MX Admin

System Modification & Feature Changelog
v26.06.04-1 Current Release
Security Hardening
  • TOTP Replay Protection: Added last_totp_step tracking to iredadmin_2fa; a TOTP code accepted for a given 30-second window cannot be reused, preventing replay attacks within that window.
  • Session Fixation Mitigation: The session ID is now regenerated immediately after a successful password check when 2FA is pending, closing a window where a fixed session ID could be exploited during the two-step login flow.
  • Timezone Input Validation: Timezone values submitted via POST are now validated against PHP's timezone_identifiers_list() before being stored; invalid values fall back to the server default.
  • Path Disclosure Removed: The fatal error displayed when Composer dependencies are missing no longer includes the server filesystem path.
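As an added illustration in Python (not the project's PHP code), the replay check described above: a TOTP code is accepted only if its 30-second step is newer than the stored last_totp_step, so a code already used in a window is rejected if presented again; the TwoFactorRecord class, its field shape and the +/-1 step tolerance are assumptions of this example.

```python
import hashlib
import hmac
import struct

TOTP_STEP = 30  # RFC 6238 default window length in seconds

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def totp_step(unix_time: int) -> int:
    """Index of the 30-second window that contains unix_time."""
    return unix_time // TOTP_STEP

class TwoFactorRecord:
    """Hypothetical stand-in for a per-admin iredadmin_2fa row: the shared
    secret plus the newest step whose code has already been accepted."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_totp_step = -1  # nothing accepted yet

def verify_totp(rec: TwoFactorRecord, code: str, now: int, skew: int = 1):
    """Return (accepted, reason). The code must match a step within +/- skew
    of the current one AND that step must be newer than rec.last_totp_step.
    On success the step is persisted, so the same code presented again in
    the same window is refused as a replay instead of being accepted twice."""
    if not (code.isascii() and code.isdigit()):
        return False, "invalid"
    current = totp_step(now)
    for step in range(current - skew, current + skew + 1):
        if hmac.compare_digest(hotp(rec.secret, step), code):
            if step <= rec.last_totp_step:
                return False, "replay"
            rec.last_totp_step = step
            return True, "ok"
    return False, "invalid"
```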
v26.5.10-1 June Release
Advanced SOGo Integration
  • Activity Monitoring: The Mailboxes list now displays last SOGo webmail activity (⬡) alongside standard mail client activity (✉), utilizing data from the sogo_cache_folder.
  • Session & Data Management: Added administrative controls to the mailbox edit modal to terminate active SOGo web sessions and a double-confirmed "Wipe SOGo Data" feature for calendars, contacts, and preferences.
  • Global SOGo Oversight: Introduced a new SOGO navigation group for global admins to monitor and revoke calendar/contact sharing rules (ACLs) across the entire system.
  • Administrative Rights: The Admins view now includes the sogo_admin table with direct grant/revoke controls for SOGo super-admin status.
  • Dashboard Metrics: Integrated a new SOGo Sessions stat card to track total active web sessions in real-time.
Automated Cleanup & Maintenance
  • Roundcube Integration: Mailbox deletion (single or bulk) now triggers an automated cleanup of all associated Roundcube data, including identities, contacts, and filestore.
  • Database Integrity: Cleanup logic is ordered to respect foreign key constraints (e.g., removing group members before contacts).
  • SOGo Deletion Sync: Deleting a mailbox now automatically purges all related SOGo data to maintain storage efficiency and data privacy.
  • Robust Execution: Cleanup operations are designed to be non-blocking; failures are logged server-side without interrupting the primary mailbox deletion process.
v26.5.7-1 May Release
Security & Hardening
  • XSS Prevention: Implemented output escaping for flash messages in layout_top.php to prevent Cross-Site Scripting. Intentional markup in system messages has been converted to plain text for safe rendering.
  • Iframe Sandboxing: Hardened the Changelog srcdoc iframe by removing the allow-same-origin attribute, further isolating embedded content from the parent window.
  • Default Proxy Logic: Updated the configuration template to set BEHIND_PROXY to false by default. This ensures new direct installations are protected against IP spoofing unless the administrator explicitly enables proxy support.
Bug Fixes & Mail Queue
  • Queue Management: Resolved an issue where the "Flush Queue" button was non-functional. Added the required backend handler in actions.php to execute postqueue -f.
  • Operational Auditing: All manual queue flushes are now restricted to global administrators and are recorded in the system audit log.
v26.5.4-10 May Release
Enhanced Login Security
  • Unified Thresholds: Introduced the LOGIN_BLOCK_ATTEMPTS setting in config.php (default 5), creating a single threshold for password, 2FA, and username-based failures.
  • Username Attack Protection: Implemented logic to block IPs targeting specific usernames; if the threshold number of failed attempts is reached against one account within 15 minutes, the triggering IP is blocked with the reason "Username attack".
  • Reason Classification: The Blocked IPs page now features distinct visual badges for "Login failures (IP)", "2FA failures", "Username attack", and "Manual" block reasons.
Notification & State Management
  • Persistent Notification State: Added a seen column to the iredadmin_blocked_ips table, allowing the "unseen" status of blocks to persist in the database rather than volatile sessions.
  • Smart Badge Counts: The SYSTEM navigation badge now specifically counts only unseen blocked IPs, providing a more accurate alert for new security events.
  • Administrative Sync: The badge count remains consistent across all admin accounts and survives logouts; visiting the Blocked IPs page automatically marks all current blocks as seen for the entire system.
v26.5.4-8 May Release
Reverse Proxy & IP Handling
  • BEHIND_PROXY Support: Added a BEHIND_PROXY toggle in config.php (defaulting to false) to allow reading client IPs from the X-Real-IP header.
  • Security: Direct installations remain secure by default, as the false setting prevents header-based IP spoofing.
  • Audit Consistency: Resolved issues where the proxy IP was erroneously recorded; both the audit log and the admin last-login table now correctly identify the real client IP based on proxy settings.
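An added Python sketch (not the project's PHP) of the BEHIND_PROXY client-IP rule in this release together with the unified LOGIN_BLOCK_ATTEMPTS threshold, rolling 15-minute window and block-reason classification described under v26.5.4-10 above; the LoginGuard class, its in-memory storage and the precedence between reasons are assumptions of this example.

```python
from collections import deque
from dataclasses import dataclass, field

WINDOW = 15 * 60          # failures are counted over a rolling 15-minute window
LOGIN_BLOCK_ATTEMPTS = 5  # single threshold, mirroring the config.php default

def client_ip(remote_addr: str, headers: dict, behind_proxy: bool) -> str:
    """Honour X-Real-IP only when BEHIND_PROXY is on; with it off, a direct
    client could otherwise spoof its address (and dodge blocks) via the header."""
    if behind_proxy and headers.get("X-Real-IP"):
        return headers["X-Real-IP"].strip()
    return remote_addr

@dataclass
class LoginGuard:
    """In-memory stand-in (assumed shape) for the iredadmin_blocked_ips table and counters."""
    threshold: int = LOGIN_BLOCK_ATTEMPTS
    by_ip: dict = field(default_factory=dict)    # ip -> deque of (ts, kind)
    by_user: dict = field(default_factory=dict)  # username -> deque of (ts, ip)
    blocked: dict = field(default_factory=dict)  # ip -> block reason

    @staticmethod
    def _prune(hits: deque, now: int) -> None:
        """Drop entries older than the window so counts are rolling, not lifetime."""
        while hits and hits[0][0] <= now - WINDOW:
            hits.popleft()

    def record_failure(self, ip: str, username: str, now: int, kind: str = "password"):
        """Record one failed attempt (kind is "password" or "2fa") and return the
        block reason if the IP is now blocked, else None. The precedence between
        reasons below is this example's assumption, not the project's rule."""
        if ip in self.blocked:
            return self.blocked[ip]
        ip_hits = self.by_ip.setdefault(ip, deque())
        user_hits = self.by_user.setdefault(username, deque())
        self._prune(ip_hits, now)
        self._prune(user_hits, now)
        ip_hits.append((now, kind))
        user_hits.append((now, ip))
        kinds = [k for _, k in ip_hits]
        if len(user_hits) >= self.threshold:
            # one account hammered, possibly from rotating addresses: block the latest
            self.blocked[ip] = "Username attack"
        elif kinds.count("2fa") >= self.threshold:
            self.blocked[ip] = "2FA failures"
        elif kinds.count("password") >= self.threshold:
            self.blocked[ip] = "Login failures (IP)"
        return self.blocked.get(ip)
```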
Bulk Operations & UI Refinement
  • Mailbox Bulk Deletion: Introduced a "Delete selected" button to the mailbox action bar with a configurable "Retention" period dropdown (defaulting to +1 month).
  • Admin Protection: Selection logic now identifies and skips administrator accounts during bulk deletions, reporting these skipped accounts in the result message.
  • Queue Integration: Deleted mailboxes are automatically moved to the standard retention queue for consistency.
  • Dashboard Cleanup: Removed the systemctl permission notice from the dashboard view for a cleaner interface.
v26.5.4-5 May Release
Proxy & Network Configuration
  • Proxy Support: Introduced a new behind_proxy setting in config.php to properly handle header processing when the application is placed behind a load balancer or reverse proxy.
  • Network Flexibility: Enhanced routing logic to allow for seamless switching between direct access on the localnet and external access via reverse proxying.
v26.5.4-4 May Release
Rebranding & Routing
  • Product Identity: Formally renamed the application from iRedAdmin Custom to MX Admin.
  • URL Schema: Updated the primary access path; the application is now served via the /mxa/ subdirectory.
  • Global Updates: Refactored internal references, page titles, and navigation links to reflect the new MX Admin branding.
v26.5.4-2 May Release
Login Protection & IP Blocking
  • Automated Thresholds: IPs are automatically blocked after 11+ failed password attempts or 5+ failed 2FA attempts within a 15-minute window.
  • Persistent Storage: Blocked addresses are now stored in the iredadmin_blocked_ips database table, ensuring protection persists across server restarts.
  • UX Improvements: Implemented a dedicated "Access Blocked" landing page that displays the user's IP, the specific reason for the block, and the timestamp.
Blocked IPs Management (Global Admin)
  • Management Interface: Added a new view under SYSTEM → Blocked IPs to monitor all active blocks, including attempt counts and block types (auto vs. manual).
  • Administrative Control: Enabled manual IP blocking and single-click unblocking; all actions are CSRF-protected and recorded in the audit log.
  • UI Indicators: Integrated dynamic red notification badges on the SYSTEM navigation label and the Blocked IPs link to alert admins when active blocks exist.
v26.5.3-2 May Release
Database Logic Corrections
  • Distribution List Schema: Fixed an issue in the user creation and group assignment logic where vmail.forwardings.is_mailist was being targeted incorrectly.
  • Field Mapping: Updated the update query to correctly populate vmail.forwardings.is_list.
  • Forwarding Status: Implemented necessary updates to the vmail.forwardings.is_forwarding flag to ensure proper mail routing for group members.
v26.5.2-52 May 2026
Application Hardening
  • Session Security: Enforced secure, httponly, and samesite => 'Lax' cookie settings so the session cookie is sent only over HTTPS, is not readable by script (blunting XSS-based hijacking), and is withheld from cross-site requests (CSRF).
  • Security Headers: Implemented a full suite of headers: HSTS (Force HTTPS), CSP (local assets only), X-Frame-Options (Clickjacking defense), and X-Content-Type-Options (MIME-sniffing prevention).
  • Brute-Force Protection: Added database-backed rate limiting for login and 2FA attempts; IPs are temporarily blocked after exceeding thresholds within a 15-minute window.
Infrastructure & 2FA Privacy
  • Local QR Generation: Migrated 2FA QR code generation from third-party APIs to the local server using chillerlan/php-qrcode. Secrets are now processed entirely on-site.
  • Nginx Hardening: Updated deployment configurations to strictly block /app/ and /vendor/ directories and return 404s for unauthorized file targets.
  • Enhanced Auditing: Logout actions are now recorded in the audit log for complete session lifecycle tracking.
v26.5.2-24 May 2026
Layout Enhancements
  • Sticky Footers: Implemented sticky footer logic to ensure the footer remains at the bottom of the viewport regardless of content length.
v26.5.2-23 May 2026
UI Architecture & Navigation
  • Persistent Navigation: Converted Site Header and Navigation to position: fixed for constant menu availability.
  • Action Bar Relocation: Moved primary action buttons into dedicated bars directly above data tables.
  • Modal Workflow: Replaced static creation forms with groupModal for a focused administrative experience.
v26.5.2-14 May 2026
Hierarchical Navigation Refactoring
  • Consolidated Views: Organized Dashboard, Admins, Domains, Mail Queue, and Audit Log under core SYSTEM, ACCOUNTS, and ROUTING categories.
  • Service Monitoring: Integrated SOGo alongside Postfix, Dovecot, and MariaDB with network socket verification.
v26.4.30-17 April 2026
Security & Protocol Management
  • Two-Factor Authentication: Enabled 2FA support for both Global and Domain administrator logins.
  • Per-User Protocol Control: Added granular options to enable or disable specific mailbox protocols (SOGo, IMAP, SMTP, POP3) on a per-user basis.
Bug Fixes & UI Enhancements
  • Audit Log Correction: Resolved an issue where audit log date ranges were displaying incorrectly; fixed logic handling UTC and browser timezone conversions.
  • MX Selection Guidance: Enhanced the Domain Edit interface to display an informational icon explaining MX selection logic.
v26.4.30-12 May 2026
Configurable Dashboards & Global Controls
  • Dashboard Visibility: Added a configuration parameter to toggle the visibility of the "Recent Activity" panel on the dashboard.
  • Metric Granularity: New parameters added to config.php to define the specific number of recent admin logins and failed logins displayed.
  • Audit Management: Implemented a configurable cap for the maximum number of logs displayed within the audit log view.
Audit Log Intelligence
  • Advanced Filtering: Introduced a dropdown menu to filter audit logs by specific action types.
  • Temporal Selection: Added quick-filter options to view logs for Today, Yesterday, This Week, or a custom number of days.
  • Visual Alignment: Right-justified the display for the last X lines of administrative actions for improved readability.
Domain & System Refinements
  • Interface Cleanup: Modernized the domains page by replacing verbose "no delete" text with clean information icons featuring hover-over tooltips.
  • Safe Deletion: Enhanced domain deletion workflow for empty domains to show counts of forwarders, aliases, and catch-all addresses during confirmation.
  • Timezone Standardization: Updated system logic to store all SQL timestamps in UTC while dynamically rendering dates in the browser's local timezone.
v26.4.30-7 April 2026
Global Admin Dashboard
  • Intelligence Hub: Implemented a new default landing page for Global Admins featuring high-level metrics for mailboxes, domains, and storage used.
  • System Health: Added retention queue monitoring, recent audit activity, and quota usage analytics (Top 5 users and accounts near capacity).
  • Performance: Optimized data retrieval via lightweight summary queries per dashboard panel.
Mailbox Management & UI
  • Real-time Filtering: Added JavaScript-driven search for the mailbox table that filters across username, display name, department, and ID with URL hash persistence.
  • Bulk Actions: Implemented checkbox selection for multi-user Suspend, Activate, and Delete operations with server-side validation and confirmation prompts.
  • Password Security: Integrated a 16-character mixed-case password generator directly within the mailbox creation and edit modals.
  • Visual Quota Warnings: Added color-coded progress bars for mailbox usage (Green < 70%, Amber 70-90%, Red > 90%).
System Operations & Tracking
  • Retention Restoration: Added "Restore" functionality to the retention queue, allowing for seamless recovery of mailbox records and alias data.
  • Access Monitoring: Introduced a new background parser (app/cron/parse_dovecot_log.php) and database table to track and display user "Last Login" details and source IPs.
  • Modal Enhancements: Added an inline Alias management section to the mailbox edit modal for faster per-user routing updates while maintaining the global Aliases tab.
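An added example, not the project's app/cron/parse_dovecot_log.php, showing how a Dovecot login log can be reduced to per-user last-login details and source IPs as described above; the log lines are constructed, the syslog year is supplied by the caller, and the log is assumed to be written in UTC.

```python
import re
from datetime import datetime, timezone

# Successful Dovecot logins carry the service (imap-login / pop3-login), the
# user and the remote IP (rip=). Failed or disconnected sessions never say "Login:".
LOGIN_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+"
    r"dovecot: (?P<proto>imap|pop3|managesieve)-login: Login: user=<(?P<user>[^>]*)>"
    r".*?\brip=(?P<rip>[0-9A-Fa-f.:]+)"
)

# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
Mar  3 09:12:01 mx dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=203.0.113.10, lip=192.0.2.5, mpid=4242, TLS, session=<aaa111>
Mar  3 09:15:30 mx dovecot: imap-login: Login: user=<bob@example.com>, method=PLAIN, rip=198.51.100.22, lip=192.0.2.5, mpid=4250, TLS, session=<bbb222>
Mar  3 09:20:00 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol@example.com>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.5, TLS, session=<ccc333>
Mar  3 10:01:45 mx dovecot: pop3-login: Login: user=<alice@example.com>, method=PLAIN, rip=203.0.113.10, lip=192.0.2.5, mpid=4301, TLS, session=<ddd444>
"""

def parse_login_line(line: str, year: int):
    """Return {user, proto, rip, ts} for a successful login line, else None.
    Syslog timestamps omit the year, so the caller supplies it; the log is
    assumed to be in UTC, matching the app's UTC storage of timestamps."""
    m = LOGIN_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {int(m['day']):02d} {m['time']}",
                           "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"user": m["user"], "proto": m["proto"], "rip": m["rip"], "ts": ts}

def last_logins(log_text: str, year: int) -> dict:
    """Reduce a log to the most recent successful login per user: the rows a
    'Last Login' table would be populated from."""
    latest = {}
    for line in log_text.splitlines():
        rec = parse_login_line(line, year)
        if rec and (rec["user"] not in latest or rec["ts"] > latest[rec["user"]]["ts"]):
            latest[rec["user"]] = rec
    return latest
```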
v26.4.30-3 April 2026
Distribution & Verification
  • Repository Completeness: Restored the missing config.php file to the main repository; it is now included as a standard part of the packaged version.
  • Version Awareness: Implemented a direct link to the changelog within the application to allow for manual verification of the current version status.
v26.4.29-8 April 2026
Session & Resource Management
  • Configurable Session Expiry: Introduced session_timeout in config.php to allow modification of the 1-hour default.
  • Quota Visualization: Changed domain quota display to show the true value instead of an editable input field.
v26.4.29-2 April 2026
Architectural Refactoring
  • Modular Codebase Transition: Migrated from a monolithic single-file structure to a clean, multi-file MVC-style architecture.
  • Externalized Configuration: Sensitive credentials moved to /etc/iredadmin/config.php.
  • Nginx Template Security: Updated /etc/nginx/templates/iredadmin-custom.tmpl to protect the app/ directory.
v26.4.29-1 April 2026
UI & Visual Overhaul
  • Mailbox Table Modernization: Replaced legacy dense text with a high-clarity Role / Contact column, including dynamic blue department badges and yellow Admin status badges.
  • Clean View Logic: Reduced visual clutter by hiding empty departments, admin rights, or mobile numbers.
  • Global Expansion: Expanded timezone selection to ~90 entries, covering Australia/Pacific, Asia, Europe, Americas, Africa, Middle East, and UTC.
Enforcement & Validation Logic
  • Limit Enforcement: Integrated strict domain-level resource enforcement for mailboxes, aliases, and groups.
  • MX Conflict Prevention: Enhanced validation to prevent Backup MX marking if existing records (mailboxes, aliases, groups) exist.
v26.4.28-6 April 2026
Database & Sync Optimization
  • MariaDB Compliance: Updated logic to save NULL values instead of empty strings for strict database compatibility.
  • Counter Synchronization: Optimized domain counter sync for forwarders, aliases, and mailing lists.
UI & UX Refinements
  • Visual Metrics: Implemented the infinity symbol (∞) for unlimited mailbox sizes.
  • Contextual Administration: Enabled forwarding and catch-all management specifically when MX is enabled.
v26.4.28-5 April 2026
Security & Auditing
  • Audit Logging: Centralized log to track administrative changes.
  • Status Management: Toggle users/domains between "Active" and "Suspended".
  • Spam Filters: Integrated Whitelist and Blacklist helper management.
User & UI Enhancements
  • Localized Defaults: Default timezone set to Australia/Brisbane.
  • Mobile Integration: Dedicated Mobile field using 04xx xxx xxx format.
  • Interface Cleanup: Streamlined user creation via global domain association.
v26.4.28-3 Initial Public Release
Authentication & Access Control
  • Hierarchical Permissions: Scoped access control for Domain Admins vs. Global Admins.
  • Administrative Management: Functionality to grant/revoke administrator privileges.
Mailbox & User Management
  • Full User Life-cycle: Tools for creating, editing, and deleting mailboxes.
  • Retention Management: Controls for viewing and extending deletion dates for archived accounts.
Domain & Routing Configuration
  • Domain Control: Management of primary and alias domains.
  • Mailing Groups: Management of group names and member lists.
  • Forwarding & Aliases: Control over individual forwarders and account aliases.
  • Catch-All Logic: Support for domain-wide catch-all addresses.