Dear Caldera Customer,
This Cover Letter describes Volution Messaging Server Maintenance Pack 1.1.0
which is intended for use with Caldera Volution Messaging Server 1.0.0.
Maintenance Pack 1.1.0 contains several security and functionality
improvements (as described in section IV "Problems Fixed" below), and
it is recommended for all Volution Messaging Server installations.
Maintenance Pack 1.1.0 also includes the contents of Maintenance Pack
1.0.1 and 1.0.2. If you have not already installed the earlier Maintenance
Packs, it is not necessary to do so before installing Maintenance Pack 1.1.0.
------------------------------------------------------------------------
I. Software Notes and Recommendations
1. Maintenance Pack 1.1.0 should only be applied to systems running the
Volution Messaging Server 1.0.0 with or without Maintenance Pack 1.0.1
or 1.0.2.
2. You should not remove any previous Maintenance Packs prior to installing
this release of the Maintenance Pack.
3. Maintenance Pack 1.1.0 should only be installed on the following base
systems:
Open UNIX 8 Release 8.0.0 with LKP or
Caldera OpenLinux Server 3.1 or 3.1.1
4. Always ensure you have a full system backup prior to installing any new
software on your system.
5. Do not install any Volution Messaging Server components that do not come
directly from Caldera or you may disable your system or cause
unrecoverable failures.
Caldera has modified the open source components of VMS; replacing them with
components directly from the original vendor is not supported. This includes:
Postfix
Cyrus
OpenLDAP
Horde/IMP
If you have questions regarding this supplement, or the product on which it
is installed, please contact your support representative or your software
supplier.
------------------------------------------------------------------------
II. Installation Instructions
There are different installation procedures depending on your platform:
A. OpenLinux 3.1.x
B. Open UNIX 8
A. For installation on an OpenLinux 3.1.x system:
1. Download the file below to the /tmp directory on your machine.
volutionmsg-mpack-1.1.0.tar.gz
2. Add the update to your system using these commands as root user:
# cd /tmp
# gunzip volutionmsg-mpack-1.1.0.tar.gz
# tar -xvf volutionmsg-mpack-1.1.0.tar
# cd volutionmsg-mpack-1.1.0
# ./install.sh
B. For installation on an Open UNIX 8 system:
1. Download the file below to the /tmp directory on your machine.
volutionmsg-mpack-1.1.0.tar.gz
2. Switch to the LKP environment by entering this command:
# linux
3. Add the update to your system using these commands:
# cd /tmp
# gunzip volutionmsg-mpack-1.1.0.tar.gz
# tar -xvf volutionmsg-mpack-1.1.0.tar
# cd volutionmsg-mpack-1.1.0
# ./install.sh
-------------------------------------------------------------------------
III. Removal Instructions
Maintenance Pack 1.1.0 cannot be removed from a Messaging Server system.
To return to an earlier version, you must completely remove and reinstall
the Messaging Server product.
-------------------------------------------------------------------------
IV. Problems Fixed
A. Fixes previously from Maintenance Pack 1.0.1 (mpack1):
1. New Postfix 1.1.3. The new Postfix RPM addresses a vulnerability by which
a remote attacker could cause a DoS (Denial of Service) condition on the
server. The SMTP session log could grow to an unreasonable size and
possibly exhaust the server's memory if no other limits were in place.
The new Postfix 1.1.3 also complies with RFC 2821, which provides
extensions to the SMTP protocol. Many other RFCs are supported as
well; see www.postfix.org for more information.
2. New "InstallShield" installation for the client configuration includes:
Outlook Com-Addin should not be installed if already present.
fz519865
3. Error while entering European characters in descriptive fields.
4. Volution menu showing up twice, Outlook exits with an error.
5. The symbol "@" should not be a valid uid character.
6. Need new field validation based on LDAP schema restrictions for each
field.
7. Client links for preferences should use the preferences login url.
8. The uninstall script asks for "yes or no"; if you type "y" it assumes
"no".
519216
9. Client setup displays incorrect Server Name value $_HOST ambiguous.
10. The utilities user/password.php and admin/userchpasswd.php allow null
password.
11. The command msguserpw returns errors when setting password of user with
null password (although it works).
12. Can't remove members of alias as user or as admin, problem with
msgaliasremove --mail and/or --domain.
13. Can't view full e-mail address of members on alias list.
14. The file mailboxes.db is never backed-up.
15. Registry path incorrect for Outlook XP autoconfig key removal.
16. Detection of Outlook version fails on international platforms.
17. Add option for SSL configuration.
18. Remove users login/passwd from Free/busy config - security issue.
19. Cannot shut off vacation message.
20. Set message type to work with IMP.
21. Replace Outlook XP free/busy ftp with WebDAV to fix Outlook bug.
22. Search facility not working for users or aliases.
23. Phone numbers are more restrictive, get charset from backend.
24. The alias view screen doesn't display membership value open or
restricted.
25. The alias modify screen is missing field labels.
26. The file aliasnonesuch.php is missing from user directory.
27. Have to go through confusing wizard to post free/busy.
28. Default SSL certificate doesn't work for IE.
29. Errors on entering * in search field.
30. Need a link when stopping or starting mail.
31. Cyrus Start Stop script doesn't stop all current IMAP processes.
32. Outlook XP can now publish and retrieve free/busy data. The Client
Configuration Tool now configures the Web Publishing Wizard and WebDAV to
publish free/busy data for Outlook 2000 and Outlook XP, respectively.
/etc/httpd/httpd.conf is modified to enable WebDAV for the pub/calendar
directory using Apache and to protect the directory with the user's LDAP
username and password.
The uid of the ftp anonymous user account is also changed to be the same
as the httpd user's uid. This allows files in /home/ftp/pub to be
accessed by LDAP (non-system) users using either httpd or ftp (this is
necessary to support all Outlook free/busy implementations). Web server
security is maintained because these users can only access files within
the chroot'd ftp jail.
33. It is no longer necessary to enter the email login and password in the
free/busy publication URL. The user simply enables free/busy publication
by checking the "Publish My Free/Busy" data checkbox as documented. When
Outlook publishes the free/busy data for the first time it will prompt
the user for their email login and password. At this time the user can
choose the option to have Windows remember their email login and password
so that they will not need to enter it again unless they change their
password.
Due to limitations with Outlook98, it is still necessary to enter the
user's email login and password in the free/busy publication URL.
34. The default Mail Format is set to Plain Text for compatibility with IMP
web mail client.
35. Postfix relaying and the Name Service Caching Daemon. The maintenance
pack disables the Name Service Caching Daemon (nscd), which is enabled by
default on OpenLinux 3.1.1. This software is incompatible with the
standard client verification checks done by Postfix, rendering the default
Postfix relaying checks vulnerable to forged PTR records.
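Added example (not part of Caldera's cover letter or of the Maintenance Pack):
a forward-confirmed reverse DNS check, assumed here to be the kind of client
verification item 35 refers to, showing why a hostname taken from a PTR record
alone cannot be trusted for relay decisions. The resolver functions, the relay
policy and all addresses and hostnames are constructed for illustration.

```python
# Added illustration; every address and hostname below is constructed.
# Reverse (PTR) data is published by whoever controls the IP block, so a
# remote party can make its own address claim any hostname it likes.
CONSTRUCTED_PTR = {
    "192.0.2.10": "mail.example.com.",     # genuine mail host
    "203.0.113.66": "MAIL.example.com",    # forged PTR claiming a trusted name
    "203.0.113.67": "gone.example.com",    # PTR whose name has no A record
}
# Forward (A) data is published by the owner of the name itself.
CONSTRUCTED_A = {"mail.example.com": ["192.0.2.10"]}


def lookup_ptr(ip):
    """Stand-in for a PTR query; returns None when no record exists."""
    return CONSTRUCTED_PTR.get(ip)


def lookup_a(name):
    """Stand-in for an A query; returns a list of addresses."""
    return CONSTRUCTED_A.get(name, [])


def normalise(name):
    """Compare DNS names without the trailing dot and case differences."""
    return name.rstrip(".").lower()


def verified_client_name(ip, ptr=lookup_ptr, fwd=lookup_a):
    """Return the PTR name only if its A records map back to the same IP."""
    raw = ptr(ip)
    if raw is None:
        return "unknown"
    name = normalise(raw)
    return name if ip in fwd(name) else "unknown"


def may_relay(ip, trusted_domain, confirm_forward=True):
    """Relay decision keyed on the client's hostname (hypothetical policy)."""
    if confirm_forward:
        name = verified_client_name(ip)
    else:  # weak variant: believe the PTR record as-is
        name = normalise(lookup_ptr(ip) or "unknown")
    domain = normalise(trusted_domain)
    return name == domain or name.endswith("." + domain)


if __name__ == "__main__":
    for ip in sorted(CONSTRUCTED_PTR):
        print(ip, verified_client_name(ip),
              may_relay(ip, "example.com", False), may_relay(ip, "example.com"))
```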
B. Fixes previously from Maintenance Pack 1.0.2 (mpack2):
36. Security fix for IMP. The new Horde and IMP RPMs fix a potential IMP
vulnerability that could allow session hijacking through a cross-site
scripting attack.
37. Security fix for Cyrus SASL (used by Cyrus IMAP). The Cyrus SASL
library provides an authentication API for mail clients and servers.
The new cyrus-sasl RPM included in this update fixes a format bug
in one of the logging functions, which could be used by an attacker
to gain access to a machine or to acquire higher privileges.
38. Security fix for ftp. Volution Messaging Server 1.0.0 incorrectly
configured ftp to ignore the /etc/ftpusers file; this has been fixed.
39. Virus scanning support (using the msgvscan(8) utility) for commercial
virus scanners (such as Sophos Sweep and CA InoculateIT) has been
fixed to properly decode MIME messages before calling the scanner.
40. An updated msgimpsetup(8) utility adds an LDAP address book to Horde
if it is not already there; if it is already there, it will rewrite
it with current information.
41. Windows client support for one-button installation on non-English
clients. Windows 95 and Windows NT 4 installation now also works
correctly.
42. In some cases, the security fixes are merely an update to the latest
version of their respective open source technologies.
43. Some Messaging Server configuration utilities are updated as part of this
update to conform to the changes in the updated RPMs.
The following RPMs are part of this update:
cyrus-sasl-1.5.24-2
horde-1.2.7-1
imp-2.2.7-1
C. New in Maintenance Pack 1.1.0 (mpack3)
44. Upgrade detection, supporting both full product and update installation.
45. Optional non-graphical installation.
46. Integration with Steltor CorporateTime, providing global address books
and web calendaring.
47. Default POP-Before-SMTP support with the Dynamic Relay Authentication
Control (DRAC) server.
48. Single-byte internationalization (UTF-8).
49. Graphical and command line interface support for French, German, and
Spanish.
50. Enhanced graphical administration for junk mail filtering, user quotas
and mail forwarding.
51. Improved graphical administration for alias management.
52. More extensive administrative control of user privileges.
53. Ability to change default domain name.
54. Utilities to migrate existing IMAP mailboxes to Messaging Server and
migrate a Messaging Server LDAP directory to iPlanet.
55. After client setup, the free/busy URL information was not added to
Outlook98.
518973
56. When clicking shutdown system now in LKP OMS install does not work.
518966
57. Inconsistency in wording of config tool for Outlook.
518974
58. Button Icons do not look correct for web client setup interface.
518984
59. Adding an alias as ADMIN and assigning an owner with a different ID and
email address (such as daniel and danielg@) resulted in the error "bad owner".
519215
60. A normal user is never allowed to add an outside address.
521222
61. You can't have both aliases file and LDAP aliases.
521233
62. Need a fallback mechanism in the GUI for the case where no doc exists for
the GUI language.
521077
63. Install does not properly handle PHP if the PHP security update is installed.
521111
64. Text installer (install.sh -c) gives error about lkp_master.
521112
65. Add Steltor integration to msguserlistall.
521114
66. Strings with embedded quotes get truncated when values are used in HTML
attributes.
521127
67. Adding an alias with the same mail as a user results in blank error
screen.
521169
68. The command msgvscan reports errors in /var/log/mail.
521253
69. The command msgcalendarlistnodes produces wrong output format for GUI.
521300
70. Admin user shows up as a normal user in web gui.
521393
-------------------------------------------------------------------------
V. Contents
install.sh (run this script to install the update)
postfix-1.1.3-1.i586.rpm
volutionmsg-1.1.0-1.i586.rpm
Files changed since volutionmsg-1.0.0:
Whole directories updated:
/opt/lsb-caldera.com-volution/msg/bin 42 files.
/opt/lsb-caldera.com-volution/msg/webgui 524 files.
(Above are total number of files in the directories, not the
file modified counts. Most have changed, however.)
Individual files updated:
/etc/ldap/schema/msg.schema
/var/opt/lsb-caldera.com-volution/msgconfigscript
/etc/opt/lsb-caldera.com-volution/msg/msg.conf
/etc/httpd/httpd.conf
/etc/rc.d/init.d/cyrus
New files:
/opt/lsb-caldera.com-volution/msg/bin/msgutil.msg - msg cat src
/opt/lsb-caldera.com-volution/msg/bin/msgutil.cat - msg catalog
/home/ftp/pub/clientconfig/setup.exe (replaces 3 files below)
/usr/lib/apache/mod_auth_ldap
Files removed
/home/ftp/pub/clientconfig/msgaddin.cab
/home/ftp/pub/clientconfig/setup.exe
/home/ftp/pub/clientconfig/setup.lst
Two new perl modules:
Locale::msgcat - XPG4 message catalogs for perl.
/usr/lib/perl5/site-perl/i386-linux/Locale/Msgcat.pm
/usr/lib/perl5/site-perl/i386-linux/auto/Locale/Msgcat/Msgcat.bs
/usr/lib/perl5/site-perl/i386-linux/auto/Locale/Msgcat/Msgcat.so
/usr/share/perl5/man/man3/Locale::Msgcat.3
Text::Iconv - allows perl to call the system iconv() routine directly
& converts from one character set to another.
/usr/lib/perl5/site-perl/i386-linux/Text/Iconv.pm
/usr/lib/perl5/site-perl/i386-linux/auto/Text/Iconv/Iconv.bs
/usr/lib/perl5/site-perl/i386-linux/auto/Text/Iconv/Iconv.so
/usr/lib/perl5/site-perl/i386-linux/auto/Text/Iconv/autosplit.ix
/usr/share/perl5/man/man3/Text::Iconv.3
NOTES: On 3.1.1 the Locale::msgcat module already exists.
On 3.1 both of the above modules are needed.
These are not uninstalled as part of VMS removal.
From Maintenance Pack 1.0.1:
cyrus-sasl-1.5.24-2-i586.rpm
horde-1.2.7-1.i3876.rpm (needed for updated imp)
imp-2.2.7-1.i386.rpm
-------------------------------------------------------------------------