Thru Server 9.7.0 Release Notes January 5 2018

Added Portuguese and Russian languages to UI

Portuguese and Russian languages have been added to the Thru Portal user interface.

Restrict File Types on upload in the portal

Site administrators can restrict the file types allowed for upload in the portal or in the dropbox feature. The setting selects file types by inclusion or exclusion.

Upload screens display the allowed or blocked file types.

API to store LAN locations in the cloud

REST and SOAP API calls have been added to manage a list of LAN locations associated with names; see the API documentation for details. The functionality is used by the Thru Outlook add-in's email archiving function to store LAN archive locations, and it can be used in integrations to store LAN locations associated with tags for any purpose.

Dashboard changes

The My Documents widget, which pointed to the My Documents subfolder of the user's home folder, is replaced by the My Files widget, which points to the user's home folder. The change was made because the My Documents folder is no longer created by default when a user is provisioned.

Dropbox URL parameters

To set the subject of the email in a Dropbox URL, both parameter names subjectemail and subject are supported.

Security Enhancements

Password reset

· The Forgot Password operation is allowed every N minutes; the setting is in the administration section.

· Password reset links expire in K hours; the setting is defined in the administration section. Default value: 8. The setting also defines the expiration of password setup links sent to a new user when the user is created.

· The next password reset request invalidates the previous request.

Integration of Thru Web email with external address book for Chrome and Firefox via CORS security mechanism

The Cross-Origin Resource Sharing (CORS) mechanism is implemented to enable integration of Thru Web email with an external address book via JavaScript, as required in the Chrome and Firefox browsers.

The following article on CORS specifies the requirements for external address book developers:

https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
Section: Requests with credentials

According to the CORS specification, the following logic should be implemented in the address book application called from Thru Web email:

From the request headers of the client connection, the application should read the Origin header, for example:
Origin: https://site.thruinc.com

In the response headers, the application should return the following headers:
Access-Control-Allow-Origin: https://site.thruinc.com - should match the Origin header

Access-Control-Allow-Credentials: true

Vary: Origin
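
One way an address book application could produce these response headers, shown as an added example that is not Thru code or part of the original notes. The names ALLOWED_ORIGINS, getHeader and corsHeadersFor are hypothetical, the sample requests are constructed, and the exact-match allowlist goes one step beyond the text: it echoes the Origin value only for origins the operator has listed.

```javascript
// Added example (not Thru's code). ALLOWED_ORIGINS is an assumption: list the
// Thru site origins that are permitted to call the address book.
const ALLOWED_ORIGINS = new Set(["https://site.thruinc.com"]);

// Header names are case-insensitive; look the name up without assuming a case.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === wanted) return headers[key];
  }
  return undefined;
}

// Builds the CORS response headers for one request's headers object.
function corsHeadersFor(requestHeaders, allowedOrigins = ALLOWED_ORIGINS) {
  // Vary: Origin is sent on every response so a cache never replays a
  // response built for one origin to a different origin.
  const response = { "Vary": "Origin" };
  const origin = getHeader(requestHeaders, "Origin");
  // Exact string match only: no "*", no prefix or suffix matching, and the
  // literal origin "null" is rejected because it is not in the allowlist.
  if (typeof origin !== "string" || !allowedOrigins.has(origin)) {
    return response; // no Allow-* headers, so the browser blocks the read
  }
  // With credentials the value must be the single requesting origin;
  // browsers reject "*" when Access-Control-Allow-Credentials is true.
  response["Access-Control-Allow-Origin"] = origin;
  response["Access-Control-Allow-Credentials"] = "true";
  return response;
}

// Constructed sample requests: one trusted origin, one look-alike, one absent.
const sampleRequests = [
  { Origin: "https://site.thruinc.com" },
  { origin: "https://site.thruinc.com.attacker.example" },
  { Host: "addressbook.example" },
];
for (const headers of sampleRequests) {
  console.log(JSON.stringify(headers), "->", JSON.stringify(corsHeadersFor(headers)));
}
```

Only the first sample request receives Access-Control-Allow-Origin and Access-Control-Allow-Credentials; the other two receive Vary: Origin alone.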

Other security fixes

· Cross-site scripting vulnerability in Thru web email

· If a user is created by SSO, the administrator should not be able to modify user data

· Minor security fixes discovered by Qualys runs

Compatibility with the services

Required minimum versions of Thru services:

· Thru FTP Service – 2.0.37

· Thru SFTP Service – 2.2.0

· Thru Purge Service – 1.12