We are happy to announce a new release of the CipherMail Email
Encryption Gateway. The virtual appliance images in this release are
based on RHEL 8 and CentOS Stream 8.
NOTE: this release is signed with our new signing key
0x2DBD8E4AB2C1485AE00194E8704B4819C58C56D3. This key has been signed by
our old key.
CipherMail Email Encryption Gateway 5.0.2 release notes:
**SECURITY fixes**
- The TLS settings used by Postfix now exclude configurations that are
deemed insufficient by NCSC-NL, like the SSLv3 protocol and RC4
encryption algorithm. Ref: NCSC-NL TLS Guidelines
- Patched jQuery 1.12.4 to fix all open security issues.
**New features**
- PAM authentication added to the administrative web interface.
Administrators can now log in with their Unix credentials. PAM
authentication can be disabled from the Admin page (after logging in)
or by adding the properties file
conf/djigzo.properties.d/disable-pam.properties with content
pam.enabled=false.
**Technical changes**
- The enterprise virtual appliance is now based on RHEL 8. [PRO/ENT]
- The community virtual appliance is now based on CentOS Stream 8.
- CipherMail core packages (djigzo, djigzo-web) now require the
ciphermail-core-os package. There are two packages that provide the new
ciphermail-core-os dependency: ciphermail-core-os-no-deps and
ciphermail-core-os-rhel8. When installing on RHEL 8 or CentOS Stream 8,
you should use ciphermail-core-os-rhel8. In other cases, use
ciphermail-core-os-no-deps.
- The back-end log file is now written to
/var/log/ciphermail-gateway-backend.log.
- The front-end log file is now written to
/var/log/ciphermail-webmail-frontend.log.
- A default built-in administrative user is no longer created on first
start. Administrators should log in with their Unix account after which
they can configure new administrative users if needed.
- The IP filter properties file (for the Web GUI) was moved from
/etc/djigzo/ip-filter.properties to
/etc/ciphermail/ip-filter/ip-filter.properties.
- Replaced service commands with systemctl in all scripts. The back-end
should now be started with systemctl restart ciphermail-gateway-backend
and the front-end should be started with
systemctl restart ciphermail-gateway-frontend.
- The graphs to show on the admin homepage are now read from a JSON
file. [PRO/ENT]
- Add option to import/export root certificates with the CertStore tool
(use --root-store option).
- The Fetchmail service is no longer enabled by default.
- The restore function of the backup page is now only enabled if the
user is logged in via PAM, i.e., with a Unix account. The additional
system password field for restoring has been removed.
- Files from the application directory are now by default owned by
root. Files and directories that should be owned by the back-end user
are excluded.
- There is now only one build of the console app which is shared by the
gateway and webmail messenger.
**Bug fixes**
- The Certbot manage script could no longer detect whether a
Let's Encrypt certificate was available because the text
returned by Certbot was changed. We now check whether the directory
/etc/letsencrypt/live/ciphermail exists. [PRO/ENT]
- Fix PGP key expiration logic. If a key signature has no expiration
date and is the most recent signature, the key should never expire even
if there are older signatures that expire.
**Miscellaneous**
- Some password fields are now configured with
autocomplete="new-password" to prevent autofilling.
Kind regards,
--
Imre Jonk
System Administrator
CipherMail email encryption
Email encryption with support for S/MIME,
OpenPGP, PDF encryption and Webmail Messenger.
W: https://www.ciphermail.com/
E: info(a)ciphermail.com
T: +31 20 290 00 88
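
The PGP key expiration rule from the bug fixes above, written out as an added example; this is not CipherMail's code. The `SelfSignature` model, the function names and the sample key are assumptions made for illustration, and the signatures are assumed to be already verified.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Hypothetical model of a verified self-signature on an OpenPGP key.
@dataclass(frozen=True)
class SelfSignature:
    created: datetime                  # signature creation time
    key_lifetime: Optional[timedelta]  # key expiration offset from key creation;
                                       # None or zero means "no expiration date"

def key_expiry(key_created: datetime,
               signatures: List[SelfSignature]) -> Optional[datetime]:
    """Rule from the release note: only the most recent signature decides.
    Returns the expiry time, or None if the key never expires."""
    if not signatures:
        return None
    latest = max(signatures, key=lambda s: s.created)
    if not latest.key_lifetime:        # absent or zero: never expires
        return None
    return key_created + latest.key_lifetime

def naive_key_expiry(key_created: datetime,
                     signatures: List[SelfSignature]) -> Optional[datetime]:
    """Hypothetical faulty variant for contrast: lets any older signature
    that carries an expiration date expire the key."""
    expiries = [key_created + s.key_lifetime
                for s in signatures if s.key_lifetime]
    return min(expiries) if expiries else None

def is_expired(expiry: Optional[datetime], now: datetime) -> bool:
    return expiry is not None and now >= expiry

# Constructed sample: the first signature expires the key after one year,
# a later signature removes the expiration date.
UTC = timezone.utc
KEY_CREATED = datetime(2019, 1, 1, tzinfo=UTC)
SIGNATURES = [
    SelfSignature(datetime(2019, 1, 1, tzinfo=UTC), timedelta(days=365)),
    SelfSignature(datetime(2019, 12, 1, tzinfo=UTC), None),
]
NOW = datetime(2021, 6, 1, tzinfo=UTC)

if __name__ == "__main__":
    for fn in (key_expiry, naive_key_expiry):
        expiry = fn(KEY_CREATED, SIGNATURES)
        print(fn.__name__, expiry, "expired" if is_expired(expiry, NOW) else "valid")
```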