We are happy to announce a new release of CipherMail Webmail Messenger.
The virtual appliance images in this release are based on RHEL 8.
NOTE: this release is signed with our new signing key
0x2DBD8E4AB2C1485AE00194E8704B4819C58C56D3. This key has been signed by
our old key.
CipherMail Webmail Messenger 4.0.1 release notes:
- The TLS settings used by Postfix now exclude configurations that are
deemed insufficient by NCSC-NL, like the SSLv3 protocol and RC4
encryption algorithm. Ref: NCSC-NL TLS Guidelines
- Patched JQuery 1.12.4 to fix all open security issues.
- PAM authentication added to the administrative web interface.
Administrators can now log in with their Unix credentials. PAM
authentication can be disabled from the Admin page (after logging in)
or by adding the properties file conf/ciphermail-
webmail.properties.d/disable-pam.properties with content
- The virtual appliance is now based on RHEL 8.
- CipherMail core packages (ciphermail-webmail, ciphermail-webmail-web)
now require the ciphermail-core-os package. There are two packages that
provide the new ciphermail-core-os dependency: ciphermail-core-os-no-
deps and ciphermail-core-os-rhel8. When installing on RHEL 8 or CentOS
Stream 8, use ciphermail-core-os-rhel8. In other cases use ciphermail-
- The back-end log file is now written to /var/log/ciphermail-webmail-
- The front-end log file is now written to /var/log/ciphermail-webmail-
- The Unix domain socket /var/opt/ciphermail/run/postfix/cm-postfix-
socketmap.socket:authorized-recipients was moved to /run/ciphermail/cm-
postfix-socketmap.socket:authorized-recipients. This requires changes
to Postix main.cf (rc_reply_recipient_restrictions setting). The update
script will do this automatically for you.
- A default built-in administrative user is no longer created on first
start. Administrators should log in with their Unix account after which
they can configure a built-in administrative user if needed.
- The IP filter properties file was moved from /etc/djigzo/ip-
filter.properties to /etc/ciphermail/ip-filter/ip-filter.properties.
This required changes to the administrative web interface and console
- Replaced service commands with systemctl in all scripts. The back end
should now be started with systemctl restart ciphermail-webmail-backend
and the front end should be started with systemctl restart ciphermail-
- The graphs to show on the admin homepage are now read from a json
- Unix domain sockets are now placed in /run/ciphermail which is auto-
created by the systemd service.
- The Unix domain socket /usr/share/ciphermail-webmail/var/ciphermail-
dict:ciphermail was moved to /run/ciphermail/ciphermail-
- ciphermail-dict group renamed to cm-dovecot.
- The restore function of the backup page is now only enabled if the
user is logged in via PAM. i.e., with a Unix account. The additional
system password field for restoring has been removed.
- Files from the application directory are now by default owned by
root. Files and directories that should be owned by the back-end user
- There is now only one build of the console app which is shared by the
gateway and webmail messenger.
- The Certbot manage script could no longer detect whether or not a
Let's Encrypt certificate was available or not because the text
returned by Certbot was changed. We now check whether the dir
/etc/letsencrypt/live/ciphermail exists or not.
- Some password fields are now configured with autocomplete="new-
password" to prevent autofilling.
CipherMail email encryption
Email encryption with support for S/MIME,
OpenPGP, PDF encryption and Webmail Messenger.
T: +31 20 290 00 88