Author Archive

Mailing list server upgrade

Friday, May 31st, 2024

Our D-PHYS mailing lists will be offline for maintenance on Thursday 6th June from early morning to approximately 10h00. No emails to @lists.phys.ethz.ch addresses will be accepted during that downtime.

Under the hood, the mailing list software will be migrated from mailman2 to mailman3. After the migration, the web page lists.phys.ethz.ch will have a new look with a modern web interface. You will be able to see and manage all your mailing lists right from the landing page. But note that all other URLs will have a new structure, so any browser bookmarks to individual mailing list configurations or archives will need to be updated.

For users that only receive messages from these mailing lists, nothing should change.

When sending messages to our mailing lists, make sure, starting now, to always use the <somelist>@lists.phys.ethz.ch domain. The obsolete <somelist>@phys.ethz.ch alias exceptions will no longer be accepted after the migration.

Mailing list owners and moderators will be contacted in a separate email with additional information, right after the migration. In particular, the new system will have personal accounts for all users, so passwords no longer need to be shared among list administrators. Also note that messages held for moderation will not be migrated, so please accept or discard moderation requests the day before the migration.

Further documentation is available in our readme.

Apple built-in VPN will stop working at ETH

Monday, October 30th, 2023

The central IT services will gradually disable the older IPSec protocol for ETH VPN:

  • 16th Nov 2023 for students (@student-net.ethz.ch realm)
  • 13th Dec 2023 for employees (@staff-net.ethz.ch realm)

Those of you who are already using the Cisco Secure Client for their VPN connections will not be affected by this change. Also the Linux openconnect client will continue to work.

However, any client relying on the IPSec protocol will become non-functional. In particular, the built-in VPN of Apple operating systems (macOS, iOS, iPadOS) will stop working. All affected users must migrate to the Cisco Secure Client in the upcoming weeks, to avoid any disruption of the VPN service.

For the actual installation, please refer to the VPN documentation of Informatikdienste, or our own readme for macOS.

Also note that, in the upcoming months, ETH will enable multi-factor authentication (MFA) for the VPN service. All users will then have to enter a one-time password (OTP) when connecting to the VPN. This is similar to the other services, mainly the cloud services of Microsoft, Adobe and Zoom, where MFA has already been enforced for ETH accounts. Further details regarding the VPN MFA migration will be announced as soon as the precise dates have been fixed.

Partial Network Downtime on Mon 6th Dec after 19h00

Monday, November 29th, 2021

The central Informatikdienste will have a scheduled downtime of all networking (cable and wireless) in the buildings HPK, HEZ, HPM, HPL and HPW on Monday 6th Dec 2021 in the evening between 19h00 and 23h00.

This is the second of three downtimes for the ongoing project to split the current networks into smaller chunks. This major undertaking will also induce a short downtime for some computers in the dynamic DHCP pool in other buildings (as some of our IP ranges are being moved to the listed buildings).

Users don’t need to do anything and their computers should come back online automatically. Otherwise try to reboot or get in touch with us.

In order to prepare for the migration, Informatikdienste will forbid all changes to their DHCP servers between Friday 3rd Dec 13:00 and Tuesday morning. As a consequence we will not be able to register new devices or hostnames during this period.

Emails erroneously flagged as spam

Wednesday, November 24th, 2021

Between yesterday Tue 23rd Nov 07:27 and tonight Wed 24th Nov 01:48 several hundred emails have erroneously been flagged as spam by our mail server. Please check your SpamBox folder for potential false positives during that period.

While we are constantly updating our filtering rules to catch the nasty spam, we are always doing our best to avoid flagging real emails as spam. We apologize for this and are still investigating the details of the root cause. Because the bulk of the messages were being correctly delivered, it took us several hours before we noticed the problem and could fix it.

Partial Network Downtime on Mon 8th Nov after 19h00

Monday, November 1st, 2021

The central Informatikdienste will have a scheduled downtime of all networking (cable and wireless) in the buildings HPH, HPP, HPR, HPS, HPV and HPZ on Monday 8th Nov 2021 in the evening between 19h00 and 23h00.

This is the first of three downtimes for the ongoing project to split the current networks into smaller chunks. This major undertaking will also induce a short downtime for some computers in the dynamic DHCP pool in other buildings (as some of our IP ranges are being moved to the listed buildings).

Users don't need to do anything and their computers should come back online automatically. Otherwise try to reboot or get in touch with us.

In order to prepare for the migration, Informatikdienste will forbid all changes to their DHCP servers between Friday 5th Nov 13:00 and Tuesday morning. As a consequence we will not be able to register new devices or hostnames during this period.

D-PHYS network migrations

Wednesday, July 7th, 2021

Several network migrations will take place over the next months that will have an impact on the design and inner workings of the ethernet network at D-PHYS. Even though all hosts will be affected at a technical level, we believe that most changes will not require any involvement from your side. By the end of the year this should further increase the fault-tolerance of the cabled network infrastructure and enhance the security of the bulk of the computers at D-PHYS.

Network segmentation

The central Informatikdienste are splitting several networks into smaller chunks to increase the overall stability and fault-tolerance. Unfortunately the details are flagged as confidential, prohibiting us from exposing the precise structure of this segmentation. The main repercussion is that our D-PHYS networks will no longer be able to span across all current buildings at once. So depending on the building, we will have to introduce new subnets and assign new IP addresses to the computers inside.

NAT network

Motivated by the above-mentioned segmentation as well as security considerations, we are planning to migrate a large number of hosts to a NAT network. This means that the computer will only get an ETH-internal IP address and will no longer be directly reachable from outside of ETH. From inside ETH or VPN, all communication with that computer remains unaffected. However, while the host can still communicate with all of the internet, it will no longer be exposed to direct attacks from the outside. We believe that this is a very sensible default for most computers and laptops. Of course it will still be possible to assign a public IP to selected hosts in order to provide a specific service to the outside. The new NAT network also provides DynDNS with sentname.dhcp-int.phys.ethz.ch hostnames and full IPv6 connectivity. So if you rely on DNS entries for dynamic IP addresses, make sure to use the domain dhcp.phys.ethz.ch for public subnets and dhcp-int.phys.ethz.ch for internal subnets.

DHCP migration

Right now, some of our networks are serviced by our own D-PHYS DHCP servers, while others use the DHCP servers of central IT services. We are now consolidating all networks and migrating the remaining ones step-by-step to the DHCP servers of Informatikdienste. This change is mostly technical and should remain unnoticed by most users.

For further details and up-to-date information please refer to our readme page.

Migration of Dynamic DNS

Tuesday, January 21st, 2020

Some of you make use of our DynDNS infrastructure that automatically assigns hostnames to computers with a dynamic IP address. This feature enables you to connect to your computer using its sent hostname, followed by the dhcp.phys.ethz.ch domain (e.g. example.dhcp.phys.ethz.ch) instead of the ever-changing dynamic IP address.

Thursday morning

Jan 30 2020 between 9:00 and 11:00

we will be migrating our DynDNS service to the servers of central Informatikdienste. As a consequence the resolution of example.dhcp.phys.ethz.ch to its dynamic IP address may not always work during that time. The global phys.ethz.ch and ethz.ch domains are not affected. Therefore the bulk of our users will not even notice the migration.

Update: Informatikdienste have postponed the migration from 23rd to 30th January.

Revised Adobe license at ETH

Friday, October 25th, 2019

Adobe has forced ETH to move from impersonal serial numbers to Adobe Cloud accounts, linked to your full name and personal @ethz.ch email address. All previous installations will stop working after November 30th 2019. ETH encourages users to switch to one of the many alternatives to Adobe software. You may also consider using the free Adobe Reader to open PDFs, as many don't need the features of the paid Acrobat Pro. If you really need to keep using Adobe software, you have to migrate to the new personalized license. The detailed usage conditions and disclaimer regarding the Adobe Cloud will be visible when ordering the software in the IT Shop.

Unfortunately the central IT services only provided the new installers two days ago, meaning that everyone is forced to have migrated within 5 weeks. We tested the Windows and macOS installers and explain the activation and installation of Adobe programs in our readme.

Impact on managed workstations

The change in the Adobe licensing also affects our ISG D-PHYS managed computers. Given that all Adobe licenses must now be personal, we can no longer order the licenses for you. This, in turn, implies that we must exclude all Adobe software from our yearly software license accounting. Starting with the current 2019/2020 period, we will not charge you for Adobe products, as you will have to pay for them directly yourself when ordering from the IT Shop.

All managed Windows and macOS computers will be migrated to the new Adobe Creative Cloud on

Wednesday, November 20th

In case you need to keep using Adobe software, we advise you to already order the license from the IT Shop. Starting on November 20th, you will need to log in with your personal Adobe account and install the programs, as explained in our readme. Feel free to get in touch with us, if you want us to migrate your computer before that date.

Mail server maintenance on Tue, March 27

Friday, March 23rd, 2018

Update 07:25: The migration is complete and our mail server is back online. Please let us know if you notice anything peculiar. This concludes our multi-step migration to the new mail server hardware.

---

In order to finalize the upgrade of the D-PHYS mail server, we schedule a maintenance downtime on

Tuesday, March 27, between 06:30 and 08:00 in the morning

During that time it will not be possible to send or receive emails. In particular, incoming external emails will not be lost, but held on the sender’s side and will be delivered after the migration. Outgoing mail will be kept in your mail client until the connection is restored.

We will update this posting once the mail server is back online.

New location for mail filtering rules, forwarding and vacation auto-replies

After the migration, all mail-related settings will be consolidated into the Roundcube Webmail interface:

  • spam filtering rules (whitelist, blacklist)
  • forwarding of your emails to a different account
  • setting a vacation or out-of-office auto-reply message
  • defining rules to automatically file incoming mails into specific folders

This will make configuring your email settings easier and also give you more options than before (for example, the out-of-office auto-reply can now be configured to automatically terminate at the end of your absence).

Please refer to our readme for details on how to customize these settings in the future. Feel free to contact us if you have any questions.

The current settings of all active users have been converted and imported.

In technical terms we are migrating from procmail to sieve. In particular the hidden text file ~/.procmailrc in the user's home folder will be ignored after the migration.

Mail server maintenance on Wed, Jan 24

Friday, January 19th, 2018

Update 07:25: Migration finished, welcome to the new mail server!

We schedule a maintenance downtime for the D-PHYS mail server on

Wednesday, January 24, between 07:00 and 08:00 in the morning

During this period, sending and receiving new emails will have interruptions, thereby delaying incoming and outgoing mails. In particular, incoming external emails will not be lost, but held on the sender's side and will be delivered after the migration. Outgoing mail will be kept in your mail client until the connection is restored. The IMAP server will not be affected, so all email clients should have continuous access to the existing mailboxes.

This maintenance window will be used to migrate the first part of our mail server infrastructure to the latest version of the operating system and new hardware with fast SSD storage.

New location for SpamAssassin user preferences

We re-designed how our mail server is parsing the user's configuration for the spam filtering. Currently one has to edit the hidden text file ~/.spamassassin/user_prefs in the home folder. Starting from next Wednesday the spam filtering rules can be edited more conveniently through the settings in the Webmail interface. This will allow users to easily

  • accept mail from a given sender and never mark it as spam (whitelist)
  • reject mail from a given sender and always mark it as spam (blacklist)
  • set the threshold score required for any message to be considered as spam

The existing user preferences have been parsed and all of the above settings have been imported into the new setup. The contents of ~/.spamassassin/ will be ignored after the migration. Please contact us if you have questions regarding your advanced SpamAssassin rules.
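To see which lines of an old ~/.spamassassin/user_prefs fall under the three imported settings and which are advanced rules worth asking about, here is an added example (not ISG D-PHYS code). The sample file contents and the function name `audit_user_prefs` are constructed for illustration, and mapping the three settings to the SpamAssassin directives `whitelist_from`, `blacklist_from` and `required_score` is an assumption about how the import was done.

```python
import re

# Constructed sample of a ~/.spamassassin/user_prefs file (not a real user's).
SAMPLE_PREFS = """\
# personal spam settings
required_score 4.5
whitelist_from alice@example.org *@lists.example.org
blacklist_from spammer@example.net   # repeated offender
rewrite_header Subject [SPAM]
score URIBL_BLACK 3.0
"""


def audit_user_prefs(text):
    """Separate whitelist, blacklist and threshold from all other directives."""
    result = {"whitelist": [], "blacklist": [], "threshold": None, "other": []}
    for raw in text.splitlines():
        # Drop comments (an unescaped '#' starts one) and skip blank lines.
        line = re.split(r"(?<!\\)#", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        directive = parts[0]
        value = parts[1] if len(parts) > 1 else ""
        if directive == "whitelist_from":
            result["whitelist"] += value.split()   # several addresses per line
        elif directive == "blacklist_from":
            result["blacklist"] += value.split()
        elif directive in ("required_score", "required_hits"):
            # required_hits is the older name for the same threshold.
            try:
                result["threshold"] = float(value)
            except ValueError:
                result["other"].append(line)       # malformed, review by hand
        else:
            # Anything else is an advanced rule to review before the switch.
            result["other"].append(line)
    return result


if __name__ == "__main__":
    report = audit_user_prefs(SAMPLE_PREFS)
    print("whitelist:", report["whitelist"])
    print("blacklist:", report["blacklist"])
    print("threshold:", report["threshold"])
    print("needs review:", report["other"])
```

Entries reported under "needs review" are the ones to compare against the Webmail settings after the migration, since the file itself is no longer read.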