iRedMail
// Document IndexAttention
Check out the lightweight on-premises email archiving software developed by iRedMail team: Spider Email Archiver.
Paid Remote Upgrade Support
We offer remote upgrade support if you don't want to get your hands dirty, check the details and contact us.
@lookup_sql_dsn is disabled in Amavisd, you
can use SQL username/password defined in @storage_sql_dsn
instead.policy.policy_name to VARCHAR(255).msgs.spam_level in amavisd database.policy.policy_name in amavisd database.vmail database: mailbox.enableindexer-worker.iRedMail stores the release version in /etc/iredmail-release after
installation, it's recommended to update this file after you upgraded iRedMail,
so that you can know which version of iRedMail you're running. For example:
# File: /etc/iredmail-release
0.9.0
Please follow Roundcube official tutorial to upgrade Roundcube webmail to the latest stable release immediately: How to upgrade Roundcube.
Please follow below tutorial to upgrade iRedAPD to the latest stable release: Upgrade iRedAPD to the latest stable release
Important Notes
amavisd_wblist.reject_null_sender (as first
plugin listed in iRedAPD parameter plugins =) to prevent spam.iRedAPD-1.4.4 fixes several issues and brings some new features:
iRedAPD now works with Postfix parameter smtpd_end_of_data_restrictions
(smtp protocol state END-OF-MESSAGE).
New plugins:
reject_null_sender: prevent authenticated user to send spam as null
sender (from=<> in Postfix log file).
amavisd_wblist: it uses per-recipient white/blacklists stored in
Amavisd SQL database to reject emails sent from blacklisted senders and
bypass whitelisted senders.
White/blacklist could be global (server-wide) setting, per-domain setting, or per-user setting. Priority: per-user > per-domain > global.
amavisd_message_size_limit: limit size of single incoming mail.
Message size limit could be global (server-wide) setting, per-domain setting, or per-user setting. Priority: per-user > per-domain > global.
Plugin reject_sender_login_mismatch now will allow user to send as their
own alias addresses by default. You can still set
ALLOWED_LOGIN_MISMATCH_STRICTLY = False in iRedAPD config file
(/opt/iredapd/settings.py) to allow user to send as any sender if you want.
It's recommended to enable this plugin right after plugin reject_null_sender.
Suggested order of above 3 plugins are (if you enabled them):
plugins = ['reject_null_sender', 'reject_sender_login_mismatch', 'amavisd_wblist', ...]
Important Notes
If you want to manage white/blacklists with the latest iRedAdmin-Pro, you
have to enable plugin amavisd_wblist.
Plugin amavisd_wblist and amavisd_message_size_limit requires additional
database related settings in iRedAPD config file, please set correct values
for them. You can find SQL database settings in Amavisd config file,
in parameter @lookup_sql_dsn =, if @lookup_sql_dsn is disabled, you can
find them in @storage_sql_dsn =.
amavisd_db_server = '127.0.0.1'
amavisd_db_port = 3306
amavisd_db_name = 'amavisd'
amavisd_db_user = 'amavisd'
amavisd_db_password = 'password'
Please follow this tutorial to upgrade iRedAdmin open source edition to the latest stable release: Upgrade iRedAdmin to the latest stable release
I believe you already heard about the POODLE issue of SSL protocol v3.
POODLE stands for Padding Oracle On Downgraded Legacy Encryption. This
vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using
a padding oracle side-channel attack. More details are available in the
upstream OpenSSL advisory: Vulnerability Summary for CVE-2014-3566.
The safest short-term response is to disable SSLv3 support.
Please add or update SSLProtocol setting in Apache config file like below:
/etc/httpd/conf.d/ssl.conf./etc/apache2/apache2.conf./usr/local/etc/apache2[X]/httpd.conf. Please replace
apache2[X] by the real Apache version number here.SSLProtocol ALL -SSLv2 -SSLv3
Restarting Apache service is required.
Please execute commands below to disable SSLv3 in Postfix:
postconf -e smtpd_tls_protocols='!SSLv2 !SSLv3'
postconf -e smtp_tls_protocols='!SSLv2 !SSLv3'
postconf -e lmtp_tls_protocols='!SSLv2 !SSLv3'
postconf -e smtpd_tls_mandatory_protocols='!SSLv2 !SSLv3'
postconf -e smtp_tls_mandatory_protocols='!SSLv2 !SSLv3'
postconf -e lmtp_tls_mandatory_protocols='!SSLv2 !SSLv3'
Restarting Postfix service is required.
Please add below setting in Dovecot main config file /etc/dovecot/dovecot.conf
(on Linux/OpenBSD) or /usr/local/etc/dovecot/dovecot.conf (on FreeBSD).
ssl_protocols = !SSLv2 !SSLv3
Restarting Dovecot service is required.
NOTE: This step is wrong, please do not apply it. If you already applied it, please revert your changes.
if you send email to user user@domain.com and mail list/alias list@domain.com,
and user@ is member of list@, then user@ will receive duplicate email.
Currently, we don't have Postfix parameter receive_override_options= set in
/etc/postfix/main.cf, instead, we have it in transport 127.0.0.1:10025
(Amavisd) like this:
# Part of file: /etc/postfix/master.cf
127.0.0.1:10025 inet n - - - - smtpd
...
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings
Without receive_override_options=no_address_mappings in main.cf:
Postfix will enable canonical address mapping, virtual alias map expansion,
address masquerading, and automatic BCC (blind carbon-copy) recipients
BEFORE injecting emails to content filter (Amavisd, in our case). For
example, if you forward email to 3 email addresses, Postfix will expand the
original recipient to 3 recipients, then Amavisd will get 3 emails for
scanning. But with receive_override_options=no_address_mappings, Postfix
won't expand original recipient to 3 addresses, and Amavisd gets only 1 email
for scanning. It slightly improves mail server performance.
If a blacklisted sender (stored in Amavisd SQL database, not in Policyd/Cluebringer) sends email to user who forwards email to other addresses, Amavisd will quarantine the one sent to original recipient, but bypass emails sent to forwarded addresses.
Please apply below steps to fix above issues:
receive_override_options in Postfix with below shell command:# postconf -e receive_override_options='no_address_mappings'
/etc/postfix/master.cf (On Linux/OpenBSD) or
/usr/local/etc/postfix/master.cf (on FreeBSD), find setting for transport
127.0.0.1:10025, remove no_address_mappings for its
receive_override_options option:# Part of file: /etc/postfix/master.cf
# ORIGINAL setting
# -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings
# MODIFIED setting
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
Note
If you want to disable content_filter= in Postfix, please
comment out receive_override_options= in Postfix config file main.cf too,
otherwise canonical address mapping, virtual alias map expansion, address
masquerading, and automatic BCC (blind carbon-copy) recipients will not work.
NOTE: This step is applicable to only Red Hat/CentOS 6.
Amavisd config file /etc/amavisd/amavisd.conf must be owned by group amavis,
otherwise after you upgraded to Red Hat/CentOS 7, Amavisd service cannot start.
# chgrp amavis /etc/amavisd/amavisd.conf
NOTE: This step is applicable to only Debian and Ubuntu.
Please update file /etc/default/spamassassin to set CRON=1, so that
SpamAssassin daily cron job will update SpamAssassin rules automatically.
# Part of file: /etc/default/spamassassin
CRON=1
Note: this is an optional step.
Please follow our separate tutorial here.
NOTE: This step is wrong, please do not apply it. If you already applied it, please revert your changes.
Please open file /etc/postfix/ldap/transport_maps_domain.cf (on Linux/OpenBSD)
or /usr/local/etc/postfix/ldap/transport_maps_domain.cf (on FreeBSD), add
additional LDAP filter (!(domainBackupMX=yes)) in query = parameter:
# Part of file: /etc/postfix/ldap/transport_maps_domain.cf
# OLD setting
#query_filter = (&(objectClass=mailDomain)(accountStatus=active)(enabledService=mail)(|(domainName=%s)(domainAliasName=%s)))
# NEW setting
query_filter = (&(objectClass=mailDomain)(accountStatus=active)(enabledService=mail)(|(domainName=%s)(domainAliasName=%s))(!(domainBackupMX=yes)))
Restarting Postfix service is required.
We will add new LDAP attribute/value pair for existing mail users:
enabledService=indexer-worker. It's used by Dovecot.
# cd /root/
# wget https://github.com/iredmail/iRedMail/raw/1.0/update/ldap/updateLDAPValues_087_to_090.py
updateLDAPValues_087_to_090.py, set LDAP server related
settings in this file. For example:# Part of file: updateLDAPValues_087_to_090.py
uri = 'ldap://127.0.0.1:389'
basedn = 'o=domains,dc=example,dc=com'
bind_dn = 'cn=vmailadmin,dc=example,dc=com'
bind_pw = 'passwd'
You can find required LDAP credential in iRedAdmin config file or iRedMail.tips
file under your iRedMail installation directory. Using either
cn=Manager,dc=xx,dc=xx or cn=vmailadmin,dc=xx,dc=xx as bind dn is ok.
# python updateLDAPValues_087_to_090.py
That's all.
amavisd databaseWe need indexes for some SQL columns in amavisd database:
policy.policy_name, msgs.spam_level. Both are used by iRedAdmin-Pro.
Now connect to SQL server as MySQL root user, create new columns, add required INDEX:
$ mysql -uroot -p
mysql> USE amavisd;
mysql> ALTER TABLE policy MODIFY COLUMN policy_name VARCHAR(255) NOT NULL DEFAULT '';
mysql> CREATE UNIQUE INDEX policy_idx_policy_name ON policy (policy_name);
mysql> CREATE INDEX msgs_idx_spam_level ON msgs (spam_level);
NOTE: This step is wrong, please do not apply it. If you already applied it, please revert your changes.
Please open file /etc/postfix/mysql/transport_maps_domain.cf (on Linux/OpenBSD)
or /usr/local/etc/postfix/mysql/transport_maps_domain.cf (on FreeBSD), add
additional SQL statement AND backupmx=0 in query = parameter:
# Part of file: /etc/postfix/mysql/transport_maps_domain.cf
# OLD setting
#query = SELECT transport FROM domain WHERE domain='%s' AND active=1
# NEW setting
query = SELECT transport FROM domain WHERE domain='%s' AND active=1 AND backupmx=0
Restarting Postfix service is required.
vmail and amavisd databasesWe need new SQL columns in vmail database: mailbox.enableindexer-worker,
it's used by Dovecot.
We need new indexes for some 2 columns in amavisd database:
policy.policy_name, msgs.spam_level. Both are used by iRedAdmin-Pro.
Now connect to SQL server as MySQL root user, create new columns, add required indexes:
$ mysql -uroot -p
mysql> USE vmail;
mysql> ALTER TABLE mailbox ADD COLUMN `enableindexer-worker` TINYINT(1) NOT NULL DEFAULT 1;
mysql> ALTER TABLE mailbox ADD INDEX (`enableindexer-worker`);
mysql> USE amavisd;
mysql> ALTER TABLE policy MODIFY COLUMN policy_name VARCHAR(255) NOT NULL DEFAULT '';
mysql> CREATE UNIQUE INDEX policy_idx_policy_name ON policy (policy_name);
mysql> CREATE INDEX msgs_idx_spam_level ON msgs (spam_level);
NOTE: This step is wrong, please do not apply it. If you already applied it, please revert your changes.
Please open file /etc/postfix/pgsql/transport_maps_domain.cf (on Linux/OpenBSD)
or /usr/local/etc/postfix/pgsql/transport_maps_domain.cf (on FreeBSD), add
additional SQL statement AND backupmx=0 in query = parameter:
# Part of file: /etc/postfix/pgsql/transport_maps_domain.cf
# OLD setting
#query = SELECT transport FROM domain WHERE domain='%s' AND active=1
# NEW setting
query = SELECT transport FROM domain WHERE domain='%s' AND active=1 AND backupmx=0
Restarting Postfix service is required.
vmail and amavisd databasesWe need new SQL columns in vmail database: mailbox.enableindexer-worker,
it's used by Dovecot.
We need new indexes for some 2 columns in amavisd database:
policy.policy_name, msgs.spam_level. Both are used by iRedAdmin-Pro.
Now connect to SQL server as PostgreSQL admin user, create new columns, add required indexes:
# su - postgres
$ psql -d vmail
sql> ALTER TABLE mailbox ADD COLUMN "enableindexer-worker" INT2 NOT NULL DEFAULT 1;
sql> CREATE INDEX idx_mailbox_enableindexer_worker ON mailbox ("enableindexer-worker");
sql> \c amavisd;
sql> ALTER TABLE policy ALTER COLUMN policy_name TYPE varchar(255);
sql> CREATE UNIQUE INDEX policy_idx_policy_name ON policy (policy_name);
sql> CREATE INDEX msgs_idx_spam_level ON msgs (spam_level);