Release Notes CSG 7.0.12
Collax Security Gateway
20.09.2017
Installation Notes
Update Instructions
To install this update please follow the following steps:
Procedure
- It is highly recommended to backup of all server data with the Collax backup system before proceeding. Check that the backup was successful before proceeding with the update (this can be done within the backup information email).
- In the administration interface go to System → System Operation → Software → System Update and press Get Package List. This will download the listed update packages. If successful the message Done! will be displayed on the screen.
- Click Get Packages to download the update packages.
- Click Install. This installs the update. The end of this process is indicated by the message Done!.
- A new kernel will now be installed. The system will reboot automatically after installing the update. An appropriate note will be shown if the update process is completed.
New in this Version
Security: Webproxy System Security
Collax webproxy software packages are hardened to reduce the vulnerability and secure the system. See here
GUI: Clone more objects
With this release a framework to clone objects is introduced. It enables the user to generate a clone method. This method copies the given object. Thereby the user can clone external mailboxes or header filters and a bunch of other objects. You can use the right mouse and the action “clone” to make a copy of the object.
E-Mail: SMTP Submission Agent
The dialog under Mail and Messaging → Mail → SMTP Reception is used for configuring the various settings concerning the SMTP reception. With this Collax software update the SMTP Submission Port 587 is beeing added to accept e-mail for validated users. The user has to autheticate to use the service.
E-Mail: Delivery Status Notification
The dialog Mail and Messaging → Mail → SMTP Reception contains the basic settings for the transmission of e-mails in general. With this Collax software update Delivery Status Notifications (DSN) are configurable. DSNs are beeing sent to the sender of an email if the e-mail couldn’t be delivered to its recipient. Delayed message warning time and the maximum time to keep messages in the queue can be configured now.
Web Proxy: Clamcap - Filter engine and Virus notification
Clamcap (Clamav scanning icap server) is a high-performance and reliable interface between the Web Proxy and one or more virus scanners. The inspection of websites will now result in a more detailled description of the virus and the used scanengine in the system logfile.
Web Proxy: Peak and intercept
Normally, the content of encrypted HTTP traffic (HTTPS) cannot be evaluated or filtered, as encryption is used between the Web server and the browser. To analyze HTTPS traffic for content or malware, the interception function can be activated. The section “SSL-Interception” moved to a new postition “HTTPS Requests” to the Basic Settings tab. To filter URLs and domains only the option URL, domain filtering only is to be set in den the dialog Web-Proxy -> Rules.
Web Proxy: Transparent HTTPS proxy
The function of the tranparent HTTPS proxies makes it possible to filter requests to HTTPS pages without the need for Internet users to make repositions on the client side. This dialog is located under Networking -> Web Proxy -> Permissions. This option activates the transparent https proxy server.
Web Proxy: Share CA certificate for download
To analyze HTTPS traffic for content or malware, the interception function can be activated. For the Web proxy to analyze the encrypted traffic, a CA certificate is necessary, which the Web proxy delivers to the browser. For every HTTPS connection, this certificate is sent to the browser. The selected certificate can be provisioned for downloading within the web access for users. Afterwards the CA can be imported on the client PCs in order for the browser to automatically trust this certificate. This CA can be shared within the dialog X.509 Certificates for all users and can be downloaded without authentication using an url.
Misc: Important System Components
This update will also install/update the following important system components:
- phpmyadmin 4.7.3
- curl 7.55
- ghostscript 9.20
- tcpdump 4.7.3
- clamav 0.99.2
Issues Fixed in this Version
Security: Optionsbleed-Bug
In the source code of apache webserver, security holes have been discovered. These holes are going to be closed with this software update.
E-Mail: Postmaster Notification for large e-mails
The maximum size of an individual e-mail can be defined in the dialogue “SMTP reception”. When retrieving e-mail from external mailboxes, the postmaster notification didn’t work properly when exceeding the maximum message size. Within this release the postmaster notification is going to be fiexd.
E-Mail: Default certificate for SMTP reception
To use TLS for incoming smtp connections, a certificate must first be generated or imported for the SMTP service. Due to a validation error, the form with the default certificate could not be saved. This is going to be fixed within this release.
E-Mail: correct date in mailqueue display
All incoming e-mail is buffered in the mail queue. The “Received” column displays that time at which the system received the e-mail. Due to a conversion error, the time was displayed wrong. This is going to be fixed within this release.
Net: DHCP server
Upon start-up, the systems in the local network get their IP address and network configuration from the DHCP server. Due to wrong configuration files, leases and IP adresses have been erroneous. This is going to be fixed with this software update.
VPN: VPN Wizard and NCP Client
The VPN wizard guides you trough the setup and configuration of a virtual private network (VPN). For connections to a NCP Secure Entry Client the configuration for the clients can be downloaded. Due to an error in the wizard this wasn’t possible anymore. This is going to be fixed with this update.
Authentication: LDAP Server stability
In this update many improvements will be implemented for the integration of openldap.
Notes
System Management: Monitoring Media Erros on LSI Controllers
Within this update the active monitoring of media errors on LSI RAID-Controllers has been customized. Up to now a warning information for hard disks with a single media error has been issued, although the controller was able to handle those errors and correct them automatically. From now on the warning threshold is 100 errors.