OpenEFA v1.5.7.7 Released - Critical Security & Operational Fixes

Posted on OpenEFA.com | October 20, 2025 | By the OpenEFA Team

CRITICAL UPDATE - Update Immediately

Severity: HIGH - Contains critical security and operational fixes affecting all versions prior to v1.5.7.7. If you're running v1.5.7.6 or earlier, you should update as soon as possible.

Version 1.5.7.7 addresses 7 critical issues that affect both security and email delivery functionality, including CSRF vulnerabilities, missing XSS protection, and Postfix mail routing loops.

Why You Need to Update NOW

Security Vulnerabilities Fixed:

  • Missing CSRF Protection - Web interface endpoints were vulnerable to Cross-Site Request Forgery attacks
  • No XSS Protection Headers - Missing Content Security Policy (CSP) headers
  • Credential Exposure Risk - Database credentials could appear in error logs

Operational Issues Fixed:

  • Postfix Mail Loop - Misconfigured mydestination causing mail routing loops
  • Broken Domain Relay - Multi-domain configurations failing to relay properly
  • Configuration File Errors - Scripts looking in wrong paths for config files
  • Session Timeout Inconsistency - Different timeouts for admin/superadmin roles

What's Fixed in v1.5.7.7

1. CSRF Protection (CRITICAL SECURITY FIX)

Problem: All POST/PUT/DELETE endpoints lacked CSRF token validation

Impact: Attackers could perform unauthorized actions on behalf of logged-in users

Fix: Flask-WTF CSRF protection now enforces tokens on all state-changing operations

File: openefa-files/web/app.py
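What the fix enforces, as an added stand-alone example (not OpenEFA's app.py and not Flask-WTF's code): the synchronizer-token pattern that CSRFProtect applies inside Flask. The session ids, secret and form dicts below are constructed; a real app takes the secret from configuration and the session id from the signed session cookie.

```python
"""Synchronizer-token CSRF check, as a stand-alone stand-in for Flask-WTF.

Added example, not OpenEFA's app.py or Flask-WTF's code. The session ids,
secret and form dicts are constructed here; a real app takes the secret from
configuration and the session id from the signed session cookie.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Methods that must not change state and therefore need no token (RFC 7231 "safe").
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

# Assumption: a per-process secret. In production load it from config, never from source.
SECRET_KEY = secrets.token_bytes(32)


def generate_csrf_token(session_id: str) -> str:
    """Mint a token bound to one session: <nonce>.<HMAC(secret, session_id:nonce)>.

    Binding to the session is what stops an attacker from minting a token in
    their own session and replaying it against the victim's.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def validate_csrf_token(session_id: str, token: Optional[str]) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def handle_request(method: str, session_id: str, form: Dict[str, str]) -> Tuple[int, str]:
    """Gate a request the way CSRFProtect does: state-changing methods need a valid token.

    A form auto-submitted from attacker.example carries the victim's session
    cookie (the browser attaches it) but cannot carry the token, because the
    same-origin policy stops the attacker reading it out of the victim's page.
    The request therefore arrives without a token and is rejected before the
    view runs.
    """
    method = method.upper()
    if method not in SAFE_METHODS and not validate_csrf_token(session_id, form.get("csrf_token")):
        return 400, "Bad Request: the CSRF token is missing or invalid."
    return 200, f"{method} handled for session {session_id}"


if __name__ == "__main__":
    victim = "sess-victim"
    token = generate_csrf_token(victim)
    print(handle_request("POST", victim, {"action": "release_mail"}))                         # 400
    print(handle_request("POST", victim, {"action": "release_mail", "csrf_token": token}))    # 200
```

The check belongs in a before-request hook rather than in each view, which is exactly why the original bug was "all POST/PUT/DELETE endpoints" at once: one missing hook, every endpoint exposed.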

2. Content Security Policy Headers (SECURITY ENHANCEMENT)

Problem: No Content Security Policy header was sent, so the browser had no second line of defense if an XSS bug slipped past output encoding

Impact: Any injected script would run with no restriction on where it came from or what it could load

Fix: Implemented comprehensive CSP policy in report-only mode using flask-talisman. Report-only mode (the Content-Security-Policy-Report-Only header) logs violations to the report endpoint but blocks nothing; enforcement starts only when the same policy is sent as Content-Security-Policy

Features:

  • Restricts script sources to trusted CDNs only
  • Blocks inline scripts (with temporary exceptions during migration)
  • Prevents clickjacking with frame-ancestors
  • Violation reporting to /csp-violation-report
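An added example of the two halves of a report-only rollout: serialising a policy of the shape described above into the header value, and triaging what browsers post back to /csp-violation-report. This is not OpenEFA's app.py or flask-talisman's code; the policy is hypothetical (modelled on the features listed) and the violation report is constructed in the format browsers send, not captured from an OpenEFA host.

```python
"""Serialise a CSP policy and triage the reports browsers post back.

Added example, not OpenEFA's app.py or flask-talisman's code. The policy is
hypothetical, modelled on the features listed above (CDN-only script
sources, frame-ancestors, report-uri); the sample violation report is
constructed in the shape browsers send, not captured from an OpenEFA host.
"""
import json
from typing import Dict, List, Tuple, Union

Directive = Union[str, List[str]]

POLICY: Dict[str, Directive] = {
    "default-src": "'self'",
    "script-src": ["'self'", "https://cdn.jsdelivr.net", "https://cdnjs.cloudflare.com"],
    "style-src": ["'self'", "'unsafe-inline'"],  # temporary exception while inline CSS is migrated
    "img-src": ["'self'", "data:"],
    "frame-ancestors": "'none'",                  # clickjacking: nobody may frame the UI
    "report-uri": "/csp-violation-report",
}


def build_csp(policy: Dict[str, Directive]) -> str:
    """Render {directive: sources} as 'directive src src; directive src'."""
    parts = []
    for directive, sources in policy.items():
        if isinstance(sources, str):
            sources = [sources]
        elif not isinstance(sources, (list, tuple)):
            # str.join on anything else is what raises "TypeError: can only join
            # an iterable" in the middle of a request; fail loudly at config time instead.
            raise TypeError(f"{directive}: expected a string or list, got {type(sources).__name__}")
        parts.append(f"{directive} {' '.join(sources)}")
    return "; ".join(parts)


def csp_header(policy: Dict[str, Directive], report_only: bool = True) -> Tuple[str, str]:
    """Header name and value. Report-only only logs; nothing is blocked until the
    enforcing Content-Security-Policy header is sent."""
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, build_csp(policy)


def classify_blocked_uri(blocked_uri: str) -> str:
    """Sort a violation into the questions a report-only rollout has to answer."""
    if blocked_uri in ("inline", "eval"):
        return "inline-or-eval"    # a page still uses inline script/eval, or something injected one
    if blocked_uri.startswith(("http://", "https://")):
        return "external-source"   # a host missing from the allowlist, or a foreign script
    return "other"


def triage_report(body: str) -> Dict[str, str]:
    """Pull the useful fields out of a POST to /csp-violation-report."""
    report = json.loads(body).get("csp-report", {})
    blocked = report.get("blocked-uri", "")
    return {
        "document": report.get("document-uri", ""),
        "directive": report.get("effective-directive") or report.get("violated-directive", ""),
        "blocked_uri": blocked,
        "kind": classify_blocked_uri(blocked),
    }


# Constructed sample, in the format browsers POST (JSON body, top-level "csp-report").
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://mail.example.test/dashboard",
    "violated-directive": "script-src",
    "effective-directive": "script-src",
    "blocked-uri": "inline",
    "original-policy": build_csp(POLICY),
}})
```

During the migration window every "inline" report is ambiguous: it is either one of the pages that still carries inline script, or an injection that the enforcing policy would have stopped. Counting reports per document-uri separates the two quickly, since legitimate inline script produces the same report from every visitor of the same page.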

3. Credential Sanitization (SECURITY FIX)

Problem: Database error messages could expose MySQL credentials in logs

Impact: Sensitive credentials visible in error output

Fix: Enhanced error handling with credential scrubbing before logging

File: openefa-files/email_filter.py
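One way to do the scrubbing, as an added example that is not OpenEFA's email_filter.py: a logging.Formatter subclass that masks credentials in the fully rendered record, so %-style arguments and the traceback text that logger.exception() appends are covered as well as the message itself. It assumes credentials leak in two shapes, a connection URL (mysql://user:password@host/db) and a password keyword in a DSN, config dump or driver error; the log messages are constructed, not taken from a real host.

```python
"""Scrub database credentials from log output before it is written.

Added example, not OpenEFA's email_filter.py. It assumes credentials can
leak in two shapes: a connection URL (mysql://user:password@host/db) and a
password keyword in a DSN, config dump or driver error (password='...').
The log messages are constructed, not taken from a real host.
"""
import io
import logging
import re

_RULES = [
    # scheme://user:PASSWORD@host  ->  scheme://user:****@host
    (re.compile(r"(\b[a-z][a-z0-9+.-]*://[^:/\s@]+:)([^@\s]+)(@)", re.IGNORECASE), r"\1****\3"),
    # password=VALUE, passwd='VALUE', DB_PASSWORD: "VALUE"  ->  same keyword, masked value
    (re.compile(r"((?:password|passwd|pwd)\s*[=:]\s*)(['\"]?)([^'\"\s,;)]+)\2", re.IGNORECASE), r"\1\2****\2"),
]


def scrub(text: str) -> str:
    """Apply every masking rule; idempotent, so already-scrubbed text is unchanged."""
    for pattern, replacement in _RULES:
        text = pattern.sub(replacement, text)
    return text


class ScrubbingFormatter(logging.Formatter):
    """Scrub the rendered record, so %-args and appended tracebacks are covered too.

    A logging.Filter would only see record.msg; the formatter sees the final
    string, including the exception text that logger.exception() attaches.
    """
    def format(self, record: logging.LogRecord) -> str:
        return scrub(super().format(record))


def render(message: str, *args, exc_info: bool = False) -> str:
    """Log one ERROR record through the scrubbing formatter and return what was written."""
    buffer = io.StringIO()
    handler = logging.StreamHandler(buffer)
    handler.setFormatter(ScrubbingFormatter("%(levelname)s %(message)s"))
    logger = logging.getLogger("openefa.scrub.example")
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addHandler(handler)
    try:
        logger.error(message, *args, exc_info=exc_info)
    finally:
        logger.removeHandler(handler)
    return buffer.getvalue()


def failed_connect_log() -> str:
    """Simulate a driver error whose message carries the DSN (a constructed failure)."""
    dsn = "mysql://spacy:S3cr3t!pw@127.0.0.1:3306/spacydb"
    try:
        raise ConnectionError(f"Can't connect using {dsn} (password='S3cr3t!pw')")
    except ConnectionError:
        return render("Database connection failed", exc_info=True)


if __name__ == "__main__":
    print(render("DB connect failed: %s", "mysql://spacy:S3cr3t!@db/spacydb"), end="")
    print(failed_connect_log(), end="")
```

Install the formatter on every handler that can receive database errors, not just the main log file: a separate debug handler or a journald handler with the default formatter reintroduces the leak.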

4. Postfix Mail Loop Prevention (CRITICAL OPERATIONAL FIX)

Problem: mydestination parameter included hosted domains, causing routing loops

Impact: Mail loops, bounces, delivery failures

Fix: Set mydestination = localhost only, removed hosted domains

Technical Details: Hosted domains are handled via virtual_mailbox_domains, not mydestination. A domain listed in both is treated as a local domain: Postfix hands it to the local transport instead of the virtual transport that relays to the API endpoints, and logs a warning of the form "do not list domain example.com in BOTH mydestination and virtual_mailbox_domains". Seeing that warning in the mail log is the quickest way to confirm a host is affected.

Files: templates/postfix/main.cf, templates/postfix/main.cf.template

5. Domain Relay Configuration (OPERATIONAL FIX)

Problem: Multi-domain setups failing to relay correctly

Impact: Some domains not receiving mail

Fix: Corrected virtual_mailbox_domains and transport_maps configuration

File: templates/postfix/main.cf
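A check for the condition behind fixes 4 and 5, added here as an example and not part of the OpenEFA installer or its templates: parse a main.cf and report every domain that sits in more than one Postfix domain class. It generalises the mydestination/virtual_mailbox_domains case to all four classes (mydestination, virtual_alias_domains, virtual_mailbox_domains, relay_domains), since Postfix expects each domain in exactly one of them. Both main.cf texts below are constructed to show the bad and the fixed layout.

```python
"""Flag domains that appear in more than one Postfix domain class.

Added example, not part of the OpenEFA installer or its templates. Postfix
wants each domain in exactly one of mydestination, virtual_alias_domains,
virtual_mailbox_domains and relay_domains; a domain in both mydestination
and virtual_mailbox_domains goes to the local transport (and Postfix logs
"do not list domain ... in BOTH mydestination and virtual_mailbox_domains"),
which is how the loop above arises. Both main.cf texts are constructed.
"""
import re
import sys
from typing import Dict, List, Set

DOMAIN_CLASSES = ("mydestination", "virtual_alias_domains", "virtual_mailbox_domains", "relay_domains")

# Constructed "before": hosted domains listed in both classes.
BROKEN_MAIN_CF = """\
# hypothetical pre-1.5.7.7 layout
myhostname = mx.example.test
mydestination = localhost, $myhostname,
    example.test, example.org
virtual_mailbox_domains = example.test, example.org
transport_maps = hash:/etc/postfix/transport
"""

# Constructed "after": mydestination is localhost only, as the fix describes.
FIXED_MAIN_CF = """\
myhostname = mx.example.test
mydestination = localhost
virtual_mailbox_domains = example.test, example.org
transport_maps = hash:/etc/postfix/transport
"""


def parse_main_cf(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines; a line starting with whitespace continues the previous value."""
    params: Dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def expand(value: str, params: Dict[str, str]) -> str:
    """Resolve $name / ${name} references one level deep (enough for $myhostname-style use)."""
    return re.sub(r"\$\{?(\w+)\}?", lambda m: params.get(m.group(1), ""), value)


def domain_set(params: Dict[str, str], name: str) -> Set[str]:
    """Domains literally listed for one parameter; lookup tables (hash:, mysql:) are skipped."""
    tokens = re.split(r"[,\s]+", expand(params.get(name, ""), params))
    return {t.lower() for t in tokens if t and ":" not in t}


def find_overlaps(main_cf_text: str) -> List[str]:
    """Return one finding per domain that sits in two classes; an empty list means clean."""
    params = parse_main_cf(main_cf_text)
    sets = {cls: domain_set(params, cls) for cls in DOMAIN_CLASSES}
    findings = []
    for i, a in enumerate(DOMAIN_CLASSES):
        for b in DOMAIN_CLASSES[i + 1:]:
            for domain in sorted(sets[a] & sets[b]):
                findings.append(f"{domain} listed in BOTH {a} and {b}")
    return findings


if __name__ == "__main__":
    # Usage: postconf -n | python3 check_domain_classes.py   (bare run shows the constructed demo)
    text = sys.stdin.read() if not sys.stdin.isatty() else BROKEN_MAIN_CF
    for finding in find_overlaps(text) or ["no domain-class overlaps"]:
        print(finding)
```

Feeding it the output of postconf -n rather than the raw file means $variable references and continuation lines are already resolved by Postfix itself; domains that live in a lookup table (hash:, mysql:) are not expanded here and need a postmap -q check of their own.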

6. Configuration File Location Handling (OPERATIONAL FIX)

Problem: Scripts hardcoded wrong paths for config files

Impact: Database connection failures, startup errors

Fix: Standardized config paths to /opt/spacyserver/config/

Files: lib/database.sh, lib/services.sh, lib/postfix.sh

7. Session Timeout Standardization (SECURITY ENHANCEMENT)

Problem: Admins had 60-minute timeout, superadmins had 30-minute timeout

Impact: Admin sessions stayed valid twice as long as superadmin sessions, so an unattended or stolen admin session was usable for an extra 30 minutes

Fix: All roles now use 30-minute timeout for consistency

File: openefa-files/web/app.py

Update Instructions

Option 1: Automatic Update (Recommended)

Run the update script:

sudo /opt/spacyserver/tools/update.sh

The update script will:

  • Automatically backup your installation
  • Download v1.5.7.7 from GitHub
  • Preserve all your configuration
  • Restart services
  • Validate everything is working

Update time: ~2-3 minutes

Option 2: Manual Update

# Backup first!
sudo cp -r /opt/spacyserver /opt/spacyserver-backup-$(date +%Y%m%d)

# Download and run installer
cd /tmp
git clone https://github.com/openefaadmin/openefa-installer.git
cd openefa-installer
sudo ./install.sh

Important Notes

Known Issue & Hotfix (v1.5.7.7.1)

If you updated to v1.5.7.7 between October 20 20:14 UTC and October 20 20:17 UTC, you may have received a version with a CSP configuration bug causing HTTP 500 errors on the web interface.

Symptom: Web interface returns "Internal Server Error"
Error in logs: TypeError: can only join an iterable

Fix: Re-run the update script, which pulls hotfix v1.5.7.7.1 (commit e3f70ba):
sudo /opt/spacyserver/tools/update.sh

Post-Update Verification

Run these commands to verify your update:

# Check version
cat /opt/spacyserver/VERSION
# Should show: VERSION=1.5.7.7

# Verify all services running
systemctl status spacyweb spacy-db-processor spacy-release-api \
  spacy-whitelist-api spacy-block-api

# Test web interface (should return HTTP 302 redirect to login)
curl -I https://localhost:5500 -k

# Check for CSP headers in response
# Should see: Content-Security-Policy-Report-Only header
curl -sIk https://localhost:5500 | grep -i '^content-security-policy'

Full Changelog

  • Version: 1.5.7.7
  • Released: October 20, 2025
  • Commit: 91e3682 (with CSP hotfix e3f70ba)
  • Modified Files: 12 files
  • New Documentation: 6 files, 76KB
  • Total Changes: 2,865 insertions, 106 deletions

New Documentation Files

  • CHANGES_v1.5.7.7.md - Comprehensive changelog
  • CSRF_PROTECTION_FIX_v1.5.7.7.md - CSRF implementation details
  • CSP_IMPLEMENTATION_v1.5.7.7.md - CSP header documentation
  • POSTFIX_LOOP_FIX_v1.5.7.7.md - Mail loop technical details
  • DOMAIN_RELAY_FIX_v1.5.7.7.md - Domain relay configuration
  • CONFIG_LOCATION_FIX_v1.5.7.7.md - Config path standardization

Need Help?

Update Issues?

  • Check backup location: /opt/spacyserver-backup-[timestamp]/
  • View update log: /tmp/openefa-update-[timestamp].log

Still Having Problems?

  1. Check service logs: journalctl -u spacyweb -n 50
  2. Verify Redis: redis-cli ping
  3. Post on the forum at forum.openefa.com with error details

Rollback (if needed):

sudo systemctl stop spacyweb spacy-db-processor spacy-release-api \
  spacy-whitelist-api spacy-block-api
sudo mv /opt/spacyserver /opt/spacyserver-failed
sudo mv /opt/spacyserver-backup-[timestamp] /opt/spacyserver
sudo systemctl start spacyweb spacy-db-processor spacy-release-api \
  spacy-whitelist-api spacy-block-api

Statistics

  • Total Installations Affected: All versions prior to 1.5.7.7
  • Security Issues Fixed: 3 (CSRF, CSP, credential exposure)
  • Operational Issues Fixed: 4 (mail loops, relay, config paths, sessions)
  • Lines of Code Changed: 2,971
  • Testing Status: Fully tested on production systems

About OpenEFA

OpenEFA is an AI-powered email security platform, bringing enterprise-grade email security to organizations of all sizes. Built on advanced AI-powered filtering with OpenSpacy modules, OpenEFA provides transparent protection with competitive pricing.

Questions or Issues?

Visit forum.openefa.com to get help from the OpenEFA community, or check the GitHub repository for complete documentation.

Repository: github.com/openefaadmin/openefa-installer

Latest Commit: e3f70ba (includes CSP hotfix)
