This month, in addition to the usual bundle of bug fixes and minor improvements, we’ve implemented changes related to Content-Security-Policy (CSP) and to the LDAP authentication process.
Starting November 29, the following changes will be available:
Content-Security-Policy
We’ve replaced the obsolete “X-Frame-Options” header with the “Content-Security-Policy: frame-ancestors” directive, for preventing cross-site scripting attacks.
More details can be found here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
With this change, by default, we will not allow the application to be loaded in an iFrame.
If this is needed and “Protection level” is currently set to the “No protection” option, please change it to the “Allow from URL” option before November 29 (“Settings” page, “Protection against rendering in HTML Frames” section).
All the existing configurations where Protection level is “Same origin” or “Allow from URL” will be migrated to match the new directive.
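To check how a response's framing headers will be enforced once the directive replaces the old header, here is an added example (not the product's own code) that decides whether a page at a given origin may frame the application. It assumes “Allow from URL” is sent as a full `scheme://host` source and the default as `'none'`; the hostnames are placeholders, and only `'none'`, `'self'`, `*` and full origins are handled.

```python
from urllib.parse import urlsplit

PORTS = {"http": 80, "https": 443}

def origin(url):
    """(scheme, host, port) of a URL, with the default port filled in."""
    u = urlsplit(url)
    return (u.scheme, u.hostname or "", u.port or PORTS.get(u.scheme))

def header(headers, name):
    """Case-insensitive header lookup; '' when the header is absent."""
    return next((v for k, v in headers.items() if k.lower() == name), "")

def frame_ancestors(headers):
    """Source list of the frame-ancestors directive, or None if absent."""
    for directive in header(headers, "content-security-policy").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None

def source_allows(source, embedder, app_url):
    """Match one source ('self', * or scheme://host[:port]) to the embedder."""
    if source.lower() == "'self'":
        return origin(embedder) == origin(app_url)
    if source == "*":
        return True
    scheme, host, port = origin(source)
    e_scheme, e_host, e_port = origin(embedder)
    # A leading "*." wildcard matches subdomains only, not the bare domain.
    host_ok = e_host.endswith(host[1:]) if host.startswith("*.") else e_host == host
    return (scheme, port) == (e_scheme, e_port) and host_ok

def can_embed(headers, embedder, app_url):
    """Return (allowed, deciding_header) for `embedder` framing `app_url`."""
    sources = frame_ancestors(headers)
    if sources is not None:  # CSP overrides X-Frame-Options; 'none'/empty match nothing
        return any(source_allows(s, embedder, app_url) for s in sources), "frame-ancestors"
    xfo = header(headers, "x-frame-options").strip().upper()
    if xfo == "DENY":
        return False, "x-frame-options"
    if xfo == "SAMEORIGIN":
        return origin(embedder) == origin(app_url), "x-frame-options"
    return True, "none"  # no header, or ALLOW-FROM (ignored by current browsers)

# Constructed sample responses; header values are assumptions, hosts are placeholders.
APP = "https://app.example/"
DEFAULT = {"Content-Security-Policy": "frame-ancestors 'none'"}
ALLOW_URL = {"Content-Security-Policy": "frame-ancestors https://portal.example"}
LEGACY = {"X-Frame-Options": "ALLOW-FROM https://portal.example"}
```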
LDAP authentication
An external library used for LDAP email user login was deprecated. To continue supporting the existing feature, we’ve replaced it, and the new library requires the configurations for “BaseDN” (based_dn) and “Search base” (username_attr), which may have been missing previously.
Therefore, we recommend checking your configuration for “LDAP authentication” on the “Manage email users” page and setting “BaseDN” and “Search base” before November 29, to avoid email user authentication issues.
The details can be found on the product documentation page: https://documentation.n-able.com/mail-assure/userguide/Content/C_Domain%20Level/webinterface-users/set-up-ldap-authentication.htm
Changelog
Since the latest major release, we’ve fixed the following issues:
- MMA-8482. Fixed the issue when adding a domain containing “ß”.
- MMA-8517. Fixed the issue with “Automatically populate the list with mailboxes” option in case Microsoft 365 Sync is used.
- MMA-8310. Fixed the issue with editing remote syslog values for a domain at Admin level.
- MMA-8543. Fixed the issue with Email Scout Reports being blocked due to the deprecated “Pacific-New” timezone.
- MMA-8547. Fixed the issue with Protection Reports not being generated for domains containing a hyphen.
We’ve also made the following improvements:
- MMA-8539, MMA-8523. The “Private Portal” option in the “Microsoft 365 Sync” and “Add Domain” wizards was replaced with “Default Private Portal policies” for better understanding of the option. This option only enables or disables the default policies for the Private Portal feature; it does not change the custom policies created on the “Private Portal policies” page.