216 lines
12 KiB
HTML
216 lines
12 KiB
HTML
<html>
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
<title>Upgrade iRedMail from 0.9.0 to 0.9.1</title>
|
|
<link href="./css/markdown.css" rel="stylesheet"></head>
|
|
</head>
|
|
<body>
|
|
|
|
<div id="navigation">
|
|
<a href="http://www.iredmail.org" target="_blank">iRedMail web site</a>
|
|
|
|
// <a href="./index.html">Document Index</a>
|
|
</div><h1 id="upgrade-iredmail-from-090-to-091">Upgrade iRedMail from 0.9.0 to 0.9.1</h1>
|
|
<div class="toc">
|
|
<ul>
|
|
<li><a href="#upgrade-iredmail-from-090-to-091">Upgrade iRedMail from 0.9.0 to 0.9.1</a><ul>
|
|
<li><a href="#changelog">ChangeLog</a></li>
|
|
<li><a href="#general-all-backends-should-apply-these-steps">General (All backends should apply these steps)</a><ul>
|
|
<li><a href="#optional-add-one-more-fail2ban-filter-to-help-catch-spam">[OPTIONAL] Add one more Fail2ban filter to help catch spam</a></li>
|
|
<li><a href="#optional-fixed-return-receipt-response-rejected-by-iredapd-plugin-reject_null_sender">[OPTIONAL] Fixed: return receipt response rejected by iRedAPD plugin reject_null_sender</a></li>
|
|
<li><a href="#fixed-cannot-run-php-script-under-web-document-root-with-nginx">Fixed: Cannot run PHP script under web document root with Nginx.</a></li>
|
|
<li><a href="#fixed-incorrect-path-of-command-sogo-tool-on-openbsd">Fixed: Incorrect path of command sogo-tool on OpenBSD</a></li>
|
|
</ul>
|
|
</li>
|
|
<li><a href="#openldap-backend-special">OpenLDAP backend special</a><ul>
|
|
<li><a href="#fixed-not-backup-sogo-database">Fixed: not backup SOGo database</a></li>
|
|
</ul>
|
|
</li>
|
|
<li><a href="#mysqlmariadb-backend-special">MySQL/MariaDB backend special</a><ul>
|
|
<li><a href="#fixed-not-apply-service-restriction-in-dovecot-sql-query-file-while-acting-as-sasl-server">Fixed: Not apply service restriction in Dovecot SQL query file while acting as SASL server</a></li>
|
|
<li><a href="#fixed-not-backup-sogo-database_1">Fixed: not backup SOGo database</a></li>
|
|
</ul>
|
|
</li>
|
|
<li><a href="#postgresql-backend-special">PostgreSQL backend special</a><ul>
|
|
<li><a href="#fixed-not-apply-service-restriction-in-dovecot-sql-query-file-while-acting-as-sasl-server_1">Fixed: Not apply service restriction in Dovecot SQL query file while acting as SASL server</a></li>
|
|
<li><a href="#fixed-not-backup-sogo-database_2">Fixed: not backup SOGo database</a></li>
|
|
</ul>
|
|
</li>
|
|
</ul>
|
|
</li>
|
|
</ul>
|
|
</div>
|
|
<p><strong>WARNING: Still working in progress, do <em>NOT</em> apply it.</strong></p>
|
|
<h2 id="changelog">ChangeLog</h2>
|
|
<ul>
|
|
<li>2015-02-11: [All backends] Fixed: Cannot run PHP script under web document root with Nginx.</li>
|
|
<li>2015-02-09: [All backends] [<strong>OPTIONAL</strong>] Add one more Fail2ban filter to help catch spam.</li>
|
|
<li>2015-02-04: [All backends] [<strong>OPTIONAL</strong>] Fixed: return receipt response rejected
|
|
by iRedAPD plugin <code>reject_null_sender</code>.</li>
|
|
<li>2015-02-02: [All backends] Fixed: Not backup SOGo database. Note: this step
|
|
is not applicable if you don't use SOGo groupware.</li>
|
|
<li>2015-01-13: [All backends] Fixed: Incorrect path of command <code>sogo-tool</code> on OpenBSD.</li>
|
|
<li>2015-01-12: [SQL backends] Fixed: Not apply service restriction in Dovecot
|
|
SQL query file while acting as SASL server.</li>
|
|
</ul>
|
|
<h2 id="general-all-backends-should-apply-these-steps">General (All backends should apply these steps)</h2>
|
|
<h3 id="optional-add-one-more-fail2ban-filter-to-help-catch-spam">[OPTIONAL] Add one more Fail2ban filter to help catch spam</h3>
|
|
<p>We have a new Fail2ban filter to help catch spam, it will scan HELO rejections
|
|
in Postfix log file and invoke iptables to ban client IP address.</p>
|
|
<p>Open file <code>/etc/fail2ban/filters.d/postfix.iredmail.conf</code> or
|
|
<code>/usr/local/etc/fail2ban/filters.d/postfix.iredmail.conf</code> (on FreeBSD), append
|
|
below line under <code>[Definition]</code> section:</p>
|
|
<pre><code> reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
|
|
</code></pre>
|
|
|
|
<p>After modification, the whole content is:</p>
|
|
<pre><code>[Definition]
|
|
failregex = \[<HOST>\]: SASL (PLAIN|LOGIN) authentication failed
|
|
lost connection after AUTH from (.*)\[<HOST>\]
|
|
reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
|
|
reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
|
|
reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
|
|
reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
|
|
ignoreregex =
|
|
</code></pre>
|
|
|
|
<h3 id="optional-fixed-return-receipt-response-rejected-by-iredapd-plugin-reject_null_sender">[OPTIONAL] Fixed: return receipt response rejected by iRedAPD plugin <code>reject_null_sender</code></h3>
|
|
<p>Note: this is applicable if you want to keep iRedAPD plugin <code>reject_null_sender</code>
|
|
but still able to send return receipt with Roundcube webmail.</p>
|
|
<p>According to RFC2298, return receipt envelope sender address must be empty. If
|
|
you have iRedAPD plugin <code>reject_null_sender</code> enabled, it will reject return
|
|
receipt response. To particularly solve this issue, you can set below setting
|
|
in Roundcube config file <code>config/config.inc.php</code>:</p>
|
|
<ul>
|
|
<li>on RHEL/CentOS/OpenBSD, it's <code>/var/www/roundcubemail/config/config.inc.php</code>.</li>
|
|
<li>on Debian/Ubuntu, it's <code>/usr/share/apache2/roundcubemail/config/config.inc.php</code>.</li>
|
|
<li>on FreeBSD, it's <code>/usr/local/www/roundcube/config/config.inc.php</code>.</li>
|
|
</ul>
|
|
<pre><code>$config['mdn_use_from'] = true;
|
|
</code></pre>
|
|
|
|
<p>Note: if other mail client applications don't set smtp authentication user as
|
|
envelope sender of return receipt, same issue will occurs. You must disable
|
|
iRedAPD plugin <code>reject_null_sender</code> in <code>/opt/iredapd/settings.py</code> to make all
|
|
mail clients work.</p>
|
|
<p>iRedAPD plugin <code>reject_null_sender</code> rejects message submitted by sasl
|
|
authenticated user but with null sender in <code>From:</code> header (<code>from=<></code> in Postfix
|
|
log). If your user's password was cracked by spammer, spammer can use this
|
|
account to bypass smtp authentication, but with a null sender in <code>From:</code>
|
|
header, throttling won't be triggered.</p>
|
|
<h3 id="fixed-cannot-run-php-script-under-web-document-root-with-nginx">Fixed: Cannot run PHP script under web document root with Nginx.</h3>
|
|
<p>With previous release of iRedMail, Nginx won't run PHP scripts under
|
|
sub-directories of web document root, this step will fix it.</p>
|
|
<ul>
|
|
<li>Open Nginx config file <code>/etc/nginx/conf.d/default.conf</code> (on Linux/OpenBSD)
|
|
or <code>/usr/local/etc/nginx/conf.d/default.conf</code>, add one more setting in
|
|
configuration block <code>location ~ \.php$ {}</code> like below:</li>
|
|
</ul>
|
|
<pre><code>...
|
|
root /var/www/html;
|
|
...
|
|
location ~ \.php$ {
|
|
...
|
|
fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name; # <- Add this line
|
|
}
|
|
</code></pre>
|
|
|
|
<ul>
|
|
<li>Save your changes and restart Nginx service.</li>
|
|
</ul>
|
|
<p>Notes:</p>
|
|
<ul>
|
|
<li>There're two <code>location ~ \.php$ {}</code> blocks, please update both of them.</li>
|
|
<li>
|
|
<p>You must replace <code>/var/www/html</code> in above sample code to the value of <code>root</code>
|
|
setting defined in same config file.</p>
|
|
<ul>
|
|
<li>on RHEL/CentOS, it's <code>/var/www/html</code>.</li>
|
|
<li>on Debian/Ubuntu, it's <code>/var/www</code>.</li>
|
|
<li>on FreeBSD, it's <code>/usr/local/www/apache22/data</code>.
|
|
Note: if you're running Apache-2.4, the directory name should be
|
|
<code>apache24</code>, not <code>apache22</code>.</li>
|
|
<li>on OpenBSD, it's <code>/var/www/htdocs</code>.</li>
|
|
</ul>
|
|
</li>
|
|
</ul>
|
|
<h3 id="fixed-incorrect-path-of-command-sogo-tool-on-openbsd">Fixed: Incorrect path of command <code>sogo-tool</code> on OpenBSD</h3>
|
|
<p>Note: this step is applicable to only OpenBSD.</p>
|
|
<p>Please check user <code>_sogo</code>'s cron job, make sure path to <code>sogo-tool</code> command is
|
|
<code>/usr/local/sbin/sogo-tool</code>:</p>
|
|
<pre><code># crontab -l -u _sogo
|
|
</code></pre>
|
|
|
|
<p>If it's not <code>/usr/local/sbin/sogo-tool</code>, please edit its cron job with below
|
|
command and fix it:</p>
|
|
<pre><code># crontab -e -u _sogo
|
|
</code></pre>
|
|
|
|
<h2 id="openldap-backend-special">OpenLDAP backend special</h2>
|
|
<h3 id="fixed-not-backup-sogo-database">Fixed: not backup SOGo database</h3>
|
|
<p>Note: this step is not applicable if you don't use SOGo groupware.</p>
|
|
<p>Open backup script <code>/var/vmail/backup/backup_mysql.sh</code>, append SOGo SQL
|
|
database name in variable <code>DATABASES=</code>. For example:</p>
|
|
<pre><code>DATABASES='... sogo'
|
|
</code></pre>
|
|
|
|
<p>Save your change and that's all.</p>
|
|
<h2 id="mysqlmariadb-backend-special">MySQL/MariaDB backend special</h2>
|
|
<h3 id="fixed-not-apply-service-restriction-in-dovecot-sql-query-file-while-acting-as-sasl-server">Fixed: Not apply service restriction in Dovecot SQL query file while acting as SASL server</h3>
|
|
<p>Please open Dovecot config file <code>/etc/dovecot/dovecot-mysql.conf</code>
|
|
(Linux/OpenBSD) or <code>/usr/local/etc/dovecot/dovecot-mysql.conf</code> (FreeBSD), find
|
|
below line:</p>
|
|
<pre><code># Part of file: /etc/dovecot/dovecot-mysql.conf
|
|
|
|
password_query = SELECT password FROM mailbox WHERE username='%u' AND active='1'
|
|
</code></pre>
|
|
|
|
<p>Add additional query <code>AND enable%Ls%Lc=1</code> like below:</p>
|
|
<pre><code># Part of file: /etc/dovecot/dovecot-mysql.conf
|
|
|
|
password_query = SELECT password FROM mailbox WHERE username='%u' AND enable%Ls%Lc=1 AND active='1'
|
|
</code></pre>
|
|
|
|
<p>Save your change and restart Dovecot service.</p>
|
|
<h3 id="fixed-not-backup-sogo-database_1">Fixed: not backup SOGo database</h3>
|
|
<p>Note: this step is not applicable if you don't use SOGo groupware.</p>
|
|
<p>Open backup script <code>/var/vmail/backup/backup_mysql.sh</code>, append SOGo SQL
|
|
database name in variable <code>DATABASES=</code>. For example:</p>
|
|
<pre><code>DATABASES='... sogo'
|
|
</code></pre>
|
|
|
|
<p>Save your change and that's all.</p>
|
|
<h2 id="postgresql-backend-special">PostgreSQL backend special</h2>
|
|
<h3 id="fixed-not-apply-service-restriction-in-dovecot-sql-query-file-while-acting-as-sasl-server_1">Fixed: Not apply service restriction in Dovecot SQL query file while acting as SASL server</h3>
|
|
<p>Please open Dovecot config file <code>/etc/dovecot/dovecot-pgsql.conf</code>
|
|
(Linux/OpenBSD) or <code>/usr/local/etc/dovecot/dovecot-pgsql.conf</code> (FreeBSD), find
|
|
below line:</p>
|
|
<pre><code># Part of file: /etc/dovecot/dovecot-pgsql.conf
|
|
|
|
password_query = SELECT password FROM mailbox WHERE username='%u' AND active='1'
|
|
</code></pre>
|
|
|
|
<p>Add additional query like below:</p>
|
|
<pre><code># Part of file: /etc/dovecot/dovecot-pgsql.conf
|
|
|
|
password_query = SELECT password FROM mailbox WHERE username='%u' AND enable%Ls%Lc=1 AND active='1'
|
|
</code></pre>
|
|
|
|
<p>Save your change and restart Dovecot service.</p>
|
|
<h3 id="fixed-not-backup-sogo-database_2">Fixed: not backup SOGo database</h3>
|
|
<p>Note: this step is not applicable if you don't use SOGo groupware.</p>
|
|
<p>Open backup script <code>/var/vmail/backup/backup_mysql.sh</code>, append SOGo SQL
|
|
database name in variable <code>DATABASES=</code>. For example:</p>
|
|
<pre><code>DATABASES='... sogo'
|
|
</code></pre>
|
|
|
|
<p>Save your change and that's all.</p><p style="text-align: center; color: grey;">Document published under a <a href="http://creativecommons.org/licenses/by-nd/3.0/us/" target="_blank">CC BY-ND 3.0</a> license. If you found something wrong, please do <a href="http://www.iredmail.org/contact.html">contact us</a> to fix it.<script>
|
|
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
|
|
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
|
|
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
|
|
})(window,document,'script','//www.google-analytics.com/analytics.js','ga');
|
|
|
|
ga('create', 'UA-3293801-21', 'auto');
|
|
ga('send', 'pageview');
|
|
</script>
|
|
</body></html> |