With the release of Kopano Core 8.2.0 we are continuing our efforts to deliver a solid and very well performing foundation for the Kopano product suite.
The 8.2.0 release contains a number of larger changes. Please read this release announcement carefully, since it contains important information for upgrading to this latest major version.
Extended and enforced SSL hostname verification
With Kopano Core 8.2.0, we have made the decision to enforce SSL subject name verification. As a result, Kopano clients refuse to connect to Kopano services via SSL if the hostname(s)/address(es) in the certificate do not match the name or address the client connects to. Enforcing this behaviour is new to Kopano Core; the decision was made to ensure proper SSL authentication and to disallow any certificate identification mismatches, protecting against potential man-in-the-middle (MITM) attacks.
This change matches the industry-standard behaviour of SSL-based services in general. It may, however, require changes to certificates and configuration to continue operation, if these have not been configured correctly in the past. Server certificates need to contain the hostnames and/or IP addresses by which any client wants to contact them, usually as subjectAltName, or (deprecated practice) as CN.
Please take note of the following recommended changes of settings:
- For multi-server environments, please make sure the attribute ipHostNumber (attribute configuration via ldap_server_address_attribute) has the name or address from the SSL certificate.
- For any server_socket definition in /etc/kopano/*.cfg, please make sure to use a name/address matching the SSL certificate.
- Please make sure that any scripts pointing to an SSL socket follow the same, otherwise requests made from these clients will be blocked. Alternatively, we suggest for any script to use the default: socket, which is the default for kopano-shipped scripts.
Again, please note that this change in behavior affects all connections of any Kopano client (that is: any client connecting to the Kopano server socket). Unfortunately we have not been able to make these changes configurable, but we have decided to change this default behavior with this release to ensure data security for any environment.
We have also updated the Kopano Administrator Manual to show you how to generate SSL certificates with hostnames.
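As a pre-upgrade check for the settings listed above, the following added example (not Kopano code, and not taken from the Administrator Manual) tests whether each https server_socket value is covered by a certificate's subjectAltName entries, with CN used only as the deprecated fallback. The matching rules approximate common hostname verification rather than Kopano's exact implementation, and the certificate, hostnames and port are constructed sample values.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the dict layout of ssl.SSLSocket.getpeercert();
# not a real Kopano certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "kopano1.example.com"),),),
    "subjectAltName": (("DNS", "kopano1.example.com"), ("DNS", "*.mail.example.com"),
                       ("IP Address", "192.0.2.10")),
}
# Constructed server_socket lines in the style of /etc/kopano/*.cfg.
SAMPLE_CFG = """\
server_socket = https://kopano1.example.com:237/
server_socket = https://192.0.2.10:237/
server_socket = https://node2.mail.example.com:237/
server_socket = https://localhost:237/
server_socket = default:
"""

def cert_names(cert):
    """Return (dns_names, ip_addresses) the certificate is valid for."""
    san = cert.get("subjectAltName", ())
    dns = [v.lower() for k, v in san if k == "DNS"]
    ips = [ipaddress.ip_address(v) for k, v in san if k == "IP Address"]
    if not dns and not ips:  # deprecated fallback: CN only when no SAN entry exists
        dns = [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return dns, ips

def host_matches(host, cert):
    """True if host (name or IP literal) is covered by the certificate."""
    dns, ips = cert_names(cert)
    try:
        return ipaddress.ip_address(host) in ips  # IP literals must match exactly
    except ValueError:
        host = host.lower().rstrip(".")
    # Exact name, or a wildcard covering exactly one left-most label.
    return any(p == host or (p.startswith("*.") and host.partition(".")[2] == p[2:])
               for p in dns)

def check_sockets(cfg_text, cert):
    """Map each https server_socket value to True/False; other sockets are skipped."""
    result = {}
    for line in cfg_text.splitlines():
        key, _, value = (part.strip() for part in line.partition("="))
        if key == "server_socket" and urlsplit(value).scheme == "https":
            result[value] = host_matches(urlsplit(value).hostname, cert)
    return result
```

Any entry that maps to False (here the localhost socket) names a host the certificate does not cover, so clients using that value would be rejected after the upgrade.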
Streamlined and clean LDAP configuration file layout
The release of 8.2 includes a streamlined LDAP configuration file layout which allows easier future updates to the LDAP configuration by our packaging mechanism. This implementation was made as flexible as possible, meaning all configuration settings in /etc/kopano are able to override the default settings available under /usr/share/kopano/. That change allows the introduction of new LDAP schema configuration directives, while at the same time keeping the intended overridden settings from /etc/kopano available and unchanged for future updates without the need to merge changes for every update in the LDAP configuration files manually.
Effectively, the changes with Kopano Core 8.2 provide the default LDAP configuration files in /usr/share/kopano/ldap.active-directory.cfg, /usr/share/kopano/ldap.openldap.cfg and /usr/share/kopano/ldap.propmap.cfg with an example configuration of the new ldap.cfg at /usr/share/doc/packages/kopano/example-config/ldap.cfg. With this new structure you can include the intended backend quite easily by maintaining only the major attributes such as ldap_{host,port,protocol}/ldap_uri, ldap_bind_user, ldap_bind_passwd and keeping custom attributes there, which override the default options under /usr/share/kopano.
New PST & IMAP Migration Toolset
Kopano 8.2 ships two new utilities: kopano-migration-pst and kopano-migration-imap for migration from PST files and IMAP mailboxes. PST migration can now be done directly on the Kopano Core system, which makes transferring data from PST files to Kopano very fast. kopano-migration-imap is based on imapsync, and is a utility for easily migrating from almost any IMAP server to Kopano.
A lot more…
Kopano Core 8.2 introduces support for Python 3 (experimental), OpenSSL 1.1 and gSOAP 2.8.39. Next to that, we have improved PHP 7 support and recommend Kopano Core 8.2 when using PHP 7.
As usual, every release of Kopano Core receives bug fixes and improvements for many areas, the most prominent ones being:
- It is now also possible to utilize a whitelist of domains which can be used to allow forwarding rules only to a trusted list of domains.
- Support for AWS4-HMAC-SHA256, enabling the most recent attachment backend authentication scheme with Minio, OpenStack Swift and S3, allowing the highest available security standard for the S3-based protocol.
- Kopano Backup has received numerous enhancements, such as to deal with broken ACLs, rules and delegates.
For a full overview of the changes, please refer to the changelog.
On the road to final
Until final (which is planned to be released end of December/beginning of January) we are going to introduce support for SLES 12 SP2, which is then also new in combination with PHP 7. Next to that, we are extending documentation to cover all the aspects of the upcoming Kopano Core 8.2 release.
We are really looking forward to your feedback on this version as this will help us further improve and adapt Kopano Core to fit the required needs best. Let us know what you think by sending an email to feedback@kopano.com.
Where do I get the packages?
The packages can be found in the repositories, the portal and the download server (all require login). You can find the latest development version of Kopano Core on the community download site. The changelog can be found here, alongside the documentation.