogfile">Fixed: incorrect freshclam setting <code>UpdateLogFile</code></h3>
|
|
<div class="admonition attention">
|
|
<p class="admonition-title">Attention</p>
|
|
<p>This is applicable to RHEL/CentOS system.</p>
|
|
</div>
|
|
<p>With iRedMail-0.9.6, freshclam program cannot update ClamAV signatures due to
|
|
improper log file permission, please open its config file <code>/etc/freshclam.conf</code>
|
|
or <code>/etc/clamav/freshclam.conf</code>, comment out setting <code>UpdateLogFile</code> to use
|
|
syslog for logging.</p>
|
|
<pre><code>#UpdateLogFile ... # <- Comment out this parameter
|
|
LogSyslog true # <- Make sure you have this line. If not present, please add it manually.
|
|
</code></pre>
|
|
|
|
<h3 id="fail2ban-fixes-an-improper-filter-and-add-new-filter-rule">Fail2ban: fixes an improper filter and add new filter rule</h3>
|
|
<p>iRedMail-0.9.7 fixes an improper filter for Dovecot log file which may cause
|
|
incorrect ban, and adds a new filter for Roundcube log file to help ban bad
|
|
client while Roundcube is running behind a proxy server.</p>
|
|
<ul>
|
|
<li>On Linux:</li>
|
|
</ul>
|
|
<pre><code>cd /etc/fail2ban/filter.d/
|
|
rm -f dovecot.iredmail.conf roundcube.iredmail.conf
|
|
wget https://github.com/iredmail/iRedMail/raw/1.0/samples/fail2ban/filter.d/dovecot.iredmail.conf
|
|
wget https://github.com/iredmail/iRedMail/raw/1.0/samples/fail2ban/filter.d/roundcube.iredmail.conf
|
|
</code></pre>
|
|
|
|
<p>Restarting Fail2ban service is required.</p>
|
|
<h3 id="fail2ban-add-new-jail-for-nginx">Fail2ban: Add new jail for Nginx</h3>
|
|
<div class="admonition attention">
|
|
<p class="admonition-title">Attention</p>
|
|
<p>This is applicable if you run Nginx as web server.</p>
|
|
</div>
|
|
<p>Let's add a new jail to stop bad clients which tried to perform http basic auth
|
|
but failed.</p>
|
|
<p>Create file <code>/etc/fail2ban/jail.d/nginx-http-auth.local</code> with content below:</p>
|
|
<div class="admonition attention">
|
|
<p class="admonition-title">Attention</p>
|
|
<p>If directory <code>/etc/fail2ban/jail.d/</code> doesn't exist, you can append content
|
|
below in file <code>/etc/fail2ban/jail.local</code> instead.</p>
|
|
</div>
|
|
<pre><code>[nginx-http-auth]
|
|
enabled = true
|
|
filter = nginx-http-auth
|
|
action = iptables-multiport[name=nginx, port="80,443", protocol=tcp]
|
|
logpath = /var/log/nginx/error.log
|
|
</code></pre>
|
|
|
|
<p>Restarting Fail2ban service is required.</p>
|
|
<h3 id="new-new-backup-script-for-sogo">NEW: New backup script for SOGo</h3>
|
|
<div class="admonition attention">
|
|
<p class="admonition-title">Attention</p>
|
|
<p>This is not applicable to SOGo-2.x because it doesn't support backing up
|
|
all users' data with command <code>sogo-tool backup /path/to/backup/dir ALL</code>.</p>
|
|
</div>
|
|
<p>iRedMail has script <code>/var/vmail/backup/backup_mysql.sh</code> (or <code>backup_pgsql.sh</code>)
|
|
to backup SOGo database by dumping whole database to a plain SQL file as
|
|
backup. It's not ideal because:</p>
|
|
<ul>
|
|
<li>it's hard to restore single user's data with a plain SQL file.</li>
|
|
<li>if SOGo changes some SQL structure, it's hard to restore all data.</li>
|
|
</ul>
|
|
<p>This new script does backup with <code>sogo-tool backup</code> command to avoid issues
|
|
mentioned above, you can restore a single user's data or all users data with
|
|
<code>sogo-tool restore</code>.</p>
|
|
<p>Please follow steps below to setup this daily cron job.</p>
|
|
<ul>
|
|
<li>Download backup script. We store it under <code>/var/vmail/backup</code>, if you prefer
|
|
a different directory, feel free to change the directory name used in commands
|
|
below:</li>
|
|
</ul>
|
|
<pre><code>cd /var/vmail/backup/
|
|
wget https://github.com/iredmail/iRedMail/raw/1.0/tools/backup_sogo.sh
|
|
chmod 0400 backup_sogo.sh
|
|
</code></pre>
|
|
|
|
<ul>
|
|
<li>This script will create new directory under <code>/var/vmail/backup</code> like below
|
|
to store backup files:</li>
|
|
</ul>
|
|
<pre><code>/var/vmail/backup
|
|
|- sogo/
|
|
|- 2017/ # <- year
|
|
|- 03/ # <- month
|
|
|- 22.tar.bz2 # <- day (file name is: <day>.tar.bz2)
|
|
</code></pre>
|
|
|
|
<p>If you want to use another directory to store backup files, please open file
|
|
<code>backup_sogo.sh</code>, update variable <code>BACKUP_ROOTDIR</code> with the new directory.</p>
|
|
<ul>
|
|
<li>Run command <code>crontab -e -u root</code> to setup root user's cron job. Add content
|
|
below as new job:</li>
|
|
</ul>
|
|
<pre><code># SOGo: backup all users' data at 3:05AM everyday.
|
|
5 3 * * * bash /var/vmail/backup/backup_sogo.sh
|
|
</code></pre>
|
|
|
|
<h3 id="openbsd-upgrade-uwsgi-to-the-latest-2015">OpenBSD: Upgrade uwsgi to the latest 2.0.15</h3>
|
|
<p>uwsgi is the interface between Nginx and iRedAdmin, so if you're running
|
|
iRedAdmin, it's recommended to upgrade uwsgi to the latest version, 2.0.15.</p>
|
|
<p>Steps: Download the latest uwsgi, compile it, then restart uwsgi service.</p>
|
|
<pre><code>cd /root/
|
|
ftp https://projects.unbit.it/downloads/uwsgi-2.0.15.tar.gz
|
|
tar zxf uwsgi-2.0.15.tar.gz
|
|
cd uwsgi-2.0.15
|
|
python setup.py install
|
|
</code></pre>
|
|
|
|
<p>uwsgi should be succesfully installed, then restart uwsgi service:</p>
|
|
<pre><code>rcctl restart uwsgi
|
|
</code></pre>
|
|
|
|
<h2 id="openldap-backend-special">OpenLDAP backend special</h2>
|
|
<h3 id="fixed-avoid-possible-backdooring-mysqldump-backups">Fixed: Avoid possible backdooring mysqldump backups</h3>
|
|
<p>For more details about this backdooring mysqldump backup issue, please read
|
|
blog post:</p>
|
|
<ul>
|
|
<li><a href="https://blog.tarq.io/cve-2016-5483-backdooring-mysqldump-backups/">[CVE-2016-5483] Backdooring mysqldump backups</a>.</li>
|
|
</ul>
|
|
<p>Steps to fix it:</p>
|
|
<ul>
|
|
<li>
|
|
<p>Open the daily MySQL backup script, it's <code>/var/vmail/backup/backup_mysql.sh</code>
|
|
by default. if you use different storage directory during iRedMail
|
|
installation, you can find the base directory with command <code>postconf virtual_mailbox_base</code>.</p>
|
|
</li>
|
|
<li>
|
|
<p>Find variable name <code>CMD_MYSQLDUMP</code> like below:</p>
|
|
</li>
|
|
</ul>
|
|
<pre><code>export CMD_MYSQLDUMP="mysqldump ..."
|
|
</code></pre>
|
|
|
|
<ul>
|
|
<li>Make sure it has argument <code>--skip-comments</code> like below:</li>
|
|
</ul>
|
|
<pre><code>export CMD_MYSQLDUMP="mysqldump ... --skip-comments"
|
|
</code></pre>
|
|
|
|
<ul>
|
|
<li>Save your change. That's it.</li>
|
|
</ul>
|
|
<h2 id="mysqlmariadb-backend-special">MySQL/MariaDB backend special</h2>
|
|
<h3 id="sql-structure-change-in-vmailalias-sql-table">SQL structure change in <code>vmail.alias</code> SQL table</h3>
|
|
<p>We've made some changes to <code>vmail.alias</code> SQL table for easier account
|
|
management. This change introduces 2 new SQL tables (<code>forwardings</code>, <code>alias_moderators</code>),
|
|
and (optionally) dropped few columns in <code>vmail.alias</code> table.</p>
|
|
<p>iRedAPD and iRedAdmin (and iRedAdmin-Pro) have been upgraded to use this new
|
|
SQL structure.</p>
|
|
<div class="admonition warning">
|
|
<p class="admonition-title">Warning</p>
|
|
<p>Please backup SQL database <code>vmail</code> before you run any SQL commands below.</p>
|
|
</div>
|
|
<h4 id="create-required-new-sql-tables">Create required new SQL tables</h4>
|
|
<p>Please connect to MySQL server as MySQL root user, and execute SQL commands
|
|
below to create required new tables:</p>
|
|
<pre><code>USE vmail;
|
|
|
|
CREATE TABLE IF NOT EXISTS alias_moderators (
|
|
id BIGINT(20) UNSIGNED AUTO_INCREMENT,
|
|
address VARCHAR(255) NOT NULL DEFAULT '',
|
|
moderator VARCHAR(255) NOT NULL DEFAULT '',
|
|
domain VARCHAR(255) NOT NULL DEFAULT '',
|
|
dest_domain VARCHAR(255) NOT NULL DEFAULT '',
|
|
PRIMARY KEY (id),
|
|
UNIQUE INDEX (address, moderator),
|
|
INDEX (domain),
|
|
INDEX (dest_domain)
|
|
) ENGINE=InnoDB;
|
|
|
|
-- Forwardings. it contains
|
|
-- - members of mail alias account
|
|
-- - per-account alias addresses
|
|
-- - per-user mail forwarding addresses
|
|
CREATE TABLE IF NOT EXISTS forwardings (
|
|
id BIGINT(20) UNSIGNED AUTO_INCREMENT,
|
|
address VARCHAR(255) NOT NULL DEFAULT '',
|
|
forwarding VARCHAR(255) NOT NULL DEFAULT '',
|
|
domain VARCHAR(255) NOT NULL DEFAULT '',
|
|
dest_domain VARCHAR(255) NOT NULL DEFAULT '',
|
|
-- defines whether it's a standalone mail alias account. 0=no, 1=yes.
|
|
is_list TINYINT(1) NOT NULL DEFAULT 0,
|
|
-- defines whether it's a mail forwarding address of mail user. 0=no, 1=yes.
|
|
is_forwarding TINYINT(1) NOT NULL DEFAULT 0,
|
|
-- defines whether it's a per-account alias address. 0=no, 1=yes.
|
|
is_alias TINYINT(1) NOT NULL DEFAULT 0,
|
|
active TINYINT(1) NOT NULL DEFAULT 1,
|
|
PRIMARY KEY (id),
|
|
UNIQUE INDEX (address, forwarding),
|
|
INDEX (domain),
|
|
INDEX (dest_domain),
|
|
INDEX (is_list),
|
|
INDEX (is_alias)
|
|
) ENGINE=InnoDB;
|
|
</code></pre>
|
|
|
|
<h4 id="migrate-mail-accounts">Migrate mail accounts</h4>
|
|
<p>Please download script used to migrate mail accounts, and run it directly:</p>
|
|
<pre><code>cd /root/
|
|
wget https://github.com/iredmail/iRedMail/raw/1.0/tools/migrate_sql_alias_table.py
|
|
python migrate_sql_alias_table.py
|
|
</code></pre>
|
|
|
|
<p>Note: It will try to read iRedAdmin config file from one of paths below, and
|
|
connects to SQL server as user <code>vmailadmin</code>:</p>
|
|
<ul>
|
|
<li>/opt/www/iredadmin/settings.py (Debian/Ubuntu)</li>
|
|
<li>/var/www/iredadmin/settings.py (CentOS/OpenBSD)</li>
|
|
<li>/usr/share/apache2/iredadmin/settings.py (Debian/Ubuntu with old iRedMail releases)</li>
|
|
<li>/usr/local/www/iredadmin/settings.py (FreeBSD)</li>
|
|
</ul>
|
|
<h4 id="update-postfix-config-files">Update Postfix config files</h4>
|
|
<p>Please run shell commands below to tell Postfix to use new SQL tables.</p>
|
|
<p>Notes: on FreeBSD, the path is <code>/usr/local/etc/postfix/mysql</code>.</p>
|
|
<pre><code>cd /etc/postfix/mysql/
|
|
perl -pi -e 's#alias\.address#forwardings.address#g' *.cf
|
|
perl -pi -e 's#alias\.goto#forwardings.forwarding#g' *.cf
|
|
perl -pi -e 's#alias\.active#forwardings.active#g' *.cf
|
|
perl -pi -e 's#alias\.domain#forwardings.domain#g' *.cf
|
|
perl -pi -e 's#alias,#forwardings,#g' *.cf
|
|
</code></pre>
|
|
|
|
<p>Restarting Postfix service is required.</p>
|
|
<h4 id="drop-unused-sql-columns-and-records-in-vmailalias-table">Drop unused SQL columns and records in <code>vmail.alias</code> table</h4>
|
|
<div class="admonition warning">
|
|
<p class="admonition-title">Warning</p>
|
|
<ul>
|
|
<li>Make sure you have a backup of SQL database <code>vmail</code>.</li>
|
|
<li>Please also upgrade iRedAPD and iRedAdmin-Pro, they need the new SQL
|
|
structure too.</li>
|
|
</ul>
|
|
</div>
|
|
<p>After migration, <code>vmail.alias</code> table contains few sql columns we will never
|
|
use, also old records (accounts) will cause ghost accounts if we don't remove
|
|
them.</p>
|
|
<p>Please connect to MySQL server as MySQL root user, then execute SQL commands
|
|
below:</p>
|
|
<pre><code>USE vmail;
|
|
|
|
-- Remove non-mail-alias account
|
|
DELETE FROM alias WHERE islist <> 1;
|
|
|
|
-- Remove per-domain catch-all account
|
|
DELETE FROM alias WHERE address=domain;
|
|
|
|
-- Drop unused columns
|
|
ALTER TABLE alias DROP COLUMN goto;
|
|
ALTER TABLE alias DROP COLUMN moderators;
|
|
ALTER TABLE alias DROP COLUMN islist;
|
|
ALTER TABLE alias DROP COLUMN is_alias;
|
|
ALTER TABLE alias DROP COLUMN alias_to;
|
|
</code></pre>
|
|
|
|
<h3 id="fixed-avoid-possible-backdooring-mysqldump-backups_1">Fixed: Avoid possible backdooring mysqldump backups</h3>
|
|
<p>For more details about this backdooring mysqldump backup issue, please read
|
|
blog post:</p>
|
|
<ul>
|
|
<li><a href="https://blog.tarq.io/cve-2016-5483-backdooring-mysqldump-backups/">[CVE-2016-5483] Backdooring mysqldump backups</a>.</li>
|
|
</ul>
|
|
<p>Steps to fix it:</p>
|
|
<ul>
|
|
<li>
|
|
<p>Open the daily MySQL backup script, it's <code>/var/vmail/backup/backup_mysql.sh</code>
|
|
by default. if you use different storage directory during iRedMail
|
|
installation, you can find the base directory with command <code>postconf virtual_mailbox_base</code>.</p>
|
|
</li>
|
|
<li>
|
|
<p>Find variable name <code>CMD_MYSQLDUMP</code> like below:</p>
|
|
</li>
|
|
</ul>
|
|
<pre><code>export CMD_MYSQLDUMP="mysqldump ..."
|
|
</code></pre>
|
|
|
|
<ul>
|
|
<li>Make sure it has argument <code>--skip-comments</code> like below:</li>
|
|
</ul>
|
|
<pre><code>export CMD_MYSQLDUMP="mysqldump ... --skip-comments"
|
|
</code></pre>
|
|
|
|
<ul>
|
|
<li>Save your change. That's it.</li>
|
|
</ul>
|
|
<h2 id="postgresql-backend-specific">PostgreSQL backend specific</h2>
|
|
<h3 id="sql-structure-change-in-vmailalias-sql-table_1">SQL structure change in <code>vmail.alias</code> SQL table</h3>
|
|
<p>We've made some changes to <code>vmail.alias</code> SQL table for easier account
|
|
management, this change introduces 2 new SQL tables (<code>forwardings</code>, <code>alias_moderators</code>),
|
|
and (optionally) dropped few columns in <code>vmail.alias</code> table.</p>
|
|
<p>iRedAPD and iRedAdmin (and iRedAdmin-Pro) have been upgraded to use this new
|
|
SQL structure.</p>
|
|
<div class="admonition warning">
|
|
<p class="admonition-title">Warning</p>
|
|
<p>Please backup SQL database <code>vmail</code> before you run any SQL commands below.</p>
|
|
</div>
|
|
<h4 id="create-required-new-sql-tables_1">Create required new SQL tables</h4>
|
|
<p>Please run shell commands below to connect to PostgreSQL server as
|
|
<code>vmailadmin</code> user first:</p>
|
|
<pre><code>su - postgres
|
|
psql -U vmailadmin -d vmail
|
|
</code></pre>
|
|
|
|
<p>Then execute SQL commands below to create required new tables:</p>
|
|
<pre><code>CREATE TABLE alias_moderators (
|
|
id SERIAL PRIMARY KEY,
|
|
address VARCHAR(255) NOT NULL DEFAULT '',
|
|
moderator VARCHAR(255) NOT NULL DEFAULT '',
|
|
domain VARCHAR(255) NOT NULL DEFAULT '',
|
|
dest_domain VARCHAR(255) NOT NULL DEFAULT ''
|
|
);
|
|
|
|
CREATE INDEX idx_alias_moderators_address ON alias_moderators (address);
|
|
CREATE INDEX idx_alias_moderators_moderator ON alias_moderators (moderator);
|
|
CREATE UNIQUE INDEX idx_alias_moderators_address_moderator ON alias_moderators (address, moderator);
|
|
CREATE INDEX idx_alias_moderators_domain ON alias_moderators (domain);
|
|
CREATE INDEX idx_alias_moderators_dest_domain ON alias_moderators (dest_domain);
|
|
|
|
CREATE TABLE forwardings (
|
|
id SERIAL PRIMARY KEY,
|
|
address VARCHAR(255) NOT NULL DEFAULT '',
|
|
forwarding VARCHAR(255) NOT NULL DEFAULT '',
|
|
domain VARCHAR(255) NOT NULL DEFAULT '',
|
|
dest_domain VARCHAR(255) NOT NULL DEFAULT '',
|
|
-- defines whether it's a standalone mail alias account. 0=no, 1=yes.
|
|
is_list INT2 NOT NULL DEFAULT 0,
|
|
-- defines whether it's a mail forwarding address of mail user. 0=no, 1=yes.
|
|
is_forwarding INT2 NOT NULL DEFAULT 0,
|
|
-- defines whether it's a per-account alias address. 0=no, 1=yes.
|
|
is_alias INT2 NOT NULL DEFAULT 0,
|
|
active INT2 NOT NULL DEFAULT 1
|
|
);
|
|
CREATE INDEX idx_forwardings_address ON forwardings (address);
|
|
CREATE INDEX idx_forwardings_forwarding ON forwardings (forwarding);
|
|
CREATE UNIQUE INDEX idx_forwardings_address_forwarding ON forwardings (address, forwarding);
|
|
CREATE INDEX idx_forwardings_domain ON forwardings (domain);
|
|
CREATE INDEX idx_forwardings_dest_domain ON forwardings (dest_domain);
|
|
CREATE INDEX idx_forwardings_is_list ON forwardings (is_list);
|
|
CREATE INDEX idx_forwardings_is_forwarding ON forwardings (is_forwarding);
|
|
CREATE INDEX idx_forwardings_is_alias ON forwardings (is_alias);
|
|
|
|
-- Grant required privilege to vmail user
|
|
GRANT SELECT ON TABLE forwardings to vmail;
|
|
GRANT SELECT ON TABLE alias_moderators to vmail;
|
|
</code></pre>
|
|
|
|
<h4 id="migrate-mail-accounts_1">Migrate mail accounts</h4>
|
|
<p>Please download script used to migrate mail accounts, and run it directly:</p>
|
|
<pre><code>cd /root/
|
|
wget https://github.com/iredmail/iRedMail/raw/1.0/tools/migrate_sql_alias_table.py
|
|
python migrate_sql_alias_table.py
|
|
</code></pre>
|
|
|
|
<p>Note: It will try to read iRedAdmin config file from one of paths below, and
|
|
connects to SQL server as user <code>vmailadmin</code>:</p>
|
|
<ul>
|
|
<li>/opt/www/iredadmin/settings.py (Debian/Ubuntu)</li>
|
|
<li>/var/www/iredadmin/settings.py (CentOS/OpenBSD)</li>
|
|
<li>/usr/share/apache2/iredadmin/settings.py (Debian/Ubuntu with old iRedMail releases)</li>
|
|
<li>/usr/local/www/iredadmin/settings.py (FreeBSD)</li>
|
|
</ul>
|
|
<h4 id="update-postfix-config-files_1">Update Postfix config files</h4>
|
|
<p>Please run shell commands below to tell Postfix to use new SQL tables.</p>
|
|
<p>Notes: on FreeBSD, the path is <code>/usr/local/etc/postfix/pgsql</code>.</p>
|
|
<pre><code>cd /etc/postfix/pgsql/
|
|
perl -pi -e 's#alias\.address#forwardings.address#g' *.cf
|
|
perl -pi -e 's#alias\.goto#forwardings.forwarding#g' *.cf
|
|
perl -pi -e 's#alias\.active#forwardings.active#g' *.cf
|
|
perl -pi -e 's#alias\.domain#forwardings.domain#g' *.cf
|
|
perl -pi -e 's#alias,#forwardings,#g' *.cf
|
|
</code></pre>
|
|
|
|
<p>Restarting Postfix service is required.</p>
|
|
<h4 id="drop-unused-sql-columns-in-vmailalias-table">Drop unused SQL columns in <code>vmail.alias</code> table</h4>
|
|
<div class="admonition warning">
|
|
<p class="admonition-title">Warning</p>
|
|
<ul>
|
|
<li>Make sure you have a backup of SQL database <code>vmail</code>.</li>
|
|
<li>Please also upgrade iRedAPD and iRedAdmin-Pro, they need the new SQL
|
|
structure too.</li>
|
|
</ul>
|
|
</div>
|
|
<p>After migration, few columns in <code>vmail.alias</code> table are not used anymore, it's
|
|
ok to drop them. But it's strongly recommended to keep them for few more days
|
|
until you can confirm all features are working as expected.</p>
|
|
<pre><code>su - postgres
|
|
psql -d vmail
|
|
|
|
-- Remove non-mail-alias account
|
|
DELETE FROM alias WHERE islist <> 1;
|
|
|
|
-- per-domain catch-all account
|
|
DELETE FROM alias WHERE address=domain;
|
|
|
|
-- Drop unused columns
|
|
ALTER TABLE alias DROP COLUMN goto;
|
|
ALTER TABLE alias DROP COLUMN moderators;
|
|
ALTER TABLE alias DROP COLUMN islist;
|
|
ALTER TABLE alias DROP COLUMN is_alias;
|
|
ALTER TABLE alias DROP COLUMN alias_to;
|
|
</code></pre><div class="footer">
|
|
<p style="text-align: center; color: grey;">All documents are available in <a href="https://github.com/iredmail/docs/">GitHub repository</a>, and published under <a href="http://creativecommons.org/licenses/by-nd/3.0/us/" target="_blank">Creative Commons</a> license. You can <a href="https://github.com/iredmail/docs/archive/master.zip">download the latest version</a> for offline reading. If you found something wrong, please do <a href="https://www.iredmail.org/contact.html">contact us</a> to fix it.</p>
|
|
</div>
|
|
<!-- Global site tag (gtag.js) - Google Analytics -->
|
|
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-3293801-21"></script>
|
|
<script>
|
|
window.dataLayer = window.dataLayer || [];
|
|
function gtag(){dataLayer.push(arguments);}
|
|
gtag('js', new Date());
|
|
|
|
gtag('config', 'UA-3293801-21');
|
|
</script>
|
|
</body></html> |