------------------------------------------------------------
E-SMITH SERVER AND GATEWAY 4.1.1
Release notes - February 15, 2001
------------------------------------------------------------

e-smith, inc. is pleased to announce the availability of the e-smith
server and gateway version 4.1.1.

E-smith 4.1.1 is a bug fix release - see CORRECTIONS AND UPDATES below
for details.

e-smith version 4.1 contains many new features, as well as many minor
improvements and corrections. The documentation has been updated and
includes additional information.

This release is based on RedHat 7.0, with all available updates,
except as noted.


NEW INTERNET CONNECTIVITY OPTIONS

1. PPP over Ethernet

   PPP over Ethernet (PPPoE) enables users to connect their e-smith
   server to the Internet using residential ADSL connections (in
   addition to the cable modem, dialup, and other connectivity options
   that were previously supported).


NEW REMOTE ACCESS FEATURES

1. PPTP based virtual private networking

   PPTP enables remote users to connect to their corporate network via
   their regular ISP Internet connection. The e-smith PPTP
   configuration uses (and requires) 128-bit encryption to make the
   connection completely secure and private.

   PPTP is disabled by default and can be enabled or disabled via the
   "Remote Access" function in the e-smith manager.

2. Web based email

   Web based email enables remote users to access their email from
   anywhere on the Internet via a web browser (like a secure, private
   version of Hotmail) using the open-source IMP server application.
   Users can access their email by visiting the web site
   "https://www.mycompany.com/webmail" (where "www.mycompany.com" is
   the users' own web site).

   Web based email is disabled by default, but is configurable via the
   "Other Email Settings" function in the e-smith manager. Access can
   be enabled via HTTP and HTTPS, or can be restricted to HTTPS for
   additional security.

   (HTTPS encrypts the web session using SSL - secure sockets layer -
   for a secure, private connection. Requires an SSL enabled web
   browser such as Netscape or Internet Explorer.)

3. SSH remote access

   SSH enables remote users to connect to their corporate network via
   their regular ISP Internet connection using the SSH suite of
   programs. (See http://www.ssh.com/ and http://www.openssh.com/ for
   more information about SSH.) Options allow plain password or secure
   key authentication, and enable or disable root logins.

   SSH is disabled by default, and can be enabled via the "Remote
   Access" function in the e-smith manager.


NEW DATA PROTECTION FEATURES

1. RAID-1 support (disk mirroring)

   RAID-1 support enables the e-smith server to use dual hard disks,
   and writes all data to both disks during server operation. This
   protects against loss of data in the event of a hard disk failure,
   and also tends to improve system performance because data can be
   read from both disks in parallel.

   e-smith 4.1 supports both hardware RAID-1 controllers and software
   RAID-1 configurations (simply connect two hard drives to your
   e-smith server and select software RAID-1 during installation). The
   two hard drives should be the same size (the RAID size will be as
   large as the smallest disk).

2. Tape backup

   The e-smith manager has a new "Backup and restore" function to
   configure tape backup to run daily at a specified time using the
   flexbackup program. Restoring from tape backups can now be done via
   the "Restore from tape" function.

   All SCSI tape drives are supported, as well as the following IDE
   drives:

   - Seagate STT220000A Hornet 20GB IDE Tape Drive
   - HP SureStore T20XAI 20GB IDE Tape Drive
   - other models to be announced...

3. Reinstall floppy diskette

   The "reinstall floppy diskette" function allows you to create a
   customized floppy diskette that can be used to perform future
   e-smith installations that automatically restore the system
   configuration.

   Note: User data is NOT backed up when using the reinstall floppy.


SECURITY ENHANCEMENTS

1. Packet filtering (IPchains) rules have been added to provide
   another layer of security filtering.

2. Email (SMTP) server changes allow for tighter anti-spam rules.

3. User accounts are now locked when first created, and unlocked when
   the password is first changed.

4. All of the latest available software updates and security fixes are
   included for the software packages used by e-smith.

   Exceptions:

   - RedHat has released a kernel update 2.2.17-14. This update fixes
     a number of vulnerabilities which do not affect the e-smith
     server, as they require local shell access to be exploited. This
     kernel is also incompatible with a number of e-smith specific
     modifications.

   - RedHat has released an updated version of glibc (2.2-12) which
     fixes a number of vulnerabilities which do not affect the e-smith
     server, as they require local shell access to be exploited. As
     RedHat also split the glibc into glibc-common and glibc RPMs, and
     did not specify dependency relationships correctly, these new
     RPMs could not be used on a fresh installation. They can,
     however, safely be applied as an update.

   - RedHat has released PHP updates to address a number of security
     and reliability issues. These issues do not affect the webmail
     application which is included in the e-smith 4.1 software.
     Conversely, the updated PHP RPMs do not work correctly with the
     IMP webmail software. If you run other PHP software, you should
     evaluate the RedHat advisory and apply the PHP updates if
     security would otherwise be compromised.

5. FTP has a new setting to limit access to the FTP server.

6. Telnet has a new setting to enable/disable administrative command
   line access.

7. FTP support has been updated to the latest ProFTPd release.


ADDITIONAL SOFTWARE

Several open source applications used by e-smith 4.1 are included with
this product. However, e-smith only provides support for the
applications as used by e-smith 4.1.

1. Apache web server is now SSL enabled (a certificate is
   automatically created for each virtual domain declared by the
   user), and supports PHP scripting. PHP is an HTML-embedded
   scripting language (see http://www.php.net for more information).

2. MySQL database server is included and automatically enabled. MySQL
   is a multi-threaded, multi-user, SQL (Structured Query Language)
   database server (see http://www.mysql.com for more information).


MISCELLANEOUS OTHER ENHANCEMENTS

1. New "upgrade" option enables users to upgrade an older version of
   e-smith without erasing existing data.

2. Many improvements to the e-smith console (for initial server
   configuration). Dialogs are presented in a more logical sequence,
   and the e-smith manager and on-line documentation can both be
   accessed via the console (using a text mode web browser).

3. Improved ethernet auto-detection, with many additional ethernet
   cards supported.

4. Reboots are now required only if hostname, domain name, system mode
   or network interface parameters are changed. Other configuration
   changes are made without rebooting the server.

5. New e-smith manager function enables users to view mail server
   statistics.

6. Support for definition of local and remote network hostnames and
   addresses.

7. New "pseudonyms" function in the e-smith manager allows the
   creation of additional email addresses which automatically forward
   email to existing users or groups. The pseudonym "everyone" is
   automatically declared to forward email to every user account
   (accessible only from the local network).

8. The H323 IP masquerading module has been installed, enabling the
   use of popular videoconferencing software packages on the local
   network which use this protocol (calls can be initiated from behind
   the e-smith server and gateway, but cannot be received).

9. An ICQ IP masquerading module has been installed, enabling the use
   of ICQ 99x compatible clients on the local network.

10. The i-bay setting "public access via web or anonymous ftp" has
    been changed slightly. If this parameter is set to "None" (i.e.
    the user does not want to provide any access to the i-bay via the
    web), then Samba and Netatalk are reconfigured to define their
    root as the "files" subdirectory within the i-bay, making them act
    more like an ordinary Windows shared directory. (As a consequence
    of this change, any applications using a mapping directly to the
    i-bay network share will need to be changed to "sharename/"
    instead of "sharename/files/".)

11. New services model for starting/restarting/stopping services (for
    developers only - not normally supported for e-smith customers).

12. Hard disk optimization available for IDE disk drives.

13. Customizable email virtual domain handling (for developers only -
    not normally supported for e-smith customers).


CORRECTIONS AND UPDATES

1. The following RPMs contained kernel modules which were not
   correctly built for operation with the SMP kernel:

       ppp
       appletalk-fixed
       ip_masq_h323
       ip_masq_icq

   These have now been built correctly and operate with the SMP
   kernel.

2. The DNS resolution daemon "named" was started too late in the boot
   process to be used by the Dynamic DNS client used to register new
   external IP addresses. The bootup sequence has been changed to
   first bring up the loopback interface and then start "named" before
   any other network interfaces are initialised.

3. The configuration of the tape backup drive was not correctly
   restored after a tape restore, and tape backups would not resume
   until the tape drive was reconfigured via the web interface. This
   has been corrected.

4. A cosmetic problem with the remote access web form was corrected.
   The form sometimes displayed the PermitRootLogin field as "yes" for
   the "telnet" and "ssh" services, even when those services were
   disabled. The form now always displays "no" if the service is
   disabled. Naturally, root access has never been possible if the
   service was disabled.

5. The "linear" option was added to the configuration file of the LILO
   boot loader, to correct problems with boot failure ("LILO stops
   after displaying LI"). All users should remember to create a rescue
   boot floppy at install time.

6. The issue of a missing mysql user after a restore from a 4.0 backup
   to a freshly installed 4.1 system has been fixed.