Dear all,

Roundcube team has released new versions of Roundcube 1.1 and 1.2
branches to address a security vulnerability, please upgrade it on your
iRedMail server(s) as soon as possible.

*) Original announcement published by Roundcube team:
http://lists.roundcube.net/pipermail/us … 11450.html

*) You can find upgrade tutorial here:
https://github.com/roundcube/roundcubemail/wiki/Upgrade

Note: according to Roundcube document[1], Roundcube 1.2 branch requires
PHP 5.3.7 or greater, please check php version before upgrading.

Needless to say, BACKUP YOUR DATA BEFORE UPGRADING.

[1] Roundcube Install Requirements:
https://github.com/roundcube/roundcubem … quirements

Dear all,

iRedMail-0.9.6 stable release has been released.

• Download it: http://www.iredmail.org/download.html

• Upgrade tutorials are available here: http://www.iredmail.org/docs/iredmail.releases.html

• We offer paid remote upgrade support if you don't want to get your hands dirty.

Below are changes since iRedMail-0.9.5-1:

Supports new distribution release

• Ubuntu 16.10. WARNING: Ubuntu 16.10 will end of life in July 2017, Ubuntu 16.04 LTS edition is recommended for a production server.

• OpenBSD 6.0. OpenBSD 5.9 is not supported anymore.

• FreeBSD 11.0

Improvements

• iRedMail Installer: Able to choose not to install web server and web applications.

• Use rsyslog (requires version 8.x) instead of internal logging system for Dovecot on CentOS 7 and Ubuntu 16.04, 16.10.
  

  • rsyslog is default syslog program on CentOS, Debian and Ubuntu. With rsyslog, we're able to discard log messages which matches given regular expressions if it produces too fast. for example, HAProxy performs health check every few seconds for POP3/IMAP (and other) services, we can easily discard those health check related logs to save disk space.

• Switch Awstats user authentication from SQL/LDAP to basic auth based on file, Awstats is now available for both Apache and Nginx.

• Nginx:
  

  • Add HSTS header for Roundcube, iRedAdmin, SOGo.

  • Add sample config files to run Roundcube, iRedAdmin, SOGo as a subdomain.

• Roundcube webmail:
  

  • Enable plugin `enigma` by default for PGP encryption. WARNING: The plugin uses gpg binary on the server and stores all keys (including private keys of the users) on the server. Encryption/decryption is done server-side. So, this plugin is for users that trust the server.

  • If you get error `Identity must have a user name defined` while first trying to generate gpg key, please add a name for your email account in Roundcube: `Settings -> Identities`.

• SOGo: List all contacts by default in SOGo global address book.

• FreeBSD: Switch from OpenSSL to LibreSSL by default.

Fixed issues

• LDAP backends: mail accounts (user, alias, list) are still active when domain is disabled.

• Fix the HTTPROXY vulnerability in Apache and Nginx. Reference: https://httpoxy.org/

• Not convert domain name and email address to lower cases while creating mail accounts with scripts tools/create_mail_user_*. Thanks Santosh Gupta <head.it _at_ satmatechnologies.com> for the report.

• SOGo: Not correctly redirect access to https in Apache.

• Postfix:
  

  • Not enable opportunistic TLS support for remote smtp clients.

  • Incorrect HELO restriction rule which causes Postfix rejects smtp session with HELO "[IP_ADDRESS]" (with squared brackets).

• Nginx:
  

  • Not allow access to '/.well-known/'.

  • Not forward real client IP address to SOGo.

  • Config file for catch-all virtual host `default.conf` has been renamed to `00-default.conf`, to make sure it will be loaded before other virtual host config files.

• Roundcube webmail:
  

  • Missing cron job used to clean up old Roundcube temporary files (bin/gc.sh).

  • Not set proper file owner (apache/nginx) and permission (0600) for config file of password plugin.

• iRedAPD: Not add FreeBSD Jail IP address as trusted client. This causes mail delivery failure while sending to user under same domain. Thanks Erez Zabusky <erez_z _at_ cre8ip.com> for the report.

• OpenBSD:
  

  • not enable uwsgi service.

  • not create symbol links for PHP programs.

Updated packages

• Roundcube -> 1.2.3

• iRedAPD -> 2.0

• iRedAdmin -> 0.7

• uwsgi -> 2.0.14 (OpenBSD only)

• FreeBSD: php-7.0, mysql-5.7

Dear all,

iRedAdmin-Pro-LDAP-2.7.0 (a.k.a. iRedAdmin-Pro for OpenLDAP backend) is now available for upgrading and purchasing.

• IMPORTANT NOTE: Please upgrade iRedMail to the latest iRedMail-0.9.6 before upgrading iRedAdmin-Pro.

• Upgrade tutorials for iRedAdmin-Pro are available here: http://www.iredmail.org/docs/migrate.or … admin.html

How to download the latest iRedAdmin-Pro

iRedAdmin-Pro customers can get download link of this new release by following steps below:

• Login to iRedAdmin-Pro as global admin

• Click "License" on the top-right corner, it will show you basic license info and a "Download" button if new version is available for upgrading.

If above steps don't work for you, please send an email to support @ iredmail.org to get download link of the latest release.

Below are detailed changes since iRedAdmin-Pro-LDAP-2.6.1.

RESTful API

RESTful API has been largely improved and ready for integration with your own applications. If you need an API which has not yet been implemented, don't hesitate to contact us.

You can find detailed API document here: http://www.iredmail.org/docs/iredadmin- … l.api.html

• Several parameter names have been changed for simplification:
  

  • old: `cn` -> new: `name`

  • old: `mailQuota` -> new: `quota`

  • old: `preferredLanguage` -> new: `language`

• Variable names used in returned JSON data have been changed to avoid possible namespace conflict:
  

  • old: {'success': ...,  'msg': ...}

  • new: {'_success': ..., '_msg': ...}

• NEW: /api/users/<domain>: Update profiles for all users under domain.

• NEW: /api/users/<domain>/password: Update all user passwords under domain.

• NEW: /api/ldif/<account_type>/<account>: export account in ldif format

• NEW: /api/domain/admins/<domain>: manage domain admins.

• NEW: Verify given (plain) password against the one stored in LDAP.
  

  • /api/verify_password/user/<mail>

  • /api/verify_password/admin/<mail>

• NEW: /api/admin/<mail>: create and manage standalone domain admins.

• Able to delete mail domain or user with option to keep mailboxes for given days.

• Able to update more domain profiles (/api/domain/<domain>):
  

  • default mailbox quota for new user

  • max mailbox quota of newly created mail user

  • catch-all account

  • inbound and outbound relay

  • sender bcc, recipient bcc

  • set max number of users, aliases, mailing lists

  • disabled domain profiles

  • disabled user profiles

  • disabled user preferences

  • disabled mail services

• Able to update more user profiles (/api/user/<mail>):
  

  • mail forwarding

  • employee id

  • per-user alias addresses

• Able to change email address of user/alias/mailing list accounts.

• Able to set members while creating mail alias account.

• Able to reset, add, remove members while updating mail alias or mailing list account.

• Able to get profile of existing mail domain/user/alias/mailing list.

• NEW: Able to manage global, per-domain and per-user spam policy.

• Fixed: Cannot set per-domain quota while creating domain.

Improvements

• Normal domain admin is now able to create new mail domains with limits like number of max domains/users/alias/lists/quota. Note: new mail domain added by normal domain admin requires domain ownership verification. For more details, please check our tutorial: http://www.iredmail.org/docs/iredadmin- … ation.html.

• Able to use domain name as primary MX server (IP address is recommended).

• Able to enable/disable pop3/imap/smtp/sogo/managesieve services for existing or newly created mail users under domain in domain profile page.

• Able to explicitly enable/disable greylisting for domain/user.

• Able to set access policy while creating mailing list.

• Able to set timezone while creating mail domain.

• Able to schedule date to delete mailboxes while removing domain or mail users. Note: This feature requires a daily cron job to run `tools/delete_mailboxes.py` which should be added automatically while upgrading iRedAdmin.

• Able to manage additional/custom LDAP attributes for mail user on web UI. Check comment for parameter `ADDITIONAL_MANAGED_USER_ATTRIBUTES` in `libs/default_settings.py` for more details.

• Able to add custom LDAP objectClass and attribute/values for newly created mail user (not manageable on web UI). Please read comment of parameters `ADDITIONAL_USER_OBJECTCLASSES` and `ADDITIONAL_USER_ATTRIBUTES` in file `libs/default_settings.py` for more details.

• New: tools/update_password_with_csv.py, used to reset password by reading password from CSV file (format: '<email> <password>').

• tools/dump_disclaimer.py: able to dump disclaimer for alias domains.

• tools/cleanup_amavisd_db.py: Huge performance improvement with dirty read (SELECT) while cleaning up old records in Amavisd database.

• tools/notify_quarantined_recipients.py:
  

  • able to track last notify time and notify new quarantined emails only.

  • able to notify users under backup MX domains with command line argument '--notify-backupmx'.

  • correctly encode mail subject and sender name

Fixed issues

• SECURITY: iRedAdmin accepts any password on FreeBSD and OpenBSD if password is stored in BCRYPT hash.

• Not revoke admin privilege after deleted standalone admin account.

• Standalone admin account can be an email address under locally hosted mail domain. This causes conflict when there's a normal mail user with same email address.

• Normal domain admin cannot view/update its own profile if it doesn't manage its own domain.

• Not check current email address existence while changing account email address.

• Cannot use domain name as Primary MX in backup mx setting page.

• Mail accounts (user, alias, list) are still active when domain is disabled.

• Global admin cannot view BCC in user profile page if it's disabled in domain profile page ( tab 'Advanced' -> 'BCC' in 'Disabled User Profiles'). Thanks labasus <labas _at_ gmx dot co.uk> for the report.

• Cannot use non-ascii characters in mail subject and body of notification mail used to notify local recipient of quarantined mails.

• Normal domain admin can view or update global domain admin's profile.

• Cannot save submitted greylisting whitelists while there's a duplicate sender inserted by `tools/spf_to_greylist_whitelists.py`. Thanks Juan Bou Riquer <jbou _at_ cancun.com.mx> for the report.

• Incorrect pages while viewing disabled accounts. Thanks to Li Wei <liwei _at_ bond520.com> for the report.

• Not specify path to python command to run 'tools/cleanup_db.py' in upgrade script, this causes error in cron job.

• Not apply max user quota while creating new user or updating user profile.

• iOS devices may have problem with character '^' in password. we remove it from allowed special character for randomly generated password.

• Creating domain in invalid domain format causes 'internal server error'.

• OpenBSD ldapd(*) cannot handle MOD_DELETE correctly, it will remove all values of this attribute instead of removing just the one we specified. As a workaround, we define ldap server name in parameter 'LDAP_SERVER_PRODUCT_NAME'.

• Fix the html target="_blank" vulnerability.

Updated translations

Please help us translate iRedAdmin-Pro to your language: http://www.iredmail.org/docs/translate.iredadmin.html.

• Update Traditional Chinese (zh_TW). Thanks rain <rain6966@gmail>.

• Update Simplified Chinese (zh_CN).

Dear all,

iRedAdmin-Pro-SQL-2.5.0 (iRedAdmin-Pro for MySQL, MariaDB and PostgreSQL backends) is now available for upgrading and purchasing.

• IMPORTANT NOTE: Please upgrade iRedMail to the latest iRedMail-0.9.6 before upgrading iRedAdmin-Pro.

• Upgrade tutorials for iRedAdmin-Pro are available here: http://www.iredmail.org/docs/migrate.or … admin.html

How to download the latest iRedAdmin-Pro

iRedAdmin-Pro customers can get download link of this new release by following steps below:

• Login to iRedAdmin-Pro as global admin

• Click "License" on the top-right corner, it will show you basic license info and a "Download" button if new version is available for upgrading.

If above steps don't work for you, please send an email to support @ iredmail.org to get download link of the latest release.

Below are detailed changes since iRedAdmin-Pro-SQL-2.3.1:

RESTful API

RESTful API has been largely improved and ready for integration with your own applications. If you need an API which has not yet been implemented, don't hesitate to contact us.

You can find detailed API document here: http://www.iredmail.org/docs/iredadmin- … l.api.html

• Several parameter names have been changed for simplification:
  

  • old: `cn` -> new: `name`

  • old: `mailQuota` -> new: `quota`

  • old: `preferredLanguage` -> new: `language`

• Variable names used in returned JSON data have been changed to avoid possible namespace conflict:
  

  • old: {'success': ...,  'msg': ...}

  • new: {'_success': ..., '_msg': ...}

• NEW: /api/users/<domain>: Update profiles for all users under domain.

• NEW: /api/users/<domain>/password: Update all user passwords under domain.

• NEW: /api/domain/admins/<domain>: manage domain admins.

• NEW: Verify given (plain) password against the one stored in LDAP.
  

  • /api/verify_password/user/<mail>

  • /api/verify_password/admin/<mail>

• NEW: /api/admin/<mail>: manage standalone domain admins.

• Able to delete mail domain or user with option to keep mailboxes for given days.

• Able to update more domain profiles (/api/domain/<domain>):
  

  • default mailbox quota for new user.

  • max mailbox quota of newly created mail user

  • catch-all account

  • inbound and outbound relay

  • sender bcc, recipient bcc

  • set max number of users, aliases, mailing lists

  • disabled domain profiles

  • disabled user profiles

  • disabled user preferences

• Able to update more user profiles (/api/user/<mail>):
  

  • mail forwarding

  • employee id

  • per-user alias addresses

• Able to change email address of user/alias accounts.

• Able to set members while creating mail alias account.

• Able to update members while updating mail alias account.

• Able to get profile of existing mail domain/user/alias.

• NEW: Able to manage global, per-domain and per-user spam policy.

• Fixed: Cannot set per-domain quota while creating domain.

Improvements

• Normal domain admin is now able to create new mail domains with limits like number of max domains/users/alias/lists/quota. Note: new mail domain added by normal domain admin requires domain ownership verification. For more details, please check our tutorial: http://www.iredmail.org/docs/iredadmin- … ation.html

• Able to use domain name as primary MX server (IP address is recommended).

• Able to enable/disable pop3/imap/smtp/sogo/managesieve services for existing or newly created mail users under domain in domain profile page.

• Able to enable/explicitly disable greylisting for domain/user.

• Able to schedule date to delete mailboxes while removing domain or mail users. Note: This feature requires a daily cron job to run `tools/delete_mailboxes.py` which should be added automatically while upgrading iRedAdmin.

• Able to set access policy while creating mail alias account.

• Able to set timezone while creating mail domain.

• New: tools/update_password_with_csv.py, used to reset password by reading password from CSV file (format: '<email> <password>').

• tools/dump_disclaimer.py: able to dump disclaimer for alias domains.

• tools/cleanup_amavisd_db.py: Huge performance improvement with dirty read (SELECT) while cleaning up old records in Amavisd database.

• tools/notify_quarantined_recipients.py:
  

  • able to track last notify time and notify for new quarantined emails only.

  • able to notify users under backup MX domains with command line argument '--notify-backupmx'.

  • correctly encode mail subject and sender name

Fixed issues

• SECURITY: iRedAdmin accepts any password on FreeBSD and OpenBSD if password is stored in BCRYPT hash.

• Standalone admin account cannot change its own password.

• Standalone admin account can be an email address under locally hosted mail domain. This causes conflict when there's a normal mail user with same email address.

• Normal domain admin cannot view/update its own profile if it doesn't manage its own domain.

• Not check current email address existence while changing account email address.

• Not update sql column `mailbox.local_part` while changing account email address.

• Not remove per-user alias addresses while removing user account.

• Cannot use domain name as Primary MX in backup mx setting page.

• Cannot delete mail user account due to incorrect PostgreSQL command.

• Cannot use non-ascii characters in mail subject and body of notification mail used to notify local recipient of quarantined mails.

• Cannot search mail accounts with PostgreSQL backend.

• Normal domain admin can view or update global domain admin's profile.

• Cannot save submitted greylisting whitelists while there's a duplicate sender inserted by `tools/spf_to_greylist_whitelists.py`. Thanks Juan Bou Riquer <jbou _at_ cancun.com.mx> for the report.

• Incorrect pages while viewing disabled accounts. Thanks to Li Wei <liwei _at_ bond520.com> for the report.

• Incorrectly count number of mail alias accounts in domain list page. Thanks to Santosh Gupta <head.it _at_ satmatechnologies.com> for the report.

• Separated normail domain admin cannot change its own password.

• Able to set unlimited mailbox quota when per-domain quota was set.

• Cannot handle mail alias members if some character is in uppercase.

• Not specify path to python command to run 'tools/cleanup_db.py' in upgrade script, this causes error in cron job.

• Incorrectly update domain backupmx status while updating profile under tab 'General'.

• iOS devices may have problem with character '^' in password. we remove it from allowed special character for randomly generated password.

• Creating domain in invalid domain format causes 'internal server error'.

• Fix the html target="_blank" vulnerability.

Updated translations

• Update Traditional Chinese (zh_TW). Thanks rain <rain6966@gmail>.

• Update Simplified Chinese (zh_CN).

Dear all,

There’re 2 security fixes you need to follow immediately:

*) Roundcube webmail 1.2.4 (and 1.1.8) has been released on March 10, 2017. Including a fix for a recently reported security XSS issue with CSS styles inside an SVG tag.

Please upgrade Roundcube as soon as possible to fix it.

*) Possible backdooring mysqldump backups.

Quote from: https://blog.tarq.io/cve-2016-5483-back … p-backups/

If you're running iRedMail with one of OpenLDAP, ldapd (OpenBSD only), MySQL, MariaDB backends, please follow steps below to fix it:

- Open the daily MySQL backup script, it's /var/vmail/backup/backup_mysql.sh by default. if you use different storage directory during iRedMail installation, you can find the base directory with command "postconf virtual_mailbox_base”.

- Find variable name CMD_MYSQLDUMP like below:

export CMD_MYSQLDUMP="mysqldump ..."

- Make sure it has argument "--skip-comments" like below:

export CMD_MYSQLDUMP="mysqldump ... --skip-comments"

- Save the change.

Dear all,

iRedAdmin-Pro-SQL-2.6.0 (iRedAdmin-Pro for MySQL, MariaDB and PostgreSQL backends) is now available for upgrading and purchasing.

• IMPORTANT NOTE: Please upgrade iRedMail to the latest iRedMail-0.9.6 before upgrading iRedAdmin-Pro.

• Upgrade tutorials for iRedAdmin-Pro are available here: http://www.iredmail.org/docs/migrate.or … admin.html

How to download the latest iRedAdmin-Pro

iRedAdmin-Pro customers can get download link of this new release by following steps below:

• Login to iRedAdmin-Pro as global admin

• Click "License" on the top-right corner, it will show you basic license info and a "Download" button if new version is available for upgrading.

If above steps don't work for you, please send an email to support @ iredmail.org to get download link of the latest release.

Below are detailed changes since iRedAdmin-Pro-SQL-2.5.0:

Fixed issues

• RESTful API: Fixed an issue which cannot save a (email) copy while updating per-user mail forwarding. Thanks Wes Cossick <wes _at_ hoa-express.com> for the report.

• Not correctly enable alias domain after domain ownership verification.

• Should not require domain ownership verification if alias domain was added by global admin.

• Not disable white/blacklisting actions in 'Quarantined Mails' page if white/blacklist is disabled by domain admin in user preferences. Thanks Rain <rain6966@gmail> for the report.

• Cannot create new mail user due to miss sql column name in 'GROUP BY' statement.

• tools/notify_quarantined_recipients.py:
  

  • unicode error if mail subject contains unicode characters.

  • unicode error if system default encoding is 'ascii'. Thanks Rain <rain6966@gmail> for the report.

• tools/upgrade_iredadmin.sh cannot create new MySQL table due to missing required privilege.

Dear all,

iRedAdmin-Pro-LDAP-2.8.0 (iRedAdmin-Pro for OpenLDAP and OpenBSD ldapd(8) backends) is now available for upgrading and purchasing.

• IMPORTANT NOTE: Please upgrade iRedMail to the latest iRedMail-0.9.6 before upgrading iRedAdmin-Pro.

• Upgrade tutorials for iRedAdmin-Pro are available here: http://www.iredmail.org/docs/migrate.or … admin.html

How to download the latest iRedAdmin-Pro

iRedAdmin-Pro customers can get download link of this new release by following steps below:

• Login to iRedAdmin-Pro as global admin

• Click "License" on the top-right corner, it will show you basic license info and a "Download" button if new version is available for upgrading.

If above steps don't work for you, please send an email to support @ iredmail.org to get download link of the latest release.

Below are detailed changes since iRedAdmin-Pro-LDAP-2.7.0:

Improvements

• Able to assign a server-wide free and unique uid/gid number while creating new user with placeholders '%(next_uid)d' and '%(next_gid)d' in parameter 'ADDITIONAL_USER_ATTRIBUTES'.

Fixed issues

• Not correctly enable alias domain after domain ownership verification.

• Not disable white/blacklisting actions in 'Quarantined Mails' page if white/blacklist is disabled by domain admin in user preferences. Thanks Rain <rain6966@gmail> for the report.

• Normal mail user cannot login (self-service). Thanks jobu <buthe _at_ gugw.tu-darmstadt.de> for the report in forum.

• tools/upgrade_iredadmin.sh cannot create new MySQL table due to missing required privilege.

• Searching doesn't work.

• tools/notify_quarantined_recipients.py:
  

  • unicode error if mail subject contains unicode characters.

  • unicode error if system default encoding is 'ascii'. Thanks Rain <rain6966@gmail> for the report.

• tools/*.py cannot successfully get LDAP connection cursor.

Dear all,

iRedMail-0.9.7 stable release has been released.

And another good news: we have more and more EU customers, so we have open an European office in Ljublana, Slovenia, to offer better tech support. You can find the office address in the "Contact" page.

• Download it: http://www.iredmail.org/download.html

• Upgrade tutorials are available here: http://www.iredmail.org/docs/iredmail.releases.html

• We offer paid remote upgrade support if you don't want to get your hands dirty.

Below are changes since iRedMail-0.9.6, and planned changes in next release.

Supports new distribution release

• OpenBSD 6.1. OpenBSD 6.0 is not supported anymore.

• Ubuntu 17.04. Ubuntu 16.10 is not supported anymore.

• Debian 9 (code name: stretch).

Improvements

• SQL structure change (for SQL backends): drop few columns in sql table
  `vmail.alias`, and creates 2 new tables: forwardings, alias_moderators. For
  more technical details, please check this issue:
  https://bitbucket.org/zhb/iredmail/issues/101

• SOGo: New script 'tools/backup_sogo.sh'. used to backs up SOGo data with 'sogo-tool backup' command.

• Fail2ban:
  

  • Add one new regular expession to filter Roundcube log.

  • Enable 2 new jails: apache-auth, nginx-http-auth.

  • Split jail.local to multiple modular jail config files under /etc/fail2ban/jail.d.

• Nginx: Use different directories to store different type of config files for easier customization.
  

  • /etc/nginx/conf.d/ - store configurations used inside 'http {}'

  • /etc/nginx/sites-available/ - store config files for web sites. All files under this directory are NOT loaded by default.

  • /etc/nginx/sites-enabled/ - store config files for web sites. All files under this directory will be loaded by default. Usually file under this directory is a symbol link to file under /etc/nginx/sites-available/. This way we can easily enable or disable a site without renaming or moving its config file.

  • /etc/nginx/sites-conf.d/ - store per-site modular config files. for example, for web domain 'iredmail.org', we use directory '/etc/nginx/sites-conf.d/iredmail.org/' to store modular config files for all its http settings, and '/etc/nginx/sites-conf.d/iredmail.org-ssl/' for all https settings. You can use a prefixed digital number or letter to define the order loaded by Nginx. For example, '00-listen.conf' will be loaded before other files.

• Generate /root/.my.cnf-<sql-user>:
  

  • /root/my.cnf-vmail

  • /root/my.cnf-vmailadmin

  • /root/my.cnf-amavisd

  • /root/my.cnf-iredapd

  • /root/my.cnf-iredadmin

  • /root/my.cnf-sogo

  • /root/my.cnf-roundcube

Fixed issues

• Enable 'iterate_query =' in 'dovecot-mysql.conf', so that doveadm works fine if it needs to get all mail users.

• Not enable cron job for iRedAdmin script: tools/delete_mailboxes.py. Thanks sergiocesar <sergio _at_ winc.net> for the report.

• tools/backup_mysql.sh: Backup sql databases with mysqldump option '--skip-comments' to avoid possible backdooring hack. FYI: https://blog.tarq.io/cve-2016-5483-back … p-backups/

• FreeBSD:
  

  • installing port 'archives/arj' interrupts iRedMail installation. This is caused by global variable 'LANGUAGE=C'.

  • Cannot reset MySQL (5.7) password.

Updated packages

• Roundcube webmail -> 1.3.0

• iRedAPD -> 2.1

• iRedAdmin -> 0.8

• uwsgi -> 2.0.15 (OpenBSD only)

Planned changes in next release

• Completely drop Apache support. Nginx will be the only one web server shipped by iRedMail.

• Integrate a mailing list manager like Mailman or mlmmj (preferred).

Dear all,

iRedAdmin-Pro-SQL-2.7.0 (iRedAdmin-Pro for MySQL, MariaDB and PostgreSQL backends) is now available for upgrading and purchasing.

• IMPORTANT NOTE: Please upgrade iRedMail to the latest iRedMail-0.9.6 before upgrading iRedAdmin-Pro.

• Upgrade tutorials for iRedAdmin-Pro are available here: http://www.iredmail.org/docs/migrate.or … admin.html

How to download the latest iRedAdmin-Pro

iRedAdmin-Pro customers can get download link of this new release by following steps below:

• Login to iRedAdmin-Pro as global admin

• Click "License" on the top-right corner, it will show you basic license info and a "Download" button if new version is available for upgrading.

If above steps don't work for you, please send an email to support @ iredmail.org to get download link of the latest release.

Below are detailed changes since iRedAdmin-Pro-SQL-2.6.0:

RESTful API

• NEW: Able to manage global, per-domain and per-user greylisting settings, whitelist senders, and global whitelisted SPF domains.

Improvements

• While removing mail user account, option 'Keep (mailbox) forever' now log a null delete date instead of keeping for 100 years. Thanks mejo <jonas _at_ freesources.org> for the feedback in forum.

• Able to manage whitelists/blacklists based on reverse DNS name of sender server IP address. Sponsored development by Daniel Senie <dts _at_ amaranth.com>.

• Able to search accounts based on per-user alias address and mail forwarding address.

• Display per-user alias addresses and mail forwarding addresses in search result page.

• Able to define custom favicon.ico with parameter BRAND_FAVICON.

• Able to use CIDR network as whitelist/blacklists. e.g. 192.168.1.0/24, 2002::1234:abcd:ffff:c0a8:101/64. Sponsored development by Daniel Senie <dts _at_ amaranth.com>.

• Able to generate and verify SHA512 password hash.

• New: tools/reset_user_password.py, used to reset user password.

Fixed issues

• RESTful API:
  

  • Not remove admin privilege after revoked domain admin privilege if admin doesn't manage any domain anymore.

  • Not correctly set per-domain enabled/disabled domain profiles.

  • Cannot get per-domain sender dependent relayhost while getting domain profile.

  • Cannot correctly remove per-domain sender/recipient BCC settings.

  • Cannot correctly reset per-domain transport if domain was marked as backup MX.

  • Not correctly update profiles (password, global admin privilege) for standalone admin account.

  • Cannot set per-user alias addresses while creating new mail user.

  • Cannot add or remove per-user alias addresses while updating user profile.

  • User mailbox quota was removed while updating user profile. Thanks Dorian Gutowski <dorian _at_ 604media.com> for the report.

• Not use default transport setting while creating new domain.

• Not delete managed domains if user (which has admin privilege) after revoked admin privilege.

• Not store plain password while user changing password -- if iRedAdmin-Pro is configured to store plain password. Thanks Sergio <sergio _at_ winc.net> for the report.

• Not remove per-account wblist/greylisting/throttle settings and tracking data while removing account.

• Not correctly count accounts while listing accounts with first letter of email address.

• Not correctly page if current account list page is filtered with first letter of email address.

• Not remove throttle and greylisting settings while removing domains.

• Spam policy (quarantining) doesn't fully working.

• If user is assigned as moderator of mail alias account, after user was removed, it still exists in alias moderator list.

• Not use custom settings while getting top sender/recipients on Dashboard page. Thanks nicolasfo <nicolas _at_ franceoxygene.fr> for the report.

• Not update backupmx status while disabling 'Relay without verifying local recipients' in domain profile page, tab 'Relay'. Thanks Luftar Braha <luftar.braha _at_ gmail> for the report.

• tools/notify_quarantined_recipients.py: Not convert time to local time zone. Thanks roy.wong <roy.wong _at_ jmi.com.hk> for the report.

Dear all,

iRedAdmin-Pro-LDAP-2.9.0 (iRedAdmin-Pro for OpenLDAP and OpenBSD ldapd(8) backends) is now available for upgrading and purchasing.

• IMPORTANT NOTE: Please upgrade iRedMail to the latest iRedMail-0.9.6 before upgrading iRedAdmin-Pro.

• Upgrade tutorials for iRedAdmin-Pro are available here: http://www.iredmail.org/docs/migrate.or … admin.html

How to download the latest iRedAdmin-Pro

iRedAdmin-Pro customers can get download link of this new release by following steps below:

• Login to iRedAdmin-Pro as global admin

• Click "License" on the top-right corner, it will show you basic license info and a "Download" button if new version is available for upgrading.

If above steps don't work for you, please send an email to support @ iredmail.org to get download link of the latest release.

Below are detailed changes since iRedAdmin-Pro-LDAP-2.8.0:

RESTful API

• NEW: Able to manage global, per-domain and per-user greylisting settings, whitelist senders, and global whitelisted SPF domains.

Improvements

• While removing mail user account, option 'Keep (mailbox) forever' now log a null delete date instead of keeping for 100 years. Thanks mejo <jonas _at_ freesources.org> for the feedback in forum.

• Able to manage whitelists/blacklists based on reverse DNS name of sender server IP address. Sponsored development by Daniel Senie <dts _at_ amaranth.com>.

• Able to define custom favicon.ico with parameter BRAND_FAVICON.

• Able to use CIDR network as whitelist/blacklists. e.g. 192.168.1.0/24, 2002::1234:abcd:ffff:c0a8:101/64. Sponsored development by Daniel Senie <dts _at_ amaranth.com>.

• Able to generate and verify SHA512 password hash.

• New: tools/reset_user_password.py, used to reset user password.

Fixed issues

• Not store plain password while user changing password -- if iRedAdmin-Pro is configured to store plain password. Thanks Sergio <sergio _at_ winc.net> for the report.

• Cannot get number of quarantined emails if logged in as normal domain admin. Thank Paul Tan <paul _at_ iqon-asia.com> for the report.

• Not remove per-account wblist/greylisting/throttle settings and tracking data while removing account.

• Not correctly page if current account list page is filtered with first letter of email address.

• Spam policy (quarantining) doesn't fully working.

• Not use custom settings while getting top sender/recipients on Dashboard page. Thanks nicolasfo <nicolas _at_ franceoxygene.fr> for the report.

• tools/notify_quarantined_recipients.py: Not convert time to local time zone. Thanks roy.wong <roy.wong _at_ jmi.com.hk> for the report.

Dear all,

iRedAdmin-Pro-LDAP-3.0 (iRedAdmin-Pro for OpenLDAP and OpenBSD ldapd(8) backends) is now available for upgrading and purchasing.

• IMPORTANT NOTE: Please upgrade iRedMail to the latest iRedMail-0.9.7 before upgrading iRedAdmin-Pro.

• Upgrade tutorials for iRedAdmin-Pro are available here: http://www.iredmail.org/docs/migrate.or … admin.html

How to download the latest iRedAdmin-Pro

iRedAdmin-Pro customers can get download link of this new release by following steps below:

• Login to iRedAdmin-Pro as global admin

• Click "License" on the top-right corner, it will show you basic license info and a "Download" button if new version is available for upgrading.

If above steps don't work for you, please send an email to support @ iredmail.org to get download link of the latest release.

Below are detailed changes since iRedAdmin-Pro-LDAP-2.9.0:

RESTful API

• NEW: Able to list all managed domains (/domains).

• NEW: Able to manage per-usre enabled mail services (`/user/<mail>`).

• NEW: Able to promote mail user to be a global admin (`/user/<mail>`).

• Enhancement: Return managed domain names while getting user (must have admin privilege) or admin profile.

• Enhancement: Return per-domain catchall addresses in domain profile.

• Fixed: It always requires password while updating domain admin profile.

• LDAP attribute 'accountSetting' is now converted to a dictionary in returned JSON.

    - Old value: {'accountSetting': ['create_new_domains:yes'], ...}
    - New value: {'accountSetting': {'create_new_domains': 'yes',
                                     'create_max_domains': 5, ...}}

Improvements

• Able to filter domains in the "Managed Domains" section on user/admin profile page.

Fixed issues

• Not add per-user alias address while adding alias domain. Thanks acomav <davow _at_ onthenet.com.au> for the report in forum.

• Not correctly display min password length in domain profile page.

• Cannot save wildcard sender addresses for whitelist/blacklists.

• Top 10 Senders/Recipients show non-local users.

• Not correctly paginate domain list.

• Cannot store maildir path of removed user due to incorrect variable type.

• Not use current date as password last change date for created user.

Dear all,

iRedAdmin-Pro-SQL-2.8.0 (iRedAdmin-Pro for MySQL, MariaDB and PostgreSQL backends) is now available for upgrading and purchasing.

• IMPORTANT NOTE: Please upgrade iRedMail to the latest iRedMail-0.9.7 before upgrading iRedAdmin-Pro.

• Upgrade tutorials for iRedAdmin-Pro are available here: http://www.iredmail.org/docs/migrate.or … admin.html

How to download the latest iRedAdmin-Pro

iRedAdmin-Pro customers can get download link of this new release by following steps below:

• Login to iRedAdmin-Pro as global admin

• Click "License" on the top-right corner, it will show you basic license info and a "Download" button if new version is available for upgrading.

If above steps don't work for you, please send an email to support @ iredmail.org to get download link of the latest release.

Below are detailed changes since iRedAdmin-Pro-SQL-2.7.0:

RESTful API

• NEW: Able to list all managed domains (/domains).

• NEW: Able to manage per-usre enabled mail services (/user/<mail>).

• NEW: Able to promote mail user to be a global admin (/user/<mail>).

• Enhancement: Return managed domain names while getting user (must have admin privilege) or admin profile.

• Fixed: It always requires password while updating domain admin profile.

Improvements

• Able to filter domains in the "Managed Domains" section on user/admin profile page.

Fixed issues

• Cannot view domain list and domain profile with MariaDB-10.x. Thanks Torkil Liseth <torkil.liseth _at_ gmail.com> for the feedback.

• Not delete records in `forwardings` table while removing mail alias account. Thanks lamagra <slawek _at_ studio-it.pl> for the report in forum. To delete dead / orphan mail alias accounts, please run SQL commands:

sql> USE vmail;
sql> DELETE FROM forwardings WHERE is_list=1 AND address NOT IN (SELECT address FROM alias);

• Cannot update per-domain bcc if there's alias domain.

• Not return 'INVALID_CREDENTIALS' if login with a not-existing domain name.

• If login as normal domain admin, search result will return matched accounts not in managed domain.

• If a mail user is marked as domain admin with privilege to mark other user as admin, it's able to assign user to any domain hosted on server.

• Cannot use '*@domain.com' as alias moderator.

• Cannot save wildcard sender addresses for whitelist/blacklists.

• Top 10 Senders/Recipients show non-local users.

• Not correctly paginate domain list.

• Cannot store maildir path of removed user due to incorrect variable type.

• Not use current date as password last change date for created user.

• Cannot update per-domain throttle settings.

Dear all,

iRedMail-0.9.5-1 stable release has been released.

• Download it: http://www.iredmail.org/download.html

• Upgrade tutorials are available here: http://www.iredmail.org/docs/iredmail.releases.html

• We offer paid remote upgrade support if you don't want to get your hands dirty.

Changes since iRedMail-0.9.5:

Fixed issues

• Postfix:
  

  • Cannot deliver email to system account.

• OpenLDAP
  

  • Incorrect default password scheme if module 'pw-sha2' is not available.

• PHP
  

  • Allow functions: 'popen', 'openlog'. Required by Roundcube.

• Incorrect compress command used in logrotate config files.

• Add missing package 'mcrypt' on RHEL/CentOS 6.

Updated packages

• iRedAPD-1.9.1 (fixes one bug in 'tools/spf_to_greylist_whitelists.py')

See Also

• Release Notes of iRedMail-0.9.5

Dear all,

SOGo Team "made the decision to close down the public package repositories. From now on, in order to access the production builds of SOGo for various Linux distributions, you will need a proper support contract from Inverse."
https://sogo.nu/news/2016/article/sogo- … ories.html

The options of support contract are listed here:
https://sogo.nu/support/index.html#support-plans

As a temporary solution, we have to switch the yum/apt repo to nightly builds in iRedMail, but there're some third-party Debian/Ubuntu apt repositories available, use it on your own.

Note: iRedMail-0.9.5-1 has been re-packed with this change.

RHEL/CentOS

* Open file /etc/yum.repos.d/SOGo.repo, find the `baseurl=` setting like below:

* Change it to:

Debian

* Open file /etc/apt/sources.list, find the SOGo repo like below

* Change it to:

* Run 'apt-get update'.

Ubuntu

* Open file /etc/apt/sources.list, find the SOGo repo like below

* Change it to:

* Run 'apt-get update'.

The third-party Debian/Ubuntu apt repositories

* http://www.mail-archive.com/users%40sog … 24909.html
* http://www.mail-archive.com/users%40sog … 24962.html

Dear all,

We just found a critical security issue of iRedAdmin (both open source edition and iRedAdmin-Pro) on FreeBSD and OpenBSD system, please upgrade it immediately.

Note: iRedMail-0.9.5-1 was repacked with new iRedAdmin release (0.6.2) which contains this fix today.

The Issue

iRedAdmin calls an incorrect function to verify BCRYPT password hash while admin trying to login, if the admin account exists, iRedAdmin accepts any password and the admin logs in.

Affected Linux/BSD distributions

BCRYPT is available on FreeBSD and OpenBSD, but not Linux, so this issue impacts only FreeBSD and OpenBSD systems.

Affected iRedAdmin versions

This bug was introduced in iRedAdmin (both open source edition and iRedAdmin-Pro) on May 3, 2016, versions released after May 3 contain this bug:

• iRedAdmin-0.6.1 (shipped by iRedMail-0.9.5-1)

• iRedAdmin-Pro-SQL-2.4.0

• iRedAdmin-Pro-LDAP-2.6.0

How to fix it

• For iRedAdmin open source edition, please download the latest iRedAdmin-0.6.2 and follow our tutorial to upgrade it: http://www.iredmail.org/docs/migrate.or … admin.html

• For iRedAdmin-Pro, please login to iRedAdmin-Pro as global admin, click the "License" button on top-right corner, click "Send me an email with download link" button to get the latest iRedAdmin-Pro release, then follow our tutorial to upgrade it: http://www.iredmail.org/docs/migrate.or … admin.html

Dear all,

Roundcube team has released new versions of Roundcube 1.1 and 1.2
branches to address a security vulnerability, please upgrade it on your
iRedMail server(s) as soon as possible.

*) Original announcement published by Roundcube team:
http://lists.roundcube.net/pipermail/us … 11450.html

*) You can find upgrade tutorial here:
https://github.com/roundcube/roundcubemail/wiki/Upgrade

Note: according to Roundcube document[1], Roundcube 1.2 branch requires
PHP 5.3.7 or greater, please check php version before upgrading.

Needless to say, BACKUP YOUR DATA BEFORE UPGRADING.

[1] Roundcube Install Requirements:
https://github.com/roundcube/roundcubem … quirements

Dear all,

iRedMail-0.9.6 stable release has been released.

• Download it: http://www.iredmail.org/download.html

• Upgrade tutorials are available here: http://www.iredmail.org/docs/iredmail.releases.html

• We offer paid remote upgrade support if you don't want to get your hands dirty.

Below are changes since iRedMail-0.9.5-1:

Supports new distribution release

• Ubuntu 16.10. WARNING: Ubuntu 16.10 will end of life in July 2017, Ubuntu 16.04 LTS edition is recommended for a production server.

• OpenBSD 6.0. OpenBSD 5.9 is not supported anymore.

• FreeBSD 11.0

Improvements

• iRedMail Installer: Able to choose not to install web server and web applications.

• Use rsyslog (requires version 8.x) instead of internal logging system for Dovecot on CentOS 7 and Ubuntu 16.04, 16.10.
  

  • rsyslog is default syslog program on CentOS, Debian and Ubuntu. With rsyslog, we're able to discard log messages which matches given regular expressions if it produces too fast. for example, HAProxy performs health check every few seconds for POP3/IMAP (and other) services, we can easily discard those health check related logs to save disk space.

• Switch Awstats user authentication from SQL/LDAP to basic auth based on file, Awstats is now available for both Apache and Nginx.

• Nginx:
  

  • Add HSTS header for Roundcube, iRedAdmin, SOGo.

  • Add sample config files to run Roundcube, iRedAdmin, SOGo as a subdomain.

• Roundcube webmail:
  

  • Enable plugin `enigma` by default for PGP encryption. WARNING: The plugin uses gpg binary on the server and stores all keys (including private keys of the users) on the server. Encryption/decryption is done server-side. So, this plugin is for users that trust the server.

  • If you get error `Identity must have a user name defined` while first trying to generate gpg key, please add a name for your email account in Roundcube: `Settings -> Identities`.

• SOGo: List all contacts by default in SOGo global address book.

• FreeBSD: Switch from OpenSSL to LibreSSL by default.

Fixed issues

• LDAP backends: mail accounts (user, alias, list) are still active when domain is disabled.

• Fix the HTTPROXY vulnerability in Apache and Nginx. Reference: https://httpoxy.org/

• Not convert domain name and email address to lower cases while creating mail accounts with scripts tools/create_mail_user_*. Thanks Santosh Gupta <head.it _at_ satmatechnologies.com> for the report.

• SOGo: Not correctly redirect access to https in Apache.

• Postfix:
  

  • Not enable opportunistic TLS support for remote smtp clients.

  • Incorrect HELO restriction rule which causes Postfix rejects smtp session with HELO "[IP_ADDRESS]" (with squared brackets).

• Nginx:
  

  • Not allow access to '/.well-known/'.

  • Not forward real client IP address to SOGo.

  • Config file for catch-all virtual host `default.conf` has been renamed to `00-default.conf`, to make sure it will be loaded before other virtual host config files.

• Roundcube webmail:
  

  • Missing cron job used to clean up old Roundcube temporary files (bin/gc.sh).

  • Not set proper file owner (apache/nginx) and permission (0600) for config file of password plugin.

• iRedAPD: Not add FreeBSD Jail IP address as trusted client. This causes mail delivery failure while sending to user under same domain. Thanks Erez Zabusky <erez_z _at_ cre8ip.com> for the report.

• OpenBSD:
  

  • not enable uwsgi service.

  • not create symbol links for PHP programs.

Updated packages

• Roundcube -> 1.2.3

• iRedAPD -> 2.0

• iRedAdmin -> 0.7

• uwsgi -> 2.0.14 (OpenBSD only)

• FreeBSD: php-7.0, mysql-5.7

Dear all,

iRedAdmin-Pro-LDAP-2.7.0 (a.k.a. iRedAdmin-Pro for OpenLDAP backend) is now available for upgrading and purchasing.

• IMPORTANT NOTE: Please upgrade iRedMail to the latest iRedMail-0.9.6 before upgrading iRedAdmin-Pro.

• Upgrade tutorials for iRedAdmin-Pro are available here: http://www.iredmail.org/docs/migrate.or … admin.html

How to download the latest iRedAdmin-Pro

iRedAdmin-Pro customers can get download link of this new release by following steps below:

• Login to iRedAdmin-Pro as global admin

• Click "License" on the top-right corner, it will show you basic license info and a "Download" button if new version is available for upgrading.

If above steps don't work for you, please send an email to support @ iredmail.org to get download link of the latest release.

Below are detailed changes since iRedAdmin-Pro-LDAP-2.6.1.

RESTful API

RESTful API has been largely improved and ready for integration with your own applications. If you need an API which has not yet been implemented, don't hesitate to contact us.

You can find detailed API document here: http://www.iredmail.org/docs/iredadmin- … l.api.html

• Several parameter names have been changed for simplification:
  

  • old: `cn` -> new: `name`

  • old: `mailQuota` -> new: `quota`

  • old: `preferredLanguage` -> new: `language`

• Variable names used in returned JSON data have been changed to avoid possible namespace conflict:
  

  • old: {'success': ...,  'msg': ...}

  • new: {'_success': ..., '_msg': ...}

• NEW: /api/users/<domain>: Update profiles for all users under domain.

• NEW: /api/users/<domain>/password: Update all user passwords under domain.

• NEW: /api/ldif/<account_type>/<account>: export account in ldif format

• NEW: /api/domain/admins/<domain>: manage domain admins.

• NEW: Verify given (plain) password against the one stored in LDAP.
  

  • /api/verify_password/user/<mail>

  • /api/verify_password/admin/<mail>

• NEW: /api/admin/<mail>: create and manage standalone domain admins.

• Able to delete mail domain or user with option to keep mailboxes for given days.

• Able to update more domain profiles (/api/domain/<domain>):
  

  • default mailbox quota for new user

  • max mailbox quota of newly created mail user

  • catch-all account

  • inbound and outbound relay

  • sender bcc, recipient bcc

  • set max number of users, aliases, mailing lists

  • disabled domain profiles

  • disabled user profiles

  • disabled user preferences

  • disabled mail services

• Able to update more user profiles (/api/user/<mail>):
  

  • mail forwarding

  • employee id

  • per-user alias addresses

• Able to change email address of user/alias/mailing list accounts.

• Able to set members while creating mail alias account.

• Able to reset, add, remove members while updating mail alias or mailing list account.

• Able to get profile of existing mail domain/user/alias/mailing list.

• NEW: Able to manage global, per-domain and per-user spam policy.

• Fixed: Cannot set per-domain quota while creating domain.

Improvements

• Normal domain admin is now able to create new mail domains with limits like number of max domains/users/alias/lists/quota. Note: new mail domain added by normal domain admin requires domain ownership verification. For more details, please check our tutorial: http://www.iredmail.org/docs/iredadmin- … ation.html.

• Able to use domain name as primary MX server (IP address is recommended).

• Able to enable/disable pop3/imap/smtp/sogo/managesieve services for existing or newly created mail users under domain in domain profile page.

• Able to explicitly enable/disable greylisting for domain/user.

• Able to set access policy while creating mailing list.

• Able to set timezone while creating mail domain.

• Able to schedule date to delete mailboxes while removing domain or mail users. Note: This feature requires a daily cron job to run `tools/delete_mailboxes.py` which should be added automatically while upgrading iRedAdmin.

• Able to manage additional/custom LDAP attributes for mail user on web UI. Check comment for parameter `ADDITIONAL_MANAGED_USER_ATTRIBUTES` in `libs/default_settings.py` for more details.

• Able to add custom LDAP objectClass and attribute/values for newly created mail user (not manageable on web UI). Please read comment of parameters `ADDITIONAL_USER_OBJECTCLASSES` and `ADDITIONAL_USER_ATTRIBUTES` in file `libs/default_settings.py` for more details.

• New: tools/update_password_with_csv.py, used to reset password by reading password from CSV file (format: '<email> <password>').

• tools/dump_disclaimer.py: able to dump disclaimer for alias domains.

• tools/cleanup_amavisd_db.py: Huge performance improvement with dirty read (SELECT) while cleaning up old records in Amavisd database.

• tools/notify_quarantined_recipients.py:
  

  • able to track last notify time and notify new quarantined emails only.

  • able to notify users under backup MX domains with command line argument '--notify-backupmx'.

  • correctly encode mail subject and sender name

Fixed issues

• SECURITY: iRedAdmin accepts any password on FreeBSD and OpenBSD if password is stored in BCRYPT hash.

• Not revoke admin privilege after deleted standalone admin account.

• Standalone admin account can be an email address under locally hosted mail domain. This causes conflict when there's a normal mail user with same email address.

• Normal domain admin cannot view/update its own profile if it doesn't manage its own domain.

• Not check current email address existence while changing account email address.

• Cannot use domain name as Primary MX in backup mx setting page.

• Mail accounts (user, alias, list) are still active when domain is disabled.

• Global admin cannot view BCC in user profile page if it's disabled in domain profile page ( tab 'Advanced' -> 'BCC' in 'Disabled User Profiles'). Thanks labasus <labas _at_ gmx dot co.uk> for the report.

• Cannot use non-ascii characters in mail subject and body of notification mail used to notify local recipient of quarantined mails.

• Normal domain admin can view or update global domain admin's profile.

• Cannot save submitted greylisting whitelists while there's a duplicate sender inserted by `tools/spf_to_greylist_whitelists.py`. Thanks Juan Bou Riquer <jbou _at_ cancun.com.mx> for the report.

• Incorrect pages while viewing disabled accounts. Thanks to Li Wei <liwei _at_ bond520.com> for the report.

• Not specify path to python command to run 'tools/cleanup_db.py' in upgrade script, this causes error in cron job.

• Not apply max user quota while creating new user or updating user profile.

• iOS devices may have problem with character '^' in password. we remove it from allowed special character for randomly generated password.

• Creating domain in invalid domain format causes 'internal server error'.

• OpenBSD ldapd(*) cannot handle MOD_DELETE correctly, it will remove all values of this attribute instead of removing just the one we specified. As a workaround, we define ldap server name in parameter 'LDAP_SERVER_PRODUCT_NAME'.

• Fix the html target="_blank" vulnerability.

Updated translations

Please help us translate iRedAdmin-Pro to your language: http://www.iredmail.org/docs/translate.iredadmin.html.

• Update Traditional Chinese (zh_TW). Thanks rain <rain6966@gmail>.

• Update Simplified Chinese (zh_CN).

Dear all,

iRedAdmin-Pro-SQL-2.5.0 (iRedAdmin-Pro for MySQL, MariaDB and PostgreSQL backends) is now available for upgrading and purchasing.

• IMPORTANT NOTE: Please upgrade iRedMail to the latest iRedMail-0.9.6 before upgrading iRedAdmin-Pro.

• Upgrade tutorials for iRedAdmin-Pro are available here: http://www.iredmail.org/docs/migrate.or … admin.html

How to download the latest iRedAdmin-Pro

iRedAdmin-Pro customers can get download link of this new release by following steps below:

• Login to iRedAdmin-Pro as global admin

• Click "License" on the top-right corner, it will show you basic license info and a "Download" button if new version is available for upgrading.

If above steps don't work for you, please send an email to support @ iredmail.org to get download link of the latest release.

Below are detailed changes since iRedAdmin-Pro-SQL-2.3.1:

RESTful API

RESTful API has been largely improved and ready for integration with your own applications. If you need an API which has not yet been implemented, don't hesitate to contact us.

You can find detailed API document here: http://www.iredmail.org/docs/iredadmin- … l.api.html

• Several parameter names have been changed for simplification:
  

  • old: `cn` -> new: `name`

  • old: `mailQuota` -> new: `quota`

  • old: `preferredLanguage` -> new: `language`

• Variable names used in returned JSON data have been changed to avoid possible namespace conflict:
  

  • old: {'success': ...,  'msg': ...}

  • new: {'_success': ..., '_msg': ...}

• NEW: /api/users/<domain>: Update profiles for all users under domain.

• NEW: /api/users/<domain>/password: Update all user passwords under domain.

• NEW: /api/domain/admins/<domain>: manage domain admins.

• NEW: Verify given (plain) password against the one stored in LDAP.
  

  • /api/verify_password/user/<mail>

  • /api/verify_password/admin/<mail>

• NEW: /api/admin/<mail>: manage standalone domain admins.

• Able to delete mail domain or user with option to keep mailboxes for given days.

• Able to update more domain profiles (/api/domain/<domain>):
  

  • default mailbox quota for new user.

  • max mailbox quota of newly created mail user

  • catch-all account

  • inbound and outbound relay

  • sender bcc, recipient bcc

  • set max number of users, aliases, mailing lists

  • disabled domain profiles

  • disabled user profiles

  • disabled user preferences

• Able to update more user profiles (/api/user/<mail>):
  

  • mail forwarding

  • employee id

  • per-user alias addresses

• Able to change email address of user/alias accounts.

• Able to set members while creating mail alias account.

• Able to update members while updating mail alias account.

• Able to get profile of existing mail domain/user/alias.

• NEW: Able to manage global, per-domain and per-user spam policy.

• Fixed: Cannot set per-domain quota while creating domain.

Improvements

• Normal domain admin is now able to create new mail domains with limits like number of max domains/users/alias/lists/quota. Note: new mail domain added by normal domain admin requires domain ownership verification. For more details, please check our tutorial: http://www.iredmail.org/docs/iredadmin- … ation.html

• Able to use domain name as primary MX server (IP address is recommended).

• Able to enable/disable pop3/imap/smtp/sogo/managesieve services for existing or newly created mail users under domain in domain profile page.

• Able to enable/explicitly disable greylisting for domain/user.

• Able to schedule date to delete mailboxes while removing domain or mail users. Note: This feature requires a daily cron job to run `tools/delete_mailboxes.py` which should be added automatically while upgrading iRedAdmin.

• Able to set access policy while creating mail alias account.

• Able to set timezone while creating mail domain.

• New: tools/update_password_with_csv.py, used to reset password by reading password from CSV file (format: '<email> <password>').

• tools/dump_disclaimer.py: able to dump disclaimer for alias domains.

• tools/cleanup_amavisd_db.py: Huge performance improvement with dirty read (SELECT) while cleaning up old records in Amavisd database.

• tools/notify_quarantined_recipients.py:
  

  • able to track last notify time and notify for new quarantined emails only.

  • able to notify users under backup MX domains with command line argument '--notify-backupmx'.

  • correctly encode mail subject and sender name

Fixed issues

• SECURITY: iRedAdmin accepts any password on FreeBSD and OpenBSD if password is stored in BCRYPT hash.

• Standalone admin account cannot change its own password.

• Standalone admin account can be an email address under locally hosted mail domain. This causes conflict when there's a normal mail user with same email address.

• Normal domain admin cannot view/update its own profile if it doesn't manage its own domain.

• Not check current email address existence while changing account email address.

• Not update sql column `mailbox.local_part` while changing account email address.

• Not remove per-user alias addresses while removing user account.

• Cannot use domain name as Primary MX in backup mx setting page.

• Cannot delete mail user account due to incorrect PostgreSQL command.

• Cannot use non-ascii characters in mail subject and body of notification mail used to notify local recipient of quarantined mails.

• Cannot search mail accounts with PostgreSQL backend.

• Normal domain admin can view or update global domain admin's profile.

• Cannot save submitted greylisting whitelists while there's a duplicate sender inserted by `tools/spf_to_greylist_whitelists.py`. Thanks Juan Bou Riquer <jbou _at_ cancun.com.mx> for the report.

• Incorrect pages while viewing disabled accounts. Thanks to Li Wei <liwei _at_ bond520.com> for the report.

• Incorrectly count number of mail alias accounts in domain list page. Thanks to Santosh Gupta <head.it _at_ satmatechnologies.com> for the report.

• Separated normail domain admin cannot change its own password.

• Able to set unlimited mailbox quota when per-domain quota was set.

• Cannot handle mail alias members if some character is in uppercase.

• Not specify path to python command to run 'tools/cleanup_db.py' in upgrade script, this causes error in cron job.

• Incorrectly update domain backupmx status while updating profile under tab 'General'.

• iOS devices may have problem with character '^' in password. we remove it from allowed special character for randomly generated password.

• Creating domain in invalid domain format causes 'internal server error'.

• Fix the html target="_blank" vulnerability.

Updated translations

• Update Traditional Chinese (zh_TW). Thanks rain <rain6966@gmail>.

• Update Simplified Chinese (zh_CN).

Dear all,

There’re 2 security fixes you need to follow immediately:

*) Roundcube webmail 1.2.4 (and 1.1.8) has been released on March 10, 2017. Including a fix for a recently reported security XSS issue with CSS styles inside an SVG tag.

Please upgrade Roundcube as soon as possible to fix it.

*) Possible backdooring mysqldump backups.

Quote from: https://blog.tarq.io/cve-2016-5483-back … p-backups/

If you're running iRedMail with one of OpenLDAP, ldapd (OpenBSD only), MySQL, MariaDB backends, please follow steps below to fix it:

- Open the daily MySQL backup script, it's /var/vmail/backup/backup_mysql.sh by default. if you use different storage directory during iRedMail installation, you can find the base directory with command "postconf virtual_mailbox_base”.

- Find variable name CMD_MYSQLDUMP like below:

export CMD_MYSQLDUMP="mysqldump ..."

- Make sure it has argument "--skip-comments" like below:

export CMD_MYSQLDUMP="mysqldump ... --skip-comments"

- Save the change.