1

Topic: iRedMail-0.9.0-rc2 has been released

Dear all,

iRedMail-0.9.0-rc2 has been released. We need your help to test it before tagging it as a stable release.

* Download it directly with this link: https://bitbucket.org/zhb/iredmail/down … c3.tar.bz2
* IMPORTANT NOTE: it's not recommended for production use, and we don't provide an upgrade tutorial for beta/rc releases.

This release candidate supports 2 new distribution releases, and provides better RHEL/CentOS 7 support.
The most important improvement is that iRedMail now integrates SOGo Groupware, which works on RHEL/CentOS 6, Debian 7, Ubuntu 12.04 and 14.04.

Below are the full changes since iRedMail-0.9.0-rc1:

SOGo Groupware integration

SOGo is a groupware server with a focus on scalability and open standards. SOGo is released under the GNU GPL/LGPL v2 and above.

SOGo provides a rich AJAX-based Web interface and supports multiple native clients through the use of standard protocols such as CalDAV, CardDAV and GroupDAV, as well as Microsoft ActiveSync.

o SOGo Groupware is now available on below Linux distributions and releases:

    - RHEL/CentOS 6. SOGo project doesn't provide RPMs for CentOS 7 yet.
    - Debian 7.
    - Ubuntu 12.04 and 14.04. No official packages for 14.10 yet.
    - OpenBSD 5.6.

o If you choose to install both Roundcube webmail and SOGo, Managesieve
  service is disabled in SOGo by default, because sieve rules generated
  by SOGo are not compatible with Roundcube webmail. But if you don't
  install Roundcube, managesieve will be enabled in SOGo by default, plus
  vacation and forwarding support.

o User cannot change password with LDAP/PGSQL backend.

Supported new distribution releases:
  • Ubuntu 14.10 (utopic).

  • OpenBSD 5.6. Note: Only Nginx is used as web server, the new built-in httpd daemon (not Apache-1.3) is not used. OpenBSD 5.5 is not supported anymore.

Improvements:
  • Use SSHA512 as default password hash for all backends on Linux, and BCRYPT on FreeBSD and OpenBSD. Both Roundcube password plugin and iRedAdmin support them. Important notes:

    • if you want to login to Awstats/Cluebringer, you have to reset admin password to MD5 since Apache sql/ldap auth doesn't support SSHA512/BCRYPT. Maybe we should retire Awstats/Cluebringer webui in iRedMail-1.0. Let me know your opinion please.

    • If you're integrating some third-party applications which don't support SSHA512/BCRYPT, you have to reset existing passwords to the one it supported (e.g. SSHA, MD5).

  • Enable global sieve script in Dovecot to move spam to Junk folder by default.

  • Disable SSLv3 in Postfix, Dovecot, Apache, Nginx.

  • Add new index for SQL column 'msgs.spam_level' in 'amavisd' database.

Fixed issues
  • Not detect domain backupmx status while querying Postfix per-domain transport.

Removed packages

The packages below are removed from iRedMail because of security concerns and their own package dependencies:

  • phpMyAdmin

  • phpPgAdmin

  • phpLDAPadmin

If you need a sql management tool, please try http://adminer.org/ (web-based, a single PHP file) or other desktop applications instead.

For local LDAP management, you can try ldapvi (http://www.lichteblau.com/ldapvi/) in terminal. For remote LDAP management, you can try http://www.ldapadmin.org/ on Windows PC, or Apache Directory Studio on Windows/Linux/BSD/Mac: http://directory.apache.org/studio/ (Java application).

New iRedAPD release has some improvements too:
  • Detect alias domains while check mail list access policy (plugins/sql_alias_access_policy.py)

  • New plugin: plugins/amavisd_wblist.py. Used to reject blacklisted senders and bypass whitelisted senders in Amavisd per-recipient white/blacklists stored in SQL table 'amavisd.wblist'.

  • New plugin: plugins/amavisd_reject_message_size_limit.py, works with Postfix 'smtpd_end_of_data_restrictions'. Used to reject email if current message size exceeds per-recipient message_size_limit stored in Amavisd database (column `policy.message_size_limit`).

New iRedAdmin release (open source edition) has some improvements too:
    * Improvements:
        + Able to generate 'CRAM-MD5' password hash with command `doveadm pw`.
        + Able to generate bcrypt password hash with Python module 'bcrypt' or
          'py-bcrypt'.
          NOTE: It works on BSD systems, but not Linux. Since libc shipped in
                most Linux distributions doesn't support bcrypt, Dovecot cannot
                verify bcrypt hash on Linux.

    * New tool scripts:
        - tools/upgrade_iredadmin.py.
          Used to upgrade iRedAdmin from old release. Works with both
          iRedAdmin open source edition and iRedAdmin-Pro.

        - tools/cleanup_amavisd_db.py.
          Used to clean up old records from Amavisd database. It's safe to
          execute it manually.

        - tools/sync_cluebringer_internal_domains.py.
          Sync mail domain names from SQL/LDAP to cluebringer policy group
          '%internal_domains'.
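
The layout of the salted hashes named in the announcement, as an added example (not iRedMail or iRedAdmin code): it assumes the Dovecot-style `{SCHEME}base64(digest + salt)` encoding and lists the accounts a third-party application limited to SSHA could not verify. Function names and sample accounts are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

# Salted schemes: hash name and digest size; the bytes after the digest are the salt.
SCHEMES = {"SSHA": ("sha1", 20), "SSHA512": ("sha512", 64)}

def make_hash(password, scheme="SSHA512", salt=None):
    """Build '{SCHEME}base64(digest(password + salt) + salt)'."""
    algo, _ = SCHEMES[scheme]
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.new(algo, password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())

def split_scheme(stored):
    """Return (scheme, payload); values without a {SCHEME} prefix give scheme None."""
    if stored.startswith("{") and "}" in stored:
        scheme, payload = stored[1:].split("}", 1)
        return scheme.upper(), payload
    return None, stored

def verify(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    scheme, payload = split_scheme(stored)
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme: %r" % scheme)
    algo, size = SCHEMES[scheme]
    raw = base64.b64decode(payload)
    expected = hashlib.new(algo, password.encode() + raw[size:]).digest()
    return hmac.compare_digest(raw[:size], expected)

def accounts_needing_reset(accounts, supported):
    """Accounts whose stored scheme the integrating application cannot verify."""
    return sorted(user for user, stored in accounts.items()
                  if split_scheme(stored)[0] not in supported)

# Constructed sample data, not real accounts or real hashes.
SAMPLE_ACCOUNTS = {
    "alice@example.com": make_hash("constructed-pw-1", "SSHA512"),
    "bob@example.com": make_hash("constructed-pw-2", "SSHA"),
}

if __name__ == "__main__":
    print(accounts_needing_reset(SAMPLE_ACCOUNTS, {"SSHA"}))
```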

2

Re: iRedMail-0.9.0-rc2 has been released

ZhangHuangbin wrote:

For local LDAP management, you can try ldapvi (http://www.lichteblau.com/ldapvi/) in terminal. For remote LDAP management, you can try http://www.ldapadmin.org/ on Windows PC, or Apache Directory Studio on Windows/Linux/BSD/Mac: http://directory.apache.org/studio/ (Java application).

Another open source LDAP management tool I can recommend is jxplorer (http://jxplorer.org/)

3

Re: iRedMail-0.9.0-rc2 has been released

Hi,

I broke lots of applications (many haven't yet been upgraded; while they are great, they are on the upgrade list but aren't ready yet). Could you quickly tell how to reset all the passwords and how to set it back to how it was in previous releases?

thanks,

4

Re: iRedMail-0.9.0-rc2 has been released

riverco wrote:

could you quickly tell how to reset all the passwords and how to set it back to how it was in previous releases ?

Please create a new forum topic for your issues.

To reset passwords, you can update SQL/LDAP directly.

----

Does my reply help a little? How about buying me a cup of coffee ($5) as an encouragement?

buy me a cup of coffee

5

Re: iRedMail-0.9.0-rc2 has been released

Hi Zhang,

Minor bug: the backup script in 0.9.0-rc2 - /var/vmail/backup/backup_mysql.sh
still mentions the same tables multiple times.

And the cron jobs are installed with insecure permissions:
**Unmatched Entries**
INSECURE MODE (mode 0600 expected) (crontabs/root)
INSECURE MODE (mode 0600 expected) (crontabs/amavis)
INSECURE MODE (mode 0600 expected) (crontabs/root)
INSECURE MODE (mode 0600 expected) (crontabs/amavis)

I have fixed these manually.

Best regards,
Henrik

6

Re: iRedMail-0.9.0-rc2 has been released

Hi Henrik,

Fixed a moment ago, thanks for your feedback.
https://bitbucket.org/zhb/iredmail/comm … 3f0a4f54b5


7 (edited by henriknoerr 2014-11-25 20:51:37)

Re: iRedMail-0.9.0-rc2 has been released

ZhangHuangbin wrote:

Hi Henrik,

Fixed a moment ago, thanks for your feedback.
https://bitbucket.org/zhb/iredmail/comm … 3f0a4f54b5

No problem - It is me appreciating your work

One thing I noticed is that Roundcube is installed with root:root permissions (/usr/share/apache2/roundcubemail).
Wouldn't it be cleaner to give the directories www-data rights?
I have manually changed the rights to the nginx user:

sudo chown -R www-data:www-data /usr/share/apache2/roundcubemail-1.0.3
find /usr/share/apache2/roundcubemail-1.0.3 -type d -exec chmod 750 {} \;
find /usr/share/apache2/roundcubemail-1.0.3 -type f -exec chmod 640 {} \;

/Henrik

8

Re: iRedMail-0.9.0-rc2 has been released

henriknoerr wrote:

Wouldn't it be cleaner to give the directories www-data rights?

It's not necessary.

Directories "temp/" and "logs/" under Roundcube are owned by www-data, so that it can log in "logs/*" or store user-uploaded temporary files. We already have proper file permissions on the required directories, so main Roundcube files owned by root is not a bad idea.

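
The trade-off discussed in the two posts above, as an added example that is not part of the thread or of iRedMail: it lists the paths a web server account could modify outside `temp/` and `logs/`. The tree is constructed sample data and the function names are hypothetical; because `chown` needs root, the file owner stands in for root in the first case and for the web user in the second.

```python
import os
import stat
import tempfile

def can_write(st, uid, gids):
    """True if the mode bits let uid/gids write (root override and ACLs are ignored)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def unexpected_writable(root, uid, gids=(), allowed=("temp", "logs")):
    """Paths under root that uid can modify, outside the allowed top-level directories."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath == root:
            dirnames[:] = [d for d in dirnames if d not in allowed]
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if not stat.S_ISLNK(st.st_mode) and can_write(st, uid, gids):
                findings.append(os.path.relpath(path, root))
    return sorted(findings)

def build_sample_tree(base, dir_mode, file_mode):
    """Constructed stand-in for a Roundcube directory; all names are sample data."""
    for rel in ("config", "program", "temp", "logs"):
        os.makedirs(os.path.join(base, rel))
    for rel in ("index.php", "config/config.inc.php", "program/include.php"):
        with open(os.path.join(base, rel), "w") as fh:
            fh.write("<?php // constructed sample\n")
    for dirpath, _, filenames in os.walk(base):
        os.chmod(dirpath, dir_mode)
        for name in filenames:
            os.chmod(os.path.join(dirpath, name), file_mode)

def demo():
    owner = os.getuid()
    with tempfile.TemporaryDirectory() as base:
        shipped_dir, chowned_dir = os.path.join(base, "a"), os.path.join(base, "b")
        build_sample_tree(shipped_dir, 0o755, 0o644)
        build_sample_tree(chowned_dir, 0o750, 0o640)
        # Web user differs from the owner: application code is read-only to it.
        shipped = unexpected_writable(shipped_dir, uid=owner + 1)
        # After a recursive chown with 750/640 the web user is the owner.
        chowned = unexpected_writable(chowned_dir, uid=owner)
        return shipped, chowned

if __name__ == "__main__":
    print(demo())
```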

9

Re: iRedMail-0.9.0-rc2 has been released

Can you confirm whether the patch "How to add a custom service in iRedAdmin-Pro" which you described in "http://www.iredmail.org/forum/topic6939 … inpro.html" is within the new 0.9.0 release?

10

Re: iRedMail-0.9.0-rc2 has been released

Hi,

SOGo does not support SSHA512. To be able to connect, I needed to change the password to SSHA.

Rgds

11

Re: iRedMail-0.9.0-rc2 has been released

Merijn wrote:

Can you confirm whether the patch "How to add a custom service in iRedAdmin-Pro" which you described in "http://www.iredmail.org/forum/topic6939 … inpro.html" is within the new 0.9.0 release?

It will be available in next release of iRedAdmin-Pro-LDAP.


12

Re: iRedMail-0.9.0-rc2 has been released

saidmsl wrote:

SOGo does not support SSHA512. To be able to connect, I needed to change the password to SSHA.

It will be switched back to SSHA with LDAP backend in final release (iRedMail-0.9.0). (fixed in development version days ago.)


13

Re: iRedMail-0.9.0-rc2 has been released

May I know where I can download it?
This link: https://bitbucket.org/zhb/iredmail/down … c2.tar.bz2  can't be downloaded now.

14

Re: iRedMail-0.9.0-rc2 has been released

bruce wrote:

May I know where I can download it?
This link: https://bitbucket.org/zhb/iredmail/down … c2.tar.bz2  can't be downloaded now.

That's because current version is RC3 already, which is available at https://bitbucket.org/zhb/iredmail/down … c3.tar.bz2

15

Re: iRedMail-0.9.0-rc2 has been released

Thank you for your nice and soon reply.

mbiki wrote:
bruce wrote:

May I know where I can download it?
This link: https://bitbucket.org/zhb/iredmail/down … c2.tar.bz2  can't be downloaded now.

That's because current version is RC3 already, which is available at https://bitbucket.org/zhb/iredmail/down … c3.tar.bz2

16

Re: iRedMail-0.9.0-rc2 has been released

Hi,
Glad the newest RC3 has been made available for download. Thanks for the effort.

My setup: iRedMail-0.9.0-rc3 on a new clean basic server, CentOS 6.6 X86_64, iptables and selinux disabled

May I know what's gone wrong? It shows the following error on my box:
[root@mail iRedMail-0.9.0-rc3]# bash iRedMail.sh
< SKIP > Function: check_new_iredmail.
< SKIP > Function: create_repo_rhel.
< SKIP > Function: fetch_misc.
< SKIP > Function: check_md5.
< INFO > Install package: dialog
< INFO > Installing package(s): dialog
Loaded plugins: fastestmirror, security
Setting up Install Process
Loading mirror speeds from cached hostfile
Error: Cannot retrieve metalink for repository: epel. Please verify its path and try again
< ERROR > Installation failed, please check the terminal output.
< ERROR > If you're not sure what the problem is, try to get help in iRedMail
< ERROR > forum: http://www.iredmail.org/forum/
[root@mail iRedMail-0.9.0-rc3]#

Thanks.

17

Re: iRedMail-0.9.0-rc2 has been released

myzyzy wrote:

Error: Cannot retrieve metalink for repository: epel. Please verify its path and try again

Looks like a network issue, you cannot access EPEL mirror site defined in /etc/yum.repos.d/epel.repo.
You can try to perform some actions with yum to verify it. For example:

# yum repolist
# yum search 'amavisd-new'
# yum provides 'amavisd-new'


18

Re: iRedMail-0.9.0-rc2 has been released

Yes, it is a network issue (behind some sort of corporate firewall, must be one of it).
My workaround on this one was to use http instead of https:// in the mirrorlist path URL at the [epel] section in the epel.repo file.
Now all is installed fine (ldap in my case).

Thank you.

19 (edited by myzyzy 2014-12-09 09:09:39)

Re: iRedMail-0.9.0-rc2 has been released

My setup: iRedMail-0.9.0-rc3 on a new clean basic server, CentOS 6.6 X86_64, ldap, iptables and selinux disabled

Another question,
how would I disable the installed Roundcube in order for managesieve to be enabled in SOGo (now Roundcube+SOGo), and vice versa?

Regards,

20

Re: iRedMail-0.9.0-rc2 has been released

myzyzy wrote:

how would I disable the installed Roundcube in order for managesieve to be enabled in SOGo (now Roundcube+SOGo), and vice versa?

Disable Roundcube in Apache/Nginx, so that no one can access it. Then enable sieve support in SOGo (/etc/sogo/sogo.conf).

Just a reminder, as already mentioned in iRedMail-0.9.0-rc2 release notes:

o If you choose to install both Roundcube webmail and SOGo, Managesieve
  service is disabled in SOGo by default, because sieve rules generated
  by SOGo are not compatible with Roundcube webmail. But if you don't
  install Roundcube, managesieve will be enabled in SOGo by default, plus
  vacation and forwarding support.


21

Re: iRedMail-0.9.0-rc2 has been released

Hello,
First, thank you for iRedMail, it's awesome.

Setup Fresh Install of iRedMail-0.9.0-rc3 CentOS 6.6 X86_64 selinux disable 
Install SOGo, do not install Roundcube
Install Nginx do not install Apache
Sieve was still disabled and I had to enable it manually by adding a few lines to the sogo.conf

SOGoSieveServer = sieve://127.0.0.1:4190;
SOGoSieveScriptsEnabled = YES;
SOGoVacationEnabled = YES;
SOGoForwardEnabled = YES;

Cannot access /awstats/ and /cluebringer/ sites; the /etc/nginx/conf.d/default.conf does not seem to include the server locations for these web applications.

Thank You For all your hard work

22

Re: iRedMail-0.9.0-rc2 has been released

mikeytown wrote:

Sieve was still disabled and I had to enable it manually by adding a few lines to the sogo.conf
SOGoSieveServer = sieve://127.0.0.1:4190;
SOGoSieveScriptsEnabled = YES;
SOGoVacationEnabled = YES;
SOGoForwardEnabled = YES;

Will try to reproduce this issue and come back to you later.

mikeytown wrote:

Cannot access /awstats/ and /cluebringer/ sites; the /etc/nginx/conf.d/default.conf does not seem to include the server locations for these web applications.

Nginx doesn't have official/built-in modules for SQL/LDAP authentication, so it cannot authenticate users with virtual mail accounts in Awstats/Cluebringer webui.


23

Re: iRedMail-0.9.0-rc2 has been released

mikeytown wrote:

Install SOGo, do not install Roundcube
Sieve was still disabled and I had to enable it manually by adding a few lines to the sogo.conf

Confirmed it's a bug in the latest development version of iRedMail, fixed a moment ago. Commit log:
https://bitbucket.org/zhb/iredmail/comm … 2eb93b7feb


24

Re: iRedMail-0.9.0-rc2 has been released

Some errors are being sent by root to sogo@domain.com

To resolve I added an entry in etc/postfix/aliases
sogo: root

25

Re: iRedMail-0.9.0-rc2 has been released

mikeytown wrote:

Some errors are being sent by root to sogo@domain.com

To resolve I added an entry in etc/postfix/aliases
sogo: root

The below errors are being sent from Cron Daemon
Cron <sogo@mail> /usr/sbin/sogo-tool expire-sessions 30
2014-12-16 15:52:27.899 sogo-tool[4639] Failed to lock user defaults database even after breaking old locks!
2014-12-16 15:52:27.929 sogo-tool[4639] Warning ... someone broke our lock (/var/lib/sogo/GNUstep/Defaults/.GNUstepDefaults.lck) ... and may have interfered with updating defaults data in file.

Cron <sogo@mail> /usr/sbin/sogo-ealarms-notify
2014-12-16 15:52:27.894 sogo-ealarms-notify[4634] Failed to lock user defaults database even after breaking old locks!
2014-12-16 15:52:27.943 sogo-ealarms-notify[4634] Warning ... someone broke our lock (/var/lib/sogo/GNUstep/Defaults/.GNUstepDefaults.lck) ... and may have interfered with updating defaults data in file.