We are happy to announce a new release of CipherMail Webmail Messenger.
This release brings full IPv6 support, improved system configuration
with Ansible, custom password policies, and HTML support in encrypted
PDFs. We've also made some changes under the hood and fixed a few bugs.
You are advised to create a backup and practise the upgrade before
performing the upgrade on any production system.
Customers with an active subscription can upgrade their CipherMail
Webmail installations using the CipherMail Console menu, or with
'$ sudo dnf update' on the command line. New virtual appliance images
and package archives for offline installations can be obtained through
the support portal: https://support.ciphermail.com/user/downloads
Customers with a CipherMail Webmail high-availability cluster are
advised to upgrade their cluster one node at a time. More information
about cluster upgrades can be found on our documentation website:
https://www.ciphermail.com/documentation/cluster-administration-guide/clust…
CipherMail Webmail Messenger 4.1.3 release notes:
**SECURITY fixes**
- The portal password policy functionality has been redesigned. A
complex password policy can now be configured. The default portal
password policy is set to require at least 8 characters. This is in
accordance with the latest NIST password guidelines. The old "Min
Password Strength" option has been removed. If "Min Password
Strength" was set to a custom value, please make sure to revisit
this configuration.
- Control characters and null characters now get removed from log
output and subject headers. Because headers can be encoded (for
example with base64), null values and control characters can be
added to the subject and other parts of the message. Because of a
bug in the Java wrapper, logging a null character can temporarily
stop log output.
- Roundcube updated to 1.4.12.
**New features**
- Full IPv6 support. CipherMail products are now fully functional and
supported in IPv4-only, dual-stack and IPv6-only networks. This
includes cluster setups.
- More configuration can now be managed with Ansible: system timezone,
authorized SSH keys, GRUB, serial console, IPv6 support, DHCPv6
client, passwordless sudo, custom Postfix options, additional
trusted CA certificates and secure syslog forwarding.
- HTML email is now fully supported with PDF encryption. The PDF
document will have similar-looking markup as the original HTML
message. Inline images inside the email also end up in the PDF
document. The PDF file is created from a configurable template and
can be modified to match the corporate identity.
**Technical changes**
- The default playbook execution has changed. The new default is to
execute the playbook only against the local machine. Any inventory
changes you've made are now automatically synchronized to any other
cluster nodes, and will be applied once the playbook is started on
those hosts as well. This happens automatically on every CipherMail
package update. You can run the playbook against all inventory hosts
using the `--all-hosts` flag.
- Each Ansible play is now executed against one host at a time.
Running the whole playbook now takes longer when managing a
CipherMail cluster, but this prevents situations where a failure in
the playbook affects the whole cluster.
- The Dovecot configuration is now completely templated.
- If a valid database connection cannot be established, the back-end
service will now keep trying indefinitely.
- When a database connection is retrieved from the database pool, a
check is done to verify whether the database connection is valid.
- We've added non-strict email address checking functions to
EmailAddressUtils. Not all email addresses used in practice are
valid according to RFC 2822. For example, email addresses are not
allowed to end with a full stop. In practice however, most mail
servers accept email addresses ending with that character. In
situations where email checking is not required to be strict, the
full stop will not be treated as an error.
- Because the password policy is now configurable, the portal pages
where the password can be configured no longer show the password
policy. A "password policy URL" option has been added which can
point to a self-hosted page that can explain the configured password
policy.
- Ansible playbook execution now utilizes SSH connection pipelining,
reducing execution times by some 40%.
- All (feemarker) templates are now validated when saved. This
requires that the template is safe for null values, i.e., if a
variable is null, the variable should expand to a default value or
not be used.
- All supplied (freemarker) templates are now null-value safe.
- PDF email templates now contain an alternative HTML part. Some parts
of the PDF email templates can be modified (for example the logo URL
and footer) without having to completely rewrite the template.
- Add `!syslog` and `!pam_session` to the default sudo setting for the
back-end user to stop logging unnecessary messages to
/var/log/messages.
- Remove deprecated SHA-1 admin password encoding. If the admin
password was set in version <= 2.8.6 and the password was never
changed, you need to reset your admin password.
**Bug fixes**
- MariaDB Galera cluster instance startup will now be delayed until
the host is online (that is, the network-online systemd target has
been reached). This prevents a situation where MariaDB would have to
be manually restarted after a host reboot.
- CipherMail MPA and web logs were correctly saved by rsyslog, but
were inadvertently excluded from syslog forwarding. This has been
resolved.
- The Dovecot configuration could fail in some non-cluster
configurations.
- Fix PAM lockout. Clicking the apply button on the 'Administrators'
page caused the application to disable PAM logins, potentially
locking out all administrators.
- DNS settings were not configured on RHEL 8.
- The Azure image would start with network configuration for both
classic interface names and the new, systemd-style predictable
interface names. Microsoft discourages use of the latter on Azure.
We have modified our image building process so that only classic
interface names are used for Azure images.
- The DigitalOcean image would start with network configuration for
both classic interface names and the new, systemd-style predictable
interface names. Predictable interface names actually work well on
DigitalOcean. We have modified our image building process so that
only predictable interface names are used for DigitalOcean images,
just like our non-cloud images.
- Restarting the back end from the web interface resulted in a
stopped back end, i.e., the back end was not started again.
--
Imre Jonk
System Administrator
CipherMail B.V.
We are happy to announce a new release of CipherMail Email
Encryption Gateway. This release brings full IPv6 support, improved
system configuration with Ansible, a feature that allows the sender to
specify the PDF encryption password in the subject line, custom
password policies, HTML support in encrypted PDFs, and support for
PostgreSQL 14. We've also made some changes under the hood and fixed a
few bugs.
Users of the Community Edition can find new distribution packages here:
https://www.ciphermail.com/downloads-gateway-distributions.html
Virtual appliance images are also available for download:
https://www.ciphermail.com/downloads-virtual-appliance.html
You are advised to create a backup and practise the upgrade before
performing the upgrade on any production system. The full upgrade
procedure can be found here:
https://www.ciphermail.com/documentation/gateway-installation-guide/upgrade…
Customers with an active subscription can upgrade their CipherMail
Gateway installations using the CipherMail Console menu, or with
'$ sudo dnf update' on the command line. New virtual appliance images
and package archives for offline installations can be obtained through
the support portal: https://support.ciphermail.com/user/downloads
Customers with a CipherMail Gateway high-availability cluster are
advised to upgrade their cluster one node at a time. More information
about cluster upgrades can be found on our documentation website:
https://www.ciphermail.com/documentation/cluster-administration-guide/clust…
CipherMail Email Encryption Gateway 5.1.3 release notes:
**SECURITY fixes**
- The portal password policy functionality has been redesigned. A
complex password policy can now be configured. The default portal
password policy is set to require at least 8 characters. This is in
accordance with the latest NIST password guidelines. The old "Min
Password Strength" option has been removed. If "Min Password
Strength" was set to a custom value, please make sure to revisit
this configuration.
- Control characters and null characters now get removed from log
output and subject headers. Because headers can be encoded (for
example with base64), null values and control characters can be
added to the subject and other parts of the message. Because of a
bug in the Java wrapper, logging a null character can temporarily
stop log output.
**New features**
- Full IPv6 support. CipherMail products are now fully functional and
supported in IPv4-only, dual-stack and IPv6-only networks. This
includes cluster setups.
- More configuration can now be managed with Ansible: system timezone,
authorized SSH keys, GRUB, serial console, IPv6 support, DHCPv6
client, passwordless sudo, custom Postfix options, additional
trusted CA certificates and secure syslog forwarding. [PRO/ENT]
- A new option called 'Subject Password Trigger' allows the sender to
specify a password on the email subject line. The password is
extracted from the subject line and is then used to encrypt the
email using PDF encryption. To prevent the sender from selecting a
weak password, a password policy can be defined. If the password is
not strong enough, the email will not be sent and the sender will be
notified.
- HTML email is now fully supported with PDF encryption. The PDF
document will have similar-looking markup as the original HTML
message. Inline images inside the email also end up in the PDF
document. The PDF file is created from a configurable template and
can be modified to match the corporate identity. [PRO/ENT]
- Support for SCRAM authentication with PostgreSQL 14. The Postgres
JDB library was updated to 42.2.24 in order for this to work.
- P12Tool (previously PfxTool) now has a renew function.
**Technical changes**
- The default playbook execution has changed. The new default is to
execute the playbook only against the local machine. Any inventory
changes you've made are now automatically synchronized to any other
cluster nodes, and will be applied once the playbook is started on
those hosts as well. This happens automatically on every CipherMail
package update. You can run the playbook against all inventory hosts
using the `--all-hosts` flag.
- Each Ansible play is now executed against one host at a time when
executing the playbook against all inventory hosts. Running the
whole playbook now takes longer when managing a CipherMail cluster,
but this prevents situations where a failure in the playbook affects
the whole cluster. [PRO/ENT]
- If a valid database connection cannot be established, the back-end
service will now keep trying indefinitely.
- When a database connection is retrieved from the database pool, a
check is done to verify whether the database connection is valid.
- We've added non-strict email address checking functions to
EmailAddressUtils. Not all email addresses used in practice are
valid according to RFC 2822. For example, email addresses are not
allowed to end with a full stop. In practice however, most mail
servers accept email addresses ending with that character. In
situations where email checking is not required to be strict, the
full stop will not be treated as an error.
- Because the password policy is now configurable, the portal pages
where the password can be configured no longer show the password
policy. A "password policy URL" option has been added which can
point to a self-hosted page that can explain the configured password
policy.
- Ansible playbook execution now utilizes SSH connection pipelining,
reducing execution times by some 40%. [PRO/ENT]
- All (feemarker) templates are now validated when saved. This
requires that the template is safe for null values, i.e., if a
variable is null, the variable should expand to a default value or
not be used.
- All supplied (freemarker) templates are now null-value safe.
- Add `!syslog` and `!pam_session` to the default sudo setting for the
back-end user to stop logging unnecessary messages to
/var/log/messages.
- Remove deprecated SHA-1 admin password encoding. If the admin
password was set in version <= 2.8.6 and the password was never
changed, you need to reset your admin password.
- New portal passwords are now encoded with the bcrypt password
hashing algorithm.
- Convert 8bit MIME parts to 7bit before S/MIME or PGP signing. This
makes it easier to create email templates because the templates no
longer need to be quoted-printable encoded.
- PDF email templates now contain an alternative HTML part. Some parts
of the PDF email templates can be modified (for example the logo URL
and footer) without having to completely rewrite the template.
- Minor changes: system library updates, PfxTool renamed to P12Tool,
P12Tool now uses long arguments.
- The script which is used to set the hostname, should only add a
localhost entry to /etc/hosts if there is no forward lookup for the
hostname.
- cm-cluster-control command line tool have been replaced by
cm-cluster-manage [PRO/ENT]
**Bug fixes**
- MariaDB Galera cluster instance startup will now be delayed until
the host is online (that is, the network-online systemd target has
been reached). This prevents a situation where MariaDB would have to
be manually restarted after a host reboot. [PRO/ENT]
- CipherMail MPA and web logs were correctly saved by rsyslog, but
were inadvertently excluded from syslog forwarding. This has been
resolved.
- Fix PAM lockout. Clicking the apply button on the 'Administrators'
page caused the application to disable PAM logins, potentially
locking out all administrators.
- The default PGP key server is now set to keys.openpgp.org because
the old key server (ha.pool.sks-keyservers.net) is no longer active.
- DNS settings were not configured on RHEL 8. [PRO/ENT]
- The Azure image would start with network configuration for both
classic interface names and the new, systemd-style predictable
interface names. Microsoft discourages use of the latter on Azure.
We have modified our image building process so that only classic
interface names are used for Azure images.
- The DigitalOcean image would start with network configuration for
both classic interface names and the new, systemd-style predictable
interface names. Predictable interface names actually work well on
DigitalOcean. We have modified our image building process so that
only predictable interface names are used for DigitalOcean images,
just like our non-cloud images.
- Restarting the back end from the web interface resulted in a
stopped back end, i.e., the back end was not started again.
--
Imre Jonk
System Administrator
CipherMail B.V.
