As the name implies, Kopano Core sits at the heart of every Kopano environment and is therefore a key part of our promise to deliver stability and extensibility of Kopano’s proven communication platform. In version 8.2 we introduce improvements to SSL hostname verification, LDAP configuration organisation, migration tools and many more enhancements. Please read this release announcement carefully, since it contains important information for upgrading to this latest major version.
Extended and enforced SSL hostname verification
With Kopano Core 8.2.0, we have decided to enforce SSL subject name verification. As a result, Kopano clients refuse to connect to Kopano services via SSL if the hostname(s)/address(es) represented in the certificate do not match the name or address the client connects to. Enforcing this behaviour is new to Kopano Core; the decision has been made to ensure proper SSL authentication and to rule out certificate identification mismatches, protecting against potential man-in-the-middle (MITM) attacks.
This change matches the industry-standard behaviour of SSL-based services in general. It may, however, require changes to certificates and configuration to continue operation if these have not been set up correctly in the past. Server certificates need to contain the hostnames and/or IP addresses by which any client wants to contact them, usually as subjectAltName, or (deprecated practice) as CN.
Please take note of the following recommended changes of settings:
- For multi-server environments, please make sure the attribute ipHostNumber (attribute configuration via ldap_server_address_attribute) has the name or address from the SSL certificate.
- For any server_socket definition in /etc/kopano/*.cfg, please make sure to use a name/address matching the SSL certificate.
Please make sure that any scripts pointing to an SSL socket follow the same rule; otherwise requests made from these clients will be blocked. Alternatively, we suggest that scripts use the default: socket, which is the default for Kopano-shipped scripts.
Again, please note that this change in behaviour affects all connections of any Kopano client (that is: any client connecting to the Kopano server socket). Unfortunately we don’t see a way to make these changes configurable and ensure data security for any environment at the same time. This is also the reason why we have decided to introduce this new default behaviour with a new major release.
We have also updated the Kopano Administrator Manual to show you how to generate SSL certificates with hostnames.
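A pre-upgrade check for the server_socket recommendation above, as an added example (not Kopano code): it scans a Kopano-style configuration for https server_socket values and reports those that no subjectAltName entry covers. The function names, the sample configuration and the SAN list are constructed for illustration, and the matching rule is the common hostname-matching convention (exact name, single-label wildcard, exact IP), assumed here rather than taken from Kopano's implementation.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample configuration and SAN entries (type, value); not real data.
SAMPLE_CFG = """\
# constructed sample
server_socket = https://mail.example.com:237/kopano
server_socket = https://10.0.0.5:237/kopano
server_socket = https://kopano01:237/kopano
server_socket = file:///var/run/kopano/server.sock
server_socket = default:
"""
SAMPLE_SANS = [("DNS", "*.example.com"), ("IP", "10.0.0.6")]

def socket_host(value):
    """Host an https server_socket connects to; None for local (non-SSL) sockets."""
    parts = urlsplit(value.strip())
    return parts.hostname if parts.scheme == "https" else None

def host_matches(host, san_type, san_value):
    """True if one SAN entry covers host (assumed standard matching rules)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:  # IP literals only match IP entries, never DNS names
        return san_type == "IP" and ipaddress.ip_address(san_value) == ip
    if san_type != "DNS":
        return False
    host, pattern = host.lower().rstrip("."), san_value.lower().rstrip(".")
    if pattern.startswith("*."):  # wildcard covers exactly one leftmost label
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def check_config(cfg_text, sans):
    """Return [(line_no, host)] for server_socket entries no SAN entry covers."""
    problems = []
    for no, line in enumerate(cfg_text.splitlines(), 1):
        m = re.match(r"\s*server_socket\s*=\s*(\S+)", line)
        host = socket_host(m.group(1)) if m else None
        if host and not any(host_matches(host, t, v) for t, v in sans):
            problems.append((no, host))
    return problems

if __name__ == "__main__":
    for no, host in check_config(SAMPLE_CFG, SAMPLE_SANS):
        print(f"line {no}: {host} is not covered by the certificate")
```

In the sample, the IP address and the short hostname are flagged: an address is only accepted when it appears as an IP entry, and a short name is not covered by a wildcard for the full domain.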
Streamlined and clean LDAP configuration file layout
The release of 8.2 includes a streamlined LDAP configuration file layout, which allows easier future updates to the LDAP configuration by our packaging mechanism. This implementation was made as flexible as possible, meaning all configuration settings in /etc/kopano are able to override the default settings available under /usr/share/kopano/. This change allows the introduction of new LDAP schema configuration directives, while keeping the settings you have overridden in /etc/kopano available and unchanged across future updates, without the need to manually merge changes into the LDAP configuration files on every update. Additionally, this also means that you can continue to use your current LDAP configuration.
Effectively, Kopano Core 8.2 provides the default LDAP configuration files in /usr/share/kopano/ldap.active-directory.cfg, /usr/share/kopano/ldap.openldap.cfg and /usr/share/kopano/ldap.propmap.cfg, with an example configuration of the new ldap.cfg at /usr/share/doc/packages/kopano/example-config/ldap.cfg. With this new structure you can include the intended backend quite easily by maintaining only the major attributes such as ldap_{host,port,protocol}/ldap_uri, ldap_bind_user and ldap_bind_passwd, and keeping any custom attributes in the same file, where they override the default options under /usr/share/kopano.
New PST & IMAP Migration Toolset
Kopano 8.2 ships two new utilities, kopano-migration-pst and kopano-migration-imap, for migration from PST files and IMAP mailboxes. PST migration can now be performed directly on the Kopano Core system, which makes transferring data from PST files to Kopano very fast. kopano-migration-imap is based on imapsync, and is a utility for easily migrating from almost any IMAP server to Kopano.
A lot more…
Kopano Core 8.2 introduces support for Python 3 (experimental), OpenSSL 1.1 and gSOAP 2.8.39. Next to that, we have improved PHP 7 support and recommend Kopano Core 8.2 when using PHP 7.
As usual, every release of Kopano Core receives bug fixes and improvements for many areas, the most prominent ones being:
- Kopano Search has been updated to allow recursive searches in shared stores. This requires a small update of the search data, which can be performed by executing kopano-search-upgrade-findroots.py.
- It is now also possible to define a whitelist of trusted domains, so that forwarding rules are only allowed to those domains.
- Support for AWS4-HMAC-SHA256, enabling the most recent attachment backend authentication scheme with Minio, OpenStack Swift and S3, and allowing the highest available security standard for the S3-based protocol.
- Kopano Backup has received numerous enhancements, such as handling of broken ACLs, rules and delegates.
For a full overview of the changes, please refer to the changelog.
Support for SLES 12 (SUSE Linux Enterprise Server) with SP2 and also PHP7
With this release we have also introduced support for SLES 12 SP2, both with PHP 5 and PHP 7, the latter available via the Web & Scripting Addon Repository from SUSE. Please note that we have slightly restructured the format of the repositories: there are now just two repositories for any SP level of SLES, named “SLE_12” and “SLE_12_PHP7”. “SLE_12_SP1” has vanished, and customers are asked to change the repository path of existing SLES 12 SP1 installations from “SLE_12_SP1” to “SLE_12”. This can easily be done with zypper, or directly by changing the corresponding paths under /etc/zypp/repos.d.
We are really looking forward to your feedback on this version as this will help us further improve and adapt Kopano Core to fit the required needs best. Let us know what you think by sending an email to , or posting over at our new Kopano Forum.
Where do I get the packages?
The packages can be found in the repositories, the portal and the download server (all require login). You can find the latest development version of Kopano Core on the community download site. The general changelog can be found alongside the documentation.