Kolab Server 2.1 Beta 3 released

Thomas Arendsen Hein thomas at intevation.de
Wed Nov 15 19:43:29 CET 2006


Hi!

I've just uploaded the last bits of Kolab Server 2.1 Beta 3, which
fixes more than 30 problems found in Beta 2 and includes the
security updates published until now.

Documentation and OpenPKG source packages will be available in the
directory server/beta/kolab-server-2.1-beta-3/ of the mirrors listed
on http://kolab.org/mirrors.html soon. Included is a gpg signed
MD5SUMS file to verify if your download is correct:

  $ gpg --verify MD5SUMS
  $ md5sum -c MD5SUMS

The packages are available since Friday, so you already can start
downloading from server/development-2.1/dated/20061110/, all that
was changed since then are the files release-notes.txt, 1st.README
and UPGRADING.20-21, which I have attached to this mail for your
convenience.

Please follow the instructions in 1st.README, because otherwise some
things will not work as expected.

UPGRADING.20-21 contains instructions for upgrading from Kolab
server 2.0 to 2.1, but they need testing on more live systems.
Please report failed and successful upgrades to the mailing list.

Regards,
Thomas Arendsen Hein

-- 
Email: thomas at intevation.de
http://intevation.de/~thomas/
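
Added example, not part of the announcement or of the Kolab project's tooling: the two verification commands above combined so that the signer is pinned and md5sum only sees lines that gpg actually verified. It assumes MD5SUMS is clearsigned and that GNU md5sum is in use; the function names are hypothetical and the fingerprint argument is a placeholder you must obtain out of band.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the expected fingerprint is
# a placeholder supplied by the caller, the page does not publish one.

# Read `gpg --status-fd` output on stdin and print the primary-key fingerprint
# of each valid signature. Print nothing if any signature is bad, expired, or
# made by an expired or revoked key.
valid_signers() {
    awk '$1 != "[GNUPG:]" { next }
         $2 == "BADSIG" || $2 == "EXPSIG" ||
         $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
         $2 == "VALIDSIG" { fpr[n++] = (NF >= 12 ? $12 : $3) }
         END { if (!bad) for (i = 0; i < n; i++) print fpr[i] }'
}

# Succeed only if the status text on stdin shows a valid signature made by
# the key whose fingerprint is given as $1.
status_signed_by() {
    ssb_want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$ssb_want" ] || return 1
    valid_signers | grep -Fqx -- "$ssb_want"
}

# $1 = path to the clearsigned MD5SUMS, $2 = expected signer fingerprint.
verify_release() {
    vr_dir=$(dirname "$1")
    vr_body=$(mktemp) || return 1
    # --decrypt writes only the text covered by the signature to $vr_body.
    # The decision is taken from the status lines, not from gpg's exit code.
    vr_status=$(gpg --batch --yes --status-fd 1 \
                    --output "$vr_body" --decrypt "$1" 2>/dev/null) || true
    if ! printf '%s\n' "$vr_status" | status_signed_by "$2"; then
        echo "MD5SUMS: no valid signature from $2" >&2
        rm -f "$vr_body"
        return 1
    fi
    # Check the downloads against the verified lines only; --strict makes
    # malformed checksum lines an error instead of a warning.
    (cd "$vr_dir" && md5sum --strict -c "$vr_body")
    vr_rc=$?
    rm -f "$vr_body"
    return "$vr_rc"
}

# Usage: verify_release ./MD5SUMS <FINGERPRINT-OBTAINED-OUT-OF-BAND>
```

A plain "Good signature" from gpg only says that some key in the local keyring signed the file, which is why the fingerprint comparison is part of the check.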
-------------- next part --------------
Release notes Kolab2 Server
(Version 20061110, Kolab Server 2.1 beta 3)

This is a development snapshot of the kolab server leading up to a 2.1
release.  For upgrading and installation instructions, please refer to
the 1st.README file in the source directory.

WARNING, these topics need testing in 2.1 beta 3:

 - Instructions for upgrading from Kolab server 2.0 in 1st.README.
 - Changed imapd database format for annotations.db and mailboxes.db
 - New free/busy code (see section "Known problems")


Differences between Kolab 2.0.x and 2.1:

    - Simple multi-domain support

      The Kolab server can now accept mail for multiple email domains.
      There is also a new class of maintainers which are only allowed to
      manage settings for a subset of the mail domains of the kolab
      server.

    - Hashed IMAP spool

      The default imapd configuration has been changed to enable the
      hashimapspool option.  This means that in 2.1 the default directory
      layout of the imapd spool (/kolab/var/imapd/spool/) is different from
      the one in 2.0. When you upgrade from 2.0 it's best to keep using the
      old structure, so remove or comment out the corresponding line in
      /kolab/etc/kolab/templates/imapd.conf.template *before* running
      kolabconf. For new installations the new default setting is recommended
      because it's more efficient especially when you have many mailboxes.
      For details see kolab/issue1089.


Known problems:

    - Retrieving the free/busy information isn't working, unless you use
      the following workaround on the server:

        cd /kolab && ln -s . kolab

      See kolab/issue1490 (freebusy cache written to /kolab/kolab/...)
      for details. Be careful when creating backups of your /kolab directory
      to not follow symbolic links, because this is a recursive one.

    - Under some circumstances the Kolab server may not create
      users or update the configuration after changes have been made in
      the web interface.  This happens most often immediately after the
      bootstrap.  In that case restart the kolabd:

	/kolab/bin/openpkg rc kolabd restart

      See kolab/issue1068 (Mailboxes are not created until kolabd restart)
      and kolab/issue1098 (Changes in the service tab are not accepted after
      bootstrap) for details.

    - If modifying or deleting address book entries doesn't work,
      restarting openldap can help, see kolab/issue854 for details.

    - Setting Cyrus IMAP quota to 4096MB or more breaks delivery to this user.
      Setting to unlimited works though. See kolab/issue1262 for details.

Changes since 2.1 beta 2:

    - openpkg-2.5.4-2.5.4

	New upstream version.

    - apache-1.3.33-2.5.6

	denial of service and possibly arbitrary code execution via crafted
	URLs that are not properly handled using certain rewrite rules.
	http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.015-apache.html

    - gzip-1.3.5-2.5.1

	denial of service, arbitrary code execution
	http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.020-gzip.html

    - curl-7.15.0-2.5.2

	buffer overflow
	http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.012-curl.html

    - openssl-0.9.8a-2.5.4

	denial of service, may allow execution of arbitrary code
	(http://kolab.org/security/kolab-vendor-notice-12.txt)

    - clamav-0.88.5-2.20061018

	buffer overflow, remotely exploitable (CVE-2006-4018)
	(http://kolab.org/security/kolab-vendor-notice-10.txt)

	heap overflow, remotely exploitable (CVE-2006-4182),
	denial of service, remotely exploitable (CVE-2006-5295)
	(http://kolab.org/security/kolab-vendor-notice-13.txt)

    - file-4.15-2.5.0_kolab

	kolab/issue1458 (Password protected .sxw files can be banned by
	                 amavisd, as a result of the file command)

    - openldap-2.3.27-2.20061018_kolab

	New upstream version, fixes CVE-2006-4600 (Bugtraq ID 19832)
	and other problems.

	kolab/issue1229 (Master openldap's slurpd fails to start after
	                 adding slave)
	kolab/issue1431 (Slave cannot access master ldap server via SSL)

    - imapd-2.2.12-2.5.0_kolab2

	Fix folder structure for foldernames with non-alphanumeric characters,
	when using skiplist as the database backend for mailboxes.db.

    - perl-kolab-5.8.7-20061110

	kolab/issue1194 (serious performance problem on high number of users)

    - kolabd-2.0.99-20061110

	Added missing relay service for postfix.

	Changed main.cf masquerading defaults so email to
	user at machine.example.org is actually delivered.

	Use mailbox_transport instead of local_transport for
	kolabmailboxfilter to work around issue825.

	Removed doubled attribute cyrus-autocreatequota.

	Added indexes for delegate and delete.

	Updated freebusy.conf template for freebusy IMAP caching.

	Changed imapd.conf template to use berkeley db instead of
	skiplist for annotations.db and mailboxes.db as a workaround
	for kolab/issue840 (Annotations needs to be more robust).

	kolab/issue824  (kolabmailboxfilter run once for each recipient)
	kolab/issue1264 (Add support for sieve based notifications)
	kolab/issue1273 (Sending as delegate broken in Kolab server 2.1)
	kolab/issue1428 (Fixed locking issue)
	kolab/issue1433 (Some files in /kolab/etc/postfix have wrong ownership)

    - kolab-webadmin-2.0.99-20061110

	Fixes for setting folder type of shared folders.

	Guard against large number of users.

	kolab/issue1457 (updated French translation)

    - kolab-resource-handlers-2.0.99-20061110

	Improvements and fixes for freebusy IMAP caching.

	kolab/issue815  (invitation replies vanish in resmgr)
	kolab/issue957  (All-day events from Outlook don't show up in freebusy)
	kolab/issue974  (Localize the text for rewritten From: headers)
	kolab/issue1042 (empty lines at the end of mails delivered via LMTP)
	kolab/issue1352 (resmgr can create wrong range dates)
	kolab/issue1387 (resmgr replies to replies creating mail loop)
	kolab/issue1422 (Dummy freebusy info)


Changes since 2.1 beta 1:

    OpenPKG updates:

      openpkg-2.5.2-2.5.2
      openpkg-registry-0.2.7-20060223
      libxslt-1.1.15-2.5.1
      php-smarty-2.6.10-20051003
      clamav-0.88.2-20060524

      binutils-2.16.1-2.5.1
	http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.009-binutils.html

      openldap-2.3.11-2.5.1
	http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.008-openldap.html


    Kolab updates:

      More distconf changes by Richard Bos and Markus H?we.

      - perl-kolab-5.8.7-20060619

	Resolved:
	    Issue1194 (kolabd quota performance)
	    Issue1220 (postfix permissions)
	    issue1237 (Handling of @@@var@@@ in Conf.pm (Gunnar Wrobel))

      - kolabd-2.0.99-20060619

	* The default imapd configuration has been changed to enable the
	  hashimapspool option.  This affects the upgrade procedure.
	  See 1st.README for upgrade instructions.

	* amavis now logs to /kolab/var/amavisd/amavisd.log.  This is
	  part of the fix for Issue1015

	Resolved:
	    Issue1015 (fixing logging and logrotate for amavisd)
	    Issue1089 (enable hashimapspool for imapd to cope with many users)
	    Issue1101 (allowapop: no; disable apop access to imapd by default)
	    Issue1105 (fix compilation of kolabd on FreeBSD)
	    Issue1257 (wrong attribute name for imap quota)

      - kolab-webadmin-2.0.99-20060619

	* patch from Tobias König in order to support setting of
	  foldertype for public folders

	Resolved:
	    Issue848 (Modifying address book entry may break distribution list)
	    Issue1106 (email validation in webgui)
	    Issue1214 (number of days for vacation messages on webinterface)
	    Issue1263 (Bug in the shared folders folder-type code) [Wrobel]

      - kolab-resource-handlers-2.0.99-20060619

	* create empty pfbcache.db if missing

	Resolved:
	    Issue973 (quoting and rewriting From header)
	    Issue966 (Wrong CN for resource accounts)
	    Issue1042 (server modifies email content)
	    Issue1195 (error message in bounce)
	    Issue1243 (rewriting fails when "From:" contains quoted printable)
	    Issue1245 (rewriting problems on folded Header "From:"-line)


$Id: release-notes.txt,v 1.55 2006/11/15 17:57:01 thomas Exp $
-------------- next part --------------
Kolab2 Server Important Information
===================================

For more information on Kolab, see http://www.kolab.org

Quick install instructions
--------------------------

For a fresh install /kolab needs to be an empty directory with enough space.
You can use a symlink, but do _not_ use an NFS mounted drive.
Make sure that the following names are not in /etc/passwd or /etc/group,
as openpkg will want to create them: "kolab" "kolab-r" "kolab-n"

Check the www.openpkg.org documentation for your platform.
E.g. some platforms need gettext installed 
or the locale set to C during installation, like:
        LC_ALL=C
        LC_MESSAGES=C
        LANG=C
        SUPPORTED=C
        export LC_ALL LC_MESSAGES LANG SUPPORTED

Make sure the locale you want to set is supported by your c-library.
Otherwise the webadmin interface might only be in English.

To install the Kolab2 server, you need to download the files from the
directory containing this file (1st.README) to some local directory,
then as root, chdir into that local directory and run

# ./obmtool kolab 2>&1 | tee kolab-build.log

to build and install packages in /kolab.
By default, the Kolab Server will now be started at boottime.
After the build/install is complete, please run

# /kolab/etc/kolab/kolab_bootstrap -b

and follow the instructions.


Workaround for problem in free/busy cache generation
----------------------------------------------------

Retrieving the free/busy information isn't working, unless you use
the following workaround on the server:

  cd /kolab && ln -s . kolab

See kolab/issue1490 (freebusy cache written to /kolab/kolab/...)
for details. Be careful when creating backups of your /kolab directory
to not follow symbolic links, because this is a recursive one.


General update instructions
---------------------------

Usually an update of the Kolab 2 server works as described here.  In
some cases you will need to deviate from these instructions a bit.  All
such cases are documented below, so read the release specific update
instructions for all releases newer than the one you already have before
you start the update.

In any case you should completely read *all* relevant update
instructions *before* starting the upgrade procedure.  Always make
sure you have a recent backup of your /kolab directory before you
attempt to upgrade Kolab.

The installation of the new packages works just as for the initial
installation.  Download the files as described above and run

# ./obmtool kolab

obmtool will usually automatically determine which packages need to be
built.  If you have made changes to the configuration files in
/kolab/etc/kolab/templates/ and the new release has a new kolabd package
you may need to transfer your changes from the backups created by rpm
(the *.rpmsave) files to the new template files.  Then regenerate the
configuration with

# /kolab/sbin/kolabconf


You may want to check the permissions of your files in /kolab/etc/kolab/
after installing or upgrading, as there have been problems with this in
the past.  Especially kolab.conf and copies shall only be readable to
the owner (usually "kolab").  The installation and configuration scripts
should make sure that the permissions are correct but there's a chance
that the permissions can still go wrong, especially if you upgrade from
pre Beta1 releases.
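
Added example, not part of the original README or of the Kolab scripts: one way to run the permission check described above. It assumes that copies of kolab.conf keep the "kolab.conf" prefix (kolab.conf.rpmsave, kolab.conf.bak and so on); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit kolab.conf and its copies after an install or upgrade.
# Assumption: copies keep the "kolab.conf" prefix; function names are
# hypothetical and not part of Kolab.

# Files that grant any permission bit to group or others.
exposed_kolab_conf() {      # $1 = directory to scan
    find "$1" -type f -name 'kolab.conf*' \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print | sort
}

# Files that are not owned by the expected account.
misowned_kolab_conf() {     # $1 = directory, $2 = expected owner (name or uid)
    find "$1" -type f -name 'kolab.conf*' ! -user "$2" -print | sort
}

# Report both kinds of finding; return 0 only when there are none.
audit_kolab_conf() {        # $1 = directory, $2 = expected owner
    akc_dir=${1:-/kolab/etc/kolab}
    akc_owner=${2:-kolab}
    akc_rc=0
    akc_exposed=$(exposed_kolab_conf "$akc_dir")
    akc_misowned=$(misowned_kolab_conf "$akc_dir" "$akc_owner")
    if [ -n "$akc_exposed" ]; then
        echo "accessible to group or others (expected: owner only):"
        printf '%s\n' "$akc_exposed" |
            while IFS= read -r akc_f; do ls -ld "$akc_f"; done
        akc_rc=1
    fi
    if [ -n "$akc_misowned" ]; then
        echo "not owned by $akc_owner:"
        printf '%s\n' "$akc_misowned" |
            while IFS= read -r akc_f; do ls -ld "$akc_f"; done
        akc_rc=1
    fi
    return "$akc_rc"
}

# Usage: audit_kolab_conf /kolab/etc/kolab kolab
```
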


Upgrading from earlier versions
-------------------------------

Direct upgrade from Kolab1 is not recommended at this point. We
suggest that you back up your IMAP store, install Kolab2 and manually
recreate user accounts and then restore the IMAP data from the backup.

After an upgrade, always run /kolab/sbin/kolabconf to make sure the
configuration files are regenerated from your templates.


Upgrade from 2.0 releases to 2.1-versions
-----------------------------------------

Upgrading from Kolab 2.0.x to 2.1 is described in detail in the file
UPGRADING.20-21 in this directory.

The latest version of the upgrade instructions can be found in the
Kolab.org raw-howtos CVS:

http://kolab.org/cgi-bin/viewcvs-kolab.cgi/*checkout*/doc/raw-howtos/kolab_2.0_to_2.1_upgrade_instructions.txt

Please read all the following update instructions in this file
carefully.  While some of the information might be redundant, there are
additional notes which are essential for a successful update.


Upgrade from pre-2.1-snapshot-20051130
--------------------------------------

This upgrade is somewhat tricky, because of a new db package and a new
OpenLDAP version.  To make sure that no data is lost, you are strongly
advised to stop the server and make a backup before you start the
update.  Some files are removed during the upgrade described below.


1. Before installing the new RPMs

Before installing the new packages, copy the contents of the openldap
database (use a different output filename if you want):

   /kolab/sbin/slapcat > ~/kolab-slapcat-data


The db update also affects the imap server.

   cd /kolab/var/imapd/db
   /kolab/bin/db_recover
   rm /kolab/var/imapd/db/*


2. After installing the new RPMs

Two small changes are required in the openldap
configuration file /kolab/etc/openldap/slapd.conf:

  - comment out the line 

     require        none

  - Move the line with the suffix setting to just after the "database
    bdb" line.

These changes have already been done in the new slapd.conf.template, so
it can be used for guidance.


Then restore the openldap data:

   rm /kolab/var/openldap/openldap-data/*
   /kolab/sbin/slapadd -l ~/kolab-slapcat-data


The IMAP server should work without further changes.


Upgrade from pre-2.1-snapshot-20051215
--------------------------------------

Nothing special has to be done for this upgrade.


Upgrade from 2.1-beta-1
-----------------------

1. imapd hashimapspool setting

The default imapd configuration has been changed to enable the
hashimapspool option.  This means that in 2.1-beta-2 the directory
layout of the imapd spool (/kolab/var/imapd/spool/) is different from
the one in beta-1.  When you upgrade from beta-1 it's best to keep using
the old structure, so remove or comment out the corresponding line in
/kolab/etc/kolab/templates/imapd.conf.template *before* running
kolabconf.

For new installations the new default setting is recommended because
it's more efficient especially when you have many mailboxes.

For some background information about this see the discussion at
https://intevation.de/roundup/kolab/issue1089


2. distribution lists

There was a bug in earlier versions regarding the distribution lists for
administrative emails aliases like postmaster@<domain>.  They were
created without the domain part.  This has been fixed so that they are
created with the correct domains in their names, but admin distribution
lists created by an earlier Kolab server version will not be updated
automatically.  The easiest way to do this is by deleting them all and
then to create them again with the services page of the web-interface.

For more details about the bug, see
https://intevation.de/roundup/kolab/issue1100


Upgrade from 2.1-beta-2
-----------------------

1. postfix: ownership of virtual and transport:

The owner of two config files has to be root, otherwise postfix will
change to an unprivileged user for creating the corresponding .db files,
will not be able to write them after the upgrade, and will fail to create
further database files which don't get generated from kolab templates.

To correct the file owner, execute the following commands as root:
  cd /kolab/etc/postfix
  chown root transport virtual
  make

See kolab/issue1433 for details about this topic.


2. imapd: database format for annotations.db and mailboxes.db

The default database format for /kolab/var/imapd/annotations.db and
/kolab/var/imapd/mailboxes.db has changed from skiplist to berkeley db.

If you want to keep the old format, comment out or remove the lines
"annotation_db: berkeley" and "mboxlist_db: berkeley" in the file
"/kolab/etc/kolab/templates/imapd.conf.template" and make sure the file
"/kolab/etc/imapd/imapd.conf" reflects this, too, by either running
/kolab/sbin/kolabconf or changing it manually there, too.

To convert the databases to berkeley db format, execute as root:

  /kolab/bin/openpkg rc imapd stop
  su - kolab-r
  cd /kolab/var/imapd/
  mv annotations.db annotations.db-skiplist
  cvt_cyrusdb /kolab/var/imapd/annotations.db-skiplist skiplist \
              /kolab/var/imapd/annotations.db berkeley
  mv mailboxes.db mailboxes.db-skiplist
  cvt_cyrusdb /kolab/var/imapd/mailboxes.db-skiplist skiplist \
              /kolab/var/imapd/mailboxes.db berkeley
  exit
  /kolab/bin/openpkg rc imapd start

See http://wiki.kolab.org/index.php/Kolab2_IMAPD_annotations.db_Problems
for details about this topic.


$Id: README.1st,v 1.40 2006/11/15 17:57:01 thomas Exp $
-------------- next part --------------
Upgrade Kolab Server from 2.0.x to 2.1
======================================

Preliminary instructions for the upgrade of a Kolab Server from version
2.0.x to Kolab Server 2.1.

NOTE: This is an early version of the upgrade instructions.  It is not
very well tested and may not cover all problems that may occur during
the upgrade.  Before attempting the upgrade, make sure you have a
current and working backup of your data.


Preparation for the Upgrade
---------------------------

1. Backup the old installation.


2. Stop the Kolab Server

    /kolab/bin/openpkg rc all stop

3. Extract ldap data

Copy the contents of the openldap database (use a different output
filename if you want):

    /kolab/sbin/slapcat > ~/kolab-2.0.ldif

4. Prepare for berkeley db update

    cd /kolab/var/imapd/db
    /kolab/bin/db_recover
    rm /kolab/var/imapd/db/*


Installation
------------

The installation of the new packages is done in the normal way.  See the
file 1st.README accompanying the 2.1 server for details.  Do not do
anything after the installation yet.  In particular, do not start any
part of the server again or run kolabconf.


Configuration
-------------

1. Check custom configuration

If you have custom configurations in your templates, the installation
process renames your templates and leaves them in files with the
extension .rpmsave.  Copy any modifications from your templates to the
new one if they are still needed.

After that the files with the extension .rpmsave must be removed or
renamed.  There might be more files with the .rpmsave ending in
/kolab/etc, you can find them for example using the find command:

find /kolab/etc -name '*.rpmsave'

Any files found must be checked and moved out of the way, in most
cases they can just be deleted.


2. Cyrus IMAPd

The default imapd configuration has been changed to enable the
hashimapspool option.  This means that in 2.1 the default directory
layout of the imapd spool (/kolab/var/imapd/spool/) is different from
the one in 2.0.  When you upgrade from 2.0 it's best to keep using the
old structure, so remove or comment out the line "hashimapspool: yes"
in /kolab/etc/kolab/templates/imapd.conf.template *before* running
kolabconf.

For new installations the new default setting is recommended because
it's more efficient especially when you have many mailboxes.

For some background information about this see the discussion at
https://intevation.de/roundup/kolab/issue1089


3. LDAP

You need to make two small changes to the configuration file
/kolab/etc/openldap/slapd.conf:

  - comment out the line

     require        none

  - Move the line with the suffix setting to just after the "database
    bdb" line.

These changes have already been made in the new slapd.conf.template, so
that could be used for guidance.

Convert the openldap data.  The LDAP data-structures have changed
between 2.0 and 2.1 as described in Kolab2 Architecture Draft:
http://kolab.org/doc/concept-draft-cvs20060921.pdf

There's a Python script that can do the transformation.  The script is
utils/admin/convert-ldif-21.py in Kolab CVS and requires python >= 2.1
and python-ldap >= 2.0, you can download the current version from:

  http://kolab.org/cgi-bin/viewcvs-kolab.cgi/*checkout*/utils/admin/convert-ldif-21.py

The script works on the ldif data that was exported with slapcat earlier:

   python convert-ldif-21.py ~/kolab-2.0.ldif ~/kolab-2.1.ldif


Then restore the openldap data using the output from upgrade-ldap.py:

   rm /kolab/var/openldap/openldap-data/*
   /kolab/sbin/slapadd -l ~/kolab-2.1.ldif

This will issue some warnings which can be safely ignored.


4. kolabconf

Now start the openldap server and run kolabconf

    /kolab/bin/openpkg rc openldap start
    /kolab/sbin/kolabconf


Kolabconf might complain about some files ending in .rpmnew under
/kolab/etc.  Check those files and move them out of the way.  It's
likely that you can simply remove them.


Start the Server
----------------

Now you should be able to start the server again:

    /kolab/bin/openpkg rc all start


Final Steps
-----------

1. The internal format of the ldap records for the list of privileged
   networks has changed.  To update these records, go to the kolab web
   interface and log in as an administrative user.  Open the "Services"
   page and search for the "Privileged Networks" section.  Click the
   update button for the networks list.

2. Kolab 2.1 doesn't need some of the OpenPKG packages which were
   installed for 2.0, these can be removed:

   /kolab/bin/openpkg rpm -e dcron vim pth

   Especially the dcron package should be removed in any case,
   otherwise deprecated cronjobs will be run and generate mails with
   error messages to the kolab administrator.


$Id: kolab_2.0_to_2.1_upgrade_instructions.txt,v 1.4 2006/11/15 17:37:40 thomas Exp $