------------------------------------------------------------
E-SMITH SERVER AND GATEWAY 4.1.2
Release notes - March 30, 2001
------------------------------------------------------------

e-smith, inc. is pleased to announce the availability of the e-smith
server and gateway version 4.1.2.

e-smith version 4.1.2 is a security update to the 4.1.1 package and also
contains several new features and corrections. These security updates have
been released as a result of an ongoing review of the e-smith configuration.

This release is based on RedHat 7.0 and includes all applicable security 
updates. The documentation, bug and FAQ listings have been updated.

e-smith, inc. advises all users of e-smith 4.1.1 and earlier versions to 
upgrade to e-smith 4.1.2

SECURITY ENHANCEMENTS

1.  Packet filtering (ipchains) rules have been updated to provide further 
    optional controls, including the ability to block unprivileged TCP/UDP 
    ports using configuration database parameters. External connections to 
    mysql and squid are blocked by packet filters (note: these programs were 
    already configured in previous versions to reject requests from external 
    addresses).

2.  The standard e-smith public services (HTTP, SMTP and AUTH) can now
    be restricted to allow access only from the local network. These advanced 
    configuration settings are not currently available through the manager.

3.  The logging of network packets denied by filtering rules is now
    disabled by default but can be enabled with a configuration database
    setting. In versions 4.1 and 4.1.1, logging was enabled by default. In
    some cases this generated significant logging activity and could
    cause system performance degradation.

4.  The i-bay configuration screens have a new choice to 'Enable dynamic
    content' which will enable the use of CGI, PHP and SSI content. This 
    replaces the 'Execution of CGI scripts' in previous versions. This
    option is disabled by default for each i-bay. Please consult our
    Security Whitepaper to understand the security implications of allowing
    dynamic content before enabling this setting.
    (http://www.e-smith.org/docs/papers/)

5.  The configuration of the PPTP (VPN) server has been modified to restrict
    authentication to valid current user accounts only. Additional password
    checks have also been incorporated into the login processing.

6.  The latest security updates from Red Hat for ntp, openssh, vim, and mutt
    have been included.

7.  The IMAP daemon has been rebuilt to remove drivers for some unused
    mailbox formats. These drivers had buffer overflow problems enabling 
    exploits which allow valid authenticated users to circumvent some
    access restrictions.

8.  The configuration for ProFTPD has been restricted to defeat attempts to
    exploit a known denial of service attack.

9.  The default setting of hard drive performance optimization has been
    changed from "enabled" to "disabled", in response to a number of reports
    from users of file system corruption and failure to boot.

E-MAIL SETTINGS

1.  Some system administrators preferred not to receive email from
    the fetchmail daemon, which reported the successful fetching of
    email messages (in multi-drop mode only). These messages crypticly
    contained just a series of periods (i.e. '.....'). These have
    been eliminated by setting fetchmail's default verbosity level 
    to '--silent'. Fetchmail errors will still be delivered to the 
    admin user.

2.  The console email program pine has been configured to access personal
    mailboxes using the IMAP protocol. This will allow command line
    access to mailboxes without custom configuration. Note: this feature is
    not normally accessible to users.

3.  The packet filters are now correctly modified when external POP/IMAP is
    enabled. Note: e-smith , inc strongly advises against the use of public
    POP and IMAP. The use of SSL based webmail or a VPN connection provides
    secure remote access to email.

4.  Machines on other internal networks, as listed in the "Local Networks" 
    panel, are permitted to send mail via the SMTP server.

IP MASQUERADING

1.  The PPTP masquerade module is now loaded by default. This allows PPTP
    clients using an e-smith server as a gateway to access remote PPTP VPN
    servers (for example, another e-smith server) using PPTP client software.
    This feature was not offered in previous versions as the PPTP masquerade
    module included with the RedHat 7 kernel was faulty.  This version includes
    a replacement module which functions correctly.

2.  The IPSec masquerade module is now loaded by default.  This feature
    was not offered in previous versions as the IPSec masquerade module
    included with the RedHat 7 kernel was faulty. This version includes
    a replacement module which functions correctly.

    This module has not undergone extensive testing by e-smith at this
    stage, but does not conflict with the existing modules and so is
    loaded as a service to those who may need to use it.

3.  Masquerading modules can now be selectively loaded via settings in the
    configuration database. These advanced configuration settings are not 
    currently available through the manager.

SMB/WINDOWS FILE SHARING

1.  The default character set and code page for Samba have been changed to
    ISO-Latin-1 which caters to Western European languages. These settings
    can also be customized through the configuration database.

2.  The NetBIOS OS level used by Samba has been increased to ensure that the
    e-smith server will win a browser election if it has been configured to 
    become the Domain Master.

3.  SMB networking "Opportunistic locks" have been disabled.  These locks 
    allow client machines to aggressively cache data and can cause data 
    inconsistencies if the files are modified by other applications.

BACKUP AND RESTORE

1.  The group and shared alias files are regenerated after a restore.

2.  The tape header format has been changed to support a wider range of 
    IDE tape drives

3.  The tape is automatically rewound after a restore.

4.  The timezone is now reconfigured after a restore

5.  The --linear option to lilo was added to the kickstart file included
    on the floppy disk created by the reinstallation floppy function.

MISCELLANEOUS ENHANCEMENTS

1.  A concurrency problem in the processing of configuration databases, which 
    could have resulted in the loss of database entries, has been fixed.

2.  Any comments (prefixed by "#") found in a configuration database are 
    now ignored.

3.  The expand-template program, which is provided to allow ad-hoc
    expansion of templated configuration files, has been enhanced to
    retain ownership and permissions of output files.

4.  A configuration error affecting access to an externally hosted
    website has been corrected. For example, with the domain name
    set to frog.pond, and the "www" name modified in the "Hostnames
    and Addresses" panel to point to an external web server, the site
    http://www.frog.pond could be accessed, but the site http://frog.pond
    would still resolve to the local server.

5.  Documentation of all e-smith perl modules is included. This can be viewed
    from the command line by typing:

	perldoc -U esmith::{module name}

    For example, to read the documentation for the cgi.pm perl module, you 
    would type:

	perldoc -U esmith::cgi

6.  The kernel module configuration database /etc/modules.conf is now
    adjusted for e-smith requirements using the template mechanism, with
    multiple template fragments, rather than by a perl program. This will
    allow additions and modifications to be performed using standard,
    documented templates, rather than by making modifications to
    a program.

7.  A kernel module search path is set up so that e-smith specific kernel
    modules are loaded from a separate directory tree in preference to
    standard kernel modules (if they exist in that tree). This mechanism
    allows additional or replacement kernel modules to be installed
    without overwriting the standard set of kernel modules.

8   The e-smith manager now allows no more than 28 groups to be
    added. This limit arises because the current Linux kernel restricts
    the number of groups per user to 32, and current e-smith design
    requires the user "admin" to be a member of each user-defined group,
    as well as a number of hidden system groups. Future versions of the
    product may remove or increase this limit to the number of groups.

9.  The "Back" button on the "Select ethernet card assignment" screen of the
    console now goes to the correct screen.

10. The file /var/log/diald/accounting.log is now created automatically to log
    dialup attempts and connect times.

11. The appletalk, ppp, ip_masq_h323 and ip_masq_icq modules have been 
    rebuilt to provide reliable support for SMP kernels.

12. Some manager pages were updated to correctly display default values.