As the name implies, Kopano Core sits at the heart of every Kopano environment and is therefore key to our promise to deliver stability and extensibility of Kopano’s proven communication platform. In version 8.2 we introduce improvements to SSL hostname verification, LDAP configuration organisation and migration tools, along with many more enhancements. Please read this release announcement carefully, since it contains important information for upgrading to this latest major version.
Extended and enforced SSL hostname verification
With Kopano Core 8.2.0, we have made the decision to enforce SSL subject name verification. As a result, Kopano clients refuse to connect to Kopano services via SSL if the hostname(s)/address(es) represented in the certificate do not match the name or address the client connects to. The decision to enforce this behaviour is new to Kopano Core and has been made to ensure proper SSL authentication and therefore disallow any potential certificate identification mismatches, protecting from potential man-in-the-middle (MITM) attacks.
This change matches the industry-standard behaviour of SSL-based services in general. It may, however, require changes to certificates and configuration to continue operation, if these have not already been configured correctly in the past. Server certificates need to contain the hostnames and/or IP addresses by which any client wants to contact them, usually as subjectAltName, or (deprecated practice) as CN.
Please take note of the following recommended changes of settings:
- For multi-server environments, please make sure the attribute ipHostNumber (attribute configuration via ldap_server_address_attribute) has the name or address from the SSL certificate.
- For any server_socket definition in /etc/kopano/*.cfg, please make sure to use a name/address matching the SSL certificate.
Please make sure that any scripts pointing to an SSL socket follow the same rule, otherwise requests made from these clients will be blocked. Alternatively, we suggest that any script use the default: socket, which is the default for Kopano-shipped scripts.
Again, please note that this change in behaviour affects all connections of any Kopano client (that is: any client connecting to the Kopano server socket). Unfortunately we don’t see a way to make these changes configurable and ensure data security for any environment at the same time. This is also the reason why we have decided to introduce this new default behaviour with a new major release.
We have also updated the Kopano Administrator Manual to show you how to generate SSL certificates with hostnames.
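A pre-upgrade check for the requirement above, as an added example that is not Kopano's own code: it lists the https server_socket hosts that a verifying client would reject for a given certificate. The matching rules (wildcard only as the leftmost label, CN consulted only when no DNS subjectAltName exists) follow common RFC 6125 practice and are an assumption, and all hostnames, addresses and config values are constructed samples.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: certificate names in the dict shape returned by
# ssl.SSLSocket.getpeercert(); hostnames and addresses are placeholders.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "*.node.example.com"),
                       ("IP Address", "192.0.2.10")),
}
# Constructed sample of server_socket lines as they might appear in /etc/kopano/*.cfg.
SAMPLE_CFG = """\
server_socket = https://mail.example.com:237/
server_socket = https://192.0.2.11:237/
server_socket = https://a.b.node.example.com:237/
server_socket = https://n1.node.example.com:237/
server_socket = file:///var/run/kopano/server.sock
server_socket = default:
"""

def dns_match(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def cert_covers(cert, host):
    """True if the certificate names the host or IP address a client connects to."""
    sans = cert.get("subjectAltName", ())
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:  # IP literals match only IP entries, never DNS ones
        return any(k == "IP Address" and ipaddress.ip_address(v) == addr for k, v in sans)
    dns = [v for k, v in sans if k == "DNS"]
    if not dns:  # deprecated fallback (assumed rule): CN only when no DNS SAN exists
        dns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(dns_match(p, host) for p in dns)

def audit(cfg_text, cert):
    """Return server_socket hosts that a verifying client would reject."""
    rejected = []
    for value in re.findall(r"^[ \t]*server_socket[ \t]*=[ \t]*(\S+)", cfg_text, re.M):
        url = urlsplit(value)  # file:// and default: sockets involve no certificate
        if url.scheme == "https" and not cert_covers(cert, url.hostname):
            rejected.append(url.hostname)
    return rejected
```

For the sample input, the mismatched IP address and the two-label-deep name under the wildcard are the entries reported.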
Streamlined and clean LDAP configuration file layout
The release of 8.2 includes a streamlined LDAP configuration file layout, which allows easier future updates to the LDAP configuration by our packaging mechanism. This implementation was made as flexible as possible, meaning all configuration settings in /etc/kopano are able to override the default settings available under /usr/share/kopano/. This change allows the introduction of new LDAP schema configuration directives, while at the same time keeping the intended overridden settings from /etc/kopano available and unchanged for future updates, without the need to manually merge changes into the LDAP configuration files for every update. Additionally, this also means that you can continue to use your current LDAP configuration.
Effectively, the changes with Kopano Core 8.2 provide the default LDAP configuration files in /usr/share/kopano/ldap.active-directory.cfg, /usr/share/kopano/ldap.openldap.cfg and /usr/share/kopano/ldap.propmap.cfg, with an example configuration of the new ldap.cfg at /usr/share/doc/packages/kopano/example-config/ldap.cfg. With this new structure you are able to include the intended backend quite easily by maintaining only the major attributes such as ldap_{host,port,protocol}/ldap_uri, ldap_bind_user and ldap_bind_passwd, and keeping custom attributes in there, which override the default options under /usr/share/kopano.
New PST & IMAP Migration Toolset
Kopano 8.2 ships two new utilities, kopano-migration-pst and kopano-migration-imap, for migration from PST files and IMAP mailboxes. PST migration can now be performed directly on the Kopano Core system, which makes transporting data from PST files to Kopano very fast. kopano-migration-imap is based on imapsync, and is a utility for easily migrating from almost any IMAP server to Kopano.
A lot more…
Kopano Core 8.2 introduces support for Python 3 (experimental), OpenSSL 1.1 and gSOAP 2.8.39. In addition, we have improved PHP 7 support and recommend Kopano Core 8.2 when using PHP 7.
As usual, every release of Kopano Core receives bug fixes and improvements for many areas, the most prominent ones being:
- Kopano Search has been updated to allow recursive searches in shared stores. This requires a small update of the search data, which can be performed by executing kopano-search-upgrade-findroots.py.
- It is now also possible to configure a whitelist of domains, so that forwarding rules are only allowed to a trusted list of domains.
- Support for AWS4-HMAC-SHA256, enabling the most recent attachment backend authentication scheme with Minio, OpenStack Swift and S3, allowing the highest available security standard for the S3-based protocol.
- Kopano Backup has received numerous enhancements, such as to deal with broken ACLs, rules and delegates.
For a full overview of the changes, please refer to the changelog.
What has changed?
Since beta 1 we have introduced some sanitation fixes for issues which we and beta testers have come across since the release of beta 1, for example with the new PST-based import utility as well as with handling attachments in certain scenarios.
On the road to final
We are not planning any further enhancements in this release of Kopano Core 8.2. This allows us to release faster, since we are a bit behind our intended release schedule. Work on Kopano Core 8.3 has already started in the background, which means we are in general heading towards a faster release cycle for Kopano Core as well.
We are really looking forward to your feedback on this version as this will help us further improve and adapt Kopano Core to fit the required needs best. Let us know what you think by sending an email to , or posting over at our new Kopano Forum.
Where do I get the packages?
The packages can be found in the repositories, the portal and the download server (all require login). You can find the latest development version of Kopano Core on the community download site. The general changelog can be found alongside the documentation.