April 9, 2020
Summary
eZuce is pleased to announce the Generable Availability of sipXcom 19.12.
We're bringing a couple of nice new features to sipXcom. In previous versions if somebody dialed a user's name in dial by name directory the system would read back a mailbox number if the user had not setup their name in voicemail. Now the system will read back the user name.
The second new feature we'll highlight here is a security enhancement. We worked with the guys at https://apiban.org to add their automatically created ban list of IP's to sipXcom. Check out their site, they're offering a great service. All you need to do is request an API key and you can have sipXcom automatically poll their honeypot created ban list.
Highlights
sipXcom New Features
- Read back voice mailbox owner name if the user has not configured their voicemail greeting.
- Support for apiban.org to automatically ban SIP scanners
sipXcom Improvements:
- Log error messages at Notice level vs. at higher proxy logging levels.
- Firewall blacklist allows entries that are added automatically by fail2ban to be kept in ban list
- Manage list of banned IP's in Admin GUI
Notes
- 19.08 and later are now released on CentOS 7 only. This will require that administrators install CentOS 7 minimal, then install Uniteme with our single line installer and then restore from a previous version backup.
- AudioCodes and other gateways may need to have their configuration changed if faxing is used. See SIPX-811.
- For Let's Encrypt certificates to work properly, the server must have a valid outside DNS name and have port 80 and 443 open to LE's servers.
Who Should Install?
New software releases are made at a rate of two to four releases a year. Releases are numbered in the <yy>.<mm>.<uu> format where <yy> and <mm> designate the year and the month, respectively, in which a release is made generally available. Where applicable, <uu> corresponds to an update release relative to a general release on which fixes are made available.
Questions
Please post to the sipXcom-users google group if you have questions.
https://groups.google.com/forum/#!forum/sipxcom-users
Specific Issues Addressed
| SIPX-738 | Firewall Blacklist Enhancement | An administrator would like to allow automatically added banned hosts to be remembered and re-loaded when a server is restarted or IPTables is restarted. Each type of system message in System -> Security -> SIP Security should allow for a setting of -1 to add the host to the banned hosts list. Additionally, the administrator would like to be able to see the banned hosts in the admin GUI, why they were banned (sip-dos, invites, registrations, etc.) and be able to remove individual hosts from the list of banned hosts. | Enhancement | Security Firewall |
| SIPX-740 | SIP Proxy should write errors to log file at Notice level | An administrator would like to have certain SIP system errors written to log when at Notice level. Proxy logs are overly verbose at Info or Debug. sipxProxy should write some additional errors to log file at Notice Level. The log file should have the date and time, a description of the error, the offending source IP address and destination IP address. This would be for 4xx, 5xx and 6xx message that sipXproxy can generate. | Enhancement | Logs |
| SIPX-803 | Cleanup Temp Directory on Reset | When the user runs "sipxecs-setup --reset-all" it should cleanup the /var/sipxdata/tmp directory. Some of the files within the directory are used by other services and a cleanup is necessary to do a proper reset. | Fix | Setup |
| SIPX-804 | sipx-backup and postgresql_running | Looks like the /usr/bin/sipx-backup is making a call to postgresql_running that fails even though postgresql is running. | Fix | Backup |
| SIPX-809 | Read back voice mailbox owner name | An administrator would like to have the voicemail system play back a user's name if the user has not recorded their name for voicemail. This can be done with mod_flite Speaking the name If the user has recorded their name, then that recording will be used when listing the matches. If they have not, the name will be read one letter at a time by default. If you would like the system to read their name as if it were being spoken, the following two files will have to be edited: [freeswitch_root]/conf/lang/[language]/dir/sounds.xml - Replace the action tag under "directory_result_say_name" with: <action function="speak-text" data="$1"/> [freeswitch_root]/conf/lang/[language]/[language].xml - Make sure that your tts engine and voice are correct in the line: <language name="[language]" say-module="[language]" sound-prefix="$${sounds_dir}/en/us/callie" tts-engine="flite" tts-voice="slt"> If you are using flite, you can find information about it here: mod_flite language is the two character language abbreviation freeswitch_root is the root of your Freeswitch installation | Enhancement | Voicemail |
| SIPX-820 | /var/log/messages spammed by ipv6 messages | The system /var/log/messages log is spammed by these messages: Oct 24 08:30:37 1912 systemd: Reloading. Oct 24 08:30:37 1912 systemd: Binding to IPv6 address not available since kernel does not support IPv6. Oct 24 08:30:37 1912 systemd: Binding to IPv6 address not available since kernel does not support IPv6. Looks like a service that keeps trying to start but can't because ipv6 is disabled. This should be found and removed or its ipv6 support disabled UPDATE: This happens in connection to sipxagent runs. Further investigation has found that it is rpcbind that is misconfigured. On CentOS 7.2 and later it comes with default binding on ipv6 also. | Fix | Logs |
| SIPX-821 | Reverse DNS errors (SERVFAIL) in messages log | named is spamming the messages log with reverse DNS errors from queries coming from cluster members. | Bug | Logs |
| SIPX-825 | Fix CFEngine promises | CFengine promises don't work with newer versions of CFEngine. The policy file parser is stricter in CFEngine >=3.5.0. The parser is now fully compliant with the CFEngine language syntax reference. The main difference you will encounter is that promiser/promisee no longer allows a comma at the end of the line. This will cause your existing policies to produce errors when they are read by CFEngine 3.5.0. | Bug | Config |
| SIPX-827 | Users report registrations are expiring | Registrations are expiring for a while on different CentOS 7 versions of MongoDB, one had 3.4 and another 3.6. This happens only in clusters. Might or might not be related to http://jira.sipxcom.org/browse/SIPX-745 Testing has revealed that expired registrations happen on certain nodes, not related to phone location and/or network. Investigation of registrar logs on DEBUG has seen weird expires values on these servers: grep RegDB sipregistrar.log "2019-12-18T06:56:40.156575Z":150380:SIP:INFO:caracal.iuliu.test::7f7300988700:sipxregistry:"RegDB::getUnexpiredContactsUser Identity: 202@iuliu.test Contact: <sip:202@10.3.0.11;transport=tcp;x-sipX-nonat> Expires: 18446744073709551309 sec Call-Id: 253f71d042b2fac4712c900ccf819fa3" Registration flow for the call-ids seems ok Changed Registrar to default to 60 minute registration grace period. Set this as the new default in system | Bug | Registrar |
| SIPX-829 | Setting DHCP to "unmanaged" disables it instead of leaving it running | A customer issue has showed us that there is some kind of problem with running DHCP in "unmanaged" mode, with the service unexpectedly dying. Investigation has shown that setting DHCP to "unmanaged" causes cfengine to kill the service instead of leaving it running and just not managing the configuration. Upon manual start of the service, it keeps running until the first cfengine run when it is killed. Seems like /usr/share/sipxecs/cfinputs/plugin.d/dhcpd.cf needs to be modified | Fix | DHCP |
| SIPX-830 | "Identity Validity" setting in Proxy is not documented and doesn't seem to work | "Identity Validity" setting in Proxy is not documented and doesn't seem to work. The value of X-Sipx-Authidentity and P-Asserted-Identity headers are signed using MD5. The signature is calculated over the content of the header value, signature timestamp, data from the SIP message and a unique secret, known only to sipXecs components in a given installation. This should prevent (or minimize) the replay attacks on the system making it relatively difficuilt to spoof the X-Sipx-Authidentity and P-Asserted-Identity headers. Signature includes a timestamp as epoch seconds indicating when the signature was calculated. - "signature-hash" is MD5(<timestamp><secret><from-tag><call-id><identity>) Signature validation fails if the signature is older then a configurable amount of time (Identity Validity defaulted to 300). | Fix | Config |
| SIPX-835 | Update freeswitch flite RPMs | Flite is broken in our rpms, the module does not load, needs updating: From here https://files.freeswitch.org/repo/yum/centos-release/7/x86_64/ Flite must be version 2.0.0-1 not 2.0.0-0 flite-2.0.0-1.el7.centos.x86_64.rpm 2017-01-12 22:27 13M flite-debuginfo-2.0.0-1.el7.centos.x86_64.rpm 2017-01-12 22:27 19M flite-devel-2.0.0-1.el7.centos.x86_64.rpm 2017-01-12 22:27 36K | Fix | Freeswitch |
| UC-4814 | 1904.centos7 voicemail and cdr restore prompt config options | When uploading just cdr or just voicemail and clicking restore, the config archive options are prompted next. See attached images. | Fix | Restore |
| UC-4817 | 19.04 sipregistrar webui options | In the 1904 webui the 'log console' option is not defined. It's not defined in the wiki either. I'm not sure what that does? http://wiki.ezuce.com/display/unite/SIP+Registrar Setting does nothing, remove from WebUI | Fix | Config |
| UC-4821 | zen 8412: domain alias limitation | Also reported in (4.2, closed) XX-9799 , there is a limitation to the amount of domain aliases you can enter in the webui (varchar 255). Customer workaround was to stand up a second system. Have tested now to 3000 characters | Fix | Config |
| UC-4839 | Support APIBAN.org | apiban.org keeps a honeypot generated list of SIP 'bad actors'. An administrator would like to poll apiban.org periodically and update a local list of banned IP's to block with unite / sipxcom's integrated firewall. https://apiban.org/doc.html | Enhancement | Security |
| UC-4841 | 19.12 sipxecs init script references sipxfreeswitch | The 'sipxecs' service script still references sipxfreeswitch. For example: [root@sipx ~]# service sipxecs status | grep freeswitch /etc/init.d/sipxecs: line 21: /etc/init.d/sipxfreeswitch: No such file or directory [root@sipx ~]# ll /etc/init.d/freeswitch -rwxr-xr-x 1 root root 3953 Nov 28 07:24 /etc/init.d/freeswitch [root@sipx ~]# ll /etc/init.d/sipxfreeswitch ls: cannot access /etc/init.d/sipxfreeswitch: No such file or directory [root@sipx init.d]# grep 'freeswitch' /etc/sipxpbx/sipxecs-services.ini sipxfreeswitch | Fix | Config |