News
phlyMail 4.4 released - Security update!
We've just released phlyMail 4.4.
This build offers you many changes and new features. We've gone into greater detail with the release announcements of the Early Preview. Please read this post first.
Some potential security holes have been discovered, which this build addresses and fixes. These vulnerabilities affected all phlyMail versions since 3.00.00.
You should update your installation as soon as possible. If you still run phlyMail 4.3.4 or older we suggest you do some intensive test runs with this build to ensure fitness for your environment and needs. In case of bugs or problems please inform us through the apposite forum.
Please make a backup of both the installation directory and the database tables. Going back to version 4.3 after the update is not possible without loss of data!
After applying the update please check all mail accounts (or let your users check theirs) regarding whether SSL / TLS shall be used. This setting has changed and might no longer be setup correctly.
Please switch off the old phlyMail Cronjobs and activate the new Cronjob as described here.
Besides what we've mentioned before, these changes were made in the betas:
- Security Fix: The most severe problem affected the so called Dereferer. This script shall decouple external links and resources from the user's session. It is used for loading remote content (e.g. images and CSS) for displaying HTML mails and when linking to external sites from within emails displayed in the frontend. Unfortunately this script also allowed forwarding users to arbitrary destinations from outside a user's session. This build fixes the whole situation by registering valid URLs with the database.
- Security Fix: Another potential problem arose from the fact that some forms within the Config did not properly escape their output, thus allowing XSS (Cross Site Scripting) to be injected in those forms. From our current knowledge it was hard to actually make use of this problem. This build addresses this issue by properly escaping output in these places.
- Small bug fixes in the email composition form.
- Fixes in how the AutoUpdater tries HTTPS and HTTP connections respectively.
- Config: The drop down to select the default frontend theme no longer lists mobile themes.
- Since POP3 accounts share a common Archive folder (structure) we removed the option to select a different Archive folder for POP3 accounts. IMAP accounts are not affected by this change.
- The automatic selection of the From: profile when sending an email failed on IDN addresses.
- Rerouting (Bouncing) an email did work from the mail list, but not with emails opened by double click.
- The algorithm to calculate the positions and sizes of elements in the mail compose window failed horribly in Chrome, thus leaving the content being tiny and unusable.
- It's now possible to "hide" the mobile interface through two new configuration options.
The frontend login screen advertises the mobile interface and links to it. This can be switched on / off now. Also the login screen autodetects mobile devices and redirects them to the mobile interface. This can be switched on / off as well.
Attention: These options are "off" by default!
- mobile interface: Updated jQuery Mobile to 1.2.0; adjusted the mobile themes; CSS fixes
- mobile interface: Sending emails does now work, including attaching local files (stored on the mobile device).
- mobile interface: Fixes in the mail view. Now just a few mail operations (e.g. copying / moving) are missing.
- mobile interface: Improvements in the calendar views. The pretty useless list view has been replaced by a more sensible month view with a detailed list of events of a given day. Now just the screens for viewing and editing events and tasks are missing.
The builds are available as usual either through the AutoUpdate service or from the customer service (for the MessageCenter) or here for Lite.
Thanks to Zero Science Lab for pointing out the vulnerabilities; see ZSL-2013-5122 and ZSL-2013-5123 for details.
phlyMail 4.4 RC1 released - Security update!
We've just released build 4.3.57. It is the first release candidate (RC1) of phlyMail 4.4.
Some potential security holes have been discovered, which this build addresses and fixes. These vulnerabilities affected all phlyMail versions since 3.00.00.
You should update your installation as soon as possible. If you still run phlyMail 4.3.4 or older we suggest you do some intensive test runs with this build to ensure fitness for your environment and needs. In case of bugs or problems please inform us through the apposite forum.
The following changes were made since the previous build 4.3.56:
- Security Fix: The most severe problem affected the so called Dereferer. This script shall decouple external links and resources from the user's session. It is used for loading remote content (e.g. images and CSS) for displaying HTML mails and when linking to external sites from within emails displayed in the frontend. Unfortunately this script also allowed forwarding users to arbitrary destinations from outside a user's session. This build fixes the whole situation by registering valid URLs with the database.
- Security Fix: Another potential problem arose from the fact that some forms within the Config did not properly escape their output, thus allowing XSS (Cross Site Scripting) to be injected in those forms. From our current knowledge it was hard to actually make use of this problem. This build addresses this issue by properly escaping output in these places.
- Small bug fixes in the email composition form.
- Fixes in how the AutoUpdater tries HTTPS and HTTP connections respectively.
- Config: The drop down to select the default frontend theme no longer lists mobile themes.
- Since POP3 accounts share a common Archive folder (structure) we removed the option to select a different Archive folder for POP3 accounts. IMAP accounts are not affected by this change.
- The automatic selection of the From: profile when sending an email failed on IDN addresses.
- Rerouting (Bouncing) an email did work from the mail list, but not with emails opened by double click.
- The algorithm to calculate the positions and sizes of elements in the mail compose window failed horribly in Chrome, thus leaving the content being tiny and unusable.
- It's now possible to "hide" the mobile interface through two new configuration options.
The frontend login screen advertises the mobile interface and links to it. This can be switched on / off now. Also the login screen autodetects mobile devices and redirects them to the mobile interface. This can be switched on / off as well.
Attention: These options are "off" by default!
- mobile interface: Updated jQuery Mobile to 1.2.0; adjusted the mobile themes; CSS fixes
- mobile interface: Sending emails does now work, including attaching local files (stored on the mobile device).
- mobile interface: Fixes in the mail view. Now just a few mail operations (e.g. copying / moving) are missing.
- mobile interface: Improvements in the calendar views. The pretty useless list view has been replaced by a more sensible month view with a detailed list of events of a given day. Now just the screens for viewing and editing events and tasks are missing.
The builds are available as usual either through the AutoUpdate service or from the customer service (for the MessageCenter) or here for Lite.
Thanks to Zero Science Lab for pointing out the vulnerabilities; see ZSL-2013-5122 and ZSL-2013-5123 for details.
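The Dereferer fix described in the 4.4 and RC1 notes above, shown as an added example that is not phlyMail's own code: the redirect target is no longer taken from the request but looked up by a token that the application registered while rendering the mail. The table name deref_urls, the function names and the in-memory SQLite database are assumptions of this example; PHP 7+ is required for random_bytes().

```php
<?php
// Added example, not phlyMail code: a dereferer that only redirects to URLs
// registered beforehand, so it can no longer be used as an open redirector.
// Table "deref_urls" and all function names are hypothetical.
declare(strict_types=1);

// Called while rendering a mail: store the outbound URL and return the token
// that the dereferer link carries. Only http(s) targets may be registered.
function registerDerefUrl(PDO $db, string $url, int $userId): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null; // non-http(s) schemes (mailto:, data:, ...) are refused
    }
    $token = bin2hex(random_bytes(16)); // 128-bit random id, not guessable
    $stmt = $db->prepare(
        'INSERT INTO deref_urls (token, url, user_id, created) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$token, $url, $userId, time()]);
    return $token;
}

// Resolve a token to its registered URL; unknown or malformed tokens yield null.
function lookupDerefUrl(PDO $db, string $token): ?string
{
    if (preg_match('/^[0-9a-f]{32}$/', $token) !== 1) {
        return null;
    }
    $stmt = $db->prepare('SELECT url FROM deref_urls WHERE token = ?');
    $stmt->execute([$token]);
    $url = $stmt->fetchColumn();
    return $url === false ? null : (string) $url;
}

// The dereferer script itself: the target comes from the token lookup, never
// from a user-supplied parameter as in the vulnerable pattern
//     header('Location: ' . $_GET['url']);
function handleDeref(PDO $db, string $token): void
{
    $target = lookupDerefUrl($db, $token);
    if ($target === null) {
        http_response_code(404);
        exit('Unknown link');
    }
    header('Referrer-Policy: no-referrer'); // keep the session URL out of Referer
    header('Location: ' . $target, true, 302);
    exit;
}

// Constructed stand-in for the application's database.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE deref_urls (token TEXT PRIMARY KEY, url TEXT, user_id INT, created INT)');
$token = registerDerefUrl($db, 'https://example.com/page', 42); // while rendering a mail
handleDeref($db, $_GET['t'] ?? '');                              // in the dereferer script
```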
Services outage on Dec 26, 2012
Due to a sudden hardware failure our web server crashed today, leading to an outage of these services:
- UMS gateway
- AutoUpdate service
- phlyMail.com website and customer service
We almost finished moving to another machine, all service should be fine again, the UMS gateway even since the morning hours.
We are very sorry for any inconvenience the downtime may have caused to you.
phlyMail 4.4 Early Preview released
Finally it is here: a testable preview version of phlyMail 4.4 is available!
Many of the new features are already considered "ready", i.e. from our point of view they are stable and more or less free of bugs.
But before you just run off replacing your stable installation with this Early Preview - wait a minute! First let us give you some advice. We recommend to start a fresh install with this preview alongside your stable installation. Under no circumstances should you overwrite your perfectly fine installation.
If you want to test, how the update will work later on, just make a clone of the stable installation and update that.
What's in for me?
- mobile interface - "phlyMail Mobile"
Although the interface is not yet finished, we decided to give you a sneak peek beforehand for getting an impression, where we're heading. Many parts are already working fine, e.g. the modules Contacts and Bookmarks and sending SMS, yet some other areas are still awaiting completion like the profile manager or sending emails.
The current state of development allows to give it a shot on various client devices, though.
- complete overhaul of the Cronjob handling
In the future all Cronjob tasks of phlyMail will be completely handled by phlyMail itself, from one single script, which takes care of starting the individual jobs due. This script will be put into the server's crontab and started every minute. That's it, the rest is handled by phlyMail.
This gives us maximum flexibility in adding various background tasks. Furthermore some old oddities are fixed along the way. E.g. appointment alerts can now be sent out the minute they are due. And there's no longer confusion about when the system will fetch mails.
We tried hard to find the optimum in terms of resource usage so there shouldn't be too many parallel tasks forcing the server on its knees.
Yet you should keep an eye on the resource usage of your server in the first few days after putting the new cronjob system to work.
- Automated syncing of IMAP subfolders
One of the great weaknesses of phlyMail so far was that subfolders in IMAP accounts were not automatically synced with the server. Instead users had to wait for that process to run and finish each time they opened such a folder. Additionally the system did not notify the user about new (unread) mails in those folders. Quite annoying.
Alongside the new Cronjob system this is now finally addressed. Some long term tests show, that we got the teething troubles out of the way already.
- Improved security settings in mail accounts
Up to now phlyMail behaves quite well-tempered when talking to POP3, IMAP and SMTP accounts. It automatically tries its best to establish a connection as secure as possible, but does not bail out if this fails. In fact, even the least secure connections were welcome. Just don't bother the user... Although this might not be as crucial when talking about point-to-point connections between servers, it's clearly no longer appropriate behaviour. So we changed the account settings in a way that one can now clearly define the level of security one wants (SSL [or TLS for that matter], STARTTLS, automatic, none). Only when the chosen security level is reached will the connection be established.
- WebDAV for calendars
The individual calendars can now be shared as WebDAV files (not CalDAV!) in suitable clients. That means that one can use e.g. Thunderbird (Sunbird) or a mobile client for read and write access to one's calendars in phlyMail. CalDAV is still a topic to address, though.
- Option to enforce secure connections
Similar to the accounts, this feature allows the admin to force secure connection from clients to the frontend, the Config, APIs and the mobile frontend. After switching on that option all calls to the non-secure URLs will be forcefully redirected to the SSL secured ones.
Since it requires SSL to be available in PHP and might add some more load to the server we decided to leave that as an option for the admin.
- Application structure modernized
This paragraph is intended for the geeky audience among our customers.
Large parts of the application are fairly aged by now, some code segments are round about 10 years old. That's visible in the overall application structure as well. One bottleneck, which even made things more complex than necessary was the central database connection class. Although it somehow abstracted the database away from the scripts (which is a good thing), it was overly complicated to use for other parts of the application, which themselves needed to talk to the database.
So we now did a few things:
- Create an explicit singleton for accessing the database
- Create small, lightweight objects for specific tasks in favour of the former, monstrous DB class
- That previous step is not quite finished, but now it's easy to do it one object at a time in the future
- Logical, tree-like organization of the classes in a structure reflecting their task
- Switch to lazy loading instead of hundreds of individual require commands scattered around
- Include the classes of the handlers in the aforementioned concept
All in all these changes took far less time than expected and it's even more time-saving in the long run. And it has not even been the end of the reorganization. Some central classes in the email handler await a full rewrite to untangle some code.
Another future step will be to remove all assignments of I18N strings in templates from the script, instead let the template class handle it. This will make the scripts much leaner and bring the system much closer to the pure MVC principles.
Where do I get it from?
The builds are available as usual either through the AutoUpdate service or from the customer service (for the MessageCenter) or here for Lite.
What's next?
We hope to fulfill the one or other wish with this release. Our goal is now, to as quickly as possible finish the missing parts in the mobile interface.
Depending on whether you find many bugs or not we might need one or more bugfixing run, too.
New server minimum requirements as of version 4.4
With the next major release (4.4.0) of phlyMail we will introduce new minimum server requirements. The last time we did so is already more than four years ago.
phlyMail will require:
- PHP 5.3.0+
- MySQL 5.5.0+
This will - again - not mean that phlyMail will immediately stop working, but new features will no longer regard the lack of certain features in former PHP / MySQL versions. Instead we will actively incorporate newly available features into the code in a gradual fashion.
The first module to require PHP 5.3 will be the WebDAV server component.
PHP 5.3.0 has been released June 30th 2009, MySQL 5.5 around the end of 2010. Please check with your hosting provider whether the required versions are already installed or can be installed shortly.
We ask our paying customers to actively check for availability and come forward in case an update is completely infeasible. We would like to submit you an offer to do the update for you.
phlyMail 4.3 released
After quite some time used for intensive testing we finally have released phlyMail 4.3.0.
The builds are available via AutoUpdate as well as (for Lite) at http://phlymail.com/en/phlymail/lite/download/ and (for the MessageCenter) the Customer Service as installable or core build.
For a comprehensive list of changes we'd like to point you to the following postings:
phlymail-4.3-beta-1-released-t2392.html
phlymail-4.3-beta-2-released-t2408.html
phlymail-4.3-rc-1-released-t2418.html
phlymail-4.3-rc-2-released-t2424.html
phlyMail 4.3 RC 2 released
We have just released phlyMail 4.3 RC 2 (build 4.01.53).
The builds are available via AutoUpdate as well as (for Lite) at http://phlymail.com/en/phlymail/lite/download/ and (for the MessageCenter) the Customer Service as installable or core build.
This build brings the following changes:
- One can state multiple recipients for email / SMS in event reminders now
- SabreDAV has been updated to version 1.5.6
- A rare issue with moving mails in IMAP has been fixed
- BCC addresses are now always removed from the email before it is handed over to the mail server / sendmail. Some mail servers violate the RFCs and leave the BCC headers in the mail, so the BCC addresses could be leaked to recipients.
We are looking forward to your feedback!
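The BCC handling from the RC 2 notes above, as an added example that is not phlyMail's own code: the Bcc: header (including folded continuation lines) is removed from the message before it reaches the MTA, while its addresses are returned separately so they still go into the SMTP envelope. The function name and the sample message are constructed for this example; the address extraction is deliberately simple and assumes plain addr-spec tokens.

```php
<?php
// Added example, not phlyMail code: separate Bcc recipients from the message
// before handing it to the MTA. The addresses still become envelope recipients
// (RCPT TO), but the Bcc: header must never travel with the message, since some
// mail servers forward headers untouched.
declare(strict_types=1);

// Returns ['message' => message without Bcc header, 'bcc' => [addresses]].
function splitBcc(string $raw): array
{
    // The header block ends at the first empty line; the rest is kept verbatim.
    $split   = preg_match('/\r?\n\r?\n/', $raw, $m, PREG_OFFSET_CAPTURE) === 1 ? $m[0][1] : null;
    $headers = $split === null ? $raw : substr($raw, 0, $split);
    $rest    = $split === null ? '' : substr($raw, $split);
    $nl      = strpos($headers, "\r\n") !== false ? "\r\n" : "\n"; // preserve line endings

    $kept     = [];
    $bccValue = '';
    $inBcc    = false;
    foreach (preg_split('/\r?\n/', $headers) as $line) {
        if ($line !== '' && ($line[0] === ' ' || $line[0] === "\t")) {
            // Folded continuation line: belongs to whichever header came before it.
            if ($inBcc) {
                $bccValue .= ' ' . trim($line);
            } else {
                $kept[] = $line;
            }
            continue;
        }
        $inBcc = preg_match('/^bcc\s*:/i', $line) === 1;
        if ($inBcc) {
            $bccValue .= ' ' . trim(substr($line, strpos($line, ':') + 1));
        } else {
            $kept[] = $line;
        }
    }
    // Simplified address extraction: plain user@host tokens, optionally in <>.
    preg_match_all('/[^\s,<>]+@[^\s,<>]+/', $bccValue, $found);
    return ['message' => implode($nl, $kept) . $rest, 'bcc' => $found[0]];
}

// Constructed sample message with a folded Bcc header.
$raw = "From: alice@example.net\r\nTo: bob@example.org\r\n"
     . "Bcc: carol@example.org,\r\n dave@example.org\r\nSubject: Hi\r\n\r\nBody\r\n";
$parts = splitBcc($raw);
// $parts['message'] is what goes to the MTA; the To/Cc addresses together with
// $parts['bcc'] form the envelope recipient list.
```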
phlyMail 4.3 RC 1 released
We have just released phlyMail 4.3 RC 1 (build 4.01.52).
The builds are available via AutoUpdate as well as (for Lite) at http://phlymail.com/en/phlymail/lite/download/ and (for the MessageCenter) the Customer Service as installable or core build.
This build brings the following changes:
- The new means of editing events has been implemented for tasks as well
- Multiple system folders set in the account settings to point to the same folder do not confuse the display of folder icons any more
- external calendars read in from Apple iCal or Google calendar now handle the display of all-day events properly
- If the user allows cookies to be set the set language and theme are stored in such, so these settings are available in the login screen, too
- the login message is now shown through the notification system, no longer via a JavaScript popup
- a few other minor bugs have been fixed
- All themes have been updated
We are looking forward to your feedback!
phlyMail 4.3 Beta 2 released
We have just released phlyMail 4.2 Beta 1 (build 4.01.50).
The builds are available via AutoUpdate as well as (for Lite) at http://phlymail.com/en/phlymail/lite/download/ and (for the MessageCenter) the Customer Service as installable or core build.
This build brings the following changes:
- The integrated HTML CKEditor editor has been updated to v 3.6.2
- The integrated WebDAV server's base library SabreDAV has been updated to v 1.5.5
- Update notification for frontend users can now either include or exclude beta versions on a per user basis
- The test for session cookies' availability failed due to a browser bug
- Events from external calendars are now treated as read-only
- Editing events has been vastly improved. There's now an extra field to state the duration of an event in standardized manner, changing the start changes the end according to the duration, changing the end changes the duration, changing the duration changes the end. This should allow for a much more logical and comprehensible manipulation of the event's dates and times.
- The separate date and time pickers have been replaced by a combined date-time-picker.
- Calendar's month view did not show the holidays from adjacent months
- a few other minor bugs have been fixed
- All themes have been updated to reflect necessary CSS changes.
We are looking forward to your feedback!
phlyMail 4.3 Beta 1 released
We have just released phlyMail 4.2 Beta 1 (build 4.01.50).
The builds are available via AutoUpdate as well as (for Lite) at http://phlymail.com/en/phlymail/lite/download/ and (for the MessageCenter) the Customer Service as installable or core build.
This build brings the following changes:
- Much nicer display of events in the calendar views. We recommend a browser capable of CSS3 for the full effect.
- It's now possible to assign colours to the calendar groups. The chosen colour (if any) will be shown alongside the event in the main calendar.
- External calendars in the format iCalendar (ICS / VCS) can now be defined as groups (folders) in the calendar. One can state the URL, the refresh rhythm and optionally username and password.
phlyMail supports BASIC and Digest-MD5 authentication.
The syncing is performed by another CronJob, which needs to be added to crontab.
- Users can switch the type (internal / external) of a calendar at any time. Events stored at that time will not be removed. When switching from internal to external, events will of course be replaced by the ones from the external source.
- SabreDAV (the library used for the WebDAV server) has been updated to version 1.5.4.
- All themes have been updated to carry some new icons with them.
We are looking forward to your feedback!