2034 (2.4.5005)

The internal architecture of the REDDOXX appliance was completely changed. All applications on the appliance are now implemented as microservices based on .NET.

The user interfaces were also completely renewed, the web app is now based on Vue.JS and has been developed with the latest technology.

Along with the change of the Web App, we have also revised the native user interfaces such as the Outlook Plugin and the Windows User GUI, which we will make available as Electron App in the future.
The great advantage of these Electron Apps is that the Web App is integrated natively.
In concrete terms, this means that the user interface will look identical everywhere in the future and changes will be immediately visible in all apps after an update, without having to install a new Outlook plugin, for example.

Due to time constraints, the administration interface was implemented with the previous framework and therefore looks the same as you already know it.

New operating system, Ubuntu 18.04 LTS
Storages: When adding NFS storages, the NFS version can be selected, V2, V3, V4 and V4.1 are supported.
Storages: When adding CIFS storages, the SMB version can be selected, V2, V2.1 and V3 are supported.
In the HTTPS settings the allowed TLS versions can be defined, a minimum and a maximum version can be configured.
In the administration interface there is now a notification centre.

New, responsive web access
New Outlook plugin
New Windows user GUI (REDDOXX Desktop)
User interfaces now have a light and dark mode
Extended search in MailDepot can be created with any number of AND/OR query groups
Outgoing queue has been removed from the user interfaces

The SMTP transport has been fundamentally revised:

Integration SPF
Integration DKIM
Integration DMARC
New TLS settings: In addition to StartTLS, SMTPS and the protocol version can now also be defined.
New TLS settings: Different certificates can be used for recipient domains via rule sets
Integration mTLS
New transport rules: Routing can no longer be based only on the domain, but also for individual email addresses
Allow outgoing e-mails from Microsoft 365 only DKIM-signed
If the appliance is to transport e-mails from Microsoft 365, it acts as a relay for *mail.protection.outlook.com. The result is that theoretically all users who have an account with Microsoft 365 can send e-mails via the appliance. To prevent this, you can now activate that the appliance only transports outgoing e-mails if they are DKIM-signed. Provided you have set the DNS entry for your domain correctly, the appliance will now only transport outgoing e-mails for your mail domain(s). This function concerns outgoing e-mail traffic so that your appliance cannot be misused as an open relay. Of course, you can still receive e-mails from Microsoft 365 users, even if they do not use a DKIM signature.
Fail2Ban: After 5 failed SMTP authentication attempts, the IP address of the remote peer is blacklisted for 24 hours, after which connection attempts are no longer possible.

New live log with improved filter options
Log files can be filtered by date, time and service.
Additional filtering via Message-ID, which in future will make it possible to display the complete mail processing process with one click
Log files can be automatically zipped before being stored on a file share

New metrics: Provision of telemetry data as a managed service by REDDOXX

New LDAP connection: New synchronisation of users from the Active Directory
New LDAP connection: Synchronisation of groups from the Active Directory
New LDAP connection: Synchronisation of e-mail activated public folders for automatic creation of access authorisations to these e-mail addresses
New LDAP connection: Synchronisation of users with linked mailboxes (Remote User Mailbox) from hybrid environments
E-mail addresses of e-mail-enabled public folders are automatically offered to authorised users for selection in archive searches
E-mail addresses of shared mailboxes are automatically offered to authorised users for selection during archive searches.
E-mail addresses of distribution groups are automatically offered to authorised users for selection during archive searches.
A default realm can be selected, which is then automatically preset during user logon.
A second LDAP server can be specified (backup server) if, for example, several domain controllers are in use.

Extended settings in the virus scanner: Encrypted archives and phishing URLs can each be blocked
Obsolete filter methods have been removed
In future, the negative filters will always have quarantine as an action, tagging in the subject is no longer possible.
In the spam quarantine, images are initially deactivated for security reasons, but can be reloaded as in the mail client.

The search speed has been increased significantly
The categories have been completely reworked, the search in categories is now also much faster
The advanced search now allows complex search queries with AND/OR groups
Extended MailDepot policies: Policies can now be controlled on the basis of the mail source, whereby e-mails can be treated differently if they were archived via a MailDepot Connector, for example.
SMTP connector: In the TLS settings the desired mode and protocol version can now be configured
More than 32 data containers can now be mounted at the same time (however, more containers have an effect on the search speed)

Integration of OpenPGP
Automatic creation of OpenPGP certificates if none are available for the user's e-mail address.
Integration of REDDCRYPT
In the policies it can be set that calendar invitations should not be signed and encrypted
The MailSealer Light has been removed

The following problems with this service pack and related hotfixes or workarounds are known.
You can install the respective hotfixes in the Admin Webinterface => Administration => Updates => Install hotfixes.
Obsolete hotfixes in the table are integrated into more recent hotfixes and are therefore no longer available.

Date	Problem Title	Problem Description	Workaround / Hotfix
27.05.2024	Hotfix 22-logrotate	Hotfix Logrotate for MongoDB	hf-22-logrotate
04.03.2023	Hotfix 21-hwdetect-azure	Hotfix Hardware Detection Azure	hf-21-hwdetect-azure
04.03.2023	Hotfix 20-hwdetect-azure	Hotfix Hardware Detection Azure	hf-20-hwdetect-azure
06.07.2023	Hotfix 19-dns-resolve	After reboots, DNS settings may not have been correct	hf-19-dns-resolve
21.02.2023	Hotfix 18-clamav-sec	Security update for ClamAV	hf-18-clamav-sec
13.02.2023	Hotfix 16-smtpreceiver	Fix for SMTP Receiver - error while saving message	hf-16-smtpreceiver
09.01.2023	Hotfix 14-services	Adjustments to MailSealer and SMTP Receiver	hf-14-services
16.11.2022	Hotfix 13-hyper-v	Updates HyperV guest services on HyperV appliances	hf-13-hyper-v
15.11.2022	Hotfix 12-services	Fixes DKIM signature problems and incorrect evaluation of Spamfinder subject filtering	hf-12-services
02.11.2022	Hotfix 11-kvm-guest-agent	In some KVM based virtualisation environments the guest agents were not active	hf-11-kvm-guest-agent
28.10.2022	Hotfix 10-raid-diag	Correction to hardware detection of raid diagnostics	hf-10-raid-diag
28.10.2022	Hotfix 09-remote-support	Fixes display error in Admin Interface for Remote Support Service Status	hf-09-remote-support
27.10.2022	Hotfix 08-backup-restore	After a restore several configurations were missing	hf-08-backup-restore
21.10.2022	Hotfix 07-admin-gui	Fixes paging problems in various views	hf-07-admin-gui
21.10.2022	Hotfix 06-services	Fixes problems with DKIM, LDAP Sync, Spamfinder	hf-06-services
21.10.2022	Hotfix 05-samba-service	Fixes problems with NMBD Service Start	hf-05-samba-service
12.10.2022	Hotfix 03-services	Bug fixes in some Appliance Services	hf-03-services
26.09.2022	Hotfix 01-clamav-ram	Performance update for ClamAV	hf-01-clamav-ram

Detailed descriptions are provided below for the existing hotfixes.

Unfortunately, the logrotate did not take the MongoDB log files into account, this has been corrected.

Adjustment of hardware detection on Azure appliances for update compatibility

Adjustment of hardware detection on Azure appliances for update compatibility

After a restart it could happen that the DNS settings were not applied correctly, this is fixed with the hotfix.

The hotfix fixes critical security vulnerabilities by updating ClamAV to 1.0.1.

Fixes the error "error while saving message", which can sporadically occur with appliances with a high mail load.

DMARC records are now evaluated correctly, even if they contain spaces.

The network blacklist may have had a caching problem and rejected connections to formerly blocked IP addresses, even if they were no longer on the list.

MailSealer now correctly processes mails if they are sent to multiple recipients and there is no pubic key for encryption for some of them.

On HyperV based appliances the hotfix updates the HyperV guest services to allow VSS based snapshots (live snapshots) again.
Some packages are updated in the process, so the Hotifx may take a little longer than usual to install.
After installing the hotfix, a reboot of the appliance is necessary so that the adjustments are applied.

When installing the hotfix, it checks whether it is in a HyperV environment and is also only applied to HyperV appliances.

If the DKIM signature is activated for a local domain, the DKIM signature is now correctly replaced when processing an already DKIM signed e-mail (e.g. from the O365 environment).
Especially when using the MailSealer, which adjusts the header information, the DKIM signature would otherwise be invalid.

Due to a previous update, Spamfinder unfortunately interpreted the subject blacklist entries as whitelist entries (and thus actually delivered unwanted emails instead of sending them to quarantine), this has now been corrected.

In certain KVM-based virtualisation hosts, although KVM was recognised as a system, the associated guest utilities were not started.
The hardware detection has now been adjusted via the hotfix and the guest services have also been activated for systems with this error.

The hardware raid diagnosis delivered an incorrect result under certain raid controls, although the raid itself had no error.
This was repaired accordingly.

If remote support was deactivated on an appliance after a support, it was incorrectly displayed as active again after a restart of the appliance, although it was not active.
as active again, although it had actually been terminated. The hotfix fixes this display error and displays the actual status of the Remote Support Service.
Support Service.

After restoring a backup to a freshly installed appliance, some configuration parameters were missing (e.g. the realm settings).
The hotfix now correctly applies all settings again and also takes into account that storages (e.g. iSCSI) are not started directly after the
restored. In the event that the "old" appliance is still active in parallel, this double data access to block devices could lead to unpredictable errors.
could lead to unforeseeable errors. The restore also explicitly points this out if such a constellation is detected.

Certain areas in the administration interface only displayed 25 lines of entries, but environments with, for example, more than 25 policies or deputy policies were configured,
had no access to the entries exceeding 25. The hotfix now introduces paging in the respective configuration overviews,
This makes it possible to scroll page by page and access all entries again.

Several problems are fixed here:

Spamfinder now checks both header and envelope email addresses for email-based white and blacklist entries.
The LDAP synchronisation now also takes into account remote shared mailboxes, mail users and the associated permissions.
After applying the hotfix, a synchronisation must be started manually for the corresponding realm.
The DKIM signature check in the SMTP receiver has been corrected (e.g. to correctly evaluate DKIM entries in the DNS with blanks).
The DKIM signature with activated MailSealer and already DKIM signed e-mail has been revised (as the original signature becomes invalid through the MailSealer).
Currently the DKIM signature is removed, with a following hotfix own DKIM signatures will be applied, if this is configured for the local domain in the APpliance.

The appliance SMB/CIFS release requires that the respective integrated storages are entered in the Samba configuration file.
The service is restarted in the process. If there were several storages, this resulted in many restarts of the service
and possibly to a Linux-related intervention (because the service was restarted in too short an interval).
The hotfix fixes this behaviour and now only carries out one reload.
For appliances that are already in the state "NMBD Service not running" (reported by the Diagnostics process list in the Diagnostics Centre),
the service is restarted once in order to rectify this error state.

In rare cases (especially with slowly connected storages) it could happen that database and index services were terminated before the MailDepot service,
this resulted in containers in need of repair. The hotfix implements a dependency of all system services in such a way that the services are now terminated correctly and in the intended order.
in the correct way and in the intended order.

In addition, a security adjustment was made to the SMTP authentication used in the SMTP receiver.
Login attempts without passwords are now always rejected and not checked against the LDAP.

Updating the virus scanner pattern database can cause the memory consumption of ClamAV to increase considerably for a short time.
This could lead to the Linux operating system terminating other processes with the Out Of Memory Killer, especially on appliances with 4GB of RAM.
terminated other processes.

The hotfix therefore implements an adjustment in the ClamAV configuration and now lets it restart with current virus patterns.
E-mails to be processed then "wait" in the mail processing queue until the ClamAV has restarted and are then processed again.

The Outlook Addin refuses the connection to REDDOXX Desktop in certain current Outlook clients, therefore either REDDOXX Desktop has to be used directly to work with the MailDepot, or the user web interface has to be used