Available for purchase
Machines covered by a software maintenance contract, as well as recently purchased systems, may update free of
charge. Access has already been activated for the respective licenses. For all other systems access will be granted as soon
as the update has been purchased.
The credentials required to download the update will be sent automatically when using the system's interactive update feature.
For a manual download you will have to specify the support IP as username (e.g. 172.18.253.15) and the hardware ID as password.
Please pay attention to the following information regarding the changed administration interface port and the storage type
of local mailboxes.
Docker-based operating-system-level virtualization
Optional extensions (running within containers) can be installed in the new menu "System > Apps". Please note that apps have
to be updated separately, so please check the "Apps" menu regularly once you have apps installed.
While fully virtualized guests each run a whole operating system of their own, with operating-system-level virtualization
the host and all of its guests share the same operating system core (in our case the Linux kernel). This makes operating-system-level
virtualization very efficient. Still, the guests, usually called containers, run in an isolated environment. However, this isolation
is not as strong as with full virtualization.
Following this approach, we want to offer even bigger software modules in the future, without major impact on system security.
Administration interface now on port 44344
Browser access to containers, as described above, requires the reverse proxy, which plays a more central role now. So we decided
to enable the reverse proxy on port 443. Port 443 was previously allocated to the administration interface which has been
moved to port 44344.
In order to facilitate the transition, the reverse proxy will redirect requests for the administration interface to the LAN
IP, port 44344. Because a redirect is used, the browser will then access the administration interface directly and not via the
reverse proxy. This is to prevent granting Internet access to the administration interface by mistake when granting Internet
access to port 443.
The redirect probably won't work when trying to access the administration interface from outside the LAN. Please consider
using the reverse proxy for external access to the administration interface or make sure that you can access port 44344.
Web client for RDP, VNC and SSH
This new component is installed as a container in menu "System > Apps". It offers access to remote desktops (RDP), VNC servers
and Secure Shell servers with a web browser (HTML5). No additional client software is needed. The reverse proxy is required
to access this component, so it is possible to enforce authentication with client certificates upon request. Two-factor
authentication using time-based one-time passwords (TOTP) is also possible. Free smartphone apps for TOTP are available (e.g.
Google Authenticator). We also offer TOTP hardware tokens.
A license must be purchased for this optional extension.
Webmailer replaced with new groupware
The update replaces the rather outdated web mailer with a far more extensive groupware, which is also installed as a container.
The solution is based on the "SOGo" groupware, which uses IMAP only to access the mail storage. So it is always possible to
access emails without using the groupware, too. Contacts, events, tasks, mail filters and settings are stored in a database,
which is a "MariaDB" in our case. Both groupware and database are installed as containers.
In contrast to the web mailer, the groupware is no longer pre-installed. You can install or update it anytime without a fee
in menu "System > Apps". Install the app "Database" first, then "Groupware".
When compared with the old web mailer, the groupware adds the following features:
- modern, smartphone optimized web interface
- share and subscribe to calendars and address books with individual user rights
- plan and exchange appointments by mail via iCalendar
- free-busy information
- tasks (TODOs)
- marks for emails, events and tasks
- delegation of accounts ("Send as")
For native access with smartphone apps, Outlook and other mail clients we offer an extension featuring Exchange ActiveSync,
CalDAV and CardDAV.
A license must be purchased for this optional extension. Groupware access by browser remains free of charge.
Mailbox storage type and mail backups
Mailboxes are stored in a different way now. Mailboxes are converted automatically during the update and when uploading a mail
backup which contains data in the old format.
We recommend stopping the mail server and downloading a mail backup before updating. After the update, download a mail backup
in the new format before starting the mail server.
Depending on the number of emails, the conversion may take several minutes or even hours if tens of thousands of mails
have to be converted. Rebooting or switching off the device during this process may result in the loss of data.
When uploading a mail backup in new format, the mails from the backup are merged into the current mail store, i.e. deleted
mails are restored from the backup while new mails and all changes are retained. If you are using the groupware, the same
applies to contacts, events and tasks. The groupware users' settings and mail filters will be taken from the backup.
Mails are not merged when uploading a mail backup in old format. The mails from the backup are restored and any new mails
will be lost.
Previously the data of an account was restored only if the account had no inbox. This is no longer the case. To restore data
of specific accounts only, you will have to open the mail backup with a ZIP archive tool. Mail backups contain one backup
file per account. Extract the backups of the accounts you want to restore and upload them one after the other.
S/MIME email encryption gateway
This new component lets you use S/MIME based signatures and encryption for your external communication without the need to
roll out and maintain S/MIME for all local mail clients.
A license must be purchased for this optional extension.
With this solution, inbound emails will be decrypted automatically before applying security checks like virus scan or attachment
filtering. Also the signatures of inbound emails will be checked. Certificates received as part of the signatures can be stored
for encryption of outbound emails automatically. So all future mails to these communication partners will be encrypted without
any effort. It is also possible to manually release or import peer certificates for automatic encryption of outbound emails.
Finally outbound emails can be signed automatically, too.
For signing outbound emails and decrypting inbound emails an S/MIME certificate is required for each email address. The certificate
has to be stored in the user administration, one certificate per user.
Macro detection for email attachment filter
The attachment filter can now quarantine attachments that contain an office document with a macro. The filter can distinguish
between autoexec macros and macros in general. If the attachment filter is already enabled, this new feature will be enabled
by the update automatically.
It still makes sense to quarantine office documents based on the filename, if the filename extension already indicates that
the file contains a macro (docm, dotm, pptm, potm, xlsm, xltm). But those who filter the "classic" filename extensions by
name (doc, ppt, xls) might consider relying on the new feature instead, as it quarantines those documents only if they contain
Email synchronisation between cluster nodes
The contents of the mail folders on clusters with local mail domains will now be synchronized.
Two-factor authentication for access to administration interface
To better secure the administration interface, one-time passwords (OTPs) may be enabled. There are separate settings for direct
access and for access via reverse proxy. If OTPs are mandatory, users without OTP can no longer log in. If "optional", an OTP
is only required for accounts with enabled OTPs.
Extended functionality of DNS IP objects
In addition to hostnames, you are now also able to resolve service (SRV), mail exchanger (MX) and name server records (NS)
in IP objects.
The periodical update of DNS IP objects has been replaced by dynamic intervals based on the records' individual time-to-live
(TTL), i.e. the period the IP may be cached.
The IP addresses associated with a hostname may change every few seconds when DNS-based load balancers come into play. But
the same addresses re-occur when viewed over a longer period of time. With a new option you can keep old addresses for a while
in order to reduce the number of configuration changes.
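The effect of TTL-driven updates combined with keeping old addresses can be seen in a small simulation. This is an added example, not the product's code: the class DnsIpObject, the parameter hold_seconds and the rotating DNS answers are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed DNS answers (TTL in seconds, addresses) for a load-balanced
# hostname that alternates between two halves of a four-address pool.
ROTATION = [
    (5, {"192.0.2.10", "192.0.2.11"}),
    (5, {"192.0.2.12", "192.0.2.13"}),
]

@dataclass
class DnsIpObject:
    """Hypothetical model of a DNS-based IP object; not the product's code."""
    hold_seconds: int = 0          # 0 = drop an address once DNS omits it
    last_seen: dict = field(default_factory=dict)  # ip -> time of last answer
    members: frozenset = frozenset()
    config_changes: int = 0        # how often dependent rules had to be rebuilt

    def apply_answer(self, now, addresses):
        """Merge one DNS answer and expire addresses older than the hold time."""
        for ip in addresses:
            self.last_seen[ip] = now
        self.last_seen = {ip: seen for ip, seen in self.last_seen.items()
                          if now - seen <= self.hold_seconds}
        current = frozenset(self.last_seen)
        if current != self.members:
            self.members = current
            self.config_changes += 1
        return self.members

def simulate(hold_seconds, duration=60):
    """Re-resolve whenever the previous answer's TTL expires."""
    obj = DnsIpObject(hold_seconds=hold_seconds)
    now, lookup = 0, 0
    while now < duration:
        ttl, addresses = ROTATION[lookup % len(ROTATION)]
        obj.apply_answer(now, addresses)
        now += max(ttl, 1)         # TTL-driven interval, never a busy loop
        lookup += 1
    return obj

if __name__ == "__main__":
    for hold in (0, 30):
        result = simulate(hold)
        print(f"hold={hold:>2}s changes={result.config_changes} "
              f"members={sorted(result.members)}")
```

In this model a retained address stays in the object for up to hold_seconds after DNS stops returning it, so the hold time is also how long a firewall rule keeps matching an address the hostname no longer uses.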
Background image and dark colour theme
The new dark theme is the default. You can disable it via the tools menu in the upper right corner.
Homepage docklet "Updates"
The new docklet checks if new system or app updates are available.
Menu "CA Certificates"
You can store custom trusted CA certificates in the new menu item "System > Certificate manager > CA certificates". The CA
bundles which are maintained by us are also visible there. The two previous menu items of the local CA have been moved into
the new menu, too.
Redesigned license menu
You can now view and change all kinds of license keys in this menu (base system, virusscanners, URL filter, apps).
Incorrect routing for IPsec tunnels with SNAT
In some situations it is necessary to SNAT the local sender address when forwarding connections into a certain IPsec tunnel.
In these situations, manually configured routes had precedence, so that connections actually destined for IPsec might have
been routed incorrectly.
Support for the following features has been removed: McAfee virus scanner, LDAP server for LDAP address book, IMAP/webmail
access for admin to attachment and virus quarantine directories, deleting and modifying the contents of mailboxes.
Minor bugfixes and improvements
In the 7.0 releases some features had only been available on systems with a software maintenance contract. In 7.1 these features
will now be available on all systems. This includes:
You can now connect Ethernet, VLAN and WLAN interfaces with a network bridge. For connections within the bridge and connections
coming out of the bridge the firewall is configured individually for each port. So it is possible to run a transparent firewall
between two network segments (e.g. between LAN and router). For connections routed into a bridge however, there's no firewall
configuration by port, only by bridge.
Aggregation of network adapters
You can now aggregate multiple network adapters to get redundant connections with switches or to increase throughput.
URL filter message when breaking SSL connections
An option has been added to the web proxy content filter settings which affects what the users will see when the URL filter
blocks a whole domain. Previously the proxy blocked the connection attempt itself, so the browser reported only the generic
error that the proxy forbids the connection. With the new option you can change the behaviour, so the connection is initially
allowed and the detailed error message of the URL filter is shown in the browser.
User specific message after logging into administration interface
For users with access to the administration interface (group "system-admin") a message can be configured in the user administration
which is displayed each time the user logs into the administration interface.
Rejecting emails with unwanted attachments
The "admin" user can now grant members of group "system-admin" read-only access to the most important configuration menus,
e.g. to grant access for an auditor. Previously "admin" could only grant full access to individual menus.
URL filter user groups via Active Directory
The URL filter can now retrieve user groups directly from an Active Directory server. A computer account in the Windows domain
is required just like for NTLM proxy authentication.
Let's Encrypt certificates
Certificates can now be updated automatically using the ACME protocol, so you can now use free Let's Encrypt certificates.
This new option is available when requesting a new certificate in the "Keyring" menu. For authentication the "http-01" method
is used. This requires that the reverse proxy can be reached on port 80 from the Internet and a virtual host is defined for
all requested domains with the pre-defined backend "ACME HTTP-Authorization" enabled.
Avira macro detection for web proxy
On installations running Avira antivirus, a new option in the web proxy content filter allows blocking office documents containing
macros or autostart macros.
Monitoring for SSH TCP forwarding
Connections via SSH TCP forwarder are now displayed on a new tab in menu "Monitoring > Network > Status".
Logging to syslog server
You can send a copy of most logs to a syslog server now.