5210R/5211R/5212R: DNF Updates released
We just published a large set of DNF updates that bring new features and general improvements to BlueOnyx.
Prevent Sender Identity Spoofing
When a user account is compromised, attackers often waste no time turning your mail server into a spam cannon. Even with strong passwords, 2FA, outgoing volume limits, and tight MTA configurations, a determined attacker who controls valid login credentials can still cause damage. BlueOnyx now adds another layer of protection: an enforced mapping between authenticated users and the sender identities they are allowed to use.
In simple terms: An authenticated user can now only send email using addresses that belong to them. Alias spoofing and cross-account impersonation are no longer possible. Everyone else hopes users don’t spoof. BlueOnyx prevents it.
More information about this feature is available here.
Prevent siteAdmin deletion if he owns /web
If PHP is used for a Vsite, then the "SiteAdmin who owns /web" must NOT be deleted. Added checks for that in the GUI and if this edge case happens via the GUI, then an appropriate error message is shown instead:
We now allow GUI login by IP instead of forcing hostname
On a freshly set up BlueOnyx the DNS A record for the hostname may not be set yet. Hence forcing logins to always redirec to the hostname even after a fresh setup is counter-productive.
However: CodeIgniter forces us to set 'baseURL' to something in the configuration, so we chose to set the hostname.
To compensate for that extensive code changes have been made throughout several parts of CodeIgniter and the BlueOnyx GUI to allow usage of IP address for successful logins AND throughout the entire GUI.
But please note: If "Redirect to Server-Name" is enabled (by default it is not), then accessing the GUI by IP or any other hostname than the server name WILL always redirect to the servername. This option is recommended to prevent SSL certificate name mismatches.
Alternate Disk Quota check over/under-reported usage
On BlueOnyx servers without available file system disk quota we used to use find/stat to determine disk usage in a fast way. However: It turned out that this can easily result in 30-35% over- or under-reporting.
It under-reported disk usage when:
- Files are sparse
- Filesystem uses tail-packing (ext4)
- Inline data (ext4 small files)
- Compression (XFS, Btrfs)
It over-reported when:
- Files are fragmented (rarely significant)
- Block size wasn't 512byte
The code for this has now been changed to closer mimic how quotatool/setquota work when native disk quota is available.
Jailkit: Shell change for siteAdmin fixed
Failure condition:
- Shell change for siteAdmin who owns /web
- Vsite uses PHP-FPM
- PHP-FPM pool of that Vsite is currently actively processing PHP requests
In that case Jailkit did fail to perform the shell change and would report "User is logged in" (due to the running PHP-FPM pool under the UID/GID of the siteAdmin). The changed code now checks if these conditions are true and if so, it stops that particular PHP-FPM pool briefly, performs the shell change and then restarts PHP-FPM. That solves the issue.
Bugfix: 'allow_url_fopen = On' was always being reset
There was a bug in a handler that caused that changing the PHP setting "allow_url_fopen" from the (safe) default "Off" to the unsafe "On" did not stick.
PHP Versions display sorted now
The pulldown from which you could select PHP versions showed the available versions in an unsorted fashion. This has been fixed.
Code Changes:
Here is the list of code changes in SVN.
In Closing:
We hope you like the new features and fixes and hope that they will serve you well. As always: If you run into any issues or problems? Don't hesitate to reach out by email, in the mailiing list, Discord or file a Bug Report or Support Request via your BlueOnyx GUI interface.
← Return