
EU servers cloud update 19-1-18

Stewart -

Summary

atmail mail server 1.2.0 introduces global address books, and resolves various bugs and security issues.

Important highlights from this release

  1. Security improvements
  2. Global address list

Changelog

MAILSERVER

Summary: Cross-Site Request Forgeries

Description:

eu.atmailcloud.com 443/tcp
The identified host failed to properly validate whether a request originated from the correct user, resulting in a scenario whereby an attacker can perform actions on behalf of the victim.

There are various forms of CSRF. Depending on the form, exploitation may occur as a result of an attacker enticing an application consumer into clicking a malicious URL or web site.

In some cases, the payload may be loaded from persistent storage on the vulnerable site itself, executing when it is accessed by a user.

New Feature 

Summary: Globally toggle global address book modes

Description: Further setting added in services/webmail settings -> enable global addressbook (per domain).

Improvement

Summary: Update provision/deprovision function

Description: Updated provision/deprovision functions.

Provision and deprovision functions on jmapproxy have been updated; the same functions in the mailserver have also been updated.

Bug

Summary: Disabled GAL shows error on publish

Description: When GAL is disabled, running publish produces an error to the user. This is now handled as a viable option.

failed: [localhost] (item={u'Val': u'true', u'Prop': u'ENABLE_STORAGE'}) => {"changed": false, "failed": true, "item": {"Prop": "ENABLE_STORAGE", "Val": "true"}, "msg": "Destination /etc/atmail/dav/config.php does not exist !", "rc": 257}
failed: [localhost] (item={u'Val': u"'/var/atmail/storage/'", u'Prop': u'STORAGE_DIR'}) => {"changed": false, "failed": true, "item": {"Prop": "STORAGE_DIR", "Val": "'/var/atmail/storage/'"}, "msg": "Destination /etc/atmail/dav/config.php does not exist !", "rc": 257}
failed: [localhost] (item={u'Val': u"'/var/atmail/temp_storage/'", u'Prop': u'STORAGE_TEMP_DIR'}) => {"changed": false, "failed": true, "item": {"Prop": "STORAGE_TEMP_DIR", "Val": "'/var/atmail/temp_storage/'"}, "msg": "Destination /etc/atmail/dav/config.php does not exist !", "rc": 257}
failed: [localhost] (item={u'Val': u'false', u'Prop': u'ENABLE_GLOBAL_DIRECTORY'}) => {"changed": false, "failed": true, "item": {"Prop": "ENABLE_GLOBAL_DIRECTORY", "Val": "false"}, "msg": "Destination /etc/atmail/dav/config.php does not exist !", "rc": 257}
failed: [localhost] (item={u'Val': u"'disabled'", u'Prop': u'ENABLE_GLOBAL_DIRECTORY_MODE'}) => {"changed": false, "failed": true, "item": {"Prop": "ENABLE_GLOBAL_DIRECTORY_MODE", "Val": "'disabled'"}, "msg": "Destination /etc/atmail/dav/config.php does not exist !", "rc": 257}
failed: [localhost] (item={u'Val': u"'system'", u'Prop': u'ENABLE_GLOBAL_DIRECTORY_CARD_MODE'}) => {"changed": false, "failed": true, "item": {"Prop": "ENABLE_GLOBAL_DIRECTORY_CARD_MODE", "Val": "'system'"}, "msg": "Destination /etc/atmail/dav/config.php does not exist !", "rc": 257}

Summary: API /users/update MYSQL SYNTAX ERROR

Description: Syntax error within API call for updating users resolved.

$ curl -k -i --data "userId=2&domainIds=2" -u "admin:changeme" "https://ms.local/admin/index.php/api/users/update/"
HTTP/2 200
server: nginx/1.10.2
date: Thu, 26 Oct 2017 00:35:42 GMT
content-type: text/xml
x-powered-by: PHP/5.4.16
set-cookie: PHPSESSID=9lr8kn5hej5s6eun8naopnma94; path=/; HttpOnly
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
pragma: no-cache

<?xml version="1.0" encoding="UTF-8"?>
<api generator="zend" version="1.0"><userupdate><status>failed</status><response><message>SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'WHERE (userId = '2')' at line 1</message><results></results></response></userupdate></api>

Summary: Update mailserverAuditing to just log fail not php error stack trace

Description: Audit code updated to be person task/details/success/fail rather than including PHP stack traces.

Summary: Error state from alias delete is ignored

Description: When deleting an alias, if an error occurred the UI would ignore it and do nothing.

The user is now presented with an error to inform them of the failure.

Summary: Incorrect permission referenced for alias delete

Description: In the api.php aliasesDelete() function, permissions have been resolved.
