We are happy to announce a new release of CipherMail Webmail Messenger.
The virtual appliance images in this release are based on RHEL 8.
NOTE: this release is signed with our new signing key
0x2DBD8E4AB2C1485AE00194E8704B4819C58C56D3. This key has been signed by
our old key.
CipherMail Webmail Messenger 4.0.1 release notes:
**SECURITY fixes**
- The TLS settings used by Postfix now exclude configurations that are
deemed insufficient by NCSC-NL, like the SSLv3 protocol and RC4
encryption algorithm. Ref: NCSC-NL TLS Guidelines
- Patched jQuery 1.12.4 to fix all open security issues.
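
A post-upgrade check for the Postfix TLS item above, as an added example that is not part of the release notes or CipherMail's code: it reads `postconf`-style lines and flags any `smtp`/`smtpd` protocol list that still permits SSLv3 and any `exclude_ciphers` list that does not name RC4. The function name and sample values are constructed, and the RC4 check assumes RC4 is excluded through `exclude_ciphers` rather than through a cipher list.

```shell
# Added example, not CipherMail code. Reads postconf-style "name = value"
# lines on stdin, prints one FLAG line per finding, exits 1 if any.
# Assumed live use:  postconf | audit_postfix_tls
audit_postfix_tls() {
    awk '
    # 1 if a Postfix protocol list still permits SSLv3, else 0.
    function sslv3_allowed(v,   n, t, i, p, excl, incl, other, lo) {
        n = split(v, t, /[ ,:\t]+/)
        for (i = 1; i <= n; i++) {
            p = tolower(t[i])
            if (p == "") continue
            if (p == "!sslv3") excl = 1          # explicit exclusion
            else if (p == "sslv3") incl = 1      # explicit inclusion
            else if (p ~ /^>=tls/) lo = 1        # lower bound above SSLv3
            else if (p !~ /^[!<>]/) other = 1    # allow-list of other versions
        }
        if (excl) return 0
        if (incl) return 1
        return !(other || lo)                    # only exclusions: rest stays on
    }
    # 1 if an exclude_ciphers list names RC4, else 0.
    function excludes_rc4(v,   n, t, i) {
        n = split(v, t, /[ ,:\t]+/)
        for (i = 1; i <= n; i++) if (tolower(t[i]) == "rc4") return 1
        return 0
    }
    {
        eq = index($0, "=")
        if (eq == 0) next
        name = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/[ \t]/, "", name)
        if (name ~ /^smtpd?_tls_(mandatory_)?protocols$/ && sslv3_allowed(val)) {
            print "FLAG " name ": SSLv3 not excluded"; bad = 1
        }
        if (name ~ /^smtpd?_tls_exclude_ciphers$/ && !excludes_rc4(val)) {
            print "FLAG " name ": RC4 not excluded"; bad = 1
        }
    }
    END { exit bad + 0 }'
}

# Constructed sample inputs (not taken from a CipherMail appliance).
WEAK_SAMPLE='smtpd_tls_protocols = !SSLv2
smtpd_tls_exclude_ciphers = aNULL, MD5
smtp_tls_exclude_ciphers = aNULL, RC4'
HARDENED_SAMPLE='smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = >=TLSv1.2
smtpd_tls_exclude_ciphers = aNULL, RC4'
printf '%s\n' "$WEAK_SAMPLE" | audit_postfix_tls || true
```
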
**New features**
- PAM authentication added to the administrative web interface.
Administrators can now log in with their Unix credentials. PAM
authentication can be disabled from the Admin page (after logging in)
or by adding the properties file
conf/ciphermail-webmail.properties.d/disable-pam.properties with content
pam.enabled=false.
**Technical changes**
- The virtual appliance is now based on RHEL 8.
- CipherMail core packages (ciphermail-webmail, ciphermail-webmail-web)
now require the ciphermail-core-os package. There are two packages that
provide the new ciphermail-core-os dependency:
ciphermail-core-os-no-deps and ciphermail-core-os-rhel8. When installing
on RHEL 8 or CentOS Stream 8, use ciphermail-core-os-rhel8. In other
cases use ciphermail-core-os-no-deps.
- The back-end log file is now written to
/var/log/ciphermail-webmail-backend.log.
- The front-end log file is now written to
/var/log/ciphermail-webmail-frontend.log.
- The Unix domain socket
/var/opt/ciphermail/run/postfix/cm-postfix-socketmap.socket:authorized-recipients
was moved to
/run/ciphermail/cm-postfix-socketmap.socket:authorized-recipients.
This requires changes to Postfix main.cf (rc_reply_recipient_restrictions
setting). The update script will do this automatically for you.
- A default built-in administrative user is no longer created on first
start. Administrators should log in with their Unix account after which
they can configure a built-in administrative user if needed.
- The IP filter properties file was moved from
/etc/djigzo/ip-filter.properties to
/etc/ciphermail/ip-filter/ip-filter.properties.
This required changes to the administrative web interface and console
module.
- Replaced service commands with systemctl in all scripts. The back end
should now be started with systemctl restart ciphermail-webmail-backend
and the front end should be started with
systemctl restart ciphermail-webmail-frontend.
- The graphs to show on the admin homepage are now read from a JSON
file.
- Unix domain sockets are now placed in /run/ciphermail which is
auto-created by the systemd service.
- The Unix domain socket
/usr/share/ciphermail-webmail/var/ciphermail-dict:ciphermail was moved
to /run/ciphermail/ciphermail-dict:ciphermail.
- ciphermail-dict group renamed to cm-dovecot.
- The restore function of the backup page is now only enabled if the
user is logged in via PAM, i.e., with a Unix account. The additional
system password field for restoring has been removed.
- Files from the application directory are now by default owned by
root. Files and directories that should be owned by the back-end user
are excluded.
- There is now only one build of the console app which is shared by the
gateway and webmail messenger.
**Bug fixes**
- The Certbot manage script could no longer detect whether a
Let's Encrypt certificate was available because the text
returned by Certbot was changed. We now check whether the directory
/etc/letsencrypt/live/ciphermail exists.
**Miscellaneous**
- Some password fields are now configured with
autocomplete="new-password" to prevent autofilling.
--
Imre Jonk
System Administrator
CipherMail email encryption
Email encryption with support for S/MIME,
OpenPGP, PDF encryption and Webmail Messenger.
W: https://www.ciphermail.com/
E: info(a)ciphermail.com
T: +31 20 290 00 88