This month, in addition to the usual bundle of bug fixes and minor improvements, we’ve implemented changes related to Content-Security-Policy (CSP) and to the LDAP authentication process.
Starting November 29, the following changes will be available:
We’ve replaced the obsolete “X-Frame-Options” header with the “Content-Security-Policy: frame-ancestors” directive for preventing cross-site scripting attacks.
More details can be found here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
With this change, by default, we will not allow the application to be loaded in an iFrame.
If you need the application to load in an iFrame and “Protection level” is currently set to “No protection”, please change it to “Allow from URL” by November 29 (“Settings” page, “Protection against rendering in HTML Frames” section).
All the existing configurations where Protection level is “Same origin” or “Allow from URL” will be migrated to match the new directive.
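To check which embedding pages a given `frame-ancestors` value admits after the migration, the following added example (not N-able code) implements a simplified model of the directive's source matching. The header strings and hostnames are constructed, and the mapping from each protection level to a header value is an assumption.

```javascript
// Added example (not vendor code): simplified model of CSP frame-ancestors matching.
// It checks one embedding page; a browser applies the same test to every ancestor frame.
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Return the frame-ancestors source list, or null when the directive is absent.
function frameAncestorsSources(cspHeader) {
  for (const directive of cspHeader.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

// CSP scheme matching: an "http" source also admits the upgraded "https" page.
function schemeOk(wanted, actual) {
  return actual === wanted || (wanted === "http:" && actual === "https:");
}

function sourceMatches(source, embedder, self) {
  const s = source.toLowerCase();
  if (s === "'self'") return embedder.origin === self.origin;
  if (s === "*") return embedder.protocol in DEFAULT_PORT;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return schemeOk(s, embedder.protocol);
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // A host source without a scheme inherits the scheme of the protected page.
  if (!schemeOk(scheme ? scheme + ":" : self.protocol, embedder.protocol)) return false;
  const hostOk = wildcard ? embedder.hostname.endsWith("." + host)
                          : embedder.hostname === host;
  if (!hostOk) return false;
  if (port === "*") return true;
  const actualPort = embedder.port || DEFAULT_PORT[embedder.protocol];
  return actualPort === (port || DEFAULT_PORT[embedder.protocol]);
}

// true when `embedderUrl` may frame the page at `selfUrl` under `cspHeader`.
function mayFrame(cspHeader, embedderUrl, selfUrl) {
  const sources = frameAncestorsSources(cspHeader);
  if (sources === null) return true; // directive absent: CSP does not restrict framing
  if (sources.length === 0) return false; // empty list behaves like 'none'
  const embedder = new URL(embedderUrl), self = new URL(selfUrl);
  return sources.some((src) => sourceMatches(src, embedder, self));
}

// Constructed header values, assumed to correspond to the protection levels named above.
const SAMPLE_POLICIES = {
  "Default (no framing)": "frame-ancestors 'none'",
  "Same origin": "frame-ancestors 'self'",
  "Allow from URL": "frame-ancestors https://portal.example.com",
};
```

Unlike the old “X-Frame-Options: ALLOW-FROM” value, a `frame-ancestors` source list can name several origins and use `*.` host wildcards, so review migrated values for sources broader than intended.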
One external library used for LDAP email user login was deprecated. To continue supporting the existing feature, we’ve replaced it, and the new library requires the “BaseDN” (based_dn) and “Search base” (username_attr) settings, which may have been missing previously.
Therefore, we recommend checking your “LDAP authentication” configuration on the “Manage email users” page and setting “BaseDN” and “Search base” by November 29 to avoid email user authentication issues.
The details can be found on the product documentation page: https://documentation.n-able.com/mail-assure/userguide/Content/C_Domain%20Level/webinterface-users/set-up-ldap-authentication.htm
Since the latest major release, we’ve fixed the following issues:
- MMA-8289. Fixed an issue when using the Email Scout Reports incoming page.
- MMA-8314. Fixed the issue with Email Scout Reports not being generated.
- MMA-8421. Fixed “Sender location – is not” filter rule.
- MMA-8436. Fixed issue with Let’s Encrypt certificates not being renewed.
- MMA-8338. Fixed Export button not being active after Log search range changed.
- MMA-8349. Fixed the issue with accepting EULAs.
- MMA-8482. Fixed the issue when adding a domain containing “ß”.
- MMA-8310. Fixed the issue with editing remote syslog values for domain on Admin level.
- MMA-8543. Fixed the issue with Email Scout Reports being blocked due to the deprecated “Pacific-New” timezone.
- MMA-8547. Fixed the issue with Protection Reports not being generated for domains containing a hyphen.
We’ve also made the following improvements:
- MMA-8101. Removed false-positive and false-negative from main class options.
- MMA-7541. Improved availability when accessing archived messages.
- MMA-6655. Sanitized HTML code when previewing an Email Scout Report.
- Extended the information available for remote syslog in Splunk.
- Database performance tweaks.