To install this update please follow these steps:
1. Click on "System Update -> Get package list". This action downloads a list which contains the specific version of each package. This list is then compared to the list of already installed packages to determine which packages need to be updated. The packages to be downloaded and their sizes are displayed in the frame. The end of this process is shown by the message "Done!" in the frame. Then proceed with the next step.
2. "Get packages". This action downloads the packages shown in step 1.
IMPORTANT: when downloading the update over a slow internet connection (ISDN, analog etc.), the web browser may drop the connection to the Admin GUI because of a timeout.
The progress will then no longer be shown, but the download is still active in the background. A click on "Get packages" will then show an error message. We recommend waiting for a while and, when you assume that the packages have been downloaded completely, clicking on "Install". If you get an error, the download is still in progress. Wait again for a moment and then click on "Install" again.
3. "Install". This action finally installs the packages. During the installation, messages are shown for each individual package. "Warnings" can be ignored, e.g. the warning "... time stamp 2003-01-30 is 123456s in the future". The end of this process is shown by the message "Done!" in the frame.
4. This update installs a new kernel. Therefore it is necessary to reboot the system after the installation of the update.
5. This update changes the GUI completely so that a restart of your browser is necessary. Just close your browser after you initiated the reboot and open the browser again.
Installation
New in this release
Fixed problems in this release
Hints and restrictions
Known problems in this release
If your CBS does not yet run software version 2.0.0 or higher, please refer to the Release Notes 2.5.2: http://www.collax.com/de/support/relnotes-2.5.2.php
IMPORTANT: Clients must have a connector with version 3.X! Older clients are not supported anymore!
This update installs exchange4linux in the new version 3. Because of the change to the higher version, some settings need to be configured for the first time and others need to be reconfigured.
In the main configuration screen of exchange4linux you will find the usual items at the top; the new options are at the bottom. exchange4linux now uses Apache-2 as an application server. This offers you the possibility to connect to exchange4linux with plain HTTP and/or encrypted HTTPS. Activate the preferred method and choose a port from the drop-down-menu. Please be aware that for HTTPS you need a certificate which needs to be installed beforehand.
Below these are the options for Free/Busy. Activate Free/Busy if you wish to use it and choose a share in which the information should be saved. When you activate the option "Use default Free/Busy-Share", the share "freebusy" will be generated automatically with the right parameters if it does not yet exist.
In the groups in the usage policy you will now find the following permissions:
exchange4linux-3 User: this option defines a user as an exchange4linux user and only works with clients which have the connector installed in version 3.x.
exchange4linux via HTTP: this option allows a client to connect to exchange4linux with plain HTTP on the defined port. What matters here is the IP address or the network, respectively.
exchange4linux via HTTPS: this option allows a client to connect to exchange4linux with encrypted HTTPS on the defined port. What matters here is the IP address or the network, respectively.
The permissions for Free/Busy are below the item "Files".
IMPORTANT: do not forget to save the password of the e4l administrator: "Usage Policy->Environment->Administrator->Password". After the setup of e4l, run a full configuration.
For a more detailed description of the new menu items, please have a look at the online help.
The configuration GUI has been restructured to make it even more user-friendly and usable. This also includes speed improvements when rendering pages in the browser, and in some parts of the server-side functionality.
All dialogs giving online information about the system state or having an immediate effect on the system are now grouped together in the "system" menu to distinguish them from those dialogs that only modify the system's master configuration file (which can be found in the "settings" tab).
All selection tables within dialogs can now be sorted by clicking on the title of a column. Possible actions for table entries can now be selected via a context menu that is reachable via a right click within a table row.
The new "Wizards" are intended to ease and speed up the initial installation of the Collax Business Server. You will find the Wizards in the corresponding tab at the left side of the main menu.
The wizards should be invoked in the order they appear in the menu, starting with the "System usage" wizard. Some wizards won't show up in the menu until you have selected the corresponding sub-system there.
Currently the following wizards are implemented:
System Usage
Master data
Intranet
Internet access
User
Mail server
Web proxy
File shares
Backup
It is now possible to import user account information from CSV (comma separated values) files, which can be created by common spreadsheet applications such as Excel.
This functionality has been implemented within the "User" dialog in the "usage policy" menu and also within the new user account wizard.
It is now possible to generate a printable PDF document per user account that contains the information necessary to set up client software.
The export of account data into CSV files makes it possible to use the account data in applications such as spreadsheets or to import the data into other systems.
Please note that these files also contain account passwords and should be kept confidential.
You can find the dialog to export user account data under "System -> Reports -> Export user accounts".
On systems with HT (Hyper-Threading) enabled and/or more than one CPU, an SMP version of the kernel is automatically selected at system boot.
Note that some systems may have HT disabled in the BIOS settings; you need to turn it on manually to benefit from this feature.
For systems having more than 4 GB of physical RAM, PAE (Physical Address Extension) has been activated in the SMP kernel.
The system now supports LVM, which can be used to integrate additional disk drives into the system's storage or to remove such drives from the system later.
You can find these settings in the menu under "System -> System Operation -> Harddisk management".
The ISDN card FritzCard! made by AVM is now detected and can be used for network connectivity.
Because this card is a passive ISDN card without fax support in hardware, it cannot be used to send or receive fax messages.
IPMI (Intelligent Platform Management Interface) can be used for hardware monitoring and management on some systems. You can find the settings for this in the "System -> System configuration -> Hardware" menu. For more information about IPMI see <http://www.intel.com/design/servers/ipmi/>.
The default value for the serial console is changed from 9600 Baud to 115200 Baud.
Imported groups no longer need to be named "DOMAIN_groupname". It is sufficient to provide the group name.
At installation time, the current configuration will be validated and some of the errors within that file will automatically be corrected. This will fix a few problems that may have been introduced by previous versions of the configuration software.
The backup now supports directories that are exported with CIFS instead of only using SMB. CIFS is used automatically when the server is a member of an AD. Windows 2003 Server needs CIFS, while older versions of Windows (<=WinNT) only support SMB.
Beside forwarding a fax message via e-mail, it is now also possible to print fax messages on a network printer or to store them within the home directory of a user.
To print fax messages on a network printer, the printing subsystem on your Collax Business Server must be enabled.
Several enhancements to the programs "aklinkd" and "pppd" result in better performance when re-establishing a PPP connection, e.g. when connecting to the internet via an ISP that uses forced termination of connections.
Files that have been detected as virus-infected can now be moved into a special file share for further inspection by an administrator.
You can find this option under "Filter -> Virus Scanner -> General".
Virus-infected email messages can now be moved into a shared IMAP folder, from where an administrator can easily inspect and possibly forward such mail.
As for any other shared folder, a time to live can be specified, after which messages are automatically deleted from the virus folder.
Please note that this folder must not be accessible to ordinary users, as this would effectively bypass the virus protection mechanisms.
You will find this option in the menu under "Filter -> Virus Scanner -> General" and "Filter -> Mail-Filter -> Spam".
The NTLM authentication scheme that is usually used by Windows client software is now enabled when the support for Windows networks has been enabled. It is no longer necessary to enable it separately.
The limitation of the Web-Content-Filter that only the first rule matches is lifted. With the option "Process further rules" it is possible to create complex rulesets.
Furthermore the filter shows a page with a detailed description of an error instead of silently passing requests.
exchange4linux is updated to version 3.1.10, which scales much better and is much faster than previous versions. Note: this version only supports clients with a connector in version 3.X. Please also pay attention to the notes under "Installation".
There is a new version of the URL filter Cobion on the Collax Business Server. This was inevitable as the old product is not supported anymore by the manufacturer. The new filter contains three new categories to guard against Phishing, Spam and Spyware.
The new version can authenticate with NTLM. The biggest technical change is that ICAP is no longer used to communicate with the Cobion process. Instead, Cobion is integrated in the filter squidGuard. Important: please pay attention to "Hints and restrictions" in this document.
The virus scanner AntiVir is updated to version 6.32.
The virus "Lupper", also known as "Linux Worm", uses a vulnerability in the program "awstats" up to release 6.2. This problem has been solved by upgrading "awstats" to version 6.4.
The "pppd" program that is used in different kinds of dial-up connections opened some devices but never closed them. Under specific circumstances this would lead to the situation that such dial-up connections could no longer be established.
The behavior of the "aklinkd" program in some situations has been improved.
The "proftp" program that is used to provide the FTP file service did not support access control lists, which resulted in files not being accessible to users even when the file's ACL would have allowed access. Some inconsistencies in directory listings could also be observed.
A new version of the "proftp" service has been integrated, which offers full ACL support.
When "NTLM" authentication was enabled, the standard "Basic" authentication was disabled. This blocked some older or simpler software that does not support the "NTLM" authentication scheme from using the proxy.
"Basic" authentication is now always enabled when "NTLM" authentication is enabled.
Up to now only authentication was possible with imported groups. With this release Proxy-Filter rules can be applied on imported groups. Note that the finishing rule for an imported group must not have the option "Process further rules" enabled.
The Cyrus IMAP server did not accept self-signed certificates for its own use, that is, certificates that have not been signed by a CA. The IMAP server would start, but would issue an error message that it did not receive a valid certificate.
The Cyrus IMAP server now accepts self-signed certificates.
It can happen that hylafax rejects faxes from callers. In this case, you should deactivate the fax spam lists as follows: in the left menu, go to Messaging/Fax/General and deactivate 'Switch on number control'. You can then save and activate the configuration.
In some cases it was possible that faxes were not transmitted correctly, so that the header was cut off or missing entirely.
If you experience these problems, you should set the maximum receive rate to a value below 14.400 Bit/s. You can set this on the MODEM page in the GUI.
In order to be able to use the Sedlbauer-ISDN-Card for an analog connection to a provider, the following must be set in "Additional Hayes-Options": "AT&FS14=10S15=0S18=1&E" followed by the MSN of the ISDN-Card.
The configuration used within CBS works properly with the most commonly used modem models. Nevertheless, it is possible that specific modems cannot be initialized correctly. At the moment, analog links are not used as fallback by the "Link monitoring".
It is possible that problems occur when a FritzCard-AVM-PCMCIA and a different PCMCIA card are used at the same time. In this case please call the support hotline.
If your CBS was installed from a CD, only the first five users will be shown in the administration GUI after this update. All other users still exist on the system and the functionality of the server is not affected. To lift this restriction, you can clarify your license with our support: support@collax.com. Whether you have a CD-installed system or not can be seen from the text at the top of the administration GUI.
The Base-DN of the LDAP directory cannot be changed retroactively through the GUI. The reason for this is that not all directory data can be rebuilt from the configuration.
Although data is lost, the easier way is to delete the files in the "/var/lib/openldap/openldap-data" directory, and then recreate the directory.
To achieve that, follow these steps:
Log on to the system as "root".
Stop the LDAP server. You can do this either through the GUI (System->Services) or with the "/etc/init.d/openldap stop" command.
Use "cd /var/lib/openldap/openldap-data" to change to the database directory of the LDAP server. Verify that you are in the right path with the "pwd" command.
Delete all files in the directory with "rm *.dbb".
Change the Base-DN of the directory in the GUI.
Activate the changes. You will get a series of error messages explaining that data cannot be written into the LDAP directory. When the activation is completed, the LDAP server should restart with the changed configuration.
Execute the "/usr/lib/akconfig/scripts/ldif.gen config" command to transfer the data from the system configuration into the LDAP directory.
Beware: all passwords of all users will be lost after having changed the Base-DN. You have to enter them again via the Admin GUI.
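The deletion step above is irreversible, so it is worth archiving the database directory first. The following is an added example, not part of the original release notes or Collax's own tooling: it uses the directory and file pattern given in the steps above, while the function name clear_ldap_data, the backup directory /root/ldap-backup and the --run switch are assumptions. It assumes the LDAP server has already been stopped.

```shell
#!/bin/sh
# Added example: archive the OpenLDAP database directory, verify the
# archive, and only then delete the database files.
# Directory and pattern are taken from the release notes; everything
# else (function name, backup location, --run switch) is assumed.

LDAP_DATA_DIR="/var/lib/openldap/openldap-data"
LDAP_FILE_PATTERN="*.dbb"

# usage: clear_ldap_data DATA_DIR BACKUP_DIR
# Prints the path of the created archive on success.
# Returns 1 on errors, 2 if no database files were found.
clear_ldap_data() {
    data_dir=$1
    backup_dir=$2

    # Resolve the directory the same way "cd" followed by "pwd" would.
    [ -d "$data_dir" ] || { echo "no such directory: $data_dir" >&2; return 1; }
    resolved=$(cd "$data_dir" && pwd -P) || return 1

    # Stop early if nothing matches the pattern (wrong directory?).
    set -- "$resolved"/$LDAP_FILE_PATTERN
    [ -e "$1" ] || { echo "no $LDAP_FILE_PATTERN files in $resolved" >&2; return 2; }

    # The database holds password data: keep the backup private.
    mkdir -p "$backup_dir" || return 1
    chmod 700 "$backup_dir" || return 1
    archive="$backup_dir/openldap-data-$(date +%Y%m%d-%H%M%S).tar.gz"
    ( umask 077; tar -czf "$archive" -C "$resolved" . ) || return 1

    # Delete only after the archive has been read back successfully.
    tar -tzf "$archive" >/dev/null || return 1
    rm -f -- "$resolved"/$LDAP_FILE_PATTERN || return 1

    echo "$archive"
}

# Run against the real directory only when asked to explicitly.
if [ "${1:-}" = "--run" ]; then
    clear_ldap_data "$LDAP_DATA_DIR" "/root/ldap-backup"
fi
```

The archive does not replace re-entering the user passwords after the Base-DN change; it only allows the old directory data to be restored if the change has to be rolled back.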
Because of a limitation in the IPSec implementation (OpenSWAN), IPSec can only be used with four different network interfaces. In particular, this leads to problems involving failovers and outgoing IPSec connections.
You can (and must) select the interface that you will use to create a VPN link. For this link, select "dial-in" in the "initiate" field. Then, in the "on Link" field, choose the network link over which the IPSec data will be forwarded.
Additionally, if you wish to prevent these links from being used to establish an inbound connection to your local network, you must specify the system certificate as your own certificate as well as the receiver's certificate.
It is not possible to use VPN connections with asymmetric routes if the system is both a router and an IPSec gateway.
This is because IPSec accumulates a checksum of the IP header contents. With asymmetric routing, the IP addresses of the links - over which the data is transmitted and received - do not correspond.
It is not possible to establish multiple IPSec connections for the same networks and the same two security gateways. This is due to how OpenSWAN works internally (keyword "eroutes". Those having trouble with OpenSWAN know what is meant here; a deeper analysis would go beyond the scope of these release notes).
You can set up a GRE-tunnel over the IPSec-tunnel to bypass this problem.
Because VPN connections are handled as network devices, some limitations apply to traffic shaping inside VPN tunnels. Specifically, this means that classification information can be lost for data transmitted inside a VPN tunnel.
All networks that are reachable through a VPN link must also be specified as reachable networks in the corresponding dialin-link.
So that special services like the Web Proxy can use NTLM authentication, CBS has to join its own domain. Please do this the same way as you would join CBS to another PDC.
Exporting virtual hosts via FTP is only possible with IP-based virtual hosts. Name-based virtual hosting with FTP is not possible due to limitations in the FTP protocol itself.
The setting "Canonicalize sender address" can be used to rewrite internal email addresses to addresses that can be reached externally.
If you create multiple mail domains, the address is always rewritten to the first matching rewrite address. The order in which mail domains within the LDAP directory are considered for matches can change, though, and is more or less random.
You can work around this problem by configuring the email clients such that the external address is always used for outgoing emails.
When users are authenticated against a non-local database, e.g. ADS/PDC, please make sure that the user "mailadmin" does not exist on the ADS/PDC, because this user is used internally in CBS. Otherwise problems will occur, e.g. during the creation of local mailboxes.
When using the Web-Content-Filter with your own lists which contain URLs and/or domains and/or expressions, it may happen that the filter doesn't work properly and thus doesn't block anything. In order to fix this problem, please save each list and activate the configuration.
Please note that Service Pack 1 has to be installed on a Windows 2003 Server in order to authenticate against it with NTLM.
The AntiVir-WebGate does not yet support HTTPS which means that HTTPS-connections are not possible in combination with AntiVir-WebGate. So at the moment HTTPS-traffic bypasses this filter.
The virus scanner TrendMicro WebWall cannot authenticate itself against other proxies. If you use a remote proxy with authentication, e.g. the proxy of your provider, you cannot use WebWall. Workaround: additionally enable AntiVir WebGate, which is able to authenticate itself against a different proxy.
There are no longer any special statistics for Cobion. Statistics can be generated with awstats, but there are no statistics for the categories used.
There is no Passlock anymore.
As compatibility with the old settings could not be assured, these settings have to be made again.
Installations using keys that were not bought from us will not work anymore. We can relicense these keys when you contact us.
The LC-display hangs during the update, because the driver for the LCD is updated. After rebooting the system, the LCD will work again as usual.