Kopano Upgrade to 8.5.8
Kopano version 8.5.8 provides an important fix for two critical CVEs (CVE-2018-8950 and CVE-2018-8951).
Unfortunately, Kopano's recommended upgrade process to patch these vulnerabilities makes it difficult or too risky to automatically deploy these packages via the regular ClearOS update process.
You can read more about the Kopano upgrade here.
Kopano on ClearOS
If you are running Kopano on ClearOS 7, it is likely version 8.4.5. You will need to upgrade to Kopano 8.5.8 (2018-04-20).
The instructions differ depending on whether you upgraded from Zarafa or had a fresh Kopano installation. Look at the mysql_database parameter in /etc/kopano/server.cfg, e.g.:
grep mysql_database /etc/kopano/server.cfg
In this article, the mysql_database value you find is referred to as DATABASE. Most of the instructions are common to both cases and use the DATABASE value. The MySQL user name is the same as DATABASE.
Stop incoming mail
Stop any incoming mail by closing port 25 on your firewall from Webconfig. Sending servers will usually attempt re-delivery of new mail, so you won't lose any messages.
Stop Kopano Services
systemctl stop kopano-server.service
systemctl stop kopano-gateway.service
Backup the Database
If you don't have an up-to-date backup of the database, now is a good time to make one.
Get the Kopano database password:
[root@system]# cat /var/clearos/system_database/DATABASE
Then dump the database:
[root@system]# /usr/clearos/sandbox/usr/bin/mysqldump -uDATABASE -p"xxx" DATABASE > /tmp/kopano.dmp
Where xxx is the password retrieved from the first step.
Perform the Upgrade
ENABLE_BETA=True yum upgrade "*kopano*" "lib*" "python*"
If you use z-push also do:
ENABLE_BETA=True yum upgrade zarafa-z-push
The “ENABLE_BETA” flag allows you to access the repository where the 8.5.8 packages reside. These packages are not considered to be of 'beta' quality. They have been released by Kopano for production use and verified with their community/customers and ClearCenter's own internal QA team.
If you have previously upgraded from Zarafa, your database and username may be 'zarafa' and not 'kopano'. Use the value of DATABASE looked up earlier in the instructions.
Login to the system database using the “xxx” password obtained above.
/usr/clearos/sandbox/usr/bin/mysql -uDATABASE -p"xxx" DATABASE
mysql> SELECT MAX(id) from names;
If this returns a value of 31485 or higher, there are too many entries and the database needs to be cleaned.
mysql> select namestring, count(*) as c from names group by guid,nameid,namestring having c>=2;
If this returns any row(s), the database is inconsistent and needs to be cleaned.
If either of the two cases indicate areas for concern, run from the command line:
The clean-up can take a while depending on your database size and hardware configuration.
If you have any issues, check Kopano's troubleshooting guide.
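The two database checks above can also be run non-interactively. The following is an added example, not part of the original article or of ClearOS/Kopano: it passes the password through a root-only option file instead of -p"xxx" on the command line and applies the article's 31485 threshold and duplicate-row test. The function names, the --check argument and the password prompt are assumptions; the password is assumed to contain no double quotes or backslashes.

```shell
#!/bin/sh
# Added example, not from the original article. Function names and the
# option-file approach are assumptions; paths and queries are the article's.
MYSQL=/usr/clearos/sandbox/usr/bin/mysql
NAMES_ID_LIMIT=31485    # threshold quoted in the article

# Write a 0600 client option file so the password never shows up in argv
# (ps output) or shell history. Assumes no '"' or '\' in the password.
write_client_cnf() {    # $1=path  $2=user  $3=password
    ( umask 077
      : > "$1" && chmod 600 "$1" &&
      printf '[client]\nuser=%s\npassword="%s"\n' "$2" "$3" >> "$1" )
}

# $1 = result of MAX(id), $2 = number of duplicate rows.
# Returns 0 = cleanup needed, 1 = table is fine, 2 = unparseable input.
names_needs_cleanup() {
    max_id=$1; dups=$2
    [ "$max_id" = NULL ] && max_id=0    # MAX(id) of an empty table
    [ -n "$max_id" ] && [ -n "$dups" ] || return 2
    case "$max_id$dups" in *[!0-9]*) return 2 ;; esac
    [ "$max_id" -ge "$NAMES_ID_LIMIT" ] || [ "$dups" -gt 0 ]
}

# Run both checks non-interactively.  $1=DATABASE (also the user)  $2=password
check_names_table() {
    cnf=$(mktemp) || return 2
    write_client_cnf "$cnf" "$1" "$2"; rc=$?
    max_id=$("$MYSQL" --defaults-extra-file="$cnf" -N -B "$1" \
        -e 'SELECT MAX(id) FROM names;') || rc=$?
    rows=$("$MYSQL" --defaults-extra-file="$cnf" -N -B "$1" -e \
        'SELECT namestring, COUNT(*) AS c FROM names
         GROUP BY guid, nameid, namestring HAVING c >= 2;') || rc=$?
    rm -f "$cnf"
    [ "$rc" -eq 0 ] || return 2
    dups=$(printf '%s' "$rows" | grep -c . || true)
    names_needs_cleanup "$max_id" "$dups"
}

if [ "${1:-}" = "--check" ] && [ -n "${2:-}" ]; then
    printf 'Password for %s: ' "$2" >&2
    stty -echo 2>/dev/null; IFS= read -r pw; stty echo 2>/dev/null; echo >&2
    check_names_table "$2" "$pw"
    case $? in
        0) echo "names table needs cleaning" ;;
        1) echo "names table is within limits and consistent" ;;
        *) echo "check failed" >&2; exit 2 ;;
    esac
fi
```

Both queries are read-only SELECTs, so the script only reports whether cleaning is needed and changes nothing in the database.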
Check all cfg files exist
Check that the following cfg files exist in /etc/kopano:
If any are missing, copy in the template config file from /usr/share/doc/kopano/example-config.
You can copy and paste the following into the command line to check and correct:
KOPANO_CFG="gateway.cfg ical.cfg ldap.cfg presence.cfg search.cfg server.cfg spooler.cfg presence.cfg"
for cfg in $KOPANO_CFG; do
    # Only copy the template when the live config file is missing
    if [ ! -f "/etc/kopano/$cfg" ]; then
        cp "/usr/share/doc/kopano/example-config/$cfg" "/etc/kopano/"
        chown root:kopano "/etc/kopano/$cfg"
        chmod 640 "/etc/kopano/$cfg"
    fi
done
# The last line is intentionally blank to allow an easy copy and paste

Run ClearOS Upgrade Script
Run the following script to fix systemctl unit files for Kopano:
This should be unnecessary as it has already run as part of the yum upgrade, but let's do it anyway.
Start up Services
Open Your Firewall
Re-open port 25 on your firewall to allow new mail to come in.
Zarafa on ClearOS
Unfortunately, if you are running Zarafa on ClearOS 6, you have no alternative to patch these vulnerabilities other than upgrading to ClearOS 7 and Kopano.
Follow the upgrading 6 to 7 knowledge base article here.
If you are on ClearOS 7, an upgrade to Kopano will work. Follow the Zarafa to Kopano upgrade documentation here.
Once that upgrade is complete, follow the steps at the start of this knowledge base article to upgrade to 8.5.8.