EU servers cloud update 28-2-18

Improvement Highlights

• Cleaned up confusing brand settings
• Auditing for lock outs and administrator login/logout attempts
• Improved branding UX flow of webmail integration plugin for atmail mail server
• Updated jQuery and jQuery-UI libraries
• Random password generator in atmail mail server account manager
• New theme settings to for atmail suite integration theme edit form

Bug Fixes

• Delete_account script fixed allowing admins to delete accounts
• Deleting a brand, then domain is still assigned to it in the DB resolved
• Fixed issue with some database migration scripts
• Fixed various areas in mail server that was missing internationalization support
• Forgotten password was not functional - resolved by adding a new configuration for an atmail mail server administration api user

Security Improvements/Fixes

• Branding calls can expose customer enumeration
• Stored XSS in theme name
• Missing input validation -> Negative value for quota
• Missing input validation - searches
• Outdated jQuery library with CVE, upgraded
• Secure flag now used for admin cookie
• Password policy settings checked against Global settings even if Global has been disabled
• "accountsettingssave" API method now checks against password policy
• Admin users should not be allowed to change the password policy of its own role
• Error on disabling password policy for a domain when there is a global policy as well
• Global password policy is not applied while creating mail account if domain password policy is disabled
• Password policy was not applied to forgot password for email users. 

atmail suite summary

Epics

• Password policy and good practices features and improvements to increase security and configuration options for the atmail product line
• Translation support and refresh

New Feature Highlights

• API server now uses new atmail mail server administration API user to update mail server password
• API server can now store authentication details client side

Improvement Highlights

• New API authentication method which uses the client side storage for service accounts credentials
  • This includes new authentication flows such as prompting for a service account password
• Internationalization improved
• New translation - Dutch
• All translations refreshed
• Forgotten password will now update your service account passwords
• Password policy is now applied to forgot password for email users

Bug Fixes

• Calendar VEVENTS that contain UTC timezone can now be processed
• Error now displayed to user when a calendar invite fails to be processed
• Fixed error where an invited event cannot be modified
• When deleting from important list task stays in important list
• Support for short TZID field in calendar invites added
• Correctly changes service account passwords with forgotten password, not just main user
• Fixed various nil pointers and invalid memory address issues in calendar event processing
• Accepting calendar invites sent from Apple products duplicates DTSTAMP resolved
• Fixed JavaScript error breaking calendar when using locale other then English
• API proxy server side event not releasing connections correctly on disconnect.

Known Issues

• API call getContacts → blank {} properties is treated as NULL
• atmail suite → When receiving a thread update, the avatar is not updated to latest replied user

atmail dav summary

Bugs Fixes

• Fixed initialize declaration in PropertyStoage
• Calendar VEVENTS when snoozing in atmail suite are now reflected in Outlook for Mac
• Accepting calendar invites sent from Apple products duplicates DTSTAMP resolved

Changelog 

T	Summary	Status	Component(S)
	Error when createing cloud account through store or Security > Add cloud	RESOLVED	Mail server
	ApiAdmin using wrong hash	RESOLVED	API server
	SPECIAL-USE missing in dovecot 2.33.2	RESOLVED	Mail server
	Password policy not displayed on error on forgot password	RESOLVED	Webmail
	Forgotten Password is broken	RESOLVED	Mail server
	Forgotten password path doesn't apply password policy	RESOLVED	Mail server
	Password policy is not applied to forgot password for email users	RESOLVED	Mail server
	SSE not releasing connections correctly on disconnect	RESOLVED	JMAP API
	Can no longer add domains in mailserver	RESOLVED	Mail server
	Forgotten password is broken	RESOLVED	JMAP API, Webmail
	Admin users should not be allowed to change the password policy of its own role	RESOLVED	Mail server
	Javascript error breaks calendar event add when using non english locale	RESOLVED	Webmail
	Random password generated by MS will stop apiserver provisioning	RESOLVED	Mail server
	Unable to login to webmail after updating User password by webadmin	RESOLVED	Webmail, Mail server
	Apostrophes in international descriptions breaking webmail	RESOLVED	Webmail
	Secure flag should be used for admin cookie	RESOLVED	Mail server
	Outdated libs -> jQuery	RESOLVED	Mail server
	Missing input validation - searches	RESOLVED	Mail server
	Missing input validation -> Negative value for quota	RESOLVED	Mail server
	Stored XSS theme name	RESOLVED	Mail server
	Customer enumeration via branding call	RESOLVED	Mail server
	delete_account cron scripts don't account for new Auditing code	RESOLVED	Mail server
	When deleting from important list task stays in important list	RESOLVED	Calendars, Tasks, Webmail
	accepting calendar error - Timezone: UTC Not found	RESOLVED	Calendars, JMAP API
	CALENDAR: runtime error: invalid memory address or nil pointer dereference	RESOLVED	Calendars, Webmail
	CALENDAR: nil pointer in calendar event	RESOLVED	Calendars, Webmail
	CALENDAR - Snooze Webmail to Outlook for Mac	RESOLVED	Calendars, Webmail
	Invited event cannot be modified.	RESOLVED	Calendars, Webmail
	No error displayed to user when actioning a calendar invite fails	RESOLVED	Dav, Webmail
	Support for short TZID field in calendar invites	RESOLVED	Calendars, Webmail
	accepting calendar invitation error	RESOLVED	Dav, Webmail
	Accepting calendar invites sent from Apple products duplicates DTSTAMP	RESOLVED	Calendars, Dav, Webmail
	Add API Admin to mailserver	RESOLVED	Mail server, Mail Server API
	On admin user password expiry user should be enforced to change the password	RESOLVED	Mail server
	Admin Account login/logout and lockouts will be logged in DB	RESOLVED	Mail server
	apiserver doesn't support UTC timezone	RESOLVED	API, JMAP API
	As an administrator I expect that no passwords are stored on disk in a reversible encryption format	RESOLVED	JMAP API, Passwords, Webmail
	As a service desk operator I would like to assign a one-time password to a user or admin. The User/admin should then be prompted for a new password on use of this one time pass	RESOLVED	Mail server, Passwords, Webmail
	As an administrator I do not want any information that can be used to guess passwords, a generic message should always be used	RESOLVED	Mail server, Webmail
	As an admin user I would like my account to be locked out for a period of time after a specified amount of failed login attempts	RESOLVED	Mail server
	As an administrator I would like to enforce good password practices on my other subadmins	RESOLVED	Mail server
	As an admin user I do not want password policies to be applied to any one-time passwords or tokens	RESOLVED	Mail server, Passwords
	As an webmail/admin user I want to define my password using special characters	RESOLVED	Mail server, Passwords, Webmail
	Database migration scripts	RESOLVED	Mail serfver
	Add password change frequency requirement	RESOLVED	Mail server
	Auditing for lock outs and administrator login/logout attempts	RESOLVED	Mail server
	New password must be different from the last five passwords used	RESOLVED	Mail server
	Deleting a brand, then domain is still assigned to it in the DB	RESOLVED	Mail server
	Clean up confusing brand settings slightly	RESOLVED	Mail server
	Import new translations, including new Dutch file	RESOLVED	Webmail