This shows you the differences between two versions of the page.

whats_new_112 [2018/04/28 19:50]
avon mystic 1.12 Alpha 39 released
whats_new_112 [2018/12/27 21:42] (current)
avon updated to 1.12 a41
Line 3111: Line 3111:
    <​ALPHA 1.12 A39 RELEASED -- April 20, 2018>    <​ALPHA 1.12 A39 RELEASED -- April 20, 2018>
 +===== 1.12 Alpha 40 =====
 + + Door command lines now have %R which will return the user name without
 +   ​underscores in the name.
 + ! Fixed a bug where groups could be created with a duplicate ID.  You may
 +   wish to double check you groups to make sure none of them have the same
 +   ID.
 + ! Fixed a bug in Python GotoXY function that would cause a crash when using
 +   it.
 + + The MUTIL ImportNA function now allows a "​use_ansi"​ default value to be
 +   ​defined when creating message bases.
 + + The MUTIL Echomail Import function now allows a "​use_ansi"​ default value
 +   to be defined when automatically creating message bases.
 + + The MUTIL ImportMessageBase function now allows a "​use_ansi"​ default value
 +   to be defined when creating message bases.
 + + MIS FTP now logs when a SysOp deletes a file from a filebase via FTP
 + + MIS FTP/​NNTP/​SMTP/​POP3 servers now have a better idle/​timeout system which
 +   will cause the server to shutdown more gracefully when exiting MIS with
 +   ​active connections.
 + + New menu command: M! This is a rewrite of the message area index reader
 +   ​rebuilt to work identically to the file base index lister. ​ See the
 +   ​msg_index.ini file for more details. ​ Command line option is the template
 +   name or default to msg_index.ini if none is specified. ​ I am not removing
 +   the old one just yet so that people have time to adapt to the new version
 +   and to test it for issues, but please note the old one will likely be
 +   ​replaced by this new one eventually once the features are all done and
 +   ​tested.
 + + New MPL variable: UserPosts contains the number of posts a user has made
 + + New MPL variable: UserDLs contains the number of downloads user has made
 + + New MPL variable: UserULs contains the number of uploads user has made
 + + Mystic now has a new User Editor which doesn'​t look a whole lot different
 +   than the old one, except that it incorporates some newer ideas that were
 +   ​introduced into the Echomail Node editor that makes jumping around between
 +   pages of information easier. ​ One major thing to note is that you can no
 +   ​longer view user passwords and can now only "​reset"​ user passwords.
 +   Like the other page-based editors you can scroll from the first or last
 +   item to change page, use the tab key, the pageup/down keys, the left
 +   and right arrows, or enter a page number directly to shift between pages.
 + + Mystic now has a password policy in System Configuration where the minimum
 +   ​password length can be set along with number of required capital letters,
 +   ​numbers,​ and symbols. ​ It is highly recommended that the minimum password
 +   ​length is set to at least 7 characters. ​ Some default prompts have been
 +   ​updated to support this new feature: 18, 419, 420. If you have custom
 +   ​themes,​ you should take a look at the new defaults and consider updating
 +   your custom prompts as well.
 + + Mystic now allows the option to store passwords in case insensitive
 +   ​cleartext and case insensitive hashing using industry standard methods for
 +   ​password storage.
 + + Mystic now allows passwords to be stored using PBKDF2 with SHA512-bit
 +   ​hashing at variable configurable iterations. ​ What does this mean?  The
 +   ​biggest benefit is that when enabled, Mystic will never store a user's
 +   ​password anywhere in the BBS system. ​ This system is the same system used
 +   for Password Managers such as LastPass, 1Password and operating systems
 +   such as MacOS. ​ In fact, with its variable iterations Mystic could be
 +   ​considered to be more secure as those products in terms of cracking a
 +   ​user'​s password hash.
 +   Two new options are added into the Password Policy options, the first is a
 +   ​password storage method which has three options:
 +      ClearText Case Insensitive ​      (This was the legacy storage method)
 +      ClearText Case Sensitive
 +      PBKDF2 SHA512 Hash               (This is also case sensitive)
 +   It is highly recommended to use password hashing and stop using cleartext
 +   ​passwords. ​ With password hashing enabled, a person could be given your
 +   ​users.dat and they still would not be able get a user's password.
 +   The second option is VERY important when using PBKDF2 and that is the
 +   ​number of iterations the process will use when hasing a password. ​ The
 +   ​default value is 1000 and may be considered a little low in terms of
 +   ​enterprise level password storage but it works at a reasonable speed for most
 +   ​systems. ​ In general, the higher the number of iterations the more secure it
 +   is, but the longer it will take for Mystic to store or check a password.
 +   ​Setting this value to 10,000 on an original Raspberry Pi for example may
 +   cause Mystic to take 10+ seconds to store or check a password and for many
 +   that may be too slow.
 +   It is recommended that it is kept at 3000 or lower for performance reasons
 +   ​unless you know what you are doing. ​ Even at this level PBKDF2 with a 512
 +   bit hashing system is more secure than any other BBS software today. ​ If
 +   you find the delay for 1000 is too short you can adjust the value but just
 +   ​beware that if you change hardware someday, those values still remain...
 +   The way the system works is that a user's password is stored in the format
 +   ​configured at the time their password is set, including the iterations. The
 +   ​password remains stored in this format even if you change the storage method
 +   until the user changes their password or you reset it using the user editor.
 +   It is important that you do not set the iteration level too high for the
 +   ​hardware you are using to run your BBS now or in the future.
 + + Mystic user passwords have now been expanded to 25 characters maximum.
 + + Mystic now allows passwords to be reset via Internet e-mail. ​ This option
 +   can be enabled in System Configuration -> Password Policy and will require
 +   that the SMTP sendmail/​relay options are configured in the Server General
 +   ​Options tab.  The user must also have a valid e-mail address assigned to
 +   their user account.
 +   If enabled, the user will be sent an e-mail with a randomly generated code
 +   and then prompted by the BBS to enter the code.  Upon entering the code
 +   the user will be prompted to change their password and finally logged into
 +   the BBS as if they had typed their password in correctly.
 +   8 new prompts have been added to the themes to support this new feature
 +   most having 4 promptinfo MCI codes active: &1=min length ​ &2=min caps
 +   &​3=min nums  &4=min symbols. ​ These new prompts (538-546) will need to
 +   be added to your custom themes if you have them.  See the upgrade.txt
 +   for more information.
 + + New Configuration theme: Turbo Vision. ​ Not really a favorite of mine,
 +   but one of the goals of this theme option is for nostalgia preservation
 +   and the TurboVision look was widely used in the BBS scene.
 + + Mystic'​s built in RAR archive functions should now work with newer RAR5
 +   ​format RAR files. ​ If you encounter any issues viewing a RAR file please
 +   ​e-mail me a link to download the same file or the file itself so I can
 +   take a look at it.  Keep in mind Mystic does not allow you to view
 +   ​encrypted archives.
 + + Changed the e(X)it command in the text editor to (Q)uit to match that of
 +   the ANSI editor.
 + + New ACS function "​OV"​ returns true if the user has validated their current
 +   ​e-mail address.
 + + Email address fields have been expanded to 60 characters, input field
 +   ​length by default is 40 characters (up from 35).
 + + Mystic will now validate that the user enters a valid e-mail address
 +   ​format when prompting for e-mail address during new user application and
 +   when editing user information. ​ Two new prompts have been added that will
 +   be displayed when they enter an invalid e-mail address: #463, #486.  You
 +   ​should update your prompts based on the new defaults.
 + + New menu command: -V (Validate e-mail address). ​ This function will send
 +   a code to the user's e-mail address and then prompt them to enter it on
 +   the BBS.  Upon entering the code successfully,​ the "​OV"​ ACS command will
 +   begin to report true.  If the optional data field contains a security level
 +   ​Mystic will also update the user's security profile. The OV ACS can also be
 +   used in order to perform any number of actions if validation is successful.
 +   New prompts have been added to support this: #​547-#​552. ​ You will need to
 +   add these if you have custom themes.
 + + Mystic now supports CNET Control-Y color codes. ​ These work in file
 +   ​description .DIZ importing, in file descriptions,​ in message reading, in
 +   ​Mystic'​s file/ANSI viewer and ANSI gallery, and Mystic'​s ANSI editor can
 +   now load CNET color coded files. ​ Thanks to NuSkooler for initial info
 +   about the color codes.
 + + New Python function: "​logerror(string)"​. ​ This creates an entry into the
 +   ​global error log of the string passed to it, and also creates an entry in
 +   the current node log as well.
 + + The group editors now have a Move function that allows repositioning the
 +   order of groups. ​ Simply Copy a group and them move to where you want to
 +   place it and select Move.
 + + The file base editor now also has a move function.
 + ! When tagging a bunch of bases in the message base editor and selecting
 +   Sort, it was possible to press ESCAPE and wipe out your message base
 +   ​configuration entirely. ​ Fixed. ​ Sorry to anyone affected by this.
 + ! Fixed a bug in the global message base editor where setting the Max Msgs
 +   value could cause the value to get garbled when updating the bases.
 + + Two new options to the GD menu command (Display a file):
 +      /MCI   - If this option is supplied, Mystic will not filter out any MCI
 +               codes including pipe colors.
 +      /ABORT - If this option is supplied, Mystic will not allow the display
 +               file to be aborted. ​ By default they are allowed.
 + + Mystic'​s SMTP sendmail function now supports opportunistic SSL via the
 +   TLS v1.2+ protocol. ​ Combined with CRAM-MD5 authenication,​ this provides
 +   ​encryption of both the password handshake and the overall session.
 + + Message Box MCI codes no longer automatically pad the header text with a
 +   space on each side. This makes it consistent with other box functions and
 +   ​allows a bit more flexibility.
 + + MUTIL echo import now gives a more meaningful message when a PKT password
 +   is defined and there is no echomail node configured for the origin address
 + + Mystic BINKP server and FIDOPOLL now support opportunistic SSL (TLS v1.2+)
 +   using a proprietary extension of the BINKP protocol. ​ This means that it
 +   will only work with other Mystic BBS clients and servers, but I do plan
 +   to document the extension and send it to the authors of other mailers in
 +   hopes that it can be standardized.
 +   BINKP server settings now have a "Use SSL" setting which can be set to
 +   one of three settings:
 +      No     : BINKP server will not offer SSL extension at all
 +      Yes    : BINKP server WILL offer SSL extension optionally
 +      Forced : BINKP server will refuse all connections not using SSL
 +   ​EchoMail Nodes now have a similar setting which will be used when polling
 +   for new mail:
 +      No     : FIDOPOLL will not use SSL extension at all
 +      Yes    : FIDOPOLL WILL use SSL if the server supports it
 +      Forced : FIDOPOLL will refuse to exchange mail with a server
 +               ​unless it supports SSL
 + + For those of you who downloaded the A40 pre-alpha before Dec 16th, you
 +   will have password issues. ​ To fix this you can copy over the latest
 +   ​upgrade.exe and place your A39 users.dat into DATA and execute "​upgrade
 +   ​password"​.
 + + Message bases with an origin line set to a blank will now inherit the
 +   ​default value set in System Configuration > Message Settings. ​ This is how
 +   it was supposed to work but it wasn'​t. ​ The origin line will now also be
 +   blank when creating a new message base, instead of setting the value to
 +   the current default. ​ This also includes MUTIL import/​create functions.
 + + The random origin line selection engine (@ORIGIN=) will now be processed
 +   if it is defined in the default origin line.  In the past it was only
 +   ​processed when defined for an individual message base.
 + ! Mystic will no longer make echomail bundles with a bracket in the filename
 +   ​extension which could happen in a certain circumstance.
 + ! Fixed a bug where Mystic was adding a point to the INTL kludge origin/dest
 +   ​addresses when dealing with point systems.
 + + Message Base editor now has a /A command to select all bases.
 + + File Base editor now has a /A command to select all bases.
 + + File Base editor now has a /G Global Editor similar to the Message Base
 +   ​editor
 + + Echomail nodes now have an "​Encryption Key" option. ​ When this option is
 +   set to a non-blank value, Mystic will encrypt all of the contents of
 +   ​Netmail messages to this node with an AES-256 encryption. ​ This completes
 +   a fully encrypted echomail solution as both transport and private messages
 +   are secured.
 +   This is done in a way that is completely transparent to unsupporting
 +   ​systems,​ meaning that you can still route netmail through systems and they
 +   will not harm the encrypted netmails! ​ The encryption also hides the
 +   ​message subject, so when combined with Area/​Filefix passwords will no
 +   ​longer be readable. You must have Cryptlib installed for this to work.
 +   The other echomail node must of course have the same key configured for
 +   your node in order to decrypt the netmail when it arrives. ​ This works the
 +   same way as any other password setting in echomail nodes.
 +   When routing Netmail, Mystic will intelligently re-encrypt the message
 +   ​between routing points when possible. ​ In other words if you have a point
 +   ​system who sends from 555:1/2.1 to 555:1/1 but is routed through 555:1/2,
 +   ​Mystic at 555:1/2 will know that it has an encryption agreement between
 +   both 555:1/2.1 and 555:1/1 so it will decrypt the message from 555:1/2.1
 +   and then reencrypt it for 555:1/1 before routing it.
 + + Mystic Area/​Filefix will now accept commands that start and end with a
 +   ​percentage sign (as opposed to just starting with) so: %LIST and %LIST%
 +   will work, for example.
 + ! Mystic wasn't properly using UTC time when adding the @VIA kludge while
 +   ​routing Netmail (it was using local system time).
 + ! Reviewed Netmail routing with point systems and corrected a couple little
 +   bugs with addressing. ​ This will hopefully have no negative effect on any
 +   other behavior.
 + + Mystic BINKP now sends the local time and time zone information whenever
 +   it connects to another BINKP server.
 + + MUTIL MsgPack now no longer users the Mystic temp directories while
 +   ​packing message bases. ​ Instead, it creates temp files in the same
 +   ​directory as the message base.  This should allow MsgPack to continue to
 +   ​rename files when message bases are stored on different devices than the
 +   root Mystic directory.
 + + New MPL function to go along with new password engine:
 +     ​Function CheckPW (PW: String) : Boolean;
 +   This function checks the supplied PW against the current loaded User
 +   and returns true if the password matches or false if it does not.
 + + New MPL function to go along with new password engine:
 +     ​Procedure SetPW (PW: String);
 +   This procedure sets the password for the currently loaded users (ie
 +   the User storeed in the current User variables)
 + + New MPL function to go along with new password engine:
 +     ​Procedure ValidPW (PW: String) : Byte;
 +   This procedure checks the password passed in PW against the configured
 +   ​password policy and returns a result depending on its status:
 +     1 = Password does not meet min length
 +     2 = Password does not meet min cap letters
 +     3 = Password does not meet min symbols
 +     4 = Password does not meet min numbers
 +   <​ALPHA 1.12 A40 RELEASED -- Dec 25, 2018>
 +===== 1.12 Alpha 41 =====
 + ! Fixed the broken SSH that creeped its way into A40.
 + + Changed the date format in message quoting to "DD MMM YYYY"
 + ! MUTIL echo export should no longer toss messages back to the origin node
 +   <​ALPHA 1.12 A41 RELEASED -- Dec 27, 2018>
 </​code>​ </​code>​
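Review bot: The Alpha 40 password-storage entries contradict each other on case handling. The entry beginning "Mystic now allows the option to store passwords in case insensitive cleartext and case insensitive hashing" does not match the option list a few lines later, which offers "ClearText Case Sensitive" and states that the PBKDF2 SHA512 hash "is also case sensitive". Suggest rewording the first entry so it matches the three listed storage methods, since operators will choose a setting based on it. In the MPL additions, ValidPW is declared as "Procedure ValidPW (PW: String) : Byte;" although it returns a value, so it should read Function, and its result list (1 to 4) omits the value returned when the password satisfies the policy. The password-reset entry says "8 new prompts" but gives the range 538-546, which spans nine numbers; one of the two needs correcting.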
whats_new_112.1524959404.txt.gz · Last modified: 2018/04/28 19:50 by avon