Upgrade iRedMail from 0.9.0 to 0.9.1

Attention

Check out the lightweight on-premises email archiving software developed by iRedMail team: Spider Email Archiver.

Paid Remote Upgrade Support

We offer remote upgrade support if you don't want to get your hands dirty, check the details and contact us.

ChangeLog

General (All backends should apply these steps)

Update /etc/iredmail-release with new iRedMail version number

iRedMail stores the release version in /etc/iredmail-release after installation, it's recommended to update this file after you upgraded iRedMail, so that you can know which version of iRedMail you're running. For example:

# File: /etc/iredmail-release

0.9.1

Upgrade Roundcube webmail to the latest stable release

Additional notes before upgrading Roundcube webmail 1.1.0 (or later releases):

# apt-get install php-pear php5-intl
# php5enmod intl
# service apache2 restart    # <- OR: `service php5_fpm restart` if you're running Nginx
# pkg_add -r php-intl
# /etc/rc.d/php_fpm restart

Please download the Complete edition (e.g. roundcubemail-1.1.1-complete.tar.gz) instead of Dependent edition (e.g. roundcubemail-1.1.1.tar.gz).

After you have additional packages installed, please follow Roundcube official tutorial to upgrade Roundcube webmail to the latest stable release: How to upgrade Roundcube.

Notes:

// Required if you're running PHP 5.6
$config['imap_conn_options'] = array(
    'ssl' => array(
        'verify_peer'  => false,
        'verify_peer_name' => false,
    ),
);

$config['smtp_conn_options'] = array(
    'ssl' => array(
        'verify_peer'      => false,
        'verify_peer_name' => false,
    ),
);

Upgrade iRedAPD (Postfix policy server) to the latest 1.5.0

Please follow below tutorial to upgrade iRedAPD to the latest stable release: Upgrade iRedAPD to the latest stable release

Detailed release notes are available here: iRedAPD release notes.

Note:

iRedAPD-1.5.0 is able to log rejection and other non-DUNNO actions in iRedAdmin database, admin can view the log under menu System -> Admin Log of iRedAdmin. If you want to log these actions, please add below new parameters in iRedAPD config file /opt/iredapd/settings.py:

# Log reject (and other non-DUNNO) action in iRedAdmin SQL database
log_action_in_db = True
iredadmin_db_server = '127.0.0.1'
iredadmin_db_port = '3306'
iredadmin_db_name = 'iredadmin'
iredadmin_db_user = 'iredadmin'
iredadmin_db_password = 'password'

You can find SQL username/password of iRedAdmin database in iRedAdmin config file.

Fixed: return receipt response rejected by iRedAPD plugin reject_null_sender

Note: this is applicable if you want to keep iRedAPD plugin reject_null_sender but still able to send return receipt with Roundcube webmail.

According to RFC2298, return receipt envelope sender address must be empty. If you have iRedAPD plugin reject_null_sender enabled, it will reject return receipt response. To particularly solve this issue, you can set below setting in Roundcube config file config/config.inc.php:

$config['mdn_use_from'] = true;

Note: if other mail client applications don't set smtp authentication user as envelope sender of return receipt, same issue will occurs. You must disable iRedAPD plugin reject_null_sender in /opt/iredapd/settings.py to make all mail clients work.

iRedAPD plugin reject_null_sender rejects message submitted by sasl authenticated user but with null sender in From: header (from=<> in Postfix log). If your user's password was cracked by spammer, spammer can use this account to bypass smtp authentication, but with a null sender in From: header, throttling won't be triggered.

Fixed: Amavisd cannot ban zipped .exe attachment file.

Note: this is applicable to only RHEL/CentOS.

Amavisd on some Linux/BSD distribution uses $banned_namepath_re instead of $banned_filename_re to check banned file types, but it ($banned_namepath_re) was not defined, so we define some blocked file types here.

Please append below settings in Amavisd config file /etc/amavisd/amavisd.conf, before the last line (1; # insure a defined return) in the same file:

# Amavisd on some Linux/BSD distribution use \$banned_namepath_re
# instead of \$banned_filename_re, so we define some blocked file
# types here.
#
# Sample input for $banned_namepath_re:
#
#   P=p003\tL=1\tM=multipart/mixed\nP=p002\tL=1/2\tM=application/octet-stream\tT=dat\tN=my_docum.zip
#
# What it means:
#   - T: type. e.g. zip archive.
#   - M: MIME type. e.g. application/octet-stream.
#   - N: suggested (MIME) name. e.g. my_docum.zip.

$banned_namepath_re = new_RE(
    [qr'T=(zip|rar|arc|arj|zoo|gz|bz2)(,|\t)'xmi => 'DISCARD'],     # Compressed file types
    [qr'T=x-(msdownload|msdos-program|msmetafile|wmf)(,|\t)'xmi => 'DISCARD'],
    [qr'T=(hta)(,|\t)'xmi => 'DISCARD'],

    # Dangerous file types
    [qr'T=(9|386|LeChiffre|aaa|abc|aepl|ani|aru|atm|aut|b64|bat|bhx|bkd|blf|bll|bmw|boo|bps|bqf|breaking_bad|buk|bup|bxz|cc|ccc|ce0|ceo|cfxxe|chm|cih|cla|class|cmd|com|cpl|crinf|crjoker|crypt|cryptolocker|cryptowall|ctbl|cxq|cyw|dbd|delf|dev|dlb|dli|dll|dllx|dom|drv|dx|dxz|dyv|dyz|ecc|exe|exe-ms|exe1|exe_renamed|exx|ezt|ezz|fag|fjl|fnr|fuj|good|gzquar|hlp|hlw|hqx|hsq|hts|iva|iws|jar|js|kcd|keybtc@inbox_com|let|lik|lkh|lnk|locky|lok|lol!|lpaq5|magic|mfu|micro|mim|mjg|mjz|mp3|nls|oar|ocx|osa|ozd|pcx|pgm|php2|php3|pid|pif|plc|pr|pzdc|qit|qrn|r5a|rhk|rna|rsc_tmp|s7p|scr|shs|ska|smm|smtmp|sop|spam|ssy|swf|sys|tko|tps|tsa|tti|ttt|txs|upa|uu|uue|uzy|vb|vba|vbe|vbs|vbx|vexe|vxd|vzr|wlpginstall|wmf|ws|wsc|wsf|wsh|wss|xdu|xir|xlm|xlv|xnt|xnxx|xtbl|xxe|xxx|xyz|zix|zvz|zzz)(,|\t)'xmi => 'DISCARD'],

    # Dangerous file name extensions
    [qr'N=.*\.(9|386|LeChiffre|aaa|abc|aepl|ani|aru|atm|aut|b64|bat|bhx|bkd|blf|bll|bmw|boo|bps|bqf|breaking_bad|buk|bup|bxz|cc|ccc|ce0|ceo|cfxxe|chm|cih|cla|class|cmd|com|cpl|crinf|crjoker|crypt|cryptolocker|cryptowall|ctbl|cxq|cyw|dbd|delf|dev|dlb|dli|dll|dllx|dom|drv|dx|dxz|dyv|dyz|ecc|exe|exe-ms|exe1|exe_renamed|exx|ezt|ezz|fag|fjl|fnr|fuj|good|gzquar|hlp|hlw|hqx|hsq|hts|iva|iws|jar|js|kcd|keybtc@inbox_com|let|lik|lkh|lnk|locky|lok|lol!|lpaq5|magic|mfu|micro|mim|mjg|mjz|mp3|nls|oar|ocx|osa|ozd|pcx|pgm|php2|php3|pid|pif|plc|pr|pzdc|qit|qrn|r5a|rhk|rna|rsc_tmp|s7p|scr|shs|ska|smm|smtmp|sop|spam|ssy|swf|sys|tko|tps|tsa|tti|ttt|txs|upa|uu|uue|uzy|vb|vba|vbe|vbs|vbx|vexe|vxd|vzr|wlpginstall|wmf|ws|wsc|wsf|wsh|wss|xdu|xir|xlm|xlv|xnt|xnxx|xtbl|xxe|xxx|xyz|zix|zvz|zzz)$'xmi => 'DISCARD'],
);

Restarting Amavisd service is required.

Fixed: Amavisd cannot detect .exe file in rar compressed attachment.

Note: This fix is applicable to RHEL/CentOS, Debian and Ubuntu.

Steps to fix this issue on RHEL/CentOS:

# yum clean metadata
# yum install unrar
# service amavisd restart

Steps to fix this issue on Debian:

# apt-get install unrar-free
# service amavis restart

Steps to fix this issue on Ubuntu:

# For Ubuntu 14.04 LTS
deb http://[ubuntu_mirror_site]/ubuntu/ trusty main restricted universe multiverse
deb http://[ubuntu_mirror_site]/ubuntu/ trusty-updates main restricted universe multiverse

# For Ubuntu 15.04
deb http://[ubuntu_mirror_site]/ubuntu/ vivid main restricted universe multiverse
deb http://[ubuntu_mirror_site]/ubuntu/ vivid-updates main restricted universe multiverse
# apt-get remove --purge unrar-free
# apt-get install unrar
$unrar = ['unrar-nonfree'];
# service amavis restart

Fixed: Cannot run PHP script under web document root with Nginx.

With previous release of iRedMail, Nginx won't run PHP scripts under sub-directories of web document root, this step will fix it.

...
root /var/www/html;
...
location ~ \.php$ {
    ...
    fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;    # <- Add this line
}

Notes:

Fixed: Incorrect log file and owner/group in logrotate config file: /etc/logrotate.d/policyd

Note: This is applicable to Linux and FreeBSD, we don't have Cluebringer installed on OpenBSD.

iRedMail-0.9.0 generates logrotate config file /etc/logrotate.d/policyd with incorrect log file name and owner/group.

The original setting looks like below:

/var/log/amavisd.log {
    ...
    create 0600 amavis amavis
    ...
}

Please change the log file name and owner/group to below settings:

/var/log/cbpolicyd.log {
    ...
    create 0600 cluebringer cluebringer
    ...
}

Note: on FreeBSD, the owner/group name is policyd, not cluebringer.

Fixed: Incorrect path of command sogo-tool on OpenBSD

Note: this step is applicable to only OpenBSD.

Please check user _sogo's cron job, make sure path to sogo-tool command is /usr/local/sbin/sogo-tool:

# crontab -l -u _sogo

If it's not /usr/local/sbin/sogo-tool, please edit its cron job with below command and fix it:

# crontab -e -u _sogo

[OPTIONAL] Make Dovecot subscribe newly created folder automatically

With default iRedMail setting, Dovecot will create folder automatically (for example, send email to user+extension@domain.com will create folder extension in user@domain.com's mailbox), but not subscribe it. Below change will make it subscribe to new folder automatically.

protocol lda {
    ...
}
protocol lda {
    ...
    lda_mailbox_autosubscribe = yes
}

[OPTIONAL] Setup Fail2ban to monitor password failures in SOGo log file

To improve server security, we'd better block clients which have too many failed login attempts from SOGo.

Please append below lines in Fail2ban main config file /etc/fail2ban/jail.local:

[SOGo]
enabled     = true
filter      = sogo-auth
port        = http, https
# without proxy this would be:
# port    = 20000
action      = iptables-multiport[name=SOGo, port="http,https", protocol=tcp]
logpath     = /var/log/sogo/sogo.log

Restarting Fail2ban service is required.

[OPTIONAL] Add two more Fail2ban filter regular expressios to help catch spam

We have two new Fail2ban filters to help catch spam:

  1. first one will scan HELO rejections in Postfix log file.
  2. second one will scan aborded pop3/imap login in Dovecot log file.

Steps:

  1. Open file /etc/fail2ban/filter.d/postfix.iredmail.conf or /usr/local/etc/fail2ban/filter.d/postfix.iredmail.conf (on FreeBSD), append below line under [Definition] section:
            reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname

After modification, the whole content is:

[Definition]
failregex = \[<HOST>\]: SASL (PLAIN|LOGIN) authentication failed
            lost connection after AUTH from (.*)\[<HOST>\]
            reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
            reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
            reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
            reject: RCPT from (.*)\[<HOST>\]: 504 5.5.2 (.*) Helo command rejected: need fully-qualified hostname
ignoreregex =
  1. Open file /etc/fail2ban/filter.d/dovecot.iredmail.conf or /usr/local/etc/fail2ban/filter.d/dovecot.iredmail.conf (on FreeBSD), replace its content by below text:
[Definition]
failregex = Authentication failure.* rip=<HOST>
            Aborted login \(no auth attempts in .* rip=<HOST>
            Aborted login \(auth failed.* rip=<HOST>
            Aborted login \(tried to use disallowed .* rip=<HOST>
            Aborted login \(tried to use disabled .* rip=<HOST>

ignoreregex =

Restarting Fail2ban service is required.

OpenLDAP backend special

Use the latest LDAP schema file provided by iRedMail

We have a new attribute allowNets for mail user in the latest LDAP schema file. With this new attribute, you can restrict mail users to login from specified IP addresses or networks, multiple IP/nets must be separated by comma.

Steps to use the latest LDAP schema file are:

Here we go:

# cd /tmp
# wget https://github.com/iredmail/iRedMail/raw/1.0/samples/iredmail/iredmail.schema

# cd /etc/openldap/schema/
# cp iredmail.schema iredmail.schema.bak

# cp -f /tmp/iredmail.schema /etc/openldap/schema/
# /etc/init.d/slapd restart
# cd /tmp
# wget https://github.com/iredmail/iRedMail/raw/1.0/samples/iredmail/iredmail.schema

# cd /etc/ldap/schema/
# cp iredmail.schema iredmail.schema.bak

# cp -f /tmp/iredmail.schema /etc/ldap/schema/
# /etc/init.d/slapd restart
# cd /tmp
# wget https://github.com/iredmail/iRedMail/raw/1.0/samples/iredmail/iredmail.schema

# cd /usr/local/etc/openldap/schema/
# cp iredmail.schema iredmail.schema.bak

# cp -f /tmp/iredmail.schema /usr/local/etc/openldap/schema/
# service slapd restart

Restrict mail user to login from specified IP addresses or networks

With the latest LDAP schema file, it's able to restrict mail users to login from specified IP/networks.

Open Dovecot config file /etc/dovecot/dovecot-ldap.conf (Linux/OpenBSD) or /usr/local/etc/dovecot/dovecot-ldap.conf (FreeBSD), append allowNets=allow_nets in parameter pass_attrs. The final setting should be:

pass_attrs      = mail=user,userPassword=password,allowNets=allow_nets

Restarting Dovecot service is required.

Sample usage: allow user user@domain.com to login from IP 172.16.244.1 and network 192.168.1.0/24:

dn: mail=user@domain.com,ou=Users,domainName=domain.com,o=domains,dc=xx,dc=xx
objectClass: mailUser
mail: user@domain.com
allowNets: 192.168.1.10,192.168.1.0/24
...

To remove this restriction, just remove attribute allowNets for this user.

Fixed: not backup SOGo database

Note: this step is not applicable if you don't use SOGo groupware.

Open backup script /var/vmail/backup/backup_mysql.sh, append SOGo SQL database name in variable DATABASES=. For example:

DATABASES='... sogo'

Save your change and that's all.

Fixed: drop retired column in Amavisd database: policy.spam_modifies_subj

Note: This is applicable to Amavisd-new-2.7.0 and later releases.

Amavisd drops column policy.spam_modifies_subj since amavisd-new-2.7.0 release, we'd better remove this column.

Login to MySQL server as root user, then execute below SQL commands to drop it:

mysql> USE amavisd;
mysql> ALTER TABLE policy DROP COLUMN spam_modifies_subj;

[OPTIONAL] Bypass greylisting for some big ISPs

ISPs' mail servers send out spams, but also normal business mails. Applying greylisting on them is helpless.

# cd /tmp
# wget https://github.com/iredmail/iRedMail/raw/fd52316fc12651768c69671ddcfbafc211cd4689/iRedMail/samples/cluebringer/greylisting-whitelist.sql
$ mysql -uroot -p
mysql> USE cluebringer;
mysql> SOURCE /tmp/greylisting-whitelist.sql;

That's all.

MySQL/MariaDB backend special

Add new SQL column in vmail database

We have a new SQL column mailbox.allow_nets in vmail database, it's used to restrict mail users to login from specified IP addresses or networks, multiple IP/nets must be separated by comma.

Connect to SQL server as MySQL root user, create new column:

$ mysql -uroot -p
mysql> USE vmail;
mysql> ALTER TABLE mailbox ADD COLUMN `allow_nets` TEXT DEFAULT NULL;

Restrict mail user to login from specified IP addresses or networks, and apply service restriction while acting as SASL server

Open Dovecot config file /etc/dovecot/dovecot-mysql.conf (Linux/OpenBSD) or /usr/local/etc/dovecot/dovecot-mysql.conf (FreeBSD), then:

The final setting should be:

password_query = SELECT password, allow_nets FROM mailbox WHERE username='%u' AND enable%Ls%Lc=1 AND active='1'

Restarting Dovecot service is required.

Sample usage: allow user user@domain.com to login from IP 172.16.244.1 and network 192.168.1.0/24:

sql> USE vmail;
sql> UPDATE mailbox SET allow_nets='172.16.244.1,192.168.1.0/24' WHERE username='user@domain.com`;

To remove this restriction, just set mailbox.allow_nets to NULL, not empty string.

Fixed: user+extension@domain.com doesn't work with per-domain catch-all

With iRedMail-0.9.0 and earlier versions, if you have per-domain catch-all enabled, email sent to user+extension@domain.com will be delivered to catch-all address instead of user@domain.com. Below steps fix this issue.

query = ... WHERE alias.address='%d' AND alias.address=domain.domain ...
query = ... WHERE alias.address='%d' AND '%u' NOT LIKE '%%+%%' AND alias.address=domain.domain ...

Fixed: not backup SOGo database

Note: this step is not applicable if you don't use SOGo groupware.

Open backup script /var/vmail/backup/backup_mysql.sh, append SOGo SQL database name in variable DATABASES=. For example:

DATABASES='... sogo'

Save your change and that's all.

Fixed: drop retired column in Amavisd database: policy.spam_modifies_subj

Note: This is applicable to Amavisd-new-2.7.0 and later releases.

Amavisd drops column policy.spam_modifies_subj since amavisd-new-2.7.0 release, we'd better remove this column.

Login to MySQL server as root user, then execute below SQL commands to drop it:

mysql> USE amavisd;
mysql> ALTER TABLE policy DROP COLUMN spam_modifies_subj;

[OPTIONAL] Bypass greylisting for some big ISPs

ISPs' mail servers send out spams, but also normal business mails. Applying greylisting on them is helpless.

# cd /tmp
# wget https://github.com/iredmail/iRedMail/raw/fd52316fc12651768c69671ddcfbafc211cd4689/iRedMail/samples/cluebringer/greylisting-whitelist.sql
$ mysql -uroot -p
mysql> USE cluebringer;
mysql> SOURCE /tmp/greylisting-whitelist.sql;

That's all.

PostgreSQL backend special

Add new SQL column in vmail database

We have a new SQL column mailbox.allow_nets in vmail database, it's used to restrict mail users to login from specified IP addresses or networks, multiple IP/nets must be separated by comma.

Now connect to PostgreSQL server as admin user, create new column:

# su - postgres
$ psql -d vmail
sql> ALTER TABLE mailbox ADD COLUMN allow_nets TEXT DEFAULT NULL;

Restrict mail user to login from specified IP addresses or networks, and apply service restriction while acting as SASL server

Open Dovecot config file /etc/dovecot/dovecot-pgsql.conf (Linux/OpenBSD) or /usr/local/etc/dovecot/dovecot-pgsql.conf (FreeBSD), then:

The final setting should be:

password_query = SELECT password, allow_nets FROM mailbox WHERE username='%u' AND enable%Ls%Lc=1 AND active='1'

Restarting Dovecot service is required.

Sample usage: allow user user@domain.com to login from IP 172.16.244.1 and network 192.168.1.0/24:

sql> \c vmail;
sql> UPDATE mailbox SET allow_nets='172.16.244.1,192.168.1.0/24' WHERE username='user@domain.com`;

To remove this restriction, just set mailbox.allow_nets to NULL, not empty string.

Fixed: user+extension@domain.com doesn't work with per-domain catch-all

With iRedMail-0.9.0 and earlier versions, if you have per-domain catch-all enabled, email sent to user+extension@domain.com will be delivered to catch-all address instead of user@domain.com. Below steps fix this issue.

query = ... WHERE alias.address='%d' AND alias.address=domain.domain ...
query = ... WHERE alias.address='%d' AND '%u' NOT LIKE '%%+%%' AND alias.address=domain.domain ...

Fixed: not backup SOGo database

Note: this step is not applicable if you don't use SOGo groupware.

Open backup script /var/vmail/backup/backup_mysql.sh, append SOGo SQL database name in variable DATABASES=. For example:

DATABASES='... sogo'

Save your change and that's all.

Fixed: drop retired column in Amavisd database: policy.spam_modifies_subj

Note: This is applicable to Amavisd-new-2.7.0 and later releases.

Amavisd drops column policy.spam_modifies_subj since amavisd-new-2.7.0 release, we'd better remove this column.

Login to PostgreSQL server as admin user, then execute below SQL commands to drop it:

sql> \c amavisd;
sql> ALTER TABLE policy DROP COLUMN spam_modifies_subj;

[OPTIONAL] Bypass greylisting for some big ISPs

ISPs' mail servers send out spams, but also normal business mails. Applying greylisting on them is helpless.

# cd /tmp
# wget https://github.com/iredmail/iRedMail/raw/fd52316fc12651768c69671ddcfbafc211cd4689/iRedMail/samples/cluebringer/greylisting-whitelist.sql
# su - postgres
$ psql -d cluebringer
sql> \i /tmp/greylisting-whitelist.sql;

That's all.