1

Topic: Debian 10 Buster Post

With Debian 10 Buster on the horizon (July 6th per Debian), I wanted to make this post to see what might happen if we update to D10.

It is always recommended to do a snapshot or backup of your data, and I would at least wait a month and check to make sure all packages are available on Debian Buster before upgrading!!!

What packages will break in iRedMail, and is there a timeline for packages that will be updated soon to fix those issues?

2

Re: Debian 10 Buster Post

Don't rush to upgrade.
We haven't fully tested Debian 10 yet, so please wait a few more days after Buster is released.

----

Does my reply help a little? How about buying me a cup of coffee ($5) as an encouragement?

buy me a cup of coffee

3

Re: Debian 10 Buster Post

Zhang, I am definitely going to wait to update. The point of this post was for testing details. Once released I plan to spin up another VM and test an upgrade. Not only for iRedMail but also other applications I run.

I plan to post my findings here.

4

Re: Debian 10 Buster Post

wylel wrote:

Zhang, I am definitely going to wait to update. The point of this post was for testing details. Once released I plan to spin up another VM and test an upgrade. Not only for iRedMail but also other applications I run.

I plan to post my findings here.

I'm interested in this project because I want to try to install iredmail on a Raspberry Pi 4 4GB and, for now, the ONLY available OS for this platform is Raspbian based on Debian 10 Buster. Did you find out how to install iRedMail on Buster? Files needed to edit?

5 (edited by Neutro 2019-07-05 21:42:10)

Re: Debian 10 Buster Post

Debian 10 has not officially been released yet which means there could be breaking changes between the actual beta and the official release, which means you shouldn't spend time trying to make iredmail on Debian 10 right now.

If you want to try iredmail in the meantime do it with another server on Debian 9 and be patient ;)

6

Re: Debian 10 Buster Post

Neutro wrote:

Debian 10 has not officially been released yet. Until it is trying to make iredmail work on it would be a waste of time since the OS might have breaking changes between now and the official release.

If you want to try iredmail in the meantime do it with another server on Debian 9 and be patient ;)

It will be released tomorrow and the actual RC3 is almost equal to final release. And Raspberry Pi 4 is supported on Raspbian Buster (Debian 10) only...

7 (edited by Neutro 2019-07-05 22:08:43)

Re: Debian 10 Buster Post

Almost equal is different from equal. Also it is probable that even after the official release the 10.0 will be quickly patched to another version to correct bugs that were not found in the beta since the user pool will be much larger.

You need to respect the devs and give them time to make the necessary work peacefully once Debian 10 is officially released, moreover since iredmail is distributed free of charge ;)

Posting here to ask to rush won't make things go any faster anyway.

We understand that you're eager to test iredmail on your Raspberry Pi 4 and that's cool, but you need to be a little more patient :)

8

Re: Debian 10 Buster Post

Neutro wrote:

Almost equal is different from equal. Also it is probable that even after the official release the 10.0 will be quickly patched to another version to correct bugs that were not found in the beta since the user pool will be much larger.

You need to respect the devs and give them time to make the necessary work peacefully once Debian 10 is officially released, moreover since iredmail is distributed free of charge ;)

Posting here to ask to rush won't make things go any faster anyway.

We understand that you're eager to test iredmail on your Raspberry Pi 4 and that's cool, but you need to be a little more patient :)

I respect the developers of iRedMail and their work and absolutely do not pretend that they are in a hurry, I was only asking if, while waiting for a new version of iRedMail compatible with Debian 10, someone could suggest some changes to make to the installation script configuration files to allow and try execution on this new Linux distribution ...

9

Re: Debian 10 Buster Post

Hi guys,

I already downloaded the Debian 10 official ISO images, should finish the testing for both iRedMail and iRedMail Easy in one week. You can expect some commits soon here:
https://bitbucket.org/zhb/iredmail/commits/

Stay tuned.

10

Re: Debian 10 Buster Post

Awesome news. Let me know if you need further testing and I will be happy to do so.

11

Re: Debian 10 Buster Post

Wow, very fast, great! ;)

12

Re: Debian 10 Buster Post

ZhangHuangbin wrote:

Hi guys,

I already downloaded the Debian 10 official ISO images, should finish the testing for both iRedMail and iRedMail Easy in one week. You can expect some commits soon here:
https://bitbucket.org/zhb/iredmail/commits/

Stay tuned.

Hello, I'm following your commits on https://bitbucket.org/zhb/iredmail/commits/all, I'm happy to see there are already a couple of good commits for Debian 10, where can I download an iRedMail release including these modifications to test on my Pi 4?

13

Re: Debian 10 Buster Post

Dear all,

iRedMail development edition now works with Debian 10, please help test it by following steps below:

- Download the development edition: https://bitbucket.org/zhb/iredmail/get/tip.tar.bz2
- Install it on Debian 10 by following our installation guides: https://docs.iredmail.org/#install

Notes:

- it still uses /etc/init.d/iptables (with firewall rules in /etc/default/iptables) for firewall, will switch to nftables later.
- I didn't notice any issues till now, but it definitely needs some more testing.

14

Re: Debian 10 Buster Post

Hi Zhang,

The installation seems to have occurred normally but it seems that fail2ban did not load the rules. The commands:

# iptables -L -n -v

or

# nft list ruleset

They do not return any loaded rules.

15

Re: Debian 10 Buster Post

Noted. I will check this later. Thanks for the feedback. :)

16 (edited by gondim 2019-07-10 00:04:06)

Re: Debian 10 Buster Post

ZhangHuangbin wrote:

Noted. I will check this later. Thanks for the feedback. :)

Hi Zhang,

With dovecot 2.3 Diffie-Hellman is necessary. Otherwise email clients may display this error in the logs:

Jul  9 11:27:52 mail dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load DH parameters: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small: user=<>, rip=2804:xxxx:xxxx:xxxx:e4c8:f463:d763:1130, lip=2804:xxxx:xxxx:xxxx::163, session=<kv2pXUCNlcsoBBBUDxgAAOTI9GPXYxEw>

Ref: https://wiki2.dovecot.org/Upgrading/2.3#dhparams

To create dh.pem I used: openssl dhparam -out /etc/dovecot/dh.pem 2048

After I created and configured the dh.pem, I had to recreate my imap accounts in thunderbird to normalize the accesses.

I updated my Debian Stretch to Buster and only noticed problems with dovecot, as I explained above. The rest seems to be working. fail2ban working!
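An added example, not part of the original post or of iRedMail: a small check that reads the `ssl_dh = </path` line from Dovecot 2.3 configuration text and measures the prime size inside the referenced `DH PARAMETERS` PEM file by parsing its DER structure. The function names, the 2048-bit threshold (taken from the `openssl dhparam` command above) and the sample inputs are assumptions constructed for illustration.

```python
import base64
import re

MIN_DH_BITS = 2048  # assumption: the size used with `openssl dhparam` in the post above

def _der_len(der, i):
    """Decode a DER length starting at offset i; return (length, value offset)."""
    if der[i] < 0x80:
        return der[i], i + 1
    n = der[i] & 0x7F
    return int.from_bytes(der[i + 1:i + 1 + n], "big"), i + 1 + n

def dh_prime_bits(pem_text):
    """Bit length of the prime p in a PEM 'DH PARAMETERS' (PKCS#3) block."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.+?)-----END DH PARAMETERS-----", pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    _, i = _der_len(der, 1)                 # skip the outer SEQUENCE header
    if der[0] != 0x30 or der[i] != 0x02:    # SEQUENCE { INTEGER p, INTEGER g }
        raise ValueError("not a PKCS#3 DHParameter structure")
    n, i = _der_len(der, i + 1)
    return int.from_bytes(der[i:i + n], "big").bit_length()

def audit_ssl_dh(conf_text, read_file):
    """Findings for the ssl_dh setting in Dovecot 2.3 config text (empty list = OK)."""
    m = re.search(r"^\s*ssl_dh\s*=\s*<\s*(\S+)", conf_text, re.M)
    if not m:
        return ["ssl_dh is not set"]
    bits = dh_prime_bits(read_file(m.group(1)))
    if bits < MIN_DH_BITS:
        return [f"{m.group(1)}: {bits}-bit DH group is below {MIN_DH_BITS}"]
    return []

def sample_pem(p, g=2):
    """Constructed input: encode (p, g) as PKCS#3 PEM. p need not be prime here."""
    def enc_len(n):
        raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
        return bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    def enc_int(v):
        raw = v.to_bytes(v.bit_length() // 8 + 1, "big")  # leading 0x00 if top bit set
        return b"\x02" + enc_len(len(raw)) + raw
    body = enc_int(p) + enc_int(g)
    der = base64.b64encode(b"\x30" + enc_len(len(body)) + body).decode()
    return f"-----BEGIN DH PARAMETERS-----\n{der}\n-----END DH PARAMETERS-----\n"

if __name__ == "__main__":  # constructed 1024-bit sample and config line
    pem = sample_pem((1 << 1023) | 1)
    print(audit_ssl_dh("ssl_dh = </etc/dovecot/dh.pem\n", lambda path: pem))
```

On a real host, pass the server's configuration text and `lambda path: open(path).read()` as `read_file`.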

17

Re: Debian 10 Buster Post

Maybe it's better to remove the "ssl_dh =" setting, and update ssl_cipher_list.

Since v2.3.3+ DH parameter usage is optional and can be omitted. You are invited to amend ciphers to disallow non-ECC based DH algorithms, but if you don't and someone does try to use them, error will be emitted.

Example: ssl_cipher_list=ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW:!DH@STRENGTH

Could you try to comment out "ssl_dh", and append "!DH@STRENGTH" in "ssl_cipher_list"?

18

Re: Debian 10 Buster Post

ZhangHuangbin wrote:

Maybe it's better to remove the "ssl_dh =" setting, and update ssl_cipher_list.

Since v2.3.3+ DH parameter usage is optional and can be omitted. You are invited to amend ciphers to disallow non-ECC based DH algorithms, but if you don't and someone does try to use them, error will be emitted.

Example: ssl_cipher_list=ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW:!DH@STRENGTH

Could you try to comment out "ssl_dh", and append "!DH@STRENGTH" in "ssl_cipher_list"?

Did not work. The error occurred anyway. Give me the full line of the ssl_cipher_list variable. That I replace here to test.

19

Re: Debian 10 Buster Post

Try this:

ssl_cipher_list = ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DH@STRENGTH

20

Re: Debian 10 Buster Post

ZhangHuangbin wrote:

Try this:

ssl_cipher_list = ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DH@STRENGTH

Sorry, same problem.
Any other suggestions for change? If you need me to test some other configuration, just talk. :)

21

Re: Debian 10 Buster Post

Testing this locally in a VM and it seems to install and run fine. I can get to the Admin panel, iptables is populated, etc.

I don't have an extra domain to test, but I might try one soon. Let me know if there are any logs you want from the install.

22

Re: Debian 10 Buster Post

wylel wrote:

Testing this locally in a VM and it seems to install and run fine. I can get to the Admin panel, iptables is populated, etc.

I don't have an extra domain to test, but I might try one soon. Let me know if there are any logs you want from the install.

Try to access imap with a Thunderbird client. Verify that connection errors will occur.

I got errors related to DH.

23

Re: Debian 10 Buster Post

I will generate the dh file in next iRedMail release. According to Dovecot wiki, 2048 bit is ok, but 4096 is industry recommended. I'm ok with 4096 of course, the problem is generating it will take a LOOOOOOONG time.

24

Re: Debian 10 Buster Post

BTW, I will release new iRedMail version via the iRedMail Easy platform next Monday (Jul 15), have to delay Debian 10 support in both iRedMail and iRedMail Easy for a few more days.

Issues I noticed on Debian 10 are:

- Switching iptables to nftables
- No chains for Fail2ban in iptables (will switch to nftables too)

Hope I can fix them next week, then there will be iRedMail-1.0-beta1 available for public testing.

25

Re: Debian 10 Buster Post

ZhangHuangbin wrote:

Hope I can fix them next week, then there will be iRedMail-1.0-beta1 available for public testing.

So, this public beta release will include initial support for Debian 10?