Location Screening

Location Screening is a geographically based blocking system that you can use to block incoming SMTP, POP, IMAP, WorldClient, ActiveSync, AutoDiscovery, XML API, Remote Administration, CalDAV/CardDAV, XMPP, and Minger connections from unauthorized regions of the world. MDaemon determines the country associated with the connecting IP address and then blocks that connection if it is from a restricted location, and adds a line to the Screening log. For SMTP, Location Screening can optionally block only connections using AUTH. This is useful, for example, if you have no users in a specific country but still wish to be able to receive mail from there. That way you would only block those attempting to log in to your server.

The \MDaemon\Geo\ folder contains database files that serve as the master country IP database. The files were provided by MaxMind (www.maxmind.com), and updates can be downloaded from their site if desired.

Dynamic Screening for All Protocols and Services

MDaemon's Dynamic Screening system has been greatly expanded to operate with SMTP, POP, IMAP, WorldClient, ActiveSync, AutoDiscovery, XML API, Remote Administration, CalDAV/CardDAV, XMPP, and Minger. Authentication failures are tracked across all of these services, and IP addresses can be blocked for all of them. Dynamic Screening can be configured on its new, multi-tabbed dialog under the Security menu.

PIM Attachments

PIM (calendar, contact, tasks, notes) items now support attachments. Attachments can be added to a PIM item via WorldClient, Outlook Connector, or CalDAV/CardDAV. When scheduling a meeting, any attachments will be sent to the meeting attendees.

PGP Key-exchange During SMTP

The MDPGP dialog contains a new option to enable the automatic transmission of public keys as part of the SMTP message delivery process. To do so, MDaemon's SMTP server will honor an SMTP command called RKEY. When sending an email to a server that supports RKEY, MDaemon will offer to transmit the sender's current, preferred public-key to the other host. That host will respond indicating that it either already has that key ("250 2.7.0 Key already known") or that it needs that key, in which case the key is immediately transferred in ASCII armored form ("354 Enter key, end with CRLF.CRLF") just like an email message. Keys that are expired or revoked are never transmitted. If MDaemon has multiple keys for the sender it will always send the key that is currently marked as preferred. If no key is preferred then the first one found is sent. If no valid keys are available then nothing is done. Only public-keys that belong to local users are offered.

Public-key transfers happen as part of the SMTP mail session that delivers the message from the user. In order for the public-keys transmitted in this way to be accepted, the public-key must be sent along with a message that has been DKIM signed by the domain of the key owner with the i= set to the address of the key owner, which also must exactly match the From: header address of which there can be only one. The "key owner" is taken from within the key itself. Also, the message must arrive from a host in the sender's SPF path. Finally, the key owner (or his entire domain via use of wildcards) must be authorized for RKEY by adding an appropriate entry to the MDPGP rules file (instructions are in the rules file for this) indicating that the domain can be trusted for key exchange. All this checking is done automatically for you but you must have DKIM and SPF verification enabled or no work can be done.

The MDPGP log shows the results and details of all keys imported or deleted, and the SMTP session log also tracks this activity. This process tracks the deletion of existing keys and the selection of new preferred keys and updates all participating servers it sends mail to when these things change.
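The acceptance rules above are easiest to audit when written out as a decision procedure. The following Python is an added example, not MDaemon's code: it models the receiving side of an RKEY offer, taking the DKIM, SPF and From: facts that the server has already verified as inputs and returning the reply the page describes. The rules-file syntax is not shown on the page, so the list of wildcard patterns (TRUSTED_FOR_RKEY), the dataclass field names, and the choice to run the policy checks before the "already known" shortcut are assumptions of this example.

```python
from __future__ import annotations

import fnmatch
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the MDPGP rules-file entries that authorize a key
# owner (or a whole domain via a wildcard) for RKEY. The real file's syntax is
# not shown on this page, so a list of wildcard patterns is an assumption.
TRUSTED_FOR_RKEY = ["*@example.com", "alice@partner.test"]

RKEY_NEED_KEY = "354 Enter key, end with CRLF.CRLF"
RKEY_KNOWN = "250 2.7.0 Key already known"


@dataclass
class OfferedKey:
    """The public key a sending host offers with RKEY."""
    owner: str            # key owner address, taken from inside the key itself
    fingerprint: str
    expired: bool = False
    revoked: bool = False


@dataclass
class SessionFacts:
    """What the receiving server has already verified about the message."""
    from_addrs: list[str]          # every address found in From: headers
    dkim_pass: bool                # a DKIM signature verified
    dkim_domain: Optional[str]     # d= of the verified signature
    dkim_identity: Optional[str]   # i= of the verified signature
    spf_pass: bool                 # connecting host is in the sender's SPF path


def rkey_authorized(owner: str, rules: list[str]) -> bool:
    """True when the owner, or its whole domain via a wildcard, is trusted."""
    return any(fnmatch.fnmatchcase(owner.lower(), p.lower()) for p in rules)


def check_offer(key: OfferedKey, facts: SessionFacts, rules: list[str]) -> Optional[str]:
    """Return why the offered key must be refused, or None if every check passes."""
    owner = key.owner.lower()
    domain = owner.rsplit("@", 1)[-1]
    if key.expired or key.revoked:
        return "key is expired or revoked"
    if len(facts.from_addrs) != 1:
        return "message must carry exactly one From: address"
    if facts.from_addrs[0].lower() != owner:
        return "From: address does not match the key owner"
    if not facts.dkim_pass:
        return "no verified DKIM signature"
    if (facts.dkim_domain or "").lower() != domain:
        return "DKIM signing domain is not the key owner's domain"
    if (facts.dkim_identity or "").lower() != owner:
        return "DKIM i= is not the key owner address"
    if not facts.spf_pass:
        return "connecting host is not in the sender's SPF path"
    if not rkey_authorized(owner, rules):
        return "key owner is not authorized for RKEY in the rules"
    return None


def rkey_reply(key: OfferedKey, facts: SessionFacts,
               known_fingerprints=frozenset(), rules=TRUSTED_FOR_RKEY) -> tuple[str, str]:
    """Decide how to answer an RKEY offer.

    Returns ('reject', reason), ('known', reply) or ('accept', reply). Policy
    checks run before the 'already known' shortcut so that an offer failing
    verification is never acknowledged (this ordering is the example's choice).
    """
    reason = check_offer(key, facts, rules)
    if reason:
        return "reject", reason
    if key.fingerprint in known_fingerprints:
        return "known", RKEY_KNOWN
    return "accept", RKEY_NEED_KEY


if __name__ == "__main__":
    key = OfferedKey(owner="bob@example.com", fingerprint="ABCD" * 10)
    facts = SessionFacts(["bob@example.com"], True, "example.com", "bob@example.com", True)
    print(rkey_reply(key, facts))
```

The function only consumes verification results; as the text says, DKIM and SPF verification must actually be enabled on the server for those inputs to exist, and a deployment would also log each decision to the MDPGP and SMTP session logs.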

Manage Outlook Add-ins for Outlook Connector Users

Using the new Add-ins screen on the OC Client Settings dialog, you can manage the state of the Outlook Add-ins used by your Outlook Connector users. You can allow any or all of the add-ins to be used normally, or you can disable any that you choose. This feature can be especially useful in cases where you know of a specific add-in that conflicts with the Outlook Connector Client, allowing you to disable that add-in to avoid problems. The Add-ins feature requires Outlook Connector 5.0 or newer.

WorldClient Changes

Import/Export Groups/Distributions Lists

In the LookOut and WorldClient themes, an option was added to export and import Groups/Distribution Lists from and to a contact folder in WorldClient. The format is WorldClient specific, since Outlook does not support exporting and importing Groups. The format is as follows:

Columns: Group GUID, Group Name, GUID, Full Name, Email

Each line that contains either a Group Name or a Group GUID is considered the beginning of a new group. Any GUID, Full Name or Email on that line is considered the first member of the group/list.

Example from Excel (empty cells are left blank):

Group GUID  Group Name  GUID  Full Name          Email
            The Jedis         Anakin Skywalker   ani@jedi.mail
                              Leia Organa        leia.organa@jedi.mail
                              Luke Skywalker     luke.skywalker@jedi.mail
                              Yoda               yoda@jedi.mail
            The Siths         Darth Maul         darth.maul@sith.mail
                              Darth Vader        darth.vader@sith.mail
                              Emperor Palpatine  emperor.palpatine@sith.mail

When importing, the Group GUID is replaced with a freshly generated GUID. If no Group Name is included, the name will be displayed without translation as "ImportedFromCSV_%GUID%", where %GUID% is replaced with the first five characters of the GUID. Leaving the cells to the right of a group name empty will result in the next line being the first member of the group/list. The Email field is required for a member to be added.
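The import rules above (a Group Name or Group GUID starts a new group, the incoming Group GUID is replaced, a missing name becomes ImportedFromCSV_ plus the first five characters of the new GUID, and Email is required for a member) can be checked against a small parser. The following Python is an added example, not WorldClient's import code; the sample CSV is constructed from the spreadsheet above, the member GUID is kept exactly as given in the file, and a member line that appears before any group line is skipped (both assumptions of this example).

```python
from __future__ import annotations

import csv
import io
import uuid

COLUMNS = ["Group GUID", "Group Name", "GUID", "Full Name", "Email"]

# Constructed sample: the spreadsheet above saved as CSV, plus a third group
# that has a Group GUID but no Group Name (to show the ImportedFromCSV_ fallback)
# and one member line without an Email (which must be skipped).
SAMPLE_CSV = """\
Group GUID,Group Name,GUID,Full Name,Email
,The Jedis,,Anakin Skywalker,ani@jedi.mail
,,,Leia Organa,leia.organa@jedi.mail
,,,Luke Skywalker,luke.skywalker@jedi.mail
,,,Yoda,yoda@jedi.mail
,The Siths,,Darth Maul,darth.maul@sith.mail
,,,Darth Vader,darth.vader@sith.mail
,,,Emperor Palpatine,emperor.palpatine@sith.mail
11111111-2222-3333-4444-555555555555,,,,
,,,Nameless One,
,,,Han Solo,han.solo@rebel.mail
"""


def random_guid() -> str:
    return str(uuid.uuid4()).upper()


def sequential_guids(prefix: str = "G"):
    """Deterministic GUID source so an import can be replayed and checked."""
    count = 0

    def make() -> str:
        nonlocal count
        count += 1
        return f"{prefix}{count:04d}-0000-0000-0000-000000000000"

    return make


def parse_groups(text: str, make_guid=random_guid) -> list[dict]:
    """Parse the WorldClient group CSV format into a list of group dicts."""
    groups: list[dict] = []
    current = None
    for row in csv.reader(io.StringIO(text)):
        cells = [c.strip() for c in row] + [""] * len(COLUMNS)
        group_guid, group_name, guid, full_name, email = cells[:len(COLUMNS)]
        if [group_guid, group_name] == COLUMNS[:2]:
            continue  # header row
        if group_guid or group_name:
            # A Group Name or Group GUID begins a new group. The Group GUID from
            # the file is discarded and replaced with a freshly generated one.
            fresh = make_guid()
            current = {
                "guid": fresh,
                "name": group_name or f"ImportedFromCSV_{fresh[:5]}",
                "members": [],
            }
            groups.append(current)
        if current is None:
            continue  # member line before any group: nothing to attach it to (assumption)
        if email:  # Email is required for a member to be added
            current["members"].append({"guid": guid, "name": full_name, "email": email})
    return groups


if __name__ == "__main__":
    for group in parse_groups(SAMPLE_CSV):
        print(group["name"], [m["email"] for m in group["members"]])
```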

Voice Recorder

Voice Recording was added to the LookOut and WorldClient themes. This feature requires a microphone and is only available in certain browsers. It can be disabled by the admin on a per-user basis by adding EnableVoiceRecorder=No to the User.ini. Users are limited to five tracks of five minutes each. Attempting to record more than five tracks in a Voice Recorder session will result in either the selected track or the first track being replaced by the new recording (the user will be prompted). After recording is stopped (either automatically or by the user), the track is converted to an MP3 and uploaded to the server. Users have four options regarding each track:

Save to the desktop.
Save to the default WorldClient documents folder.
Send in an email using a quick dialog that only includes To, CC, BCC, Subject, and a plain-text Message Body. Only the To field is required; generic Subject and Message Body phrases are used when the user enters no Subject or Message Body.
Open a new Compose view with the track attached.

Users can only act on one track at a time. For example, only one track can be attached to a message. If a user wants to attach multiple tracks to a message, the user will need to save each track to the default documents, and do the attaching from there.

New Folder Management Features

The LookOut and WorldClient themes have new folder management features in the Options » Folders view and in the main folder list view.

In the folder list view (left pane):

Users can drag and drop to move folders from one parent folder to another.
Users can rename folders and give favorites nicknames by clicking on them a second time (shortly after folder selection).
Show Folders by Type is now available in the LookOut theme.
If there is already at least one favorite folder (because favorites are hidden until one is added), users can drag and drop a folder to favorites in order to add it (dragging a folder out of the favorites does nothing).
The new folder and rename folder dialogs were added to the LookOut theme.

In the Options » Folders view, the folder tree is now collapsible, and the New Folder dialog has been moved to an external window like in the WorldClient theme.

Additional Features and Changes

MDaemon 17.5 has many more new features and changes. See RelNotes.html located in MDaemon's \Docs\ subfolder for a complete list of all new features, changes, and fixes to MDaemon from the previous version.

 

New in MDaemon 17.0

XMPP support for WorldClient Instant Messenger (WCIM)

WCIM now uses the XMPP protocol for instant messaging instead of WorldClient's proprietary protocol. This allows the WCIM desktop client to communicate not only with other WCIM clients, but any third-party XMPP clients (including mobile clients) connected to your MDaemon's XMPP server. Additionally, WCIM now has two types of connections: "WCMailCheck" and "WCIMXMPP." WCMailCheck connects to WorldClient for new mail notifications and message counts. WCIMXMPP connects to the XMPP server for instant messaging. Consequently, WCIM users will now have an entry for each type of connection listed on the Connections screen of the client (e.g. "Example.com Mail" and "Example.com WCIM"). When updating to version 17, WCIM will automatically create a WCIMXMPP connection to go with your already existing WCMailCheck connection, and it will migrate your IM contacts from the old system to XMPP. The look and feel of the new WCIM client is essentially the same, but there are some differences, such as how contacts and group chats are managed. See the WCIM client's Help system for more info about what has changed.

WorldClient Dropbox Integration

WorldClient is now equipped with direct support for Dropbox, which allows your users to save file attachments to their Dropbox accounts, and to insert direct links to Dropbox files in outgoing messages. To provide this feature to your WorldClient users, you must set up your WorldClient as a Dropbox app on the Dropbox Platform. This is a simple process, requiring you only to sign in to a Dropbox account, create a unique name for an app with Full Dropbox access, specify the Redirect URI to WorldClient, and change one default setting. Then, you will copy and paste the Dropbox App Key and App Secret from there to the options on the Dropbox screen in MDaemon. After that your users will be able to link their Dropbox accounts to WorldClient when they next sign in to WorldClient. For step-by-step instructions on how to create your Dropbox app and link it to WorldClient, see: Creating and Linking Your Dropbox App.

When you create your Dropbox app it will initially have "Development" status. This allows up to 500 of your WorldClient users to link their Dropbox accounts to the app. According to Dropbox, however, "once your app links 50 Dropbox users, you will have two weeks to apply for and receive Production status approval before your app's ability to link additional Dropbox users will be frozen, regardless of how many users between 0 and 500 your app has linked." This means that until you receive production approval, Dropbox integration will continue to work but no additional users will be able to link their accounts. Obtaining production approval is a straightforward process to ensure that your app complies with Dropbox's guidelines and terms of service. For more information, see the Production Approval section of the Dropbox Platform developer guide.

Once your WorldClient app is created and configured properly, each WorldClient user will be given the option to connect their account to their Dropbox account when they sign in to WorldClient. The user is required to log in to Dropbox and grant permission for the app to access the Dropbox account. Then the user will be redirected back to WorldClient using a URI that was passed to Dropbox during the authentication process. For security that URI must match one of the Redirect URIs you specified on your app's info page at Dropbox.com. Finally, WorldClient and Dropbox will exchange an access code and access token, which will allow WorldClient to connect to the user's Dropbox account so that the user can save attachments there. The exchanged access token expires every seven days, meaning that periodically the user must reauthorize the account to use Dropbox. Users can also manually disconnect their account from Dropbox, or reauthorize it when necessary, from the Cloud Apps options screen within WorldClient.

MDaemon Health Check

MDaemon is now equipped with a new troubleshooting utility called MDaemon Health Check, located at: MDaemon\App\MDHealthCheck.exe. It can be launched from the MDaemon UI using a new toolbar button or the new menu item under the Help menu. Click Analyze on the MDaemon Health Check interface to have it scan MDaemon's security-related settings (AV, SPAM, SSL, etc.) to find settings that are not recommended. All non-recommended settings are then displayed on the screen. Each entry contains the name of the setting, its current value, the recommended value, and the location in MDaemon where that setting can be found. You can then select any entries you wish to change to the recommended value and click Set to Recommended to have MDaemon change them for you. Finally, MDaemon Health Check also creates a log file of the analysis and places it in MDaemon\Logs. The log includes the current value of all the analyzed settings and any warnings or errors found. There is an Open Log button for displaying the last log generated.

Integration with Let's Encrypt via PowerShell script

To support SSL/TLS and HTTPS for MDaemon, WorldClient, and Remote Administration, you need an SSL/TLS Certificate. Certificates are small files issued by a Certificate Authority (CA) that are used to verify to a client or browser that it is connected to its intended server, and that enable SSL/TLS/HTTPS to secure the connection to that server. Let's Encrypt is a CA that provides free certificates via an automated process designed to eliminate the currently complex process of manual creation, validation, signing, installation, and renewal of certificates for secure websites.

To support using Let's Encrypt's automated process to manage a certificate, MDaemon includes a PowerShell script in the "MDaemon\LetsEncrypt" folder. A dependency of the script, the ACMESharp module, requires PowerShell 3.0, which means the script will not work on Windows 2003. Additionally, WorldClient must be listening on port 80 or the HTTP challenge cannot be completed and the script will not work. You will need to correctly set the execution policy for PowerShell before it will allow you to run this script. Running the script will set up everything for Let's Encrypt, including putting the necessary files in the WorldClient HTTP folder to complete the http-01 challenge. It uses the SMTP host name of the default domain as the domain for the certificate, retrieves the certificate, imports it into Windows, and configures MDaemon to use the certificate for MDaemon, WorldClient, and Remote Administration.

If the FQDN set up for your default domain does not point to the MDaemon server, this script will not work. If you want to set up alternate host names in the certificate, you can do so by passing the alternate host names on the command line.

Example usage:

..\LetsEncrypt.ps1 -AlternateHostNames mail.domain.com,wc.domain.com -IISSiteName MySite -To "admin@yourdomain.com"

You do not need to include the FQDN for the default domain in the AlternateHostNames list. For example, suppose your default domain is "example.com" configured with an FQDN of "mail.example.com", and you want to use an alternate host name of "imap.example.com". When you run the script, you will only pass "imap.example.com" as an alternate host name. Further, if you pass alternate host names, an HTTP challenge will need to be completed for each one. If the challenges are not all completed then the process will not complete correctly. If you do not want to use any alternate host names then do not include the -AlternateHostNames parameter in the command line.

If you are running WorldClient via IIS, you will need to pass this script the name of your site using the -IISSiteName parameter. You must have Microsoft's Web Scripting tools installed in order for the certificate to be automatically setup in IIS.

Finally, the script creates a log file in the "MDaemon\Logs\" folder, called LetsEncrypt.log. This log file is removed and recreated each time the script runs. The log includes the starting date and time of the script but not the date and time stamp for each action. Also, notification emails can be sent when an error occurs. This is done using the $error variable, which is automatically created and set by PowerShell. If you do not wish to have email notifications sent when an error occurs, do not include the -To parameter in the command line.

Option to store mailbox passwords using non-reversible encryption

There is a new Password option to store mailbox passwords using non-reversible encryption. This protects the passwords from being decrypted by MDaemon, the administrator, or a possible attacker. When enabled, MDaemon uses the bcrypt password hashing function, which allows for longer passwords (up to 72 characters), and for passwords to be preserved yet not revealed when exporting and importing accounts. Some features, however, are not compatible with this option, such as weak password detection and APOP & CRAM-MD5 authentication, because they depend on MDaemon being able to decrypt passwords. The non-reversible passwords option is disabled by default.

ActiveSync Client Approval

There is a new ActiveSync setting that you can use to require that "New clients must be authorized by an administrator prior to synchronizing" with an account. The Clients list indicates any clients awaiting authorization, and the administrator can authorize them from the same screen. This option is available on the Global and Account client settings screens. The global option is Off by default and the account option is set to "Inherit."

ActiveSync Notifications

Two types of administrative notifications have been added to ActiveSync: Sync Rollback Notifications and Corrupt Message Notifications.

Sync Rollback Notifications

The ActiveSync Service can now notify the administrators if a client is repeatedly/frequently sending expired Sync Keys in Sync operations.

These merely inform the admin that the server issued a rollback for a given collection because a client made a sync request with the most recently expired Sync Key. The subject states "ActiveSync Client Using expired Sync Key". This could occur because of a network issue or something about the content previously sent to the client in that collection. In some cases the notification includes the item ID; that depends on whether or not the previous sync on that collection sent any items.

Rollback warnings do not mean the client is out of sync; they mean that the client has the potential to go out of sync and our internal system detected it. Rollback warnings are issued for a collection no more than once per 24-hour period.

[System] SendRollbackNotifications=[0|1|Yes|No|True|False]
[System] RollbackNotificationThreshhold=[1-254] : The number of rollbacks that must occur on a given collection before a notification is sent to the admin. We recommend a value of at least 5, since network hiccups play a part in this.
[System] RollbackNotificationCCUser=[0|1|Yes|No|True|False] : Whether or not to CC the user whose client sent the expired Sync Key.

ActiveSync Corrupt Message Notifications

The ActiveSync Service can now notify the administrators if a particular message cannot be processed. These are sent in real time to inform the admin of a mail item that could not be parsed and that further action on this item is not possible. The subject states "Corrupt message notification". In previous versions, these items could lead to a crash. In most cases, the content of the msg file will not be MIME data; if it is MIME data, it is likely corrupt. You can choose to CC the affected user on these notifications with the CMNCCUser key so that they are aware that an unreadable email has arrived in their mailbox. The appropriate action for these is to move the designated msg file out of the user's mailbox and analyze it to determine both why it cannot be parsed and how it came to exist in that state.

[System] CMNCCUser=[0|1|Yes|No|True|False]

 

New in MDaemon 16.5

MDPGP Improvements

Key Server Support

WorldClient

WorldClient can now act as a basic public-key server. Enable the new MDPGP option to "Send public-keys over HTTP (WorldClient)" and WorldClient then will honor requests for your users' public-keys. The format of the URL to make the request looks like this: "http://<WorldClient-URL>/WorldClient.dll?View=MDPGP&k=<Key-ID>", where <WorldClient-URL> is the path to your WorldClient server (for example, "http://wc.example.com") and <Key-ID> is the sixteen character key-id of the key you want (for example, "0A1B3C4D5E6F7G8H"). The key-id is constructed from the last 8 bytes of the key fingerprint, 16 characters in total.

DNS (PKA1)

Enable the new MDPGP option to "Collect public-keys from DNS (pka1) and cache for [xx] hours" if you want MDPGP to query for message recipient public-keys over DNS using PKA1. This is useful because it automates the process of obtaining some recipients' public keys, preventing you or your users from having to obtain and import them manually in order to send encrypted messages. When PKA1 queries are made, any key URI found is immediately collected, validated, and added to the key-ring. Keys successfully collected and imported to the key-ring using this method will automatically expire after the number of hours specified in this option or according to the TTL value of the PKA1 record that referred them, whichever value is greater.

Key Handling

Tracking Keys

MDPGP now always tracks keys by their primary key-ids rather than sometimes by the key-id and other times the sub-key-id. Consequently, the MDPGP dialog's list of keys was cleaned up to remove two unnecessary columns. Further, MDPGP now more strictly controls the contents of its "exports" folder. As a result you will always find exported copies of local user keys there. Even though the private keys are encrypted, for extra security you should use OS tools to protect this folder (and indeed the entire PEM folder structure) from unauthorized access.

Preferred Keys

Previously, when multiple different keys for the same email address were found in the key-ring, MDPGP would encrypt messages using the first one that it found. Now you can right-click on any key and set it as preferred, so that MDPGP will use that key when multiple keys are found. If no preferred key is declared, MDPGP will use the first one found. When decrypting a message MDaemon will try each one.

Disabled Keys

Disabled and deleted keys are now tracked in a new file called oldkeys.txt. Previously, disabled keys were tracked in the plugins.dat file.

MDPGP Signature Verification

MDPGP can now verify embedded signatures found within messages that are not encrypted. Previously it was not able to verify signatures unless the message was both signed and encrypted. When viewing a message with a verified signature in WorldClient, a new icon is displayed to indicate it was verified. Signature verification is enabled by default for all non-local users, or you can specify exactly which email addresses can and cannot use the service (see: "Configure exactly who can and can not use MDPGP services" on the MDPGP dialog).

XMPP Instant Messaging Server

MDaemon is now equipped with an Extensible Messaging and Presence Protocol (XMPP) server, sometimes called a Jabber server. This allows your users to send and receive instant messages using third-party XMPP clients, such as Pidgin, Gajim, Swift and many others. Clients are available for most operating systems and mobile device platforms. MDaemon's XMPP instant messaging system is completely independent of MDaemon's WorldClient Instant Messenger chat system; the two systems cannot communicate with each other and do not share buddy lists.

The XMPP server is installed as a Windows service, and the default server ports are 5222 (SSL via STARTTLS) and 5223 (dedicated SSL). The XMPP server will use MDaemon's SSL configuration if it is enabled in MDaemon. Also, some XMPP clients use DNS SRV records for auto-discovery of host names. Please refer to http://wiki.xmpp.org/web/SRV_Records for more information.

Users sign-in through their chosen XMPP client using their email address and password. Some clients, however, require the email address to be split into separate components for signing in. For example, instead of "frank@example.com," some clients require you to use "frank" as the Login/Username and "example.com" as the Domain.

For multi-user/group chat service, clients typically display this as "rooms" or "conferences." When you want to start a group chat session, create a room/conference (giving it a name) and then invite the other users to that room. Most clients don't require you to enter a server location for the conference; you only need to enter a name for it. When you are required to do so, however, use "conference.<your domain>" as the location (e.g. conference.example.com). A few clients require you to enter the name and location together in the form: "room@conference.<your domain>" (e.g. Room01@conference.example.com).

Some clients (such as Pidgin), support the user search service, allowing you to search the server for users by name or email address, which makes adding contacts much easier. Usually you will not have to provide a search location, but if asked to do so, use "search.<your domain>" (e.g. search.example.com). When searching, the % symbol can be used as a wildcard. Therefore you could use "%@example.com" in the email address field to display a list of all users with an email address ending in "@example.com."

Centralized Management of OC Client Settings

Use the OC Client Settings dialog to centrally manage the client settings of your Outlook Connector users. Configure each screen with your desired client settings and MDaemon will push those settings to the corresponding client screens as necessary, each time an Outlook Connector user connects to the server. The OC Client Settings are only sent to clients when one of the settings has changed since the last time the client connected and received them. If you enable the provided option to "Allow OC users to override pushed settings," users can override any pushed settings on their individual clients. If that option is disabled, then all of the client screens are locked; Outlook Connector users can make no changes.

To allow for certain settings that must be different for each user or domain, OC Client Settings supports macros such as $USERNAME$, $EMAIL$, and $DOMAIN$. These macros will be converted to data specific to the user or domain when pushing settings to a client. Take care not to place any static values in any fields that should use a macro, such as putting something like "Frank Thomas" in the Your Name field. To do so would cause every Outlook Connector user who connects to MDaemon to have his or her name set to "Frank Thomas." For your convenience there is a Macro Reference button on the General screen, which displays a simple list of the supported macros.

For those using MDaemon Private Cloud (MDPC), there is another OC Client Settings dialog on the Domain Manager, for controlling the Outlook Connector client settings on a per domain basis.

This feature is disabled by default, and works only for those using Outlook Connector client version 4.0.0 or higher.

"From:" Header Protection/Modification

This new security feature modifies the "From:" header of incoming messages to cause the name-only portion of the header to contain both the name and email address. This is done to combat a common tactic used in spam and attacks where the message is made to appear to be coming from someone else. When displaying a list of messages, email clients commonly display only the sender's name rather than the name and email address. To see the email address, the recipient must first open the message or take some other action, such as right-click the entry, hover over the name, or the like. For this reason attackers commonly construct an email so that a legitimate person or company name appears in the visible portion of the "From:" header while an illegitimate email address is hidden. For example, a message's actual "From:" header might be, "Honest Bank and Trust" <lightfingers.klepto@example.com>, but your client might display only "Honest Bank and Trust" as the sender. This feature changes the visible portion of the header to display both parts, with the email address given first. In the above example the sender would now appear as "lightfingers.klepto@example.com -- Honest Bank and Trust," giving you a clear indication that the message is fraudulent. This option only applies to messages to local users, and it is disabled by default.

Improved IP Screening

The IP Screen now contains an Import button that you can use to import IP address data from an APF or .htaccess file. MDaemon's support for these files is currently limited to the following:

"deny from" and "allow from" are supported
only IP values are imported (not domain names)
CIDR notation is allowed but partial IP addresses are not.
Each line can contain any number of space-separated or comma-separated IP addresses. For example, "deny from 1.1.1.1 2.2.2.2/16", ""3.3.3.3, 4.4.4.4, 5.5.5.5", and the like.
Lines starting with # are ignored.
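As an added example (not MDaemon's import code), the following Python reads an APF/.htaccess-style file under exactly the limits listed above: it keeps "deny from" and "allow from" lines, splits on spaces or commas, accepts host addresses and CIDR ranges, reports rather than imports partial addresses and host names, and skips comment lines and any other directive. The sample file is constructed; normalizing "2.2.2.2/16" to "2.2.0.0/16" and accepting IPv6 values are choices of this example.

```python
import ipaddress
import re

# Constructed sample .htaccess-style file covering the forms the text above
# says are imported and those that are not.
SAMPLE_HTACCESS = "\n".join([
    "# blocked ranges",                     # comment line: ignored
    "deny from 1.1.1.1 2.2.2.2/16",         # space-separated, CIDR allowed
    "deny from 3.3.3.3, 4.4.4.4, 5.5.5.5",  # comma-separated
    "deny from 192.168",                    # partial address: not imported
    "deny from bad.example.com",            # domain name: not imported
    "allow from 10.0.0.0/8",
    "order deny,allow",                     # other directives: ignored
])

RULE_RE = re.compile(r"^(deny|allow)\s+from\s+(.+)$", re.IGNORECASE)


def parse_access_file(text: str):
    """Return (rules, skipped).

    rules:   list of (action, network) pairs with the network in CIDR form
    skipped: list of (line number, token) pairs that were not valid IP values
    """
    rules, skipped = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        action = m.group(1).lower()
        for token in re.split(r"[\s,]+", m.group(2)):
            if not token:
                continue
            try:
                # strict=False normalizes 2.2.2.2/16 to 2.2.0.0/16; a bare host
                # address becomes a /32 (or /128 for IPv6). Partial addresses
                # and host names raise ValueError and are reported, not imported.
                net = ipaddress.ip_network(token, strict=False)
            except ValueError:
                skipped.append((lineno, token))
                continue
            rules.append((action, str(net)))
    return rules, skipped


if __name__ == "__main__":
    imported, rejected = parse_access_file(SAMPLE_HTACCESS)
    for action, net in imported:
        print(f"{action:5} {net}")
    for lineno, token in rejected:
        print(f"line {lineno}: skipped {token!r}")
```

Surfacing the skipped tokens with their line numbers matters in practice: a silently dropped "deny" line is a gap in the block list, and the report lets an administrator fix the source file instead of assuming everything was imported.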

Automatic Installation of Product Updates

Using the Automatic Updates features you can configure MDaemon to inform the postmaster whenever an update is available for one of your installed products, or you can download and install updates automatically. This includes MDaemon, SecurityPlus, and Outlook Connector. Automatically installing updates can be controlled separately for each product, and a server reboot is required each time an update is installed. Installer files are downloaded when the update is detected, but the installation and reboot occur later at whichever hour you have designated. All installation activity is logged in the MDaemon system log, and the postmaster is informed after an update has occurred. See the Updates dialog for more information.

WorldClient Changes

Categories

WorldClient supports categories for email in the LookOut and WorldClient themes. Users can add the Categories column to the message list by going to "Options » Columns" and checking "Categories" in the Message List section. To select categories for one or multiple messages, select the messages and right-click one of them. Use the context menu to set the category.

Administrators can create custom categories. There are two files for this purpose: DomainCategories.json and PersonalCategories.json.
Domain Categories are enabled globally by default. To disable them open MDaemon\WorldClient\Domains.ini, and in the [Default:Settings] section change the value of "DomainCategoriesEnabled=" from "Yes" to "No".
Users are able to add and edit their own categories by default. If you wish to disable this option, you can do so per user or globally by changing the value of "CanEditPersonalCategories=" from "Yes" to "No". The user option is located in the [User] section of the User.ini file and the global option is in the Domains.ini file under the [Default:UserDefaults] section.
If Domain Categories are enabled, and a user is not allowed to edit personal categories, the user will only see the categories listed in DomainCategories.json.
If Domain Categories are disabled, and a user is not allowed to edit personal categories, the user will see the categories listed in PersonalCategories.json.
The file CustomCategoriesTranslations.json is used to support your custom category names in multiple languages. Add any necessary custom category translations to that file to make it possible for WorldClient to recognize a category saved to an event, note, or task in one language as the equivalent category in another language.

For more detailed information relating to the files mentioned here, see: MDaemon\WorldClient\CustomCategories.txt.

White and Black Lists

You can now hide the White List and Black List folders for WorldClient users by default. To do so, open MDaemon\WorldClient\Domains.ini, and under [Default:UserDefaults] change the value of "HideWhiteListFolder=" or "HideBlackListFolder=" from "No" to "Yes". You can hide or show these folders for specific users by editing those same keys in the User.ini file under the [User] section.

Check for Attachments

In the LookOut and WorldClient themes there is now an option to check a composed message for attachments before sending, when attachments are mentioned in the subject or body of the message. This can help you avoid accidentally sending a message without an attachment when it is supposed to include one.

Two-Factor Authentication

You can now control whether or not accounts are allowed to use or required to use Two-Factor Authentication (2FA). There are two new options on the New Accounts template for controlling the default settings for new accounts, and there are corresponding options on the Web Services screen for controlling 2FA for individual accounts.


New in MDaemon 16.0

MDaemon Remote Administration (MDRA) UI Update

The user interface for MDRA no longer uses frames and has been updated to use a mobile-first responsive design. Browser support is limited to IE10+, the latest Chrome, the latest Firefox, and the latest Safari on Mac and iOS. Android stock browsers have been known to have issues with scrolling, but Chrome on Android devices works well.

This design is based entirely on the size of the window being used. Whether the user is on a phone, tablet, or PC, the appearance is the same for the same window size. The most important change here is the menu. From 1024 pixels width and below, the menu is hidden on the left side of the browser. There are two methods that can be used to display the menu. If a touch device is in use, swiping to the right will show the secondary menu. Whether or not a touch device is in use, there is also a "menu" button in the top left corner that will display the secondary menu. Tapping or clicking the menu title with the left arrow next to it at the top of the menu will display the primary menu.

The help, about, and sign out menu in the top right corner changes based on the width of the screen as well. From 768 pixels and above, the words Help, About, and Sign Out are displayed. From 481 pixels to 767 pixels, only the icons are displayed. At 480 pixels and below, only a "gear" icon is displayed, which when clicked or tapped shows a drop-down menu with the Help, About, and Sign Out options.

List views with more than one column have column on/off buttons that are accessed by clicking or tapping the gray right arrow button on the far right of the toolbar container. The settings pages are no longer designed to be exact copies of the MDaemon GUI, but are instead designed to reposition and resize based on the width/height of the browser.

Spambot Detection (MDaemon PRO only)

A new feature called Spambot Detection tracks the IP addresses that every SMTP MAIL (return-path) value uses over a given period of time. If the same return-path is used by an unusual number of IP addresses in a short period of time, this may indicate a spambot network. Although it could still be a legitimate use of the mail system, experimentation has shown that this can be effective in limited cases at detecting a distributed spambot network as long as the same return-path is utilized throughout. If a spambot is detected, the current connection to it is immediately dropped and the return-path value is optionally blacklisted for a length of time you specify. You can also optionally blacklist all the spambot IPs then known for a user-defined period.
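To make the heuristic concrete, here is an added example (not MDaemon's code) that replays constructed SMTP session lines through a sliding-window tracker and flags a return-path once it has been seen from an unusual number of distinct IPs inside the window. The window, threshold and log line format are assumptions, since the page does not publish MDaemon's.

```python
# Sliding-window check for the spambot heuristic described above. Added
# example, not MDaemon's code: MDaemon's window, threshold and log format are
# not published on this page, so those below and the sample log are constructed.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed observation window
THRESHOLD = 5                    # assumed distinct IPs per return-path
# Constructed log format: "<date> <time> <client-ip> MAIL FROM:<return-path>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<ip>\S+) MAIL FROM:<(?P<rp>[^>]*)>")
SAMPLE_LOG = """\
2024-05-01 09:00:00 198.51.100.9 MAIL FROM:<bulk@example.net>
2024-05-01 09:30:00 192.0.2.10 MAIL FROM:<bulk@example.net>
2024-05-01 09:30:05 203.0.113.7 MAIL FROM:<alice@example.com>
2024-05-01 09:30:20 192.0.2.11 MAIL FROM:<bulk@example.net>
2024-05-01 09:31:00 192.0.2.12 MAIL FROM:<BULK@example.net>
2024-05-01 09:31:30 203.0.113.7 MAIL FROM:<alice@example.com>
2024-05-01 09:32:00 192.0.2.13 MAIL FROM:<bulk@example.net>
2024-05-01 09:32:45 192.0.2.14 MAIL FROM:<bulk@example.net>
"""

class ReturnPathTracker:
    """Remembers which client IPs used each return-path inside the window."""
    def __init__(self, window=WINDOW, threshold=THRESHOLD):
        self.window, self.threshold = window, threshold
        self._seen = defaultdict(deque)  # return-path -> (time, ip), oldest first

    def observe(self, when, return_path, ip):
        """Record one MAIL FROM. Returns the IPs now tied to the return-path
        if their count reaches the threshold, else None."""
        events = self._seen[return_path.lower()]   # compared case-insensitively here
        events.append((when, ip))
        cutoff = when - self.window
        while events and events[0][0] < cutoff:    # forget sightings outside the window
            events.popleft()
        ips = {addr for _, addr in events}
        return ips if len(ips) >= self.threshold else None

def detect(log_text, tracker=None):
    """Replay log lines through the tracker; map each flagged return-path to
    the IPs that would be blacklisted (the 09:00 sighting is outside the window)."""
    tracker = tracker or ReturnPathTracker()
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        ips = tracker.observe(when, m.group("rp"), m.group("ip"))
        if ips:
            flagged[m.group("rp").lower()] = ips
    return flagged
```

Running detect(SAMPLE_LOG) flags only bulk@example.net, with the five 192.0.2.x addresses and without the stale 198.51.100.9 sighting; alice@example.com, seen repeatedly from one IP, is never flagged.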

CardDAV (MDaemon PRO only)

MDaemon now supports synchronizing contacts via the CardDAV protocol. MDaemon's CardDAV server allows an authenticated CardDAV client to access the contact information that is stored in MDaemon. Notable CardDAV clients are Apple Contacts (included with Mac OS X), Apple iOS (iPhone), and Mozilla Thunderbird via the SOGO plugin. For more information on CardDAV and configuring CardDAV clients, see: CalDAV & CardDAV.

Two Factor Authentication for WorldClient and Remote Administration

MDaemon now supports Two Factor Authentication (i.e. 2-Step Verification) for users signing into WorldClient or MDaemon's Remote Administration web-interface. Any user who signs into WorldClient via HTTPS can activate Two Factor Authentication for the account on the Options » Security screen. From then on the user must enter a verification code when signing into WorldClient or Remote Administration. The code is obtained at sign-in from an authenticator app installed on the user's mobile device or tablet. This feature is designed for any client that supports Google Authenticator.
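Because the feature works with any Google Authenticator compatible app, the server side is time-based one-time passwords (RFC 6238 TOTP over RFC 4226 HOTP). The following added example, which is not MDaemon's implementation, shows how a submitted code is verified against the account's shared secret, including the one-step clock tolerance and the refusal to accept the same code twice; the 30-second step, 6 digits and HMAC-SHA1 are the common defaults assumed here, and the secret is the RFC 6238 reference seed.

```python
# Verifying an authenticator-app code the way a Google Authenticator compatible
# server does: RFC 6238 TOTP built on RFC 4226 HOTP. Added example, not
# MDaemon's implementation; the 30-second step, 6 digits, HMAC-SHA1 and the
# one-step tolerance are the usual defaults assumed here, and the secret is
# the RFC 6238 reference seed, not a real one.
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6
TOLERANCE_STEPS = 1   # accept the neighbouring steps to absorb small clock drift
# RFC 6238 reference seed "12345678901234567890" as the base32 string an
# authenticator app would be enrolled with.
REFERENCE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.replace(" ", ""), casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32, at):
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, at // STEP_SECONDS)


def verify(secret_b32, submitted, at=None, last_used_step=None):
    """Server-side check of a submitted code. Returns the time step that
    matched (store it and pass it back as last_used_step so the same code
    cannot be replayed within its window) or None if the code is rejected."""
    submitted = submitted.strip()
    if len(submitted) != DIGITS or not (submitted.isascii() and submitted.isdigit()):
        return None                       # malformed input never reaches the compare
    at = int(time.time()) if at is None else at
    step = at // STEP_SECONDS
    for candidate in range(step - TOLERANCE_STEPS, step + TOLERANCE_STEPS + 1):
        if last_used_step is not None and candidate <= last_used_step:
            continue                      # each code is good once
        if hmac.compare_digest(hotp(secret_b32, candidate), submitted):
            return candidate
    return None
```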

ActiveSync Protocol Migration Client

MDaemon now includes an ActiveSync protocol based Migration Client (ASMC.exe). It supports migrating mail, calendars, tasks, notes, and contacts from ActiveSync servers that support protocol version 14.1. Documentation for it can be found in the \MDaemon\Docs folder.

XML API for Management Tasks

MDaemon now ships with an XML-over-HTTP(S) API. As a result, MDaemon management clients can be written in any language on any platform that can make HTTP(S) POST requests to the server. In MDaemon Pro, the API is only available to authenticated Global Admins, but in MDaemon Private Cloud a subset of the available operations is accessible to authenticated domain admins as well. The API also serves a website with documentation on the API specification. By default it is installed at http://servername:RemoteAdminPort/MdMgmtWS/, but this can be set to any URL for the sake of additional security.

The available operations include:

Help
CreateDomain
DeleteDomain
GetDomainInfo
UpdateDomain
CreateUser
DeleteUser
GetUserInfo
UpdateUser
CreateList
DeleteList
GetListInfo
UpdateList
AddDomainAdministrator
DeleteDomainUsers
GetDomainList
GetVersionInfo
GetQueueState
GetServiceState
SetAddressRestriction
GetAddressRestriction

At this time, command-line management clients have been written and tested in JavaScript, PowerShell, VBScript, C, C++ and Visual Basic. A simple HTML and JavaScript test site has been used as a proof of concept for a web-based management console that runs in several popular browsers. While not yet tested, the API is fully expected to work from web servers using PHP, Perl, and other development platforms.


New in MDaemon 15.5

CALDAV (MDaemon PRO only)

MDaemon is now equipped with a CalDAV server. CalDAV is an Internet standard for managing and sharing calendars and scheduling information. MDaemon's CalDAV support makes it possible for your accounts to use any client that supports CalDAV to access and manage their personal calendars and tasks. They can also access any public or shared calendars or tasks according to their access rights.

MDPGP Provides OpenPGP Support (MDaemon PRO only)

OpenPGP is an industry standard protocol for exchanging encrypted data, and there are a variety of OpenPGP plugins for email clients that make it possible for users to send and receive encrypted messages. MDPGP is MDaemon's integrated OpenPGP component that can provide encryption, decryption, and basic key management services for your users without requiring them to use an email client plugin.

MDPGP encrypts and decrypts emails using a public-key/private-key system. To do this, when you wish to use MDPGP to send a private and secure message to someone, MDPGP will encrypt that message using a "key" that you previously obtained from that person (i.e. his "public key") and imported into MDPGP. Conversely, if he wishes to send a private message to you, then he must encrypt the message using your public key, which he obtained from you. Giving the sender your public key is absolutely necessary, because without it he can't send you an OpenPGP encrypted message. Your unique public key must be used to encrypt the message because your unique private key is what MDPGP will use to decrypt the message when it arrives.

In order for MDPGP to manage signing, encrypting, and decrypting messages, it maintains two stores of keys (i.e. keyrings)—one for public keys and one for private keys. MDPGP can generate your users' keys automatically as needed, or you can create them manually for specific users. You can also import keys that were created elsewhere. Further, MDaemon can look for public keys attached to authenticated messages from local users, and then import those keys automatically. That way a user can request a public key from someone and then email that key to himself so that MDPGP will detect it and then import it into the public keyring. Finally, whenever a message arrives for an address that has a key in a keyring, MDPGP will sign, encrypt, or decrypt the message as needed, according to your settings.

You can configure MDPGP's signing and encryption services to operate either automatically or manually. When set to operate automatically, MDPGP will automatically sign and encrypt messages whenever possible. When set to operate manually, MDPGP will only sign or encrypt a message when the sending user inserts a special command into the message's Subject. In any case messages will only be signed or encrypted (or decrypted) when the account has been given permission to use those services.

Do Not Disturb

Do Not Disturb is a new Group Properties feature that makes it possible for you to schedule a time frame during which an account may not send mail or be accessed by its users. Access during a Do Not Disturb period is not allowed and returns an appropriate error response to IMAP, POP, SMTP, ActiveSync, and WorldClient access requests. MDaemon will still accept incoming mail for accounts in this state, but those accounts may not send mail or be accessed by mail clients.

ActiveSync Redesigned

The ActiveSync for MDaemon interface was completely redesigned, and there are a variety of new features and policy options available. You can manage ActiveSync under Mobile Device Management, the Domain Manager, and on the Account Editor.

UI Improvements

There is now an Accounts screen on the Domain Manager, to more easily access accounts while managing a domain.
The Account Manager and Domain Accounts screens now have a right-click menu with common shortcuts, such as: enable, disable, and properties.
The DNS screen was redesigned.
Added options to Preferences » UI to center dialogs when opening, to split the Sessions tab in the main MDaemon UI into its own pane, and to display system generated lists (e.g. Everyone@ and MasterEveryone@) in the Mailing List Manager.

WorldClient Improvements

Modernized the LookOut theme's icons and colors, and made some adjustments to its layout. There is also a new gray color style, although the default style is blue. The "New" button was moved to where the user's email address was previously located, and the email address is now in the top navigation bar. The Help and Sign Out options were moved to a drop-down list beneath the user's address, like in the WorldClient theme. Finally, the Options icon was moved to the far right in the navigation bar.
WorldClient now supports adding inline images to a user's signature.
Merged Categories and Labels into just Categories. Users can now add, edit, and delete categories from a predefined list based on the old labels and categories. Each category has a color associated with it. More than one category can be associated with a given color, but only one category with a specific name may exist. There are 26 colors to choose from (including white) which match Outlook category color options. If an event, task, note, or contact already has categories associated with it, but they don't match the predefined categories, their colors will be white until the user adds them to the predefined list of categories. If there is already a label associated with an event, the user can choose to remove the label and add a category, or leave the label. Old labels are not lost on upgrade.
WorldClient and LookOut themes - Desktop notifications are now available. When LookOut or WorldClient loads, the browser will prompt the user on whether or not to allow desktop notifications. If the user chooses to allow them, then the user will receive notifications of new email messages, new instant messages (in the case that the corresponding chat is not in focus), and any change in status of a chat buddy. Desktop notifications are not supported by Internet Explorer.
WorldClient and LookOut themes - Added ability to view pdf files in the browser (not supported in IE8). This is available in any document folder and any message that has a pdf file.
There is now a Password Recovery feature in WorldClient. When this feature is enabled, users who have permission to edit their password will be able to enter an alternate email address in WorldClient, which can be sent a link to reset their password if they forget it. To set up this feature, users must enter both the password recovery email address and their current password in WorldClient on the Options » Personalize page. Once set, if the user attempts to log in to WorldClient with an incorrect password a "forgot password?" link will appear. This link takes them to a page that asks them to confirm their password recovery email address. If entered correctly, an email will be sent with a link to a change password page.
LookOut and WorldClient themes - added buttons and context menu items for users to create a new event, task, or note from the contents of a message.
Lite, LookOut, and WorldClient themes now attempt to detect and use the language currently being used by the browser.
LookOut and WorldClient themes - users can now use the browser's back and forward buttons to navigate in the main window.
LookOut and WorldClient themes - Virtru can now be disabled by the admin on a per user basis by adding VirtruDisabled=Yes to the [User] section of the user's WC\User.ini file.
WorldClient theme - added a "Today" button to the calendar view buttons.
LookOut and WorldClient themes - users can now sort by the Description, Location, Start, and End columns in the Calendar List view.
Lite, LookOut, and WorldClient themes - Added <ROOT> as top most option when creating or editing a folder.
LookOut and WorldClient themes - added button to send a message to all attendees of a meeting in the event editor.
Lite theme - a Mark Unread/Read option is now available in the Message view. Clicking it will mark the message unread and take the user back to the List view.
Lite, LookOut, and WorldClient themes - users can now print the details of a single event.
LookOut and WorldClient themes - there is now a "custom intro" feature in the compose window for Virtru encrypted messages.


See: