Release Notes CPS 7.0.4
Collax Platform Server
16.03.2017
Installation Notes
Update Instructions
To install this update, follow these steps:
Procedure
- It is highly recommended to back up all server data with the Collax backup system before proceeding. Check that the backup was successful before proceeding with the update (this can be done within the backup information email).
- In the administration interface go to System → System Operation → Software → System Update and press Get Package List. This will download the listed update packages. If successful the message Done! will be displayed on the screen.
- Click Get Packages to download the update packages.
- Click Install. This installs the update. The end of this process is indicated by the message Done!.
- A new kernel will now be installed. The system will reboot automatically after installing the update. An appropriate note will be shown if the update process is completed.
New in this Version
Security: System Security
The new Collax V7 Server is a system which is almost 100% (97%) deterministic/reproducible. The Collax build system guarantees that binary files and system packages (.deb) are built deterministically. All Collax Servers are hardened to reduce the vulnerability and secure the system.
Security: Improved Protection for ssh Denial-Of-Service Attacks
With this update the protection of ssh against Denial-of-Service (DoS) and brute-force attacks has been improved. The new function makes it possible to ban the IP address of an offender after a certain number of login attempts.
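The ban-after-N-attempts logic described above can be illustrated with a sliding-window counter over sshd log lines. This is an added example, not Collax code: the threshold, the window length and the sample log are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy: the release notes only say "a certain number of login attempts".
MAX_ATTEMPTS = 3
WINDOW = timedelta(minutes=10)

# OpenSSH "Failed password" syslog line, for known and invalid users alike.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Mar 16 10:00:01 gw sshd[811]: Failed password for root from 203.0.113.9 port 40112 ssh2
Mar 16 10:00:03 gw sshd[811]: Failed password for root from 203.0.113.9 port 40112 ssh2
Mar 16 10:00:04 gw sshd[812]: Accepted password for admin from 192.168.10.5 port 51122 ssh2
Mar 16 10:00:09 gw sshd[813]: Failed password for invalid user test from 203.0.113.9 port 40120 ssh2
Mar 16 10:01:00 gw sshd[820]: Failed password for admin from 198.51.100.4 port 33001 ssh2
Mar 16 10:20:00 gw sshd[821]: Failed password for admin from 198.51.100.4 port 33002 ssh2
Mar 16 10:40:00 gw sshd[822]: Failed password for admin from 198.51.100.4 port 33003 ssh2
"""


def parse_failures(lines, year=2017):
    """Yield (timestamp, source IP) for every failed password attempt."""
    for line in lines:
        m = FAILED.match(line)
        if m:
            # Syslog timestamps carry no year, so the caller supplies it.
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def ban_decisions(lines, max_attempts=MAX_ATTEMPTS, window=WINDOW):
    """Return {ip: time of the attempt that triggered the ban}."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    banned = {}
    for ts, ip in parse_failures(lines):
        if ip in banned:
            continue
        attempts = recent[ip]
        attempts.append(ts)
        # Drop attempts that have aged out of the sliding window.
        while ts - attempts[0] > window:
            attempts.popleft()
        if len(attempts) >= max_attempts:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in ban_decisions(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} (threshold reached at {when})")
```

With the assumed values, the address with three failures inside ten minutes is banned, while the one with three failures spread over forty minutes is not; the window length decides how slow an attempt rate goes unnoticed.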
Security: Linux Kernel 4.4.50
Collax Server 7 is based on the long-term support (LTS) Kernel 4.4. It provides better hardware support and more security fixes and is supported until February 2018.
Security: Important security relevant System Components
This update will also install/update the following important system components:
- zlib1g 1.2.11
- libgd2 2.2.4
- libpng3 1.6.27
- kernel 4.4.50
- gnutls 3.3.26
- openssl 1.0.2k
- socat 1.7.3.1
- bind 9.9.9.6
- curl 7.52.1
- ntpd 4.2.8p9
- openssh 7.4p1
- samba 4.3.13
- squid 3.5.24
- vim 8.0.329
Security: Amavis - Filter engine and Virus notification
AMaViS (A Mail Virus Scanner) is a high-performance and reliable interface between the mailer (MTA) and one or more virus scanners. The inspection of emails will now result in a more detailed description of the virus and the scan engine used in the virus notification email and the system logfile.
GUI: GUI-Design
With this update the web interface is improved and more detailed, based on the recommendation from Google and the tenets and specifics of Material Design.
GUI: Network Groups
Within this release network groups can be used. Network groups offer a new configuration approach. In the past, permissions were configured using the user groups, and network and service permissions were combined in one group. From now on network groups are created and can be used separately. All services on the Collax Server whose permissions are assigned exclusively on the basis of an IP address from now on use network groups. If a permission is set, the respective network port is opened in the firewall for the associated networks or hosts.
GUI: Transparent user and network permissions
Within this release permissions for users and permissions for networks are differentiated. So there are user groups and network groups from now on. A number of network groups are created by default. The Internet group contains the “Internet” network as member, i.e. all IP addresses outside the local network ranges. Thus, all permissions granted over this network group apply to all computers anywhere on the Internet.
GUI: Host-Elements
There are various input boxes where IP addresses have been used in the previous version. Within this release the usage of IP addresses has been renewed. Collax Server V7 now uses host-elements. The term “host” refers to individual computers that are known to the Server. A host as an existing element is needed for various settings regarding the services. Host-elements replace the input boxes for IP addresses.
GUI: Clean-up form history, wizards and popups
In the dialog “Clean-up” in the menu Status->Toolbox->Clean-up it is possible to remove the browser data saved by the GUI. This covers the form history, wizards and the form popups.
Authentication: Status of Active Directory Integration
Within this update the integration of Collax Servers into Active Directory environments has been extended. An additional field with extended runtime information is displayed. For this, the Active Directory proxy must be activated. Information regarding the connected Domain Controller (DC) and other useful information is displayed.
Authentication: Importable Active Directory Groups
For groups from the Active Directory management to be displayed, the system must have joined an Active Directory as member, and the Active Directory proxy must be activated on the system. The listed group can be integrated in the local policies after these have been included in the management. The users of the AD groups will continue to be managed via the Active Directory and are not part of the local system. Within this release some improvements have been implemented.
Authentication: Synchronisation with Active Directory
Until now, the synchronisation of directory objects in Active Directory (AD) environments stopped when the Domain Controller wasn’t reachable during a configuration activation. The synchronisation worked only after a restart of the service or another config activation. The behaviour has been improved within this release through frequent runtime checks of whether the server is reachable again.
Collax Communication: Allow embedding of the sent PDF in send notifications
Within this release it is possible to allow embedding of the sent PDF in send notifications.
Collax Net Security: Firewall Matrix
The firewall matrix is a visual representation of the integrated firewall. From this version on, the matrix can exclusively be used for network groups instead of networks. The upside of using network groups instead of networks is a better grouping and better view of the ruleset. Network groups are used for accessing services and are relevant for traversing data packets using the Matrix.
Collax Net Security: Optimized network-stack
Changes in the netlink socket for networking connections have been improved within this release.
Collax Net Security: Host Analysis
The new function “Host Analysis” located under “System -> Network -> Firewall” can be used to determine the netgroups which are responsible for a given host. You can use that information to determine which netgroups need to be configured to allow access to specific services.
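The lookup that Host Analysis performs, together with the “Internet” network group described under “Transparent user and network permissions”, can be modelled in a few lines. This is an added example, not Collax code: the group names, address ranges and service permissions are constructed sample data, and the function names are hypothetical.

```python
import ipaddress

INTERNET = "Internet"  # pseudo-network: every address outside the local ranges

# Constructed sample configuration (not exported from a Collax server).
LOCAL_RANGES = ["192.168.10.0/24", "10.0.0.0/8"]
NETWORK_GROUPS = {
    "LocalNet": ["192.168.10.0/24"],
    "Admins": ["192.168.10.5", "10.1.0.0/16"],
    "Internet": [INTERNET],
}
PERMISSIONS = {  # service -> network groups allowed to reach it
    "ssh": ["Admins"],
    "https-admin": ["Admins", "LocalNet"],
    "smtp": ["LocalNet", "Internet"],
}


def is_local(addr, local_ranges):
    return any(addr in ipaddress.ip_network(r) for r in local_ranges)


def member_matches(member, addr, local_ranges):
    if member == INTERNET:
        # The Internet network is defined by exclusion, not by a prefix.
        return not is_local(addr, local_ranges)
    # A single host is parsed as a /32 network.
    return addr in ipaddress.ip_network(member, strict=False)


def groups_for_host(host, groups=NETWORK_GROUPS, local_ranges=LOCAL_RANGES):
    """Network groups that a given host address falls into."""
    addr = ipaddress.ip_address(host)
    return sorted(
        name for name, members in groups.items()
        if any(member_matches(m, addr, local_ranges) for m in members)
    )


def services_for_host(host, permissions=PERMISSIONS):
    """Services whose port is open for this host via any of its groups."""
    hit = set(groups_for_host(host))
    return sorted(s for s, allowed in permissions.items() if hit & set(allowed))


def internet_exposed(permissions=PERMISSIONS, groups=NETWORK_GROUPS):
    """Services granted to a group that contains the Internet network."""
    open_groups = {n for n, members in groups.items() if INTERNET in members}
    return sorted(s for s, allowed in permissions.items() if open_groups & set(allowed))


if __name__ == "__main__":
    for host in ("192.168.10.5", "10.9.9.9", "203.0.113.7"):
        print(host, groups_for_host(host), services_for_host(host))
    print("reachable from anywhere:", internet_exposed())
```

A host inside a local range that belongs to no group (10.9.9.9 in the sample) gets no services at all, while any permission granted to a group containing the Internet network is reachable from every external address.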
Collax Net Security: IPv6 Support Preparation ready
All services on the new Collax Server platform are prepared for integration into IPv6 networks. The IPv6 support will be completed in a future release.
Collax Net Security: Connection monitoring
The behavior of the “aklinkd” program in some situations has been improved. The service has been rewritten and is now called linkd4.
Collax Net Security: DynDNS behind Router
With dynamic DNS a system with a dynamic IP address can be accessed over a host name provided by a dynamic DNS provider. Within this update it is possible to have dynamic DNS names updated even if the server is behind another router.
Collax Web Security: Web Proxy and Web Proxy Rules
Please note that the rule set in Collax Server V7 is being rewritten. Important: The rewritten rule set should be checked after upgrading the Server.
Collax Web Security: Transparent proxy
The transparent proxy can be activated for the service http. Data packets for destination port 80 will be redirected from the firewall to the web-proxy service. Until now the configuration of the transparent proxy was done using the firewall matrix. Within this release, the transparent proxy is configured through the basic settings of the web-proxy-server under “Services -> Web-Proxy -> Web-Proxy-Server”. By enabling the transparent proxy mode, a DNAT-rule for the service http will be created under “Network -> Firewall -> DNAT/Port Forwarding”.
Collax Web Security: No proxy for these hosts
Through the introduction of host-elements, from now on you can configure proxy exceptions for hosts using the select boxes. This dialogue is located under Services -> Web-Proxy -> Web-Proxy-Server in the Options tab. Here you can select the hosts for which no proxy is to be used.
Collax Web Security: Sequence of filter rules and drag n drop
The dialog for defining filter rules is located under Services -> Web-Proxy -> Rules. A rule determines which URL lists are valid at what times and whether the URLs in the lists are blocked or allowed. The sequence of the rules is governed by different priorities and can from now on be changed easily using a new drag n drop action.
Kopano Groupware: Kopano Core replaces Zarafa Collaboration Platform
With this Collax software update Kopano Core is being implemented. The previous Zarafa Collaboration Platform is going to be replaced. Kopano Core is an enhancement of the Zarafa Collaboration Platform. The specialty is that the change to Kopano Groupware happens automatically so that the administrative effort is very low. Additionally the plugins File with owncloud support and RTC-based webmeetings are implemented. Within this update Kopano Core 8.1.1 is going to be installed. Find more information about Kopano on:
Kopano Core Info and Release Notes
Kopano Groupware: WebApp 3.2.0
With this Collax software update the new version 3.2.0 of Kopano WebApp is going to be installed. Please find details here:
https://documentation.kopano.io
Kopano Groupware: Compatibility to Kopano DeskApp
With this Collax software update the new version Kopano Core 8.1.1 is going to be installed. Please note that this version is compatible with Kopano DeskApp. Find more information about Kopano DeskApp on
Kopano Groupware: Integration of Z-Push for ActiveSync Clients
With this Collax software update the support for ActiveSync Clients by Z-Push is going to be implemented through the Collax administration interface. Outlook 2013 and Outlook 2016 can therefore sync their data via Z-Push.
Kopano Groupware: Z-Push Active-Sync Provisioning policies
With this Collax software update an individual set of policy and security settings can be applied to the Z-Push synchronization process. Find more information about it on:
Kopano Groupware: Kopano Outlook Extension
With this Collax software update the support for ActiveSync Clients by Z-Push is going to be implemented through the Collax administration interface. Outlook 2013 and Outlook 2016 can therefore sync their data via Z-Push. With the additional Kopano OL Extension, some features otherwise missing in Outlook, like reply/forward flags, the global address book (GAB) or out-of-office notifications, are added on top of the regular Outlook.
Kopano Outlook Extension and Client Comparison
Kopano Groupware: Kopano Backup replaces Zarafa Backup Plus
You can back up the mailboxes, tasks, contacts and appointments with the new performance optimized Kopano Backup. It merely serves as a supplement to common backup mechanisms. The Collax integration enables the same administration procedures as before.
Kopano Groupware: Kopano Files-Plug-In
With this Collax software update Kopano Files-Plug-In is being implemented. The plugin boosts your productivity by allowing you to use your existing storage solutions right from the WebApp interface. The function Kopano Files for Teams needs a special licence. Find more information on:
Kopano Groupware: Kopano Webmeetings
With this Collax software update Kopano Webmeetings-Plug-In is being implemented. Meet online with unparalleled video and audio quality, right within WebApp. The function Kopano Webmeetings needs a special licence. Find more information on:
Zarafa Groupware: Outlook-Client Software Zarafa Client
With this Collax software update the Outlook-Client software for Windows zarafaclient-7.2.4-52167.msi is available. To ensure the auto deployment function for the Zarafa clients with Kopano Groupware it is necessary to update the Zarafa Outlook(tm) clients to 7.2.4 before upgrading the Collax server to version 7.0.4.
Kopano Groupware: New version of Z-Push
With this Collax software update, Z-Push 2.3.5 is going to be installed. More information on:
StrongSwan IPsec
From this version StrongSwan 5.5.0 is going to be implemented.
iOS and Android VPN
From this version iPhone L2TP and Android StrongSwan support is going to be implemented. IKEv2 and IKE Config mode improve the setup of VPN connections.
Additional DH-Groups
The Diffie-Hellman method for exchanging keys for VPN connections has been extended. From now on you can use the DH groups 19 - 26 for key exchange (IKE) and data exchange (ESP).
Additional information can be found here.
New IPsec proposal
The predefinition of encryption methods and hash algorithms for VPN connections can be assigned to the desired VPN connections. A new and stronger IPsec proposal has been added to the predefined IPsec proposals.
Additional information can be found here.
System Management: New Supervisor
A new service supervisor for the Collax platform is being implemented. The supervisor manages system processes and services, like monitoring, logging and starting of processes and services.
System Management: Active Monitoring
Within this update the active monitoring (Nagios) is activated by default after installing the system.
Misc: Important System Components
This update will also install/update the following important system components:
- apache2 2.2.31
- php5 5.6.30
- perl5.8 5.22.1
- python 2.7.12
- openssl 1.0.2k
- libc6 2.18
- kernel 4.4.50
- mariadb 10.0.29
- squid 3.5.24
- samba 4.3.13
- bind 9.9.9.6
- dhcpd 4.3.5
- spamassassin 3.4.1
Misc: SSL/TLS Version and local services
For connections to various local services like the web administration service or IMAP, you can now choose the encryption method for SSL/TLS. You can choose either “compatible” or “modern”. Not all clients support modern TLS (TLS 1.2). For compatibility reasons you can therefore still configure weak TLS (TLS 1.0) for older clients.
Misc: SDK Changes
For information regarding changes to the Collax Software Development Kit (SDK) please contact our Product Management.
Add-on Software: New Version of Collax Virus Protection
The virus scanner Collax Virus Protection offers comprehensive antivirus protection for email services. Within this Collax system update the scanner is updated to the newest version.
Add-on Software: New Version of Avira Antivir
The virus scanner Avira Antivir offers comprehensive antivirus protection for email services. Within this Collax system update the scanner is updated to the newest version.
Add-on Software: New Version of Clam-AV
The Open Source virus scanner Clam-AV offers comprehensive antivirus protection for email services. Within this Collax system update the scanner is updated to the newest version.
Hardware: Partition scheme
Within this release new installations get a new partition scheme. A new minimal size should be 16GB and the service partition will be removed.
Hardware: PVSCSI Driver for VMWare
VMware’s PVSCSI SCSI-driver has been added to simplify the installation in VMWare environments. The driver supports VMWare’s para virtualized SCSI HBA.
Hardware: VMCI Driver for VMWare
VMware’s Virtual Machine Communication Interface drivers have been added to simplify the installation in VMWare environments. The driver enables high-speed communication through the VMCI-device.
Hardware: Microsoft Hyper-V-Support
Microsoft’s Hyper-V Linux Integration Services drivers have been added to simplify the installation in Microsoft Hyper-V environments. The driver enables high-speed communication through the VMBus-network-controller and the SCSI-controller.
Hardware: Additional hardware support for NVMe-devices
This update brings support for NVM Express (NVMe) Devices.
Issues Fixed in this Version
Backup/Restore: Backup Target Server changed to fake FQDN
After the upgrade the backup target server setting had been changed to a wrong FQDN. In this case, the backup job couldn’t proceed successfully. With this version, the backup target server is going to be changed preferably to the IP address originally set. Thereafter the backup jobs can proceed correctly.
GUI: Revoke certificates
Using the action “Revoke Certificates” the certificate is deleted and entered in the CRL (Certificate Revocation List) for the CA. From this time on, the certificate is blocked on the Collax server. The GUI output details shown at this point were too small. With this release the output is maximized to the user’s screen view.
GUI: Intranet Wizard
The configuration of the Intranet Wizard led to an error under certain circumstances when saving the Nameserver form. This is going to be fixed within this release.
GUI: Networklink state label
The graphical status of network links can be shown in bytes per second. Due to an error the view was labeled with bits instead of bytes. This is going to be fixed within this release.
Authentication: Kerberos 5 authentication
By default, Kerberos 5 password-checking tries to verify the mapping between kerberos principal and local user account by reading a ‘.k5login’ file. Since that file usually does not exist, it produced an authentication error. The behaviour has been improved within this release through ignoring the ‘.k5login’ file.
Authentication: Restarting ldap service
Restarting the authentication service ldap could under certain circumstances lead to an error in some services. These services needed to be restarted too. The behaviour has been improved so that the services work without any intervention.
Collax Communication: Fetchmail - Retrieval times
You can determine multiple times and intervals for executing the defined jobs for retrieving mail from external mailboxes through the dialog “Retrieval Times”. This led to an error in the generated configuration file so that retrieving e-mail from external mailboxes didn’t work. This is going to be fixed within this update.
Collax Net Security: Forwarding of multiple destination ports
In the form Networking -> Firewall -> DNAT/Port Forwarding services can be forwarded to multiple destination ports. The forwarding of services with multiple destination ports led to an error in the configuration. Within this release services with multiple destination ports are forwarded correctly.
Collax Net Security: Port Forwarding on PPPoE-Links
Port forwardings are used to forward incoming requests to a different server. If a port forwarding was restricted to a PPPoE-link, it didn’t work correctly. This is going to be fixed with this software update.
Collax Net Security: Bonding ethernet ports
After creating new ethernet bonding ports, the link could not be started because of a missing startscript. This is going to be fixed with this software update.
Collax Net Security: MTU calculation
Because of a bad MTU calculation, the Internet link could not be started under certain circumstances after the upgrade to Release V7. This is going to be fixed with this software update.
Collax Net Security: PPtP link names
Under certain circumstances the link scripts for PPtP had a bug, so that the daemon for PPtP could not start. This update fixes this bug.
Collax Net Security: Ethernet-Link to /32 network
Network connections of type Ethernet are defined by an IP address and the physically connected, reachable network. If the netmask of the network was /32, the connection wasn’t established. Within this release, this case is respected.
Kopano Groupware: Z-Push: Mobile devices - Timeout
The mobile devices dialogue shows status information of all connected Z-Push clients. This dialogue is located under Monitoring/Analysis -> Z-Push -> Mobile devices. Under certain circumstances the search could lead to a timeout. This is going to be fixed with this update.
IPSec L2TP form
When creating new VPN-Connections, it could lead to an error in the ipsec.secrets file after saving the IPSec form. This is going to be fixed with this update.
IPSec startscript
When creating new VPN-Connections, it could lead to an error in the vpn startscript configuration. This is going to be fixed with this update.
Collax Mail Security: NiX-Spam for Spam Filter
The service ixhash.junkemailfilter.com suspended its service and has been removed from the configuration within this update.
Collax Mail Security: SMTPUTF8 extension disabled
The SMTPUTF8 extension allows UTF-8 encoding in email header fields and has been added with the current Postfix version. Since SMTPUTF8 is not yet widely supported, some emails couldn’t be delivered to their recipients. Thus the extension has been disabled in the configuration within this update.
Notes
Security: Intrusion Detection System (IDS/IPS)
Within this release the network based intrusion detection system (IDS) Snort is not available anymore.
GUI: Event Monitor
Within this release the event monitor prelude is not available anymore.
Collax Net Security: ISDN Link Aggregation
Link Aggregation for ISDN links is not available any more.
Collax Net Security: Remote Access via ISDN
Remote Access via ISDN links is not available any more.
Collax Net Security: Support for Analog Modems
Support for analog modem is not available any more.
Collax Net Security: Multi Level Firewall
Within this release the Collax Module Multi Level Firewall is not available any more.
Collax Net Security: Wake on LAN
Wake on LAN (WOL) is not available any more.
Kopano Groupware: Multi-Server setup
Within this release Multi-Server setup is suppressed at the moment.
Kopano Groupware: Kopano and MySQL Performance Tuning Parameters
This version will extend and adjust tuning parameters for Kopano. For an optimal tuning, the settings of the MySQL database should be optimized. Especially the values for the innodb_buffer_pool_size will be increased. The innodb_log_file_size will also be restricted to 2048M.
Hardware: 32-Bit CPU
Within this release 32-Bit Hardware is not supported any more. This affects installing and upgrading 32-Bit hardware.
Hardware: HP Smart Array CCISS Driver
The existing Smart Array CCISS-driver is replaced with the new HP Smart Array SCSI (HPSA) driver during the upgrade.