Release Notes CSG 7.0.30

Collax Security Gateway
24.07.2018

Installation Notes

Update Instructions

To install this update, follow these steps:

Procedure

  1. It is highly recommended to back up all server data with the Collax backup system before proceeding. Check that the backup was successful before proceeding with the update (this can be done within the backup information email).
  2. In the administration interface go to System → System Operation → Software → System Update and press Get Package List. This will download the listed update packages. If successful, the message Done! will be displayed on the screen.
  3. Click Get Packages to download the update packages.
  4. Click Install. This installs the update. The end of this process is indicated by the message Done!.
  5. A new kernel will now be installed. The system will reboot automatically after installing the update. An appropriate note will be shown when the update process is completed.

New in this Version

Collax Let’s Encrypt: New Add-on module - Let’s Encrypt

With this version, the new add-on module “Collax Let’s Encrypt” is available. Let’s Encrypt is a certification authority offering free X.509 certificates for SSL encryption.

The usual manual processes are simplified by an automated process. The CA of the Let’s Encrypt certificates is a preinstalled, trusted root certification authority in all common web browsers. Thus, browsers do not report a warning or an error when web pages are encrypted with a Let’s Encrypt certificate. Let’s Encrypt certificates are primarily intended for the encryption of web pages, but they can also be used for other purposes.

Let’s-Encrypt certificates are valid for 90 days. They can be renewed as often as you like. The renewal process is performed automatically by the Collax Server. A certificate will be renewed 30 days before expiration. The expired certificates are automatically exchanged for the new ones.
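
A monitoring check for the renewal schedule described above, as an added example that is not part of the Collax software or of these release notes. It reads the "notAfter=" line printed by "openssl x509 -noout -enddate" and returns a Nagios-style status; the 3-day grace period, the function names and the sample dates are assumptions.

```python
import ssl
from datetime import datetime, timezone

RENEW_BEFORE_DAYS = 30   # from the release notes: renewed 30 days before expiration
GRACE_DAYS = 3           # assumption: slack allowed for the renewal job to run

OK, WARNING, CRITICAL = 0, 1, 2   # Nagios plugin exit-code convention


def days_left(enddate_line, now):
    """Parse 'notAfter=Oct 22 12:00:00 2018 GMT' and return days until expiry."""
    key, _, value = enddate_line.strip().partition("=")
    if key != "notAfter" or not value:
        raise ValueError(f"not an openssl -enddate line: {enddate_line!r}")
    # cert_time_to_seconds raises ValueError on a malformed timestamp
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(value), timezone.utc)
    return (expires - now).total_seconds() / 86400


def check_renewal(enddate_line, now=None):
    """Return (nagios_code, message) for one certificate."""
    now = now or datetime.now(timezone.utc)
    try:
        left = days_left(enddate_line, now)
    except ValueError as exc:
        return CRITICAL, f"CRITICAL: {exc}"
    if left <= 0:
        return CRITICAL, f"CRITICAL: certificate expired {-left:.0f} days ago"
    if left < RENEW_BEFORE_DAYS - GRACE_DAYS:
        # Well inside the renewal window and still the old certificate
        return CRITICAL, f"CRITICAL: {left:.0f} days left, automatic renewal did not happen"
    if left < RENEW_BEFORE_DAYS:
        return WARNING, f"WARNING: {left:.0f} days left, renewal is due"
    return OK, f"OK: {left:.0f} days left"


if __name__ == "__main__":
    # Constructed sample input, evaluated at a fixed point in time.
    now = datetime(2018, 7, 24, 12, 0, tzinfo=timezone.utc)
    for line in ("notAfter=Oct 20 12:00:00 2018 GMT",
                 "notAfter=Aug 22 12:00:00 2018 GMT",
                 "notAfter=Aug  5 12:00:00 2018 GMT",
                 "notAfter=Jul 20 12:00:00 2018 GMT"):
        print(line, "->", check_renewal(line, now))
```

A certificate that still has fewer than 27 days left was not exchanged by the automatic renewal, which is the condition worth alerting on before browsers start rejecting it.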

GUI: System Information

Collax servers offer extensive possibilities to analyze the entire system. For this purpose, a lot of information is provided: the left menu area contains a section with system information and system usage of the product. With a scaled view in the web browser, especially at high monitor resolutions, not all sections might be displayed. This update adjusts the layout so that the menu boxes are displayed even at high zoom rates.

E-Mail: Redirect MIME filtered email to email-address

In the dialogue “Mail -> Mail Security -> Headers / MIME Filter” you can define your own rules to filter e-mail attachments. Filtering can be based on the file extension as well as on the MIME content type. So far there were several options as an action for the MIME filter. With this release the new action “Redirect” has been added. If “Redirect” is chosen, the filtered e-mail can be redirected to an individual e-mail address. Using plus addressing, it can also be redirected directly into an IMAP folder, e.g. “+public.oeffentlicherfolder@FQDN”.

VPN: StrongSwan IPsec

As of this version, StrongSwan 5.6.3 is included.

VPN: IPsec user authentication IKEv2

For a link of type “IPsec VPN”, the method used for user authentication can be specified. As of this version, IKEv2 is available as an authentication method.

System Management: Linux Kernel 4.9.112

This update installs Linux kernel 4.9.112.

Changelog

System Management: Proper status emails

With this update, the notifications that the fcron service sends to the e-mail address of the system owner are adapted. The package is responsible for timed, recurrent processes, such as the update status of virus scanners. First, the status is displayed in the subject line, and a distinction is made between success and failure. Second, the description in the subject is worded in a more understandable (human-readable) way, and it is directly apparent from which server the status mails are sent.

System Management: Sender of Nagios status emails

With this update, the notifications that the nagios service sends to the e-mail address of the system owner are adapted. The package is responsible for active monitoring. The subject of the emails now shows directly from which server the status mails are sent.

Issues Fixed in this Version

Security: ClamAV

Security holes have been discovered in the source code of the virus scanner ClamAV. These holes are closed by the update to version 0.100.1 included in this software update.

CVE-2017-16932 CVE-2018-0360 CVE-2018-0361

GUI: Focus on input fields

Due to a behavior change within the framework that renders the administration interface, input fields had to be clicked twice in the Firefox web browser before they were focused. This is corrected with this update.

E-Mail: Postmaster notification for oversized messages

In the SMTP Receive section, the maximum size of an e-mail can be specified. Errors have been corrected in the source code of the e-mail retrieval program fetchmail, because no notification was sent to the postmaster when fetching oversized emails. With this release, this behavior is resolved. For newly received oversized emails, the postmaster is informed immediately and then every 8 hours that the email could not be picked

Security: Collax Anti Spam phraselist

The Collax Anti Spam feature powered by Kaspersky™ includes a number of new and current applications that guarantee the security of e-mail servers. Among its methods, Collax Anti Spam includes phrase lists that contain phrases that are considered spam or not recognized as spam (blacklist / whitelist). Due to a validation error within the input field in the graphical user interface, certain UTF-8 encoded phrase lists (including umlauts) are not filtered. This release fixes this behavior.

Net: Incorrect inheritance of rules from parent network groups

The firewall matrix provides a unique visual representation of regulated network connections. The configuration of an explicit rule with the default “Apply” without further specific service rules led to a faulty firewall configuration. With this update, the same configuration is now created as if no rule was specified, as expected.

System Management: New syntax for NSClient++ configfile

With this update, the configuration files that Collax Server provides for NSClient++ are adapted to the current syntax. NSClient++ is an NRPE (Nagios) agent for Windows. Hosts can thus be used to specify the services to be monitored for their functionality.

Notes

E-Mail: Collax Virus Protection powered by Kaspersky prior Version 7

Version 7 of the Collax C servers has updated the anti-virus engine and the format of the patterns. This was done to respond to new threats with the best possible protection. Patterns for versions prior to 7.0.0 will be available until December 31, 2017. From 01.01.2018 Kaspersky will not update the patterns for Collax version 5 and older. All installations using the Collax Virus Protection module should therefore be brought up to date.

E-Mail: Collax Avira AntiVir prior Version 7.0.24

Version 7.0.24 of the Collax C servers has updated the anti-virus engine and the format of the patterns. This was done to respond to new threats with the best possible protection. Patterns for versions prior to 7.0.24 will be available until December 31, 2018. From 01.01.2019 Avira will not update the patterns for Collax version 7.0.22 and older. All installations using the Collax Avira AntiVir module should therefore be brought up to date.