Libraesva EA v24.9: Release Notes

Libraesva EA

Overview

In this release, we’ve made significant security improvements to the product. The new version is built on an updated version of Libraesva OS, which is maintained directly by Libraesva and derived from a Debian distribution.

For existing appliances, a migration and a change of virtual machine (VM) will be mandatory.

For our cloud-managed customers, we will handle the entire process on their behalf starting from November.

For on-premise appliances, a migration tool will be made available starting from December.

NOTE: at the moment, version 24.9 lacks support for Samba, SASL and Kerberos.

Security

  • Full disk encryption: enabled full disk encryption for all default Archiver disks. Note that additional disks attached to the VM will not be encrypted.
  • HSTS: enabled HTTP Strict Transport Security (HSTS) on nginx to enhance security.
  • Spam attack prevention: the Archiver now only accepts journaling emails with a recipient format of archiver.*@ to prevent spam.
  • JWT Token Expiration: JWT tokens for administrator users now expire after 15 minutes, while non-administrator users’ tokens are valid for 2 hours.
  • SSH root access removal: root password-based access over SSH has been disabled.
  • TLS Security: the tls_ssl_options setting is now set to NO_RENEGOTIATION to mitigate potential CPU exhaustion attacks. Refresh token handling: the web app, progressive web app and the Outlook add-in no longer generate multiple refresh tokens for the same user.

Features

  • PEC and IMAP connector: a new PEC and IMAP connector implementation boosts performance, making subsequent incremental syncs up to 10x faster compared to version 24.1. The old connector will be used for mail servers not supporting IMAP RFC 5162. As of October 2024, 95% of Libraesva customers are compatible with the new connectors.
  • Connector cache management: admins can now see when and why a user’s sync is operating without cache and when the cache was last reset.
  • Log volume retention: added retention configuration option for log volumes.
  • Hypervisor disk management: improved options to attach and resize additional Archiver disks via the hypervisor console. Added option to detach disks. Engine disk expansion now works without Libraesva support.
  • Optimized notifications: the first notification for connector sync issues is now skipped, reducing unnecessary alerts. If the issue persists after the next sync, a notification will be triggered.
  • Cloud zip purge automation: the Archiver will automatically purge zip files for a tenant if deleted emails exceed 50GB on a cloud appliance.
  • Notification search: a search field has been added to the notifications page for easier filtering.
  • PST import panel: now displays a full list of uploaded PST files and their sizes.
  • URL indexing: all URLs in newly archived emails will now be indexed (this feature is not retroactive).
  • Connector scheduling: weekly scheduling is now available for connector syncs.
  • Daily zip validation: each night, a random set of zip files are downloaded and validated to ensure storage consistency.
  • Dashboard enhancements: added separate counts for queued and deferred emails, along with new connector and service status cards for on-premise appliances.
  • Disk usage flexibility: reindex jobs with normal priority can now use the engine disk without requiring additional disk mounting.
  • Increased maximum export size: the maximum export size has been increased to 50GB.
  • Job completion notifications: admins will now receive email notifications when an import job completes successfully.
  • Sync and cleaning scheduling: connector sync and cleaning operations are now be scheduled separately, giving the Archiver maximum flexibility. Up to 4 cleanings can run in parallel. Connectors can start cleaning for a specific user only after the first sync completes.
  • SMTP test logs: logs are now displayed when an SMTP test fails.
  • Connector cleaning status: added a new section to the connector status page dedicated to the connector cleaning feature.

Improvements

  • Tenant report metrics: the “Total Compressed Size” column in tenant reports now displays values in GB.
  • Manticore pre-caching: improved Manticore’s automatic restart by allowing more time for the engine to pre-cache indexes.
  • Email index repair: the archiving process is fully suspended during index repairs and resumes automatically once completed.
  • Purge process efficiency: optimized purge processes for improved download and upload speeds.
  • Mailbox license count: when the Archiver is unable to fetch or validate users for a PEC/IMAP connector (for example for invalid credentials), the total number of users attached to the connector is considered when computing used licenses for Archiver with mailbox based licensing.
  • License usage calculation: improved used licenses calculation, taking into account users attached to connectors with disabled automatic folder sync and PEC/IMAP connectors unable to validate users.
  • Disabled IPv6: appliances are now distributed with IPv6 disabled by default.
  • Firewall page speed: reduced the time required to load the firewall page.
  • Legacy Microsoft 365 connector: removed the legacy Microsoft 365 connector. The Graph connector is now mandatory for Office 365 integrations.
  • Hostname update: automatically add Archiver hostname to /etc/hosts in order to prevent Outlook addin login issue for Archiver hosted privately in a LAN
  • Improved disk notifications: disk space alerts now consider both percentage and absolute free space values.
  • License overuse info: storage-based license notifications now include purgeable space details and time tracking for overuse conditions.
  • Postfix control post-update: if Postfix was suspended before an update due to critical disk usage or high email queues, it will remain down after the update.
  • Multiple connectors sync for same user: sync is allowed for the first connector only and a notification is triggered.
  • Deferred email cleanup: deferred emails without associated tenants are now automatically deleted after 40 retries.
  • Filesystem checks on reboot: filesystem consistency checks and repairs are now run automatically during reboots.
  • Clickable license card: the license card in the dashboard is now clickable and links to detailed license information. -Libraesva cloud volumes warnings: warnings are now hidden since those volumes are handled directly by Libraesva support team in case of any issue.
  • License overuse: in case of license overuse, show from how much time the Archiver is running in license overuse.
  • Connector sync queue: prevented overflow in the sync queue for connectors or users with long names.
  • Tenant page load time: reduced loading time for the tenants page on MSP appliances with a large number of tenants.
  • PST import safeguard: prevented PST imports when no tenant is configured.
  • Job ID display: the job ID is now displayed for currently executing jobs.

Bugfix

  • fixed connector running users list not showing elements for tenant admins
  • fixed LDAP validation failing when editing existing LDAP connections
  • fixed PST skipped emails modal automatically open when opening PST batch import job details
  • fixed inactive user connector notifications not honoring notification snooze settings
  • fixed IMAP connector showing wrong users number when removing a user from users credentials list
  • fixed search interface allowing to save a bad configured search with missing parameters

Breaking changes

  • journaling emails not sent to archiver.*@ will be automatically rejected. Please ensure you configured journaling based on docs.libraesva.com
  • support for OpenStack and RackSpace (which was deprecated in v24.1) has completely been removed
  • if you use SPF flattening on your domain, please ensure to select Microsoft or Google provider in the Archiver listener configuration

API breaking changes

  • APIs /api/v1/administration/sphinx_index have been moved to /api/v1/administration/manticore_index
  • APIs /api/v1/administration/disks have been completely refactored. Please check API documentation.
  • APIs /api/v1/administration/firewall/start and /api/v1/administration/firewall/stop have been removed.
  • APIs /api/{version}/administration/system_status/start, /api/{version}/administration/system_status/restart and /api/{version}/administration/system_status/stop have been removed.