跳到主內容

Proxmox Mail Gateway 7.x to 8.X 更新

Proxmox Mail Gateway 已經釋放出新版的 8.0 版,改版內容如下或者連到官方看修改什麼內容 官方 wiki 公告內容

官方最新消息 Proxmox Mail Gateway 8.0 Released

此版改版內容


Released 29. June 2023

  • Based on Debian Bookworm (12.0)
  • Latest 6.2 Kernel as stable default
  • ZFS 2.1.12
  • SpamAssassin 4.0.0 (with updated rulesets)
  • ClamAV 1.0.1
  • PostgreSQL 15.3
Highlights
  • New major release based on the great Debian Bookworm.
  • Seamless upgrade from Proxmox Mail Gateway 7.3, see Upgrade from 7 to 8
     New pmg7to8 pre-flight checking script analyzing the system for common misconfigurations and missed steps during the upgrade
  • Add new text-based UI mode for the installation ISO, written in Rust using the Cursive TUI (Text User Interface) library:
     You can use the new TUI mode to work around issues with launching the GTK based graphical installer, sometimes observed on both very new and rather old hardware.  The new text mode executes the same code for the actual installation as the existing graphical mode.

Changelog Overview

Enhancements in the Rule System
  • When adding a "Match Field" What object, check that the provided regular expression is a valid regular expression.
  • Disable SpamAssassin's naive-Bayesian-style classifier and the auto-whitelisting plugin by default.
     Both features lead to worse detection rates in the Spam Filter in most setups.
     Bayes needs manual training and thorough consideration, as well as continuous maintenance.
     Existing setups are kept without change on upgrade.
     For new setups the old behavior can be enabled through the GUI.
Enhancements in the Rule System
  • Improved Dark color theme:
     The Dark color theme, introduced in Proxmox Mail Gateway 7.3, received a lot of positive feedback from our community, which resulted in further improvements.
  • Improved translations, among others:
    • Ukrainian (NEW)
    • Japanese
    • Simplified Chinese
    • Traditional Chinese
    • The size units (Bytes, KB, MiB,...) are now passed through the translation framework as well, allowing localized variants (e.g., for French).
    • The language selection is now localized and displayed in the currently selected language
  • Disable advanced statistic filters by default, as their behavior may not be immediately clear without consulting the documentation first.
  • HTML-encode rule names before rendering as additional hardening against XSS.
  • The tracking center can now parse the new syslog format for dates that was introduced in Debian Bookworm.
     The logging format of rsyslog was changed to include Timezone information (RFC3339) in the logs, making the Tracking Center more robust across DST changes and year changes.
Access control
  • Add TFA/TOTP lockout to protect against an attacker who has obtained the user password and attempts to guess the second factor:
     If TFA fails too many times in a row, this user account is locked out of TFA for an hour. If TOTP fails too many times in a row, TOTP is disabled for the user account. Using a recovery key will unlock a user account.
Installation ISO
  • Add new text-based UI mode for the installation ISO, written in Rust using the Cursive TUI (Text User Interface) library:
     You can use the new TUI mode to work around issues with launching the GTK based graphical installer, sometimes observed on both very new and rather old hardware.
     The new text mode executes the same code for the actual installation as the existing graphical mode.
  • The version of BusyBox shipped with the ISO was updated to version 1.36.1.
  • Detection of unreasonable system time.
     If the system time is older than the time the installer was created, the system notifies the user with a warning.
  • ethtool is now shipped with the ISO and installed on all systems.
  • systemd-boot is provided by its own package instead of systemd in Debian Bookworm and is installed with the new ISO.
  • The installation ISO now ships the dependencies for extracting text from attachments using SpamAssassin 4, eliminating the need to install the packages manually.
Notable bugfixes and general improvements
  • Add a pmg7to8 CLI tool to assist in upgrading from Proxmox Mail Gateway 7.3 to 8.
  • Fix an issue where an invalid regular expression in a "Match Field" What object would cause pmg-smtp-filter to exit and restart, possibly leading to wrongly denied mails. Instead, pmg-smtp-filter now logs a warning if it encounters an invalid regular expression.
  • During package installation or upgrade, ignore certain transient or obvious errors to avoid leaving the package in a broken state.
  • Fix an issue where the Proxmox Mail Gateway system report would wrongly indicate a DNS misconfiguration.
  • When authenticating via PAM, pass the PAM_RHOST item. With this, it is possible to manually configure PAM such that certain users (for example root@pam) can only log in from certain hosts.
Known Issues & Breaking Changes
  • The advanced statistics filter is now disabled by default.
     To avoid changing the behavior of a Proxmox Mail Gateway 7.3 instance on upgrade, the upgrade process will set the advfilter option to 1 if no explicit value is set.
  • SpamAssassin's naive-Bayesian-style classifier and the auto-whitelisting plugin are now disabled by default.
     To avoid changing the behavior of a Proxmox Mail Gateway 7.3 instance on upgrade, the upgrade process will set each of the use_awl/use_bayes options to 1 if no explicit value is set.

7.x版更新到8.x版


  • 先把現行的 7.X 更新到最新版本
apt update && apt dist-upgrade -y
  • 重啟該主機
reboot -nf
叢集

  • 如果您有使用到叢集服務請先停止該服務
systemctl stop pmgmirror pmgtunnel && systemctl mask pmgmirror pmgtunnel
更新來源庫

  • 更新來源庫 sources.list
sed -i 's/bullseye/bookworm/g' /etc/apt/sources.list
  • 更新訂閱版來源庫 pmg-enterprise.list ,如果沒有用訂閱版來源庫,記要進去註解
echo "deb https://enterprise.proxmox.com/debian/pmg bookworm pmg-enterprise" > /etc/apt/sources.list.d/pmg-enterprise.list
  • 更新來源庫
apt update
更新前先停止服務

  • 停止 pmg 服務
systemctl stop postfix pmg-smtp-filter pmgpolicy pmgdaemon pmgproxy pmgmirror pmgtunnel
  • 屏蔽 postfix 和所有 Proxmox Mailgateway 服務,以防止它們在升級過程中啟動
systemctl mask postfix pmg-smtp-filter pmgpolicy pmgdaemon pmgproxy pmgmirror pmgtunnel
更新服務
  • 開始更新 PMG 服務
apt update && apt dist-upgrade -y

禁用 ClamAV

  • 新的 ClamAV 按訪問掃描服務對於 Proxmox Mail Gateway 設置沒有用,並且對於新安裝被禁用,因為它不僅會減慢整個系統的速度,還會影響 Proxmox Mail Gateway 管理的垃圾郵件和病毒檢測機制。在升級過程中,該服務可能會啟用,然後被標記為失敗。建議禁用該服務:
systemctl disable clamav-clamonacc.service
更新 PostgreSQL 服務
  • 開始更新 PostgreSQL
pg_dropcluster --stop 15 main
  • 設定 15 版為主
pg_upgradecluster -v 15 13 main
  • Unmask postfix and all non-cluster Proxmox Mail Gateway services to enable them again.
systemctl unmask postfix pmg-smtp-filter pmgpolicy pmgdaemon pmgproxy
  • 重啟主機
reboot
  • 移除舊版
apt purge postgresql-13 postgresql-client-13
啟動服務

  • 啟動 PMG 服務
systemctl unmask pmgmirror pmgtunnel && systemctl start pmgmirror pmgtunnel



參考相關網頁