To install this update please follow these steps:
1. Go to "System -> System Operation -> Software -> System Update" and click "Get Package List" . The successful update of the package list is indicated by the message "Done!" .
2. Click "Get Packages" . This action downloads the listed update packages.
Important: If you download the packages over a slow connection (ISDN, analog, etc.), the browser may drop the connection to the administration interface. However, the download will continue in the background. Continue with the next step. If you get an error message, wait a few minutes and try again.
3. Click "Install" . This action installs the update. The end of this process is indicated by the message "Done!" .
4. If a new kernel is going to be installed, the system must be rebooted after installing the update: "System -> System Management -> Shutdown/Reboot -> General" .
An appropriate note will be shown if the update process is completed.
Installation Notes
New in this Release
Problems Fixed in this Release
Notes
Restrictions
Known Issues
Please note the hardware requirements if you want to do an upgrade to version 4.1.x.
If your Collax Business Server version is below 2.0.0 please make sure that you do a backup of the intermediate Version 1.18b. To upgrade to the current version a further intermediate step to version 2.5.2, 3.0.6 and 3.0.26 will be accomplished.
To accomplish the upgrade to version 4.1.x the prior version 3.0.26 needs to be installed. To install the version 3.0.26 please follow the steps "Get Package List", "Get Packages" and "Install".
Please follow the steps "Accomplish Upgrade to Version 4.1.x" if the version CBS 3.0.26 is installed. Please read the release notes to the appropriate version.
A new kernel is going to be installed and a reboot of the system is necessary. The output of the installation can be disrupted before the reboot is initialized.
Please note: Please wait, until all software packages are installed. The reboot of the system will then be initialized automatically and the server is going to be available after a few minutes.
The Intel Active Management Technology and the Intel vPro Technology offers Out-of-Band system access to Intel AMT-enabled chipset based computer systems. AMT host status can be checked, the hosts can be booted or shut down or BIOS settings can be displayed or changed.
With this Collax update the AMT remote management for these computer systems is integrated. Besides gathering information about the AMT hardware or starting actions as "Power on", "Reboot" and "Power off" the AMT systems BIOS settings can be displayed and changed via Serial-over-Lan. If a PXE-capable server like a Collax Business Server exists the AMT host can be booted and installed with the action "PXE-boot" without any physical access.
Settings for the AMT hosts can be found under "Settings -> Networking -> DNS -> Hosts". The AMT remote management is located under "System -> Monitoring/Analysis -> Remote Management".
Within the user web access users of the Collax Server have access to applications like web mail and groupware or shared documents. From this update on the web access uses up-to-date AJAX-technology with a new window and top level menu orientated layout. It also offers new Collax methods to implement SDK developed individual web applications.
E-Mails on hold are either Virus infected, contain Spam or have been filtered by an individual header filter. For well arrangend and faster administration of such emails the new form "E-Mails on Hold" is introduced with this Collax update. Emails listed in this form can be displayed, deleted or released for further delivery. E-Mails that are active or deferred will be managed within the form "Mail Queue" as before.
The form "E-Mails on Hold" is placed in the menu "System -> Monitoring/Analysis -> Status -> E-Mails on Hold".
For establishing VPN/IPSec links various parameter for key and data exchange needed to be chosen in each VPN link defined. To ease the handling and to improve stability of VPN connections these parameters are merged into the new form "IPSec Proposals" from this version on. Additional a default proposal can be defined in the menu "Settings - Networks - Links - General".
Information on the update procedure:
All existing parameters are checked during the update procedure and matching IPSec proposals will be set to establish existing VPN connections as before.
For road warrior connections the automatically generated proposal "RW" will be set. Parameters in this proposal are gathered from existing links during update procedure. If "Compression" or "Perfect Forwarding Secrecy" had been turned off in one road warrior connection, none of them will be included in the generated proposal "RW". Had "Compression" or "Perfect Forwarding Secrecy" been set always on, they also will be activated always in the proposal "RW".
If a client transmits its host name within a dhcp request this host name will be displayed in the list of assigned dhcp leases.
Per group based E-Mail quota can be used in the Collax email system. From this update on the utilisation of the users email quota is shown in SquirrelMail graphically.
With this software update support for Masterguard UPS devices is implemented.
With the tool "Setip" the very first network settings can be made without any grafical user interface. With this update Setip also can set remote access via SSH or HTTPS.
An host check for availability is performed by the active monitoring for computer systems with Intel AMT-enabled chipsets. The status will be shown in the menu "System -> Monitoring/Analysis -> Status -> Active Monitoring" and also within the menu "System -> Monitoring/Analysis -> Remote Management -> Remote Management-AMT".
With this update the active monitoring checks the number of emails processed by the email server. A warning is shown within the active monitoring if the number of 30 emails are to be processed concurrently by the email server.
In the source code of the Windows SMB/CIFS fileserver Samba security holes have been discovered. These holes will be closed within this Samba software version 3.0.28.
Assigned Common Vulnerabilities and Exposures (CVE) numbers:
CVE-2007-4572 CVE-2007-5398 CVE-2007-6015
In the source code of Apache webserver security holes have been discovered. These holes will be closed within this Collax software update.
Assigned Common Vulnerabilities and Exposures (CVE) numbers:
CVE-2007-5000 CVE-2007-6388 CVE-2007-6422 CVE-2007-6421 CVE-2007-6423 CVE-2008-0455 CVE-2008-0456
In the source code of the web proxy server security holes have been discovered. These holes will be closed within this Collax software update.
Assigned Common Vulnerabilities and Exposures (CVE) numbers:
CVE-2007-6239
In the source code of web mailer SquirrelMail security holes have been discovered. These holes will be closed within this Collax software update.
Assigned Common Vulnerabilities and Exposures (CVE) numbers:
CVE-2007-1262 CVE-2007-2589
From this update on the automatic redirect of HTTP requests to the HTTPS protocol is not applied anymore if no HTTP share exists. Services like the user web access or WevDAV calender have to be addressed via HTTPS protocol if no share for HTTP had been defined.
From this update on the forth octet in ip addresses will not be validated for the value 255. Hosts can now be imported with an IP address ending with 255.
Sorting elements in a table and then choosing elements led to wrong result within the system settings after activating the configuration. With this update elements of a sorted table will be taken correctly into the Collax configuration settings.
If choosing date "Others" in form "System Log Files" the result was not showing log items of the chosen time range. This is fixed within the released update, if choosing a different time range log file items are shown correctly from the given time range.
If generating a forwarding SIEVE rules within SquirrelMail, the display of the option "Keep a local copy as well" is corrected within this software update.
From this update on more than 2GB of mail box quota for a user group can be defined.
Sending an email with SquirrelMail via the Collax web access from a dynamic IP range resulted in detecting this email as spam. With this update the issue is corrected, emails can be sent from a dynamic IP address range via SquirrelMail, the emails will be delivered correctly.
Links are checked to fall back to an other link if a link failure occurs. With this update the link check will be improved by active link checks for link type "route" to ensure fall back to a link with less priority.
Packets going through a VPN tunnel can be rewritten to a different source address. The SNAT/Masquerading in VPN tunnel has been corrected with this update, packets going through a VPN tunnel will be rewritten to the source address set in the link using the function SNAT/masquerading.
All web server entities of Collax servers use PHP safe mode from this update on. The following security issues are addressed:
Find details at http://www.php.net/manual/en/features.safe-mode.php
Some software needs safe mode deactivated. To deactivate PHP safe mode globally, enter the following lines as additional options to Web server -> General -> Extras.
You can also disable the safe mode for individual shares, instead of disabling globally, by writing the options like this:
Here the safe mode is disabled only for the share "TestShare".
Configuration files of Collax server are used for easy managing of one or more servers. From this update on the validation of the files has been tightened to increase the usibility Please check the imported files that were saved before version 3.0.0 via the new AJAX gui and correct the values if necessary. The gui will give the information, if any value needs to be modified.
The setting "Canonicalize sender address" can be used to rewrite internal email addresses to addresses that can be reached externally.
If you create multiple mail domains, the address is always rewritten to the first matching rewrite address. The order in which mail domains within the LDAP directory are considered for matches can change, though, and is more or less random.
You can work around this problem by configuring the email clients such that the external address is always used for outgoing e-mail.
When the authentication of users is made against a non-local database, e. g. ADS/PDC, please be aware that the user "mailadmin" does not exist on the ADS/PD, because this user is used internally in CBS. Otherwise problems will occur, e. g. during the creation of local mailboxes.
When using the web-content filter with custom lists which contain URLS and/or domains and/or expressions, it is possible that the filter is not working correctly, and doesn’t block anything. In order to fix this problem please save each list and activate the configuration.
The NTLM authentication scheme that is usually used by windows client software is now enabled when the support for windows networks has been enabled. It is no longer necessary to enable it separately.
Please note that for being able to authenticate with NTLM against a Windows 2003 Server Service Pack 1 has to be installed.
If the above error message is displayed when surfing over the web proxy and rules are used to limit the web traffic, please check the rules configured under "Settings -> Filter -> Web-Content Filter -> Rules". Load every individual rule by double-clicking the entry. If the message "Please specify at least one URL or Cobion list" is displayed, specify the respective list to be associated with this rule or enable the menu item "All". If no such error message is displayed, you can return to the list of rules by clicking "Cancel". If you changed any of the rules, activate the configuration.
To establish an initiating VPN tunnel an additional VPN link with connection method "dial-in" was always required. With this update VPN tunnel with connection method "Always" don't presume a VPN "dial-in" link anymore.
It can happen, that hylafax denies facsimiles from callers. In this case, you should deactivate fax spamlists. Please follow this description: The left menu shows Messaging/Fax/General. Deactivate 'Switch on number control'. You can save now and activate the configuration.
It is possible, that problems occur when a FritzCard-AVM-PCMCIA and another different PCMCIA-card are used at the same time. In this case please call the support hotline.
In some cases it was possible that faxes were not submitted correctly so that the header was cut or missing wholly.
If you experience these problems you should set the maximum receive rate to a value below 14.400 Bit/s. You can set this in the MODEM-Page on the GUI.
In order to be able to use the Sedlbauer-ISDN-Card for an analog connection to a provider, the following must be set in "Additional Hayes-Options" : "AT&FS14=10S15=0S18=1&E" followed by the MSN of the ISDN-Card.
The configuration used within CBS works properly with the most commonly used modems. Nevertheless, it is possible that specific modems cannot be initialized correctly. At the moment, analog links are not used as fallback by the "Link monitoring" .
The AntiVir-WebGate does not yet support HTTPS which means that HTTPS-connections are not possible in combination with AntiVir-WebGate. So at the moment HTTPS-traffic bypasses this filter.
The print service itself offers its services over the Internet Printing Protocol (IPP). This protocol is directly supported by MacOS X and most Linux distributions. Printers with Ethernet ports can be added to the queues on the Collax Business Server. These printers are also exported over the printer support of the SMB/CIFS server and can be addressed directly over IPP by Windows clients.
From update 3.0.12 on, replication logs of the MySQL database are no longer written. If you need these logs, enable the option "log-bin" in the file "/etc/mysql/my.cnf.template" by removing the comment sign preceding this option. Subsequently, run a full configuration over the web interface.
To integrate the Collax Server for authentification in a Windows server network, the SMB/CIFS service can be used. It is important, that this service has at least one policy group containing a local network.
Exporting virtual hosts via FTP is only possible with IP-based virtual hosts. Name-based virtual hosting with FTP is not possible due to limitations in the FTP protocol itself.
The initial setup of the mailboxes is in conjunction with the option "Alternative namespace". This means that you should decide which format you want to use before the mailboxes are created. When this option is enabled the folders Sent, Draft and Trash are below the folder Inbox. When this option is disabled the folders Sent, Draft and Trash are on the same level as the folder Inbox. When you change the option "Alternative namespace" after the creation of the mailboxes, the Webmailer will show up a error in the following form: "Query: CREATE "INBOX.Sent" and "Reason Given: Invalid mailbox name". The name of the folder can vary.
In order to accomplish NTLM-Authorization with an imported group, this group must be a global group on the AD-Server and must be the primary group of the user.
It is not possible to use VPN connections with asymmetric routes if the system is both a router and an IPSec gateway.
This is because IPSec accumulates a checksum of the IP header contents. With asymmetric routing, the IP addresses of the links - over which the data is transmitted and received - do not correspond.
It is not possible to establish multiple IPSec connections for the same networks and the same two security gateways. This is due to how OpenSWAN works internally (keyword "eroutes". Those having trouble with OpenSWAN know what is meant here; a deeper analysis would go beyond the scope of these release notes).
You can set up a GRE-tunnel over the IPSec-tunnel to bypass this problem.
The encryption algorhithm SHA2 is used in VPN tunnels. In kernel 2.6 this encryption method causes errors in the service OpenSwan and the VPN tunnel crashs. For that reason this method can't be chosen for VPN links on Collax Server until it is fixed. As an alternativ the method SHA1 can be chosen. Please note that the encryption method needs to be changed and the other VPN gateway modified. The upgrade will choose SHA1 if SHA2 was setup before.
The base DN of the LDAP directory cannot be changed retroactively through the GUI. The reason for this is that not all directory data can be rebuilt from the configuration.
Although data is lost, the easier way is to delete the files in the "/var/lib/openldap/openldap-data" directory, and then recreate the directory.
To achieve that, proceed as follows:
Log on to the system as "root" .
Stop the LDAP server. You can do this either through the GUI (System -> Services) or with the "/etc/init.d/openldap stop" command.
Use "cd /var/lib/openldap/openldap-data" to change to to the database directory of the LDAP server. Verify that you are in the right path with the "pwd" command.
Delete all files in the directory with "rm *.bdb" .
Change the base DN of the directory in the GUI.
Activate the changes. You will get an array of error messages explaining that data cannot be written into the LDAP directory. When the activation is completed, the LDAP server should restart with the changed configuration.
Execute the "/usr/lib/akconfig/scripts/ldif.gen config" command to transfer the data from the system configuration into the LDAP directory.
Beware: all passwords of all users will be lost after having changed the base DN. You have to enter them again via the Admin GUI.
If a transparent web proxy is activated and the Antivir Web virus scanner is activated together with the "Show download status" option, the download no longer works properly. The download progress is displayed but does not change; after a short while, the browser displays an error message indicating that antivir.webgate cannot be found. To make the download work with the progress bar, enter the proxy in the client or disable the "Show download status" option.
After updating OXtender to version 4.2.19 when creating an appointment the created appointment is correctly displayed in creators calendar but is shifted two hours ahead in other participants' calendar.
Solution: Install OXtender 4.2.19 on one of your Windows workstations and copy the "zoneinfo" subdirectory to: C:\Programs\OPEN-XCHANGE\OXlook to the workstations where "zoneinfo" is missing.