Release overview
Release Date: 28 February 2018
Servers: atmail cloud EU servers
Release Versions: atmail suite - 8.3.1 / atmail dav server - 8.3.1 / atmail mail server - 8.3.1
⚠ Please Note:
Release 8.3.1 is the first release in which all products in the atmail 8 lineup share the same version number.
atmail mail server summary
Epics
- Password policy and good practices features and improvements to increase security and configuration options for the atmail product line
- Security fixes
Improvement Highlights
- Cleaned up confusing brand settings
- Auditing for lock outs and administrator login/logout attempts
- Improved branding UX flow of webmail integration plugin for atmail mail server
- Updated jQuery and jQuery-UI libraries
- Random password generator in atmail mail server account manager
- New theme settings for the atmail suite integration theme edit form
Bug Fixes
- Fixed the delete_account script so that admins can delete accounts
- Resolved: after deleting a brand, the domain was still assigned to it in the DB
- Fixed issue with some database migration scripts
- Fixed various areas in mail server that were missing internationalization support
- Forgotten password was not functional - resolved by adding a new configuration for an atmail mail server administration API user
Security Improvements/Fixes
- Branding calls can expose customer enumeration
- Stored XSS in theme name
- Missing input validation -> Negative value for quota
- Missing input validation - searches
- Outdated jQuery library with CVE, upgraded
- Secure flag now used for admin cookie
- Password policy settings checked against Global settings even if Global has been disabled
- "accountsettingssave" API method now checks against password policy
- Admin users should not be allowed to change the password policy of their own role
- Error on disabling password policy for a domain when there is a global policy as well
- Global password policy is not applied while creating mail account if domain password policy is disabled
- Password policy was not applied to forgot password for email users.
atmail suite summary
Epics
- Password policy and good practices features and improvements to increase security and configuration options for the atmail product line
- Translation support and refresh
New Feature Highlights
- API server now uses new atmail mail server administration API user to update mail server password
- API server can now store authentication details client side
Improvement Highlights
- New API authentication method which uses the client side storage for service accounts credentials
- This includes new authentication flows such as prompting for a service account password
- Internationalization improved
- New translation - Dutch
- All translations refreshed
- Forgotten password will now update your service account passwords
- Password policy is now applied to forgot password for email users
Bug Fixes
- Calendar VEVENTS that contain UTC timezone can now be processed
- Error now displayed to user when a calendar invite fails to be processed
- Fixed error where an invited event cannot be modified
- When deleting from important list task stays in important list
- Support for short TZID field in calendar invites added
- Correctly changes service account passwords with forgotten password, not just main user
- Fixed various nil pointers and invalid memory address issues in calendar event processing
- Resolved duplicated DTSTAMP when accepting calendar invites sent from Apple products
- Fixed JavaScript error breaking calendar when using a locale other than English
- API proxy server side event not releasing connections correctly on disconnect.
Known Issues
- API call getContacts → blank {} properties is treated as NULL
- atmail suite → When receiving a thread update, the avatar is not updated to latest replied user
atmail dav summary
Bug Fixes
- Fixed initialize declaration in PropertyStorage
- Calendar VEVENTS when snoozing in atmail suite are now reflected in Outlook for Mac
- Resolved duplicated DTSTAMP when accepting calendar invites sent from Apple products
Changelog
Summary | Status | Component(s) |
---|---|---|
Error when creating cloud account through store or Security > Add cloud | RESOLVED | Mail server |
ApiAdmin using wrong hash | RESOLVED | API server |
SPECIAL-USE missing in dovecot 2.33.2 | RESOLVED | Mail server |
Password policy not displayed on error on forgot password | RESOLVED | Webmail |
Forgotten Password is broken | RESOLVED | Mail server |
Forgotten password path doesn't apply password policy | RESOLVED | Mail server |
Password policy is not applied to forgot password for email users | RESOLVED | Mail server |
SSE not releasing connections correctly on disconnect | RESOLVED | JMAP API |
Can no longer add domains in mailserver | RESOLVED | Mail server |
Forgotten password is broken | RESOLVED | JMAP API, Webmail |
Admin users should not be allowed to change the password policy of its own role | RESOLVED | Mail server |
JavaScript error breaks calendar event add when using non-English locale | RESOLVED | Webmail |
Random password generated by MS will stop apiserver provisioning | RESOLVED | Mail server |
Unable to login to webmail after updating User password by webadmin | RESOLVED | Webmail, Mail server |
Apostrophes in international descriptions breaking webmail | RESOLVED | Webmail |
Secure flag should be used for admin cookie | RESOLVED | Mail server |
Outdated libs -> jQuery | RESOLVED | Mail server |
Missing input validation - searches | RESOLVED | Mail server |
Missing input validation -> Negative value for quota | RESOLVED | Mail server |
Stored XSS theme name | RESOLVED | Mail server |
Customer enumeration via branding call | RESOLVED | Mail server |
delete_account cron scripts don't account for new Auditing code | RESOLVED | Mail server |
When deleting from important list task stays in important list | RESOLVED | Calendars, Tasks, Webmail |
accepting calendar error - Timezone: UTC Not found | RESOLVED | Calendars, JMAP API |
CALENDAR: runtime error: invalid memory address or nil pointer dereference | RESOLVED | Calendars, Webmail |
CALENDAR: nil pointer in calendar event | RESOLVED | Calendars, Webmail |
CALENDAR - Snooze Webmail to Outlook for Mac | RESOLVED | Calendars, Webmail |
Invited event cannot be modified. | RESOLVED | Calendars, Webmail |
No error displayed to user when actioning a calendar invite fails | RESOLVED | Dav, Webmail |
Support for short TZID field in calendar invites | RESOLVED | Calendars, Webmail |
accepting calendar invitation error | RESOLVED | Dav, Webmail |
Accepting calendar invites sent from Apple products duplicates DTSTAMP | RESOLVED | Calendars, Dav, Webmail |
Add API Admin to mailserver | RESOLVED | Mail server, Mail Server API |
On admin user password expiry user should be enforced to change the password | RESOLVED | Mail server |
Admin Account login/logout and lockouts will be logged in DB | RESOLVED | Mail server |
apiserver doesn't support UTC timezone | RESOLVED | API, JMAP API |
As an administrator I expect that no passwords are stored on disk in a reversible encryption format | RESOLVED | JMAP API, Passwords, Webmail |
As a service desk operator I would like to assign a one-time password to a user or admin. The User/admin should then be prompted for a new password on use of this one time pass | RESOLVED | Mail server, Passwords, Webmail |
As an administrator I do not want any information that can be used to guess passwords, a generic message should always be used | RESOLVED | Mail server, Webmail |
As an admin user I would like my account to be locked out for a period of time after a specified amount of failed login attempts | RESOLVED | Mail server |
As an administrator I would like to enforce good password practices on my other subadmins | RESOLVED | Mail server |
As an admin user I do not want password policies to be applied to any one-time passwords or tokens | RESOLVED | Mail server, Passwords |
As a webmail/admin user I want to define my password using special characters | RESOLVED | Mail server, Passwords, Webmail |
Database migration scripts | RESOLVED | Mail server |
Add password change frequency requirement | RESOLVED | Mail server |
Auditing for lock outs and administrator login/logout attempts | RESOLVED | Mail server |
New password must be different from the last five passwords used | RESOLVED | Mail server |
Deleting a brand, then domain is still assigned to it in the DB | RESOLVED | Mail server |
Clean up confusing brand settings slightly | RESOLVED | Mail server |
Import new translations, including new Dutch file | RESOLVED | Webmail |