This is a beta release. Problems with the new and modified components might occur on some installations.
To be able to install the update at least version 7.0-4.6 is required.
The 7.1-0.* release series is a beta branch which will be finished with the release of update 7.1-1.0. We would like to invite
you to participate and hope to receive feedback regarding the new features. We would like to thank everyone for their active
participation.
Before installing the beta update, please make sure that a current backup is available. For systems with mailboxes, please
carefully read the special notes in section "Mailbox storage type and mail backups" below.
Available for purchase
Machines covered by a software maintenance contract as well as systems which have been purchased lately may update free of
charge. Access has already been activated for the respective licenses. For all other systems access will be granted as soon
as the update has been purchased.
The credentials required to download the update will be sent automatically when using the system's interactive update feature.
For a manual download you will have to specify the support IP as username (e.g. 172.18.253.15) and the hardware ID as password
(e.g. 473I-QN34-O@:5).
S/MIME email encryption gateway
This new component lets you use S/MIME based signatures and encryption for your external communication without the need to
roll out and maintain S/MIME for all local mail clients.
Starting with release 7.1-1.0 this component is subject to a fee!
With this solution, inbound emails will be decrypted automatically before applying security checks like virus scan or attachment
filtering. Also the signatures of inbound emails will be checked. Certificates received as part of the signatures can be stored
for encryption of outbound emails automatically. So all future mails to these communication partners will be encrypted without
any effort. It is also possible to manually release or import peer certificates for automatic encryption of outbound emails.
Finally outbound emails can be signed automatically, too.
For signing outbound emails and decrypting inbound emails an S/MIME certificate is required for each email address. The certificate
has to be stored in the user administration, one certificate per user.
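As an added example that is not part of these release notes or of the product's own code, the following Python script (using the "cryptography" package, with a constructed self-signed certificate and a constructed message) shows the certificate-harvesting step described above together with the check a gateway has to make before storing a peer certificate for automatic encryption: the certificate must actually be issued for the address the mail claims to come from.

```python
import datetime as dt
import email
from email import policy, utils
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs7

SIG_TYPES = ("application/pkcs7-signature", "application/x-pkcs7-signature")


def make_signed_mail(from_addr, cert_addr, body=b"Hello\r\n"):
    # Constructed sample: a self-signed certificate issued for cert_addr signs a
    # message whose From header claims from_addr (the two may differ on purpose).
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cert_addr)])
    now = dt.datetime.now(dt.timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + dt.timedelta(days=30))
            .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(cert_addr)]),
                           critical=False)
            .sign(key, hashes.SHA256()))
    smime = (pkcs7.PKCS7SignatureBuilder().set_data(body)
             .add_signer(cert, key, hashes.SHA256())
             .sign(serialization.Encoding.SMIME, [pkcs7.PKCS7Options.DetachedSignature]))
    return b"From: " + from_addr.encode() + b"\r\n" + smime


def harvest_peer_cert(raw_mail):
    # Return the signer certificate worth storing for encrypting future mails to
    # the sender, or None if the mail is unsigned or the certificate was not issued
    # for the From address. Signature and chain validation against the trusted CA
    # store is assumed to happen before storing and is not shown here.
    msg = email.message_from_bytes(raw_mail, policy=policy.default)
    if msg.get_content_type() != "multipart/signed":
        return None
    from_addr = utils.parseaddr(str(msg["From"]))[1].lower()
    for part in msg.iter_parts():
        if part.get_content_type() not in SIG_TYPES:
            continue
        for cert in pkcs7.load_der_pkcs7_certificates(part.get_payload(decode=True)):
            try:
                san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
            except x509.ExtensionNotFound:
                continue
            mail_names = san.value.get_values_for_type(x509.RFC822Name)
            # Only bind the certificate to an address it was actually issued for.
            if from_addr in (a.lower() for a in mail_names):
                return cert
    return None
```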
Menu "CA Certificates"
You can store custom trusted CA certificates in the new menu item "System > Certificate manager > CA certificates". The CA
bundles which are maintained by us are also visible there. The two previous menu items of the local CA have been moved into
the new menu, too.
Docker-based operating-system-level virtualization
Optional extensions (running within containers) can be installed in the new menu "System > Apps". Please note that apps have
to be updated separately, so please check the "Apps" menu regularly once you have apps installed.
While fully virtualized guests each run a whole operating system of their own, with operating-system-level virtualization
the host and all of its guests share the same operating system core (in our case the Linux kernel). This makes operating-system-level
virtualization very efficient. Still the guests, usually called containers, run in an isolated environment. However this isolation
is not as strong as with full virtualization.
Following this approach, we want to offer even bigger software modules in the future, without major impact on system security.
Administration interface now on port 44344
Browser access to containers, as described above, requires the reverse proxy, which plays a more central role now. So we
decided to enable the reverse proxy on port 443. Port 443 was previously allocated to the administration interface, which has
been moved to port 44344.
In order to facilitate the transition, the reverse proxy will redirect requests for the administration interface to the LAN
IP, port 44344. Because of the redirect, the browser then accesses the administration interface directly and not via the reverse
proxy. This prevents granting Internet access to the administration interface by mistake when granting Internet access
to port 443.
Webmailer replaced with new groupware
The update replaces the rather outdated webmailer with a far more extensive groupware. The solution is based on the "SOGo"
groupware, which uses IMAP only to access the mail storage. So it is always possible to access emails without using the groupware,
too. Contacts, events, tasks, mail filters and settings are stored in a database, which is a "MariaDB" in our case. Both the
groupware and the database are installed as containers.
In contrast to the webmailer, the groupware is no longer pre-installed. You can install or update it anytime without a fee
in menu "System > Apps". Install the app "Database" first, then "Groupware".
When compared with the old webmailer, the groupware adds the following features:
- modern, smartphone optimized web interface
- share and subscribe to calendars and address books with individual user rights
- plan and exchange appointments by mail via iCalendar
- free-busy information
- tasks (TODOs)
- marks for emails, events and tasks
- delegation of accounts ("Send as")
For native access with smartphone apps, Outlook and other mail clients we offer an extension featuring Exchange ActiveSync,
CalDAV and CardDAV.
Starting with release 7.1-1.0 this extension is subject to a fee! Groupware access by browser remains free of charge.
Web client for RDP, VNC and SSH
This new component is also installed as a container in menu "System > Apps". It offers access to remote desktops (RDP), VNC
servers and Secure Shell servers with a web browser (HTML5). No additional client software is needed. The reverse proxy is required
to access this component, so it is possible to enforce authentication with client certificates if required. Two-factor
authentication using time-based one-time passwords (TOTP) is also possible. Free smartphone apps for TOTP are available (e.g.
Google Authenticator). We also offer TOTP hardware tokens.
Starting with release 7.1-1.0 this extension is subject to a fee!
Mailbox storage type and mail backups
Mailboxes are stored in a different way now. Mailboxes are converted automatically during the update and when uploading a mail
backup which contains data in the old format.
We recommend stopping the mail server and downloading a mail backup before updating. After the update, download a mail backup in
the new format before starting the mail server.
Depending on the size of the mailboxes, the conversion may take several minutes or even hours if gigabytes of mails have to
be converted. Rebooting or switching off the device during this process may result in the loss of data.
When uploading a mail backup in the new format, the mails from the backup are merged into the current mail store, i.e. deleted
mails are restored from the backup while new mails and all changes are retained. If you are using the groupware, the same
applies to contacts, events and tasks. The groupware users' settings and mail filters will be taken from the backup.
Mails are not merged when uploading a mail backup in the old format. The mails from the backup are restored and any new mails
will be lost.
Previously the data of an account was restored only if the account had no inbox. This is no longer the case. To restore data
of specific accounts only, you will have to open the mail backup with a ZIP archive tool. Mail backups contain one backup
file per account. Extract the backups of the accounts you want to restore and upload them one after the other.
Support for the following features has been removed: McAfee virus scanner, LDAP server for LDAP address book, IMAP/webmail
access for admin to attachment and virus quarantine directories, deleting and modifying the contents of mailboxes.
Minor bugfixes and improvements
In the 7.0 releases some features had only been available on systems with a software maintenance contract. In 7.1 these features
will now be available on all systems. This includes:
Bridging
You can now connect Ethernet, VLAN and WLAN interfaces with a network bridge. For connections within the bridge and connections
coming out of the bridge the firewall is configured individually for each port. So it is possible to run a transparent firewall
between two network segments (e.g. between LAN and router). For connections routed into a bridge however, there's no firewall
configuration by port, only by bridge.
Aggregation of network adapters
You can now aggregate multiple network adapters to get redundant connections with switches or to increase throughput.
URL filter message when breaking SSL connections
An option has been added to the web proxy content filter settings which affects what users will see when the URL filter
blocks a whole domain. Previously the proxy blocked the connection attempt right away, so the browser only showed its generic
error that the proxy forbids the connection. With the new option you can change this behaviour, so the connection is initially
allowed and the detailed error message of the URL filter is shown in the browser.
User specific message after logging into administration interface
For users with access to the administration interface (group "system-admin") a message can be configured in the user administration
which is displayed every time the user logs into the administration interface.
Rejecting emails with unwanted attachments
The "admin" user can now grant members of group "system-admin" read-only access to the most important configuration menus,
e.g. to grant access for an auditor. Previously "admin" could only grant full access to individual menus.
URL filter user groups via Active Directory
The URL filter can now retrieve user groups directly from an Active Directory server. A computer account in the Windows domain
is required just like for NTLM proxy authentication.
Let's Encrypt certificates
Certificates can now be renewed automatically using the ACME protocol, so you can use free Let's Encrypt certificates.
This new option is available when requesting a new certificate in the "Keyring" menu. For authentication the "http-01" method
is used. This requires that the reverse proxy can be reached on port 80 from the Internet and that a virtual host is defined for
all requested domains with the pre-defined backend "ACME HTTP-Authorization" enabled.
Avira macro detection for web proxy
On installations running Avira antivirus, a new option in the web proxy content filter allows blocking office documents containing
macros or autostart macros.
Monitoring for SSH TCP forwarding
Connections via SSH TCP forwarder are now displayed on a new tab in menu "Monitoring > Network > Status".
Logging to syslog server
You can send a copy of most logs to a syslog server now.