Dada Mail v11.20.1 Released!

This version of Dada Mail is a minor bug release.

Of note is a nasty bug in the Bridge plugin that affected some messages sent to it. These messages would fail to be sent, and a line like the following may be found in your error log:

parse_data: unable to open in-memory file handle at...

See the following issue:

https://github.com/justingit/dada-mail/issues/1135

Bugfixes

One-click unsubscription can’t be enabled #1139

https://github.com/justingit/dada-mail/issues/1139

Mis-speling in, “Subscribed” Message #1140

https://github.com/justingit/dada-mail/issues/1140

bridge – irrecoverable error processing message #1135

https://github.com/justingit/dada-mail/issues/1135

Rate Limits should be ignored for logged in administrators when handling unsubscribe requests #1130

https://github.com/justingit/dada-mail/issues/1130

Searching a list’s message archive in the public view may return 500 error #1141

https://github.com/justingit/dada-mail/issues/1141


Dada Mail v11.19.0 Released!

v11.19.0 has been released – and this is a big update! The biggest update is actually to the included Perl library that comes with Dada Mail – over 150,000 lines within it have been updated!

Download Dada Mail today – if you’re a Pro Dada Subscriber, log in to your account, to download Pro Dada, which has no mailing list or subscriber limits!

Below is the change log for v11.19.0:

Features

Enable/Disable mailing list specific email headers

Mailing list headers help mail readers categorize the messages you send as being from a mailing list, as well as provide meta information about your mailing list. Sometimes, they can get in the way of deliverability. We’ve made the use of them optional.

Find this feature in, Mailing List: Options labeled, Use mailing list headers (enabled by default).

The list headers you can enable/disable are found in the Config.pm file in the variable, $LIST_HEADERS. Here are the headers that can be enabled/disabled:

        Precedence      
        List         
        List-Archive        
        List-Digest         
        List-Help           
        List-ID           
        List-Owner        
        List-Post       
        List-Subscribe     
        List-Unsubscribe    
        List-Unsubscribe-Post
        List-URL            
        X-Mailer

Enhanced HTML editing via “Grab content from a URL”

Dada Mail can grab content for a mailing list message just by giving it a URL.

You can also crop the webpage to only send the content found in a specific HTML id or class attribute, and remove content found in HTML tags that have specific id or class attributes.

We’ve enhanced that last feature, by allowing you to set multiple attributes, be they HTML ids, classes, or any other HTML attribute found in a tag. You can also just remove all instances of any HTML tag.

Find this option where you edit your draft mailing list messages, under Grab content from a URL. The feature itself is labeled, Remove content found between the following ids, classes, or other attributes:

If you wanted to remove all instances of tags with the class of, “example”, you would add in,

        class="example"

for an id of the same name:

        id="example"

To remove all <img> tags,

        _tag="img"

Experiment with other HTML attributes!

This same feature is also available for fetching content from an RSS/Atom Feed.

Breaking Changes!

In past versions of Dada Mail, either “id” or “class” had to be picked in a separate text box. This text box has been removed now that you can set an id, class, or other attribute in the text box that remains. If you are already using this feature (located only for fetching via a Feed URL), you will need to adjust your draft settings.

Installer: Ability to Switch the path to the Perl interpreter

Oftentimes (and especially on cPanel-based hosting accounts) there is an alternative Perl interpreter available to use, but it isn’t at the default Perl path that Dada Mail is configured to use. This alternative Perl interpreter could be more up to date, and also use the modules that are available to the cPanel-based Perl module installer.

We’ve made it easy to switch to this alternative Perl interpreter location. Do note that there’s no way to revert to the default Perl interpreter location. You would need to either reinstall Dada Mail from scratch, or manually reset the “shebang lines” yourself.

Upgraded Included Perl Library! (perllib)

Dada Mail comes with almost all of the CPAN Perl modules needed to run the app. These modules are located in the dada/DADA/perllib directory. This collection of CPAN modules was very much out of date, and the exact list of Perl modules shipped wasn’t exactly known.

This has now been fixed, and steps have been taken to make sure that future releases will have an up to date included Perl library. The exact modules that are included have been removed from the Dada Mail git repo, and have been made into their own repo:

https://github.com/justingit/dada-mail-perllib

This itself is created using the following Bundle:

https://github.com/justingit/Bundle-DadaMail-IncludedInDistribution

So you can see which modules are included and install them yourself, rather than use the included perllib.

This change will most likely be transparent to most users, but the updates to these modules were huge in terms of code line count, and many bug fixes and security fixes within these modules are now bundled with Dada Mail.

Cross-Site Request Forgery (CSRF) Prevention can now be disabled

Cross-Site Request Forgery Prevention is an awesome feature to have, but sometimes can get in the way of working with the app. We’ve made it easily optional, so that you can get your job done before enabling it again.

Find this within the installer under, Configure Security Options: Cross-Site Request Forgery (CSRF) Protection

We do highly suggest keeping this enabled.

Bugfixes

Grab content from a URL: Auto-generated PlainText version not cropped

https://github.com/justingit/dada-mail/issues/1115

Resend Subscription Confirmation via the list control panel broken

https://github.com/justingit/dada-mail/issues/1114

CPAN modules shipped with Dada Mail are outdated and impossible to maintain

https://github.com/justingit/dada-mail/issues/1113

List Control Panel Archive Screen: message_blurb() call memory leak?

https://github.com/justingit/dada-mail/issues/1116

Previews of message drafts always show in modal menu and not in new window in Drafts Index

https://github.com/justingit/dada-mail/issues/1117


v11.16.0 – Important Security Vulnerabilities Fixed, Upgrade Highly Suggested

v11.16.0 has been released! This release was pushed out to fix a fairly critical security issue dealing with CSRF. Below is the change log, which we think paints a good picture of what the problem is, and what we did to remediate it.

If you’re a customer/client of ours that we’ve provided an installation for, please get in touch, so that we can talk about getting you upgraded. If you don’t know exactly what coverage you have, we can help you look up your order information. Generally:

  • Customers with Lifetime Upgrade Coverage have all already been upgraded to v11.16.0. If you’re one of these customers, check the version you’re running, and make sure it’s at least v11.16.0.
  • Yearly Upgrade Coverage customers will want to contact us to get upgraded.
  • One-Time installation and Upgrade customers do have 30 days of complimentary upgrades. Please take advantage of that!

11.16.0

Focus

This version of Dada Mail has been released primarily to fix a security vulnerability dealing with Cross-Site Request Forgery (CSRF).

Enhanced Cross-Site Request Forgery (CSRF) Prevention

In theory (and confirmed), a bad actor could give someone a carefully crafted web page via email, SMS, etc, that – when visited, could allow them control of the list control panel as if the bad actor was logged in themselves. This includes changing any mailing list password, as well as the Dada Mail Root Password – which could effectively shut out actual list owners of the mailing list and allow the bad actor complete and unfettered control of your mailing list. This vulnerability also affects profile logins.

For this vulnerability to work, the target of the bad actor would need to be logged into the list control panel themselves. This CSRF vulnerability in Dada Mail affects all versions of Dada Mail v11.15.1 and below. Although we know of no CSRF exploits that have happened in the wild, this vulnerability has been confirmed by our testing, and by a third party.

Security enhancements added to v11.16.0:

  • CSRF protection to all list control panel screens (including plugins) when logged in

  • Initial CSRF protection on the actual list control panel login form is enabled by default

    This feature was available in Dada Mail, but was not enabled by default

  • CSRF protection for anything a user who logs into their profile would be able to do when logged in

  • CSRF protection for the initial profile login form

  • Login cookies for both the list control panel and profiles have the, “SameSite” flag added, and set to, “Lax”

  • Login cookies for both the list control panel and profiles have the, “secure” flag added, and set to, “1”, if the connection is under https

  • Google reCAPTCHA added to the Change List Password, Change Dada Mail Root Password, Profile login, and Profile Registration

    You’ll want to set up Google reCAPTCHA in the included Dada Mail installer.

More Details

Here’s an overview of CSRF:

https://owasp.org/www-community/attacks/csrf

v11.16.0 comes with Cross-Site Request Forgery prevention using the Double Submit Cookie pattern: (https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie).

To enhance this, we also “HMAC the token with a secret key known only by the server and place this value in a cookie” (as described in the above doc), and set cookies to have SameSite set to Lax, instead of not setting SameSite at all (https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#samesite-cookie-attribute).
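
The pattern described above, sketched in Python as an added example; this is not Dada Mail's own code (Dada Mail is written in Perl). The cookie name csrf_token, the session ids and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Assumption: one random secret per installation, known only to the server.
SERVER_SECRET = secrets.token_bytes(32)


def _mac(session_id: str, nonce: str, secret: bytes) -> str:
    """HMAC-SHA256 over the session id and a random nonce."""
    msg = f"{len(session_id)}:{session_id}:{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Token sent both as a cookie and as a hidden form field."""
    nonce = secrets.token_hex(16)
    return f"{_mac(session_id, nonce, secret)}.{nonce}"


def token_cookie(token: str, https: bool) -> str:
    """Set-Cookie value with SameSite=Lax, plus Secure when under https."""
    jar = SimpleCookie()
    jar["csrf_token"] = token
    jar["csrf_token"]["path"] = "/"
    jar["csrf_token"]["samesite"] = "Lax"
    if https:
        jar["csrf_token"]["secure"] = True
    return jar["csrf_token"].OutputString()


def verify_token(session_id, cookie_token, form_token, secret=SERVER_SECRET) -> bool:
    if not cookie_token or not form_token:
        return False
    # Double submit: the form value must match the cookie value.
    if not hmac.compare_digest(cookie_token.encode(), form_token.encode()):
        return False
    mac, sep, nonce = cookie_token.partition(".")
    if not sep:
        return False
    # HMAC check: the pair must also have been minted by this server for
    # this session, so a planted cookie/field pair is rejected.
    expected = _mac(session_id, nonce, secret)
    return hmac.compare_digest(mac.encode(), expected.encode())


def allow_state_change(method, session_id, cookie_token, form_token) -> bool:
    """State-changing actions (logout, password change) need POST + valid token."""
    return method.upper() == "POST" and verify_token(session_id, cookie_token, form_token)


if __name__ == "__main__":
    tok = issue_token("session-A")  # constructed session id
    print(token_cookie(tok, https=True))
    print("legit POST:", allow_state_change("POST", "session-A", tok, tok))
    print("no form field:", allow_state_change("POST", "session-A", tok, None))
    planted = "0" * 64 + ".planted"  # constructed pair not minted by the server
    print("planted pair:", allow_state_change("POST", "session-A", planted, planted))
```

A plain double-submit check only compares the cookie with the form field; the HMAC step is what rejects a matching pair that the server never issued.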

Additional Suggestions to Help Harden Security

  • Run Dada Mail under https

    Running Dada Mail under https will protect sensitive data from being read in transmission.

  • Set up Google reCAPTCHA

    Google reCAPTCHA helps stop automated submission of forms in Dada Mail.

Features

RESTFUL API supports Global Public/Private Keys, Creating New Mailing Lists

Please see:

https://dadamailproject.com/d/install_dada_mail-advanced_configuration.pod.html#Configure-Global-API-Options

and,

https://dadamailproject.com/d/features-restful_web_services.pod.html#Global-Public-and-Private-Keys

Changes

Default Membership: View address order is now Date Added/Subscription Date/Descending

Previous order was email address alphabetically/descending

Bugfixes

Switching between lists accepts “GET” requests

https://github.com/justingit/dada-mail/issues/1067

“logout” accepts “GET” requests

https://github.com/justingit/dada-mail/issues/1066

You can send a mass mailing to no one

https://github.com/justingit/dada-mail/issues/1064


Dada Mail v11.12.1 Released

This is mostly a bug-fix release for issues found in the v11.12.0 release of Dada Mail.

Bugfixes

Image resizing using Image::Scale does not work correctly

https://github.com/justingit/dada-mail/issues/989

Recurring schedules that grab content from an outside source (webpage, feed) which fail during constructing and sending still update MD5

https://github.com/justingit/dada-mail/issues/986

Content-Encoding never changed in messages received via Bridge

https://github.com/justingit/dada-mail/issues/985

Recurring Schedules that end many decades into the future are slow to process

https://github.com/justingit/dada-mail/issues/984


v11.10.0 brings reCAPTCHA v3 support and more Tracker analytics

v11.10.0 has recently been released. Download and Install! Here’s what’s new to look out for:

reCAPTCHA v3 Support

Google’s reCAPTCHA system helps keep abuse of the app to a minimum. It’s the best tool you’ve got for the job to stop the process of a web bot submitting forms with garbage information. v2 of reCAPTCHA works great, but does require your users to check a box, and perhaps even solve a CAPTCHA puzzle, which is yet another barrier between them and subscribing to your mailing list.

v3 does away with the checkbox, and handles verification based on a number of things, including reputation of the user. No checkbox will be visible, but you’ll see the floating reCAPTCHA badge on the lower right hand side of the screen:

reCAPTCHA is used in the following areas of the app:

  • Initial subscription form
  • Resend Subscription confirmation form
  • After a successful subscription confirmation
  • Reset mailing list password
  • Forward to a friend form
  • Profile registration
  • Logging into a mailing list
  • Creating a new mailing list
  • Deleting a mailing list

The last three being new to v11.10.0.

Configuring reCAPTCHA in Dada Mail is done through the Dada Mail Installer. See the documentation for the installer itself for details.

Mass Mailing Sending Details Logged and Reported

The start time, finish time, sending method, and message size are now logged and reported for each mass mailing. This information is available in the Tracker plugin for each individual mass mailing.

This information can be used to help draw relationships on things like sending speed vs. message size (bigger the message, the slower the sending generally), or sending method and all the other analytics (opens, clickthroughs, bounces) and help draw conclusions (is Amazon SES causing better deliverability?).



Tracker Enhancements, Better Charts, and Unique Clickthrough/Opens Tracking/Reporting is Back

Rejoice! The Tracker plugin has been given a wonderful refresh. The new chart on the main Tracker screen is now more useful, easier to read, and better designed:

Tracking and reporting unique Opens and Clickthroughs has also been re-implemented, this time using completely anonymous data. When we released v11.0, we removed this ability to comply with the GDPR, as we also tracked the email addresses with the opens + clickthroughs. For this version of Dada Mail, we don’t – all this data is tracked without using Personally Identifying Information.

The table below this chart has also been redesigned to show a greater amount of useful information, to help you see just how impactful your mass mailings are.


To see even more data on each individual mass mailing, click the chart icons on the left hand side of each row. Reports on message recipients, opens, clickthroughs, unsubscribes, bounces, sending errors, abuse reports, archive views, and mail forwards will be available to you.

We’ve also updated the chapter for using the Tracker plugin that’s available in the Dada Mail Manual. Access to the Dada Mail Manual is given to Pro Dada Subscribers.

Find out more about the Dada Mail Manual and getting a Pro Dada Subscription.


Bridge Announcement List and Authorized Senders Enhancements in v11.7.0

Bridge Announcement List and Authorized Senders Enhancements

The Bridge plugin allows you to send messages with Dada Mail through your mail reader without having to log into Dada Mail’s own list control panel – both for Announce-Only and Discussion Lists.

You can set up a list of Authorized Senders who, along with your List Owner, are allowed to send messages to your mailing list. Your Authorized Senders won’t need to log into your mailing list’s list control panel.

We have added several features to allow you to send more effective announce-only messages through Bridge:

Rewrite From: Header Correctly

The first change we’ve made is actually a bug fix. One way to run your announcement list utilizing Authorized Senders is to rewrite the From: header, so all messages sent to your mailing list use the List Owner in the From: header, no matter what Authorized Sender sent the message.

Look for the radio button labeled,

Rewrite From header to List Owner

in Bridge

Another option available is to preserve the original From: header so that any replies go to that address, rather than the List Owner. The issue was that the From: header wasn’t correctly managed to deal with DMARC restrictions.

Say you have an Authorized Sender that’s using a Gmail account, and you’ve set up your mailing list to send using your own SMTP server. Sending a mass mailing from your own server with (for example) a Gmail address in the From: header won’t work. You’ll need to instead send the message “on behalf of” the original sender, just like we do for discussion lists. In past versions, this wasn’t happening, and in v11.7, it now is. Rejoice!

Look for the radio button labeled,

Rewrite From header to be “on behalf of” List Owner

in Bridge.

Don’t rewrite the From header for email addresses from certain domains

We’ve also added an option to list domains for which you would not like this rewrite to happen, just in case your mail system has already allowed certain additional domains to be sent through it.

Look for the textbox labeled,

Don’t rewrite From header for the following domains: (one domain per line)

Set the Reply-To: header

The ability to set the Reply-To header to the List Owner or the original sender (or no one!) has been kept, even though the From: header needs to be sent “On Behalf Of”.

Mention the original sender

Similar to what you’re able to do already for discussion lists, you can now set your mailing list to mention who the original authorized sender was, who sent the message. This option can be enabled (default) and disabled in Bridge for both announce-only and discussion lists. Look for the checkbox labeled:

Mention the original sender of the message at the top of the message itself

in Bridge.


v11.6.0 Released: new features to look out for

v11.6.0 is out the door, and with it are some welcome changes. Most of the changes of v11.6.0 are on the backend of the app, and most likely won’t be noticeable to a casual user. Plow into the actual changelog to see what those are.

Here are some things to look out for on the frontend:

Global Unsubscribe + Global Black List Safeguards

Dada Mail has a global setting called, Global Unsubscribe, which allows you to unsubscribe an email address from all your mailing lists, when you unsubscribe an email address from any of your mailing lists. It’s a powerful feature! Dada Mail also has the ability to remove all your Subscribers with the push of a single button:

The, Unsubscribe All button: use with care.

This button is problematic, if Global Unsubscribe is enabled, since not only will Dada Mail unsubscribe everyone from your mailing list, it may in fact unsubscribe everyone for every mailing list.

We’re not going to remove this ability – it may be something you rely upon, but we are going to put some safeguards in. First, we’ve put an alert box on top just to remind you that Global Unsubscribe is a Thing:

Just to remind you…

If you try to use the “Unsubscribe All” button, the alert box that pops up will also remind you that Global Unsubscribe is enabled:

Just to warn you…

This button itself is also disabled. You may enable it in the Membership: Options screen. Look for the checkbox labeled, Enable, “Unsubscribe/Remove ALL” Members button:

Check this checkbox to enable Unsubscribe ALL subscribers button

Hopefully, this will help stop inadvertently causing chaos to your mailing lists! Similar situation when the Global Black List is enabled: button to remove all Blacklisted is disabled, alert box will mention this feature being activated, and there is an alert box reminding you at the top of the table that shows your Black List.

Other things to look out for: the admin menu now lists which theme you have enabled, right on the menu:

See the Theme that’s enabled in the admin menu

Want WhatsApp support? You’ve now got WhatsApp support. Your WhatsApp number will appear in the footer of your mailing list email messages. Set it under, Mailing List: List Information:

Let your users know that your organization can be contacted via WhatsApp



v11.5.1 Bug Fixes and Welcome Changes

v11.5.1 is mostly a bug fix release – we suggest anyone running a previous version of Dada Mail to upgrade (as always). See the changelog for all details for this release. If you need an upgrade, we’re here for you.

In this post, we’re going to look at a few changes that you may welcome:

Cleanup of backup file/directories

During an upgrade, Dada Mail’s installer makes backups of some of the directories it finds in the dada_mail_support_files directory. If you’ve been running Dada Mail for a while, and have been on top of upgrading, this directory can get filled with more backups than you’d know what to do with. So many, that it can be a pain to have to manually remove the unneeded backups.

Here’s an example:

This screenshot looks into the dada_mail_support_files directory via an FTP client, showing 30+ backups of the “ckeditor” directory! Not good. If we run a du -h on the directory, we’ll find out that all these files take quite a bit of space:

Yikes: about 2 gigs of wasted disk space.

Now, when you upgrade with Dada Mail v11.5.1, only the last 3 backups will be kept, the rest will be removed. Here’s the dada_mail_support_files directory after the upgrade to v11.5.1:

Much cleaner!

And the disk space is down, too:

By about 90%!

The second cool thing to look for is for those running discussion lists that utilize moderation. We’ve made it a little easier to find the list of messages awaiting moderation. Under Plugins/Extensions: Bridge, look for the settings that deal with Moderation. A new button should be visible that allows you to see all the messages that are awaiting moderation:

Clicking this button will bring you to the listing of awaiting messages:

Each row in the table will show the message From and subject, as well as when the message was sent. Four buttons are available, allowing you to approve, deny, delete, or even resend the moderation message to the moderators.