Release Notes CSG 7.1.24

Collax Security Gateway
07.06.2021

Installation Notes

Update Instructions

To install this update please follow the following steps:

Procedure

  1. It is highly recommended to backup of all server data with the Collax backup system before proceeding. Check that the backup was successful before proceeding with the update (this can be done within the backup information email).
  2. In the administration interface go to System → System Operation → Software → System Update and press Get Package List. This will download the listed update packages. If successful the message Done! will be displayed on the screen.
  3. Click Get Packages to download the update packages.
  4. Click Install. This installs the update. The end of this process is indicated by the message Done!.
  5. A new kernel will now be installed. The system will reboot automatically after installing the update. An appropriate note will be shown if the update process is completed.

New in this Version

GUI: Show password function

The storage of a password on the administration interface has been simplified uniformly. The characters entered are only displayed as dots in all password fields. Next to the input field there is an icon to display the password in clear text and to hide it again. The confirmation field of the password is not applicable. The exception is the administrator password. To prevent unintentional changes, confirmation is still required in a second field.

Net: IPv6: ULA-Generator

With IPv6, the private networks should, as far as possible, be unique worldwide. For the uniqueness with a high procedure is recommended see RFC #4193 , that generates a prefix based on a MAC address and the current time. The ULA generator generates compliant prefixes for the existing interfaces or any MAC address.

System Management: Linux Kernel 4.9.270

This update installs Linux kernel 4.9.270.

Issues Fixed in this Version

E-Mail: 1&1 does not accept mail from Collax servers

The FQDN was previously used to create the sender address for system mails, as indicated in the form for the DNS configuration. With this update, the Mail domain that is configured for SMTP sending in the form. Is instead of the mail domain an alternative SMTP server configured, this will be used. If this is not configured either, the FQDN will continue to be used.

Web Proxy: Web proxy failure

Since the 7.1.22 update, the web proxy could fail in rare cases. A dynamically generated ICMP rule of the firewall prevented a connection from being established. The rule has been corrected with this update.

Net: linkd restarts the VPN connection as soon as it is established

Since the 7.1.22 update, it could happen in multi-WAN configurations that VPN connections were constantly being re-established and thus could not be used. This issue has been resolved in this update.

Notes

E-Mail: Avira AntiVir prior Version 7.1.6

From Avira, an automatic update of the core components of Avira has been carried out. In this context, a new dependency of the libraries has been added, the next time the virus scanner is not started can be resolved. The result is that the virus scanner does not work during a reboot or configuration change is restarted. For security reasons, emails will no longer be delivered. To solve the problem, please update your server to version 7.1.6. Note: As long as the virus scanner is not restarted, it works in its entirety.

E-Mail: Retrieving Mail with SSL and validate server certificate

SSL/TLS encryption can used to retrieve e-mail from external e-mail providers. With the SSL-encrypted collection, expired and self-signed certificates are saved and accepted by the server. If this is not desired, the option “Validate server certificates” can be set with this release.

Important: It is recommended to activate and test the setting “Validate server certificate”. In the past it was common to accept expired and self-signed certificates for encrypted collection. This should no longer be necessary and should be avoided.

E-Mail: Changed ruleset format of Spam Filter SpamAssassin

Please note: On March 1st, the SpamAssassin project will change the format of the ruleset updates. From this date on, only systems that have installed Update 7.1.10 will receive updates.

VPN: Fix for IKEv2 with Microsoft Windows stops after 7.6 hours

VPN connections with IKEv2 and the on-board resources of Microsoft Windows interrupt after exactly 7.6 hours. The error occurs because Microsoft Windows proposes different algorithms during IKE re-encryption than during the first connection. The problem can be solved with a registry fix by changing the value “NegotiateDH2048_AES256” to 1 under HKEY_LOCAL_MACHINE \ SYSTEM
CurrentControlSet \ Services \ RasMan \ Parameters.

Under the following link you will find a REG.file (registry entry) that adds the registry key. Collax assumes no liability for system errors that result from it.