Release Notes CSG 7.0.12

Collax Security Gateway

Installation Notes

Update Instructions

To install this update please follow the following steps:


  1. It is highly recommended to backup of all server data with the Collax backup system before proceeding. Check that the backup was successful before proceeding with the update (this can be done within the backup information email).
  2. In the administration interface go to System → System Operation → Software → System Update and press Get Package List. This will download the listed update packages. If successful the message Done! will be displayed on the screen.
  3. Click Get Packages to download the update packages.
  4. Click Install. This installs the update. The end of this process is indicated by the message Done!.
  5. A new kernel will now be installed. The system will reboot automatically after installing the update. An appropriate note will be shown if the update process is completed.

New in this Version

Security: Webproxy System Security

Collax webproxy software packages are hardened to reduce the vulnerability and secure the system. See here

GUI: Clone more objects

With this release a framework to clone objects is introduced. It enables the user to generate a clone method. This method copies the given object. Thereby the user can clone external mailboxes or header filters and a bunch of other objects. You can use the right mouse and the action “clone” to make a copy of the object.

E-Mail: SMTP Submission Agent

The dialog under Mail and Messaging → Mail → SMTP Reception is used for configuring the various settings concerning the SMTP reception. With this Collax software update the SMTP Submission Port 587 is beeing added to accept e-mail for validated users. The user has to autheticate to use the service.

E-Mail: Delivery Status Notification

The dialog Mail and Messaging → Mail → SMTP Reception contains the basic settings for the transmission of e-mails in general. With this Collax software update Delivery Status Notifications (DSN) are configurable. DSNs are beeing sent to the sender of an email if the e-mail couldn’t be delivered to its recipient. Delayed message warning time and the maximum time to keep messages in the queue can be configured now.

Web Proxy: Clamcap - Filter engine and Virus notification

Clamcap (Clamav scanning icap server) is a high-performance and reliable interface between the Web Proxy and one or more virus scanners. The inspection of websites will now result in a more detailled description of the virus and the used scanengine in the system logfile.

Web Proxy: Peak and intercept

Normally, the content of encrypted HTTP traffic (HTTPS) cannot be evaluated or filtered, as encryption is used between the Web server and the browser. To analyze HTTPS traffic for content or malware, the interception function can be activated. The section “SSL-Interception” moved to a new postition “HTTPS Requests” to the Basic Settings tab. To filter URLs and domains only the option URL, domain filtering only is to be set in den the dialog Web-Proxy -> Rules.

Web Proxy: Transparent HTTPS proxy

The function of the tranparent HTTPS proxies makes it possible to filter requests to HTTPS pages without the need for Internet users to make repositions on the client side. This dialog is located under Networking -> Web Proxy -> Permissions. This option activates the transparent https proxy server.

Web Proxy: Share CA certificate for download

To analyze HTTPS traffic for content or malware, the interception function can be activated. For the Web proxy to analyze the encrypted traffic, a CA certificate is necessary, which the Web proxy delivers to the browser. For every HTTPS connection, this certificate is sent to the browser. The selected certificate can be provisioned for downloading within the web access for users. Afterwards the CA can be imported on the client PCs in order for the browser to automatically trust this certificate. This CA can be shared within the dialog X.509 Certificates for all users and can be downloaded without authentication using an url.

Misc: Important System Components

This update will also install/update the following important system components:

  • phpmyadmin 4.7.3
  • curl 7.55
  • ghostscript 9.20
  • tcpdump 4.7.3
  • clamav 0.99.2

Issues Fixed in this Version

Security: Optionsbleed-Bug

In the source code of apache webserver, security holes have been discovered. These holes are going to be closed with this software update.

E-Mail: Postmaster Notification for large e-mails

The maximum size of an individual e-mail can be defined in the dialogue “SMTP reception”. When retrieving e-mail from external mailboxes, the postmaster notification didn’t work properly when exceeding the maximum message size. Within this release the postmaster notification is going to be fiexd.

E-Mail: Default certificate for SMTP reception

To use TLS for incoming smtp connections, a certificate must first be generated or imported for the SMTP service. Due to a validation error, the form with the default certificate could not be saved. This is going to be fixed within this release.

E-Mail: correct date in mailqueue display

All incoming e-mail is buffered in the mail queue. The “Received” column displays that time at which the system received the e-mail. Due to a conversion error, the time was displayed wrong. This is going to be fixed within this release.

Net: DHCP server

Upon start-up, the systems in the local network get their IP address and network configuration from the DHCP server. Due to wrong configuration files, leases and IP adresses have been erroneous. This is going to be fixed with this software update.

VPN: VPN Wizard and NCP Client

The VPN wizard guides you trough the setup and configuration of a virtual private network (VPN). For connections to a NCP Secure Entry Client the configuration for the clients can be downloaded. Due to an error in the wizard this wasn’t possible anymore. This is going to be fixed with this update.

Authentication: LDAP Server stability

In this update many improvements will be implemented for the integration of openldap.


System Management: Monitoring Media Erros on LSI Controllers

Within this update the active monitoring of media errors on LSI RAID-Controllers has been customized. Up to now a warning information for hard disks with a single media error has been issued, although the controller was able to handle those errors and correct them automatically. From now on the warning threshold is 100 errors.