Release overview
Release Date: 05 Feb 2015
Release Versions: On-Premises v7.5.0 and ZPush 1.1
New Features
Feature | Feature Description | Component/s Impacted | Users Impacted | Impact Description |
---|---|---|---|---|
end user password reset tool | As an end user, I want to be able to reset my password by following a simple and secure process, so that I can reset my password if I forget it. | User - Reset Password | End users of atmail server installations who use the web user interface | - A "Forgot your password?" link is displayed on the web user interface login screen. - Clicking "Forgot your password?" takes the user to a page that prompts for the username. - If the username is invalid (no such username in the system, or the user has NOT set up the information required to reset the password), a message saying so is displayed. (Note that distinct messages for valid and invalid usernames let anyone confirm whether a given username exists.) - If the username is valid, a message is displayed saying that an email has been sent to the recovery email address on file and that the link in it must be used within the email link expiry time frame. - Clicking the link in the email takes the user to a page that asks 3 questions randomly selected from the 5 questions the user set up. - If any of the 3 answers is incorrect, an error message is displayed and the page reloads with 3 different randomly selected questions. - If the user exceeds the maximum number of failed attempts allowed to answer the security questions, the user is told to contact the administrator and the password reset link expires. The user can click "Forgot your password?" again to start the same process over; the user account is NOT locked. - If all 3 answers are correct, the user is taken to a page to set a new password (New password / Confirm new password). - Once the new password is captured and stored, the user is returned to the login page and can log in with it. |
end user password reset tool | As an end user, I want to be encouraged/reminded to enter the information that enables me to use the "end user password reset tool", so that I can reset my own password if I forget it. | User - Configure password reset - Reminder | End users of atmail server installations who use the web user interface | - If the user has NOT set up security questions and a recovery email address, a pop-up is displayed at login reminding the user to do so. - If the user chooses "Setup Now", the user is taken to "Web User Interface >> Settings >> Password reset settings" to enter the required information. - If the user chooses "Dismiss", the reminder pop-up closes and is displayed again at the next login. - If the user chooses "Remind me later" (options: 1 day, 3 days, 7 days), the reminder pop-up closes and is displayed again at the first login after the chosen number of days. - If the user chooses "Do not show this message again", a warning is displayed before the reminder closes, making sure the user understands that he/she will NOT be able to recover his/her own password without this information, how to set it up later, and what the alternative is. |
end user password reset tool | As an end user, I want to store information unique to me for use during password recovery, so that I can reset my password in a secure manner. | User - Settings - Password reset settings | End users of atmail server installations who use the web user interface | - The user sets up and manages the required information via "Web User Interface >> Settings >> Password reset settings". - The user must provide 5 security questions and answers. - The system offers a list of standard security questions while also allowing the user to enter their own question. - There are no restrictions (character limit, allowed characters, etc.) on the answers. - Answers are stored using the same method the system uses to store passwords, so they are NOT displayed to the user once saved. - Once the questions and answers are saved, the user is prompted for a recovery email address. - Once a valid email address is entered, a verification email is sent to it to confirm that the address is valid. - The user is notified that a verification email has been sent and that the link in it must be used within the email link expiry time frame. - When the user follows the verification link, a success message explains that the password reset feature can now be used. |
end user password reset tool | As an administrator of the atmail on-premise system, I can enable / disable the "End user password reset" feature, so that I can adapt to the organization's needs. | Admin - Security - End user password reset, Admin Interface | System administrator users who administer atmail on-premise server installations. | Feature Availability: Enable/Disable Feature: |
end user password reset tool | As an administrator of the atmail on-premise system, I can manage the standard list of secret questions offered to system users, so that they suit the organization's and cultural needs. | Admin - Security - End user password reset | System administrator users who administer atmail on-premise server installations. | System defaults: Manage questions: Filter / Search: |
end user password reset tool | As an administrator of the atmail on-premise system, I can define the "recovery email verification link" expiry time, so that I can change it to suit both the organization's and end users' needs. | Admin - Security - End user password reset | System administrator users who administer atmail on-premise server installations. | - The "recovery email address verification link" expiry time is set to 24 hours (1440 minutes) by default during product installation or upgrade. - The administrator can change the "recovery email address verification link" expiry time to suit their needs via "Admin Interface >> Security >> End user password reset". |
end user password reset tool | As an administrator of the atmail on-premise system, I can define the "request for password reset email link" expiry time, so that I can change it to suit both the organization's and end users' needs. | Admin - Security - End user password reset | System administrator users who administer atmail on-premise server installations. | - The "request for password reset email link" expiry time is set to 15 minutes by default during product installation or upgrade. - The administrator can change the "request for password reset email link" expiry time to suit their needs via "Admin Interface >> Security >> End user password reset". |
end user password reset tool | As an administrator of the atmail on-premise system, I can define the "maximum number of failed attempts" a user is given to answer the security questions when resetting a password, so that I can change it to suit both the organization's and end users' needs. | Admin - Security - End user password reset | System administrator users who administer atmail on-premise server installations. | - The "maximum number of failed attempts" a user is given to answer the security questions when resetting a password is set to 3 by default during product installation or upgrade. - The administrator can change this value via "Admin Interface >> Security >> End user password reset". - Note that the limit applies per reset link: because the user can request a new link after the limit is reached (the account is not locked), it bounds guesses per link, not per account. |
end user password reset tool | As an administrator of the atmail on-premise system, I can customize the emails sent during the "recovery email verification" and "password reset" processes, so that I can adapt them to the organization's needs. | Admin - Security - End user password reset | System administrator users who administer atmail on-premise server installations. | - An industry-standard default email is provided during product install / upgrade. - The emails are in HTML format. - The emails adhere to the "Custom Branding" settings (e.g. custom logo, custom brand name). - These emails can be customized by modifying the default HTML files stored in the atmail installation directory, e.g. recovery email address verification email: /usr/local/atmail/webmail/application/modules/mail/views/scripts/settings/passwordverify-email.html; request for password reset email: /usr/local/atmail/webmail/application/modules/mail/views/scripts/passwordreset/passwordreset-email.html |
Defect Fixes
Core Product
Component/s Impacted | Impact Category | Issue Outline | Impact Description / New User Experience | User/s Impacted |
---|---|---|---|---|
Admin Interface, Sign-Up, Web User Interface | Security | HTML / JavaScript entered in Web Admin >> Settings >> Webmail Settings >> Disclaimer was executed when a user opened WebMail User Login >> Signup (stored script injection via the disclaimer text) | | End users who use the sign-up option in the web user interface, when "Sign-up page enabled" is set to "enabled" in the Admin Interface |
Admin - Services - Anti-Spam, Admin Interface | Functionality | Improve SpamAssassin's default trusted_networks to remove misleading warnings caused by an incorrectly formatted CIDR | The default trusted networks specified in "Admin Interface >> Services >> Anti-Spam >> Trusted Networks" were "192.168/16, 127/8". While this is not an error, it does produce warnings at startup: SpamAssassin always treats 127.0.0.0/8 as trusted regardless of configuration, so listing 127/8 again is redundant. This is resolved by changing the default trusted networks to "192.168/16", which removes the warnings written to the spamd log when SpamAssassin starts and which could lead clients inspecting the logs to think something is wrong. Running spamassassin --lint after the change confirms that the configuration loads cleanly. | System administrators who use the Web Admin Control Panel |
Core | Functionality | Change the custom HTTP header "x_csrf" to "x-csrf" for compatibility with various HTTP server software | The web client sends the custom HTTP header x_csrf as a simple CSRF protection for the API. nginx, when used as a reverse proxy in front of the web application, silently drops request headers whose names contain underscores (its default is underscores_in_headers off), so the header never reaches the CSRF header matching code and anything that depends on it, such as storage uploads, breaks. Solution: rename x_csrf to x-csrf. (Setting underscores_in_headers on; in nginx is the alternative, but the hyphenated name works with every proxy.) | End users who use the web user interface; system administrators who use the Web Admin Control Panel |
Core | Compliance | Update the licenses directory to include the licenses of all 3rd party software used by the atmail on-premise solution | Update the licenses directory to: - add any missing licenses of 3rd party software used by the atmail on-premise solution - remove licenses of 3rd party software that is no longer used by the atmail on-premise solution | No direct impact to end users |
Email, Email - Composer, Web User Interface | Security | HTML tags / JavaScript included in an email address entered in the To/CC/BCC fields were executed when the field lost focus | Invalid characters are filtered and the script is not executed | End users who use the web user interface |
Contacts, Mobile/Accessibility User Interface, Security | Security | HTML / JavaScript was not filtered when saving a contact (add/edit) via the mobile UI and was executed when the contact was displayed | Invalid characters are filtered and the script is not executed | End users who use the Mobile/Accessibility user interface |
Tab Navigation, Web User Interface | UX - User Experience | Users cannot navigate to an opened email tab from the Tasks tab | Steps to reproduce: 1. Open an email in 2-pane view. 2. Switch to the Tasks tab, then click on the email tab: the email is not displayed. | End users who use the web user interface |
User - Settings, Web User Interface | UI - User Interface | Improve the theme example in Web User Interface >> Settings by removing the "atmail" logo, to avoid conflicts with custom branding | Issue: the theme example image displays the atmail logo, which conflicts with custom-branded installations. Resolution: remove the atmail logo from the theme example image. | End users who use the web user interface |
Calendar, Calendar Sharing, Contact Sharing, Contacts, Email, Email - Composer, Web User Interface | UI - User Interface | When the user types the character "g" or "l" into an auto-populated contact field (e.g. email To/CC/BCC, contact sharing, calendar sharing), contact names are not rendered properly: ">" is displayed as "&gt;" and "<" as "&lt;" | Steps to reproduce: 1. Go to Web Mail >> Email and compose an email (New/Reply/FWD). 2. Click on the To/CC/BCC field and type the character "g" or the character "l". Issue: in the auto-populated contacts drop-down, ">" in a contact is displayed as "&gt;" and "<" as "&lt;". NOTE: this can be seen everywhere this list is displayed: - Contact Sharing - Calendar Sharing - Task Sharing | End users who use the web user interface. |
Admin - Plugins, Admin Interface | Functionality | Users cannot install plugins via the Admin Interface on a freshly installed atmail server because the plugin-related directories are not created | Steps to reproduce: 1. Log in to the Admin Interface. 2. Go to Plugins >> Add Plugins. 3. Attempt to upload a valid plugin. Issue: the plugin cannot be uploaded and an error message is shown. | System administrators who use the Web Admin Control Panel. |
Core | Security | Possible SQL injection via the Exim configuration: MySQL queries in the generated Exim config file (/usr/local/atmail/mailserver/configure) interpolated values without filtering or quoting | Values expanded into the MySQL lookups in the generated Exim configuration are now filtered and quoted, so crafted input in the values Exim expands into those queries can no longer alter the statement. | System administrators who maintain the atmail server installation; end users who use the web user interface of the atmail server installation |
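The x_csrf / x-csrf fix above, as an added example that is not atmail's code: a model of the nginx hop that drops underscore-named headers, the client sending the token, and a server-side check that fails closed when the header never arrives. The function names and the in-memory token are assumptions; only nginx's default underscores_in_headers behaviour is taken from the real software.

```javascript
// Added example (not atmail code): why a CSRF header named with an underscore breaks behind
// nginx, and a server-side check that rejects the request when the header is absent.
const crypto = require('crypto');

// nginx drops request headers whose names contain underscores unless
// "underscores_in_headers on;" is configured (the default is off).
function proxyPassesHeader(name, underscoresInHeaders = false) {
  return underscoresInHeaders || !name.includes('_');
}

// Model the proxy hop: keep only the headers nginx would forward, lower-cased because
// HTTP header names are case-insensitive.
function proxyForward(headers, underscoresInHeaders = false) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (proxyPassesHeader(name, underscoresInHeaders)) out[name.toLowerCase()] = value;
  }
  return out;
}

// Per-session token; assumed to be stored server-side alongside the session.
function newCsrfToken() {
  return crypto.randomBytes(32).toString('hex');
}

// Client side: attach the token under the chosen header name on every API call.
function buildApiHeaders(csrfToken, headerName = 'x-csrf') {
  return { 'Content-Type': 'application/json', [headerName]: csrfToken };
}

// Server side: missing or mismatched header rejects; comparison is constant-time.
function csrfCheck(forwardedHeaders, expectedToken, headerName = 'x-csrf') {
  const got = forwardedHeaders[headerName.toLowerCase()];
  if (typeof got !== 'string' || got.length !== expectedToken.length) return false;
  return crypto.timingSafeEqual(Buffer.from(got), Buffer.from(expectedToken));
}
```

The failure mode in the release note is the first case below: with the underscore name the header is stripped in transit, the check sees no token, and every state-changing API call (storage uploads included) is refused.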
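The two script-injection fixes (To/CC/BCC addresses and mobile contacts) and the "&gt;"/"&lt;" rendering defect above have one root: contact data must be escaped exactly once, at output time. The following is an added example, not atmail's code, showing an input filter of the kind the notes describe beside output escaping, and reproducing the double-escaping symptom. Rendering is modelled as an HTML string so it runs without a browser; the function names and the address-parsing rule are assumptions.

```javascript
// Added example (not atmail code): escape user-controlled contact data once at render time.
// DOM output is modelled as an HTML string so the functions run under Node.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape for HTML text and double-quoted attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => HTML_ESCAPES[c]);
}

// Split an address as typed into To/CC/BCC: "Display Name <user@host>" or a bare "user@host".
function parseAddress(input) {
  const m = /^\s*(.*?)\s*<([^<>]*)>\s*$/.exec(input);
  return m ? { name: m[1], email: m[2] } : { name: '', email: input.trim() };
}

// Input-side filter matching the fix described in the notes: drop angle brackets and quotes
// from stored contact fields so markup cannot be saved in the first place.
function filterContactField(s) {
  return String(s).replace(/[<>"']/g, '');
}

// Render one drop-down entry from raw (unescaped) fields. The brackets around the address
// are written as entities so the browser shows them as < and > exactly once.
function renderContactOption(name, email) {
  const label = name ? `${escapeHtml(name)} &lt;${escapeHtml(email)}&gt;` : escapeHtml(email);
  return `<li class="contact" data-email="${escapeHtml(email)}">${label}</li>`;
}

// The rendering defect from the notes: feeding an already-escaped label back through
// escapeHtml turns &lt; into &amp;lt;, which the browser then displays literally as "&lt;".
function renderFromEscapedLabel(escapedLabel) {
  return `<li class="contact">${escapeHtml(escapedLabel)}</li>`;
}
```

Keeping the stored value raw and escaping in the one place that builds markup avoids both defects: a stored `<script>` can never reach the page as a tag, and a name that legitimately contains angle brackets is not turned into entities twice.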
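What the Exim SQL injection fix above amounts to, as an added illustration rather than atmail's generated configuration (the table, column and option names here are hypothetical): a MySQL lookup that pastes expansion variables into the query unquoted, beside the same lookup using Exim's ${quote_mysql:...} expansion operator.

```exim
# Added illustration, not the atmail /usr/local/atmail/mailserver/configure file.
# Table and column names are hypothetical.

# Before: $local_part and $domain go into the SQL string as-is, so a recipient local
# part containing a single quote (for example  x' OR '1'='1 ) rewrites the statement.
data = ${lookup mysql{SELECT Account FROM UserAccounts WHERE Account='$local_part@$domain'}}

# After: each expanded value passes through ${quote_mysql:...}, which escapes the
# characters MySQL treats specially inside a quoted string (quotes, backslash, newline, NUL).
data = ${lookup mysql{SELECT Account FROM UserAccounts WHERE Account='${quote_mysql:$local_part}@${quote_mysql:$domain}'}}
```

The operator only protects values that sit inside quotes in the SQL text; an expansion variable used bare (for example as a numeric literal) still needs its own validation before it is interpolated.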
ZPush
Impact Category | Issue Outline | Impact Description / New User Experience | User/s Impacted |
---|---|---|---|
UX - User Experience | Modify the push installer to default to the CalDAV/CardDAV port 8008 instead of port 80 for DAV services. | The push installer currently defaults to port 80 for DAV services, which means a path must also be entered. Defaulting to the proper DAV port (8008) means no path is required, simplifying installation and reducing the chance of user error. | System administrators who administer atmail push for ActiveSync services. |
Functionality | Calendar events are alternately created / removed on each consecutive sync with Android devices | When an event is created in the atmail calendar, it syncs to the Android device and appears correctly. After the next EAS sync command the event is removed from the device, and on each sync command thereafter it is alternately created and removed. NOTE: devices running Android versions before KitKat (4.4) cannot sync multiple calendars through the native calendar app, so only events in the "Private" calendar are synced to those devices. | End users who use an Android device to connect via ActiveSync. |
Functionality | When the email client is configured to use ActiveSync (push), HTML emails are rendered as plain text | Steps to reproduce: Issue: the email is displayed as plain text. | End users who use ActiveSync (via push) to connect their mobile device to the mail server |
UX - User Experience | Install script displays warnings at the beginning of the sequence | The install script shows a PHP warning at the beginning of the sequence: PHP Warning: array_key_exists() expects parameter 2 to be array, null given in /usr/share/push/install.php on line 86 | System administrators who administer atmail push for ActiveSync services. |
Functionality | When sending email from a mobile device that uses EAS (push), CC and BCC recipients are ignored. | Steps to reproduce: Issue: recipients in CC and BCC are ignored. | End users who use ActiveSync (via push) to connect their mobile device to the mail server |
Functionality | Some directories and required .htaccess files are missing after push installation | Some directories and required .htaccess files are not created by the push installer | End users who use ActiveSync (via push) to connect their mobile device to the mail server; system administrators who administer atmail push for ActiveSync services. |
Functionality | Installing push fails if the user does not run install.php from within the push directory | The push install's config.ini file is not populated with the correct information if install.php is run from outside the push install directory. To reproduce the bug: run install.php from another directory. The issue is caused by line 798 in /usr/share/push/install.php: | System administrators who administer atmail push for ActiveSync services. |
Functionality | Intermittently, some users who connect their mobile device to the mail server via ActiveSync are unable to connect | When a user connects a mobile device to the mail server via ActiveSync and IMAP authentication fails a number of times, the user is marked as an external user. Once that happens the user cannot log in via ActiveSync indefinitely. | End users who use ActiveSync (via push) to connect their mobile device to the mail server |