4.2-3-0

Mail server
A critical vulnerability has been discovered in the mail server. To attack the mail server, direct SMTP access is required.
If Internet access to the SMTP port has not been granted by the system's firewall policy, the system cannot be attacked from
the Internet.

Anti spyware concept
In addition to the previously released proxylist category, several other components now offer anti ad-/spyware options. These
include:
A user agent filter can now be enabled in the web proxy. The focus of this option is to detect ad- or spyware which is already
installed as a browser extension, possibly pretending to be a useful tool. Furthermore, the filter will prevent some ad-/spyware
from contacting its vendor. From a technical point of view, the web proxy compares the contents of the User-Agent header provided
in the clients' requests with an integrated list of well-known ad- and spyware.
The blackhole DNS feature also addresses ad- and spyware which is already installed on local clients. Most attempts of
these malicious programs to "call home" start with a DNS query. When blackhole DNS is enabled, requests for well-known ad-
and spyware domains are answered with the IP 192.0.2.34 instead of the real IP address. The firewall in turn blocks connections
to this specific IP. Check the firewall log to see which clients have ad- or spyware installed.
Finally, the firewall has a list of ad- and spyware server IPs. Enabling this feature defeats both attempts to download
ad-/spyware and outbound connections of programs already installed.
Please note that the classification of software as ad- or spyware is a subject of dispute. Apparently useful tools may have
characteristics of ad- or spyware. Enable ad- and spyware defense only if you and the affected users will accept potential
restrictions.
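The "check the firewall log" step for blackhole DNS, as an added example that is not part of the release notes: it scans firewall log lines for connections to the blackhole address 192.0.2.34 and reports which clients attempted to call home. The log line layout below is an assumption (the product's real format is not given here), and the log lines are constructed samples.

```python
import re
from collections import defaultdict

# Sentinel address the blackhole DNS hands out for known ad-/spyware domains (from the release notes)
BLACKHOLE_IP = "192.0.2.34"

# Constructed sample firewall log lines. The real log format of the product is not
# on the page, so this layout (timestamp, action, src, dst, proto, dport) is assumed.
SAMPLE_LOG = """\
2005-11-03 09:12:41 DROP src=10.0.0.17 dst=192.0.2.34 proto=tcp dport=80
2005-11-03 09:12:43 ACCEPT src=10.0.0.17 dst=203.0.113.5 proto=tcp dport=443
2005-11-03 09:13:02 DROP src=10.0.0.23 dst=192.0.2.34 proto=tcp dport=80
2005-11-03 09:13:05 DROP src=10.0.0.17 dst=192.0.2.34 proto=tcp dport=8080
2005-11-03 09:14:10 ACCEPT src=10.0.0.42 dst=198.51.100.9 proto=udp dport=53
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the assumed format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def blackhole_hits(log_text, blackhole_ip=BLACKHOLE_IP):
    """Map each client IP to its number of connection attempts to the blackhole address.
    A client listed here resolved a known ad-/spyware domain and then tried to connect,
    which is the 'call home' pattern the blackhole DNS feature is meant to expose."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dst"] == blackhole_ip:
            hits[rec["src"]] += 1
    return dict(hits)


def suspect_clients(log_text, min_hits=1):
    """Sorted list of client IPs with at least min_hits blackhole attempts."""
    return sorted(ip for ip, n in blackhole_hits(log_text).items() if n >= min_hits)


if __name__ == "__main__":
    for ip, n in sorted(blackhole_hits(SAMPLE_LOG).items()):
        print(f"{ip}: {n} blocked call-home attempt(s)")
```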

Web proxy filter for peer-to-peer and instant messengers
Just like the anti ad-/spyware user agent filter mentioned above, the web proxy provides additional user agent filters for
peer-to-peer and instant messaging software. If the User-Agent header provides enough information to identify a request from
banned client software, access is denied.
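The User-Agent comparison behind both the anti ad-/spyware filter and the peer-to-peer/instant messenger filter, as an added example rather than the product's own code: it parses the request headers and matches the User-Agent value against a category-tagged list so each filter can be enabled separately. The patterns and the sample requests are constructed; the product's integrated list is not on the page.

```python
import re

# Constructed patterns standing in for the product's integrated list (not on the page).
# Categories mirror the two filters: anti ad-/spyware, and peer-to-peer / instant messenger.
BLOCKED_AGENTS = [
    ("adware", re.compile(r"\bExampleAdBar/\d", re.I)),
    ("spyware", re.compile(r"\bSampleTracker\b", re.I)),
    ("p2p", re.compile(r"^ExampleP2PClient/", re.I)),
    ("im", re.compile(r"\bExampleMessenger\b", re.I)),
]


def parse_headers(raw_request):
    """Return the header fields of a raw HTTP request as a lower-cased name -> value dict."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:   # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def check_request(raw_request, enabled=("adware", "spyware", "p2p", "im")):
    """Decide whether the proxy should serve the request.
    Returns (allowed, reason); only the enabled categories are enforced, so the
    anti-spyware filter and the P2P/IM filter can be switched on independently."""
    ua = parse_headers(raw_request).get("user-agent", "")
    if not ua:
        return True, "no User-Agent header, nothing to compare"
    for category, pattern in BLOCKED_AGENTS:
        if category in enabled and pattern.search(ua):
            return False, f"banned {category} client: {ua}"
    return True, "ok"


# Constructed sample requests: a plain browser, a browser with an adware toolbar, a P2P client.
BROWSER = "GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0 (X11; Linux)\r\n\r\n"
TOOLBAR = "GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/4.0 (compatible; ExampleAdBar/2.1)\r\n\r\n"
P2P = "GET /announce HTTP/1.1\r\nHost: tracker.example.net\r\nUser-Agent: ExampleP2PClient/0.9\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("browser", BROWSER), ("toolbar", TOOLBAR), ("p2p", P2P)):
        print(name, check_request(req))
```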

Target specific upstream proxy
In previous releases the web proxy included configuration options for a single upstream proxy for all destinations and an
exception list for direct connections. Now there's an additional list to configure upstream proxies per destination IP or
domain.

RAS IP addresses per user
You can now assign an individual IP address for each RAS user. It applies to the RAS services L2TP/IPSec VPN, ISDN PPP dial-in
and analogue modem. The personal IP can be used to define an individual firewall policy for each RAS user.
In addition, it is now possible to determine which of the RAS services each user may use. Previously a user was either accepted
by all or none of the services.

Mail routing for single recipients
The mail routing feature has been extended. In addition to routing a whole recipient domain (e.g. to an internal mail server),
it is now possible to route single recipient addresses, too. This feature comes in handy if you need to forward some local
addresses to a mail server in the Internet, e.g. when external workers have to poll their email from the POP server of your
ISP.

Automatic email archive
This feature helps to build up a central email archive. An additional recipient can be added automatically to every email.
It can be configured separately for inbound and outbound emails. The recipient can be a local mailbox or any external address.
With this option it should be easy to feed any archive system. It is not intended to be used as a full-featured long-term archive
itself. Please make sure that the relevant privacy acts and regulations are obeyed before you enable this feature.

Mail server statistics
Email statistics, partly with graphics, have been added.

Mail backups exceeding the 2GB or 4GB limit
The mail backup uses the common ZIP file format, which is unfortunately limited to files smaller than 2GB. Furthermore, the
resulting archive must not exceed 4GB. The backup now automatically uses the ZIP64 format instead of ZIP if it expects
to reach one of these limits.

New backup file format
All backup files are now plain ZIP files. This makes it very easy to create the files expected by the centralized management
module for remote configuration changes. An extra tool is no longer needed.
Of course you can still install backup files in the old file format.

Miscalculation in Internet statistics
If the Internet interface was unavailable for a longer period of time, the values reported for the monthly transfer volume
became wrong.

Corrupted Kaspersky virus scanner signatures
The new release uses a Kaspersky program to update the signatures. The old way of mirroring sometimes resulted in a corrupted
set of signatures. As an option, the new updater can choose the signature server used for downloading automatically.

Installation of Kaspersky key file on systems by centralized management module

Improved F-Secure virusscan integration

SPAM filter crashed when encountering unusual large headers

New version of the HTTP/HTTPS servers

Updated OpenSSL crypto library
Minor bugfixes and improvements
4.2-2-5

F-Secure Anti-Virus
It was possible to execute commands on the system with specially crafted ZIP archives. In addition, the contents of manipulated
ZIP and RAR archives were not scanned.

Destination IP for firewall rules "LAN -> Internet interface"
In previous releases you had to enter a firewall rule in the more complicated "* -> Internet interface" area if you wanted
to grant access to a single Internet IP only. This is no longer necessary, unless you also want to restrict the source
IP or you want to grant access to a whole destination network.

Adding a whole email domain to the greylist sender or recipient whitelist didn't work.

Scheduled updates delayed for more than 24 hours started too early
Minor bugfixes and improvements
4.2-2-4

SSL library allows attacker to force negotiation of SSLv2 connections
In certain cases a successful man-in-the-middle attack could be used to force the negotiation of SSLv2 connections. SSLv2
is known to be cryptographically weak. The update will install a patched SSL library.
4.2-2-3

Buffer overflow in POP3/IMAP4 server
This update will install a new POP3/IMAP4 server. Authenticated users were able to trigger a buffer overflow in the old server.

Crashes of the virusscan proxy at some sites

Entries for scheduled mail retrieval on "Sat + Sun" have been ignored
Minor bugfixes and improvements
4.2-2-2

F-Secure Anti-Virus and Policy-Manager Server
The old signature updater can process only a limited number of signature files. F-Secure promised that old versions would keep
working until 31st December 2005. After this date the signature update may fail.

Proxylist category "Spyware"
This option is part of the web proxy's URL filter. Enable it to deny access to certain web servers related to spyware.

HTML in the mail server's boilerplate feature
The boilerplate feature allows adding text to every outgoing email, e.g. to append a disclaimer. It is now possible to include
HTML tags, which gives you more flexibility when appending the boilerplate to HTML mails. The tags are removed automatically
when appending to plain text mails.

Local IP networks of the DNS server
In previous releases it was possible to specify a set of client IPs that were allowed to use the DNS forwarder feature (recursion).
However, this worked only for local IPs as specified in the setup.
Now the list specifies IP addresses considered to be local. Besides DNS forwarder access, this also controls access to
non-public DNS zones. Previously only local IPs as specified by setup were allowed.
Please check whether this modification changes the behaviour of your system. If no local IPs (former recursion clients) have
been specified, your system is not affected.

Missing IPSec restart after uploading a new local certificate

Diagnostics and manual hangup feature for ADSL connections
4.2-2-1

Mail client patch
An exploitable buffer overflow has been discovered in the mail client.

Mail client TLS problems
With the new release we also decided to disable the automatic detection of POP servers with TLS capability. This feature sometimes
caused problems in the past. It will be re-enabled as soon as the problem has been solved. It is however still possible to
force encrypted POP connections by enabling the respective configuration option.

SOCKS 4/5 proxy
Being a generic proxy, SOCKS can be used by many different applications. Often it is even possible to socksify applications
without built-in proxy support; a SOCKS client program is required for this.
As a generic proxy works on the circuit level, it does not understand the protocols and data types it forwards. Therefore it
cannot provide sophisticated security features such as virus scanning. The way it is configured resembles firewall rules. But
in addition to global rules which apply to every SOCKS client, it is also possible to configure per-user rules. Users have
to authenticate themselves if they want to use these rules. Hence SOCKS gives you the possibility to recreate the concept
of user-specific firewall rules.

Stopped IPSec with persistent ADSL connections
When starting or restarting an "always online" ADSL dial-up connection a manual start of IPSec VPN was sometimes necessary.

Corrupted mailboxes
Starting with release 4.2-1.0 it was possible to damage a mailbox when editing its contents. The problem occurred whenever
no email was selected but the process was ended with "Finish". There was however no risk of losing mails.

Message complaining about missing inbox-admin.rbu
On some systems a message appeared every time a mail backup file was created. There was no further impact.


