We are happy to announce a new minor release of CipherMail Webmail
Messenger. This release ends the support for Webmail 4.1.x
installations and we encourage everyone to update their systems in a
timely manner. This release fixes a few bugs and a security issue and
brings more control over your Webmail installation with Nagios/Icinga
monitoring scripts and improved Ansible playbooks.
You are advised to create a backup before performing the update on any
production system. The full update procedure can be found here:
You can update your CipherMail Webmail installations using the
CipherMail Console menu, or with '$ sudo dnf update' on the command
line. New virtual appliance images and package archives for offline
installation can be obtained through the support portal:
Customers with a CipherMail Gateway high-availability cluster are
advised to update their cluster one node at a time. More information
about cluster updates can be found on our documentation website:
CipherMail Webmail Messenger 4.2.1 release notes:
- CVE-2022-28218: The secret keys used by the Roundcube installation
were inadequately protected, allowing a local attacker to circumvent
two-factor authentication and possibly decrypt passwords. The secret
keys will be automatically rotated after applying this update. This
forces all users to log in again.
- It is now possible to enable HTML message viewing and editing using
Ansible. HTML mail is disabled by default in Webmail Messenger for
- The inactivity timeout of the administrative web interface can now
be configured with Ansible.
- If an error occurs during Ansible playbook execution, the error will
now be logged. A warning will also be shown in the administrative
- Nagios/Icinga check scripts are now provided for use with the
CipherMail monitoring endpoints.
- Add support for monitoring MariaDB.
- The Roundcube configuration is now managed with Ansible.
- Upgrade log4j from version 1.2.15 to 2.17.1. Because of changes to
log4j the logger levels can no longer be managed from the
administrative web interface. We therefore removed this option. Log
levels should now be set in conf/log4j2.xml. Changing the log level
does not require a restart because the change will be applied
automatically after 60 seconds.
- Use the configured webmail logo as the favicon for the user portal.
- Add HTML alternative part to the sign-up and new mail email
- Update Roundcube to 1.4.13.
- Remove CipherMail Console log directory.
- Update dependencies: update jquery to 3.6.0, update HTTP client to
5.1.3, update cxf to 3.3.13, update XML sec to 2.1.7, update jasypt
to 1.9.3, update wss4j to 2.2.7, update netty to 4.1.75, update
spring to 5.3.18, update activeMQ to 5.16.0, update libphonenumber
- Make console script crash-proof, i.e., fallback to shell if console
- Fixed downloading of multiple Webmail messages using a zip archive,
which was broken since the 4.0 release.
- Fixed Roundcube logging, which was broken since the 4.0 release.
- Fixed an Ansible playbook warning regarding authorized SSH keys.
- The Webmail footer used to overflow edit fields when the screen size
was too small.
IT Automation Engineer