Major Update 7.5.0 / Atmail ActiveSync 1.1

Stewart -

Release overview

Release Date: 05 Feb 2015
Release Versions: On-Premises v7.5.0 and ZPush 1.1

New Features

Each feature entry below lists: Feature, Feature Description, Component/s Impacted, Users Impacted, Impact Description.
Feature: end user password reset tool
Feature Description: As an end user, I want to be able to reset my password by following a simple and secure process, so that I can reset my password if I forget it.
Component/s Impacted: User - Reset Password
Users Impacted: End users of atmail server installations who use the web user interface
Impact Description:
- A "Forgot your password?" link is displayed on the web user interface login screen.
- When the user clicks the "Forgot your password?" link, they are taken to a page that prompts for the username.
- If the username is invalid (no such username in the system, or the user has NOT set up the information required to reset the password), a message is displayed to the user.
- If the username is valid, a message notifies the user that an email has been sent to the recovery email address provided, and to attend to it within the email link expiry time frame.
- When the user clicks the link in the email, they are taken to a page that prompts them to answer 3 randomly selected questions out of the 5 questions set up by the user.
- If the user answers at least one of the 3 questions incorrectly, an error message is displayed and the page is refreshed with 3 different randomly selected questions.
- If the user exceeds the maximum number of attempts allowed to answer the security questions, they are prompted to contact the administrator and the password reset link expires. The user can click the "Forgot your password?" link again to initiate the same process again. (The user account is NOT locked.)
- If the user answers the security questions correctly, they are taken to a page where they can set a new password (New password / Confirm New Password).
- Once the new password is captured and stored, the user is returned to the login page, where the new password can be used to log in.

Feature: end user password reset tool
Feature Description: As an end user, I want to be encouraged/reminded to enter the information required to use the "end user password reset tool", so that I can reset my own password in case I forget it.
Component/s Impacted: User - Configure password reset - Reminder
Users Impacted: End users of atmail server installations who use the web user interface
Impact Description:
- If the user has NOT set up security questions and a recovery email address, a pop-up is displayed at login time reminding the user to set up the information.
- If the user chooses "Setup Now", they are taken to "Web User Interface >> Settings >> Password reset settings" to start entering the required information.
- If the user chooses "Dismiss", the reminder pop-up is closed, but the reminder is displayed again at the next login.
- If the user chooses "Remind me later" (options: 1 day, 3 days, 7 days), the reminder pop-up is closed and the reminder is displayed again when the user logs in after the specified number of days.
- If the user chooses "Do not show this message again", a warning is displayed before the pop-up closes, making sure the user understands that they will NOT be able to recover their own password without filling out this information, how they can complete this task later, and what the alternative is.

Feature: end user password reset tool
Feature Description: As an end user, I want to store information unique to me, to be used during password recovery, so that I can reset my password in a secure manner.
Component/s Impacted: User - Settings - Password reset settings
Users Impacted: End users of atmail server installations who use the web user interface
Impact Description:
- The user can set up / manage the required information via "Web user interface >> Settings >> Password reset settings".
- The user is required to provide 5 security questions and answers.
- The system provides a list of standard security questions that can be used, while also allowing the user to specify their own security question.
- There are no restrictions (character limit, allowed characters, etc.) on the answers.
- The answers are encrypted using the same encryption method used to store passwords in the system, and hence are NOT displayed to the user once saved.
- Once the questions / answers are set up successfully, the user is prompted to enter a recovery email address.
- Once a valid email address is entered, a verification email is sent to that address to verify that it is valid.
- The user is notified that a verification email has been sent to the address provided, and to attend to it within the email link expiry time frame.
- Once the user clicks the verification link in the email, a success message is displayed explaining that the password reset feature can now be used.

Feature: end user password reset tool
Feature Description: As an administrator of the atmail on-premise system, I can enable / disable the "End user password reset feature", so that I can adapt to the organization's needs.
Component/s Impacted: Admin - Security - End user password reset, Admin Interface
Users Impacted: System administrator users who administer atmail on-premise server installations.
Impact Description:

Feature Availability:
- The "End user password reset feature" is ONLY available for "atmail server installation" and is NOT available for "Web only installation".

Enable/Disable Feature:
- A new menu item is displayed in "Admin Interface >> Security >> End user password reset".
- Once the administrator navigates to "Admin Interface >> Security >> End user password reset", an option is displayed to enable / disable the "End user password reset feature" across the atmail installation.
- For fresh installations, the "End user password reset feature" is enabled by default.
- For upgrades, the "End user password reset feature" is disabled by default, and administrators are given the choice to enable the feature if needed.

Feature: end user password reset tool
Feature Description: As an administrator of the atmail on-premise system, I can manage the standard list of secret questions given to system users, so that they suit the organization's and cultural needs.
Component/s Impacted: Admin - Security - End user password reset
Users Impacted: System administrator users who administer atmail on-premise server installations.
Impact Description:

System defaults:
- 10 industry standard questions are populated as the "standard list of secret questions given to system users" during product installation or upgrade.

Manage questions:
- The administrator is given the ability to manage the "standard list of secret questions given to system users" via "Admin Interface >> Security >> End user password reset".
- If a question is already "in use" (used by an end user as a secret question), the system does NOT allow the administrator to delete / modify the question. However, the question can be made "Inactive" so that it is NOT included in the "standard list of secret questions" displayed to end users.
- A maximum limit of 10 active "standard questions" is enforced.
- A maximum limit of 50 total (active and inactive) "standard questions" is enforced.

Filter / Search:
- By default the administrator is shown the "standard list of questions" created by the administrator (or during installation / upgrade).
- However, the administrator is given the ability to view custom questions created by users.
- The administrator can search / filter questions by question, owner and status.

Feature: end user password reset tool
Feature Description: As an administrator of the atmail on-premise system, I can define the "recovery email verification link" expiry time, so that I can change it to suit both the organization's and end users' needs.
Component/s Impacted: Admin - Security - End user password reset
Users Impacted: System administrator users who administer atmail on-premise server installations.
Impact Description:
- The "recovery email address verification link" expiry time is set to 24 hours (1440 minutes) by default during product installation or upgrade.
- However, the administrator is given the ability to change the "recovery email address verification link" expiry time to suit their needs via "Admin Interface >> Security >> End user password reset".

Feature: end user password reset tool
Feature Description: As an administrator of the atmail on-premise system, I can define the "request for password reset email link" expiry time, so that I can change it to suit both the organization's and end users' needs.
Component/s Impacted: Admin - Security - End user password reset
Users Impacted: System administrator users who administer atmail on-premise server installations.
Impact Description:
- The "Request for password reset email link" expiry time is set to 15 minutes by default during product installation or upgrade.
- However, the administrator is given the ability to change the "request for password reset email link" expiry time to suit their needs via "Admin Interface >> Security >> End user password reset".

Feature: end user password reset tool
Feature Description: As an administrator of the atmail on-premise system, I can define the "maximum number of failed attempts" a user is given to answer the security questions in order to reset the password, so that I can change it to suit both the organization's and end users' needs.
Component/s Impacted: Admin - Security - End user password reset
Users Impacted: System administrator users who administer atmail on-premise server installations.
Impact Description:
- The "maximum number of failed attempts" a user is given to answer the security questions in order to reset the password is set to 3 attempts by default during product installation or upgrade.
- However, the administrator is given the ability to change this value via "Admin Interface >> Security >> End user password reset".

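The end-user flow described above (random 3-of-5 questions, a fresh draw after a wrong set, link expiry, and an attempt limit that expires the link rather than locking the account) together with the administrator defaults (15-minute reset link, 3 attempts) can be modelled in a few dozen lines. The following is an added example written for this page, not atmail's code: it assumes answers are stored as salted PBKDF2 hashes (the notes only say "the same encryption method used to store passwords"), that reset tokens are random URL-safe strings, and that the expiry, attempt limit and clock are injectable so the behaviour can be tested offline.

```python
"""Model of the reset flow in these notes (added example, not atmail code).

Assumptions not taken from the product: answers are stored as salted PBKDF2
hashes, tokens are random URL-safe strings, and the link expiry and attempt
limit default to the values the notes give (15 minutes, 3 attempts) but can be
overridden, together with the clock, for testing.
"""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

QUESTIONS_PER_USER = 5   # the user must set up 5 questions and answers
QUESTIONS_ASKED = 3      # 3 of them are asked on each attempt
_rng = secrets.SystemRandom()


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store an answer the way a password is stored: salted and one-way.
    Case and surrounding whitespace are normalised before hashing."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", answer.strip().lower().encode(), salt, 100_000)
    return salt, digest


def check_answer(answer: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_answer(answer, salt)[1], digest)


def make_store(username: str, qa: Dict[str, str]) -> Dict[str, Dict[str, Tuple[bytes, bytes]]]:
    """Constructed in-memory equivalent of the per-user question/answer table."""
    return {username: {q: hash_answer(a) for q, a in qa.items()}}


@dataclass
class ResetToken:
    username: str
    expires_at: float
    failed_attempts: int = 0
    asked: List[str] = field(default_factory=list)


@dataclass
class ResetService:
    answers: Dict[str, Dict[str, Tuple[bytes, bytes]]]
    link_expiry_seconds: int = 15 * 60   # "request for password reset email link" default
    max_failed_attempts: int = 3         # "maximum number of failed attempts" default
    clock: Callable[[], float] = time.time
    tokens: Dict[str, ResetToken] = field(default_factory=dict)

    def request_reset(self, username: str) -> Optional[str]:
        """Issue a reset token only if the user has finished setting up the feature.
        None means no email is sent; the UI shows its own message in that case."""
        qa = self.answers.get(username)
        if not qa or len(qa) < QUESTIONS_PER_USER:
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = ResetToken(username, self.clock() + self.link_expiry_seconds)
        return token

    def _live(self, token: str) -> Optional[ResetToken]:
        """Return the token record if it exists and has not expired; drop it otherwise."""
        t = self.tokens.get(token)
        if t is None or self.clock() > t.expires_at:
            self.tokens.pop(token, None)
            return None
        return t

    def questions_for(self, token: str) -> Optional[List[str]]:
        """Draw 3 of the user's 5 questions at random for this attempt."""
        t = self._live(token)
        if t is None:
            return None
        t.asked = _rng.sample(list(self.answers[t.username]), QUESTIONS_ASKED)
        return list(t.asked)

    def verify(self, token: str, given: Dict[str, str]) -> bool:
        """All 3 answers must match. A wrong set costs one attempt and forces a fresh
        draw of questions; reaching the limit expires the link, not the account."""
        t = self._live(token)
        if t is None or not t.asked:
            return False
        stored = self.answers[t.username]
        ok = all(check_answer(given.get(q, ""), *stored[q]) for q in t.asked)
        if ok:
            del self.tokens[token]   # single use; the caller now shows the new-password page
            return True
        t.failed_attempts += 1
        t.asked = []
        if t.failed_attempts >= self.max_failed_attempts:
            del self.tokens[token]   # user must start again from "Forgot your password?"
        return False
```

Two design points worth noting: `request_reset` returns the same "no token" result for an unknown user and for a user who never completed setup, so the page shown to the requester does not reveal which case applied; and a failed set of answers clears `asked`, so the next page load draws three new questions rather than letting the requester retry the same three.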
Feature: end user password reset tool
Feature Description: As an administrator of the atmail on-premise system, I can customize the emails sent during the "recovery email verification" and "password reset" processes, so that I can change the emails to suit the organization's needs.
Component/s Impacted: Admin - Security - End user password reset
Users Impacted: System administrator users who administer atmail on-premise server installations.
Impact Description:
- An industry standard default email is made available during product install / upgrade.
- The emails follow HTML format.
- The emails adhere to "Custom Branding" settings (e.g. custom logo, custom brand name, etc.).
- These emails can be customized by modifying the default "html" files stored in the atmail installation directory, e.g.:
  Recovery email address verification email:
  /usr/local/atmail/webmail/application/modules/mail/views/scripts/settings/passwordverify-email.html
  Request for password reset email:
  /usr/local/atmail/webmail/application/modules/mail/views/scripts/passwordreset/passwordreset-email.html

Defect Fixes

Core Product

Each defect entry below lists: Component/s Impacted, Impact Category, Issue Outline, Impact Description / New User Experience, User/s Impacted.
Component/s Impacted: Admin Interface, Sign-Up, Web User Interface
Impact Category: Security
Issue Outline: Invalid HTML / JavaScript written in Web Admin >> Settings >> Webmail Settings >> Disclaimer gets executed when a user clicks WebMail User Login >> Signup.
Impact Description / New User Experience: Scripts written within the "disclaimer" are not executed.
User/s Impacted: End users who use the sign-up option in the web user interface, given "Sign-up page enabled" is set to "enabled" within the Admin Interface.
Component/s Impacted: Admin - Services - Anti-Spam, Admin Interface
Impact Category: Functionality
Issue Outline: Improve SpamAssassin's default trusted_networks to remove misleading warnings caused by an incorrectly formatted CIDR.
Impact Description / New User Experience:
The default trusted networks specified in "Admin Interface >> Services >> Anti-Spam >> Trusted Networks" is "192.168/16, 127/8".
While this is not an error, it does produce warnings for the following two reasons:
1. "192.168/16" is an incorrectly formatted CIDR.
2. "127/8" is included in SpamAssassin's trusted networks by default.
This is resolved by changing the default trusted networks to "192.168/16". This removes the warnings that spamd logs when SpamAssassin starts, which could lead clients inspecting the logs to think something is wrong.
User/s Impacted: System administrators who use the Web Admin Control Panel
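An administrator checking a trusted_networks value before saving it wants two things from the entry above: shorthand such as "192.168/16" expanded to a strict CIDR so host bits set by mistake are caught, and entries already covered by the built-in loopback trust flagged as redundant. The following is an added example for this page, not atmail or SpamAssassin code; it assumes the shorthand pads missing octets with zeros and, following the entry above, treats 127/8 as trusted by default.

```python
"""Added example (not atmail or SpamAssassin code): normalise a trusted_networks
value before it is saved. Assumes '192.168/16' shorthand means zero-padded
octets, and, per the release notes, that 127/8 is already trusted by default."""
import ipaddress
from typing import List

SA_BUILTIN_TRUSTED = ("127.0.0.0/8",)   # per the notes: 127/8 is trusted by default


def expand_short_cidr(entry: str) -> str:
    """'192.168/16' -> '192.168.0.0/16'. Raises ValueError for non-IPv4 input or
    for a network with host bits set, e.g. '10.1.2.3/16'."""
    entry = entry.strip()
    addr, _, prefix = entry.partition("/")
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"not an IPv4 network: {entry!r}")
    if not prefix:
        prefix = str(8 * len(octets))   # bare '192.168' is read as /16
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return str(ipaddress.ip_network(f"{padded}/{prefix}", strict=True))


def is_valid_entry(entry: str) -> bool:
    """True if the entry expands cleanly to a strict CIDR."""
    try:
        expand_short_cidr(entry)
        return True
    except ValueError:
        return False


def normalise_trusted_networks(value: str) -> List[str]:
    """Split on commas/whitespace, expand each entry, drop entries already covered
    by the built-in trust, and remove duplicates while keeping order."""
    builtin = [ipaddress.ip_network(n) for n in SA_BUILTIN_TRUSTED]
    out: List[str] = []
    for raw in value.replace(",", " ").split():
        net = ipaddress.ip_network(expand_short_cidr(raw))
        if any(net.subnet_of(b) for b in builtin):
            continue   # e.g. 127/8: redundant with the default loopback trust
        if str(net) not in out:
            out.append(str(net))
    return out
```

Running the old default through `normalise_trusted_networks("192.168/16, 127/8")` leaves only the private range, which is the shape of the new default; the strict expansion also rejects an entry like "10.1.2.3/16", a mistake the shorthand syntax otherwise hides.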
Component/s Impacted: Core
Impact Category: Functionality
Issue Outline: Change the custom HTTP header "x_csrf" to "x-csrf" to allow compatibility with various HTTP server software.
Impact Description / New User Experience:
The custom HTTP header x_csrf is sent by the web client as a simple CSRF protection for the API.
If nginx is used to proxy connections to the web application, it drops this header. This affects any call that goes through the CSRF header matching code, and breaks things like storage uploads.
Solution: Change x_csrf to x-csrf.
User/s Impacted:
- End users who use the web user interface
- System administrators who use the Web Admin Control Panel
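The reason the rename is enough on its own is the interaction between two normalisation rules: nginx, with its default `underscores_in_headers off`, treats a request header whose name contains an underscore as invalid and ignores it, while the CGI/WSGI convention turns both `X-CSRF` and `X_CSRF` into `HTTP_X_CSRF` before the application sees them, so the server-side comparison is unchanged. The following added example (not atmail code) models that with an in-memory stand-in for the proxy and a constant-time token comparison; the header names, token and environ dict are constructed for the example.

```python
"""Added example (not atmail code) of why the header rename matters. The proxy
model and session-token handling are this example's assumptions; the nginx rule
itself (underscores_in_headers is off by default, and such headers are then
treated as invalid and ignored) is documented nginx behaviour."""
import hmac
from typing import Dict


def header_survives_proxy(name: str) -> bool:
    """A custom header name that a default nginx forwards: non-empty, no underscores."""
    return bool(name) and "_" not in name


def wsgi_key(header_name: str) -> str:
    """CGI/WSGI normalisation: upper-case, '-' -> '_', 'HTTP_' prefix. X-CSRF and
    X_CSRF both arrive as HTTP_X_CSRF, so the server side of the check does not
    change when the client switches to the hyphenated name."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def through_default_nginx(headers: Dict[str, str]) -> Dict[str, str]:
    """Model of nginx with underscores_in_headers off: underscore headers are dropped."""
    return {k: v for k, v in headers.items() if header_survives_proxy(k)}


def to_environ(headers: Dict[str, str]) -> Dict[str, str]:
    """What the application sees after the web server hands the request over."""
    return {wsgi_key(k): v for k, v in headers.items()}


def csrf_ok(environ: Dict[str, str], session_token: str, header_name: str = "X-CSRF") -> bool:
    """Server-side check: header present and equal (in constant time) to the session's token."""
    presented = environ.get(wsgi_key(header_name), "")
    return bool(presented) and hmac.compare_digest(presented, session_token)
```

The check deliberately fails closed: a request that arrives without the header, which is exactly what the proxied `x_csrf` request looked like, is rejected rather than treated as exempt, which is why the symptom was broken uploads rather than a silent loss of protection.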

Component/s Impacted: Core
Impact Category: Compliance
Issue Outline: Update the licenses directory to include licenses of all 3rd party software used by the atmail on-premise solution.
Impact Description / New User Experience: Update the licenses directory to:
- Add any missing licenses of 3rd party software used by the atmail on-premise solution
- Remove any licenses of 3rd party software that is no longer used by the atmail on-premise solution
User/s Impacted: No direct impact to end users
Component/s Impacted: Email, Email - Composer, Web User Interface
Impact Category: Security
Issue Outline: Invalid HTML tags / JavaScript included when entering an email address in the To/CC/BCC fields get executed on field exit.
Impact Description / New User Experience: The invalid characters are filtered and the script is not executed.
User/s Impacted: End users who use the web user interface
Component/s Impacted: Contacts, Mobile/Accessibility User Interface, Security
Impact Category: Security
Issue Outline: Invalid HTML / JavaScript is not filtered when saving a contact (add/edit) via the mobile UI, and is executed when displayed.
Impact Description / New User Experience: The invalid characters are filtered and the script is not executed.
User/s Impacted: End users who use the Mobile/Accessibility user interface
Component/s Impacted: Tab Navigation, Web User Interface
Impact Category: UX - User Experience
Issue Outline: Users cannot navigate to an opened email tab from the Tasks tab.
Impact Description / New User Experience:
Steps to reproduce:
1. Open an email using 2 pane view.
2. Click on the Tasks tab.
3. Try to go back to the email tab.
If you click on the email tab, the email is not displayed.
User/s Impacted: End users who use the web user interface
Component/s Impacted: User - Settings, Web User Interface
Impact Category: UI - User Interface
Issue Outline: Improve the theme example within web user interface >> settings by removing the "atmail" logo, to avoid conflicts with custom branding.
Impact Description / New User Experience:
Steps to reproduce:
1. Go to web user interface >> settings >> web mail settings.
Issue: The theme example image displays the atmail logo, which conflicts with custom branded installations.
Resolution: Remove the atmail logo from the theme example image.
User/s Impacted: End users who use the web user interface
Component/s Impacted: Calendar, Calendar Sharing, Contact Sharing, Contacts, Email, Email - Composer, Web User Interface
Impact Category: UI - User Interface
Issue Outline: When the user types the character "g" or "l" in auto-populated contact fields (e.g. email To/CC/BCC, contact sharing, calendar sharing), the contact name is not rendered properly (">" is converted to "&gt;" and "<" is converted to "&lt;").
Impact Description / New User Experience:
Steps to reproduce:
1. Go to Web Mail >> Email and compose an email (New/Reply/FWD).
2. Click on the To/CC/BCC fields and type in:
- the character "g"
- the character "l"
Issue: In the auto-populated contacts drop-down, ">" in a contact is converted to "&gt;" and "<" in a contact is converted to "&lt;".
NOTE: This can be seen in all places this list is displayed:
- Contact Sharing
- Calendar Sharing
- Task Sharing
User/s Impacted: End users who use the web user interface.
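Three of the fixes in this table are two sides of one output-encoding rule: the sign-up disclaimer and the contact/address fields executed script because stored text reached the page unescaped, while the "&gt;" / "&lt;" rendering defect is the opposite mistake, text escaped when it was stored and escaped again when the suggestion list was built. The following added example (not atmail code) shows the rule both ways: an input-side filter for the one field that has a narrow legal syntax (a bare email address), a single output-side escape for free text, and the double-escaping defect reproduced beside it. The address regex, field names and sample values are this example's assumptions; where a disclaimer must keep some markup, the same single-escape rule gives way to an allow-list sanitizer rather than a pattern blacklist.

```python
"""Added example (not atmail code) of the two output-encoding rules behind these fixes:
filter on input where a field has a narrow legal syntax, escape exactly once on output
everywhere else. The address regex and field names are this example's assumptions."""
import html
import re
from typing import Optional

# Bare addr-spec only: a value carrying markup such as '<' or '"' cannot match.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def filter_address(value: str) -> Optional[str]:
    """Input-side filter for the To/CC/BCC fields: keep the value only if it is a
    plain address; anything with injected tags is rejected rather than stored."""
    value = value.strip()
    return value if ADDR_RE.fullmatch(value) else None


def render_text(raw: str) -> str:
    """Output-side rule for stored free text (contact names, the sign-up disclaimer):
    escape once, at the point the HTML is built, never earlier."""
    return html.escape(raw, quote=True)


def render_suggestion_buggy(raw: str) -> str:
    """The double-escaping defect reproduced: the value was escaped when it was
    stored and escaped again when the suggestion list was built."""
    stored = html.escape(raw, quote=True)
    return html.escape(stored, quote=True)


def browser_shows(rendered: str) -> str:
    """Text a browser displays for escaped element content: entities decoded once."""
    return html.unescape(rendered)
```

The two `browser_shows` results in the test are the whole story: a single escape of `Alice <alice@example.com>` displays as the original name, while the double escape displays the literal `&lt;` and `&gt;` the defect entry describes. Keeping the stored value raw and escaping only in the renderer is what makes both problems go away at once.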
Component/s Impacted: Admin - Plugins, Admin Interface
Impact Category: Functionality
Issue Outline: The user is unable to install plugins via the Admin Interface on a freshly installed atmail server because the directories related to plugins are not created.
Impact Description / New User Experience:
Steps to reproduce:
1. Log in to the Admin Interface.
2. Go to Plugins >> Add Plugins.
3. Attempt to upload a valid plugin.
Issue: The user cannot upload plugins; an error message is given.
User/s Impacted: System administrators who use the Web Admin Control Panel.
Component/s Impacted: Core
Impact Category: Security
Issue Outline: Fix for a security vulnerability: possible SQL injection via the Exim config due to unfiltered / unquoted MySQL queries in the Exim config file (/usr/local/atmail/mailserver/configure).
Impact Description / New User Experience: Security fix for a possible SQL injection via the Exim config due to unfiltered / unquoted MySQL queries in the Exim config file (/usr/local/atmail/mailserver/configure).
User/s Impacted:
- System administrators who maintain the atmail server installation
- End users who use the web user interface of the atmail server installation
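The defect class above is an MTA lookup in which a value taken from the message (typically the recipient address) is spliced into the SQL text, so a quote character inside it changes the query. In an Exim lookup string the remedy is to wrap each expanded variable in `${quote_mysql:...}` so the database driver's quoting is applied; the equivalent in application code is parameter binding. The following added example (not atmail or Exim code) puts the unquoted pattern and the bound-parameter form side by side over a constructed SQLite table standing in for the MySQL account table, so the difference can be checked offline.

```python
"""Added example (not atmail or Exim code): the same account lookup done by string
splicing, as in the defect, and with a bound parameter. SQLite stands in for MySQL
and the 'users' table is constructed for the example."""
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed sample of the account table the MTA consults."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (account TEXT PRIMARY KEY, uid INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice@example.com", 1001), ("bob@example.com", 1002)])
    return db


def lookup_unquoted(db: sqlite3.Connection, address: str) -> List[int]:
    """The defect pattern: the recipient address becomes part of the SQL text, so
    a quote in it changes the query instead of being data."""
    sql = "SELECT uid FROM users WHERE account = '%s'" % address
    return sorted(r[0] for r in db.execute(sql))


def lookup_quoted(db: sqlite3.Connection, address: str) -> List[int]:
    """Hardened form: the driver binds the value; the address cannot alter the query."""
    rows = db.execute("SELECT uid FROM users WHERE account = ?", (address,))
    return sorted(r[0] for r in rows)
```

For a well-formed address both functions agree; for an address containing a quote character the unquoted form returns rows that do not match it at all, while the bound form simply finds no such account. A useful detection habit follows from this: an MTA lookup that returns more than one row for a single recipient address is itself a signal worth logging.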

ZPush

Each ZPush defect entry below lists: Impact Category, Issue Outline, Impact Description / New User Experience, User/s Impacted.

Impact Category: UX - User Experience
Issue Outline: Modify the push installer to use the default CalDAV/CardDAV port 8008 instead of port 80 for DAV services.
Impact Description / New User Experience: The push installer currently defaults to port 80 for DAV services, which means a path also has to be entered. Defaulting to the proper DAV port (8008) means no path is required, simplifying the install process and reducing the chance of user error during installation.
User/s Impacted: System administrators who administer atmail push for ActiveSync services.
Impact Category: Functionality
Issue Outline: Calendar events are alternately created / removed on each consecutive sync with Android devices.
Impact Description / New User Experience:
When an event is created in the atmail calendar, it syncs to the Android device and appears on it correctly. However, after the next EAS sync command the event is removed from the device. On each sync command thereafter the event is alternately created / removed.
NOTE: Devices running Android versions prior to KitKat (4.4) cannot sync multiple calendars through the native calendar app. Therefore, only events in the 'Private' calendar are synced to devices running these versions.
User/s Impacted: End users who use an Android device to connect via ActiveSync.
Impact Category: Functionality
Issue Outline: When the email client is configured to use ActiveSync (push), HTML emails are rendered as plain text.
Impact Description / New User Experience:
Steps to reproduce:
1. Configure a mobile device to connect to the email server via push 1.0.
2. Once emails have been synced, view an HTML email.
Issue: The email is displayed as plain text.
User/s Impacted: End users who use ActiveSync (via push) to connect their mobile device to the mail server
Impact Category: UX - User Experience
Issue Outline: The install script displays warnings at the beginning of the sequence.
Impact Description / New User Experience:
The install script shows the following message at the beginning of the sequence:
PHP Warning: array_key_exists() expects parameter 2 to be array, null given in /usr/share/push/install.php on line 86
User/s Impacted: System administrators who administer atmail push for ActiveSync services.
Impact Category: Functionality
Issue Outline: When sending email via a mobile device that uses EAS (push), CC and BCC recipients are ignored.
Impact Description / New User Experience:
Steps to reproduce:
1. Using a mobile device that is configured to use EAS to connect to the email server, compose a message.
2. Enter valid email addresses in the To, CC and BCC fields.
3. Enter a subject and email body and send the email.
Issue: Recipients in CC and BCC are ignored.
User/s Impacted: End users who use ActiveSync (via push) to connect their mobile device to the mail server
Impact Category: Functionality
Issue Outline: Some directories and the required .htaccess files are missing after push installation.
Impact Description / New User Experience: Some directories and the required .htaccess files are missing after push installation.
User/s Impacted:
- End users who use ActiveSync (via push) to connect their mobile device to the mail server
- System administrators who administer atmail push for ActiveSync services.
Impact Category: Functionality
Issue Outline: Installing push fails if the user does not run install.php from within the push directory.
Impact Description / New User Experience:
The push install's config.ini file is not populated with the correct information if the user runs install.php from outside the push install's directory.
To reproduce the bug:
mkdir /usr/share/push
tar xfvz atmail7.push.344c6fbb95dcbea1ab2e8698906eb6ed.tgz -C /usr/share/push/
chown -R atmail:apache /usr/share/push/
cd /
php /usr/share/push/install.php
The issue is a result of line 798 in /usr/share/push/install.php, which opens the SQL file by a path relative to the current working directory rather than to the script's own directory:
$file = file('sql/push.sql');
User/s Impacted: System administrators who administer atmail push for ActiveSync services.
Impact Category: Functionality
Issue Outline: Intermittently, some users who connect their mobile device to the mail server via ActiveSync are unable to connect to the mail server.
Impact Description / New User Experience:
When a user attempts to connect a mobile device to the mail server via ActiveSync and the IMAP authentication fails a number of times, the user is marked as an external user. Once that happens, the user cannot log in to the server via ActiveSync indefinitely.
User/s Impacted: End users who use ActiveSync (via push) to connect their mobile device to the mail server