5.0-2-0

New webmailer version
The new webmailer comes with a number of minor and major enhancements. Among these are improvements to the user interface, support
for UTF-8 encoded emails and the option to forward emails "as original".
In particular, the addressbook feature was extended. While the old release offered only very basic possibilities, in the new
release you can store a large amount of information with each entry. Import and export now support the widely used
vCard format. Each user may create multiple private address books. In addition to the global addressbook maintained by the
"admin" user, there are now two additional global addressbooks: a shared addressbook that all users may edit, and an automatically
generated addressbook which contains all local users. The latter contains the information from the user administration menu.
On systems where the webmail feature is used, we recommend creating a fresh mail backup before updating.

LDAP addressbooks
The automatically generated addressbook with the details from the user administration and all webmail addressbooks are also
published by an LDAP server.

OCR text recognition to fight picture SPAM
With this new anti-SPAM option, pictures attached to an email are analyzed by an OCR text recognition module. The module
then looks for typical SPAM mail phrases in the extracted text.

Deny web proxy CONNECT to IP address destinations
The CONNECT method is required to forward HTTPS connections through the web proxy. However, there is software which misuses
this loophole to tunnel through the firewall. In particular, peer-to-peer related software is known to request connections
to IP addresses rather than to a server name. With the new option, you can deny these connections.

Web proxy CONNECT to specific destinations
Up to now it was only possible to open a whole destination port for the CONNECT method. From now on, you can combine the port
with specific server names or IPs, or even deny CONNECT access completely.
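
The decision logic behind the two CONNECT options above can be sketched as follows. This is an added example, not the product's code: the policy table, the function names and the request lines used to exercise it are constructed, and it covers server-name rules only.

```python
import ipaddress

# Hypothetical policy (constructed): port -> allowed server-name suffixes.
# An empty tuple means any server name may be reached on that port.
ALLOWED = {443: (), 8443: ("partner.example",)}
DENY_IP_DESTINATIONS = True


def parse_target(target):
    """Split a CONNECT target ("host:port" or "[v6]:port") into (host, port)."""
    host, sep, port = target.rpartition(":")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    elif ":" in host:
        raise ValueError("IPv6 literals must be bracketed")
    host = host.lower().rstrip(".")
    if not sep or not host or not port.isdigit():
        raise ValueError("expected host:port")
    return host, int(port)


def is_ip_destination(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        # Forms such as "3405803783" or "0xcb.0.113.7" are read as IPv4 by
        # many resolvers; no real top-level domain is numeric.
        last = host.rsplit(".", 1)[-1]
        return last.isdigit() or last.startswith("0x")


def connect_allowed(request_line):
    """Return (allowed, reason) for e.g. 'CONNECT host:443 HTTP/1.1'."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != "CONNECT":
        return False, "not a CONNECT request"
    try:
        host, port = parse_target(parts[1])
    except ValueError:
        return False, "malformed target"
    if port not in ALLOWED:
        return False, "port not allowed"
    if DENY_IP_DESTINATIONS and is_ip_destination(host):
        return False, "IP address destination"
    names = ALLOWED[port]
    if names and not any(host == n or host.endswith("." + n) for n in names):
        return False, "server name not allowed on this port"
    return True, "ok"
```

The suffix match requires a leading dot, so a name that merely ends in the same characters as an allowed name is still refused.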

Web proxy access to support.microsoft.com
Recently browsers started to show a blank page for support.microsoft.com when compressed transfer has been negotiated. The
web proxy will now prevent transfer encoding for support.microsoft.com. Systems running the web proxy with its tag filter
enabled are not affected, as tag filtering will always prevent transfer encoding.

Revised ADSL -> ISDN fallback
During a fallback, the new code continuously monitors the ADSL connection. Once it is considered to be stable again, the inactivity
timeout of the ISDN connection is lowered to a minimum, so it becomes more likely that ISDN will hang up soon anyway. A new
parameter additionally lets you configure a deadline. It defines how many minutes after ADSL has been reported to be stable
an ISDN hangup will be forced.

Livelock of the L2TP server
The L2TP server occasionally stopped accepting new connections.

Greylisting in mail server statistics
There's now a separate entry for connections refused by the greylisting module. These connections are no longer counted as
"Error".

New SPAM filter release

Updated various system components

Minor bugfixes and improvements

5.0-1-8

Update of F-Secure Antivirus
Specially crafted archives could cause a scanner malfunction. The scan process could hang, crash or even execute malicious
code.

Update of unzip
Unzip could crash or even execute malicious code while processing specially crafted archives.

Configuration of DHCP on any Ethernet interface
The administration interface now supports the configuration of DHCP on all Ethernet interfaces.

Minor bugfixes and improvements

5.0-1-7

Update of F-Secure Antivirus
Specially crafted RAR archives could have bypassed scanning.

Extensions of the web proxy's virusscan and tagfilter module
The new SSL check option prevents tunneling of unencrypted connections via the CONNECT method. CONNECT is required for proxying
HTTPS.
In addition to "object" tags, the tagfilter whitelist introduced in 5.0-1.5 now supports "embed" and "applet" tags, too.
The special treatment of large files with respect to virus scanning previously applied to files larger than 2GB. The size limit is now adjustable.
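
One way a check like the SSL check option above can work is to inspect the first bytes the client sends through an accepted CONNECT tunnel and require a TLS ClientHello. This is an added example, not the product's implementation (which the release notes do not describe); the function name and return values are hypothetical.

```python
import struct

TLS_HANDSHAKE = 0x16    # TLS record content type "handshake"
CLIENT_HELLO = 0x01     # handshake message type "ClientHello"
MAX_RECORD_LEN = 2**14  # upper bound for a plaintext TLS record


def classify_tunnel_start(data: bytes) -> str:
    """Classify the first client bytes sent through a CONNECT tunnel.

    Returns 'tls', 'not-tls', or 'need-more' (header not complete yet).
    """
    if len(data) < 6:
        # Reject obvious plaintext early instead of waiting for more bytes.
        if data and data[0] != TLS_HANDSHAKE:
            return "not-tls"
        return "need-more"
    # Record header: type (1), version major/minor (1+1), length (2).
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype != TLS_HANDSHAKE or major != 3 or minor > 4:
        return "not-tls"
    # A handshake message needs at least its own 4-byte header.
    if not 4 <= length <= MAX_RECORD_LEN:
        return "not-tls"
    return "tls" if data[5] == CLIENT_HELLO else "not-tls"
```

A handshake check only rejects protocols that are not TLS at all; it cannot tell what travels inside an encrypted session.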

Reverse proxy certificate handling
In the past, the user interface supported only self-signed certificates. Now it also supports enrolling "real" certificates,
using certificate signing requests. Additional backup and import features are available to back up the underlying cryptographic
key pair.

Web-Proxy ICAP client
If both ICAP's request and response filters were enabled, only the request filter was actually used.

DSL connection hangup
Affected are DSL dial-up connections which are not meant to be always online, but hang up when idle. Every incoming packet
from the Internet was counted as activity, so the connection might not have been closed as expected. All previous releases
of the 5.0 series are affected.

Harddisk monitoring with SMART

Enable, disable and restart connections in IPSec connection setup

Interface for sending Wake on LAN (WoL) packets

Minor bugfixes and improvements

5.0-1-6

Memory leak in virusscan proxy
The previously updated virusscan proxy suffers from a memory leak when proxy authentication is enabled. The system runs
out of memory in this case.

Minor bugfixes and improvements

5.0-1-5

Update of the OpenSSL crypto library
A potential buffer overflow has been fixed.

Improved web proxy tagfilter
This release introduces a whitelist for the "object" filter. This makes it possible, for example, to still allow Flash animations while
filtering out all other object tags. Note that Mozilla-based browsers prefer the "embed" tag to insert objects. The whitelist
will soon apply to the "embed" filter, too.
Any filtered tag is now replaced by a conspicuous text block which informs the user of the modification.

Revised email vacation feature
An additional control for the previously introduced vacation email forward feature lets you choose whether a copy of each
forwarded mail will be kept or not. The input screen is also more intuitive now.

Extended IPSec monitoring
The active VPN connections view contains additional information and offers the possibility to close established connections.

Optimization of userspecific SPAM filter
The throughput of the individual per mailbox SPAM filter is now comparable to the throughput of the global relay SPAM filter.
The userspecific SPAM filter will now process emails up to a size of 250kB.

Access for technical support using SSH reverse tunnel
Getting help from tech support is much easier now. Opening an SSH reverse tunnel to technical support requires no additional
configuration. However, the Internet connection must be up and running. As usual, you remain in control, as you have to initiate
the connection. As long as the tunnel is open, technical support can connect back into your system. Being an outbound connection,
the tunnel will even bypass upstream NAT routers or firewalls which reject inbound connections.

Reverse proxy support for OWA running on Exchange 2007
An additional redirection for URL path "/owa" to the OWA backend server has been configured.

New F-Secure Anti-Virus release

Disabled extensive debug logging of bandwidth management

Fixed loss of bandwidth management after ISDN dial-up

Fixed potential lockup of the LHA extractor during mail virusscan

Fixed problems while cleaning up temporary files of the mail virusscanner

Minor bugfixes and improvements

5.0-1-4

VPN connections broken after ADSL reconnect
Due to an error in update 5.0-1.3, the VPN server wasn't restarted after establishing an ADSL connection. VPN might have stopped
working afterwards.

Minor bugfixes and improvements

5.0-1-3

Mail server vacation settings
The auto reply option (out of office replies) now features a start and stop date. In addition, or as an alternative, incoming
mails can be forwarded to a different recipient for the configured period of time.

Proxy autoconf file and WPAD support for easy browser setup
A suitable proxy autoconf file is now available from the administration server. Configure the file's URL manually or use an
Active Directory Group Policy to distribute it. Web Proxy Auto Discovery (WPAD) even allows the browser to automatically detect
the required browser settings. Both the DHCP-based WPAD method and the more common DNS-based approach are supported.

Binding IPSec interfaces to DSL interfaces with static IP
When using ADSL as VPN host interface, it is no longer strictly treated like a dynamic interface. It is now possible to directly
bind VPN to ADSL interfaces with static IP. Of course this IP has to be configured in the ADSL interface setup.

Priority of internal and external HTTP server
The default HTTP server responding to requests on the internal (LAN) IP has changed. It is now the internal server. This modification
affects only those systems which have the external web server enabled.

Minor bugfixes and improvements

5.0-1-2

Firewall accepted connections from LAN/RAS to port 80 after disabling transparent proxy
Due to a bug in the new firewall of the 5.0 release series, port 80 was accessible for LAN and RAS clients under specific
conditions. At some point in time the transparent web proxy feature had to be enabled on the LAN/RAS interface. Later on,
either proxy authentication must have been enabled or transparent proxy support must have been disabled in the web proxy configuration,
but without disabling the transparent proxy feature in the firewall configuration first.

Dynamic firewall on ADSL and L2TP interfaces
Also due to a bug in the new firewall configuration, the dynamic firewall did not work on ADSL and L2TP interfaces.

Web proxy virusscan and files larger than 2GB
Previously, an error occurred while scanning a downloaded file for viruses if the file was larger than 2GB. When the size of
the requested file is known and exceeds 2GB, you can now select the behaviour: either the download is refused with an error
message beforehand, or the file is forwarded without scanning it.

Relay SPAM filter
When tagging an email with an empty subject as SPAM, a second subject header was previously added by mistake. Mail clients expect
only one subject header and usually display the original empty header. So you had to open the mail to see that it was actually
recognized as SPAM.
Another problem occurred when redirecting tagged mail to a central recipient address. If the new recipient was also part of
the original recipient list, the mail was silently discarded.
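
The duplicate subject header described in the first problem above is easy to reproduce with Python's standard `email` package, where assigning a header appends it instead of replacing an existing one. This is an added example, not the filter's code: the tag text, function names and sample message are constructed.

```python
from email import message_from_string

TAG = "[SPAM]"  # hypothetical tag text (assumption)

# Constructed sample message with an empty Subject header.
RAW = "From: a@example.com\nSubject:\nTo: b@example.com\n\nbody\n"


def tag_buggy(raw):
    """Assigning to msg[...] appends a header; it never replaces one."""
    msg = message_from_string(raw)
    msg["Subject"] = f"{TAG} {msg['Subject'] or ''}".strip()
    return msg


def tag_fixed(raw):
    """Rewrite the existing Subject in place; add one only if none exists."""
    msg = message_from_string(raw)
    subjects = msg.get_all("Subject") or []
    tagged = f"{TAG} {subjects[0] if subjects else ''}".strip()
    if subjects:
        # Replaces the first Subject header and keeps its position.
        msg.replace_header("Subject", tagged)
    else:
        msg["Subject"] = tagged
    return msg
```

With the buggy variant a client that reads the first Subject header still shows the empty one, which matches the behaviour the entry describes.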

Access to admin GUI via reverse proxy
In the previous releases of the 5.0 series, you may have encountered problems when accessing the administration GUI via reverse
proxy. Both JavaScript features and layout were affected.

Removed mistaken mail notifications with FTP/SCP backup

Minor bugfixes and improvements

5.0-1-1

SNAT in LAN and RAS interfaces
The SNAT option was ignored on firewall policy rules in LAN and RAS interfaces.

Mail server connection limit by IP
The maximum number of concurrent connections per IP is now configurable. The parameter has been introduced in 5.0-1.0.


