Release Notes CBS 7.0.4

Collax Business Server
16.03.2017

Installation Notes

Update Instructions

To install this update, follow these steps:

Procedure

  1. It is highly recommended to back up all server data with the Collax backup system before proceeding. Check that the backup was successful before proceeding with the update (this can be done within the backup information email).
  2. In the administration interface go to System → System Operation → Software → System Update and press Get Package List. This will download the listed update packages. If successful the message Done! will be displayed on the screen.
  3. Click Get Packages to download the update packages.
  4. Click Install. This installs the update. The end of this process is indicated by the message Done!.
  5. A new kernel will now be installed. The system will reboot automatically after installing the update. An appropriate note will be shown when the update process is completed.

New in this Version

Security: System Security

The new Collax V7 Server is a system which is almost 100% (97%) deterministic/reproducible. The Collax build system guarantees that binary files and system packages (.deb) are built deterministically. All Collax Servers are hardened to reduce vulnerability and secure the system.

Security: Improved Protection for ssh Denial-Of-Service Attacks

Within this update the protection against Denial-of-Service (DoS) and brute-force attacks on ssh has been improved. The new function allows banning the IP address of an offender after a certain number of login attempts.
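To check from the logs which sources would reach such a limit, the following added example (not Collax code) counts failed ssh logins per source address over a sliding time window. The limit of 5 attempts, the 10-minute window, the log year and the sample log lines are assumptions; the release note does not state the actual values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values: the release note only says "a certain number".
MAX_ATTEMPTS = 5
WINDOW = timedelta(minutes=10)
LOG_YEAR = 2017  # syslog timestamps carry no year; assumed for parsing

# Matches OpenSSH "Failed password" lines in classic syslog format.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+)"
)


def find_offenders(lines, max_attempts=MAX_ATTEMPTS, window=WINDOW):
    """Return {ip: time of the attempt that reached the limit}."""
    recent = defaultdict(deque)    # ip -> timestamps still inside the window
    banned = {}
    for line in lines:
        m = FAILED.match(line)
        if not m or m["ip"] in banned:
            continue               # not a failure, or source already banned
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) >= max_attempts:
            banned[m["ip"]] = ts
    return banned


def sample_line(ts, ip, user="root"):
    """Build one constructed sshd failure line for the sample log."""
    return (f"Mar 16 {ts} cbs sshd[2101]: "
            f"Failed password for {user} from {ip} port 40001 ssh2")


# Constructed log excerpt (documentation addresses, not real traffic).
SAMPLE_LOG = (
    # Slow source: five failures, but 15 minutes apart.
    [sample_line(t, "198.51.100.20") for t in
     ("09:00:00", "09:15:00", "09:30:00", "09:45:00", "10:00:00")]
    # Burst source: five failures within 90 seconds.
    + [sample_line(t, "203.0.113.7", "invalid user admin") for t in
       ("10:00:01", "10:00:20", "10:00:41", "10:01:02", "10:01:30")]
    # Legitimate user: one typo, then a successful login.
    + [sample_line("10:02:10", "192.0.2.15", "alice"),
       "Mar 16 10:02:25 cbs sshd[2101]: Accepted password for alice "
       "from 192.0.2.15 port 40001 ssh2"]
)

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{ip} reaches the limit at {when:%H:%M:%S}")
```

With the assumed values only the burst source reaches the limit; the slow source stays below it because its attempts fall outside the window.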

Security: Linux Kernel 4.4.50

Collax Server 7 is based on the long-term support (LTS) kernel 4.4. It provides better hardware support and more security fixes and is supported until February 2018.

Security: Important security relevant System Components

This update will also install/update the following important system components:

  • zlib1g 1.2.11
  • libgd2 2.2.4
  • libpng3 1.6.27
  • kernel 4.4.50
  • gnutls 3.3.26
  • openssl 1.0.2k
  • socat 1.7.3.1
  • bind 9.9.9.6
  • curl 7.52.1
  • ntpd 4.2.8p9
  • openssh 7.4p1
  • samba 4.3.13
  • squid 3.5.24
  • vim 8.0.329

Security: Amavis - Filter engine and Virus notification

AMaViS (A Mail Virus Scanner) is a high-performance and reliable interface between the mailer (MTA) and one or more virus scanners. The inspection of emails will now result in a more detailed description of the virus and the scan engine used in the virus notification email and the system logfile.

GUI: GUI-Design

With this update the web interface is improved and more detailed, based on the recommendation from Google and the tenets and specifics of Material Design.

GUI: Network Groups

Within this release network groups can be used. Network groups offer a new configuration approach. In the past, permissions have been configured using the user groups. Network and service permissions have been used in one group together. From now on network groups are created and can be used separately. All services on the Collax Server whose permissions are assigned exclusively on the basis of an IP address from now on use network groups. If a permission is set, the respective network port is opened in the firewall for the associated networks or hosts.

GUI: Transparent user and network permissions

Within this release permissions for users and permissions for networks are differentiated. So there are user groups and network groups from now on. A number of network groups are created by default. The Internet group contains the “Internet” network as member, i.e. all IP addresses outside the local network ranges. Thus, all permissions granted over this network group apply to all computers anywhere on the Internet.

GUI: Host-Elements

There are various input boxes where IP addresses have been used in the previous version. Within this release the usage of IP addresses has been renewed. Collax Server V7 now uses host-elements. The term “host” refers to individual computers that are known to the Server. A host as an existing element is needed for various settings regarding the services. Host-elements replace the input boxes for IP addresses.

GUI: Clean-up form history, wizards and popups

In the dialog “Clean-up” in the menu Status->Toolbox->Clean-up it is possible to remove the browser data saved by the GUI. This covers the form history, wizards and the form popups.

GUI: Add hosts to Network group

A network group can consist of a network and multiple hosts. Within this update it is possible to add a host to a network group directly within the dialog of the network group via a multilist element.

Web Proxy: Web Proxy and Web Proxy Rules

Please note that the rule set in Collax Server V7 is being rewritten. Important: The rewritten rule set should be checked after upgrading the Server.

Web Proxy: Transparent proxy

The transparent proxy can be activated for the service http. Data packets for destination port 80 will be redirected from the firewall to the web-proxy service. Until now the configuration of the transparent proxy was done using the firewall matrix. Within this release, the transparent proxy is being configured through the basic settings of the web-proxy-server under “Services -> Web-Proxy -> Web-Proxy-Server”. By enabling the transparent proxy mode, a DNAT-rule for the service http will be created under “Network -> Firewall -> DNAT/Port Forwarding”.

Web Proxy: No proxy for these hosts

Through the introduction of host-elements, from now on you can configure proxy exceptions for hosts using the select boxes. This dialogue is located under Services -> Web-Proxy -> Web-Proxy-Server in the Options tab. Here you can select the hosts for which no proxy is to be used.

Web Proxy: Sequence of filter rules and drag n drop

The dialog for defining filter rules is located under Services -> Web-Proxy -> Rules. A rule determines which URL lists are valid at what times and whether the URLs in the lists are blocked or allowed. The sequence of the rules is governed by different priorities and can from now on be changed easily using a new drag n drop action.

Net: Firewall Matrix

The firewall matrix is a visual representation of the integrated firewall. From this version on, the matrix can exclusively be used for network groups instead of networks. The upside of using network groups instead of networks is a better grouping and better view of the ruleset. Network groups are used for accessing services and are relevant for traversing data packets using the Matrix.

Net: Optimized network-stack

Changes in the netlink socket for networking connections are being improved within this release.

Net: Host Analysis

The new function “Host Analysis” located under “System -> Network -> Firewall” can be used to determine the netgroups which are responsible for a given host. You can use that information to determine which netgroups need to be configured to allow access to specific services.
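The lookup that Host Analysis performs can be modelled offline to audit a planned configuration. The following added example (not Collax code) resolves a host to its network groups, treats the “Internet” network as every address outside the local ranges, and lists the services whose ports would be opened for that host. All group names, addresses, service names and ports are constructed sample data.

```python
import ipaddress

# Constructed sample configuration: group names, addresses and ports are
# assumptions for illustration, not Collax defaults.
LOCAL_RANGES = ["192.168.10.0/24", "10.8.0.0/24"]
INTERNET = "INTERNET"  # marker for "all addresses outside the local ranges"

NETWORK_GROUPS = {
    "LocalNet":   {"networks": ["192.168.10.0/24"], "hosts": []},
    "VPNClients": {"networks": ["10.8.0.0/24"], "hosts": []},
    "Admins":     {"networks": [], "hosts": ["192.168.10.5", "10.8.0.20"]},
    "Internet":   {"networks": [INTERNET], "hosts": []},
}

# service -> (port, network groups holding the permission)
PERMISSIONS = {
    "ssh":      (22,   {"Admins"}),
    "webadmin": (8001, {"Admins", "LocalNet"}),
    "smtp":     (25,   {"Internet", "LocalNet"}),
}


def is_local(addr):
    """True if addr lies inside one of the local network ranges."""
    return any(addr in ipaddress.ip_network(n) for n in LOCAL_RANGES)


def in_group(addr, group):
    """True if addr is a member host or lies in a member network."""
    if any(addr == ipaddress.ip_address(h) for h in group["hosts"]):
        return True
    for net in group["networks"]:
        if net == INTERNET:
            if not is_local(addr):
                return True
        elif addr in ipaddress.ip_network(net):
            return True
    return False


def groups_for_host(host):
    """Network groups responsible for the given host address."""
    addr = ipaddress.ip_address(host)
    return sorted(n for n, g in NETWORK_GROUPS.items() if in_group(addr, g))


def open_services(host):
    """Services (and ports) the firewall would open for this host."""
    member_of = set(groups_for_host(host))
    return {svc: port for svc, (port, groups) in PERMISSIONS.items()
            if groups & member_of}


def internet_exposed():
    """Services granted to the Internet group, i.e. reachable from anywhere."""
    return sorted(s for s, (_, groups) in PERMISSIONS.items()
                  if "Internet" in groups)


if __name__ == "__main__":
    for host in ("192.168.10.5", "10.8.0.7", "203.0.113.9"):
        print(host, groups_for_host(host), open_services(host))
    print("Reachable from the Internet:", internet_exposed())
```

Reviewing the output of `internet_exposed()` before activating a configuration shows which permissions apply to every computer on the Internet.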

Net: IPv6 Support Preparation ready

All services on the new Collax Server platform are prepared for integration into IPv6 networks. The IPv6 support will be completed in a future release.

Net: Connection monitoring

The behavior of the “aklinkd” program in some situations has been improved. The new service is rewritten and now called linkd4.

Net: DynDNS behind Router

With dynamic DNS a system with a dynamic IP address can be accessed over a host name provided by a dynamic DNS provider. Within this update it is possible to have dynamic DNS names updated even if the server is behind another router.

VPN: StrongSwan IPsec

From this version StrongSwan 5.5.0 is going to be implemented.

VPN: iOS and Android VPN

From this version iPhone L2TP and Android StrongSwan support is going to be implemented. IKEv2 and IKE Config mode improve the setup of VPN connections.

VPN: additional DH-Groups

The Diffie-Hellman method for exchanging keys for VPN connections has been extended. From now on you can use the DH groups 19 - 26 for key exchange (IKE) and data exchange (ESP).

VPN: new IPSec-proposal

The predefinition of encryption methods and hash algorithms for VPN connections can be assigned to the desired VPN connections. A new and stronger IPsec proposal has been added to the predefined IPsec proposals.

Authentication: Status of Active Directory Integration

Within this update the integration of Collax Servers into Active Directory environments has been extended. An additional field with extended runtime information is displayed. For this, the Active Directory proxy must be activated. Information regarding the connected Domain Controller (DC) and other useful information is displayed.

Authentication: Importable Active Directory Groups

For groups from the Active Directory management to be displayed, the system must have joined an Active Directory as member, and the Active Directory proxy must be activated on the system. The listed group can be integrated in the local policies after these have been included in the management. The users of the AD groups will continue to be managed via the Active Directory and are not part of the local system. Within this release some improvements have been implemented.

Authentication: Synchronisation with Active Directory

Until now, the synchronisation of directory objects in Active Directory (AD) environments stopped when the Domain Controller wasn’t reachable during a configuration activation. The synchronisation worked only after a restart of the service or another config activation. The behaviour has been improved within this release through frequent runtime checks if the server is reachable again.

Fax: Allow embedding of the sent PDF in send notifications

Within this release it is possible to allow embedding of the sent PDF in send notifications.

Kopano Groupware: Kopano Core replaces Zarafa Collaboration Platform

With this Collax software update Kopano Core is being implemented. The previous Zarafa Collaboration Platform is going to be replaced. Kopano Core is an enhancement of the Zarafa Collaboration Platform. The special feature is that the change to Kopano Groupware happens automatically so that the administrative effort is very low. Additionally the plugins Files with ownCloud support and RTC-based web meetings are implemented. Within this update Kopano Core 8.1.1 is going to be installed. Find more information about Kopano on:

Kopano Core Info and Release Notes

Kopano Groupware: WebApp 3.2.0

With this Collax software update the new version 3.2.0 of Kopano WebApp is going to be installed. Please find details here:

https://documentation.kopano.io

Kopano Groupware: Compatibility to Kopano DeskApp

With this Collax software update the new version Kopano Core 8.1.1 is going to be installed. Please note that this version is compatible with Kopano DeskApp. Find more information about Kopano DeskApp on:

Kopano Deskapp

Kopano Groupware: Integration of Z-Push for ActiveSync Clients

With this Collax software update the support for ActiveSync Clients by Z-Push is going to be implemented through the Collax administration interface. Outlook 2013 and Outlook 2016 can therefore sync their data via Z-Push.

Mobile Access

Kopano Groupware: Z-Push Active-Sync Provisioning policies

With this Collax software update an individual set of policy and security settings can be applied to the Z-Push synchronization process. Find more information about it on:

Mobile Policies

Kopano Groupware: Kopano Outlook Extension

With this Collax software update the support for ActiveSync Clients by Z-Push is going to be implemented through the Collax administration interface. Outlook 2013 and Outlook 2016 can therefore sync their data via Z-Push. With the additional Kopano OL Extension, some features otherwise missing in Outlook, like reply/forward-flags, the global address book (GAB) or out-of-office notifications, are added on top of the regular Outlook.

Kopano Outlook Extension and Client Comparison

Kopano Groupware: Kopano Backup replaces Zarafa Backup Plus

You can back up the mailboxes, tasks, contacts and appointments with the new performance-optimized Kopano Backup. It merely serves as a supplement to common backup mechanisms. The Collax integration enables the same administration procedures as before.

Kopano Groupware: Kopano Files-Plug-In

With this Collax software update Kopano Files-Plug-In is being implemented. The plugin boosts your productivity by allowing you to use your existing storage solutions right from the WebApp interface. The function Kopano Files for Teams needs a special licence. Find more information on:

File Management on the Web

Kopano Groupware: Kopano Webmeetings

With this Collax software update Kopano Webmeetings-Plug-In is being implemented. Meet online with unparalleled video and audio quality, right within WebApp. The function Kopano Webmeetings needs a special licence. Find more information on:

Webmeetings

Zarafa Groupware: Outlook-Client Software Zarafa Client

With this Collax software update the Outlook-Client software for Windows zarafaclient-7.2.4-52167.msi is available. To ensure the auto deployment function for the Zarafa clients with Kopano Groupware it is necessary to update the Zarafa Outlook™ clients to 7.2.4 before upgrading the Collax server to version 7.0.4.

Kopano Groupware: New version of Z-Push

With this Collax software update, Z-Push 2.3.5 is going to be installed. More information on:

Z-Push 2.3.5 Release

Add-on Software: New Version of Collax Virus Protection

The virus scanner Collax Virus Protection offers comprehensive antivirus protection for email services. Within this Collax system update the scanner is updated to the newest version.

Add-on Software: New Version of Avira Antivir

The virus scanner Avira Antivir offers comprehensive antivirus protection for email services. Within this Collax system update the scanner is updated to the newest version.

Add-on Software: New Version of Clam-AV

The Open Source virus scanner Clam-AV offers comprehensive antivirus protection for email services. Within this Collax system update the scanner is updated to the newest version.

After the update and the automatic reboot of your Collax Server you have to do a manual pattern update under “Software->Virus Scanners->Update clamAV”.

System Management: New Supervisor

A new service supervisor for the Collax platform is being implemented. The supervisor manages system processes and services, like monitoring, logging and starting of processes and services.

System Management: Active Monitoring

Within this update the active monitoring (Nagios) is activated by default after installing the system.

Hardware: Partition scheme

Within this release new installations get a new partition scheme. A new minimal size should be 16 GB and the service partition will be removed.

Hardware: PVSCSI Driver for VMWare

VMware’s PVSCSI SCSI-driver has been added to simplify the installation in VMware environments. The driver supports VMware’s paravirtualized SCSI HBA.

Hardware: VMCI Driver for VMWare

VMware’s Virtual Machine Communication Interface drivers have been added to simplify the installation in VMWare environments. The driver enables high-speed communication through the VMCI-device.

Hardware: Microsoft Hyper-V-Support

Microsoft’s Hyper-V Linux Integration Services drivers have been added to simplify the installation in Microsoft Hyper-V environments. The driver enables high-speed communication through the VMBus-network-controller and the SCSI-controller.

Hardware: Additional hardware support for NVMe-devices

This update brings support for NVM Express (NVMe) Devices.

Misc: Important System Components

This update will also install/update the following important system components:

  • apache2 2.2.31
  • php5 5.6.30
  • perl5.8 5.22.1
  • python 2.7.12
  • openssl 1.0.2k
  • libc6 2.18
  • kernel 4.4.50
  • mariadb 10.0.29
  • squid 3.5.24
  • samba 4.3.13
  • bind 9.9.9.6
  • dhcpd 4.3.5
  • spamassassin 3.4.1

Misc: SSL/TLS Version and local services

For connections to various local services like the Webadministration-Service or IMAP, from now on you can choose the encryption method for SSL/TLS. You can now choose either “compatible” or “modern”. Not all clients support modern TLS (TLS 1.2). That’s why, for compatibility reasons, you can still configure weak TLS (TLS 1.0) for older clients.

Misc: SDK Changes

For information regarding changes to the Collax Software Development Kit (SDK) please contact our Product Management.

Issues Fixed in this Version

GUI: Revoke certificates

Using the action “Revoke Certificates” the certificate is deleted and entered in the CRL (Certificate Revocation List) for the CA. From this time on, the certificate is blocked on the Collax server. At this point the GUI output details have been too small. With this release they are maximized to the user’s screen view.

GUI: Intranet Wizard

The configuration of the Intranet Wizard led to an error under certain circumstances when saving the Nameserver form. This is going to be fixed within this release.

The graphical status of network links can be shown in bytes per second. Due to an error the view was labeled with bits instead of bytes. This is going to be fixed within this release.

E-Mail: Fetchmail - Retrieval times

You can determine multiple times and intervals for executing the defined jobs for retrieving mail from external mailboxes through the dialog “Retrieval Times”. This led to an error in the generated configuration file so that retrieving e-mail from external mailboxes didn’t work. This is going to be fixed within this update.

E-Mail: NiX-Spam for Spam Filter

The service ixhash.junkemailfilter.com suspended its service and has been removed from the configuration within this update.

E-Mail: SMTPUTF8 extension disabled

The SMTPUTF8 extension allows UTF-8 encoding in email header fields and has been added with the current Postfix version. Since SMTPUTF8 is not yet widely supported, some emails couldn’t be delivered to their recipients. Thus the extension has been disabled in the configuration within this update.

Net: Forwarding of multiple destination ports

In the form Networking -> Firewall -> DNAT/Port Forwarding services can be forwarded to multiple destination ports. The forwarding of services with multiple destination ports led to an error in the configuration. Within this release services with multiple destination ports are forwarded correctly.

Port forwardings are used to forward incoming requests to a different server. If a port forwarding was restricted to a PPPoE-link, it didn’t work correctly. This is going to be fixed with this software update.

Net: Bonding ethernet ports

After creating new ethernet bonding ports, the link could not be started because of a missing startscript. This is going to be fixed with this software update.

Net: MTU calculation

Because of a bad MTU calculation, the Internet link could not be started under certain circumstances after the upgrade to Release V7. This is going to be fixed with this software update.

Under certain circumstances the link scripts for PPtP had a bug, so that the daemon for PPtP could not start. This update fixes this bug.

Network connections of type Ethernet are defined by an IP address and the physically connected, reachable network. If the netmask of the network was /32, the connection wasn’t established. Within this release, this case is respected.

VPN: IPSec L2TP form

When creating new VPN-Connections, it could lead to an error in the ipsec.secrets file after saving the IPSec form. This is going to be fixed with this update.

VPN: IPSec startscript

When creating new VPN-Connections, it could lead to an error in the vpn startscript configuration. This is going to be fixed with this update.

Authentication: Kerberos 5 authentication

By default, Kerberos 5 password-checking tries to verify the mapping between kerberos principal and local user account by reading a ‘.k5login’ file. Since that file usually does not exist, it produced an authentication error. The behaviour has been improved within this release through ignoring the ‘.k5login’ file.

Authentication: Restarting ldap service

When restarting the authentication service ldap it could lead under certain circumstances to an error in some services. The services needed to be restarted too. The behaviour has been improved so that the services work without any intervention.

Backup/Restore: Backup Target Server changed to fake FQDN

After the upgrade the backup target server setting had been changed to a wrong FQDN. In this case, the backup job couldn’t proceed successfully. With this version, the backup target server is going to be changed preferably to the IP address originally set. Thereafter the backup jobs can proceed correctly.

Kopano Groupware: Z-Push: Mobile devices - Timeout

The mobile devices dialogue shows status information of all connected Z-Push clients. This dialogue is located under Monitoring/Analysis -> Z-Push -> Mobile devices. Under certain circumstances the search could lead to a timeout. This is going to be fixed with this update.

Notes

Security: Intrusion Detection System (IDS/IPS)

Within this release the network based intrusion detection system (IDS) Snort is not available anymore.

GUI: Event Monitor

Within this release the event monitor prelude is not available anymore.

Link Aggregation for ISDN links is not available any more.

Net: Remote Access via ISDN

Remote Access via ISDN links is not available any more.

Net: Support for Analog Modems

Support for analog modem is not available any more.

Net: Multi Level Firewall

Within this release the Collax Module Multi Level Firewall is not available any more.

Net: Wake on LAN

Wake on LAN (WOL) is not available any more.

Kopano Groupware: Multi-Server setup

Within this release Multi-Server setup is suppressed at the moment.

Kopano Groupware: Kopano and MySQL Performance Tuning Parameter

This version will extend and adjust tuning parameters for Kopano. For an optimal tuning, the settings of the MySQL database should be optimized. Especially the values for the innodb_buffer_pool_size will be increased. The innodb_log_file_size will also be restricted to 2048M.

Hardware: 32-Bit CPU

Within this release 32-Bit Hardware is not supported any more. This affects installing and upgrading 32-Bit hardware.

Hardware: HP Smart Array CCISS Driver

The existing Smart Array CCISS-driver is replaced with the new HP Smart Array SCSI (HPSA) driver during the upgrade.
