NetMail 3.10G README

NetMail 3.10G is a free update for NetMail 3.1. It contains fixes for software defects and configuration problems.

This is a cumulative patch. You do not need to install any other NetMail 3.1 patch before installing NetMail 3.10G.

Table of Contents

    A) Resolved Issues
    B) Caveats
    C) Installation Instructions
    D) Special Thanks
    E) Issues Addressed in Previous Patches

=============================================================================
A) Resolved Issues

1) Eliminated the possibility of a deadlock when modules are unloaded.

2) OpenSSL (used in IMAP, POP, SMTP, MODWEB)
    - Increased the timeout from 15 to 30 minutes to conform with IMAP spec
    - Eliminated the chances of closing sockets more than once
    - Made the SSL library thread safe

3) Address Book Agent
    - Fixed a decoding issue that caused the Address Book Agent not to return results to some mail clients
    - Prevented an abend if illegal addresses are stored in user objects

4) Fixed memory leaks in the anti-virus agent.

5) Prevented an abend in the IMAP agent caused by broken MIME structures.

6) Modweb Agent
    - Fixed translation of certain extended characters in the following charsets: CP1133, CP866, iso8859_2, iso8859_3, iso8859_4, iso8859_5, iso8859_6, iso8859_7, iso8859_8, iso8859_9, iso8859_10, iso8859_13, iso8859_14, iso8859_15, iso8859_16
    - Fixed improperly encoded headers that sometimes caused CPU Hog abends in the iso2022_cn character set
    - Prevented a stack overflow
    - Prevented favicon requests from browsers (such as Konqueror) from launching a login dialog box
    - Prevented a CPU HOG abend when a message contains a large header.
    - Prevented a message from being undeliverable when an external user replies to all, if the message originally had local recipients. Modweb will now add the local domain to the local recipients at send time.
    - Fixed a page fault when a user opens a message containing header extensions that are non-ASCII encoded.
    - Fixed message truncation problems and other view problems for messages that have header fields and bodies that come from different messages. The problem occurs more frequently for users that enable the immediate purge feature, use the WebAccess template, and delete messages in the message view.

7) Modweb Templates
    - Fixed TOM links for Delete and Modify to no longer open new windows.

8) MWCal Module
    - Fixed time zone compensation inconsistencies
    - Fixed code to consistently generate the FROM field when creating e-mail. The benefit of this is seen primarily in the list server to allow users to be correctly identified.

9) MWMail Module
    - Corrected a problem creating and displaying folder names containing non-ASCII characters
    - Prevented a stack overflow
    - Reduced ambiguity of the selected folder
    - Ensured consistently generated FROM e-mail address when generating messages

10) NMAP Agent
    - Prevented CPU Hog abend
    - Provided better handling of broken MIME structures
    - Fixed duplicate mail delivery issue
    - Prevented situation where queue processing can stop on multiprocessor servers
    - Corrected a non-compliance in the creation of DSN messages

11) SMTP Agent
    - Corrected the 'received from' line in time zones where offsets are not in whole hours
    - Prevented messages with more than a few thousand local recipients from getting stuck in queue 6 or 7. This was usually seen as a hang in the list server when using large traditional lists with many local users.
    - Added the ability to limit the number of mail exchangers the SMTP agent will try to send to when receiving 5xx errors. To put a limit in place, add the value MaxMXServers= to the Novonyx:Configuration attribute on the SMTP agent object.
    - Prevented an infinite loop condition when an email address resolves to 0.0.0.0
    - Fixed numerous memory leaks
    - When an IP address is added to the SMTP agent's block list, an SMTP client coming from that IP address will receive the following message when it attempts to connect to NetMail's SMTP agent:

          "Your site is blocked due to previous spamming incidents"

      This message can now be overridden by adding the following value to the Novonyx:Configuration attribute in the SMTP Agent object:

          BlockMessage={Put your message here}

12) Auto Reply Agent
    - Fixed a buffer overrun condition
    - Fixed forwarding to function in a predictable manner for users with forwarding enabled and configured with a parent object.

13) Provided correct SYSLOG behavior on Windows. Additionally, on all platforms, fixed the ability to correctly roll log files after the max size is reached. For detailed instructions on configuring SYSLOG for Windows, see the document entitled "Configuring Syslog for NetMail 3.1.txt," included with the Windows distribution.

14) Safari 1.0 and Firefox browsers are now supported.

15) Fixed the disappearing inbox when using Netscape browser.

16) Provided a workaround for SSL interoperability with Eudora.

    The version of OpenSSL included with NetMail 3.10f had a security fix to prevent a vulnerability in CBC ciphersuites in SSL 3.0/TLS 1.0. The fix was to send an empty fragment before the application data chunks to avoid the use of known initialization vectors with data potentially chosen by the attacker. However, this fix caused incompatibility with other SSL implementations, such as the one used in certain versions of the Eudora client. The Eudora client reports this error as a failure to initialize the SSL or TLS session. The workaround provided in this release of NetMail is to configure OpenSSL to ignore the attack through an NDS attribute.
    Configuration: Use DSSnoop or other equivalent utility to add 32 (turn on bit 5 in the binary representation) to the value stored in the Novonyx:SSL Options attribute on the Messaging Server object.

    CAUTION: Setting this attribute will make your NetMail installation prone to this attack. You should set this attribute only if you must have this SSL interoperability with your email client. As an alternative, since the countermeasure provided in OpenSSL was specific to SSL 3.0 and TLS 1.0, you might be able to work around the incompatibility by forcing the client to handshake with the NetMail server using the SSL 2.0 protocol only.

17) List Server
    - The list server treats authenticated senders differently than non-authenticated senders. If the sender is authenticated, the list server uses the user ID to identify the sender. If the sender is not authenticated, the list server uses the From address to identify the sender. NetMail 3.10g adds an option to force the list server to ignore authenticated users, and determine list membership and rights from the From field. This is less secure, but makes the list server identify all list users in the same way regardless of whether they authenticated. To use this option, add the following value to the Novonyx:Configuration attribute in the list agent object:

          DoNotOverrideFromFieldWithAuthFrom=1

    - NetMail 3.10g now consistently identifies authenticated list senders by their user ID for both Modweb clients and standards-based clients, so long as the standards-based client is configured to authenticate to SMTP when sending.

18) Fixed a problem in DDB with not consistently finding attributes on DS objects. This problem has been seen only with eDirectory 8.7.1 or later. The problem has manifested itself in numerous ways, such as a user's timeout value suddenly changes, a user's default template suddenly changes on next login, a user's rules revert to system defaults, or forwarding does not consistently work for a user.
    The root of the problem is in the eDirectory access interfaces, and it is expected to be fixed in a future eDirectory 8.7.x patch. We have provided a temporary fix in DDB for this release of NetMail, until the fix is made available in eDirectory.

=============================================================================
B) Caveats

1) The version of Mozilla that NetMail 3.10G supports is Firefox. If you use Firebird, you may see some erratic behavior on some menus.

2) The version of Konqueror that NetMail 3.10G supports is version 3.1.4 or later. If you use a version prior to 3.1.4, you may see some erratic behavior on some menus.

3) The 3.10G patch for the Windows platform might fail to install if the template files webacc.ctp and webmail.ctp are marked as read-only files. To address this, make a backup of these files, and then change the permissions on the files stored in C:\Program Files\Novell\NetMail\bin\modweb to remove the read-only attribute.

Note: If you have customized your templates, you will need to re-apply the customizations into the 3.10G templates, or continue to use your existing templates. The 3.10G template sources and the template compiler are available on Novell CoolSolutions at the following URL:

    http://www.novell.com/coolsolutions/tools/1846.html

=============================================================================
C) Installation Instructions

NetWare
-------
On servers using the default binary directory (SYS:\SYSTEM), install the patch by extracting the zip file in the root of the SYS volume. You can also extract the files manually and copy them into their proper places. Section C below lists the default locations of the files.

After extracting or copying the files, you need to stop and restart NetMail by entering the following commands at the NetWare console:

    ims u
    ims

The restart can be done whenever it is convenient. NetMail does not use any of the new files until it is restarted.

Linux
-----
The NetMail 3.10G update is provided as a gzipped tar file (.tgz). It is meant to be extracted from the root of the file system. The extraction of the files in the .tgz assumes that NetMail is located in the default installation directories.

Before extracting or copying the files, you need to stop NetMail by entering the following commands at a shell prompt:

    /etc/rc.d/init.d/nims stop
    /etc/rc.d/init.d/psql stop

After extracting the NetMail files, restart NetMail by entering the following commands at a shell prompt:

    /etc/rc.d/init.d/nims start
    /etc/rc.d/init.d/psql start

Solaris
-------
The NetMail 3.10G update is provided as a compressed tar file (.tar). It should be extracted from the root of the file system. The extraction of the files in the .tar assumes that NetMail is located in the default installation directories. You must uncompress the tar file before extracting it.

Before extracting or copying the files, you need to stop NetMail by entering the following commands at a shell prompt:

    /etc/init.d/nims stop
    /etc/init.d/psql stop

After extracting the NetMail files, restart NetMail by entering the following commands at a shell prompt:

    /etc/init.d/nims start
    /etc/init.d/psql start

Windows
-------
The NetMail 3.10G update is provided as a zip file (.zip).

To install:

1. Stop the NetMail Manager and NetMail Web Administration services. The services utility can be found at Control Panel > Administrative Tools > Services.

2. Extract the .zip file to the location where you installed NetMail 3.1. The default location is C:\Program Files\Novell\NetMail. If the correct directory is specified, Windows asks if the current files should be overwritten.

   Note: During the file extraction process, you might encounter an error copying the webacc.ctp and webmail.ctp files. If this happens, you will need to change permission on these files to read/write and then rerun the 3.10G update install.
   On a default install, these files are located at C:\Program Files\Novell\Netmail\bin\modweb

3. Restart the services.

=============================================================================
D) Special Thanks

Thanks to John Carter, Marc Caterina, Matt DeFoor, Joe Flowers, John Goswick, Mitch Mitchell, and Vasu Salem, who helped identify many of the issues addressed in this support pack.

=============================================================================
E) Issues Addressed in Previous Patches

Because this is a cumulative patch, all of the issues addressed in previous patches are included here for reference.

======================
NetMail 3.10F

A) Resolved Issues

1) ALL AGENTS: OpenSSL security vulnerabilities described in CERT Advisories CAN-2003-0543 (VU#255484), CAN-2003-0544 (VU#380864), VU#686224, and VU#732952 have been addressed. (See http://www.cert.org/advisories/CA-2003-26.html)

2) Solaris and Linux AGENTS: Agents no longer unload unnecessarily for certain signals.

3) AVIRUS: Now correctly adheres to configuration, if set, to not notify the sender of the virus.

4) AVIRUS: Now logs all viruses regardless of the notification settings.

5) IMAP: Added support for the command: fetch body[.MIME]. This command is used by some IMAP clients to determine the existence and properties of attachments.

6) IMAP: Several scenarios that caused messages to lose their state (deleted, read, etc.) have been addressed.

7) IMAP: Clients that maintain multiple connections to the same mailbox will notice faster synchronization of message status between connections.

8) IMAP: RFC violation in the response to IMAP's SEARCH command has been fixed.

9) NMAP: Several scenarios that caused messages to lose their state (deleted, read, etc.) have been addressed.

10) NMAP: Improved handling of incorrectly formatted messages.

11) NMAP: On NetWare, low memory conditions no longer cause ABENDs.

12) PROXY: Now allows downloading of incorrectly formatted messages.

13) SMTP: Prevented an ABEND when dealing with configuration updates.

14) SMTP: The "Received" line added by the SMTP Agent now accounts for daylight savings time when calculating time zone offset.

15) DDB: On NetWare, an abend has been prevented. When this abend occurred in previous versions, it usually happened multiple times in quick succession.

16) MWMAIL: Address Book results are now alphabetized when searching more than one address book.

======================
NetMail 3.10e

A) New Resources:

1) Look for a new version of the NetMail 3.1 Administration Guide at http://www.novell.com/documentation/lg/netmail31/pdfdoc/netmail31.pdf

2) The sources for the ModWeb templates included in this patch are available on the NetMail Cool Solutions site at http://www.novell.com/coolsolutions/netmail/downloadables.html

3) The NetMail SDK has been posted on leading edge at http://developer.novell.com/ndk/leadedge.htm#le162

B) Improvements

1) The Anti-Virus agent can now use the CSAV Interceptor for NetMail from Command software on all platforms where NetMail runs. The WebAdmin and NWAdmin administration tools have been updated to facilitate its use. When configuring NetMail to use Command Software on the NetWare operating system, the volume name must be specified as part of the pattern file path.

2) A user can now have an unlimited quota even if user quotas are enforced.

    Configuration: Set the user quota to be 0.

3) NetMail Agents now support chained certificates in addition to the standard certificates that have always been supported*.

    Modified Binaries: pop3d, imapd, modwebd, and smtpd.

    * Certgen can still only create non-chained certificates. A variety of open source tools exist to create chained OpenSSL certificates.

4) In this and previous versions, when a user composes a message in the Web interface and their user object has the Internet Email Address attribute, then that value is used in the From: field.
    A configuration option has been added to make the modular Web agent ignore this attribute, even if it has a value.

    Configuration:
    - Use a DS editor to add the value "IgnoreInternetEmailAddressAttribute" to the Novonyx:Configuration attribute of the Modular Web Agent object.

5) Additional memory caching is introduced in ddb and nmap to improve performance and reduce the chance of server memory fragmentation.

C) Resolved Issues

1) ALL AGENTS: OpenSSL security vulnerabilities described in CERT Advisory CA-2002-23 (http://www.cert.org/advisories/CA-2002-23.html) have been eliminated. The 3.10d patch did not include these as stated in the 3.10d Readme.

2) ALL AGENTS: Potential high utilization issues (CPU hogs on NetWare) eliminated in OpenSSL code.

3) Solaris AGENTS: Agents no longer exit in specific IP error conditions. (ECONNABORTED in accept())

4) Windows AGENTS: Agents no longer crash when trying to display dates prior to 1970.

5) AVIRUS: Memory leak fixed.

6) AVIRUS: Fixed a high utilization (CPU hog ABEND on NW) issue that could occur when NetMail's Anti-virus agent was configured to use the Symantec CarrierScan product.

7) AVIRUS: Fixed an abend/crash that could occur when NetMail's Anti-virus agent was configured to use the McAfee NetShield product.

8) IMAP: Memory leak fixed.

9) IMAP: Abend/crash prevented.

10) MODWEB: Abend/crash prevented.

11) MODWEB: Fixed the truncation of text encoded in 2022-JP.

12) MWCAL: Prevented the remaining issue where one user could potentially see somebody else's message when composing a message.

13) MWMAIL: Prevented high utilization/CPU hog caused by network errors.

14) MWMAIL: Allow ModWeb users whose From address is not their userid to post to lists when list requires authentication.

15) MWMAIL: Fixed memory leak.

16) MWMAIL: Abend/crash fixed when reading particular messages with a WAP device.

17) MWMAIL: Address book queries work in the Solaris version without needing to load modwebd separately.

18) NMAP: Abend/crash processing queued messages prevented.

19) NMAP: Abend/crash opening broken mailboxes prevented.

20) NMAP: A loophole in the quota was closed. No quota was enforced if a user had a quota value, but only system quotas were being enforced.

21) NMAP: Improved tolerance for an uncommon MIME header.

22) SMTP: Memory leak fixed.

23) SMTP: Prevented mail loops by preventing connections to illegal local addresses. The change only affects Solaris and Linux servers, because NetWare and Windows did not allow such connections anyway.

24) SMTP: NetMail can now send to users on foreign mail systems that require the original recipient even if the user's e-mail address contains legal non-alphanumeric characters. (See RFC 1891)

25) The WebAccess Template was changed so that the Create and Delete buttons on the Address Book Results Page do not scroll off to the right.

26) Other miscellaneous fixes.

======================
NetMail 3.10d

A) Improvements

1) The Finger Daemon, dropped in 3.1, was reinstated in 3.10d. Some mail clients still depend on it.

2) The Alias Agent is now more flexible in a distributed NetMail system. Until now, if an Alias Agent serviced just one NMAP queue, it could only auto-generate aliases for users hosted by that NMAP agent. In this revision, the alias agent can generate aliases for any group of NetMail users regardless of which NMAP agent the agent monitors. No configuration changes are required unless you want to take advantage of the new flexibility.

    Configuration:
    - Using the Queue Server tab, select the NMAP Agent where the Alias Agent will process messages in the queue.
    - Using the Monitored Servers tab, select the NMAP Agents hosting the users for whom aliases should be automatically generated.

    The Alias Agent now looks to see if there is an NMAP agent configured in the Queue Server tab. If there is, it only processes messages going through that queue.
    It creates auto-generated aliases based on the NMAP agents listed in the Monitored Servers tab. If nothing is configured in the Queue Server tab, the Alias Agent will use the Monitored Servers list for both functions just as it always has.

    Note: The Queue Server tab found in other objects has a completely different function; it is used to determine where new messages are generated.

    Modified Binaries: msgalias, NIMS snap-in for NWADMIN and WebAdmin.

B) Resolved Issues

1) ALL AGENTS: OpenSSL security vulnerabilities described in CERT Advisory CA-2002-23 (http://www.cert.org/advisories/CA-2002-23.html) have been eliminated.

2) MODWEBD: Messages written in the Latin 1 (CP1252) character set are now displayed correctly.

3) MODWEBD: Extended characters in attachment names will now be replaced with the '^' character. This change is designed to preserve, in a predictable way, as much of the original name as possible. Until this release, NetMail encoded such attachment names in an attempt to preserve extended characters and the character set needed to interpret them. Because the most widely used browsers still do not support RFC2022, these attachment names were unrecognizable when displayed.

4) MODWEBD: Where no attachment name is available, ModWeb uses a default name of "Unnamed". Previously, the attachment name displayed for such files was "w".

5) MWCAL: A potential crash that could occur while displaying certain calendar objects was fixed.

6) MWCAL: Calendar events are now deleted correctly even if there are multiple connections to the calendar.

7) MWCAL: Blank User directories are not created when authenticating to a server that does not service the user's context.

8) MWMAIL: A potential crash that could occur while displaying the recipient list was fixed.

9) MWMAIL: E-mail addresses containing the '\' or '"' characters are now displayed correctly.

10) MWPREF: A timing problem that caused rules to become corrupt was fixed.
    This fix prevents new rules from being created incorrectly, but does not fix corrupt rules that already exist. Such rules will cause the Rules Agent to crash. If the Rules Agent abends on NetWare, look for the name of the thread in the ABEND log. The thread name contains the username of the user that has the corrupt rule. To prevent the abend, remove and re-create the rules for this user.

11) MWPREF: Sanity checking was added to prevent users from entering wrong proxy information.

12) MWTOM: A "Don't Set" option was added to the feature selection page. It allows the TOM administrator to set one feature for the selected users without affecting the other features.

13) NMAP: Improved the handling of common broken messages.

14) NMAP: A potential CPU hog ABEND (NetWare Only) was fixed. This condition had the greatest chance of occurring when a large number of previously queued messages would reach their queue time-out all at once.

15) NMAP: Messages addressed to more than 2000 recipients no longer hang when being transferred between distributed NetMail servers.

16) NMAP: A potential page fault has been fixed. The fault could occur when using NMAP's search command.

17) NMAP: A timing problem was fixed. A page fault could occur if NMAP tried to process the same queued message more than once at the same time.

18) ALIAS: A potential page fault was fixed. The fault occurred when a user object did not have values for all the fields used to generate aliases.

19) AVIRUS: The anti-virus agent can now load the McAfee virus scanning engine on a properly configured NetWare 4.x NetMail server.

20) FORWARD/AUTOREPLY: Messages sent to NetMail users who are over quota and have auto-reply enabled are now bounced correctly.

21) IMAP: Several security vulnerabilities in the IMAP Agent were fixed.

22) IMAP: The server now supports IMAP clients that download large attachments in segments (partial fetches).

23) POP: POP clients that use the AUTH login method no longer receive errors when logging in.

24) PROXY: The proxy agent no longer pulls mail for users that are disabled.

25) MSGAPI: A potential mail loop has been prevented. The loop occurred when the MX record for a NetMail server and a second SMTP server have the same preference value for the same domain.

26) SMTP: Non-alpha characters in original recipient (ORCPT) addresses can now be preserved.

27) SMTP: The message delivery time is no longer off by an hour during daylight savings time on the Windows and Solaris platforms.

28) WEBADMIN: Potential mail loss prevented. Directory lookups could return incorrect information to NetMail agents after the filter feature in the 3.1 version of webadmin was used.

29) WEBADMIN: A potential page fault was fixed. The fault occurred when attempting to set a value for Server Manager.

30) WEBADMIN: The Parent Object Field in the SMTP Agent object now accepts multiple values.

31) WEBADMIN: Global and Local alias fields can now be cleared.

32) WEBADMIN: A 'Status Tab' was added to Modular Web Agent object.

33) Other miscellaneous fixes.