Kopano Upgrade to 8.7.x
Kopano version 8.5.8 provides an important fix for two critical CVE's (CVE-2018-8950 and CVE-2018-8951). Kopano 8.7.x is an upgrade to 8.5.8.
Unfortunately, Kopano's recommend upgrade process to patch these vulnerabilities makes it difficult to automatically deploy these packages via the regular ClearOS update process.
Kopano on ClearOS
If you are running Kopano on ClearOS 7, it is likely version 8.4.5. You will need to upgrade to Kopano 8.7.5 (2019-12-11).
grep mysql_database /etc/kopano/server.cfg
For this article we'll call the mysql_database you find DATABASE. Most of the instructions are common using the DATABASE parameter. The mysql user is the same as the DATABASE.
Stop incoming mail
Stop any incoming mail…close your firewall, port 25 from Webconfig. New mail coming in will usually attempt re-delivery so you won't lose any messages.
Stop Kopano Services
systemctl stop kopano-server kopano-gateway kopano-dagent
Backup the Database
If you don't have an up to date backup of the database, now is a good time to start.
DATABASE is kopano
Get the Kopano database password:
[root@system]# cat /var/clearos/system_database/kopano
Then dump the database:
[root@system]# /usr/clearos/sandbox/usr/bin/mysqldump -ukopano -p"xxx" kopano > /tmp/kopano.dmp
Where xxx is the password retrieved from the first step.
DATABASE is zarafa
Get the Kopano database password:
[root@system]# cat /var/clearos/system_database/zarafa
Then dump the database:
[root@system]# /usr/clearos/sandbox/usr/bin/mysqldump -uzarafa -p"xxx" zarafa > /tmp/kopano.dmp
Where xxx is the password retrieved from the first step.
Perform the Upgrade
yum upgrade *kopano* --enablerepo=clearos-paid-testing
Check Database
Login to the system database using the “xxx” password obtained above.
DATABASE is kopano
/usr/clearos/sandbox/usr/bin/mysql -ukopano -p"xxx" kopano
DATABASE is zarafa
/usr/clearos/sandbox/usr/bin/mysql -uzarafa -p"xxx" zarafa
Then, for either database:
Run:
MariaDB> SELECT MAX(id) from names;
If this returns a value of 31485 or higher, there are too many entries and the database needs to be cleaned.
Run:
MariaDB> select namestring, count(*) as c from names group by guid,nameid,namestring having c>=2;
If this returns any row(s), the database is inconsistent and needs to be cleaned.
Exit MariaDB:
MariaDB [kopano]> quit
If either of the two cases indicate areas for concern, run from the command line:
kopano-dbadm np-stat kopano-dbadm k-1216
If you have any issues, check Kopano's troubleshooting guide.
Check all cfg files exist
Check that following cfg files exist in /etc/kopano:
gateway.cfg ical.cfg ldap.cfg presence.cfg search.cfg server.cfg spooler.cfg
If any are missing, you must run the upgrade script below.
Run ClearOS Upgrade Script
Run the following script to fix systemctl unit files for Kopano:
/usr/clearos/apps/kopano/deploy/upgrade
This should be unnecessary as it has already run as part of the yum upgrade, but let's do it anyway.
Start up Services
Run:
systemctl restart kopano-dagent kopano-server kopano-gateway kopano-ical kopano-monitor kopano-spooler kopano-search httpd
Open Your Firewall
Re-Open Port 25 on your firewall to allow new mail to come in.
Zarafa on ClearOS
ClearOS 6
Unfortunately, if you are running Zarafa on ClearOS 6, you have no alternative to patch these vulnerabilities other than upgrading to ClearOS 7 and Kopano.
Follow the upgrading 6 to 7 knowledge base article here.
ClearOS 7
If you on ClearOS 7, an upgrade to Kopano will work. Follow the Zarafa to Kopano upgrade documentation here.
Troubleshooting
libxapian22 dependency issue
This can be an issue for ex-Zarafa users. If you see an error message performing the upgrade:
Transaction check error: file /usr/lib64/libxapian.so.22 from install of xapian-core-libs-1.2.22-1.el7.x86_64 conflicts with file from package libxapian22-1.2.21-1.7.x86_64
Please do an:
rpm -e libxapian22 --nodeps
Do not use “yum” to uninstall.
libtcmalloc.so.4 error
If you see an installation error referencing libtcmalloc.so.4 blocking the upgrade, please do an:
rpm -e --nodeps libtcmalloc4
The installation should proceed and you should notice gperftools-libs being installed from the centos repos.
Do not use “yum” to uninstall.
Ex-zarafa users
Please check you fully completed the Zarafa to Kopano Upgrade instructions so you have removed all zarafa* packages and disabled the Zarafa repos. You can check with:
rpm -qa | grep zarafa
The only zarafa package you should have is zarafa-z-push.
Outlook shows Disconnected after upgrade
If Outlook shows the black warning triangle and “Disconnected” in the status bar, please check the log file /var/log/z-push/z-push-error.log. If you see errors like:
08/10/2019 13:20:35 [ 4610] [FATAL] [test] Fatal error: /usr/share/zarafa-z-push/lib/utils/utils.php:1144 - Call to undefined function mb_detect_encoding() (1)
Please install php-mbstring and php-soap with a:
yum install php-mbstring php-soap -y systemctl restart httpd