OpenEFA v1.5.7.7 Released - Critical Security & Operational Fixes

Posted on OpenEFA.com | October 20, 2025 | By the OpenEFA Team

CRITICAL UPDATE - Update Immediately

Severity: HIGH - Contains critical security and operational fixes affecting all versions prior to v1.5.7.7. If you're running v1.5.7.6 or earlier, you should update as soon as possible.

Version 1.5.7.7 addresses 7 critical issues that affect both security and email delivery functionality, including CSRF vulnerabilities, missing XSS protection, and Postfix mail routing loops.

Why You Need to Update NOW

Security Vulnerabilities Fixed:

  • Missing CSRF Protection - Web interface endpoints were vulnerable to Cross-Site Request Forgery attacks
  • No XSS Protection Headers - Missing Content Security Policy (CSP) headers
  • Credential Exposure Risk - Database credentials could appear in error logs

Operational Issues Fixed:

  • Postfix Mail Loop - Misconfigured mydestination causing mail routing loops
  • Broken Domain Relay - Multi-domain configurations failing to relay properly
  • Configuration File Errors - Scripts looking in wrong paths for config files
  • Session Timeout Inconsistency - Different timeouts for admin/superadmin roles

What's Fixed in v1.5.7.7

1. CSRF Protection (CRITICAL SECURITY FIX)

Problem: All POST/PUT/DELETE endpoints lacked CSRF token validation

Impact: Attackers could perform unauthorized actions on behalf of logged-in users

Fix: Flask-WTF CSRF protection now enforces tokens on all state-changing operations

File: openefa-files/web/app.py

2. Content Security Policy Headers (SECURITY ENHANCEMENT)

Problem: No XSS protection headers

Impact: Vulnerable to Cross-Site Scripting attacks

Fix: Implemented a comprehensive CSP in report-only mode (Content-Security-Policy-Report-Only) using flask-talisman; in this mode violations are reported rather than blocked, so the policy can be tuned before enforcement

Features:

  • Restricts script sources to trusted CDNs only
  • Blocks inline scripts (with temporary exceptions during migration)
  • Prevents clickjacking with frame-ancestors
  • Violation reporting to /csp-violation-report

3. Credential Sanitization (SECURITY FIX)

Problem: Database error messages could expose MySQL credentials in logs

Impact: Sensitive credentials visible in error output

Fix: Enhanced error handling with credential scrubbing before logging

File: openefa-files/email_filter.py
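The release notes do not publish the scrubbing code itself. As an added illustration (not the project's email_filter.py), here is one way to scrub credentials from database error text before it reaches the log, using only the standard library; the sample error strings, host names and the password value are constructed.

```python
import logging
import re

# Constructed sample error strings in the shape the release notes describe
# (database errors whose text carries connection credentials); all values are fake.
SAMPLE_ERRORS = [
    "Could not connect: mysql://efa_app:S3cretPassw0rd@db.internal:3306/openefa",
    "Loaded config: host=db.internal user=efa_app password='S3cretPassw0rd' db=openefa",
    "OperationalError: (2003, \"Can't connect to MySQL server on 'db.internal'\")",
]

# Each pattern keeps the surrounding syntax and replaces only the secret itself.
_PATTERNS = [
    # key/value style: password=..., passwd: '...'
    (re.compile(r"(?i)(\bpass(?:word|wd)?\s*[=:]\s*)(['\"]?)[^\s'\",;]+\2"),
     r"\1\2[REDACTED]\2"),
    # connection URIs: scheme://user:password@host
    (re.compile(r"(\w+://[^:/@\s]+:)[^@\s]+(@)"), r"\1[REDACTED]\2"),
]

def scrub_credentials(message: str, known_secrets=()) -> str:
    """Replace passwords with [REDACTED]. known_secrets are literal values already
    loaded from config (e.g. the DB password) and are removed wherever they appear."""
    for pattern, repl in _PATTERNS:
        message = pattern.sub(repl, message)
    for secret in known_secrets:
        if secret:
            message = message.replace(secret, "[REDACTED]")
    return message

class CredentialScrubFilter(logging.Filter):
    """Scrubs the fully formatted message before any handler writes it."""
    def __init__(self, known_secrets=()):
        super().__init__()
        self.known_secrets = tuple(known_secrets)

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub_credentials(record.getMessage(), self.known_secrets)
        record.args = ()  # message is now pre-formatted; drop the original args
        return True

def filtered_message(fmt: str, *args, known_secrets=()) -> str:
    """Run one log call through the filter and return what would be written."""
    record = logging.LogRecord("openefa", logging.ERROR, "", 0, fmt, args, None)
    CredentialScrubFilter(known_secrets).filter(record)
    return record.getMessage()
```

Attach the filter to the logger (logger.addFilter(CredentialScrubFilter([db_password]))) so every handler receives the scrubbed text.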

4. Postfix Mail Loop Prevention (CRITICAL OPERATIONAL FIX)

Problem: mydestination parameter included hosted domains, causing routing loops

Impact: Mail loops, bounces, delivery failures

Fix: Set mydestination = localhost only, removed hosted domains

Technical Details: Hosted domains are handled via virtual_mailbox_domains, not mydestination. Including them in both causes Postfix to attempt local delivery instead of relaying to API endpoints.

Files: templates/postfix/main.cf, templates/postfix/main.cf.template
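The release notes describe the overlap but do not ship a checker. As an added example (not part of the OpenEFA installer), the script below parses a main.cf fragment and reports any domain listed in both mydestination and virtual_mailbox_domains, the overlap that produces the loop described above; the main.cf fragments and domain names are constructed.

```python
import re

# Constructed main.cf fragments: "before" lists the hosted domains in both
# mydestination and virtual_mailbox_domains, "after" keeps mydestination to localhost.
MAIN_CF_BEFORE = """\
myhostname = mx.example.com
mydestination = $myhostname, localhost.$mydomain, localhost,
    example.com, example.net
virtual_mailbox_domains = example.com, example.net
"""
MAIN_CF_AFTER = """\
myhostname = mx.example.com
mydestination = localhost
virtual_mailbox_domains = example.com, example.net
"""

def parse_main_cf(text: str) -> dict:
    """Parse 'key = value' lines; a line starting with whitespace continues the
    previous value, as in Postfix. Comments and blank lines are skipped."""
    params, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and key is not None:
            params[key] += " " + line.strip()
        elif "=" in line:
            key, _, value = line.partition("=")
            key = key.strip()
            params[key] = value.strip()
    return params

def split_list(value: str) -> list:
    """Postfix list values are separated by commas and/or whitespace."""
    return [v for v in re.split(r"[,\s]+", value) if v]

def expand(value: str, params: dict) -> str:
    """Expand $name / ${name} parameter references (one level is enough here)."""
    return re.sub(r"\$\{?(\w+)\}?", lambda m: params.get(m.group(1), ""), value)

def check_mail_loop(text: str) -> list:
    """Return domains listed in BOTH mydestination and virtual_mailbox_domains; Postfix
    delivers mydestination domains locally, so they never reach the virtual transport."""
    p = parse_main_cf(text)
    hostname = p.get("myhostname", "localhost")
    p.setdefault("mydomain", hostname.partition(".")[2] or hostname)
    dest = p.get("mydestination", "$myhostname, localhost.$mydomain, localhost")
    local = {d.lower() for d in split_list(expand(dest, p))}
    virtual = {d.lower() for d in split_list(expand(p.get("virtual_mailbox_domains", ""), p))}
    return sorted(local & virtual)
```

Postfix itself logs a warning when a domain appears in both parameters; running the check against the installed main.cf before restarting the service catches the overlap earlier.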

5. Domain Relay Configuration (OPERATIONAL FIX)

Problem: Multi-domain setups failing to relay correctly

Impact: Some domains not receiving mail

Fix: Corrected virtual_mailbox_domains and transport_maps configuration

File: templates/postfix/main.cf

6. Configuration File Location Handling (OPERATIONAL FIX)

Problem: Scripts hardcoded wrong paths for config files

Impact: Database connection failures, startup errors

Fix: Standardized config paths to /opt/spacyserver/config/

Files: lib/database.sh, lib/services.sh, lib/postfix.sh

7. Session Timeout Standardization (SECURITY ENHANCEMENT)

Problem: Admins had 60-minute timeout, superadmins had 30-minute timeout

Impact: Inconsistent session lifetime across roles, with admin sessions living twice as long as superadmin sessions

Fix: All roles now use 30-minute timeout for consistency

File: openefa-files/web/app.py

Update Instructions

Option 1: Automatic Update (Recommended)

Run the update script:

sudo /opt/spacyserver/tools/update.sh

The update script will:

  • Automatically backup your installation
  • Download v1.5.7.7 from GitHub
  • Preserve all your configuration
  • Restart services
  • Validate everything is working

Update time: ~2-3 minutes

Option 2: Manual Update

# Backup first!
sudo cp -r /opt/spacyserver /opt/spacyserver-backup-$(date +%Y%m%d)

# Download and run installer
cd /tmp
git clone https://github.com/openefaadmin/openefa-installer.git
cd openefa-installer
sudo ./install.sh

Important Notes

Known Issue & Hotfix (v1.5.7.7.1)

If you updated to v1.5.7.7 between October 20 20:14 UTC and October 20 20:17 UTC, you may have received a version with a CSP configuration bug causing HTTP 500 errors on the web interface.

Symptom: Web interface returns "Internal Server Error"
Error in logs: TypeError: can only join an iterable

Fix: Re-run the update script or manually apply hotfix v1.5.7.7.1:
sudo /opt/spacyserver/tools/update.sh

Post-Update Verification

Run these commands to verify your update:

# Check version
cat /opt/spacyserver/VERSION
# Should show: VERSION=1.5.7.7

# Verify all services running
systemctl status spacyweb spacy-db-processor spacy-release-api \
  spacy-whitelist-api spacy-block-api

# Test web interface (should return HTTP 302 redirect to login)
curl -I https://localhost:5500 -k

# Check for CSP headers in response
# Should see: Content-Security-Policy-Report-Only header

Full Changelog

  • Version: 1.5.7.7
  • Released: October 20, 2025
  • Commit: 91e3682 (with CSP hotfix e3f70ba)
  • Modified Files: 12 files
  • New Documentation: 6 files, 76KB
  • Total Changes: 2,865 insertions, 106 deletions

New Documentation Files

  • CHANGES_v1.5.7.7.md - Comprehensive changelog
  • CSRF_PROTECTION_FIX_v1.5.7.7.md - CSRF implementation details
  • CSP_IMPLEMENTATION_v1.5.7.7.md - CSP header documentation
  • POSTFIX_LOOP_FIX_v1.5.7.7.md - Mail loop technical details
  • DOMAIN_RELAY_FIX_v1.5.7.7.md - Domain relay configuration
  • CONFIG_LOCATION_FIX_v1.5.7.7.md - Config path standardization

Need Help?

Update Issues?

  • Check backup location: /opt/spacyserver-backup-[timestamp]/
  • View update log: /tmp/openefa-update-[timestamp].log

Still Having Problems?

  1. Check service logs: journalctl -u spacyweb -n 50
  2. Verify Redis: redis-cli ping
  3. Post on the forum at forum.openefa.com with error details

Rollback (if needed):

sudo systemctl stop spacyweb spacy-db-processor spacy-release-api \
  spacy-whitelist-api spacy-block-api
sudo mv /opt/spacyserver /opt/spacyserver-failed
sudo mv /opt/spacyserver-backup-[timestamp] /opt/spacyserver
sudo systemctl start spacyweb spacy-db-processor spacy-release-api \
  spacy-whitelist-api spacy-block-api

Statistics

  • Total Installations Affected: All versions prior to 1.5.7.7
  • Security Issues Fixed: 3 (CSRF, CSP, credential exposure)
  • Operational Issues Fixed: 4 (mail loops, relay, config paths, sessions)
  • Lines of Code Changed: 2,971
  • Testing Status: Fully tested on production systems

About OpenEFA

OpenEFA is the open-source successor to the EFA (Email Filter Appliance) project, bringing enterprise-grade email security to organizations of all sizes. Built on advanced AI-powered filtering with OpenSpacy modules, OpenEFA provides transparent, community-driven protection without the enterprise price tag.

Questions or Issues?

Visit forum.openefa.com to get help from the OpenEFA community, or check the GitHub repository for complete documentation.

Repository: github.com/openefaadmin/openefa-installer

Latest Commit: e3f70ba (includes CSP hotfix)
