1

Topic: iRedMail-1.0 has been released.

Dear all,

The great final iRedMail-1.0 has been released. I started iRedMail in 2007, cannot believe it's been 12 years. But what's next? A dockerized edition.

Introduce "iRedMail Easy" - the new deployment, upgrade and support platform

iRedMail Easy is the new web-based deployment, (one-click) upgrade and technical support platform introduced a few months ago. We release new versions frequently (currently one new release per month); with the one-click upgrade support, you can easily keep the iRedMail server up to date without caring about any technical details. It's the recommended way to deploy a NEW iRedMail server and get technical support.

For more details, please check our website, the comparison of iRedMail Easy and classic downloadable installer is available too: https://www.iredmail.org/easy.html

If you need to upgrade an existing iRedMail server to the iRedMail Easy platform, please check our tutorial: Migrate from iRedMail to iRedMail Easy platform.

Major changes since iRedMail-0.9.9.

Supports new distribution releases
  • Debian 10

  • OpenBSD 6.6

Drop support for old distribution releases
  • OpenBSD 6.4, 6.5.

  • Ubuntu 16.04, 18.10. NOTE: We have no plan to support non-LTS Ubuntu edition anymore, only the latest LTS edition will be supported.

Drop support for backend
  • Drop support for OpenBSD ldapd backend.

Removed OpenDMARC integration

We removed OpenDMARC integration due to an internal bug which caused incorrect email rejection. Bug reported to upstream: https://github.com/trusteddomainproject … /issues/50.

It seems the OpenDMARC project has not been active for years; we have no plan to integrate it again shortly.

Improvements
  • Dovecot:

    • Enable quota-status service. Postfix can query this service and reject email immediately if user's mailbox is over quota.

    • Enable tracking user last login time by default for MySQL/MariaDB and OpenLDAP backends. Note: Dovecot doesn't support this with PostgreSQL yet.

  • Netdata:

    • Replace a few Python collectors with Go modules for better performance.

    • Disable email notification since netdata is too sensitive and the notification message is "useless".

    • Disable sending anonymous statistics to netdata cloud.

  • tools/backup_*.sh: Remove old empty backup directory.

Fixed issues
  • Timeout for clamd service to load virus database is too short on CentOS 7.

  • Rejects the new Facebook servers which contain IP address in their HELO identities.

  • Incorrect SSL CA file path on FreeBSD.

  • Improper postrotate command for log files on Linux.

  • Improper order of restriction rules in Postfix `smtpd_sender_restrictions` setting.

  • Fail2ban jail config file doesn't correctly set sshd port number(s).

  • Loosen Fail2ban filter rules (postfix/dovecot) to reduce negative bans.

  • [Linux] Not send kill signal to php-fpm daemon process to reopen log file after logrotation.

  • tools/create_mail_user_OpenLDAP.py: Fix missing comma which causes incorrect value of ldap attribute 'enabledService'. Thanks Michael Chong.

Updated packages
  • Roundcube webmail -> 1.4.1

  • iRedAPD -> 3.3

  • iRedAdmin -> 0.9.9

  • netdata -> 1.19.0

  • mlmmjadmin -> 2.1

  • php -> 7.3 (FreeBSD only)


2

Re: iRedMail-1.0 has been released.

We moved source code from bitbucket to github:

- iRedMail: https://github.com/iredmail/iRedMail
- iRedAPD: https://github.com/iredmail/iRedAPD
- iRedAdmin (open source edition): https://github.com/iredmail/iRedAdmin
- mlmmjadmin: https://github.com/iredmail/mlmmjadmin

3 (edited by CrashXRU 2019-12-09 11:58:50)

Re: iRedMail-1.0 has been released.

great work!

ZhangHuangbin wrote:

dockerized edition.

this would be a fresh continuation and the possibility of a seamless update



the only thing, I refused netdata
maybe there are regular problems with a memory leak, and monitoring is performed on zabbix


Thought in the final version for Debian 10, there will be no mistakes

due to the fact that there is no iptables
but it is used nftables

Dec 09 10:52:04 mail systemd[1]: Starting LSB: Control ip6tables firewall....
Dec 09 10:52:05 mail systemd[1]: ip6tables.service: Control process exited, code=exited, status=1/FAILURE
Dec 09 10:52:05 mail systemd[1]: ip6tables.service: Failed with result 'exit-code'.
Dec 09 10:52:05 mail systemd[1]: Failed to start LSB: Control ip6tables firewall..
Dec 09 10:52:04 mail systemd[1]: Starting LSB: Control iptables firewall....
Dec 09 10:52:05 mail systemd[1]: iptables.service: Control process exited, code=exited, status=1/FAILURE
Dec 09 10:52:05 mail systemd[1]: iptables.service: Failed with result 'exit-code'.
Dec 09 10:52:05 mail systemd[1]: Failed to start LSB: Control iptables firewall..

Can I remove these scripts from startup?

4

Re: iRedMail-1.0 has been released.

Should I update to Debian 10 Buster before or after running the upgrade of iRedMail?

5

Re: iRedMail-1.0 has been released.

CrashXRU wrote:

Can I remove these scripts from startup?

Sure. You can replace iptables by nftables.

6

Re: iRedMail-1.0 has been released.

wylel wrote:

Should I update to Debian 10 Buster before or after running the upgrade of iRedMail?

I suggest upgrading iRedMail first and running it for a few days, then upgrading the OS.

7

Re: iRedMail-1.0 has been released.

Could you please help me set smtpd_sender_restrictions and smtpd_recipient_restrictions? Here is what I have:

smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated, check_sender_access pcre:/etc/postfix/sender_access.pcre

smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client sbl-xbl.spamhaus.org, permit

8

Re: iRedMail-1.0 has been released.

ZhangHuangbin wrote:
wylel wrote:

Should I update to Debian 10 Buster before or after running the upgrade of iRedMail?

I suggest upgrading iRedMail first and running it for a few days, then upgrading the OS.

Got it, will do and report any issues.

9

Re: iRedMail-1.0 has been released.

FMB wrote:

Could you please help me set smtpd_sender_restrictions and smtpd_recipient_restrictions? Here is what I have:

You can check our sample config files here:
https://github.com/iredmail/iRedMail/bl … in.cf#L182
https://github.com/iredmail/iRedMail/bl … in.cf#L191

10

Re: iRedMail-1.0 has been released.

Updating to iRedMail-1.0 on Debian 9 seems to work as expected. The next step is going to be upgrading to Debian 10.

11

Re: iRedMail-1.0 has been released.

Thanks.

12 (edited by wylel 2019-12-12 12:55:45)

Re: iRedMail-1.0 has been released.

I updated to 1.0 and ran it, everything was fine. I upgraded from Debian 9 to 10. I had a few issues, one was MariaDB did not like innodb settings (syntaxes removed). Fixed that issue and that works fine. Had some issues with Nextcloud (unrelated), but one issue I am still having is I cannot connect with STARTTLS to IMAP.

I am now getting the following error in mail log.

Dec 11 22:41:07 mail postfix/pipe[7604]: 47YJxv4RzSz8sb2: to=<mail>, orig_to=<www-data@hostname>, relay=dovecot, delay=4735, delays=4735/0.52/0/0.14, dsn=4.3.0, status=deferred (temporary failure)

13

Re: iRedMail-1.0 has been released.

wylel wrote:

I updated to 1.0 and ran it, everything was fine. I upgraded from Debian 9 to 10. I had a few issues, one was MariaDB did not like innodb settings (syntaxes removed). Fixed that issue and that works fine. Had some issues with Nextcloud (unrelated), but one issue I am still having is I cannot connect with STARTTLS to IMAP.

I am now getting the following error in mail log.

Dec 11 22:41:07 mail postfix/pipe[7604]: 47YJxv4RzSz8sb2: to=<mail>, orig_to=<www-data@hostname>, relay=dovecot, delay=4735, delays=4735/0.52/0/0.14, dsn=4.3.0, status=deferred (temporary failure)

What length is the key used in your certificate?
As of Debian 10 the minimum requirements for the length of the key is 2048 bits.

14

Re: iRedMail-1.0 has been released.

mir wrote:
wylel wrote:

I updated to 1.0 and ran it, everything was fine. I upgraded from Debian 9 to 10. I had a few issues, one was MariaDB did not like innodb settings (syntaxes removed). Fixed that issue and that works fine. Had some issues with Nextcloud (unrelated), but one issue I am still having is I cannot connect with STARTTLS to IMAP.

I am now getting the following error in mail log.

Dec 11 22:41:07 mail postfix/pipe[7604]: 47YJxv4RzSz8sb2: to=<mail>, orig_to=<www-data@hostname>, relay=dovecot, delay=4735, delays=4735/0.52/0/0.14, dsn=4.3.0, status=deferred (temporary failure)

What length is the key used in your certificate?
As of Debian 10 the minimum requirements for the length of the key is 2048 bits.

It's 2048. SMTP authenticates fine and can be reached using STARTTLS, but IMAP cannot.

15

Re: iRedMail-1.0 has been released.

wylel wrote:
mir wrote:
wylel wrote:

I updated to 1.0 and ran it, everything was fine. I upgraded from Debian 9 to 10. I had a few issues, one was MariaDB did not like innodb settings (syntaxes removed). Fixed that issue and that works fine. Had some issues with Nextcloud (unrelated), but one issue I am still having is I cannot connect with STARTTLS to IMAP.

I am now getting the following error in mail log.

Dec 11 22:41:07 mail postfix/pipe[7604]: 47YJxv4RzSz8sb2: to=<mail>, orig_to=<www-data@hostname>, relay=dovecot, delay=4735, delays=4735/0.52/0/0.14, dsn=4.3.0, status=deferred (temporary failure)

What length is the key used in your certificate?
As of Debian 10 the minimum requirements for the length of the key is 2048 bits.

It's 2048. SMTP authenticates fine and can be reached using STARTTLS, but IMAP cannot.

Sounds like a MUA problem. Any log from your mail client or Dovecot you would like to share?

16

Re: iRedMail-1.0 has been released.

wylel wrote:

Dec 11 22:41:07 mail postfix/pipe[7604]: 47YJxv4RzSz8sb2: to=<mail>, orig_to=<www-data@hostname>, relay=dovecot, delay=4735, delays=4735/0.52/0/0.14, dsn=4.3.0, status=deferred (temporary failure)

Any related error in Dovecot log file (/var/log/dovecot/*.log)?

17

Re: iRedMail-1.0 has been released.

Okay long post. With Dovecot 2.3, it changes some things (which ships with Debian).

I get this error:

Dec 12 19:27:45 mail dovecot: imap-login: Error: Failed to initialize SSL server context: Unknown ssl_min_protocol setting '!SSLv3': user=<>,

(commented out the session stuff and IP stuff). I had already changed ssl_protocols to ssl_min_protocol.

`ssl_protocols = !SSLv3` has been removed and should be replaced with `ssl_min_protocol = SSLv3` or, instead of SSLv3, replace it with `TLSv1.2`.

Now, I get the following error:

Dec 12 19:35:35 mail dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load DH parameters: error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small: user=<>,

The following article says to create a dh.pem file and add it to the config, but not sure what that might break? Can you confirm? https://www.rattis.net/2019/03/19/dovec … -problems/

Still the same problem, when I try to auth with Thunderbird, those are the errors I get above in imap.log. Thunderbird says: "The IMAP server does not support the selected authentication method."

18

Re: iRedMail-1.0 has been released.

The correct one is "ssl_min_protocol = TLSv1.2". If you have old MUA which doesn't support TLSv1.2, try to use TLSv1 instead.
You can find a DH parameter file in /etc/ssl/ on Debian, generated by iRedMail during installation.

19 (edited by wylel 2019-12-13 10:14:12)

Re: iRedMail-1.0 has been released.

Got it, fixed that with adding that file path to ssl_dh in the dovecot.conf.

Next error:

Dec 12 19:52:06 mail dovecot: imap(email): Error: Plugin 'imap_stats' not found from directory /usr/lib/dovecot/modules

Here's the ls of what's in /usr/lib/dovecot/modules

https://paste.debian.net/1120856/

20

Re: iRedMail-1.0 has been released.

wylel wrote:

Got it, fixed that with adding that file path to ssl_dh in the dovecot.conf.

Next error:

Dec 12 19:52:06 mail dovecot: imap(email): Error: Plugin 'imap_stats' not found from directory /usr/lib/dovecot/modules

Here's the ls of what's in /usr/lib/dovecot/modules

https://paste.debian.net/1120856/

I had to replace "stats" in the plugins section and imap_stats to old_stats and imap_old_stats respectively. This might not be the best way to do this, but it works now.

21

Re: iRedMail-1.0 has been released.

@wylel: You need this: https://docs.iredmail.org/upgrade.dovecot.2.2-2.3.html

22

Re: iRedMail-1.0 has been released.

ZhangHuangbin wrote:

@wylel: You need this: https://docs.iredmail.org/upgrade.dovecot.2.2-2.3.html

I had it working, I did those changes and did the SQL but on each first command I get this:

ERROR 1060 (42S21): Duplicate column name 'enablesievetls'

23

Re: iRedMail-1.0 has been released.

You upgraded iRedMail to 1.0, it has the updated SQL structures, so no need to add them again.

24 (edited by lauris.neimanis 2019-12-14 07:00:04)

Re: iRedMail-1.0 has been released.

Tried to upgrade from 9.9 to 1.0. Managed to get to the step where I upgraded iRedAPD to 3.3, but can't get a positive test on SRS (https://docs.iredmail.org/srs.html).

root@mx1:~# telnet localhost 7778
Trying ::1...
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
root@mx1:~# lsof -i -P -n | grep 7778
root@mx1:~#
root@mx1:~# cat /opt/iredapd/settings.py
############################################################
# DO NOT MODIFY THIS LINE, IT'S USED TO IMPORT DEFAULT SETTINGS.
from libs.default_settings import *
############################################################

# Listen address and port.
listen_address = "127.0.0.1"
listen_port = "7777"

# Run as a low privileged user.
run_as_user = "iredapd"

# Path to pid file.
pid_file = '/var/run/iredapd.pid'

# Path to log file.
# Set 'log_file = /dev/null' if you don't want to keep the log.
log_file = "/var/log/iredapd/iredapd.log"

# Log level: info, debug.
log_level = "info"

# Backend: ldap, mysql, pgsql.
backend = "mysql"

# Enabled plugins.
plugins = ["reject_null_sender", "wblist_rdns", "reject_sender_login_mismatch", "greylisting", "throttle", "amavisd_wblist", "sql_alias_access_policy"]

# For LDAP backend.
#
# LDAP server setting.
# Uri must starts with ldap:// or ldaps:// (TLS/SSL).
#
# Tip: You can get binddn, bindpw from /etc/postfix/ldap/*.cf.
#
ldap_uri = 'ldap://127.0.0.1:389'
ldap_basedn = 'o=domains,dc=iredmail,dc=org'
ldap_binddn = 'cn=vmail,dc=iredmail,dc=org'
ldap_bindpw = 'password'

# For SQL (MySQL/MariaDB/PostgreSQL) backends, used to query mail accounts.
vmail_db_server = "127.0.0.1"
vmail_db_port = "3306"
vmail_db_name = "vmail"
vmail_db_user = "vmail"
vmail_db_password = "some password"

# For Amavisd policy lookup and white/blacklists.
amavisd_db_server = "127.0.0.1"
amavisd_db_port = "3306"
amavisd_db_name = "amavisd"
amavisd_db_user = "amavisd"
amavisd_db_password = "some password"

# iRedAPD database, used for greylisting, throttle.
iredapd_db_server = "127.0.0.1"
iredapd_db_port = "3306"
iredapd_db_name = "iredapd"
iredapd_db_user = "iredapd"
iredapd_db_password = "some password"

MYNETWORKS = ['192.168.4.0/24', '192.168.3.0/24', '192.168.5.0/24']

LOCAL_TIMEZONE = 'GMT+02:00'
srs_forward_port = '7778'
srs_reverse_port = '7779'
srs_domain = 'mx1.example.com'
srs_secrets = []

25 (edited by mir 2019-12-14 18:11:58)

Re: iRedMail-1.0 has been released.

Just did the last step in the process of upgrading from Debian 9 to Debian 10 as well as upgrading to iRedMail 1.0. Everything went smoothly except for one missing piece of information in the process of adapting the configuration from dovecot-2.2 to dovecot-2.3, which prevented dovecot from starting. The problem was to add this to the dovecot.conf file: ssl_dh = </etc/ssl/dh2048_param.pem

The file does not exist so to be able to have dovecot running again the following command needs to be run as user root: openssl dhparam 2048 > /etc/ssl/dh2048_param.pem

System: Debian 9 to Debian 10
Backend: Openldap
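
Added example, not part of any post in this thread and not iRedMail project code: a small Python pre-flight check for the Dovecot 2.2 to 2.3 config problems reported above (the removed ssl_protocols setting, a '!SSLv3' value left in ssl_min_protocol, the missing ssl_dh file, and the stats/imap_stats plugins that were replaced with old_stats/imap_old_stats in post 20). The function names and the sample config are constructed for illustration.

```python
import os
import re

# Constructed sample: a Dovecot 2.2-style config as left behind by an OS upgrade.
SAMPLE_CONF = """\
# constructed example, not a real server config
ssl = required
ssl_protocols = !SSLv3
mail_plugins = quota mailbox_alias acl stats
protocol imap {
    mail_plugins = $mail_plugins imap_quota imap_acl imap_stats
}
"""

def parse_settings(text):
    """Yield (lineno, key, value) for each 'key = value' line, skipping comments."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z0-9_]+)\s*=\s*(.*)$", line)
        if m:
            yield n, m.group(1), m.group(2).strip()

def check_dovecot23(text, exists=os.path.exists):
    """Return [(lineno, message)]; lineno 0 means a setting is absent."""
    findings, seen_dh = [], False
    for n, key, value in parse_settings(text):
        if key == "ssl_protocols":
            findings.append((n, "ssl_protocols is gone in 2.3; use ssl_min_protocol = TLSv1.2"))
        elif key == "ssl_min_protocol" and ("!" in value or " " in value):
            findings.append((n, "ssl_min_protocol takes one protocol name, not '%s'" % value))
        elif key == "ssl_dh":
            seen_dh = True
            if not value.startswith("<"):
                findings.append((n, "ssl_dh must read a file: ssl_dh = </path/to/dh.pem"))
            elif not exists(value[1:].strip()):
                findings.append((n, "ssl_dh file missing: " + value[1:].strip()))
        elif key == "mail_plugins":
            for old in ("stats", "imap_stats"):
                if old in value.split():
                    new = old.replace("stats", "old_stats")
                    findings.append((n, "plugin '%s' not found in 2.3; thread used '%s'" % (old, new)))
    if not seen_dh:
        findings.append((0, "ssl_dh not set (post 25: ssl_dh = </etc/ssl/dh2048_param.pem)"))
    return findings

if __name__ == "__main__":
    for lineno, msg in check_dovecot23(SAMPLE_CONF):
        print("line %d: %s" % (lineno, msg))
```

Run it against the text of dovecot.conf before restarting Dovecot after the OS upgrade; an empty result means none of the issues from this thread were detected.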