AMS 5 release window / features?

[EKjellquist]

Gents,

Just curious as to whether there's any release window or news regarding the future of AMS whether that's more of a 4.3 or a 5.0 sort of thing? Haven't seen any news or announcements in some time. For me mainly I'm looking for TLS 1.3 support and openSSL updates but I'd be interested to know if you have any other new features you're working on or planning on supporting!

[Code Crafters]

We don't have any release dates for adding TLS 1.3 yet but this is high on our priorities. Other updates will likely include a bunch of small WebMail changes and also possibly DKIM as this has been asked for a few times lately.

[EKjellquist]

I'd be interested in DKIM, especially as a foundation for using DMARC for our domains, as more and more domains we send to and receive from are using both and we've had a few send failures recently due to not being able to use either with AMS yet (though it's been rare so far).

[Code Crafters]

We've started work on an update to the WebMail system. This migrates the whole project from Angular 2 to Angular 7 with quite a few feature and bug tweaks.

We will consider either TLS 1.3 / DKIM for our next major update though.

[sjoram]

Hi,

I've been using SPF for a number of years now and have just got around to adding a DMARC record for it.
However, AMS doesn't yet support DKIM and obviously also does not check DMARC inbound.

The inbound mail for me mostly passes through web hosting forwarders so has already been checked at that level and AMS is set to look for specific mail headers from those checks and act accordingly, but it would be good to have DKIM support on outbound mail without needing to use a relay.

I'm currently still using an old version that lacks the TLSv1.2 support (I know that this was added some time ago). Again for me, mainly an issue with outbound mail.
Given that when purchasing a licence updates are only covered for 1 year and AMS updates don't seem as frequent as in the early years, I wondered whether to upgrade now or hold out a bit longer if any newer releases with some extra features are on the horizon? Although I'm well aware that TLS1.0 is now deprecated, given mine is only a home server, I'm not too fussed at holding out a little longer if it's worth waiting?...

[Code Crafters]

Ability Mail Server 4 mainly adds a new WebMail interface. We're doing an update to this soon. After that we'll try to add DKIM as we know this is a very popular feature that's often asked for. If you upgrade now, hopefully DKIM will be added before your year of upgrades expires.

[EKjellquist]

<BUMP>

Just looking for any updates, haven't heard any news on the beta front or otherwise regarding any updates post-4.3.0. Still a lot of features we need security-wise, and it'd be comforting to have any information for us to chew on. It's been about 16 months since the last OpenSSL 1.0.2 update (official support was dropped after that time), and though we're able to mitigate most of the security vulnerabilities by other means, it's harder and harder to remain compliant. We really need TLS 1.3 / OpenSSL 1.1.1 support more than anything, and DMARC/DKIM, DANE/TLSA, ECC certificate support would be nice-to-haves.

We're starting to have issues where sending servers refuse to connect to us w/o whitelisting b/c of outdated ciphers, and I can't get approval for a software upgrade when I have no information on when those features might be available, or if a version 5.0 would fall within the typical 1-year software maintenance window.

[Code Crafters]

We're hoping to add support for TLS 1.3 and DKIM this year. Whether this is in version 4 or 5, it will be included as long as you have an active license to update.

[sjoram]

Just to chime in, it looks like OpenSSL v1.0.x may start to have issues using LetsEncrypt certs as of later this year... https://community.letsencrypt.org/t/ope ... tes/143816

[Code Crafters]

Thanks for the update

[EKjellquist]

Bumping this thread, haven't heard / seen anything on an AMS 5 release or beta period. Any news on that? Seems to be no update to 4.x since 9/1/2020, either.

[Code Crafters]

We're planning an AMS 5 release before the end of the year hopefully. This will mainly include WebMail updates and bug fixes. This won't include OpenSSL / DKIM in the initial release though.

[Code Crafters]

We have now released Ability Mail Server 5.0.0

Changes in this update are:

- Added: WebMail folder list filter.
- Updated: WebMail to Angular 13.
- Updated: WebMail number of languages increased from 52 to 89.
- Updated: WebMail folders ordered by special folders first then alphabetical.
- Updated: WebMail move emails modal now auto-focuses the folder filter.
- Updated: WebMail date format.
- Updated: WebMail Email page 'Close' button renamed to 'Back to Messages'.
- Updated: WebMail auto-signups now requires at least one signup domain.
- Updated: AMS Transfer tool migrates user language (e.g. en-US to en).
- Fixed: AMS Transfer tool now correctly migrates users and groups.
- Fixed: Remote Admin 'language is invalid' error could prevent saving.
- Fixed: WebMail Edit Address Book Entry didn't load the correct fields.
- Fixed: WebMail compose message body click didn't always focus the edit area.
- Fixed: WebMail new folders didn't appear in move email folder list straight away.
- Fixed: WebMail large numbers were sometimes wrongly converted.
- Fixed: WebMail mobile menu options didn't align correctly when hovered.
- Fixed: WebMail logout now shows a loading spinner.

https://www.codecrafters.com/AbilityMai ... ateHistory

To update your current installation, please select ‘Check for Updates’ from the Help menu of the dialog admin interface. You can also perform the update by downloading from https://download.codecrafters.com/ams.exe and re-installing over the top of your current installation.

[EKjellquist]

We performed the upgrade a few weeks back from AMS 4, took awhile but went ok (due to large mail folders mostly). Happy with the Angular updates as there were a lot of emails previously in Webmail that would format weird and affect the webmail GUI, haven't noticed that at all in A13.

This is currently my biggest worry, given that we're still effectively using OpenSSL 1.0.2 - https://www.securityweek.com/high-severity-dos-vulnerability-patched-openssl?&web_view=true

[Code Crafters]

DKIM and SSL still are the biggest features on our list to do. Both are not small updates but are our highest priority.

[EKjellquist]

Wondering if there have been any development updates lately, still needing TLS 1.3, OpenSSL 1.1.1, DKIM, DMARC support if possible.

But lately the biggest issue has been with trying to disable AUTH reporting; for PCI compliance I need AMS to stop saying it supports plaintext connections, which AFAIK the only way to do so is 'disable Auth reporting' for SMTP. If I do so in AMS 5.0.2, the EHLO response goes from this:

250-mail.domain.com
250-PIPELINING
250-8BITMIME
250-AUTH PLAIN LOGIN CRAM-MD5 CRAM-SHA1
250-STARTTLS
250 OK

to this:

250-mail.domain.com
250-PIPELINING
250-8BITMIME
250-STARTTLS
250 OK

SMTP connections / transfers from other servers seem to still occur fine; Using a tool like https://www.checktls.com/TestReceiver will work ok. BUT SMTP connections by AMS users 100% fail, whether those users are local or outside our network.

I have ports 25/465/587 enabled for SMTP as well as 465 for implicit SSL connections. I also have explicit SSL enabled so STARTTLS should still work. No matter if I use 'Auto', SSL/TLS or STARTTLS with any of the defined ports, using any common mail client (e.g. Outlook 2010, 2021, 365, mobile clients, etc), absolutely none of them can connect via SMTP. in Outlook clients, I get:

Task 'admin@domain.com - Sending' reported error (0x800CCC80) : 'None of the authentication methods supported by thus client are supported by your server.'

I do have SMTP Authentication enabled, and 'Only allow secure login' for the existing groups, using TLS 1.2 on all services (switching to TLS 1.0 for SMTP makes no difference). So I'm not sure what the issue is, but to me it appears basically the same as in 4.x in terms of being unable to turn off AUTH...

[Code Crafters]

This functionality hasn't changed in probably the last 15 years. Obviously, you can't hide supporting auth methods and then expect clients to use these. This option only works if you don't actually need to use them. The clients you have are likley using AUTH PLAIN and won't continue if the server doesn't support this (rightly so). If you have an idea for how this can be improved, please let us know.

[EKjellquist]

We have no clients specifically trying to use AUTH PLAIN. Port 993 / TLS will work fine for IMAP with Auth disabled or not, but NO combination of 465/587 or SSL/TLS mode will work with auth disabled for SMTP; that's my issue. If I uncheck that box, SMTP works for clients again fine.

The part I can't figure out here is that mail from outside our LAN being relayed from other servers via port 25 are fine; with Auth disabled, if I try to connect from a client using 465 or 587, the SMTP logs look like this when trying to send an email:

Mon, 25 Jul 2022 12:28:49 -> 192.168.1.254 -> Success: Action=[Accept Connection], Details=[Port 587]
Mon, 25 Jul 2022 12:28:49 -> 192.168.1.254 -> Success: Action=[Close Connection]
Mon, 25 Jul 2022 12:28:54 -> 192.168.1.254 -> Success: Action=[Accept Connection], Details=[Port 465: Implicit SSL]
Mon, 25 Jul 2022 12:28:54 -> 192.168.1.254 -> Success: Action=[Received Hello], Details=[Host=MACHINENAME]
Mon, 25 Jul 2022 12:28:54 -> 192.168.1.254 -> Success: Action=[Close Connection]

if I uncheck the box and re-enable auth, I get what I expect to see normally

Mon, 25 Jul 2022 12:29:46 -> 192.168.1.254 -> Success: Action=[Accept Connection], Details=[Port 465: Implicit SSL]
Mon, 25 Jul 2022 12:29:46 -> 192.168.1.254 -> Success: Action=[Received Hello], Details=[Host=MACHINENAME]
Mon, 25 Jul 2022 12:29:46 -> 192.168.1.254 -> Success: Action=[Starting Login], Details=[LOGIN authentication.]
Mon, 25 Jul 2022 12:29:46 -> 192.168.1.254 -> Success: Action=[Login], Details=[user@domain.com]
Mon, 25 Jul 2022 12:29:46 -> 192.168.1.254 -> Success: Action=[Received Sender], Details=user@domain.com]
Mon, 25 Jul 2022 12:29:46 -> 192.168.1.254 -> Success: Action=[Received Recipient], Details=[user@domain.com]
Mon, 25 Jul 2022 12:29:46 -> 192.168.1.254 -> Success: Action=[Start Mail Transaction]
Mon, 25 Jul 2022 12:29:46 -> 192.168.1.254 -> Success: Action=[Complete Mail Transaction], Details=[From Host=MACHINENAME, Size=1 KB, From=user@domain.com, To=user@domain.com]
Mon, 25 Jul 2022 12:29:46 -> 192.168.1.254 -> Success: Action=[Close Connection]

The aforementioned error (0x800CCC80) seems to occur when those connections are accepted and immediately closed if I try to send an email. if I try to update Account Settings in Outlook and test, I'll get the generic 'Something went wrong' error and have to try again. AFAIK there's no settings conflict anywhere, but I don't know that 100%. Can you provide recommended SMTP settings I can compare against?

[Code Crafters]

Other mail servers may be more resilliant. It's your SMTP client that is connecting, seeing AUTH methods not supported and then immediately disconnecting as it's not happy to proceed. You will have to either enable Auth Reporting so the clients will continue or create a front end SMTP that the clients are happy to relay through.

[EKjellquist]

Yeah, but we're not talking about obscure email clients here, this is Outlook 365, Outlook 2021, Outlook 2010, iphone's mail app, Outlook mobile, etc; they ALL seem to have the same issue. MS even recommends disabling SMTP Auth on Exchange https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/authenticated-client-smtp-submission.

If there's something I'm missing, by all means I'd love to find it; For example, checkTLS.com responds with the following EHLO from gmail:

250-SIZE 157286400
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8

Gmail does accept SMTP Auth on port 587, and none of the aforementioned clients have an issue connecting (but there is no EHLO AUTH code returned). if I uncheck 'Only Allow Secure Login' from the Groups entry for my users, and I try to connect to SMTP w/o authentication, it still fails in the same way on the client. HOWEVER, if I ALSO disable SMTP Authentication entirely, it will connect ok:

Tue, 26 Jul 2022 16:34:33 -> 192.168.1.254 -> Success: Action=[Accept Connection], Details=[Port 587]
Tue, 26 Jul 2022 16:34:33 -> 192.168.1.254 -> Success: Action=[Received Hello], Details=[Host=MACHINENAME]
Tue, 26 Jul 2022 16:34:33 -> 192.168.1.254 -> Success: Action=[Start TLS]
Tue, 26 Jul 2022 16:34:33 -> 192.168.1.254 -> Success: Action=[Received Hello], Details=[Host=MACHINENAME]
Tue, 26 Jul 2022 16:34:33 -> 192.168.1.254 -> Success: Action=[Received Sender], Details=[user@domain.com]
Tue, 26 Jul 2022 16:34:33 -> 192.168.1.254 -> Success: Action=[Received Recipient], Details=[user@domain.com]
Tue, 26 Jul 2022 16:34:33 -> 192.168.1.254 -> Success: Action=[Start Mail Transaction]
Tue, 26 Jul 2022 16:34:33 -> 192.168.1.254 -> Success: Action=[Complete Mail Transaction], Details=[From Host=MACHINENAME, Size=1 KB, From=user@domain.com, To=user@domain.com]
Tue, 26 Jul 2022 16:34:33 -> 192.168.1.254 -> Success: Action=[Close Connection]

So I think the issue lies somewhere in checking 'Disable AUTH reporting' while still having SMTP Authentication enabled that's causing the aforementioned connection problem. Given the option, I'd still rather be able to use SMTP authentication rather than having an open relay, if nothing else b/c AMS doesn't support stuff like OAuth yet...